Text

Plant TER of IPE Submittal Human Reliability Analysis, Final Rept
	ML20129A864
Person / Time
Site:	River Bend
Issue date:	04/11/1996
From:	Swanson P; CONCORD ASSOCIATES, INC.
To:	; NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20129A856	List: ML20129A850; ML20129A858; ML20129A864; ML20129B752;
References
	CA-TR-95-019-39, CA-TR-95-19-39, NUDOCS 9609190304
	Download: ML20129A864 (43)
	v • d • e

. g 8 e

l l

I APPENDIX C RIVER BEND STATION UNIT 1 INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (HUMAN RELIABILITY ANALYSIS) l l

CONCORD ASSOCIATES,INC. cuTR 95-019-39 Systems Performance Engineers RIVER BEND STATION TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS FINAL REPORT by P.J. Swanson Prepared for U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Division of Systems Technology Final Report, April 11,1996 11915 Cheviot Dr. 725 Pellissippi Parkway 6201 Picketts Lake Dr.

Herndon, VA 22070 Knoxville,TN 37932 Acworth, GA 30101 (703) 318-9262 (423) 675-0930 (404) 917-0690

CA/TR-95-019-39 RIVER BEND STATION TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS FINAL REPORT P. J. Swanson Prepared for U.S. Nuclear Regulatory Conunission Office of Nuclear Regulatory Research Division of Systems Technology Final TER, April 1996 CONCORD ASSOCIATES. INC.

Systems Performance Engineers 725 Pellissippi Parkway Knoxville, TN 37932 Contract No. NRC-04-91-069 Task Order No. 39 I l

j l

TABLE OF CONTENTS E. EXECUTIVE

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.2 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . El E.3 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . E2 E.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . E2 E.3.2 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . E2 E.4 Generic Issues and CPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E4 E.5 Vulnerabilities and Plant Improvements .................... E4 ,

E.6 Observations ............................. ...... E5

1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . ................... 1 1 1

1.1 HRA Review Process . . . . . . . . . . . . . . . . ............... 1 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 I

1

2. TECHNICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1 2.1 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1.1 Completeness and Methodology ..................... 3 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status . . . . . . . . . 3 2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . . 4 2.1.3.1 Licensee Participation . . . . . . . . . . . . . . . . . . . . . . 4 2.1.3.2 Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.1 Pre-Initiator Human Actions Considered ................5 l 2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 !

2.2.3 Screening Process for Pre-Initiator Human Actions . . . . . . . . . . 6 2.2.4 Quantification of Pre-Initiator Human Actions . . . . . . . . . . . . . 6 '

2.3 Post-Initiator Human Actions ............. ............. 7 l 2.3.1 Types of Post-Initiator Human Actions Considered . . . . . . . . . . 7 l

2.3.2 Process for Identification and Selection of Post-Initiator Human :

Actions ........... ........................7 2.3.2.1 Response Actions . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.2.2 Recovery Actions . . . . . . . . . . . . . . . . . . ......8 2.3.3 Screening Process for Post-Initiator Actions ...... .....8 2.3.4 Quantification of Post-Initiator Human Actions ............ 9 2.3.4.1 Transient and LOCA Events . . . . . . . . . . . . . . . . . . 9 2.3.4.2 ATWS Events . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3.4.3 Quantification of Recovery Actions . . . . . . . . . . . . . . 13 2.3.5 Treatment of Operator Actions in the Internal Flooding Analysis . 15 2.3.6 Treatment of Operator Actions in the Level 2 Analysis . ...... 15 2.3.7 GSI/USI and CPI Recommendations . . . . . .. .......... 15 i .

Table of Contents (continued) 2.4 Vulnerabilities, Insights and Enhancements . . . . . . . . . . . . . . . . . . . 16 2.4.1 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.2 IPE Insights Related to Human Performance . . . . . . . . . . . . . . 16 2.4.3 Human-Related Enhancements ...................... 19

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . 20

4. DATA

SUMMARY

SHEETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 REFERENCES . . . . . . . . . . . . . . . . . .

...............,.......... 23 APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 i

1 l

l l

l

i i

E. EXECUTIVE

SUMMARY

This Technical Evaluation Repon (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the River Bend Station (RBS) 2 Individual Plant Examination (IPE) submittal from Gulf States Utilities (GSU) to the U.S.

Nuclear Regulatory Commission (NRC). Following GSU's submittal of the IPE, responsibility for the operation of RBS has transferred from GSU to Entergy Operations, Inc.

j (EOI). Our review is to assist NRC staff in their evaluation of the IPE and conclusion

regarding whether the submittal meets the intent of Generic Letter 88-20.

j E.1 Plant Characterization i

RBS is a BWR-6 with a Mark III containment. The unit is rated at 2887 MWt and 936 MWe (net). The unit commenced commercial operation in June 1986. NRC's front-er.d 3 reviewer identified several of RBS's design features that directly impact core damage frequency (CDF) relative to other BWR-6 plants, these being, (1) ability to crosstie the standby service water and diesel driven firewater to Low Pressure Coolant Injection (LPCI) loop B for injection to the vessel, (2) difficulty in using feedwater crosstie for injection during station blackout, (3) four hour. battery lifetime, (4) containment fan coolers and no

, containment spray system, (5) ability of High Pressure Core Spray (HPCS), Low Pressure l Core Spray (LPCS), and RHR pumps to operate with saturated suppression pool, (6) three

motor driven air compressors, and (7) room cooling required for standby electrical i switchgear.

I i

E.2 Licensee IPE Process j The RBS IPE was a I.evel 2 Probabilistic Risk Assessment (PRA) that considered operator

! actions primarily in the Level 1 analysis. The HRA process addressed pre-initiator actions j (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed i as part of the response to an accident), Pre-initiator actions considered included both j restoration (misalignment) errors and miscalibration. Post-initiator actions (human

interactions) included both response-type and recovery-type actions. The primary HRA i

techniques employed to quantify human error included the Accident Sequence Evaluation Program (ASEP) HRA procedure for all pre-initiator actions and most post-initiator actions.

l The Technique for Human Error Prediction (THERP) was used for the assessment of post-1 initiator actions during ATWS. Plant-specific factors and dependencies were considered m i

both pre-initiator and post-initiator analyses. Human errors identified as significant j contributors in accident sequences leading to core damage, and human-performance-related l insights and/or possible enhancements were identified for future consideration. Licensee staff members with knowledge of plant design, operations and maintenance appear to have j had significant involvement in the HRA process. Their efforts were suppon by HRA

! specialists from SAIC. Procedure reviews, interviews with operations staff, and plant l walkdowns helped assure that the IPE represented the as-built, as-operated plant. An

, E1 1

-. . , .-~

J Mependent review of the HRA performed by an independent contractor and in-house staff

helped to assure appropriate use of HRA techniques.

E.3 Human Reliability Analysis i E.3.1 Pre-Initiator Human Actions.

8

The RBS HRA addressed pre-initiator errors in maintenance, test and surveillance actions. l l' Misalignment (restoration) error and miscalibration were considered for quantification in the !

analysis. l r

Pre-initiator human error events were identified during the development of the system fault !

?- trees. Identification and selection was based on a review of system operating instructions, l 3

surveillance instructions, maintenance, calibration and testing procedures, and to the extent !

they apply, Emergency Operating and Abnormal Operating procedures. 'llie analyst talked with the responsible system engineers, and operations and maintenance personnel during the j selection process. All the identified events were modeled as basic events in the system fault j trees. The analyst reviewed Licensee Event Reports (LERs), Condition Reports (CRs), and l Operating Experience Reports (OERs) to ensure any past occurrence of pre-initiator human errors were modeled. !

Except for errors associated with the Alternate Rod Insertion (ARI) system and the Reactor i

Protective System (RPS), estimates of human error probabilities were derived using ASEP.

ARI and RPS-related pre-initiator human errors were assigned an estimated value based '

simply on judgement. The licensee states this was done because Anticipated Transient Without Scram (ATWS) was not a significant contributor to core damage risk, and the pre- l initiator events are not significant contributors to ATWS. All pre-initiators identified were !

included in the fault trees and used for quantification. The licensee followed the ASEP procedure in their consideration of recovery factors and dependency. Sixty-nine (69) pre- !

initiator human actions were included in the RBS models.

E.3.2 Post-Initiator Human Actions. !

The post-initiator HRA addressed both response-type and recovery type actions. A reasonably comprehensive process was employed by the licensee to identify and select the post-initiator ;

actions to be included in the IPE model. Response actions considered by the HRA analyst l

included those which involve manual actuation or alignment of systems / components that would not initiate or aligned automatically. All actions considered were explicitly directed m ;

procedures. A numerical screening process was used to select important post-initiator actions.

The screening process included consideration of dependencies so important human actions :

were not unintentionally eliminated. The licensee identified 141 different combinations of ;

human errors. RBS's HRA analysts used two methods for quantifying post-initiator human ;

error; (1) for transient and loss of coolant accident (LOCA) events the ASEP methodology t was used, and (2) Anticipated Transients Without Scram (ATWS) analysis was performed ,

E2

with the THERP approach. The use of THERP instead of ASEP for the quantification of ATWS sequences is said to have been based on the increased flexibility afforded in THERP.

