NPSAG RAPPORT

Transcription

1 NPSAG RAPPORT Evaluation of Existing Applications and Guidance on Methods for HRA EXAM-HRA HRA Application guide NPSAG Report Gunnar Johanson, Sandra Jonsson 1 Kent Bladh, Tobias Iseland and Karl-Henrik Karlsson, 2 Anders Karlsson, Julia Ljungbjörk 3 Günter Becker 4 Lasse Tunturivuori 5 Markus Porthin 6 Anders Olsson 7 Jörg Böhm 8 1 ÅF Industry 2 Vattenfall 3 Forsmark NPP (FKA) 4 RISA 5 Olkiluoto NPP (TVO) 6 VTT 7 Lloyd's Register Consulting 8 Mühleberg NPP (KKM) Nordiska PSA Gruppen (NPSAG) är samarbete för forskning och utveckling inom PSA-relaterade frågor vid de nordiska kärnkraftverken

2

3

4 Issued by Sandra Jonsson Reviewed by Anna Georgiadis Approved by Gunnar Johansson Distribution Sign Sign Sign REPORT Document-ID Project number Client RAB, FKA, SSM HRA APPLICATION GUIDE Summary: This report is intended to provide guidance of the scope of HFEs (human failure event) to include in the HRA (human reliability analysis) applications in a plant specific PSA level 1 or 2 in order to improve the consistency of in-depth HRA and HEP (human error probability) assessment. Accordingly, this report is the result of performed survey and case studies in the EXAM-HRA project and presents an overview of operator actions represented by HFEs which are recommended to be covered in an HRA. The HRA application evaluation includes the following tasks: - By using the results from the survey of existing applications, an HRA application framework can be presented where for each HFE a context description can be formulated. This to provide a framework for screening and identification of candidate HFEs, including examples from the survey. Here a categorisation of the actions must be performed the in order to identify groups of operator action to compare. The initial grouping is based on action type, i.e. pre initiator (type A), initiator (type B) or post initiator (type C). - By using the check list developed in the project to assess the rationale for inclusion or exclusion of actions in the PSA model in question. The check list can be used initially as a part of the PSA model development or at a later stage as a part of a PSA model review. The application guide can be used as a tool for identification. By following the guide means are provided to get an understanding of how the HFE scope has been defined and how analysed operator actions have been chosen This document or any part of it may not be copied without permission of client or ÅF 1 (43)

5 R E V I S I O N S Ver. Cause / Reviewed pages Issued by Reviewed/Reg.no. Approved 1.0 New report SJ AG/ GJ New report/tables without numbers SJ AG/ GJ 2 (43)

6 LIST OF CONTENT LIST OF CONTENT... 3 REFERENCES BACKGROUND INTRODUCTION HFE CONTEXT DESCRIPTIONS CHECK LIST FOR REASONING FOR INCLUSION OR EXCLUSION OF ACTIONS HFE CONTEXT DESCRIPTION ACTION TYPE A PRE INITIATOR ACTION TYPE B INITIATOR ACTION TYPE C POST INITIATOR Connection to safety function Operating mode Level 1 and level 2 PSA HRA APPLICATION FRAMEWORK FOR PRE-INITIATORS LATENT ERRORS DEPENDENCIES HRA APPLICATION FRAMEWORK FOR INITIATORS LOCA/LEAKS Faulty opening of valve During work Valve opens due to misstake during test LOCAs due to Faulty maintenance Faulty handling of sealing PLugs/bottles/flanges Leakage through heat exchanger Faulty inspection PRESSURE EVENTS Pressure relief system Cold pressurization Faulty Alignment of systems/high temperature Faulty maintenance leading to pressure event or leak HEAVY LOAD DROP LOSS OF SYSTEM FUNCTION (43)

7 5.4.1 Loss of systems FAULTY LOADING OF FUEL HRA APPLICATION FRAMEWORK FOR POST-INITIATORS REACTIVITY CONTROL Manual actions regarding reactivity Boration after recriticality Manual Scram Failure to activate boron injection INTEGRITY OF RCPB Stop main feed water Isolation of main steam Isolation of Steam lines to ECCS/AFW EMERGENCY CORE COOLING Closing of containment air lock Flushing of strainers Manual activation of external water supply Manual activation of external water supply Feeding via pump seal/ rod lubrication Manual depressurization of RPV Manual actuation ECCS/AFW Regulate water level in RPV, power operation Regulate water level in RPV, shutdown Manual activation of dilution feed functions Manual restart of main feed water/auxiliary feed water Filling reactor pool with external water Core reflood RESIDUAL HEAT REMOVAL Manual restoration of residual heat removal Manual restoration of residual heat removal Flooding of containment with external water source Forced cooling with reactor water cleanup system manual activation of residual heat removal system at high pressure Manual activation of spray system Manual opening of containment pressure relief valve Closing of safety and pressure relief valves (43)

