ML030850061
| ML030850061 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  (DPR-051, NPF-006) |
| Issue date: | 03/25/2003 |
| From: | Chamberlain D Division of Reactor Safety I |
| To: | Anderson C Entergy Operations |
| References | |
| EA-03-016, FOIA/PA-2003-0358 IR-01-006 | |
| Download: ML030850061 (12) | |
See also: IR 05000313/2001006
Text
March 25, 2003
Craig G. Anderson, Vice President,
Operations
Arkansas Nuclear One
Entergy Operations, Inc.
1448 S.R. 333
Russellville, Arkansas 72801-0967
SUBJECT:
ARKANSAS NUCLEAR ONE - NRC TRIENNIAL FIRE PROTECTION
INSPECTION REPORT 50-313/01-06; 50-368/01-06 - PRELIMINARY
GREATER THAN GREEN FINDING
Dear Mr. Anderson:
On August 20, 2001, the NRC issued the subject triennial fire protection report, which
discussed a finding concerning the acceptability of your use of operator actions to remotely
operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing
protection to the cables associated with that equipment, as a method of complying with
10 CFR Part 50, Appendix R,Section III.G.2. This finding was unresolved pending further NRC
review of your licensing basis and a determination of its risk significance. By letter dated
April 15, 2002, in response to your backfit claim, the NRC informed you that this finding was not
a backfit, and reclassified the unresolved item as an apparent violation, pending NRCs
assessment of the risk.
Using the Significance Determination Process described in NRC Inspection Manual
Chapter 0609, this finding was preliminarily determined to be Greater Than Green
(i.e., a finding whose safety significance is greater than very low). A significance of Greater
Than Green may result in additional NRC inspection and other NRC action. The NRC
assessed this finding using the best available information, including influential assumptions. As
indicated in the enclosed Significance Determination Process Phase 3 Summary, the
preliminary significance of this finding was due to the number of safe shutdown components
potentially affected as a result of fire (e.g., main feedwater, high pressure injection, emergency
ac power, and emergency feedwater), the ability of your fire brigade to manually suppress the
fire before damage to safe shutdown components occurs, and the uncertainty regarding the
timing and impact that potential failures may have on the operators ability to accomplish
required shutdown functions in time to prevent core damage.
Entergy Operations, Inc.
-2-
There were some differences between your safety assessment and the significance
determination performed by the NRC. These differences include the method for determining
fire duration and severity, heat release rates, the fire ignition frequency, and operator recovery
of critical shutdown functions. Your analysts used the FIVE (fire-induced vulnerability
evaluation developed by the Electric Power Resource Institute) methodology, whereas NRC
analysts used the consolidated fire growth and smoke transport (CFAST) model to assess fire
duration and fire severity. The NRC analysts assumed higher heat release rates (200-500 kW
vs.70-200 kW). Consequently, in the NRC analysis, the time to reach critical temperatures
was shorter; therefore, the likelihood for success of manual suppression capabilities was
reduced. In addition, the heat release rates used by the NRC analyst resulted in an increased
likelihood that both the emergency feedwater and high pressure injection functions would be
affected by a fire. Finally, the NRC considered the added risk from other fire areas affected by
this finding, which may warrant an increase in the final significance of the finding. A more
detailed discussion of the NRCs significance determination is included in the Enclosure. As a
result of these differences, the NRC has preliminarily characterized this finding as Greater Than
Green until the differences can be understood.
The finding is also an apparent violation of NRC requirements and is being considered for
escalated enforcement action in accordance with the "General Statement of Policy and
Procedure for NRC Enforcement Actions" (Enforcement Policy), NUREG-1600. The current
Enforcement Policy is included on the NRCs website at www.nrc.gov/OE.
Since the NRC has not made a final determination in this matter, no Notice of Violation is being
issued for this inspection finding at this time. In addition, please be advised that the
characterization of the apparent violation may change as a result of further NRC review.