In the RBS HRA, estimates of the time window available were based on results of BWRSAR and MAAP calculations. The times required to perform control room actions were based on estimates from plant operators with direct experience, the guidance in the ASEP procedure, and/or plant-specific simulator data. For actions performed outside of the control room, travel and manipulation times were estimated by simulated walk-throughs of applicable procedures.

The licensee's analysis considered plant-specific infonnation in the assessment of operator response times and in calculating human error probabilities.

HRA for transient and LOCA events was performed using the ASEP method. In analysis the analyst first developed detailed event sequence diagrams. These diagrams display graphically the sequence of actions and system responses occurrmg in the particular sequence being analyzed. The success and failure paths identified are converted into an event tree for quantification. The diagriostic and action events from the event sequence diagram are assigned and quantified as top events in the event tree. It is our observation that the analyst appropriately accounted timing and dependency effects which may arise from time coincidence, common indications and operator keys, common procedural steps, or even common personnel. The different combinations of the individual post-initiator actions identified in the cutset review were each analyzed separately and on a " sequence-specific" basis.

Post-initiator human actions for ATWS sequences were identified in the event tree. The HRA for these actions was performed using THERP. A detailed task analysis was performed for the ATWS case. The task analysis considered staffing, team interaction, and control room layout in addressing each critical decision point and EOP insuuction step that the operator encounters in considering the accident progression. Information gathering for the ATWS analysis included: (1) observation of minimum crew performance during ATWS scenarios on the RBS simulator, (2) interviews with control room operators and training department personnel, (3) tour of the control room, and (4) review of the EOP for ATWS.

Generally speaking the licensee performed the ATWS analysis in a thorough and consistent manner with the THERP procedure. However, in our view, one of the assumptions made in the treatment of human error in the ATWS case is a simplistic and optimistic view of expected operator response to a severe accident, and is considered a significant limitation of the post-initiator HRA. The estimated values for human error probability associated with RBS's ATWS analysis are generally lower than seen in other BWR IPE's reviewed. A HEP value of " epsilon" (< 1.00E-05) was assessed for operator actions to manual scram (SCRM),

manually insert rods (ARI), and inhibiting of the automatic depressurization system (NADS).

The analyst assumed that consideration of diagnosis was not required for these events because they could be considered "immediate emergency actions." This assumption is based on the fact that the operators are " thoroughly trained in their execution." We believe this assumption may be somewhat optimistic in the case of AR' The actions which follow ARI initiation are assessed as " subsequent action" and with the exception of the inhibition of E3

ADS, are assumed to require sat the EOPs be used. Inhibition of ADS is treated as an "immediate emergency action" requiring no diagnosis based on it being a well memorized and routine action. We find this assumption to be highly questionable. The low HEPs j assessed for ATWS are believed to have contributed significantly toward ATWS being dropped (below truncation value of 1.00E-09) from consideration in calculating core damage j

frequency.

The RBS HRA included the use of recovery actions to recover cutsets to a non-core damage condition. Recovery actions were identified in two ways: (1) review of potendal recoveries i during system analysis, and (2) the analyst's review of resultant cutsets to identify other procedurally directed actions that would recover failed components. Then events were then quantified and added to the cutsets. Recovery actions were credited for recovery of offsite ,

power within a specified time, recovery of FPW or PCS within a specified time, and i recovery of DC power hardware faults. The HRA analyst assigned operator recovery actions to cut sets, as appropriate', to recover the cutset to a non-core damage sequence. Recoveries ,

were applied to cutsets rather than sequences to account for different time frames available to :

perform an action based on the different component failures that have caused the sequence.

E.4 Generic Issues and CPI l The front-end reviewer identified several unique features at RBS that directly impact the [

availability to provide DHR. A number of these features involve operator action. Those l considered most instrumental to the success of DHR include: (1) the ability to crosstie i standby service water and diesel driven firewater to LPCI loop B for injection to the vessel, )

(2) containment fan coolers and no containment spray system, and (3) room cooling required i

for standby electrical switchgear. The human actions associated with these issues were addressed by the licensee in there analysis of post-initiator human actions related to transient ,

and LOCA events. l i

The reliability of the RPV depressurization system is the only CPI issue we identified which l has a close relationship to human actions, namely, operator action to depressurize. The l licensee addressed two issues which impede the operators ability to depresssurize: (1) loss of DC power sources for the SRVs, and (2) loss of air to the SRVs. These issues are reported as being resolved with an enhanced depressurization system that includes the hardware addition of a station blackout diesel generator, and the addition of two temporary, one to be made permanent, diesel driven compressors. Details of extent to which these changes impact existing procedures is not reported. However, it is expected that additional procedural guidance and/or surveillance would be required.

E.5 Vulnerabilities, Insights and Enhancements GSU used the NRC's Safety Goal Policy Statement for defining RBS's vulnerability criteria.

If the CDF for any functional accident sequence exceeded 1.00E-04/ year, a vulnerability was assumed to exist. No vulnerabilities were identified for the RBS. The IPE used systemic E4

--=,y v-- .e -m-,>vs , , . , - - -m . -- -,, ~ - --, , -e- ., ,--,, - - - - ---, -- ,

event trees to quantify core damage. The cut sets were binned into functional groups, and

- the results of the IPE were reported on a functional basis. There were eight dominant functional sequences, which together contribute approximately 99.7% of the total CDF.

Human action was identified as important contributor in each of the eight most important

)

functional sequences.

In the RBS sensitivity analysis, post-initiator human actions were found to be relatively I insensitive to significant changes in HEPs. However increasing all pre-initiator human error probabilities by a factor of 10 resulted in total CDF value of 1.02E-04/ year. The licensee identified two restoration pre-initiators, SWP-HEEHRSV133 and SWP-HEEHRSV134, as the dominating influence for this increase. In evaluating these events the licensee determined I that the calculated HEP value of 3.60E-02 was in fact extremely conservative because it does i not credit independent verification of the valve position following test and maintenance. The resultant CDF from increasing all pre-initiator other than these two events was 2.20E-5/ year. i RBS identified four enhancements during the IPE process. Three enhancements deal with ;

HRA issues, the forth is a hardware change which does not impact the HRA. The three i enhancements associated with HRA involve procedure changes. These enhancements are briefly summarized below:

1) Revised Abnormal Operating Procedules (AOPs) to provide enhanced guidance to operators on how to mitigate loss of corol building ventilation scenarios.

2) Revised Operations Section Procedure (OSP) to require twice per shift checks of running diesel-powered IAS compressors to prevent diesel running out of fuel.

3) Identified SSW pump lock-out as an operator action which should be eliminated.

Experience with new closed-loop Normal Service Water (NSW) system demonstrated that the manual lock-out was no longer needed.

E.6 Observations The following observations from our document-only review are pertinent to NRC's determination of whether the licensee's submittal meets the intent of Generic Letter 88-20.

The submittal and supporting documentation indicates that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant. The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

The HRA addressed pre-initiator errors in maintenance, test and surveillance actions. Both misalignment (restoration) errors and miscalibration were considered. The processes for identification and selection, screening, quantification, and incorporation of pre-initiator errors E5

. - _ . - , . . - - ._ ~ _ ._ _, _ . ~ _ _ . , - - ,

l

1 into the IPE model were reasonable and consistent with practice in other PRAs. Numerical results are consistent with results in other PRAs. Two pre-initiator actions are identified in the licensee's sensitivity analysis as being among the most important human actions. The

treatment of post-initiator human actions for transient and LOCA cases was reasonably complete and thorough. Both response-type and recovery-type actions were included. ,

Quantification of transient and LOCA post-initiator errors appear to be reasonably complete !

and found to have appropriately followed the HRA methodology selected by the licensee. l Plant-specific performance shaping factors and dependencies were considered. Quantitative ;

estimates of post-initiator human error probabilities are generally conservative with respect to 3 results in other PRAs.

The treatment of post-initiator human actions for the ATWS case included an assumption l which we believe is optimistic and may have contributed to ATWS events being truncated.

The assumption that ARI and Inhibit of ADS may be assumed to be memorized immediate '

actions which eliminates consideration of diagnosis is believed to have generated questionably low HEPs.

4 i The insights reported indicate that the HRA provided the licensee with an appreciation for

the importance of human error to the estimated core damage and radioactive material release fractions. Human action was noted as an important contributor in the dommant sequences.

Credit for human action in the recovery analysis was noted as a significant factor in reducing the estimated core damage frequency. Importance calculations were performed which identified the most important human error contributors. The licensee identified a number of procedure enhancements through the IPE process and these improvements have been made.

4 Y t n

t 1

l 4

a 4

f E6 -

Q I

1. INTRODUCTION ;

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the River Bend Station (RBS)

Individual Plant Examination (IPE) submittal from Gulf States Utilities (GSU) to the U.S.

