ML20024C852

From kanterella
Revision as of 01:18, 16 February 2020 by StriderTol (talk | contribs) (StriderTol Bot change)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
the Effect of Some Operations and Control Room Improvements on the Safety of the Arkansas Nuclear One,Unit One,Nuclear Power Plant
ML20024C852
Person / Time
Site: Arkansas Nuclear Entergy icon.png
Issue date: 06/30/1983
From: Bell B, Kolb G
Battelle Memorial Institute, COLUMBUS LABORATORIES, SANDIA NATIONAL LABORATORIES
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-A-1241 NUREG-CR-3246, SAND83-0710, SAND83-710, NUDOCS 8307150365
Download: ML20024C852 (41)


Text

4 NUREQ/CR-3246 SAND 83-0710 RG Printed May 1983

, The Effect of Some Operations and Control Room improvements on the Safety of the Arkansas Nuclear One, Unit One, Nuclear Power Plant i

B. J. Bell, G. J. Kolb Prepared by 1 Saron Natonal Latypatores Abuquerque, New Mexco 87185 and Uvermore, Cahfortua 94550 for the Uruted States Department of Energy under Contract DE-AC04-76DP00789

> 6 t 4 s.,

y

, , ;f -

~

[':

, La

- 1

. t +

9 > ,.< ay,

' ,1N

, ly :h: ; A N

L:iv Q , .

3 f_ gl?}{

_ .'%j, 'g; luL,,ll~;i ;[ff.;gff')

i . . ,

'- ~; s e

. e... ,, ., of t

s. .,. ..

. u py  :  ; 'l it' [ta $kE:

'x^q 1

.c C - ec c: , ,

. . g* ! '.

r. ~e- @: -

k .',l-

. f }ij ,k , '{'

,3 _

r,

'

  • s~ '

. 1[ .( -

2 e+  ;; 68: .

\ .. . .

('

s a 4;

Prepared for ~i

.c '

U."S.' NUCLEAR. REGULATORY COMMISSION sr ammuri 8307150365 830630 PDR ADOCK 05000313 P PDR

= - _ _ _ _ _ _ _ _ .

NOTICE This report was prepared as an account cf work sponsored by an agency of the United States Government. Neither the United States Government not any agency thereof, or any of their employ-ees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Available from GPO Sales Program Division of Technical Information and Document Control U.S. Nuclear Regulatory Commission Washington, D.C. 20555 and National Technical Informatioit Service Springfield, Virginia 22161 i-

NUREG/CR-3246 SAND 83-0710 RG THE EFFECT OF SOME OPERATIONS AND CONTROL ROOM IMPROVEMENTS ON THE SAFETY OF THE ARKANSAS NUCLEAR ONE, UNIT ONE, NUCLEAR POWER PLANT May 1983 B. J. Bell Battelle Columbus Laboratories G.J. Kolb Sandia National Laboratories Sandia National Laboratories Albuquerque, New Mexico 87185 .

operated by Sandia Corporation for the US Department of Energy.

Prepared for Division of Risk Analysis Office of Nuclear Regulatory Research US Nuclear Regulatory Commission Washington, DC 20555 Under Memorandum of Understanding DOE 40-550-75 NRC FIN No. A1241

Abstract In this report, a sensitivity analysis was performed to evaluate the effect that three operations and control room improvements have on the core melt frequency estimated for the Arkansas Nuclear One-Unit 1 (ANO-1) nuclear power plant. The three improvements evaluated were 1) installation of a safety parameter display system, 2) installation of a margin to saturation annunciator, and 3) increased control room operator manning. Core melt frequencies were calculated through use of the plant models published in the ANO-1 probabilistic risk assessment. The three improvements were found to decrease the ANO-1 core melt frequency by approximately a factor of 2.5.

i 111 u .

Table of Contents CHAPTER PAGE Executive Summary............................................. 1 1.0 Introduction .......................................... 2 2.0 Feview of ANO-1 Dominant Core Melt Sequences .......... 4 3.0 Reanalysis of Important ANO-1 Operator Errors ......... 8 3.1 Loss of All Main and Emergency Feedwater Reliability Analyses ........................... 10 3.2 Switchover From Injection To Recirculation Following Small LOCA Human Reliability Analyses ....................................... 19 4.0 Requantification of ANO-1 Dominant Accident Sequences ........................................... 28 References ................................................... 32

+

V

i Executive Summary In this report, a sensitivity analysis was performed to evaluate the effect that three operations and control room improvements have on the core melt frequency estimated for the Arkansas Nuclear One-Unit 1 (ANO-1) nuclear power plant. The three improvaments evaluated were 1) installation of a safety parameter display system, 2) installation of a margin to saturation annunciator, and 3) increased control room operator manning. Core melt frequencies were calculated through use of the plant models published in the ANO-1 probabilistic risk assessment (PRA). The ANO-l PRA was performed by Sandia Laboratories as part of the NRC sponsored Interim Reliability Evaluation Program.

The reason for performing a sensitivity analysis was due to a stated insight in the PRA that operator errors contributed a small percentage to the overall core melt frequency because of the three post TMI operations and control room improvements listed above.

The evaluation of these improvements was accomplished by performing a before-and-after set of human reliability analyses and determining the contribution made by the results of each analysis to the total core melt frequency. In the first (before) case, the staffing in effect at the time of the TMI-2 accident was assumed to be in force. No safety parameter display system or saturation annunciator was in the control room. In the second (after) case, the staffing in effect after the post-TMI directive was in force, a safety parameter display system was in place, and so, too, a saturation annunciator.

The three improvements were found to decrease the ANO-1 core melt frequency by approximately a factor of 2.5. Accident sequences found to be affected the most by the three improvements were those involving operator initiation of feed and bleed core cooling following a total loss of main and emergency feedwater.

For the before case, operator errors committed during these sequences was found to be dominated by accident misdiagnosis. For the after case, no single type of error dominated and the accident misdiagnosis error was found to be negligible. The overall operator error probability for the after case was estimated to be i two orders of magnitude smaller than the before case for these sequences.

l To place these results in proper perspective, some limitations l in the analysis should be recognized. The IREP ANO-1 PRA did not l use an operator recovery model sufficiently sophisticated to allow for the effect of the post-TMI operations and control room improvements on recovery operations to be evaluated. These affects on recovery operations would not only affect the accident sequences evaluated herein, but others as well. Thus, this report

-only evaluates part of the affects of these three post-TMI improvements on core melt frequency.

m

CHAPTER 1 Introduction The Interim Reliability Evaluation Program (IREP) conducted probabilistic risk assessments (PRA) of four light water reactors. One of the reactors analyzed was the Arkansas Nuclear One Unit 1 (ANO-1) PWR.1 ANO-1 is a plant designed by Babcock and Wilcox and Bechtel Power Corporation and is owned and operated by Arkansas Power and Light Company.

One of the insights from the PRA was that operator errors committed during the course of an accident contributed only 10 percent of the total estimated core melt frequency. The reasons stated in the PRA for the low contribution are:

1. Following the accident at Three Mile Island (TMI), the Nuclear Regulatory Commission (NRC) issued a directive requiring an increased number of licensed operators to be present in the control room. The added human redundancy afforded by this directive significantly increases the probability of recovering from operator errors.
2. Following the accident at TMI, ANO-1 installed a Safety Parameter Display System (SPDS) and a margin to saturation annunciator. These instruments provide good indications that a core damage accident may ensue and thus afford recovery potential from operator errors.

