ML20267A194
| ML20267A194 | |
| Person / Time | |
|---|---|
| Issue date: | 09/23/2020 |
| From: | Susan Cooper, Carmen Franklin Office of Nuclear Regulatory Research |
| To: | |
| Sean Peters, Carmen Franklin | |
| Shared Package | |
| ML20267A193 | List: |
| References | |
| Download: ML20267A194 (30) | |
Text
FLEX HRA USING IDHEAS-ECA Dr. Susan E. Cooper and Carmen Franklin, NRC/RES ACRS PRA Subcommittee Meeting September 23, 2020
Todays Agenda
- Summary of Technical Approach
- Key Resources
- Key scope and limitations
- Scenario Development
- Scenarios and Quantification Results
- Insights and Lessons Learned
- Next steps?
2
Project Objectives
- 2. Use IDHEAS-ECA
- To assess the HFEs in FLEX and non-FLEX scenarios
- Evaluate the ECA software tool 3
Underlying Objectives
- Develop a set of credible HRA/PRA scenarios involving the use of FLEX equipment
- Develop sufficiently detailed qualitative HRA analysis inputs
- Facilitate a face-to-face workshop
- Obtain feedback from both NRC and industry HRA analysts 4
Technical Approach
- Identify and collect information on FLEX strategies, equipment and associated operator actions
- Identify HRA analysts to represent both NRC and industry to participate in this project
- Identify FLEX and operational experts to assist in the development and assessment of FLEX scenarios and associated operator actions
- Develop credible HRA/PRA scenarios involving the use of FLEX equipment 5
Technical Approach (continued)
- Identify and define human failure events (HFEs) associated with using FLEX equipment in each scenario
- Develop qualitative HRA analysis inputs for each HFE that is sufficiently detailed to support HRA quantification
- Train HRA analysts on IDHEAS-ECA prior to the workshop
Key Resources
- Prior studies, e.g.,
- NRCs Expert Elicitation project and report
- EPRIs FLEX Human Reliability Analysis (HRA) for Diverse and Flexible Strategies (FLEX) and Use of Portable Equipment (EPRI 3002013018)
- FLEX Overview meeting
- Industry reports related to FLEX implementation and training
- Plant site visits
- FLEX and operational experts 7
Key Resources (continued)
Technical Support Staff HRA Analysts Susan Cooper - NRC Frank Arner - RI Michelle Kichline - NRC Mark Averett, Florida Power & Light Matt Humberstone- NRC John Bretti - Entergy Mary Presley - EPRI Scott Freeman - RII Kaydee Gunter - Jensen Hughes Owners Group Support Chris Hunter - NRC/RES Greg Krueger - BWR (NEI)
Roy Linthicum - PWR (Exelon)
FLEX & Operations Experts Phil Amway - Exelon Randy Bunt - Southern Company Frank Gaber - Palo Verde Josh Miller - NRC Sue Sallade - Exelon William Webster, Dominion BWR & PWR site staff Jim Lynde - Exelon 8
Key Scope and Limitations Three factors influenced the scope and limitations of this research effort:
- 1. Technical requirements for developing credible HRA/PRA scenarios,
- 2. Available resources (e.g., calendar time, personnel, existing technical inputs),
and
- 3. Project schedule Some key limitations for this project include:
- There were no existing PRAs that were directly relevant to the scenarios
- There were no existing technical calculations to support realistic definitions of some HRA/PRA success criteria.
- A PRA was not developed to support this effort.
- Existing HRA-relevant information for FLEX strategies (e.g., FLEX validation times) was not developed to support PRAs. As a result, some of this information may be conservative for HRA/PRA purposes.
- HRA analysts participating in this effort had limited time outside the FLEX HRA Workshop to perform HRA quantification with IDHEAS-ECA.