Nuclear Regulatory Commission (NRC). Subsequent to GSU's submittal of the IPE, responsibility for the operation of RBS has transferred from GSU to Entergy Operations, Inc. ,

(EOI). The review was performed to assist NRC staff in their evaluation of the IPE and ,

conclusion regarding whether the submittal meets the intent of Generic Letter 88-20. ;

1.1 HRA Review Process i

The HRA review was a " document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on information pertinent to i HRA.

l (2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was needed from the licensee, and formulating requests to the licensee for the necessary additional infzination.

I (3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with " front-end" and "back-end" reviewers. ,

i (4) Review of licensee responses to the NRC requests for additional information, and :

preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process.

1.2 Plant Characterization RBS is a BWR-6 with a Mark III containment. The unit is rated at 2887 MWt and 936 MWe (net). The unit commenced commercial operation in June 1986. NRC's Front-end reviewer identified several of RBS's design features that directly impact core damage -

frequency (CDF) relative to other BWR-6 plants, these being, (1) ability to crosstie the standby service water and diesel driven firewater to Low Pressure Coolant Injection (LPCI) loop B for injection to the vessel, (2) difficulty in using feedwater crosstie for injection during station blackout, (3) four hour battery lifetime, (4) containment fan coolers and no containment spray system, (5) ability of High Pressure Core Spray (HPCS), Low Pressure Core Spray (LPCS), and RHR pumps to operate with saturated suppression pool, (6) three 1

j

motor driven air compressors, and (7) room cooling required for standby electrical switchgear.

2

4 ,

i ,

i i

e 1

2. TECHNICAL REVIEW 1

4 2.1 Licensee IPE Process l 2.1.1 Comoleteness and Methodology.

i

! The RBS IPE was a Level 2 Probabilistic Risk Assessment (PRA) which considered operator ,

I actions primarily in the I.evel 1. The HRA process addressed pre-initiator actions j (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed j as part of the response to an accident). Pre-initiator actions considered included both restoration (misalignment) errors and miscalibration. Post-initiator actions (human '

interactions) included both response-type and recovery-type actions. The primary HRA techniques employed to quantify human error included the Accident Sequence Evaluation -

Program (ASEP) HRA procedure (Reference 1) for all pre-initiator actions and post-initiator j i actions associated with LOCA and transiena (i.e., non-ATWS.) The Technique for Human ;

l Error Prediction (THERP) (Reference 2) was used in the assessment of post-initiator actions j during ATWS. Plant-specific factors were considered in both pre-initiator and post-initiator j analyses. Human errors were identified as significant contributors in accident sequences 1 j leading to core damage, and human-performance-related insights and/or possible

enhancements were identified for future consideration. GSU staff with knowledge of plant

! design, operations and maintenance appear to have had significant involvement in the HRA process. The licensee's HRA development process was support by HRA specialists from j SAIC. Procedures reviews, interviews wi'h operations staff, and plant walkdowns helped assure that the IPE represented the as-built, as-operated plant. Independent reviews of the

! HRA were performed by two different independent contractor and in-house staff. These

! independent reviews helped to assure appropriate HRA techniques were applied. Human errors were identified as significant contributors in accident sequences leading to core

damage, and human-performance-related insights and enhancements were identified for j implementation and future consideration.

I

! .2.1.2 Multi-Unit Effects and As-Built. As-Ooerated Status

! River Bend is a single unit site; multi-unit effects are not an issue.

1 I Information on licensee actions to asme that the IPE represents the as-built, as-operated

plant is provided in IPE Section 2.4 "Information Assembly". Section 2.4.3 of the submittal j states that two revisions of the Level 1 IPE were developed. The IPE submittal is based on 4 the second revision and represents the plant as of April,1991. There is one exception to the

, April,1991 freeze date, that being the inclusion of a change completed in the summer of 1992 establishing closed loop operation of the normal service water system. Section 2.4.3 i also contains a brief discussion of administrative control procedures implemented to ensure l

the PRA team included consideration of any significant plant changes which could impact the IPE model.

l.

1 j A listing is provided in the submittal (Section 2.4.3) of the plant documents used in the j information assembly and plant familiarization phase. The submittal provides a brief 1

3 -

4 i

e i

1 i

description of a process that used a number of means to confirm that the documents listed j were accurate and up to date.

Similarly, there is a brief statement in Section 2.4.4 that several types of walkdowns were

! conducted, including:

i l e General walkdown of reactor building, auxiliary building, the standby cooling tower, 3

and the diesel generator building.

i

! e Specific walkdowns for reasons such as internal flooding analysis and natural :

! circulation ventilation flow path for the standby switchgear rooms.

j e Videodisc-based, computer-interactive activity which permitted multiple " visits" to j generally inaccessible areas such as the reactor cavity.

) Walkdowns specific to HRA do not appear to have been conducted. However, the entire IPE i Project team visited the site and participated to some degree in the walkdowns cited above.

t )

! The listing of documents, the statements on verification approach, and the comments on the

walkdowns suggest that the licensee had a reasonably thorough approach to assuring that the

. IPE represented the as-built, as-operated plant.

i

) 2.1.3 Licensee Particioation and Peer Review. l l The NRC review of the submittal attempts to determine whether the utility personnel were !

l involved in the development and application of PRA techniques to their facility, and that the

associated walkdowns and documentation reviews constituted a viable process for confhTning I j that the IPE represents the as-built and as-operated plant.

i j 2.1.3.1 Licensee Particioation. The RBS IPE project team was under the direction of a

GSU supervisor experienced in maintenance, operations, and safety analysis. The project l team members included GSU personnel with experience in PRA development, MAAP code j development, thermal-hydraulic analysis, Quality Assurance (QA), nuclear fuel analysis, and

. the RBS independent safety engineering group (ISEG). Also, contractor personnel from i SAIC, RAPA, Haliburton-NUS (NUS), and EQE Engineering participated with GSU l , personnel in the development of the W. - The HRA portion of the IPE was supponed by human reliability analysts from SAIC. The project team organization and task structure is l

discussed in Sections 1.2 and 5.1 of the submittal. Additionally, the HRA process benefitted i from the direct involvement of the plant operations and training staff through either i interviews or review of IPE documentation pertinent to the HRA. It is our view that tl'e

utility personnel were significantly involved in the IPE/HRA, and that the document reviews, 3 plant walkdowns and other actions taken by the licensee provided reasonable assurance that I j the IPE/HRA models represent the as-built, as-operated plant.

4 i 2.1.3.2 Peer Review. The submittal (Sections 5.1 and 5.2) describes a multi-faceted, 1 independent review process that included the involvement of plant personnel, GSU staff, and 1

4 l

HRA consultants. One element of independent review can be considered the licensee's engineering QA program which facilitated multiple reviews throughout the IPE development process. Additionally, a procedurally directed independent review was performed by GSU's contractors, with NUS doing the I.evel 1 review and SAIC reviewing level 2. The HRA portion of the IPE received yet another review by Dr. Alan D. Swain, who GSU contracted to ensure accuracy of the level 1 analysis. The licensee reported each of the reviewer's comments, along with their resolution in submittal Sections 5.3.1 and 5.3.2, respectively.

In our opinion, the reviews appear to constitute a reasonable process for an "in-house" peer review that provides some assurance that the IPE analytic techniques were correctly applied and that documentation is accurate.

2.2 Pre-Initiator Human Actions Errors in performance of' pre-initiator human actions (i.e., actions performed during maintenance, testing, etc.) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. Our review of the HRA portion of the IPE examines the licensee's HRA process to determme what consideration was given to pre-initiator human actions, how potential actions were identified, the effectiveness of quantitative and/or qualitative screening process employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.

1 2.2.1 Pre-Initiator Human Actions Considered.

The RBS HRA addressed pre-initiator errors in maintenance, test and surveillance actions. i Misalignment (restoration) error and miscalibration were considered for quantification in the )

analysis.

2.2.2 Process for Identification and Selection of Pre-Initiator Human Actions.

The key concems of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst (s), and (b) whether discussions were held with appropriate plant personnel (e.g.,

maintenance, training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.

The licensee used the process outlined in Chapter 5 of NUREGICR-4772 to identify pre-initiator human error events. The potential pre-initiator human errors to be considered in the analysis were identified by the system analysts during the development of the system fault trees. The licensee states that pre-initiator human error was considered for all systems analyzed in the RBS study. As part of the general process of developing the system models, the system analyst was responsible for collecting and reviewing all pertinent information 5

g regarding the system. This information included procedures, including system operating instructions, surveillance instructions, test and maintenance procedures, and the extent they apply, Emergency Operating and Abncrmal Operating procedures. With the information from these procedures, along with that gained from conversations with the responsible system engineers, operations and maintenance personnel, the system nalyst identified the testing, maintenance, and calibration procedures that either result in the unavailability of the system or its components during performance, or that if not correctly performed would result in system or component unavailability. All the identified events were modeled as basic events in the system fault trees.