Because of these stated insights, the NRC requested an analysis which investigates the effect the above post-TMI changes had on the core melt frequency published in the ANO-1 PRA. The evaluation of these changes will be accomplished in this report by performing a before-and-after set of human reliability analyses (HRA) and determining the contribution made by the results of each analysis to the total core melt frequency. In the first (before) case, the staffing in effect at the time of the TMI-2 accident is assumed to be in force. No SPDS or saturation annunciator is in the control room. The second (after) case, the staffing in effect after the post-TMI NRC directive is in force, an SPDS is in place, and so, too, is a margin to saturation annunciator. The latter case formed the basis for the human reliability analysis appearing in the ANO-1 PRA with one exception, which will be discussed in Chapter 3.

^

.It should be noted that even though the first (before) case will henceforth be termed " pre-TMI," the reader should understand that the plant represented by this case does not entirely repre-cent the design and operation of ANO-1 prior to the TMI accident.

Following TMI,'ANO-1 made several design and operations. changes in cddition to the three evaluated in this report (e.g., emergency L

. _ . . - - .-- .- ~

feedwater system design improvements, revisions and additions of several emergency procedures, etc). The pre-TMI case in this report assumes these additional plant changes, made following TMI, are in place.

The before-and-after human reliability analyses appear in Chapter 3 and were performed using the techniques described in NUREG/CR-12782 and NUREG/CR-2254.3 These techniques will not be discussed in this report.* The results of the human reliability analyses were then input to the ANO-1 accident sequence models to determine their ef fect on the overall core melt frequency. This step, along with the appropriate conclusions, appears in Chapter 4.

Before commencing with the human reliability analyses, it is appropriate to review the dominant core melt accident sequences identified in the ANO-1 PRA and to highlight those sequences which will be affected by the post-TMI changes discussed above. This is discussed in Chapter 2.

4 1

  • It is suggested that a reader who is not familiar with the termi-nology and techniques of human reliability analysis should become familiar with these documents in order to enhance understanding of the material presented in this report.

- - - --- , - n

CHAPTER 2 Review of ANO-1 Dominant Core Melt Sequences The published ANO-1 dominant core melt sequences are listed in Table 2.1 and a key to the nomenclature is listed in Table 2.2.

These accident sequences, along with the most important hardware failures and human errors contributing to each sequence's frequency, are described in depth in the ANO-1 PRA and will not be discussed here. Rather, we will highlight those accident sequences for which human reliability analyses had an impact on the sequence frequency estimate. These accident sequences have the potential for being af fected by the post-TMI operator manning, the SPDS, and margin to saturation annunciator.

Dominant or near-dominant sequences for which human reliability analyses had an impact on the sequence frequency are indicated with a single or double asterisk. These sequences will be requan-tified in Chapter 4 of this report to reflect the pre-TMI operator error probabilities calculated in Chapter 3. The sequences high-lighted involve operator errors made in two response situations.

Sequences with a single asterisk are initiated by transients followed by failure of main and emergency feedwater core cooling via the steam generators. Failure of these two systems requires the operator to activate the high pressure injection system and establish a " feed and bleed" core cooling operation. If the operator fails to perform the required actions, core cooling fails and is followed by core melt. This constitutes the first situation for which operator error will be analyzed.

Sequences with a double asterisk are initiated by a small LOCA followed by failure of the high pressure core cooling system at the start of or during the recirculation phase. The prime con-tributor to this type of sequence, as identified in the ANO-1 PRA, is the failure of the operators to follow emergency procedures correctly while establishing the high pressure recirculation system (HPRS) . The HPRS is initiated by realigning the system water source from the borated water storage tank to the contain-ment sump when the tank nears depletion. If the operator fails to perform the required actions, core cooling fails followed by core melt. This is the second situation for which operator error will be analyzed.

In addition to the accident sequences annotated above, the frequency of the B (1. 2) D1 sequence was also impacted by a human reliability analysis. This sequence is initiated by a small LOCA and is dominated by failure of the operator te initiate high pressure core cooling manually before the onset of core damage.

However, a reanalysis of this sequence to reflect the pre-TMI operator error probabilities will not be conducted because of the conservative assumptions made in the published human reliability analysis. The major assumptions were:

TABLE 2.1 ANO-1 Accident Sequences Sequence Frequency T(LOP)LD 1YC 9.9E-6 B(1.2)DIC 4.4E-6 T(D01)LQ-D3 4.0E-6 T(A3)LQ-D3 3.3E-6 ANO-1 Published T(D01)LD1YC 3.lE-6 Dominant Accident Sequences T(FIA)KD1 2.8E-6 B(1.2)D1 2.8E-6 T(D02)LD 1YC ,

2.5E-6

  • T(D01)LD1 2.2E-6 T(D01)LD1C 1.8E-6
    • B(4)H1 1.4E-6 T(A3)LD IC 1.4E-6
    • B(1.66)H1 1.2E-6
  • T(A3)LD1 1.0E-6 ANO-1 Nondominant f **T(PCS)Q-H1 < 10-6 Sequences Affected by Human Reliability i *T(LOP)LD1 < 10-6 Analyses <

} *T(PCS)LD1 < 10-6

  • T(FIA)MLD1 < 10-6 Total Core Meltl SE-5 1This total includes the contribution from other nondominant sequences not shown.
  • Sequences involving operator failure to establish " feed and bleed".
    • Sequences involving operator failure to establish "switchover" to recirculation.

TABLE 2.2 Symbols Used in Table 2.1 Initiating Events B(1.2) - Reactor Coolant Pump Seal Rupture or Small-Small LOCA

( .38" < D s 1.2")

B(1.66) - Small LOCA ( 1. 2 " < D s 1. 6 6 " )

B(4) - Small LOCA (1.66" < D s 4")

T(LOP) - Loss of Offsite Power Transient T(PCS) - Loss of Power Conversion System Transient Caused by other Than a Loss of Offsite Power T(FIA) - Transients With All Front Line Systems Initially Available T(A3) - Transient Initiated by Failure of the ES Bus A3 (4160VAC)

T(D01) - Transient Initiated by Failure of the ES Bus D01 (125VDC)

T(D02) - Transient Initiated by Failure of the ES Bus D02 (125VDC)

System Failures C - Reactor Building Spray Injection System Dy - High Pressure Injection System (1 of 3 pumps)

D3 - liigh Pressure Injection System (2 of 3 pumps)

Hy - liigh Pressure Recirculation System K - Reactor Protection System L -

Emcrgency Feedwater System t

Q - Reclosure of Pressurizer Safety / Relief Valves Y - Reactor Building Cooling System v

M - Power Conversion System

1. The HRA conservatively assumed that if the operators failed to initiate high pressure core cooling within 10 to 15 minutes followLsg the LOCA, they never would, even though at least 30 additiornal minutes would be available before the onset of core damage.
2. The published systems analysis conservatively assumed that the high pressure core cooling system would not receive an auto-matic activation signal before the onset of core damage.

While it is true the automatic signal will not be generated within the 10-15 time interval considered in the HRA , it is pos-sible that the signal will be generated prior to core damage.

Whether a signal is generated depends on the effectiveness of steam generator feedwater systems in lowering system pressure to the 1500 psi setpoint.* Since the feedwater control systems were being redesigned at the time of the ANO-1 PRA, the analysts were not able to review the final design and thus conservatively assumed the feedwater system was ineffective in lowering system pressure.

