ML031890921

Arkansas, Units 1 and 2, NRC Triennial Fire Protection Inspection Report 01-06; EA-03-016 Significance Determination Process Report
Person / Time
Site: Arkansas Nuclear
Issue date: 07/03/2003
From: Cotton S
Entergy Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
0CAN070302, EA-03-016, FOIA/PA-2003-0358 IR-01-006


Text

Post-Fire Manual Action Feasibility Assessment:

A Phase 3 Significance Determination Process (SDP) Evaluation at Arkansas Nuclear One Unit 1

Final Report, July 2003

Science Applications International Corporation
4920 El Camino Real
Los Altos, CA 94022

REPORT SUMMARY

The report is a phase 3 significance determination process evaluation of the use of manual actions for achieving and maintaining hot shutdown at ANO.

Background

On August 20, 2001 the NRC issued a triennial fire inspection report (IR 01-06), which discussed a finding concerning the acceptability of the ANO use of operator actions to remotely operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing protection to the cables associated with that equipment, as a method of complying with 10CFR50 Appendix R Section III.G.2.

In a March 25, 2003 supplement to IR 01-06, noted above, the NRC stated that by using the Significance Determination Process the above finding was preliminarily determined to be Greater than Green. The preliminary significance of this finding was due to the number of safe shutdown components potentially affected as a result of fire, the ability of the ANO fire brigade to manually suppress the fire before damage to safe shutdown components occurs, and the uncertainty regarding the timing and impact that potential failures may have on the operators' ability to accomplish required shutdown functions in time to prevent core damage.

Objectives

The objective of this evaluation was to demonstrate that the use of manual actions in response to a fire at ANO unit 1 is feasible and that the risk resulting from these actions is acceptable.

Approach

The approach to demonstrate the objective stated above followed a combination of qualitative and quantitative evaluations that are illustrated in the following chart.

[Chart: elements of the approach. Box labels:]

- Total Unit Risk PSA
- Simulator Exercise (Fire zone 99-M)
- Human Reliability Assessment (Fire zone 99-M)
- Fire Modeling (Fire zone 99-M)
- Tactical Procedures
- Simulator Scenario Development (Fire zone 99-M)
- Circuit Analysis & Location Evaluation (Fire zone 99-M)
- EOP/AOP/Pre-fire Plans

The technical methods and data used were consistent with the published state-of-the-art and relevant ANO design and operation data. Detailed analysis was done for the unit 1 4KV switchgear room 1A4 (fire zone 99-M) and extrapolated to two other fire zones in unit 1, the 4KV switchgear room 1A3 (fire zone 100-N) and the electrical equipment room (fire zone 104-S), where use of manual actions was considered a potential contributor to fire risk. These fire zones are not equipped with automatic suppression.

Results

The results of our analysis are as follows:

Fire analysis:

- Cable damage criteria (700°F for ANO) are critical to the extent/timing of circuit damage and to our conclusion.
- An energetic arcing fire in the 4KV switchgear is the maximum expected and bounding fire in fire zone 99-M.
- A damaging 700°F hot gas layer in fire zone 99-M is not credible because of the configuration of the room and the combustibles in it.

Manual actions feasibility and reliability:

- Both the current and the new emergency procedures adequately deal with a fire in 99-M.
- Key manual actions, needed in response to the bounding fire scenario in 99-M, meet the NRC inspection criteria for fire protection manual actions.
- The impact of the new versus the current procedures on human error probabilities (ΔHEP) is measurable but small.

Fire risk:

- The cumulative fire-induced risk in unit 1, reflective of the manual actions needed to achieve hot shutdown in fire zones where these actions are determined to impact fire risk, is Green, i.e., less than 1E-6/reactor-year.

The defense-in-depth is maintained and adequate margin exists in our analyses of fire scenarios and HRA to ensure confidence in our conclusions.

TABLE OF CONTENTS

I INTRODUCTION
I.1 Background
I.2 Description of the Issue
I.3 Overview of the Assessment
I.4 Scope and Key Assumptions
II ASSESSMENT OF FIRE RISK IN UNIT 1 4KV SWITCHGEAR ROOM (FIRE ZONE 99-M)
II.1 Selection and Analysis of Fire Scenarios
II.1.1 Switchgear Room, Fire zone 99M
II.1.2 Selection of Fire Scenarios in Switchgear Room 99M
II.1.3 Quantitative Fire Analysis
II.2 Analysis of Operator Response and Reliability
II.2.1 Information Collection and Simulation of Fire Scenarios
II.2.2 Feasibility of Manual Actions
II.2.3 Reliability of Manual Actions (Human Reliability Analysis - HRA)
II.2.4 General Observations
II.3 Quantification of the Conditional Core Damage Probabilities (CCDP)
II.4 Assessment Fire Risk in 99-M
II.4.1 Calculation Fire-Induced Core Damage Frequency
II.4.2 Examination of Defense-in-Depth and Safety Margin
III DETERMINATION OF THE RISK-SIGNIFICANCE OF THE ISSUE
IV CONCLUSIONS
V REFERENCES
APPENDIX A.1: BASIS FOR INCREASE IN HFES DUE TO FIRE
APPENDIX A.2 COGNITIVE EVENT TREE SCREENING LOGIC
APPENDIX B.1 SIMULATOR OBSERVATIONS
APPENDIX B.2 SUMMARY OF EQUIPMENT FAILURE AS A FUNCTION OF FIRE GROWTH IN FIRE ZONE 99-M
APPENDIX B.3 FIRE BRIGADE COMMUNICATION SCRIPT

LIST OF FIGURES

Figure 1: Switchgear room 99M. Drawing not to scale
Figure 2: Switchgear room 99M. Drawing not to scale
Figure 3: Pictorial Representation of the Zone-of-Influence of a Non-Energetic Fire in the 4KV Switchgear A4
Figure 4: Pictorial Representation of the Zone-of-Influence of a High-Energy Fire in the 4KV Switchgear A4
Figure 5: Pictorial Representation of the Fire Scenario 2, Fire in MCC B-55
Figure 6: Pictorial Representation of the Fire Scenario 3, Fire in MCC B-56
Figure 7: Pictorial Representation of the Fire Scenario 4, Fire in Inverter Y-22
Figure 8: Pictorial Representation of the Fire Scenario 5, Fire in Load Center B-6
Figure 9: Pictorial Representation of the Fire Scenario 6, Transient Fire Between MCCs B-55 and B-56
Figure 10: Selected heat release rate profile for cabinet fires in switchgear room 99M
Figure 12: Cable tray stack fire propagation model
Figure 13: Conceptual representation of the use of t2 fire growth model for representing ignition of adjacent cable trays
Figure 14: CFAST results for upper layer and heat release rate in scenario 1a
Figure 15: CFAST results for upper layer and heat release rate in scenario 1a
Figure 16: CFAST results for upper layer and heat release rate in scenario 1b
Figure 17: CFAST results for upper layer and heat release rate in scenario 1b
Figure 18: CFAST results for upper layer and heat release rate in scenario 2 & 3
Figure 19: CFAST results for upper layer and heat release rate in scenario 2 & 3
Figure 20: CFAST results for upper layer and heat release rate in scenario 4
Figure 21: CFAST results for upper layer and heat release rate in scenario 4
Figure 22: CFAST results for upper layer and heat release rate in scenario 5
Figure 23: CFAST results for upper layer and heat release rate in scenario 5
Figure 24: Change in HEP for new Attachment compared with Current EOPs
Figure 25: HFE values for current and attachment to EOPs for fire in 99-M

LIST OF TABLES

Table 1: Function and location of electrical cabinets in room 99M
Table 2: Localized targets and intervening combustibles
Table 3: Fire scenarios evaluated with zone model CFAST
Table 4: Summary of potential HEP increase cases due to Fire in zone 99-M
Table 5: Summary of adjusted HRA values in the CCDP model for fire in zone 99-M
Table 6: Summary of key local actions
Table 7: Basis for feasibility of local action used to protect the core during a 99-M fire
Table 8: Summary of Calculated Conditional Core Damage Probabilities
Table 9: Generic ignition frequencies and calculated CCDPs
Table 10: Summary of the Risk-Significance of the Safe Shutdown Manual Actions Issue at ANO Unit 1
Table 11: Summary of HFE Increases due to Fire in zone 99-M
Table 12: FIREOLDP cognitive unrecovered
Table 13: FIREOLDP cognitive recovery
Table 14: FIREOLDP execution unrecovered
Table 15: FIREOLDP execution recovery
Table 16: FIRENEWP cognitive unrecovered
Table 17: FIRENEWP cognitive recovery
Table 18: FIRENEWP execution unrecovered
Table 19: FIRENEWP execution recovery
Table 20: 99-MFIRECR cognitive unrecovered
Table 21: 99-MFIRECR cognitive recovery
Table 22: 99-MFIRECR execution unrecovered
Table 23: 99-MFIRECR execution recovery
Table 24: 99-MFIRECRE cognitive unrecovered
Table 25: 99-MFIRECRE cognitive recovery
Table 26: 99-MFIRECRE execution unrecovered
Table 27: 99-MFIRECRE execution recovery
Table 28: 99-MFIRELOCAL cognitive unrecovered
Table 29: 99-MFIRELOCAL cognitive recovery
Table 30: 99-MFIRELOCAL execution unrecovered
Table 31: 99-MFIRELOCAL execution recovery
Table 32: Summary of selected actions for maintaining core cooling during simulated fire
Table 33: Local manual actions current EOPs with experienced auxiliary operator crew 1
Table 34: Local manual actions new EOP attachment with new auxiliary operator crew 2
Table 35: Equipment damage for realistic fire in the A4 breaker cabinet and cable trays
Table 36: Failure of remaining equipment if a hot gas layer is assumed
Table 37: Fire Scenario in 1A4 4KV Switchgear (Fire Zone 99-M)

I INTRODUCTION

This section provides an overview of the issue and its assessment in accordance with a phase 3 Significance Determination Process (SDP).

I.1 Background

On August 20, 2001 the NRC issued a triennial fire inspection report (IR 01-06), which discussed a finding concerning the acceptability of the ANO use of operator actions to remotely operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing protection to the cables associated with that equipment, as a method of complying with 10CFR50 Appendix R Section III.G.2.

I.2 Description of the Issue

In a March 25, 2003 supplement to IR 01-06, noted above, the NRC stated that by using the Significance Determination Process the above finding was preliminarily determined to be Greater than Green. The preliminary significance of this finding was due to the number of safe shutdown components potentially affected as a result of fire (e.g., main feedwater, high pressure injection, emergency ac power and emergency feedwater), the ability of the ANO fire brigade to manually suppress the fire before damage to safe shutdown components occurs, and the uncertainty regarding the timing and impact that potential failures may have on the operators' ability to accomplish required shutdown functions in time to prevent core damage.

I.3 Overview of the Assessment

The Reactor Oversight Process (ROP) describes the need for a method for assigning a risk characterization to inspection findings. The staff developed a method for this risk characterization, which is referred to as Significance Determination Process (SDP). The entry conditions for the Fire Protection SDP are defined for inspection findings of the degraded conditions associated with the plant approved fire protection program. Therefore, the SDP seeks to estimate the change in risk between the approved and the degraded conditions and determine the risk-significance of this change.

In the case of the manual action feasibility issue at ANO we maintain that such an analogy does not apply, as the condition perceived by the NRC as degraded has always been an integral part of the ANO approved fire protection program.

Therefore, in our assessment we do not calculate a change in risk between a perceived degraded and a hypothetical approved condition. Rather, we investigate the risk-significance of the existing (and approved) condition at ANO as it relates to the adequacy of the procedures for safe shutdown in post-fire conditions. We conduct this investigation through the following elements:


1. Fire Modeling - This is a detailed assessment of fire hazards and investigation of the extent and timing of fire damage leading to potential loss of safe shutdown equipment and functions.
2. Reliability of the Manual Actions - In this assessment we examine reliability of the post-fire safe shutdown manual actions to demonstrate that they can be performed with reasonable confidence under the fire conditions. We developed a quantitative assessment of the manual actions using state-of-the-art human reliability analysis (HRA) methods and plant-specific data obtained from review of safe shutdown procedures and training program, as well as simulator exercises. In the simulator exercises we observed and evaluated the response of two operator crews through simulation of maximum expected fire scenarios in the unit 1 4KV switchgear room. This examination was done for two sets of procedures: one with the procedures in existence prior to this assessment and another with revised procedures.
3. Risk-Significance of the Current Symptomatic Procedures - The safe shutdown strategy and its associated manual actions are reflective of a level of fire risk that also depends on a number of other factors. These factors include:
   - Fire hazards present and the types and sizes of fires they may initiate and sustain within the room,
   - Fire protection systems design and other elements of the fire protection program that can delay and/or prevent spread of fire,
   - Cable and circuit design that determines the extent, timing, and failure modes of the safe shutdown systems,
   - Plant safety functions and systems and how they can mitigate post-fire conditions.

In this assessment we examined the fire risk for those areas of the plant where these manual actions are a contributor to determine whether the level of fire risk is acceptable. The current documented state-of-the-art in fire risk assessment was used for this assessment. [Ref. 1]

The remainder of this report contains the following information.

Section 2 contains a phase 3 SDP examination of the Unit 1 4KV switchgear room (fire zone 99-M). Detailed assessment was conducted for Unit 1 4KV switchgear room (fire zone 99-M).

Qualitative assessment of other fire zones in unit 1 was done with plant walkdown and, where possible, extrapolation of the results obtained for fire zone 99-M. Section 2.1 covers determination of realistic fire scenarios and examination of sensitivities and factors contributing to uncertainty. Section 2.2 documents qualitative and quantitative evaluation of the manual actions including discussion of simulation of fire scenarios. Sections 2.3 and 2.4 document the approach and the results of the development of the conditional core damage probabilities (CCDPs) and fire risk (CDF) respectively.

Section 3 of this report is a quantitative assessment of the issue that includes qualitative examination of other fire zones where manual actions are critical to post-fire strategy and may be to fire risk. Section 4 contains the conclusions of our assessment with respect to the four elements listed above. References used in the conduct of our assessment are listed in section 5.

I.4 Scope and Key Assumptions

Following are the scope limitations and important assumptions in our assessment:

Risk estimates are developed using the documented state-of-the-art in fire risk assessment. As such these estimates have the general limitations of these methods. However, in the technical areas where there are known uncertainties in the state-of-the-art and our conclusions are sensitive to the technical area, we seek to establish the margin needed to provide confidence in our conclusions. For example, the models for cable fires and the distance and the rate at which they spread are somewhat uncertain. At the same time our conclusions are sensitive to how far and how fast a cable fire in fire zone 99-M can spread. In this case we supplement our conclusion with the adequacy of the margin between the best-estimate model and what may lead to undesirable consequences.

Consistent with the requirement of the fire protection SDP (IMC 0609 Appendix F), this assessment defines risk-significance in the context of change in fire-induced Core Damage Frequency (CDF).

This assessment is limited to fires occurring during at-power mode of operation. Nature and frequency of fire scenarios and fire protection systems and features may be affected during low power and shutdown modes of operation in such ways that may not be reflected in our assessment.

Detailed fire risk analysis was performed for the unit 1 4KV switchgear room (fire zone 99-M).

The estimates of fire risk in the remaining fire zones of the plant are derived through walkdown and approximate extrapolation of the estimates for fire zone 99-M. Even though care was exercised to use conservative bounding estimates, we should emphasize the difference in the pedigree of the risk estimates for 99-M versus the risk estimate for the entire site.

We did not perform a systematic, quantitative assessment of uncertainties. Where appropriate a possible alternative approach, such as use of safety margin, was used to establish confidence in the face of the uncertainties.

II ASSESSMENT OF FIRE RISK IN UNIT 1 4KV SWITCHGEAR ROOM (FIRE ZONE 99-M)

This section contains a detailed, phase 3 SDP assessment for the unit 1 4KV switchgear room at ANO as it relates to the issue of adequacy of procedures for post-fire manual actions.

Section II.1 describes the detailed fire modeling done for this fire zone to determine the consequences of fire in the room in terms of the extent and timing of the damage to the raceways in the room. Selection and analysis of the fire scenarios is done in such a way as to ensure sufficient margin and confidence in the results.

Once the affected raceways are identified for each fire scenario, the next step determined the circuit and equipment lost and their failure mode, including instrumentation and control (I&C).

The equipment lost defines the core damage sequences and the manual actions needed in response to these sequences, including the timing for these actions and the state of the I&C following potential damage resulting from the fire scenario. Details of the identification and assessment of the reliability of the manual actions are documented in section II.2.

With fire-induced core damage accident sequences and human error probabilities known, the conditional core damage probabilities (CCDPs) for each fire scenario were derived. Details of this step are documented next, in section II.3.

Finally, calculation of the fire-induced core damage frequency for fire zone 99-M is documented in section II.4. This calculation includes development of the frequency of the fire scenarios analyzed in section II.1 and use of the CCDPs calculated in section II.3.

[Chart: steps of the assessment. Box labels:]

- Fire Modeling - Fire hazards and extent and timing of damage (II.1)
- Circuit routing and analysis - Equipment/functions lost to the fire
- Human Reliability Analysis - Manual actions needed and human error probabilities (II.2)
- CCDP - Accident sequences resulting from equipment/functions lost to the fire (II.3)
- Fire-induced CDF (section II.4)

II.1 Selection and Analysis of Fire Scenarios

II.1.1 Switchgear Room, Fire zone 99M

Fire zone 99M is an approximately 34.5 x 25. x 12 switchgear room with 2 thick concrete ceiling and floor, and 1 thick concrete walls (north and south walls are concrete masonry units). The room has two normally closed 8 x 8 access doors located at the center of the north and south wall respectively. Four hundred forty (440) CFMs of air are injected into the room through a 14 x 6 fire damper on the south wall near the ceiling. The room is equipped with a smoke detection alarm system.

The fixed fire sources inside fire zone 99M consist of a 4 KV switchgear cabinet, three motor control centers (MCC), four inverters, and a load center with its associated inert gas filled transformer. Cables are routed both in metal conduits and 24 wide cable trays.

Figures 1 and 2 provide a pictorial representation of the electrical equipment (potential fixed fire sources) and cable tray layout in room 99M. Table 1 provides additional details about function and location of the cabinets.

Table 1: Function and location of electrical cabinets in room 99M.

Cabinet   Function                  Location
A4        Switchgear cabinets       4-3 from west wall, next to B65
B65       MCC                       7-9 from north wall
Y22       Inverter                  7 from west wall
Y24       Inverter                  6-2 from west wall, 1-4 from north wall
Y25       Inverter                  Next to Y22
Y28       Inverter                  7-3 from A4
B6        Load center/Transformer   7-3 from A4
B55       MCC                       5-8 from east wall
B56       MCC                       North-east corner of the room

As illustrated in Figures 1 and 2, there are two areas of the room where a two or a three-cable tray stack is present. A two-cable tray stack (EC 201, EC 240) starts between cubicles A406 and A407 of the switchgear cabinet, extending north and turning east along the north wall over the door. This two-tray stack turns south between MCC cabinets B55 and B56. Once between B55 and B56, a third cable tray comes into the room from the north wall, aligning itself between the two trays turning south. This three-tray stack runs up to where the B56 MCC cabinet ends. The three trays have different lengths. Details about this three-tray stack are provided in Figure 2.

Notice that cable tray labeling varies throughout their lengths.

Figure 1: Switchgear room 99M. Drawing not to scale.

[Figure not reproduced: layout drawing labeled with cabinet and cable tray identifiers.]

Figure 2: Switchgear room 99M. Drawing not to scale.

[Figure not reproduced: Section A-A (Looking East), labeled with cabinet and cable tray identifiers.]

II.1.2 Selection of Fire Scenarios in Switchgear Room 99M

Eight fire scenarios have been selected as representative of the fire risk in room 99M. The selection of these scenarios is based on the following considerations:

1. Location of critical conduits and cable trays in the room with respect to floor-based in-situ and transient fires - the selected scenarios capture all critical targets.
2. Potential high-energy characteristics of switchgear cabinets and transformer fires - there is historical evidence of such events.
3. Combustible characteristics of electrical cabinets - there is evidence in EPRI's Fire Events Database of switchgear cabinet fires.
4. Combustible characteristics of cable tray stacks - there is evidence in EPRI's Fire Events Database of cable fires, and fires propagating from cabinets to cable trays.
5. Electrical connections between cabinets, cable trays and conduits

Scenario 1a:

A non-energetic fire in the A4 switchgear starts near the A409 cubicle just below the two-stack cable tray. This fire may propagate to the trays above and cause subsequent damage to adjacent trays and conduits. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions.

Scenario 1b:

An energetic fire in the A4 switchgear starts near the A409 cubicle just below the two-stack cable tray. This energy release is assumed to ignite the trays (exposed intervening combustibles as well as potential targets) above and cause subsequent damage to adjacent trays, conduits, and cabinets. Mechanical damage, but no ignition of cabinets and conduits (non-exposed combustibles) away from the energetic source is expected. An ensuing fire may continue to burn that could expose other targets in the room to adverse thermal conditions.

Scenario 2:

A non-energetic fire in the B55 MCC starts in the vicinity of the three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to thermal conditions.

Scenario 3:

A non-energetic fire in the B56 MCC starts in the vicinity of the three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to thermal conditions.

Scenario 4:

A non-energetic fire in the Y22 inverter starts in the vicinity of a cable tray. This fire may propagate to the tray and cause subsequent damage to conduits above. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to thermal conditions. This scenario bounds fires in cabinets Y24 and Y25.

Scenario 5:

A non-energetic fire in the B6 load center starts adjacent to a cable tray. This fire may propagate to the tray and cause subsequent damage to conduits above. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions.

Scenario 6:

A transient fire between B55 and B56 MCCs starts below the three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions. The effects of this fire in terms of target damage are expected to be similar to Scenarios 3 and 4. It should also be noted that strict administrative controls prevent the presence of transient combustibles in this room.

Pictorial representations of fire scenarios 1 thru 6 are shown in Figures 3 thru 9 respectively.

Figure 3: Pictorial Representation of the Zone-of-Influence of a Non-Energetic Fire in the 4KV Switchgear A4 (Scenario 1a)

Figure 4: Pictorial Representation of the Zone-of-Influence of a High-Energy Fire in the 4KV Switchgear A4 (Scenario 1b). Figure annotations: "Located near the ceiling." and "Out of damage zone".

Figure 5: Pictorial Representation of the Fire Scenario 2, Fire in MCC B-55

Figure 6: Pictorial Representation of the Fire Scenario 3, Fire in MCC B-56

Figure 7: Pictorial Representation of the Fire Scenario 4, Fire in Inverter Y-22

Figure 8: Pictorial Representation of the Fire Scenario 5, Fire in Load Center B-6

Figure 9: Pictorial Representation of the Fire Scenario 6, Transient Fire Between MCCs B-55 and B-56

II.1.3 Quantitative Fire Analysis

The following aspects of the fire scenarios listed above are analyzed: 1) a localized damage zone limited to the plume and flame irradiation region, and 2) a global hot gas layer that can damage equipment away from the ignition source and immediate target/intervening combustible. First, a discussion about heat release rates from cabinets, cable trays, and transient fires provides the basis for the selected fire intensities. This discussion is followed by the description and implementation of the models in the analysis. Fire modeling results are presented in Table 2 and Figures 13 thru 22.

II.1.3.1 Heat Release Rate for Cabinet Fires

One of the important parameters to define in a quantitative fire analysis is the heat release rate (HRR) profile of the postulated fire. The fixed fire sources inside fire zone 99M consist of a 4 KV switchgear cabinet, three motor control centers (MCC), four inverters, and a load center with its associated inert gas filled transformer. Generally these electrical cabinets (all except control panels) are similar in the parameters that contribute to the HRR, namely combustible load, combustible configuration and ventilation. Therefore, one heat release rate profile was selected for all these sources. The selection is based on empirical evidence of electrical cabinet fires, and a visual examination of the combustible configuration (cables) in the 4KV switchgear cabinets of room 99M. The postulated fire in any of the electrical cabinets in the room reaches a peak heat release rate of 100 kW in 12 minutes, and burns at that peak intensity for 8 additional minutes.

A t² function has been selected for representing the growth phase of the fire.

The fire growth rate is affected by two principal factors: 1) the flammability properties of the fuel, and 2) the combustible configuration. The flammability properties of the cables inside the cabinets are unknown. In terms of configuration, although the cables in the switchgear cabinet present a consistent layout, the cable configuration in other cabinets in the room is unknown.

Given these uncertainties, an average of the time to reach peak heat release rates in all of the cabinet fire experiments reported in NUREG 4527 [Ref. 2] was selected. The average time to peak heat release rate was calculated as 12 min. Similarly, the average burning duration of all the cabinet fire experiments was estimated to be 8 min. It is important to mention that the average times to peak for qualified and unqualified cable fires in cabinets reported in NUREG 4527 are similar. These values were used in the heat release rate profile regardless of the peak fire intensity. That is, in all cases, the peak intensity will be reached in 12 min, and the fire will burn steadily for 8 additional minutes. Ignition of nearby cable trays will alter this profile.

Figure 10: Selected heat release rate profile for cabinet fires in switchgear room 99M.

EPRI's Fire PRA Implementation Guide [Ref. 1] recommends an HRR value of 65 kW for electrical cabinet fires in which the fire would be limited to a single cable bundle. The 65 kW value is the highest value of the fire experiments described in NUREG 4527 [Ref. 2] in control cabinets with IEEE-383 qualified cable and open or closed doors. In these experiments, the fire was limited to one cable bundle. Switchgear cabinets are distinctly different from control panels in that:

1) they have significantly lower combustible loading,
2) the combustibles are confined/separated into sheet-metal walled cubicles (control, breaker and busbar cubicles), and
3) the wires in the cubicle with most of the heat load, namely the control cubicle, are low voltage (120VAC or DC) wires with lower combustible mass.

Figure 10 shows the configuration of the combustibles in the control cubicles of the 4KV switchgear A4. Based on the small amount of combustible loading in comparison to the Sandia test, a peak value of 100 kW for the fire is a reasonable assumption. This nominal value is higher than the 65 kW recommended by the EPRI Fire PRA Guide. Furthermore, this fire intensity is expected to produce flames capable of easily reaching cable trays above the cabinet.

Another parameter in characterizing a fire is its location. The location of an electrical cabinet fire can be significant: with fire intensities in the range of 100 kW or less, assuming a fire on the top of the panel versus one at the location of the vents could mean the difference between ignition and no ignition of the overhead cabling. Also, in a closed-top or mechanically-sealed-top cabinet an assumed fire at the top of the cabinet could mean no-flame heating where the flames are likely to be at the location of the vents or warped panel doors.

[Figure 10 plot: HRR Profile; x-axis Time [min], y-axis HRR [kW].]

In the case of the A4 switchgear, the fire is assumed to occur at the top of the cabinet. This is close to the location of the top-front cubicle, where the cable bundle is located. Notice in Figure 10 how the cables come into the cabinet and form a bundle along the left side of the cubicle. The metal boundaries of the cabinet are assumed to have no effect on the fire heat release rate profile.

That is, the fire is assumed at the described elevation without any obstruction altering its development. This is not a critical factor in any of our defined fire scenarios due to the proximity of the first raceway and the nominal HRR selected.

Figure 11: Cable configuration in A4 switchgear cubicles.

II.1.3.2 Characterization of the High-Energy Switchgear Fires

Some in-situ fire sources in a nuclear power plant (NPP) are capable of fires that are preceded by a high-energy initial phase. Historical evidence points to switchgears and transformers as potential sources of such events in an NPP. The energetic phase of a high-energy fire in switchgear typically initiates as the result of an arcing fault in the breaker cubicle. The initial high-energy phase is then followed by a potential fire in the switchgear (now possibly ventilated, at least in the breaker cubicle) and possibly a fire in any nearby exposed combustible.

The model (zone of influence) for the energetic phase used in this analysis is an empirical one based on such events at Oconee (1989), Waterford (1995) and San Onofre (2001). The model assumes damage and ignition of exposed combustibles within 5 ft. This includes panels across from the switchgear and exposed cable trays overhead. The evidence as it relates to conduits in the zone of influence is not strong. None of the three events involved switchgears with conduits nearby to determine the potential for damage. Note that conduits are stainless steel piping, far more resistant to pressure spikes than trays. Nevertheless, for this assessment we have assumed functional damage to the cables in the conduits within the zone-of-influence, but not ignition and secondary fires.

II.1.3.3 Heat Release Rate for Cable Tray Fires

The heat released by a single cable tray fire is estimated using the bench scale to full-scale cable tray heat release rate correlation [Ref. 1, 3]. The correlation

$Q_{ct} = 0.45 \cdot q_{bs} \cdot A_o$ (kW)

has the following input parameters: $A_o$, the cable tray burning area (m²), and $q_{bs}$, the experimental bench scale heat release rate value (kW). $A_o$ is assumed to be the width of the cable tray (24 in) times the characteristic length of the fire, which is assumed to be the length of the cabinet. Due to the uncertainty in the cable type, a value of 400 kW/m² is selected for $q_{bs}$.

Notice that this is the highest value that can be selected from the bench scale experiments used for developing the correlation. This selection will result in a conservative estimate of the heat release rate.

The model described in EPRI TR-105928 [Ref. 1] for cable tray propagation in a stack is used for estimating heat release rates from the two and three tray stacks currently present in the room. The model assumes the characteristic length of the fire below the first tray in the stack times the tray width as the burning area in the lowest tray. The fire then propagates to trays above at a 35° angle to each side of the trays. A five-minute delay between cable tray ignitions is recommended based on experimental observations. Figure 11 provides a pictorial representation of the model.

Assuming the fire in the switchgear cabinet A4 will have a characteristic length of 3 ft (a conservative assumption due to the limited openings in the top of the switchgear), the first tray will have a burning area of 6 ft², and a heat release rate of 100 kW. The second tray in the stack will have a burning area of 7.1 ft², and a heat release rate of 120 kW.

Assuming the fire in the MCC cabinet B55 will have a characteristic length of 3 ft, the first tray will have a burning area of 6 ft², and a heat release rate of 100 kW. The second tray in the stack will have a burning area of 8.4 ft², and a heat release rate of 140 kW. Finally, the third and last tray in the stack will have a burning area of 9.7 ft², and a heat release rate of 160 kW.

Figure 12: Cable tray stack fire propagation model (figure labels: Ignition Source; 35° on each side)

II.1.3.4 Localized Damage to Targets

Localized damage to targets can occur to cable trays and conduits located inside the flames, in the fire plume, or subjected to flame radiation. Targets are considered damaged or ignited when their surface temperature reaches 700 °F. It is assumed that only cable trays (not metal conduits) will ignite and contribute to room heat up. Cables inside metal conduits are assumed damaged at the same critical temperature, but will not contribute to room heat up. For a given ignition source/target set combination:

1. Determination of the time at which the target was immersed in flames using Heskestad's flame height correlation,

$L = 0.235 \, Q_f(t)^{2/5} - 1.02 \, D$ [Ref. 4],

where D is the diameter of the fire (assumed as 3), and $Q_f$ is the heat release rate as a function of time. The time to damage is assumed as the time the flames reach the target.

2. Determination of the time to damage for targets in the plume. The heat fluxes in the plume affecting the target are estimated as a function of time using:

( )

=

2 3

.0 H

t Q

q pl c

(kW/m2) [Ref. 4, 5]

where H is the height of the target above the fire. Finally, the time to target damage given the incident heat flux profile is estimated using:

( )

d t

q c

k T

T t

amb tar

=

0 1

[Ref. 6, 7]

where Ttar is the surface temperature of the target q() is the incident heat flux as a function of time and kc is the thermal inertia of the target. kc is conservatively calculated assuming PE/PVC cable with the following properties [Ref. 8]: k = 0.0001 kW/mK, = 950 kg/m3, and c = 2.25 kJ/kg. This assumption only affects the target heating time and not the ignition or damage temperature in the fire modeling analysis.

3. Determination of time to damage for targets in the ceiling jet. The heat fluxes in the ceiling jet affecting the target are estimated as a function of time using:

( )

(

)

2 3

1 04

.0 h

h R

t Q

qc

=

(kW/m2) [Ref. 4, 5]

where H is the height of the target above the fire, and R is the horizontal radial distance. The time to target damage is calculated using the integral equation described above in item 2.

4. Determination of time to damage for targets adjacent to flames subjected to thermal radiation. The radiated heat flux as a function of time is calculated using the point source model,

$q_{irr} = \dfrac{X_r \, Q(t)}{4 \pi R^2}$ [Ref. 4]

where $X_r$ is the radiation fraction, assumed as 0.35, and R is the horizontal distance from the flames to the target. The time to target damage is calculated using the integral equation described above in item 2. Notice that irradiation from flames is considered for targets adjacent to the ignition source, as well as for targets adjacent to ignited intervening combustibles, such as cable trays.

Table 2 lists the results for the localized target damage analysis. The second column, Fire Sources, lists the first item ignited or ignition source. The Conduits column lists the conduits that are thermally challenged by the ignition source. The types of exposure and calculated time to target damage are reported in the fourth and fifth columns respectively.

The Cable Trays column lists the cable trays that can be ignited by the fire in the ignition source. A fire in the trays will contribute to the room heat up at the calculated ignition times, reported in the eighth column of the table.

Columns 9 to 11 of Table 2 refer to conduits that can be damaged by a fire in any of the intervening combustibles. Notice that the time to damage of these conduits is relative to the ignition of the trays. The absolute time to damage is the time to cable tray ignition plus the time to conduit damage (columns 8 and 11).

II.1.3.5 Smoke Detection Analysis

Switchgear room 99M is equipped with a smoke detection alarm system. With the exception of a fire in the switchgear cabinet A4, the alarm system will notify the main control room of any fire detected in the room. A fire in the switchgear cabinet A4 will disable power to the fire panels, limiting the information provided to the control room. In this case, the control room will only receive a trouble alarm due to an unknown cause.

No model is currently validated for estimating response time from smoke detectors. Time to detection is therefore calculated using the DETACT model [Ref. 9]. The DETACT model is widely used to estimate the response of heat detector devices such as sprinklers. When used for estimating the response of smoke detectors, a 55 °F temperature change at the location of the device has been traditionally assumed. This value is conservative since studies have shown that for modern smoke detectors, a value of 41 °F is appropriate [Ref. 10]. Time to detection values were calculated using both activation temperatures. Furthermore, smoke detectors are not modeled using the Response Time Index parameter (RTI), characteristic of heat detectors. Therefore, a value of 1.0 (m·s)^(1/2) has been assumed as input to DETACT. With this assumption, the temperature at the detection device is close to the temperature in the ceiling jet.

DETACT also requires inputs defining the position of the detector with respect to the fire and the fire heat release rate profile. A fire located on the floor will be the most conservative configuration for calculating response time. The elevation of the detector above the fire was selected as 12, which is the height of the room. The detectors are approximately 7 apart from each other. Therefore, a fire located midpoint between them is also the most conservative configuration. The horizontal radial distance from the detector to the centerline of the fire plume was selected as 3.5.

Finally, the heat release rate profile used for the DETACT analysis is described in Table 3 below. DETACT results are listed in the last column of Table 2.

Table 2: Localized targets and intervening combustibles.

| Scenario | Fire Source | Primary target set: Conduits | Exposure | Time to damage/ignition (min) | Primary target set: Cable Trays | Exposure | Time to damage/ignition (min) | Secondary target set: Conduits | Exposure | Time to damage/ignition (min) | Time to detection of the fire (min) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1a | Non-energetic fire in the A4 switchgear. Nominal value, 100 KW fire | EC1589, EC1236 | In plume | 4 | EA201, DA008, EC222, EC240 | In flames | 2.5 - 5 | | | | 10 (note 1) |
| 1b | Energetic event in any of the A4 switchgear breaker cubicles. | EC1589, EC1236 | Damage to energetic event. In plume | 0 | EA201, DA008, EC222, EC240 | In flames | 0 | EC1504, EC1530, EJ1004 | Damage due to energetic event. No flames. | 0 | 10 (note 1) |
| | | | | | | | | Y28, B6 | Damage due to energetic event. No flames. | 0 | |
| 2 | Fire in the B55 MCC. Nominal 100 KW fire. Fire in Inverter Y28 is bounded by this scenario. | EC1163, EC1164, EC1165 | In plume | 8 | EC201, EC205, EC236 | Flame rad | 7 | EC1093, EC1088 | In flames or plume | 7 + 3 | 2 - 6 |
| 3 | Fire in the B56 MCC. Nominal 100 KW fire | EC1088, EC1093 | In flames or plume | 0 | EC201, EC205, EC236 | Flame rad | 7 | EC1163, EC1164, EC1165 | In flames or plume | 7 + 3 | 2 - 6 |
| 4 | Fire in the Y22 Inverter. Base case, 100 KW fire. Fires in Y24 and Y25 are bounded by this scenario. | EC2184, EC2212, EC2213 | In plume. | 5 | DA008 | Flame rad | 14 | EC1589 | In flames or plume | 14 + 2 | 2 - 6 |
| 5 | Fire in the Load Center B6. 100KW nominal HRR. | EC1176, EC1275, EC1257, EC1237, EC1190 | In ceiling jet | > 20 | EC205, EC201 | Flame rad | 7 | | | | 2 - 5 |
| 6a | Transient fire between the MCCs B55 and B56. Nominal value of 150KW. | EC1176, EC1275, EC1257, EC1237, EC1190, EC1088, Y28, A4 | Damage only no ignition | 0 | EC205, EC201 | Plume | 0 | | | | < 1 |

1. Time to detection based on live simulation exercise performed at ANO. Time to detection in this scenario is not calculated with DETACT. A fire in cabinet A4 will disable the smoke alarm system.

II.1.3.6 Hot Gas Layer Analysis

Once the time to localized damage is calculated, the heat release rate profile from the ignition source and intervening combustibles (cable trays) is used to determine hot gas layer temperature. Damage or ignition of targets away from the ignition source is assumed when they become immersed in a hot gas layer of 700 °F, which is the damage criterion for targets in the room.

Hot gas layer temperatures are estimated using the zone model CFAST [Ref. 11], developed by the National Institute of Standards and Technology (NIST) using the room characteristics described earlier in this document.

Ignition of intervening combustibles produces sudden increases in the fire intensity profile because cable tray heat release rates have no growth model. In order to avoid step-functions in the HRR profile, and provide a more realistic representation of the fire intensity, a t² function was superimposed. The peak heat release rate is the sum of the cabinet and cable tray peak intensities and the time to reach the peak is the time when the last tray is ignited. The t² function is of the form

( )

=

2

t Q

Q Min t

Q peak peak &

(kW) where is the time to reach the peak heat release rate. Figure 12 illustrates the concept of superimposing a t² growth curve on a heat release rate profile including ignition of adjacent cable trays. Table 3 lists the heat release rate profiles and door positions used in the CFAST runs.

Figure 13: Conceptual representation of the use of the t² fire growth model for representing ignition of adjacent cable trays.

[Plot: Heat Release Rate Profile; x-axis Time [sec], y-axis HRR [kW]; series: Step function, t² model; markers: Ignition of 1st tray, Ignition of 2nd tray, Ignition of 3rd tray.]

Table 3: Fire scenarios evaluated with zone model CFAST

Scenario 1a: Fire in A4 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW, 3 ft of tray)

§ EC201 & EC240 stack fire starts at 5 min (100, 120 kW and 3 ft and 3.5 ft of tray respectively)

§ DA008 tray fire starts at 5 min (100 kW, 3 ft of tray)

§ EA201 tray fire starts at 2.5 min (100 kW, 3 ft of tray)

§ Peak heat release rate = 520 kW + fire intensity due to horizontal flame spread in cable trays (Flame spread rate of 10 ft/hr, Ref EPRI NP-7332).

§ t² Model: $\dot{Q}(t) = \mathrm{Min}\left[520 + 108 \cdot L,\ 520\,(t/725)^2\right]$ kW

Where 108*L is obtained from $Q_{ct} = 0.45 \cdot q_{bs} \cdot A_o$, assuming $A_o$ is the cabinet width (0.6 m) times the length of the burning tray. The length of the burning tray, L, is calculated as a function of time assuming 10 ft/hr.

This scenario assumes a 520 kW growing fire due to the cabinet flames propagating to cable trays above. Once the equipment affected by the cabinet fire is ignited, the fire is assumed to spread horizontally in the cable trays.

Vents: Closed and open doors

Scenario 1b: Energetic Fire in A4 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW)

§ EC201 & EC240 stack fire starts at 0 min (100, 120 kW)

§ DA008 tray fire starts at 0 min (100 kW, 3 ft of tray)

§ EA201 tray fire starts at 0 min (100 kW, 3 ft of tray)

§ Peak heat release rate = 520 kW + fire intensity due to horizontal flame spread in cable trays (Flame spread rate of 10 ft/hr, Ref EPRI NP 7332).

§ t² Model: $\dot{Q}(t) = 520 + 108 \cdot L$ kW

See discussion for definition of parameter L in scenario 1a above. This scenario assumes a 520 kW fire as the initial heat output due to the explosion, and a sustained cable fire that spreads horizontally in the trays.

Vents: Closed and open doors

Scenario 2: Fire in B55 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW)

§ EC201, EC205 & EC236 stack fire starts at 7 min (100, 140, 160 kW and 3 ft, 4.2 ft and 4.8 ft of tray respectively)

§ Peak heat release rate = 500 kW

§ t² Model: $\dot{Q}(t) = \mathrm{Min}\left[500,\ 500\,(t/1500)^2\right]$ kW

Vents: Closed and open doors

Scenario 3: Fire in B56 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW)

§ EC201, EC205 & EC236 stack fire starts at 7 min (100, 140, 160 kW and 3 ft, 4.2 ft and 4.8 ft of tray respectively)

§ Peak heat release rate = 500 kW

§ t² Model: $\dot{Q}(t) = \mathrm{Min}\left[500,\ 500\,(t/1500)^2\right]$ kW

Vents: Closed and open doors

Scenario 4: Fire in Y22 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW)

§ DA008 fire starts at 14 min (100 kW, 3 ft of tray)

§ Peak heat release rate = 200 kW

§ t² Model: $\dot{Q}(t) = \mathrm{Min}\left[200,\ 200\,(t/840)^2\right]$ kW

Vents: Closed and open doors

Scenario 5: Fire in B6 cabinet

Heat release rate profile:

§ Cabinet fire heat release rate (100 kW)

§ EC201, EC205 stack fire starts at 7 min (100, 120 kW, and 3 ft and 3.5 ft of tray respectively)

§ Peak heat release rate = 320 kW

§ t² Model: $\dot{Q}(t) = \mathrm{Min}\left[320,\ 320\,(t/1020)^2\right]$ kW

Vents: Closed and open doors

Scenario 6: Bounded by scenarios 2 and 3

Notice that the highest fire intensity in the initial zone of influence occurs in scenarios 1a and 1b.

Notice however, that cable fires, not the electrical cabinet itself, contribute to the majority of the heat release rate. This is also the case for scenarios 2 through 6. All the cable trays in room 99M assumed to burn in the selected scenarios are around 8 ft above the floor. Based on this argument, the fires were located 8 ft above the floor. Given that scenario 1 resulted in the highest heat release rate, it was decided to extend the duration of the fire for two hours. Cable fires would continue propagation during the entire duration of the simulation.
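The Table 3 inputs can be cross-checked against the cable tray correlation of II.1.3.3 and the t² model of II.1.3.6. The following Python is an added example, not code from the report; it assumes a 24 in (2 ft) tray width, time t in seconds and burning length L in metres, and all function and variable names are illustrative.

```python
"""Added example: cross-check of the Table 3 heat release rate (HRR) inputs."""

FT_TO_M = 0.3048
Q_BS_KW_M2 = 400.0      # bench-scale value selected in II.1.3.3
TRAY_WIDTH_FT = 2.0     # 24 in tray width (assumption stated in the lead-in)
CABINET_WIDTH_M = 0.6   # cabinet width behind the 108*L term of scenario 1a

# Constructed from the Table 3 rows: cabinet HRR, burning length of each
# ignited tray, the stated peak HRR and the time to peak of the t^2 model.
SCENARIOS = {
    "1a": {"cabinet_kw": 100.0, "tray_lengths_ft": [3.0, 3.5, 3.0, 3.0],
           "stated_peak_kw": 520.0, "t_peak_s": 725.0},
    "2": {"cabinet_kw": 100.0, "tray_lengths_ft": [3.0, 4.2, 4.8],
          "stated_peak_kw": 500.0, "t_peak_s": 1500.0},
    "3": {"cabinet_kw": 100.0, "tray_lengths_ft": [3.0, 4.2, 4.8],
          "stated_peak_kw": 500.0, "t_peak_s": 1500.0},
    "4": {"cabinet_kw": 100.0, "tray_lengths_ft": [3.0],
          "stated_peak_kw": 200.0, "t_peak_s": 840.0},
    "5": {"cabinet_kw": 100.0, "tray_lengths_ft": [3.0, 3.5],
          "stated_peak_kw": 320.0, "t_peak_s": 1020.0},
}


def tray_hrr_kw(length_ft, width_ft=TRAY_WIDTH_FT):
    """Q_ct = 0.45 * q_bs * A_o for a tray burning over length x width."""
    area_m2 = (length_ft * FT_TO_M) * (width_ft * FT_TO_M)
    return 0.45 * Q_BS_KW_M2 * area_m2


def computed_peak_kw(scenario):
    """Cabinet HRR plus the correlation result for every tray in the row."""
    row = SCENARIOS[scenario]
    return row["cabinet_kw"] + sum(tray_hrr_kw(x) for x in row["tray_lengths_ft"])


def peak_mismatch_fraction(scenario):
    """Relative difference between the recomputed and the stated peak HRR."""
    stated = SCENARIOS[scenario]["stated_peak_kw"]
    return abs(computed_peak_kw(scenario) - stated) / stated


def t2_profile_kw(t_s, q_peak_kw, t_peak_s):
    """Table 3 form Min[Q_peak, Q_peak * (t / t_peak)^2]; zero before ignition."""
    if t_s <= 0:
        return 0.0
    return min(q_peak_kw, q_peak_kw * (t_s / t_peak_s) ** 2)


def spread_hrr_per_metre_kw():
    """HRR added per metre of burning tray: 0.45 * q_bs * cabinet width."""
    return 0.45 * Q_BS_KW_M2 * CABINET_WIDTH_M


def scenario_1a_kw(t_s, spread_ft_per_hr=10.0):
    """Scenario 1a form Min[520 + 108*L, 520 * (t/725)^2] with L(t) in metres."""
    if t_s <= 0:
        return 0.0
    length_m = spread_ft_per_hr * FT_TO_M * t_s / 3600.0
    cap_kw = 520.0 + spread_hrr_per_metre_kw() * length_m
    return min(cap_kw, 520.0 * (t_s / 725.0) ** 2)


def hrr_table(scenario, t_end_s, step_s=60.0):
    """(time, HRR) pairs for one scenario, the shape a zone model input takes."""
    row = SCENARIOS[scenario]
    points = []
    t_s = 0.0
    while t_s <= t_end_s:
        if scenario == "1a":
            q_kw = scenario_1a_kw(t_s)
        else:
            q_kw = t2_profile_kw(t_s, row["stated_peak_kw"], row["t_peak_s"])
        points.append((t_s, q_kw))
        t_s += step_s
    return points


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, round(computed_peak_kw(name), 1),
              "kW recomputed vs", SCENARIOS[name]["stated_peak_kw"], "kW stated")
    for t_s, q_kw in hrr_table("2", 1800.0, step_s=300.0):
        print(f"scenario 2  t={t_s:6.0f} s  Q={q_kw:6.1f} kW")
```

The recomputed peaks differ from the stated ones only by the rounding of each tray value to the nearest 10 kW.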

The following graphs provide numerical results calculated with CFAST for scenario 1. Upper layer temperature values are read on the right y-axis, heat release rate on the left y-axis. In general, no upper layer temperature exceeded 500 °F. This temperature level is observed only in Scenario 1b. This is the scenario with the highest heat release rate.

Figure 14: CFAST results for upper layer and heat release rate in scenario 1a. [Plot: CFAST Results Scenario 1a, Open room door; series: Calculated HRR, Input HRR, UL Temperature; axes: Time [Sec], [kW], [°F].]

Figure 15: CFAST results for upper layer and heat release rate in scenario 1a. [Plot: CFAST Results Scenario 1a, Closed room door; series: Calculated HRR, Input HRR, UL Temperature; axes: Time [Sec], [kW], [°F].]

Figure 16: CFAST results for upper layer and heat release rate in scenario 1b. [Plot: CFAST Results Scenario 1b, Open room door; series: Calculated HRR, Input HRR, UL Temperature; axes: Time [Sec], [kW], [°F].]

Figure 17: CFAST results for upper layer and heat release rate in scenario 1b. [Plot: CFAST Results Scenario 1b, Closed room door; series: Calculated HRR, Input HRR, UL Temperature; axes: Time [Sec], [kW], [°F].]

The following characteristics are noted from the four graphs above associated with scenario 1:

1. The heat release rate decreases to 0 kW in the first ten minutes of the simulation. This is due to lack of oxygen in the smoke layer, where the cables are burning. The calculated effects of oxygen availability in the fire intensity can be observed by comparing the input heat release rate to the code with the calculated heat release rate. Notice how the calculated profile reaches 0 kW in less than 1000 seconds of simulation.
2. The upper layer temperature reaches a peak value of around 500 °F in the explosion scenario (Figures 16 & 17). The temperature then returns to ambient as the fire intensity decreases.

The following graphs illustrate CFAST results for the remaining scenarios. Note that scenarios 2 and 3 bound scenario 6, and therefore, no results are presented.

Figure 18: CFAST results for upper layer and heat release rate in scenario 2 & 3.

Figure 19: CFAST results for upper layer and heat release rate in scenario 2 & 3.

[Plots "CFAST Results Scenario 2 & 3, Closed room door" and "CFAST Results Scenario 2 & 3, Open room door": Calculated HRR in kW (left axis) and UL Temperature in °F (right axis) versus Time in seconds.]

Figure 20: CFAST results for upper layer and heat release rate in scenario 4.

Figure 21: CFAST results for upper layer and heat release rate in scenario 4.

[Plots "CFAST Results Scenario 4 Closed room door" and "CFAST Results Scenario 4, Open room door": Calculated HRR in kW (left axis) and UL Temperature in °F (right axis) versus Time in seconds.]

Figure 22: CFAST results for upper layer and heat release rate in scenario 5.

Figure 23: CFAST results for upper layer and heat release rate in scenario 5.

[Plots "CFAST Results Scenario 5, Closed room door" and "CFAST Results Scenario 5, Open room door": Calculated HRR in kW (left axis) and UL Temperature in °F (right axis) versus Time in seconds.]

II.1.3.7 Graphical results associated with scenarios 2 through 5 present similar profiles. This is expected because the heat release rate profiles are very similar.

Compared with scenario 1, these other scenarios have slower growing fires and lower peak heat release rates. As a consequence, the model suggests that there is enough oxygen at the beginning of the fire to support rapid fire growth, and therefore, higher temperatures. Slower growing fires consume the oxygen before temperatures increase to hazardous levels.

Summary

Several parameters contribute to the extent and timing of fire damage in fire zone 99-M. These include:

  • Size and profile of the initial fire, i.e., how fast the fire grows to its peak and how long it takes before it begins to decay.
  • The cable damage temperature. ANO verified through review of the original and current plant design and installation documents that the cables installed throughout the plant are predominantly thermoset. Thermoplastic cables are, however, used on a very limited basis. A review by the ANO staff identified no thermoplastic cables in the 3 fire zones in unit 1 where this issue was examined for risk, namely, 99-M, 100N and 104S. Therefore our assessment assumed a damage and ignition temperature of 700 °F for cables in these fire zones.
  • Size and location of any cable fire that may be initiated by the initial fire.

The following is a summary of the insights from the fire modeling:

  • The maximum expected fire scenario in the room is an energetic arcing fire in the 4KV switchgear. This is for two reasons. First, this event is capable of the largest set of immediate circuit/equipment damage and, second, the event is capable of initiating secondary cable fires that can cause additional time-phased circuit/equipment failures.
  • A credible fire scenario cannot be postulated in this zone which would result in an immediate damaging 700 °F hot gas layer (HGL). A large ~2 MW fire is needed to produce a damaging 700 °F HGL in this fire zone. Only cable fires in the room are capable of generating such intensity if enough cables are burning. Even if such a large cable fire can be sustained (unlimited oxygen) it will take about 2 hours for the cable fire to propagate to this size.
  • Large elevated cable fires that continue to grow unabated cannot be sustained due to oxygen limitation:
1) Cable fires can only burn inside the hot gas layer. Assuming no manual intervention, with either closed or open doors, the cable trays will be immersed in smoke because the height of the door is not high enough to allow for smoke movement from the top section of the room, and no automatic extraction system is in place. The fire eventually would be oxygen controlled if it keeps growing in such an environment. CFAST results are consistent with this argument.
2) If the simulation is run with open doors, AND the fire is assumed at an elevation lower than the steady state position of the hot gas layer, the fire will have enough oxygen to burn at the stipulated intensity. Therefore, assuming open doors, a cable fire located about 1 m high and growing up to 2 MW in 1.5 hours can generate a hot gas layer of 700 °F. All cable trays in fire zone 99-M are located above the steady state position of the hot gas layer, i.e., 6 ft. With closed doors, the smoke layer would reach the floor, and eventually the fire will be oxygen controlled.

II.2 Analysis of Operator Response and Reliability

II.2.1 Information Collection and Simulation of Fire Scenarios

II.2.1.1 Purpose

The Human Reliability Analysis (HRA) team of Bill Hannaman and Alan Kolaczkowski, led by Bijan Najafi, visited the ANO-1 site on April 14 through 18th to obtain input for the HRA task, and support other parts of the evaluation of a hypothetical fire in location 99-M. Parallel work on fire modeling was performed by Francisco Joglar. The aim is to support a reevaluation of the CCDP for 99-M that includes the impact of realistic fire growth timing and fire damage on human actions. This work follows a significance determination evaluation by the NRC. The significance determination process reached a conclusion that there was a lack of adequate procedures and the strategy for implementing the manual actions was inadequate, which may result in a potential for a greater than green condition for ANO-1.

Additional information has been obtained to evaluate the potential for more clearly addressing the analysis assumptions used in modeling both the fire scenario (growth and damage of the fire), and a crew's ability to manage the plant cooling from the control room and locally. To evaluate the feasibility of control room and manual actions, the ANO-1 plant simulator and local task walkdowns were used.

II.2.1.2 Key activities

The key activities accomplished for the HRA evaluation with ANO-1 were to (1) identify a set of realistic fire scenarios for zone 99-M, (2) identify and visit locations in the plant where local manual actions could be performed to maintain cooling and avoid core damage given a fire in 99-M, (3) observe two simulations of a fire in 99-M originating in the A4 switchgear (one with the original procedures and one with new procedures that include pre-emptive actions), (4) review the ANO-1 PRA model for addressing the fire issues in 99-M, (5) adjust the HRA values (based on walkdowns and simulation observations) in the existing model to account for fire dependencies, and (6) identify actions that are fire unique that should be added to the model. Then develop findings for the HRA.

II.2.1.3 Plant Support

The HRA team was well supported by the plant operational personnel in this effort. Dale James, Engineering manager, made arrangements and provided information as needed. Ron Rispoli and Tom Robinson, fire protection, provided information and escort during the walkdowns. Mike Cooper, licensing, discussed elements of the work. Ron Hendrix, Dale Smith and Randy Kulbuth, electrical engineering, provided evaluations of circuits in the cable trays to support development of the component damage as a function of cable locations. Ken Canitz provided integration of the fire growth damage model into the inputs of the simulator and testing of the scenario. Gerald Storbakken provided the updated procedure attachment for fire in 99-M.

Jessica Walker, PRA support, calculated the CCDP using information from the equipment failure listing and adjusted HRA values, collected information on the local actions, and made simulator observations for additional crews.

Dan Smith and Nolan Edwards operated the simulator with Andy Clinkingbeard's support.

Marlin Fletcher provided the fire brigade communications to the control room crew. Two full operating crews (5 control room and 2 local operators supported the simulation) and Bob Eichenberger provided management oversight of the crews. Additional manual action observers included Kathy Ashley and Bob Clark.

II.2.1.4 Site Activities

The following on-site activities were accomplished for the HRA.

Identified fire-generated cues for action. Note that for the simulated zone 99-M A4 switchgear fire, a specific fire alarm was not expected, although a fire system trouble alarm does occur due to loss of fire panel electrical power in this fire. Since an immediate and automatic reactor trip was also not expected even with a loss of A4, a manual trip is still initiated (as evidenced by actual response of crews during the simulated fire) because a significantly large number of alarm tiles were lighted. The loss of A4 prompts a check of the switchgear area by a local operator who will report, after a few minutes time delay, that a fire has occurred.

For other scenarios and other fire locations, the cues could be similar and/or include a fire alarm.

Identified possible false signals from the fire scenario. It is recognized that fires might cause the lack of or spurious alarms. For the simulated 99-M A4 switchgear fire, such conditions were simulated. It was observed that those associated with non-working or unneeded systems or equipment were put on lower priority by the crew, thus no time was wasted on working on false alarms.

Identified hot shorts that might activate equipment. It is recognized that fire might cause hot shorts that could spuriously operate equipment. For the simulated 99-M A4 switchgear fire, a few significant equipment failures were simulated (e.g., failure of service water cooling to an operable diesel generator and an unalarmed closure of CV-2800, the suction valve for the motor driven emergency feedwater pump 7B, which when closed could lead to overheating and failure of the pump). In the simulated event, the operators noticed and protected the equipment from damage by shutting it down.

Assisted in converting the equipment damaged in a realistic fire scenario in 99-M into a timing sequence for the simulator.

Assisted in establishing event timing and order based on information from the 99-M A4 switchgear fire scenario timing and circuit failure analysis (Four time triggers at T=0, T=2 min, T=5 to 9 min, and T= 15 min).

Identified equipment that is unavailable due to the A4 fire (equipment simulated to progressively fail in an undesired state).

Assisted in identifying the success path equipment if zone 99-M equipment is inoperable (SG cooling success paths initially included emergency feedwater motor pump, emergency feedwater steam pump, and MFW turbines to atmosphere or condenser; also HPI cooling to containment with containment switch over, if damage progressively fails the equipment).

Assisted in the mock-up of the zone 99-M fire scenario on the simulator (decision was made to model failures in the entire room by T=15 min, because that way, observations could be made of crew response for both the realistic fire and the worst case hot gas layer fire).

Identified capability for ex-control room actions to start or control equipment needed in the zone 99-M fire scenario by walking down each location where a manual action could need to be taken.

Revised the fire brigade script to match the hypothetical fire in 99-M. Fire brigade communications with the crew were also made part of the zone 99-M fire simulation to add realism and additional workload burden and distractions. See Appendix B.3 for the script basically followed during the simulation.

Observed simulated zone 99-M A4 fire scenario and crew actions (in-control room activities; ex-control room activities were also observed by ANO-1 engineering staff using a form designed to document the observations) using current procedures to address fire issues. Symptom based procedures with floating steps illustrated opportunistic responsive control behavior.

Observed same simulation and crew activities using updated procedures to address fire issues. This time, symptom based procedures were used with specific directions to manage cooling with specific cooling trains. Steps illustrated tactical pre-emptive control behavior.

Collected data for human reliability assessment of ex-control room actions. Developed a form for collection of information on the details of each action cued by a call from the control room at the simulator. Took notes and documented timing for key actions leading to establishing the key system alignments for plant cooling.

Reviewed the PRA model for CCDP calculations applied to the zone 99-M A4 fire including the HRA assessments, and assisted in establishing the process for updating the model for fire conditions using current EOPs and new fire attachment.

II.2.1.5 Analysis Activities

Reconciled notes between observers and simulator printouts.

Compiled HRA data for use in the evaluation.

Evaluated the impact of the new procedure on the HRA values and identified the changes expected in the simulation.

Developed HRA model and described issues for use in the CCDP evaluation.

Assisted in quantifying the CCDP given a significant A4 fire in 99-M and required operator actions due to effects of the fire.

Added new HRAs to address modeling needs and simulator observations.

Documented results.

II.2.1.6 Walkdown items

The following items were observed to demonstrate feasibility of the action.

Emergency lighting was available at each local site where a local recovery or repair action was postulated.

All electric breakers for aligning EFW valves were easy to get to, and well labeled and coded according to a matrix scheme.

Local breaker operational procedures and tools (e.g., hooks) for operating the breakers were available in cabinets near each breaker location.

Bus position indications are available on the breaker cabinets to note breaker open-closed condition.

Local manual valve operations for opening or closing and controlling could be easily handled for EFW 7A and 7B trains. Some of the isolation valves could be operated only with ladders in-place. Valve position was determined primarily by stem position, as some of the position indicators were hard to read.

Feedback on SG level is available from the control room via the phone system.

The EFW turbine driven pump is located in a fire-protected environment. Local procedures are on the wall for repair of over speed and other protective trips (Procedure 1106.006).

All local control valves, breakers, and instrumentation used in this scenario were within the main plant buildings.

The local actions are cued by verbal instructions from the control room.

II.2.1.7 Procedure review and training simulator

EOPs

ANO-1 uses symptom-based emergency operating procedures, and functional recovery procedures. Operators are trained on a full scope control room training simulator. In a simulation of a realistic fire in zone 99-M, the crews pursued multiple paths for maintaining or restoring one of three feedwater systems: (1) the turbine driven emergency feedwater system, (2) the motor driven emergency feedwater system, and (3) the main feedwater system which was available. Another option is to use HPI cooling, but this was clearly a last alternative. The selection of trains to use was up to the operators when choosing the floating steps from the EOPs to apply. The new procedure attachment (1203.009) provides a clear line up and protection strategy. This reduces the potential of errors in selecting the trains and components. This advantage is reduced by the time it takes to reach the procedure as the fire could be out before the operators reach the protective steps.

Simulator

The fire damage model was tied to several time phases in the simulator as summarized in Appendix B.1. Equipment failures and timing are shown in Appendix B.2. The simulator fidelity was very good. No indications of differences in the control room and simulator were noted except the fire indication panel is not modeled in the simulator. In this scenario the fire alarm panel power supply is lost on the A4 bus trip with only the fire panel trouble alarm activated.

II.2.1.8 Simulation of 99-M Fire Scenarios

The simulation of a fire in zone 99-M integrated the efforts of six activities. These are (1) identification of the equipment failures as a function of timing from the fire growth model, (2) testing the simulation to identify unusual or unexpected behaviors, (3) providing communications that would be expected (fire brigade, manual actions, and external communications), (4) modeling crew organization for fire (leaving four in the control room and one of the three local operators1), (5) observing the control room crew actions and communications during the simulation, and (6) verifying the local manual actions called for by the crew. This information is used to verify feasibility of the local actions and to provide HRA inputs to the evaluation of the conditional core damage probability (CCDP). Typical requested actions during the simulations included:

  • Investigate A4 bus
  • Go to A3 and be ready to Check equipment
  • Check position of A-306
  • Local manual control of EFW 7A (throttle 2620 and 2627)
  • D1512 - (CV2663 P7A turbine steam admission valve power) OPEN from breaker room
  • D5241 - (CV2667 P7A turbine steam admission valve power) OPEN from breaker room
  • Verify location on declaration of Site Emergency

The simulation observations are summarized in Appendix B.1.

II.2.2 Feasibility of Manual Actions

The potential control room and local actions for managing a significant fire in 99-M were demonstrated to be feasible by walkdowns, and by observation of the application in the simulation with local auxiliary operators carrying out a simulation of the instructions in the plant.

The observations from the week at the plant were evaluated from the perspective of the nine inspection criteria for assessing manual actions issued by the NRC 3/6/03.

1 Upon initial investigation they may call for the local fire department. This does not reduce the number of licensed operators in the control room below the minimum needed, and supervisory personnel might be available to provide support.

II.2.2.1 Instrumentation for diagnosis of core cooling status

Simulator observations presented in Appendix B illustrate that the diversity of instrumentation permitted the control room crew to evaluate the hot shutdown cooling process equipment and define needed local actions when some trains of instruments failed in spurious and odd ways.

Once into the hot shutdown-cooling phase the operators were able to prioritize their actions based on the systems and equipment they had available. They were able to diagnose the need to throttle back on the feedwater flow to the steam generators to avoid overfilling using control circuits unaffected by the fire. The feedback on actions taken locally - (inserted by the training simulator supervisor upon verbal communication from the field) - was clearly observed by the board operators and relayed to the procedure reader.

II.2.2.2 Environmental considerations encountered when performing manual action

For a fire in zone 99-M no local actions were required within the zone to maintain core cooling, thus the temperature, smoke, toxic fumes and humidity conditions due to the fire and fire brigade actions would not likely affect the local action within the initial 1 hour of the simulation.

The environmental conditions that the operator would be expected to encounter during the simulated fire were provided verbally to the local operator (e.g., the door is hot and smoke is in the room and you can't enter here). All actions were in the auxiliary building where radiation levels are at a minimum. Emergency lighting was available for all pathways from the control room to the location, including special reflectors in the stairwells. Should the smoke and fumes be released from the affected fire zone, protective breathing gear is available for breaker operations in rooms connected by adjacent hallways.

II.2.2.3 Staffing in control room and fire brigade

The simulation showed the ANO1 staffing plan for fires to be adequate for the 99-M fire event, and it is above the minimum required by the NRC.

The operating staff at the two-unit plant includes 4 licensed operators and a shift engineer in the control room and two auxiliary operators and one waste control operator for each unit. In the case of a fire, a fire brigade of five people is formed. Two members of the brigade will be from the affected unit. The brigade leader will be the waste control operator and the 2nd member from the affected unit will be an auxiliary operator. This leaves the four control room licensed operators, the shift engineer and one local operator for managing the core cooling safety systems.

II.2.2.4 Communications - control room supervisor, local operators and fire brigade

Communications observed during the simulation demonstrated the feasibility of using either set of procedures to successfully manage the core safety functions.

Communications between the control room and all others involved in the simulation were of a high volume, but the self powered radio phones permitted each person to hear the others' communications. The communications were provided on a multiple channel self powered radio system, which is independent of the fire effect in any zone, and loud speakers for plant communications from the control room (e.g., site emergency). The volume of communication was high, but each person focused on only the important communications during the initial stages of the event, which involved verification of the instruction, and verification of the action completion.

II.2.2.5 Special tools for executing a local action

Most of the actions could be performed without any special tools.

In addition to the special tools of gloves, dosimeter, keys, flashlights, etc. some special tools were needed for the A3 breaker operation, because control power to the breakers failed in this event. In particular, a grounding stick, which was available from a nearby location, was needed.

The valves all had attached hand wheels for manual operation.

II.2.2.6 Training on local actions and use of procedures

The local auxiliary operators demonstrated good knowledge of the locations and how to operate each equipment type.

For actions called for by the control room crew there was no discernible difference between an experienced operator and a recently licensed operator for finding the location and the equipment, assessing the condition, and implementing requested actions using either generic procedures or verbal requests. The conclusion from this observation is that the training process for field operators provides the key knowledge for operating any equipment specified by the control room in addition to the guidance provided by procedures for generic operation of the equipment.

II.2.2.7 Accessibility for performing local actions

The plant walk down demonstrated that the location and the equipment for performing each action were accessible. The simulation confirmed that the timing for performing the actions was adequate.

A walk down of the pathways prior to the simulation was undertaken to verify that the possible local actions could be undertaken. While most of the valves and breakers were easily accessible from normal height or by climbing permanently fixed ladders, one valve for steam admission from steam generator A to the 7A EFW turbine had very difficult access over several pipes and in a cramped area. Its redundant valve from steam generator B to the 7A EFW turbine was more easily accessible via a fixed ladder. Hazard warnings or other obvious obstacles did not restrict operators from operating the key safety valves or breakers. The pathway to each location was accessible without going through fire zone 99-M.

II.2.2.8 Procedures for response to a complex fire scenario

The evolution of a fire in zone 99-M is expected to be a very rare event; even so, it was demonstrated during the simulation that the current EOPs and new attachment could be used to manage an extensive fire in that zone.

Current EOP/AOP/Pre-Fire Plans

The current ANO1 symptom based EOPs provided adequate guidance for a crew licensed on the ANO1 plant to manage all of the systems needed to protect the core following a fire in 99-M.

This was demonstrated by observation of one crew in the simulator, who successfully cooled the core following the procedures and selecting the necessary floating steps. There was no time required for studying any element of the procedure, as the crew appeared to have in mind all the elements of how to maintain cooling given a continuously eroding man-machine interface. The current procedures were applied in an opportunistic manner to manage core cooling safety trains during the event. The phasing of the fire permitted some successful automatic alignments early in the sequence; however, the operators did not anticipate protecting the operating equipment from spurious operations by removing power from the valves that were manually positioned.

New fire procedure attachment

The new attachment provides specific guidance for lining up, controlling, and preventing spurious actions from stopping a key safety train given a fire in 99-M.

In simulation of this event the crew did not start the new attachment for about 15 minutes after the fire started. By this time it is expected that the damage to cables and the potential for new spurious actions would be over, even if the temperature of the damaged switchgear was high enough to cause additional self ignition. Fortunately, the new attachment provides a process for moving valves and breakers into their correct positions for core cooling, and then removing the electric control power to prevent a future spurious operation. The fact that the new attachment provides specific valve and breaker identification numbers for communication to the local operators for a fire in 99-M means that the control room is more likely to be operating in a tactical manner for managing core cooling equipment during the event. Since the new attachment had only recently been written, the crew had not practiced on the procedure before the simulation.

II.2.2.9 Verification and validation of local manual actions

Our walk down and simulation exercise provided a verification and validation that the current procedures as well as the new attachment could be performed to protect the core in the event of a fire in 99-M.

The control room identification of the action, the timing of the action, the route to the local stations being clear of the fire zone, and the use of current auxiliary operators in the simulation clearly showed that such actions can be performed. The only issue remaining is the effect that a real fire might have on the local environment (e.g., smoke, heat and toxic gases). The crew is trained in the use of protective gear including special breathing packs.

Once the actions are shown to be feasible the next step is to determine the reliability of the action considering the details of the elements used in quantifying the error potential for each action as is done in the next section.

II.2.3 Reliability of Manual Actions (Human Reliability Analysis - HRA)

To evaluate the impact of a fire on the crew actions a human reliability modeling approach was developed using the current human error probability (HEP) values developed from the SAIC TRC model [Ref. 14], which is an integrated single model that considers timing and other factors to produce a single human failure event (HFE) value. The HFE represents an integration of error factors that apply to the scenario, whereas HEP refers to the human error associated with a defined task not yet integrated into the overall scenario. The EPRI HRA calculator was used to supplement the initial assessments with revisions in the P1 and P3 assessments.

II.2.3.1 Current HRA model in the CCDP

The equation for the SAIC TRC is a lognormal distribution of the following form:

$$P(t) = \int_{t}^{\infty} \frac{1}{\sqrt{2\pi}\,R\,s}\,\exp\left[-\frac{1}{2}\left(\frac{\ln(s/m)}{R}\right)^{2}\right] ds$$

The HRA analyst accounts for the operational context by adjusting the parameters m and R for rule-based versus knowledge-based behavior, no burden versus burden, and other performance influencing factors.

The HFEs for non-recovery are based on the TRC system, which assigns an error mode category, location, response time, time available, error factors, and other uncertainty factors. Defaults are provided based on the event categorization, and rules of thumb are provided for the application context. This system is useful for single scenario recovery models. The internal events application of the TRC model assumes good control and indication interfaces in the control room and locally, reliable instrumentation and no smoke or flame nearby. It does not explicitly address the cognitive areas of detection, situation assessment, planning, and execution of the task (in the control room or locally).

The CCDP model for zone 99-M was developed by considering the bounding components that could be damaged in a realistic fire as summarized in Appendix B.2. Based on the fire growth model this included all equipment in an A4 breaker cabinet and the two cable trays above it. In the realistic fire the amount of combustible material to feed the fire is not sufficient to form a hot gas layer that damages the remaining equipment in the room2. Thus, the fire model used to 2In the simulation the realistic fire was expanded to assume a hot gas layer at T=15 min to extend the simulation by damaging all equipment in the room. Even in this case both crews demonstrated that the current and enhanced EOPs were sufficient to

44 update the CCDP includes the effects of failure of the wiring in the A4 breaker cabinet and the cable trays above it. Since the hot gas layer would not affect the cables that are remote from the fire, these cables are expected to remain insulated and operable.

II.2.3.2 Update Modeling Process The existing HFEs in the model were extracted from the base case internal events CCDP model as calculated above with the SAIC TRC as the starting point for the HRA evaluation. The aim of the HRA fire evaluation is to update the HFEs provided for a transient model by considering the impact of the fire on the ability to identify and take key actions given that the base case assumptions of actions in the control room, reliable instrumentation and working controls are available. In the fire scenarios for 99-M the instruments are not reliable, the controls may become unavailable and the actions may have to be taken locally manually. To update the existing HFEs it is assumed that the impact of the fire is to increase the error probability. To systematically evaluate this effect, methods discussed in EPRI -TR-000259 [Ref. 15] are used to examine potential cognitive errors and NUREG/CR-1278 [Ref. 16] is used to evaluate errors in execution of the task.

Thus, for any fire scenario the HFEs for the basic action can be examined and adjusted to account for the fire effects on local actions taken when the MCR environment is unaffected by the fire. The main effect is that some instruments are lost, some may indicate the wrong position, and some might change during the fire. The basic local action must be feasible, where the feasibility of the action can be demonstrated by having the time available, proper tools, interface capability, etc. A fire impact delta HEP was developed to account for the increase in failure potential caused by the fire by considering additional cognitive failures in dealing with unreliable instrumentation and controls and implementation (execution) errors in the manual actions due to local conditions. The HEP is calculated from estimates of the change in the cognitive and execution failure probabilities as impacted by the fire conditions as shown below.

No effort has been made to adjust the original TRC value for similar error modes considered in the initial assessment. Hence, the values generated may be considered to be conservative in that regard.

The process used for generating a set of generic conditions for each HEP is discussed in Appendices A and B.

manage core cooling. They reached stable hot shutdown conditions assuming that the hot gas layer failed all the other equipment in the fire zone.

$$HEP_{fire} = P_{cog} + P_{exe} - P_{cog} \times P_{exe}$$

$$HFE_{fire} = HFE_{Transient} + HEP_{fire} - HFE_{Transient} \times HEP_{fire}$$

II.2.3.3 HRA Quantification Elements

The values for Pcog and Pexe that are impacted by the fire have been obtained by considering different combinations of actions in version 2 of the EPRI HRA calculator [Ref. 17]. The cases assessed are listed below and presented in Appendix A.1. The cases described below were selected to address changes in the HEP for fire conditions that are needed for risk comparison.

Primarily they address the use of the existing procedures and the revised procedure. Since detection, planning and execution of the actions could take place either in the control room or locally, a variety of cases are needed to address the specific conditions for the key actions identified in the base internal events study. Thus, cases 1 and 2 address the impact of a remote fire - when all actions are carried out within the control room - for current and new procedures.

Case 3 addresses decisions in the control room that direct local actions. Case 4 addresses immediate actions following a trip decision. Case 5 addresses cases where the evaluation and decision on how to proceed are made primarily locally.

Cases 6 and 7 address those HFEs where the fire conditions would result in no change (e.g., a pre-initiator action for restoring a system alignment), or the action is not feasible (e.g., open or close a breaker in the affected fire zone as a recovery action).

Case 1 FIREOLDP - generic assessment for current EOPs with floating steps in MCR
Case 2 FIRENEWP - generic assessment for new attachment with identification of specific equipment and protective actions in MCR
Case 3 99-MFIRECR - assessment for decisions in CR and actions local
Case 4 99-MFIRECRE - assessment of CR actions early (e.g., immediate actions)
Case 5 99-MFIRELOCAL - assessment of both decisions and actions made locally
Case 6 Equipment not available - assign 1 to the HEP
Case 7 No difference identified - assignment of the same HEP to both the Current and New procedure.

Data to support the assessment were obtained from plant walkdowns to the locations where the local manual actions can be performed, observation of two simulator runs for a fire growing in 99-M, and observation of simulated local actions during the simulator runs. The resulting changes in HEP due to the hypothetical fire in 99-M are shown in Table 4 for cases described above.

The existing HFEs in the CCDP model were then updated by assigning the values in Table 4 as changes to the overall scenario description.

Table 4: Summary of potential HEP increase cases due to Fire in zone 99-M

| Case | Event ID | Basic Event Description | Pcog | Pexe | HEPfire |
|---|---|---|---|---|---|
| 1 | FIREOLDP | Realistic fire in 99-M failures at T-0 T-2 T-5 T-9 and T-15 | 9.8e-03 | 7.50E-04 | 1.1E-02 |
| 2 | FIRENEWP | Realistic fire in 99-M with new procedures all actions in CR | 2.6e-03 | 6.10E-04 | 3.2E-03 |
| 3 | 99-MFIRECR | Realistic fire in 99-M decisions in CR with local manual actions | 9.8e-03 | 2.00E-02 | 3.0E-02 |
| 4 | 99-MFIRECRE | Realistic fire in 99-M Early CR actions | 4.7e-03 | 4.3e-04 | 5.1E-03 |
| 5 | 99-MFIRELOCAL | Local actions taken by field operators | 1.5e-02 | 2.6e-02 | 4.1E-02 |
| 6 | | Not Feasible | 1 | 1 | 1 |
| 7 | | No Change | 0 | 0 | 0 |

The detailed evaluations are provided in Appendix A.1 as output from the EPRI HRA calculator.

II.2.3.4 New Manual Actions

New manual actions, not in the original PRA, were identified during both the observations of actions in the simulator and during the CCDP analysis.

Potential manual actions from simulator observations

From the simulator observations three potential new manual actions were identified. These are:

(1) If the manual trip did not occur quickly, then the fire might remove power from the 7A and 7B pump train valves and there would be no automatic start alignment. This might lead to local manual actions for alignment of the steam admission valves to the turbine and train alignment for the water supply to the steam generators (SGs).

Response is - the CCDP model does not have to be changed because all valves in 7B are in correct alignment during standby and only a check valve opens when EFW starts. In the case of 7A only the steam admission valves are closed and these are modeled as if they can be opened manually if spuriously shut. The new procedure also would reopen and isolate the power supply.

(2) If the operators fail to isolate letdown or another primary valve fails open and HPI pumps are unavailable then a loss of primary coolant could lead to core damage. Thus, the small loss of coolant accident (SLOCA) scenarios might be included in the CCDP model to represent the spurious opening of a primary system valve leading to the containment.

Response is - the CCDP model does not have to be changed because the letdown flow is small, and under these conditions including rapid cooldown and HPI pumps available (in the realistic fire) is not a core damage concern, but an operational one.

(3) Failure to address spurious closure of CV-2800 damages the 7B pump causing loss of one train of EFW.

Response is - the CCDP model does not have to be changed because this is accounted for within the random failure rate. Spurious closure of this valve requires a hot short and applies only if the hot gas layer occurs which is shown to be not possible with the material loading in the fire zone. This was modeled in the simulator assuming the worst failure mode for an extended fire.

Manual actions identified during analysis of CCDP

(1) RECA3LOCAL Operator fails to locally close 4160 Volt power breaker as a result of loss of dc control power due to open circuit caused by the fire. This manual action re-establishes the electrical power for all systems (except the 7B motor) drawing from the A3 bus including high-pressure injection pumps. The operators open the breaker door and use the manual push button to close the breaker.

The operators are highly trained on this action, which is proceduralized as part of the Alternate Shutdown action steps. The procedures require use of flash protection, which takes about five minutes to don. A base case assessment without fire was performed using the same model as the other recovery actions.

The resulting HFE for this action is 5.12E-2 with a hardware failure of .02 yielding a base case result of 7.12E-2 for manually closing a 4160-volt breaker.

(2) RECP7BLOCAL This action and context conditions are the same as above except it is for the breaker that supplies the 7B pump directly. The resulting HFE is calculated in the manner described above yielding a base case result of 7.12E-2 for manually closing a 4160-volt breaker.

II.2.3.5 CCDP Input Results

The base PRA integrates recovery actions (restoring the function represented by a failed component) on a cutset-by-cutset basis. Only one recovery was in each cutset of the CCDP model. Each action in the initial model was evaluated to estimate the likely impact of the fire.

In cases where the component was clearly damaged by the fire the HEP was set to one. In other cases the elements from Table 4 were used to represent the HEP case. When there was no perceived difference between the current and new attachment the delta HEP increase was the same for both. The results shown in Table 5 are inputs to the CCDP model.

The values in Table 5 are the combination of the basic HFE and the Pcog and Pexe from Table 4 for a specific case assigned. The case identifies the values applied. If two numbers appear in the case column, then the first is the Pcog and the second is the Pexe. This was applied when the relationship between the procedures and local action was different from the base cases. The events in italics were added as a result of the observations in the simulator and needs of the CCDP evaluation. The base modeling process was used to provide the initial cases for the new events.

Table 5: Summary of adjusted HRA values in the CCDP model for fire in zone 99-M

| Event Name | Description | Base HFE Probability | HFE Using Current EOPs | Fire Case | HFE using new att. | Fire Case |
|---|---|---|---|---|---|---|
| EDGOPER2 | OPERATOR FAILS TO OPEN MANUAL VALVE 2AAC-17 | 8.51E-02 | 1.22E-01 | 5 | 1.12E-01 | 3 |
| EDGOPER-R | OPERATOR FAILS TO START DG AAC | 6.47E-03 | 6.47E-03 | 7 | 6.47E-03 | 7 |
| HHF101275C | OPERATOR FAILS TO CLOSE CV-1275 PER EOPS | 1.81E-03 | 4.23E-02 | 5 | 3.14E-02 | 3 |
| INVALTREC | OPERATOR FAILS TO ALIGN SWING INVERTER (Y15 FOR RS1/3, Y25 FOR RS 2/4) | 1.32E-01 | 1.00E+00 | 6 | 1.00E+00 | 6 |
| OPER-13 | OPERS FAIL TO RE-ENERGIZE A1/A2 FROM ST2 GIVEN TRANS EVENT | 4.88E-04 | 1.10E-02 | 1 | 3.69E-03 | 2 |
| OPER-13H | OPERS FAIL TO RE-ENERGIZE H1/H2 FROM ST2 GIVEN TRANS EVENT | 4.00E-01 | 4.06E-01 | 1 | 4.02E-01 | 2 |
| OPER-15 | Operator fails to open CV1276/77 to allow for piggyback during injection | 2.55E-03 | 4.31E-02 | 5 | 3.21E-02 | 3 |
| OPERF-15 | OPERATORS FAIL TO TRIP BEFORE LOSS OF POWER TO EWF ALIGNMENT VALVES 7A & 7B | 0.00E+00 | 3.06E-02 | 4_5 | 3.06E-02 | 4_3 |
| OPERF-16 | OPERATORS FAIL TO CORRECTLY ISOLATE LETDOWN LINES | 0.00E+00 | 3.55E-02 | 3_5 | 2.85E-02 | 2_3 |
| OPERF-17 | OPERATORS FAIL TO RECOVER CV2800 TO RESTORE 7B EFW TRAIN | 0.00E+00 | 4.06E-02 | 5 | 2.96E-02 | 3 |
| QHF1HPITR1 | OPERATOR FAILS TO THROTTLE HPI TO PREVENT RCS PRESSURE RELIEF | 7.24E-02 | 8.22E-02 | 1 | 7.54E-02 | 2 |
| QHF1HPITRD | OPERATOR FAILS TO THROTTLE HPI TO PREVENT SRV LIQUID RELEASE | 1.00E+00 | 1.00E+00 | 1 | 1.00E+00 | 2 |
| QHF1P7ATNL | OPERATORS FAIL TO CORRECTLY RESTORE EQUIP IN EFW TRAIN A | 3.00E-03 | 3.00E-03 | 7 | 3.00E-03 | 7 |
| QHF1P7BTNL | OPERATORS FAIL TO CORRECTLY RESTORE P7B AFTER MAINTENANCE | 3.00E-03 | 3.00E-03 | 7 | 3.00E-03 | 7 |
| QHF1RCPTRP | OPERATOR FAILS TO TRIP RCPS ON 30 MINUTES | 2.12E-03 | 1.26E-02 | 1 | 5.32E-03 | 2 |
| QMANSWREC | OPERATOR FAILS TO OPEN CV3850, 3851 TO TRANSFER EFW SUCTION FROM CST TO SW. | 3.60E-04 | 4.10E-02 | 5 | 3.00E-02 | 3 |
| RECA3LOCAL | OPERATOR FAILS TO MANUALLY CLOSE 4160KV BREAKER TO RESTORE POWER TO A3 BUS | 7.12E-02 | 1.09E-01 | 5 | 9.87E-02 | 3 |
| RECB34 | OPS. FAILS TO CROSSTIE POWER SUPPLY | 4.00E-01 | 4.21E-01 | 3_5 | 4.14E-01 | 2_3 |
| RECB56 | OPS. FAILS TO ALIGN POWER TO B56 | 4.00E-01 | 1.00E+00 | 6 | 1.00E+00 | 6 |
| RECCHGRD01 | OPERATOR FAILS TO ALIGN D01 TO BACKUP CHARGER (D03A OR D03B) | 2.09E-01 | 1.00E+00 | 6 | 1.00E+00 | 6 |
| RECCHRD01 | OPERATOR FAILS TO ALIGN ALTERNATE D03 CHARGER TO D01 | 1.00E+00 | 1.00E+00 | 6 | 1.00E+00 | 6 |
| RECDHMAN | OPERATOR FAILS TO OPEN CV1405/06 ON FAILURE TO REMOTELY OPEN | 9.02E-02 | 1.27E-01 | 5 | 1.17E-01 | 3 |
| RECEFWSRC | OPERATOR FAILS TO SWITCH EFW FROM T41B TO T41 | 9.76E-02 | 1.03E-01 | 4_1 | 1.02E-01 | 4_2 |
| RECHPIMAN2 | OPERATOR FAILS TO OPEN CV1407/08 OR CLOSE CV1300/01 IF FAIL TO OP REMOTELY NONT3 | 1.92E-01 | 2.25E-01 | 5 | 2.16E-01 | 3 |
| RECHPMAN1 | OPERATOR FAILS TO OPEN MU-23, 24 ON LOSS OF 2/4 HPI LINES NON-T3 | 2.76E-01 | 3.05E-01 | 5 | 2.97E-01 | 3 |
| RECINVALT | OPERATOR FAILS TO ALIGN THE SWING INVERTER | 1.00E+00 | 1.00E+00 | 6 | 1.00E+00 | 6 |
| RECLPMAN2 | OPERATOR FAILS TO OPEN CV1276/77 AFTER FAIL TO OPEN REMOTELY TBX | 9.48E-02 | 1.32E-01 | 5 | 1.22E-01 | 3 |
| RECLPMAN3 | OPERATOR FAILS TO OPEN DH SUPPLY TO HPI SUCTION AFTER REMOTE OP FAILURES | 1.06E-01 | 1.42E-01 | 5 | 1.32E-01 | 3 |
| RECMANDC | OPERATOR FAILS TO OPEN BRKR LOCALLY AT A1 FROM UAT AND CLOSE BKR FROM SUT1 -R -S | 1.17E-01 | 1.53E-01 | 5 | 1.43E-01 | 3 |
| RECMANDCX | OPERATOR FAILS TO OPEN BRKR LOCALLY AT A1 FROM UAT AND CLOSE BKR FROM SUT1 TBX | 1.75E-02 | 5.74E-02 | 5 | 4.66E-02 | 3 |
| RECP7AMAN | OPERATOR FAILS TO RECOVER P7A MAN AFTER EARLY STM ADM OPENING ( -T3) | 1.17E-01 | 1.31E-01 | 5_1 | 1.20E-01 | 2 |
| RECP7AMAN3 | OPERATOR FAILS TO RECOVER P7A MAN AFTER EARLY STM ADM OPENING (TBX, RBX) | 2.18E-02 | 2.71E-02 | 4_1 | 2.70E-02 | 4_2 |
| RECP7AMOV | OPERATOR FAILS TO MAN START/CONTROL P7A REC STM ADM XFER CLOSED OR FTO -T3 | 1.75E-01 | 1.88E-01 | 5_1 | 1.78E-01 | 2 |
| RECP7AMOV3 | OPERATOR FAILS TO MAN START/CONTROL P7A REC STM ADM XFER CLOSED OR FTO TBX RBX | 7.95E-02 | 9.40E-02 | 5_1 | 8.25E-02 | 2 |
| RECP7BLOCAL 2 | OPERATOR FAILS TO MANUALLY ALIGN 4160 BREAKER TO SUPPLY 7B POWER | 7.12E-02 | 1.09E-01 | 5 | 9.87E-02 | 3 |
| RECQMANSW | Operator failure to open valves (3850,3851) and operate handswitch | 1.00E-01 | 1.28E-01 | 4_5 | 1.22E-01 | 4_3 |
| RECSW | OPS. FAILS TO START SW PUMP | 1.00E+00 | 1.00E+00 | 3_5 | 1.00E+00 | 2_3 |
| RECSWECP | OPERATOR FAILS TO ALIGN SW PUMPS TO ECP UPON LOSS OF SW SUCTION FLOW | 1.63E-02 | 1.63E-02 | 7 | 1.63E-02 | 7 |
| RECSWMAN | OPERATOR FAILS TO MAN OPEN AOV CV3840, 41 ON SIGNAL FAILURE | 2.60E-01 | 2.90E-01 | 5 | 2.82E-01 | 3 |
| RECSWRBC2 | OPERATOR FAILS TO MAN OPEN SW TO VCC2A/B OR VCC2C/D ON FAILURE TO OPEN TBX | 7.94E-02 | 1.17E-01 | 5 | 1.07E-01 | 3 |
| RECSWRCECP | OPERATOR FAILS TO OPEN CV3823 TO PROVIDE RECIRC TO ECP (CV3824 FAILS CLOSED) | 5.18E-02 | 9.03E-02 | 5 | 7.99E-02 | 3 |
| SGOFREC | OPERATOR FAILS TO PREVENT SG OVERFILL WITH MFW | 4.28E-02 | 5.79E-02 | 5_1 | 4.59E-02 | 2 |
| SGOFREC2 | OPERATOR FAILS TO PREVENT SG OVERFILL WITH EFW | 2.26E-02 | 3.80E-02 | 5_1 | 2.57E-02 | 2 |
| SWSWINGREC | OPERATOR FAILS TO START AND ALIGN OP SW INCLUDING AVAILABLE POWER SOURCE (NON-T3 | 1.63E-02 | 2.67E-02 | 1 | 1.95E-02 | 2 |
| UHF1THPIAD | OPERATOR FAILS TO ATTEMPT HPI COOLING | 2.89E-03 | 8.00E-03 | 4 | 8.00E-03 | 4 |
| XHF1MEDXXX | OPERATOR FAILS TO BEGIN HPR FOLLOWING M-LOCA | 2.10E-04 | 2.10E-04 | 7 | 2.10E-04 | 7 |
| XHF1SMALLX | OPERATOR FAILS TO BEGIN HPR FOLLOWING S-LOCA | 2.10E-04 | 2.10E-04 | 7 | 2.10E-04 | 7 |
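The following added example (not part of the original report) recomputes a subset of the Table 5 entries from the Table 4 case values and lists any tabulated entry that differs from the recomputed one by more than 1%. It assumes the base HFE, Pcog and Pexe combine as independent failure contributions, 1 - (1 - HFE)(1 - Pcog)(1 - Pexe); the function names and the tolerance are choices made for this example.

```python
import math

# Table 4 of the report: fire case -> (Pcog, Pexe).
TABLE4 = {
    1: (9.8e-03, 7.50e-04),
    2: (2.6e-03, 6.10e-04),
    3: (9.8e-03, 2.00e-02),
    4: (4.7e-03, 4.3e-04),
    5: (1.5e-02, 2.6e-02),
    6: (1.0, 1.0),   # action not feasible
    7: (0.0, 0.0),   # no change
}

# Subset of Table 5 rows, copied from the report:
# (event, base HFE, HFE current EOPs, fire case, HFE new att., fire case)
TABLE5_ROWS = [
    ("EDGOPER2",   8.51e-02, 1.22e-01, "5",   1.12e-01, "3"),
    ("EDGOPER-R",  6.47e-03, 6.47e-03, "7",   6.47e-03, "7"),
    ("OPER-13",    4.88e-04, 1.10e-02, "1",   3.69e-03, "2"),
    ("OPERF-15",   0.00e+00, 3.06e-02, "4_5", 3.06e-02, "4_3"),
    ("OPERF-16",   0.00e+00, 3.55e-02, "3_5", 2.85e-02, "2_3"),
    ("OPERF-17",   0.00e+00, 4.06e-02, "5",   2.96e-02, "3"),
    ("RECA3LOCAL", 7.12e-02, 1.09e-01, "5",   9.87e-02, "3"),
    ("RECB34",     4.00e-01, 4.21e-01, "3_5", 4.14e-01, "2_3"),
    ("RECB56",     4.00e-01, 1.00e+00, "6",   1.00e+00, "6"),
    ("RECEFWSRC",  9.76e-02, 1.03e-01, "4_1", 1.02e-01, "4_2"),
    ("RECP7AMAN",  1.17e-01, 1.31e-01, "5_1", 1.20e-01, "2"),
    ("UHF1THPIAD", 2.89e-03, 8.00e-03, "4",   8.00e-03, "4"),
]


def case_increments(case):
    """Return (Pcog, Pexe) for a fire-case label.

    A single number takes both values from that case. Two numbers joined by
    "_" take Pcog from the first case and Pexe from the second, as the report
    describes for the case column.
    """
    parts = [int(p) for p in str(case).split("_")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2 or any(p not in TABLE4 for p in parts):
        raise ValueError(f"unknown fire case label: {case!r}")
    cog_case, exe_case = parts
    return TABLE4[cog_case][0], TABLE4[exe_case][1]


def combine(*probs):
    """Probability that at least one of several independent failures occurs."""
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
    return 1.0 - math.prod(1.0 - p for p in probs)


def hfe_fire(base_hfe, case):
    """Fire-adjusted HFE: base HFE combined with the case's Pcog and Pexe."""
    pcog, pexe = case_increments(case)
    return combine(base_hfe, pcog, pexe)


def audit(rows, rel_tol=0.01):
    """List (event, procedure, case, tabulated, recomputed) for each entry
    whose tabulated value is not within rel_tol of the recomputed value."""
    findings = []
    for event, base, cur, cur_case, new, new_case in rows:
        for label, tabulated, case in (("current", cur, cur_case),
                                       ("new", new, new_case)):
            recomputed = hfe_fire(base, case)
            if not math.isclose(recomputed, tabulated, rel_tol=rel_tol):
                findings.append((event, label, case, tabulated, recomputed))
    return findings


if __name__ == "__main__":
    for event, label, case, tabulated, recomputed in audit(TABLE5_ROWS):
        print(f"{event:11s} {label:7s} case {case:3s} "
              f"tabulated {tabulated:.2E} recomputed {recomputed:.2E}")
```

Under that assumption the single-case rows and most split-case rows reproduce the tabulated values to three significant figures, so entries returned by `audit` are the ones to check against Appendix A.1.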

II.2.4 General Observations

II.2.4.1 Key points

Procedures

Both the current and new EOPs adequately deal with a fire in 99-M.

The current EOPs identify opportunistic actions for establishing key core cooling systems.

The new EOP attachment clearly identifies sets of components for tactically establishing and protecting the core-cooling pathways.

The new EOPs offer slight HEP improvement over current EOPs.

A comparison of key actions with the NRC inspection criteria indicates that they pass a qualitative feasibility test.

Simulations

No core damage was detected during simulations.

Operators were able to maintain large margins on all safety parameters during the simulation.

Simulation of 99-M fire, walk down and observation of local actions called for in EOPs indicates that they are feasible.

A general control room operator comment was demonstrated and repeated during interviews on this process: because of practice in simulators, very complex accident events seem to be routine and cause no significant additional stress.

Human reliability analysis

The CCDP evaluations indicate that the impact of HEP is measurable but small between the two procedures.

A fire in 99-M is expected to increase the HEP for feasible actions over the initial internal events PRA results.

The EPRI HRA calculator facilitates quantification and documentation.

Change in the HFEs ranges from zero to one depending on the fire scenario context. In most cases the change is less than 0.05.

II.2.4.2 Qualitative Evaluation of Feasibility for Manual Actions

Screening for HRA

Both the control room actions and local manual actions have reasonable likelihoods of success in preventing core damage for the realistic fire and the complete room affected fire when failures occur over a time period using the existing procedures. This was demonstrated in the simulation when the control room operators were exposed to the type of alarms and control malfunctions expected from a fire in the 99-M zone. The operators also contacted local operators interacting at the local plant sites as they would under fire conditions.

The strategy for using symptom based - emergency procedures requires operators to think beyond the opportunistic approach of responding to the situation to protect against hot shorts and erroneous signals.

The current fire emergency procedures include warnings about possible hot shorts and unreliable indications, but it is up to the operators to select cooling equipment and identify protective actions. Simulation of the zone 99-M fire using current procedures revealed that the operators are able to adapt and develop a conceptual approach for dealing with a wide spectrum of fires, especially since there is time to do so when the fire damage is simulated to occur progressively rather than unrealistically assuming all fire damage occurs instantaneously.

The revised fire EOP attachment includes explicitly identified cooling systems to line up for operation and protective actions such as opening specific breakers to remove power from valves that might spuriously close and inhibit operation of the EFW system. The simulation revealed that the crew needs additional training on the new attachment, and as used it was started about 15 minutes after the trip and by this time the fire damage is expected to have potentially caused spurious events. The procedure supports systematic realignment after spurious closures.

Application of inspection criteria

The NRC inspection criteria for fire protection manual actions [Ref. 13] were also used as a measure of the qualitative identification of feasibility for performing operator actions. Table 6 provides both a listing of key actions from the simulation (1-4) and through iteration with the PRA model (5-6). These actions were evaluated via walkdown, simulation and observation to support the feasibility evaluation.

Table 6: Summary of key local actions

| | Key Action | EOP treatment | Discussion |
|---|---|---|---|
| 1 | Starting P-7A manually and positioning associated valves | Both current and new EOPs discuss this local action in great detail (also in local procedure) | Feasible under both procedures. Corrections for spurious actuations are NOT mentioned in current procedure which may delay full manual control of P-7A |
| 2 | Controlling EFW (A or B) to prevent overfill | Both current and new EOPs discuss this local or control room action | Feasible under both procedures. Specific corrective actions to counteract spurious operations of the EFW are provided explicitly in the new procedure |
| 3 | Local Closing A3 switchgear for P-7B and HPI A (e.g., Inverter fires) | This action is NOT explicitly discussed in the current EOPs but is in the Alternate Shutdown procedure | Feasible in both current and new EOPs. The new EOP attachment explicitly calls for local actions to manually close breakers for this equipment |
| 4 | Isolation of letdown to avoid needing HPI (Makeup) sooner | In both current and new EOPs | Feasible CR action that is highly proceduralized step and can be performed locally |
| 5 | Starting HPI cooling long term | In both current and new EOPs | Feasible CR action. New procedure adds direct discussion of possibility of locally starting the HPI pump due to aux lube oil pump P-64 problems |
| 6 | Switch to recirculation long term cooling | In both current and new EOPs | Feasible CR action that is performed only after all the equipment needed is verified to be operational |

As summarized in Table 7, application of criteria in column 1 to onsite actions listed above was used to evaluate the feasibility of key local actions using methods in columns 2 to 6. The actions called for during the simulation and anticipated as possible requests were feasible according to the criteria. The key test becomes how reliable they are and what their impact is on the CCDP.

Table 7: Basis for feasibility of local action used to protect the core during a 99-M fire

Column headings: Feasibility criteria Met Plant Walkdown Simulation Preparation Training Simulation MCR Events In Plant Local Simulation Post Simulation Discussion

Instrumentation for diagnosis: Yes X X
Environmental considerations: Yes X X
Staffing: Yes X X
Communications: Yes X X X
Special tools: Yes X X
Training: Yes X X X
Accessibility: Yes X X
Procedures: Yes X X
Verification and validation: Yes X X X X

II.2.4.3 Quantitative HRA

In developing the CCDP there is a need to address special fire specific manual actions that are identified in the fire procedures and to recover key components needed to ensure safe shutdown of the reactor core under the fire scenario conditions. The manual action for closing a 4160-volt breaker to start 7B is parallel to the actions for 7A for opening the steam admission valves to supply power to the turbine.

The fire in 99-M is expected to increase the HEP for typical feasible actions over the initial internal events PRA results from zero to a value in the range of 3E-3 to 4E-2 for various scenarios and conditions. If the action is not feasible, then the HEP assessment is set at 1.0.

There is actually a very small difference in the impact of the current procedures versus the new attachment on the likelihood of core damage. However, the new EOP attachment helps the crew move from an opportunistic approach to control (where the probability of action failure is in the range of .5 to 1E-2) to a more tactical control process (where the probability of action failure is in the range of 0.1 to 1E-3) [Ref. 18]. Figure 23 illustrates the impact of the fire on the estimate of the HEPs for the current EOPs and the new EOP attachment for a fire in zone 99-M. It shows a slight decrease for some of the HEPs. The basic inputs to this figure are derived from the inputs to Table 4. When the HEPs are combined with the current HFE assessments as provided in Table 4 it is interesting to compare the impact of the fire on the HFEs ordered from smallest to largest in Figure 24. The impact for most of the actions considered is very small in terms of change in overall frequency.

Figure 24: Change in HEP for new Attachment compared with Current EOPs. [Plot "Comparison of HEPs for current and new EOPs with fire in M-99"; axes: Value of HEPs for current EOPs, Value of HEPs adjusted for Fire conditions; series: Fire (DHEP) EOP Att, Fire (DHEP) current EOPs; annotations: Improved cases below line, Opportunistic range, Tactical Range.]

Figure 25: HFE values for current and attachment to EOPs for fire in 99-M. [Plot "Comparison of current and new EOPs on the HFEs for fire impact in M-99"; axes: Value of current HFEs in the Base PRA model, Value of HFE adjusted for Fire and procedure conditions; series: Combined Fire Value using Current procedure (HFE), Combined Fire Value using new EOP att (HFE), Base PRA Probability.]

II.3 Quantification of the Conditional Core Damage Probabilities (CCDP)

The conditional core damage probability (CCDP) is a key element in the evaluation of fire risk.

The CCDP represents the likelihood that for a given hypothetical fire scenario, the core would be damaged. It uses fire frequency and additional fire modeling evaluations to establish the overall core damage frequency.

The CCDP calculation begins with the creation of an updated base model for the fire analysis.

Starting with the current PSA internal events model the following modifications and assumptions were used to create the base CCDP model. All non-transient sequences were deleted from the fault tree using the Delete Subtree option in CAFTA, since the primary impact of the fire is expected to damage electrical cables leading to a loss of buses, electrical control points and a plant trip. Next, all non-trip initiators were set to False and the trip initiator was set to True, this accounts for those fires large enough for the operators to manually trip the plant, if not already tripped automatically. The compress true/false option in CAFTA was used to simplify the CCDP model by removing these fire independent initiators from the tree. The tree was compressed and saved as firestart.caf. This fault tree now represents the basic CCDP model for a manual trip. It contains the key systems and components needed for managing core cooling in parallel with fighting the fire. The base CCDP model result includes the reliability evaluation of those components and operator actions contributing to the success of hot and cold shutdown cooling. Thus, quantitative evaluation of the base CCDP model assumes that the fire has no impact on the systems, structures, components and operator actions used to reach hot and cold shutdown. For any specific fire zone the basic events can be set to fail if the components are affected by the fire. The files for each fire scenario are stored in a PRAQuant file.

The next step is creation of a component failure list for each of the fire scenarios described previously.

A Microsoft Access database was created to expedite the creation of the failure lists for each zone. The access file takes the scenario table and the conduit/raceway table and provides a list of affected components represented as basic events in the CAFTA model for each scenario.

Each individual scenario list was reviewed for logical inconsistencies, which would then be removed from the event listing or adjusted by adding special fire related actions or impacts. The following rules were applied to the scenarios.

Power failures that occur before or at the same time as the control circuitry will prevent spurious operations of components. These components will fail as is or in their normal loss of power condition.

Components were included in the basic event failures list that were not included in the cable lists. These were components that were directly impacted by the fire either as the fire initiating source or as a component impacted by failure of cables for electric power supply or control circuits which was included in the list of conduits or cable trays.

D-1104 removes control power from the A3 bus. This will not allow any of the breakers to change position without local action. Instead of setting these events to TRUE in the tree, they are set as equivalent to a new HRA action to locally close the associated A3 breaker to start the component of interest. Two HRAs were created: RECP7BLOCAL and RECA3LOCAL.

CV-2663 will not open due to loss of power; however an HRA already existed in the QRecover file to manually open this valve. The failure of this event was set to RECP7AMOV instead of to True.

Using Table 7-2 of EPRI TR 1006961 Spurious Actuation of Electrical Circuits due to Cable Fires, a probability of spurious operation was included in scenario 2 in the case of cables near the fire source but outside the impact of the direct explosion. These hot short probabilities differed depending on the presence of a control power transformer (CPT) in the circuit. Analysis of each key zone by fire protection engineers provided a list of the cables of interest and whether or not they contained a CPT. These events were named HSWCPT and HSNOCPT and were added to the basic event listing. HSWCPT was given a value of 0.3 originally to judge its importance in the cutsets. The value will be changed to match the case B11 value of 0.075 during the recovery process. HSNOCPT was given its correct value of 0.6 based on the no CPT case from Reference 3. See Attachment C.

Using the above rules, an Excel spreadsheet was created for each of the scenarios. This spreadsheet contained the unique set of events and how they would be set during the scenario quantification. In order to expedite the quantification process, these events were then added to the existing flag file for the current model. Each scenario now had a unique flag file that contained all of the flag settings and the new basic event settings to implement the effects of a fire scenario on the evaluation of the CCDP for that fire scenario.

PRAQuant was then used to quantify each scenario by reevaluation of the modified CCDP logic tree.

The quantification then provided 7 starting cutset files, one for each fire scenario in Zone 99M.

The following adjustments were done to each of the cutsets before any recoveries were added.

To eliminate unrealistic plant states ETM1A1XXX and ETM1A3XXX were set to false.

ANO-1 would not continue to run with either of the main switchgears out of service, so this conservatism is removed.

To eliminate unallowed actions in the fire zone RECB56 and RECB5OR6 are set to TRUE. These events although valid in the normal model could not be performed in the zone 99-M fire because B55/56 and B6 are located in the room. Even if the components were not damaged by the fire, operations would not crosstie equipment in a room with possible fire and water damage. The possibility of shorting out the good power side would be too much of a risk, and special heroic actions are not modeled in the CCDP evaluation.

The cutsets were then subsumed and sorted by probability for each fire scenario. Specific human actions were introduced into the model by running QRecover on the base recovery file for each scenario. This step places base-case recoveries in the cutsets. Two copies of the newly created cutset files were then created.

Finally the HRA QRecover files with the HRA values previously discussed were used to update the scenario cutset files for each of the scenarios with the previous symptom based procedure method and the new fire zone specific procedures.

The following table provides the Scenarios and their results for each of the 4 stages of the calculation process. PRAQuant post true/false subsume, Base QRecover, Old QRecover and New QRecover.

Table 8: Summary of Calculated Conditional Core Damage Probabilities

| Fire Scenario | BaseRecover | CCDP (Old Procedure) | CCDP (New Procedure) | Delta CCDP |
|---|---|---|---|---|
| 1a | 1.5E-04 | 3.1E-04 | 2.1E-04 | 1.0E-04 |
| 1b | 4.9E-04 | 1.3E-03 | 9.0E-04 | 3.8E-04 |
| 2 | 8.6E-05 | 2.8E-04 | 1.8E-04 | 9.9E-05 |
| 3 | 8.6E-05 | 2.8E-04 | 1.8E-04 | 9.9E-05 |
| 4 | 3.4E-05 | 4.0E-05 | 3.8E-05 | 1.2E-06 |
| 5 | 3.3E-02 | 3.0E-02 | 1.9E-02 | 1.1E-02 |
| 6 | 1.0E-02 | 3.2E-03 | 2.1E-03 | 1.1E-03 |

Note that scenario no. 5 currently has the largest CCDP; however many of the component failures resulting from this scenario occur at a time > 20 minutes. This time would allow the fire brigade to mitigate the fire and would prevent many of the HRA necessities existing in this fire.

However, the current projected fire frequency for this fire is also very low (~E-6) so no further work will be done on this fire scenario to remove these known conservatisms, because this conservatively calculated scenario frequency is within an acceptable risk value.

II.4 Assessment Fire Risk in 99-M

Core damage frequency (CDF) is selected as the figure of merit representing risk in our assessment.

II.4.1 Calculation Fire-Induced Core Damage Frequency

The fire-induced core damage frequency for the fire zone 99-M is calculated as the sum of the risk associated with each fire scenario using the following equation:

$$CDF = \sum \left( \lambda_g \times W_l \times W_i \times SF \times EF \times P_{ns} \times CCDP \right)_{scenario}$$

where $\lambda_g$ is the generic fire ignition frequency for electrical cabinets in the switchgear room reported in EPRI's Fire PRA implementation guide [Ref. 1], $W_l$ and $W_i$ are the location and ignition source weighting factors respectively, SF is the severity factor, EF is an explosion factor (applied only to a high-energy fire in the 4KV switchgear), $P_{ns}$ is the probability of the failure to manually suppress the fire prior to damage to the first target and CCDP is the conditional core damage probability given the damage caused by the fire scenario. This switchgear room (fire zone 99-M) does not have an automatic suppression system.

The fire ignition frequencies for the switchgear room and individual fire scenarios are calculated using the EPRI FIVE and Fire PRA Guide methodology [Ref. 1]. Although ANO has only 6 distinct switchgear areas, the EPRI guidelines indicate that the weight of a switchgear room should be assigned according to the amount of electrical equipment located in the location. Each of the two switchgear areas located in the turbine building has approximately twice the electrical equipment located in the individual auxiliary building switchgear rooms. Consequently, the number of switchgear rooms was increased from six (i.e. based on physical areas) to eight (i.e. based on amount of electrical equipment). The location weighting factor, Wl, for electrical cabinets is assigned a value according to the room location. For 99-M (i.e. switchgear room) WFL = 0.25 (number of units per site divided by the number of switchgear rooms or 2/8). In this study, 7 of the 8 fire scenarios include cabinets as the ignition source of the fire. There are 17 cabinets in 99M, including the 10 cubicles in A4 switchgear. Therefore, WFi is calculated by dividing one over the number of cabinets in the room (1/17 = 0.06) for fires in individual cabinets, and (10/17 = 0.59) for a fire in the switchgear cabinet. This value apportions the generic frequency to each cabinet in the room. The location weighting factor (WFi) for the plant wide components-transformers was obtained by dividing the number of components in the specified room by the total number of components in the plant. There are two transformers in 99-M. The total number of transformers is 98. Therefore, WFi is estimated as 0.02. One of the transformers in 99-M is an instrument transformer, while the other is a totally enclosed gas-cooled unit using non-combustible gas. Neither is deemed to be a credible ignition source, but both were conservatively included in the ignition source frequency calculation.

The severity factor, SF, adjusts the value of the generic fire frequency, which includes fires that pose no challenge to plant safety, to reflect the number of fires that are of sufficient magnitude to potentially cause damage to components/cables other than the ignition source. EPRI's Fire PRA Implementation Guide [Ref. 1] Appendix D provides severity factors (SF) for various ignition sources. For switchgear room electrical cabinet fires, the suggested severity factor is 0.12. For indoor transformer fires, the suggested severity factor is 0.10. No severity factor, however, is provided for transient fires.

An explosion factor, EF, has also been included in the equation to reflect the potential for a high-energy fire in the 4KV switchgear. The operating experience indicates that high-energy arcing fault is a credible mode for high-energy electrical cabinets. This conditional probability, which only applies in scenario 1b, is calculated to reflect the percent of the fires in a switchgear that will likely lead to a high-energy arcing event followed by a fire in combination with the potentially ignited intervening combustibles. The conditional probability is derived by dividing the number of energetic events in EPRI's FEDB [Ref. 12] by the total number of fires in similar ignition sources. The derived conditional probability shows that severe (potentially damaging) fires in switchgears are more likely to begin with high-energy arcing. This is supported by the operating experience where more significant switchgear fires tend to be of arcing nature (Waterford 1985, Oconee 1995, and San Onofre 2001).

Additional factors are used for the case of transient fires. The floor area factor is the percentage of the floor area where the postulated transient fire has to occur to ignite the three-tray stack. This area constitutes 10% of the open space in the room. A transient fire in any other location in the room either has no raceways in the plume (therefore requiring larger fires to be threatening through formation of high temperature ceiling jet or HGL) or affects a single raceway threatening significantly fewer circuits/components.

Two types of suppression are credited in our assessment. One is prompt suppression by plant personnel or fire watch in case of a transient fire or a fire during welding & cutting (hot work). Operating experience supports the assertion that work activity (hot work or not) is the cause of many transient fires. And the presence of the plant personnel (in many cases the same that initiated the fire) is the most effective means of suppression for a transient fire in its incipient stage. In case of a fire initiated during welding & cutting (hot work), nearly all US commercial nuclear facilities require a fire watch present at the time of the activity. The operating experience clearly reflects the effectiveness of these trained individuals as the first line of defense in the suppression. The probability of suppression by the plant personnel and fire watch for transient and welding & cutting fires was calculated from the operating experience and documented in the EPRI Fire PRA Guide [Ref. 1, page K-3]. These values are used in this assessment. The other form of suppression credited in this assessment is suppression of an electrical cabinet fire by the plant fire brigade prior to damage to the target set. The probability of non-suppression was obtained from Figure K-1 of EPRI's Fire PRA Guide [Ref. 1]. The calculation of the time-to-damage (time available for suppression) is described in section II.2.

The non-suppression No suppression was credited to prevent damage from the initial high-energy phase of the 4KV switchgear fire.

The conditional core damage probabilities, including detailed analysis of the manual actions needed to achieve safe shutdown, were calculated for each scenario. The details of this evaluation are documented in section II.3 of this report.

Table 9 lists the calculated fire-induced CDFs for the fire scenarios in fire zone 99-M.

Table 9: Generic ignition frequencies and calculated CCDPs.

| Scenario | Source | Generic Frequency (1) (per rx-yr) | WFl (location weighting factor) | Wis (ignition source weighting factor) | Floor area ratio (transient fires) | Severity Factor (2) | Ratio of HE event for a severe switchgear fire (3) | Pns by plant personnel or fire watch | Pns by fire brigade (4) | CCDP old (5) | CCDP new (5) | CDF old (per rx-yr) | CDF new (per rx-yr) | ΔCDF |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1a | Non-energetic fire in the A4 switchgear. Nominal value, 100 KW fire | 1.5E-02 | 0.25 | 0.59 | N/A | 0.12 | 0.25 | 1.0 | 1.0 | 3.1E-04 | 2.1E-04 | 2.1E-08 | 1.4E-08 | 6.6E-09 |
| 1b | Energetic event in any of the A4 switchgear breaker cubicles. | 1.5E-02 | 0.25 | 0.59 | N/A | 0.12 | 0.75 | 1.0 | 1.0 | 1.3E-03 | 9.0E-04 | 2.6E-07 | 1.8E-07 | 7.9E-08 |
| 2 | Fire in the B55 MCC. Nominal 100 KW fire. A fire in Inverter Y28 is bounded by this scenario. | 1.5E-02 | 0.25 | 0.06 | N/A | 0.12 | 1.0 | 1.0 | 1.0 | 2.8E-04 | 1.8E-04 | 7.4E-09 | 4.8E-09 | 2.6E-09 |
| 3 | Fire in the B56 MCC. Nominal 100 KW fire | 1.5E-02 | 0.25 | 0.06 | N/A | 0.12 | 1.0 | 1.0 | 1.0 | 2.8E-04 | 1.8E-04 | 7.4E-09 | 4.8E-09 | 2.6E-09 |
| 4 | Fire in the Y22 Inverter. Base case, 100 KW fire. Fires in Y24 and Y25 are bounded by this scenario. | 1.5E-02 | 0.25 | 0.06 | N/A | 0.12 | 1.0 | 1.0 | 0.5 | 4.0E-05 | 3.8E-05 | 5.3E-10 | 5.0E-10 | 2.6E-11 |
| 5 | Fire in the Load Center B6. 100KW nominal HRR. | 1.5E-02 | 0.25 | 0.06 | N/A | 0.12 | 1.0 | 1.0 | 0.2 | 3.0E-02 | 1.9E-02 | 1.6E-07 | 1.0E-07 | 5.8E-08 |
| 6a | Transient fire in areas of the room where cable trays are exposed to a floor-based fire. Nominal Value of 150KW. | 3.6E-02 | 2.00 | 0.02 | 0.10 | 1.0 | 1.0 | 0.50 | 1.0 | 3.2E-03 | 2.1E-03 | 2.1E-07 | 1.4E-07 | 7.1E-08 |
| 6b | Cable fire caused by welding and cutting in areas of the room where cable trays are exposed to a floor-based fire. Nominal Value of 150KW. | 1.3E-03 | 2.00 | 0.02 | 0.10 | 1.0 | 1.0 | 0.05 | 1.0 | 3.2E-03 | 2.1E-03 | 8.3E-10 | 5.5E-10 | 2.9E-10 |
| TOTAL | | | | | | | | | | | | 6.6E-07 | 4.4E-07 | 2.2E-07 |

Notes:

1. Generic frequency from EPRI TR 105928 page 4-7.

2. Severity factors from EPRI TR 105928, page D-7.

3. This ratio is derived from the records of the switchgear fires in table D.3-2 of the EPRI TR 105928. This shows that of those switchgear events that are severe, i.e., likely of external damage, more are the result of high-energy events rather than low energy thermal fire. These are more likely outcome if

4. Most scenarios involving target damage to the first and second target set involve short time between detection and damage and therefore no credit for fire brigade response.

5. A fire in the switchgear affects the power supply to the fire protection panel in the control room making early detection of the fire doubtful. In the simulator exercise the fire was not detected until 10 minutes into the first effect (damage) of the fire was observed. The CCDPs are based on damage to all the primary and secondary target sets. No damaging (700°F) hot gas layer could be evaluated that cause loss of all circuits in the room. A 700°F HGL can only be generated in this room as the result of a large cable fire that involves burning of 12-15m of 24-inch wide cable tray (based on cable tray HRR of 41.85 Btu/ft2/sec from EPRI TR 105928, page I-11). Such a cable fire requires 1 to 2 hours to develop in 2 and 3 cable tray stack respectively (based on cable fire spread rate of 10 ft/hr).
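The Table 9 arithmetic can be rechecked by multiplying each row's factors as in the II.4.1 equation and summing over scenarios. The Python below is an added example, not part of the report: the row values are transcribed from Table 9 as printed (rounded), N/A entries are treated as 1.0, and the 5% tolerance and all function names are assumptions.

```python
from dataclasses import dataclass

# Per rx-yr; the report's conclusions treat a delta-CDF below this as a Green finding.
GREEN_THRESHOLD = 1e-6


@dataclass(frozen=True)
class Scenario:
    sid: str
    freq: float         # generic ignition frequency (per rx-yr)
    w_l: float          # location weighting factor
    w_i: float          # ignition source weighting factor
    floor: float        # floor area ratio (1.0 where Table 9 says N/A)
    sf: float           # severity factor
    ef: float           # ratio of high-energy events for a severe switchgear fire
    pns_staff: float    # Pns by plant personnel or fire watch
    pns_brigade: float  # Pns by fire brigade
    ccdp_old: float
    ccdp_new: float
    cdf_old_tab: float  # CDF old as printed in Table 9
    cdf_new_tab: float  # CDF new as printed in Table 9

    def damage_frequency(self):
        """Frequency of an unsuppressed, damaging fire for this scenario."""
        return (self.freq * self.w_l * self.w_i * self.floor * self.sf
                * self.ef * self.pns_staff * self.pns_brigade)

    def cdf(self, ccdp):
        return self.damage_frequency() * ccdp


# Values transcribed from Table 9 of the report (rounded as printed).
TABLE_9 = [
    Scenario("1a", 1.5e-2, 0.25, 0.59, 1.0, 0.12, 0.25, 1.0, 1.0, 3.1e-4, 2.1e-4, 2.1e-8, 1.4e-8),
    Scenario("1b", 1.5e-2, 0.25, 0.59, 1.0, 0.12, 0.75, 1.0, 1.0, 1.3e-3, 9.0e-4, 2.6e-7, 1.8e-7),
    Scenario("2", 1.5e-2, 0.25, 0.06, 1.0, 0.12, 1.0, 1.0, 1.0, 2.8e-4, 1.8e-4, 7.4e-9, 4.8e-9),
    Scenario("3", 1.5e-2, 0.25, 0.06, 1.0, 0.12, 1.0, 1.0, 1.0, 2.8e-4, 1.8e-4, 7.4e-9, 4.8e-9),
    Scenario("4", 1.5e-2, 0.25, 0.06, 1.0, 0.12, 1.0, 1.0, 0.5, 4.0e-5, 3.8e-5, 5.3e-10, 5.0e-10),
    Scenario("5", 1.5e-2, 0.25, 0.06, 1.0, 0.12, 1.0, 1.0, 0.2, 3.0e-2, 1.9e-2, 1.6e-7, 1.0e-7),
    Scenario("6a", 3.6e-2, 2.00, 0.02, 0.10, 1.0, 1.0, 0.50, 1.0, 3.2e-3, 2.1e-3, 2.1e-7, 1.4e-7),
    Scenario("6b", 1.3e-3, 2.00, 0.02, 0.10, 1.0, 1.0, 0.05, 1.0, 3.2e-3, 2.1e-3, 8.3e-10, 5.5e-10),
]


def rel_dev(calculated, printed):
    """Relative deviation of a recomputed value from the printed one."""
    return abs(calculated - printed) / printed


def mismatches(rows=TABLE_9, tol=0.05):
    """Scenario ids whose recomputed CDF (old or new) is off by more than tol."""
    flagged = []
    for s in rows:
        if (rel_dev(s.cdf(s.ccdp_old), s.cdf_old_tab) > tol
                or rel_dev(s.cdf(s.ccdp_new), s.cdf_new_tab) > tol):
            flagged.append(s.sid)
    return flagged


def totals(rows=TABLE_9):
    """Zone totals: (CDF old, CDF new, delta-CDF), summed over scenarios."""
    old = sum(s.cdf(s.ccdp_old) for s in rows)
    new = sum(s.cdf(s.ccdp_new) for s in rows)
    return old, new, old - new


def dominant_contributor(rows=TABLE_9):
    """Scenario id with the largest recomputed delta-CDF."""
    return max(rows, key=lambda s: s.cdf(s.ccdp_old) - s.cdf(s.ccdp_new)).sid


if __name__ == "__main__":
    for s in TABLE_9:
        print(f"{s.sid:>3}  old={s.cdf(s.ccdp_old):.2e}  new={s.cdf(s.ccdp_new):.2e}")
    old, new, delta = totals()
    print(f"TOTAL old={old:.2e} new={new:.2e} delta={delta:.2e}")
    print("rows outside 5%:", mismatches())
    print("below Green threshold:", delta < GREEN_THRESHOLD)
```

Because the weighting factors are entered as printed (0.59, 0.06, 0.02) rather than as the underlying fractions, small deviations from the printed CDFs are expected; the tolerance check separates those from larger differences.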

II.4.2 Examination of Defense-in-Depth and Safety Margin

II.4.2.1 Fire Protection Defense-in-Depth

In commercial nuclear industry, fire safety objectives, i.e., minimize probability of occurrence and the consequences of fire, are achieved through a defense-in-depth philosophy where defensive measures are put in place at different levels of fire initiation, progression and damage to ensure that a fire will not prevent the performance of necessary safe shutdown function and the and radioactive releases to the environment in the event of a fire. The principles of fire protection defense-in-depth are aimed to:

- Prevent fires from occurring
- Detect, control, and extinguish promptly those fires that do occur, and
- Provide protection for structures, systems and components needed for safe shutdown so that a fire that is not promptly extinguished will not prevent safe shutdown

Prevention is achieved through a preventive maintenance program aimed, in part, at prevention of fixed fires (through repair of faulty electrical equipment or leaking oil on a pump) and a transient combustible control program aimed at prevention of transient fires by controlling the amount of the transient combustibles introduced in the area and the activities that can cause their ignition. Quantitatively, the fire scenarios in this room show at least 3 orders of magnitude (1E-3) for frequency of damaging fires. Even though these frequencies are, for the most part, indicative of generic industry experience, they are nevertheless consistent with the occurrence (or non-occurrence) of severe fires at ANO over the past ~50 reactor-years.

Detection and control/extinguishment of fires in the area is achieved through a smoke detection alarm system. With the exception of a fire in the switchgear cabinet A4, the alarm system will indicate to the main control room any fire detected in the room. A fire in the switchgear cabinet A4 will disable power to the fire panels, limiting the information provided to the control room. Early detection for fires resulting from welding & cutting is achieved through use of fire watch. In addition ANO has a dedicated full-time fire brigade trained to respond to fires in the 99-M switchgear room as well as elsewhere in the plant.

Quantitatively, the fire scenarios in this room all have fire detection/control/extinguishment capability in the range of 1E-01 for prompt suppression of transient fires by plant personnel or fire watch and suppression, by fire brigade, of fires before they spread to the entire room. Refer to section II.1 for the description of fire scenarios and their timing.

Protection for SSD systems/components in this fire zone is achieved through a combination of the following:

- Enough physical separation of critical cables and circuits to limit fire progression in some cases and provide the needed time for the fire brigade to control and extinguish the fire,
- Feasible and reliable means of safe shutdown (including manual actions) to safely shutdown the plant after the postulated fire scenarios.

Quantitatively, this element was estimated to provide at least 1.5 orders of magnitude (fire scenario CCDPs range from 4E-5 to 3E-02) for most fire scenarios in this area.

II.4.2.2 Safety Margin

A critical aspect of risk-informed decision-making is recognition of inherent uncertainties in the estimates and consideration of these uncertainties in the decision-making. Determination and use of margin is one way to ensure appropriateness of the decision in the face of these uncertainties. The following discussion is a qualitative assessment of the safety margin.

We used the concept of limiting fire scenario described in the NFPA 805 (sections 1.6.36 and C.3.3) to ensure confidence in our estimate of fire consequences. The NFPA 805 defines a limiting fire scenario as, "Fire scenario(s) in which one or more of the inputs to the fire modeling calculation (e.g., heat release rate, initiation location or ventilation rate) are varied to the point that the performance criterion is not met. The intent of this scenario(s) is to determine that there is a reasonable margin between the expected fire scenario conditions and the point of failure."

Having already included a high-energy fire in the 4KV switchgear where considerable failures occur in virtually no time followed by additional time-phased failures (if suppression fails), we defined the creation of a hot gas layer (leading to failure of all circuits in the room) as the point of failure. We determined the following conditions required to reach this hypothetical point of failure.

- Cable damage temperatures of 400-500°F and a 500KW fire that ramps in 12 minutes can reach the point of failure. The cables at ANO were investigated and confirmed to be thermoset with 700°F damage/ignition temperature
- The only credible means of generating a 700°F HGL is through a large cable fire (over 24 linear ft of 24" cable trays). Even though such a cable fire can theoretically be developed if the cable fire continues for nearly 2 hours unchecked, there are realistic considerations that make such occurrence non-credible. Foremost, a cable fire of such magnitude requires considerable volume of oxygen to sustain. These cable fires are expected to be in the smoke layer once the smoke layer reaches the top of the door. Once in the smoke layer, intensity of the cable fire will be controlled by the oxygen availability. With an elevated cable fire that grows at a rate of 10 linear ft/hr as input:
  - The oxygen depletion occurs very quickly, regardless of open or closed door
  - The cable fire does not grow beyond the initial 12 ft and
  - The temperature peaks at 500-535°F
- The cable fire has to be below the settled smoke layer, 4-5 ft below the door opening, for the cable fire to continue to grow.

Therefore, the scenarios analyzed in our analysis, particularly the high-energy arcing fault in the 4KV switchgear and the ensuing cable fires, are bounding with sufficient margin.

III DETERMINATION OF THE RISK-SIGNIFICANCE OF THE ISSUE

To determine the risk-significance of the manual actions at ANO the estimates for other fire zones need to be generated. The NRC SDP provided 2 other ANO-1 zones to evaluate. The estimates of fire risk for other areas of the plant were generated using walkdown and approximation.

The fire risk estimates for these fire zones are summarized in table 10.

Table 10: Summary of the Risk-Significance of the Safe Shutdown Manual Actions Issue at ANO Unit 1

| Fire zone | Description | CDF Old Proc. | CDF New Proc. | ΔCDF | Basis |
|---|---|---|---|---|---|
| 99M | Unit 1 4KV (1A4) Switchgear room | 6.6E-07 | 4.4E-07 | 2.2E-07 | Fire risk estimates were calculated |
| 100N | Unit 1 4KV (1A3) Switchgear room | 6.6E-07 | 4.4E-07 | 2.2E-07 | Assumed similar risk profile as the Unit 1 4KV Switchgear room |
| 104S | Unit 1 Electrical Equipment Room | 1.3E-07 | 8.8E-08 | 4.4E-08 | The hazard profile in the room is similar to 99M, i.e., MCCs and inverters (no control panel was observed in the room). The primary source of fire is the MCCs 21 (Black or non-safety) and 51 (Red division) with Red division 3-stack cable tray above. Fire zone 104S is a compartment in the auxiliary building. Therefore the electrical cabinet ignition frequency will be a fraction of the total AB electrical cabinet ignition frequency, i.e., 1.9E-02 and therefore lower than the 99M switchgear room electrical cabinet fire frequency, by an order of magnitude assuming 20% of the electrical cabinets in the AB are in this room. There are some 4160V circuits in the room. The circuits are related to the swing makeup pump (P36B) and are routed to the Motor Operated Disconnect (MOD) switch. Essentially, it's a switch that connects to either a red division breaker or a green division breaker. This switch is treated as switchgear with potential for a high-energy arcing fault. The consequence of an MCC fire in this room or an energetic fault in the Motor Operated Disconnect (MOD) switch does not appear to be worse than the fire zone 99-M. Therefore the risk in this room is estimated at half an order of magnitude lower than 99-M for the following reasons: a) frequency of a fire is 5 times lower, b) consequences of loss of circuits to a fire are no worse than 99M based on the known Appendix R components/circuits in the room (assumption), and c) a damaging 700°F hot gas layer is non-credible without a large cable fire (see discussion under 99M) based on the type of the ignition sources (MCCs and inverters), room size and configuration of the cable trays. |
| TOTAL | | 1.5E-06 | 9.7E-07 | 4.9E-07 | |

IV CONCLUSIONS

In response to the issue of adequacy of the manual actions at the ANO power station, a fire significance determination process (SDP) examination was performed. Following are the conclusions of this examination.

Reliability of the Manual Actions - The manual actions identified during the simulation and from the ANO unit 1 PRA were evaluated. The plant walk down and simulator exercise showed the equipment was accessible and the operators had enough knowledge to use their procedures to perform each of the actions necessary. Our assessment of the manual action using generally accepted human reliability methods shows that the manual actions, using both the old and the new procedures, are reasonable and reliable. Detailed simulation of the maximum expected fire scenarios was done with two independent crews to obtain data for the development of the human reliability estimates. Following are a few insights:

- Previous procedures use an opportunistic approach to control where crews respond to cues and symptoms by selecting the appropriate procedure for that condition
- New AOP attachment assists crew to respond using a more tactical control process
- Identifying symptom or cue will generate appropriate response for either procedure
- Ability to recover from spurious actuations is enhanced in new AOPs

Risk-Significance of the Current Symptomatic Procedures - Our assessment of the risk-significance of the current procedures used to reach safe shutdown for a fire in fire zone 99-M shows that the ΔCDF to zone specific procedures is less than 1E-06/yr, i.e., a Green finding. An examination of elements of defense-in-depth (DiD) and safety margin shows that an adequate balance in the DiD elements is maintained with adequate margin in the determination of the consequences of the fire.

The following are some of the key observations and important factors in our examination of the issue, particularly as it relates to the fire zone 99-M:

- The bounding fire results from a high-energy arcing fault in the 4KV switchgear and the ensuing fire. This fire starts with an immediate set of failures followed by time-phased secondary failures caused by the ignition of the intervening combustibles. Time-phased failures are critical in the effectiveness of the operators.
- A 700°F damaging hot gas layer in the fire zone 99-M is not credible due to the configuration of the combustibles in the room. A zone-wide damage scenario through a large cable fire is not possible due to the location of the cable tray, i.e., in the smoke layer above the door opening. Even if such scenario was assumed its timing to reach damaging hot gas layer will reach 2 hours due to slow growth (10 ft/hr) cable fire.

V REFERENCES

1. EPRI TR-105928, Fire PRA Implementation Guide, Parkinson, W.J. et al, December 1995.

2. J. M. Chavez. An Experimental Investigation of Internally Ignited Fires in Nuclear Power Plant Control Cabinets - Parts 1 & 2. Albuquerque, NM: Sandia National Laboratories. SAND86-0336. Washington, D.C.: Government Printing Office, April 1987. NUREG/CR-4527

3. Babrauskas, V. Heat Release Rates, SFPE Handbook of Fire Protection Engineering, 3rd Edition, 2002.

4. EPRI TR-1002981, Fire Modeling Guide for Nuclear Power Plant Applications, Najafi, B. & F. Joglar, August 2001.

5. Alpert, R., Ward, E., Evaluation of Unsprinklered Fire Hazards. Fire Safety Journal. 7, 1984. pp. 127-143.

6. Quintiere, J. "Growth of Fire in Building Compartments". Fire Standards and Safety, ASTM STP 614. A. F. Robertson Ed., American Society for Testing and Materials, 1977, pp. 131-167.

7. Carslaw & Jaeger. Conduction Heat in Solids. 2nd Edition. Oxford University Press, London, 1959. pp 76.

8. Ho, Siu & Apostolakis, COMPBRN III-A Fire Hazard Model for Risk Analysis, Fire Safety Journal, 13, 1988, pp 137-158. Values obtained from database available in the software.

9. Heskestad, G. and R. Bill, Jr. Modeling of Thermal Responsiveness of Automatic Sprinklers, Fire Safety Science - Proceedings of the Second International Symposium. pp. 603-612.

10. Bukowski, R., Averill, J., Methods for Predicting Smoke Detector Activation. Fire Suppression and Detection Research Application Symposium. February 25-27, 1998. Orlando Fl. (available at the NIST library).

11. Peacock, R., Jones, W., Reneke, P., Forney, G. Technical Reference for CFAST: An Engineering Tool for Estimating Fire and Smoke Transport. NIST Technical Note 1431, January, 2000.

12. EPRI-1003111, Fire Events Database and Generic Ignition Frequency Model for U.S. Nuclear Power Plants, Najafi, B. & F. Joglar, November 2001.

13. 1111.5, Inspection Manual for Fire Protection, Enclosure 2, Inspection Criteria for Fire Protection Manual Actions, March 06, 2003.

14. Dougherty, E.M. & J.R. Fragola, Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications, John Wiley, 1988.

15. EPRI TR-000259, An Approach to the Analysis of Operator Actions, in Probabilistic Risk Assessment, Parry, G.W., 1992.

16. NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application, Swain, A.D., & H.E. Guttman, 1983.

17. EPRI HRA Calculator, Version 2 ID # 1006461, Electric Power Research Institute, Julius, J., 2002.

18. Hollnagel, E, Cognitive Reliability and Error Analysis Method, CREAM, pp 240, Elsevier, Oxford, UK.

APPENDIX A.1: BASIS FOR INCREASE IN HFES DUE TO FIRE

This Appendix provides a summary of various cases for evaluating the effects of the fire on the ability to carry out various actions needed to cool the core and maintain primary integrity as a result of a fire in zone 99-m where the A4 bus breaker control cabinets are located. Table 11 shows the results in terms of the change in cognitive and execution errors due to the context of the fire for specific tasks. The calculated HEPs are combined with the existing HFEs and then mapped to the CCDP model. The values were based on the use of the logic trees described in Appendix A.2.

Table 11: Summary of HFE Increases due to Fire in zone 99-M

| Event ID | Basic Event Description | Pcog | Pexe | Increase in HFE | Error Factor |
|---|---|---|---|---|---|
| FIREOLDP | Realistic fire in 99-M failures at T0 T2 T5 T9 | 9.8e-03 | 7.5e-04 | 1.1E-02 | 5 |
| FIRENEWP | Realistic fire in 99-M with new procedures all actions in CR | 2.6e-03 | 6.1e-04 | 3.2E-03 | 5 |
| 99-MFIRECR | Realistic fire in 99-M decisions in CR actions local | 9.8e-03 | 2.0e-02 | 3.0E-02 | 5 |
| 99-MFIRECRE | Realistic fire in 99-M Early CR actions | 4.7e-03 | 4.3e-04 | 5.1E-03 | 5 |
| 99-MFIRELOCAL | Local actions taken by field operators | 1.5e-02 | 2.6e-02 | 4.1E-02 | 5 |

A.1.1 FIREOLDP, Realistic fire in 99-M failures at T-0 T-2 T-5 T-9

Basic Event Summary

Analyst: GWH

Rev. Date: 04/23/03

Cognitive Method: CDBTM/THERP

FIREOLDP SUMMARY

Analysis Results:

| | Without Recovery | With Recovery |
|---|---|---|
| Pcog | 7.0e-02 | 9.8e-03 |
| Pexe | 1.0e-02 | 7.5e-04 |

Total HEP: 1.1e-02

Error Factor: 5

HFE Scenario Description:

The operators are required to establish cooling to the SGs - the MFW and EFW 7A and 7B are all available if the trip is early (as simulated for a fire even with a hot gas layer).

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. The old symptom based procedures provide details and warnings related to fires. The operator should manually trip the reactor because of excessive alarms. In fact the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms. Even with no fire alarm, loss of instrumentation, loss of power to valves and spurious closures the core was clearly protected throughout the fire evolution of a simulated growing fire in 99-m that eventually took out all equipment in the room. The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. Manual local actions were required and were initiated by verbal communication over phone.

All local actions requested were feasible.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment. Uses floating steps derived from symptom based procedures.

Performance Shaping Factors:

Heavy communication is required between two field operators, the fire brigade, offsite, and in the control room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and the shift technical advisor (STA).

Operators stated that they focused on alarms on running equipment and those used in the selected cooling strategy.

Manual reactor trip is applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

Restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing HI:

Floating steps in EOPs as selected by the control room crew

Cognitive Unrecovered FIREOLDP

Cue:

Feedback from local report because failure of alarm when A4 bus is lost

Multiple alarms

Duration of time window available for action (TW): 1950 Seconds. The base case models used 40min or 2400 seconds of which about 450 seconds are estimated for hearing a report back on the fire and location.

Table 12: FIREOLDP cognitive unrecovered

| Pc Failure Mechanism | Branch | HEP | Reduce TW by |
|---|---|---|---|
| Pca: Availability of Information | e | 5.0e-02 | |
| Pcb: Failure of Attention | l | 7.5e-04 | |
| Pcc: Misread/miscommunicate data | g | 4.0e-03 | |
| Pcd: Information misleading | b | 3.0e-03 | |
| Pce: Skip a step in procedure | g | 6.0e-03 | |
| Pcf: Misinterpret instruction | f | 6.0e-03 | |
| Pcg: Misinterpret decision logic | i | 3.0e-04 | |
| Pch: Deliberate violation | | | |
| Sum of Pca through Pch = Initial Pc | | 7.0e-02 | |
| Total Reduction in TW | | | 450.0 Seconds |

Cognitive Recovery FIREOLDP

Table 13: FIREOLDP cognitive recovery

Columns: Initial HEP; Self-Review; Extra Crew; STA Review; Shift Change; ERF Review; Recovery Matrix DF; Multiply HEP By; Override Value; Final Value; When Effective

Pca: 5.0e-02 X 5.0e-01 5.0e-01 .107 5.4e-03

Pcb: 7.5e-04 X 1.0e-01 CD 1.0 7.5e-04 15

Pcc: 4.0e-03 X 1.0e-01 MD 1.5e-01 6.0e-04 15

Pcd: 3.0e-03 X 5.0e-01 5.0e-01 1.5e-03 15

Pce: 6.0e-03 X 1.0e-01 MD 1.5e-01 9.0e-04

Pcf: 6.0e-03 X 1.0e-01 LD 5.6e-02 3.4e-04 15

Pcg: 3.0e-04 NC 1.0 3.0e-04 15

Pch: X 1.0e-01 1.0e-01 15

Sum of Pca through Pch = Initial Pc = 9.8e-03

Time at which all recovery factors effective = Seconds

Recovery Factors identified:

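- Self Review by Stars
- Extra crewmembers
- STA review
- Local feedback

Execution Unrecovered FIREOLDP

Table 14: FIREOLDP execution unrecovered

| Step No. | Omission HEP | Omission Table Ref. | Omission Item Ref. | Omission Stress E/M/O | Omission Stress Value | Commission HEP | Commission Table Ref. | Commission Item Ref. | Commission Stress E/M/O | Commission Stress Value | Over Ride | Total Per Step |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 3.8E-3 | 20-7 | 2 | M | 2 | 1.3E-3 | 20-11 | 1 | M | 2 | | 1.0e-02 |
| 2 | 1.3E-2 | 20-7 | 4 | M | 2 | | | | | | | 2.6e-02 |

Step 1 Actions: Manual action in control room. Comments:

Step 2 Actions: Recovery. Comments: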

Execution Recovery FIREOLDP

Table 15: FIREOLDP execution recovery

| Critical Step No. | Recovery Step No. | Action | HEP (Crit) | HEP (Rec) | Dep. | Cond. HEP (Rec) | Total for Step |
|---|---|---|---|---|---|---|---|
| 1 | | Manual action in control room | 1.0e-02 | | | | 7.5e-04 |
| | 2 | Recovery | | 2.6e-02 | LD | 7.5e-02 | |

Total Unrecovered: 1.0e-02

Total Recovered: 7.5e-04

A.1.2 FIRENEWP, Realistic fire in 99-M with new procedures all actions in CR

Basic Event Summary

Analyst: GWH

Rev. Date: 04/23/03

Cognitive Method: CDBTM/THERP

FIRENEWP SUMMARY

Analysis Results:

| | Without Recovery | With Recovery |
|---|---|---|
| Pcog | 3.3e-02 | 2.6e-03 |
| Pexe | 6.0e-03 | 6.1e-04 |

Total HEP: 3.2e-03

Error Factor: 5

HFE Scenario

Description:

The operator should manually trip the reactor because of excessive alarms, and verify or perform immediate actions and call for investigation of A4 breaker room.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. The new attachment to the symptom-based procedures provides specific details for both establishing cooling with manual local actions assuming the worst-case fire conditions. The operators are required to establish cooling to the SGs - the MFW and EFW 7A and 7B are all available if the trip is early (as simulated for a fire even with a hot gas layer).

Early trip causes all valves to be in the proper positions for cooldown to hot shutdown; if the trip were delayed the alignments would have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms. Control room operators define actions for local operators. Even with no fire alarm, loss of instrumentation, loss of power to valves and spurious closures the core was clearly protected throughout the fire evolution of a simulated growing fire in 99-m that eventually resulted in failure of equipment located throughout the room. The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. Manual local actions were required and were initiated by verbal communication.

All local actions requested were feasible.

Related Human Interactions:

Start with new procedures. Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Performance Shaping Factors:

Heavy communication is required between two field operators, the fire brigade, offsite, and in control room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and STA.

Operators stated that they focused on alarms on running equipment and those used in the selected cooling strategy.

Manual reactor trip is applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

The restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.)

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing HI:

New procedure 1203.009 Fire Protection System Annunciator Corrective action

Cognitive Unrecovered FIRENEWP

Cue:

Report from field because fire panel lost on A4 bus trip

Duration of time window available for action (TW): 1950 Seconds. The base time for the initial HFEs was 40 min or 2400 seconds. Based on the simulator results and discussions it appears that about 7.5 minutes is an estimate of the time to reach and report on the event.

Table 16: FIRENEWP cognitive unrecovered

| Pc Failure Mechanism | Branch | HEP | Reduce TW by |
|---|---|---|---|
| Pca: Availability of Information | d | 1.5e-03 | |
| Pcb: Failure of Attention | m | 1.5e-02 | |
| Pcc: Misread/miscommunicate data | g | 4.0e-03 | |
| Pcd: Information misleading | b | 3.0e-03 | |
| Pce: Skip a step in procedure | g | 6.0e-03 | |
| Pcf: Misinterpret instruction | d | 3.0e-03 | |
| Pcg: Misinterpret decision logic | i | 3.0e-04 | |
| Pch: Deliberate violation | | | |

Sum of Pca through Pch = Initial Pc = 3.3e-02

Total Reduction in TW = 450 Seconds

Effective TW = 1950 Seconds

Cognitive Recovery FIRENEWP

Table 17: FIRENEWP cognitive recovery

| Pc | Initial HEP | Self-Review / Extra Crew / STA Review / Shift Change / ERF Review | Recovery Matrix | DF | Multiply HEP By | Override Value | Final Value | When Effective |
|---|---|---|---|---|---|---|---|---|
| Pca | 1.5e-03 | X | 5.0e-01 | | 5.0e-01 | | 7.5e-04 | |
| Pcb | 1.5e-02 | X | 1.0e-01 | ZD | 1.5e-02 | | 2.2e-04 | 15 |
| Pcc | 4.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 4.0e-04 | 15 |
| Pcd | 3.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 3.0e-04 | 15 |
| Pce | 6.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 6.0e-04 | |
| Pcf | 3.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 3.0e-04 | 15 |
| Pcg | 3.0e-04 | X | 1.0e-01 | | 1.0e-01 | | 3.0e-05 | 15 |
| Pch | | X | 1.0e-01 | | 1.0e-01 | | | 15 |

Sum of Pca through Pch = Initial Pc = 2.6e-03

Time at which all recovery factors effective = Seconds

Recovery Factors identified:

Self Review by Stars

Extra crewmembers

STA review

Local feedback

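Execution Unrecovered FIRENEWP

Table 18: FIRENEWP execution unrecovered

| Step No. | Omission HEP | Omission Table Ref. | Omission Item Ref. | Omission Stress E/M/O | Omission Stress Value | Commission HEP | Commission Table Ref. | Commission Item Ref. | Commission Stress E/M/O | Commission Stress Value | Over Ride | Total Per Step | Actions | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 3.8E-3 | 20-7 | 2 | M | 2 | 1.3E-3 | 20-9 | 2 | M | 2 | .006 | 6.0e-03 | control room action | |
| 2 | 2.7E-2 | 20-7b | 5 | M | 2 | | | | | | | 5.4e-02 | observe and recover | |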

Execution Recovery FIRENEWP

Table 19: FIRENEWP execution recovery

| Critical Step No. | Recovery Step No. | Action | HEP (Crit) | HEP (Rec) | Dep. | Cond. HEP (Rec) | Total for Step |
|---|---|---|---|---|---|---|---|
| 1 | | Control room action | 6.0e-03 | | | | 6.1e-04 |
| | 2 | Observe and recover | | 5.4e-02 | LD | 1.0e-01 | |

Total Unrecovered: 6.0e-03

Total Recovered: 6.1e-04

A.1.3 99-MFIRECR, Realistic fire in 99-M decisions in CR for local actions

Basic Event Summary

Analyst: GWH

Rev. Date: 04/23/03

Cognitive Method: CDBTM/THERP

99-MFIRECR SUMMARY

Analysis Results:

| | Without Recovery | With Recovery |
|---|---|---|
| Pcog | 6.7e-02 | 9.8e-03 |
| Pexe | 2.0e-02 | 2.0e-02 |

Total HEP: 3.0e-02

Error Factor: 5

HFE Scenario

Description:

Fire in 99-m is known and this addresses fire effects later in the event.

Local operators are required to control cooling to the SGs through EFW 7A or 7B to prevent SG overfill and maintain cooling.

Local actions to isolate EFW feedwater valves to ensure that fire will not spuriously close the valves are assumed not to have occurred.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. Early trip causes all valves to be in the proper positions for cooldown to hot shutdown; if the trip were delayed the alignments may have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms. Control room operators define actions for local operators to control valve positions because the control circuits are lost.

The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. By the time that the operators got to the protective steps in the procedure the fire damage assuming a breaker fire would be completed.

Manual local actions were required and were initiated by verbal communication over phone. Thus, valves such as CV-2800 could go closed. This was no problem for plant cooling since both MFW and EFW 7A were available.

All local actions requested were feasible.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Uses floating steps derived from symptom based procedures.

Performance Shaping Factors:

Heavy communication is required between two field operators, the fire brigade, offsite, and in control room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and STA.

Operators stated that they focused on alarms on running equipment and those used in cooling strategy.

Manual reactor trip applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

The restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing HI:

Symptom based with floating steps plus fire cautions

Cognitive Unrecovered 99-MFIRECR

Cue:

Report from the field (either A4 or security). See fire brigade script.

Duration of time window available for action (TW): 1950 Seconds. The base case models used 40 min or 2400 seconds, of which about 450 seconds are estimated for hearing a report back on the fire and location.

Table 20: 99-MFIRECR cognitive unrecovered

| Pc Failure Mechanism | Branch | HEP | Reduce TW by |
|---|---|---|---|
| Pca: Availability of Information | e | 5.0e-02 | |
| Pcb: Failure of Attention | j | 7.5e-04 | |
| Pcc: Misread/miscommunicate data | g | 4.0e-03 | |
| Pcd: Information misleading | b | 3.0e-03 | |
| Pce: Skip a step in procedure | e | 2.0e-03 | |
| Pcf: Misinterpret instruction | f | 6.0e-03 | |
| Pcg: Misinterpret decision logic | j | 1.0e-03 | |
| Pch: Deliberate violation | | | |

Sum of Pca through Pch = Initial Pc = 6.7e-02

Total Reduction in TW = 300 Seconds

Effective TW = 1950 Seconds

Cognitive Recovery 99-MFIRECR

Table 21: 99-MFIRECR cognitive recovery

| Pc | Initial HEP | Self-Review / Extra Crew / STA Review / Shift Change / ERF Review | Recovery Matrix | DF | Multiply HEP By | Override Value | Final Value | When Effective |
|---|---|---|---|---|---|---|---|---|
| Pca | 5.0e-02 | X | 5.0e-01 | | 5.0e-01 | .1 | 5.0e-03 | |
| Pcb | 7.5e-04 | X | 1.0e-01 | | 1.0e-01 | | 7.5e-05 | |
| Pcc | 4.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 4.0e-04 | 15 |
| Pcd | 3.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 3.0e-04 | 15 |
| Pce | 2.0e-03 | X | 5.0e-01 | | 5.0e-01 | .25 | 5.0e-04 | |
| Pcf | 6.0e-03 | X | 5.0e-01 | | 5.0e-01 | | 3.0e-03 | |
| Pcg | 1.0e-03 | X | 5.0e-01 | | 5.0e-01 | | 5.0e-04 | |
| Pch | | X | 1.0e-01 | | 1.0e-01 | | | |

Sum of Pca through Pch = Initial Pc = 9.8e-03

Time at which all recovery factors effective = Seconds

Recovery Factors identified: This applies to the hidden instrumentation cases

Self Review by Stars

Extra crewmembers

STA review

Local feedback

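Execution Unrecovered 99-MFIRECR

Table 22: 99-MFIRECR execution unrecovered

| Step No. | Omission HEP | Omission Table Ref. | Omission Item Ref. | Omission Stress E/M/O | Omission Stress Value | Commission HEP | Commission Table Ref. | Commission Item Ref. | Commission Stress E/M/O | Commission Stress Value | Over Ride | Total Per Step | Actions | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 3.8E-3 | 20-7 | 2 | E | 5 | 3.8E-3 | 20-12 | 2 | | | | 1.9e-02 | manual action in control room | |
| 2 | 4.3E-4 | 20-7b | 1 | M | 2 | | | | | | | 8.6e-04 | recovery | |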

Execution Recovery 99-MFIRECR

Table 23: 99-MFIRECR execution recovery

Columns: Critical Step No.; Recovery Step No.; Action; HEP (Crit); HEP (Rec); Dep.; Cond. HEP (Rec); Total for Step

1; manual action in control room; 1.9e-02

2; recovery; 8.6e-04

Total Unrecovered: 2.0e-02

Total Recovered: 2.0e-02

A.1.4 99-MFIRECRE, Realistic fire in 99-M Early CR actions

Basic Event Summary

Analyst: GWH

Rev. Date: 04/23/03

Cognitive Method: CDBTM/THERP

99-MFIRECRE SUMMARY

Analysis Results:

| | Without Recovery | With Recovery |
|---|---|---|
| Pcog | 1.4e-02 | 4.7e-03 |
| Pexe | 4.3e-04 | 4.3e-04 |

Total HEP: 5.2e-03

Error Factor: 5

HFE Scenario

Description:

Complete immediate actions and call for local evaluation of A4 bus.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on. This case addresses the immediate actions following a trip. The operator should manually trip the reactor because of excessive alarms. The operators are required to establish cooling to the SGs - the MFW and EFW 7A and 7B are all available if the trip is early.

Early trip causes all valves to be in the proper position for cooldown to hot shutdown; if the trip were delayed the alignments would have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Uses floating steps derived from symptom based procedures.

Performance Shaping Factors:

Well-known steps.

Reactor trip applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Procedure and step governing HI:

Immediate actions

Cognitive Unrecovered 99-MFIRECRE

Cue:

Loss of A4 breaker and many alarms

Subsequent cues for loss of instruments and control circuits are later.

Duration of time window available for action (TW): 1950 Seconds. The base time for the initial HFEs was 40 min or 2400 seconds. Based on the simulator results and discussions it appears that about 7.5 minutes is an estimate of the time to reach and report on the event.

Table 24: 99-MFIRECRE cognitive unrecovered

| Pc Failure Mechanism | Branch | HEP | Reduce TW by |
|---|---|---|---|
| Pca: Availability of Information | d | 1.5e-03 | |
| Pcb: Failure of Attention | j | 7.5e-04 | |
| Pcc: Misread/miscommunicate data | e | 3.0e-03 | |
| Pcd: Information misleading | b | 3.0e-03 | |
| Pce: Skip a step in procedure | e | 2.0e-03 | |
| Pcf: Misinterpret instruction | b | 3.0e-03 | |
| Pcg: Misinterpret decision logic | i | 3.0e-04 | |
| Pch: Deliberate violation | | | |

Sum of Pca through Pch = Initial Pc = 1.4e-02

Total Reduction in TW = 450

Cognitive Recovery 99-MFIRECRE

Table 25: 99-MFIRECRE cognitive recovery

| Pc | Initial HEP | Self-Review / Extra Crew / STA Review / Shift Change / ERF Review | Recovery Matrix | DF | Multiply HEP By | Override Value | Final Value | When Effective |
|---|---|---|---|---|---|---|---|---|
| Pca | 1.5e-03 | X | 5.0e-01 | | 5.0e-01 | .6 | 9.0e-04 | |
| Pcb | 7.5e-04 | X | 1.0e-01 | HD | 5.0e-01 | | 3.8e-04 | 15 |
| Pcc | 3.0e-03 | X | 1.0e-01 | MD | 1.5e-01 | | 4.5e-04 | 15 |
| Pcd | 3.0e-03 | X | 1.0e-01 | MD | 1.5e-01 | | 4.5e-04 | 15 |
| Pce | 2.0e-03 | X | 5.0e-01 | | 5.0e-01 | | 1.0e-03 | |
| Pcf | 3.0e-03 | X | 5.0e-01 | | 5.0e-01 | | 1.5e-03 | 15 |
| Pcg | 3.0e-04 | X | 1.0e-01 | MD | 1.4e-01 | | 4.2e-05 | 15 |
| Pch | | X | 1.0e-01 | | 1.0e-01 | | | 15 |

Sum of Pca through Pch = Initial Pc = 4.7e-03

Time at which all recovery factors effective =

Recovery Factors identified:

Self Review by Stars

Extra crewmembers

STA review

Local feedback

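Execution Unrecovered 99-MFIRECRE

Table 26: 99-MFIRECRE execution unrecovered

| Step No. | Omission HEP | Omission Table Ref. | Omission Item Ref. | Omission Stress E/M/O | Omission Stress Value | Commission HEP | Commission Table Ref. | Commission Item Ref. | Commission Stress E/M/O | Commission Stress Value | Over Ride | Total Per Step | Actions | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 4.3E-4 | 20-7b | 1 | O | 1 | | | | | | | 4.3e-04 | Manual action in control room | |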

Execution Recovery 99-MFIRECRE

Table 27: 99-MFIRECRE execution recovery

| Critical Step No. | Recovery Step No. | Action | HEP (Crit) | HEP (Rec) | Dep. | Cond. HEP (Rec) | Total for Step |
|---|---|---|---|---|---|---|---|
| 1 | | Manual action in control room | 4.3e-04 | | | | |

Total Unrecovered: 4.3e-04

Total Recovered: 4.3e-04

A.1.5 99-MFIRELOCAL, Local actions taken by field operators

Basic Event Summary

Analyst:

Rev. Date: 04/23/03

Cognitive Method: CDBTM/THERP

99-MFIRELOCAL SUMMARY

Analysis Results:

| | Without Recovery | With Recovery |
|---|---|---|
| Pcog | 5.4e-02 | 1.5e-02 |
| Pexe | 2.6e-02 | 2.6e-02 |

Total HEP: 4.1e-02

Error Factor: 5

HFE Scenario

Description:

Local actions for inspecting and reporting back as well as manual actions for establishing cooling to the SGs with either EFW 7A or 7B are required.

Need to travel to local station.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on by classroom instruction and walk down with simulated actions and communications. Manual local actions were required and were initiated by verbal communication over phone. Pathways to the local stations were not allowed through the fire zone.

All local actions requested were feasible.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Control room decision-making in Pcog

Performance Shaping Factors:

Time to location is generally 1 to 2 minutes (all less than 5 min from previous location).

Local lighting was available.

Smoke could exist in areas but air packs not needed.

Valve position indication judged by stem location.

Feedback from control room on flow rate and adjustments required.

Heavy communication required between two field operators, the fire brigade, offsite, and in control room.

Wireless communication permitted everyone to hear conversations.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and STA.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

Restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing HI:

Verbal instruction and local procedure (manual control of EFW) both new and old procedures and isolation of power to valves in train to prevent spurious operation in case of new procedure

Cognitive Unrecovered 99-MFIRELOCAL

Cue:

Phone call with verbal instructions

Duration of time window available for action (TW): 1950 Seconds. The base time for the initial HFEs was 40 min or 2400 seconds. Based on the simulator results and discussions it appears that about 7.5 minutes is an estimate of the time to reach and report on the event.

Table 28: 99-MFIRELOCAL cognitive unrecovered

| Pc Failure Mechanism | Branch | HEP | Reduce TW by |
|---|---|---|---|
| Pca: Availability of Information | d | 1.5e-03 | |
| Pcb: Failure of Attention | o | 3.0e-02 | |
| Pcc: Misread/miscommunicate data | g | 4.0e-03 | |
| Pcd: Information misleading | c | 1.0e-02 | |
| Pce: Skip a step in procedure | e | 2.0e-03 | |
| Pcf: Misinterpret instruction | f | 6.0e-03 | |
| Pcg: Misinterpret decision logic | i | 3.0e-04 | |
| Pch: Deliberate violation | | | |

Sum of Pca through Pch = Initial Pc = 5.4e-02

Total Reduction in TW = 300 Seconds

Cognitive Recovery 99-MFIRELOCAL

Table 29: 99-MFIRELOCAL cognitive recovery

| Pc | Initial HEP | Self-Review / Extra Crew / STA Review / Shift Change / ERF Review | Recovery Matrix | DF | Multiply HEP By | Override Value | Final Value | When Effective |
|---|---|---|---|---|---|---|---|---|
| Pca | 1.5e-03 | | NC | | 1.0 | | 1.5e-03 | |
| Pcb | 3.0e-02 | X | 1.0e-01 | | 1.0e-01 | | 3.0e-03 | |
| Pcc | 4.0e-03 | | NC | | 1.0 | | 4.0e-03 | |
| Pcd | 1.0e-02 | | NC | | 1.0 | .1 | 1.0e-03 | |
| Pce | 2.0e-03 | X | 1.0e-01 | | 1.0e-01 | | 2.0e-04 | |
| Pcf | 6.0e-03 | | NC | | 1.0 | .8 | 4.8e-03 | |
| Pcg | 3.0e-04 | | NC | | 1.0 | | 3.0e-04 | |
| Pch | | | NC | | 1.0 | | | |

Sum of Pca through Pch = Initial Pc = 1.5e-02

Time at which all recovery factors effective = Seconds

Recovery Factors identified:

Self Review by Stars

Extra crewmembers

STA review

Local feedback

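Execution Unrecovered 99-MFIRELOCAL

Table 30: 99-MFIRELOCAL execution unrecovered

| Step No. | Omission HEP | Omission Table Ref. | Omission Item Ref. | Omission Stress E/M/O | Omission Stress Value | Commission HEP | Commission Table Ref. | Commission Item Ref. | Commission Stress E/M/O | Commission Stress Value | Over Ride | Total Per Step | Actions | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1.3E-2 | 20-7 | 4 | M | 2 | | | | | | | 2.6e-02 | implementation action | |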

Execution Recovery 99-MFIRELOCAL

Table 31: 99-MFIRELOCAL execution recovery

| Critical Step No. | Recovery Step No. | Action | HEP (Crit) | HEP (Rec) | Dep. | Cond. HEP (Rec) | Total for Step |
|---|---|---|---|---|---|---|---|
| 1 | | Implementation action | 2.6e-02 | | | | |

Total Unrecovered: 2.6e-02

Total Recovered: 2.6e-02
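The arithmetic behind the execution tables, the dependence multipliers in the cognitive recovery tables, and the summary totals in A.1.2 through A.1.5 can be re-derived from the tabulated inputs. The Python sketch below is an added example, not part of the report or of the HRA calculator it used; it assumes the standard THERP dependence equations and that stressed omission and commission terms add within a step, and its function names are hypothetical.

```python
"""Re-derive HEP values tabulated in Appendix A.1 (added example).

Not the report's HRA calculator. Inputs are copied from its tables.
"""

# THERP (NUREG/CR-1278) dependence equations. n is the HEP of the dependent
# task; the result is its conditional failure probability.
THERP_DEPENDENCE = {
    "ZD": lambda n: n,                  # zero dependence
    "LD": lambda n: (1 + 19 * n) / 20,  # low dependence
    "MD": lambda n: (1 + 6 * n) / 7,    # moderate dependence
    "HD": lambda n: (1 + n) / 2,        # high dependence
    "CD": lambda n: 1.0,                # complete dependence
}


def sci(value):
    """Format to two significant figures, the precision used in the tables."""
    return f"{value:.1e}"


def conditional(dep, n):
    """Conditional HEP for dependence level dep (the Dep./DF column)."""
    if dep not in THERP_DEPENDENCE:
        raise ValueError(f"unknown dependence level: {dep!r}")
    return THERP_DEPENDENCE[dep](n)


def stressed(base_hep, stress_value):
    """Apply the stress multiplier to a base HEP, capped at 1.0."""
    return min(1.0, base_hep * stress_value)


def step_total(terms, override=None):
    """Per-step HEP: sum of stressed terms (assumed additive) unless the
    analyst entered an override value."""
    if override is not None:
        return override
    return min(1.0, sum(terms))


def recovered(hep_crit, hep_rec=None, dep="ZD"):
    """Critical-step HEP after crediting a recovery step, if one exists."""
    if hep_rec is None:
        return hep_crit
    return hep_crit * conditional(dep, hep_rec)


def rederive():
    out = {}
    # FIRENEWP, Table 18: step 1 carries an override of .006.
    s1 = step_total([stressed(3.8e-3, 2), stressed(1.3e-3, 2)], override=0.006)
    s2 = step_total([stressed(2.7e-2, 2)])
    out["T18 step 1"], out["T18 step 2"] = sci(s1), sci(s2)
    # FIRENEWP, Table 19: step 2 recovers step 1 under low dependence.
    out["T19 cond HEP"] = sci(conditional("LD", s2))
    out["T19 recovered"] = sci(recovered(s1, s2, "LD"))
    # 99-MFIRECR, Tables 22 and 23. The step 1 commission entry has no
    # stress value in Table 22 and is left out of the total here.
    c1 = step_total([stressed(3.8e-3, 5)])
    c2 = step_total([stressed(4.3e-4, 2)])
    out["T22 step 1"], out["T22 step 2"] = sci(c1), sci(c2)
    out["T23 unrecovered"] = sci(c1 + c2)
    # 99-MFIRELOCAL, Table 30.
    out["T30 step 1"] = sci(step_total([stressed(1.3e-2, 2)]))
    # Table 17 and 25 multipliers for rows with a DF entry: n is the
    # row's initial HEP.
    out["T17 Pcb ZD"] = sci(conditional("ZD", 1.5e-2))
    out["T25 Pcb HD"] = sci(conditional("HD", 7.5e-4))
    out["T25 Pcc MD"] = sci(conditional("MD", 3.0e-3))
    out["T25 Pcg MD"] = sci(conditional("MD", 3.0e-4))
    # Summary totals with recovery: Total HEP = Pcog + Pexe.
    out["99-MFIRECR total"] = sci(9.8e-3 + 2.0e-2)
    out["99-MFIRELOCAL total"] = sci(1.5e-2 + 2.6e-2)
    return out


if __name__ == "__main__":
    for name, value in rederive().items():
        print(f"{name:22s} {value}")
```

Each derived value matches the corresponding table entry to the two significant figures the report prints.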

APPENDIX A.2 COGNITIVE EVENT TREE SCREENING LOGIC

APPENDIX B.1 SIMULATOR OBSERVATIONS

The simulation of a fire in zone 99-M integrated the efforts of eight activities. The activities are:

1. Identification of the equipment failures as a function of timing from the fire growth model,
2. Testing the simulation to identify unusual or unexpected behaviors,
3. Providing communications that would be expected (fire brigade, manual actions, and external communications),
4. Modeling crew organization for fire,
5. Observing the control room crew actions and communications during the simulation,
6. Verifying the local manual actions called for by the crew,
7. Summarizing the results so that the feasibility can be demonstrated (Feasibility section), and
8. Supporting the evaluation of human reliability for the actions (Appendix A).

B.1.1 Fire Damage to Plant Equipment

The fire growth model was converted into fire damage effects by identifying the equipment in the breaker cabinet and the components serviced by the cables in the two trays above the cabinet.

The effect of the fire damage and possible failure modes of the associated equipment was evaluated by the engineering team and the failures were then introduced in the simulator programming. The failures modeled address loss of signals, false alarms, and spurious actions. The equipment failures and timing are shown in Appendix B.2.

B.1.2 Initial Scenario Testing

The initial mockup was tested to understand the interactive effects of the failures on the simulator model. A surprise was identified: when the failures are time phased and the operators opt for an early trip, the EFW valve alignments are automatically positioned to the shutdown core-cooling mode. This along with continuation of the main feedwater pumps results in a steam generator overfill condition. Steam generator dryout results if all equipment is assumed to fail at the same time. Thus, the course of the scenario is highly dependent on the previous actions of the crew, as well as the hardware failures and their timing introduced into the simulation.

The simulator fidelity was very good. No indications of differences in the control room and simulator were noted except the fire indication panel is not modeled in the simulator. In this scenario the fire alarm panel power supply is lost on the A4 bus trip with only the fire panel trouble alarm activated (K12D1), but this alarm was not used by either crew to detect the fire.

B.1.3 Communications

It is expected that a large communication load will fall on the procedure reader and coordinator during a fire, and to make this realistic a script was written for the fire brigade to match the fire modeled. The script is shown in Appendix B.3. The multiple channel radio phones were very good at keeping everyone informed. Both the local operators and the fire brigade were careful in being precise in communications. At about 15 minutes into the event the control room team had to limit communications to maintain path through the procedures.

B.1.4 Crew organization for fires

Different plants handle the organization of the crew during fires in different ways. At ANO1 and 2 the practice is to establish a fire brigade by selecting a waste control and auxiliary operator from the affected unit to be part of the five-man brigade. This leaves the 4 licensed operators and shift engineer in the control room and an auxiliary operator to implement recovery actions.

Upon initial investigation of the fire the five-man brigade may call for additional assistance from the local fire department. This does not reduce the number of licensed operators in the control room below the minimum needed, and supervisory personnel will be immediately available to provide support on most shifts. Thus, for the simulation one non-shift crewmember was available to support the simulator crew. One auxiliary operator was available to perform local actions in the plant and, as additional actions were needed outside the control room, one of the licensed operators was dispatched to perform actions outside the control room.

B.1.5 Observations of the simulation

The aim was to verify that the necessary actions to maintain core cooling could be carried out locally and in the control room. Thus the key actions could be tied to various phases of the fire scenario by selecting a cue from the new damage condition and noting the operational response. Table 32 provides a listing of selected key actions taken in the control room and with instructions for local action using the current procedures (crew 1) and the procedure with a new fire attachment (crew 2).

Table 32 is constructed to help understand the effectiveness of the EOP and the new attachment for dealing with a fire in 99M. The first column is an index for the key cue, request or action described in the second column. The descriptions came from the training printout and notes taken during the observation. The third column describes the location where the cue originated. The fourth column provides a basis for the cue (e.g., a simulated fault or a crew request). The fifth column describes the response to the cue. Columns six and seven provide the clock time and the difference in time from the cue to the action for the first simulation using the current EOPs. The eighth and ninth columns repeat the results for the same event with the new EOP attachment.

The information in a row can be interpreted as follows: a simulated loss of the A4 bus signal appeared at 8:39 am on 4/16/03 in the case of crew 1 and at 8:26 on 4/17/03 in the case of crew 2. Both responded by sending an auxiliary operator to investigate. Meanwhile, multiple alarms appeared about 10 sec later and the response by both crews was to trip the reactor. The selected items are some of the key actions associated with maintaining the core cooling, controlling primary inventory and fighting the fire. The location is where the cue and action start. Reports or actions taken locally are reported back to the control room. The basis for that action is a component failure, verbal instruction, alarm or procedure to carry out an action.

The clock times were observed by using a combination of the simulation-training file, which includes all changes in the simulator configuration, and observational notes taken during the simulation, which give times for key communication actions. The delta times indicate the time from a cue to the completion of a specific action.

Some of the insights that can be drawn from this table are that:

1. As can be seen from the table, the interaction of the control room crew and the local operators was very good in terms of timing and communication. Verbal confirmation from the local operators indicating the action was complete (e.g., opening a valve) cued the simulator training staff to implement the change in the simulator.
2. The crew responses in the two cases were very uniform through action 11, although the timing differed somewhat.
3. The difference in the responses for steps 12-13 and 15-16 can be attributed to the difference in the procedures. The new attachment appears to bring clarity on specific actions for preventing spurious operations (e.g., move specific valves and open specific breakers) whereas the current procedures leave the means for protecting against spurious operations up to the crew (e.g., be ready to manually operate breakers to maintain power to the A3 bus).
4. In both cases the reactor was tripped within one minute of the major alarms appearing. There was no automatic trip. Both crews tripped the plant quickly, which simplified the scenario and allowed the emergency systems to be aligned before fire damage to control cables would prevent the realignment. If the crews had not tripped early the scenario would change, because the EFW systems might not align automatically, and would require manual operation initially.
5. Even with heavy communication loads the crews were able to protect the core from damage by a wide margin.
6. Differences in the timing between crews for most actions were well within the range of typical simulator observations in most complex accident scenarios. However, it is not enough to establish overall uncertainty ranges. There were some large timing differences, which is indicative of knowledge based behavior (e.g., step 14). This was a case where the MCR control circuits for the HPI pump were lost due to the fire, and the operators had to use secondary indications to track down the issue and then request local control actions.
7. Numerous false signals were provided to the operator to see if they would waste time tracking down something that was not important. Both crews used a screening approach to focus on only those systems that were operating and that were needed for core cooling. Thus, very little time was spent on the spurious alarms, and no unneeded actions were taken.
8. The impact of the new procedure attachment was actually very small except that the requests for local actions could be much more precise. However, the results of the changes are quantifiable when using the HRA calculator to evaluate differences in the procedures. It was also clear that the crew using the new procedure had only had a brief training session on its application.

Table 32: Summary of selected actions for maintaining core cooling during simulated fire

| No. | Selected Actions, Requests or Cues | Location | Basis | Operator Response | Crew 1 Clock time from loss of A4 | Crew 1 Time from cue to action | Crew 2 Clock time from loss of A4 | Crew 2 Time from cue to action |
|---|---|---|---|---|---|---|---|---|
| 1 | Loss of A4 bus signal | MCR | Fault simulated | Investigate A4 bus locally | 8:39:39 | 0:02:21 | 8:26:27 | 0:04:33 |
| 2 | Multiple alarms | MCR | Fault simulated | Manual Reactor trip | 8:39:49 | 0:00:12 | 8:26:36 | 0:00:50 |
| 3 | (CV CV2617 EFW Pump Turbine K3 Steam from SG B) 1 | Auto | Auto Response to Trip (Low SG level) | Observe start / note overfill | 8:42:01 | 0:10:59 | 8:27:40 | 0:07:20 |
| 4 | C10 CSI-DG2 LOCK OUT, EDG2 | MCR | Prevent additional damage to A4 | Action in response to A4 breaker fault | 8:41:38 | 0:01:22 | 8:28:52 | 0:03:38 |
| 5 | Investigate A4 bus notes fire | Local | Simulated fire noted | Noted fire - as part of simulation script | 8:42:00 | 0:04:00 | 8:30:30 | 0:02:00 |
| 6 | (BK D1512CV2663 P7A TURB STM ADMISSION VLV POWER) OPEN | Fire | Fire induced breaker failure | Preempted by manual trip and EFW auto start | 8:44:40 | 0:00:00 | 8:30:32 | 0:00:00 |
| 7 | Establish (dispatch) Fire Brigade | MCR | Fire procedure | Setup team and read script | 8:46:00 | 0:03:00 | 8:33 | 0:01:30 |
| 8 | (CV CV2800 EFW P-7B Suction from CST) 0 | Fire | Simulated failure | Turn off P7B to protect pump | 8:49:14 | 0:08:46 | 8:38:46 | 0:06:14 |
| 9 | C09 HS2805 STOP, EFW PUMP P7B, HS-2805 TRUE | Local | Represents manual control | Introduced into simulation upon local call | 8:55:00 | 0:02:00 | 8:39:12 | 0:00:34 |
| 10 | Local manual control of EFW 7A (throttle 2620 and 2627) | Local | Back off EFW flow to prevent over fill | Adjust SPEED CNTR on EFW P7A, HIC-6601) 0.85 | 8:53:00 | 0:16:00 | 8:43 | 0:20:00 |
| 11 | Call for site emergency | MCR | In procedures | Verify location on declaration of Site Emergency | 9:06:00 | 0:02:20 | 8:48 | 0:03:00 |
| 12 | D1512 - (CV2663 P7A turbine steam admission valve power) OPEN from breaker room | Local | New attachment to prevent spurious closure | Fire damage over by this time | | | 8:56 | 0:02:20 |
| 13 | D5241 - (CV2667 P7A turbine steam admission valve power) OPEN from breaker room | Local | New attachment | Fire damage over by this time | | | 8:56 | 0:02:30 |
| 14 | Manual start of HPI from A3 | Local | Restore injection pump operation | Use local control | 9:04:00 | 0:22:00 | 8:34 | 0:54:00 |
| 15 | Go to A3 and be ready to Check equipment | Local | Protect A3 safety bus | At location ready for action | 9:32 | 0:02:00 | | |
| 16 | Check position of A-306 | Local | Protect A3 safety bus | | 9:38 | 0:02:00 | | |

B.1.6 Summary of data from manual actions during simulation

Tables 33 and 34 summarize the notes taken by observers of the local actions called upon by the simulator crew. In both cases an observer followed the local operator from the control room to the local control point, or from the previous control point to the new control point. There were two operators who took action outside the control room, the auxiliary operator and a licensed operator dispatched from the control room. The notes were supplemented by interviews after the simulation.

Based on the observations the local actions requested were all feasible in timing, tools, instructions, knowledge, lighting, pathway to local action outside the fire zone, procedures available, indications, and feedback on action. In the case of the current procedures the instructions for guarding against the effects of spurious actions (loss of control power to the A3 breakers) were undertaken by local observations in the A3 breaker room. The local operator was not sure what the assignment was other than being on alert for a possible action. In the case of the new attachment the restoration of spurious actions was undertaken by specific local actions to isolate the power to specific valves.

Table 33: Local manual actions current EOPs with experienced auxiliary operator crew 1

Items for monitoring: Description

Requested task: Investigate A4 bus; Go to A3 and be ready to Check equipment; Local manual control of EFW 7A (throttle 2620 and 2627); Check position of A-306; Verify location on Site emergency

Location: Local; Local; Local at el 335; Local; Local

Time to location (minutes): 1; 2; 1.5; 1.5; 1

Procedure used or not: Verbal; Verbal; Procedure 1106.006; Verbal; Verbal

Communication verification: Yes; Yes; Yes; Yes; Yes

Special tools if any (ladder flashlight, gloves): 1 door key/ Gloves; Gloves; Gloves /Dosimeter; Gloves; Gloves

Difficulties or complaints by operator: Confusion on what to check; Must transmit only vital information to control room; Must transmit only vital information to control room; Must transmit only vital information to control room

Indications for judging position/status: Smoke heat; Can't compare status without further instruction; See Valve Stem position; Used cabinet indication; Smoke heat

Estimate of timing for implementation (minutes): 1; 1; 5; 0.5; 1

Verification of task (Stars?): Yes; Yes; Yes; Yes; Yes

Communication complete: Yes; Yes; Yes; Yes; Yes

Error potential: Selection Error; Comparison error; Mistake; Mistake; Communication

Notes: 1 min for call back and report of fire/smoke; 5 min for complete throttle

Table 34: Local manual actions new EOP attachment with new auxiliary operator crew 2

Items for monitoring: Description

Requested task: Investigate A4 bus; Verify location on Site emergency; Local manual control of EFW 7A (throttle 2620 and 2627); D1512 - (CV2663 P7A turbine steam admission valve power) OPEN from breaker room; D5241 - (CV26667 P7A turbine steam admission valve power) OPEN from breaker room

Location: Local; Local; Local elevation 335; Local el 335; Local el 335

Time to location (minutes): 1; 1; 1.5; 1; 2

Procedure used or not: Verbal; Verbal; Procedure 1106.006; Verbal; Verbal

Communication verification: Yes; Yes; Yes; Yes; Yes

Special tools if any (ladder flashlight, gloves): Gloves /1 door key; Gloves; Gloves /Dosimeter; Gloves; Gloves

Difficulties or complaints by operator: Went through radiation protection; Can't easily communicate with control room; None; None

Indications for judging position/status: Smoke heat; Fire brigade communications; See Valve Stem position; Breaker indication; Breaker indication

Estimate of timing for implementation (minutes): 1; 1; 5; 0.5; 1

Verification of task (STARs?): Yes; Yes; Yes; Yes; Yes

Communication complete: Yes; Yes; Yes; Yes; Yes

Error potential: Communication; Mistake; Mistake; Mistake

Notes: 1 min for call back and report of fire/smoke; 5 min for complete throttle; (One of 2 needed); (One of 2 needed)

APPENDIX B.2 SUMMARY OF SIMULATED EQUIPMENT FAILURES AS A FUNCTION OF FIRE GROWTH IN FIRE ZONE 99-M

The following descriptions of events in Tables 35 and 36 are in the language of the simulator control system. They relate to the plant nomenclature and are provided here to help support repeats of the simulation.

Table 35: Equipment damage for realistic fire in the A4 breaker cabinet and cable trays

Time of fire induced failure | Description of the event | Simulator control file

T=0

^ BK B6315 INVERTER Y25 IRF B6315 ( -1 0) OPEN

^ EL ED188 LOSS OF 4.16 KV BUS A4 IMF ED188 (1 0) TRUE

^ K12 K12D1 FIRE PROT SYSTEM TROUBLE IRF K12D1 (1 0) ON

^ C19 DO_K125A6 AMB LP,FPS, C463 PANEL TROUBLE IOR DO_K125A6 (1 0) ON

T=2

^ C19 DI_HS6034T TRIP,CHLR,CNTR RM,VCH2A POWER IOR DI_HS6034T (1 0) TRUE

^ C19 DO_HS6034G GRN LP,CHLR,CNTR RM,VCH2A POWE IOR DO_HS6034G (1 0) ON

^ C19 DO_VCH2ASLG GRN LP,CHILLER,CNTR RM,COMPRES IOR DO_VCH2ASLG (1 0) OFF

^ CV CV2630 FW Isol Control Valve to OTSG "B" IMF CV2630 (1 10) 0.000000 60 0.000000

^ BK C540BKR Y28 OUTPUT BREAKER FEED TO C540 IRF C540BKR (1 20) OPEN

^ K12 K12C7 EFIC SYSTEM TROUBLE IRF K12C7 (1 25) ON

^ CV CV3644 P-4A to P-4B Discharge Crossover IMF CV3644 (1 30) 0.000000 35 0.000000

^ CV CV3642 P-4B to P-4C Discharge Crossover IMF CV3642 (1 35) 0.000000 37 0.000000

^ CV CV2617 EFW Pump Turbine K3 Steam from SG B IMF CV2617 (1 40) 1.000000 0 0.000000

^ C16 DI_HS1293S START,HPI,P36B,AUX,HS-1293 IOR DI_HS1293S (1 40) FALSE

^ C18 DI_HS1292S START,HPI,P36B,AUX,HS-1292 IOR DI_HS1292S (1 40) FALSE

^ C09 AO_HIC6601 DEMAND, EFW PUMP P7A, HIC-6601 IOR AO_HIC6601 (1 45) 100.0000 0 0.996124

^ C09 AO_SI6601 EFW PUMP P7A, SPEED, SI-6601 IOR AO_SI6601 (1 46) 0.000000 0 0.000000

^ CV CV3805 SW TO RB SPRAY PMP CLR E47B IMF CV3805 (1 50) 1.000000 10 0.000000

^ CV CV3841 SW P34B BRG.CLR E50B IMF CV3841 (1 55) 1.000000 4 0.000000

^ CV CV1432 Decay Heat Cooler E-35B Bypass IMF CV1432 (1 0) 0.000000 0 0.000000

^ K02 K02B7 A4 LO RELAY TRIP IRF K02B7 (1 57) OFF

^ K09 K09C8 DH PUMP A/B SUCT TEMP HI IRF K09C8 (1 58) ON

T=5

^ C10 DI_A308T TRIP, DG1 OUTPUT A-308 IOR DI_A308T (1 0) TRUE

^ BK D1512 CV2663 P7A TURB STM ADMISSION VLV POWER IRF D1512 (1 15) OPEN

^ BK D1514 CV2620 P7A TO BSG EFW ISOL VLV POWER IRF D1514 (1 15) OPEN

^ BK D1522 CV2627 P7A TO A SG EFW ISOL VLV POWER IRF D1522 (1 15) OPEN

Table 36: Failure of remaining equipment if a hot gas layer is assumed

Time of fire induced failure | Description of the event | Simulator control file

T=15

^ CV CV2800 EFW P-7B Suction from CST IMF CV2800 (1 0) 0.000000 97 1.000000

^ C18 DI_HS1261 BUS A4, P36B BUS SELECTOR IOR DI_HS1261 (1 0) TRUE

^ C18 DI_HS1241SP STOP, P36A, HS-1241 IOR DI_HS1241SP (1 15) TRUE

^ C18 DI_HS1241S START, P36A, HS-1241 IOR DI_HS1241S (1 15) FALSE

^ C18 DI_HS1242SP STOP, HPI, P36B, HS-1242 IOR DI_HS1242SP (1 15) TRUE

^ C18 DI_HS1242S START, HPI, P36B, HS-1242 IOR DI_HS1242S (1 15) FALSE

^ C18 DI_HS1291SP STOP, HPI, P36A, AUX, HS-1291 IOR DI_HS1291SP (1 15) TRUE

^ C18 DI_HS1291S START, HPI, P36A, AUX, HS-1291 IOR DI_HS1291S (1 15) FALSE

^ C10 DI_B513T TRIP, B5-B6 CROSSTIE B-513 IOR DI_B513T (1 60) TRUE

^ C10 DI_B512C CLOSE, A3 FEED TO B5 B-512 IOR DI_B512C (1 60) TRUE

^ C18 DI_HS7410S START, RB COOLING FANS, VSF1A IOR DI_HS7410S (1 60) TRUE

^ C18 DI_HS7411S START, RB COOLING FANS, VSF1B IOR DI_HS7411S (1 60) TRUE

^ C10 DO_B512G GRN LP, A3 FEED TO B5, B-512 IOR DO_B512G (1 60) ON

^ C10 DO_B512R RED LP, A3 FEED TO B5, B-512 IOR DO_B512R (1 60) OFF

^ C10 DO_B513G GRN LP, B5-B6 CROSSTIE B-513 IOR DO_B513G (1 60) OFF

^ C10 DO_B513R RED LP, B5-B6 CROSSTIE B-512 IOR DO_B513R (1 60) OFF

^ C10 DO_B512R RED LP, A3 FEED TO B5, B-512 IOR DO_B512R (1 60) OFF

^ C10 DO_B512G GRN LP, A3 FEED TO B5, B-512 IOR DO_B512G (1 60) OFF

^ C10 DO_B512G GRN LP, A3 FEED TO B5, B-512 IOR DO_B512G (1 60) OFF

^ C18 DO_HS7410R2 RED LP, RB COOLING FANS, VSF1A IOR DO_HS7410R2 (1 60) OFF

^ C18 DO_HS7410G2 GRN LP, RB COOLING FANS, VSF1A IOR DO_HS7410G2 (1 60) OFF

^ C18 DO_HS7411G2 GRN LP, RB COOLING FANS, VSF1B IOR DO_HS7411G2 (1 60) OFF

^ C18 DO_HS7411R2 RED LP, RB COOLING FANS, VSF1B IOR DO_HS7411R2 (1 60) OFF

^ C10 DI_A301C CLOSE, A3 FEED TO B5 A-301 IOR DI_A301C (1 85) TRUE

^ C10 DI_A301T TRIP, A3 FEED TO B5 A-301 IOR DI_A301T (1 85) FALSE

^ C10 DI_A308C CLOSE, DG1 OUTPUT A-308 IOR DI_A308C (1 85) FALSE

^ C10 DI_A309C CLOSE, A1 FEED TO A3 A-309 IOR DI_A309C (1 85) TRUE

^ C10 DI_A309T TRIP, A1 FEED TO A3 A-309 IOR DI_A309T (1 85) FALSE

^ C10 DI_A310C CLOSE, A3-A4 CROSSTIE A-310 IOR DI_A310C (1 85) FALSE

^ MPF CO_P34A DECAY HEAT PUMP P34A IRF CO_P34A (1 85) OFF

^ MPF CO_P35A RECATOR BLDG SPRAY PUMP P35A IRF CO_P35A (1 85) OFF

^ MPF CO_P36A MAKEUP PUMP P36A IRF CO_P36A (1 85) OFF

^ MPF CO_P4A SERVICE WATER PUMP P4A IRF CO_P4A (1 85) ON

^ MPF CO_P4B3 SERVICE WATER PUMP P4B MOD IRF CO_P4B3 (1 85) OFF

^ MPF CO_P7B EMERGENCY FW PUMP P7B IRF CO_P7B (1 85) ON

^ C10 DO_A301A AMB LP, A3 FEED TO B5, A-301 IOR DO_A301A (1 90) OFF

^ C10 DO_A301G GRN LP, A3 FEED TO B5, A-301 IOR DO_A301G (1 90) OFF

^ C10 DO_A301R RED LP, A3 FEED TO B5, A-301 IOR DO_A301R (1 90) ON

^ C10 DO_A301R RED LP, A3 FEED TO B5, A-301 IOR DO_A301R (1 90) OFF


^ C10 DO_A301W WHT LP, A3 FEED TO B5, A-301 IOR DO_A301W (1 90) OFF

^ C10 DO_A308A AMB LP, DG1 OUTPUT A-308 IOR DO_A308A (1 90) OFF

^ C10 DO_A308G GRN LP, DG1 OUTPUT A-308 IOR DO_A308G (1 90) OFF

^ C10 DO_A308R RED LP, DG1 OUTPUT A-308 IOR DO_A308R (1 90) OFF

^ C10 DO_A308W WHT LP, DG1 OUTPUT A-308 IOR DO_A308W (1 90) OFF

^ C10 DO_A309A AMB LP, A1 FEED TO A3, A-309 IOR DO_A309A (1 90) OFF

^ C10 DO_A309G GRN LP, A1 FEED TO A3, A-309 IOR DO_A309G (1 90) OFF

^ C10 DO_A309R RED LP, A1 FEED TO A3, A-309 IOR DO_A309R (1 90) OFF

^ C10 DO_A309W WHT LP, A1 FEED TO B3, A-309 IOR DO_A309W (1 90) OFF

^ C10 DO_A310A AMB LP, A3-A4 CROSSTIE A-310 IOR DO_A310A (1 90) OFF

^ C10 DO_A310G GRN LP, A3-A4 CROSSTIE A-310 IOR DO_A310G (1 90) OFF

^ C10 DO_A310R RED LP, A3-A4 CROSSTIE A-310 IOR DO_A310R (1 90) OFF

^ C10 DO_A310W WHT LP, A3-A4 CROSSTIE A-310 IOR DO_A310W (1 90) OFF

^ C18 DO_HS1241G GRN LP, P36A, HS-1241 IOR DO_HS1241G (1 90) OFF

^ C18 DO_HS1241W2 WHT LP, P36A, HS-1241 IOR DO_HS1241W2 (1 90) OFF

^ C18 DO_HS1242G1 GRN LP, HPI, P36B, HS-1242 IOR DO_HS1242G1 (1 90) OFF

^ C18 DO_HS1242W2 WHT LP, HPI, P36B, HS-1242 IOR DO_HS1242W2 (1 90) OFF

^ C18 DO_HS3611R RED LP, SERVICE WATER, P4A IOR DO_HS3611R (1 90) OFF

^ C18 DO_HS3611W WHT LP, SERVICE WATER, P4A IOR DO_HS3611W (1 90) OFF

^ C18 DO_HS1417G GRN LP, LOW PRESS INJ, P34A IOR DO_HS1417G (1 90) OFF

^ C18 DO_HS1417W2 WHT LP, LOW PRESS INJ, P34A IOR DO_HS1417W2 (1 90) OFF

^ C18 DO_HS2403G GRN LP, RB SPRAY, P35A IOR DO_HS2403G (1 90) OFF

^ C18 DO_HS2403W2 WHT LP, RB SPRAY, P35A IOR DO_HS2403W2 (1 90) OFF

^ C09 DO_HS2805A AMB LP, EFW PUMP P7B, HS-2805 IOR DO_HS2805A (1 90) OFF

^ C09 DO_HS2805G GRN LP, EFW PUMP P7B, HS-2805 IOR DO_HS2805G (1 90) OFF

^ C09 DO_HS2805W WHT LP, EFW PUMP P7B, HS-2805 IOR DO_HS2805W (1 90) OFF

^ C09 DO_HS2805R RED LP, EFW PUMP P7B, HS-2805 IOR DO_HS2805R (1 90) OFF

^ C18 DO_HS3609G1 GRN LP, SERVICE WATER, P4B IOR DO_HS3609G1 (1 90) OFF

^ C18 DO_HS3609W WHT LP, SERVICE WATER, P4B IOR DO_HS3609W (1 90) OFF

APPENDIX B.3 FIRE BRIGADE COMMUNICATION SCRIPT

Table 37 is a summary of the communication script between the fire brigade and the control room from the simulator exercises.

3 Z is when the reactor side is stable and controlled with a success path established.

Table 37: Fire Scenario in 1A4 4KV Switchgear (Fire Zone 99-M)

TIME | Message From/To | COMMUNICATION

X | Control Room/AO | Send to check out A4 Breaker in room 99-m

X + 1 min. | AO/CR | There is a fire in the A4 (North) Switchgear Room 372 el. Unit 1.

X + Y | Control Room | Announce to CR and Plant that fire exists

Y + 1 min. | FBL/CR | Fire in A4. I will be FBL, reporting to locker for equipment. Staging area for this fire will be outside corridor 98 near the stairs and Cardox tank. We will need Security assistance to maintain the door to the corridor open.

Y + 4 min. | FBL/CR | Ask Security to station an officer inside the South Switchgear Room and to not allow anyone access through to the North Switchgear room.

Y + 10 min. | FBL/CR | Fire Brigade is on scene at A4 Switchgear room. No smoke or fire showing from door 46. We are preparing to enter and investigate with breathing packs.

Y + 12 min. | FBL/CR | Entry team is entering A4 Switchgear room with two CO2 fire extinguishers.

Y + 12 min. | CR/FBL | Will you need off site assistance?

Y + 12 min. | FBL/CR | Off-site assistance will be needed at this time. Call the Fire Department.

Y + 12 min. | Entry 1/FBL | There is damage to breaker with smoke in the cable trays above. It is very hot in here. Can't see flame. We are using CO2 on the breaker at this time. Request that A4 bus be de-energized.

Y + 13 min. | FBL/CR | Request that you de-energize A4 bus.

Y + 14 min. | CR/FBL | Is there any indication that this fire was intentional, a security threat?

Y + 14 min. | FBL/CR | That is unknown at this time.

Y + Z min. | CR/FBL | A4 is de-energized.

Y + 19 min. | Entry 1/FBL | No flames visible, but a lot of smoke and heat. It is very hot in here. Consider ventilating this room.

Y + 19 min. | FBL/CR | Entry team reports no flames visible, but a lot of damage and heat. We are preparing to ventilate this room.

Y + 20 min. | Entry 1/FBL | We need water to cool the room and we will need a ladder to assess the cables above the breaker cubicle. Get a hose into this room to cool the damaged breaker and cables.

0 + 22 min. | Entry 1/FBL | The fire is much worse than we thought. We are starting water spray. The trays above are damaged and on fire. We will need to continue cooling this breaker and assess damage to the adjoining breakers.

Y + Z3 min. | FBL/CR | We think the fire is out. We will continue cooling the damaged breaker, and assess damage to the adjoining breakers.