B12002, Forwards Probabilistic risk-based Fire Analysis of internally-initiated Events.Fire Analysis Documented as Chapter 6 of Probabilistic Safety Study.W/Nine Oversize Encls

ML20203B329
Person / Time
Site: Millstone
Issue date: 03/26/1986
From: Opeka J
NORTHEAST NUCLEAR ENERGY CO., NORTHEAST UTILITIES
To: Charemagne Grimes
Office of Nuclear Reactor Regulation
Shared Package
ML20203B337 List:
References
B12002, NUDOCS 8604180146


Text


NORTHEAST UTILITIES
General Offices, Selden Street, Berlin, Connecticut
P.O. BOX 270, HARTFORD, CONNECTICUT 06141-0270
(203) 665-5000

March 26, 1986

Docket No. 50-245
B12002

Office of Nuclear Reactor Regulation
Attn: Mr. Christopher I. Grimes, Director
Integrated Safety Assessment Project Directorate
Division of PWR Licensing - B
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Gentlemen:

Millstone Nuclear Power Station, Unit No. 1
Probabilistic Safety Study - Fire Analysis

In a letter dated July 10, 1985,(1) Northeast Nuclear Energy Company (NNECO) submitted a summary report of the results of a plant-specific Probabilistic Safety Study (PSS) for Millstone Unit No. 1. At that time, we noted that the study only considered internally-initiated events and that we were planning to complete and document an analysis of fire-initiated events.

Northeast Utilities Service Company, on behalf of NNECO, has recently completed a probabilistic risk analysis of fire-initiated events at Millstone Unit No.1. The fire analysis, included as an attachment to this letter, was performed in order to identify and evaluate the probability and consequences of postulated fires on the operation of Millstone Unit No.1. Specifically, a set of event trees was developed which modeled the pathways via which a fire would lead to plant events similar to those previously analyzed as originating from internally-initiated events. Fires in critical areas of the plant can act as transient initiating events as well as lead to degradation or loss of vital safety equipment, thus resulting in a decrease in the likelihood of successful transient mitigation.

The fire analysis calculated a mean core melt frequency of 5.3 x 10^-5 per reactor-year resulting from fire-initiated events. When combined with the results of the internally-initiated events PSS (calculated core melt frequency of 8.07 x 10^-4 per reactor-year), the total calculated core melt frequency for Millstone Unit No. 1 is 8.6 x 10^-4 per reactor-year. Approximately 6.2% of this total calculated core melt frequency is attributable to fire-initiated events.

(1) J. F. Opeka letter to J. A. Zwolinski, "Probabilistic Safety Study - Results and Summary Report," dated July 10, 1985.

In a manner similar to our evaluation of internally-initiated events, we are presently evaluating the results of the fire analysis in order to determine insights into the major fire-related contributors to core melt frequency at Millstone Unit No. 1. These insights will be evaluated using the methodology developed as part of the ISAP concept.

It should be noted that the fire analysis is a best estimate analysis of the risk of fire-initiated transient events at Millstone Unit No.1. Additionally, as the collection of data and preparations for this analysis was undertaken during the late 1984/early 1985 time period, the plant has undergone changes which are not reflected in the analysis. As an example, the analysis identifies eutectic heat sensing wire as being in use in many areas of the plant, however during the course of the past few years much of this wire has been removed from the plant.

Our review of the benefit of this heat sensing wire has determined that the wire provided an insignificant contribution to the safety of the plant. However, as the Millstone Unit No. 1 PSS is a living document which we plan to update periodically, the first update to the fire analysis will include revisions to the fire analysis models to account for the removal of the eutectic heat sensing wires as well as the addition of plant modifications scheduled to be implemented as part of the requirements of 10CFR50, Appendix R. The PSS will also be revised to reflect the impact of other modifications (e.g., long-term cooling-related modifications) on the study.

Per your request, we are sending 20 copies of the Millstone Unit No. 1 probabilistic risk-based fire analysis to the ISAP Project Directorate for distribution within the NRC (including NRR, Region I, ACRS, etc.). We have documented the fire analysis as Chapter 6 of the Millstone Unit No. 1 PSS. As such, the attached analysis and revised index should be inserted in Volume 4 of the Millstone Unit No. 1 PSS.

If you have any questions on the attached material, please feel free to contact my staff.

Very truly yours,
NORTHEAST NUCLEAR ENERGY COMPANY
J. F. Opeka
Senior Vice President

Docket No. 50-245
B12002

Millstone Unit No. 1
Probabilistic Safety Study
Fire Analysis
Summary and Results
March 1986

MILLSTONE UNIT 1 PROBABILISTIC SAFETY STUDY

SECTION  TITLE

VOLUME 4

3.2.21  Recirculation Pump Trip System
3.2.22  Standby Liquid Control System
3.2.23  Shutdown Cooling System
3.2.24  Alternate Shutdown Cooling / Containment Cooling
3.2.25  Emergency Service Water System

4.0  HUMAN RELIABILITY ANALYSIS
4.1  INTRODUCTION
4.2  METHODOLOGY
4.3  TABULATION OF IMPORTANT OPERATOR ACTIONS

5.0  MODEL QUANTIFICATION AND RESULTS
5.1  METHOD OF QUANTIFICATION
5.2  SUPPORT STATE QUANTIFICATIONS
5.3  SYSTEM EVENT TREE QUANTIFICATION RESULTS

6.0  ACCIDENTS CAUSED BY FIRE
6.1  FIRE EVENT TREE MODEL
6.1.1  Control Room
6.1.2  Cable Vault
6.1.3  Mezzanine
6.1.4  Feedwater Area
6.1.5  Switchgear Area
6.1.6  Reactor Building
6.2  ACCIDENT SEQUENCE MODELING
6.2.1  Fire Damage State F-1A
6.2.2  Fire Damage State F-1B
6.2.3  Fire Damage State F-1C
6.2.4  Fire Damage State F-1D
6.2.5  Fire Damage State F-2A
6.2.6  Fire Damage State F-2B
6.2.7  Fire Damage State F-2C
6.2.8  Fire Damage State F-2D
6.2.9  Fire Damage State F-3A
6.2.10  Fire Damage State F-3B
6.2.11  Fire Damage State F-4A
6.2.12  Fire Damage State F-4B
6.2.13  Fire Damage State F-4C
6.2.14  Fire Damage State F-5A
6.2.15  Fire Damage State F-5B
6.2.16  Fire Damage State F-5C
6.2.17  Fire Damage State F-5D
6.2.18  Fire Damage State F-6
6.2.19  Fire Damage State F-7
6.2.20  Fire Damage State CM
6.3  QUANTIFICATION RESULTS FOR ACCIDENTS CAUSED BY FIRE

APPENDIX 6-A  Fire Zone Layout


6.0 ACCIDENTS CAUSED BY FIRE

This section documents the results from the analysis of fire events at Millstone Unit 1. The purpose of the fire analysis is to identify the effects and likelihood of postulated fires which could consequently result in a core melt accident. This was done by developing a set of special event trees that describe the ways in which fires can lead to events similar to those previously analyzed as originating from internal initiated events. Fires in the most critical plant areas can cause both plant initiating events as well as the loss of one or more safety functions, thus decreasing the likelihood of successful transient mitigation. Fires in other areas may cause the loss of certain safety functions without creating a plant transient condition. Such events could result in a slow controlled manual shutdown using normally available decay heat removal systems such as the Feedwater and Main Condenser systems. Accordingly, fires of this nature can be shown to have considerably less impact on public risk.

Fire induced failures in primary plant systems and their associated support systems can take place in several different ways. As considered in this evaluation, the failures may occur directly as the result of system loss from fire damage or indirectly due to the burning of equipment power / control cables. For the case of control circuits, system failure can be caused by loss of control either from through-wire burning or spurious equipment operation due to wire-to-wire hot shorts. In the latter instance, it is assumed that the spurious operation of motor-operated valves or control logic will defeat the intended system function. By way of contrast, the success of reactivity control is considered to be independent of fire. This is because a reactor trip will be generated whenever a fire causes the failure of reactor protection system (RPS) control circuits or any of the RPS support systems, such as AC power and instrument / station compressed air. Consequently, reactor trip is assumed to occur even if a fire causes damage to the RPS.

The critical fire areas were determined through a review of Reference 1 and by identifying zones in the plant (i.e., fire zones) that contain equipment which is vital to safe shutdown and whose loss would initiate a transient event. The class of transient and functions lost as the result of fire in each critical area are specified in the Fire Damage State sections. The critical fire areas are listed below along with the designated fire zones which comprise each of the areas.

o Control Room (zone T-21)
o Cable Vault (zone T-16)
o Mezzanine (zone T-17)
o Feedwater Area (zones T-5A, T-5B and T-5C)
o Switchgear Area (zones T-19A, T-19B, T-19C, T-19D and T-19E)
o Reactor Building (zones R-2A, R-2B, R-2C, R-2D and R-19)
o Diesel Generator Room (zone T-7)
o Gas Turbine Generator Building (no zone assigned)

The frequency of fire for each of the critical plant areas shown above is based on the frequencies of fire that were used in the Millstone Unit 3 PSS (Reference 2). These frequencies were derived from historical experience based on the number of observed fires over total compartment (critical plant area) years in all light water reactor plants. An adjustment was made to reflect the fact that the compartments specified in Reference 2 do not exactly reflect the Millstone Unit 1 plant design. For example, equipment which would only be housed in the Auxiliary Buildings of most plants is housed in both the Switchgear Area and Reactor Building of Millstone Unit 1. Consequently, approximately one half of the fire frequency for Auxiliary Buildings was assigned to each of these critical areas at Millstone Unit 1. The frequency of fire for each of the eight critical plant areas at Millstone is shown in Table 6.0-1.

TABLE 6.0-1
FREQUENCY OF FIRE EVENT AT MILLSTONE UNIT 1

CRITICAL PLANT AREA               MEAN FREQUENCY
Control Room                      4.0 x 10^-3 / reactor yr.
Cable Vault                       7.0 x 10^-3 / reactor yr.
Mezzanine                         4.7 x 10^-3 / reactor yr.
Feedwater Area                    2.0 x 10^-2 / reactor yr.
Switchgear Area                   1.93 x 10^-2 / reactor yr.
Reactor Building                  1.75 x 10^-2 / reactor yr.
Diesel Generator Room             3.4 x 10^-2 / reactor yr.
Gas Turbine Generator Building    3.4 x 10^-2 / reactor yr.

6.1 FIRE EVENT TREE MODEL

Event trees were constructed to model the chain of events that would occur following the start of a fire in each of the critical fire areas. The endpoints of these event tree models lead to conditions where: there is no damage and plant operation would continue, there is limited damage and a controlled shutdown is commenced or there is major damage and a transient is induced by the fire. The mitigation of such transients is modeled by using the basic structure of the transient event trees that were developed in Section 2.0 for internal events. However, the event trees were quantified using system unavailabilities that reflect the effects of the fire on system components and their associated power and control cables. In the event trees, all fires are assumed to grow in size and none are assumed to self extinguish. The growth of fire is modeled as being wholly dependent upon the various stages of detection, suppression, and propagation as described below.

Detection

Detection encompasses the first stage of fire development for the event tree models that were used in the study. The length of time between the onset of fire and its successful detection determines the extent of damage that could occur within a critical area prior to suppression. The fire detection model considers: plant personnel who occupy an area, early warning area smoke detectors, and eutectic heat sensing wires if they are installed near critical area equipment and cabling. Early discovery of a fire by personnel (within 3 minutes) is only credited in the model for control room fire because this area is continuously occupied by trained operators. Otherwise the models assume early warning can only be accomplished within 5 minutes by area smoke detectors. In the event that detectors fail, the fire model assumes that the fire would grow in size for approximately 15 minutes until eutectic heat sensing wires could be activated in areas where they are installed. A fire at this particular stage of development is modeled to damage equipment and spread to other cables or cable trays, producing either control room alarms or some type of transient event. Any of these off normal occurrences would cause operations personnel to respond and, therefore, both personnel and heat sensing wires are credited for late detection in the fire models.

Suppression

If a fire is discovered early by personnel or area smoke detectors, then portable extinguishers are modeled as being used for suppression with success measured as a function of the time required for people to arrive at the fire (i.e., a longer response time increases the probability of failure). Assuming that the fire is suppressed early by portable extinguishers, minimal equipment / cable damage would occur with no fire propagation. If the fire were not detected early or portable extinguishers failed to suppress the fire, then manual hose stations or automatic sprinkler systems (where available) are modeled as being used for extinguishment. Suppression at this late stage implies that equipment could be irretrievably lost and multiple power / control cables damaged.

Propagation

The fire models assume propagation to unprotected vertical cable trays unless detection is early and suppression is achieved using portable extinguishers. However, oil or flammable liquid fires are always modeled as propagating fires regardless of the detection or personnel response time. For fires that are detected but not successfully extinguished, propagation to all unprotected cables within a critical fire area is assumed along with a total loss of their related functions. Similarly, an unsuppressed equipment fire would cause a loss of all affected components within the area. Fires are initially assumed to occur in either cables or components if both are housed within the same area.

Event Tree Models

Event tree models were constructed for six of the eight critical fire areas to quantify the various stages of fire detection, suppression and propagation that are described above. The end points on the paths of each tree represent the different possible fire damage states that result from an assumed fire in a particular critical plant area. As discussed in Section 6.2, each fire damage state defines the frequency and type of fire induced initiating event along with the associated support state conditions. For two of the eight critical fire areas, no event tree models were constructed because a fire in either area would not result in a plant transient condition. The occurrence of a fire in these areas would, however, cause a total loss of the associated emergency systems that are housed within. Both the Diesel Generator Room and the Gas Turbine Generator Building are critical plant areas that fall into this category as discussed below.
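The detection, suppression and propagation stages described above can be walked as a small event tree. The following is an added illustration, not a model taken from the study: the branch probabilities, the three end-state names and the rule that an undetected fire goes unsuppressed are assumptions made for the example, and only the Cable Vault fire frequency comes from Table 6.0-1.

```python
"""Illustrative fire event tree: detection -> suppression -> propagation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Branches:
    """Conditional branch probabilities for one fire area (all CONSTRUCTED)."""
    early_detect_fail: float   # smoke detectors (or operators) miss the fire early
    late_detect_fail: float    # heat sensing wire and personnel response also fail
    portable_fail: float       # portable extinguishers fail after early detection
    late_suppress_fail: float  # hose stations / sprinklers fail
    liquid_fraction: float     # share of fires that are oil / flammable liquid


def quantify(fire_freq, b):
    """Return {end_state: frequency per reactor-year} for one fire area.

    End states (names assumed for this example):
      minimal_damage - early detection, portable extinguisher success,
                       no propagation
      partial_loss   - fire suppressed, but only after it propagated
                       (late suppression, or a liquid fire suppressed early)
      total_loss     - fire never suppressed: all unprotected cables and
                       affected components in the area are lost
    """
    for name, p in vars(b).items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability, got {p}")

    early = 1.0 - b.early_detect_fail
    early_and_portable_ok = early * (1.0 - b.portable_fail)

    # Early suppression gives minimal damage, except that liquid fires are
    # always treated as propagating fires.
    minimal = early_and_portable_ok * (1.0 - b.liquid_fraction)
    partial = early_and_portable_ok * b.liquid_fraction

    # Paths that reach late suppression: portable extinguishers failed, or
    # the fire was only found late.
    to_late = (early * b.portable_fail
               + b.early_detect_fail * (1.0 - b.late_detect_fail))
    # Assumption: a fire that is never detected is never suppressed.
    never_found = b.early_detect_fail * b.late_detect_fail

    partial += to_late * (1.0 - b.late_suppress_fail)
    total = never_found + to_late * b.late_suppress_fail

    return {
        "minimal_damage": fire_freq * minimal,
        "partial_loss": fire_freq * partial,
        "total_loss": fire_freq * total,
    }


# Cable Vault fire frequency from Table 6.0-1 (per reactor-year).
CABLE_VAULT_FREQ = 7.0e-3

# CONSTRUCTED branch values, chosen only to exercise every path of the tree.
EXAMPLE = Branches(
    early_detect_fail=0.1,
    late_detect_fail=0.05,
    portable_fail=0.3,
    late_suppress_fail=0.1,
    liquid_fraction=0.2,
)

if __name__ == "__main__":
    states = quantify(CABLE_VAULT_FREQ, EXAMPLE)
    for state, freq in states.items():
        print(f"{state:15s} {freq:.3e} / reactor yr.")
    # The end states partition the tree, so they sum to the fire frequency.
    print(f"{'sum':15s} {sum(states.values()):.3e} / reactor yr.")
```

Because every path ends in exactly one end state, the end-state frequencies sum to the initiating fire frequency, which is a useful check on any tree of this shape.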

Diesel Generator Room

The Diesel Generator (D/G) Room contains an emergency diesel powered generator which is used to supply AC electric power to safe shutdown loads, following a loss of the normal offsite supply. Since the room is totally enclosed on all sides by a structure whose materials have a fire rating that exceeds the maximum credible burn time for a postulated fire, no propagation to adjacent areas is assumed. The D/G room is also protected by its own fire detection and suppression systems. In the event of a fire in the room, it is assumed that there will always be a total loss of the emergency generator although steady state operation of the plant is not affected.

To determine how a fire in this area could contribute to a core melt accident, it was necessary to postulate a loss of normal power event (LNP) followed by a fire induced failure of the generator. The internal event tree analysis addresses a similar scenario which involves a LNP with subsequent D/G failure and results in a core melt frequency (C.M.F.) of 3.17 x 10^-6/year. This value of C.M.F. is obtained by quantifying the loss of normal power event tree for support state 5 (which addresses random failure of the diesel) as shown below.

$$\mathrm{C.M.F.}_{LNP-5} = \lambda_{LNP} \cdot Q_{SS5} \cdot P_{LNP-5}$$

where $\lambda_{LNP}$ is the frequency for loss of offsite power (Section 1.0), $Q_{SS5} = 2.67 \times 10^{-2}$ is the LNP split fraction for D/G failure in support state 5 (Section 5.0), and $P_{LNP-5}$ is the probability of core melt given LNP and Support State 5. To obtain this value the LNP event tree (Section 2.0) is quantified for all plant damage states by using system unavailability data for support state 5 (Appendix 2-A).

As noted earlier in Section 6.0, the frequency of a D/G fire is estimated to be 3.4 x 10^-2/year. This value can be converted to a split fraction for being in support state 5 by assuming that the fire will only occur after a start demand on the diesel. Although the Millstone Unit 1 D/G is tested (demanded) approximately 50 times per year, it is conservatively assumed that there are only 12 tests per year. (This is conservative because it increases the predicted chance of fire given any demand.) Thus, the Support State 5 split fraction due to fire is computed to be:

$$Q'_{SS5} = \frac{3.4 \times 10^{-2}/\text{year}}{12\ \text{demands}/\text{year}} = 2.83 \times 10^{-3}$$

To determine the contribution of D/G room fires to core melt, the above split fraction is substituted for its counterpart in the internal event tree analysis as follows:

$$\mathrm{C.M.F.}_{D/G\ FIRE} = \mathrm{C.M.F.}_{LNP-5} \cdot \frac{Q'_{SS5}}{Q_{SS5}}$$

where C.M.F. D/G FIRE is the core melt frequency due to LNP followed by a fire induced failure of the D/G and C.M.F. LNP-5 is the core melt frequency due to LNP followed by random failure of the D/G. Substituting the previously defined values into the above equation:

$$\mathrm{C.M.F.}_{D/G\ FIRE} = \frac{(3.17 \times 10^{-6}/\text{yr.})\,(2.83 \times 10^{-3})}{2.67 \times 10^{-2}} = 3.36 \times 10^{-7}/\text{yr.}$$

The addition of C.M.F. D/G FIRE to the total core melt frequency is thus negligible.

Gas Turbine Generator Building

The emergency gas turbine (G/T) generator, which provides a redundant backup to the D/G, is located in a reinforced concrete "blockhouse" that is located away from the plant proper. If the G/T generator were to catch on fire, the damage would be confined to the unit itself without having any effect on steady state operation of the plant. Consequently, a G/T generator fire would produce the same effect that was just discussed for a fire in the D/G room.

The internal event tree analysis for loss of normal power (LNP) events quantified a scenario for LNP with subsequent G/T generator failure that produces a core melt frequency of 1.27 x 10 /yr. This can be expressed by:

$$\mathrm{C.M.F.}_{LNP-3} = \lambda_{LNP} \cdot Q_{SS3} \cdot P_{LNP-3}$$

where $\lambda_{LNP}$ is the frequency of LNP (Section 1.0), $Q_{SS3} = 0.144$ is the split fraction for G/T failure in support state 3 (Section 5.0), and $P_{LNP-3}$ is the probability of core melt given LNP and support state 3. To obtain this value the LNP event tree (Section 2.0) is quantified for all plant damage states by using system unavailability data for support state 3 (Appendix 2-A). A similar split fraction for G/T generator failure due to fire can be obtained by treating the fire as if it were in a D/G. This is a conservative assumption since most D/G fires are caused by carryover of lube oil into the turbocharger and exhaust sections of the unit. Gas turbine generators do not have this type of apparatus since they use the exhaust gases from an aircraft jet engine to spin a turbine which then drives the AC generator.

The contribution of G/T Generator Building fires to core melt can be computed in the same manner as were D/G room fires. This involves substituting the G/T generator fire split fraction, which is assumed to be the same as that for diesels, for the equivalent value used in the internal events analysis:

$$\mathrm{C.M.F.}_{G/T\ FIRE} = \mathrm{C.M.F.}_{LNP-3} \cdot \frac{Q'_{SS3}}{Q_{SS3}}$$

Substituting the previously defined values, where it is assumed that $Q'_{SS3} = Q'_{SS5}$:

C.M.F. G/T FIRE = (1.27 x 10 /yr.) x (2.83 x 10^-3) / 0.144
                = 2.5 x 10 / reactor yr.

Again, it is more appropriate to add this core melt contribution to the internal core melt frequency since the initiating event is loss of offsite power rather than fire. Based on the existing total internal C.M.F. of 8.07 x 10^-4/R.Y., the contribution from G/T fire following LNP is negligible since it increases the total by less than one percent.

Fires which damage equipment in the plant without inducing transients could potentially have an effect on the unavailability of such equipment before the plant is shut down. However, as noted in Section 3.0, plant specific data was used to compute equipment unavailability based on actual failure histories and maintenance experience. Data collected for Millstone Unit #1 equipment already includes any unavailability due to fire and further consideration of that due to hypothetical fires would amount to overcounting. Accordingly, equipment damage from fire is not considered unless transient events are also induced.

The above represents an exception to the way in which fires in critical areas were treated. For the remaining six fire areas, event tree models were developed as described below.

6.1.1 CONTROL ROOM

The Control Room is located at the 36'6" elevation of the Turbine Building and contains four rows of control panels along with the main control board (MCB) as shown in Figure 6.1.1-1. (Further information on spatial layout and fire zone description can be found in Appendix 6-A.) Each of the MCB sections (i.e. 903, 904, etc) is separated from the adjacent section by a metal barrier that runs between them. However, both the back sides of the MCB and the row of control panels that run parallel to it are open to each other. The Control Room was divided into four fire damage zones as follows:

Zone 1 consists of control panels in row #1 that contain reactor trip and emergency core cooling system (ECCS) actuation logic. If a fire occurred in panels 915 and 917, a reactor trip would be generated, while a fire in panels 932 and 933 could cause a loss of ECCS auto actuation and a possible stuck open safety/relief valve (S/RV).

Zone 2 includes panels in row #2 for vital AC (VAC), instrument AC (IAC), and loss of normal power (LNP) logic. A fire in the VAC panel would cause a loss of feedwater and a major portion of critical instrumentation for reactor vessel level and pressure to be lost as well. A fire in the IAC panel would cause the failure of some control room instrumentation and could possibly spread to the VAC panel. Other panels contain LNP logic which is assumed to load shed emergency 4160V buses and ECCS equipment if a fire were to occur in this location.

Zone 3 contains MCB "A" (sections 903, 904 and 905) along with the parallel row of control panels that are open to the back of the MCB. A fire in any one of these row #3 control panels would not cause a transient by itself but, since the panels are open on the backside, a fire could propagate across to MCB "A". Assuming a fire in sections 903, 904 and 905, there would be a loss of control for all ECCS systems including the Isolation Condenser (IC). In addition, the main steam isolation valves (MSIV's) would fail closed and the depressurization function via the S/RV's would be lost. There is also the possibility that a single S/RV could fail open because of hot wire-to-wire shorts in the opening circuitry.

Zone 4 includes the row #4 control panels and MCB "B" (sections 906, 907 and 908) with overlapping into section 905 which is also part of MCB "A". A fire in row #4 would not cause a transient by itself but could spread to MCB "B" and involve those sections. If a fire occurred in or spread to sections 906 and 907, a loss of feedwater event would be initiated. Since MCB section 908 houses controls for the onsite AC power distribution network, a fire in this location could cause a station blackout if it produced certain worst case wire-to-wire hot shorts.

If a fire in any one of the panels or sections is detected and suppressed within three minutes, only minimal damage is assumed since all panels are readily accessible. If the fire is not extinguished, then propagation from one panel to the adjacent panels is postulated even for sections of the MCB which have barriers between them. Fire spreading between zones is only possible as the result of some gross human error such as transporting a sufficient quantity of flammable liquid into the Control Room to allow the fire to propagate across the zone spacing.

The total fire loading in the Control Room is such that it can only support a fire for approximately 7.5 minutes. Fire protection consists of early warning smoke detectors, one 20 lb. CO2 portable extinguisher, two 10 lb. CO2 portable extinguishers, two 17 lb. Halon portable extinguishers and a hose station. No credit is given for the hose station since water would probably cause as much damage as the fire itself if the hose station were used.

The fire event tree model that is used to determine the resultant fire damage states for a Control Room fire is shown in Figure 6.1.1-2. As mentioned earlier, each fire damage state determines the associated plant support state conditions.

Definition of Top Events:

1. Frequency of Fire - Initiator FR

As described in the following writeup, this value was increased from 4.0 x 10^-3/year to 5.0 x 10^-3/year in order to account for kitchen fires which are felt to be unique to Millstone Unit 1.

2. Smoke Detection Fails - Node SD

SD is the probability that both the early warning smoke detectors and the control room operators fail to detect the fire early.

SD = QSD x HEPDet

where QSD = 0.22 for failure of the smoke detectors and HEPDet = 1.0 x 10^-2 is the human error probability for two control room operators failing to detect the fire. Both of these values are taken from Table 2-K-1 in Reference 2. Substituting these values into the above equation:

SD = 0.22 x 1 x 10^-2

= 2.2 x 10^-3

3. Portable Extinguishers Fail - Node PE1

From Table u in Reference 3, the mean value for success of portable extinguishers is calculated to be 0.928 based on a 5th percentile value of 0.95 and a 95th percentile value of 0.90 for response times that are between one and three minutes, respectively. Therefore,

PE1 = (1.0 - 0.928) = 7.2 x 10^-2

4. Propagation Due to Human Error - Node P

The probability that a large quantity of flammable liquid will be improperly stored in the Control Room and remain there for more than 30 days is

P = 3.3 x 10^-5 (Reference 4).

5. Zone Split Fractions - Nodes SZ1, SZ2, SZ3

These split fractions are conditional probabilities that are used to distribute the frequency of Control Room fire between the four zones shown in Figure 6.1.1-1. The zones consist of four rows of control panels and two groups of MCB sections as described earlier. Initially, each of the four rows and two groups was assigned an equal weight of 1/6 in order to distribute the frequency of Control Room Fire which is 4.0 x 10^-3/yr. as shown in Section 6.0. The total zone weights were determined as follows:

Zone 1 (row #1) = 1/6 weight
Zone 2 (row #2) = 1/6 weight
Zone 3 (row #3 and MCB "A") = 2/6 weight
Zone 4 (row #4 and MCB "B") = 2/6 weight

Because row #1 contains ECCS actuation logic in control panels 932/933 and is in close proximity to the kitchen, Zone 1 was assigned an additional weight to account for a kitchen fire spreading to the ECCS panels. The frequency of such an event was estimated to be 1 x 10^-3/yr. which increased the total frequency of Control Room fires to 5.0 x 10^-3/yr. Inclusion of the kitchen fire caused an additional 1/5 weight to be added to Zone #1 and all initial weights then had to be multiplied by 4/5 to ensure that the total sum did not exceed 1.0. This is shown below:

Zone 1 = 1/6 x 4/5 + 1/5 = 0.333
Zone 2 = 1/6 x 4/5 = 0.133
Zone 3 = 2/6 x 4/5 = 0.266
Zone 4 = 2/6 x 4/5 = 0.266

Based on the above weighting factors, zone split fractions were calculated to properly distribute the fire frequency in the event tree. The split fractions are conditional nodal probabilities that will yield the proper zone weights when the nodes for different paths in the event tree are multiplied together. The conditional probabilities used to obtain the correct zone split fractions are:

SZ1 = 0.667
SZ2 = 0.800
SZ3 = 0.500

Use of these values in the event tree shown in Figure 6.1.1-2 will result in splitting the total frequency of control room fire (i.e., 5 x 10^-3/yr) as follows:

Zone 1 = 1 - SZ1 = 0.333
Zone 2 = SZ1 x (1 - SZ2) = 0.133
Zone 3 = SZ1 x SZ2 x (1 - SZ3) = 0.266
Zone 4 = SZ1 x SZ2 x SZ3 = 0.266

6. Interzonal Split Fraction - Node PC

Node PC addresses the split fraction for fire damage within each row of control panels that make up Zones 1 and 2. For Zone 1, it is estimated that 0.8 of the fires would be in panels 932 and 933 because of their proximity to the kitchen and the remaining 0.2 would be in reactor protection system (RPS) panels 915 and 917. Zone 2 includes both a vital AC (VAC) and instrument AC (IAC) panel along with other panels for feedwater and LNP load shed circuitry. Two of the ten panels in Zone 2 contain either VAC or IAC which are both located on one end of the zone. Consequently 0.2 of the fires in this zone are expected to be in VAC or IAC with the remaining 0.8 in the Feedwater or LNP circuitry. These interzonal split fractions can be summarized as follows:

o Zone 1 Split Fractions
PC = 0.8 for fires in ECCS actuation
1-PC = 0.2 for fires in the RPS

o Zone 2 Split Fractions
PC = 0.8 for fires in feedwater or LNP circuitry
1-PC = 0.2 for fires in VAC or IAC

7. Interzonal Split Fraction for Zone 2 - Node PC1

Fires in Zone 2 can be further divided by PC1 for the VAC/IAC and Feedwater/LNP panels. Given a fire in the VAC/IAC panels, there is a 0.50 probability that the damage could occur to either panel. Similarly, a fire in Feedwater/LNP panels could damage either set of circuits with equal probability. Therefore,

PC1 = 0.5 for all of Zone 2

8. Safety/Relief Valve Opens - Node SRV

Control logic for the safety/relief valves (S/RV's) is located in both of the ECCS panels that are in Zone 1 and the MCB sections of Zone 3. Fire damage to these circuits can result either in open circuits due to through wire burning or wire-to-wire hot shorts. In the latter case, shorts could cause an S/RV solenoid to energize, admitting air to the valve operator and causing it to fail open. From Reference 5, a mean value of 7 x 10^-2 is obtained for the probability of a hot short in a single circuit and hence, the probability of any one of six S/RV's failing open due to a hot short is:

p(S/RV opens) = 1 - p(no S/RV opens)

where

p(no S/RV opens) = p(S/RV1 not open) x p(S/RV2 not open) x ..... x p(S/RV6 not open)

Substituting the probability of no hot short (1 - 7 x 10^-2) for each S/RV results in the following probability for top event SRV:

p(S/RV opens) = 1 - (1 - 7 x 10^-2)^6

= 3.53 x 10^-1 for top event SRV

9. Load Shedding Occurs - Node LS

Although there are two load shed circuits in the LNP logic of Zone 2, only one of them is required to strip all of the 4160V buses if it becomes energized due to a hot short. Using the probability of a hot short from Node SRV, the probability of load shedding is:

p(hot short either circuit) = 1 - p(no hot short either circuit)

where

p(no hot short either circuit) = p(no short circuit 1) x p(no short circuit 2)

Substituting (1 - 7 x 10^-2) for no hot short in each circuit:

p(hot short either circuit) = 1 - (1 - 7 x 10^-2)^2

= 1.35 x 10^-1 for top event LS

10. Operator Action to Restore AC - Node OA

If the hot short that is described above did occur, the control room operator could restore AC power. The load shed circuits send a "pulsed" signal for 0.3 second and then their circuits open as either one of two time delay 62-relays energize. Postulating failure of the load shed signal would require the double failure of both time delay relays which is less than 1 x 10^-4 per occurrence as noted in the AC power fault tree analysis (Section 3.2.2). Since a load shed would cause total loss of AC power, Procedure ONP-503B would be implemented (See Appendix 2-B). This procedure directs the operator to the AC bus control panel (908 in the Control Room) to re-energize buses using the control switches. Because this is rule based behavior, an operator error of 1.3 x 10^-2 was assumed. The failure of the time delay relays would produce the same effect as an operator error but the probability is more than two orders of magnitude lower and is, therefore, a negligible contributor.

OA = 1.3 x 10^-2

11. Isolation Condenser Fails - Node IC

A fire in Zone 3 would fail both the automatic and remote manual actuation capability of the IC and operators would have to operate the IC by opening MOV IC-3 locally. If the same fire produced wire-to-wire hot shorts, then there is also a possibility that the three normally open IC steamline and condensate isolation MOV's would be commanded shut. Since MOV IC-1 and IC-4 are located inside the drywell, they could not be opened and the IC would fail even though IC-2 and IC-3 could be opened locally. The probability that either IC-1 or IC-4 fails closed due to hot shorts is:

p(hot short in IC-1 or 4) = 1 - p(no hot short in IC-1 or 4)

where

p(no hot short in IC-1 or 4) = p(no short in IC-1) x p(no short in IC-4)

Substituting (1 - 7 x 10^-2) for no hot short (See Node SRV):

p(hot short in IC-1 or 4) = 1 - (1 - 7 x 10^-2)^2

= 1.35 x 10^-1 for IC

12. Zone 4 Split Fraction - Node SZ4

SZ4 is the interzonal split fraction that divides fire damage in Zone 4 between control circuits for Feedwater and AC power that are contained in three MCB sections. Section 906 and part of 907 contain feedwater control circuitry while section 908 houses controls for the onsite AC power network. A fire in section 908 would not necessarily lead to a loss of onsite AC power unless there were additional wire-to-wire hot shorts present in more than one circuit. To simplify the analysis, it was conservatively assumed that one third of the fire damage could be in section 908 which would always cause a station AC blackout. Accordingly,

SZ4 = 0.333 for damage to MCB section 908

13. Operator Action to Close S/RV's - Node OA1

In the event of a wire-to-wire hot short in the S/RV circuits, at least one S/RV would fail open as discussed in Node SRV. The S/RV would remain open until the short was removed, either by operator action or the control fuse blowing. However, fuse failure is not credited in this analysis. Since Feedwater would continue to run, the operator has many hours to remove the short by opening circuit breakers in DC control room panels DC-11A1 or DC-11A2. Accordingly, an operator error (OA1) of 1.3 x 10^-3 was assigned based on the fact that additional personnel who are familiar with the electrical system would be called in within two hours of the fire.
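The Control Room node arithmetic above can be reproduced as follows. This is an added example, not part of the original study: the function names are its own, and the numeric inputs are the values quoted in Section 6.1.1. It derives the nodal split fractions SZ1-SZ3 from the zone weights (rather than starting from them) and checks that multiplying the nodes back along each path returns the same weights.

```python
"""Added illustration: quantifying the control-room nodes of Section 6.1.1.

All numeric inputs are the values quoted in the text; the function names are
this example's own and do not come from the study.
"""
from fractions import Fraction


def reweight_with_extra_source(weights, extra_share, target):
    """Scale every initial weight by (1 - extra_share), then give the whole
    extra share (here: kitchen fires) to the target zone."""
    out = [w * (1 - extra_share) for w in weights]
    out[target] += extra_share
    return out


def nodal_split_fractions(zone_weights):
    """Convert zone weights (exact Fractions) into sequential node values.

    Node k is P(fire is beyond zone k | fire is not in zones 1..k-1), so
    zone k = S1 * ... * S(k-1) * (1 - Sk) and the last zone is the product
    of all nodes.
    """
    if sum(zone_weights) != 1:
        raise ValueError("zone weights must sum to 1")
    remaining, nodes = Fraction(1), []
    for w in zone_weights[:-1]:
        if remaining == 0:
            raise ValueError("no weight left to split")
        nodes.append((remaining - w) / remaining)
        remaining -= w
    return nodes


def zone_weights_from_nodes(nodes):
    """Multiply the nodes back along each event-tree path (the check the
    study performs for Zones 1-4)."""
    weights, carried = [], Fraction(1)
    for s in nodes:
        weights.append(carried * (1 - s))
        carried *= s
    weights.append(carried)
    return weights


def any_of_n(p_single, n):
    """P(at least one of n independent circuits suffers a hot short)."""
    return 1 - (1 - p_single) ** n


def control_room_nodes():
    base_fr = Fraction(4, 1000)      # control room fire frequency, /yr (Section 6.0)
    kitchen_fr = Fraction(1, 1000)   # kitchen fire reaching the ECCS panels, /yr
    total_fr = base_fr + kitchen_fr  # 5.0 x 10^-3 /yr
    # Four panel rows plus two MCB groups, 1/6 each, grouped into Zones 1-4.
    initial = [Fraction(1, 6), Fraction(1, 6), Fraction(2, 6), Fraction(2, 6)]
    weights = reweight_with_extra_source(initial, kitchen_fr / total_fr, target=0)
    p_hot_short = 0.07               # single-circuit hot short (Reference 5)
    return {
        "zone_weights": weights,
        "SZ": nodal_split_fractions(weights),
        "zone_frequency": [total_fr * w for w in weights],
        "SD": 0.22 * 1.0e-2,               # detectors AND operators miss the fire
        "PE1": 1.0 - 0.928,                # portable extinguishers fail
        "SRV": any_of_n(p_hot_short, 6),   # any of six S/RV circuits
        "LS": any_of_n(p_hot_short, 2),    # either load shed circuit
        "IC": any_of_n(p_hot_short, 2),    # IC-1 or IC-4 commanded shut
    }


if __name__ == "__main__":
    for name, value in control_room_nodes().items():
        if isinstance(value, list):
            print(name, [f"{float(v):.3g}" for v in value])
        else:
            print(name, f"{value:.3g}")
```

The exact Zone 3 and Zone 4 weight is 4/15 = 0.2667, which the text quotes as 0.266.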

[FIGURE 6.1.1-1. Millstone Unit 1 control room. Layout drawing showing Zones 1-4, control panel rows #1-#4, MCB "A", the kitchen, stairway, desk, office and exit. Note: Zones 3 & 4 overlap on the 905 panel.]

[Oversize document page pulled; see aperture cards. Number of pages: 1. Aperture card/hard copy available from Record Services Branch, TIDC, FTS 492-3939.]

6.1.2 CABLE VAULT

The Cable Vault is a separate enclosed room which is located directly below the Control Room. All cables from the Control Room are routed to the vault where they must pass through either the south wall into the Reactor Building or the west wall into the Mezzanine. Redundant sets of cable for safe shutdown equipment are located in separate cable trays that are covered with fire barriers. Further information on spatial layout and fire zone description can be found in Appendix 6-A.

Cables routed to the Reactor Building are used for control of the main steam isolation valves (MSIVs), all safe shutdown motor-operated valves, and the safety/relief valves (S/RV's). These cables are contained in two separate horizontal levels of cable trays. Other cables which lead to the Mezzanine are located in stacks that consist of four levels of trays. The cables for each of the two redundant safety-related trains are located in their own trays which are vertically separated by a third tray of non-safety related cables that runs between them. The cables for Instrument AC (IAC) are located on the bottom tray of the stack. The safety-related cables are used for control of the Feedwater System, loss of normal power (LNP) logic and all ECCS pumps. Additional cables for vital AC (VAC) and DC control panels DC-11A1 & 2 are routed in their own separate conduits.

For Cable Vault Fires that are detected early and suppressed by portable extinguishers, only minimal damage is assumed. If smoke detectors fail, then the fire could burn long enough to damage cables in one tray prior to detection by eutectic heat sensing wire or operators (as described earlier under detection). Similarly, damage to one tray could also occur if portable extinguishers failed to suppress the fire and hose stations had to be used. Damage would only be confined to one tray if hose stations were successful in suppressing the fire with water in less than one hour. Beyond this time, barrier protection would be breached and cables in other vertical trays could be damaged even if the fire was suppressed. An unextinguished fire could propagate and eventually damage all cables in the room, including those in the conduits.

Fire protection for the cable vault consists of early warning ionization detectors, heat sensing wire in the cable trays and portable extinguishers, as well as hose stations, at both entrances.

Definition of Top Events

Figure 6.1.2-1 is the cable vault fire event tree model with top events defined as follows:

1. Frequency of Fire - FR

Section 6.0 gives the frequency of Cable Vault Fire per reactor year as:

FR = 7.0 x 10^-3

2. Smoke Detection Fails - Node SD

Node SD addresses failure of the Smoke Detectors. Table 2-K-1 in Reference 2 gives a mean value for probability of smoke detector failure at:

PSD = 2.2 x 10^-1

3. Heat Sensing Wire Fails - Node HHL

Node HHL addresses the probability that both the eutectic heat sensing wires and plant operators fail to detect the fire at approximately 15 minutes.

PHHL = QHS x HEPDET

where QHS = 0.7 for the probability that heat sensing wires fail and HEPDET = 0.1 is the human error probability for plant operators failing to notice and respond to abnormal occurrences as the result of fire. Both values are from Table 2-K-1 in Reference 2. Substituting these values in the above equation yields:

PHHL = 0.7 x 0.1

= 7 x 10^-2

4. Portable Extinguishers Fail - Node PE3

Node PE3 addresses the probability that portable extinguishers fail. Reference 2 (Table 2-K-1) gives a probability of 0.512 for portable extinguisher failure, given that the arrival time is greater than 5 minutes after early detection.

5. Split Fraction for Cable Trays - Node THS

Node THS splits the fire damage between one tray and multiple trays, based on failure of the hose stations to suppress the fire within one hour. As mentioned earlier, hose stations would have to be used if either the early warning ionization detectors or portable extinguishers failed. The probability of hose stations failing such that more than one cable tray is damaged is defined by

PTHS = HEP + QWS + (PFB x PBR)

where THS is the sum of the paths on the Figure 6.1.2-2 event tree that lead to damage in more than one cable tray and

o HEP is the probability that plant personnel would improperly store a sufficient quantity of flammable liquid to spread the fire to all cable trays, regardless of barrier protection or separation.

HEP = 1.6 x 10^-4 (Reference 4).

o QWS is the probability that the water supply to the hose stations is unavailable based on failure of the fire protection system (QFPS) or failure of the hose station valve to open (Qvalve).

QWS = QFPS + Qvalve

QFPS = 3.23 x 10^-4 from Section 3.2.15 of this study and Qvalve = 1.25 x 10^-4 from Reference 6. It should be noted that only one hose station is credited although two are available.

Substituting the above values into the equation yields:

QWS = 4.48 x 10^-4

o PFB is the probability that the fire brigade does not put the fire out in one hour before it has a chance to spread to more than one tray.

PFB = 0.5 (Reference 7).

o PBR is the probability that barrier protection is breached before one hour based on early and later detection times (Reference 7).

PBR (early) = 0.15 for detection within 5 minutes
PBR (late) = 0.25 for detection at 15 minutes

Substituting the above values into the equation for PTHS and assuming early detection:

PTHS = 1.6 x 10^-4 + 4.48 x 10^-4 + (0.5 x 0.15)

= 7.56 x 10^-2

Assuming later detection:

PTHS = 1.6 x 10^-4 + 4.48 x 10^-4 + (0.5 x 0.25)

= 1.26 x 10^-1

6. Split Fraction for More than One Cable Tray - Node PF

Node PF further splits the fire damage between multiple trays in one stack and all trays in the Cable Vault. Since Node THS simply represents fire damage to more than one tray, the fraction of damage to all trays in the Cable Vault can be represented by

PF = (HEP + QWS) / PTHS

where HEP and QWS are the paths in the Figure 6.1.2-2 event tree for damage to all trays. Substituting values for HEP, QWS and PTHS as defined in Node THS, PF for early detection within 5 minutes is:

PF = (1.6 x 10^-4 + 4.48 x 10^-4) / (7.56 x 10^-2)

= 8.04 x 10^-3

Similarly, the fraction of damage to more than one tray within a stack is defined as

(1 - PF) = (PFB x PBR) / PTHS

where PFB x PBR is the path in Figure 6.1.2-2 for damage to more than one cable tray within a stack. Substituting for PFB, PBR and PTHS from Node THS, (1 - PF) for early detection is:

(1 - PF) = (0.5 x 0.15) / (7.56 x 10^-2)

= 0.9921

For later detection at 15 minutes with PBR = 0.25 and PTHS = 0.126, the fraction of damage to all trays is given by:

PF = (1.6 x 10^-4 + 4.48 x 10^-4) / 0.126

= 4.83 x 10^-3

and the fraction of damage to more than one tray within a stack is

(1 - PF) = (0.5 x 0.25) / 0.126

= 0.992

In the event that both early detection within 5 minutes and later detection at 15 minutes fail (i.e. PSD x PHHL), it is assumed that personnel will detect the fire after multiple trays in one stack become involved and that they will have the opportunity to suppress the fire before all trays in the cable vault are damaged. Therefore, PF is the split between all trays in one stack and all trays in the cable vault based on propagation due to human error (HEP) and availability of water to the hose stations (WS). No credit is given for fire barriers on trays since it is assumed that they have been breached at this point.

PF = HEP + QWS

Substituting from above:

PF = 1.6 x 10^-4 + 4.48 x 10^-4

= 6.08 x 10^-4 for all cable trays in the vault

(1 - PF) = 0.9994 for all trays in one stack

7. Split Fraction For Reactor Building and Turbine Building Cables - Node PR

Approximately 2/3 of all cable trays in the cable vault are routed to the Turbine Building while the remainder lead to the Reactor Building.

PR = 0.667 for cable trays to the Turbine Building and

(1 - PR) = 0.333 for cable trays to the Reactor Building

8. Partitioning Split Fractions - Nodes PC, PC1 and PC2

The above split fractions are used to partition fire damage between cable trays that contain control/power cables for different types of components. Figures 6.1.2-2 and 3 show how the split fractions are applied in the event tree to obtain the consequences of fire damage for different cable trays. The estimated values for each split fraction are as follows:

PC = 0.5

PC1 = 0.5

PC2 = 0.5

9. Safety/Relief Valve Opens - Node SRV

Fire damage to the S/RV circuits can result either in open circuits due to through wire burning or closed circuits from wire-to-wire hot shorts. Open circuits would cause a total loss of the remote and auto S/RV functions while hot shorts could cause the spurious opening of one or more S/RVs. The probability that any one of six S/RVs could have a hot short in its circuitry was computed in Section 6.1.1 as:

PSRV = 3.53 x 10^-1

10. Load Shedding Occurs - Node LS

Fires in the safety related cables routed to the Turbine Building could cause the LNP load shed logic to become energized due to hot shorting. Since each tray of S1 and S2 control cables also contains a LNP circuit, a wire-to-wire hot short in the circuit would cause the associated S1 or S2 4160V buses to be stripped of their loads. For S1 and S2, the probability of a single hot short in one of their LNP circuits is:

PLS = 7.0 x 10^-2 (See Section 6.1.1)

11. Isolation Condenser Fails - Node IC

The Isolation Condenser's motor-operated valve control circuits are located in a cable tray that does not contain safety-related cables or other cables that could cause a reactor trip. Therefore, a fire in this tray alone would only disable the IC but a fire that spread to more than one tray could produce a transient and cause the IC to become disabled. The probability of IC failure due to wire-to-wire hot shorts was computed to be:

PIC = 1.35 x 10^-1 (See Section 6.1.1)

12. Operator Action to Close S/RV's - Node OA1

POA1 = 1.3 x 10^-3 (See Section 6.1.1)
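The THS and PF quantification for the Cable Vault can be checked by enumerating the paths the text attributes to the Figure 6.1.2-2 event tree. This is an added example, not part of the original study; the names are its own and the inputs are the values quoted in Section 6.1.2. The exact=True option goes beyond the text: it multiplies in the success branches that the study's rare-event sums leave out, which shows how conservative those sums are.

```python
"""Added illustration: node THS / PF quantification for the cable vault
(Section 6.1.2). Inputs are the values quoted in the text; the path layout
follows the text's description of the Figure 6.1.2-2 event tree."""

HEP = 1.6e-4       # flammable liquid improperly stored (Reference 4)
Q_FPS = 3.23e-4    # fire protection water supply unavailable (Section 3.2.15)
Q_VALVE = 1.25e-4  # hose station valve fails to open (Reference 6)
P_FB = 0.5         # fire brigade does not extinguish within one hour (Reference 7)
P_BR = {"early": 0.15, "late": 0.25}  # barrier breached before one hour


def ths_paths(p_br, exact=False):
    """Return {damage state: probability} for the node THS tree.

    exact=False reproduces the study's rare-event form, where each failure
    path is the bare product of its failed nodes. exact=True also multiplies
    in the success branches passed on the way (this example's extension).
    """
    q_ws = Q_FPS + Q_VALVE
    ok_hep = 1.0 - HEP if exact else 1.0
    ok_ws = 1.0 - q_ws if exact else 1.0
    all_trays = HEP + ok_hep * q_ws          # HEP path plus WS path
    stack = ok_hep * ok_ws * P_FB * p_br     # FB fails and barrier is breached
    return {
        "all_trays_in_vault": all_trays,
        "more_than_one_tray_in_stack": stack,
        "one_tray": 1.0 - all_trays - stack,
    }


def node_values(detection, exact=False):
    """P_THS and P_F for 'early' (5 min) or 'late' (15 min) detection."""
    paths = ths_paths(P_BR[detection], exact)
    p_ths = paths["all_trays_in_vault"] + paths["more_than_one_tray_in_stack"]
    p_f = paths["all_trays_in_vault"] / p_ths
    return {"P_THS": p_ths, "P_F": p_f, "1-P_F": 1.0 - p_f}


def undetected_p_f():
    """Both detection nodes fail: barriers are assumed already breached, so
    the split to 'all trays in the vault' is simply HEP + Q_WS."""
    return HEP + Q_FPS + Q_VALVE


def rare_event_margin(detection):
    """Ratio of the study's P_THS to the exact path sum (>= 1 means the
    rare-event form errs on the conservative side)."""
    return node_values(detection)["P_THS"] / node_values(detection, True)["P_THS"]


if __name__ == "__main__":
    for when in ("early", "late"):
        vals = node_values(when)
        print(when, {k: f"{v:.3g}" for k, v in vals.items()},
              f"margin={rare_event_margin(when):.5f}")
    print("undetected P_F", f"{undetected_p_f():.3g}")
```

Carrying unrounded intermediate values gives 4.84 x 10^-3 for the late-detection PF; the 4.83 x 10^-3 in the text follows from dividing by PTHS rounded to 0.126.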

[Oversize document page pulled; see aperture cards. Number of pages: 1.]

[FIGURE 6.1.2-2. Event tree for node THS. Column headings: Fire, HEP, WS, FB, BR, Damage. The tree is entered at "Detection succeeds"; the end states, top to bottom, are: one cable tray; one cable tray; more than one tray in the same stack; all trays in cable vault; all trays in cable vault.]

[FIGURE 6.1.2-3. Consequences of fire damage for fire contained to one cable tray. Column headings: PR, PC, PC1, PC2. Branch labels: Reactor building; Turbine building; safety related control cables; non-safety related control cables. End-state labels: no transient; loss of 480V S2 AC; reactor trip; MSIV's close; no S/RV auto/remote function; loss of S1 control; loss of S2 control; loss of feedwater.]

[FIGURE 6.1.2-4. Consequences of fire damage for fire in more than one cable tray in same stack. Column headings: PR, PC, PC1, PC2. Labels: fire in more than one cable tray; Reactor building - loss of all cables; Turbine building; loss of S1 power/control cables; loss of S2 control cables. Note: PC and PC1 are not used.]

6.1.3 MEZZANINE

The Mezzanine is an enclosed room that is adjacent to the east wall of the Cable Vault. The Mezzanine contains Feedwater control cables along with S1 and S2 power train control cables which are all routed from the cable vault. Control cables for the S1 and S2 power trains are separated from each other by a minimum of five feet in the horizontal direction. Further information on spatial layout and fire zone description can be found in Appendix 6-A.

Fire protection consists of early warning ionization detectors, portable extinguishers, a hose station and an automatic sprinkler system. If a fire is detected early and suppressed by portable extinguishers, then minimal damage would be incurred by the cable trays. Failure of the extinguishers after detection would require automatic activation of the sprinkler system or manual deployment of fire hose from the hose station by fire brigade members. For successful fire suppression at this stage, damage would be moderate and could cause either a loss of feedwater control or reactor trip with a possible loss of either the S1 or S2 power train. Without early detection (due to smoke detector failure), only the automatic sprinkler system is credited for early suppression. However, late detection by personnel is credited in the event that smoke detectors and the sprinkler system fail. Failure to extinguish the fire would result in a total loss of S1 and S2 control power in the Control Room.

Definition of Top Events

Figure 6.2.3-1 shows the event tree model for the Mezzanine area with top events defined as follows:

1. Frequency of Fire - FR

The frequency of fire for the Mezzanine was assessed as being 2/3 the frequency of fire for the Cable Vault which is 7 x 10^-3/reactor year. This is based on the fact that 2/3 of all cable trays in the vault are routed to the Turbine Building via the Mezzanine. Consequently,

FR = (2/3) (7 x 10^-3) = 4.7 x 10^-3

2. Smoke Detection Fails - Node SD

SD = 2.2 x 10^-1 (See Section 6.1.2)

3. Portable Extinguishers Fail - Node PE2

PE2 is the probability that extinguishers fail, assuming an arrival time under five minutes, as given in Table 2-K-1 (Reference 2).

PE2 = 2.84 x 10^-1

4. Water Supply Fails - Node WS

Node WS represents failure of the water supply to the automatic sprinklers and the hose station. This node also accounts for personnel improperly storing a sufficient quantity of flammable liquid to involve all cables in a fire, regardless of water supply availability.

QWS = QFPS + HEP

where QFPS is unavailability of the water supply

QFPS = 3.23 x 10^-4 (Section 6.1.2)

HEP is the personnel error for improperly storing flammable liquid

HEP = 1.6 x 10^-4 (Section 6.1.2)

Substituting for the right side of the equation gives:

QWS = 3.23 x 10^-4 + 1.6 x 10^-4

= 4.83 x 10^-4

5. Sprinkler System Fails - Node SP

Two values for sprinkler system failure are calculated. The first value combines failure of the sprinklers with failure of the hose station to suppress the fire early. Early suppression via the hose station is based on early detection by smoke detectors.

QSP = QAS x (QWSE + QVALVE)

where

QAS is the probability that the automatic sprinklers fail.

QAS = 4.70 x 10^-2 (Table 2-K-1 Reference 2)

QWSE is the probability that the hose station fails to suppress the fire early, before multiple cable trays are damaged.

QWSE = 1.85 x 10^-2 (Table 2-K-1 Reference 2)

QVALVE is the probability that the hose station manual valve fails to open.

QVALVE = 1.25 x 10^-4 (Section 6.1.2)

Substituting the above for the right side of the equation yields:

QSP = (4.70 x 10^-2) x (1.85 x 10^-2 + 1.25 x 10^-4)

= 8.74 x 10^-2

For smoke detector failure, only the sprinkler system is credited for early suppression, i.e. hose station not combined with sprinklers.

QSP = QAS = 4.70 x 10^-2

6. Hose Station Fails - Node HS

Node HS represents late suppression of the fire by using the hose station. Two values for hose station unavailability are calculated; one is based on early detection and the other is based on late detection. Given that the smoke detectors work early and the sprinkler system fails (i.e. node SP), personnel can still extinguish the fire before all cables are burned. The probability that the hose station fails to suppress the fire late is calculated to be conditional on the failure of node SP. This can be expressed by the following equation.

QHS = QVALVE / (QAS x (QWSE + QVALVE))

where the denominator is QSP for early detection and all terms are the same as defined earlier for node SP. Substituting for the right side of the equation gives:

QHS = (1.25 x 10^-4) / (8.74 x 10^-4)

= 0.143

For late detection of the fire, only the sprinkler system itself is credited for early suppression. Therefore, the unavailability of the hose station is calculated independent of sprinkler failure.

QHS = QDET + QVALVE

where

QDET is the probability that the fire goes undetected and burns all cables in the Mezzanine.

QDET = 0.1 (Table 2-K-1 Reference 2)

QVALVE is the probability that the manual valve on the hose station fails to open.

QVALVE = 1.25 x 10^-4

Substituting for the above gives:

QHS = 0.1 + 1.25 x 10^-4

= 0.1

7. Split Fractions for Cable Trays - Nodes PC, PC1

PC splits fire damage between safety related cable trays and the remaining trays for fires that are suppressed early by the automatic sprinkler system or the hose station. Since 1/3 of all trays in the Mezzanine contain safety related cables, PC = 0.333 for safety related trays and (1 - PC) = 0.667 for all others.

PC1 splits the fire damage in non-safety related cable trays for fires that are detected early and suppressed by the hose station or sprinkler system, after the portable extinguishers fail to totally suppress the fire. For fires that are not detected, only the sprinkler system is credited and it is assumed that damage has occurred in all non-safety related trays (i.e. PC1 is not used to split the damage). It is estimated that 1/2 of the non-safety related trays contain feedwater control cables and 1/2 contain cables that could cause a reactor trip if damaged.

PC1 = 0.50

8. Load Shedding Occurs - Node LS

A hot short in either the S1 or S2 control power circuit could cause the associated 4160V buses to be stripped of their loads. The probability of a wire-to-wire hot short in the LNP circuit is

$P_{LS} = 7.0 \times 10^{-2}$ (See Section 6.1.1)

9. Split Between S1 and S2 Cables - Node PC2

Node PC2 splits fire damage between S1 and S2 control power cables for those fires which are extinguished. Since S1 and S2 are separated, there is a 50% chance that one or the other would be lost.

PC2 = 0.50


6.1.4 FEEDWATER AREA

The feedwater area is located below the concrete floor of the switchgear area on the 14'-6" elevation of the Turbine Building and is divided into three compartments (fire zones) that are open to each other on one end. Each of the zones houses the following critical equipment as described below.

Zone T-5A contains two sets of three pumps each (i.e. condensate and condensate booster) that provide water to the high pressure feed pumps. Given a fire in any single one of the pumps or its associated electrical cabling, it is assumed that a reactor trip would occur on low vessel level with subsequent MSIV closure. A fire that caused the loss of any two pumps is assumed to result in a total loss of feedwater.

Zone T-5B houses the three main feed pumps along with S1 train cable runs for AC and DC power. Cables that provide AC power for service water and emergency service water pumps, as well as cables for 480V buses 12E and 12F, are contained in conduit.

When the plant is operating at full power, the normal feed pump line-up is two running pumps with a third pump in standby. In the event that fire causes the loss of a single feed pump (i.e. fire suppressed early with no spreading), a reactor trip with MSIV closure is postulated. More severe fires which cause the loss of two pumps and/or several overhead cable runs are assumed to result in a total loss of feedwater with a possible accompanying loss of S1 electrical power. An unmitigated fire is assumed to cause all of the above plus a total loss of service water and emergency service water which is the equivalent of a station AC blackout (SBO).

Zone T-5C houses the following equipment:

o 2 Turbine Building Secondary Closed Cooling Water (TBSCCW) pumps
o 3 Turbine Building Closed Cooling Water (TBCCW) pumps
o 2 Air compressors
o Hydrogen seal oil unit
o Service water pump cables (safety related pump cables are in conduit)
o Emergency service water pump cables (in conduit)
o S-1 DC control power cables (DC-101B)
o Motor Control Centers (MCCs) E-4 and F-4

Further information on spatial layout and fire zone description can be found in Appendix 6-A.

For fires in cables or components that are suppressed early, a reactor trip is assumed to occur with minimum damage to equipment. A fire that is not suppressed early is postulated to cause a total loss of feedwater with possible loss of the S1 power train. All unmitigated fires are assumed to cause the equivalent of a station AC blackout (SBO) because of damage to vital support system equipment.

The fire protection features of all three zones are essentially the same and include: overhead early warning ionization detectors, eutectic heat sensing wires in cable trays, portable extinguishers, automatic sprinkler/deluge systems, and hose stations throughout the area. Figure 6.1.4-1 shows the event tree that was used to model the fire consequences for all three zones.

Definition of Top Events

1. Frequency of Fire - FR

Initially, one-half of the total frequency for Turbine Building Fires (i.e., $3 \times 10^{-2}$/yr. from Reference 2) was assigned to the entire feedwater area with each zone given an equal weight of one-third. However, Zone T-5C is at greater risk from fire because of the potential for an oil spill and was assigned an additional weight of one-third. This makes the total frequency of feedwater area fire equal to $2 \times 10^{-2}$/yr as shown below.

Frequency of Fire in T-5A = $5 \times 10^{-3}$/yr.

Frequency of Fire in T-5B = $5 \times 10^{-3}$/yr.

Frequency of Fire in T-5C = $1.0 \times 10^{-2}$/yr.

Therefore, $\lambda_{FR} = 2 \times 10^{-2}$/yr.

2. Split Fraction for Cable Fires - Node CA

CA is the split fraction of cable fires vs. other fires based on nuclear industry experience (23 component oil fires, 11 electrical equipment fires, and 6 cable fires, Reference 8). Therefore, 6/43 of the fires in the feedwater area are assessed to be cable fires, or

$P_{CA} = 0.15$ for cable fires

3. Smoke Detection Fails - Node SD

$Q_{SD} = 0.22$ (See Section 6.1.2)

4. Heat Sensing Wire Fails - Node HHL

Node HHL addresses the probability that both the heat sensing wires and plant personnel fail to detect a feedwater area fire in the cable runs after failure of the smoke detectors.

$P_{HHL} = 7 \times 10^{-2}$ (Section 6.1.2)

5. Portable Extinguishers Fail - Node PE2

Node PE2 addresses the probability that portable extinguishers fail to suppress a cable fire, assuming the arrival time of plant personnel is under 5 minutes.

$P_{PE2} = 2.84 \times 10^{-1}$ (Section 6.1.3)

6. Automatic Sprinklers Fail - Node SP

Node SP addresses the probability that the automatic sprinkler/deluge system fails to suppress a fire in any of the components that has a potential to cause the upward spread of fire to overhead cables.

$P_{SP} = Q_{AS} + Q_{FPS}$

where $Q_{AS}$ and $Q_{FPS}$ are the failure of the sprinklers and water supply as defined in Section 6.1.3, respectively. Substituting for the right side of the equation yields:

$P_{SP} = 4.70 \times 10^{-2} + 3.23 \times 10^{-4} = 4.73 \times 10^{-2}$

7. Hose Stations Fail - Node HS

In the event of a fire in components where the fire could spread, automatic sprinkler/deluge systems would provide the first line of defense and hose stations would provide the second. Early detection by smoke detectors would give the fire brigade an "edge" on quick arrival, should the sprinkler system fail, but the component fire itself would produce an early turn-out of the brigade because of its conspicuous location and ability to cause a plant transient. Accordingly, failure of the early warning smoke detectors has little influence on success of the hose stations except for consequential fire damage as discussed later under Nodes PC1, PC2.

The probability of hose station failure was computed for two cases involving component and cable fires, respectively. Component fires that can spread upward would always challenge the sprinkler system before the hose stations could be used. Hence the probability of hose station failure for the first case is computed by making the combined failure of the sprinklers and the hose station conditional on failure of the sprinklers:

$P_{HS} = \dfrac{P(\text{combined failure of sprinklers and hose station})}{P(\text{sprinklers fail})}$

where the numerator equals $1.20 \times 10^{-3}$ from Section 6.1.3 and the denominator is defined by

$P(\text{sprinklers fail}) = Q_{AS} + Q_{FPS} = 4.73 \times 10^{-2}$

Therefore,

$P_{HS} = \dfrac{1.20 \times 10^{-3}}{4.73 \times 10^{-2}} = 2.54 \times 10^{-2}$ for component fires

In the second case, a fire that originated in the overhead cables would not challenge the sprinkler system since the sprinklers are located below the cables. Consequently, the probability of hose station failure is calculated:

$P_{HS} = Q_{HS} + Q_{VALVE} + Q_{FPS}$

where all terms and their associated values are described in Section 6.1.3.

Substituting for the terms on the right yields:

$P_{HS} = 1.85 \times 10^{-2} + 1.25 \times 10^{-4} + 3.23 \times 10^{-4} = 1.89 \times 10^{-2}$ for cable fires

It should be noted that only one hose station per fire zone has been credited even though more than one station per zone is available.

8. Split Fractions for Fire Zones - Nodes B, C

As noted earlier, the total frequency of feedwater area fire is a sum of the frequencies for all three zones. Given the total frequency, the zone frequencies can be calculated using B and C as follows:

Zone T-5A frequency = $(2 \times 10^{-2}/\text{yr}) \, (1 - P_B) = 5 \times 10^{-3}$/yr

Zone T-5B frequency = $(2 \times 10^{-2}/\text{yr}) \, P_B \, (1 - P_C) = 5 \times 10^{-3}$/yr

Zone T-5C frequency = $(2 \times 10^{-2}/\text{yr}) \, P_B \, P_C = 1 \times 10^{-2}$/yr

where $P_B = 0.75$ and $P_C = 0.667$.

9. Split Fractions for Cable Trays - Nodes PC1, PC2

Split fractions PC1 and PC2 are both used to split fire damage to cable runs for those fires that are successfully suppressed by using hose stations. For component fires, split fractions are not required if the fire is suppressed early by the sprinkler system because cable damage is insignificant. Component fires that are successfully extinguished later, following smoke detector failure, do not use split fractions since damage is assumed to all unprotected cables (i.e., cables not in conduit).

Accordingly, only those fires which are detected early and suppressed by hose stations could have partial cable damage as shown by Figure 6.1.4-2.

Split fractions for fires that originate in cables are treated similar to the above for component fires. Figures 6.1.4-3A and 6.1.4-3B show how split fractions are applied to cable fires that are detected as well as suppressed both early and later, respectively.

10. S1 Load Shedding Occurs - Node LS

A LNP load shed circuit runs along with the S1 DC power cables and thus, a fire induced wire-to-wire short could produce load shedding of S1 AC buses.

$P_{LS} = 7.0 \times 10^{-2}$ (Section 6.1.1)


OVERSIZE DOCUMENT PAGE PULLED. SEE APERTURE CARDS. NUMBER OF PAGES: 1. APERTURE CARD/HARD COPY AVAILABLE FROM RECORD SERVICES BRANCH, TIDC, FTS 492-8989

FIGURE 6.1.4-2. Cable damage split in each zone for component fires (early detection; branches PC1 and PC2; Zones T-5A, T-5B and T-5C).

FIGURE 6.1.4-3A. Cable damage split in each zone for cable fire (early detection; branches PC1 and PC2; Zones T-5A, T-5B and T-5C).

FIGURE 6.1.4-3B. Fire damage to cables as the result of a cable tray fire with later detection (branches PC1 and PC2).

6.1.5 SWITCHGEAR AREA

The Switchgear Area is located above the Feedwater Area at the 34'-6" elevation of the Turbine Building and is subdivided into five critical areas or fire zones. All switchgear contained therein are enclosed in metal cabinets and are separated from each other by three sided concrete block walls which extend approximately one foot beyond the face of the cabinet. Only the front of each cabinet is open in order to allow operators to assume local control of switching operations. The critical equipment within each of the five fire zones is described below. Appendix 6-A provides spatial layout drawings of this fire zone.

Zone T-19A contains the following components and cables:

o Emergency 4160V Bus 14E (S1)
o Emergency 480V Bus 12E (S1)
o Two reactor protection MG sets
o Vital AC MG set
o S2 control power cables (i.e., from DC Bus 101A)
o AC power cables to supply the above MG sets

A fire within one component would not produce a transient event unless propagation to other equipment or zones occurred. Cable fires could cause a reactor trip or loss of feedwater events with a possible accompanying loss of emergency power depending on the extent of fire damage in the cable runs.

Zone T-19B houses emergency S2 power train Buses 14F (4160V) and 12F (480V) as well as S2 control power cables. A loss of either S2 bus would cause most of the normal drywell cooling function to be lost and consequently, a reactor trip is assumed for a fire in these components. Cable fires could result in a reactor trip combined with a loss of S1 control power.

Zone T-19C contains the following equipment:

o Emergency 4160V Bus 14A
o Emergency 4160V Bus 14C
o Motor Control Centers (MCC's) E-5 and F-5
o S2 control power cables
o S1 480V AC power cables

A fire in either 4160V bus would cause a loss of feedwater transient with an additional loss of S1 emergency power if the fire were in Bus 14C (i.e., supplies power to 14E). Fires in DC 101A cables could produce a reactor trip with loss of S2 control power, while fires in the 480V cables would not cause a transient at all.

Zone T-19D contains 4160V Buses 14B and 14D along with S2 control power cables and some 480V AC power cables. A fire in Bus 14B could cause a reactor trip while a fire in Bus 14D could cause a reactor trip with the additional loss of Bus 14F. Cable fires in S2 control power circuits could cause a reactor trip with loss of control for S2 equipment.

Zone T-19E houses the following equipment:

o Gas Turbine Bus 14G
o AC Buses 12C at s (480V)
o DC Buses 101A, 101B and 101AB-3
o Battery chargers for the Bus 101A and 101B batteries
o S2 control power cables
o S2 480V AC power cables

The loss of only one bus or battery charger would not cause a transient to be induced, but a fire in the S2 control cables could produce a reactor trip with loss of control on S2 powered equipment.

If any fire propagates between two adjacent fire zones, then all safety related functions are assumed to be lost and a direct core melt is expected as the result. Propagation of fires between components would not occur unless personnel committed a major error and violated Administrative Control Procedures which prohibit the storing of any flammable liquids in vital areas.

Given a component fire, sufficient quantities of flammable liquid could cause fire to spread out to a diameter of approximately 20 feet. Components and cable trays in adjacent zones are assumed to be affected if the fire is not detected and suppressed before significant propagation occurs. Fires that originate in cable runs are not expected to carry over into adjacent zones unless the fire barriers between zones are breached and the fire propagates.

Fire protection features for the Switchgear Area consist of the following:

o Early warning ionization-type smoke detectors
o Eutectic heat sensing wires located adjacent to cable trays and near the vents of each major switchgear cabinet
o Both CO2 and dry chemical portable fire extinguishers
o Hose stations located throughout the Switchgear Area.

The fire event tree model that was used to determine fire damage states for the Switchgear Area is shown in Figure 6.1.5-1 with top events as described below.

Definition of Top Events

1. Frequency of Fire - FR

The total frequency of Switchgear Area fire was initially assessed as $1.75 \times 10^{-2}$/year, which is one-half the frequency of fire for all Auxiliary Building compartment fires as noted in Reference 2. An equal weight of 1/5 was initially assigned to each of the five fire zones, making the frequency of fire in each zone equal to $3.5 \times 10^{-3}$/year. However, because Zones T-19D and T-19E have significantly different characteristics than the other zones, their frequencies were adjusted to compensate for the difference.

The fire frequency in Zone T-19D was reduced by a factor of two because it has a much lower combustible loading than Zones T-19A through C. Zone T-19E has the additional risk of a potential oil spill from the hydrogen seal oil tank and, consequently, its frequency was doubled. The final frequency of fire for each zone is shown below:

Frequency of fire in T-19A = $3.5 \times 10^{-3}$/year

Frequency of fire in T-19B = $3.5 \times 10^{-3}$/year

Frequency of fire in T-19C = $3.5 \times 10^{-3}$/year

Frequency of fire in T-19D = $1.75 \times 10^{-3}$/year

Frequency of fire in T-19E = $7.0 \times 10^{-3}$/year.

Accordingly, the total frequency of Switchgear Area fire is $\lambda_{FR} = 1.93 \times 10^{-2}$/year. This value is higher than the original, generic value and accounts for unique fire hazards at Millstone Unit 1.

2. Smoke Detection Fails - Node SD

$Q_{SD} = 0.22$ (Section 6.1.2)

3. Heat Sensing Wire Fails - Node HHL

Node HHL models the probability that both the heat sensing wires and plant operators fail to detect a fire in the switchgear or cable runs. Plant operators would be alerted to a Switchgear Area fire by the induction of consequential transients or the loss of equipment such as running pumps.

$P_{HHL} = 7.0 \times 10^{-2}$ (Section 6.1.2)

4. Portable Extinguishers Fail - Node PE2

Node PE2 models the probability that portable extinguishers fail to suppress the fire, assuming an arrival time of less than 5 minutes.

$P_{PE2} = 2.84 \times 10^{-1}$ (Section 6.1.3)

5. Split Fraction For Cable Fires - Node CA

Node CA is the split fraction between component and cable fires in electrical equipment (Reference 2, Table 2-K-1)

$P_{CA} = 3.53 \times 10^{-1}$ for cables and

$(1 - P_{CA}) = 6.47 \times 10^{-1}$ for components

6. Hose Stations Fail - Node HS

Node HS represents the failure of hose stations to suppress fires that originate in the cable trays under two conditions. For the first condition, it is assumed that fire is detected relatively early by smoke detectors, heat sensing wires or control room operators. Successful suppression of the fire at this point would limit the amount of damage that could be incurred by multiple cable trays. Section 6.1.4 gives the following probability for failure of the hose stations to extinguish a cable fire:

$P_{HS} = 1.89 \times 10^{-2}$

Under the second condition, it is assumed that both smoke detectors and heat sensing wires fail to detect the fire but plant operators discover the fire and begin to fight it before the fire propagates to adjacent zones.

Because the fire brigade arrives at a later point in time than they would for early detection, it was estimated that the failure of the hose station, itself, would be five times higher. From Section 6.1.4, the probability of hose station failure is defined as

$P_{HS} = Q_{HS} + Q_{VALVE} + Q_{FPS}$

where $Q_{HS} = 1.85 \times 10^{-2}$ for relatively early detection. Late detection implies a higher failure rate as described above and

$Q_{HS} = 5 \, (1.85 \times 10^{-2}) = 9.25 \times 10^{-2}$ for late detection

Substituting this value for $Q_{HS}$ and the original values for $Q_{VALVE}$ and $Q_{FPS}$:

$P_{HS} = 9.25 \times 10^{-2} + 1.25 \times 10^{-4} + 3.23 \times 10^{-4} = 9.29 \times 10^{-2}$

This value of $P_{HS}$ is not used directly under the top event for HS, but, rather, it is used to determine the probability of barrier failure (i.e. CP) as discussed later in this section.

7. Hose Stations Fail 'AND' a Propagating Fire Occurs - Node HSP

As noted earlier in this section, a propagating fire could occur as the result of a component fire with subsequent spreading due to a major personnel error (storing a large quantity of flammable liquid in the Switchgear Area). Unless the fire were suppressed early, it could spread to components/cables in an adjacent zone, producing a resultant core melt.

The probability of hose station failure 'AND' a propagating fire is calculated:

$P_{HSP} = (Q_{HS} + Q_{VALVE} + Q_{FPS}) \cdot Q_{HEP}$

where

$Q_{HS} = 0.5$ for early suppression (Reference 3)

$Q_{VALVE}$ and $Q_{FPS}$ are as defined previously

$Q_{HEP} = 1.6 \times 10^{-4}$ for leaving a large amount of flammable liquid in vital area (Reference 4)

Substituting the above into the right side of the equation yields

$P_{HSP} = (0.5 + 1.25 \times 10^{-4} + 3.23 \times 10^{-4}) \cdot (1.6 \times 10^{-4}) = 8.9 \times 10^{-5}$

For fires where early detection has failed (i.e., SD and HHL), it was assumed that hose stations have also failed. Therefore:

$P_{HSP} = 1.0 \cdot 1.6 \times 10^{-4} = 1.6 \times 10^{-4}$ for no detection

8. Split Fractions For Fire Zones - Nodes Z1, Z2, Z3 and Z4

As noted earlier, the total frequency of a Switchgear Area Fire is determined by the sum of the individual zone frequencies. Conversely, the individual frequencies can be determined by splitting the sum as follows:

T-19A frequency = $(1.93 \times 10^{-2}/\text{yr}) \cdot (1 - P_{Z1}) = 3.5 \times 10^{-3}$/yr

T-19B frequency = $(1.93 \times 10^{-2}/\text{yr}) \cdot P_{Z1} \cdot (1 - P_{Z2}) = 3.5 \times 10^{-3}$/yr

T-19C frequency = $(1.93 \times 10^{-2}/\text{yr}) \cdot P_{Z1} \cdot P_{Z2} \cdot (1 - P_{Z3}) = 3.5 \times 10^{-3}$/yr

T-19D frequency = $(1.93 \times 10^{-2}/\text{yr}) \cdot P_{Z1} \cdot P_{Z2} \cdot P_{Z3} \cdot (1 - P_{Z4}) = 1.75 \times 10^{-3}$/yr

T-19E frequency = $(1.93 \times 10^{-2}/\text{yr}) \cdot P_{Z1} \cdot P_{Z2} \cdot P_{Z3} \cdot P_{Z4} = 7.0 \times 10^{-3}$/yr

where $P_{Z1}$, $P_{Z2}$, $P_{Z3}$ and $P_{Z4}$ are defined as

$P_{Z1} = 0.818$

$P_{Z2} = 0.718$

$P_{Z3} = 0.714$

$P_{Z4} = 0.800$

Split fractions were used above to identify each of the critical zones by generating their individual frequencies of fire. This split was obtained in order to allow the development of specific fire damage states for each of the zones based on the unique components contained in each zone. While this type of split is necessary for component fires, it is not required at the same level of detail for cable fires. The different cable runs that are in all five zones can be typified by treating zones T-19A and B separately but lumping T-19C through T-19E together as one zone. Although this leads to a conservative treatment of cable fires for Zones T-19C and T-19D, it does not alter the results significantly. Thus, the split for "cable zones" is defined by

P T-19A = (1 - Pg ))

PT-19B = (1- P73) . PZ2 PT-19C thru T-19E = Pgg . PZ2 O
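The zone split fractions for Nodes B and C (Section 6.1.4) and Nodes Z1 through Z4 (this section) follow one rule: each branch separates one zone from all zones still remaining on the tree. The Python code below is an added example, not part of the study; the function names are hypothetical, and the inputs are the per-zone fire frequencies listed in the text.

```python
"""Sequential split fractions for fire-zone branches of an event tree.

Added example: function and variable names are illustrative assumptions.
The input frequencies (per year) are the zone values listed in
Sections 6.1.4 and 6.1.5 of the text.
"""

# Zone fire frequencies per year, in event-tree branch order.
FEEDWATER = {"T-5A": 5.0e-3, "T-5B": 5.0e-3, "T-5C": 1.0e-2}
SWITCHGEAR = {
    "T-19A": 3.5e-3,
    "T-19B": 3.5e-3,
    "T-19C": 3.5e-3,
    "T-19D": 1.75e-3,
    "T-19E": 7.0e-3,
}


def split_fractions(zone_freqs):
    """Return the chain of split fractions for ordered zone frequencies.

    Branch k separates zone k (probability 1 - P_k) from every zone
    after it (probability P_k), so
        P_k = sum(freqs[k+1:]) / sum(freqs[k:]).
    N zones need N - 1 split fractions.
    """
    freqs = [float(f) for f in zone_freqs]
    if len(freqs) < 2:
        raise ValueError("need at least two zones to split")
    if any(f <= 0.0 for f in freqs):
        raise ValueError("zone frequencies must be positive")
    fractions = []
    remaining = sum(freqs)
    for f in freqs[:-1]:
        fractions.append((remaining - f) / remaining)
        remaining -= f
    return fractions


def zone_frequencies(total, fractions):
    """Inverse operation: rebuild per-zone frequencies from the total
    frequency and the chain of split fractions."""
    freqs = []
    carried = float(total)  # frequency still flowing down the P_k branches
    for p in fractions:
        if not 0.0 <= p <= 1.0:
            raise ValueError("split fraction outside [0, 1]: %r" % p)
        freqs.append(carried * (1.0 - p))
        carried *= p
    freqs.append(carried)  # the last zone takes whatever remains
    return freqs


def report(name, zones):
    """Format the split chain and the rebuilt zone frequencies."""
    total = sum(zones.values())
    fractions = split_fractions(zones.values())
    rebuilt = zone_frequencies(total, fractions)
    lines = ["%s: total = %.3e/yr" % (name, total)]
    for k, p in enumerate(fractions, start=1):
        lines.append("  split %d: P = %.3f" % (k, p))
    for zone, f in zip(zones, rebuilt):
        lines.append("  %s: %.3e/yr" % (zone, f))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Feedwater area", FEEDWATER))
    print(report("Switchgear area", SWITCHGEAR))
```

For the switchgear frequencies the function returns 0.818, 0.778, 0.714 and 0.800; the second value differs from the 0.718 that the scanned text shows for P_Z2, while the other three agree.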


9. Component Damage Split Fraction - Node ZF

Node ZF is used to separate different components within a zone, whose damage by fire would lead to different fire damage states. For example, a fire in Bus 14A or 14C (in Zone T-19C) would result in a separate fire damage state for each bus. Node ZF is only used if the fire is suppressed and does not propagate. Node ZF is estimated to be 0.50 for Zones T-19C and T-19D.

$P_{ZF} = 0.5$

10. Cable Damage Split Fractions - Nodes PC1, PC2

These split fractions are used to define the consequence of fire damage to different cable runs, based on the types of cable contained within each zone (e.g. power vs. control). The splits are only taken if the fire is detected and suppressed. Otherwise all cables are assumed to be damaged within the particular zone.

Node PC1 is used to split the cable fire damage between control and power cables. Based on the cable loading in all zones,

$P_{C1} = 0.333$ for control cables

$(1 - P_{C1}) = 0.667$ for power cables

Split fraction PC2 is used to further split the consequences of fire damage for a particular type of cable (i.e. control or power), where different equipment functions could be affected. This split fraction is also used to more conservatively bias the damage to control cables for later detection times and is estimated to be

$P_{C2} = 0.50$

11. S2 Load Shed Occurs - Node LS

Node LS models the probability of load shedding Buses 14D and 14F due to a wire-to-wire hot short in the LNP circuit.

$P_{LS} = 7.0 \times 10^{-2}$ (Section 6.1.1)

12. Breach of Fire Barrier - Node CP

Node CP is the probability that a cable fire will breach the barriers that are located between adjacent fire zones. Based on an unsuppressed fire duration time that is lower than the barrier rating time, it is estimated that:

$P_{CP} = 1.0 \times 10^{-1}$ for fires where suppression has failed

For the special case of no detection by smoke detectors and heat sensing wires, a second value was calculated for Node CP. Barrier failure, in this instance, could be due to failure of the barrier itself and failure of the hose stations to suppress the fire before propagation to adjacent zones takes place. Consequently:

$P_{CP} = Q_{CP} \cdot Q_{HS}$

where

$Q_{CP} = 1.0 \times 10^{-1}$ from above and

$Q_{HS} = 9.29 \times 10^{-2}$ from Top Event #6 in this section

Substituting the above values for $Q_{CP}$ and $Q_{HS}$ yields:

$P_{CP} = (1 \times 10^{-1}) \cdot (9.29 \times 10^{-2}) = 9.29 \times 10^{-3}$ for barrier breach following no detection (i.e., SD and HHL fail)


6.1.6 REACTOR BUILDING

The Reactor Building contains five critical areas which are designated as fire zones R-2A, R-2B, R-2C, R-2D and R-19. All of these zones are located on the 14'-6" elevation except for R-19 which is on the 42'-6" level. Appendix 6-A shows the layout of various fire zones. In terms of consequential damage from fire, Zones R-2A through C are considered to be part of the same area and are treated as if they were one zone. The critical equipment in each zone is described below.

Zones R-2A, R-2B and R-2C contain the following components and cable:

o Emergency condensate transfer pump
o Motor control centers (MCCs) E-3 and EF-3
o Control cables for the MSIVs, S/RVs and all ECCS motor-operated valves
o Power cables for MCC's F-3 and FE-3
o Control Rod Drive (CRD) system hydraulic control units in Zone R-2A.

A non-propagating fire in any of the components would not cause a transient if it were detected early and suppressed. However, it is assumed that a fire in Zone R-2A would cause a reactor trip, following suppression by hose stations, because the CRD hydraulic control units are located in this zone. If the fire were to originate in a cable tray and was not immediately suppressed, then any of the following events could occur: reactor trip, MSIV closure or a stuck open safety/relief valve. It should be noted that the type of event which is induced is entirely dependent on the location of the affected cable tray.

Unsuppressed fires are assumed to spread throughout all the zones, resulting in core melt.

Component fires which propagate to cable trays would cause the same type of damage and initiating events as fires that originate in the trays if the fire is not immediately suppressed. As before, unsuppressed fires are assumed to result in a core melt accident.

Fire protection features for Zones R-2A through R-2C consist of:

o Early warning ionization-type smoke detectors
o Heat detectors in all MCCs
o Portable extinguishers
o Hose stations
o Individual sprinkler systems over all of the cable trays

Zone R-2D houses the following equipment:

o CRD hydraulic control units (the other half of the units are in R-2A)
o MCC's F-3 and FE-3
o Power cables for both S1 and S2 ECCS equipment
o DC power cables for motor-operated valve IC-3 and S2 equipment control.

A component fire that is successfully extinguished is always assumed to result in a reactor trip. If the fire were in MCC F-3, then an additional loss of the S2 train ECCS function is also assumed. Cable tray fires could result in either no impact on plant operation or a reactor trip with varying degrees of electrical system loss, depending on the success of fire suppression systems.

Zone R-2D has all of the same fire protection features that Zones R-2A through R-2C have with the exception of not having an installed sprinkler system over the cable trays.

Zone R-19 contains the following equipment:

o Reactor recirculation pump MG sets 1 and 2
o MCC DC 101AB-2
o Reactor Building Closed Cooling Water (RBCCW) pumps and heat exchangers
o Power and control cables for all of the above components.

A fire in the running RBCCW pump is assumed to fail both pumps, causing a reactor trip. If a fire were to occur in MCC DC 101AB-2, only the remote opening capability of IC-3 would be affected and no transient would be induced. Since the RBCCW pumps and their associated cabling are widely separated from DC 101AB-2 and the cables for IC-3, no fire spread between these different components is expected.

The recirculation pump MG sets present the greatest fire risk because they contain lube oil reservoirs. In the event of an unsuppressed fire in this area, it is assumed that a reactor trip would occur with an accompanying loss of the RBCCW and Isolation Condenser (i.e., a fire of this magnitude is assumed to preclude local operation of IC-3).

Fire protection for Zone R-19 is extensive as noted below:

o Early warning ionization-type smoke detectors are heavily concentrated in the area
o Heat rate-of-rise detectors are installed at each MG lube oil location to provide initiation of an automatic deluge system
o Portable extinguishers are located throughout the area
o A sprinkler system that is independent of the deluge system is installed over the MG sets and cable in that area.

The Reactor Building fire event tree model is shown in Figure 6.1.6-1 and the top events are described below.

Definition of Top Events

1. Frequency of Fire - FR

The total frequency of fire for the Reactor Building is assessed to be one-half the frequency of all Auxiliary Building fires or $1.75 \times 10^{-2}$/year (Reference 2).

$FR = 1.75 \times 10^{-2}$/year

2. Split Fraction for Zone R-19 - Node FZ

Based on equipment, fire loading and the potential for oil fires, the fire zones were assigned the following split fractions of the Reactor Building fire frequency:

Zones R-2A, R-2B & R-2C   0.50
Zone R-2D                 0.20
Zone R-19                 0.30

Consequently the split fraction for Zone R-19 is:

$P_{FZ} = 0.30$ (Zone R-19)
$(1 - P_{FZ}) = 0.70$ (All other zones)

3. Smoke Detection Fails - Node SD

SD = 0.22 (See Section 6.1.2)

4. Portable Extinguishers Fail - Node PE3

Node PE3 represents the probability that portable extinguishers fail to suppress a fire, given that the time of arrival from detection is greater than 5 minutes.

$PE3 = 5.12 \times 10^{-1}$ (Table 2-K-1, Reference 2)

5. Split Fraction for Cable Fires - Node CA

Node CA is the split fraction between fires in electrical components and cables (see Section 6.1.5).

$P_{CA} = 3.53 \times 10^{-1}$ for cables and
$(1 - P_{CA})$ = 6. x 10 for components

6. Split Fraction for Zone R-2D - Node SZ

Node SZ splits the remaining fraction of fire frequency (i.e. 0.70) between Zone R-2D and the remaining zones. Since R-2D was assigned a 0.20 fraction of the total Reactor Building fire frequency, Node SZ is applied as follows:

R-2D fraction $= (1 - P_{FZ}) \cdot P_{SZ} = 0.20$

where $(1 - P_{FZ}) = 0.70$ as defined earlier and $P_{SZ}$ = 0.2M

The remaining zones (i.e. R-2A, R-2B & R-2C) are thus assigned a fraction of total Reactor Building fire frequency based on $(1 - P_{SZ})$ as shown below:

R-2A, R-2B, & R-2C fraction $= (1 - P_{FZ}) \cdot (1 - P_{SZ}) = 0.50$

Node SZ is also used in the event tree conditional file to split fires in Zone R-19 between the recirculation pump MG sets and other equipment.

$P_{SZ} = 0.8$ for the MG sets

7. Late Detection of Fire - Node HDL

Node HDL represents the probability that plant personnel fail to detect a cable fire in Zone R-2D, given that the early warning smoke detectors in that zone fail. Since all other adjacent zones have their own early warning detectors, it was assumed that smoke from a Zone R-2D cable fire could activate these smoke detectors at a later time (i.e. before all cables burn). Accordingly, it was estimated that the probability of late detection is:

$P_{HDL} = 0.40$ for Zone R-2D cable fire

8. Hose Stations Fail and a Propagating Fire Occurs - Node HSP

Node HSP represents the probability of a component fire propagating to other components and cables, based on hose station failure to suppress the fire and some gross personnel error. As described in Section 6.1.5, two values of $P_{HSP}$ are calculated for early and no detection of fires, respectively. These are

$P_{HSP} = 8.0 \times 10^{-5}$ for early detection of component fires and
$P_{HSP}$ = 1.6 x 10 for no detection of component fires.

For fires in cables, no propagation due to human error is assumed since cable fires can spread without the need for additional flammable material. Additionally, the cable runs are overhead and it is difficult to postulate the storage of large quantities of flammable liquid in such locations.

Node HSP is also used to represent the probability of hose station failure to suppress cable fires in the event tree by storing it in a conditional file.* Based on calculations in Section 6.1.4, the probability of hose stations failing to extinguish a cable tray fire is

$P_{HSP} = 1.89 \times 10^{-2}$ for detected cable fires

9. Failure of Sprinkler Systems - Node SPS

As described earlier in this section, Zones R-2A through R-2C have individual sprinkler systems installed over each of their cable trays. The failure of one particular sprinkler system would allow fire to spread from the affected cable tray over to the next tray. Unless the second sprinkler system failed as well, no further propagation of fire in the cable trays would occur. Although the failure of multiple sprinkler systems could be postulated to occur from tray to tray, the most likely failure of all systems would be due to common cause failure of the water supply. The failures of an individual sprinkler system and the water supply are treated as separate nodes in the event tree (i.e., Node P1, which follows, represents water supply failure). From Section 6.1.4, the failure probability for an individual sprinkler system is:

$P_{SPS} = 4.73 \times 10^{-2}$

For Zone R-19, there are automatic sprinklers and an automatic deluge system installed over the MG sets to prevent fire spread to cables. Node SPS represents the failure of both systems, including common cause failure of the water supply as shown below:

$P_{SPS} = (Q_{AS} \cdot Q_{DS}) + Q_{PS}$

where $Q_{AS}$ is the probability that automatic sprinklers fail which is assessed at 4.70 x 10~ (see Section 6.1.3). $Q_{DS}$ is assumed to be equal to $Q_{AS}$ since both systems are similar and $Q_{PS} = 3.23 \times 10^{-4}$ (see Section 6.1.3). Substituting these values for the right side of the equation:

$P_{SPS} = (4.70 \times 10^{-3} \cdot 4.7 \times 10^{-3}) + 3.23 \times 10^{-4} = 2.53 \times 10^{-3}$

10. Propagation to All Cable Trays - Node P1

Node P1 represents the probability of spreading fire to all cable trays in Zones R-2A through R-2C as the result of water supply failure. Since Node SPS already accounts for failure of the water supply and the sprinklers, Node P1 is computed to be conditional on SPS as follows:

$P_{P1} = \dfrac{P(\text{water supply fails})}{P(\text{sprinklers and water supply fails})}$

where the numerator is equal to $Q_{PS}$ from Section 6.1.3, or $3.23 \times 10^{-4}$, and the denominator is equal to $P_{SPS}$ from above or $4.73 \times 10^{-2}$. Substituting these values into the equation for $P_{P1}$ yields:

$P_{P1} = \dfrac{3.23 \times 10^{-4}}{4.73 \times 10^{-2}} = 6.83 \times 10^{-3}$ for propagation of fire to all cable trays.

11. Fire Damage State Split Fractions - Nodes PC, PC1, PC2

The split fractions are used to partition fire damage in cables for fires that affect one tray but are successfully suppressed before spreading to others. Figure 6.1.6-2 shows the consequences of fire in cables after any single tray is damaged by a propagating component fire. Figure 6.1.6-3 shows the consequences that result from a cable fire that originates in one of the cable trays. The estimated values for each split fraction are shown below for the zones they are applied to.

o Zones R-2A, R-2B, and R-2C

$P_C = 0.3$
$P_{C1} = 0.333$
$P_{C2} = 0.25$

o Zones R-2D and R-19

P" = 0.50

12. Safety/Relief Valve Opens - Node SRV

Node SRV represents the probability that any one of the 6 S/RVs has a hot short in its opening circuitry due to fire damage.

$P_{SRV} = 3.53 \times 10^{-1}$ (See Section 6.1.1)

OVERSIZE DOCUMENT PAGE PULLED

SEE APERTURE CARDS

NUMBER OF PAGES: 1

ACCESSION NUMBER(S): RGoO4 L @CI 4(o - O G 4

APERTURE CARD/HARD COPY AVAILABLE FROM RECORD SERVICES BRANCH, TIDC FTS 492-S989

FIGURE 6.1.6-2. Consequences of fire damage to cables as the result of a spreading component fire. (Event tree over nodes PC, PC1 and PC2 for Zones R-2A, R-2B, R-2C and Zone R-2D, entered at "Fire spreads to cable trays". End states in printed order: Reactor trip and loss of S1 AC; Reactor trip and loss of S2 AC; Reactor trip and loss of S1 AC; Reactor trip with MSIV closure; Reactor trip with loss of S/RV remote function; Reactor trip only; Reactor trip and loss of S2 AC.)

FIGURE 6.1.6-3. Consequences of fire damage to cables as the result of a cable tray fire. (Event tree over nodes PC, PC1 and PC2 for Zones R-2A, R-2B, R-2C and Zone R-2D, entered at "Fire originates in cable trays". End states in printed order: Reactor trip and loss of S1 AC; Reactor trip and loss of S2 AC; No reactor trip; Reactor trip with MSIV closure; Loss of S/RV remote function; No reactor trip; Reactor trip with loss of S2 DC.)

6.2 ACCIDENT SEQUENCE MODELING

The fire event tree models of the previous section were quantified to determine the possible consequences of fire damage for each path in the tree. As shown in the figures for each of the six models, these paths result in the following damage states:

MD = minimal damage to components and cables with no effect on continued plant operation.

NT = loss of at least one component or set of cables with no effect on steady state operation of the plant (i.e. no transient).

EC = loss of an ECCS function due to component and/or cable damage without an accompanying transient event.

F-X = combination of plant initiating event and equipment loss due to fire related damage. The "X" is an alphanumeric identifier which categorizes each of the unique combinations.

For reasons explained earlier, the analysis of fire induced accidents is only concerned with fires that can cause the loss of safety related equipment concurrent with the initiation of transient events. Quantification of the event tree models for fire resulted in sequence paths that were grouped into twenty separate categories, each of which describes a unique combination of transient and equipment loss. Since these combinations represent particular fire damage states in terms of transient frequency and support state definition, they were used as input for the internal event trees in order to compute a core melt frequency due to fire. For example, one of the fire damage states could represent a total loss of feedwater accompanied by an additional loss of S1 AC power (i.e. loss of Feedwater, support state 3). The actual effect of such a damage state on the plant can be determined by using the internal accident sequence model for loss of feedwater in support state 3. The fire damage state provides the frequency of losing feedwater in support state 3, which is the equivalent of multiplying the loss of feedwater frequency times the support state 3 split fraction in the internal accident analysis. Thus, the fire damage states provide an initiating event frequency combined with the corresponding support state split fraction which is then used as a direct input to the appropriate internal event tree model.

The following provides a brief description for each of the fire damage states and explains how they were analyzed using the internal event tree models. Table 6.2-1 shows which fire damage states are assigned to the different critical fire areas of the plant (e.g. Cable Vault, Control Room, etc.) along with the frequency of occurrence per year.

TABLE 6.2-1

FREQUENCY OF FIRE PER YEAR IN THE AFFECTED FIRE AREA

Columns: CR, CV, MZ, FW, SWGR, RB. Entries for each fire damage state are listed in printed order; empty cells of the original table are not marked.

FIRE DAMAGE STATE
F-1A   4.40E-5  5.21E-4
F-1B   1.88E-4  2.42E-5  1.05E-4
F-1C   7.76E-7  5.70E-4
F-1D   3.29E-5  6.81E-5  8.99E-6
F-2A   1.86E-4  7.76E-7
F-2B   9.32E-4  4.07E-4  1.04E-3  1.04E-3
F-2C   5.02E-4
F-2D   8.09E-3
F-3A   8.54E-5  1.62E-4
F-3B   5.34E-4  1.50E-5
F-4A   4.65E-5  2.42E-5  2.51E-4
F-4B   1.57E-4  1.26E-3  3.62E-4
F-4C   2.56E-4  3.73E-7
F-5A   2.47E-5  9.42E-4  3.47E-4  8.21E-3  9 3E-4  6.97E-3
F-5B   1.21E-4
F-5C   8.47E-4  3.22E-4
F-5D   1.06E-5
F-4    3.48E-5  1.11E-4  2.64E-6
F-7    1.33E-5  2.37E-5  1.26E-6
CM     5.14E-8  6.33E-6  6.34E-6  6.18E-7

CR - Control Room
CV - Cable Vault
MZ - Mezzanine
FW - Feedwater Area
SWGR - Switchgear Area
RB - Reactor Building

* Assumed to be direct, early core melt

6.2.1 FIRE DAMAGE STATE F-1A

This damage state represents a fire induced loss of feedwater with failure of S1 Bus 14E due to load shedding or loss of the AC source from Bus 14C. Since the S2 power train is unaffected, both Feedwater and the main condenser can be recovered through operator action in the control room. The total frequency of fire damage state F-1A is $5.65 \times 10^{-4}$/yr and is due to fires in the Cable Vault and Switchgear Area as shown in Table 6.2-1.

The internal event tree for loss of feedwater (Section 2.0) was quantified for support state 3, using the frequency of damage state F-1A as noted above. All top events are the same as those defined for support state 3 in the internal analysis except for the following.

1. Feedwater Restoration - Node C3

Node C3 represents restoration of Feedwater flow, following the loss of feedwater strings A and B due to fire induced loss of 4160V Bus 14C. Success is defined as operator manual start of feedwater string C which includes Feedwater Pump 1C, Condensate Booster Pump 1C and Condensate Pump 1C. The unavailability of Node C3 is defined by:

$Q_{C3} = Q_C + Q_{HEP}$

where $Q_C$ represents the unavailability of feedwater string C due to any of the following:

o FW Pump 1C fails to start = 9.48 x 10
o FW Pump 1C fails to run 24 hours = $3.51 \times 10^{-5}$
o FW Pump 1C in maintenance = 2.60 x 10~
o CB Pump 1C fails to start = $1.66 \times 10^{-3}$
o CB Pump 1C fails to run 24 hours = $1.21 \times 10^{-3}$
o CB Pump 1C in maintenance = $3.55 \times 10^{-3}$
o C Pump 1C fails to start = $1.07 \times 10^{-3}$
o C Pump 1C fails to run 24 hours = $2.06 \times 10^{-5}$
o C Pump 1C in maintenance = $6.5 \times 10^{-4}$
o Check valves on strings A or B fail to close which diverts flow = $4.56 \times 10^{-3}$

Thus, $Q_C$ is the Boolean sum of the above unavailabilities which were obtained from Section 3.0 or $Q_C = 1.63 \times 10^{-2}$. $Q_{HEP}$ represents the failure of the operator to start feedwater string C or $Q_{HEP} = 1.3 \times 10^{-3}$ for skill based behavior (Section 4.0). Substituting values for $Q_C$, $Q_{HEP}$ into the right side of the equation yields:

$Q_{C3} = 1.63 \times 10^{-2} + 1.3 \times 10^{-3} = 1.76 \times 10^{-2}$

2. Restoration of AC Power - Node U4

Node U4 addresses the restoration of power to 4160V Bus 14E (S1 power train) by having an operator align it to the emergency diesel generator (Reference 9) at approximately four hours after the transient. The development of Node U4 is described below:

$Q_{U4} = Q_{14E} + Q_{HEP}$

where $Q_{14E}$ represents the unavailability of Bus 14E due to any of the following:

o Diesel generator fails to start = $6.71 \times 10^{-3}$
o Diesel generator fails to run 24 hours = $2.69 \times 10^{-2}$
o Diesel generator in maintenance = $1.07 \times 10^{-3}$
o Breaker between diesel and Bus 14E fails to close = $1.34 \times 10^{-4}$

Thus, $Q_{14E} = 3.48 \times 10^{-2}$. The failure of an operator to start the emergency diesel generator and align it to Bus 14E is $Q_{HEP} = 3 \times 10^{-3}$ for a general error of omission (Reference 6). Substituting the above into the equation for $Q_{U4}$ gives:

$Q_{U4} = 3.48 \times 10^{-2} + 3.0 \times 10^{-3} = 3.78 \times 10^{-2}$

3. SDC and Alternate SDC Systems - Node M

As defined in Section 2.0, the equation used for calculating the failure probability for Node M is:

$Q_M = (Q_{SDC} + Q_{HEP1}) \cdot (Q_{\text{ALT-SDC}} + Q_{HEP2}) + (Q_{2S/RV} + Q_{HEP3})$

where:

$Q_{SDC}$ = unavailability of the SDC system
$Q_{\text{ALT-SDC}}$ = unavailability of the Alternate SDC system
$Q_{2S/RV}$ = probability of the operator failing to open 2 S/RVs
$Q_{HEP1}$ = error of commission to place SDC in service
$Q_{HEP2}$ = error of commission to place Alternate SDC in service
$Q_{HEP3}$ = error of commission to open 2 S/RVs.

Depending on the success of feedwater ($C_3$) and AC power restoration ($U_4$), there are four possible values for Node M as described below.

a) If feedwater succeeds and power is restored to Bus 14E, then it is assumed that no fuel damage has been incurred and support state 1 unavailabilities (Appendix 2-A) can be used.

$Q_M = (0.12 + 1.3 \times 10^{-3}) \cdot (0.148 + 1.3 \times 10^{-2}) + (6.7 \times 10^{-4} + 1.3 \times 10^{-3}) = 2.15 \times 10^{-2}$

b) If feedwater fails and power is restored to Bus 14E, then it is assumed that fuel damage occurs and support state 1 unavailabilities are used.

$Q_M = (0.39 + 1.3 \times 10^{-3}) \cdot (0.148 + 1.3 \times 10^{-2}) + (1.97 \times 10^{-3}) = 6.50 \times 10^{-2}$

c) If feedwater and power restoration fail, then support state 3 unavailabilities are used with the assumption that fuel damage has taken place.

$Q_M = 1.0$

d) If feedwater succeeds and power restoration fails, then support state 3 unavailabilities are used assuming fuel damage.

$Q_M = (0.29 + 1.3 \times 10^{-3}) \cdot (1.0) + (1.97 \times 10^{-3}) = 2.93 \times 10^{-1}$

6.2.2 FIRE DAMAGE STATE F-1B

Damage state F-1B produces the same transient that F-1A does (i.e. loss of feedwater in support state 3) with the exception that S1 power cannot be restored. This is because the S1 power/control cables that are routed from the Turbine Building to the Cable Vault are affected by the fire. Consequently, the S1 train of LPCI and Emergency Service Water Pumps cannot be used, causing the loss of Alternate SDC. The total frequency of F-1B is $3.17 \times 10^{-4}$/yr and is due to fire damage in the Cable Vault, Mezzanine and Feedwater Area.

The internal event tree for loss of feedwater in support state 3 was used in its entirety except for the following top event which is described below.

SDC and Alternate SDC Systems - Node M

Because the S1 power train cannot be recovered, only the SDC system is available for long term cooling and the success of this system is totally dependent on the successful restoration of feedwater. Accordingly, Node M has only two values:

a) If feedwater fails, then fuel damage is postulated and SDC cannot be used which implies that $Q_M = 1.0$ (Section 6.3.1)

b) If feedwater restoration succeeds, then SDC can be used and $Q_M = 2.93 \times 10^{-1}$ (Section 6.3.1)

6.2.3 FIRE DAMAGE STATE F-1C

Fire damage state F-1C results from a fire in the Feedwater Area or Mezzanine which causes a total loss of feedwater and the main condenser along with power to S1 ECCS equipment. However, the S1 power train can be recovered for long term cooling at approximately four hours after the fire. The total frequency of F-1C is $5.71 \times 10^{-4}$/yr as shown in Table 6.2-1.

The loss of feedwater event tree for support state 3 was used to quantify the effects of damage state F-1C on the plant. All top events are the same as those defined for the loss of feedwater event tree that was used in the internal analysis (Section 2.0) except for the following:

1. Feedwater Restoration - Node C3

A total loss of feedwater implies that $Q_{C3} = 1.0$

2. Restoration of AC Power - Node U4

AC power can be restored to S1 ECCS equipment in either of two ways, depending on the cause of its loss. If S1 power were lost because wire-to-wire hot shorts caused load shedding, restoration would involve de-energizing the load shed circuit by opening a breaker in the control room. In the event that S1 AC power were unavailable due to fire damage in control cables, recovery could be effected by operating the AC breakers locally at the switchgear. Both forms of recovery only require operator action at four hours and thus:

$Q_{U4} = Q_{HEP}$

where $Q_{HEP} = 3 \times 10^{-3}$ for a general error of omission (Section 6.2.1)

3. Restoration of Main Condenser - Node H3

Given a total loss of feedwater with no recovery,

$Q_{H3} = 1.0$

4. SDC and Alternate SDC Systems - Node M

Since there is a total loss of feedwater in damage state F-1C, fuel damage is assumed and the combinations of long term cooling systems are as follows:

a) For successful restoration of S1 AC power, both SDC and Alternate SDC are available.

$Q_M = 6.50 \times 10^{-2}$ (Section 6.2.1)

b) If S1 AC power cannot be restored, then neither long term cooling system is available.

$Q_M = 1.0$ (Section 6.2.1)

6.2.4 FIRE DAMAGE STATE F-1D

Damage state F-1D represents a total loss of feedwater event, with no AC power available due to fire induced loss of both the S1 and S2 power trains. Fires in the Feedwater Area, Switchgear Area, and Control Room contribute to this damage state (see Table 6.2-1) whose total frequency is $1.10 \times 10^{-4}$/yr.

The core melt frequency resulting from fire damage state F-1D was quantified by developing an event tree model for loss of feedwater combined with a total loss of AC power. This model is shown in Figure 6.2.4-1 and is based on the loss of Feedwater (LOF) event tree for internal events.

Definition of Top Events

1. Loss of Feedwater - Node T3

Node T3 represents the frequency of losing all feedwater due to fire damage state F-1D.

$\lambda_{T3} = \lambda_{\text{F-1D}} = 1.10 \times 10^{-4}$/yr

2. Reactor Trip - Node R

This node is assumed to have the same value as Node R for all LOF internal event trees (Section 2.0)

$Q_R = 5.4 \times 10^{-5}$

3. Safety/Relief Valve Reclose - Node J

Node J represents the same node as described in the LOF event trees (Section 2.0)

$Q_J = 1.027 \times 10^{-2}$

4. IC Automatic Actuation - Node K2

Node K2 represents the automatic initiation of the IC on high RPV pressure and the manual cycling of one S/RV to remove non-condensible gases from the IC tube area if required. Since the radiolytic decomposition of water in the vessel could generate sufficient quantities of hydrogen and oxygen to impair IC heat removal, it may be necessary to manually cycle one S/RV several hours into IC operation. The following equation is used to calculate the failure probability for Node K2:

$Q_{K2} = Q_{\text{IC-AUTO}} + Q_{\text{SRV-FTO}} + Q_{\text{SRV-FTC}}$

where $Q_{\text{IC-AUTO}} = 2.19 \times 10^{-2}$ for failure of IC automatic initiation, $Q_{\text{SRV-FTO}} = 7.0 \times 10^{-4}$ for failure of one S/RV to open, and $Q_{\text{SRV-FTC}} = 1.0 \times 10^{-3}$ for failure of the S/RV to subsequently close (all values in Appendix 2-1A). Substituting the above values into the right side of the equation yields:

$Q_{K2} = 2.19 \times 10^{-2} + 7.0 \times 10^{-4} + 1.0 \times 10^{-3} = 2.36 \times 10^{-2}$

5. Operator Action to Actuate IC - Node O14

Node O14 represents a cognitive operator error for failure to manually operate the IC from the control room, given that auto actuation has failed. As noted in Section 2.0, the HEP for such a cognitive error is $1.3 \times 10^{-2}$. The final value for Node O14 is based on a weighted average of fire damage frequencies for the Control Room and other areas outside the control room as shown below:

$Q_{O14} = \dfrac{Q_{HEP1} \cdot \lambda_{CR} + Q_{HEP2} \cdot \lambda_{OTHER}}{\lambda_{\text{F-1D}}}$

where $Q_{HEP1}$ is based on a Control Room fire that produces a stress level factor of five times the HEP for cognitive error or $Q_{HEP1} = 5\,(1.3 \times 10^{-2})$.

The frequency of fire damage state F-1D due to Control Room fire is $\lambda_{CR} = 3.29 \times 10^{-5}$/yr.

$Q_{HEP2} = 1.3 \times 10^{-2}$ for cognitive error, following a fire outside the control room.

$\lambda_{OTHER} = 7.71 \times 10^{-5}$/yr for the frequency of fire damage state F-1D due to Switchgear and Feedwater Area fires.

$\lambda_{\text{F-1D}} = 1.10 \times 10^{-4}$/yr for the total frequency of fire damage state F-1D.

Substituting the above values into the equation for $Q_{O14}$ gives:

$Q_{O14} = \dfrac{(6.5 \times 10^{-2}) \cdot (3.29 \times 10^{-5}) + (1.3 \times 10^{-2}) \cdot (7.71 \times 10^{-5})}{1.10 \times 10^{-4}} = 2.86 \times 10^{-2}$

6. IC Recovery From Control Room - Node K4

Node K4 addresses operator remote/local manual recovery of the IC from both the Control Room and the local valve station, given that automatic actuation of the IC has failed.

$Q_{K4} = \dfrac{Q_{\text{IC-MAN}}}{Q_{K2}}$

where $Q_{K2} = 2.36 \times 10^{-2}$ as defined earlier in this section and $Q_{\text{IC-MAN}}$ is remote/local manual IC recovery defined by:

$Q_{\text{IC-MAN}} = Q_{\text{IC-CR}} \cdot Q_{\text{IC-LCL}} + Q_{\text{SRV-FTO}} + Q_{\text{SRV-FTC}}$

where $Q_{\text{IC-CR}} = 5.55 \times 10^{-3}$ for recovery of the IC from the Control Room and $Q_{\text{IC-LCL}} = 5.56 \times 10^{-1}$ for local recovery, given that control room restoration has failed (both values from Section 2.0). The remaining terms, $Q_{\text{SRV-FTO}}$ and $Q_{\text{SRV-FTC}}$, were defined earlier in this section. Substituting for the right side of the above equation yields:

$Q_{\text{IC-MAN}} = (5.55 \times 10^{-3}) \cdot (5.56 \times 10^{-1}) + 1.7 \times 10^{-3} = 4.79 \times 10^{-3}$

The above value can now be substituted, along with $Q_{K2}$, into the equation for $Q_{K4}$ which gives

$Q_{K4} = \dfrac{4.79 \times 10^{-3}}{2.36 \times 10^{-2}} = 2.03 \times 10^{-1}$

7. IC Make-up Automatic Actuation With Operator Recovery - Node L3

Node L3 represents the probability that both the automatic actuation and restoration of IC make-up have failed as defined by:

$Q_{L3}$

where $Q_{\text{ICM-AUTO}} = 2.78 \times 10^{-2}$ for failure of automatic make-up, $Q_{\text{ICM-REST}} = 0.406$ for the failure to restore make-up (given automatic make-up has failed) and $Q_{HEP} = 1.3 \times 10^{-2}$ for operator error of omission. Using the above values (as defined in Section 2.0) and substituting them into the above equation yields:

$Q_{L3} = (2.78 \times 10^{-2}) \cdot (0.406 + 1.3 \times 10^{-2}) = 1.16 \times 10^{-2}$
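The node arithmetic of Section 6.2.1 (Node U4), Section 6.1.6 (Node P1) and Section 6.2.4 (Nodes K2, O14, K4) can be recomputed as below. This is an added Python example, not part of the study: the function names are this example's own, every number is a value printed in the text, and the exact-union comparison assumes independent failures.

```python
"""Added example: recompute node values printed in Sections 6.1.6, 6.2.1 and 6.2.4.

Function names are this example's own; every number is a value printed in the study.
"""
from math import isclose, prod


def _prob(q):
    """Reject anything that is not a probability."""
    if not 0.0 <= q <= 1.0:
        raise ValueError(f"not a probability: {q!r}")
    return q


def boolean_sum(terms):
    """Plain sum of small unavailabilities, the form the study's results match."""
    return _prob(sum(_prob(q) for q in terms))


def exact_union(terms):
    """1 - prod(1 - q): exact union if the failures are independent (assumption)."""
    return 1.0 - prod(1.0 - _prob(q) for q in terms)


def given(q_event, q_condition):
    """Quotient P(event) / P(condition), the form used for Nodes P1 and K4."""
    if q_condition <= 0.0:
        raise ValueError("conditioning probability must be positive")
    return _prob(_prob(q_event) / q_condition)


def weighted_hep(area_terms, total_frequency, rel_tol=0.02):
    """sum(HEP_i * lambda_i) / lambda_total over the contributing fire areas."""
    area_terms = list(area_terms)
    listed = sum(freq for _, freq in area_terms)
    if not isclose(listed, total_frequency, rel_tol=rel_tol):
        raise ValueError("area frequencies do not add up to the stated total")
    return _prob(sum(_prob(hep) * freq for hep, freq in area_terms) / total_frequency)


# Section 6.2.1, Node U4: contributors to the unavailability of Bus 14E.
Q_14E_TERMS = {
    "diesel generator fails to start": 6.71e-3,
    "diesel generator fails to run 24 hours": 2.69e-2,
    "diesel generator in maintenance": 1.07e-3,
    "breaker between diesel and Bus 14E fails to close": 1.34e-4,
}
Q_HEP_OMISSION = 3.0e-3  # general error of omission


def node_u4():
    """Q_U4 = Q_14E + Q_HEP, with the exact union shown for comparison."""
    q_14e = boolean_sum(Q_14E_TERMS.values())
    return {
        "Q_14E": q_14e,
        "Q_14E_exact": exact_union(Q_14E_TERMS.values()),
        "Q_U4": boolean_sum([q_14e, Q_HEP_OMISSION]),
    }


def node_p1():
    """Section 6.1.6, Node P1: water supply failure given an SPS failure."""
    return given(3.23e-4, 4.73e-2)


# Section 6.2.4 inputs.
Q_IC_AUTO, Q_SRV_FTO, Q_SRV_FTC = 2.19e-2, 7.0e-4, 1.0e-3
HEP_COGNITIVE = 1.3e-2
CONTROL_ROOM_STRESS_FACTOR = 5


def node_k2():
    """Q_K2 = Q_IC-AUTO + Q_SRV-FTO + Q_SRV-FTC."""
    return boolean_sum([Q_IC_AUTO, Q_SRV_FTO, Q_SRV_FTC])


def node_o14():
    """Frequency-weighted cognitive HEP for damage state F-1D."""
    areas = [
        (CONTROL_ROOM_STRESS_FACTOR * HEP_COGNITIVE, 3.29e-5),  # Control Room
        (HEP_COGNITIVE, 7.71e-5),  # Switchgear and Feedwater Areas
    ]
    return weighted_hep(areas, total_frequency=1.10e-4)


def node_k4():
    """Q_K4 = Q_IC-MAN / Q_K2, with Q_IC-MAN built from its own terms."""
    q_ic_man = 5.55e-3 * 5.56e-1 + Q_SRV_FTO + Q_SRV_FTC
    return given(q_ic_man, node_k2())


def sig3(q):
    """Three significant figures, the precision used in the study."""
    return f"{q:.2e}"


if __name__ == "__main__":
    for name, value in node_u4().items():
        print(name, sig3(value))
    for fn in (node_p1, node_k2, node_o14, node_k4):
        print(fn.__name__, sig3(fn()))
```

The plain sum reproduces the printed values to three significant figures; the exact union for Bus 14E comes out slightly lower, which shows that the study's "Boolean sum" is the simple additive form.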

FIGURE 6.2.4-1. Event tree for loss of feedwater, fire damage state F-1D (top events T3, R, J, K2, O14, K4, L3; sequences 1 through 8).

6.2.5 FIRE DAMAGE STATE F-2A

Fire damage state F-2A is identical to F-1C except that power to S2 ECCS equipment is lost instead of S1 power (i.e. total LOF with no S2 AC power). Consequently, the same event tree was used with a new value for the frequency of fire damage which is $1.87 \times 10^{-4}$/yr for F-2A. The contribution to fire damage comes from fires that occur in the Cable Vault and Mezzanine. All top events remain the same as those which were defined earlier for damage state F-1C.

6.2.6 FIRE DAMAGE STATE F-2B

This damage state represents a total loss of feedwater event with all support systems available (i.e. LOF-support state 1). Accordingly, the internal event tree for loss of feedwater was used with a total fire damage state frequency of $3.42 \times 10^{-3}$/yr as the initiating event frequency. Fires in the Control Room, Cable Vault, Mezzanine, and Feedwater Area are the sole contributors to fire damage state F-2B as shown in Table 6.2-1.

Because there is a total failure of feedwater in F-2B, the following top events were re-evaluated prior to event tree quantification.

1. Feedwater Restoration - Node C3

Total feedwater failure corresponds to:

$Q_{C3} = 1.0$

2. Operator Action to Restore RPV Level - Node O14

Node O14 represents the cognitive operator error to restore RPV level, following a loss of feedwater event with subsequent failure of IC automatic initiation as described in Section 2.0. Because a Control Room fire would increase the level of stress for successful operator action, the final value for Node O14 is expressed as a weighted average which is based on the frequency of fire damage from areas that are both inside and outside the Control Room. As shown in Section 6.4.2, $Q_{O14}$ can be expressed as:

$Q_{O14} = \dfrac{Q_{HEP1} \cdot \lambda_{CR} + Q_{HEP2} \cdot \lambda_{OTHER}}{\lambda_{\text{F-2B}}}$

where $\lambda_{CR} = 9.32 \times 10^{-4}$/yr for the frequency of fire damage state F-2B due to Control Room fire, $\lambda_{OTHER} = 2.48 \times 10^{-3}$/yr for the frequency of F-2B in other areas which are outside the control room, and $\lambda_{\text{F-2B}} = 3.30 \times 10^{-3}$/yr for the total frequency of F-2B. All other values are as defined in Section 6.2.4. Substituting for the right side of the above equation gives

$Q_{O14} = \dfrac{(6.3 \times 10^{-2}) \cdot (9.12 \times 10^{-4}) + (1.3 \times 10^{-2}) \cdot (2.48 \times 10^{-3})}{3.38 \times 10^{-3}} = 2.73 \times 10^{-2}$

3. Restoration of Main Condenser - Node H3

Given a total failure of Feedwater:

$Q_{H3} = 1.0$

6.2.7 FIRE DAMAGE STATE F-2C

Fire damage state F-2C represents a partial or full loss of feedwater with AC available to power both the S1 and S2 trains of ECCS equipment (i.e. buses 14E and 14F available). The initiating event is due to a Switchgear Area fire that causes the loss of Feedwater Pumps 1A and 1B because of fire damage to 4160V Bus 14A. Although feedwater could continue to run, it was conservatively assumed that feedwater string C would have to be started in order to restore feed. The total frequency of fire damage state F-2C is $5.02 \times 10^{-4}$/yr and is due to a fire in the Switchgear Area.

The effects of damage state F-2C on core melt frequency were quantified by using the loss of feedwater internal event tree for support state 1. All top events are the same as those defined for the internal event tree except for feedwater restoration which is based on manual start of the C feed string. As noted in Section 6.2.1, Node C3 for feedwater restoration via the C string is defined as:

$Q_{C3} = 1.76 \times 10^{-2}$

6.2.8 FIRE DAMAGE STATE F-2D

Fire damage state F-2D represents a partial loss of feedwater due to a Feedwater Area fire that could disable any one of the following components:

o Main Feedwater Pump
o Condensate Booster Pump
o Condensate Pump

Following the partial loss of feedwater, a reactor trip would occur on low level with subsequent MSIV closure. All support systems are assumed to be available post trip since the fire only damages one of the pumps in the Feedwater system. The cause of such a transient is entirely due to Feedwater Area fire damage state F-2D which is estimated to occur with a frequency of $8.09 \times 10^{-3}$/yr as shown in Table 6.2-1.

The core melt frequency that can be attributed to fire damage state F-2D was quantified by using the reactor transient internal event tree for support state 1. Since MSIV closure is postulated to occur following reactor trip, Node H3 for main condenser recovery was given a value of $Q_{H1} = 1.0$. All other nodes remain unchanged and are described in Section 2.0 for the reactor transient event tree.

6.2.9 FIRE DAMAGE STATE F-3A

Damage state F-3A is attributable to fires in the Cable Vault and Control Room which cause a reactor trip along with the following:

o MSIV closure
o Loss of the remote S/RV opening function in both the automatic and manual modes of operation
o Total loss of all ECCS functions
o Total loss of SDC and Alternate SDC systems
o Loss of IC remote/automatic actuation from the Control Room.

Consequently, only the running Feedwater System, IC (in local control mode), and IC Make-up System are available for mitigation. The IC Make-up System is essentially unaffected by the fire since both the diesel driven fire pump and the motor driven fire pump (from Unit 2) are available for duty. The total frequency of F-3A is estimated to be 2.47 x 10 /yr as noted in Table 6.2-1.

In order to quantify the effect of damage state F-3A on core melt frequency, a special event tree model was constructed using the reactor transient internal event tree as the basis for development. The event tree for fire damage state F-3A is shown as Figure 6.2.9-1 and the top events are described below.

Definition of Top Events

1. Reactor Transient Initiator - Node T1

Node T1 represents the frequency of fire damage state F-3A. Therefore

$\lambda_{T1} = \lambda_{F\text{-}3A}$ = 2.47 x 10 /yr

2. Reactor Trip - Node R

The success criteria for automatic reactor trip is similar to that for the reactor transient internal event tree (Section 2.0).

$Q_R = 5.4 \times 10^{-5}$

3. Feedwater Operates Post Trip - Node C1

Node C1 represents the availability of the feedwater system after reactor trip.

$Q_{C1} = 1.03 \times 10^{-2}$ (Section 2.0)

4. Operator Action to Restore RPV - Node O10

Node O10 represents the cognitive operator decisions that have to be made following reactor trip and feedwater failure as described for the reactor transient internal event tree in Section 2.0. Since part of damage state F-3A is caused by Control Room fire, a weighted average was used to determine the final value of Node O10 (Section 6.4.2).

$$Q_{O10} = \frac{Q_{HEP1} \cdot \lambda_{CR} + Q_{HEP2} \cdot \lambda_{OTHER}}{\lambda_{F\text{-}3A}}$$

where $\lambda_{CR} = 8.54 \times 10^{-5}$ for Control Room fire, $\lambda_{OTHER} = 1.62 \times 10^{-4}$ for Cable Vault fire and $\lambda_{F\text{-}3A}$ = 2.47 x 10 for the total frequency of damage state F-3A. Substituting for the right side of the equation yields:

$$Q_{O10} = \frac{(6.5 \times 10^{-2}) \cdot (8.54 \times 10^{-5}) + (1.9 \times 10^{-2}) \cdot (1.62 \times 10^{-4})}{2.47 \times 10^{\ }} = 2.33 \times 10^{-2}$$

5. Restore Feedwater - Node C3

Node C3 represents restoration of feedwater, following its failure to continue running post trip as described in Section 2.0.

$Q_{C3} = 1.3 \times 10^{-1}$

6. Safety Relief Valves Reclose - Node J

Node J represents cycling of the S/RV's, following both the failure of feedwater and its restoration. As noted in Section 2.0 for the LNP internal event tree, the S/RV's will cycle ten times before the operator can initiate the IC locally.

$Q_J = 2.37 \times 10^{-2}$

7. IC and IC Make-up - Node K

Node K represents the failure probability of IC local initiation and the failure probability of automatic IC Make-up with restoration. This can be expressed by

$$Q_K = (Q_{IC\text{-}MAN} + Q_{HEP1}) + (Q_{ICM\text{-}AUTO} \cdot (Q_{ICM\text{-}REST} + Q_{HEP2})) + Q_{SRV\text{-}FTO} + Q_{SRV\text{-}FTC}$$

where $Q_{IC\text{-}MAN} = 3.01 \times 10^{-3}$ for failure of local IC initiation, $Q_{HEP1} = 1.3 \times 10^{-2}$ for operator error of omission, $Q_{ICM\text{-}AUTO} = 2.78 \times 10^{-2}$ for failure of automatic IC make-up, $Q_{ICM\text{-}REST} = 0.406$ for failure to restore make-up (given automatic failure), $Q_{HEP2} = 1.3 \times 10^{-2}$ for operator error of omission, and $Q_{SRV\text{-}FTO} + Q_{SRV\text{-}FTC} = 1.7 \times 10^{-3}$ for failure of a S/RV to manually cycle once (see Section 6.2.4). The above terms are defined in more detail in Section 2.0 for the LNP internal event tree model.

Substituting for the right side of the equation, it becomes:

$$Q_K = (3.01 \times 10^{-3} + 1.3 \times 10^{-2}) + (2.78 \times 10^{-2} \cdot (0.406 + 1.3 \times 10^{-2})) + 1.7 \times 10^{-3} = 2.93 \times 10^{-2}$$

[Figure 6.2.9-1 event tree. Top events: T1, R, C1, O10, C3, J, K. Sequence end states: 1 SUCCESS; 2 TL2; 3 SUCCESS; 4 TL2; 5 SUCCESS; 6 TE1; 7 TE1; 8 TE1; 9 ATWS-1]

FIGURE 6.2.9-1. Event tree for reactor trip due to fire damage state F-3A

6.2.10 FIRE DAMAGE STATE F-3B

This damage state represents fire induced MSIV closure, which is non-recoverable, with all other support systems available (i.e. reactor trip in support state 1). The transient is attributable to damage resulting from Cable Vault and Reactor Building fires and is estimated to have a total frequency of $5.49 \times 10^{-4}$/yr as noted in Table 6.2-1.

The reactor transient internal event tree for support state 1 (Section 2.0) was used to quantify the frequency of core melt resulting from fire damage state F-3B. All top events remain unchanged from the internal event tree except for the following:

1. Main Condenser Post Trip - Node H1

Since the MSIV's fail closed, the main condenser is unavailable and

$Q_{H1} = 1.0$

2. Restoration of Main Condenser - Node H3

Because the MSIV closure is not recoverable, the main condenser cannot be restored and

$Q_{H3} = 1.0$

6.2.11 FIRE DAMAGE STATE F-4A

Damage state F-4A results from fires in the Cable Vault, Mezzanine and Switchgear Area that produce a partial loss of feedwater due to fire induced loss of S2 Buses 14D and 14F. The S2 power train failure could result from either hot wire-to-wire shorts in the load shedding circuits or a direct loss of Bus 14D which feeds 14F. The total frequency of F-4A is estimated to be $3.22 \times 10^{-4}$/yr as shown in Table 6.2-1.

The frequency of core melt was determined by using the reactor transient internal event tree for support state 5. Top events in the tree remain unchanged from those described in Section 2.0 except for the ones that are noted below.

1. Feedwater Operates Post Trip - Node C1

Node C1 represents the probability that feedwater fails to continue running after the reactor trip. Given a failure of S2 AC power, there is a 2/3 chance that Feedwater Pump C (powered by S2) was running since the normal configuration of Feedpumps is A and B, A and C or B and C. Although Feedwater may continue running post trip, it was conservatively assumed that it always fails after a loss of pump C. Accordingly, Node C1 was assigned a 2/3 probability of failure as shown below

$Q_{C1} = 0.667$

2. Restore Feedwater - Node C3

Node C3 represents restoration of a single string of feedwater, following its failure to continue running. As noted in Section 6.2.1, the probability of failing to start a single feed string is:

$Q_{C3} = 1.76 \times 10^{-2}$

3. Restoration of AC Power - Node U4

Although S2 AC power can be restored at four hours by either removing the load shed signal or aligning the diesel generator to Bus 14F, it was conservatively assumed that restoration would always take place via the latter method. Section 6.2.1 computes a value for Node U4 based on restoring AC to Bus 14E with the diesel. Since Buses 14E and 14F are symmetrical and can be individually aligned to the diesel, the probability of failing to restore power to Bus 14F is the same as $Q_{U4}$ in Section 6.2.1.

$Q_{U4} = 3.78 \times 10^{-2}$

6.2.12 FIRE DAMAGE STATE F-4B

Fire damage state F-4B represents a reactor trip which is caused by fire induced loss of 4160V Bus 14F or 480V motor control centers (MCC's) in the Reactor Building which are powered by Bus 12F. The total frequency of F-4B is estimated to be $1.78 \times 10^{-3}$/yr and is attributable to fires in the Cable Vault, Switchgear Area and Reactor Building as noted in Table 6.2-1.

The reactor transient internal event tree for support state 5 was used to quantify the frequency of core melt that results from damage state F-4B. All top events remain unchanged from the internal event tree (Section 2.0) except for the following.

1. Restoration of AC Power - Node U4

Because the fire can damage either the "F" MCC's or Bus 14F, only partial restoration of S2 power to the Reactor Building is possible.

If the fire were to damage the "F" MCC's or their power cables, motor-operated valves in the SDC and Alternate SDC systems could not have power restored to them. This would result in a total failure of Alternate SDC and a restorable failure of SDC if no fuel damage were postulated. Fire induced failure of Bus 14F could be recovered at four hours by cross-tying 480V Buses 12E and 12F which would allow the "F" MCC's to receive power. Although this action would allow motor-operated valves that are powered from "F" MCC's to function, Alternate SDC would still remain failed since Bus 14F is required to power the pumps.

Node U4 represents the probability of not restoring power to the "F" MCC's via 480V Bus 12F. This probability is computed by adding the fraction of fire in areas where "F" MCC's cannot be recovered (i.e. Cable Vault and Reactor Building) to the HEP for failure to crosstie Buses 12E and 12F at four hours.

$$Q_{U4} = \frac{\lambda_{CV} + \lambda_{RB}}{\lambda_{F\text{-}4B}} + Q_{HEP}$$

where $\lambda_{CV} = 1.57 \times 10^{-4}$/yr for the frequency of F-4A due to Cable Vault fires, $\lambda_{RB} = 3.62 \times 10^{-4}$ for Reactor Building fires and $\lambda_{F\text{-}4B} = 1.78 \times 10^{-3}$ for the total frequency of F-4B. The value for $Q_{HEP}$ is $3.0 \times 10^{-3}$ for failure of the operator to perform the crosstie, based on the general error of omission that was assumed in Section 6.2.1. Substituting the above values in the equation for $Q_{U4}$ yields:

$$Q_{U4} = \frac{(1.57 \times 10^{-4} + 3.62 \times 10^{-4})}{1.78 \times 10^{-3}} + 3.0 \times 10^{-3} = 2.95 \times 10^{-1}$$

2. SDC System - Node M

As explained above, only the SDC system is available for long term cooling. The probability of SDC system failure is dependent on the success of feedwater (6.2.1) and restoration of Bus 12F. Thus the following are possible.

a) Restoration of 480V Bus 12F fails and SDC fails since the motor-operated inlet valve is inside the drywell, precluding operator manual recovery.

$Q_M = 1.0$

b) Feedwater succeeds and Bus 12F is restored (i.e. no fuel damage support state 1).

$Q_M = Q_{SDC} + Q_{HEP1} = 1.21 \times 10^{-1}$ (Section 6.2.1)

c) Feedwater fails and Bus 12F is restored (i.e. fuel damage in support state 1).

$Q_M = Q_{SDC} + Q_{HEP1} = 3.91 \times 10^{-1}$ (Section 6.2.1)

6.2.13 FIRE DAMAGE STATE F-4C

Damage state F-4C represents a reactor trip with a fire induced loss of either 4160V Bus 14E or the "E" motor control centers (MCC's) in the Reactor Building. The total frequency of F-4C is estimated to be $2.56 \times 10^{-4}$/yr and results from fires in the Switchgear Area and Reactor Building.

The internal event tree for reactor transients in support state 1 was used to quantify the core melt frequency due to fire damage state F-4C. It should be noted that support state 1 rather than 3 was used since feedwater continues to run on just a loss of Bus 14E. Accordingly, all top events remain unchanged from the internal event tree (Section 2.0) except for those which are affected by a loss of Bus 14E. A description of the changes that were made is given below.

1. Restoration of AC Power - Node U4

This node is analogous to Node U4 which is described in previous Section 6.2.12. Again, the Alternate SDC system is totally failed due to loss of either the "E" MCC's or Bus 14E and thus only the SDC system can be used for long term cooling. Since the motor control centers cannot be restored, the fraction of fires that cause their loss is assumed to result in the failure of AC power restoration. Therefore, the total probability that Node U4 fails is computed by adding the above fraction to the HEP for cross-tie of Bus 12E to Bus 12F.

$$Q_{U4} = \frac{\lambda_{RB}}{\lambda_{F\text{-}4C}} + Q_{HEP}$$

where $\lambda_{RB} = 3.73 \times 10^{-7}$ for the frequency of damage state F-4C due to Reactor Building Fire and $\lambda_{F\text{-}4C} = 2.56 \times 10^{-4}$ is the total frequency of F-4C. The probability of failure to cross-tie is $Q_{HEP} = 3.0 \times 10^{-3}$ as explained in Section 6.2.12. Substituting these values into the above equation gives

$$Q_{U4} = \frac{3.73 \times 10^{-7}}{2.56 \times 10^{-4}} + 3.0 \times 10^{-3} = 4.46 \times 10^{-3}$$

2. SDC System - Node M

Node M represents the probability of SDC failure which is dependent on the success of feedwater and AC power recovery to Bus 12E as shown below for the four possibilities.

a) Feedwater runs and restoration of Bus 12E is successful (i.e. support state 1 with no fuel damage)

$Q_M = Q_{SDC} + Q_{HEP1} = 1.21 \times 10^{-1}$ (Section 6.2.1)

b) Feedwater fails but restoration of Bus 12E succeeds (i.e. support state 1 with fuel damage)

$Q_M = Q_{SDC} + Q_{HEP1} = 3.91 \times 10^{-1}$ (Section 6.2.1)

c) Feedwater runs and restoration of Bus 12E fails (i.e. support state 3 with no fuel damage)

$Q_M = Q_{SDC} + Q_{HEP1} = 2.91 \times 10^{-1}$ (Section 6.2.1)

d) Feedwater fails and restoration of Bus 12E fails as well (i.e. support state 3 with fuel damage).

$Q_M = 1.0$ (Section 6.2.1)

6.2.14 FIRE DAMAGE STATE F-5A

Damage state F-5A represents a reactor trip with all support systems available (i.e. support state 1). The internal event tree for reactor transients in support state 1 was used without modification to quantify the contribution of F-5A to core melt frequency. All of the critical fire areas in the plant contribute to the total frequency of fire damage state F-5A which is estimated to be 1.74 x 10~~/yr, as noted in Table 6.2-1.

6.2.15 FIRE DAMAGE STATE F-5B

This damage state represents a reactor trip combined with a total loss of all ECCS functions due to fire induced failure of safety/relief valve remote opening capability or a total loss of AC in the Reactor Building. The total frequency of damage state F-5B is estimated to be 1.21 x 10 /yr and is entirely due to fires in the Reactor Building.

In order to quantify the effect of F-5B on core melt frequency, a special event tree was developed to account for the total loss of ECCS functions. Since Feedwater is unaffected by the fire, the Feedwater System and Main Condenser System are available for decay heat removal. Operation of the IC is possible if valve IC-3 is opened locally at its station in the Reactor Building. The IC Make-up System is unaffected by the fire because make-up valve IC-10 is DC powered. The event tree that was used to quantify F-5B is shown in Figure 6.2.15-1 and the top events are described below.

Definition of Top Events

1. Reactor Transient Initiator - Node T1

Node T1 represents the frequency of fire damage state F-5B and therefore:

$\lambda_{T1}$ = 1.21 x 10 /yr

2. Reactor Trip - Node R

The success criteria for automatic reactor trip is similar to that for the reactor transient internal event tree

$Q_R = 5.4 \times 10^{-5}$ (Section 2.0)

3. Feedwater Operates Post Trip - Node C1

Node C1 represents the availability of feedwater following a transient with subsequent reactor trip.

$Q_{C1} = 1.03 \times 10^{-2}$ (Section 2.0)

4. Main Condenser Post Trip - Node H1

This node represents the operation of the main condenser as a heat sink, following a reactor trip. The success criteria for node H1 are the same as those for the reactor transient internal event tree.

$Q_{H1} = 3.10 \times 10^{-1}$ (Section 2.0)

5. Operator Action to Restore RPV Level - Node O10

Node O10 addresses the cognitive operator decisions following failure of the feedwater system as described for the reactor transient internal event tree.

$Q_{O10} = 1.3 \times 10^{-2}$ (Section 2.0)

6. Restore Feedwater - Node C3

This node represents restoration of feedwater, given that it fails to continue running post trip. All success criteria are the same as those specified for the reactor transient internal event tree.

$Q_{C3} = 1.3 \times 10^{-1}$ (Section 2.0)

7. Safety Relief Valves Close - Node J

$Q_J = 2.37 \times 10^{-2}$ (Section 6.2.9)

8. IC and IC Make-up - Node K

$Q_K = 2.93 \times 10^{-2}$ (Section 6.2.9)

[Figure 6.2.15-1: event tree for fire damage state F-5B]

6.2.16 FIRE DAMAGE STATE F-5C

Damage state F-5C represents a reactor trip combined with the fire induced loss of DC Bus 101A or its power cables in the Reactor Building. Consequently, all S2 ECCS equipment are unavailable and the IC must be operated manually at the local valve station. This is equivalent to the reactor transient internal event tree for support state 11 (i.e. DC 101A and Bus 14F failed) which was used to quantify the core melt frequency resulting from F-5C. As shown in Table 6.2-1, fire damage state F-5C results from Reactor Building and Switchgear Area fires. The total frequency of F-5C is estimated to be $1.17 \times 10^{-3}$/yr and was used as the initiating event frequency for the event tree just described.

6.2.17 FIRE DAMAGE STATE F-5D

This damage state represents a reactor trip with a combined loss of RBCCW and the IC due to a Reactor Building fire. The total frequency of F-5D is estimated to be $1.06 \times 10^{-5}$/yr.

Since all ECCS and support systems are available, the core melt frequency attributable to F-5D was computed by using the reactor transient internal event tree for support state 1. The failure of RBCCW and the IC resulted in modifications being made to the following top events in the tree.

1. IC and IC Make-Up - Node K

Because the postulated Reactor Building fire is in close proximity to motor-operated valve IC-3, the IC is assumed to be unavailable due to total failure of the valve. Therefore:

$Q_K = 1.0$

2. SDC and Alternate SDC Systems - Node M

Node M represents the probability that both SDC and Alternate SDC fail to operate. As noted in Section 6.2.1, this can be represented by:

$$Q_M = (Q_{SDC} + Q_{HEP1}) \cdot (Q_{ALT\text{-}SDC} + Q_{HEP2}) + (Q_{2S/RV} + Q_{HEP3})$$

Since RBCCW fails as a result of the fire, SDC cannot be used and $Q_{SDC} = 1.0$. Substituting this value along with the remaining values from Section 6.2.1 for the right side of the equation yields:

Qg = (1.0) * (.1% + 1.3 x 10N + (1.W x 10N

$= 1.63 \times 10^{-1}$

6.2.18 FIRE DAMAGE STATE F-6

Damage state F-6 represents a reactor trip with loss of the S/RV remote opening function and one S/RV stuck open due to fire induced hot shorts in its opening circuitry. The frequency of F-6 is estimated to be $1.48 \times 10^{-4}$/yr and is due to fires in the Control Room, Cable Vault and Reactor Building.

The resultant core melt frequency from damage state F-6 was quantified by using the internal event tree for inadvertent opening of a safety/relief valve (IORV) in support state 1. Because the S/RV remote opening function also is lost as a result of the postulated fire, some of the top events in the IORV event tree had to be modified. These are described below.

1. Operator Action to Restore RPV Level - Node O3

A portion of fire damage state F-6 is due to Control Room fires which could place a level of stress on operator action. Accordingly, a weighted average was computed for Node O3 based on the method described in Section 6.2.4.

$$Q_{O3} = \frac{Q_{HEP1} \cdot \lambda_{CR} + Q_{HEP2} \cdot \lambda_{OTHER}}{\lambda_{F\text{-}6}}$$

where $\lambda_{CR}$ = 3.48 x 10 4/yr for the frequency of damage state F-6 due to Control Room fire, $\lambda_{OTHER} = 1.14 \times 10^{-4}$/yr for the frequency of F-6 attributable to other areas, and $\lambda_{F\text{-}6} = 1.48 \times 10^{-4}$/yr for the total frequency of F-6. Substituting the above values and $Q_{HEP1}$, $Q_{HEP2}$ from Section 6.2.4 into the right side of the equation yields:

Q 03 = (6 A r 10 %

  • N1.48 8 xx 10 10- h_+ (1 a r 10 M 1.14 x 1o S

= 2.53 x 10-2

2. Core Spray and LPCI System - Node E

None of the low pressure systems can be used since the S/RV's cannot be opened to depressurize the RPV. Therefore

$Q_E = 1.0$

3. Safety/Relief Valve (Manual) - Node I

Failure of the S/RV remote opening function implies

$Q_I = 1.0$

4. SDC and Alternate SDC Systems - Node M

Since Alternate SDC is part of the LPCI system, it cannot be used for long term cooling. This leaves only the SDC system which would be used following the success of feedwater. Consequently, Node M represents the probability of SDC failure,

$Q_M = Q_{SDC} + Q_{HEP1}$

where $Q_{SDC}$ and $Q_{HEP1}$ are defined in Section 6.2.1. Substituting these values into the equation gives:

$Q_M = 1.2 \times 10^{-1} + 1.3 \times 10^{-2} = 1.21 \times 10^{-1}$

6.2.19 FIRE DAMAGE STATE F-7

This fire damage state results from fires that simultaneously cause reactor trip, MSIV closure, a stuck-open S/RV with loss of the remote opening function, and loss of the IC due to hot shorts in the MOV closing circuits. In order to assess the contribution of damage state F-7 to core melt frequency, it was necessary to develop the special event tree shown in Figure 6.2.19-1. The total frequency of fire damage state F-7 is estimated to be $3.83 \times 10^{-5}$/yr and is due to Cable Vault, Mezzanine and Control Room Fires.

Definition of Top Events

1. Frequency of Reactor Trip - Node F

Node F represents the total frequency of damage state F-7 which is described above.

$\lambda_F = 3.70 \times 10^{-5}$/yr

2. Feedwater Continues to Run Post Trip - Node C1

Since the Feedwater System is unaffected by damage state F-7, the probability of Node C1 is the same as in the reactor transient event tree for support state 1.

$Q_{C1} = 1.03 \times 10^{-2}$

3. Operator Action - Node OA

Node OA represents the following operator actions that would be performed at approximately four hours after the reactor had tripped.

a. In order to close the stuck open S/RV, an operator would have to deenergize the opening circuit by opening a breaker in the Control Room.

b. Motor-operated valves on the IC that failed closed due to hot shorts would have to be re-opened after isolating the control circuits that come from the Control Room via the Cable Vault. This would be accomplished by an operator transferring control of the valves to the local mode (through a transfer switch on the appropriate MCC's) and then opening the valves.

The HEP for the above actions was assessed to be governed by skill based behavior and therefore:

$Q_{OA} = 1.3 \times 10^{-2}$ (Section 4.0)

4. Safety/Relief Valve Closes - Node J

Following successful operator action (Node OA), the open S/RV could fail to close due to internal valve failure. Node J represents S/RV failure to close.

$Q_J = 1.0 \times 10^{-3}$ (Appendix 2-A)

5. IC and IC Make-up - Node K

Given that the operator successfully isolates the IC motor-operated valve control circuits, the probability of IC failure is based on the failure of any one valve to open. The IC Make-up System is unaffected by fire damage state F-7. Accordingly, Node K represents the probability that the IC or its make-up fails to function.

$Q_K = Q_{IC} + Q_{ICM}$

where $Q_{IC}$ is defined by:

$Q_{IC} = Q_{IC2\text{-}FTO} + Q_{IC3\text{-}FTO} + Q_{IC1\text{-}FTO} + Q_{IC4\text{-}FTO}$

where:

$Q_{IC2\text{-}FTO} = 4.45 \times 10^{-3}$
$Q_{IC3\text{-}FTO} = 4.45 \times 10^{-3}$
$Q_{IC1\text{-}FTO} = 3.79 \times 10^{-3}$
$Q_{IC4\text{-}FTO} = 3.79 \times 10^{-3}$

All of the above values are taken from Appendix 2-A for "valve failure to open". MOV's IC-2 and IC-3 use failure rates for valves that are located outside the drywell while MOV's IC-1 and IC-4 use failure rates for valves inside the drywell. Substituting the above values into the equation, $Q_{IC}$ becomes:

$Q_{IC} = (4.45 \times 10^{-3}) + (4.45 \times 10^{-3}) + (3.79 \times 10^{-3}) + (3.79 \times 10^{-3}) = 1.65 \times 10^{-2}$

$Q_{ICM}$ is defined for IC Make-up as follows:

$Q_{ICM} = Q_{ICM\text{-}AUTO} \cdot Q_{ICM\text{-}REST}$

where $Q_{ICM\text{-}AUTO} = 2.78 \times 10^{-2}$ for failure of automatic make-up and $Q_{ICM\text{-}REST} = 0.406$ for failure of restoration, given automatic operation fails.

Substituting the above for the right side of the equation yields:

$Q_{ICM} = (2.78 \times 10^{-2}) \cdot (0.406)$

$Q_K$ can now be quantified by substituting the values for $Q_{IC}$ and $Q_{ICM}$ into the original equation as follows:

$Q_K = (1.65 \times 10^{-2}) + (1.13 \times 10^{-2}) = 2.78 \times 10^{-2}$

[Figure 6.2.19-1 event tree. Top events: F, C1, OA, J, K. Sequence end states: 1 SUCCESS; 2 TL2; 3 TL2; 4 TL2; 5 TE1]

FIGURE 6.2.19-1. Event tree for reactor trip due to fire damage state F-7
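The quantification that Section 6.2.19 describes can be reproduced by multiplying the node values along each path of the F-7 event tree. The following is an added example, not part of the study. The branch structure is an assumption inferred from the five end states of Figure 6.2.19-1 (each failure ends its path), every non-SUCCESS end state is assumed to count toward core melt, and the initiator uses the 3.83 x 10^-5/yr total frequency stated at the start of the section.

```python
"""Added example: quantify the event tree for fire damage state F-7."""

LAMBDA_F7 = 3.83e-5        # total F-7 frequency per year (Section 6.2.19 text)
TOTAL_FIRE_CMF = 5.36e-5   # TOTAL row of Table 6.3-2, per year


def q_node_k():
    """Node K: IC valve failures plus IC make-up failure (rare-event sum)."""
    q_ic = 4.45e-3 + 4.45e-3 + 3.79e-3 + 3.79e-3   # IC-2, IC-3, IC-1, IC-4
    q_icm = 2.78e-2 * 0.406    # automatic make-up fails and is not restored
    return q_ic + q_icm


# Node failure probabilities quoted in Section 6.2.19.
NODE_Q = {"C1": 1.03e-2, "OA": 1.3e-2, "J": 1.0e-3, "K": q_node_k()}

# ASSUMED branch structure (the figure's branch lines are not legible):
# a path is a list of (node, failed) pairs; nodes after a terminating
# failure are not asked. End-state labels are the ones in the figure.
SEQUENCES = [
    (1, "SUCCESS", [("C1", False), ("OA", False), ("J", False), ("K", False)]),
    (2, "TL2", [("C1", False), ("OA", False), ("J", False), ("K", True)]),
    (3, "TL2", [("C1", False), ("OA", False), ("J", True)]),
    (4, "TL2", [("C1", False), ("OA", True)]),
    (5, "TE1", [("C1", True)]),
]


def quantify(initiator=LAMBDA_F7, node_q=NODE_Q, sequences=SEQUENCES):
    """Return {sequence number: (end state, frequency per year)}."""
    results = {}
    for number, end_state, path in sequences:
        freq = initiator
        for node, failed in path:
            q = node_q[node]
            if not 0.0 <= q <= 1.0:
                raise ValueError(f"node {node}: {q} is not a probability")
            freq *= q if failed else 1.0 - q
        results[number] = (end_state, freq)
    return results


def frequency_by_end_state(results):
    """Sum sequence frequencies that share an end state."""
    totals = {}
    for end_state, freq in results.values():
        totals[end_state] = totals.get(end_state, 0.0) + freq
    return totals


def core_melt_frequency(results):
    """Sum of all sequences that do not end in SUCCESS (assumption)."""
    return sum(freq for state, freq in results.values() if state != "SUCCESS")


if __name__ == "__main__":
    res = quantify()
    for number, (state, freq) in sorted(res.items()):
        print(f"sequence {number}: {state:8s} {freq:.3e}/yr")
    cmf = core_melt_frequency(res)
    print(f"F-7 core melt frequency: {cmf:.2e}/yr")
    print(f"share of fire total:     {100 * cmf / TOTAL_FIRE_CMF:.2f}%")
    # The paths must partition the initiator: their sum equals LAMBDA_F7.
    print(f"sum of all sequences:    {sum(f for _, f in res.values()):.3e}/yr")
```

Under these assumptions the result rounds to the F-7 row of Table 6.3-2 (1.96 E-6 per year, 3.66 percent).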


6.2.20 FIRE DAMAGE STATE CM

Damage state CM represents a total loss of all AC and DC power which is conservatively assumed to result in an early core melt due to the lack of a detailed consequence analysis. The frequency of core melt due to CM is estimated to be $1.33 \times 10^{-5}$/yr and is caused by fires in the Control Room, Cable Vault, Switchgear Area, and Reactor Building.

6.3 QUANTIFICATION RESULTS FOR ACCIDENTS CAUSED BY FIRE

Quantification of the internal event trees for fire induced transients resulted in frequencies being calculated for both core melt and core damage. As defined in Section 2.2 for internal events, the total core melt frequency is equal to the sum of the individual frequencies for the various plant damage states (i.e. endpoints on the system event trees), while the total core damage frequency is the sum of the frequencies for scenarios which result from partial core uncovery (over a short time interval) or overpower conditions prior to reactor trip. The quantification of fire initiated accidents resulted in calculating the following values for frequency of core melt and core damage due to fire:

Core Melt Frequency = $5.33 \times 10^{-5}$/year (mean value)

Core Damage Frequency = $1.05 \times 10^{-4}$/year (mean value)

Core Melt Grouping By Core Melt Timing

Table 6.3-1 provides a summary of the core melt frequencies that are attributable to fire induced transients, according to the time of core melt. Since the consequences of different core melt times are independent of the initiating event, the earlier discussion on core melt timing (Section 5.3) for internal events is applicable here as well.

Core Melt Grouping By Fire Damage State Initiator And Critical Plant Area

Table 6.3-2 provides the core melt contribution from various fire damage state initiators. Damage state CM is the largest contributor and accounts for 25% of the total core melt, of which over 95% is due to propagating fires in the Cable Vault and Switchgear Areas.

Table 6.3-3 shows the contribution to core melt by critical plant area. Approximately 33% of the total is due to fires in the Cable Vault, followed by Switchgear Area fires which account for another 22% of the total core melt frequency. The link between Fire Damage State and Critical Plant Area is shown in Table 6.3-4 which shows the core melt frequency in each plant state, resulting from fire.

The last table (Table 6.3-5) provides a description of the top 15 dominant core melt sequences which collectively account for approximately 80% of the total. Similar sequences have been grouped together under one sequence heading as shown by the event tree path numbers that appear in the last column heading of the table. The sequences are listed in decreasing order of their contribution to core melt.

TABLE 6.3-1
CORE MELT FREQUENCIES BY CORE MELT TIMES

CORE MELT TIME                          FREQUENCY/YEAR   PERCENT CONTRIBUTION
Early (T < 2 hours)                     2.70 E-5         50.41
Intermediate (2 hours < T < 7 hours)    7.43 E-6         13.87
Late (T > 24 hours)                     1.41 E si        35.66
TOTAL                                   5.36 E-5         100

TABLE 6.3-2
CORE MELT FREQUENCIES BY FIRE DAMAGE STATE INITIATOR

FIRE DAMAGE STATE   FREQUENCY/YEAR   PERCENT CONTRIBUTION
F-1A                6.81 E-7         1.27
F-1B                2.83 E-6         5.28
F-1C                1.54 E-6         2.88
F-1D                2.92 E-6         5.45
F-2A                5.04 E-7         0.94
F-2B                1.19 E-5         22.20
F-2C                4.52 E-7         0.84
F-2D                6.91 E-7         1.29
F-3A                7.32 E-6         13.65
F-3B                3.50 E-7         0.65
F-4A                4.63 E-7         0.86
F-4B                4.72 E-6         8.81
F-4C                4.78 E-8         0.09
F-5A                1.22 E-6         2.28
F-5B                1.15 E-6         2.15
F-5C                5.85 E-7         1.09
F-5D                2.56 E-8         0.05
F-6                 9.43 E-7         1.76
F-7                 1.96 E-6         3.66
CM                  1.99 E-5         24.81
TOTAL               5.36 E-5         100

TABLE 6.3-3
CORE MELT FREQUENCIES BY CRITICAL PLANT AREAS

CRITICAL AREA      FREQUENCY/YEAR   PERCENT CONTRIBUTION
Control Room       7.59 E-6         14.16
Cable Vault        1.76 E-5         32.84
Mezzanine          3.99 E-6         7.44
Feedwater Area     9.15 E-6         17.07
Switchgear Area    1.19 E-5         22.20
Reactor Building   1.49 E-6         6.40
TOTAL              5.36 E-5         100

TABLE 6.3-4
CORE MELT FREQUENCIES BY CRITICAL PLANT AREA AND FIRE DAMAGE STATE INITIATOR

FIRE DAMAGE STATE INITIATOR   CRITICAL PLANT AREA (FREQUENCY/YEAR): CR CV MZ FW SWGR RB

F-1A   5.31 E-8   6.28 E-7
F-1B   1.68 E-6   2.08 E-7   9.34 E-7
F-1C   2.09 E-9   1.54 E-6
F-1D   8.73 E-7   1.81 E-6   2.39 E-7
F-2A   5.01 E-7   3.00 E-9
F-2B   3.32 E-6   1.40 E-6   3.66 E-6   3.60 E-6
F-2C   4.52 E-7
F-2D   6.91 E-7
F-3A   2.53 E-6   4.80 E-6
F-3B   3.41 E-7   9.45 E-9
F-4A   6.70 E-8   3.49 E-8   3.61 E-7
F-4B   4.15 E-7   3.34 E-6   9.58 E-7
F-4C   4.78 E-8
F-5A   1.22 E-9   6.59 E-8   2.44 E-8   5.75 E-7   6.47 E-8   4.89 E-7
F-5B   1.15 E-6
F-5C   4.24 E-7   1.61 E-7
F-5D   2.56 E-8
F-6    2.22 E-7   7.07 E-7   1.70 E-8
F-7    6.82 E-7   1.22 E-6   6.00 E-8
CM     S.14 E-8   6.33 E-6   6.34 E-6   6.18 E-7

CR = Control Room        FW = Feedwater Area
CV = Cable Vault         SWGR = Switchgear Area
MZ = Mezzanine           RB = Reactor Building

TABLE 6.3-5
DOMINANT FIRE INDUCED CORE MELT SEQUENCES

1. Fire Damage State Initiator: CM
   Affected Plant Area: Switchgear
   Core Melt Time: Early
   Core Melt Frequency/Yr.: 6.34E-6
   % of Total C.M.F.: 11.83
   Sequence Nos. in Event Tree: 10, 20, 22, 24, 33, 42, 44, 46, 54, 56, 58 and 60 on Figure 6.1.5-1 for Switchgear Area
   Sequence Description:
  • Propagation of fire to more than one zone in Switchgear Area causes total loss of both AC and DC power as a result of:
    a) component fire which spreads due to flammable liquid stored in the area
    or
    b) cable fire which spreads after zone fire barriers are breached
  • Fire assumed to lead directly to core melt without requiring additional equipment failures

2. Fire Damage State Initiator: CM
   Affected Plant Area: Cable Vault
   Core Melt Time: Early
   Core Melt Frequency/Yr.: 6.33E-6
   % of Total C.M.F.: 11.80
   Sequence Nos. in Event Tree: 17, 22, 39, 43, 47 and 52 on Figure 6.1.2-1 for Cable Vault
   Sequence Description:
  • Fire induced loss of all AC and DC cables routed to Reactor Building combined with a stuck open S/RV and IC failure due to wire-to-wire hot shorts
    or
  • Loss of all cable trays in cable vault due to fire propagation as the result of storing flammable liquid in the area
  • Fire assumed to cause core melt without the need for additional equipment failure

3. Fire Damage State Initiator: F-3A
   Affected Plant Area: Cable Vault
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 4.80E-6
   % of Total C.M.F.: 8.96
   Sequence Nos. in Event Tree: 4 on Figure 6.2.9-1 for Reactor Trip
   Sequence Description:
  • Fire causes MSIV closure and loss of all power/control cables to Reactor Building
  • Feedwater continues to run but IC or IC Make-Up fails subsequent to the fire

4. Fire Damage State Initiator: F-2B
   Affected Plant Area: Feedwater
   Core Melt Time: Early to Intermediate
   Core Melt Frequency/Yr.: 3.60E-6
   % of Total C.M.F.: 6.72
   Sequence Nos. in Event Tree: 9, 14 and 21 on Figure 2.4.4-1 for LOF SS#1
   Sequence Description:
  • Total failure of Feedwater and main condenser due to a fire that spreads to more than one feedwater or TBSCCW pump
  • Subsequent to the fire:
    a) IC auto-actuation fails and cognitive error to not restore RPV level
    or
    b) S/RV closes but IC or IC make-up fails along with long term cooling systems
    or
    c) S/RV sticks open and long term cooling fails

5. Fire Damage State Initiator: F-2B
   Affected Plant Area: Mezzanine
   Core Melt Time: Early to Intermediate
   Core Melt Frequency/Yr.: 3.66E-6
   % of Total C.M.F.: 6.83
   Sequence Nos. in Event Tree: 9, 14 and 21 on Figure 2.4.4-1 for LOF SS#1
   Sequence Description:
  • Fire causes loss of all Feedwater control cables, failing Feedwater and Main Condenser
  • Subsequent to the fire:
    (see a), b) and c) for No. 4 above)

6. Fire Damage State Initiator: F-2B
   Affected Plant Area: Control Room
   Core Melt Time: Early to Intermediate
   Core Melt Frequency/Yr.: 3.23E-6
   % of Total C.M.F.: 6.03
   Sequence Nos. in Event Tree: 9, 14, and 21 on Figure 2.4.4-1 for LOF SS#1
   Sequence Description:
  • Total loss of Feedwater and Main Condenser due to fire induced loss of Vital AC or Feedwater control circuitry
  • Subsequent to fire:
    (see a), b) and c) for No. 4 above)

7. Fire Damage State Initiator: F-4B
   Affected Plant Area: Switchgear
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 3.34E-6
   % of Total C.M.F.: 6.23
   Sequence Nos. in Event Tree: 7 and 12 on Figure 2.4.3-1 for RT SS#5
   Sequence Description:
  • Loss of S2 AC power from fire in S2 cables or bus 14F causes reactor trip
  • Subsequent to fire:
    a) Feedwater runs but IC or IC Make-Up fails along with long term cooling system failure
    or
    b) Feedwater runs, S/RV sticks open and long term cooling systems fail

8. Fire Damage State Initiator: F-3A
   Affected Plant Area: Control Room
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 2.53E-6
   % of Total C.M.F.: 4.72
   Sequence Nos. in Event Tree: 4 on Figure 6.2.9-1 for Reactor Trip
   Sequence Description:
  • Fire in zone #3 panels causes MSIV closure and loss of all ECCS functions including remote S/RV opening capability
  • Subsequent to the fire, feedwater runs but IC or IC make-up fails.

9. Fire Damage State Initiator: F-1D
   Affected Plant Area: Feedwater
   Core Melt Time: Early
   Core Melt Frequency/Yr.: 1.81E-6
   % of Total C.M.F.: 3.38
   Sequence Nos. in Event Tree: 2 and 7 on Figure 6.2.4-1 for LOF
   Sequence Description:
  • Unsuppressed fire causes a total loss of Feedwater with AC power blackout (SBO)
  • Subsequent to fire:
    a) IC works and make-up fails
    or
    b) S/RV sticks open

10. Fire Damage State Initiator: F-1B
   Affected Plant Area: Cable Vault
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 1.68E-6
   % of Total C.M.F.: 3.13
   Sequence Nos. in Event Tree: 7 and 9 on Figure 2.4.4-1 for LOF SS#3
   Sequence Description:
  • Loss of Feedwater due to cable fire that damages S1 power/control cables which are routed from the Turbine Building
  • Fire induced loss of S1 cables also causes failure of S1 ECCS equipment and Alt. SDC system
  • Subsequent to fire:
    a) Feedwater is restored but IC or IC Make-Up fails along with SDC
    or
    b) S/RV sticks open, Feedwater runs and SDC fails

11. Fire Damage State Initiator: F-1C
   Affected Plant Area: Feedwater
   Core Melt Time: Early to Intermediate
   Core Melt Frequency/Yr.: 1.56E-6
   % of Total C.M.F.: 2.91
   Sequence Nos. in Event Tree: 9, 14 and 21 on Figure 2.4.4-1 for LOF SS#3
   Sequence Description:
  • Total loss of Feedwater and Main Condenser due to fire in F.W. pumps which also causes S1 control cable failure
  • Subsequent to fire:
    a) IC or IC make-up and long term cooling systems fail
    or
    b) IC auto-actuation fails and cognitive error to restore RPV level
    or
    c) S/RV sticks open and long term cooling systems fail

12. Fire Damage State Initiator: F-2B
   Affected Plant Area: Cable Vault
   Core Melt Time: Early to Intermediate
   Core Melt Frequency/Yr.: 1.40E-6
   % of Total C.M.F.: 2.61
   Sequence Nos. in Event Tree: 9, 14 and 21 on Figure 2.4.4-1 for LOF SS#1
   Sequence Description:
  • Fire causes loss of Feedwater control cables routed to Turbine Building, resulting in F.W. and Main Condenser failure
  • Subsequent to fire:
    a) IC auto-actuation fails and operator makes cognitive error to not restore RPV level
    or
    b) S/RV closes but IC/IC make-up fails along with long term cooling systems
    or
    c) S/RV sticks open and long term cooling fails

13. Fire Damage State Initiator: F-7
   Affected Plant Area: Cable Vault
   Core Melt Time: Late-80%, Early-20%
   Core Melt Frequency/Yr.: 1.22E-6
   % of Total C.M.F.: 2.28
   Sequence Nos. in Event Tree: 2 and 5 on Figure 6.2.19-1 for Reactor trip
   Sequence Description:
  • Loss of all cables to Reactor Building with MSIV closure and failure of the remote S/RV opening function as well as IC failure
  • Subsequent to the fire:
    a) IC recovery fails (late C.M.)
    or
    b) Feedwater fails (early C.M.)

14. Fire Damage State Initiator: F-5B
   Affected Plant Area: Reactor Building
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 1.15E-6
   % of Total C.M.F.: 2.15
   Sequence Nos. in Event Tree: 3 and 5 on Figure 6.2.15-1 for Reactor Trip
   Sequence Description:
  • Loss of all ECCS functions due to cable fire in S/RV opening circuitry or total loss of AC power feed to Reactor Building
  • Subsequent to fire, Feedwater runs but MSIV's close and IC/IC make-up fails

15. Fire Damage State Initiator: F-4B
   Affected Plant Area: Reactor Building
   Core Melt Time: Late
   Core Melt Frequency/Yr.: 9.58E-7
   % of Total C.M.F.: 1.79
   Sequence Nos. in Event Tree: 7 and 12 on Figure 2.4.3-1 for RT SS#5
   Sequence Description:
  • Fire causes loss of S2 AC power in Reactor Building, failing S2 ECCS and Alt. SDC
  • Subsequent to the fire:
    a) Feedwater runs but IC/IC make-up and SDC fail
    or
    b) Feedwater runs, S/RV sticks open and SDC fails

TOTAL FROM 15 SEQUENCES: 4.36E-5/YR., 81% of C.M.


APPENDIX 6-A

This appendix provides drawings that show all of the critical areas inside the plant. The areas have been further subdivided into fire zones which illustrate the various plant equipment and fire protection features that are contained within each area's zones.


OVERSIZE DOCUMENT PAGE PULLED
SEE APERTURE CARDS
NUMBER OF PAGES:
ACCESSION NUMBER(S):
APERTURE CARD/HARD COPY AVAILABLE FROM RECORD SERVICES BRANCH, TIDC, FTS 492-8989