IR 05000313/2001006
| ML20112F251 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 08/20/2001 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Hunter C (301) 415-1394 | |
| References | |
| IR 2001006 | |
| Download: ML20112F251 (17) | |
Text
1 Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Arkansas Nuclear One Unit 1 Inadequate Fire Protection and Procedures for the North Switchgear Room, Fire Zone 99-M Inspection Report Date:
8/20/2001 Inspection Report:
50-313/01-06 Mean CDP = 4x10-6 Condition Summary
!
Condition description The inspection report 50-313/01-06 (Ref. 1 and 2) indicated that the North Switchgear Room (Fire Zone 99-M) power and control cables associated with redundant trains of equipment, credited in the licensees hazards analysis for achieving and maintaining hot shutdown conditions, were not protected from fire damage by one of the methods specified in Appendix R,Section III. In lieu of providing the Appendix R protection from damage, the licensee credited manual actions to remotely operate equipment necessary for achieving and maintaining hot shutdown.
!
Cause Due to the large number of components that may be affected by a fire, the licensee does not have adequate procedures for these manual actions.
!
Condition duration The deficient condition has been present since the initial commercial operation of the plan Therefore, a PRA year (8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br />) is used for this analysis.
!
Recovery opportunities The B train and swing pumps are lost completely due to a fire, with no recovery opportunitie However, most A train equipment that is lost could be recovered using alternate safe shutdown equipment and procedures. Recoverable equipment includes the turbine-and motor-driven emergency feedwater pumps (P7A and P7B), a service water pump (P4A), a high pressure injection pump (P36A) and an emergency diesel generator (DG1).
Analysis Results
!
Importance The hypothetical fire in the North Switchgear Room (Fire Zone 99-M) would originate in the 4160v train B (green train) switchgear, and disable the switchgear and control cables for the high pressure injection (HPI) pump P36C and swing HPI pump 36B, service water
IR 50-313/01-06
(SW) pump P4C, swing SW pump P4B, decay heat removal (DHR) pump P34A and the emergency diesel generator 2 (DG2) output breaker, as well as control power for EFW turbine-driven pump 7A. In addition, the main feedwater (MFW) turbine driven pump 2 would trip of The fire could propagate to the train A control cables with a probability of non-suppression of 0.3 (see Modeling Assumptions below for details). In addition to the equipment listed above, the SW pump 4A, HPI pump 36A, EFWMDP pump 7B, emergency diesel generator 1 (DG1) and a number of valve control cables could fail due to the hot gasses from the fir However, recovery by local actions for this equipment as well for the EFWTDP pump 7A is possibl The turbine-driven main feedwater pumps would fail without recovery because the main steam isolation valves (MSIVs) close due to loss of instrumentation process signal cables located in the propagation zon The risk significance of the base case is determined by performing a conditional event assessment using the revision 3 SPAR model for ANO (Ref. 4). The base case is analyzed with high quality operating procedures, and the current case is analyzed with available, but poor quality procedure For each case, the transient initiating event frequency is replaced by the initiating fire frequency for one of the two switchgear rooms and the current probability of the base events that are assumed failed (TRUE) are used in the analysi This method is outlined in NUREG/CR-6544, Development of a Methodology for Analyzing Precursors to Earthquake-Initiated or Fire-Initiated Accident Sequences, Section 3.7 (Ref. 3).
The point estimate increase in core damage probability (CDP) is the difference between the point estimate current case and the point estimate base case: 4.1 x 10-6 - 1.6 x 10-7 =
4.0 x 10- The mean increase in core damage probability (mean CDP) is the difference between the mean current case and the mean base case, 4.0 x 10-6.
The Accident Sequence Precursor (ASP) Program acceptance threshold is an importance (CCDP) of 1 x 10-6.
!
Uncertainty The uncertainty about the mean is: 5% bound, 9.6 x 10-8 and 95% bound, 1.6 x 10- This uncertainty range is larger than for most ASP events because the cutsets are overwhelmingly dominated by human failure events.
!
Dominant sequence (Current Case)
The Transient event tree was used to model the fire initiating even The dominant Transient Sequence 22 is shown in Figure TRANS (Sequence 22)
The events and important component failures in TRANS Sequence 22 include:
-
Reactor trips successfully during transient
-
Failure of main feedwater system during transient
-
EFW system fails
IR 50-313/01-06
-
Bleed portion of HPI cooling is successful (PORV opened)
S Insufficient HPI flow
!
Results tables S
Table 1 provides the importance values for some dominant sequence.
S Table 2a provides the event tree sequence logic for the dominant sequence.