Requantification of only those sequences on Table 2.1 with an asterisk will form the basis of our conclusions concerning the effect that the SPDS, the saturation annunciator, and increased control room manning has on the ANO-1 core melt frequency.

  • We have recently been informed that ANO-1 intends to raise this setpoint to that of the TMI-1 reactor.

CHAPTER 3 Reanalysis of Important ANO-1 Operator Errors In Chapter 2, operator errors which influenced the ANO-1 dominant core melt sequences were identified. These errors dealt with establishing feed and bleed core cooling following a total loss of main and emergency feedwater and with accomplishing cwitchover from the injection to the recirculation phase following c small LOCA. In this chapter, we perform a before-and-after set of human reliability analyses on the operator errors possible in parforming these tasks. In the first (before) case, the staffing in effect at the time of the TMI accident is assumed to be in force. No SPDS or saturation annunciator is in the control room.

In the second (after) case, the staffing in effect after the post-TMI NRC directive is in force, an SPDS is in place, and so, too, is the margin to saturation annunciator.

Before presenting the human reliability analyses, discussions of the pre- and post-TMI manning models and of the SPDS and seturation annunciator are in order.

Manning Model Prior to the accident at TMI-2, we assume that ANO-1 would have had in effect a staffing requirement similar to the one that eppears in the draft NUREG/CR-1278.2 It states that only one operator is present in the control room from the onset of a transient until 5 minutes after the onset. From 5 to 20 minutes cfter the onset, two operators are assumed to be in the control room (one of whom may be the shift supervisor). These two operators are assumed to have a moderate-to-high level of d:pendence between them. From 20 minutes to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after the onset of a transient, three operators are assumed to be in the control room, with high-to-complete dependence between the third operator and the other two. It is assumed that several people of various backgrounds will be available for consultation with the operators or even be present in the control room after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in a transient. These assumptions are conservatively based on a worst-case scenario in which all operators are as far away from i the control boards as is allowed when the transient occurs.

After the TMI accident, it became apparent to the NRC that etaffing requirements should be upgraded and operator training increased to cope with the performance standards expected of oper-ctors in stressful situations. The staffing model outlined above was accordingly modified to reflect the new requirements. During the first minute following the onset of a transient, it is assumed that there is one reactor operator present in the control room.

From 1 to 5 minutes after onset, two operators are assumed to be present with high dependence between them. From 5 to 15 minutes cfter onset, two operators and the shift supervisor are assumed to

. . . . ~ . . , . . , ., - . . .

be in the control room with low-to-moderate dependence between the "

supervisor and the operators. After 15 minutes, the Shift Tech-nical Advisor (STA) is also assumed to be present with low-to-moderate dependence assumed between him and the rest of the con-  :

trol room staff for diagnosis and major events and high-to-complete dependence for detailed operations. No credit is given for the presence of additional personnel. '

This new model will be described in the final version of NUREG/CR-1278. However, at the time of the ANO PRA, the role and 3 qualifications of the Shift Technical Advisor had not been clearly defined. Hence, the effects of his presence in the control room 7 following an accident were not evaluated in the ANO-1 PRA. (Not giving credit for the presence of the STA is the " exception" referred to in Chapter 1.) If the ANO PRA had given credit for .

the presence of the Shift Technical Advisor, the numerical results of the PRA human reliability analyses would not have changed significantly. To demonstrate this fact we note, in the human reliability analyses which follow, those human error probabilities ,

which the shift technical advisor could impact and the magnitude >

of the impact.

Safety Parameter Display System and Margin to Saturation Annunciator For the first analysis, a " conventional" control room is _r assumed. That is, the control room is assumed to consist of in-formation presentation devices such as standard meters, chart re- =

corders, status lamps, and annunciators.

There are no integrated diagnostic aids or displays. All information must be collected  ;-

discretely from individual displays, then integrated by the oper- -

ator into his internal model of plant status. For example, to s determine the margin to saturation, an operator must read the -

reactor pressure from an analog meter, read the reactor tempera- , .

ture from a digital indicator, then interpolate these two values

~

=

onto a static graph that is located on the front control boards '

and read from the graph the actual status of the plant with re-spect to a curve drawn on it.  ? g-D For the second analysis, the ANO-l control room added a Safety g Parameter Displal System. The purpose of the SPDS is to provide -

the operators with a display that integrates several plant opera- j ting parameters onto a single display. It should be of some use to the operators in helping them diagnose the severity of a par- 25-ticular transient and, ideally, providing them with possible alternatives for responding to the transient.

The SPDS analyzed here cannot be considered in all respects to be a diagnosis aid. It consists of a cathode-ray tube (CRT) hav-ing two display formats. The first format is a family of heatup and cooldown curves to be used during startup and shutdown. These =

curves give plant status for their respective modes, but deal more ..

with the severity of a transient than with determining its causes. The other format is an integrated margin to saturation =

curve. The graph of temperature versus pressure that was used in

-m

the old static display system is reproduced in color on the CRT.

Actual plant status is pictured on the curve, and past trends can also be displayed. (It is conceivable that forecasts of future status could also be incorporated.) In the case of the plant's exceeding the margin to saturation, the format of this display changes in a way that is readily discernible even from across the control room: colors change, and the plant status indicator is maintained along wi th the addition of a goal area for system per-formance. The operators can see clearly which parameters must be controlled and in which directions they must be manipulated to regain the proper margin to saturation.

This SPDS is very useful for the mitigation of transients for which margin to saturation is critical (e.g., prevention of core damage accidents). However, its usefulness for other transients is as yet unclear.

For the second analysis, a margin to saturation annunciator has been added to the control room. The purpose of this annunci-ator is to alert the operators to the fact that the reactor coolant system is approaching saturated conditions; a condition the operators are warned by procedure to avoid. Though this annunciator does not indicate the cause of a transient, like the SPDS it helps the operator diagnose the severity of a transient and, ideally, directs them toward possible alternatives for responding to the transient (e.g., discussions with ANO-1 operators indicated that if margin to saturation could not be maintained, as indicated by the SPDS or saturation annunciator, they would immediately initiate high pressure injection until the proper amount of reactor coolant system subcooling had been achieved).

3.1 Loss of All Main and Emergency Feedwater Human Reliability Analyses In the scenario evaluated, for both the before and after analyses there has been a failure of all core cooling via the steam generators. To reestablish core cooling, the operators must correctly diagnose that the plant has experienced a loss of all feedwater including emergency feedwater, go to the correct section of the written emergency procedure, evaluate the situation further, and initiate high pressure injection (HPI) .

We begin the analysis several minutes after the onset of the transient. We assume that the operators are under a moderately high level of stress. By this time, there will be indications in the control room that relate to the nature of the incident--diag-nosis is possible. We estimate that, at this time, there will be 40 annunciating indicators, 6 of which are relevant to the cause of the transient and form a perceptual unit. These annunciators provide information relating to the trip of the main condensate pumps, the trip of the main feedwater turbine, and the auxiliary feedwater pump (the auxiliary feedwater pump at ANO-1 is separate

1 from the emergency feedwater system and is actually part of the main feedwater system). Noticing a perceptual unit of 6 out of 40 annunciating indicators is roughly equivalent to detecting 1 out of a possible 7.

