Final Report, Post-Fire Manual Action Feasibility Assessment: a Phase 3 Significance Determination Process (SDP) Evaluation of Arkansas Nuclear One Unit 1

ML050840393
Person / Time
Site:	Arkansas Nuclear
Issue date:	07/31/2003
From:	Science Applications International Corp (SAIC)
To:	Office of Nuclear Reactor Regulation
References
FOIA/PA-2004-0277
Download: ML050840393 (113)
v • d • e

Text

/

Post-Fire Manual Action Feasibility Assessment:

A Phase 3 Significance Determination Process (SDP) Evaluation at Arkansas Nuclear One Unit I Final Report, July 2003

_Science Applications.International.Corporation 4920 El Cami&Rel a

Los Altos, CA 94022

I, REPORT

SUMMARY

The report is a phase 3 significance determination process evaluation of the use of manual actions for achieving and maintaining hot shutdown at ANO.

Background

On August 20, 2001 the NRC issued a triennial fire inspection report (IR 01-06), which discussed a finding concerniig the acceptability of the ANO use of operator actions to remotely operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing protection to the cables associated with that equipme nt, as a method of complying with I OCFR50 Appendix R Section III.G.2.

In a Match 25, 2003 supplement to IR 01-06, noted above, the NRC stated that by using the'*

Significance Determination Process the above finding was preliminarily-determined to be Greater than Green. The preliminary significance of this finding was due to the number of safe

~

shutdowf components potentially affected as a result of fire, the ability of the ANO fire brigade to manually suppress the fire before damage to safe shutdown components occurs, and the uncertainty regarding the timing and impact that potential failures may have on the operators ability to accomplish required shutdown functions in time to prevent core damage.

Objectives The objective of this evaluation was to demonstrate that the use of manual actions in response to a fire at ANO unit I is both feasible and the risk resulting from these actions is acceptable.

Approach The approach to demonstrate the objective stated above followed a combination of qualitative and quantitative evaluations that are illustrated in the following chart.

FinMModein 7 1 Simulator Scenario, circut Analysis & Location

(irei'zone 99SM)

Development (Rire zone 99M)

Evaluation (Fire zone 99.M)

EOP/AOPIPre-frePan KSmlto xrlo(lez o

Tac'tical Procedures

~ ~ Siulatoi Human Reliability Assessment (F iz\\

i

The technical methods and data used were consistent with the published state-of-the-art and relevant ANO design and operation data. Detailed analysis was done for the unit 1 4KV switchgear room IA4 (fire zone 99-M) and extrapolated to two other fire zones in unit 1, the 4KV switchgear room I A3 (fire zone I 00-N) and electrical equipment room (fire zone 104-S) where use of manual actions were considered potential contributors to fire risk. These fire zones arenot equipped with automatic suppression. -

Results The results of our analysis are as follows:

Fire analysis:

Cable damage criteria (70OPF for ANO) is critical in the extent/timing of circuit damage and our conclusion Energetic arcing fire in the 4KV switchgear is the maximum expected and bounding fire in the fire zone 99-M A damaging 700'F hot gas layer in fire zone 99-M is not credible because of the configuration of the room and the combustibles in it.

Manual actions feasibility and reliability Both the current and the new emergency procedures adequately deal with a fire in 99-M Key manual actions, needed in response to the bounding fire scenario in 99-M, meet the NRC "inspection criteria for fire protection manual actions,"

The impact of the new versus the current procedures on human error probabilities (?lHEP) is measurable but small.

Fire-risk The cumulative firc-induced risk in unit 1, reflective of the manual actions needed to achieve hot shutdown in fire zones where these actions'are determined to impact fire risk, is Green, i.e., less than I E-6/reactor-year.

The defense-in-depth is maintained and adequate margin exists in our analyses of fire scenarios and HRA to ensure confidence in our conclusions.

ii

I 11 TABLE OF CONTENTS I

INTRODUCTINON.

I 1.1 Background........................

1.2 Description of the Issue........................

13 Overview of the Assessment.......................

1 1.4 Scopend Key Assumptions 3

H ASSESSMENT OF FIRE RISK IN UNIT I 4KV S*NITCIIGEAR ROOM (FIRE ZONE 99M)............

4 11.1 Selection and Analysis of Fire Scenarios..........................

5 11.1.1 Switchgear Room, Fire zone 99M 11.1.2 Selection of Fire Scenarios in Switchgear Room 99M 8

11.1.3 Quantitative Fire Analysis 17 11.2 Analysis of Operator Response and Reliability

............................ 36 11.2.1 Information Collection and Simulation of Fire Scenarios

.36 11.2.2 Feasibility of Manual Actions 40 11.2.3 Reliability of Manual Actions (Human Reliability Analysis - HRA)..

44 11.2.4 Gcneral Observations 50 11.3 Quantification of the Conditional Core Damage Probabilities (CCDP) 55 11.4 Assessment Fire Risk in 99-

.................................................................................... 57 11.4.1 Calculation Fire-Induced Core Damage Frequency............................................ 57 11.4.2 Examination of Defenso-in-Depth and Safety Margin........................................ 62 III DETERAIINATION OFTlE RISK-SIGNIFICANCE OF THE ISSUE 65 IV CONCLUSIONS.............

67 V

REFERENCES..........

68 APPENDIX A.1: BASIS FOR INCREASE IN IIFES DUE TO FIRE

.70 APPENDIX A.2 COGNITIVE EVENT TREE SCREENING LOGIC.........

94 APPENDIX &I SIMULATOR OBSERVATIONS......................................

97

APPENDIX B X

SUMMARY

OF EQWPAEM FAtURE AS A F -

CTION OF Fan GRO\\Vnl IJS FIRE ZONE 99-N1

_105 APPENDIX B3 FIRE BRIGADE CONDICAnON SCRIPT................................................ _ 109 i

t.

j

\\

iv

/

LIST OF FIGURES Figure 1: Switchgear room 99M. Drawing not to scale.......................................................................6 Figure 2: Switchgear room 99M. Drawing not to scale.......................................................................7 Figure 3: Pictorial Representation of the Zone-of-Influence of a Non-Energetic Fire in the 4KV Switchgear A4.......................................................................................................................... 10 Figure 4: Pictorial Representation of the Zone-of-Influenc e of a High-Energy Fire in the 4KV Switchgear A4.......................................................................................................................... 11 Figure 5: Pictorial lepresentation of the Fire Scenario 2, Fire in MCC B-5S...................................... 12 Figure 6: Pictorial Representation of the Fire Scenario 3, Fire in MCC B-56...................................... 13 Figure 7: Pictorial Representation of the Fire Scenario 4, Fire in Inverter Y-22...............

.................... 14 Figure 8: Pictorial Representation of the Fire Scenario 5, Fire in Load Center B-6............................... 15 Figure 9: Pictorial Representation of the Fire Scenario 6, Transient-Fire Between MCCs B-55 and B-56..........................................................

16 Figure 10: Selected heat release rate profile for cabinet fires in switchgear room 99M......................... 18 Figure 12: Cable tray stack fire propagation model........................

.................................. 20 Figure 13: Conceptual representation of the use of t2 fire growth model for representing ignition of adjacent cable trays............................................................................................................... 26 Figure 14: CFAST results for upper layer and heat release rate in scenario la.

.................................... 29 Figure 15: CFAST results for upper layer and heat release rate in scenario Ia..................................... 29 Figure 16: CFAST results for upper layer and heat release rate in scenario lb..................................... 30 Figure 17: CFAST results for upper hyer and heat release rate in scenario lb..................................... 30 Figure 18: CFAST results for upper layer and heat release rate in scenario 2 & 3................................ 31 Figure 19: CFAST results for upper layer and heat release rate in scenario 2 & 3................................ 31 Figure 20: CFAST results for upper layer and heat release rate in scenario 4......................................