8 6.4.9 Manual connection of residual heat removal heat exchanger Residual heat removal using fuel pool cooling and cleanup system Feeding fuel storage pool using RHR system Feeding fuel storage pool using external water supply CONTAINMENT INTEGRITY Containment venting PSA level Containment venting, PSA level Containment isolation, PSA level Containment isolation, PSA level Containment water filling PSA level Containment water filling PSA level Containment spray Lower drywell flooding Stop of containment water filling Manual action after external pipe rupture (several systems) OTHER Failed activation of standby service/secondary water pump Failed restart of shutdown cooling water system /secondary water pump Failed local start of standby service/secondary water pump Failed manual actions regarding sea/river water inlet to ensure service cooling water Switch from diesel grid to external network Diesel activation from main control room Diesel activation from local control room Diesel activation from the diesel room fails Manual activation of gas turbines Connection of mobile generator Manual start of compressors in nitrogen system Manual connection of pressurized air network Failed manual isolation of leak CONCLUSIONS (43)

9 REFERENCES [1] SSM FS 2008:17 The Swedish Nuclear Power Inspectorate s Regulations concerning the Design and Construction of Nuclear Power Reactors [2] IAEA Safety standards series Safety of Nuclear Power Plants: Design Requirements No. NS-R-1 [3] ES-konsult report Survey regarding operator actions across six plant specific PSAs from Germany, Sweden and Finland [4] Draft EXAM HRA Case study C.13 Loca during shutdown [5] EXAM-HRA Case study C.0 - Closing of containment AirlockVTT-R , 2011 [6] EXAM HRA Case study C.2 External water supply, Scandpower Report R-003, version U1 [7] EXAM HRA Case study C.1p Manual Restoration of Residual Heat Removal System during full power operation, Scandpower Report R-001, version U2 [8] EXAM HRA Case study C.1s Manual Restoration of Residual Heat Removal System during shutdown conditions, Scandpower Report R-002, version U1 [9] EXAM HRA Case study C.7/C.13 - Containment water filling, C.7 - PSA level 1 / C.13 - PSA level 2. VTT-R [10] EXAM HRA Case study C.10 - Assessment of manual depressurization of the containment (venting). RISA Report nr Berlin (43)

10 1 BACKGROUND This report is part of the reporting of the EXAM-HRA project. In the project human reliability analysis (HRA) applications in existing probabilistic safety assessment (PSA) studies are assessed. The overall project objective is both to provide guidance for a state of the art HRA for purposes of PSA, to ensure that plant specific properties are properly taken into consideration in the analysis, and to give insights for potential plant improvements. This report is intended to provide guidance of the scope of humna failure events to include in the HRA applications in a plant specific PSA level 1 or 2 in order to improve the consistency of in-depth HRA and HEP assessment. HFE stands for human failure event and in the context of PSA it can be represented by a basic event, which stands for the failure of a task, which will lead to one of, or even both, of the following consequences: Degradation (latent failures) or unavailability of a system/function required for mitigation An initiating event Sometimes, a task is split into more than one basic event (diagnosis / decision making and implementation). The table of candidate HFEs presented in the survey report [3] has been used to develop this guidance document on HRA application scope. Accordingly, this report is the result of performed survey and case studies in the EXAM-HRA project and presents an overview of operator actions represented by HFEs which are recommended to be covered in an HRA. 7 (43)

11 2 INTRODUCTION This report should be considered as a guidance document of the evaluation process when selecting HFEs to be included in the scope of HRA applications. In this section an introduction to the evaluation process is presented and in the subsequent sections each task within the process is described in detail as well as results of the tasks. The HRA application evaluation includes the following tasks: - By using the results from the survey of existing applications, an HRA application framework can be presented where for each HFE a context description can be formulated. This to provide a framework for screening and identification of candidate HFEs, including examples from the survey. - By using the check list to assess the rationale for inclusion or exclusion of actions in the PSA model in question The application guide can be used as a tool for identification. By following the guide means are provided to get an understanding of how the HFE scope has been defined and how analysed operator actions have been chosen. 2.1 HFE CONTEXT DESCRIPTIONS The aim of the HFE context description is to give an understanding of the plant model and the preconditions for a specific operator action and aims at reaching an understanding of when and why the manual action is required. In sections 4-6 the HRA application framework from the different plants have been compiled into an overall scope, i.e. list of HFEs, with a HFE context description of how other plants have done it: - What is the operating mode? - After which initiating event is the action considered? - What is the overall task to be performed? - In what scenario context does the action appear, i.e. when is the action relevant? - HRA/HFE, definition of operator action 2.2 CHECK LIST FOR REASONING FOR INCLUSION OR EXCLUSION OF ACTIONS A practical tool in form of a checklist has been developed in the project, see Table 1. This check list shall be used for checking the rationale for inclusion or exclusion of actions in the PSA models. The idea here is that an evaluation of the scope of HRA application is performed based on the check list and applied on each operator action identified in the project survey. The check list can be used initially as a part of the PSA model development or at a later stage as a part of a PSA model review. In section 4-6 the outcome of the survey and case studies performed in the project is presented which consists of lists of HFEs. These lists can be seen 8 (43)