With the information obtained from these annunciators and from other sources in the control room, the operators must attempt to diagnose the problem. Once the correct diagnosis has been made, the operators consult the relevant procedure to determine the appropriate action required. If an incorrect diagnosis is made, I the operators may take action that will degrade plant status. On l the other hand, the control actions called for in responding to

! several initiators are so similar that no damage may result from a misdiagnosis until such time as adequate information becomes available to the operators to enable them to detect their misdiagnosis. The likelihood of either situation cannot be esti-mated. Therefore, for the purposes of this analysis, we will assume system failure if a correct diagnosis has not been reached.

In following the emergency procedures (after having made a correct diagnosis), the operators are subject to several possible errors. Procedural steps 2.4 and 2.5 must be performed in order for the operators to realize the emergency feedwater system has failed. Step 2.6 directs the operator to the section of the procedure that describes initiation of HPI. These procedural steps are listed below:

2.4 Verify that the steam driven and electric emergency feedwater pumps start.

CAUTION P-7B has a time delay of = 10 0 seconds. Do not manually start the pump until all ES loads, if required, are sequenced to Bus A-3.

2.5 Verify that the emergency feedwater block valves open; or open their bypass valves. Verify emergency feed flow to OTSGs.

2.6 If neither EFW or normal feedwater is availabic, follow Section III of this procedure.

The probability of errors of omission for each of these steps must be estimated. This is the probability of omitting an item from a long list of procedures that has no checkoff provision.

This estimate of the human error probability (HEP) per item must 20 be modified (doubled) to account for the effects of the moderately high level of stress and for the dependence between operators peculiar to each situation. The levels of depende ce assessed will depend, in turn, on the staffing assumed for each analysis. g Errors of commission were not considered likely in the per-formance of any of these steps. This is because of the operators' great familiarity with the ES panels (all relevant items of equip-ment for these steps are located on the ES panels) and the labeling convention used at ANO-1. This involves color-coding the labels of all items on the ES panels so that the color of the label itself is the same as the color of the indicator light during ES actuation. Any discrepancy between the color of the label and that of its associated indicator light should be easily '

detected. If all safety systems are functioning correctly, the verification of these items should not involve any manipulation of the equipment items.

There is a recovery factor that occurs during the accident sequence that will act on the above errors of omission. This involves the operators' noticing a group of two annunciators which indicate to the operator that no emergency feedwater is being delivered to the two steam generators. The two annunciators indicate low level in steam generators A and B respectively. When -

these annunciators are on they should be two of many (i .e . , > 4 0) sounding at the time.

\

Y Once the operators have completed the above procedural steps, they move to the next section of the procedure that describes HPI 's initiation. The relevant steps from this section come from the IMMEDIATE ACTION and FOLLOW-UP ACTION SECTIONS and appear as below:

2.5 Monitor margin to saturation; increase RCS pressure to maintain >500F subcooling.

CAUTION IF MARGIN TO SATURATION CANNOT BE MAINTAINED >100F, OR IF '

RCS TEMPERATURES GO OFF-SCALE HIGH, INITIATE HPI COOLING PER FOLLOW-UP ACTIONS.

3.1 If margin to saturation cannot be maintained >100F, or if RCS temperature goes off-scale high, initiate HPI cooling as follows:

3.1.1 Open BWST outlets CV-1407 and CV-1408.

3.1.2 Open all HPI MOVs.

3.1.3 Start the standby ES makeup pump, etc.

1 In carrying out this section of the procedures, the operators could make an error of omission on Step 2.5. Step 3.1 follows directly from Step 2.5--an error of omission on it is completely dependent on an error of omission on 2.5. The task of initiating the HPI is in itself,very well rehearsed by the operators. The chance of their making an error of commission in carrying out this set of well-known tasks is quite small. Nevertheless, because of the moderately high level of stress under which they are oper-ating, an HEP will be assigned that we feel adequately reflects the situation.

First Analysis: Pre-TMI Staffing, No SPDS, and No Margin to Saturation Annunciator In this first analysis, the staffing model from the draft NUREG/CR-1278 is used, as described earlier. It is also assumed that there is no SPDS or saturation annunciator in the control room. The HRA event tree for this first analysis is shown in Figure 3-1. In the first branching, A represents the probability of the operators' failing to notice the six relevant annunci-ators. As stated earlier, noticing six out of a possible forty annunciators is equivalent to detecting one out of a possible seven. Using the annunciator model from NUREG/CR-12782, the basic HEP for failing to notice one of seven annunciators is

.009. This estimate must be modified to account for the effects of there being two operators in the control room at this time (>5 minutes after onset) . The determination of there being six relevant annunciators supposes some degree of interpretation since this grouping of them into a functional unit demands that all six be noticed. Because of the perceptual / interpretive element involved, there exists some level of dependence between the operators, largely due to interaction among them in formulating a hypothesis about the state of the plant. Assuming a high level of dependence between the operators, the resulting joint HEP for this error is approximately .005.

In the second branching, B represents the probability that the operators will make a misdiagnosis of the event taking place. The basic HEP for an error in diagnosing a situation is 10-1.* The operators will probably interact in making a diagnosis, therefore, a high level of dependence between them is assumed. The joint HEP of both operators making diagnosis errors is approximately .06.

Given that the operators have correctly diagnosed the event, the probability of operator errors of omission in following the procedures must now be estimated. In the HRA event tree branchings, D, E, and H represent the probabilities of errors of

  • In the final version of NUREG/CR-1278, a model will be provided that estimates the likelihood of errors of diagnosis. In the interim, a point value of 10-1 has been used. This estimate accounts for the level of stress.

88 .995 As.005 F

to .94 go.0s F

do .99 08.01 g* .04 ge.156 s e .g, go .01 go.gge to .156

.... ./ F as.99 M s .01 98.044 48 .156 F

1*H 3 = . 01 F

ta9995 us 0005 8 F g BMfP JRTP Mors*

Ae Fail to not tee relevaRt ANNs .009 .005 2 3 Misdaagnossa .1 .06 1 D = Omit Step 2.4, Part 1 .01 .01 1,2 E

  • Opst Step 2.5. Part 1 .01 01 1.2 C
  • Fall to notice less of steam .25 .156 2 generator level annunciators n e Omst Step 2.4, Part 1 .01 01 1.2 I = Osit Step 2.5, Part 2 .01 61 1.2 F = Fall to initiate MPI correctly .001 0005 2
  • Modifications 1 - Moderately high strees 2
  • high derendence 2 . ..pplet. dependence Figure 3-1. HRA Event Tree for Operator Response to Loss of Steam Generator Feed - No SPDS, Pre-TMI Manning, No Saturation Annunciator

. ~-

. ~

7

, , (" - , . ,

s- p, ,

A  %

omission in performing Stepd 2.4, 2.5, and 2.6, respectivelyf of the first section of procedures presented. Procedural st m 2.4 ,

and 2.5 must be performed in' order for the operatob. to iea li::e ~

the emergency feedwater system has failed. Step 2.6 directs Jthe operators to the section of" the procedures . ,that describe initiation of HPI. The probability of omitting any cne item from a long list of procedurn h6ving un checkof f provision is . 01. -

This estimate must be dodM ed to the account for the. effects of moderately h ig h strass,- becoming '00.

. We will chalyze there errors as though they occar: red following 2n- initiaf Sorrect diagnosis--we will assume that about"15 m'inutes have elap. Sed 'since the onset of the transient. Assuming high depenjence ' be twoon the two operators, the joint HEP becomes dpproximptely .01 for each case. -

During the accident, several annunciatorc will' alarm, two of which are the low steam gene ris tor level annunciators. If the operators notice and respond to them, they will realize no emergency feedwater is being delivered to the steam generators and take appropriate steps to mitigate their earlier errors of omission. The basic HEP (G) for noticing _2 of ~80 annunciators is

.25. With two operators in the control room and high level of dependence between them, the joint HEP becomes about .156.