S Table 2b defines the nomenclature used in Table 2a.
S Table 3 provides the conditional cut sets for the dominant sequenc S Table 4 provides the definitions and probabilities for the modified and dominant basic events
!
Sensitivity Analyses Sensitivity analyses were made with nonrecovery of the main feedwater pumps and with varying probabilities of non-suppression range from 0.1 to The 0.1 value (one decade higher than the Licensee value) was included only to establish a lower value, but not considered justified as it would require an unreasonably short time for the fire brigade to be on statio The 0.4 value is considered the upper value, based on a longer time on station (15 minutes) with an approximate 30 minutes more to suppress the fire. The point estimate importance value for 0.1 is 1.4 x 10-6 and 5.5 x 10-6 for Use of these values would not have a significant effect on the event importanc The possibility of a LOOP caused by a turbine trip (i.e., a conditional LOOP) was considered and dismisse Since a conditional LOOP would occur at or shortly after the time the main generator tripped, DG1 would have been availabl The control cable for the DG1 output breaker could not fail until the fire propagated to Train A (approximately 48 minutes). By that time, DG1 would normally be running and providing power to Train A safe shutdown equipment.
Modeling Assumptions
!
Assessment summary Due to inadequate provision for fire protection for more than one year, a maximum time of one year is used for the duratio This analysis was made as an initiating event assessment, with a postulated fire occurring in the North Switchgear Room (Fire Zone 99-M) train B and propagating to the train A control cables in the same room, if the fire is not manually suppresse A fire in the North Switchgear Room is not assumed to cause a LOO This agrees with the licensee presentation to the NRC on July 10, 2003 (Ref. 3). For the worst case, a 4kV fire could cause a partial LOOP (not a full LOOP) with a malfunction of protection in train B feede A control cable fire (if fire propagates to train A) has insufficient voltage to challenge the train sourc IR 50-313/01-06
The analysis is dominated by human activities to operate equipment affected by the fir Since many cutsets contain multiple human errors, the dependency among events required significant additions to the analysis rules, as shown in Table Recovery human factors are used, as each task does not appear to require a significant amount of diagnosis activity, as shown in Table 6. The diagnosis analysis is include for the information of the reader, but is quantitatively insignificant. The failure of safety systems is assumed to be annunciated in the control room, and activation of these systems is required in the plant EOP For recovery of motor-driven pumps, local operation of a circuit breaker is nominally the local action required outside Fire Zone 99-M, with all breakers in the same fire zon Performance shaping factors for individual recoveries used in this analysis are shown in Table S The actions for recovery of the SWS pump P4A, HPI pump P36A, EFW MDP 7B and DG1 are relatively simple actions to close circuit breakers. Operation of HPI and the EFW MDP are somewhat complex because they require coordination with the control room to avoid over filling the pressurizer and steam generator, respectively. Each of these human factors probabilities was estimated from operator action human factors worksheets, summarized in Table S The EFW TDP 7A complexity attribute used for estimating the human factors probability factors was higher (PSFs 5 vs. 2 for complexity). This was based on several local actions outside Fire Zone 99-M to assure TDP operation and control, including throttling flow or securing the pump when not needed (i.e., to prevent steam generator overfill).
S The DHR pump could be needed late in some accident sequences. Since the condition of the plant would be well understood by this time and there would be plenty of time for the operator, the human actions for starting this system locally would be nominal.
S The dependencies between the human events would follow the rules presented in the SPAR-H (Ref. 4) methodolog The second human failure event in a cutset has a low dependence, the third a medium dependence and the fourth a high dependenc Table 5 shows the rules used for dependency event analysi The order of human actions would be the order shown in Table S In assessing the time available for operations of safety systems, it was assumed that the Train A systems started initially, and failed after 10 to 20 minutes of operation as the fire (hot gas layer) destroyed the control cables.
S The HEP for actions that have 3 or more negative PSF influences are adjusted by the following equation (which is based on unpublished NRC research):
HEP NHEP PSF NHEP PSF composite composite
(
)1
Where - NHEP = nominal HEP
IR 50-313/01-06
- PSFcomposite = product of performance shaping factors (PSF)
S The ergonomics and work processes for all credited actions are assumed to be nomina Access to the areas needed for recovery actions is not blocked and operators would not be required to wear breathing apparatus.
!