In addition to the above process, certain steps were taken to help ensure that potentially significant pre-initiator errors were not overlooked. These steps included reviews of all Licensee Event Reports (LERs), Condition Reports (CRs), and Operating Experience Reports (OERs) 'related to the system to identify any past occurrence of pre-initiator human errors and to verify they are modeled if they are identified. Additionally, the system notebooks, which include the system fault trees, were reviewed by the pertinent systems engineers. We believe the RBS analyst used a reasonable process to identify and select pre-initiator human error.

2.2.3 Screenine Process for Pre-Initiator Human Actions.

There was no numerical screening performed for pre-initiator human errors. All pre-initiator errors selected during the identification process were included in the fault trees used for l quantification. The licensee performed a qualitative screening of pre-initiator human events 1 which reduced the scope of pre-initiator errors to mispositioning of valves and miscalibration of plant instrumentation. Mispositioned valves, other than manual valves, were not considered because these components can be operated from the main control room and/or i receive automatic initiation signals. Also screened out were pre-initiators that result in I component failure, such as design errors. These are addressed as part of the component j failure rate or system maintenance unavailabilities. We consider the basis used by the HRA !

analyst to screen out pre-initiator reasonable.

2.2.4 Ouantification of Pre-Initiator Human Actions.

Except for errors associated with the Alternate Rod Insertion (ARI) system and the Reactor Protection System (RPS), estimates of human error probabilities were derived using ASEP.

ARI and RPS-related pre-initiator human errors were assigned an estimated value of 1.00E-02 based on the analyst's judgement. The licensee states this was done because Anticipated l Transient Without Scram (ATWS) was not a significant contributor to core damage risk, and I the pre-initiator events are not significant contributors to ATWS. All pre-initiators identified were included in the fault trees and used for quantification.

For systems other than ARI and RPS, the HRA analyst assigned each human action a BHEP of 0.03, representative of a generic HEP of 0.02 for an error of omission and 0.01 for an I error of commission. No upward adjustment was made to the BHEP for poor procedures and practices. The HRA analyst is said to have based this on detailed reviews of RBS's l l

6

administrative control, work practices, surveillance test procedures, system operating l procedures, general operating procedures operating section procedures, and administrative !

procedures. The licensee cites the results for RBS's SALP assessments as supporting l evidence for this assumption.

The licensce's consideration of recovery factors and dependency appears to be consistent with the recommendations of ASEP. Credit for recovery factors included human redundancy, compelling signals that notify operators of an unavailable component, post-calibration or post-maintenance tests, and frequent checks and inspections; each supported through evaluation of specific situation, procedures, and activities. Series system dependence, where any failure within a set of connected human actions fails, were treated as independent. For parallel systems, where all human actions in a set must be performed incorrectly to fail, values from ASEP (NUREG/CR-4772) for complete or high dependence were used based on the applicable guidelines. In their response to a NRC RAI, the licensee provided a number of examples which indicate that the treatment of recovery factors and dependency, were consistent with the ASEP recommended guidelines. A listing of the pre-initiator human actions included in the RBS analysis is provided in Appendix A to this report.

2.3 Post-Initiator Human Actions Human errors in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly or failing to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). These errors are referred to as post-initiator human errors. Our review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific performance shaping factors.

2.3.1 Tvoes of Post-Initiator Human Actions Considered.

There are two important types of post-initiator actions considered in most nuclear plant PRAs: (1) resoonse actions, which are performed in response to the first level directives of the emergency operating procedures / instructions (EOPs, or EOls); and, (2) recovery actions, which are performed to recover a specific failure or fault, e.g., recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.

The RBS HRA considered both response and recovery human actions in their analysis of post-initiator human error events.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The primary thmst of our review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures (e.g., emergency / abnormal operating procedures or system instructions) associated with the 7

=

. l l

accident sequences delineated and the systems modeled; and, (2) discussions were held with ,

appropriate plant personnel (e.g., operators or training staff) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.

2.3.2.1 Resoonse Actiggi. In general, only actions that are explicitly included in procedures were credited. The scope of potential response actions was further limited to manual actuation or alignment of systems and components only if there was not an automatic ,

action. ,

As part of the general process of developing the system models, the systems analyst was responsible for collecting and reviewing all pertinent information regarding the system. This information is said to have included all system operating instructions, surveillance instructions, test and maintenance procedures, alarm response procedures, and the extent they l apply to the system in question, the emergency operating and abnormal operating procedures. '

Information from these procedures, along with that gained from conversations with the responsible system engineers, operations and maintenance personnel, the system analyst identified the manual actions required to actuate or align the system in response to different plant conditions. These actions were then modeled as basic events in the system fault trees.

2.3.2.2 Recovery Actions. The recovery post-initiator human actions included in the RBS IPE were said to have been identified in two ways. First, a process similar to that for the pre-initiat' or and post-initiator response type actions during the system analysis as discussed above was performed. Specifically, during the development of the system models, the system analyst was responsible for collecting and reviewing all pertinent information regarding the system. This information included all system operating procedures, surveillance procedures, test and maintenance procedures, alarm response procedures, and the extent that they apply to the system in question, the emergency operating and abnormal operating procedures. With the information form these procedures, along with that gained from conversations with the responsible system engineers, operations and maintenance personnel, the system analyst identified the manual actions that were proceduralized that would recover a failed component or system. These actions were then modeled as basic events in the system fault trees. The second effort involved review of resultant cutsets to identify other procedurally directed actions that would recover failed components. These events were then quantified and added to the cutsets. Operator recovery actions that are included in the RBS analysis are listed in Table 2.3-3, Section 2.3.4.3 of this report.

Based on our review, it appears the licensee had a reasonable process for identifying post-initiator human actions which are important to risk.

2.3.3 Screening Process for Post-Initiator Resoonse Actions.

The licensee set all post-initiator human errors to 0.5 for initial quantification. The licensee identified 141 different combinations of human errors. No major human error dependencies l were found by the licensee in this initial screening. Therefore, the screening value was ,

lowered to 0.1. All but one of the combinations of three or more human error events had a 8 .

1.7E-04 or lower HEP. The analyst set any new human error events identified after the initial screening to 0.5 to ensure that these events were captured in the cutsets 2.3.4 Ouantification of Post-Initiator Human Action RBS's HRA analysts used two methods for treating post-initiator human error; (1) for transient and loss of coolant accident (LOCA) events the ASEP methodology was used, and (2) Anticipated Transients Without Scram (ATWS) analysis was performed with the THERP approach. The use of THERP for ATWS is said to have afforded more flexibility than ASEP and, given the nature of the ATWS scenarios, it was judged by the RBS analyst to be more appropriate.

2.3.4.1 Transients and LOCA Events. HRA for transient and LOCA events was performed using the ASEP method. Different combinations of individual actions identified in cutset review were analyzed separately and on a sequence-specific basis.

The licensee's process started with the development of event sequence diagrams. These diagrams display graphically the sequence of actions and system responses occurring in the particular sequence being analyzed along with the information and alarms being generated and the tuning of the events. Also shown are the interactions of the members of the operating crew and the interaction between possible actions in response to the events occurring. The diagrams show the combinations of diagnostic opportunities and actions leading to both successful and unsuccessful accomplishment of the post-initiator actions considered. Once an event sequence diagram is developed, the success and failure paths identified on it can be converted into an event tree for quantification. The diagnostic and action events from the event sequence diagram are assigned as top events in the event tree.

The steps prescribed in the ASEP procedure, Chapter 8 were applied to the top events in the event tree to determine their individual probabilities of success and failure. The failure paths were then quantified and summed to give the overall HEP for the action under analysis. A listing of the post-initiator human actions considered for transient and LOCA events is provided in Appendix A of this report. ,

e The HEPs assessed for post-initiator transient and LOCA actions are generally higher than those which we have seen in PRAs for similar type plants. We believe from our review of several examples provided by the licensee that the RBS HRA analyst performed a comprehensive review of transient and LOCA events consistent with the recommendations of the methodology used. One possible exception is the estimation of time required to perform an action based on operator recollection (see section 2.3.4.1.1 below.)

Performance shaping factors (PSPs) influencing the likelihood of human error in post-initiator actions were identified and evaluated by the HRA team during plant visits, walkdowns, operator and training staff interviews, and procedure reviews. Each of the PSFs discussed in the ASEP procedure appear to have been considered. Of particular interest are those plant-specific consideration given to timing and dependency in the licensee's analysis.

9

2.3.4.1.1 Timins - The time window available is the critical parameter determining the probability of error in the diagnostic portion of the operator response. The ASEP nominal procedure uses a subjectively derived time-reliability relationship to assess an HEP for diagnosis. The time available for diagnosis is the total time available for the diagnosis and actions to be completed minus the estimated time required for action execution.

Plant-specific data from computer code calculations (BWRSAR or MAAP) were used to determine the total time available for diagnosis and action. These are appropriate sources for estimates of total time available. Required time for operator action came from several sources. First, operator estimates were used for those actions which are routinely performed in operation and the operator has direct experience. For events for which direct experience

was not available, simulator exercises or the ASEP procedure (Step 5) were used. The submittal does not discuss details of the simulator exercises (scenarios observed, methods of data collection and data analysis, etc.) For actions performed outside of the control room, travel and manipulation times were estimated by simulated walk-throughs of applicable procedures.