12 as recommendations of HFEs that should be covered in an HRA in order to reflect the plant features as good as possible. Why excluded? Reasons relating to plant design. Action not possible in specific plant design. Action is possible, but time is too short. Action is possible, but it is too complex to benefit from. Reasons relating to PSA concept. Action is not credited, because it is a backup to an automatic activation. Action is not credited, because it goes into an "and-gate" with some other event with low probability. Action is neglected, because it goes into an "or-gate" with some other event with large probability. Action is not credited, because it is known not to contribute to PSA results. Action is not included into the model to keep PSA logic simple. Action is beyond scope of PSA. Reasons relating to methodological constraints. Action is not credited due to lack of written procedures. Action is not credited, because the method used is not applicable (e.g. too many skill based or knowledge based aspects). Action is not credited, because too little is known about the context, or the context is too variable to obtain a probability value. Action is not credited, because it would yield too small total HRA contribution to a SINGLE minimal cut set. Administrative reasons. Action could have been credited, but there was lack of time. Action could have been credited, but there was lack of other resources. None of the above; please specify. Table 1. Check list for reasoning. 9 (43)

13 3 HFE CONTEXT DESCRIPTION In order to identify groups of operator action to compare, some kind of categorisation must be performed. In the case studies, all participating plants have submitted information regarding operator actions which is used for grouping and selection of actions for further evaluation. The completed survey has been reviewed during work group meetings, giving all participants the opportunity to give some explanation and input regarding the different operator actions. The survey contains information about unit, basic event ID and basic event description for all operator actions and for each action the following information (if applicable) is submitted: - Action type, i.e. pre initiator (type A), initiator (type B) or post initiator (type C) action - Operating mode - PSA level 1 or level 2 - Connection to initiating event (only initiators) - Connection to safety function (only post initiators) - HEP - Importance measure In this report limited information about the operator actions is presented and complete information can be found in the survey report [3]. 3.1 ACTION TYPE A PRE INITIATOR Pre initiator actions are such actions where equipment availability is degraded during for example testing and maintenance. The error is not immediately exposed but leads to affected function of the system whenever it is needed. Hence, the error can be latent for long time without notice. A framework regarding selecting pre initiators is presented in section ACTION TYPE B INITIATOR Initiator actions are directly causing or contributing to an initiating event. Initiator actions are therefore grouped based on what type of initiating event they contribute to, instead of categorising according to safety functions. A framework regarding selecting initiators is presented in section ACTION TYPE C POST INITIATOR Post initiator actions are such actions that occur after the initiating event. The actions can both aggravate and improve the situation. 10 (43)

14 The categorisation for post initiator actions is based on safety functions, as for the pre initiator actions. However, for post initiator actions additional sub categorisation is performed when applicable according to the IAEA safety function as described in section Table 2. A framework regarding selecting post initiators is presented in section CONNECTION TO SAFETY FUNCTION In order to categorise post initiator operator actions to specific safety functions it is essential to define the safety functions. The safety function categorisation is performed based on five main categories [1]: 1) Reactivity control 2) Integrity of reactor coolant pressure boundary 3) Emergency core cooling 4) Residual heat removal 5) Containment function 1 An additional main category named 6) Other, including safety functions such as pneumatic and electrical power supply, is added. These six categories have been further specified with the help of IAEAs list of safety functions [2], see Table 2. 1 REACTIVITY CONTROL 11 to prevent of unacceptable reactivity transients 12 to maintain the reactor in a safe shut down condition after all shutdown actions 13 to shut down the reactor as necessary to prevent anticipated operational occurrences from leading to design basis accident and to shut down the reactor to mitigate the consequence of design basis accidents 14 to maintain sufficient subcriticality of fuel stored outside the reactor coolant system but within the site 2 INTEGRITY OF REACTOR COOLANT PRESSURE BOUNDARY 21 to maintain the integrity of the reactor coolant pressure boundary 3 EMERGENCY CORE COOLING 31 to maintain sufficient reactor coolant inventory for core cooling in and after accident conditions not involving the failure of the reactor coolant pressure boundary 32 to maintain sufficient reactor coolant inventory for core cooling in and after all PIE considered in the design basis 1 For BWR the containment function refers to containment leaktightness function and pressure suppression function. For PWR the containment function refers to leaktightness function only. 11 (43)