32 Figure 21: CFAST results for upper layer and heat release rate in scenario 4....................................... 32 Figure 22: CFAST results for upper layer and heat release rate in scenario 5...................................... 33 Figure 23: CFAST results for upper layer and heat release rate in scenario 5....................................... 33 Figure 24: Change in HEP for new Attachment compared with Current EOPs.................................... 53 Figure 25: HIFE values for current and attachment to EOPs for fire in 99-NI........................................ 53 LIST OF TABLES Table l: Function and location of electrical cabinets in room 99M......................................................... 5 Table 2: Localized targets and intervening combustibles..................................................................... 24 Table 3: Fire scenarios evaluated with zone model CFAST........................................................... 27 Table 4: Summary of potential HEP increase cases due to Fire in zone 99-M......................................

45 Table 5: Summary of adjusted HRA values in the CCDP model for fire in zone 99-M.......

.................. 48 Table 6: Summary of key local actions........................................................... 51 Table 7: Basis for feasibility cf local action used to protect the core during a 99-M fire 52 V

I Table 8: Sumnmary of Calculated Conditional Core Damage Probabilities......................

...................... 56 Table 9: Generic ignition frequencies and calculated CCDP's............................................................. 59 Table 10: Summary of the Risk-Significance of the Safe Shutdown Manual Actions Issue at ANO Unit I.................................................................

65 Table 11: Summary of HFE Increases due to Fire in zone 99-M........................................... 69 Table 12: FIREOLDP cognitive unrecovered....................................................................................... 71 Table 13: FIREOLDP cognitive recovery..................................

72 Table 14: FIREOLDP execution unrecovered......

72 Table 15: FIREODP execution recovery......

73 Table 16: FIREEWP cognitive unrecovered......

............................. 76 Table 17: FIRENEWP cognitive recovery..............................................................

........................... 77 Table 18: FIRENEWP execution unrecovered 78 Table 19: FIRENEWP execution recovery.................................................

78 Table 20 99-MFIRECR cognitive unrecovered.

81 Table 21: 99-MFIRECR cognitive recovery...............................

82 Table 22: 99-MFIRECR execution unrecovered.

83 Table 23: 99-MFIRECR execution recovery.....................................

83 Table 24: 99-MFIRECRE cognitive unrecovered.................................

85 Table 25: 99-MFIRECRE cognitive recovery..

86 Table 26: 99-MFIRECRE execution unrecovered

87 Table 27: 99-MFIRECRE execution recovery..........................................

87 Table 28: 99-MFIRELOCAL cognitive unrecovered

............. 90 Table 29:. 99-MFIRELOCAL cognitive recovery....................................

................... 91 Table 30: 99-MFIRELOCAL execution unrecovered.......

92 Table 31: 99-MFIRELOCAL execution recovery 92 Table 32: Summary of selected actions for maintaining core cooling during simulated fire..........

......... 99 Table 33: Local manual actions current EOPs with experienced auxiliary operator crew I

101 Table 34

Local manual actions new EOP attachment with new auxiliary operator crew 2.................. 102 Table 35: Equipment damage for realistic fire in theA4 breaker cabinet and cable trays..............'..... 104 Table 36: Failure of remaining equipment if a hot gas layer is assumed................

............................. 105 Table 37: Fire Scenario in IA4 4KV Switchgear (Fire Zone 99-M).

108 vi

I INTRODUCTION This section provides an overview of the issues and its assessment in accordance with a phase 3 Significance Determination Process (SDP).

1.1 Background

On August 20, 2091 the NRC issued a triennial fire inspection report (IR 01-06), which discussed a findingg concerning the acceptability of the ANO use of operator actions to remotely operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing protection to the cables associated with that equipment, as a method of complying with I OCFR50 Appendix R Section Ill.G.2.

1.2 Description of the Issue In a March 25, 2003 supplement to IR 0 1-06, noted above, the NRC stated that by using the Significance Determination Process the above finding was preliminarily determined to be Greater than Green. The preliminary significance of this finding was due to the number of safe shutdown components potentially affected as a result of fire (e.g., main feedwater, high pressure injection, emergency ac power and emergency feedwater), the ability of the ANO fire brigade to manually suppress the fire before damage to safe shutdown components occurs, and the uncertainty regarding the timing and impact that potential failures may have on the operators' ability to accomplish required shutdown functions in time to prevent core damage.

1.3 Overview of the Assessment The Reactor Oversight Process (ROP) describes the need for a method for assigning a risk characterization to inspection findings. The staff developed a method for this risk characterization, which is referred to as Significance Determination Process (SDP). The entry conditions for the Fire Protection SDP are defined for inspection findings of the degradei conditions associated with the plant "approved" fire protection program. Therefore, the SDP seeks to estimate the change in risk between the "approved" and the "degraded" conditions and determine the risk-significance of this change.

In the case of the manual action feasibility issue at ANO we maintain that such an analogy does not apply as the perceived "degraded" (by the NRC) condition has always been an integral part of the ANO "approved" fire protection program.

Therefore, in our assessment we do n ot calculate a change in risk between a perceived "degraded" and a "hypothetical" approved condition. Rather we investigate the risk-significance of the existing (and "approved") condition at ANO as they relate to adequacy of the procedures for safe shutdown in post-fire conditions. We conduct this investigation through the following elements:

I

I

/

1. Fire Modeling - This is a detailed assessment of fire hazards and investigation of the extent and timing of fire damage leading to potential loss of safe shutdown equipment and functions.

2 Reliability of the Manual Actions - In this assessment We examine reliability of the post-fire safe shutdown manual actions to demonstrate that they can be performed with reasonable confidence under the fire conditions. We developed quantitative assessment of the manual actions using state-of-the-art human reliability analysis (HRA) methods-and plant-specific data obtained from review of safe shutdown procedures and training program, as well as simulator exeqcises. In the simulator exercises we observed and evaluated the response of two operator crews through simulation of maximum expect fire scenarios in the unit I 4KV switchgear room. This examination was done for two sets of procedures. One with the procedures in existence prior to this assessment and another with revised procedures.

3. Risk-Significance of the Current Symptomatic Procedures - The safe shufdown strategy and its associated manual actions are reflective of a level of fire risk that-also depends on a number of oth er factors. These factors include, Fire hazards present and types and size fires they may initiate and sustain within the

room, Fire protection systems design and other elements of the fire protection program that can delay and/or prevent spread of fire, Cable and circuit design that determines the extent, timing, and failure modes of the safe shutdown systems, Plant safety functions and systems and how they can mitigate post fire conditions.

In this assessment we examined the fire risk for those areas of the plant where these manual actions are a contributor to determine whether the level of fire risk is acceptable. The current documented state-of-the-art in fire risk assessment was used for this assessment. [Ref. 1]

The remainder of this report contains the following information.

Section 2 contains a phase 3 SDP examination of the Unit 1 4KV switchgear room (fire zone 99-M). Detailed assessment was conducted for Unit 1 4KV switchgear room (fire zone 99-M).

Qualitative assessment of other fire zones in unit I was done with plant walkdown and, where possible, extrapolation of the results obtained for fire zone 99-M. Section 2.1 covers determination of realistic fire scenarios and examination of sensitivities and factors contributing to uncertainty. Section 2.2 documents qualitative and quantitative evaluation of the manual actions including discussion of simulation of fire scenarios. Sections 2.3 and 2.4 document the approach and the results of the development of the conditional core damage probabilities (CCDPs) and fire risk (CDF) respectively.

Section 3 of this report is a quantitative assessment of the issue that includes qualitative examination of other fire zones where manual actions are critical to post-fire strategy and may be to fire risk. Section 4 contains the conclusions of our assessment with respect to the four elements listed above. References used in the conduct of our assessment are listed in section 5.