In the next branching, I represents the probability that the operators will make an error of omission on Step 2.5 of the second part of the procedures. This step must be followed because it states the criteria for HPI initiation. This has the same joint HEP as the errors of omission previously described, .01. (The probability of an error of omission on Step 3.1 of the same section is completely dependent on the omission of 2.5. It will not be discussed separately.)

Although the initiation of the IIPI is rehearsed.well and often by the operators, we assign an HEP for errors of commission in performing this activity of .001 (K in Figure 3-1). This is done to reflect our feeling that, under stress, even well-learned tasks are subject to disruption. This HEP will not be modified to reflect the effects of stress since the estimate itself has accounted for them. We assume a high level of dependence between the two operators for this activity, resulting in a joint HEP of approximately .0005. Others in the control room will not be actively involved in carrying out these tasks, so complete dependence for them is assumed.

Solving the event tree for this first analysis results in a total failure probability of approximately .08. (Quantification of the tree can be approximated by summing the probabilities of the failure branches, denoted F.) This result can be contrasted with that of the second analysis.

Second Analysis: Post-TMI Staffing, SPDS, and Margin to Saturation Annunciator In this second analysis, the newly developed staffing model, the SPDS, and the saturation annunciator described earlier are assumed to be in offect. The flRA event tree for this analysis is shown in Figure 3-2 (this figure appeared as Figure B15-15 in tne ANO-1 PRA). In this case, A from the first branching represents probability of the operators' failing to notice the relevant annunciators as defined earlier. The basic HEP for this error is the same as that given in the first analysis, .009. The staffing model in this case assumes that there are three qualified opera-tors in the control room at this time. With low dependence between the shift supervisor and the operators and moderate dependence between the operators themselves, the joint HEP for this error becomes approximately .00008.*

In the second branching, B represents the probability of failing to diagnose the event correctly. For diagnosis, the basic HEP is still .1, but since it is assumed that there will be inter-action among those present in agreeing on a diagnosis, moderate and high levels of dependence are assumed. This is due to the fact that both operators will follow the lead of the shift super-visor to some extent, while the more senior operator is more likely to think independently than the more junior man. The joint HEP for this error is approximately 0.013.

The recovery factor for B involves noticing the saturation alarm or the change in color of the SPDS. If either the alarm or SPDS is recognized, the probability of correct diagnosis, given other control room indications is approximately unity. (This was determined during the course of extensive operator interviews.)

At the time of the saturation alarm, it is estimated that >40 indicators will be annunciating, of whica 3 relate directly to the situation. This converts to the probability of noticing 1 of 13 annunciating indicators, having a basic HEP of .l. Assuming high dependence between the two operators and moderate dependence between the shift supervisor and the other operators results in a joint HEP of .013. Another recovery factor affecting the prob-ability that this original error will go undetected is that of the SPDS. The format of the SPDS changes dramatically when the margin =

to saturation is out of tolerance (i.e., changes color). That fact coupled with the operators' probability of detecting the OThe assumption of moderate dependence between the operators was assumed in the ANO PRA. The post TMI manning model assumes high dependence. Moderate dependence was assumed in the ANO PRA because an interim dependence model was used. If high dependence was assumed, the joint HEP would be .0003, and the total event tree failure probability would increase approximately 30 percent over the value used in the ANO PRA. This increase would have an insignificant effect on the published ANO PRA core melt frequency.

ee.99993 ae.00000 F

to.9efe 38.012e e = to =00 ee.9904 0 e.00:e g o .944 S e.064 es.9994 to.00:4 go.944 O s .0S4 he9984 ne,coig 98 944 e s.0$4 be 9999 ao goes S F

, Event BHFP JHFP MODS

  • A = Fail to notice relevant ANNs .009 .00008 2,3 B = Misdiagnosis .1 .0126 3,4 C = Fail to notice saturation ANN ** ~4

<10 Text -

or SPDS D = Omit step 2.4, part 1 .01 .0016 1,3,4 E = Omit step 2.5, part 1 .01 .0016 1,3,4 0 = rail to notice loss of steam .25 .056 3,4 generator level annunciators 11 = Omit step 2.6, part 1 .01 .0016 1,3,4 g = rail to initiate IIPI correctly .001 .0001 3,4

  • Modificatlonn 1 - Moderately high strenn 2 = Inw dependence J = Moderate dependence 4 = High depetulenen Figure 3-2. IIRA Event Tree for Operator Response to Loss of Steam Generator Feed--With SPDS, Post-TMI Manning, and Saturation Alarm 3

ccsociated annunciators sounding at this time make the probability of ignoring these indications negligible, o r < 10 - 4 If we also consider the presence of the Shift Technical Advisor (STA) in curanalysis (as we would if the analysis were performed today cince the saturation annunciator will alarm at about 15 minutes efter the onset of the accident) , the probability of the failure of this recovery factor would be even smaller.

For Steps 2.4, 2.5, and 2.6 of Part 1 of the procedures (D, E, l cnd H of Figure 3-2), the probability of errors of omission must l bs estimated. The basic HEPs for these errors are the same as 1 those for the identical errors in the first analysis, .01. Again, these basic HEPs must be modified to account for the effects of a moderately high level of stress, to .02. The dependence acting in the situation is assessed to be high between the operator follow-ing the procedure and the other control room operator and moderate between the first operator and the shift supervisor. The joint HEP for this error of omission is approximately .0016.

In the next branching, G represents the failure of the recovery factor acting on errors D, E, and H. This is the prob-ebility that the operators will not notice the low steam generator level annunciators. The basic HEP for this event is .25. Given the high and moderate levels of dependence assumed between control room personnel, the joint HEP is approximately equal to 0.056. If wa again looked at the effect of the STA, we would conservatively cssume complete dependence between him and the rest of the control room staff for this task of responding to and interpreting the m2aning of two of several annunciators. With this assumption, the joint HEP for this task remains unchanged.

In considering the probability of the operators' omitting Step 2.5 of Part 2 of the procedures, the effects of the SPDS as a recovery factor again have to be evaluated along with the increased staffing. As was the case with C, the probability that this recovery factor will fail to be effective is < 10 - 4 (Omitting Step 2.5 appeared as event I on Figure 3-1. Event I was not depicted on Figure 3-2 because of this branch's insignificant failure probability.)

As in the first analysis, a basic HEP of .001 is assigned to the operator's making an error of commission in initiating the HPI (K). Using moderate and high levels of dependence to account for the effects of the others in the control room, the joint HEP b:comes approximately .0001.

Sol'v ing the event tree for this second analysis results in a total f ailure probability of approximately 5 x 10-4 I

3.2 Switchover from Injection to Recirculation Following Small

, LOCA Human Reliability Analyses Following a small LOCA at ANO-1, switchover from the BWST to the containment sump is required to continue operation of the core cooling and containment spray pumps. Switchover is performed

,' several hours into the accident. It must be correctly performed, otherwise pump failure will ensue. The switchover activities are conducted at two locations: in the Controlled Access area and in the control room. In the Controlled Access area, locally operated valves are opened to supply low pressure pump discharge water to the suction of the high pressure pumps (the " piggy-back" operation '

common to many Babcock and Wilcox plants) . In the control room, 3 motor-operated valves arc opened to supply the sump water source to the suction of the low pressure pumps. Two sets of HRAs were performed for these switchover activities, as described below. It should be noted that neither the SPDS nor the saturation annunciator impacted these HRAs.