15 33 to maintain acceptable integrity of the cladding of the fuel in the reactor core 4 RESIDUAL HEAT REMOVAL 41 to remove heat from the core 2 after a failure of the reactor coolant pressure boundary in order to limit fuel damage 42 to remove residual heat (see footnote 2) in appropriate operational states and accident conditions with the reactor coolant pressure boundary intact 43 to remove decay heat from irradiated fuel stored outside the reactor coolant system but within the site 5 CONTAINMENT FUNCTION 51 to limit the release of radioactive material from the reactor containment in accident conditions following an accident 52 to limit the radiation exposure of the public and site personnel in and following design basis accidents and selected severe accidents that release radioactive materials from sources outside the reactor containment 53 to limit the discharge or release of radioactive waste and airborne radioactive materials to below prescribed limits in all operational states 6 OTHER 61 to transfer heat from other safety systems to ultimate heat sink 3 62 to ensure necessary services (such as electrical, pneumatic, hydraulic power supplies, lubrication) as a support function for safety system 63 to prevent the failure or limit the consequences of failure of a structure, system or component whose failure would cause impairment of a safety function 64 to maintain control of environmental conditions within the plant for the operation of safety systems and for habitability for personnel necessary to allow performance of operations important to safety 65 to maintain control of radioactive releases from irradiated fuel transported or stored outside the reactor coolant system, but within the site, in all operational states Table 2. Definition of safety functions according to SSM and IAEA. 2 This safety function applies to the first step of the heat removal system(s). The remaining step(s) are encompassed in safety function (61). 3 This is a support function for other safety systems when they must perform their safety functions. 12 (43)

16 3.3.2 OPERATING MODE The following operating modes are used for categorisation of the initiators post initiators: - Power operation - Startup - Transition to shut down (shutting down?) - Shut down (cold shut down?) - Refuelling LEVEL 1 AND LEVEL 2 PSA The post initiators are categorised to PSA level 1 or level 2. The level 1 PSA is the part of the PSA which aims at quantifying the core damage frequency (CDF). The level 2 PSA is the part of the PSA which aims at quantifying the frequency of radioactive release. Level 1 PSA is used as input to level 2 PSA. 13 (43)

17 4 HRA APPLICATION FRAMEWORK FOR PRE- INITIATORS The pre initiators are often very common in the PSAs, representing several hundred basic events. Therefore, a more general case study of pre initiators has been performed where a group of pre initiators has been looked into regarding how they have been selected and treated. The following groups of pre initiators were included in the study: Latent errors Dependencies 4.1 LATENT ERRORS Pre initiators are latent errors and many of them originate from human errors during maintenance work. Maintenance personnel, site technicians and/or contractors as well as control room staff are involved in the events that may cause pre initiators. The latent errors can be divided into different categories such as: misalignments, faulty calibration and reparation. The selection process starts by identifying critical objects, e.g. in an FMEA. From these lists objects that are relevant for an error, e. g. misalignments, are collected. Then the barriers from making this error latent are identified. The barriers can be broken down as follows: 1. The alignment itself, normally including a number of (local) independent checks. 2. Signals, alarms or other forms of information in the control room that can reveal the error. 3. Function testing: operability verification, integral testing, tech spec testing. 4. Function testing during operation The barriers are considered to be independent.e.g. a latent misalignment error is thus considered possible if the alignment fails and the subsequent checks fail and information is missed or not present in the control room and function testing is missed or not present. Some plants consider pre initiators relatively thoroughly, while others have no explicit analysis of pre initiators. The reason behind this difference is different assumptions regarding testing before start-up, where testing is either seen to prevent pre initiators from happening at all, or is only seen as a kind of barrier in the models as described above. In the first case the risk introduced by pre initiators could implicitly be seen as part of basic event frequencies. 14 (43)

18 4.2 DEPENDENCIES Dependencies between actions are considered in different ways.dependency between human errors in maintenance actions can mean two things: 1. Human error probability can decrease after a person who has committed a human error notices it, and alters his way of working 2. Human error probability can increase after a person learns the wrong way of performing the action and continues to make errors. Actions which have immediate feedback, like leaving a valve which has a main control room indicator in the wrong position after maintenance, are of type 1, above. Cases where there is no immediate feedback are of type 2. Analysis of human common cause failures consists of two stages; qualitative analysis and quantitative analysis. The first stage in the qualitative analysis is the identification of possible dependencies in human actions, and the second stage is the identification of possibilities to notice the dependencies. A simplified method for systematic misalignment can be used. Dependency is for instance considered for the same object in different subdivisions. Location (same room?), person of shift (same person/shift?) and the use of checklists are also considered. Identified dependencies are modelled in fault trees. This might be conservative, since these dependencies in some sense are considered in the CCF contributions. On the contrary it may be non-conservative if there are several sequential basic events representing human actions appearing as independent barriers in a sequence of events, a so called cut set. In order to evaluate if there are several basic events representing human actions related to one scenario, the cut set list can be used as a tool to identify possible candidates for dependency analysis with respect to HRA. 15 (43)