SPAR model used in the analysis The Revision 3 of the Arkansas Nuclear One Standardized Plant Analysis Risk (SPAR)
Model (Ref. 4) was used for this assessmen The SPAR Revision 3 model includes event trees for transients (TRANS), Loss of Offsite Power (LOOP), steam generator tube rupture (SGTR), and small loss of coolant accident (SLOCA). For this conditional assessment all initiating events, other than TRANS are not applicabl Since the fire is not caused by these initiating events, these frequencies are set to zer The transient initiating event (IE-TRANS) frequency is replaced (see below for details of fire-Induced analysis considerations).
!
Fire-induced analysis methodology The fire-induced analysis is based on NUREG/CR-6544 (Ref. 5). For the current case analysis, the product of the initiating fire frequency and the probability of non-suppression replaces the transient event frequency in the conditional assessmen Initiating Fire Frequency - The initiating fire frequency (Fi) was developed from NRC Report RES/OERAB/S02-01 power operation fire event data for severe fires (i.e., fires with duration greater than 5 minutes and were not self-extinguished) in the switchgear room during the 1986-1999 period (Ref. 6), with updated data for 2000-200 The plant Switchgear Room fire frequency is 6.4E-3 for both switchgear rooms (Fire Zone 99-M and Fire Zone 100-N). For the specific Fire Zone 99-M:
Fi = Switchgear Room fire frequency for plant ÷ number of switchgear rooms in the specific plant Fi = 6.4E-3 = 3.2E-3
-
Manual Fire Suppressio Although smoke detectors are installed, automatic suppression is not available for Fire Zone 99-Therefore, manual suppression is the means used by the license The fire brigade was considered well trained and optimum in performanc For this analysis, the trained fire brigade was assumed to be on station in 10 minutes This provides time for suppression of the fire to train A control cables, factoring in smoke detection, fire brigade training, and fire retardants
[mostly thermoset insulation, highly rated cable tray coating (Carboline)] and considering a postulated 4kV energetic fire, distance separation less than 20 feet, and no one hour fire barrier protectio With an NRC estimated time until the fire causes damage to the Train A control cables of 48 minutes, 38 minutes are available for fire suppressio The best estimate value of 0.3 was used for this analysi IR 50-313/01-06
!
Equipment Operability The following table summarizes the status major equipment at ANO-In the basic fire, the switchgear associated with 4160v AC bus A4 is severely damage The fire is assumed to propagate to damage control cables for additional equipmen In addition to the major equipment in the table below, the control cables for many valves found in the SPAR model pass through fire zone 99-These valves were assigned a failure probability of 1.0, rather than TRUE to determine if they appeared in significant cutset Since they did not, the valve failure events were not analyzed for possible recovery action Pump Power Source Basic Fire No Propagation Propagated Fire (Hot Gas)
HPI P36A A3 Will operate normally from the control room.
Operated (on/off) from switchgear room.
HPI P36B A3/A4 Failed, not recoverable HPI P36C A4 Failed, not recoverable SW P4A A3 Will operate normally from the control room Must be started from switchgear room.
SW P4B A3/A4 Failed, not recoverable SW P4C A4 Failed, not recoverable EFW P7A TDP Operable at pum Steam and flow valves failed fully open.
Operable at pum Steam and flow valves failed fully open.
EFW P7B A3 Will operate normally from the control room.
Operable from the breaker in unaffected switchgear room.
DHR P34A A3 Operable from control room.
Operable from the breaker in unaffected switchgear roo Plenty of time.
DHR P34B A4 Failed, not recoverable
!
Modifications to fault trees The recovery of the SWS MDP 4A, HPI MDP 36A, and EFW MDP 7B, and EFW TDP 7A were added by independent base events SWS-XHE-XL-MDP4A, HPI-XHE-XL-MDP36A, EFW-XHE-MDPFIRE, and EFW-XHE-TDPFIRE, respectivel These events were added under the OR gate for the respective pump failure Since LOOP does not occur, the recovery of DG1 was not included as a normal recovery activit These values were estimated above as human factors probabilities.
!
Basic event probability changes
IR 50-313/01-06
Table 4 provides the basic events that were modified to reflect the event condition being analyze The bases for these changes are as follows:
!
Probability changes (Current Case)
S Division B AC Power 4160v Vital Bus (EFW-BAC-LP-A4). Licensee procedures and analyses state that the bus would be de-energize Physical damage to bus work makes it unlikely that the bus could be re-energized.
S Operator fails to open breaker (DCP-XHE-XA-RECMDCR). Breaker control power is failed in all fire cases, recovery has not been analyzed since breaker is not in dominant cutsets.
- Operator Fails to Restart MDP7B (EFW-XHE-XL-MDPFIRE). The value was set as shown in Table Related dependence event is named EFW-XHE-MDPFIRE-LOW.