2

1.4 Scope and Key Assumptions Following are the scope limitations and important assu mptions in our assessment:

Risk estimates are developed using the documented state-o f-the-art in fire risk assessment. As such these estimates have the general limitations of these methods. However, in the technical area where there are known uncertainties in the state-of-the-art and our conclusions are sensitive to the technical area, we seek to establish the margin needed to provide confidence in our conclusions. For example, the models for cable fires and the distance and the rate at which they sprfead is somewhat uncertain. At the same time our conclusions is sensitive to how far and how fast a cable fire in the fire zone 99-M can spread. In this case we supplement our conclusion with adequacy of the margin between what is the best-estimate model and what may lead to undesirable consequences:

Consistent with the requirement of the fire protection SDP (IMC 0609 Appendix F), this assessment defines risk-significance in the context of change in fire-iniduced Core Damage Frequency (CDF).

This assessment is limited to fires occurring during at-power mode of operation. Nature and frequency of fire scenarios and fire protection systems and features may be affected during low power and shutdown modes of operation in such ways that may not be reflected in our assessment.

Detailed fire risk analysis was performed for the unit 1 4KV switchgear room (fire zone 99-M).

The estimates of fire risk in the remaining fire zones of the plant are derived through walkdown and approximate extrapolation of the estimates for fire zone 99-NI. Even though care was exercised to use conservative bounding estimates, we should emphasize the difference in the pedigree of the risk estimates for 99-NI versus the risk estimate for the entire site.

We did not perform a systematic, quantitative assessment of uncertainties. Where appropriate a possible alternative approach, such as use of safety margin, was used to establish confidence in the face of the uncertainties.

3

/1 11 ASSESSMENT OF FIRE RISK IN UNIT 1 4KV SWITCHGEAR ROOM (FIRE ZONE 99-M)

The section contains a detailed, phase 3 SDP assessment for unit 1 4KV switchgear room at ANO as it relates to the issue of adequacy of procedures for post-fire manual actions.

ma Riblt

,i ed'K W^4II:S A ; r umnnrkcliablliY Anajjsls ag

.4-:

Xs~m ac; ons i}'v hi \\rXMpojiiel2:.

Section 11.1 describes the detailed fire modeling done for this fire zone to determine the -

consequences of fire in the room in terms of the extent and timing of the damage to the raceways in the room. Selection and analysis of the fire scenarios is done in such way as to ensure*

sufficient margin and confidence in the results.

Once the affected raceways are identified for each fire scenario, the next step determined the-circuit and equipment lost and their failure mode, including instrumentation and control (I&C).

The equipment lost defines the core damage sequences and the manual actions needed in response to these sequences, including the timing for these actions and the state of the o&C following potential damage resulting from the fire scenario. Details of the identification and assessment of the reliability of the manual actions is documented in section 11.2.

Wfith fire-induced core damage accident sequences and human error probabilities known, the conditional core damage probabilities (CCDPs) for each fire scenario were derived. Details of this step are documented next, in section 11.3.

m Finally, calculation of the fire-induced core damage frequency for fire zone 99-M is documented in section 11.4. This calculation includes development of the frequency of the fire scenarios analyzed in section 11.1 and use of the CCDPs calculated in section 11.3.

4

/

11.1 Selection and Analysis of Fire Scenarios 11.1.1 Switchgear Room, Fire zone 99M Fire zone 99M is approximately 34.5' x 25.' x 12' switchgear room with 2' thick concrete ceiling and floor, and 1' thick concrete walls (north and south walls are concrete masonry units). The room has two normally closed 8' x 8' access doors located at the center of the north and south wall respectively. Four hundred forty (440) CFM's of air are injected into the room through a 14' x 6' fire damprer on the south wall near the ceiling. The room is equipped with a smoke detection alarm system.

The fixed fire sources inside the fire zone 99M consists of a 4 KV switchgear cabinet, three motor control centers (MCC), four inverters, and a load center with its associated inert gas filled transformer. Cables are routed both in metal conduits and 24" wide cable trays.

Figures 1 and 2 provide a pictorial representation of the electrical equipment (potential fixed fire sources) and cable tray layout in room 99M. Table I provides additional details about function and location of the cabinets.

Table 1: Function and location of electrical cabinets In room 99M.

lbCabinet Fu.nc.ions.-`-;

' i. o A4 Switchvear cabinets 4'-3" from west wall, next to B65 B65 MCC 7'-9" from north wall Y22 Inverter 7' from west wall Y24 Inverter 6--2" from west wall, I'-4" from north wall Y25 Inverter Next to Y22 Y28 Inverter 7'-3" from A4 B6 Load centerfrransfonmer 7'-3" from A4 B55 MCC 5'-8" from east wall B56 MCC North-east comer of the room As illustrated in Figures 1 and 2, there are two areas of the room where a two or a three-cable tray stack is present. A two -cable tray stack (EC 201, EC 240) starts between cubicles A406 and A407 of the switchgear cabinet, extending north and turning east along the north wall over the door. This two-tray stack turns south between MCC cabinets B55 and B56. Once between B55 and B56, a third cable tray comes into the room from the north wall, aligning itself between the two trays turning south. Thisthree-tray stack runs up to where the B56 MCC cabinet ends. The three trays have different lengths. Details about this three-tray stack are provided in Figure 2.

Notice that cable tray labeling varies throughout their lengths.

5

II Figure 1: Switchgear room 99M. Drawing not to scale.

EC1530 &

EC1 504 6

I I

EC236 EC205 EC2O1 EC236 EC205 EC201 ENDS ENDS ENDS B-55 B-5j Y-28 B-6 9-11 1V0 L

.L......1 I _____________

Section A-A (Looking East)

Figure 2: SwItchgear room 99M. Drawing not to scale.

I V

7 i X i

/

11.1.2 Selection of Fire Scenarios In Switchgear Room 99M Eight fire scenarios have been selected as representative of th e fire risk in room 99M. The selection of these scenarios is based on the following considerations:

1. Location of critical conduits and cable trays in the room with respect to floor-based in -situ and transient fires - the selected scenarios capture all critical targets.

2 Potential higA-energy characteristics of switchgear cabinets and transformer fires-there is historical evidence of such events.

3. Combustible characteristics of electrical cabinets-there is evidence in EPRI's Fire Events Database of switchgear cabinet fires.

4. Combustible characteristics of cable tray stacks-there is evidence in EPRI's Fire Events Database of cable fires, and fires propagating from cabinets to cable trays..

5. Electrical connections between cabinets, cable trays and conduit Scenario la:

A non-energetic fire in the A4 switchgear starts near the A 409 cubicle just below the two -stack cable tray. This fire may propagate to the trays above and cause subsequent damage to adjacent trays and conduits. As the fire continues to giow and bum, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions.

Scenario lb:

An energetic fire in the A4 switchgear starts ne'ar the A 409 cubicle just below the two-stack cable tray. This energy release is assumed to ignite the trays (exposed intervening combustibles as well as potential targets) above and cause subsequent damage to adjacent trays, conduits, and cabinets. Mechanical damage, but no ignition of cabinets and conduits (non-exposed combustibles) away from the energetic source is expected. An ensuing fire may continue to bum that could expose other targets in the room to adverse thermal conditions.

Scenario 2:

A non-energetic fire in the B55 MCC starts in the vicinity of the three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and bum, a hot gas layer will develop and expose other targets in the room to thermal conditions.

8

p Scenario 3:

A non-energetic fire in the B56 MCC starts in the vicinity of the three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and bum, a hot gas layer will develop and expose other targets in the room to thtrmal conditions.

Scenario 4:

A non-encrgetic fire in the Y22 inverter starts in the vicinity of a cable tray. This fire may propagate to the tray and cause subsequent damage to conduits above. As the fire continues to grow and bum, a hot gas layer will develop and expose other targets in the room to thermal conditions. This scenario bounds fires in cabinets Y24 and Y25.