Controlled Access Operations The following procedural step describes the operator actions necessary to align the suction of the high pressure / makeup pumps to the discharge of the low pressure pumps:

i 4

3.7 Prepare for LPI boost to MU pump suction and RB s' ump recirc as follows:

i 3.7.1 Verify MU tank outlet MU-13 is closed.

3.7.2 Open DH-7A and DH-7B, LPI discharge to MU

' pumps suction, verify MU pump suction cross-over valves MU-14, MU-15, MU-16, and MU-17 open, and verify MU pump discharge crossover valves MU-23, MU-24, MU-25, and MU-26 open.

3.7.3 Isolate the DH rooms by closing both DH room floor drain valves, ABS-13 and ABS-14, secur-ing room purge dampers CV-7621, CV-7622, CV-7637, and CV-7638 from ventilation control panel (east wall of 404' Ventilation Room) and closing watertight doors.

3.7.4 Verify both DH pumps operating d44 both LPI MOVs open (CV-1400 and CV-1401) .

The only part of the above procedural step designated for analysis by the system analysts is the first part of Substep 3.7.2, that part calling for the opening of the DH valves 7A and 7B. All of the tasks ordered in Substep 3.7.2 are performed out-side the control room. An operator in the control room gives the instructions for the task to an auxiliary operator who goes to the

! valve site to perform the actual manipulation of the valves.

i I

1 l

First Analysis: Pre-TMI Manning 1 The HRA event tree for Controlled Access operations considering pre-TMI manning is in Figure 3-3. The first error modelled (A) involves failure of the control room operator to call for the performance of this step. This error of omission relates to the use of a long list of written procedures that does not require checkoff. The basic HEP for such an error is .01. Assuming that the operators are experiencing a moderately high level of stress at this time, the basic HEP is modified to reflect the effects of such stress, to .02. The effects of the presence of the two other people in the control room are accounted for in assigning high and complete levels of dependence to the shift supervisor and the other control room operator, respectively, for the same error.

The joint HEP for the failure of all three men to call for the valve manipulation is approximately .01. (This error of omission could apply to all of Step 3.7, to Substep 3.7.2, or the single task of calling for the opening of the DH valves.)

The next error is that of the auxiliary operator's omitting to open the DH valves in the course of performing all the tasks given him by the control room operator. He is responding to oral instructions given in the control room and augmented by telephone conversations as necessary. The tasks in Subtask 3.7.2 are all performed in the same general area of the plant. From a talk-through task analysis, it was determined that the organization of these procedural substeps is such that each constitutes a unit of performance, a set of tasks performed closely to each other in time and space and which are perceived as a single task by the auxiliary operator. At the valve site, the auxiliary operator has what he considers to be three unit tasks to perform: opening the DH valves, verifying that the suction crossover valves are open, and verifying that the discharge crossover valves are open. Since he perceives these as unit tasks, he receives instructions for this activity as though three tasks were involved rather than 10 (the number of items of equipment to be manipulated or checked here). The basic HEP for his failing to open the DH valves is

.01. The operator is under a moderately high level of stress, requiring that the basic HEP be modified to .02. Since this task is performed in the Controlled Access area (necessitating the operator's wearing of protective clothing), the BHEP must be modi-fied to reflect the effects of wearing the special clothing, to

.04.

There is some probability that the auxiliary operator could make an error of commission while manipulating the DH valves. If the basic HEP for this type of error is also .01, and if it is modified to reflect the effects of a moderately high level of stress and of protective clothing, it becomes .04. In Figure 3-3, the probabilities of his making an error of omission or an error of commission have been combined as B, .08, the sum of these two potential errors.

F-o= .99 A=.01 F

b= .92 B .08 S

c*.9995 0*.0015 S F Event BHEP JHEP MODS *

7. = Omit step 3.7 .01 .01 1,2,3 B = Omission / Commission, opening DH valves .01,.01 .08 1,4 C = Fail to respond to ANN .003 .0015 2
  • Modifications 1 - Mcderately high-stress 2 - High dependence 3 - Complete dependence 4 - Protective clothing Figure 3-3. HRA Event Tree for Switchover Following Small LOCA:

Controlled Access Activities, Pre-TMI Manning-f

. _ . _ _ . _ _ ____ _]

A recovery factor specific to B occurs in the form of a low flow annunciator in the control room. At that time, it is esti-noted that there will be five annunciating indicators in the con-trol room, so the probability of an operator 's failing to notice the low flow alarm (C) is .003. Assuming high dependence for the other two men in the control room, the joint HEP for this error is cpproximately .0015.

Solving the event tree results in a total failure probability of approximately .01.

Second Analysis: Post-TMI Manning The HRA event tree for this analysis is in Figure 3-4 (this figure appeared in Figure B15-13 in the ANO-l PRA). There is little difference between it and the one shown in Figure 3-3. The only difference in the joint HEPs for this task as performed before and after TMI has to do with the effects of training taken since TMI. It is felt that operators receiving special post-TMI training will perform more effectively in such an accident situa-tion. Therefore, moderate and high levels of dependence were assumed between operators. Given these assumptions, A becomes approximately .0016. If we were to assess the effect of the STA's presence, assuming complete dependence between him and the rest of the crew since this is a detailed operation, the joint HEP is still approximately .0016.

The effects of control room manning are not demonstrated in B since that activity involves only the auxiliary operator who is not in the control room. The recovery factor, noticing the ennunciator is affected by the change in dependence levels in the control room, however. Assuming moderate and high dependence between the operators results in a joint HEP of about .0002.

Solving the event tree result in a total failure probability of .0016.

Control Room Operations The following procedural step describes the operator actions necessary to open the sump suction valves:

i 3.9 Monitor BWST level; when BWST level has fallen to 6' l indicated level, or when the corresponding BWST lo-lo-level alarm is received, transfer suction to  ;

RB sump by verifying RB sump suction valves inside (

containment CV-1414 and CV-1415 open, opening RB sump suction valves outside containment CV-1405 and CV-1406 (a slight upward perturbation should be noted on pump flows indicating suction transfer);

then close both BWST outlets CV-1407 and CV-1408 (Refer to 1104.04 for RCS temperature control methods). Close NaOH tank outlets CV-1616 and CV-1617. MANUAL OVERRIDE PUSHBUTTONS MUST BE DEPRESSED FOR ALL VALVE MANIPULATIONS IF ES ACTUATION HAS OCCURRED.

o=.9984 A5.0016 F

b =.92 B = .OB S

c = .999 8 C =.OOO2 S F l

Event BHEP JHEP MODS

  • A == Omit step 3.7 .01 .0016 2,3 B = Omission / Commission, opening DH valves .01,.01 .08 1,4 C = Fail to respond to ANN .003 .0002 2,3
  • Modifications 1 - Moderately high stress 2 - Moderate dependence 3 - High dependence 4 - Protective clothing Figure 3-4. HRA Event Tree for Switchover Following Small LOCA: Controlled Access Operations, Post-TMI Staffing

I First Analysis: Pre-TMI Manning The HRA event tree for this step (shown in Figure 3-5) begins with the representation of an error of failing to respond to the BWST level. This constitutes an error of omission in following the written procedures, a basic HEP of .01 for A. This basic HEP is doubled to .02 to reflect the effects of a moderately high level of stress. This HEP is doubled again to reflect the poor quality of the written procedures *, becoming .04. Of the three people in the control room, high dependence between the operator assigned to these tasks and the shift supervisor and complete dependence between him and the other operator are assumed. The resulting joint HEP for this task is about .021.