S Operator Fails to Restart TDP7A (EFW-XHE-XL-TDPFIRE). The value was set as shown in Table Related dependence events include EFW-XHE-XL-TDPFIRE-LOW and EFW-XHE-XL-TDPFIRE-MED.
- Diesel Generator 2 fails to Run (EPS-DGN-FR-DG2) and Diesel Generator 2 fails to Start (EPS-DGN-FS-DG2). This value was set TRUE since the breaker is assumed destroyed in each fire event.
- Probability That the Fire Propagates to Train A (FIRE-PROPAGATE-TRAIN A).
This value was set to 3E-1 and is the probability of non-suppression.
S Operator fails to initiate HPI cooling (HPI-XHE-XM-HPIC). This basic value was not changed from the nominal SPAR mode Difficulty executing the feed portion of bleed and feed is accounted for by HPI-XHE-XL-MDP36 Related dependence events and dependency rules were added because the event can appear in cutsets with other human error Related dependence events are named HPI-XHE-XM-HPIC1 (low dependency) and HPI-XHE-XM-HPIC2 (medium dependency).
S Operator Fails to Restart MDP 36A (HPI-XHE-XL-MDP36A). The value was set as shown in Table Related dependence events are named HPI-XHE-XL-MDP36A-LOW, HPI-XHE-XL-MDP36A-MED and HPI-XHE-XL-MDP36A-HIGH.
- Operator Fails to Restart MDP 4A (SWSI-XHE-XL-MDP4A). The value was set as shown in Table S MFW Unavailable (Assume 20% 0f TRANS are LOMFW)(MFW-SYS-UNAVAIL).
This value was set to TRUE.
S Failure of MFW TDP 1 to Run (MFW-TDP-FR-1). This value was set to TRUE for the cases in which the fire propagates.
S Failure of MFW TDP 2 to Run (MFW-TDP-FR-2). This value was set to TRUE for all case IR 50-313/01-06
S Operator Fails to Recover (Restore) MFW pumps (MFW-XHE-NOREC). This value was set to TRUE, as the MFW pumps are assumed to be unrecoverable whenever the fire propagate S Transient Initiating Event (IE-TRANS). This value was set to the annual fire probability for fire zone 99-M, 3.2E-3/y S All other initiating events were set to zer S Operator Fails to Recover From SLOCA in Short Term (SLOCA-XHE-NOREC).
This value was set to FALSE, as the initiating event IE-SLOCA was set to zero for this analysi S PORV fails to reclose after opening (PPR-SRV-OO-PORV) - This value was set to 2E-3/demand per NUREG/CR-4550.
- PORV/SRVs open during transient (PPR-SRV-CO-TRAN). The general probability of lifting a relief valve is calculated, based on operating experience, to be 4% for all transient Since plant pressure control is much more difficult in this event than in most transients, the 4% value cannot be use No standard methodology or data analysis is available to properly evaluate this probabilit Conservatively, the probability is set to This is consistent with the SPAR model assumption that the PORV opens on all sequences in which EFW is los EFW is lost and then recovered on all successful sequences in this fire analysi This assumes that the operator loses control of plant pressure (i.e., over-injects with HPI or allows the plant to heat-up while recovering an EFW pump) at least once during the event.
- Valves. The following valves are modeled as failed in the propagating cases, based on a review of potentially affected control cable Events unavailabilities were set to 1.0 to ensure that any failed values appeared in cutsets, and could be dealt with in detail (i.e., considering recovery or possible failsafe conditions) if the had an affect on total ris No detailed recovery analysis was performed:
- DHR suction MOV 1410 (DHR-MOV-CC-RCS2)
- DHR suction MOV 1404 (DHR-MOV-CC-RCS3)
- DHR discharge MOV 1400 (DHR-MOV-CC-TRNB)
- EFW TDP steam inlet (EFW-MOV-CC-STM2)
- HPI discharge MOV 1227 (HIP-MOV-CC-1227)
- HPI discharge MOV 1228 (HPI-MOV-CC-1228)
- HPR sump isolation MOV 1406 (HPR-MOV-CC-1406)
- PCS ADV 2676 (PCS-ADV-CC-2676)
- PPR block valve 1000 (PPR-MOV-00-BLK)
- SWS crossover MOV 3640 (SWS-MOV-OO-1B1C)
- SWS crossover MOV 3642 (SWS-MOV-CC-1C1B, SWS-MOV-OO-1C1B)
- SWS crossover MOV 3644 (SWS-MOV-CC-1B1A, SWS-MOV-OO-1B1A)
- SWS crossover MOV 3646 (SWS-MOV-OO-1A1B)
!