Scenario 5:

A non-energetic fire in the B6 load center starts adjacent to a cable tray. This fire may propagate to the tray and cause subsequent damage to conduits above. As the fire continues to grow and bum, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions.

Scenario 6:

A transient fire between B55 and B56 MCCs starts below three-stack cable tray. This fire may propagate to the trays and cause subsequent damage to conduits. As the fire continues to grow and burn, a hot gas layer will develop and expose other targets in the room to adverse thermal conditions. The effects o'f this fire in terms of target damage are expected to be similar to Scenarios 3 and 4. It should be also noted that strict administrative controls prevent the presence of transient combustibles in this room.

Pictorial representations of fire scenarios I thru 6 are shown in Figures 3 thru 9 respectively.

9

Scenario 1a I

I Figure 3: Pictorial Representation of the Zone-of-Influenco of a Non-Energetlc Fire in the 4KV Switchgear A4, Formatted:Font: Heletlcaold 10 I i

EC1530 &

EC1504 FIgure 4: Pictorial Representation of the Zone-of-influence of a High-Energy Fire in the 4KV SwltchgearA4 I,

11 t i I

EC1258 H

xQ HEC1237 EC1276 EC1175

,23 ecmEC202 C202 EC20i EC1 190 E 221 C221 EC1257 EC238 EC239 EC239 EC240 E 40 EC2.,

ff l

'EAEA2 O1?vr%

2

.EI.=

EC1530 &

,D.

EC1504

,EC123 Figure 5: Pictorial Representation of the Fire Scenario 2, FIre In MCC B-55 12 I

I

Scenario 3 EC1530 &

EC1504 Figure 6: Pictorial Representation of the Fire Scenario 3, Fire in MCC B-56 13

Scenario 4 Figure 7: Pictorial Representation of the Fire Scenario 4, Fire In Inverter Y.22 14 i Is

Scenario 5 EJ1004 EC1530 &

EC1504 Figure 8: Pictorial Representation of the Fire Scenario 5, Fire in Load Center 8.6 15

Scenario 6 EC2184, EC2212

& EC2213 Figure 9: Pictorial Representation of the Fire Scenario 6, Transient Fire Between MCCs B855 and B56 16 I I

./

11.1.3 Quantitative Fire Analysis The following aspects of the fire scenarios listed above are analyzed: I) a localized damage zone limited to the plume and flame irradiation region, and 2) a global hot gas layer that can damage equipment away from the ignition source and immediate target/intervening combustible. First, a discussion about heat release rates from cabinets, cable trays, and transient fires provides the basis for the selected fire intensities. This discussion is followed by the description and implementation of the models in the analysis. Fire modeling results are presented in Table 2 and Figures 13 thiru 224-11.1.3.1 Heat Release Rate for Cabinet Fires One of the imnp ortant parameters to define in a quantitative fire analysis is the heat release rate profile of the postulated fire. The fixed fire sources inside the fire zone 99M consists of a 4 KV switchgear cabinet, three motor control centers (MCC), four inverters, and a load center with its associated inert gas filled transformer. Generally these electrical cabinets (all except control panels) are similar in parameters that contribute to the HRR, namely, combustible load, combustible configuration and ventilation. Therefore, one heat release rate profile was selected for all these sources. The selection is based on empirical evidence of electrical cabinet fires, and a visual examination of the combustible configuration (cables) in the 4KV switchgear cabinets of room 99M. The postulated fire in any of the electrical cabinets in the room reaches a peak heat e

I tkWe of 100 kW in 12 minutes, and bums at that peak intensity for 8 additional minutes.

A t2 function i-5bccna T:ICxrel-ror representing the growth phase of the fire.

The fire growth rate is affected by two principal factors: I) the flammability properties of the fuel, and 2) the combustible configuration. The flammability properties of the cables inside the cabinets are unknown. In terms of configuration, although the cables in the switchgear cabinet present a consistent layout, cable configuration in other cabinets in the room are unknown.

Given these uncertainties, an average of the time to reach peak heat release rates in all of the cabinet fire experiments reported in NUREG 4527 [Ref. 2] was selected. The average time to peak heat release rate was calculated as 12 min. Similarly, the average burning duration of all the cabinet fire experiments was estimated to be 8 min. It is important to mention that the average time to peak for qualified and unqualified cable fires in cabinets reported in NUREG 4527 are similar. These values were used in the heat release rate profile regardless of the peak fire intensity. That is, in all cases, the peak intensity will be reached in 12 min, and bum steadily for 8 additional minutes. Ignition of nearby cable trays will alter this profile.

17

.HRR Pofile 120 80/

Cr 40 -

20-

• 0*

0 5

'10 15 20 Time [min, Figure 1o: Selected heat release rate profile for cabinet fires In swltchgear room 99M.

EPRI's Fire PRA Implementation Guide [Ref. I] recommends a HRR value of 65 kW for electrical cabinet fires in which the fire would be limited to a single cable bundle. The 65 kW value is the highest value of the fire experiments described in NUREG 4527, [Ref. 2] in control cabinets with IEEE-383 qualified cable and open or"Cdosed doors. In these experiments, the fire was limited to one cable bundle. Switchgear cabinets are distinctly different from control panels in that:

1) they have significantly iower'combustible loading,

2) the combustibles are confin separated into sheet-metal walled cubicles (control, breaker and busbar cubicles), and

3) the wires in the cubicle with ihe most of the heat load, namely the control cubicle are low voltage (I20VAC or DC) wires vith lower combustible mass.

Figure 10 shows the configuration of the combustibles in the control cubicles of the4KV switchgear A4. Based onthe'smiall amount of combustible loadingin comparison to the Sandia test, aaklue of a 100 kV fire is'a reasonable assumption. This nominal value is higher than e 6 kW recmme;;ed by the EPRi Fire P ua u

ore, this fire intensity is expected to produce flames capable easily reaching cable trays above the cabinet.

Another parameter in characterizing a fire is its location. The location of an electrical cabinet fire could be significant as assuming a fire on the top of the panel versus one at the location of the vents could mean the difference between ignition or no ignition of the overhead cabling with fire intensities in the I OOKW or less range. Also, in a closed-top oi mechanically -sealed-top cabinet an assumed fire at the top of the cabinet could mean no-flame heating where the flames '

are likely to be at the location of the vents or warped panel doors.

18

In the case of the A4 switchgear, the fire is assumed to occur at the top of the cabinet. This is close to the location of the top-front cubicle, where the cable bundle is located. Notice in Figure 10 how the cables come into the cabinet and form a bund le along the left side of the cubicle. The metal boundaries of the cabinet are assumed to have no effect in the fire heat release rate profile.

This is, the fire is assumed at the described elevation without any obstruction altering its development. This is not a critical factor in any of our defined fire scenarios due to the proximity of the first raceway and the nominal HRR selected.

Figure I1: Cable configuration in A4 switchgear cubicles.

11.1.3.2 Characterization of the High-Energy Switchgear Fires Some in -situ fire sources in a nuclear power plants are capable of fires that are preceded by a high-energy initial phase. Historical evidence points to switchgears and transformers as a potential source of such events in a NPP. The energetic phase of a high-energy fire in switchgear typically initiates as the result of an arcing fault in the breaker cubicle. The initial high -energy phase is then followed bya potential fire in the switchgear (now possibly venilated, at least in the breaker cubicle) andpossibly a fire in any nearby exposed combustible.

The model (zone of influence) for the energetic phase used in this analysis is an empirical one based on such events at Oconee (1989), Waterford (1995) and San Onofre (2001). The model assumes damage and ignition of exposed combustibles within 5 ft. This includes panels across from the switchgear and exposed cable trays overhead. The evidence as it relates to conduits in the zone of influence is not strong. None of three events involved switchgears with conduits nearby to determine the potential for damage. Note that conduits are stainless steel piping far more resistant to pressure spikes than trays. Nevertheless for this assessment, we have assumed functional damage to the cables in the-conduits within the zone-of-influence but not ignition and secondary fires.