The next error modelled, B, is one of commission. It involves the operator's making an error in reading the BWST monitor. Since it is an analog meter, the basic HEP is .003. This value is modi-fied to account for the effects of moderately high stress on a dynamic task since reading the meter and watching for its fall to a predetermined setpoint constitute a dynamic task. The modified basic HEP is .015. The two people in the control room not assigned specifically to this monitoring task will tend to rely on their colleague's reading (i.e., they will not be involved in the task themselves), but will be suspicious of his reading should other signs in the control room contradict what he says he sees.

Therefore, high and complete dependence are assigned. The joint HEP for this task is approximately .0076.

The next error, C, is the failure of the recovery factor afforded by the operator's noticing the BWST's lo-lo-level annun-ciator. Assuming that there are five annunciating indicators at this time and that the BWST lo-lo-level is relatively independent of the others, the probability that any operator will fail to notice it is .003, the basic HEP. Assuming high and complete levels of dependence for this error results in a joint HEP of about .0015.

Complete dependence is assumed between noticing the annunciator and carrying out the assigned tasks with respect to errors of omission. There is, however, a possibility for an error of commission, D, the operator 's making a selection or a manipula-tion error. The basic HEP for this is .001. Modified for the moderately high stress level, it becomes .002. Again assuming high and complete levels of dependence, the resulting joint HEP is approximately .001.

The' total failure probability for this example is .001.

\

on .90 A. .02 ca.9985 c. 0015 F

b' .9924 Da .0076

c. 9985 C. 0015 d'.999 Ds.001 S F Event BEIEP JHEP MODS
  • A = Fail to monitor BWST level .0A .02 1,2,3,4-B = Reading error on BWST monitor .003 .0076 1,2,3 C = Fail to respond to BWST ANN .003 .0015 2,3 D = Selection error .001 .001 1,2,3
  • Modifications 1 - Moderately high stress 2 - High dependence 3 - Complete dependence 4 - Poor procedures Figure 3-5. HRA Event Tree for Switchover Following Small LOCA: Control Room Operations, Pre-TMI Staffing d ..

l

l l

Second Analysis: Post-TMI Manning Figure 3-6 is the HRA event tree for this analysis (this figure appeared as Figure B15-14 in the ANO-1 PRA). Post-TMI training is assumed to have the same effects demonstrated in Figure 3-4. Moderate and high dependence for A result in a joint HEP of about .0037. If the STA were assumed to be present with a high level of dependence between him and the others, the joint HEP would be .00185.

With respect to the reading error, B, the same level's of dependence are assumed. The joint HEP for this error is now about

.0011. Complete dependence would have been assumed for the STA in this case, resulting in no change in the estimated joint HEP.

For C, Failure to notice the annunciator, low and moderate levels of dependence are assumed among the control room team members. This results in a joint HEP of approximately .00002 for this error. If high dependence w assumed for the STA, the joint HEP would be approximately 10 gre For the selection error, D, moderate and high dependence were again assumed. Given this assumption, the joint HEP for D is about .0001. Complete dependence would be assumed for the STA, causing no change to the joint HEP.

The resulting total failure probability for this example is approximately 1 x 10-4 1

I c a .99 63 A * .OO 37 c a .99998 C a .00002 be.9988 88.0012 c5.99998 C ' .00002 d '.9999 08.0001 S F Event BHEP JHEP MODS

  • A = Fail to monitor BWST level .01 .0037 1,3,4,5 B = Reading error on BWST meter .003 .0011 1,3,4 C = !a;l to respond to BWST ANN .003 .00002 2,3 D = Selection / manipulation error .001 .0001 1,3,4
  • Modifications 1 - Moderately high stress 2 - Low dependence 3 - Moderate dependence 4 - High dependence 5 - Poor procedures Figure 3-6. HRA Event Tree for Switchover Following Small LOCA: Control Room Operations, Post-TMI Staffing CHAPTER 4 Requantification of ANO-1 Dominant Accident Sequences In this chapter we requantify the dominant and near-dominant ANO-1 accident sequences which are significantly effected by the human reliability analyses presented in Chapter 3. The numerical results of the Chapter 3 analysis are summarized below.

Failure to Failure to Failure to Switchover Switchover Establish (Control (Controlled Feed & Bleed Room) Access)

Pre-TMI Operator Manning, No SPDS, No Saturation 0.08 1 x 10-3 0,01 Alarm Post-TMI Operator Manning, With SPDS, 5 x 10-4 1 x 10-4 1.6 x 10-3 With Saturation Alarm (Published ANO-l PRA Results)

ANO PRA Event Name HPI-PUMP-CM SL-SUMP-CM HPRS-CM The requantification of the sequences with an asterisk in Chapter 2 was performed by 1) replacing the published ANO human error event probabilities with the pre-TMI values, and 2) resuming the individual accident sequence cut set frequencies to yield the total accident sequence frequency. Most of the accident sequence cut sets can be found in Appendix C of the ANO-1 PRA. Those that cannot be found were obtained from the original computer runs.

Table 4-1 lists the ANO-1 pre- and post-TMI dominant accident sequences and their frequencies and Table 4-2 gives the key to the nomenclature. (The post-TMI sequence frequencies were those published in the ANO-l PRA.) As can be seen, the post-TMI improvements reduces the overall core melt frequency by approxi-mately a factor of 2.5. Sequences affected the most by the post-TMI changes are those involving operator initiation of feed and bleed core cooling following a total loss of feedwater (single asterisk sequences in Table 4-1). By comparing the HPAs depicted in Figures 3-1 and 3-2, it can be noted that the pre-TMI case is dominated by an error of accident misdiagnosis (branch B in Figure 3-1), whereas the post-TMI case is not dominated by any single type of error.

2 TABLE 4-1 ANO-1 Dominant Sequence Frequencies (per reactor year)

Post-TMI Manning, With SPDS, With Saturation Annunciator Pre-TMI Manning, (Published ANO-1 PRA No SPDS, No Satura-Sequence Results) tion Annunciator T(LOP)LD1YC 9.9E-6 9.9E-6 B(1.2)D1C 4.4E-6 4.4E-6 T(D01)LQ-D3 4.0E-6 4.0E-6 T(A3)LQ-D3 3.3E-6 3.3E-6 T(D01)LD1YC 3.lE-6 3.lE-6 T(FIA)KD1 2.8E-6 2.8E-6 D(1.2)D1 2.8E-6 2.8E-6 T(D02)LD1YC 2.5E-6 2.5E-6

  • T(D01)LD1 2.2E-6 1.5E-5 T(D01)LD1C 1.8E-6 1.8E-6
    • B(4)H1 1.4E-6 4.6E-6 T(A3)LDIC 1.4E-6 1.4E-6

, **B(1.66)H1 1.2E-6 3.7E-6

  • T(A3)LD1 1.0E-

< 10 g 1.3E-5

    • T(PCS)Q-H1 2.4E-6
  • T(LOP)LD1 < 10 -6 9.0E-6
  • T(PCS)LD1 < 10 -6 3.2E-5
  • T(FIA)MLD1 < 10 -6 1.4E-5 Total Core Melt 1 5.0E-5 1.3E-4 1This total includes the contribution from other nondominant sequences not shown.
  • Sequences involving operator failure to establish " feed and L

bleed".