Model update
IR 50-313/01-06
The SPAR models for Arkansas Nuclear One Unit 1 were updated to add human factors for diagnosis and recovery of HPI MDP 36A, SWS P4A, EFW MDP 7B, and EFW TDP 7A after a postulated fire and to include the probability that the fire propagates to train The human factors probability was revised for the recovery of DG However, this recovery is not considered to have any effect on the analysis because it was assumed that the postulated fire did not cause a LOO References 1.
NRC Letter, dated August 20, 2001, Arkansas Nuclear One, Units 1 and 2 - NRC Inspection Report 50-313/01-06 and 50-368/01-06. (ADAMS Accession No.
2.
EA-03-016, dated March 25, 2003, Arkansas Nuclear One - NRC Triennial Fire Protection Inspection Report 50-313/01-06; 50-368/01-06 - Preliminary Greater Than Green Finding. (ADAMS Accession No. ML030850061)
3.
EA-03-016, dated July 17, 2003, Regulatory Conference with Entergy Operations, Inc.
Concerning the Arkansas Nuclear One Facility (including: Entergy presentation to NRC, Arkansas Nuclear One Appendix R Regulatory Conference, dated July 10, 2003.(ADAMS Accession No. ML031990085)
4.
Scott T. Beck, Standardized Plant Analysis Risk Model for Arkansas Nuclear One, Unit 1 (ASP PWR D), Revision 3, Idaho National Engineering and Environmental Laboratory, November 2003.
5.
R. J. Budnitz, et al., Development of a Methodology for Analyzing Precursors to Earthquake-Induced and Fire-Induced Accident Sequences, NUREG/CR-6544, U.S.
Nuclear Regulatory Commission, Washington, DC, April 1998.
6.
J. R. Houghton and D. M. Rasmuson, NRC Report RES/OERAB/S02-01, Fire Events Update of U.S. Operating Experience. 1986-1999, U. S. Nuclear Regulatory Commission, Washington DC, January 2002.
7.
J. Walker, Zone 99-M PSA Analysis for Operator Action SDP, Arkansas Nuclear One Calc 02-E-004-01, Rev. 1, March 2002.
8.
NRC Letter, dated 7 April 2004, ANO1 Final Significance Determination for a White Finding and Notice of Violation (NRC IR No. 0-313/01-06; 368/01-06)(ADAMS Accession No. ML040990100)
IR 50-313/01-06
Table Conditional Probabilities Associated with Highest Probability Sequences (Point Estimate)
Event tree name Sequence Number Conditional core damage probability (CCDP)
TRANS
23 2.1E-006 1.4E-006 Total (all sequences)
4.1E-006
Table 2 Event Tree Sequence Logic for Dominant Sequence Event tree name Sequence no.
Logic (/ denotes success; see Table 4b for top event names)
TRANS
23
/RT, MFW-T, EFW, /HPI-COOL, HPI
/RT, MFW-T, EFW, HPI-COOL Table 2 Definitions of Fault Trees Listed in Table 2a
/RT Reactor Trips Successfully During Transient MFW-T Main Feedwater System Fails During Transient EFW Insufficient EFW flow HPI-COOL Failure to provide HPI Cooling (Bleed)
HPI Insufficient HPI flow Table Conditional cut sets for Dominant TRANS Sequences (Point Estimates)
CCDP Percent contribution Minimal cut sets1 Event Tree: TRANS, Sequence 22 1.3E-06 62.1 EFW-XHE-XL-MDPFIRE FIRE-PROPAGATE-TRAINA HPI-XHE-XL-MDP36A-MED EFW-XHE-XL-TDPFIRE-LOW 2.4E-07 11.4 EFW-XHE-XL-MDPFIRE-LOW FIRE-PROPAGATE-TRAINA SWS-XHE-XL-MDP4A-FR EFW-XHE-XL-TDPFIRE-MED Event Tree: TRANS, Sequence 23 1.2E-06 82.1 EFW-XHE-XL-MDPFIRE FIRE-PROPAGATE-TRAINA HPI-XHE-XL-XM-HPIC2 EFW-XHE-XL-TDPFIRE-LOW Notes:
1.
See Table 4 for definitions and probabilities for the basic events.
2.
Total CCDP includes all cut sets (including those not shown in this table).