It is believed that operator estimates of time response tend to error in the non-conservative direction. Such non-conservatism in estimates may be accounted for by increasing the estimated time. For example, sub-step 5.e of the referenced ASEP procedure states that "If estimates of time are obtained from operating personnel, double them." We were unable to i confirm if the analyst made such an adjustment in their treatment of time estimates. In the documentation provided, it is stated that " conservative" estimates were obtained but details were not provided. We believe based on our review of HEP results that estimates were l conservative.

2.3.4.1.2 Devendencies - An important concern in HRA is the treatment of dependencies. Human performance is dependent on sequence-specific response of the system and of the humans involved. The likelihood of success on a given action is influenced by success or failure on a preceding action, performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, etc. Accounting for dependency among top-level actions in a l sequence is particularly important. The human error probability estimates for HRA are I

conditional probabilities. If dependencies are not specifically accounted for, and HEPs are treated as independent, the Probabilistic combination of HEPs can lead to an unrealistically :

I low estimate of human performance overall (i.e., of the joint human error probability), and to a significant underestimate of risk.

From our review of the examples provided by the licensee, it appears that the analyst accounted for dependency effects consistent with the guidance contained within the tables of the ASEP procedure. The process described by the licensee included those dependencies which may arise from time coincidence, common indications and operator keys, common procedural steps, or even common personnel. The different combinations of the individual post-initiator actions identified in the cutset review were each analyzed separately and on a

" sequence-specific" basis.

10

4 j 2.3.4.2 , ATWS Ev.gnts. The post-initiator human actions for ATWS sequences were

identified in the event tree. The HRA for these actions was performed using THERP. .

j The RBS HRA team performed a detailed task analysis for the ATWS case. The task l analysis considered staffing, team interaction, and control room layout in addressing each critical decision point and EOP instruction step that the operator encounters in considering

. the accident progression. Information gathering for the ATWS analysis included: (1) observation of minimum crew performance during ATWS scenarios on the RBS simulator, (2) interviews with control room operators and training department personnel, (3) tour of the control room, and (4) review of the EOP for ATWS.

The estimated values for human error probability associated with RBS's ATWS analysis are generally lower than seen in other BWR IPE's reviewed. Table 2.3-1 provides listing of the operator actions and HEPs included in the RBS analysis. In our view, the treatment of human error in the ATWS case is a simplistic and optimistic view of expected operator response to a severe accident, and is considered a significant limitation of the post-initiator HRA. .

i Table 2.3-1, Human Actions Included in the RBS ATWS Analysis.

ACTION HEP

)

Manual Scram (SCRM) epsilon l

Manual Rod Insertion (ARI) epsilon Automatic Depressurization System (ADS) epsilon Inhibit (NADS)

Initiate Standby Liquid Control (SLC) 1.00E-03 l withm one mmute j i

Reactor Depressurization (XI) 2.50E-01 Reactor Depressurization (X2) 6.30E-02 Initiate HPCS - Prevent HPCS pump 3.50E4)3 suction swithchover (CST)

The HRA analyst made a number of general assumptions related to the THERP methodology. These assumptions include:

1) Once ATWS is recognized, the level of stress was considered " moderately high" representing a heavy task load. If the transient continues beyond the attempted boron injection because SLC does not work, " extremely high stress" is assessed based on discussions with operations personnel. We consider this assumption to be reasonable.

11

3) During ATWS immediately previous errors, when time stress is present, considered the doubling rule from THERP which is typically applied to situations where repeated attempts to perform a required action is considered. The use of the doubling rule was i

applied only to related tasks performed by the same persons (i.e., the crew) as <

determined as appropriate by the analyst. We consider this assumption to be reasonable.

4) Hesitancy of the operators to perform an action based on adverse personal consequence if their action is incorrect is considered negligible. At RBS operators are protected for such actions. This appears more lenient than typically assessed but in ,

our opinion, reasonable given RBS's stated policy to absolve any operator from I adverse consequence if actions taken were based on the interest of plant safety.

5) At RBS the symptom-oriented EOPs are presented in the flowchart format. Control Operating Foreman (COF) are trained to pace the accident progression and not :'

procedure regiment. This allows for some response action to be taken prior to when procedurally directed action would be called for. An example cited is the COF's opening ADS /SRVs when SRVs start cycling rather than waiting to arrive at that l point in the EOP. We consider this assumption reasonable for actions which are well J trained upon and generally repetitive in occurrence. This appears to have be the case, j based on the example provided by the licensee.

6) Manual scram (SCRM) and Manual rod insertion (ARI) are assessed as post-diagnosis "immediate emergency actions." This assumption is based on the fact that the operators are " thoroughly trained in their execution." We believe this assumption may be somewhat optimistic in the case of ARI. The actions which follow ARI initiation are assessed as " subsequent action" and with the exception of the inhibition of ADS they are assumed to require that the EOPs be used. Inhibition of ADS is treated as an "immediate emergency action" requiring no diagnosis based on it being a well memorized and routine action. We find this assumption to be highly questionable because, although well memorized and routine from a procedural standpoint, as a third level response (possibly could be considered second level) the operator must first identify the condition, recognize the need, and then decide to take the action.

The licensee further assumes that per the discussion in THERP, page 12-22, a negligible HEP (i.e., epsilon) is assessed for diagnosis errors when interviews and other information establishes that the operating personnel are so well versed in recognizing the pattern of stimuli associated with the abnormal event that the cognitive aspects of behavior can be considered to be negligibly small. Although mentioned in THERP, the analyst is advised to exercise extreme caution in it application. In the ASEP method, generally recognized as more conservative than THERP, the lower bound HEP is recommended for diagnosis actions when all of the j

operators performing the action are using well designed symptom-based procedures.

The ASEP procedure also notes that in some cases, task analysis information may indicate that even the lower bound limits are unduly conservative. It may be judged 12 I

. i i l 1- l 4 s 4

that in some instances the operating personnel are so well versed in recognizing the ;

i pattern of stimuli associated with the event that the cognitive aspect of behavior may

] be very small. Thus, it may be entirely consistent with the letter of the ASEP :

a guidance for the analyst to use the lower bound estimate or even to assume a ;

negligible HEP for the diagnostic portion. On the other hand, the ASEP general guidance is that this practice is expected to be the exception, rather than the rule; that i the analyst needs to be careful to avoid overly optimistic estimates; and, that the basis :

i should be fully documented. Specifically, ASEP recommends using the lower bound i HEP if: a) the event is a well-recognized classic (e.g., the TMI-2 incident) and the

! operators have practiced the event in simulator requalification exercises, AND b) the talk-through and interviews indicate that all the operators have a good verbal

! recognition of the relevant stimulus patterns and know what to do or which written :

j procedures to follow. ASEP general rules specifically state that the nominal HEP :

! should be used if the only practice of the event is in simulator requalification l j exercises and all o'perators have had this experience. Thus, the use of the lower [

bound values may or may not be appropriate, per ASEP, depending on the specific ,

]

in-depth analysis supporting the judgment. Documentation of any in-depth analysis ,

performed was not available to this reviewer for evaluation of the reasonability of the j licensee's assumption.

1

We consider this last assumption to be generally optimistic and an inappropriate departure j j from the THERP procedure. It is our observation that the low HEP value for operator j actions to inhibit ADS and execute manual rod insertion is generally lower than seen for 4 other BWR IPEs which used a similar process.

2.3.4.3 Ouantification of Recovery Actiqm.

I

The RBS HRA included the use of recovery actions to recover cutsets to a non-core damage

condition. Recovery actions were credited for recovery of offsite power within a specified

time, recovery of FPW or PCS within a specified time, and recovery of DC power hardware 1

faults. The recovery of offsite power was based upon RBS-specific analysis. This analysis considered RBS location and eliminated weather related events associated with salt spray and 1

j snow / ice buildup. Offsite power recovery times were calculated using data from NUREG-i 1032 (Reference 3). Recovery of FPW was determined using the ASEP methodology i discussed in Section 2.3.4.1 of this report. Power conversion system and DC hardware recoveries were based on generic information from NUREG/CR-4550 (Reference 4).

i The HRA analyst assigned operator recovery actions to cut sets, as appropriate, to recover ,

the cutset to a non-core damage sequence. Recoveries were applied to cutsets rather than l

sequences to account for different time frames available to perform an action based on the j different component failures that have caused the sequence.

i 1

l t i a

13 .

i

, - - - ________v - -___- _ _ _ _______m_ _ _ _- - - - - . - - - - ,

Table 2.3-3, Operator Recovery Actions Considered in the RBS Analysis Event Name Description HEP Seq. ( ) Seq. ( )

Freq.before Freq. after RECVRY RECVRY ORA-EDC4 HRS No recovery of DC hardware faults 1.77E- < 1.0E-within 2 to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 08/YR 09/YR (T-SI-9) (T-SI-9)