9
Scenario Development
- Principal objective and predominant effort was to develop scenarios that:
- Were sufficiently detailed to support HRA quantification
- Mostly representative of a specific NPP
- Reflected the understanding of FLEX strategies and equipment gained from plant site visits and FLEX and operations experts
- Were accepted and understood by all participating HRA analysts
- FLEX and operational experts provided inputs throughout project (e.g., before, during, and after plant site visits)
- HRA analysts participated in development by:
- Attending plant site visits (most attended at least 1 NPP visit)
- Reviewing plant site visit notes
- Reviewing and discussing which scenarios and associated HFEs to develop
- Reviewing and discussing scenario descriptions
- Using scenario descriptions to develop human error probabilities (HEPs) with IDHEAS-ECA in face-to-face workshop at NRC (December 2019) 10
Scenario Development (continued)
- Three scenarios and associated human failure events (HFEs) developed:
- Non-FLEX scenario for PWR: Loss of all feedwater
- Non-FLEX scenario for PWR: SBO with pre-staged FLEX Plus diesel generators
- Because scenario-specific PRAs were not available, PRA work also was necessary (e.g., definition of HRA/PRA success criteria)
- Bulk of scenario description was developed and provided to HRA analyst prior to face-to-face workshop
- Some additional details were discussed and identified during the workshop (with assistance of attending FLEX and operations experts) 11
Scenario Development (continued)
- Scenario descriptions consisted of:
- Assumptions (general and scenario-specific)
- High-level description
- Event tree(s) and fault tree (s) (if available/applicable)
- Scenario script, timeline, and/or procedure path
- Relevant procedures (e.g., EOPs, FLEX Support Guidelines (FSGs))
- Timing information (e.g., times developed for FLEX validations)
- Key operator actions and associated HFEs
- Description of HFEs
- Variations on scenario/HFEs (if applicable)
- Relevant HRA-insights (from plant site visit notes or FLEX/ops expert inputs)
- Assumptions/information were especially important
- Focused on FLEX-related actions only 12
Scenarios and Quantification Results
- Plant site visits
- Summary scenario descriptions
- Human failure events (HFEs)
- Key assumptions and information
- Quantification Results 13
- Beyond-design basis external event (BDBEE) - seismic event (i.e., no debris removal required)
- Key information/assumptions:
- 1 (of 2) emergency diesel generator (EDG) is out-of-service for maintenance
- Plant-specific procedural guidance in EOP for the loss of offsite power
- EOPs - flowchart format with different sheets for different numbers of EDGs running
- Simulator training provided; Systematic Approach to Training (SAT) used to develop content and frequency (consistent with other EOP-driven operator actions)
- Consensus on details (e.g., how many times will they try to start failed EDG?)
- Implemented standardized FLEX connections and simple-to-use FLEX equipment, systematic approach to training (SAT) for FLEX actions, etc.
- HFEs:
- Operators fail to declare extended loss of AC power (ELAP)
- Operators fail to perform FLEX DC load shed
- Operators fail to deploy FLEX diesel generator (DG)
- Operators fail to perform containment venting 14
FLEX Scenario for a BWR (continued)
Operators fail to declare ELAP
- Base case (Case #1):
- Short battery life
- Prominent Note defines ELAP: Extended loss of AC power exists when it is expected that no 4 kV bus will be re-powered within one hour - considered explicit guidance
- Severe BDBEE with severe and wide-spread damage
- Other power options clearly unavailable
- Variations:
- Case #2: Severe BDBEE; longer battery life => IF AC power cannot be restored within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, declare ELAP within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of losing all AC power - considered ambiguous
- Case #3: Same as Case #2, but less severe event, less obvious when power can be restored
- HEP results:
- Base case (explicit guidance): 1.1E-3 to 2.7E-3*
- Variation #1 (judgment required): 1.1E-3 to 3E-2
- Variation #2 (judgment and less severe event): 1.6E-3 to 1E-1
- One analyst explicitly made certain choices for this HFE only and case to illustrate a point about difficulty in making choices within the method; range of results for this analyst was 1.4E-1 to 1.5E-1 15
FLEX Scenario for a BWR (continued)
Operators fail to perform FLEX DC load shed
- Key information:
- EOP sheet for ELAP clearly identified FLEX load shed as a priority
- FSG provides procedural guidance for this action
- Relatively few breaker manipulations are required
- Blue FLEX tag identifies breakers that require manipulation
- Procedure checkoff mimics panel layout 20 critical manipulations
- Overall, action is similar to SBO load shed (except fewer manipulations &
better human factors) - could be supported better than SBO load shed(!)