IR 50-313/01-06
Table Definitions and probabilities for modified and dominant basic events for current case Event name Description Probability/
Frequency Modified ACP-BAC-LP-A4 DIVISION B AC POWER 4160V VITAL BUS A4 FAILS TRUE YES1 ACP-BAC-LP-A3 DIVISION A AC POWER 4160V VITAL BUS A3 FAILS 9.0E-05 NO DCP-XHE-XA-RECMDCR OPERATOR FAILS TO OPEN BRKR LOCALLY FROM UAT 1.0 YES1 DHR-MOV-CC-RCS2 RCS SUCTION MOV 1410 TO DHR FAILS 1.0 YES1 DHR-MOV-CC-RCS3 RCS SUCTION MOV 1404 TO DHR FAILS 1.0 YES1 DHR-MOV-CC-TRNB DHR DISCHARGE MOV 1400 FAILS TO OPEN 1.0 YES1 EFW-MOV-CC-STM2 EFW TDP STM TURBINE INLET ISOL MOV 2663 FAILS TO OPEN 1.0 YES1 EFW-TDP-FR-P7A EFW TDP P7A FAILS TO RUN 2.8E-02 NO EFW-TDP-FS-P7A EFW TDP P7A FAILS TO START 6.8E-03 NO EFW-TDP-TM-P7A EFW TDP P7A FAILS TO UNAVAILABLE DUE TO T&M 6.8E-03 NO EFW-XHE-XL-MDPFIRE OPERATOR FAILS TO RESTORE EFW MDP 7B AFTER A FIRE 4.8E-02 YES2 EFW-XHE-XL-MDPFIRE-LOW OPERATOR FAILS TO RESTORE EFW MDP 7B AFTER A FIRE 9.6E-02 YES2 EFW-XHE-XL-TDPFIRE OPERATOR FAILS TO RESTORE EFW TDP 7A AFTER A FIRE 1.1E-02 YES2 EFW-XHE-XL-TDPFIRE-LOW OPERATOR FAILS TO RESTORE EFW TDP 7A AFTER A FIRE 1.6E-01 YES2 EFW-XHE-XL-TDPFIRE-MED OPERATOR FAILS TO RESTORE EFW TDP 7A AFTER A FIRE 2.4E-01 YES2 EPS-DGN-FR-DG2 DIESEL GENERATOR 2 FAILS TO RUN TRUE YES1 EPS-DGN-XR-DG1 OPERATOR FAILS TO RESTORE DG1 TRUE YES2 HPI-MDP-CF-RUN COMMON CAUSE FAILURE OF HPI MDPS TO RUN 7.8E-04 NO HPI-MDP-TM-36A HPI MDP 36A UNAVAILABLE DUE TO T&M 9.4E-03 NO HPI-MDP-FS-36A HPI MDP 36A FAILS TO START 3.0E-03 NO HPI-MOV-CC-1227 HPI DISCHARGE MOV 1227 TO HDR B/CL B FAILS 1.0 YES1 HPI-MOV-CC-1228 HPI DISCHARGE MOV 1228 TO HDR A/CL B FAILS 1.0 YES1 HPI-XHE-XL-MDP36A-LOW Failure to recover HPI pump 36A in a fire 9.6E-02 YES2 HPI-XHE-XL-MDP36A-HIGH Failure to recover HPI pump 36A in a fire 5.2E-01 YES2 HPI-XHE-XL-MDP36A-FR Failure to recover HPI pump 36A in a fire 4.9E-02 YES2 HPI-XHE-XL-MDP36A-MED Failure to recover HPI pump 36A in a fire 1.8E-02 YES2
IR 50-313/01-06 Event name Description Probability/
Frequency Modified
HPI-XHE-XL-MDP36B-FR Failure to recover HPI pump 36B in a fire TRUE YES1 HPR-MOV-CC-1406 SUMP ISOLATION MOV 1406 FAILS TO OPEN 1.0 YES1 HPR-MOV-CC-TRNA MOV 1276 FAILS TO OPEN 3.0E-03 NO HPR-MOV-VF-CESMPA SUMP TRAIN A DISCHARGE VALVES FAIL 3.0E-03 NO HPR-XHE-XM OPERATOR FAILS TO INITIATE HIGH PRESSURE RECIRC 2.0E-03 NO ICW-XHE-XA-E28B OPERATOR FAILS TO ALIGN STANDBY ICW COOLER E28B TO LOOP I 1.0 YES1 IE-ACBA3 INITIATING EVENT-LOSS OF VITAL AC BUS (A3)