Before we make a final decision regarding the significance of this finding, we are providing you
the opportunity to present to the NRC your perspectives concerning the facts and assumptions
used by the NRC in its significance determination at a Regulatory Conference or through the
submittal to the NRC of your position on the finding in writing. By letter dated February 8, 2003,
you provided new technical information that you requested be considered before a final
decision is made. If a Regulatory Conference is chosen, we invite you to present this new
technical information at that time, and discuss how it affects the significance determination of
the finding. Of course, we will consider this information whether or not you request a
Regulatory Conference. If you choose to request a Regulatory Conference, it should be held
within 30 days of the receipt of this letter, and we encourage you to submit supporting
documentation at least one week prior to the conference in an effort to make the conference
more efficient and effective. If a Regulatory Conference is held, it will be open for public
observation. If you decide to submit only a written response, such submittal should be sent to
the NRC within 30 days of the receipt of this letter.
Please contact Charles Marschall at 817-860-8185 within 10 business days of the date of
receipt of this letter to notify the NRC of your intentions. If we have not heard from you within
10 days, we will continue with our significance determination and enforcement decision and you
will be advised by separate correspondence of the results of our deliberations on this matter.
Entergy Operations, Inc.
-3-
In accordance with 10 CFR 2.790 of the NRCs Rules of Practice, a copy of this letter
and its enclosures will be available electronically for public inspection in the NRC Public
Document Room or from the Publicly Available Records (PARS) component of NRCs
document system (ADAMS). ADAMS is accessible from the NRC Web site at
http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room).
Sincerely,
/RA/
Dwight D. Chamberlain, Director
Division of Reactor Safety
Dockets: 50-313; 50-368
Enclosure: SDP Phase 3 Summary
cc:
Executive Vice President
& Chief Operating Officer
Entergy Operations, Inc.
P.O. Box 31995
Jackson, Mississippi 39286-1995
Vice President
Operations Support
Entergy Operations, Inc.
P.O. Box 31995
Jackson, Mississippi 39286-1995
Manager, Washington Nuclear Operations
ABB Combustion Engineering Nuclear
Power
12300 Twinbrook Parkway, Suite 330
Rockville, Maryland 20852
County Judge of Pope County
Pope County Courthouse
100 West Main Street
Russellville, Arkansas 72801
Winston & Strawn
1400 L Street, N.W.
Washington, DC 20005-3502
Entergy Operations, Inc.
-4-
Bernard Bevill
Radiation Control Team Leader
Division of Radiation Control and
Emergency Management
4815 West Markham Street, Mail Slot 30
Little Rock, Arkansas 72205-3867
Mike Schoppman
Framatome ANP, Inc.
Suite 705
1911 North Fort Myer Drive
Rosslyn, Virginia 22209
Entergy Operations, Inc.
-5-
Electronic distribution by RIV:
Regional Administrator (EWM)
Deputy Regional Administrator (TPG)
DRP Director (ATH)
DRS Director (DDC)
Deputy Director, DRP (GMG)
Branch Chief, DRP/D (LJS)
Branch Chief, DRS/EMB (CSM)
Senior Resident Inspector (RLB3)
Senior Project Engineer, DRP/D (JAC)
Staff Chief, DRP/TSS (PHH)
RITS Coordinator (NBH)
K. Smith, Region IV (KDS1)
G. Sanborn, D:ACES, Region IV (GFS)
M. Vasquez, ACES, Region IV (GMV)
W. Maier, Region IV (WAM)
S. Morris, OEDO, RIV Coordinator (SAM1)
B. McDermott, OEDO (BJM)
R. Larson, OEDO (RKL)
J. Hannon, NRR (JNH)
L. Dudes, NRR (LAD)
T. Alexion, NRR (TWA)
J. Dixon-Herrity, OE (JLD)
OEMAIL
DOCUMENT: R:\\_ano\\2001\\an0106choice-rln.wpd
RIV:DRS/EMB
C:DRS/PSB
C:DRS/EMB
C:DRP/D
D:ACES
- RLNease/lmb
- TWPruett
CSMarschall
- LJSmith
- GFSanborn
/RA/
/RA/
/RA/
/RA/
/RA/
3/24/03
3/24/03
3/24/03
3/24/03
3/24/03
C:NRR/SPLB
D:DRS
JNHannon
DDChamberlain
E /RA/
/RA/
3/24/03
3/25/03
OFFICIAL RECORD COPY
T=Telephone E=E-mail F=Fax
- Previously concurred
ENCLOSURE
Significance Determination Process
Phase 3 Summary
A.