ORA- No recovery of RPV Injection via FPW ;

FPW1.5 HRS within 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ORA-INJ4 HRS No recovery of RPV injection via PCS or FPW within 2 to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ORA-LOWP No recovery of low pressure injection 1.00E-02 ORA- No recovery of offsite power within 30 2.20E-01 i OSP30 MIN minutes ORA-OSP1 HRS No recovery of offsite power within 1 1.10E-01 2.28E- 2.51E-hour 08/YR 09/YR (L-SI-17) (L-S1-17)

ORA-OSP2 HRS No recovery of offsite power within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months ORA- No recovery of offsite power within 2.5 3.28E- 1.19E-OSP2.5 HRS hours 06/YR 07/YR (T-L-15) (T-L-15) ;

I ORA-OSP4 HRS No recovery of offsite power within 4 1.54E-02 4.03E- 3.68E-hours 06/YR 08/YR (T-L-20) (T-L-20)

ORA-PCS1 HRS No recovery of Feedwater/PCS within 1 4.06E- 2.34E-hour 07/YR 07/YR (T-S214) (TS2-14)

ORA-PCS2 HRS No recovery of Feedwater/PCS within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months ORA-RCIC No recovery of RCIC injection (S1 LOCA)

ORA. No recovery of switchgear room within 9.00E-02 5.87E- 4.32E-SWO1 HRS 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Opening doors) 08/YR 09/YR (S116) (S116)

ORA- No recovery of switchgear room within 3.60E-03 SWG4 HRS 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (Opening doors) 14

2.3.5 Treatment of Operator Actions in the Internal Floodina Analysis.

The RBS flooding analysis did not include any operator actions specific to internal flooding.

Operator recovery time for attended breaks was identified as a possible recovery action but was not applied in the RBS analysis'.

HEPs considered in the internal flooding analysis were taken from the Level 1 analysis. The actions considered include; . (1) operator failure to restart reactor feedwater pumps following plant trip (PCS-HEEHFRRFWPUM), (2) operator failure to start ADS by opening individual ADS valves or SRVs (ADS-HEEEHFRINDIV), and (3) operator failure to start standby cooling tower fans (SWP-HEEHFRSCTAN). The only operator recovery action considered in the analysis was opening switchgear room doors (ORA-SWG1 HRS).

2.3.6 Treatment of Ooerator Actions in the 12 vel 2 Annivsis.

RBS considered human actions in the Level 2 analysis, but did not perform detailed HRA for specific operator actions. The licensee states that human performance is considered implicitly in the decomposition event trees (DET) split fractions. Unlike a Level I cutset, it is not possible to take a Level 2 sequence and determine the state of the equipment or the specific actions required to mitigate or prevent containment failure. Each Level 2 sequence represents an aggregate of plant damage states to which no single operator action applies.

Therefore, given the level of resolution and uncertainty inherent in the Level 2 analysis it would not be reasonable to consider detailed HRA results the same as is done in Level 1 analysis.

2.3.7 GSI/USI and CPI Recommendations.

The licensee's consideration of generic safety issues (GSIs) and unresolved safety issues -

(USIs) and of containment performance improvements (CPI) recommendations are the subject of the front-end review, and back-end review, respectively.

The front-end reviewer identified several unique features at RBS that directly impact the availability to provide DHR. A number of these features involve operator action. Those considered most instrumental to the success of DHR include:

e Ability to crosstie standby service water and diesel driven firewater to LPCI loop B for injection to the vessel.

e Containment fan coolers and no containment spray system.

e Room cooling required for standby electrical switchgear.

Human actions associated with these issues were addressed by the licensee in their analysis of post-initiator human actions related to transient and LOCA events.

15

The reliability of the RPV depressurization system is the only CPI issue identified for which ,

human action, namely the operators action to depressurize, is significant. The licensee addressed two issues which impede the operators ability, (1) loss of DC power sources for

'the SRVs, and (2) loss of air to the SRVs. These issues are reported as being resolved with an enhanced depressurization system that includes the hardware r.ddition of a station blackout diesel generator, and the addition of two temporary, one to be made permanent, diesel driven compressors. Details of extent to which these changes impact existing procedures is not reported. However, it is expected that additional procedural guidance and/or surveillance '

would be required.

2.4 Vulnerabilities, Insights and Enhancements 2.4.1 Vulnerabilities.

GSU used the NRC's Safety Goal Policy Statement far defining RBS's vulnerability criteria.

If the CDF for any functional accident sequence exceeded 1.00E-04/ year, a vulnerability was !

assumed to exist. No vulnerabilities were identified far the RBS. l 2.4.2 IPE Insights Related to Human Performance.

The total core damage frequency (CDF) estimate for internal events for River Bend is 1.55E-05/ year, and the total CDF from internal flooding was calculated to be 1.75E-08/ year. The IPE used systemic event trees to quantify core damage. The cut sets were binned into functional groups, and the results of the IPE were reported on a functional basis. There were eight dominant functional sequences, which together contribute approximately 99.7% of the total CDF. Table 2.4-1 lists the eight most important functional sequences. Human actions were identified as important contributors in each of the important functional sequences.

The licensee performed sensitivity and uncertainty calculations (Fussell-Vesely) to see if the )

RBS CDF was sensitive to any one operator error or recovery probability. The sensitivity analysis was performed using what the licensee states were pre-existing cutsets. Details concerning the actions analyzed and results were provided in response to NRCs request for additional infonnation. Combinations of human error probabilities, i.e., the functional sequence method used to treat transient and LOCA human error, were not subjected to Table 2.4-1, Functional Sequences Most Important To Core Damage Frequency i

Functional Group ' Description TBU Station blackout with immediate failure of HPCS and RCIC.

TBUX Station blackout with immediate failure of HPCS and long term failure of RCIC due to battery depletion.

TQUX Transient with loss of PCS, failure of all high pressure injection systems, and failure to depressurize.

16 3

o T1UX Sequences involving loss of offsite power, failure of all high pressure injection systems, and failure to depressurize.

TQUV Transients with loss of PCS, failure of all high pressure injection systems, successful depressurization, and failure of all low pressure injection systems.

S2UX Small LOCA, failure of high pressure makeup, and failure to depressurize.

TW Transients, failure of all high pressure injection systems, successful depressurization, loss of all containment heat removal (suppression pool cooling and fan coolers), loss of SRVs due to EQ after containment failure by overpressurization resulting in repressurization of the vessel and inability to use low pressure injution systems.

TIUV Sequences involving loss of offsite power, failure of all high pressure injection systems , successful depressurization, and failure of all low pressure injection systems.

sensitivity analysis. Post-initiator human actions are relatively insensitive to significant l changes in HEPs since the estimated HEPs used in IPE are generally greater than 0.1. I 1

However increasing all pre-initiator human error by a factor of 10 resulted in a total CDF value of 1.02E-04/ year. The licensee identified two events, SWP-HEEHRSV133 and SWP-HEEHRSV134, as the dominating influence for this increase. In evaluating these events the licensee determined that :he r.alculated HEP value of 3.60E-02 was in fact extremely l conservative because it does not credit independent verification of the valve position following test and maintenarce. The resultant CDF from increasing all pre-initiator other l than these two events was 2.20E-5/ year.

Table 2.4-2a lists pre-initiator and response actions included in functional sequences )

determined most important to CDF. Table 2.4-2b provides a similar listing for recovery l

actions.

Table 2-4.2a, Important Pre-initiator and Response-Type Operator Actions Operator Action Functional Import. Risk Sequence Achiev.

I Operator fails to restore SSW manual valve V-134 after TBU 0.134 test or maintenance. TBUX 0.14" TIUV 0.236 l

1 Operator fails to restore SSW manual valve V.133 after TBU 0.131 test or maintenance. TBUX 0.131 17

., o Operator fails to start the standby cooling tower fans. TBU 106 TBUX 118 TQUX 1080

'TW 1180 Operator fails to restore manual valve downstream of TBU 22.2 MOV SSA after test or maintenance. TBUX 21.9 TQUX 34.8 Operator fails to restore manual valve VI after test or TBU 14.1 maintenance. T1UX 15.2 TQUV 12.2 S2UX 0.151 127 Operator fails to depressurize the reactor vessel. T1UX 1.000 500 S2UX 0.880 . 440 -

Operator fails to restore manual valve VF036 after TQUV 12.2 maintenance. S2UX 22.4 I

Operator fails to restore manual valve VF029A after T1UV 0.239 maintenance (pump or valve) l

. Operator fails to restore manual valves V464, V465, T1UV 0.174 180 V457, V458, V459, V472, V473, or V474 after ,

' maintenance on UC6

. Operator fails to restore manual valve VF007 after T1UV 11.8 l maintenance or test. j 1

l Table 2-4,2b, Important Operator Recovery Actions Operator Action Functional Import. Risk

Sequence Achiev.

Failure to recover offsite power within one hour. TBU 0.931 T1UX 0.901 v

Failure to recover offsite power within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . TBUX 0.996 64.7 T1UV 0.137 No recovery of switchgear room within one hour TQUX 0.986 11 (opening doors). TQUV 0.639 S2UX 0.120 TW 0.887 No recovery of RPV injection via feedwater or FPW TQUV 0.622 48.2 l

, within four hours.

