ML20101S045

TER of IPE Submittal,Human Reliability Analysis, Final Rept
ML20101S045
Person / Time
Site: Vogtle (Southern Nuclear)
Issue date: 11/20/1995
From: Wreathall J
CONCORD ASSOCIATES, INC.
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20101S035 List:
References
CON-NRC-04-91-069, CON-NRC-4-91-69 CA-TR-95-019-42, CA-TR-95-19-42, NUDOCS 9604170524


Text

VOGTLE ELECTRIC GENERATING PLANT UNITS 1 AND 2
INDIVIDUAL PLANT EXAMINATION
TECHNICAL EVALUATION REPORT
(HUMAN RELIABILITY ANALYSIS)

ENCLOSURE 4

9604170524 960415 PDR ADOCK 05000424 P PDR

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
CA/TR-95-019-42

VOGTLE ELECTRIC GENERATING STATION
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS

FINAL REPORT

by John Wreathall
John Wreathall & Company, Inc.

Prepared for
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Final Report, December 20, 1995

11915 Cheviot Dr., Herndon, VA 22070, (703) 318-9262
725 Pellissippi Parkway, Knoxville, TN 37932, (615) 675-0930
6201 Picketts Lake Dr., Acworth, GA 30101, (404) 917-0690

CA/TR-95-019-42

VOGTLE ELECTRIC GENERATING STATION
TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL
HUMAN RELIABILITY ANALYSIS

FINAL REPORT

By:
J. Wreathall
John Wreathall & Company, Inc.

Prepared for:
U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research
Division of Systems Technology

Final Report
November 20, 1995

CONCORD ASSOCIATES, INC.
Systems Performance Engineers
725 Pellissippi Parkway
Knoxville, TN 37932

Contract No. NRC-04-91-069
Task Order No. 42

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee IPE Process
  E.3 Human Reliability Analysis
    E.3.1 Pre-Initiator Human Actions
    E.3.2 Post-Initiator Human Actions
  E.4 Generic Issues and CPI
  E.5 Vulnerabilities and Plant Improvements
  E.6 References

1. INTRODUCTION
  1.1 HRA Review Process
  1.2 Plant Characterization

2. TECHNICAL REVIEW
  2.1 Licensee IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
      2.1.3.1 Licensee Participation
      2.1.3.2 Peer Review
  2.2 Pre-Initiator Human Actions
    2.2.1 Types of Pre-Initiator Human Actions Considered
    2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions
    2.2.3 Screening Process for Pre-Initiator Human Actions
    2.2.4 Quantification Process for Pre-Initiator Human Actions
  2.3 Post-Initiator Human Actions
    2.3.1 Types of Post-Initiator Human Actions Considered
    2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
    2.3.3 Screening Process for Post-Initiator Response Actions
    2.3.4 Quantification of Post-Initiator Human Actions
      2.3.4.1 SLIM Analyses
      2.3.4.2 THERP Analyses
      2.3.4.3 Dependency Analyses
    2.3.5 Impact of Recovery Actions
    2.3.6 Impact of Human Actions on Internal Flooding
    2.3.7 Generic and Unresolved Safety Issues, and Containment Performance Improvement Recommendations
      2.3.7.1 Generic and Unresolved Safety Issues
      2.3.7.2 Containment Performance Improvement (CPI) Recommendations
  2.4 Vulnerabilities, Insights and Enhancements
    2.4.1 Vulnerabilities
    2.4.2 Insights Related to Human Performance
      2.4.2.1 Human Actions Contributing to Core Damage Frequency
      2.4.2.2 Human Actions Contributing to Containment Bypass Accident Sequences
      2.4.2.3 Insights from Quantification Process
    2.4.3 Human-Performance-Related Enhancements

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Georgia Power Company's submittal of the Vogtle Electric Generating Station (VEGP) Individual Plant Examination (IPE) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the IPE meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

The Vogtle Electric Generating Plant (VEGP) consists of two essentially identical Westinghouse PWRs. Both units are four-loop designs with large, dry containments. Both units have power ratings of 3565 MWt and 1210 gross MWe. Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989. The VEGP site is located in southeast Georgia, on the west side of the Savannah River about 26 miles southeast of Augusta, Georgia.

Very limited information is provided in the VEGP IPE Submittal and the response to the RAI concerning the human-performance-related characteristics of the plant. The only specific information provided is that the VEGP Emergency Operating Procedures are based on the Westinghouse Owners Group Emergency Response Guidelines.

As a result of performing this analysis, the licensee identified three recovery actions that, at the time of the analysis, were not included in plant procedures. These actions were incorporated into the VEGP procedures in August 1992 and credit is taken in the HRA analysis.

E.2 Licensee IPE Process

The HRA process addressed both pre-initiator and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions considered included only restoration errors (failures to restore components after testing). Miscalibration errors were excluded from the scope of the analysis; this exclusion is a limitation in the IPE since, by excluding the consideration of such errors, no possible plant-specific vulnerabilities in these activities will be found.

Post-initiator actions included both response-type and recovery-type actions. The primary HRA technique employed to quantify pre-initiator human actions was a simplified version of the Technique for Human Error Rate Prediction (THERP). For post-initiator human actions, three HRA techniques were employed to quantify errors: the Success Likelihood Index Method (SLIM), the simplified version of THERP, and a dependency model for use with multiple human actions occurring in a single accident sequence. Plant-specific performance shaping factors were considered extensively in the SLIM method and to some degree in the other analyses. Human errors were identified as significant contributors in accident sequences leading to core damage, and three human-performance-related enhancements were identified and credited in the IPE. Licensee staff with knowledge of plant design, operations and maintenance had significant involvement in the HRA process.

Procedures reviews, interviews with operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. An independent review of the HRA performed by an in-house staff, supplemented by an independent consultant, helped to assure appropriate use of HRA techniques.

E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Actions.

The HRA addressed errors in pre-initiator human actions associated with maintenance and test surveillance tasks which could cause equipment necessary for response to an accident to be unavailable on demand. Human errors in these pre-initiator actions were incorporated into the systems analysis (fault trees) as a specific cause for system unavailability. As indicated above, only misalignment (restoration errors) were considered. Errors in calibration actions were excluded because "such errors would be as likely to produce an early actuation as a delayed or prevented actuation; there are normally multiple input signals or actuation devices; and miscalibration errors have seldom been shown to be important in past probabilistic risk assessments." The exclusion of these errors is considered a limitation in the analysis since any potential vulnerabilities in these actions cannot be uncovered if they are excluded entirely from the analysis.

Pre-initiator actions to be quantified were identified and selected from operating procedures and functional test procedures during the development of the system models and failure sequences. Qualitative evaluation removed certain errors from consideration. The screening rules were such that a component (pump or valve) was modeled if none of the following criteria were met: proper valve positioning cannot be detected using specified pump flow tests; valve or other component mis-positioning is not immediately detectable by status lights or alarms at the main control panel; and the valve is not automatically realigned by an ESFAS signal. Six errors survived the qualitative screening.

Quantification was performed using a version of THERP that has been found in other submittals to lead to inconsistent results, though primarily in modeling the post-initiator human actions. A limited number of plant-specific performance shaping factors and dependencies were treated in the quantification; these were the existence, length and type of procedures. The numerical values for the pre-initiator HEPs are generally consistent with the range of results in other PRAs. No pre-initiator actions were identified as important human errors in the IPE model. Overall, the VEGP pre-initiator analysis was an average to somewhat limited assessment of pre-initiator actions among the IPEs we have reviewed to date.

E.3.2 Post-Initiator Human Actions.

As indicated above, the HRA addressed both response-type and recovery-type actions. Actions to be included were identified from review of procedures and by discussion and interview with operations staff. IPE team members included individuals with plant operational experience. The actions identified and quantified are generally consistent with those analyzed in other PWR PRAs. No quantitative screening was performed for post-initiator human actions. The response-type actions were quantified principally using the Success Likelihood Index Method (SLIM). This method involved assessing seven plant-specific performance-shaping factors: complexity of the operator action; time factors; the crew's level of knowledge, training, and experience; adequacy of guidance materials; characteristics of the man-machine interface; previous, subsequent and concurrent actions; and stress. Events involving actions outside the control room were quantified using the version of THERP that has been identified as leading to inconsistent results in the HRA portions of other IPEs.

Dependencies among multiple actions within an accident sequence were quantified using a specialized decision tree that included such factors as: stress in the prior task(s); adequacy of the procedures, time, and complexity.

A total of ten recovery actions were identified after initial quantification of the IPE and applied to sequences. Seven actions were already proceduralized at VEGP. The remaining three were identified during the performance of the IPE, incorporated in the procedures, and credited in the analysis. They were quantified using the same version of THERP as the ex-control-room actions. This process of applying credit for recovery actions resulted in a significant though unreported reduction of the CDF; however, a sensitivity analysis of the recovery actions indicated an increase in the core damage of about a factor of 2 if the recovery action probabilities were each increased by a factor of 10. NUREG-1335 guidance emphasizes the importance of assuring that credit for recovery actions, in particular non-proceduralized recovery actions, is thoroughly justified. In our view, the information provided by the licensee in the submittal justifies the recovery actions in that all the claimed recovery actions are proceduralized (and have been since 1991), and were subject to extensive internal reviews before being incorporated in the analysis. This is considered a strength in the IPE submittal.

E.4 Generic Issues and CPI

The licensee discusses the unresolved safety issues associated with decay heat removal (USI A-45) and with internal flooding (USI A-17), and states that the IPE analyses may be used at some future time to address other generic or unresolved safety issues.

In the evaluation of issues associated with decay heat removal, the submittal discusses the post-initiator human actions related to the following heat-removal functions: during transients, via the secondary side using the AFW, MFW, or condensate systems, or via feed-and-bleed operations; during small LOCAs via the AFW system or by feed-and-bleed operations; and during small LOCAs and following feed-and-bleed operations, when recirculation or normal RHR cooling is established, heat is removed via the RHR heat exchangers or containment cooling units.

No operator actions were identified with regard to the analysis of internal floods, and therefore none are identified in response to USI A-17.

In the discussion of containment performance, the licensee has not identified any human actions associated with the issue of CPI.

E.5 Vulnerabilities and Plant Improvements

The licensee adopted the guidelines presented in NUMARC 91-04 as its basis for assessing whether any plant-specific vulnerabilities to severe accidents existed at VEGP in terms of core-damage accidents. For containment performance, the licensee adopted the guidance provided in Appendix 2 of Generic Letter 88-02. As a result of applying the NUMARC and Appendix 2 guidelines, the submittal concludes that no plant-specific vulnerabilities exist at VEGP. Therefore no human actions are associated with vulnerabilities.

The submittal identified three operator-related improvements to the plant. These have been incorporated as new recovery actions in the VEGP EOPs. These actions are:

1. Manual control of turbine-driven AFW pump following loss of all AC and DC power.

2. Establishment of one Nuclear Services Cooling Water (NSCW) pump operation on "loss of NSCW" initiating event; and

3. Opening the doors on loss of Control Building ESF electrical HVAC room cooling.

E.6 Observations

The following observations, produced by our document-only review of the VEGP submittal, are pertinent to NRC's evaluation of whether the submittal has met the intent of the NRC's Generic Letter 88-12:

1. The submittal and supporting documentation indicate that utility personnel were extensively involved in the HRA, and that the walkdowns and documentation reviews constituted a suitable process for confirming that the HRA portions of the IPE represent the as-built and as-operated plant.

2. The licensee performed in-house peer reviews that provide some assurance that the HRA techniques have been correctly applied and that the human actions included in the documentation are accurately described.

3. The analysis of pre-initiator human actions was limited in that only failures in restoration following testing were included. The omission of any analysis of miscalibration errors means that no opportunity existed for the licensee to identify any plant-specific vulnerabilities in calibration actions.

   The processes for identification and selection of actions, qualitative screening (no numerical screening was performed), and quantification of pre-initiator actions were reasonably comprehensive. The quantification involved the assessment of a limited number of plant-specific performance shaping factors and dependencies influencing the probability of failure. Numerical results (human error probabilities) are generally consistent with values in other PRAs.

4. The treatment of post-initiator human actions was reasonably complete in scope. Both response-type and recovery-type actions were included, including two actions modeled in the post-core-damage (back-end) analysis. The process for the identification and selection of actions was based on the development of Event Sequence Diagrams, whose development included both HRA and "front-end" analysis personnel. The development of these diagrams involved review of procedures and discussion with plant personnel. The collaboration between the HRA and systems' analysis tasks in creating these diagrams is a strength of the VEGP IPE.

   The SLIM method uses probabilities provided external to the method as anchor points or reference values; the anchor points used in the VEGP IPE are not identified or described by the licensee. The selection of inappropriate anchor points can distort the probabilities assigned by the SLIM method. Therefore the possibility exists that the VEGP human error probabilities are based on inappropriate anchor points, which could potentially limit the validity of the IPE results.

5. Several limitations exist in the treatment of a small number of post-initiator human actions that are modeled using the simplified version of the THERP method. One principal limitation is the failure to treat the diagnosis element of the modeled actions. A second is the inappropriate use of special one-of-a-kind checking as a recovery factor. It is not possible to determine the overall significance of these limitations from our document-only review. However, because of the restricted use of this simplified method in this IPE, this is not a major limitation in the IPE.
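
The anchor-point concern in observation 4 can be made concrete with a short calculation. The sketch below is an added example, not the licensee's or the reviewer's calculation; it assumes the log-linear calibration log10(HEP) = a*SLI + b commonly used with SLIM, and every weight, rating and anchor value in it is constructed for illustration.

```python
"""SLIM anchor-point sensitivity (added illustration; all numbers are constructed)."""
import math

# The seven performance-shaping factors (PSFs) listed in this review for the SLIM analysis.
PSFS = (
    "complexity",
    "time_factors",
    "knowledge_training_experience",
    "guidance_materials",
    "man_machine_interface",
    "previous_subsequent_concurrent_actions",
    "stress",
)


def success_likelihood_index(weights, ratings):
    """Return the SLI: the weight-normalised sum of PSF ratings.

    weights: relative importance of each PSF (any non-negative scale).
    ratings: quality of each PSF for this action, 0.0 (worst) to 1.0 (best).
    """
    missing = (set(PSFS) - set(weights)) | (set(PSFS) - set(ratings))
    if missing:
        raise ValueError(f"missing PSFs: {sorted(missing)}")
    if any(weights[p] < 0 for p in PSFS):
        raise ValueError("weights must be non-negative")
    total = sum(weights[p] for p in PSFS)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    for p in PSFS:
        if not 0.0 <= ratings[p] <= 1.0:
            raise ValueError(f"rating for {p} must lie in [0, 1]")
    return sum(weights[p] / total * ratings[p] for p in PSFS)


def calibrate(anchor_1, anchor_2):
    """Fit log10(HEP) = a*SLI + b through two (SLI, HEP) anchor tasks."""
    (s1, h1), (s2, h2) = anchor_1, anchor_2
    if s1 == s2:
        raise ValueError("anchors need distinct SLI values")
    for h in (h1, h2):
        if not 0.0 < h <= 1.0:
            raise ValueError("anchor HEPs must lie in (0, 1]")
    a = (math.log10(h2) - math.log10(h1)) / (s2 - s1)
    b = math.log10(h1) - a * s1
    return a, b


def hep_from_sli(sli, a, b):
    """Convert an SLI to a human error probability, capped at 1.0."""
    return min(1.0, 10 ** (a * sli + b))


def compare_anchor_sets(sli, anchor_sets):
    """Return {name: HEP} for the same SLI under each candidate pair of anchors."""
    return {
        name: hep_from_sli(sli, *calibrate(*anchors))
        for name, anchors in anchor_sets.items()
    }


# Constructed expert judgements for one hypothetical response-type action.
SAMPLE_WEIGHTS = dict(zip(PSFS, (20, 20, 15, 15, 10, 10, 10)))
SAMPLE_RATINGS = dict(zip(PSFS, (0.4, 0.5, 0.7, 0.6, 0.5, 0.4, 0.3)))

# Two constructed anchor pairs, each ((SLI, HEP) of a poor task, (SLI, HEP) of a good task).
SAMPLE_ANCHORS = {
    "pessimistic": ((0.1, 0.5), (0.9, 1e-3)),
    "optimistic": ((0.1, 0.1), (0.9, 1e-4)),
}

if __name__ == "__main__":
    sli = success_likelihood_index(SAMPLE_WEIGHTS, SAMPLE_RATINGS)
    print(f"SLI = {sli:.3f}")
    for name, hep in compare_anchor_sets(sli, SAMPLE_ANCHORS).items():
        print(f"{name:12s} anchors -> HEP = {hep:.2e}")
```

The expert ratings and weights are identical in both runs; only the undocumented anchors differ, and the resulting HEP moves by roughly a factor of seven.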


1. INTRODUCTION

1.1 Review Process

The HRA review was a "document-only" process, which consisted of essentially four steps:

1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.

3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization

The Vogtle Electric Generating Plant (VEGP) consists of two essentially identical Westinghouse PWRs. Both units are four-loop designs with large, dry containments. Both units have power ratings of 3565 MWt and 1210 gross MWe. Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989. The VEGP site is located in southeast Georgia, on the west side of the Savannah River about 26 miles southeast of Augusta, Georgia.

Very limited information is provided in the VEGP IPE Submittal and the response to the RAI concerning the human-performance-related characteristics of the plant. Other than identifying Abnormal, Emergency, General, and System Operating Procedures, Surveillance Test Procedures, and Maintenance Procedures as sources of information for the study, there is almost no description of the plant-specific human-performance-related factors used in the HRA quantification, which include factors associated with operators' knowledge and training, the human-system interface, and the adequacy of the procedures and other job-performance aids. The only specific information provided is that the VEGP Emergency Operating Procedures are based on the Westinghouse Owners Group Emergency Response Guidelines.

As a result of performing this analysis, the licensee identified three recovery actions that, at the time of the analysis, were not included in plant procedures. These actions were incorporated into the VEGP procedures in August 1992 and are included in the HRA analysis. These actions are:

1) Manual control of turbine-driven AFW pump following loss of all AC and DC power;
2) Establishment of one NSCW pump operation on "loss of NSCW" initiating event; and
3) Opening the DC-Power room doors on loss of Control Building ESF electrical HVAC.

2. TECHNICAL REVIEW

2.1 Licensee IPE Process

This section of the TER discusses the overall process used by the licensee to perform the HRA portion of the analysis.

2.1.1 Completeness and Methodology.

The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident).

The analysis of pre-initiator actions included restoration errors but errors involving miscalibration were not analyzed, as discussed in Section 2.2.1 below.

Post-initiator actions considered included both response-type and recovery-type actions.

No actions were identified to be taken following the onset of core damage, although actions to isolate the containment were included in the plant response trees for the post-core-damage phase. The licensee identified these actions would be taken before core damage according to the analysis.

The primary HRA technique employed to quantify human errors in pre-initiator actions was a simplified version of the Technique for Human Error Rate Prediction (THERP) (Ref. 1). The primary technique for quantifying human errors in post-initiator actions was the Success Likelihood Index Method (SLIM) (Ref. 2), though some post-initiator actions were quantified using the simplified version of the THERP method; these were mostly recovery actions. In addition, a number of human actions were evaluated using a "dependency" HRA model for the limited number of cases where multiple actions were identified in the same accident sequence.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

VEGP is a two-unit station. No specific multi-unit effects on the modeling of operator actions were identified in the submittal or the responses to the RAI.

The licensee's approach to ensuring that the IPE HRA analysis represented the as-built and as-operated unit involved several activities. These included the following:

1) use of plant specific abnormal, emergency, general, and system operating procedures, surveillance test procedures, and maintenance procedures to identify pre-initiator and post-initiator operator actions;

2) use of plant walkdowns to identify (1) control-room alarms and indications; (2) local controls, indications, and associated lighting and posted instructions, for the plant systems and the containment;

3) use of plant operators as subject-matter experts, both to review the event sequence diagrams (used to define needed post-initiator operator actions) and to provide the expert rankings and ratings of the performance-shaping factors in the SLIM method; and

4) participation of other Southern Nuclear Operating Company (SNC) personnel from the plant and the headquarters offices in the HRA task.

The utility identified a "freeze date" for the analysis of January 1, 1991. However, several exceptions to this freeze date were taken; these exceptions are principally in the area of the "front-end" review. However, one of these exceptions included the incorporation of enhancements in operating procedures summarized in Section 1.2. These enhancements were identified in the course of the analysis and were implemented in August 1992; the analysis was performed to include the effects of these enhancements.

Overall, the submittal documentation and responses to the RAI indicate that the licensee took steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant at the time of the cutoff date of January 1, 1991, with the addition of the procedural revisions that were implemented in August 1992.

2.1.3 Licensee Participation and Peer Review.

2.1.3.1 Licensee Participation. Neither the VEGP IPE Organization Chart (Figure 5.1-1 of the submittal) nor the description of the program organization provided in Section 5.1.1 of the submittal identifies explicitly the HRA analysis as an activity separate from the front-end analysis. Therefore it is inferred that the front-end contractor (Westinghouse) was the primary performer of the HRA analysis.

However, the HRA analysis involved licensee personnel in several parts of the study.

First was the use of plant operators as subject-matter experts, both to review the event sequence diagrams (used to define needed post-initiator operator actions) and to provide the expert rankings and ratings of the performance-shaping factors in the SLIM method.

Second was the participation of other Southern Nuclear Operating Company (SNC) personnel from the plant and the headquarters offices in the HRA task. In particular, SNC personnel familiar with plant operations reviewed the written summaries of the operator actions evaluated using the SLIM method. These reviews were to ensure that the summaries identified the correct procedures and steps, that the descriptions of the scenarios were appropriate and readily recognizable by the VEGP operators, and that the terminology used in the summaries correctly reflected VEGP procedures and operating practices.

Finally, the Manager of Technical Support and representatives from the training and operations staffs participated in the analysis of recovery actions.

The level of participation of the utility is considered a strength of the VEGP IPE.

2.1.3.2 Peer Reviews. Several levels of review were provided for the HRA analysis. First was the review by SNC personnel familiar with plant operations of the written summaries of the operator actions evaluated using the SLIM method, as previously described. Second, the submittal discusses in general terms the independent reviews of the analysis (including, where appropriate, analysis notebooks) within the contractor organizations, by the SNC PRA group and plant personnel, and by the IPE Independent Review Group (IRG) and its consultant (PLG, Inc.). The IRG was staffed with management staff from the plant (assistant general manager, plant support; manager, training; manager, engineering technical support; and acting manager, maintenance), from the corporate staff (manager, maintenance and support; manager, engineering and licensing; and manager, safety audit and engineering review), and from SNC (vice president, technical services).

The human reliability analysis is specifically identified as being included in the plant, corporate, and IRG reviews.

The level of review and its explicit inclusion of the HRA analysis is considered a strength of the VEGP IPE.

2.2 Pre-Initiator Human Actions

Errors in performance of pre-initiator human actions (i.e., actions performed during maintenance, testing, and calibration) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. For information, the licensee refers to pre-initiator human actions as "pre-initiator human errors." Our review of the HRA portion of the IPE includes evaluating the licensee's HRA process to determine what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of screening processes employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.

2.2.1 Types of Pre-Initiator Human Actions Considered.

The licensee included consideration of the failures of test and maintenance personnel to return valves, pumps and other system components to their normal position following test and maintenance activities.

The licensee did not include miscalibration errors; three reasons are given for these errors not being included:

1) such errors would be as likely to produce an early actuation as a delayed or prevented actuation;

2) there are normally multiple input signals or actuation devices; and

3) miscalibration errors have seldom been shown to be important in past probabilistic risk assessments.

This omission of miscalibration errors is considered a limitation of the VEGP IPE. While it is generally true that such errors are often not identified as significant in PRAs, this can be because they also have been excluded from the scope of other PRAs. In those cases where miscalibration errors have been modeled, some PRAs have shown significant contribution from miscalibration errors. In addition, errors in instrumentation (including miscalibration errors) have played significant roles in operational events, such as those described in recent NRC reports (Ref. 3). In PWRs like Vogtle, certain parameters such as pressurizer water level and pressure are important in diagnosing the state of the plant; erroneous calibration of instrumentation associated with these parameters can lead to important post-initiator operator and other system failures. By excluding miscalibration errors (particularly any common-cause errors) from the scope of the analysis, any potential plant-specific vulnerabilities cannot be found regardless of the significance (or not) of such errors in other PRAs.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

No explicit description of the process for the initial identification of pre-initiator human actions is provided. However the following is inferred from the description of the fault trees' development and the description of information used in the IPE.

First, systems that could influence the development of accident sequences were identified and selected as part of the front-end analysis. For each such system, detailed systems' analysis notebooks were prepared. These included identification of all components whose states were changed during testing and maintenance, as defined in the VEGP test and maintenance procedures. Those components whose changes of state during testing and maintenance could lead to system or train failures (within the definition of the system fault trees) were then reviewed using a qualitative screening process to identify those pre-initiator human actions to be subject to detailed HRA quantification modeling. The screening process and the detailed quantification process are described in the following sections.

It is considered that the identification and selection of pre-initiator human actions was performed in a manner very similar to that used in other studies. As described in Section 2.1.3, the systems' analysis notebooks were subject to extensive review by plant and other licensee personnel; these reviews should have ensured that appropriate pre-initiator actions within the scope selected for the VEGP analysis were identified.

2.2.3 Screening Process for Pre-Initiator Human Actions.

A non-quantitative screening process was used by the licensee to eliminate many potential pre-accident human actions from the detailed HRA quantification process.

The screening rules for the pre-accident human actions were to include a component (pump or valve) if none of the following criteria were met:

1) proper valve positioning cannot be detected using specified pump flow tests;

2) valve or other component mis-positioning is not immediately detectable by status lights or alarms at the main control panel; and

3) the valve is not automatically realigned by an ESFAS signal.

No list is provided for the pre-accident human actions screened out using these criteria. A total of 6 pre-accident human actions remained following the screening process. These are comprised of valves not restored or realigned following testing of the auxiliary feedwater, main steam, and emergency cooling water systems.

These criteria broadly follow the guidelines for the quantification of pre-initiator human actions performed as part of the NRC's Accident Sequence Evaluation Program (ASEP) (Ref. 4.). However, there are some differences from the ASEP quantification guidelines. First, criterion 1 above is only effective providing the flow tests are performed correctly (or even at all); the ASEP guidelines recommend a failure probability of 0.01 for failing to perform the test correctly. Second, criterion 2 is only considered effective when combined with written daily or shift logging. While logging of indicators associated with important components is normally performed at most plants, there is nothing in the VEGP submittal or its responses to the RAI that confirms that practice at Vogtle.

The lack of justification for the actions screened out is a limitation in the VEGP submittal; providing the plant actually performs the kind of checking described above, this screening is not considered a limitation in the IPE.

2.2.4 Quantification Process for Pre-Initiator Human Actions.

The six pre-accident human actions that were not screened out using the criteria in Section were quantified using an interpretation of the Technique for Human Error Rate Prediction (THERP) (Ref. 1.). The values calculated for the pre-accident human action error probabilities are given in Table 1.

Examples of the calculation process for quantifying these pre-initiator human actions indicate that the assessment of performance-shaping factors was limited to the existence, length and type of procedures (for example, operator uses procedure with check-off, more than 10 items).


Table 1. Summary of pre-accident human actions (from Table 3.3.3-2 of VEGP Submittal)

| Event Name | Human Action Description | Failure Probability |
|---|---|---|
| 206-EX1 | Restore valve U4-206* after test (ECW system) | 7.7E-04 |
| 207-EX1 | Restore valve U4-207 after test (ECW system) | 7.7E-04 |
| 5095-EW1 | Restore valve HV-5095 after test (AFW system) | 7.7E-04 |
| 5094-EW1 | Restore valve HV-5094 after test (AFW system) | 7.7E-04 |
| 7/226-GAO | Restore valves U6-027 and U6-226 after test (RHR system) | 1.2E-04 |
| IMSXV | Align steam dump valves after test (MS system) | 7.5E-04 |

* Table 3.3.3-2 identifies this valve as UR-206; however, other discussions (for example, the response to HRA RAI Question 6) consistently identify the valve as U4-206.

Generally the failure probabilities in Table 1 above lie within a range of 10 or less of similar failure probabilities calculated in those IPEs that have modeled pre-initiator human actions associated with failures to restore valves following test or maintenance. For example, using the generic ASEP method, without credit for any plant-specific features (labeling, periodic checks, etc.), would indicate a failure probability of 3E-03. Therefore it is concluded that the failure probabilities presented in Table 1 are reasonable and appropriate for the purposes of the IPE.

While general concerns with this HRA method exist in relation to the modeling of post-initiator human actions, it is considered an adequate method for the quantification of pre-accident human actions.

No explicit analysis of possible dependencies between the pre-initiator human actions is described. However, in the description of the analysis of pre-initiator human actions such as 206-EX1 and 207-EX1, it states that the restoration of the two valves is completely independent since the test on valve 206 is completed (including the valve restoration action) before testing of valve 207 is begun.

Overall the information from the licensee regarding the assessment of pre-initiator human actions indicates that the assessment was relatively narrow in scope and limited in depth. Calibration errors were discounted without a thorough justification being presented. The scope of the assessment of restoration errors appears to be limited to valves, and the detailed analysis limited to two sets of valves. The THERP calculations appear to have been executed properly, though unjustified assumptions about reductions in the failure probabilities of errors of commission are identified in the THERP data. These values for errors of commission did not appear to be used in any actual calculations, however.

While these weaknesses may or may not have a significant impact on the gross quantitative results of the IPE or the basic conclusions drawn from the study, they do limit the potential for the licensee to gain a full appreciation of the ways in which human performance can influence overall risk and to identify potential risk-reduction measures. In some PRAs more rigorous assessments of pre-initiator human actions have determined that they are significant contributors to risk, and some enhancements have been made that have contributed to an overall estimated reduction of risk based on the assessment of pre-initiator human actions.

2.3 Post-Initiator Human Actions

Failures by operators to take actions in responding to an accident initiator (e.g., by not recognizing and diagnosing the situation properly or failing to perform required activities as directed by procedures) can have a significant effect on plant risk. These actions are referred to as post-initiator human actions; the licensee refers to these as "post-initiator human errors." Our review assesses the types of post-initiator human actions considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Types of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) response actions, which are performed in response to the first level directives of the emergency operating procedures and instructions (EOPs, or EOIs); and, (2) recovery actions, which are performed to recover a specific failure or fault, such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.

Both response and recovery actions were considered in the VEGP analysis, including two sets of actions to prevent leakage from the containment.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

Separate processes were followed to identify response actions and recovery actions.

The identification of response actions was primarily based on the development of event sequence diagrams (ESDs). An ESD is a graphical representation showing the combinations of systems and operator actions needed to prevent a particular initiating event from developing to the stage of causing core damage. The development of ESDs is based, in part, on the systems and related operator actions presented in the EOPs. In the case of VEGP the development of the ESDs is described as being performed by the systems' analysts in collaboration with the HRA analysts. (The technical review of the ESDs lies within the scope of the "front-end" review as the ESDs primarily provide the basis for development of the plant response trees [PRTs]).

The joint development of the ESDs by the systems and HRA analysts is considered a strength of the VEGP IPE.

Two response-type actions related to the back-end modeling were incorporated in the PRTs; these are to establish containment spray recirculation (event OAS) and to isolate the containment (event OCI).

The identification of recovery actions was performed after the majority of the PRT and fault-tree modeling had been completed. The general process involved performing a series of steps in an iterative manner. These steps include the following:

1. reviewing quantification results to determine where contributions to core damage frequency of dominant contributors could be reduced through credit for "appropriate and reasonable" actions or equipment not already in the IPE models;
2. modeling these actions or equipment;
3. re-quantifying the results; and
4. repeating the process to address new dominant contributors.

The first step, determining appropriate and reasonable actions, was performed by plant, corporate, and management personnel in discussions with IPE analysts. Such actions were documented in the Recovery Analysis Notebook, which was then subject to the project review process.

2.3.3 Screening Process for Post-Initiator Human Actions.

The licensee states that VEGP IPE did not use a numerical screening approach for post-initiator human actions.

2.3.4 Quantification Process for Post-Initiator Human Actions.

Three separate quantification processes were used for the analysis of post-initiator human actions. Most of the response-type human actions were modeled using the Success Likelihood Index Method (SLIM). A small number of response type actions and all the recovery actions were modeled using the simplified version of the THERP method. In addition, a dependency quantification method was used for those actions that were dependent on prior actions in an accident sequence. Each of these methods will be reviewed.

In some cases, an action is identified in different accident sequences, which may have different success criteria or timescales associated with them; these different criteria can have an effect on the quantified failure probabilities. In these cases, the licensee identified the different "versions" of the human action by adding a different suffix or modifier to the event name used in the PRA, and then quantified the different versions separately. For example, event OAR, realign ECCS system for recirculation, is quantified in five different versions of the event depending on whether the high- or low-pressure systems are used, and whether actions are required to stop RHR pumps.

These different versions of the same human action may be quantified using different quantification methods according to whether the particular version is a response, a recovery, or a dependent event. For example, in the case of event OAR, four of the five versions were quantified using SLIM and one version (OARa-LPSLB) was quantified as a dependent event.

In the analyses, the parameters of "time available" and "time required" for performing the actions were incorporated to some degree in all three quantification methods, but they were not a dominant influence in any of them. Therefore sequence-to-sequence variations in accident-sequence timescales would be unlikely to result in significant changes in event probabilities.

2.3.4.1 SLIM Analyses. The SLIM method, published in 1984 in NUREG/CR-3518 (Ref. 2.), has been used as an HRA quantification method in several industry-sponsored PRAs. The method is based on the rationale that the likelihood of an error occurring in a particular work setting depends on the combined effects of a small number of performance shaping factors (PSFs), and that these PSFs can be compared from one setting to another to determine their relative effects on the error likelihoods. Thus, if error likelihoods are known for two events (for example, from historical experience) then the error likelihood of a third event (for which there is no experience) can be estimated by comparing the PSFs for the third event to those of the two known "reference events". The SLIM method therefore provides a means of converting expert opinions about the effectiveness of PSFs into error probabilities through the use of "reference events".

A total of 39 post-initiator human actions were analyzed in the VEGP IPE using the SLIM method.

The practical application of SLIM requires:

1. at least one pair of reference events to act as anchors;
2. a set of PSFs to be evaluated; and
3. subject matter experts to evaluate the PSFs.

This review will consider each of these requirements as it was implemented in the VEGP IPE.

The licensee states that the reference events were obtained from HRA estimates obtained by using HRA methods other than SLIM, from HRA studies of other nuclear power plants. Neither the VEGP submission nor the responses to the RAI are specific as to the sources of the reference events, the specific reference events used, and their probabilities. The VEGP submittal does identify five PRA studies of Westinghouse-designed plants as providing inputs to the overall VEGP study:

Millstone 3 IPE (1990)

Diablo Canyon IPE (1992)

Zion IPE (1992)

Seabrook PSA (1983)

NUREG-1150 (1990).

However no indication is given as to which of these studies (if any) were used to supply the reference events. It is recognized that at least one of the above five studies (Zion IPE) is being extensively revised in response to NRC concerns about the methods and results of the HRA portion. Therefore, if the Zion study was used to provide reference events for the VEGP analysis, the probabilities of the reference events may have been changed since the VEGP analysis and therefore the probabilities calculated in the SLIM analysis are no longer consistent with that method's rationale. It is not known if any of the other reference PRAs are being revised.

Within the selection of the reference events, the PSFs selected for analysis in the SLIM study should be capable of being assessed for the reference events as well as the event being analyzed. For example, if "quality of procedures" is one PSF, the reference events must be capable of being assessed for their "quality of procedures." This is an inherent part of the SLIM method; without a spectrum of the degree of influence of each PSF (for example, "good-to-bad") being represented in the reference points, it is impractical to estimate the influence of an intermediate rating of the PSF. In the VEGP SLIM analyses, however, several of the PSFs (TRN, PRC, STR) were assumed to be the same for the reference events and the VEGP event; in other words, such PSFs had no practical influence on the derivation of the VEGP failure probability.

The selection and modeling of PSFs is discussed below.

Seven PSFs were selected for the VEGP SLIM analyses. These were:

1. Complexity of the operator action (CPX);
2. Time factors (TIM);
3. Crew's level of knowledge, training, and experience (TRN);
4. Adequacy of guidance materials (PRC);
5. Characteristics of the interface as it relates to the specific task (MMI);
6. Previous, subsequent and concurrent actions (ACT);
7. Stress (STR).

Definitions of these PSFs and the interpretation of them as influences in the human actions being analyzed were provided to the expert teams assessing the PSFs.

There is no uniquely correct set of PSFs for use with the SLIM method; the selection and assessment of PSFs is a task within the analysis. The PSFs selected for the VEGP analysis listed above are similar to those selected in other SLIM analyses and are similar to those hypothesized in the original documentation of the method. It is concluded that the PSFs used in the VEGP SLIM analyses are appropriate and reasonable.

The process used to evaluate each PSF is generally laid down in the method's documentation. The process involves two separate judgments for the PSFs. First, a decision is required as to how important is each PSF to the probability of failure of the event being analyzed; this is termed the weighting of the PSFs. Each expert makes a first estimate of this weighting, the results are discussed between the team of experts performing the analysis, and a group consensus is developed for the weightings of all the PSFs. Each analyst then estimates the "quality" of each PSF for the task being analyzed; this is the PSF rating. The scores of the weightings and ratings are then combined to form the Success Likelihood Index (SLI):

$$\mathrm{SLI} = \sum_{i=1}^{n} W_i R_i$$

where: $W_i$ is the weight of the i-th PSF,
$R_i$ is the ranking of the i-th PSF, and
$n$ is the number of PSFs being considered.

By substituting the failure probabilities of each of the two reference events, $P_x$ and $P_y$, and each of their SLI parameters, a slope, $a$, and intercept, $b$, for the equation:

$$\log(P) = a\,(\mathrm{SLI}) + b$$

can be calculated using the two resulting simultaneous equations. This equation, with the substituted SLI for each human action being modeled, is then used to calculate the corresponding failure probability.
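The calibration described above, as an added example that is not part of the original report and not the licensee's calculation. It carries the two-reference-event fit through and shows two points the review raises: PSFs rated identically for the reference events and the analyzed event (TRN, PRC, STR) drop out of the result, and a later revision of a reference-event probability changes every probability derived from it. All weights, ratings and reference probabilities are constructed; a shared weight set, a 0 to 10 rating scale and base-10 logarithms are assumptions.

```python
"""SLIM worked example. All weights, ratings and reference HEPs are constructed."""
import math

PSFS = ("CPX", "TIM", "TRN", "PRC", "MMI", "ACT", "STR")  # PSF codes from the report

# Constructed consensus weights, assumed shared by reference and analyzed events.
WEIGHTS = {"CPX": 0.20, "TIM": 0.20, "TRN": 0.15, "PRC": 0.15,
           "MMI": 0.10, "ACT": 0.10, "STR": 0.10}


def sli(weights, ratings):
    """Success Likelihood Index: sum of W_i * R_i over the PSFs.

    Assumption: weights are normalised to sum to 1 and ratings run from
    0 (worst) to 10 (best); the report does not state the scales used.
    """
    missing = [p for p in PSFS if p not in weights or p not in ratings]
    if missing:
        raise ValueError(f"missing PSF weight or rating: {missing}")
    total = sum(weights[p] for p in PSFS)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(weights[p] / total * ratings[p] for p in PSFS)


def calibrate(ref_x, ref_y):
    """Solve log10(P) = a*SLI + b from two reference events given as (SLI, HEP)."""
    (sli_x, p_x), (sli_y, p_y) = ref_x, ref_y
    for p in (p_x, p_y):
        if not 0.0 < p <= 1.0:
            raise ValueError("reference HEP must be in (0, 1]")
    if math.isclose(sli_x, sli_y):
        # Two anchors with the same SLI cannot define a slope.
        raise ValueError("reference events need different SLIs to anchor the line")
    a = (math.log10(p_x) - math.log10(p_y)) / (sli_x - sli_y)
    b = math.log10(p_x) - a * sli_x
    return a, b


def hep(sli_value, a, b):
    """Failure probability for an action with the given SLI, capped at 1."""
    return min(1.0, 10 ** (a * sli_value + b))


def slim_hep(weights, target, ref_x, ref_y):
    """HEP of `target` ratings; ref_x and ref_y are (ratings, HEP) pairs."""
    a, b = calibrate((sli(weights, ref_x[0]), ref_x[1]),
                     (sli(weights, ref_y[0]), ref_y[1]))
    return hep(sli(weights, target), a, b)


def ratings(cpx, tim, mmi, act, common):
    """Full rating set; `common` holds the TRN/PRC/STR ratings."""
    return {"CPX": cpx, "TIM": tim, "MMI": mmi, "ACT": act, **common}


def demo(common, p_good=1e-3, p_poor=1e-1):
    """Analyzed-event HEP when TRN/PRC/STR are rated the same for all three events."""
    good = (ratings(9, 9, 8, 8, common), p_good)   # constructed well-supported action
    poor = (ratings(2, 3, 3, 2, common), p_poor)   # constructed poorly supported action
    target = ratings(6, 5, 6, 5, common)           # constructed action being analyzed
    return slim_hep(WEIGHTS, target, good, poor)


if __name__ == "__main__":
    base = demo({"TRN": 7, "PRC": 7, "STR": 5})
    other = demo({"TRN": 2, "PRC": 2, "STR": 9})
    revised = demo({"TRN": 7, "PRC": 7, "STR": 5}, p_poor=3e-1)
    print(f"baseline HEP                      {base:.3e}")
    print(f"different common TRN/PRC/STR      {other:.3e}  (unchanged)")
    print(f"poor reference revised to 3E-01   {revised:.3e}")
```

Because the common ratings add the same constant to all three SLIs, only the intercept moves and the fitted probability stays the same, which is why such PSFs carry no information in the fit.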

This approach was followed appropriately in the VEGP SLIM analyses. Assessment of the weights and rankings of the PSFs was performed by two operating crews from the plant, with a SLIM facilitator leading the discussion and keeping track of the results. Each crew was composed of one senior reactor operator (SRO) and two licensed operators. The work arrangement was such that each crew evaluated different post-initiator human actions. The crews were provided with the same training in the SLIM concepts and descriptions of the meaning of the PSFs in the context of the HRA were provided. As the evaluation of PSFs progressed, the weights and rankings were recorded on appropriate scoring sheets. Action summaries that listed the action, its event-tree context, other concurrent or related actions, relevant procedural steps, indications and controls, and time-related information were provided to the crews as a frame of reference for the analysis. The resulting weights and ratings were then entered into a computer program that calculated the SLI for the event.

The elicitation of the weights and rankings of the PSFs followed the pattern of NUREG/CR-3518, and is generally similar to that followed in other HRA studies using the SLIM method. Some other studies have augmented the use of operators as assessors of the PSFs with experienced training personnel, since such personnel tend to see more instances of "errors" in the training simulator setting and are therefore sometimes more sensitive to the kinds of influences that cause errors. However using operators alone to assess the PSFs is an accepted practice in SLIM assessments. Table 2 presents the summary of results from the SLIM analysis for those events identified as yielding at least 1% contribution to the total core-damage frequency.

Table 2. Summary of significant human errors modeled using the SLIM method.

| Event Name | Human Action Description | Failure Probability |
|---|---|---|
| OABa | Establish feed-and-bleed cooling, SI in progress | 5.9E-03 |
| OABb | Establish feed-and-bleed cooling, actuate SI | 1.0E-02 |
| OARa-LP | Realign ECCS low-pressure system for cold-leg recirculation | 1.6E-03 |
| OARa-OLP | OARa plus stop RHR pumps (OLP) | 5.7E-03 |
| OARb-HP | Realign ECCS high-pressure system for cold-leg recirculation | 2.0E-03 |
| OARb-OLP | OARb plus stop RHR pumps (OLP) | 6.1E-03 |
| ORS | Restore systems following loss of offsite power or station blackout | 6.2E-03 |

2.3.4.2 THERP Analyses. THERP analyses were performed for recovery actions and certain other post-initiator human actions that involved tasks outside the control room.

The VEGP submittal refers to this quantification as being performed using the THERP method described in NUREG/CR-1278 (Ref. 1.). However, in the sample calculations provided, the method used was a simplified variant of the THERP method. The simplifications include its failure to consider errors in decisionmaking, an assumption that all actions can be modeled to be "read procedure step, carry out action" regardless of the complexity or simplicity of the actions, arbitrary reductions in failure probabilities from the THERP database, and use of inappropriate checking models.

Reviews of other submittals that have used essentially the same simplified THERP method have identified several concerns:

a) The diagnosis model does not appear to be in agreement with the original THERP method. "Diagnosis" in NUREG/CR-1278 includes the actions to "perceive, discriminate, interpret, diagnose" an event and the operators' "first-level of decision making." While using symptom-based emergency operating procedures (EOPs) removes the need to identify the type of accident, such as a LOCA, their use does not remove the need for other aspects of diagnosis. It appears, however, that only "detection" was modeled and no basis was provided as to why other diagnostic tasks were excluded. Diagnosis is an important contributor to human error. For example, in the EPRI-sponsored Operator Error Experiment (ORE) program, 70% of the errors and near misses by the operating crew observed in simulator experiments were categorized as errors "in information processing and decision making."

b) The method for addressing the influence of the accident progression on human performance does not appear to be in agreement with the THERP method as reported in NUREG/CR-1278. The licensee uses combinations of (the same) three PSFs for all human actions for all accident conditions. It has not been explained why these three PSFs are adequate to account for the specifics of human performance under all accident conditions, nor why a particular PSF combination applies to a particular human action in a particular accident sequence.

c) The consideration of time does not appear to be in agreement with the THERP method. The licensee appeared to have only considered a "slack time" which the licensee defined as "the amount of time available to the operator over and above that necessary to diagnose and perform the action."

It is not apparent what was the basis for the calculation of the "slack time;" whether it was based on real time measures or simply on analysts' assumptions.

The calculation of "slack time" does not appear to consider the time needed to perform an action versus the time available to perform the action.

d) The licensee's treatment of plant-specific performance shaping factors does not appear to be adequately justified. General conclusions appear to have been assumed regarding such items as training, communications, supervision, and procedures that resulted in reducing the human error probabilities (HEPs). It is not apparent that plant-specific experience or history (e.g., detailed control room reviews, NRC or INPO training audits, NRC SALP reports or other reviews of plant operating history) was sufficiently considered, and therefore, the HEPs appear to be artificially derived.

The review of example events indicates that these deficiencies in the simplified THERP HRA are present in the VEGP analyses. Consider, for example, the case of event CBHVAC-SBO, "Open Inverter Room Doors on Loss of All AC". This event is described as involving two basic failures:

(1) Diagnosis: failure to recognize no power to AC emergency buses; and

(2) Action: failure to open 1 of 4 inverter room doors.

While the description of error (1) refers to a failure in diagnosis, it is actually modeled as omitting a step in the E-0 procedure combined with failure to perform "special short-term one-of-a-kind checking." This modeling does not correspond to the diagnosis model in THERP, which uses the time available for diagnosis as a basis for quantification. Additionally, the use of the "special short-term one-of-a-kind checking" as a recovery factor is restricted in the THERP documentation as not being applicable to post-initiator human actions (p. 19-3 of NUREG/CR-1278).


It is concluded that the calculation of failure probabilities of post-initiator human actions using the simplified THERP HRA leads generally to inconsistent results because of the omission of failure modes associated with diagnosis, the limited numbers of performance-shaping factors and the use of an inappropriate recovery factor (the use of the "special" checking).

The use of the simplified THERP method is considered a significant limitation in the IPE. However, because of the limited role of this simplified method in the IPE, it is not considered necessary to recommend the rejection of the IPE because of this limitation.

Table 3 identifies those human actions modeled using the THERP method that contributed at least 1% to the total core-damage frequency.

Table 3. Summary of significant human errors modeled using the THERP method.

| Event Name | Human Action Description | Failure Probability |
|---|---|---|
| CBHV-OPD | Open inverter doors on loss of CB ESF electrical HVAC | 7.3E-02 |
| CBHV-BOPD | Open inverter doors on loss of all AC (station blackout) | 2.1E-02 |
| OFC2 | Manually control TD AFW pump | 2.9E-03 |

2.3.4.3 Dependency Analysis. Twelve post-initiator human actions were identified as occurring in accident sequences that already included one or more post-initiator human errors. The modeling of these twelve events was performed explicitly using a dependency analysis method.

These events were quantified with the aid of a decision tree that guided the analyst to assessing whether the degree of dependence was considered high, moderate, or low. According to the degree of dependence, a failure probability conditional on the previous error event was calculated. Broadly these probabilities corresponded to the values cited as low, moderate, and high dependence conditional probabilities in Table 20-17 of NUREG/CR-1278.

The decision tree considered five factors in assessing the degree of dependence. These were:

1. the level of stress in the prior event;
2. the time window for the second event (i.e., the time available for the action to be performed before system failures occur);
3. the amount of slack time for the second event (i.e., the difference between the time window and the time required for responding);
4. the complexity involved in the second event (i.e., the number of steps required to perform the task); and
5. the simplicity of procedural guidance for the second event (i.e., more than one procedure required or the steps are ambiguous or confusing).

No explanation is provided by the licensee as to why these particular factors are important influences in one human action being dependent on a prior human error in an accident scenario. For example, one combination of factors (a low stress level in the prior action combined with a short time window and small slack time for the second action) yields high dependence.

The selection of factors does not appear to be based on any underlying models or understanding of coupling mechanisms between human errors, such as those discussed in Chapter 10 of NUREG/CR-1278, those incorporated in the ASEP HRA dependence model described in NUREG/CR-4772 (Ref. 5.), or those discussed in other HRA literature. In the absence of an explanation for the selection of factors, an intuitive justification can be made that failure in the earlier event and its associated stress, combined with poor PSFs for the task being performed, will lead to a higher failure probability than when the task is being performed with no prior failure. It should also be noted that the factors, as applied, would seem generally to lead towards conservative probabilities for most of the events analyzed. Table 4 presents the results of the dependency analysis for events that contributed at least 1% to the total core-damage frequency.

Table 4. Summary of significant results for the dependency analysis.

| Event Name | Human Action Description | Failure Probability |
|---|---|---|
| CBHVAC-LOPD | Open inverter room doors, dependent on LOSP initiator | 0.21 |
| OARa-LPSLB | Establish cold-leg recirculation, dependent on OAN during small LOCA | 0.5 |
| OFC1 | Control of TD AFW Pump, dependent on opening of doors during station blackout | 0.52 |

2.3.5 Impact of Recovery Actions.

The licensee performed a sensitivity study to examine the effects of the modeling of recovery actions on the estimates of the core-damage frequency and the sequences making up that frequency. This sensitivity analysis was performed by re-quantifying the core-damage frequency with human error probabilities associated with recovery actions increased by a factor of 10. The net result was to increase the total core-damage frequency by a factor of approximately 2, from 4.9E-05 to 9.3E-05 per year.

The following seven recovery actions were incorporated that were already proceduralized prior to the IPE analysis of VEGP:

1. Opening the DC power room doors on loss of all AC;
2. Manual starting of equipment on failure of automatic SI signal;
3. Manual starting of AFW on failure of automatic initiation signal;
4. Realign back to cold-leg recirculation following failure to establish hot-leg recirculation;
5. Local opening of MFW valves to establish feedwater or condensate flow following loss of AFW and DC power;
6. Local opening of SG atmospheric relief valves on SGTR; and
7. Manual opening of RHR sump valves on failure of automatic RWST switchover signal.

In addition three recovery actions were identified as a result of the IPE analysis and have been incorporated in VEGP procedures:

1. Manual control of turbine-driven AFW pump following loss of all AC and DC power;
2. Establishment of one NSCW pump operation on "loss of NSCW" initiating event; and
3. Opening the doors on loss of Control Building ESF electrical HVAC for six rooms that supply essential 125 V DC.

The predominant increase in the core-damage frequency was associated with loss-of-offsite-power sequences. The recovery actions primarily responsible for this change are:

1. Opening the DC-Power room doors on loss of all AC;
2. Opening the DC-Power room doors on loss of Control Building ESF electrical HVAC; and
3. Manual control of turbine-driven AFW pump following loss of all AC and DC power.

In addition, the recovery action to realign back to cold-leg recirculation following failure to establish hot-leg recirculation (because of component failures in medium- and large-break LOCAs) was also a contributor to the change in core damage frequency.

2.3.6 Impact of Human Actions on Internal Flooding Analysis.

The VEGP analysis of internal flooding was predominantly qualitative, with only two zones being subject to quantitative analysis. In neither case (qualitative or quantitative) were operator actions identified as being involved to prevent core damage.

2.3.7 Generic and Unresolved Safety Issues, and Containment Performance Improvement Recommendations.

2.3.7.1 Generic and Unresolved Safety Issues. The licensee discusses the unresolved safety issues associated with decay heat removal (USI A-45) and with internal flooding (USI A-17), and states that the IPE analyses may be used at some future time to address other generic or unresolved safety issues.

In the evaluation of issues associated with decay heat removal, the submittal discusses the post-initiator human actions related to the following functions:

1. During transients, heat can be removed via the secondary side using the AFW, MFW, or condensate systems. If these systems are unavailable, bleed-and-feed operations are established on the primary side. Operator actions are required for feed-and-bleed operations, and may be required for:

   - manual starting of AFW on loss of automatic initiation;
   - manual control of AFW on loss of all AC and DC power; and
   - local opening of MFW valves on loss of AFW and DC power.

2. During small LOCAs, some heat is removed by the discharge through the break while the balance is removed by the AFW system or by feed-and-bleed operations. Operator actions related to these systems are as listed for transients.

3. During small LOCAs and following feed-and-bleed operations, when recirculation or normal RHR cooling is established, heat is removed via the RHR heat exchangers or containment cooling units. Operator actions are identified to align the RHR suction to the hot legs and establish normal RHR cooling.

These actions were included in the assessments of post-initiation human actions discussed above. The licensee concludes that these human actions, including the procedural enhancements described earlier, contribute to an adequate resolution of this USI.

As discussed in Section 2.3.6, no operator actions were identified with regard to the analysis of internal floods, and therefore none are identified in response to USI A-17.

2.3.7.2 Containment Performance Improvement (CPI) Recommendations. In the discussion of containment performance, the licensee has not identified any human actions associated with the issue of CPI.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

The licensee adopted the guidelines presented in NUMARC 91-04 as its basis for assessing whether any plant-specific vulnerabilities to severe accidents existed at VEGP in terms of core-damage accidents. For containment performance, the licensee adopted the guidance provided in Appendix 2 of Generic Letter 88-02. As a result of applying the NUMARC and Appendix 2 guidelines, the submittal concludes that no plant-specific vulnerabilities exist at VEGP. Therefore no human actions are identified with any vulnerability.

2.4.2 Insights Related to Human Performance.

The licensee has been successful in identifying the importance of human performance in relation to the risks of severe accidents at VEGP. The submittal identifies those human actions important to the frequency of core damage in the base case, and also explores the sensitivity of the core-damage frequency to changes, particularly in relation to the recovery-type actions. Together with the PSF weightings for some of the more significant response-type actions modeled in the SLIM analysis, it is possible to obtain several insights related to human performance in the "front-end" analyses.

2.4.2.1 Human Actions Contributing to Core Damage Frequency. Table 5 lists those human actions that the submittal identifies as contributing at least 1% of the core-damage frequency. All the actions listed are post-initiator human actions; the largest single contribution is a recovery action to open ESF Electrical Equipment Room doors on loss of HVAC cooling that was identified during the course of the study.

The data presented in the VEGP submission used for creating Table 5 are only provided for the total of the "versions" of each human action, as discussed in Section 2.3.4. For example, the contribution for event OAB is the total for OABa, establishing feed-and-bleed while SI is in progress, and OABb, establishing feed-and-bleed, including starting SI. No breakdown of the different versions is provided.

The relatively high contributions of post-initiator human actions associated with recovering from loss-of-offsite-power and station blackout scenarios (CBHV, OAR, OFC, ORS) reflect the large contribution of such sequences to the total core-damage frequency at VEGP; the "front-end" review indicates that 70% of the core-damage frequency is associated with these sequences.

Table 5. Human action events that contribute 1% or more to total core-damage frequency.

| Event Name | Human Action Description | % Core Damage Frequency |
|---|---|---|
| CBHV | Operators fail to open ESF Electrical Equipment Room doors on loss of HVAC cooling | 17.7 |
| OAR | Operators fail to establish recirculation (high- or low-pressure) cooling | 11.5 |
| OFC | Operators fail to continue operation of TD AFW pump following failure of DC power during station blackout | 9.2 |
| OAB | Operators fail to open pressurizer PORV and initiate SI for feed-and-bleed cooling | 4.9 |
| ORS | Operators fail to restore systems following loss of offsite power or station blackout | 3.9 |
| OLP | Operators fail to stop RHR pumps when RCS pressure is greater than 300 psig or fail to start RHR pump when pressure is less than 300 psig | 1.4 |

The next largest group of sequences involving human action events are medium LOCAs, where the operator fails to align the RHR system (OAR) for low-pressure recirculation following depletion of the refueling water storage tank (RWST), and where the operator fails to stop the RHR pumps (OLP) while the RCS pressure is above the shutoff head of the pumps and hence the pumps fail. Medium LOCAs comprise 9% of the core-damage frequency.

The third largest group of core-damage sequences involving human action events are associated with steam-generator tube rupture (SGTR) events, where operators fail to accomplish feed-and-bleed (OAB) following mechanical failure of the AFW system. All SGTR accident sequences comprise approximately 4% of the core-damage frequency.

2.4.2.2 Human Actions Contributing to Containment-Bypass Accident Sequences.

Three of the top six accident sequences leading to bypass of the containment involve human action events. The two largest of these sequences are associated with SGTR events. The largest single sequence giving rise to containment bypass is that involving event OAB just described above. The second largest containment-bypass sequence involves an SGTR event where operators fail to establish recirculation cooling after successfully accomplishing feed-and-bleed on loss of AFW. The frequencies of these sequences are 5.9E-07 and 3.6E-07 per year respectively, and contribute 1.2% and 0.7% of the total core-damage frequency.

The fifth largest sequence involves an interfacing-systems LOCA where the operators fail to minimize ECCS flow to preserve the RWST inventory for high-pressure injection. The frequency of this sequence is 5.1E-08 per year and contributes 0.11% of the total core-damage frequency.

2.4.2.3 Insights from Quantification Process. Several of the other important human actions were modeled using the SLIM method. Detailed descriptions of some of the events modeled using SLIM were provided in response to the RAI. The PSF analyses of these events were reviewed to identify any potentially consistent patterns as to which are the most influential factors in the judgment of the operating crews. This is summarized in Table 6; no data were provided for event OARb. In this table, a score of 1 means that PSF had the highest weight (and, hence, was most influential) on the failure probability. A score of 2 means that PSF had the second highest weight, and so on.

Table 6. Relative weighting of each PSF for the significant events listed in Table 2.

| Event | CPX | TIM | TRN | PRC | MMI | ACT | STR |
|---|---|---|---|---|---|---|---|
| OABa | 5 | 4 | 1 | 2= | 2= | 7 | 6 |
| OABb | 5 | 4 | 1 | 2= | 2= | 7 | 6 |
| OARa | 6 | 4 | 1 | 2 | 3 | 7 | 5 |
| ORS | 3= | 7 | 1 | 2 | 3= | 5= | 5= |

As can be readily seen, training was weighted as the most influential PSF overall, with procedures and related written instructions weighted second; the man-machine interface was third, with the other four factors being less significant. There is no evidence, however, that this information provided inherently by the SLIM process was used by the licensee (for example, to prioritize human-factors resources or to identify the need or opportunities for potential improvements in the higher-weighted PSFs).

Within the scoring of these PSFs, the rating of the highest-weighted PSFs is most influential in determining the SLI value. Table 7 summarizes the ratings of the three highest-weighted PSFs for the events listed in Table 6. These ratings are provided on a scale of 0 to 1, with 0 representing a PSF as bad as practically feasible for the event and scenario being analyzed and 1 representing a PSF that is as good as practically feasible.

Table 7. Rating for highest-weighted PSFs listed in Table 6.

| Event | TRG | PRC | MMI |
|---|---|---|---|
| OABa | 0.533 | 0.767 | 0.75 |
| OABb | 0.55 | 0.753 | 0.7 |
| OARa | 0.8 | 0.85 | 0.667 |
| ORS | 0.717 | 0.817 | 0.753 |

In a practical sense, no PSF is ever rated a perfect 1; however, the relative scorings provide insights as to the underlying programs at VEGP. For example, for feed-and-bleed operations (events OABa and OABb combined), the man-machine interface is somewhat more problematical than for the restoration of systems following station blackout (event ORS). However, the training is judged more effective for event OAB than for ORS. Since event OAB is more important to the frequency of core damage (see Table 5), the licensee could use these ratings combined with the contribution to the core-damage frequency to identify possible prioritizations in programs like training or MMI design improvements. However, there is no indication from the submittal that these data have been, or are planned to be, used in any systematic manner.

No human actions were identified as critical to the containment performance, though actions to ensure containment isolation prior to the onset of core damage were modeled in the plant response trees. These actions are identified as being required in the VEGP Emergency Operating Procedure E-0 at step 7.

2.4.3 Human-Performance-Related Enhancements.

Three procedural enhancements were identified in the course of this study. These are:

1. Manual control of turbine-driven AFW pump following loss of all AC and DC power. The pump requires 125 V DC to maintain operation during a station blackout; without this supply the pump will trip. Providing the operators have opened the room doors to allow cooling (see item 3 below), the pump should continue for 4 hours before the DC supply is depleted. To continue providing secondary decay heat removal, an operator will be located locally at the AFW turbine-driven pump and attempt to control AFW flow manually;

2. Establishment of one Nuclear Services Cooling Water (NSCW) pump operation on "loss of NSCW" initiating event. The NSCW provides cooling to all major ESF components. This action is to start manually one of the two standby NSCW pumps following failure of all four running pumps and to take additional actions to reduce the heat load on the NSCW system; and

3. Opening the doors on loss of Control Building ESF electrical HVAC room cooling for the following rooms that supply 125V DC for the major ESF equipment:

   - CB Room B76
   - CB Room B61
   - CB Room B47
   - CB Room B52
   - CB Room B55
   - CB Room B48.

These actions were incorporated into the VEGP procedures in August 1992 and are included in the HRA analysis. The combined effect of the three recovery actions is to reduce the total core-damage frequency from 8.2E-05 per year to 4.9E-05 per year.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The purpose of our document-only review is to enhance the NRC staff's ability to determine whether the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

1. Develop an appreciation of severe accident behavior.
2. Understand the most likely severe accident sequences that could occur at its plant.
3. Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.
4. If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

With specific regard to the HRA, these objectives might be restated as follows.

1. Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
2. Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
3. Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
4. Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are pertinent to NRC's determination of the adequacy of the VEGP IPE HRA task:

1. The submittal and supporting documentation indicate that utility personnel were extensively involved in the HRA, and that the walkdowns and documentation reviews constituted a suitable process for confirming that the HRA portions of the IPE represent the as-built and as-operated plant.

2. The licensee performed in-house peer reviews that provide assurance that the HRA techniques have been correctly applied and that the human actions included in the documentation are accurately described.

The analysis of pre-initiator human actions followed a simplified version of THERP. While the simplifications of this version have led to limitations in other IPEs in which the same method has been applied, the method as applied in this IPE appears adequate for the purpose of the IPE.

The scope of the pre-initiator analysis was limited in that only failures in restoration following testing were included. The omission of any analysis of miscalibration errors means that no opportunity existed for identifying any plant-specific vulnerabilities in calibration actions, notwithstanding the claimed low contribution to core-damage frequencies in other plant PRAs. This omission is considered a weakness in the VEGP IPE.

The processes for identification and selection of actions, qualitative screening (no numerical screening was performed), and quantification of pre-initiator actions were reasonably comprehensive (except for the omission of calibration errors discussed above). The quantification involved the assessment of a limited number of plant-specific performance shaping factors and dependencies influencing the probability of failure. Numerical results (human error probabilities) are generally consistent with values in other PRAs. No pre-initiator human actions were identified as important contributors to core damage frequency.

5. The treatment of post-initiator human actions was reasonably complete in scope. Both response-type and recovery-type actions were included, including two actions modeled in the post-core-damage (back-end) analysis. The processes for identification and selection of actions were based on the development of Event Sequence Diagrams, whose development included both HRA and "front-end" analysis personnel. The development of these diagrams involved review of procedures and discussion with plant personnel. The use of these Event Sequence Diagrams is considered a strength in the VEGP IPE in that the process used for their construction required an early detailed collaboration between the systems-analysis and HRA tasks, thereby leading to their early integration.

No numerical screening approach was used.

6. Three quantification processes were used: SLIM, a simplified version of the THERP method, and a special dependency model. These methods incorporated a range of plant-specific performance shaping factors and sequence-specific influences, and addressed dependencies among multiple human actions. The SLIM method uses probabilities provided external to the method as anchor points or reference values; the anchor points used in the VEGP IPE are not described by the licensee. The selection of inappropriate anchor points can distort the probabilities assigned by the SLIM method.

7. Several limitations exist in the treatment of post-initiator human actions that are modeled using the simplified version of the THERP method. One principal limitation is the failure to treat the diagnosis element of the modeled actions. A second is the inappropriate use of special one-of-a-kind checking as a recovery factor. It is not possible to determine the overall significance of these limitations from our document-only review. However, because of the restricted use of this simplified method in this IPE, this is not considered a major limitation of the study.
8. The submittal provided a concise definition of vulnerability. No vulnerabilities were identified by the licensee. However, the licensee did identify insights from the Level 1 analyses relating to human-performance-related enhancements. These enhancements have been made and are incorporated in the analysis by the licensee.
9. No human actions were identified as important to the areas of internal flooding or containment performance improvement.
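
The dependence of SLIM results on PSF weights, ratings and anchor points (observation 6 above and the discussion of Tables 6 and 7) can be illustrated with the following added example, which is not part of the submittal or of this report. It assumes the commonly stated log-linear SLIM calibration log10(HEP) = a·SLI + b; the weights, both anchor sets and the four ratings not given in Table 7 are constructed for illustration, and only the OABa ratings for training, procedures and MMI are taken from Table 7.

```python
import math

# Constructed relative weights: chosen only so that their rank order matches
# the OABa row of Table 6 (TRN 1, PRC 2=, MMI 2=, TIM 4, CPX 5, STR 6, ACT 7).
WEIGHTS = {"CPX": 10, "TIM": 15, "TRN": 25, "PRC": 20, "MMI": 20, "ACT": 4, "STR": 6}

# Ratings on the report's 0..1 scale (1 = as good as practically feasible).
# TRN, PRC and MMI are the OABa ratings from Table 7; the rest are constructed.
RATINGS = {"CPX": 0.5, "TIM": 0.6, "TRN": 0.533, "PRC": 0.767, "MMI": 0.75,
           "ACT": 0.7, "STR": 0.5}

# Two constructed anchor sets, each a pair of (SLI, HEP) reference tasks.
ANCHORS_A = ((0.2, 0.5), (0.9, 1e-3))
ANCHORS_B = ((0.2, 0.1), (0.9, 1e-4))


def rank_labels(weights):
    """Rank PSFs by weight, marking ties with '=' as Table 6 does."""
    values = list(weights.values())
    labels = {}
    for psf, w in weights.items():
        rank = 1 + sum(v > w for v in values)
        labels[psf] = f"{rank}=" if values.count(w) > 1 else str(rank)
    return labels


def sli(weights, ratings):
    """Success likelihood index: normalized-weight sum of the PSF ratings."""
    for psf, r in ratings.items():
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"rating for {psf} outside 0..1: {r}")
    total = sum(weights.values())
    return sum(weights[p] / total * ratings[p] for p in weights)


def calibrate(anchors):
    """Solve log10(HEP) = a*SLI + b through two (SLI, HEP) anchor points."""
    (s1, p1), (s2, p2) = anchors
    if s1 == s2:
        raise ValueError("anchor tasks need different SLI values")
    a = (math.log10(p2) - math.log10(p1)) / (s2 - s1)
    return a, math.log10(p1) - a * s1


def hep(sli_value, anchors):
    """Human error probability for an SLI under a given anchor set."""
    a, b = calibrate(anchors)
    return min(1.0, 10 ** (a * sli_value + b))


def best_improvement(weights, ratings, anchors):
    """PSF whose rating, raised to 1.0, lowers the HEP the most."""
    def hep_with(psf):
        return hep(sli(weights, {**ratings, psf: 1.0}), anchors)
    return min(weights, key=hep_with)


if __name__ == "__main__":
    s = sli(WEIGHTS, RATINGS)
    print(f"SLI = {s:.5f}")
    for name, anchors in (("A", ANCHORS_A), ("B", ANCHORS_B)):
        print(f"anchors {name}: HEP = {hep(s, anchors):.2e}")
    print("largest gain from improving:", best_improvement(WEIGHTS, RATINGS, ANCHORS_A))
```

With identical weights and ratings, the two constructed anchor sets give probabilities that differ by a factor of more than 7, which is why undocumented anchor points limit what a reviewer can conclude about the resulting values.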


4. DATA SUMMARY

4.1 Important Operator Actions

The following table lists all those human actions that contributed at least 1% to the total core-damage frequency of VEGP.

Human action events that contribute 1% or more to total core-damage frequency.

| Event Name | Human Action Description | % Core Damage Frequency |
|---|---|---|
| CBHV | Operators fail to open ESF Electrical Equipment Room doors on loss of HVAC cooling | 17.7 |
| OAR | Operators fail to establish recirculation (high- or low-pressure) cooling | 11.5 |
| OFC | Operators fail to continue operation of TD AFW pump following failure of DC power during station blackout | 9.2 |
| OAB | Operators fail to open pressurizer PORV and initiate SI for feed-and-bleed cooling | 4.9 |
| ORS | Operators fail to restore systems following loss of offsite power or station blackout | 3.9 |
| OLP | Operators fail to stop RHR pumps when RCS pressure is greater than 300 psig or fail to start RHR pump when pressure is less than 300 psig | 1.4 |

4.2 Human-Performance Related Enhancements:

4.2.1 Implemented human performance improvements stemming from HRA.

The improvements are the incorporation of new recovery actions in the VEGP EOPs. These actions are:

1. Manual control of turbine-driven AFW pump following loss of all AC and DC power.
2. Establishment of one Nuclear Services Cooling Water (NSCW) pump operation on "loss of NSCW" initiating event, and
3. Opening the doors on loss of Control Building ESF electrical HVAC room cooling.


REFERENCES

1. Swain, A. D. and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, Rev. 1, Sandia National Laboratories, Albuquerque, NM, August 1983.
2. Embrey, D. E., et al., SLIM-MAUD: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment (Vols. I & II), NUREG/CR-3518, Brookhaven National Laboratory, Upton, NY, 1984.
3. Kauffman, J. V., et al., Operating Experience Feedback Report - Human Performance in Operating Events, NUREG-1275, Vol. 8, U.S. Nuclear Regulatory Commission, Washington, DC, December 1992.
4. Ericson, D. M., et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Sandia National Laboratories, Albuquerque, NM, January 1990.
5. Swain, A. D., Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, Sandia National Laboratories, Albuquerque, NM, February 1987.