11.1.3.3 Heat Release Rate for Cable Tray Fires The heat released by a single cable tray fire is estimated using the bench scale to full-scale cable tray heat release rate correlation [Ref. 1, 3]. The correlation

=0.45 qbA*.O (kW) 19

/

has the following input parameters: A0o the cable tray burning area (m2), and qts-the experimental bench scale heat release rate value (kW). A, is assumed to be the width of the cable tray (24") times the characteristic lengih of the fire, which is assumed to be the length of the cabinet. Due to the uncertainty in the cable type, a value of 400 kW/n 2 is selected for q en.

Notice that this is the highest value that can be selected from the bench scale experiments used for developing the correlation. This selection will result in a conservative estimate of the heat release rate.

The model described in EPRI TR-105928 IRef. 1 for cable tray propagation in a stack is used for estimating heat release rates from the two and three tray stacks currently present in the room.

The model assumes the characteristic length of the fire below thefirst tray in the stack times the tray width as the burning area in the lowest tray. The fire then propagates to trays above in a 35° angle to each side of the trays. A five-minute delay between cable tray ignitions is recommended based on experimental observations. Figuie 11 provides a pictorial representation of the model.

Assuming the fire in the switchgear cabinet A4 will have a characteristic length of 3' (A conservative assumption due to the limited openings in the top of the switch gear.), the first tray will have a burning area of 6 ft2, and a heat release rate of 100 kW. The second tray in the stack 2

will have a burning area of 7.1 fIt,and a heat release rate of 120 kW.

Assuming the fire in the MCC cabinet B55 will have a characteristic length of 3', the first tray will have a burning area of 6 It2, and a heat release rate of 100 kW. The second tray in the stack will have a burning area of 8.4 f12, and a heat release rate of 140 kW. Finally, the third and last tray in the stack will have a burning area of 9.7 ft2. and a heat release rate of 160 kW.

\\350 35 t

ignition Source Figure 12 Cable tray stack fire propagation model 11.1.3.4 Localized Damageto Targets Localized damage to targets can occur to cable trays and conduits located inside the flames, in the fire plume, or subjected to flame radiation. Targets are considered damaged or ignited when I

their surface temperature reach 700 'F. It is issu med that only cable trays (not metal conduits) will ignite and contribute to room heat up; Cables inside mieal conduits assumed damaged at the 20

I, same critical temperature, but will not contribute to room heat up. For a given ignition source/target set comb ination:

1. Determination of the time at which the target was immersed in flames using Heskestad's flame height correlation, L = 0.235Q(t)ys - I.02D [Ref. 4], were D is the diameter of the fire (assumed as 3'), and Qfis the heat release rate as a function oftime. The time to damage is assumed as the time the flames reach the target.

2 Determination of the time to damage for targets in the plume. The heat fluxes in the plume affecting the target are estimated as a function of time using:

q;.w =° 2{ ) (kW/r?) [Ref 4, 5]

where H is the height of the target above the fire. Finally, the time to target damage given the incident heat flux profile is estimated using:

T,., -r§

=

[Ref. 6, 7]

where T.., is the surface temperature of the target q(T) is the incident heat flux as a function of time and kpc is the thermal inertia of the target. kpc is conservatively calculated assuming PE/PVC cable with the following properties [Ref. 8]: k = 0.0001 kNV/mK, p = 950 kg/nI, and c = 2.25 kJ/kg. This assumption only affects the target heating time and not the ignition or damage temperature in the fire modeling analysis.

3. Determination of time to damage for targets in the ceilingjet. The heat fluxes in the ceiling jet affecting the target are estimated as a function of time using:

0q 0 = Q (kW/mn)

[Ref. 4, 5]

where H is the height of the target above the fire, and R is the horizontal radial distance. The time to target damage is calculated using the integral equation described above in item 2.

4. Determination of time to damage for targets adjacent to flames subjected to thermal radiation. The radiated heat flux as a function of time is calculated using the point source

model,

= Q&)X2,

[Ref. 4]

whereXr is the radiation fraction, assumed as 0.35, and R is the horizontal distance from the flames to the target. The time to target damage is calculated using the integral equation described above in item 2. Notice that irradiation from flames is considered for targets 21

adjacent to the ignition source, as well as for targets adjacent to ignited intervening combustibles, such as cable trays.-

Table 2 lists the results for the localized target damage analysis. The second column, "Fire Sources", lists the first item ignited or ignition source. The "Conduits" column lists the conduits that are thermally challenged by the ignition source. The types of exposure and calculated time to target damage are reported in the fourth and fifth column respectively.

The "Cable Trays" column list the cable trays that can be ignited by the fire in the ignition source. A fire in the trays will contribute to the room heat up at the calculated ignition times, reported in the eighth column of the table.

Columns 9 to 11 of Table 2 refer to conduits that can be damaged by a fire in any of the intervening combustibles. Notice that the time to damage of these conduits is relative to the ignition of the trays. The absolute time to damage is the time to cable tray ignition plus the time to conduit damage (columns 8 and I1).

11.1.3.5 Smoke Detection Analysis Switchgear room 99M is equipped with a smoke detection alarm system. With the exception of a fire in the switchgear cabinet A4, the alarm system will indicate the main control room of any fire detected in the room. A fire in the switchgear cabinet A4 will disable power to the fire panels, limiting the information provided to the control room. In this case, the control room will only receive a trouble alarm due to an "unknown cause".

No model is currently validated for estimating response time from smoke detectors. Time to detection is therefore calculated using the DETACT model [Ref. 9]. The DETACT model widely used to estimate response of heat detector devices such as sprinklers. When used for estimating the response of smoke detectors, a 55 'F temperature change in the location of the device has been traditionally assumed. This value is conservative since studies have shown that for modem smoke detectors, a value of 41 'F is appropriate [Ref. 10). Time to detection values were calculated using both activation temperatures. Furthermore, smoke detectors are not modeled using the Response Time Index parameter (RTI), characteristic of heat detectors.

Therefore, a value of 1.0 (m s)"2 has been assumed as input to DETACT. WVith this assumption, temperature at the detection device is close to the temperature in the ceiling jet.

DETACT also requires inputs defining the position of the detector with respect to the fire and the fire heat release rate profi le. A fire located on the floor will be the most conservative configuration for calculating response time. The elevation of the detector above the fire was selected as 12', which is the height of the room. The detectors are approximately 7' apart from each other. Therefore, a fire located midpoint between them is also the most conservative configuration. The horizontal radial distance from the detector to the centerline of the fire plume was selected as 3.5'.

22

Finally, the heat release rate profile used for the DETACT analysis is described in Table 3 below. DETACT results are listed in the last column of Table 2.

1.

23

Table 2: Localized targets and Intervening combustibles.

~

R, 4 on-nergetic fire in the A4 C1589 F

Ia switchgear. Nominal value, 100 1236 n plume b

Energetic event in any or the A4 EC159, Ianage to switchgear breaker cubicles.

EC1236 5 g

e n

-e EC1504.

MaNag dua to

.. EC1I530, cergetic~e-vent.,

r EJ1004 No flames.

amage due to

,28, B6 enrgetic event.

.z

.o flames.

S ire in the B355 MCC. Nominal

E1163, 2

100 KW fire. Fire in Inverter Y28 EC1 164, In plume s bounded by this scenario.

EC1165.

Firc in theB856 MCC. Nominal EC1088' 3

I 0

Wfr C03n flames or pluma 24

{

A4 will disable the smoke alarm system.

25

/

11.1.3.6 Hot Gas Layer Analysis Once the time to localized damage is calculated, the heat release rate profile from the ignition source and intervening combustibles (cable trays) were used to determine hot gas layer temperature. Damage or iginition of targets away from the ignition source is assumed when they become immersed in ahot gas layer of 700 OF, which is the damiage criteria for targets in the room.