I No recovery of PCS/Feedwater within one hour. S2UX 0.655 j

18

o No recovery of offsite power within 2.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months T1UV 0.812 22.1 2.4.3 Enhancements and Commitments.

RBS incorporated four changes as a result of their IPE. Three changes which were incorporated and credited in the analysis deal with HRA issues, the fourth is a hardware 4

change which does not impact the HRA. All three changes associated with the HRA involved procedure modifications, namely: ,

1) Revised Abnormal Operating Procedures (AOPs) to provide enhanced guidance to operators on how to mitigate loss of control building ventilation scenarios.

2) Revised Operations Section Procedure (OSP) to require twice per shift checks of running diesel-powered IAS compressors to prevent diesel running out of fuel.

3) Identified SSW pump lock-out as an operator action which should be eliminated. l Experience with new closed-loop Normal Service Water (NSW) system demonstrated that the manual lock-out was no longer needed.

1 19

l 4

l l

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS :

1 The purpose of our document-only review is to enhance the NRC staff's ability to determine with the licensee's IPE met the intent of Generic Letter 88-20. The Generic Letter had four specific objectives for the licensee:

(1) Develop an appreciation of severe accident behavior.

(2) Understand the most likely severe accident sequences that could occur at its j plant. l (3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.

i (4) If necessar , reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that l would prevent or mitigate severe accidents. l With specific regard to the HRA, these objectives might be restated as follows:

(1) Develop an overall appreciation of human perfonnance in severe accidents; how human actions can impact positively or negatively the course of severe I accidents, and what factors influence human performance.

I (2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.

(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material !

release.

(4) Identify potential vulnerabilities and enhancements, and if necessary/ appropriate, implement reasonable human-performance-related enhancements.

The following observations from our document-only review are seen as pertinent to NRC's determination of the adequacy of the RBS submittal:

(1) The submittal and supporting documentation indicates that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

20 l

l

(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

(3) The HRA addressed pre-initiator errors in maintenance, test and surveillance actions.

Both misalignment (restoration) errors and miscalibration were considered. The processes for identification and selection, screening, quantification, and incorporation of pre-initiator errors into the IPE model were reasonable and consistent with practice in other PRAs. Numerical results are consistent with results in other PRAs. Two pre-initiator actions are identified in the licensee's sensitivity analysis as being among the most important human actions.

(4) The treatment of post-initiator human actions for transient and LOCA cases was reasonably complete and thorough. Both response-type and recovery-type actions l were included. The process for identification and selection of actions involved review ^ l of procedures'and' discussions with plant personnel. A numerical screening process was performed. Quantification of post-initiator errors appears to reasonably complete ;

and appears to have appropriately employed the chosen HRA techniques. )

Plant-specific performance shaping factors and dependencies were considered l Quantitative estimates of post-initiator human error probabilities are generally conservative with respect to results in other PRAs.

(5) The treatment of post-initiator human actions for the ATWS case include assumptions which we believe are optimistic and may have contributed to ATWS events being ;

truncated. The assumption that ARI and Inhibit of ADS may.be assumed to be memorized immediate actions which eliminates consideration of diagnosis is believed to have generated questionably low HEPs.

-(6) Insights reported by the licensee indicate that the HRA provided the licensee with an appreciation for the importance of human error to the estimated core damage and radioactive material release fractions. Human action was noted as an important contributor in the dommant sequences. Credit for human action in the recovery I analysis was noted as a significant factor in reducing the estimated core damage frequency. Importance calculations were performed which identified the most l important human error contributors.

l 21

4. DATA

SUMMARY

SHEETS Important Operator Actions / Errors:

Pre-initiator actions Operator fails to restore SSW manual valve V-134 after test or maintenance.

Operator fails to restore SSW manual valve V-133 after test or maintenance.

Operator fails to restore manual valve downstream of MOV SSA after test or maintenance.

Operator fails to restore manual valve VI after test or maintenance.

Operator fails to restore manual valve VF036 after maintenance.

Operator fails to restore manual valve VF029A after maintenance (pump or valve).

Operator fails to restore manual valves V464, V465, V457, V458, V459, V472, V473, or V474 after maintenance on UC6.

Operator fails to restore manual valve VF007 after maintenance or teot.

Post-initiator response actions Operator fails to start the standby cooling tower fans.

Operator fails to depressurize the reactor vessel.

Post-initiator recovery actions Failure to recover offsite power within one hour.

Failure to recover offsite power within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

No recovery of switchgear room within one hour (opening doors).

No recovery of RPV injection via feedwater or FPW within four hours.

No recovery of PCS/Feedwater within one hour.

No recovery of offsite power within 2.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months .

Human-Performance Related Enhancements:

1) Revised Abnormal Operating Procedures (AOPs) to provide enhanced guidance to operators on how to mitigate loss of control building ventilation scenarios.

2) Revised Operations Section Procedure (OSP) to require twice per shift checks of running diesel-powered IAS compressors to prevent diesel running out of fuel.

3) Identified SSW pump lock-out as an operator action which should be eliminated. Experience with new closed-loop NSW system demonstrated that the manual lock-out was no longer needed.

22

j REFERENCES l 1) A.D. Swain, Accident Secuence Evaluation Program Human Reliability Analysis

, Procedure, NUREGICR-4772, Sandia National Laboratories, February 1987.

2) A.D. Swain and H.E. Guttman, Handbook of Human Reliability Analysis with Emohasis on Nuclear Power Plant Aeolications, NUREG/CR-1278, Sandia National Laboratories, August 1983.

3) United States Regulatory Commission, Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, May 1985.

4) M.T. Drouin et al., Analysis of Core Damage Freauency for Internal Events: Grand Gulf. Unit 1, NUREG/CR-4550, Vol. 6, Sandia National Laboratories, April 1987.

23 .

l l

APPENDIX A l Table 2.2-1, Pre-Initiator Human Actions Event Name Description Prob.

ARI-HEECC658AF Common cause miscalibration of 2 sensors: B21-N658A/F 1.00E-02 l l

ARI-HEECC658EB Common cause miscalibration of 2 sensors: B21-N658E/B 1.00E-02 ARI-HEECC699AF Common cause miscalibration of 2 sensors: B21-N699A/F 1.00E-02 3 ARI-HEECC699EB Common cause miscalibration of 2 sensors: B21-N699E/B 1.00E-02 ARI-LESHNC699A Level transm/ sensor miscalibration (B21-N699A) 1.00E-02 ARI-LESHNC699B Level transm/ sensor miscalibration (B21-N699B) 1.00E-02 ARI-LESHNC699E Level transm/ sensor miscalibration (B21-N699E) 1.00E-02 ARI-LESHNC699F Level transm/ sensor miscalibration (B21-N699F) 1.00E-02

~

ARI-PSWHCM658A Pressure trans/ sensor miscalibration (B21-658A) 1.00E-02 ARI-PSWHCM658B Pressure trans/ sensor miscalibration (B21-658B) 1.00E-02 ARI-PSWHCM658E Pressure trans/ sensor miscalibration (B21-658E) 1.00E-02 ARI-PSWHCM658F Pressure trans/ sensor miscalibration (B,21-658F) 1.00E-02

, CSH- Common cause miscalibration of CST level sensors 5.3E-04 CCFHMCLEVEL CSH-HEEHRSV1 Operator fails to restore manual valve VI after 1.20E-03 maintenance CSH- Operator fails to restore manual valve VF036 after 1.20E-03 HEEHRSVF036 maintenance I

CSH- Operator fails to restore manual valve VF007 after 1.20E-03

HEEHRSMNTF07 maintenance ESF- Common mode miscalibration of level signals (all reactor 1.00E-05 CCFHMCLEVEL level) 24

ESF- Common mode miscalibration of pressure signals (all 5.30E-04 CCFHMCPRESS drywell press)

ESF- Common mode miscalibration of low RX pressure signals 1.00E-05 CCFHMCRXPRES i

l FPW- Operator fails to restore FPW manual valves after test or 5.30E-04 HEEHRSXOVS maintenance HVX- Common mode miscalibration of pressure sensors 5.30E-04 l CCFHMCCWPSNR )

HVX- common cause miscalibration of temperature sensors 1.00E-05 CCFHMCHVXTMP ,

)

IAS. common cause miscalibration of all three set of 5.30E-04 CCFHMCCMPTMP temperature :

ICS- Common cause miscal of HI Steam Flow instr N083A/B 5.30E-04 j CCFHMCN08384 or N084A/B ,