    • Sequences involving operator failure to establish "switchover" to recirculation.

TABLE 4-2 Symbols Used in Table 4-1 Initiating Events B (1. 2) - Reactor Coolant Pump Seal Rupture or Small-Small LOCA

(.38" < C s 1.2")

B (1. 66 ) - Small LOCA (1.2" < D s 1. 6 6")

B(4) - Small LOCA (1.66" < D $ 4")

T(LOP) - Loss of Offsite Power Transient T(PCS) - Loss of Power Conversion System Transient Caused by Other Than a Loss of Offsite Power T(FIA) - Transients With All Front Line Systems Initially Available T(A3) - Transient Initiated by Failure of the ES Bus A3 (4160VAC)

T(D01) - Transient Initiated by Failure of the ES Bus D01 (125VDC)

T(D02) - Transient Initiated by Failure of the ES Bus D02 (125VDC)

System Failures C - Reactor Building Spray Injection System Dy - High Pressure Injection System (1 of 3 pumps)

D 3

- High Pressure Injection System (2 of 3 pumps)

Hy - High Pressure Recirculation System K - Reactor Protection System L -

Emergency Feedwater System 0 - Reclosure of Pressurizer Safety / Relief Valves 4 Y - Reactor Building Cooling System M - Power Conversion System ,

In closing, certain limitations in this analysis should be recognized. The IREP ANO-1 PRA, upon which this sensitivity study is based, did not use an operator recovery model sufficiently sophisticated to allow the affects of these three post-TMI improvements on recovery operations to be evaluated. These unevaluated affects would not only be expected to apply to the accident sequence considered here, but others as well. Thus, the report only evaluates part of the affects of the three post-TMI improvements on core melt frequency.

5

- _ _ _ _ - _ __-_J

REFERENCES I

1. NUREG/CR-2787, " Interim Reliability Evaluation Program:

Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant," G. J. Kolb, et al, US NRC, Washington, DC, June 1982.

2. NUREG/CR-1270, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," A. D. Swain and H.E. Guttmann, draft report for interim use and comment, US NRC, Washington, DC, October 1980.
3. NUREG/CR-2254, "A Procedure for Conducting a Human Reliability Analysis for Nuclear Power Plants," B. J. Bell and A. D.

Swain, draft report for interim use and comment, US NRC, Washington, DC, December 1981.

I i

l r

l

e., - - -

DISTRIBUTION:

US NRC Distribution Contractor (CDSI) (250 copies) 7300 Pearl Street Bethesda, MD 20014 250 copies for RG

B. J. Bell (5)

Battelle Columbus Laboratories 505 King Avenue Columbus, Ohio 43201 W. T. Craddock (10)

Arkansas Power & Light Co.

P. O. Box 551 Little Rock, AR 72203 W. L. Ferrell Science Applications, Inc.

1710 Goodridge Dr.

McLean, VA 22102 W. J. Galyean Science Applications, Inc.

505 Marquette NW, Suite 1200 Albuquerque, NM 87102 D. M. Kunsman Science Applications, Inc.

505 Marquette NW, Suite 1200 Albuquerque, NM 87102 J. A. Murphy (25)

Division of Risk Analysis Office of Nuclear Regulatory Research US Nuclear Regulatory Commission Washington, DC 20555 K. Neamtz Arkansas Power & Light Co.

P. O. Box 551 Little Rock, AR 72203 h

J. Robertson Arkansas Power & Light Co.

P. O. Box 551 Little' Rock, AR 72203 J. Young i

Energy, Inc.

515 W. Harrison, Suite 220 Kent, Washington 98031 l

DISTRIBUTION (Cont.)

3141 L. J.'Ericson (5) 3151 W. L. Garner 7223 R. R. Prairie 7223 A. D. Swain III 7223 D. P. Miller 8214 M. A. Pound 9400 A. W. Snyder 9410 D. J. McCloskey 9411 A. S. Benjamin 9411 S. W. Hatch 9412 J. W. Hickman (9) 9412 N. L. Brisbin 9443 D. D. Carlson 9412 W. R. Cramond 9412 F. T. Harper 9412 A.M. Kolaczkowski 9412 G. J. Kolb (5) 9412 S . II . McAhren 9412 A. C. Payne 9412 T. A. Wheeler 9412 D. W. Whitehead 9413 N. R. Ortiz 9414 G. B. Varnado 9414 D. L. Berry 9414 D. R. Gallup 9414 G. A. Sanders 9414 D. W. Stack 9414 R. B. Wcrrell 9415 D. C. Aldrich 9416 L. D. Chapman 9416 B.J. Roscoe 9420 J. V. Walker 9440 D. A. Dahlgren 9450 J. A. Reuscher t

  1. O m en U.S. NUCLE AR REGULATORY COMMISSION BIBLIOGRAPHIC DATA SHEET SAND 83-0710, NUREG/CR-32 4
4. TITLE ANO SUBTlTLE (Add Volume No., of approorratel 2- (Leave b/mkl The Effect of Some Operations and Control Room Improvements on the Safety of the Arkansas J. RECIPIENT'S ACCESSION NO.

Nuclear One, Unit One, Nuclear Power Plant

7. AUTHOR (Si Barbara J. Bell (Battelle Columbus Labs) s. DATE REPORT COMPLE TED M ON T H l YEAR Gregory J. Kolb (Sandia) May v 1983
9. PE RF ORMING ORGAN 1/ATION N AMC AND MAILING ADDRESS (incluor I,p Codel DATE REPORT ISSUED Sandia National Laboratories '

Division 9412 e ft,,,,o,,,,,

Albuquerque, NM 87185

8. (Leave blank) 12 SPONSORING ORGANIZ ATION N AME AND M AILING ADDRESS (include Ip Codel
10. PROJECTITASK/ WORK UNIT NO.

US Nuclear Regulatory Commission 11. FIN NO.

Division of Risk Analysis Office of Nuclear Reaulatory Research A1241 Washington. nr  ? n s n e!

13 T Y PE OF RE PO R T 'E RIOD COVE RE D (inclus>ve oefest Technical Report

15. SUPPLEMENTARY NOTES 14 (L'8v' 8/ 8"" #

None

16. ABSTR ACT (200 words or less!

In this report, a sensitivity analysis was performed to evaluate the the effect that three operations and control room improvements have on the core melt frequency estimated for the Arkansas Nuclear One-Unit 1 (ANO-1) nuclear power plant. The three improvements evaluated were 1) installation of a safety parameter display system, 2) installation of a margin to saturation annunciator, and 3) increased control room operator manning.

Core melt frequencies were calculated through use of the plant models published in the ANO-1 probabilistic risk assessment. The three improve-ments were found to decrease the ANO-1 core melt frequency by approximately a factor of 2.5.

17 KE Y WORDS AND DOCUMENT AN ALYSIS 17a DESCRIPTORS 17b IDENTIFIE RS OPEN ENDE D TERYS

18. AV AILABILITY ST ATEMENT 19. SECURITY CLASS (Thes reporrl 21 NO OF P AGES Unclassified 33 Un1imited ' " '"

' U n c l Y s's't F i E d "'"' S NRC ,ORu sas m en

Org. Bldg. Name Rec'd by Org. Bldg. Name Rec'd by t 1ANIRG 120555078877 S &1 C'I o;op 6

b ea-co, noneG DC 20555 90(Mnown ns i

I

__ _ _ _ _ - _ - _ - - -