ML20246G438
| Person / Time | |
|---|---|
| Issue date: | 01/11/2022 |
| From: | Jeffrey Mitman NRC/NRR/DRA/APOB |
| To: | |
| Mitman J | |
| Shared Package | ML21347A990, ML20246G434 |
| References | CN 22-001, DC 20-028 |
NRC INSPECTION MANUAL APOB
INSPECTION MANUAL CHAPTER 0308 ATTACHMENT 3 APPENDIX G
TECHNICAL BASIS FOR SHUTDOWN OPERATIONS SIGNIFICANCE DETERMINATION PROCESS
Effective Date: Upon Issuance
Issue Date: 01/11/22 i
0308 Att 3 App G
Table of Contents
0308.03G-01 PURPOSE
0308.03G-02 INTRODUCTION
02.01 Model Scope
02.02 Limitations of Shutdown Risk Analysis Model
0308.03G-03 CHARACTERIZATION OF SHUTDOWN OPERATIONS
0308.03G-04 SHUTDOWN INITIATING EVENTS
0308.03G-05 SHUTDOWN INITIATING EVENT FREQUENCIES
0308.03G-06 EVENT TREE MODELS
06.01 Overview
06.02 Event Tree Success Criteria
06.03 General Description/Philosophy for Event Trees
06.03.01 LOLC Event Trees (PWRs Only)
06.03.02 LOI Event Trees
06.03.03 LORHR Event Trees
06.03.04 LOOP Event Trees
0308.03G-07 HUMAN ERROR PROBABILITIES (HEPs)
07.01 Basis for HEPs used in the IEL Tables
07.02 General Discussion for HEPs Used in Worksheets
07.02.01 BWR HEPs Definitions and Characterizations
07.02.02 PWR HEPs Definitions and Characterizations
0308.03G-08 REFERENCES
0308.03G-09 : Revision History
0308.03G-01 PURPOSE
The purpose of this basis document is to provide background information for the probabilistic risk assessment (PRA) models used to develop IMC 0609 Appendix G, Attachment 3 for boiling water reactors (BWRs) and the associated BWR shutdown template, and Attachment 2 for pressurized water reactors (PWRs) and the associated PWR shutdown template.
0308.03G-02 INTRODUCTION
Studies conducted from the late 1980s onward indicate that core damage frequencies during shutdown are comparable to risks at-power. Results from EPRI 1003465 (Low Power and Shutdown Risk Assessment Benchmarking Study) are reproduced below in Tables 1 and 2. These tables document shutdown analysis from 2002 and illustrate this insight. The BWR in the EPRI study was a dual unit General Electric BWR 4, and the PWR was a dual unit Westinghouse four-loop plant. US plant availability has increased substantially over the subsequent decades, decreasing the time spent in shutdown. The average refueling outage duration in 2019 was 36 days. In addition, industry has placed additional attention on shutdown risk with the implementation of NUMARC 91-06 (Guidelines for Industry Actions to Assess Shutdown Management), 10 CFR 50.65(a)(4) (i.e., the maintenance rule) and Generic Letter 88-17 (Loss of Decay Heat Removal - 10 CFR 50.54(f)). The risk during outages is not equally distributed, as much of the risk is concentrated early in the outage during periods of comparably low reactor coolant system (RCS) water levels. The IMC shutdown models used in the procedure account for those drivers of shutdown risk, i.e., time after shutdown, water level, and equipment availability. The above insights are also true for new reactor designs (AP1000 Design Certification Document, PRA Results and Insights Chapter 59).
Table 1 Typical BWR Risk Results
Notes:
- 1) Baseline configuration has all equipment available.
- 2) The actual outage configurations were analyzed with two decay heat removal means available.
- 3) From EPRI 1003465, Low Power and Shutdown Risk Assessment Benchmarking Study, Table 3-7.
Table 2 Typical PWR Outage Risk Results
Notes:
- 1) Baseline configuration has all equipment available.
- 2) The actual outage configurations were analyzed with two decay heat removal means available.
- 3) The 6 below the flange risk levels are higher than the midloop levels because of slightly different equipment configurations and slightly different outage timings.
- 4) From EPRI 1003465, Low Power and Shutdown Risk Assessment Benchmarking Study, Table 3-3.
02.01 Model Scope
This methodology covers shutdown operations, which begin when the licensee has met the entry conditions for residual heat removal (RHR) or decay heat removal (DHR), and RHR/DHR cooling has been initiated, and end when the licensee is heating up and RHR has been secured. It focuses on reactor shutdown operations when more than one used fuel assembly (i.e., an assembly that contains fission products and thus decay heat) is in the reactor vessel. This methodology does not apply to a reactor containing no used fuel assemblies nor to the spent fuel pool. During core offloading, shuffling, or reloading, the number of used fuel assemblies in the reactor can be less than a full core; thus, the decay heat level in the reactor is correspondingly decreased. As the decay heat levels decrease, the time to boil and the time to core uncovery decrease and, therefore, so does the probability of core damage. Thus, if an analysis is required when the number of used bundles in the core has been reduced from a full core complement, the corresponding risk should also be reduced.
Once the plant's temperature and pressure are greater than the RHR entry conditions, a severe accident during this configuration is expected to produce a plant response that is bounded by the plant response to full power initiating events. For deficiencies occurring above the RHR entry conditions, the at-power Significance Determination Process (SDP) tools should be used, acknowledging: (1) decay heat is less compared to full power, potentially allowing more time for operator recovery, (2) some mitigating systems may require manual operation versus automatic operation, and (3) some containment systems may not be required to be operable, potentially increasing the likelihood of containment failure.
This approach does not address positive reactivity insertion issues during shutdown. Examples of these issues include inadvertent control rod withdrawals or boron dilution events (EPRI NSAC-164L, Guidelines for BWR Reactivity Control during Refueling, and EPRI NSAC-183, Risk of PWR Inadvertent Criticality during Shutdown and Refueling). Thus, reactivity issues should be referred to headquarters personnel for resolution.
02.02 Limitations of Shutdown Risk Analysis Model
Three approaches for shutdown risk analysis are used to evaluate shutdown conditions in this methodology. Two templates were developed - one for a BWR and a second one for a PWR. For the AP1000, an advanced PWR, a third approach was used. This will be discussed further below. The BWR and PWR templates are simplified tools that generate an order-of-magnitude assessment of the risk significance. They are intended to be conservative with the expectation that a conservative analysis will appropriately screen many if not most situations to Green, and those that do not screen to Green will be given a more comprehensive and realistic evaluation. However, experience using these methods shows that the templates are not always conservative. Thus, the analyst must approach the task with judgement and deviate from the methods when it is obvious that the methods are not conservative.
The templates were developed considering the features of a General Electric BWR 4 - Mark I plant and a Westinghouse 4-loop PWR, respectively. However, they can be used for different plant classes as long as the analyst considers each system and strategy that can be used to maintain the shutdown key safety functions, such as the ability to: maintain/recover decay heat removal, maintain RCS level control, maintain RCS pressure control, and maintain containment closure capability (the key safety function of containment closure applies to PWRs only).
This generic tool could not include plant specific mitigating features because they vary between licensees and outages. Therefore, the analyst must consider the licensee's outage-specific mitigation capability.
Since the template was developed based on maintaining key shutdown safety functions, it does not provide any information on system dependencies. The analyst should refer to the plant specific at-power SPAR model and associated material for a better understanding of the plant specific system dependencies. However, the analyst should consider additional dependencies for additional systems/functions not needed at full power (e.g., alternating current (AC) power for PWR containment closure). In addition, the analyst also has to consider whether a support system is needed for the supported system at shutdown. For example, in a PWR, is component cooling water (CCW) required for high pressure injection pump bearing and motor cooling if the pump is pumping relatively cool water (< 120 °F)?
Because the NRC has a shutdown SPAR model for the AP1000, a template approach for the AP1000 was not necessary. Thus, for the AP1000 the approach for shutdown analysis is similar to the approach found in IMC 0609, Appendix A for at-power issues where the SPAR model is used for screening and detailed analysis.
In a detailed risk evaluation (DRE), herein referred to as a Phase 3 evaluation, condition issues are assessed by quantifying a degraded condition and subtracting from it the base (i.e., undegraded) quantification. In these Phase 2 evaluations the base, undegraded condition is not quantified. Instead, the degraded quantification is considered to be the final value. This is justified for two reasons. First, this Phase 2 evaluation is intended to be a conservative screening evaluation. Second, during the development of these shutdown worksheets the base configuration risk was considered to be sufficiently small that it could be ignored.
Likewise, for event analysis where the issue at hand causes the initiation of an event (e.g., a loss of shutdown cooling occurs), this methodology sets the initiating event likelihood (IEL) to zero (0), which is equivalent to setting the initiating event frequency in a traditional PRA to True. Then the method calculates a conditional core damage probability (CCDP). As with condition issues discussed in the previous paragraph, no base quantification is subtracted from the calculated CCDP; that is, the quantified CCDP is taken as the final result.
During PWR outages there is a widespread understanding that the RCS should never be placed in a configuration where there is a large cold leg opening (e.g., a steam generator cold side primary manway removed, or a cold leg valve disassembled) without the presence of a large hot leg opening (note that openings on the pressurizer are usually not sufficient). This type of configuration is exceedingly risky, as a loss of shutdown cooling could lead to rapid RCS pressurization that could eject RCS inventory through the cold leg opening and cause core uncovery, in a worst case in a matter of minutes after core boiling initiates. Even with this widespread knowledge of the risks involved, the NRC is aware of one planned (but not executed) forced outage. If the analyst encounters this configuration, i.e., a planned or executed outage with a large cold leg opening and no large hot leg opening, a Phase 2 analysis should not be performed; instead, a Phase 3 analysis should be conducted by an analyst familiar with the corresponding thermal hydraulic complexities (NUREG/CR-5820, Consequences of the Loss of Residual Heat Removal Systems in Pressurized Water Reactors).
0308.03G-03 CHARACTERIZATION OF SHUTDOWN OPERATIONS
The risk significance of an inspection finding at shutdown depends on the plant configuration. To account for the plant's changing configuration and decay heat level during shutdown, this PRA model parses an outage into plant operational states (POSs) and time windows (TWs). The plant response to a loss or interruption of RHR is assumed to remain constant during a given POS. TWs are used to separate POSs occurring early in the outage when decay heat is high from POSs occurring late in the outage when decay heat levels are comparatively low.
Figure 1 (in IMC 0609 Appendix G, Attachment 2 for PWRs and Attachment 3 for BWRs) defines the POSs and time windows. It also illustrates the relationship between the POSs and the modes defined in the Technical Specifications (TSs). The POSs and TWs are defined as follows:
POS 1
This POS starts when the RHR and/or decay heat removal (DHR) system is placed in service.
For BWRs the vessel head is on and the RCS is closed such that an extended loss of the DHR function without operator intervention could result in an RCS re-pressurization above the shutoff head for the RHR pumps. This POS typically begins in TS mode hot shutdown and extends into cold shutdown. During this POS the RCS is not vented, thus credit is given for systems requiring steam. Note before core reload an open BWR head vent of four inches is not sufficient to prevent RCS repressurization, thus if this is the plant configuration, the POS 1 worksheets should be utilized.
For PWRs the RCS is closed such that a steam generator(s) could be used for decay heat removal if the secondary side of each steam generator(s) has sufficient inventory to be considered available as a heat sink. The RCS may have a bubble in the pressurizer. This POS ends when the RCS is vented such that the steam generators cannot sustain core heat removal. This POS typically includes Mode 4 (hot shutdown) and portions of Mode 5 (cold shutdown).
POS 2
For BWRs this POS represents the shutdown condition when (1) the vessel head is removed, and the reactor pressure vessel water level is less than the minimum level required for movement of irradiated fuel assemblies within the reactor pressure vessel as defined by TSs OR (2) the vessel head is on; however, a sufficient RCS vent path exists for decay heat removal. This POS typically begins in cold shutdown and extends into the beginning of refueling mode. Note before core reload an open BWR head vent of four inches is not sufficient to prevent RCS repressurization, thus if this is the plant configuration, the POS 1 worksheets should be utilized.
For PWRs this POS starts when the RCS is vented such that: (1) the steam generators cannot sustain core heat removal and (2) a sufficient vent path exists for feed and bleed. This POS includes portions of Mode 5 (cold shutdown) and Mode 6 (refueling). Reduced inventory operations and midloop operations with a vented RCS are subsets of this POS.
Note that an open pressurizer power operated relief valve(s) (PORV) is not sufficient to prevent repressurization before core reloading, thus if this is the plant configuration, the POS 1 worksheets should be utilized. Also note, that issues occurring during vacuum refill of the RCS require use of the PWR POS 1 event trees.
POS 3
This POS represents the shutdown condition when the reactor pressure vessel water level is equal to or greater than the minimum level required for movement of irradiated fuel assemblies within the reactor pressure vessel and primary or secondary containment as defined by TSs. This POS occurs during refueling mode (Mode 5 for BWRs and Mode 6 for PWRs).
Early Time Window (TW-E) - This time window represents the time before POS 3 is entered. The decay heat is relatively high. The reactor is either in POS 1 or 2. If the outage being analyzed is not a refueling outage, then this time window is always used.
Late Time Window (TW-L) - This time window represents the time after POS 3 is entered. The decay heat is relatively low. The reactor is either in POS 1 or 2. If the outage being analyzed is not a refueling outage, then this time window is not used.
The above definitions of the POSs and TWs can be used to address different types of plant shutdowns, e.g., refueling outage, planned maintenance outage, and an unplanned outage.
Depending on the type of outage and its duration, the POSs and TWs can be identified from the above list. For example, all POSs and both TWs will apply to a refueling outage. Only POS 1 and TW-E may apply to non-refueling outages.
NOTE: The operator credits in the SDP worksheets are given for TW-E. The same worksheets can be used for TW-L except the credits for operator response may need to be changed to account for the longer operator response time. Detailed instructions are given in Chapter 6.0 of this appendix.
0308.03G-04 SHUTDOWN INITIATING EVENTS
An initiating event at shutdown is defined as an event that causes a loss or interruption of the shutdown cooling function. This template considers the three internal initiators known to dominate internal-event shutdown risk based on the Grand Gulf Shutdown PRA (NUREG/CR-6143) and the Surry Shutdown PRA (NUREG/CR-6144). The following are the initiating events considered, with their applicability to the three POSs.
Loss of RHR (LORHR)
This initiating event category includes losses of RHR/DHR resulting from failures of the RHR system (such as RHR/DHR pump failure) or failures of the RHR support systems (such as loss of cooling to RHR heat exchanger and loss of AC or direct current (DC) power). Loss of offsite power is treated as a separate initiator. This category also includes interruptions of RHR caused by spurious Engineered Safety Features and Auxiliary System (ESFAS) signals such as RHR suction valve closure.
This initiating event category is always considered for POS 1 and POS 2.
This category is usually not considered applicable to POS 3 because with the reactor head removed and the RCS cavity/canal flooded the time to core damage is extensive, typically 24 hours or greater, and operator success is expected in these long durations. However, in unusual circumstances this initiator should be applied to POS 3. Examples where it should be considered include circumstances where: 1) The time to core damage is greater than 24 hours, but the probability of non-recovery of RHR/DHR is significant, i.e., greater than about 1%; 2) For PWRs only, the upper internals have not been removed and these internals may be restrictive (see NUREG/CR-5820, Consequences of the Loss of RHR systems in PWRs (1992), Section 2.5 for a discussion of this issue). Contact headquarters for support.
Loss of Offsite Power (LOOP)
This initiating event category covers losses of offsite power at shutdown which cause an interruption of core cooling by RHR, and operator action is needed to restore RHR.
This initiator category is always considered for POS 1 and POS 2. This category is usually not considered applicable to POS 3 because with the reactor head removed and the RCS cavity/canal flooded the time to core damage is extensive, typically 24 hours or greater, and operator success is expected in these long durations. However, in unusual circumstances this initiator should be applied to POS 3. Examples where it should be considered include circumstances where: 1) The time to core damage is greater than 24 hours but the probability of non-recovery of RHR/DHR is significant, i.e., greater than about 1%; 2) For PWRs only, the upper internals have not been removed and these internals may be restrictive (see NUREG/CR-5820, Consequences of the Loss of RHR systems in PWRs (1992), Section 2.5 for a discussion of this issue); 3) If a LOOP should cause a loss of the refueling cavity seal due to a loss of a support system (e.g., instrument air), then this issue should be evaluated using the associated POS 2 LOOP worksheets. Contact headquarters for support.
Loss of Reactor Inventory (LOI)
This initiating event category includes losses of RCS inventory that lead to a loss of RHR due to isolation of RHR on low reactor level (BWR) or loss of RHR pump suction (PWR). Many of these flow diversions are caused by improper alignment of valves. This initiator category is considered for all POS groups including POS 3 because even with the reactor head removed and the RCS cavity/canal flooded the time to core damage can be relatively short due to the loss of water caused by this initiator.
Loss of Level Control (LOLC) (PWRs only)
This initiating event category includes: (1) the operator overdrains the RCS while lowering water level for midloop operations such that the RHR function is lost, and (2) the operator fails to maintain level control and/or RHR flow control while in midloop such that the RHR function is lost. This initiator is considered going into or during midloop operations only.
Other initiators may merit discussion and consideration. BWR examples include freeze seal issues on piping that cannot otherwise be isolated from the RCS and issues with reactivity insertion (EPRI NSAC-164L, Guidelines for BWR Reactivity Control during Refueling). Examples in PWRs include events that challenge low-temperature overpressure protection (LTOP) and findings that increase the likelihood of a PWR reactivity transient (EPRI NSAC-183, Risk of PWR Inadvertent Criticality during Shutdown and Refueling). In the Surry Shutdown PRA (NUREG/CR-6144), these two initiators were found to make a smaller contribution to the core damage frequency than the four initiators discussed above. For some inspection findings, their contribution may become significant. Therefore, they will go directly to headquarters for Phase 3 analysis.
0308.03G-05 SHUTDOWN INITIATING EVENT FREQUENCIES
Initiating event frequencies were estimated by searching LERs from 1992 to 1998 (Loss of Shutdown Cooling Initiating Events Data Summary (1992-1998), Jim Houghton, RES, NRC Internal Report) and totaling the number of refueling hours. This is the source for the IEL found in the tables below and in the corresponding tables of IMC 0609, Appendix G Attachments 2 and 3. A slightly newer source of frequencies can be found in EPRI 1003113, An Analysis of Loss of Decay Heat Removal Trends and Initiation Event Frequencies (1989-2000). However, these frequencies were not considered in the below tables.
One additional insight worth discussing involves LOOP frequencies. Statistical analysis performed by INL (INL/EXT-19-54699, An Analysis of Loss-of-Offsite-Power Events 1987-2018) shows that the initiating event frequency is almost an order of magnitude larger for shutdown versus at-power.
Table 3 Initiating Event Likelihoods (IELs) for Condition Findings - BWRs
| Approximate Conditional Frequency | Example Event Type | Estimated IEL (1), Exposure Time for Degraded Condition > 30 days | Estimated IEL (1), Exposure Time 3-30 days | Estimated IEL (1), Exposure Time < 3 days |
|---|---|---|---|---|
| > 1 per year | Loss of an Operating Train of RHR (LORHR) (2) | 0 | 1 | 2 |
| 1 per 1-10 year | Loss of offsite power (LOOP) | 1 | 2 | 3 |
| 1 per 10-10^2 year | Loss of Inventory (LOI) | 2 | 3 | 4 |
- 1. The likelihood ratings are presented in terms of 0, 1, 2, etc. A rating of 0 is comparable to a frequency of 1 per year, a rating of 1 is comparable to a frequency of 1E-1 per year, and similarly, a rating of 2 is comparable to a frequency of 1E-2 per year.
- 2. LORHR and LOI are not usually applicable to POS 3.
Table 4 Initiating Event Likelihoods (IELs) for Condition Findings - PWRs
| Approximate Conditional Frequency | Example Event Type | Estimated IEL (1), Exposure Time for Degraded Condition > 30 days | Estimated IEL (1), Exposure Time 3-30 days | Estimated IEL (1), Exposure Time < 3 days |
|---|---|---|---|---|
| > 1 per 1-10 year | Loss of offsite power (LOOP), and Loss of RHR (LORHR) (2) | 1 | 2 | 3 |
| 1 per 10-10^2 year | Loss of Inventory (LOI) (2) | 2 | 3 | 4 |
| 1 per 10-10^2 year | Loss of Level Control (LOLC) (3) | 2 | 2 | 2 |
- 1. The likelihood ratings are presented in terms of 0, 1, 2, etc. A rating of 0 is comparable to a frequency of 1 per year, a rating of 1 is comparable to a frequency of 1E-1 per year, and similarly, a rating of 2 is comparable to a frequency of 1E-2 per year.
- 2. LORHR and LOI are not usually applicable to POS 3.
- 3. LOLC is only applicable to POS 1 and 2.
0308.03G-06 EVENT TREE MODELS
06.01 Overview
For each event tree, there is an associated worksheet that defines each top event function in the event tree by:
Top Event Function - A key safety function that is necessary to restore core cooling given a loss or interruption of the RHR function (e.g., the operator initiates RCS injection before core damage).
Success Criteria - The minimum set of equipment that can be used to fulfill the top event function.
Instrumentation - The minimum set of instrumentation needed by the operator to fulfill the top event function.
Equipment Credit - The credit given to the top event function by the analyst based on all available systems able to fulfill the top event function. If temporary equipment is credited, then use IMC 0609 Appendix G, Attachment 3, Table 6 for BWRs and Attachment 2, Table 7 for PWRs.
Operator Credit - The credit given for the operator to perform the corresponding top event function. The default operator credit for performing the top event assumes that: (1) the success criteria for the top event function has been met, and (2) the minimum set of instrumentation needed by the operator is available and providing reliable indication.
Operator credits were developed using the SPAR-H methodology (NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method).
The analyst must adjust the default operator credits in the worksheets if any of the following apply:
- If the referenced instrumentation is missing or misleading, then the operator credit is decreased by two or becomes zero if the operator credit becomes negative. Referring to the SPAR-H low power and shutdown (LP/SD) worksheets (contained in NUREG/CR-6883, Appendix B - HRA Worksheets for LP/SD), the performance shaping factor (PSF) level for stress is now considered to be high, and the PSF level for ergonomics is now considered missing/misleading. Using the SPAR-H worksheets, this condition results in a HEP multiplier of 100.
- The default time is incorrect and is significantly reduced. If the diagnosis time is less than 20 minutes, OR the time necessary to perform the action is approximately the available time, then the operator credit is decreased by two or becomes zero if the operator credit becomes negative. Referring to the SPAR-H LP/SD worksheets, the PSF level for available time for diagnosis becomes barely adequate and has a multiplier of ten. The PSF level for available time for the action portion of the task has a PSF multiplier of 10.
- If the operator action is complicated by missing equipment, inaccessible equipment, steam or high radiation, or loop seals for pumps that must be vented, then the operator credit is decreased by two or becomes zero if the operator credit becomes negative. Referring to the SPAR-H LP/SD worksheets, the PSF level for stress is now considered to be high, and the PSF level for ergonomics is now considered to be missing/misleading. Using the SPAR-H LP/SD worksheets, this condition results in a HEP multiplier of 100.
- If the procedure is not complete for the shutdown plant configuration, then the operator credit is decreased by one or becomes zero if the operator credit becomes negative. Referring to the SPAR-H LP/SD worksheets, the PSF level for procedures is considered incomplete. The HEP multiplier is assigned a factor of 20.
Function Credit - The lower of Equipment Credit and Operator Credit.
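The credit arithmetic described in this overview, together with the IEL lookup of Tables 3 and 4, can be traced with the following added example; it is not part of the NRC manual. The condition keys, the default credit values in the worked case, the 10% margin used for "approximately the available time", and the assumption that several applicable adjustments are applied cumulatively are all assumptions of this example.

```python
import math

# IEL ratings for condition findings, copied from Tables 3 and 4 above.
# Tuple order follows the exposure columns: (> 30 days, 3-30 days, < 3 days).
IEL_TABLES = {
    "BWR": {"LORHR": (0, 1, 2), "LOOP": (1, 2, 3), "LOI": (2, 3, 4)},
    "PWR": {"LOOP": (1, 2, 3), "LORHR": (1, 2, 3),
            "LOI": (2, 3, 4), "LOLC": (2, 2, 2)},
}

# Operator-credit adjustments from 06.01: (credit decrease, SPAR-H HEP
# multiplier quoted in the text). The key names are hypothetical labels.
ADJUSTMENTS = {
    "instrumentation_missing_or_misleading": (2, 100),
    "time_significantly_reduced": (2, 10 * 10),  # diagnosis x10, action x10
    "action_complicated": (2, 100),
    "procedure_incomplete": (1, 20),
}


def iel_rating(reactor, initiator, exposure_days):
    """Look up the IEL rating for a degraded condition of the given duration."""
    row = IEL_TABLES[reactor][initiator]
    if exposure_days > 30:
        return row[0]
    if exposure_days >= 3:
        return row[1]
    return row[2]


def rating_to_frequency(rating):
    """Table note 1: a rating of n is comparable to 1E-n per year."""
    return 10.0 ** -rating


def time_significantly_reduced(diagnosis_min, action_min, available_min,
                               margin=0.1):
    """Time test from 06.01. `margin` is this example's assumption for what
    'approximately the available time' means; the manual gives no number."""
    return diagnosis_min < 20 or action_min >= (1 - margin) * available_min


def adjusted_operator_credit(default_credit, conditions):
    """Apply each applicable decrease, flooring at zero. Cumulative
    application of several conditions is an assumption of this example."""
    credit = default_credit
    for name in conditions:
        decrease, _multiplier = ADJUSTMENTS[name]
        credit = max(0, credit - decrease)
    return credit


def function_credit(equipment_credit, operator_credit):
    """Function Credit is the lower of Equipment Credit and Operator Credit."""
    return min(equipment_credit, operator_credit)


def decrease_matches_multiplier():
    """Check that each decrease equals the order of magnitude of its
    SPAR-H multiplier (100 -> 2, 20 -> 1)."""
    return all(dec == round(math.log10(mult))
               for dec, mult in ADJUSTMENTS.values())


def evaluate_top_event(reactor, initiator, exposure_days,
                       equipment_credit, default_operator_credit, conditions):
    """Combine the lookups for one top event of one worksheet."""
    operator = adjusted_operator_credit(default_operator_credit, conditions)
    rating = iel_rating(reactor, initiator, exposure_days)
    return {
        "iel": rating,
        "iel_frequency_per_year": rating_to_frequency(rating),
        "operator_credit": operator,
        "function_credit": function_credit(equipment_credit, operator),
    }


if __name__ == "__main__":
    # Constructed case: PWR loss of inventory, condition existed for 10 days,
    # level instrumentation misleading and procedure incomplete. The default
    # credits (equipment 4, operator 3) are hypothetical, not worksheet values.
    result = evaluate_top_event(
        "PWR", "LOI", 10, equipment_credit=4, default_operator_credit=3,
        conditions=["instrumentation_missing_or_misleading",
                    "procedure_incomplete"])
    print(result)
```

In the constructed case the operator credit falls from 3 to 0, so the function credit is limited by the operator rather than by the available equipment.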
06.02 Event Tree Success Criteria
The Success Criteria for the BWR Shutdown Template are based on the RES Grand Gulf PRA referenced in Table 5.1.1 of NUREG/CR-6143, Vol. 2, Part 1A (ML0705306690). For PWRs the success criteria are based on the Byron 1 and 2 low power shutdown PRA and are reproduced here:
Table 5 PWR Success Criteria
Initiator: LOOP, LORHR,
| Function | | | | |
|---|---|---|---|---|
| FEED | 1 of 2 chemical and volume control system (CVCS) pumps | 1 of 2 CVCS | of 2 CVCS | 1 of 2 CVCS |
| RHR-R | Operator to recover 1 of 2 RHR | Operator to recover 1 of 2 RHR trains | Operator to recover 1 of 2 RHR trains | Operator to recover 1 of 2 RHR trains |
| Steam Generator (SG) Reflux Cooling | 2 SG (available short-term cooling). Feedwater makeup (FW) to 2 SG (long term) | 1 SG (available short-term cooling). FW to 1 SG (long term) | 1 SG (available short-term cooling). FW to 1 SG (long term) | 1 SG (available short-term cooling). FW to 1 SG (long term) |
| BLEED | RCS opening of equivalent size | 1 PORV, OR RCS opening of equivalent size | 1 PORV, OR RCS opening of equivalent size | 1 PORV, OR RCS opening of equivalent size |
| Gravity Feed | 1 pressurizer safety valve (SV) removed and LPI flow path (provides 4.3 hours for operator actions) | 1 SV removed and LPI flow path (provides 6.5 hours for operator actions) | 1 SV removed and LPI flow path (provides 12 hours for operator actions) | 1 SV removed and LPI flow path (provides 24 hours for operator actions) |
FEED: This assumes one pump is sufficient to make up for boiloff. This may not be the case with some plants which have small capacity CVCS pumps (e.g., some Combustion Engineering designs).
To credit Gravity Feed, the analyst needs to confirm that there is sufficient elevation difference between the RCS injection point and the RWST water level such that gravity feed is feasible. In addition, the following factors can negate the elevation head provided by the RWST or other sources of RCS inventory: (1) pressure drops in the surge line, (2) entrained water accumulating in the pressurizer, and (3) RCS vent paths that are restricted (to control loose parts or control off gassing). A few reactor designs have sufficiently large and/or tall RWSTs which allow gravity feed even if the RCS pressurizes; if this is the case, additional credit can be justified.
06.03 General Description/Philosophy for Event Trees
06.03.01 LOLC Event Trees (PWRs Only)
The LOLC event trees are defined as (1) the operator overdrains the RCS to reach midloop conditions such that the RHR function is lost, and (2) the operator fails to maintain level control and/or RHR flow control while in midloop such that air is entrained into the RHR system and the RHR function is lost. The LOLC does not require termination of the RCS leak path since it is assumed it will terminate without operator action when level goes to the bottom of the hot leg.
There is one known exception to this self-termination. If the operator has gone to midloop and created an opening on the cold leg, e.g., removed a cold leg injection valve, without a sufficiently large hot leg opening to prevent pressurization on loss of decay heat removal, then water can be forcefully expelled out the cold leg opening by reactor pressurization. Under these conditions, level can go below the bottom of the hot leg. (See NUREG/CR-5820, Consequences of the Loss of Residual Heat Removal Systems in Pressurized Water Reactors, for a detailed analysis.)
If the event occurs in POS 1, then secondary reflux cooling can be used. Successful RCS injection is required to restore RCS level such that RHR can be recovered and provide for core cooling if SG cooling is not available. Failure to recover RHR before refueling water storage tank (RWST) depletion is assumed to fail recirculation from the sump since the RHR pumps are assumed to also perform the recirculation function. Recovery of RHR does not guarantee available recirculation since the sump may be unavailable due to trash.
06.03.02 LOI Event Trees
In recent years, industry has worked to reduce spurious, and therefore unnecessary, isolation of the RHR/DHR system with the aim of reducing shutdown risk. Often these efforts involve modifications that remove the auto isolations. Sometimes these modifications remove or reduce the ability to isolate valves from the main control room. If this type of modification has been implemented, analysis of associated events should take those modifications into consideration by potentially reducing the initiating event likelihood and/or increasing the human error probability associated with manual isolation.
BWR POS 1 - Head on
The LOI event trees are defined as losses of RCS inventory such that RHR should have automatically isolated on low reactor water level. Losses through the downcomer can be isolated by the automatic isolation of RHR on low level. Losses from the bottom head (such as through a breached reactor water cleanup (RWCU) drain line) are not assumed to be isolable for Phase 2 analysis. For Phase 2 analysis, the break size is assumed not to be large enough to adequately remove decay heat, so RCS pressure control is necessary. Should the operator fail to manually inject early, the possibility of manual high-pressure injection with the SRVs steaming at their safety setpoint is considered.
BWR POS 2 - Head off
The LOI event trees are defined as losses of RCS inventory such that RHR should have isolated on low reactor water level. Losses through the downcomer can be isolated by the automatic isolation of RHR on low level. Losses from the bottom head (such as through a breached RWCU drain line) are not assumed to be isolable for Phase 2 analysis.
PWR POS 1 and 2
The LOI event trees evaluate losses of RCS inventory that lead to a loss of RHR due to loss of RHR pump suction that do not involve a loss of level control at midloop (LOLC events). Many of these flow diversions are caused by improper alignment of valves. This initiator category is considered for all POSs. In POS 1, since the RCS may be pressurized, a LOI may lead to losses of inventory below the hot leg due to RCS de-pressurization. In POS 2, LOI events do not require termination of the RCS leak path since it is assumed to terminate without operator action at the bottom of the hot leg. If the event occurs in POS 1, then secondary reflux cooling can be used as long as the core is covered. Successful RCS injection is required to restore RCS level such that RHR can be recovered. Failure to recover RHR before RWST depletion is assumed to fail recirculation from the sump since the RHR pumps are assumed to also perform the recirculation function. Recovery of RHR does not guarantee available recirculation since the sump may be unavailable due to trash.
06.03.03 LORHR Event Trees
BWR
The LORHR event trees are defined as losses or interruptions of the RHR system due to failures of the RHR system and/or its support systems (such as service water or DC power).
Recovery of RHR must take place before (1) RHR shutoff head is reached in POS 1, or (2) low RCS level is reached in POS 2 when RHR is automatically isolated, else RCS injection is required to prevent core damage. It is assumed that automatic emergency core cooling via a low-pressure coolant injection (LPCI) train is not available since the LPCI train would have been re-configured for RHR recovery.
In recent years, industry has worked to reduce spurious, and therefore unnecessary, isolations of the RHR/DHR system, which are the largest contributor to losses of RHR. Often these efforts involve modifications that remove the auto isolations. Sometimes these modifications remove or reduce the ability to isolate valves from the main control room. If this type of modification has been implemented, analysis of associated events should take those modifications into consideration by potentially reducing the initiating event likelihood and/or increasing the human error probability associated with manual isolation.
PWR
The LORHR event trees evaluate losses of the operating train of RHR that result from failures of the RHR system itself or from failures of the RHR support systems. These failures could also cause failure of the standby RHR system. The analyst is asked to consider whether RHR can be recovered prior to boiling to account for the possibility of voids being swept into the RHR pumps, necessitating that the RHR pumps be shut down and vented. Failure to recover RHR before RWST depletion is assumed to fail recirculation from the sump since the RHR pumps are assumed to also perform the recirculation function. Recovery of RHR does not guarantee available recirculation since the sump may be unavailable due to trash.
06.03.04 LOOP Event Trees
The LOOP event trees evaluate losses of offsite power that result in a loss or interruption of the operating train of RHR/DHR.
BWR
For POS 1, AC independent injection and RCS pressure control are assumed to be sufficient until battery depletion. Based on the RES Grand Gulf Shutdown PRA (NUREG/CR-6143 Vol 2, Part 1, page 8-49), each ESF battery bank can supply the required DC loads for 11 hours after a loss of AC power if unnecessary loads are shed.
PWR
For POS 1, reflux cooling is considered if sufficient inventory exists until offsite power is recovered. For POS 2, gravity feed may be credited if design arrangements permit (Note: not all RWSTs are at a sufficient elevation to permit gravity feed). For most plants gravity feed should not be credited after RCS boiling initiates because there is insufficient head in the RWST to overcome the RCS pressure caused by boiling. However, gravity feed after boiling initiation can be credited if the licensee can show operating procedures, training and calculations considering:
- Pressure drops in the surge line
- Entrained water accumulating in the pressurizer
- RCS vent paths that are restricted (to control loose parts or control off gassing)
0308.03G-07 HUMAN ERROR PROBABILITIES (HEPs)
07.01 Basis for HEPs used in the IEL Tables
Initiating event likelihood (IEL) tables were created to estimate the new conditional likelihood that a loss of RHR will occur due to the performance deficiency, given the occurrence of the performance deficiency and/or condition. These tables are found in IMC 0609 Appendix G for PWRs (Tables 1 through 5) and Attachment 3 for BWRs (Tables 1 through 4).
The following discussion uses the BWR Shutdown Template LOI as an example. The tables for LOI, LORHR and LOLC (PWR only) were constructed using a similar approach. The first column in each table uses the estimated time to loss of the RHR function for the specific event.
The second column evaluates the availability of key instrumentation that helps the operator: (1) diagnose that a potential problem exists with maintaining the RHR function and (2) diagnose how to recover from the potential problem such that an interruption or loss of the RHR function is prevented.
Half of the time from the first column is allocated for the operator to diagnose what is needed to recover RHR, allowing half of the time for the operator to perform the specific action needed to recover RHR. (The factor of two was used for Phase 2 modeling simplicity.) The third and fourth columns determine whether (1) the specific RHR recovery actions can be identified within 1/2 the time to loss of the RHR function, and (2) the action to recover RHR can be performed within 1/2 the time to loss of the RHR function.
This methodology assumes that failure to diagnose (rather than failure to act) dominates the IEL.
The IELs corresponding to 1/2 the time to loss of the RHR function are taken from NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Table 12-4, Nominal Model of estimated HEPs and EFs for diagnosis within time T by control room personnel of an abnormal event annunciated closely in time. The median joint HEP curve was used assuming the operator had the key instrumentation referenced in the IEL tables.
If the operator does not have the key instrumentation referenced in the IEL tables, then the IEL is increased by a factor of 100 based on the SPAR-H LP/SD worksheets. If the operator has missing or misleading instrumentation, the PSF multiplier is 50. This loss of instrumentation will result in the task complexity changing from nominal to moderately complex, resulting in an additional multiplier of 2.
07.02 General Discussion for HEPs Used in Worksheets
Because every interruption of the RHR function requires a successful operator response to prevent core damage, operator error is a key contributor to shutdown risk. Operator error appears in almost every top event/mitigation path in the shutdown event trees. The SPAR-H methodology was used to derive the HEPs for this IMC.
In shutdown analysis, as is typical in all HRA, the failure-to-diagnose probability dominates the action failure probability. Therefore, to simplify the modeling for this analysis, the diagnosis probability defines the operator credits used in the worksheets. The first safety function does not include dependence in the operator credit estimate. The second and succeeding safety functions include an estimate of dependence.
The inferred definition of diagnosis is any cognitive decision making that is necessary to perform a task. This definition includes all cognitive tasks ranging from responding to annunciators to recognizing what is necessary for the corresponding action. The definition of action is any manipulation involved in performing the task.
The analyst must recognize that the impact of various PSFs may overlap each other. For example, if the procedures are poor, the time available to perform an action may be decreased if the operator is following the procedures step-by-step.
The default operator credit referenced in the worksheets is derived in the following sections using the SPAR-H methodology.
Referring to the SPAR-H LP/SD worksheets, for each operator credit, the available time was evaluated. This is defined as the time by which the action must be completed (often in terms of several hours) minus the time it takes to perform the action (often in terms of minutes) plus the time it takes to receive the first cue. The definitions for nominal time, extra time, and expansive time are as defined in the SPAR-H report.
07.02.01 BWR HEPs Definitions and Characterizations
BWR LOI POS 1 (Worksheet 1)
ISOL If the leak is from outside or above the core shroud (i.e., the downcomer region) automatic isolation is assumed from a functional reactor isolation system (e.g., auto closure of the reactor water cleanup system terminating a leak in that system). Therefore, this is marked N/A.
If the leak is in the lower plenum area, the leak is assumed unisolable and no credit is given (e.g., leakage from a control rod drive mechanism during removal).
AECCS Automatic initiation of one or more low pressure emergency core cooling (ECCS) pumps on low reactor level does not require operator action, therefore, this is marked N/A. If no ECCS pump will auto start, then the equipment credit is zero and the top event fails.
MINJ Operator manually initiates low pressure injection before RHR shutoff head is reached given the leak path has been isolated. For cues, it is assumed that the operator has received the automatic isolation of RHR on low reactor water level and the associated level alarm. As an additional cue, if RCS injection is delayed, the operators would see rising RCS pressure. It is also assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06.
Time to RHR shutoff head is assumed to occur after 1 hour. The time to manually initiate RCS injection is assumed to take minutes to perform.
Thus, using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. All other PSF levels are considered nominal. The default HEP is estimated to be 1E-4 or an operator credit of 4 (1E-4).
MINJX Operator manually initiates low pressure injection before RCS pressure control is needed or core damage given the leak path has not been isolated.
For cues, it is assumed that the operator has received the automatic isolation of RHR on Level III alarm. Also, the operators would receive an RCS low-low level alarm. It is also assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06.
Time to RHR shutoff head is assumed to be greater than 1 hour. Time to core damage given the leak is assumed to be greater than 2 hours. The time to manually initiate injection is assumed to take minutes to perform.
Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
RHRREC Operator recovers RHR before RCS pressure control is needed given the leak path has been isolated, and the operators successfully initiated RCS injection. Time to RHR shutoff head is assumed to be greater than 1 hour.
For cues, it is assumed that the operator has received the automatic isolation of RHR on Level III alarm. It is also assumed that the operators have procedures for this action as recommended by NUMARC 91-06. The time to recover RHR from the control room is assumed to take minutes. The time to RHR shutoff head is assumed to be greater than 1 hour. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
SRV Operator controls RCS pressure using an SRV or other means so that core heat removal can be sustained, given the operators successfully initiated RCS injection, but failed to restore RHR. This action has to be performed before core damage. For cues, the operator has increasing RCS pressure and the alarm associated with automatic isolation of shutdown cooling suction valves above 135 psig. The time needed to open the SRVs is assumed to take minutes; the time to core damage is assumed to be greater than 3 hours with injection. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
Considering dependence with RHRREC, the timing of both actions is simultaneous, but not close in time. For this event, the operators have successfully initiated RCS injection. Now, the operators have failed to recover RHR before RCS pressure control is needed - but must control RCS pressure to allow low pressure injection to continue. For cues, the operator has increasing RCS pressure. The dependency between RHRREC and SRV is believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2, so the revised operator credit is two (1E-2).
The above value assumes that an SRV(s) is fully functional from the control room with the required DC electrical power and the associated instrument/drywell air. Some utilities have been known to render the SRVs non-functional from the control room (when they are not TS required) by removing electrical power or isolating the air system. This would be done to prevent spurious SRV openings. If local operations are required, then the operator credit should be reduced to one (1E-1) at best.
MINJY Operator initiates high pressure injection given complete failure of the operator to manually inject at low pressure (MINJ). Failure of MINJ includes equipment failure and operator failure. This action has to be performed before core damage. For cues, the operator has increasing RCS pressure, automatic isolation of the shutdown cooling suction valves at 135 psig, and possibly the SRVs lifting. The time needed to open the SRVs and initiate high-pressure injection is assumed to take minutes. Using the SPAR-H LP/SD worksheets, the time to perform the action is considered nominal. All other PSF levels are considered nominal; the default HEP is estimated to be two (1E-2).
Considering dependence with MINJ, the timing of both actions is not close in time. The operators have additional cues including increasing RCS pressure, automatic isolation of the shutdown cooling suction valves at 135 psig, and possibly the SRVs lifting. Thus, the dependency between the two actions was believed to be moderate. Using the SPAR-H worksheets, the task failure with dependence was estimated as an operator credit of one (1E-1).
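The dependence adjustments quoted above for SRV (after RHRREC) and MINJY (after MINJ) can be reproduced with the THERP conditional-probability equations that the SPAR-H dependency worksheet reuses. The following is an added example, not part of the IMC; the formulas are not printed on this page and are an assumption of the example, while the independent HEPs and dependence levels are the ones stated in the text.

```python
"""Added example: dependence adjustment for a second operator action.

Assumption: the five formulas are the THERP conditional-probability equations
reused by the SPAR-H dependency worksheet. The independent HEPs and the
dependence levels in PAGE_CASES are taken from the text above.
"""

DEPENDENCE_LEVELS = ("zero", "low", "moderate", "high", "complete")


def conditional_hep(independent_hep: float, level: str) -> float:
    """Failure probability of an action, given that the preceding action failed."""
    if not 0.0 <= independent_hep <= 1.0:
        raise ValueError("HEP must be a probability between 0 and 1")
    p = independent_hep
    if level == "zero":
        return p
    if level == "low":
        return (1 + 19 * p) / 20
    if level == "moderate":
        return (1 + 6 * p) / 7
    if level == "high":
        return (1 + p) / 2
    if level == "complete":
        return 1.0
    raise ValueError(f"unknown dependence level: {level!r}")


def dependence_floor(level: str) -> float:
    """Lowest conditional HEP a dependence level allows (independent HEP -> 0).

    This is why the assigned level, not the nominal HEP, drives the result:
    under low dependence the adjusted value can never fall below 5E-2.
    """
    return conditional_hep(0.0, level)


def sensitivity(independent_hep: float) -> dict:
    """Conditional HEP under every dependence level, for comparing judgments."""
    return {lvl: conditional_hep(independent_hep, lvl) for lvl in DEPENDENCE_LEVELS}


# (top event, preceding top event, independent HEP, dependence level), from the text
PAGE_CASES = [
    ("SRV", "RHRREC", 1e-4, "low"),
    ("MINJY", "MINJ", 1e-2, "moderate"),
]


def evaluate_page_cases() -> dict:
    """Dependence-adjusted HEP for each case described in the text."""
    return {
        event: conditional_hep(hep, level)
        for event, _prior, hep, level in PAGE_CASES
    }


if __name__ == "__main__":
    for event, prior, hep, level in PAGE_CASES:
        adjusted = conditional_hep(hep, level)
        print(f"{event} given failure of {prior}: "
              f"{hep:.0e} independent, {level} dependence -> {adjusted:.3e}")
        for lvl, value in sensitivity(hep).items():
            print(f"    if judged {lvl:<9}: {value:.3e}")
```

The low-dependence result for SRV is about 5E-2, the figure the text quotes, and the moderate-dependence result for MINJY is about 1.5E-1; how those values are rounded to worksheet credits is left to the text.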
CV Operator successfully initiates containment venting and/or makeup water to the suppression pool for long term cooling given the operator successfully initiated RCS injection. It is assumed that the operator has hours to perform this action. For cues, the operator may have increasing suppression pool temperature; however, suppression pool temperatures are not required to be monitored at shutdown. Suppression pool level is required to be monitored at shutdown to support emergency core cooling system (ECCS) operability.
Using the SPAR-H LP/SD worksheets, the time to diagnose the action versus the time to perform the action is considered expansive. However, the stress level for this action is perceived to be extreme, and it is assumed that training for this scenario is low. Regarding the ergonomics PSF level, if the suppression pool level temperature is available, then all other PSF levels (other than stress and training) are considered nominal; the default HEP is rounded to three (1E-3).
BWR LOI POS 2 and POS 3 (Worksheet 2 & 3)
ISOL If the leak is from outside or above the core shroud (i.e., the downcomer region) automatic isolation is assumed from a functional reactor isolation system (e.g., auto closure of the reactor water cleanup system terminating a leak in that system). Therefore, this is marked N/A.
If the leak is in the lower plenum area, the leak is assumed unisolable and no credit is given (e.g., leakage from a control rod drive mechanism during removal).
AECCS Automatic initiation of one or more low pressure emergency core cooling (ECCS) pumps on low reactor level does not require operator action, therefore, this is marked N/A as no operator action is required.
This HEP does not apply to POS 3 as no credit is given for automatic ECCS injection in the corresponding worksheet.
MINJ Operator manually initiates low pressure injection before core damage given the leak path has been isolated. For cues, it is assumed that the operator has received the automatic isolation of RHR on low reactor level.
It is also assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06. Time to core damage is assumed to occur after 3 hours. The time to manually initiate injection is assumed to take minutes to perform. As an additional cue, if RCS injection is delayed, the operators would encounter steaming from the top of the open vessel. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive since initiating injection is assumed to take minutes. All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
MINJX Operator manually initiates low pressure injection before core damage given the leak path has not been isolated and automatic ECCS injection has failed.
For cues, it is assumed that the operator has received the automatic isolation of RHR on Level III alarm. Also, the operators would receive an RCS low-low level alarm. It is also assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06.
Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive since the time to initiate RCS injection is assumed to take minutes and core damage is assumed to occur after 2 hours given the leak.
All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
RHRREC Operator recovers RHR before long term makeup to the suppression pool is needed given successful manual injection or automatic injection. For cues, it is assumed that the operator has received the automatic isolation of RHR on low reactor water level with the associated alarm. It is also assumed that the operators have procedures for this action as recommended by NUMARC 91-06. The time to recover RHR from the control room is assumed to take minutes. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal; the default HEP is estimated to be four (1E-4).
LCOOL Operator successfully initiates makeup water to the suppression pool for long term cooling given the operator successfully initiated RCS injection or given successful automatic injection. It is assumed that the operator has hours to perform this action. For cues, suppression pool level is required to be monitored at shutdown to support ECCS operability. Using the SPAR-H LP/SD worksheets, the time to diagnose the action versus the time to perform the action is considered expansive. All other PSF levels are considered nominal; the default HEP is estimated as four (1E-4).
Given successful RCS injection, it was assumed that there is no dependence between restoration of RHR and the operator failing to continue long term makeup.
BWR LORHR POS 1 (Worksheet 4)
RHRREC Operator recovers a train of RHR before RHR shutoff head is reached and RCS pressure control is needed. Use the operator response curves in NUREG 1278 Table 12-4 if each of the following statements is true.
A. There are trouble alarms present for the finding.
B. The action to recover RHR can be identified (diagnosed) within 1/2 the time to RHR shutoff head
C. The action to recover RHR can be performed within 1/2 the time to RHR shutoff head
THEN
CREDIT = 0 if Tshut < 20 minutes
CREDIT = 1 if 20 minutes < Tshut < 40 minutes
CREDIT = 2 if 40 minutes < Tshut < one hour
CREDIT = 3 if Tshut > one hour
WHERE Tshut = Time after shutdown.
MINJ&SRV Operator manually (1) initiates RCS injection using another standby low pressure injection pump in addition to the two LPCI pumps that are being used to satisfy the RHR function and (2) initiates RCS pressure control (e.g., opens an SRV) before RHR shutoff head is reached. It is assumed that the operators have received trouble alarms for the RHR system. It is assumed that the operator must perform this action before core damage, which is assumed to occur after 3 hours. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive since initiating RCS injection and pressure control is assumed to require minutes.
It is assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06. Thus, all other PSF levels are considered nominal. Using the SPAR-H LP/SD worksheets, the default HEP is rounded to four (1E-4).
Dependence between RHRREC and MINJ&SRV is assumed to be low. The timing of both actions is not close in time. Also, the operators will receive additional cues such as increasing RCS pressure and the automatic isolation of RHR at 135 psig. Using the SPAR-H LP/SD worksheets considering low dependence, the revised HEP is estimated to be two (1E-2).
The above value assumes that an SRV(s) is fully functional from the control room with the required DC electrical power and the associated instrument/drywell air. Some utilities have been known to render the SRVs non-functional from the control room (when they are not TS required) by removing electrical power or isolating the air system. This would be done to prevent spurious SRV openings. If local operations are required, then the operator credit should be reduced to one (1E-1) at best.
MINJY Operator initiates high pressure injection given complete failure of the operator to manually inject at low pressure (MINJ). Failure of MINJ includes equipment failure and operator failure. This action has to be performed before core damage. For cues, the operator has increasing RCS pressure, automatic isolation of the shutdown cooling suction valves at 135 psig, and possibly the SRVs lifting. The time needed to open the SRVs and initiate high-pressure injection is assumed to take minutes. Using the SPAR-H LP/SD worksheets, the time to perform the action is considered nominal. All other PSF levels are considered nominal; the default HEP is estimated to be two (1E-2).
Considering dependence with MINJ, the timing of both actions is not close in time. The operators have additional cues including increasing RCS pressure, automatic isolation of the shutdown cooling suction valves at 135 psig, and possibly the SRVs lifting. Thus, the dependency between the two actions was believed to be moderate. Using the SPAR-H worksheets, the task failure with dependence was estimated as an operator credit of one (1E-1).
CV Operator successfully initiates containment venting and/or makeup water to the suppression pool for long term cooling given the operator successfully initiated RCS injection but fails to recover RHR. It is assumed that the operator has hours to perform this action. For cues, the operator may have increasing suppression pool temperature; however, suppression pool temperatures are not required to be monitored at shutdown. Suppression pool level is required to be monitored at shutdown to support ECCS operability. Using the SPAR-H LP/SD worksheets, the time to diagnose the action versus the time to perform the action is considered expansive.
However, the stress level for this action is perceived to be extreme, and it is assumed that training for this scenario is low. Regarding the ergonomics PSF level, if the suppression pool temperature is available, then all other PSF levels (other than stress and training) are considered nominal; the default HEP is rounded to three (1E-3).
BWR LORHR POS 2 (Worksheet 5)
RHRREC Operator recovers a train of RHR before low RCS level is reached (level 3), and RHR is automatically isolated. Use the operator response curves in NUREG 1278 Table 12-4 if each of the following statements is true.
A. There are trouble alarms present for the finding.
B. The action to recover RHR can be identified (diagnosed) within 1/2 the time to RHR shutoff head
C. The action to recover RHR can be performed within 1/2 the time to RHR shutoff head
THEN
CREDIT = 0 if Tisol < 20 min
CREDIT = 1 if 20 minutes < Tisol < 40 minutes
CREDIT = 2 if 40 minutes < Tisol < one hour
CREDIT = 3 if Tisol > one hour
WHERE Tisol = Time to isolation, i.e., time between event initiation and auto isolation
AECCS Automatic initiation of one or more low pressure emergency core cooling (ECCS) pumps on low reactor level does not require operator action, therefore, this is marked N/A as no operator action is required.
MINJ Operator manually initiates RCS injection using another standby high or low pressure injection pump in addition to the two LPCI pumps that are being used to satisfy the RHR function before core damage is reached. It is assumed that the operators have received trouble alarms for the RHR system. It is assumed that the operator must perform this action before core damage, which is assumed to occur after 3 hours. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive since initiating RCS injection is assumed to require minutes. It is assumed that the operators have procedures for this action at shutdown as recommended by NUMARC 91-06. Thus, all other PSF levels are considered nominal. Using the SPAR-H LP/SD worksheets, the default HEP is rounded to four (1E-4).
Dependence between RHRREC and MINJ is assumed to be low. The timing of both actions is not close in time. Also, the operators will receive additional cues such as decreasing RCS level and the RCS low-low level alarms.
Using the SPAR-H LP/SD worksheets considering low dependence, the revised HEP is 1E-2 or an operator credit of 2 (1E-2).
LCOOL Operator successfully initiates makeup water to the suppression pool for long term cooling given the operator successfully initiated RCS injection. It is assumed that the operator has hours to perform this action. For cues, suppression pool level is required to be monitored at shutdown to support ECCS operability. Using the SPAR-H LP/SD worksheets, the time to diagnose the action versus the time to perform the action is considered expansive. All other PSF levels are considered nominal; the default HEP is estimated as four (1E-4).
BWR LOOP POS 1 and POS 2 (Worksheets 6 & 7)
EAC The emergency diesel generators (EDGs) are assumed to auto start on loss of power to their respective buses. Therefore, no HEP is required.
However, if no EDGs will auto start, then using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered extra. The experience/training in these procedures is considered to be high. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
ACI&SRV In POS 1, the operator manually initiates AC independent (ACI) low pressure injection (e.g., fire water) and initiates RCS pressure control (e.g., opens SRVs) from the main control room before core damage. For cues, it is assumed that the operator has received indication that a total loss of AC power occurred via alarms. Time to core damage is assumed to be greater than 3 hours. The time to manually initiate AC independent injection is assumed to be under 1 hour. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. The PSF level for stress is assumed to be extreme, and the level of training for this situation is assumed to be low. All other PSF levels are considered nominal.
Using the SPAR-H LP/SD worksheets, the default HEP is rounded to three (1E-3).
The above value assumes that an SRV(s) is fully functional from the control room with the required DC electrical power and the associated instrument/drywell air. Some utilities have been known to render the SRVs non-functional from the control room (when they are not TS required) by removing electrical power or isolating the air system. This would be done to prevent spurious SRV openings. If local operations are required, then the operator credit should be reduced to one (1E-1) at best.
ACI In POS 2, the operator manually initiates AC independent low-pressure injection (e.g., fire water) before core damage. For cues, it is assumed that the operator has received indication that a total loss of AC power occurred via alarms. Time to core damage is assumed to be greater than 3 hours. The time to manually initiate AC independent injection is assumed to be under 1 hour. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. The PSF level for stress is assumed to be extreme, and the level of training for this situation is assumed to be low.
All other PSF levels are considered nominal. Using the SPAR-H LP/SD worksheets, the default HEP is rounded to three (1E-3).
RLOOP8 No operator action is required as this action occurs offsite and is based on event data not SPAR-H.
RLOOP20 No operator action is required as this action occurs offsite and is based on event data not SPAR-H.
07.02.02 PWR HEPs Definitions and Characterizations
PWR LOLC POS 1 (Worksheet 1)
SG Operator acknowledges a loss of RHR function and maintains SG cooling by:
(1) maintaining adequate level for 24 hours and (2) venting steam from SGs and (3) keeping the RCS closed. It is assumed that the operators have core exit thermocouples (CETs) and SG level and pressure indication. It is also assumed that the operator has procedures which are supported by analysis for shutdown conditions. Using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered expansive. The experience/training in these procedures is considered to be low for shutdown conditions when the RCS may not be full. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
FEED&BLEED Operator initiates RCS injection and RCS bleed before core damage. It is assumed that the operator has RCS level indication and CETs with a CET hi alarm setpoint. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06.
Core damage is assumed to occur after 3 hours. The time to manually initiate injection is assumed to take minutes to perform. Rising CET values and the CET hi alarm would be received well before RCS boiling. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal since FEED & BLEED is a common recovery procedure for an extended loss of RHR and is performed similar to the full power procedures.
The default operator credit is estimated to be four (1E-4).
Considering dependence, if the operator failed to maintain SG cooling, the PORVs and/or the RHR relief valves would lift, providing the operator additional cues that RHR cooling is interrupted. The actions to initiate FEED & BLEED would be performed by the same crew, but not close in time. Thus, the dependency between the two actions was determined to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
RHR-R Given a loss of RHR due to loss of level/flow control, the operator can recover one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The operator may need to fill the RCS and vent the RHR pumps. As recommended in GL 88-17, the licensees should have procedures for this recovery action. Using the SPAR-H LP/SD worksheets, the PSF level for time was considered extra, not expansive, since action outside the control room is required. All other PSF levels were considered nominal. The default operator credit was estimated as three (1E-3).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of the RWST level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
PWR LOLC POS 2 (Worksheet 2)
FEED Operator initiates RCS injection before core damage. It is assumed that the operator has RCS level indication and CETs. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06.
Core damage is assumed to occur after 3 hours without FEED. The time to manually initiate injection is assumed to take minutes to perform. Rising CET values and the CET hi alarm would be received well before RCS boiling. Also, since the RCS is open, steam would be an additional visual cue. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal, since FEED is a common recovery procedure for an extended loss of RHR and is performed similar to the full power procedures. The default operator credit is estimated to be four (1E-4).
RHR-R Given a loss of RHR due to loss of level/flow control, the operator can recover one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The operator may need to fill the RCS and vent the RHR pumps. As recommended in GL 88-17, the licensees should have procedures for this recovery action. Using the SPAR-H LP/SD worksheets, the PSF level for time was considered extra, not expansive, since operator action outside the control room is required. All other PSF levels were considered nominal.
The default operator credit was estimated as three (1E-3).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of a low RWST level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
PWR LOOP POS 1 and POS 2 (Worksheets 3 & 4)
EAC The emergency diesel generators (EDGs) are assumed to auto start on loss of power to their respective buses. Therefore, no HEP is required.
However, if no EDGs will auto start, then using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered extra. The experience/training in these procedures is considered to be high. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
SGSBO Operator acknowledges a LOOP and maintains SG cooling by: (1) maintaining adequate SG level for 24 hours and (2) venting steam from SGs and (3) keeping the RCS closed. It is assumed that the operators have CETs and SG level and pressure indication. It is also assumed that the operator has procedures which are supported by analysis for shutdown conditions. Using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered expansive. The experience/training in these procedures is considered to be low. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
GRAVITY Operator initiates Gravity Feed assuming SBO before core damage.
Requires an available flow path, procedures, and supporting analyses.
Gravity feeding to the RCS may be credited if Gravity Feed is expected to be available AFTER RCS boiling initiates. To credit Gravity Feed, the analyst needs to consider the following factors that can negate the elevation head provided by the RWST or other sources of RCS inventory: (1) pressure drops in the surge line, (2) entrained water accumulating in the pressurizer, and (3) RCS vent paths that are restricted (to control loose parts or control off gassing).
Using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered expansive. The experience/training in these procedures is considered to be low. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
RLOOP3 No operator action is required as this action occurs offsite and is based on event data not SPAR-H.
RLOOP4 No operator action is required as this action occurs offsite and is based on event data not SPAR-H.
RLOOP18 No operator action is required as this action occurs offsite and is based on event data not SPAR-H.
FEED Operator acknowledges a loss of inventory and initiates RCS injection before core damage. It is assumed that the operator has RCS level indication and CETs. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. All other PSF levels are considered nominal, since FEED is a common recovery procedure for any type of loss of RCS inventory and is a similar response to the full power procedures. The default operator credit is estimated to be four (1E-4).
LEAK-STOP Operator isolates leak before RWST depletion given successful FEED. Using the SPAR-H LP/SD worksheets, the PSF level for available time is considered to be expansive. However, the diagnosis on the operators' part to locate the source of the leak and isolate it is considered to be highly complex and high stress. All other PSFs were considered to be nominal.
The default operator credit was estimated as two (1E-2). The time assumption assumes that the leak does not impact the availability of the standby injection pumps (e.g., Wolf Creek draindown event in 1994).
LEAK-STOP2 The operator isolates the leak before core uncovery at which point the SG cooling is no longer considered to prevent core damage given unsuccessful FEED.
Using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be extra, not expansive. The diagnosis on the operators' part to locate the source of the leak and isolate it is considered to be highly complex and high stress. All other PSFs were considered to be nominal. Thus, the default failure probability was estimated as 1E-2. Considering dependence, both the FEED task and the LEAK-STOP task occur using the same crew and not close in time. However, additional cues would be provided to the operator indicating the location of an LOI such as sump level alarms, tank level alarms, visible flooding, etc. The dependency was believed to be low. The revised operator credit considering dependence was estimated as two (1E-2).
SG Operator successfully isolates the leak before core uncovery and maintains SG cooling by: (1) maintaining adequate level for 24 hours and (2) venting steam from SGs and (3) keeping the RCS closed. It is assumed that the operators have CETs and SG level and pressure indication. It is also assumed that the operator has procedures which are supported by analysis for shutdown conditions. Using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered expansive. The experience/training in these procedures is considered to be low. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
BLEED The operator opens a pressurizer power operated relief valve (PORV) or vent path large enough to remove decay heat by FEED&BLEED. This task assumes that the operators already have successfully isolated the leak and started RCS injection. It is assumed that the operator has procedures for FEED & BLEED as recommended by NUMARC 91-06. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. All other PSF levels are considered nominal since FEED & BLEED PORV is a common recovery procedure for an extended loss of RHR. The default operator credit is estimated to be four (1E-4).
RHR-R Given a loss of RHR function due to an LOI, the operator can recover one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The operator may need to fill the RCS and vent the RHR pumps. As recommended in GL 88-17, the licensees should have procedures for this recovery action. Using the SPAR-H LP/SD worksheets, the PSF level for time was considered extra, not expansive. All other PSF levels were considered nominal. The default operator credit was estimated as three (1E-3).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of a low RWST level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
PWR LOI POS 2 (Worksheet 6)
FEED Operator initiates RCS injection before core damage. It is assumed that the operator has RCS level indication and CETs. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06.
Core damage is assumed to occur after 3 hours without FEED. The time to manually initiate injection is assumed to take minutes to perform. Rising CET values and the CET hi alarm would be received well before RCS boiling. Also, since the RCS is open, steam would be an additional visual cue. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal, since FEED is a common recovery procedure for an extended loss of RHR and is performed similar to the full power procedures. The default operator credit is estimated to be four (1E-4).
LEAK-STOP Operator isolates leak before RWST depletion given successful FEED. Using the SPAR-H LP/SD worksheets, the PSF level for available time is considered to be expansive. However, the diagnosis on the operators' part to locate the source of the leak and isolate it is considered to be highly complex and high stress. All other PSFs were considered to be nominal.
The default operator credit was estimated as three (1E-3). The time PSF assumes that the leak does not impact the availability of the standby injection pumps (e.g., Wolf Creek draindown event in 1994).
RHR-R Given a loss of RHR due to loss of level/flow control, the operator can recover one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The operator may need to fill the RCS and vent the RHR pumps. As recommended in GL 88-17, the licensees should have procedures for this recovery action. Using the SPAR-H LP/SD worksheets, the PSF level for time was considered extra, not expansive, since operator action outside the control room is required. All other PSF levels were considered nominal.
The default operator credit was estimated as three (1E-3).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of a RWST low level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
PWR LOI POS 3 (Worksheet 7)
FEED Operator initiates RCS injection before core damage. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06.
Core damage is assumed to occur after 3 hours without FEED. The time to manually initiate injection is assumed to take minutes to perform. Also, since the RCS is open, steam would be an additional visual cue. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal, since FEED is a common recovery procedure for an extended loss of RHR and is performed similar to the full power procedures. The default operator credit is estimated to be four (1E-4).
If the upper internals are not removed, then further investigation is required to determine if the unit has restrictive upper internals. See NUREG/CR-5820, Consequences of the Loss of RHR Systems in PWRs (1992), Section 2.5 for a discussion of this issue. It is highly recommended that the analyst contact NRC headquarters for additional guidance as a Phase 3 analysis may be required to properly characterize.
LEAK-STOP Operator isolates leak before RWST depletion given successful FEED. Using the SPAR-H LP/SD worksheets, the PSF level for available time is considered to be expansive as it is assumed time to core uncovery is greater than four hours. However, the diagnosis on the operators' part to locate the source of the leak and isolate it is considered to be highly complex and high stress. All other PSFs were considered to be nominal. The default operator credit was estimated as three (1E-3). The time PSF assumes that the leak does not impact the availability of the standby injection pumps (e.g., Wolf Creek draindown event in 1994).
RHR-R Given that RHR could not be recovered before boiling, the operators can recover/repair one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The level of diagnosis to recover/repair the RHR system is considered to be highly complex and high stress. The PSF level for time is considered extra, not expansive, since operator action outside the control room is necessary.
All other PSFs were considered to be nominal. Using the SPAR-H LP/SD worksheets, the default HEP was estimated as two (1E-2).
PWR LORHR POS 1 (Worksheet 8)
RHR-S The operators' ability to quickly recover the alternate train of RHR from the control room before boiling given a loss or interruption of the operating train of RHR. Using the operator response curves in NUREG/CR-1278 Table 12-4, it was assumed that if:
RHR recovery action can be identified within 1/2 the time to boiling (TBB), AND
RHR recovery action can be performed within 1/2 TBB, AND
trouble alarms are available,
THEN
CREDIT = 0 if TBB < 20 minutes
CREDIT = 1 if 20 minutes < TBB < 40 minutes
CREDIT = 2 if 40 min. < TBB < 1 hour
CREDIT = 3 if TBB > 1 hour
SG Operator acknowledges a loss of RHR function and maintains SG cooling by:
(1) maintaining adequate level for 24 hours and (2) venting steam from SGs and (3) keeping the RCS closed. It is assumed that the operators have CETs and SG level and pressure indication. It is also assumed that the operator has procedures which are supported by analysis for shutdown conditions. Using the SPAR-H LP/SD diagnosis worksheets, the PSF level for time is considered expansive. The experience/training in these procedures is considered to be low. All other PSF levels are considered nominal. The default operator credit is assumed to be three (1E-3).
FEED&BLEED Operator initiates RCS injection and RCS bleed before core damage. It is assumed that the operator has RCS level indication and CETs. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. All other PSF levels are considered nominal, since FEED & BLEED is a common recovery procedure for an extended loss of RHR and is similar to the full power procedures. The default operator credit is estimated to be four (1E-4).
Considering dependence, if the operator failed to maintain SG cooling, the PORVs and/or the RHR relief valves would lift, providing the operator additional cues that RHR cooling is interrupted. The actions would be performed by the same crew, but not close in time. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
RHR-R Given that RHR could not be recovered before boiling, the operators can recover/repair one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The level of diagnosis to recover/repair the RHR system is considered to be highly complex and high stress. The PSF level for time is considered extra, not expansive, since operator action outside the control room is necessary.
All other PSFs were considered to be nominal. Using the SPAR-H LP/SD worksheets, the default HEP was estimated as two (1E-2).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of a RWST low level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
PWR LORHR POS 2 (Worksheet 9)
RHR-S The operators' ability to quickly recover the alternate train of RHR from the control room before boiling given a loss or interruption of the operating train of RHR. Using the operator response curves in NUREG/CR-1278 Table 12-4, it was assumed that if:
RHR recovery action can be identified within 1/2 TBB, AND
RHR recovery action can be performed within 1/2 TBB, AND
trouble alarms are available,
THEN
CREDIT = 0 if TBB < 20 minutes
CREDIT = 1 if 10 min. < TBB < 30 minutes
CREDIT = 2 if 30 min. < TBB < 1 hour
CREDIT = 3 if TBB > 1 hour
FEED Operator initiates RCS injection before core damage. It is assumed that the operator has RCS level indication and CETs. It is assumed that the operator has procedures for this action as recommended by NUMARC 91-06.
Core damage is assumed to occur after 3 hours without FEED. The time to manually initiate injection is assumed to take minutes to perform. Rising CET values and the CET hi alarm would be received well before RCS boiling. Also, since the RCS is open, steam would be an additional visual cue. Therefore, using the SPAR-H LP/SD worksheets, the PSF level for time is considered to be expansive. All other PSF levels are considered nominal, since FEED is a common recovery procedure for an extended loss of RHR and is performed similar to the full power procedures. The default operator credit is estimated to be four (1E-4).
RHR-R Given that RHR could not be recovered before boiling, the operators can recover/repair one of two operable trains of RHR before RWST depletion. It was assumed that the operators had at least 10 hours to repair/recover one operable train of RHR before RWST depletion based on a full RWST. The level of diagnosis to recover/repair the RHR system is considered to be highly complex and high stress. The PSF level for time is considered extra, not expansive, since operator action outside the control room may be required. All other PSFs were considered to be nominal. Using the SPAR-H LP/SD worksheets, the default HEP was estimated as two (1E-2).
RWSTMU It was assumed that the licensee could provide makeup to the RWST if long-term RHR recovery failed. The time to perform this action was considered expansive. It was assumed that the licensee has procedures for this action, and the operator has RWST level indication with a low-level alarm. Using the SPAR-H LP/SD worksheets, the PSF level for time is considered expansive. The stress was assumed to be high, and the complexity was assumed to be high, since the operators would be simultaneously trying to recover RHR. All other PSF levels were assumed to be nominal. The default HEP was estimated as three (1E-3).
Considering dependence with RHR-R, an additional shift would be available due to the long time duration. The timing of both actions is simultaneous but not close in time. The operators would receive the additional cue of a RWST low level alarm. Thus, the dependency between the two actions was believed to be low. Using the SPAR-H worksheets, the task failure with dependence was estimated as 5E-2. Since the SDP uses operator credits in multiples of ten, the revised operator default credit is two (1E-2).
0308.03G-08 REFERENCES
- 1. APP-GW-GL-022, Revision 1, AP1000 Probabilistic Risk Assessment, Chapter 59 - Results and Insights, ADAMS Accession No. ML030510639.
- 2. EPRI 1003113, An Analysis of Loss of Decay Heat Removal Trends and Initiation Event Frequencies (1989-2000), 2001.
- 3. EPRI 1003465, Low Power and Shutdown Risk Assessment Benchmarking Study, 2002.
- 6. EPRI 1021176, An Analysis of Loss of Decay Heat Removal and Loss of Inventory Event Trends (1990-2009), 2010.
- 7. Federal Register (dated February 4, 1999, Vol. 64, no. 23).
- 8. Generic Letter (GL) 88-17, Loss of Decay Heat Removal - 10 CFR 50.54(f).
- 9. Information Notice (IN) 88-36, Possible Sudden Loss of RCS Inventory During Low Coolant Level Operation.
- 10. INL/EXT-19-54699, An Analysis of Loss-of-Offsite-Power Events 1987-2018, N. Johnson and Z. Ma, 2019.
- 11. NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.
- 12. NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, 1983.
- 13. NUREG/CR-5820, Consequences of the Loss of Residual Heat Removal Systems in Pressurized Water Reactors, 1992.
- 14. NUREG/CR-6143, Evaluation of Potential Severe Accidents during Low Power and Shutdown Operations at Grand Gulf, Unit 1, 1994.
- 15. NUREG/CR-6144, Evaluation of Potential Severe Accidents during Low Power and Shutdown Operations at Surry, Unit 1, 1994.
- 16. NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, 2005.
- 17. SECY-97-168, Issuance for Public Comment of Proposed Rulemaking Package for Shutdown and Fuel Storage Pool Operation.
- 18. Vogtle Units 3 and 4 Updated Final Safety Analysis Report (UFSAR) (ADAMS Accession No. ML19171A078), Chapter 19, Probabilistic Risk Assessment.
END
0308.03G-09 Attachment 1: Revision History for IMC 0308, Attachment 3, Appendix G

| Commitment Tracking Number | Accession Number, Issue Date, Change Notice | Description of Change | Training Required and Completion Date | Comment Resolution and Closed Feedback Form Accession Number (Pre-Decisional, Non-Public Information) |
|---|---|---|---|---|
| N/A | ML041470264, 5/25/04, CN 04-015 | Initial Issuance | | |
| N/A | ML050700199, 2/28/05, CN 05-007 | Revised to add automatic injection as a condition for operator actions RHRREC and LCOOL. The definitions for Plant Operational States (POSs) 1 and 2 were made to coincide with the revision. | | |
| N/A | ML20246G438, 01/11/22, CN 22-001 | Revision as part of 5-year update to conform to IMC 0040 formatting standards. Corrected errors and added information from lessons learned. | None | ML20246G437 |