19 5 HRA APPLICATION FRAMEWORK FOR INITIATORS Initiator actions have been subject for in-depth assessment within EXAM HRA phase initiator actions have been collected in the survey and the five case studies presented within EXAM HRA covers approximately 26 of these. The following initiating event groups are to be discussed: LOCA/leaks Pressure events Heavy load drop 5.1 LOCA/LEAKS Loss of system function Faulty loading of fuel FAULTY OPENING OF VALVE DURING WORK Plants consider faulty opening of valve during work on other systems causing leakage from reactor vessel as initiator and it is considered during cold shutdown. Systems where this failure mode is applied are main feedwater, auxiliary feedwater system, boron injection system or standby liquid control system, shutdown cooling system and low pressure coolant injection system. The expected frequency for failed action is in the observed applications between 2,0E-03 and 8,0E-04 per year, see the table below. Unit Basic event ID Operator action/ Basic event modeled Expected value Faulty opening of valve Leakage from reactor vessel due to faulty opening of valve during work on system 327 (auxiliary feedwater system) Leakage from reactor vessel due to faulty opening of valve during work on system 351 (boron injection system or standby liquid control system) Leakage from reactor vessel due to faulty opening of valve during work on feedwater Leakage from reactor vessel (outside the containment) due to faulty opening of valve during work on system 321 (shutdown cooling system) Leakage from reactor vessel due to faulty opening of valve during work on feedwater Leakage from reactor vessel due to faulty opening of valve during work on system 321 (shutdown cooling system) Leakage from reactor vessel due to faulty opening of valve during work on system 323 (low pressure coolant injection system) Leakage from reactor vessel due to faulty opening of valve during work on system 327 (auxiliary feedwater system) 16 (43)

20 Leakage from reactor vessel due to faulty opening of valve during work on system 351 (boron injection system or standby liquid control system) Leakage from reactor vessel (outside the containment) due to faulty opening of valve during work on system 321 (shutdown cooling system) VALVE OPENS DUE TO MISSTAKE DURING TEST Plants consider that the inner steam isolation valve opens due to mistake during hermetic testing when outer isolation valve is in an unwarranted open state. The expected frequency for failed action is in the observed applications between 1,0E-05 and 1,0E-06 per year, see the table below. Unit Basic event ID Operator action/ Basic event modeled Expected value Inner steam isolation valve opens due to misstake during hermetic testing when outer isolation valve is in an unwarrented open state LOCAS DUE TO FAULTY MAINTENANCE Plants consider small and large, top and bottom LOCAs due to human errors when performing maintenance on different systems, for example maintenance on RC pump, control rod drive and valves in shutdown cooling system. The expected frequency for failed action is in the observed applications between 3,0E-04 and 1,0E-07 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Initiating event small bottom LOCA due to human errors when performing maintenace Initiating event large top LOCA due to human error when performing maintenance Initiating event medium top LOCA due to human error when performing maintenance Initiating event small top LOCA due to human error when performing maintenance Initiating event Large Bottom LOCA due to human errors when performing RC pump maintenance Initiating event Large Bottom LOCA due to human errors when performing maintenance on valve 321V1 (RHR) Initiating event medium size bottom LOCA due to human errors when performing control rod drive maintenance FAULTY HANDLING OF SEALING PLUGS/BOTTLES/FLANGES Plants consider faulty installation of sealing bottles for the probe of the core instrumentation. Due to faulty installation of sealing bottles plants also consider the possibility that the bottles will fall or are destroyed by objects on the turn disc of the control rod drive changing machine. Plants also consider faulty installation of sealing plugs when performing maintenance on RC pump. The expected frequency for failed action is in the observed applications between 1,0E-03 and 1,0E-07 per year, see the table below. 17 (43)

21 Unit Basic event ID Operator action/ Basic event modelled Expected value Faulty installation of "sealing bottles" (Swedish: tätflaskor) for the probe of the core instrumentation Faulty installation of "sealing bottles" (Swedish: tätflaskor) for the probe of the core instrumentation "Sealing bottles" (Swedish: tätflaskor) for probes (n units) fall or are destroyed by objects on the "turn disc" (Swedish: vridskiva) of the control rod drive changing machine Faulty installation of "sealing bottles" (Swedish: tätflaskor) for the probes of the core instrumenation Faulty installation of "sealing bottles" (Swedish: tätflaskor) for the probes of the core instrumenation "Sealing bottles" (Swedish: tätflaskor) for probes (n units) fall or are destroyed by objects on the "turn disc" (Swedish: vridskiva) of the control rod drive changing machine Control rod drive disassembled with the control rod drive housing not sealed with control rod or plug Control rod drive disassembled with the control rod drive housing not sealed with control rod or plug Faulty handling of sealing plug or unwarrented opening of sealing flang for recirculation pump Faulty handling of sealing plug or unwarrented opening of sealing flang for recirculation pump LEAKAGE THROUGH HEAT EXCHANGER Plants consider human errors leading to leakage through heat exchanger (recirculation pump) with plug and shaft disassembled. The expected frequency for failed action is in the observed applications between 1,0E-05 and 1,0E-06 per year. Unit Basic event Id Operator action/basic event modelled Expected value Leakage through heat exchanger (recirculation pump) with plug and shaft disassembled FAULTY INSPECTION One plant considers the initiating event of a large bottom LOCA due to human errors while performing inspection on 313 nozzles. The expected frequency for failed action is in the observed applications between 1,0E-05 and 1,0E-06 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value 5.2 PRESSURE EVENTS Initiating event Large Bottom LOCA due to human errors performing inspection on 313 nozzle PRESSURE RELIEF SYSTEM Plants consider maintenance on the pressure relief system without the sealing plug installed. The expected frequency for failed action is in the 18 (43)