Overview of Issue
The installed configurations of equipment and cabling in the Arkansas Nuclear One
(ANO), Unit 1, diesel generator corridor (Fire Zone 98J) and the north electrical
switchgear room (Fire Zone 99M) did not ensure that cables associated with redundant
trains of safe shutdown equipment were free of fire damage as required by 10 CFR Part 50, Appendix R,Section III.G.2. In lieu of providing this protection from fire
damage, the licensee credited manual actions to remotely operate equipment necessary
for achieving and maintaining hot shutdown. In addition, the licensee did not have
adequate procedures for the manual actions necessary to achieve safe shutdown. The
licensee credited a symptom-based approach, which relied on the operators ability to
detect each failure or mis-operation as it occurred and then perform manual actions as
necessary to mitigate the effects. Although symptom-based procedures can be
acceptable, the NRC determined that the licensee's strategy for implementing manual
actions to mitigate a postulated fire in the ANO, Unit 1 diesel generator corridor and the
north electrical switchgear room was inadequate. This conclusion was based on (1) the
number of components that may be affected as a result of fire, (2) the uncertainty
regarding the timing of the actions, and (3) the synergistic impact that potential failures
may have on the operators ability to accomplish required shutdown functions in
response to a postulated fire in the ANO, Unit 1 diesel generator corridor and the north
electrical switchgear room.
B.
Results of Phase 3 Risk Analysis
A Phase 2 risk analysis using NRC Manual Chapter 0609, Significance Determination
Process, Appendix F, Determining Potential Risk Significance of Fire Protection and
Post-fire Safe Shutdown Inspection Findings, was required, because the issue involved
fire protection defense in depth. Depending on the assumptions, especially those
involving human performance, the results of the Phase 2 analysis varied between very
low safety significance and high safety significance. Therefore, a Phase 3 analysis was
required.
NRC analysts reviewed the licensee's risk analysis, which was performed using the Fire-
Induced Vulnerability Evaluation (FIVE) methodology developed by the Electric Power
Research Institute (EPRI) for determining fire duration and severity. The licensee's
analysis resulted in an increased time for reaching temperatures at which cables could
be damaged. Because the time to reach critical temperatures was more than 20
minutes, the licensee assumed that manual fire suppression would be successful.
However, the licensee did not credit manual suppression capability in the determination
of the conditional core damage probability results. In addition, the licensee's risk
analysts used heat release rates of 70-200 kW in assessing the potential for fire
damage in the affected fire zones, which resulted in a determination by the licensee that
a fire in Fire Zone 99-M would not simultaneously affect the emergency feedwater and
high pressure injection functions. Source documents used by the licensee included
-2-
EPRI TR-105928, "EPRI Fire PRA Implementation Guide," EPRI TR-10043, "Methods of
Quantitative Fire Hazards Analysis," and EPRI Report SU-105928, Supplemental to
EPRI Fire Implementation Guide (TR-105928).
The heat release rates (200-500 kW) used by the NRC analysts to assess the potential
for fire duration and severity were higher than those used by the licensee. The heat
release rates used by the NRC were based on data from actual fire events similar to the
type of fire postulated in this finding (see Section F, "References," of this Enclosure).
As a result, the time to reach critical temperatures was quicker and the likelihood for
success of manual suppression capabilities was reduced. Additionally, the higher heat
release rates resulted in an increased likelihood that both the emergency feedwater and
high pressure injection functions would be affected by a fire in Zone 99-M.
The NRC analysts utilized the consolidated fire growth and smoke transport (CFAST)
model to develop a fire hazards analysis, using as input, licensee-provided information
concerning the ignition frequencies and the conditional core damage probability for a fire
with and without operator recovery actions. A human reliability screening analysis for
the manual operator actions was performed using INEEL/EXT-99-0041, Revision of the
1994 ASP HRA Methodology (Draft), dated January 1999. The NRC analysts also
completed a qualitative assessment of similarly affected fire areas to determine if an
increase in the final significance determination process result was warranted.