1 ICS- RCIC speed controller miscalibration 1.00E-05 l HEEHMCFCR600 ICS- Operator fails to restore manual valves V24 or V25 after 1.60E-03 HEEHRSMNTV45 maintenance ICS- Operator fails to restore manual valves V14 or V16 after 4.80E-03 HEEHRSMNTV46 maintenance ICS-HEEHRSV14 Operator fails to restore manual valves V14 after test 1.20E-03 RDS- Operator fails to restore manual valves VF013B after 9.70E-04 HEEHRSVF013B maintenance RHS- Operator fails to restore min flow valve F018A to open 8.00E-04 HEEHRSVF018A position RHS. Operator fails to restore min flow valve F018B to open 8.00E-04 HEEHRSVF018B position RHS- Operator fails to re:, tore manual valve VF029A after 9.70E-02 HEEHRSVF029A maintenance RHS- Operator fails to restore manual valve VF029B after 9.70E-02 HEEHRSVF029B maintenance 25

,, 1 l

l RHSDHEEHRSVF0 Operator fails to restore manual valve VF010 after test or 1.20E-03 10 maintenance RHSLHEEHRSF048 RHR Train A HX bypass valve MOV F048A is left 0.00E-00 A closed RHSLHEEHRSF048 RHR Train B HX bypass valve MOV F048B is left closed 0.00E-00 B

RHSLHEEHRSVF0 Operator fails to restore manual valve VF029C after 1.20E-04 29C maintenance RHSLHEEHRSVFO Operator fails to restore manual valve VF039A after 1.60E-03 39A maintenance l

RHSLHEEHRSVF0 Operator fails to restore manual valve VF039B after 1.60E-03 l 39B maintenance RHSLHEEHRSVF0 Operator fails to restore manual valve VF039C after 1.60E-03 39C maintenance RPS-HEEHRSCCF Human error common cause failure to restore SDV vent 1.00E-02 and RPS-HEEHRSF009 Operator fails to restore SOV F009 to open position 1.00E RPS-HEEHRSF010 Human error, fail to restore F010 to open position 1.00E-02 RPS-HEEHRSF011 Human error, fail to restore F011 to open pcsition 1.00E-02 RPS-HEEHRSF180 Human error, fail to restore F180 to open position 1.00E-02 RPS-HEEHRSF181 Human error, fail to restore F181 to open position 1.00E-02 RPS-HEEHRSF182 Operator fails to restore F182 to open position 1.00E-02 i RPS- Operator fails to drain SDV at 18 in. level 3.00E-04 HEEHRSSDVAOV RPS-HEEHRSV18 Operator fails to restore V18 in open position 1.00E-03

. SLS-HEEHRS-TEST Operator fails to restore test valves F016 & F017 or F031 2.40E-03 SLS- Operator fails to restore manual valve VF008 after 1.60E-03 HEEHRSMNT008 maintenance 26

1 SLS- Operator fails to restore manual valve VF002A or 9.70E-04 ,

HEEHRSMNT23A VF003A after maintenance SLS- Operator fails to restore manual valve VF002B or 9.70E-04 HEEHRSMNT23B VF003B after maintenance SWP-HEEHRS55A Operator fails to restore XOV downstream of FOSSA 8.00E-04 !

SWP-HEEHRS55B Operator fails to restore XOV downstream of F055B 8.00E-04 ;

l SWP- Operator fails to restore manual valves V133 and V195 1.50E-04 HEEHRSMNTGIA after SWP- Operator fails to restore manual valves V134 and Vl% 1.50E-04 HEEHRSMNTG1B after SWP- Op. fails to restore mn vivs V464,465,457,458,459, 9.70E-04

, HEEHRSMNTUC6 472, 473,4 SWP- Op. fails to restore mn vivs V468, 55, 469, 800, 801, 9.70E-04 HEEHRSMNTUC7 802,3 l

SWP- Op. fails to restore mn vivs V466,467,455,456,470, 9.70E-04 l HEEHRSMNTUC8 471,3 '

SWP- Operator fails to restore manual valves V522 & V521 9.70R-04 HEEHRSMNTUC9 after SWP- Operator fails to restore manual valve VF014A after RHR 1.50E-04 HEEHRSMRHXAC HXs maint.

SWP- Operator fails to restore manual valve VF014B after RHR 1.50E-04 HEEHRSMRHXBD HXs maint.

SWP- Operator fails to restore manual valves V537 & V538 9.70E-04 HEEHRSMTUC10 following SWP- Operator fails to restore a sufficient number of HX after 1.00E-05 HEEHRSSWCHXS BA SWP-HEEHRSV133 Operator fails to restore manual valve V133 after test 3.60E-02 SWP-HEEHRSV134 Operator fails to restore manual valve V134 after test 3.60E-02 4

SWP-HEEHRSV636 Operator fails to restore manual valve V636 after MOV- 1.60E-03 507A M 4

27

SWP-HEEHRSV637 Operator fails to restore manual valve V637 after MOV- 1.60E-03 507B M Table 2.3-1, Post-Initiator Human Actions Considered for Transient and LOCA Events.

Event Name Description Screening Prob.

ADS- Operator fails to start ADS by opening individual ADS 2.00E-03 HEEHFRINDIV valves or SRVs ARI- Conditional human error fail to insert negative reactivity 1.00E-01 HEEFFPATWSX CCP-HEEHFLV'62 Operator fails to open manual valve CCP-V62 1.67E-01 CCPHEEHPRMOV1 Operator fails to reopen CCP MOVs 163 or 169 given 1.00E-01 639 loss of RPCCW CFS- Operator fails to start unit coolers 1HVR*UCIA & 1.00E-01 HEEHFLCFSUC IHVR*UC1B CSH-HEEHFR- Failure of the operator to switch HPCS suction back to 1.00E-01 CSTRL CST l l

CSH-HEEHFRFO15 Operator fails to open valve FO15 1.00E-01 CSH- Operator fails to start HP injection 5.00E-01 HEEHIGHPRSS CSH- Operator fails to start LP injection 5.00E-01 l HEELOWPRSS j FPW- Failure of operator to follow EOP-1 Enclosure 7 1.00E-01 )

HEEHFLEOPEN7 IAS- Operator fails to place dryer 11AS-DRY 1 AB in service 1.00E-01 HEEHFLDRY1AB IAS- Operator fails to place dryer 11AS-DRY 1BB in service 1.00E-01 HEEFLDRY1BB IAS- Operator fails to place filter 11 AS-DLT2B in service 1.67E-01 HEEHFLFLT2B 28 .

y IAS- Operator fails to place filter 11AS-DLT2B in service 1.67E-01 HEEHFLFLT2B IAS- Operator fails to place filter 11AS-FLT3B in service 1.67E-01 HEEHFLFLT3B IAS-HEEHFRC4C5 Operator fails to start IAS-C4 or IAS-C5 5.00E-01 IAS-HEEHRSC4 Operator fails to refuel IAS-C4 diesel 5.00E-01 IAS-HEEHRSC5 Operator fails to refuel IAS-C5 diesel 5.00E-01 ICS- Operator fails to bypass main steam tunnel high temp 5.00E-01 HEEHBYPSTMST isolation ICS-HEEHFLF031 Operator fails switch to suppression pool 1.67E-01 ICS- Operator fails to control RCIC flow to prevent level 8 trip 1.00E-01 HEEHFRLVCTL ICS-HEEHIGHPRSS Operator fails to manually stan RCIC 5.00E-01 l MRI- Human error failure to insert negative reactivity 1.00E-01 HEEFFPATWS PCS- Operator fails to align condensate system for low pressure 1.00E-01 HEEHFRCOND RPV injection PCS- Operator fails to restan reactor feedwater pumps 1.00E-01 HEEHFRRFWPUM following plant trip ;

RDS-HEEHFRCRD Operator fails to align CRD for injection 1.00E-01 !

RHRDHEEHFRSDC Operator fails to properly align and actuate the SDC 1.00E-01 mode of RHR RHRDHEEHFRSPC Operator fails to properly align and actuate the SPC mode 1.00E 01 of RHR RPS- Conditional human error fail to insen negative reactivity 1.00E-01 HEEFFPATWSX r

(

RPS- Conditional human error fail to insen negative reactivity 1.00E-01 l HEEFFPATWSY l

29

.- . - . - - - ~.. -- .-._ . -. - - ..._- -. . . . . - . . - . - . . _ - - . ..-..

F t

RPS- Operator fails to drain SCV at level 5.7 in. 3.00E-02 HEEHFRSDVAOV SLS-HEEHFR-SLS Operator fails to initiate SLS 1.00E-01 SWP- Operator fails to unlock and start SSW after an initiator 1.00E-00 HEEHFLUNLOCK SWP- Operator fails to open SWP-MOV55A before air 1.00E-01 HEEHFLVF055A depletion to AOV599 SWP- Operator fails to open MOVs 504A(B) or 510A(B) given 1.00E-01 HEEHFR5104AB loss of RPCCW SWP- .

O

' perator fails to open the RHR HX coolant injection 1.00E-01 HEEHFRF068AB valves IE12*MOV68A/B i

SWP- Operator fails to start the standby cooling tower fans 1.00E-05 HEEHFRSCTFAN ;

SWP- Operator fails to inject coolant into the RPV using SSW 1.00E-01 HEEHFRSSWINJ flow r

t 30

,

ML20129A864

Text

SUMMARY

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search