- Important note: Success criteria for this operator actions is unclear (e.g.,
failure would not occur if 1-2 loads are missed)
FLEX Scenario for a BWR (continued)
Operators fail to deploy FLEX DG
- Two critical tasks: 1) fail to transport and 2) fail to connect and start
- Key information:
- Transport vehicles are staged for departure, have hard cards for operation, and require only journeyman level of experience to operate
- Standardized and color-coded connections; push button operation for FLEX DG
- Field operator training content and frequency developed per SAT
- HEP range:
- Fail to transport: 1E-3 to 3E-3
- Fail to connect and load: 1E-3 to 1.2E-2 17
Non-FLEX Scenario for PWR: Loss of All Feedwater Initiating event followed by loss of feedwater after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
- Key information/assumptions:
- NPP has only 2 motor-driven auxiliary feedwater pumps (AFW);
- 1 AFW pump is unavailable due to maintenance
- All 4 condensate pumps fail
- FLEX pump deployment takes 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (i.e., FLEX validation time is realistic)
- If 1 AFW pump runs for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> before failure, there is >1 hour until feed-and-bleed criteria are reached (i.e., action is feasible)
- Loss of heat sink procedure (FR-H.1) is modified to include use of FLEX pump
- Integrated into simulator training
- Procedure guidance is salient and unambiguous (e.g., no instructions in NOTES or CAUTIONS; any instructions in a CAUTION do not have operators skipping procedure steps)
- One HFE: Operators fail to initiate use of FLEX pump
- Cognitive portion only: Operators fail recognize need for FLEX pump 18
Non-FLEX Scenario for PWR: Loss of All Feedwater (continued)
- HEP results: 1.7E-3 to 1.6E-2
- Actual instruction in modified FR-H.1 was placed in CAUTION prior to step
- If at any time it has been determined that restoration of feed flow to any SG is untimely or may be ineffective in heat sink restoration, then the AF crosstie should be implemented per Step 5 (Page 8).
- Other cues available, but unclear based on available information if sufficient time was available to get to those steps
- HRA analysts preferred to evaluate case using assumption rather than actual instruction:
- More plant-specific information would have been required to address actual situation
- Likely, the actual situation would have resulted in higher HEPs (because of ambiguity in cues, judgment required, instructions in a CAUTION)
- Time reliability results were not captured, but Time Available was assumed for this scenario in absence of scenario and plant-specific thermal-hydraulic calculations.
19
FLEX Scenarios: Insights and Lessons Learned
- In most cases, FLEX validations and integrated timelines are sufficient to demonstrate HRA feasibility
- Some difficulty with FLEX actions that are taken on side-wide basis, but are modeled by HRA/PRA for a single unit
- At present, debris removal is outside preview of HRA
- Important to understand and represent P-S implementation of FLEX because FLEX actions can be different than what is typically modeled in HRA/PRA, e.g.,
- How is decision to declare ELAP supported (especially compared to other decisions made within EOPs)?
- How is FLEX DC load shed supported (especially as compared to SBO DC load shed)?
- Have industry-wide recommendations for FLEX implementation been followed (e.g., was systematic approach to training used for FLEX actions)?
- What actions need only a journeyman skill set (and associated training)?
- Does recent operating experience support assumptions that FLEX equipment is easy to operate?
20
FLEX Scenarios: Insights and Lessons Learned (continued)
- Because most HRA methods are designed to represent in-control room, licensed operator actions taken using EOPs, HRA analysts must appropriately interpret their understanding of FLEX when using most HRA quantification tools, e.g.,
- How cut-and-dried has the decision to declare ELAP been made in procedures and training? (Or, are operators given flexibility, introducing some ambiguity or competing goals?)
- Has SAT been used to develop training? Does the simplicity of the action compensate for less training than traditionally acceptable for HRA/PRA?
Can operator interviews, walkdowns, etc. verify?
- How to assess actions that require only a journeymans skillset (and may not be performed by an operator, e.g., FLEX equipment transport)?
- What do reviewers need as justification for HRA modeling and quantification choices?
- In this effort, IDHEAS-ECA provided reasonable results 21
Non-FLEX Scenarios: Insights and Lessons Learned
- Non-FLEX scenarios are likely to very plant-specific, starting with what initiating event and plant function or system are important, e.g.,
- An NPP with extra FLEX diesel generator capability might focus on station blackout scenarios
- Lessons learned may not be sufficient to address future non-FLEX scenario needs
- Important for HRA, PRA, and FLEX experts to work together determine new event tree branches, end states, and associated timing, e.g.,
- What is success? Does it align with existing HRA/PRA definitions?
- Under what conditions could success be claimed for deploying a FLEX pump in a feed-and-bleed scenario?
- New thermal-hydraulic analyses may be needed to support new event tree branches or end states when crediting FLEX equipment
- Assumptions were used in place of plant-specific T-H calculation for NRCs FLEX HRA effort 22
Non-FLEX Scenarios: Insights and Lessons Learned (continued)
- FLEX timing information is NOT likely to be sufficient to demonstrate feasibility
- Timing for most traditional PRA scenarios (e.g., time to core damage, time to feed-and-bleed criteria) is shorter than for most FLEX scenarios
- Are the cues for using FLEX equipment unique?
