resilient procedure use Halden Reactor Project, Norway

obey the principles without being bound by them bruce lee

resilience is about… the ability of a system to adapt to unforeseen, challenging situations (incl. but not limited to Fukushima-scale events) the ability to mobilize additional resources when a system approaches its margin of maneuver enabling smooth transfer of control

Balancing pre-planned responses and the ability to adapt to novel situations is not easy. These demands can be competing or contradictory. Focusing solely on procedural adherence may undermine the crew’s ability to make autonomous assessments, to think ahead, and to keep a high-level overview of the situation (over-reliance on procedures). Emergency response in complex scenarios requires reliability and resilience motivation

To respond to unanticipated situations that are not entirely covered by procedure, crews need – Cognitive capacity, expertise, questioning attitude – Understand procedure backgrounds and applicability – Monitor for anomalies, predict plant evolution – Avoid over-reliance on procedures Can we improve the ability to handle unexpected scenarios through staffing and support systems? – Shift technical advisor – Procedure overview tool – New large screen display with safety focus motivation

resilient procedure use requires balancing of heads-down operation heads-up operation and How to support this? - Crew roles - Procedure support tools - Overview tools (e.g. LSD) - External support - Others?

experimental design 5 Swedish and 5 US crews – (note: in Sweden there is no STA position) 4 EOP scenarios with complications – For optimal recovery, crew may have to make knowledge based decisions. 2 experimental factors (4 conditions) – STA available / not available (4/3 person crew) – Tools available / not available (Tools = procedure flowchart & large-screen display)

Experimental design Run 1 Run 2 Run 3 Run 4 Large-screen display, Procedure flowchart ✔✔✗✗ Shift technical advisor ✔✗✔✗ Sc 1 Sc 2 Sc 3 Sc 4 experimental design most support least support counterbalanced to avoid order effects First study to compare LSD with a no-LSD control group

scenarios Multiple SG tube break Interfacing system LOCA – LOCA outside containment (RHR system) Loss of feedwater Fire in cable compartment – With high-head SI pump breakdown – H.B. Robinson fire event Scenario has been coded into SACADA

Sc-1. Multiple SG tube break Main event: Stuck open SG 3 safety valve and multiple tube leaks in SG 2 and 3. At the transient one of SG 3 safety valves is get stuck open causing a partial tube break in the same SG 3. SG 2 is as well affected of the pressure transients at the Reactor trip and starts also to leak even though not much. Dependent of the tube SG 3 tube break and the failed open safety valve an uncontrolled release of activity is a fact. One complication in the scenario is that one sampling valve from SG 3 is forgotten closed after a maintenance work, thus the RMS channel R19C may not(possibly not) give any indication activity once it is reopened trying identify SG:s with tube rupture(s). The reason for not indicating activity is that if, as supposed, the crew isolates the faulted SG3, it will go dry and be completely fill with steam and no or maybe no water will enter SG3 sampling cooler and R19C. Another complication making it difficult to identify SG with tube leakages is that N16 measurement does give any indications after a reactor trip. The crews must in exception of using the EOP:s use other process indications to identify and isolate the affected SG:s no 2 and 3. Such indications will be a combination of RCS sub cooling, ΔT over SG3, SG3 not depressurized completely to atmospheric pressure, AF flow Steam flow and SG level progressions. Process thinking and situation awareness is very important in this scenario.

Sc-1. Multiple SG tube break Malfunctions: - Clogged strainer after main cooling water pump.. - SG2 tubleak (0.2) - SG3 tubleak (0.4) - SG3 failed open safety valve - SG3 sampling valves forgotten in closed position.. Expected operator actions: MCR Start emergency boration at turbine load reduction MCR Manually initiate SI when PRZ:er level is LESS THAN 12 %. MCR From E-0 transfer to E-2 and isolate faulted SG3 MCR Send a field operator to verify that SG3 PORV PCV-1103 is closed. MCR Should inform that a tube leak or rupture can be expected in the faulted SG. MCR From E-2, transfer to E-3 to isolate SG2. MCR From E-3, transfer to ECA-3.1 on uncontrolled cool down. MCR Conclude that even SG3 has a tube leak at latest when the SG is empty and does not dry out. MCR Start cool down with only SG1 since both SG2 and SG3 are affected. MCR Keep minimum sub cooling to minimize break flow in SG3. MCR When cool down rate decreases and level off, take actions/build a strategy to minimize the radioactive release from SG 3. Support is be to found in Key Decision Point in E-3 if needed. The optimal strategy would be to open SG2 PORV since the water level has a scrubbing effect.