0.00 YES4 IE-DHR-DIS-V ISLOCA COLD LEG ISOLATION DISCHARGE MOV INITIATING EVENT 0.00 YES4 IE-DHR-SUC-V ISLOCA HOT LEG SUCTION MOV INITIATING EVENT 0.00 YES4 IE-HPIA-DIS-V HPI TRAIN A DISCHARGE ISLOCA INITIATING EVENT 0.00 YES4 IE-HPIB-DIS-V HPI TRAIN B DISCHARGE ISLOCA INITIATING EVENT 0.00 YES4 IE-LLOCA LARGE LOSS OF COOLANT ACCIDENT INITIAT. EVENT 0.00 YES4 IE-LODIP LOSS OF DC BUS INITIATING EVENT 0.00 YES4 IE-LOOP LOSS OF OFFSITE POWER INITIATING EVENT 0.00 YES4 IE-LOSWS LOSS OF SERVICE WATER INITIATING EVENT 0.00 YES4 IE-MLOCA MEDIUM LOSS OF COOLANT ACCIDENT INITIAT. EVENT 0.00 YES4 IE-SGTR STEAM GENERATOR TUBE RUPTURE INITIATING EVENT 0.00 YES4 IE-SLOCA SMALL LOSS OF COOLANT ACCIDENT INITIATING EVENT 0.00 YES4 IE-TRANS TRANSIENT INITIATING EVENT (FIRE)
3.2E-03 YES5 MFW-XHE-NOREC OPERATOR FAILS TO RECOVER MAIN FEEDWATER TRUE YES1 MFW-SYS-UNAVAIL MAIN FEEDWATER SYTEM UNAVAILABLE (ASSUME 20% OF TRANSIENT ARE LOMFW)
TRUE YES1 MFW-TDP-FR-1 FAILURE OF MFW TDP 1 TO RUN TRUE YES1 MFW-TDP-FR-2 FAILURE OF MFW TDP 2 TO RUN TRUE YES1 PCS-ADV-CC-2676 FAILURE OF STEAM GENERATOR A ADV 2676 TRUE YES7 PPR-MOV-OO-BLK PORV BLOCK VALVE FAILS TO CLOSE TRUE YES1
IR 50-313/01-06 Event name Description Probability/
Frequency Modified
PPR-SRV-CO-TRAN PORV/SRVs OPEN DURING TRANSIENT 1.0 YES1 SWS-MDP-FS-P4A SERVICE WATER MDP P4A FAILS TO START 3.0E-03 NO SWS-MOV-CC-1B1A SWS CROSSOVER MOV 3644 FAILS TO OPEN 1.0 YES1 SWS-MOV-CC-1C1B SWS CROSSOVER MOV 3642 FAILS TO OPEN 1.0 YES1 SWS-MOV-OO-1A1B SWS CROSSOVER MOV 3646 FAILS TO CLOSE 1.0 YES1 SWS-MOV-OO-1B1A SWS CROSSOVER MOV 3644 FAILS TO CLOSE 1.0 YES1 SWS-MOV-OO-1B1C SWS CROSSOVER MOV 3640 FAILS TO CLOSE 1.0 YES1 SWS-MOV-OO-1C1B SWS CROSSOVER MOV 3642 FAILS TO CLOSE 1.0 YES1 SWS-MOV-OO-ACW FAILURE TO ISOLATE THE ACW FROM SWS (MOV 3643)
1.0 YES1 SWS-XHE-XL-MDP4A-FR Failure to recover SW pump 4A in a fire 1.1E-02 YES2 SWS-XHE-XL-MDP4B-FR Failure to recover SW pump 4B in a fire TRUE YES1 Notes:
1.
Base events set to TRUE or 1.0 reflect the failed position, if applicable, for this analysis.
2.
The probability was determined from human factors work sheets.
3.
The probability for non-suppression (current case) was derived from the time for the fire brigade on station and the time available to suppress the fire.
4.
Initiating event frequencies set to zero for this analysis.
5.
Transient initiating event frequency revised to reflect the initiating fire frequency.
6.
Identifies dominant sequence cutset base events that were not revised.
7.
