ML032970261

From kanterella
Jump to navigation Jump to search
Memo, with Attachment, from David P. Loveless to Charles S. Marschall Regarding Risk Assessment for Fire Related Deficiency
ML032970261
Person / Time
Site: Comanche Peak  Luminant icon.png
Issue date: 02/21/2003
From: David Loveless
NRC Region 4
To: Marschall C
NRC Region 4
References
FOIA/PA-2003-0358
Download: ML032970261 (10)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION REGION IV

?

I%-4, 611 RYAN PLAZA DRIVE, SUITE 400 ARLINGTON, TEXAS 76011405 February 21, 2003 MEMORANDUM TO: Charles S. Marschall, Chief Engineering and Maintenance Branch FROM: David P. Loveless RAI 2121/03 Senior Reactor Analyst

SUBJECT:

RISK ASSESSMENT FOR FIRE RELATED DEFICIENCY I have reviewed the risk significance of the licensee's failure to incorporate the electrical isolation of the Train B pressurizer power-operated relief valve (PORV) into their remote shutdown operations procedure at Comanche Peak Steam Electric Station. This finding resulted in an increased likelihood of core damage should a fire, requiring control room evacuation, also cause an inadvertent opening of the PORV. The evaluation of the significance of this finding was initiated following the triennial fire protection inspection concluded on February 8, 2002. The Phase 3 analysis was prepared by Mr. See-Meng Wong of the Office of Nuclear Reactor Regulation. During the peer review, I initiated significant modifications to the analysis to better model actual plant conditions both in the baseline and the nonconforming cases. Our combined analysis is provided as an Attachment to this memorandum.

Based on the attached evaluation, and in accordance with Manual Chapter 0609, Appendix A, Significance Determination of Reactor Inspection Findings for At-Power Situations," this finding was determined to be of very low risk significance.

Please let me know if you have any additional questions.

Attachment:

SDP Phase IlIl Analysis IV

Anthony T. Gody DISTRIBUTION:

DDC Dwight Chamberlain, D/DRS ATH Arthur Howell III, D/DRP EEC Elmo Collins, DD/DRP DAP Dale Powers, STA/DRS CSM CSMarschall, DRS:C/EMB RLN1 RLNease, DRS/EMB CEJ CEJohnson, DRP/Project Branch C DBA DBAllen, SRI/Project Branch A DOCUMENT: S:\DRS\PRA\RISK ASSESSMENT - Remote Shutdown Hot Shorts.wpd RIV:DRS/SRA - DRS`S- __________ :4 '> W

__________ i' ->

DALoveless:nlh DDChamberlain _ _ 1_ _

IRF ! /RAS 02/19/03 02/20/03 _ _

Anthony T. Gody OFFICIAL RECORD COPY T=Telephone E=E-mail F=Fax

ATTACHMENT Phase 3 SDP Analysis: Comanche Peak Steam Electric Station Inadequate Alternate Shutdown Procedure for Operator Actions to Transfer Control of the Train "B" Power-Operated Relief Valve Due to a Fire in the Main Control Room

1. Performance Deficiency The Comanche Peak Steam Electric Station (CPSES) Alternate Shutdown (ASD)

Procedure, ABN-803A/B, was not adequate to instruct plant operators to transfer control of the Train "B" power-operated relief valve (PORV) to the Remote Shutdown Panel because of a fire in the Main Control Room. This condition could cause the spurious opening of the "B" PORV that would result in the loss of reactor coolant system inventory through the open PORV. This issue was identified as Unresolved Item 50-445;-446/02-03-01 in the Inspection Report 50-445;-446/2002-03, August 2002.

2. Fire Scenario A fire starts in one or more of six electrical cabinets in the Main Control Room that contained electrical circuitry for operation of the power-operated relief valves (PORVs).

One of the cabinets, namely CP1-ECPRCB-05, contains the PORV control circuitry and is in a horseshoe layout surrounded by adjacent cabinets, CP1-ECPRCB-04 and CP1 -ECPRCB-06. The other three cabinets are relay cabinets containing control circuitry for the Train B PORV. These three relay cabinets are physically separated from the other three cabinets in the horseshoe layout. It is postulated that fire growth in any of the six electrical cabinets would result in conditions that require evacuation of the Main Control Room and use of Procedure ABN-803 to shutdown the plant from the Remote Shutdown Panel.

Fire in any of the electrical cabinets may cause "hot short" conditions through insulation breakdown between conductors of the same cable, between conductors of different cables, or from some external source providing an undesired impressed voltage on a specific conductor. It is postulated that a double hot short condition is required to cause the PORV to open in this fire scenario. A hot short must first occur in the control circuitry to provide a signal to open the valve. Then, a second hot short must occur from an energized power cable to provide DC power to energize a solenoid to open the valve. The DC power cable conductor must be in the correct polarity to produce the second hot short.

Otherwise, if the polarity is wrong, the circuit will not be powered and the valve will not open.