Sc-2. ISLOCA Main event: Multiple break on RHR/LHSI system 1 On turbine T31 one of the two operable FW pumps P201 trip on over current signal. An automatic turbine load reduction to 45% turbine load on T31 is starts as expected. Since there is a malfunction on the steam dump control the steam dump valves does not open.. 2 At the end of T31 load reduction, T32 trips on a generator protection signal. 3 Since dump control is blocked the RCS temperature and pressure increases rapidly and PRZ:er and SG relief valves open. The reactor control rods start to decrease reactor power on Tave-Tref miss match. 4 At the pressure transient RHR/LHSI suction valve 8702 B a former induced crack develop to a partial internal break on the sluice valve disc. The pressure increase rapidly in train B and the safety valve 8708 B open and releases hot RCS water to the pressurizer relief tank PRT). The heavy pressure spikes depend of the safety valves opening and closing causes a break on the pressure side of the RHR/LHSI-pumps and safety valve 8708B get stuck 75% open. The break position is between 8707 A and B on common RHR/LHSI pressure side. This break is possible to isolate but the second break (stucked open safety valve) is not possible to isolate.

Sc-2. ISLOCA 5 Since the the PRZ level and pressure decreases rapidly, reactor trip and safety injection is automatically released on low pressurizer pressure. 6 The two breaks initiates almost simultaneous fire alarms in containment and auxiliary building. From containment and from auxiliary ventilation stack alarms for high radiation is as well received. 7 Some minutes after the break in auxiliary building, RHR/LHSI trips on earth failure since the pump motor is flooded. Expected crew responses Start emergency borate during the load reduction. Identify that there exist two breaks on RHR/LHSI system. Isolate the break on pressure side of RHR/LHSI pumps using ECA-1.2 with belonging backgrounds. Conclude that one “break” remain since the containment pressure is increasing. Transfer to E-1 “ Loss of reactor coolant” and from E-1 continue to ES-1.2 to start cool down

Sc-3. Loss of feedwater Main event: Break on T31 condensate system cause loss of feed water. A few minutes into the scenario a break arise which progressively develops to a loss of 240 kg/s condensate flow. Condenser level decreases due to the loss of condensate flow, but dependent on an unsuccessful remedy level transmitter calibration, the actual condenser level decrease faster than indicated in MCR. When the breaks starts a high pressure water jet hits a high temperature drain pump motor and the pumps trips on earth failure which also entail one low temperature drain pump to stop. Due to the extensive break flow, the suction pressure to main FW pumps decreases resulting that the SG levels slowly decreases despite fully open SG FW control valves. A few minutes after the condensate pump trips on low condenser level (cavitation) resulting in trip of main feed water pumps which induce a 200% turbine run back and start of aux.feed pumps. At the start of AF pumps, motor driven pump -01 and -02 stop on overload and turbine driven (AFAPST-01) can`t speed up dependent of a stem separation of the regulating valve. The valve indicates open in MCR. A few moments later, Turbine T31 trips on high condenser pressure giving a reactor trip, but since leaking 411-V101 can`t be isolated by the stucked isolation valve, T31 remains connected to the grid at a slowly decreasing power, thus cooling down the tripped reactor. The turbine may as well overspeed if generator breaker is manually opened.

Sc-3. Loss of feedwater If Steam line isolation is not actuated the turbine will over speed it may cause severe damages and fire in the turbine building. At the steam line isolation MS safety valves open for a short while but all reclose properly.Since no AF flow is received and SG NR levels are out of span, the operators enters FR-H1 “loss of secondary heat sink” after completed immediate actions in E-0. While attempting to restore feed flow to the SG:s in FR-H1, the crew initiates bleed and feed when at latest 2 SG wide range level is below set point 20 %. At this moment the PRZ:er PORV PCV-445B get an internal leakage. PCV-444A is jammed closed. Electrical maintenance is calling the MCR reporting that they have made a temporarily adjustment on over load relay to Aux. feed pump AFAPEL-01 and that the pump can be started again. When AF flow is started to SG1 or SG3, a small crack on a SG tube is initiated. After a assumed successful restoration of a heat sink (Level ˃ 12%NR), the PRZR:er PORV:s are closed in sequence by the MCR. One PRZR PORV PCV-445B is now leaking 25% after closure of the valve which render difficulties to restore sub cooling and stop of SI flow. During the BLEED and FEED phase in FR-H1 “Loss of Heat Sink” it`s probable that Orange or Red condition appears for FR-P1 “Pressurized Thermal Chock”. When ONE SG level is ˃ 12%, the crew close PRZ:er PORVs and stop SI flow. Since a PTS problem probably exists crew transfers to FR-P.1 Imminent Pressurized Thermal Shock condition to stabilize the plant.