Base event set to FALSE to reflect that this event has no applicability to this analysis as the IE-SLOCA was set to zer IR 50-313/01-06
Table SPAR Model Rules for Substituting Dependent Events Added to the model to handle the actions following a fire in lZone 99M elsif HPI-XHE-XM-HPIC * EFW-XHE-XL-MDPFIRE * EFW-XHE-XL-TDPFIRE then DeleteEvent = HPI-XHE-XM-HPIC; AddEvent = HPI-XHE-XM-HPIC2; DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-LOW; elsif HPI-XHE-XM-HPIC * EFW-XHE-XL-MDPFIRE then DeleteEvent = HPI-XHE-XM-HPIC; AddEvent = HPI-XHE-XM-HPIC1; elsif HPI-XHE-XM-HPIC * EFW-XHE-XL-TDPFIRE then DeleteEvent = HPI-XHE-XM-HPIC; AddEvent = HPI-XHE-XM-HPIC1; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-MDPFIRE * EFW-XHE-XL-TDPFIRE *
HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-HIGH; DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-MED; DeleteEvent = EFW-XHE-XL-MDPFIRE; AddEvent = EFW-XHE-XL-MDPFIRE-LOW; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-MDPFIRE * EFW-XHE-XL-TDPFIRE then DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-MED; DeleteEvent = EFW-XHE-XL-MDPFIRE; AddEvent = EFW-XHE-XL-MDPFIRE-LOW; elsif EFW-XHE-XL-MDPFIRE * EFW-XHE-XL-TDPFIRE * HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-MED; DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-LOW; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-MDPFIRE * HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-MED; DeleteEvent = EFW-XHE-XL-MDPFIRE; AddEvent = EFW-XHE-XL-MDPFIRE-LOW; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-TDPFIRE * HPI-XHE-XL-MDP36A-FR then
IR 50-313/01-06
DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-MED; DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-LOW; elsif EFW-XHE-XL-MDPFIRE * EFW-XHE-XL-TDPFIRE then DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-LOW; elsif SWS-XHE-XL-MDP4A-FR * HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-LOW; elsif EFW-XHE-XL-TDPFIRE * HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-LOW; elsif EFW-XHE-XL-MDPFIRE * HPI-XHE-XL-MDP36A-FR then DeleteEvent = HPI-XHE-XL-MDP36A-FR; AddEvent = HPI-XHE-XL-MDP36A-LOW; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-MDPFIRE then DeleteEvent = EFW-XHE-XL-MDPFIRE; AddEvent = EFW-XHE-XL-MDPFIRE-LOW; elsif SWS-XHE-XL-MDP4A-FR * EFW-XHE-XL-TDPFIRE then DeleteEvent = EFW-XHE-XL-TDPFIRE; AddEvent = EFW-XHE-XL-TDPFIRE-LOW; endif
Table Summary of the Human Reliability Analysis for Operator Recovery Actions Ref: SPAR Human Error Worksheet for Full Power Operations, taken from INEEL/EXT-02-10307, SPAR-H Method, November 2002 Time Stress Complexity Experience/Training Procedures Ergonomics Fitness Work Process DIAGNOSTIC Time Stress Complexity Experience/Training Procedures Ergonomics Fitness Work Process ACTION Adjusted Action TOTAL Low Dependency Medium Dependency High Dependency EDG & SW - good procedures
2 0.1 0.5 0.5
1
2
1
1
1 2E-3 2.5E-3 EDG &SW - inadequate procedures
2 0.1 0.5 0.5
1
2
1
1
1 1E-2 1.1E-2 MDAFW - good procedures
2 0.1 0.5 0.5
1
2
1
1
1 4E-3 4.5E-3 5.4E-2 MDAFW - inadequate procedures
2 0.1 0.5 0.5
1
5
1
1
1 5E-2 5E-2 4.8E-2 9.6E-2 TDAFW - good procedures
5 0.1 0.5 0.5
1
2
1
1
1 1E-2 1.1E-2 6.1E-2 1.5E-1 TDAFW - inadequate procedures
5 0.1 0.5 0.5
1
5
1
1
1 1E-1 1E-1 1.1E-1 1.6E-1 2.4E-1 HPI - good procedures
5 0.1 0.5 0.5
1
2
1
1
1 4E-3 4E-3 5.2E-3 5.5E-2 1.5E-1 5.0E-1 HPI - inadequate procedures
5 0.1 0.5 0.5
1
5
1
1
1 5E-2 5E-2 4.9E-2 9.6E-2 1.8E-1 5.2E-1
Figure Trans Sequence 22 HPR HPR PRESSURE RECIRCULATION DHR DECAY HEAT REMOVAL COOLDOWN SECONDARY SIDE RCS COOLDOWN SGCOOL SECONDARY COOLING RECOVERED HPI HIGH PRESSURE INJECTION HPI-COOL BLEED PORTION OF HPI COOLING RCPSL-TRANS RCP SEALS INTACT PORV-RES PORVs RESEAT PORV NO PORVs OPEN EFW EMERGENCY FEEDW ATER SYSTEM MFW -T MAIN FEEDW ATER SYSTEM RT REACTOR TRIP IE-FIRE FIRE TRANSIENT
2 T
4
6
8
10 11 T
13
15
17
19
21
23 24 T