The NRC analysts determined that multiple redundant trains of mitigating equipment
(main feedwater, high pressure injection, emergency ac power, and emergency
feedwater) could potentially be affected by a fire in Fire Zone 99M. In reviewing the
results of each accident sequence, it was concluded that the significance of the finding
was primarily attributed to a failure of emergency feedwater and feed and bleed
capability.
The more significant influential assumptions involved: (1) the human error probability for
successful recovery of failed equipment due to the symptomatic operator response to a
fire in the affected areas and the large number of operator actions, and (2) the heat
release rate associated with the fire and corresponding failure probability associated
with manual fire suppression.
Lowering the human error probability directly impacted the core damage frequency
calculation; therefore, several sensitivity analyses were completed using a wide
spectrum of human error probability values. Additionally, the NRC analysts noted that
the licensees human reliability analysis values were derived for a non-fire event;
therefore, the base human error probability values for the affected recovery actions were
increased. The net increase in the core damage frequency was attributed to the failure
to provide adequate alternate shutdown procedures given a fire in Zone 99-M.
A reduction in the heat release rate would extend the time required to reach critical
temperatures. An extension in the time to reach critical temperatures to beyond
20 minutes could result in fewer affected components and lower the failure probability
for manual fire suppression. Nevertheless, the NRC analysts determined that a
-3-
reduction in the heat release rate was not appropriate given the data collected from
industry events, which involved energetic switchgear fires.
The sensitivity analyses were completed using licensee-calculated conditional core
damage probability values, which corresponded to various combinations of human error
probabilities. The NRC analysts determined that the calculated increase in core
damage frequency for Fire Zone 99-M was in the range of 7E-6/year to 2E-5/year. The
NRC analysts qualitatively determined that an additional increase in the core damage
frequency was warranted due to the existence of additional fire zones at the facility,
which also credited the use of operator recovery actions. The increase in the core
damage frequency from these additional fire zones warranted a proposed significance
determination of Greater Than Green (i.e., a finding whose safety significance is greater
than very low).
C.
Human Reliability Screening Analysis
The NRC determined that the licensee had not implemented appropriate procedural
controls for a fire in Fire Zones 99-M (north electrical switchgear room) and 98-J (diesel
generator corridor). Specifically, the licensee relied solely on a symptomatic response
to a fire in these areas. For example, if a control room operator became aware of a loss
of feedwater condition, then operators would respond by aligning emergency feedwater
from either the control room or locally. This approach differed from other alternate
shutdown areas of the plant. For these areas, specific procedural guidance (Procedure
1203.002, Alternate Shutdown) existed to direct the operators to isolate and then
restore potentially affected components.
The following four broad classes of operator actions were evaluated:
1.
Manual alignment of emergency feedwater to the steam generators.
2.
Restoration of service water to the affected diesel generators.
3.
Isolation of letdown flow and inventory control.
4.
Local start of an diesel generators without dc control power.
For each of the above classes, an operator would be required to successfully diagnose
the system failure, determine the appropriate procedure, and then take the appropriate
series of operator actions to mitigate the failure. There were several complicating
factors in completing the analysis because the operator actions would be required
during or following a major fire. Specifically, the fire could result in: (1) inaccurate
indications associated with critical plant parameters, (2) spurious actuation of plant
equipment, which could be detrimental to the event, (3) failure of plant equipment to
respond automatically, (4) inability to remotely operate plant equipment from the main
control room, and (5) previously implemented operator actions could become
over-ridden by subsequent operator actions through the use of multiple procedures in
lieu of a single prioritized procedure.
An Extreme Stress classification was used for each class of operator actions. This
level of stress is likely to occur when the onset of the stressor is sudden and the
stressing situation persists for long periods.
-4-
An Available, But Poor classification was used for the procedural actions necessary to
recover failed or degraded mitigating equipment. This classification is used for
conditions where a procedure is available but inadequate. This classification level was
chosen because the licensee planned to utilize a symptomatic operator response to fire-
damaged equipment, in lieu of having a pre-planned shutdown procedure. If properly
diagnosed, procedures existed for operators to implement the individual system
recovery actions. However, there may be dependencies between the procedures, which
are not accounted for. Specifically, to recover ac power, the operators may need to
open the individual breakers on various switchgear. This activity could affect other
operator actions that may be required to restore mitigating systems. A single
pre-planned procedure would account for the dependencies between procedures such
that subsequent recovery actions do not adversely affect previously-performed required
recovery actions.