Hotgas layer ten-peratures are estimated using the zone model CFAST [Ref. II], developed by ihe National lnstitute of Standards and Technology (NIST) using the room characteristics described earlier in this document.

Ignition of intervening combustibles produce sudden increases in the fire intensity profile due to the fact that cable tray heat release rates have no growth model.: In order to avoid step-functions in the HRR profile, and provide a more realistic representation of the fire intensity, a t2 function was super imposed. The peak heat release rate is the sum of the cabinet and cable tray peak intensities and the time to reach the peak is the time when the last tray is ignited. The t2 function is of the form

<?t= AtQ*0 ;( J (k.

-)

where X is the time to reach the peak heat release rate. Figure 12 illustrates the concept of superimposing a t2 growth curve to a heat release rate profile including ignition of adjacent cable trays. Table 3 lists the heat release rate profiles and door positions used in the CFAST runs.

Heat Release Rate Profile, 600 400

'~t 200 _i i; 0 9 0

500 1000 1500 Time Isec]

X aStepfunction-t2model.

Figure 13: Conceptual representation of the use oft2 fire growth model for representing ignition of adjacent cable trays.

26

l.

Table 3: Fire scenarios evaluated with zone model CFAST 27-S.Cenar~i>-

I Heat-rce Ii~e' ate iiprori t>W.<.i:E't-;e, Nent S:~rrv~t§.'X jt i i'>..W7I la Cabinet fire heat release rate (100 kW, 3' of tray)

Closed and EC20i & EC240 stack fire starts at 5 min (100, 120 kW and 3' and open doors 3.5' of tray respectively)

Fire in A4 DA008 tray fire starts at S min (100 kW, 3-of tray) cabinet EA201 tray fire starts at2.5 min (100 kW, 3' of tray)

• 'eak heat release rate - 520 kW + fire intensity due to horizontal Lame spread in cable trays (Flame spread rate of 10 ft/hr, Ref EPRI NP-7332).

4 t2 Model:

(t)= Ali{520+ (08.- L)520 (725) kW Where 10S-L is obtained from:

= 0.45.

Ao assuming Ao is the cabinet width (0.6 m) times the length of the burning tray. The length of the burning tray, L, is calculated as a function of time assuming 10 ft/hr.

This scenario assumes a 520 kW growing fire due to the cabinet flames propagating to cable trays above. Once the equipment affected by the cabinet fire are ignited, the fire is assumed to spread horizontally in the cable trays.

b Cabinet fire heat release rate (100 kW)

Closed and EC201 & EC240 stack fire starts at 0 min (100, 120 kW) open doors Energetic DA008 tray fire staris at 0 min (100 kW, 3' of tray)

Fire in A4 EA201 tray fire starts at 0 min (100 kW, 3' of tray) cabinet Peak heat release rate - 520 kW + fire intensity due to horizontal flame spread in cable trays (Flame spread rate of O ft/hr. Ref EPRI NP 7332).

4 t2Model: 0(t)=520+108-L kW See discussion for definition of paramcetr L in scenario I a above. This scenario assumes a 520 kW fire as the initial heat output due to the explosion, and a sustained cable fire that spreads horizontally in the trays.

2 Cabinet fire heat release rate (100 kW)

Closed and EC201, EC205 & EC236 stack fire starts at 7 min (100, 140, 160 kW open doors Fire in BSS and 3', 4.2' and 4.8' of tray respectively) cabinet Peak heat release rate - 500 kW 4

t2 Model: A f(t)

,M{50O0,5O -(-)

) kW 27

/

9cena rio; Tie I raa i

e.rat1i

-roflIse :, 5M i T E T:

T -t-3 Cabinet fire heat release rate (100 kW)

Closed and EC201, EC205 & EC236 stack fire starts at 7 min (100, 140, 160 kW open doors Fire in B56 and 3', 4.2' and 4.8' of tray respectively),

cabinet Peak heat release rate - 500 kW A.

t2 Model: {2t)

Min 5006 5 00 kW 4

Cabinet fire heat release rate (100 kW)

Closed and DA008 fire starts at t4min(tOokW,3'oftray)

Open doors Fire in Y22

• lPcak heat release rate -200 kW cabinet 2

+

2 Model: (t)=Mi 200,200o-840 J kW Cabinet fire heat release rate (100 kW)

Closed and EC201, EC205 stack fire starts at 7 min (100, 120 kW, and 3' and 3.5' open doors Fire in B6 of tray respectively) cabinet Peak heat release rate 320 kW

?Model:

=MI 320,320

.- I kW LIO220 6

Bounded by scenarios 2 and 3 Notice that the highest fire intensity in the initial zone of irfluence occurs in scenarios I a and lb.

Notice however, that cable fires, not the electrical cabinet itself, contribute to the majority of the heat release rate. This is also the case for scenarios 2 through 6.- All the cable trays in room 99M assumed to bum in the selected scenarios are around 8 ft above the floor. Based on this argument, the fires were located 8 ft above the floor. Given that scenario I resulted in the highest heat release rate, it was decided to extend the duration of the fire for two hours. Cable fires would continue propagation during the entire duration of the simulation.

The following graphs provide numerical results calculated with CFAST for scenario 1. Upper layer temperature values are read in the right y -axisheat release rate in the left y-axis. In general, no upper layer temperature exceed ed 500 'F. This temperature level is observed only in Scenario lb. This is the scenario with the highest heat release rate..

28

n CFAST Results Scenario Ia, Open room door 2500

' 400 2 000 -f t

Wove 2000 300 1500 1 200+/-

d.1000

{

i500 100 0

O 0

2000 4000 6000 8000 Time [Secl Calculated HRR -

Input HRR -

UL Temperature Figure 14: CFAST results for upper layer and heat release rate in scenario la.

CFAST Results Scenario la, Closed room door 2500 400 2000__-

350 2000_

300 1500-250 200 1000 150 500 100 50 0 -

I 0

0 2000 4000 6000 8000 Time [Sec)

-Calculated HRR -

Input HRR -UL Temperature Figure 15 CFAST results for upper layer and heat release rate in scenario la.

29

I

/

CFAST Results Scenario lb. Open room door 2500(

600 2000 gcSo-1500 40010000

• 1500:

Ad00t 0

100 0

2000 4000 6000 8000 Time ISeCI Cakuiated HRR -

iput HRR UL Temperature F

f uel rn a,

FIgure 16: CFAST results for upper layer and heat release rateIn scenariol1b.

CFAST Results Scenario lb, Closed room door

-500

• 400

-300 6

-200

-100 0

1000 2000 3000 4000 5000 6000 7000 8000 Tiime [Sc

-I

-Calculated HRR -

Input HRR -

ULi Temperature Figure 17: CFAST results for upper layer and heat release rate In scenario lb.

• The following characteristics are noted from the four graphs above associated with scenario l:

1. The heat release rate decreases to 0 kW in the first ten minutes of the simulation. This is due to lack of oxygen in the smoke layer, where the cables are burning.

The calculated effects of oxygen availability in the fire intensity can be observed by comparing the input heat release rate to the code with the calculated heat release rate. Notice how the calculated profile reaches 0 kW in less than 1000 seconds of simulation.

2. The upper layer temperature reaches a peak value of around 500 'F in the explosion scenario.

(Figure 16 & 17) The temperature then returns to ambient as the fire intensity decreases.

30

N The following graphs illustrate CFAST results for the remaining scenarios. Note that scenarios 2 and 3 bound scenario 6, and therefore, no results are presented.

CFAST Results Scenario 2 & 3, Closed room door 250 -4 200-5

-100.-

7 1 L 50

-78 0

76 0

1000 2000 3000 4000 Time [sec)

Calculated HRR --

UL Temperature Figure 18: CFAST results for upper layer and heat release rate In scenario 2 & 3.