22 observed applications between 2,0E-05 and 4,0E-06 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Maintenance work on system 314 (pressure relief system) starts before the sealing plug is installed Maintenance work on system 314 (pressure relief system) starts before the sealing plug is installed Maintenance work on steam isolation valve starts before the sealing plug is installed Faulty loading of fuel assembly in supercell where the control rod is in an out position COLD PRESSURIZATION Plants consider human errors leading to cold pressurization of RPV when filling with water prior to lift of RPV lid. The expected frequency for failed action is in the observed applications between 1,0E-06 and 1,0E-08 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Cold pressurization of RPV when filling with water prior to lift of RPV lid. Unwarrented start of feedwater causing top filling and cold pressure build-up of RCPB FAULTY ALIGNMENT OF SYSTEMS/HIGH TEMPERATURE Plants consider human alignment errors leading high temperature in cooling water circuits caused by recirculation. The expected frequency for failed action is in the observed applications between 1,0E-01 and 1,0E-03 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value High temperature in cooling water circuits caused by recirculation FAULTY MAINTENANCE LEADING TO PRESSURE EVENT OR LEAK Plants consider maintenance on the pressure relief system and/or on steam isolation valve before the sealing plug is installed. The expected frequency for failed action is in the observed applications between 5,0E-03 and 2,0E- 05 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Faulty handling of maintenance work on steam isolation valve Faulty handling of maintenance work on steam isolation valve Maintenance work on system 314 (pressure relief system) starts before the sealing plug is installed Maintenance work on system 314 (pressure relief system) starts before the sealing plug is installed Maintenance work on steam isolation valve starts before the sealing plug is installed 19 (43)

23 5.3 HEAVY LOAD DROP Plants consider several initiating events related to heavy load drop. For example upper head, containment dome, steam separator, moisture separator, core shroud head or pool barriers. Due to faulty installation of sealing bottles plants also consider the possibility that the bottles will fall or are destroyed by objects on the turn disc of the control rod drive changing machine. The expected frequency for failed action is in the observed applications between 1,0E-06 and 1,0E-08 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Falling steam separator, moisture separator or core shroud head Falling of two types of removable pool barriers (Swedish: sättlucka and skivport) in the reactor service room Falling upper head Lift of sealing plug with faulty shear bolt Initiating event heavy load drop Falling steam separator, moisture separator or core shroud head Falling of two types of removable pool barriers (Swedish: sättar and skivportar) in the reactor service room Falling upper head or containment dome 5.4 LOSS OF SYSTEM FUNCTION LOSS OF SYSTEMS Plants consider loss of systems due to erroneous disconnection or failure to start and connect systems. Systems where this failure mode is applied are main feedwater, auxiliary feedwater system, shutdown cooling system and fuel pool cooling and cleanup system. The expected frequency for failed action is in the observed applications between 3,0E-02 and 1,0E-06 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Failing of system 321 (shutdown cooling system) (phase 1 and 6) Failing of system 321 (shutdown cooling system) (phase 2) Failing of system 321 (shutdown cooling system) (phase 3 and 5) Failing of systems 321/324 (shutdown cooling system/fuel pool cooling and cleanup system) (phase 4.2) Failing of systems 321/324 (shutdown cooling system/fuel pool cooling and cleanup system) (phase 4.2) Failing of system 324 (fuel pool cooling and 20 (43)

24 cleanup system) (pool cooling) Failing of system 321 (shutdown cooling system) Failing of system 321 (shutdown cooling system) (phase 2 and 6) Failing of system 321 (shutdown cooling system) (phase 3 and 5) Failing of systems 321/324 (shutdown cooling system/fuel pool cooling and cleanup system) (phase 4.2) Failing of systems 321/324 (shutdown cooling system/fuel pool cooling and cleanup system) (phase 4.2) Failing of system 324 (fuel pool cooling and cleanup system) (pool cooling) Failure to start and connect RHR (321) for cooling. Erroneous disconnection of MFW (415) without having connected AFW (329) No manual start and connection of RHR (321) in combination with to early disconnection of condenser 5.5 FAULTY LOADING OF FUEL Plants consider faulty loading of fuel assembly. The expected frequency for failed action is in the observed applications between 1,0E-05 and 1,0E-06 per year, see the table below. Unit Basic event ID Operator action/ Basic event modelled Expected value Faulty loading of fuel assembly in supercell where the control rod is in an out position. Faulty loading of fuel assembly in supercell where the control rod is in an out position. 21 (43)