A Barely Adequate Time classification was used for diagnosing a loss of flow to the
steam generators and establishing emergency feedwater flow. This classification level
was chosen based on the potential for indications and controls not being available in the
control room. The timing associated with initiating emergency feedwater flow is
dependent on operator actions to secure reactor coolant pumps. In addition, the flow
rate to the steam generators must be controlled to prevent over-cooling and shrinkage
of the reactor coolant system.
A Barely Adequate Time classification was used for diagnosing a loss of service water
to the diesel generators, and for securing the affected diesel generators. Diesel
generators without service water flow must be secured within 7 minutes to prevent
overheating and mechanical damage. The failure to secure the diesel generators could
potentially prevent recovery of an emergency ac power source.
A Barely Adequate Time classification was used for diagnosing the failure of letdown
to isolate, and taking manual action to secure letdown. If letdown is isolated within
4 minutes, then inventory control may not be required for 40 minutes. The failure to
isolate letdown directly impacts the time available to initiate inventory control.
A Highly Complex classification was used for a local start of the diesel generators
without dc power. This procedure is infrequently performed, requires a high degree of
skill, and includes multiple steps to complete.
A Moderately Complex classification was used for a local manual start of an
emergency feedwater pump and for local manual control of emergency feedwater flow
to a steam generator. This activity is infrequently performed and would require constant
communication with personnel monitoring important plant parameters to ensure the
appropriate heat removal rate was maintained.
Limited personnel would be available during the first hour following a fire. Two
individuals would be available for field operations (one main control room reactor
operator and one auxiliary operator). The remaining personnel would be assigned other
functions. Specifically, the shift manager would be assigned emergency response
organization duties, the control room supervisor and one reactor operator would remain
-5-
in the main control room, the waste control operator and one auxiliary operator would be
assigned to the fire brigade. The shift engineer would be available to provide assistance
where necessary, but cannot operate equipment. A Unit 2 operator could be dispatched
to start the alternate diesel generator; however, the licensee did not credit the use of
Unit 2 operators in the performance of Unit 1 plant manipulations.
The NRC analysts determined that one operator would need to be dedicated to the
restoration of emergency feedwater and the operation of the emergency feedwater flow
control valves. The remaining operator would be required to complete all other
evolutions (Isolate letdown, local start of the diesel generator, and all breaker
manipulations). In contrast, the alternate shutdown procedure requires four operators,
as a minimum, for successful completion. The NRC analysts determined that the
majority of actions specified in the alternate shutdown procedure could be required for a
major fire in Fire Areas 98J or 99M.
Recovery Action
Diagnosis
Failure
Probability
Action Failure Probability
Task Failure Probability
Without Formal
Dependence
Without
Procedure
With
Procedure
Without
Procedure
With
Procedure
Establish
emergency
0.5
0.5
0.1
1.0
0.6
Secure diesel
generator without
0.5
0.25
0.05
0.75
0.55
Local diesel
generator start
0.05
0.125
0.025
0.18
0.075
Isolate letdown and
inventory control
0.5
0.25
0.05
0.75
0.55
D.
Sensitivity Analysis
A wide spectrum of sensitivity analyses were completed using the licensees conditional
core damage probability values, which corresponded to various combinations of human
error probabilities. The NRC analysts determined that the calculated increase in core
damage frequency for Fire Zone 99-M would, most likely, be in the range of 7E-6 to
2E-5. The NRC analysts qualitatively determined that an additional increase in the core
damage frequency was warranted due the existence of other fire zones at the facility in
which the licensee credited the use of operator recovery actions in lieu of meeting
10 CFR Part 50, Appendix R,Section III.G.2 separation. The increase in the core
damage frequency from these additional fire zones warranted a proposed significance
determination of Greater Than Green (i.e., a finding whose safety significance is greater
than very low).