CFAST Results Scenario 2 & 3, Open room door 250 182 200 180

-100 78 50-0 0

76 0

1000 2000 3000 4000 Time [SecJ

- Calculated HRR _--UL Temperature Figure 19: CFAST results for upper layer and heat release rate In scenario 2 & 3.

31

I

/

250 200 y 150 K 100 50

.JI so CFAST Results Scenario 4 Closed room door 84 82 80F 78 76 0

1000 2000 3000 4000 Time [Sec]

Calculated HRR

• -Ul Temperature Figure 20: CFAST results for upper layer and heat release rate In scenario 4.

' CFAST Results Scenarlo 4, Open room door 250 81 200

• 80 10079 50 77 0

'76 0

1000 2000 l3000 4000 Time [Secl Calculated HRR _

UL Temperature Flgure 21: CFAST results fbr upper layer and heat release rate In scenarlo 4.

f t

32

I.

CFAST Results Scenario 5, Closed room door 250 -

83 200-l 82 150 l 80 IC 100 -7 501_

78

g.

76 0

1000 2000 3000 4000 Time [Seci

- Calculated HRR M---UL Temperature Figure 22: CFAST results for upper layer and heat release rate In scenario 5.

CFAST Results Scenario 5, Open room door 250 81 200 80 150 '~100

-7 50

-77 0

- ~ -

-76 0

1000 2000 3000 4000 Time [Secl Calculated HRR.

UL Temperature Figure 23: CFAST results for upper layer and heat release rate In scenario 5.

11.1.3.7 Graphical results associated with scenarios 2 through 5 present similar profiles. This is expected because the heat release rate profiles are very similar.

Compared with' scenario 1. these other scenarios have slower growing fires and lower peak heat release rates. As a consequence, the model suggest that there is enough oxygen at the beginning of the fire to support rapid fire growths, and therefore, higher temperatures.

Slower growing fires consume the oxygen before temperatures increase to hazardous levels.

=

33

scenario. Gerald Storbakken, provided the updated procedure attachment for fire in 99-M.

Jessica Walker, PRA support, calculated the CCDP using information from the equipment failure listing and adjusted HRA values, collected information on the local actions, and made simulator observations for additional crews.

Dan Smith and Nolan Edwards operated the simulator with Andy Clinkingbeard's support.-

Marlin Fletcher provided the fire brigade communications to the control room crew. Two full operating crews (5 control room and 2 local operators supported the simulation) and Bob Eichenberger provided management oversight of the crews. Additional manual action observers included Kathy Ashley and Bob Clark.;

11.2.1.4 Site Activities The following on -site activities were accomplished for the HRA.

Identified fire-generated cues for action. Note that for the simulated zone 99M A4 switchgear fire, a specific fire alarm was not expected, although a fire system trouble alarm does occur due to loss of fire panel electrical power in this fire. Since an immediate and automatic reactor trip was also not expected even with a loss of A4, a manual trip is still initiated (as evidenced by actual response of crews during the simulated fire) because a significantly large number of alarm tiles were lighted. The loss of A4 prompts a check of the switchgear area by a local operator who will report, after a few minutes time delay, that a fire has occurred.

For other scenarios and other fire locations, the cues could be similar and/or include a fire alarm.

Identified possible false signals from thelfire scenario. It is recognized that fires might cause the lack of or spurious alarms. For the simulated 99-M A4 switchgear fire, such conditions were simulated. It was observed that those associated with non-wvorking or unneeded systems or equipment were put on lower priority by the crew, thus no time was wasted on working on false alarms.

Identified hot shorts that might activate equipment. It is recognized that fire might cause hot shorts that could spuriously operate equipment. For the simulated 99-M A4 switchgear fire, a few significant equipment failures (e.g., failure of service water cooling to an operable

• diesel generator and an unalarmed closure of CV -2800, suction valve for the motor driven emergency feedwater pump 7B which when closed, could lead to over-heating and failure of the pump). In the simulated event, the operators noticed and protected the equipment from damage by shutting it down.

Assisted in converting the equipment damaged in a realistic fire scenario in 99-M into a timing sequence for the simulator.

Assisted in establishing event timing and order based on information from the 99-M A4 switchgear fire scenario timing and circuit failure analysis (Four time triggers at T=O, T=2 min, T=5 to 9 min, and T= 15 min).

Identified equipment that is unavailable due to the A4 fire (equipment simulated to progressively fail in an undesired state).

36

I, Assisted in identifying the success path equipment if zone 99-M equipment is inoperable (SG cooling success paths initially included emergency feedwater motor pump, emergency feedwater steam pump, and MFV turbines to atmosphere or condenser; also HIPI cooling to containment with containment switch over (if damage progressively fails the equipment).

Assisted in the mock-up of the zone 99-M fire scenario on the simulator (decision was made to model failures in the entire room by T=1 5 min, because that way, observations could be made of crew response for both the realistic fire and the worst case hot gas layer fire).

Identified capability for ex-control room actions to start or control equipment needed in the zone 99-M fire scenario by walking down each location where a manual action could need to be taken.

Revised the fire brigade script to match the hypothetical fire in 99-M. Fire brigade communications with the crew were also made part of the zone 99-M fire simulation to add realism and additional workload burden and distractions. See Appendix B:3 for the script basically follo wed during the simulation.

Observed simulated zone 99-M A4 fire scenario and crew actions (in-control room activities; ex, control room activities were also observed by ANO-I engineering staff using a form designed to document the, observations) using current procedures to address fire issues.

Symptom based procedures with floating steps illustrated opportunistic responsive control behavior.

Observed same simulation and crew activities using updated procedures to address fire issues.

This time, symptom based procedures were used with specific directions to manage cooling with specific cooling trains. Steps illustrated tactical-pre-emptive control behavior Collected data for human reliability assessment of ex-control room actions. Developed a form for collection of information on the details of each action cued by a call from the control room at the simulator. Took notes and documented timing for key actions leading to establishing the key system alignments for plant cooling.

Reviewed the PRA model for CCDP calculations applied to the zone 99-NI A4 fire including the IIRA assessments, and assisted in establishing the process for updating the model for fire conditions using current EOPs and new fire attachment.

11.2.1.5 Analysis Activities Reconciled notes between observers and simulator printouts.

Compiled HRA data for use in the evaluation.

Evaluated the impact of the new procedure on the IIRA values and identified the changes expected in the simulation.

Developed HRA model and described issues for use in the CCDP evaluation.

Assisted in quantifying the CCDP given a significant A4 fire in 99-M and required operator actions due to effects of the fire.

Added new H RAs to address modeling needs and simulator observations.

Documented results.

37

/

-p 11.2.1.6 Walkdown items The following items were observed to demonstrate feasibility of the action.

Emergency lighting was available at each local site where a local recovery or repair action was postulated.

All electric breakers for aligning EFW valves were easy to get to, and well labeled and coded according to a matrix scheme.

Local breaker operational procedures and tools (e.g., hooks) for operating the breakers were available in cabinets near each breaker location.

Bus position indications are available on the breaker cabinets to note breaker open -closed condition.

Local manual valve operations for opening or closing and controlling-could be easily handled for EFW 7A and 7B trains. Some of the isolation valves could be operated only with ladders in-place. Valve position was determined primarily by stem position, as some of the position indicators were hard to read.

Feedback on SG level is available from the control room via the phone system.

• The EFW turbine driven pump is located in a fire-protected environment. Local piocedures are

• on the wall for repair of over speed and other protective trips (Procedure 1106.006).

All local control valves, breakers, and instrumentation used in this scenario were within the main plant buildings.

The local actions are cued by verbal instructions from the control room.