In this fire scenario, the Train "B" PORV may not be isolated from the control room because of the stated deficiency in Procedure ABN-803 and, if a double hot short condition occurred, the PORV would spuriously open. This would result in loss of reactor coolant system (RCS) inventory through the open PORV.

As a result of this event, several operator actions at the Remote Shutdown Panel are required to achieve safe shutdown of the plant. The important operator actions are listed below:

  • Operator shuts down the plant from the Remote Shutdown Panel using procedure ABN-803.
  • Operator repositions the appropriate switch on the Remote Shutdown Panel to close the PORV after discovering the Train B PORV is open, or initiates action to close the Train B block valve.
  • Operator aligns the operating high head injection pump (CCP) for ECCS injection mode.
  • Operator secures offsite power supply when Train A Diesel Generator becomes unavailable.
  • Operator aligns the charging system for hot leg recirculation.
  • Operator initiates feed and bleed operation for non-LOCA scenarios.
3. Assumptions (a) Fire Barriers - In the CPSES Main Control Room, there are no physical barriers between redundant cable trains. Therefore, no credit is given in this area.

(b) Automatic Fire Detection and Su~pression Systems - The CPSES Main Control Room does not have automatic detection and suppression systems. Therefore, no credit is given in this area.

(c) Hot Short and Snurious Ogenina of PORV - The PORV is normally closed during full-power operation and is designed to fail closed to its safe position upon removal of control power (DC) or motive power (nitrogen). The Train B PORV will open only as a result of a double hot short condition because the potential for a single hot short to cause spurious opening is eliminated by the ABN-803 procedure requiring operators to remove power to the Train B PORV. The double hot short condition occurs only when the Train A DC power cable must short with the Train B PORV control cable. The two cables must short with the correct polarity. If the polarity is wrong, the circuit will not be powered and the PORV will not open.

The fire-induced core damage frequency equation for the fire scenario can be defined as follows:

FCDF =F 1 *HS*P1 *P2

where F, = Fire ignition frequency of ignition sources HS = Probability of double hot short causing spurious opening of PORV P1 = Probability of operator failing to reclose the open PORV (Proper procedure for conforming case, without procedure for nonconforming case)

P2 = Conditional core damage probability with open PORV.

4. Fire Ignition Freguency The fire ignition frequency estimate for any one of the three electrical cabinets in the main control room horseshoe that contained electrical circuitry for operation of the power-operated relief valves (PORVs) is 1.52E-5/year, as shown on Table 4.6-7, page 4-119 of the CPSES IPEEE study. Since the other three relay cabinets were not explicitly analyzed in the IPEEE study, the highest fire initiating frequency estimate of 2.86E-4/year for cabinets in the control room was used for the relay cabinets. The fire ignition frequency estimates for CPSES electrical cabinets were derived using the methodology described in the EPRI Fire PRA Implementation Guide. Since fire in any one of the six cabinets is considered in the fire scenario, the fire ignition frequency estimate for the identified ignition sources is (3x1.5E-5) + (3X2.9E-4)] = 9.15E-4/year. The licensee's evaluation used an ignition frequency ranging from 9.04E-4 to 6.46E-5/year.
5. Probability of Double Hot Short Causing Spurious ODening of PORV The probability value of 6.8E-2 for a double hot causing spurious opening of PORV was used in this analysis. This probability value is provided in NUREG/CR-2258, Fire Risk Analysis for Nuclear Power Plants," to be used as a probability estimate for the double hot short condition. This estimate is based on testing of conductors within a single cable.

Therefore, this should be a relatively large number in comparison to the finding that requires a hot short in each of two different cables and one requiring the correct polarity.

However, because of the uncertainty surrounding this probability estimate, a sensitivity evaluation was performed by increasing the probability estimate from 6.8E-2 to 0.34, i.e.,

by a factor of 5, to show whether this parameter uncertainty has any influence on the significance outcome.

6. Operator Action to Reclose the Failed Open PORV As a result of fire in any of the identified main control room electrical cabinets, the Train B PORV may be opened by a double hot short condition. The plant operator should realize that the PORV is open and take the action to close the open PORV on the remote shutdown panel. The licensee's human reliability analysis (HRA) provided a human error probability (HEP) estimate of 2.4E-2 for operator failure to reclose the failed open PORV.

The main contributors to this HEP estimate are the cognitive elements affecting operator diagnosis of the situation such as misleading information and skipping a step in the procedure. The performance shaping factor consideration for this HEP estimate is that the action of reclosing the open PORV is a medium stress evolution since the action is trained on the simulator and plant shutdown due to fire in the control room is the only required task.

The analyst determined a baseline HEP estimate for the operator action to reclose the failed open PORV given that an adequate procedure was available. Utilizing the SPAR HEP worksheet, all HRA multipliers were considered to be nominal with two exceptions.