25 6 HRA APPLICATION FRAMEWORK FOR POST- INITIATORS Post initiator actions have been subject for in-depth assessment within EXAM HRA phase 1 and post initiator actions have been collected in the survey and the six case studies presented within EXAM HRA covers approximately 280 of these in more detail. The following safety functions are to be discussed: Reactivity control Integrity of RCPB Emergency core cooling Residual heat removal Containment integrity Other 6.1 REACTIVITY CONTROL MANUAL ACTIONS REGARDING REACTIVITY To avoid recriticality a certain reactivity margin has to be ensured after the Xenon poisoning of the core has depleted. Manual actions regarding reactivity is credited during cold shut down and are related to PSA level 1. Plants consider failed actions regarding reactivity after the initiating event. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-01, see the table below. Failed actions regarding reactivity Failed actions regarding reactivity BORATION AFTER RECRITICALITY Boration after recriticality is credited during power operation and is related to PSA level 2. The expected probability for failed action is in the observed applications high although it is dependent of the time. Boration after recriticality Time window dependent (function p(t), t is a continuous variable) MANUAL SCRAM Manual scram is credited during power operation and is related to PSA level 1. The manual scram is credited as backup in various cases where the automatic signals have failed. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-01, see the table below. 22 (43)

26 Failed manual scram at emergency tripping of the turbine Manual scram activation within 2 minutes FAILURE TO ACTIVATE BORON INJECTION Failure to activate boron injection is credited during power operation and is related to PSA level 1. Plants consider failure to manually initiate boron injection, for example in case of incomplete reactor shutdown. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-02, see the table below. No manual start of boron injection. No manual initiation of boron injection in case of incompletet reactor shutdown (ATWS) Failure to activate boron system within 2 minutes 6.2 INTEGRITY OF RCPB STOP MAIN FEED WATER Manual stop of main feed water is credited during power operation and is related to PSA level 1. Plants consider failure to manually stop feed water system in case of uncontrolled feedwater injection. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-02, see the table below. Failure to manually stop feed water system at initiating event TZ (uncontrolled feedwater injection) ISOLATION OF MAIN STEAM Manual isolation of main steam lines is credited during power operation and is related to PSA level 2. Plants consider failed manual isolation of main steam line isolation valves in situations in case of external leaks. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-02, see the table below. No manual isolation of main steam line isolation valves (MSIV) ISOLATION OF STEAM LINES TO ECCS/AFW Manual isolation of steam lines to ECCS/AFW turbine driven pumps is credited during power operation and is related to PSA level 2. Plants with steam driven pumps consider failed manual activation of isolation chain in order to isolate steam lines to ECCS and AFW in case a steam line break in the auxiliary building. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-02, see the table below. 23 (43)

27 No manual activation of isolation chain in order to isolate steam lines for ECCS and AFW (turbine driven) 6.3 EMERGENCY CORE COOLING CLOSING OF CONTAINMENT AIR LOCK Closing of containment air lock is credited during cold shut down and refueling and is related to PSA level 1. The lower air lock is normally open during overhaul shutdown. In case of leak occurs inside containment below the reactor core, closing the lower airlock in a timely fashion is an important action. During critical outage work the airlock is monitored by a person trained to close the airlock, or the airlock is closed. After a not isolated leakage beneath core level, closing of the lower containment air lock is required to stabilize the situation. Closing of the lower containment air lock is also a relevant measure for leakages above core level, if the leakage point is within the containment. The measure stops the flow from the containment and helps to secure the water balance in the condensation pool. Depending on the initiating event the human action of closing the airlock has different success criteria. A larger leak will require the door to be closed within a shorter time window. The time windows considered for success range from 1 minute to 14 hours. Very large bottom leak has a time window of 1 minute, after which closing the airlock will likely be unsuccessful due to the water flow keeping the door open. The expected probability for failed action in the observed applications varies a lot dependent on case and the available time, between 1,0E-00 and 1,0E-04, see the table below. See EXAM HRA case study [5] for further details. closing containment airlock Failed closing of lower containment air lock door during large water flow Failed closing of lower containment air lock door during small water flow Failed water filling of the containment or closing of the upper containment air lock door at high break flow Failed water filling of the containment or closing of the upper containment air lock door at medium break flow Failed action regarding system 328 (condensation (suppression) pool) hatches, large bottom LOCA Failed action regarding system 328 (condensation (suppression) pool) hatches, medium bottom LOCA Failed action regarding system 328 (condensation (suppression) pool) hatches, small bottom LOCA Failed closing of lower containment air lock 24 (43)

28 door during large water flow Failed closing of lower containment air lock door during small water flow Failed water filling of the containment or closing of the upper containment air lock door during large water flow Failed water filling of the containment or closing of the upper containment air lock door during small water flow Failure to close wetwell doors Failure to close wetwell doors Containment lower airlock closure fails Containment lower airlock closure fails Containment lower airlock closure fails Containment lower airlock closure fails Containment lower airlock closure fails Containment lower airlock closure fails Containment lower airlock closure fails Containment upper airlock closure fails Containment upper airlock closure fails Failure to open gate Failure to close fuel storage pool gate Failure to close fuel storage pool gate Failure to close fuel storage pool gate Failure to close fuel storage pool gate FLUSHING OF STRAINERS Flushing of strainers is credited during power operation and is related to PSA level 1. Flushing of strainers is credited in the event of an internal pipe break and to prevent clogging of strainers in the condensation pool. Plants consider failed reverse flow flushing within 20 hours after the initiating event or failure to manually connect external water source to ECCS to back flush. The expected probability for failed action is between 3E-04 and 8E- 03, see the table below. Failed reverse flushing within 20 hours after initiating event Failed reverse flushing of pump suction strainer in system 323 (low pressure coolant injection system). DI For internal pipe break, loss of manual activation of back flushing of strainers in ECCS and containment spray system (CS). Failure to manually connect external water source to ECCS (backflushing) MANUAL ACTIVATION OF EXTERNAL WATER SUPPLY Manual activation of external water supply is credited during power operation and is related to PSA level 1. The type of scenarios that are evaluated here are related to PSA Level 1 but are still somewhat of SAMG (Severe Accident Management) in their nature. The SAMG nature is in the sense that the operator will try their last option to prevent a core damage to occur by using "un-clean water" (fire water, sea water, river water) and feed it into the RPV/primary system or the condensation pool (and from there it might be transferred to the RPV/primary system) in a feed and bleed sequence. The expected 25 (43)