- Or, are they the same as others already addressed in EOPs?
- Are cues supposed to result in BOTH normal control room response AND implementation of FLEX?
- If so, what compensatory measures are used to BOTH assure normal MCR operator response AND response to use FLEX equipment?
23
Non-FLEX Scenarios: Insights and Lessons Learned (continued)
- Important to understand plant-specific approach (continued):
- How does decision to use FLEX equipment compare to other decisions in EOPs?
- IF xxx, THEN yyy?
- Or, more operator flexibility (and ambiguity)?
- How is decision to use FLEX equipment supported, e.g.,
- Are formal procedures used (with associated formatting and syntax)?
- Are instructions are in main body procedure (rather than NOTES)?
- NRCs HRA for non-FLEX used scenarios modified from original P-S design
- HRA analysts were more comfortable with modified scenarios because HFE characteristics were more like with typical HFEs and increased likelihood for operator success
- Could original scenarios been assessed?
- How would they be assessed with HRA?
- Are two non-FLEX scenarios sufficient to identify HRA modeling needs?
- What do reviewers need as justification for HRA modeling and quantification choices?
24
Next steps?
- FLEX understood better from HRA/PRA perspective
- Would be good to capture this understanding
- There are context-specific factors that need to be addressed differently than for traditional HRA/PRA
- More guidance could be helpful (generally for HRA and specific to IDHEAS-ECA)
- More example scenarios with different plant details?
- Review and assess feedback from:
- Effort to apply IDHEAS-ECA to FLEX
- NEI FLEX Summit
- ACRS PRA Sub-Committee meeting 25
BACKUP SLIDES 26
Plant Site Visits
- Two plant site visits:
- BWR: September 17-19, 2019
- PWR: October 2-3, 2019
- Instrumental to understanding FLEX strategies and equipment:
- an opportunity to review site-specific FLEX procedures and walkdowns of FLEX strategies, equipment, staging locations, and operator actions
- a basis for comparison to operator actions modeled in internal event Level 1 HRA (i.e., traditional HRA) and post-core damage response using Severe Accident Management Guidelines (SAMGs) and Extensive Damage Mitigation Guidelines (EDMGs)
- confirmation of the importance how FLEX strategies have been implemented (e.g., industry-wide standardization of fittings, color-coding of electrical cables, simple-to-use design of FLEX equipment)
- a vehicle for HRA analysts (both NRC and industry) to form a common understanding of FLEX strategies, equipment, and associated operator actions
- an opportunity for HRA analysts to communicate face-to-face with FLEX experts who have a broader knowledge of FLEX strategies
- a transparent means of collecting and interpreting HRA-relevant information, regardless of HRA quantification method, on FLEX strategies, associated equipment and operator actions 27
Plant Site Visits (continued)
- Information gathered:
- Plant-specific notes and combined notes
- HRA/PRA insights
- Basis for FLEX and non-FLEX scenarios:
- Direct inputs for FLEX scenario development and HRA quantification
- Understanding of FLEX strategies, equipment, and FSGs and how they might be integrated into EOPs 28
Non-FLEX Scenario for PWR: Station Blackout with pre-staged FLEX diesel generators Initiating event response to non-FLEX SBO with 1 EDG out-of-service for maintenance: Use Pre-Staged FLEX Plus DGs instead of declaring ELAP
- Key information/assumptions:
- 1 EDG out-of-service for long-term maintenance; 2nd EDG fails to start
- Long battery life
- 3 FLEX Plus DGs pre-staged to replace EDG
- Contingency plan formalizes guidance on putting FLEX Plus DGs into service
- Written with formatting and logic similar to EOPs (e.g., IF THEN)
- Clear cues for implementation
- Contingency plan briefed every shift
- Field operator designated to perform necessary actions; available 24/7
- Sufficient time for actions (without needing formal ELAP declaration)
- Extra, reactor operator (RO) is designated to implement
- HRA analysts identified loading FLEX Plus DGs as another part of larger HFE but decided not to address due to lack of plant-specific information or applicable general information.
29
Non-FLEX Scenario for PWR: Station Blackout with pre-staged FLEX diesel generators (continued)
- HEP results: 1.1E-3 to 2.5E-2
- HRA analysts preferred to evaluate case using assumption rather than actual situation:
- More plant-specific information would have been required to address actual situation, e.g.,
- simulator observations of how contingency plan is implemented in parallel with normal initiating event response
- Operator interviews on response to cue that prompts entry to both SBO procedure and contingency plan
- Likely, the actual situation would have resulted in higher HEPs 30