First, the operators are trained in the simulator on control room evacuation using the remote shutdown procedure. Therefore, a factor of 0.5 was used for the high level of operator knowledge and training. Also, a factor of 0.8 was used for processes given the training, simulated layout, and routine nature of identifying and manipulating a given control panel switch. The nominal HRA of 1E-3 was used for a control board manipulation.

The resulting HRA for the reactor operator was calculated:

HRARO = (1E-3) * (0.5) * (0.8) = 4E-4 The licensee uses two operators at the auxiliary shutdown panel with the shift supervisor roving and providing oversight in the shutdown process. Therefore, the analyst determined that additional credit should be given for the shift supervisor identifying and correcting the original failure to follow procedure. This action is conducted by the same crew, at the same location, but is not conducted closely In time. Therefore, there is a high dependence between the reactor operator actions and the shift supervisor's recovery action. The resulting HRA for the shift supervisor was calculated using the SPAR HRA high dependence equation:

HRAss = (1 + 4E-4) /2 = 0.5002 The total HRA for the failure to isolate the Train B PORV from the main control room given that an appropriate procedure existed was calculated as follows:

HRA = P1 (conforming) = (4E-4) * (0.5002) = 2E-4

7. Conditional Core Damaae Probability (CCDP)

In the fire scenario considered, a conditional core damage probability (CCDP) was calculated using the licensee-supplied PRA evaluations for remote shutdown operations with one PORV inadvertently open. In this case, the calculated CCDP estimate was dominated by operator actions to achieve safe shutdown outside of the main control room (as listed in Section 2).

The CCDP estimate for the case of PORV open with operator failing to reclose the open PORV was calculated to be 1.2E-1 based on supplementary licensee PSA analyses to estimate the conditional core damage frequency (CCDF) for the described fire scenario.

The risk analyst requested the licensee to perform supplementary PSA analyses after reviewing the licensee-supplied cutsets and fire risk analysis of this particular issue (CPSES Report, Analysis of the Plant Shutdown from the Remote Shutdown Panel due to a Fire in the Control Room, Revision 1, October 2002).

8. Assessment of Fire-Induced Core Damaae Freguency

The fire-induced CDF estimate for fire in any one or more of six electrical cabinets in the main control room that contained electrical circuitry for operation of the power-operated

relief valves (PORVs) is calculated as shown below. This is the nonconforming case.

FCDF(nonconforming) = F

  • HS
  • P1 (nonconforming)
  • P2

= (9.1 5E-4/year)*(6.8E-2)*(2.4E-2)*(1 .2E-1)

= 1.8E-7lyear

9. Incremental Fire-Induced CDF The baseline CDF (conforming case) for the fire scenario where the Train B PORV inadvertently opens, but the procedure directs the operator to isolate the circuitry from the main control room is calculated by assuming that the operator isolates the valve control circuitry from the main control room while performing the procedure, or the shift supervisor detects the error during his oversight walkdown. The baseline CDF for the conforming-case analysis is estimated as shown below:

FcDF(conforming) = F,

  • HS
  • P1 (conforming)
  • P2

= (9.1 5E-4/year)*(6.8E-2)*(2E-4)*(1 .2E-1)

= 1.5E-9lyear Therefore, the incremental CDF change based on an inadequate remote shutdown procedure for control of the Train B PORV in the described fire scenario is estimated as follows:

Delta CDF = FCDC(nonconforming) - FCDF(conconforming)

= (1.8E-7/year) - (1.5E-9/year)

= 1.8E-7lyear SENSITIVITY ANALYSIS:

In light of the uncertainty surrounding probability estimation. All parameters were considered to determine their impact on the final change in CDF. The initiating event frequency used by the analyst was based on a conservative evaluation in the licensee's original IPEEE. The value was slightly higher than the range provided by the licensee and did not account for manual suppression. Therefore, no sensitivity analysis was performed on this value. The likelihood of an operator failing to manipulate the isolation handswitch during a remote shutdown operation would need to be at least two orders of magnitude larger to impact the final analysis result because of the high relative significance of the nonconforming case.

The analyst determined the sensitivity of each of the remaining estimated parameters.

None of the parameters were so sensitive that changes to an individual would have resulted in a significant change to the final analysis result. The results of the sensitivity analysis are presented in the table below:

Parameter Increase New Estimate Resulting A CDF Double Hot Short Factor of five 0.34 9.OE-7/yr Operator Recovery Factor of four 1E-1 7.5E-7/yr Remote Shutdown Operations Factor of four 0.5 7.5E-7/yr

10. Conclusions The change in CDF caused by an inadequate remote shutdown procedure that resulted in the Train B PORV not being electrically isolated from the main control room was determined to be 1.8E-7/year. Therefore, the finding is of very low risk significance (GREEN.) Sensitivity analysis indicates that this conclusion is not sensitive to changes in any single parameter estimated during the evaluation. Therefore, there is high confidence that the significance characterization of the stated performance deficiency is GREEN.
Retrieved from "https://kanterella.com/w/index.php?title=ML032970261&oldid=2689510"