29 probability for failed action in the observed applications varies a lot dependent on case and the available time, between 1,0E-00 and 1,0E-04, see the table below. See EXAM HRA case study [6] for further details. feeding with mobile pump from the elbe river into the reactor vessel using TH pipes (low pressure system) feeding with a mobile pump from the deionate container into the reactor vessel using TH pipes (low pressure system) feeding with a mobile pump from the deionate container into the reactor vessel using TF pipes (low pressure system) feeding with mobile pump from the deionate container into the reactor vessel using feed water pipes Failed manual start of extra circuit in system 732 (demineralization plant) Failed manual switch of buffer tank TD802 or 803. DI 'Auxiliary water into condensate system fails within 15 minutes 'Auxiliary water into condensate system fails within 20 minutes 'Auxiliary water into condensate system fails within 2 hours Activation of pump 733P2 manually fails 'Feeding of additional water from the demineralization plant fails within 2,5 horus 'Initiation of filling demineralized water tanks firefighting water is not initiated within 16 hours 'Initiation of filling demineralized water tanks firefighting water is not initiated within 4 hours MANUAL ACTIVATION OF EXTERNAL WATER SUPPLY Manual activation of external water supply is credited during shut down and is related to PSA level 1. Plants consider feeding the reactor vessel from the water grid or from the sea or river with a mobile pump. The expected probability for failed action is in the observed applications high, between 1,0E-00 and 1,0E-02, see the table below. feeding the reactor vessel from the water grid or from the elbe river with a mobile pump FEEDING VIA PUMP SEAL/ ROD LUBRICATION Feeding via pump seal/rod lubrication is credited during power operation or shut down and is related to PSA level 1. Plants consider feeding the reactor vessel with recirculation pump seal water and control rod drive lubrication water when other ways to feed the primary circuit are lost. The expected probability for failed action is in the observed applications between 1,0E-01 and 1,0E-03, see the table below. feeding the reactor vessel with recirculation pump seal water and control rod drive lubrification water feeding into the reaction vessel with RS control 26 (43)

30 rod drive lubrification water system feeding into the reactor vessel with TE system 7,90E MANUAL DEPRESSURIZATION OF RPV Manual depressurization of RPV is credited during power operation or shut down and is related to PSA level 1. Plants consider failure to manually depressurize RPV with different time windows between 5 minutes to 16 hours. It is also possible to manual open valves to regulate the water level in the reactor tank or manually unburden water with blowdown system. The expected probability for failed action in the observed applications varies depending on case and the available time, between 1,0E-01 and 1,0E-04, see the table below. Failed manual switch TB2 (manual forced blowing) Failed TB3-TB4 switch. ASI DI-3037 part 2.3, mainitaining level; within 5 minutes. Failed TB3-TB4 switch. ASI DI-3037 part 2.3, maintaining level; within 90 minutes Manually open valves to regulate water level in reactor tank and manually unburden water with blowdown system (314) Depressurization of the primary circuit Manual depressurization fails, 15 min Manual depressurization fails, 16 h Manual depressurization fails, 2 h Manual depressurization fails, 30 min Manual depressurization fails, 7 h in IRT-1A MANUAL ACTUATION ECCS/AFW Manual actuation of ECCS/AFW is credited during power operation, refuelling and shut down and is related to PSA level 1. When the automatic signal is missing it is possible to start (locally and manually) auxiliary feed water. It is also possible to manual start AFW from the control room when automatic start signal is missing. Plants also consider failure to activate ECCS/AFW manually under different time windows between 15 minutes to 2 hours. The expected probability for failed action in the observed applications varies depending on case and the available time, between 1,0E- 01 and 1,0E-03, see the table below. start up of a TH train (low pressure system) in the function core flooding switch TH trains to "soll kernfluten" (small leak in the wetwell) Local and manual start of auxiliry feed water, when automatical signal is missing. Manual start of AFW system from the control room, when there is no automatic start signal. Manual activation (327/323) fails within 2 hours Manual activation (327/323) fails within 30 minutes Manual activation (327/323) fails within 60 minutes Manual activation (327/323) fails, over 2 27 (43)