-6-
The licensees human reliability analysis was completed for non-fire conditions. The
dominate recovery actions for a fire in Zone 99-M involved the establishment of
emergency feedwater, the restoration of electrical power, and the establishment of feed
and bleed capability. The associated non-fire human error probabilities for these
recovery actions were 1.86E-1 for emergency feedwater, 1.0E-1 for electrical power,
and 6.0E-3 for feed and bleed. The revised human reliability analysis estimate from the
licensee included human error probability values of 2.6E-1 for emergency feedwater,
1.0E-1 for electric power, and 3.2E-1 for feed and bleed.
The NRC analysts completed a simplified human reliability analysis screening analysis
using INEEL/EXT-99-0041, Revision of the 1994 ASP HRA Methodology (Draft),
January of 1999. The human error probability values, assuming that procedures were
available but poor, were 1.0 for emergency feedwater, 7.5E-1 for electric power, and
7.5E-1 for feed and bleed. The human error probability values using the assumption
that procedures were adequate were 6.0E-1 for emergency feedwater, 5.5E-1 for
electric power, and 5.5E-1 for feed and bleed.
E.
Qualitative Assessment of Other Fire Areas
A qualitative analysis of similarly-affected fire zones in Unit 1 and Unit 2 was performed
by the NRC analysts. The analysts compared 15 fire zones in Unit 1, which required
manual recovery actions for safe shutdown to Calculation 85-E-0053-47, Individual
Plant Examination of External Events/Fire, Revision 2, to determine which fire zones
were unscreened as part of the FIVE analysis. The analysts also compared the 21 fire
zones in Unit 2, which required manual recovery actions for safe shutdown to
Calculation 85-E-0053-48, Individual Plant Examination of External Events/Fire,
Revision 2, to determine which fire zones were unscreened as part of the FIVE analysis.
Those fire zones that did not screen out in the licensee's FIVE analysis were considered
further, as described below.
The remaining fire zones affected by this finding were reviewed for the presence of
automatic suppression capability. The NRC's quantitative analysis of Fire Zones 98J
and 99M determined that the finding in Fire Zone 98-J was of low safety significance
partially due to the availability of automatic suppression capability. The analysis of Fire
Zone 99-M resulted in the finding having a safety significance greater than very low
(Greater Than Green), partially due to the lack of automatic suppression capability.
Based on this, the NRC analysts determined that for other fire zones affected by this
finding, the significance would be reduced for those with automatic suppression.
The NRC analysts determined that Fire Zones 98-J and 99-M had ignition frequencies
between 2E-3 and 4E-3 and that both fire zones included multiple redundant trains of
safe shut down equipment. The analysts determined the significance of a fire in a
particular fire zone would be reduced if multiple redundant trains of equipment were not
affected, or if the fire zone had a relatively low ignition frequency (less than 1E-3).
Accordingly, fire zones were qualitatively removed from further consideration if any of
the following conditions existed: the ignition frequency was less than 1E-3, the affected
area had automatic suppression capability, or multiple redundant trains of safe
-7-
shutdown equipment were not affected by a postulated fire. The NRC analysts
qualitatively determined that 2 additional fire zones in Unit 1 (Fire Zones 104-S and
100-N) had a safety significance that could be greater than very low (Greater Than
Green). The NRC analysts also qualitatively determined that 4 fire zones in Unit 2 (Fire
Zones 2100-Z, 2096-M, 2091-BB, and 2040-JJ) had a safety significance that could be
greater than very low (Greater Than Green). Based on this, the NRC determined that
escalation of the quantitative result of greater than very low (Greater Than Green) safety
significance may be warranted.
F.
References
ANO Calculation 85-E-0053-47, Individual Plant Examination of External Events/Fire
(Unit 1), Revision 2
ANO Calculation 85-E-0053-48, Individual Plant Examination of External Events/Fire
(Unit 2), Revision 2
EPRI TR-105928, "EPRI Fire PRA Implementation Guide"
EPRI TR-10043, "Methods of Quantitative Fire Hazards Analysis"
EPRI Report SU-105928, Supplemental to EPRI Fire Implementation Guide
(TR-105928)
INEEL/EXT-99-0041, Revision of the 1994 ASP HRA Methodology (Draft), dated
January 1999.
NUREG/CR-4527, "An Experimental Investigation of Internally Ignited Fires in Nuclear
Power Plant Control Cabinets, Part II: Room Effects Tests," Volume 2, November 1988,
Tests #23 and 24.