Sc-3. Loss of feedwater Expected operator actions MCR should decrease turbine load to decrease FW demand and stabilize SG levels. MCR should communicate clearly what they observe and initiate Reactor trip. MCR should manually initiate main steam line isolation to stop cool down and over speeding. Depending of the crew operational history the crew should transfer to FR-H1 when exit E-0 formally or by SM decision. MCR should choose another SG and send a FO to check the pump and flow path. MCR should open the sampling valves from the SG, since a tube leak isn`t unlikely when restoring AF to hot and empty SG. MCR are expected, after a time delay of around 15 min, to identify that SG2 or SG3 have a tube leak and isolate the affected SG. MCR is expected to identify and isolate the the leaking PORV. If not MCR will end up in E-1 and ES-1.2. When ONE SG level is ˃ 12% and Bleed & Feed is stopped and subcooling established, the crew should transfer to FR-P1 to stop SI flow and stabilize the plant for at least one our + return to procedure and step in effect.

H.B. Robinson fire Main event: Fire in cable compartment with SI and HHSI pumps break down At the welding of the pipe supports a fire arise causing short cuts in power cables to: 1) T32 Condensate pumps P 103 and P 102 2) T32 Condensate drain pump 3) Feed Water pumps P 203 4) Reactor coolant pump RCP 3 (7 min in the scenario) The electrical short cuts cause in a disorderly manner trips of of the pumps. T32 starts to runback and due to the T32 pump trips steam dump to the condenser is restricted. The fire in the cable compartment as well cause a that RCP is operation for a short while on 2 phases and finally stop on earth failure, rolling out with very high vibrations, causing a shaft seal damage and leakage. The reactor reactor trip automatically on only 2 RCP in operation, SG and PRZ pressures increases rapidly due to the restricted steam dump. PRZR PORV:s reclose but one safety valve on SG1 do not reclose completely, thus begin to release steam to the atmosphere and slowly cool down RCS. Charging control valve FCV-122 open automatically to compensate for RCS shrinkage at the cool down and the Make Up system will not have capacity to keep the VCT level. After some minutes RCS pressure reach the set point for Safety Injection on low PRZ pressure 122 bar g and SI starts. LCV-115 E does not close at HHSI pumps suction side at the transfer from VCT to RWST. Non condensable gases are induced to to the HHSI pumps mixing with RWST water. The gas mixture causes the HHSI pumps to break down one after the other. If the Crew don`t take actions to preserve one HHSI pump and manually close suction valve from VCT, no HHSI pumps will be available.

H.B. Robinson fire Operator actions 1) Identify SG 1 with secondary break and isolate it by E-2. 2) Stabilize the the plant with no PRZ:er level available. 3) Take action to close one suction valve from VCT and try to start one charging pump. 3) Form a strategy for long term restoration. Possible operator actions - Reset SI signal and stop one SI pump before it break down. - Order a field operator to manually close LCV 115 C or E. - Align and start the hydro test pump to fill the pressurizer. - Test to restart one charging pump after venting the pump after closure of LCV-115 C or E AND establish normal charging flow.

week plan

measures HRA-type performance measures – HFE success / failure, HFE performance time – PSFs, crew errors, aggregated crew stories New measure of SA for ISV New measure of teamwork competence and emergency competence Eye tracking Questionnaires

tools for improving situation overview: new large-screen display and STA flowchart

new large screen display

status of important safety systems status of automatic systems, and other important alarms (e.g. RMS) sub- cooling mass balance increasing/ decreasing PRZ pressure/ level trends; alarm levels; trip points new large screen display: primary SG pressure / level trends

procedure flowchart E-0 E-1 E-2 E-3 ECA-1.1 ECA-1.2 ECA-1.3 ES-1.2 FR-H.1 FR-P.1

Link to background material > Key decision point > Critical action steps > < Grouping of procedure steps < Procedure /step transfers < Procedure transfers (clickable) < Short description of step links to full text Step number > Link to high-level summary >

CSF status, link to decision tree > Foldout page, link to appendix >

Some flowcharts contain diagrams with live data > *

Halden Reactor Project, Norway

contact