11.2.1.7 Procedure review and training simulator EOPs ANO-I uses symptombased emergency operating procedures, and functional recovery procedures. Operators are trained on a full scope control room-training simulator. In a simulation of a realistic fire in zone 99-M, the crews pursued multiple paths for maintaining or restoring one of three feedwater systems: (I) the turbine driven emergency feedwater system, (2) the motor driven emergency feedwater system, and (3) the main feedwater system which was available. Another option is to use HPI cooling, but this was clearly a last alternative. The selection of trains to use was up to the operators when choosing the floating steps from the EOPs to apply. The new procedure attachnent (1203.009) provides a clear line up and protection strategy. This reduces the potential of errors in selecting the trains and components. This advantage is reduced by the time it takes to reach the procedure as the fire could be out before the operators reach the protective steps.

38

it-Simulator The fire damage model was tied to several time phases in the simulator as summarized in Appendix B.l. Equipment failures and timing are shown in Appendix B.2. The simulator fidelity was very good. No indications of differences in the control room and simulator were noted except the fire indication panel is not modeled in the simulator. In this scenario the fire alarm panel power supply is lost on the A4 bus trip with only the fire panel trouble alarm activated.

11.2.1.8 Simulation of 99-M Fire Scenarios The simulation of a fire in zone 99-M integrated the efforts of six activities. These are (1) identification of the equipment failures as a function of timing from the fire growth model, (2) testing the simulation to identify unusual or unexpected behaviors, (3) providing communications that would be expected (fire brigade, manual actions, and external communications), (4) modeling crew organization for fire (leaving four in the control room and one of the three local operators ), (5) observing the control room crew actions and communications during the simulation, and (6) verifying the local manual actions called for by the crew. This information is used to verify feasibility of the local actions and to provide HRA inputs to the evaluation of the conditional core damage probability (CCDP). Typical requested actions during the simulations included:

Investigate A4 bus Go to A3 and be ready to Check equipment Check position of A-306 Local manual control of EFW 7A (throttle 2620 and 2627)

D1512 - (CV2663 P7A turbine steam admission valve power) OPEN from breaker room D5241 - (CV2667 P7A turbine steam admission valve power) OPEN from breaker room Verify location on declaration of Site Emergency The simulation observations are summarized in Appendix B. 1.

11.22 FeasibilityofManualActions The potential control room and local actions for managing a significant fire in 99M were demonstrated to be feasible by walkdowns, and by observation of the application in the simulation with local auxiliary operators carrying out a simulation of the instructions in the plant.

The observations from the week at the plant were evaluated from the perspective of the nine inspection criteria for assessing manual actions issued by the NRC 3/6/03.

1 Upon initial investigation they may call for the local fire deparnment. This does not reduce the number of licensed operators in the control room below the minimum needed, and supervisory personnel might be available to provide support.

39

/

11.2.2.1 Instrumentation for diagnosis of core cooling status Simulator observations presented in Appendix B illustrate that the diversity of instrumentation' permitted the control room crew to evaluate the hot shutdown cooling process equipment and define needed local actions when some trains of instruments failed in spurious and odd ways.

Once into the hot shutdown-cooling phase the operators were able to prioritize their actions based on the systems and equipment they had available. They were able to diagnose the need to throttle back on the feedwater flow to the steam generators to avoid overfilling using control circuits unaffectedl by the fire. The feedback on actions taken locally- (inserted by the training simulator supervisor upon verbal communication from the field) - was clearly observed by the board operators and relayed to the procedure reader.

11.2.2.2 Environmental considerations encountered vwhen perforning manual action For a fire in zone 99-M no local actions were required within the zone to maintain 6corecooling, thus the temperature, smoke, toxic fumes and humidity conditions due to the fire and fire brigade actions would not likely effect the local action within the initial I hour of the simulation.

The environmental conditions that the operator would be expected to encounter during the simulated fire were provided verbally to the local operator (e.g., the door is hot and smoke is in the room and you can't enter here). All actions were in the auxiliary building where radiation levels are at a minimum. Emergency lighting was available for all pathways from the control room to the location, including special reflectors in the stairwells. Should the smoke and fumes be released from the affected fire zone, protective breathing gear is available for breaker operations in rooms connected by adjacent hallways.

11.2.2.3 Staffing in control room and fire brigade The simulation showed that the ANOI staffing plan for fires to be adequate for the 99-M fire event and it is above the minimum required by the NRC.

The operating staff at the two-unit plant includes 4 licensed operators and a shift engineer in the control room and two auxiliary operators and one waste control operatorfor each unit. In the case of a fire, a fire brigade of five people is formed.Two memb ers of the brigade will be from the affected unit. The brigade leader will be the wasie control operator and the 2d member from the affected unit will be an auxiliary operator. This leaves the four control room licensed operators, the shift engineer and one local operator for managing the core cooling safety systems.

11.2.2.4 Communications -control room supervisor, local operators and fire brigade Communications observed during the simulation demonstrated the feasibility of using either set ofprocedures to successfully manage the core safety functions.

40

p Communications between the control room and all others involved in the simulation were of a high volume, but the self powered radio phones permitted each person to hear the others communication. The communications were provided on a multiple channel self powered radio system, which is independent of the fire effect in any zone and loud speakers for plant communications from the control room (e.g., site emergency). The volume of communication was high, but each person focused on only the important communications during the initial stages of the event, which involved verification of the instruction, and verification of the action completion.

11.2.2.5 SpeciI tools for executing a local action Most of the actions could be performed without any special tools.

In addition to the special tools of gloves, dosimeter, keys, flashlights, etc; some special tools were needed for the A3 breaker operation, because control power to the breakers failed in this event. In particular, a grounding stick, which was available from a nearby location, was needed.

The valves all had attached hand wheels for manual operation.

11.2.2.6 Training on local actions and use of procedures The local auxiliary operators demonstrated good knowledge of th e locations and how to operate each equipment type.

For actions called for by the control room crew there was no discemable difference between an experienced operator and a recently licensed operator for finding the location, the equipment, and assessing the condition and implementing requested actions using either generic procedures or verbal requests the requested action. The conclusion from this observation is that the training process for field operators provides the key knowledge for operating any equipment specified by the control room in addition to the guidance provided by procedures for generic operation of the equipment.

11.2.2.7 Accessibility for performing local actions The plant walk down demonstrated that the location and the equipment for performing each action were accessible. The simulation confirmed that the timing for performing the actions was adequate.

A walk down of the pathways prior to the simulation was undertaken to verify that the possible local actions could be undertaken. While mo st of the valves and breakers were easily accessible from normal height or by climbing permanently fixed ladders, one valve for steam admission from Steam generator A to the 7A EFW turbine had very difficult access over several pipes and in a cramped area. Its redundant valve from steam generator B to 7A EFW turbine was more easily accessible via a fixed ladder. Hazard warnings or other obvious obstacles did not restrict operators from operating the key safety valves or breakers. The pathway to each location was assessable without going through fire zone 99-NI.

41

I 11.2.2.8 Procedures for response to a complex fire scenario The evolution of a fire in zone 99-M is expected to be a'very rare event, even so it was demonstrated during the simulation that the current EOPs and new attachment could be used to manage an extensive fire in that zone.

Current EOPIAOPIPre-Fire Plans The current ANOI symptom based EOPs provided adequate guidance for a crew licensed on the ANOI plant to mbnage all of the systems needed to protect the core following a fire in 99-M.

This was demonstrated by observation of one crew in the simulator, who successfully cooled the core following the procedures and selecting the necessary floating steps. There'was no time required for studying any element of the procedure, as the crew appeared to havein mind all the elements of how to maintain cooling given a continuously eroding man-machine interface. The current procedures were applied in an opportunistic manner to manage core cooling safety trains during the event. The phasing of the fire permitted sonie successful automatic alignments early in the sequence; however, the operators did not anticipate protecting the operating equipment from spurious operations by removing power from the valves that were manual positioned.

New fire procedure attachment The new attachment provides specific guidance for lining up, controlling, and preventing spurious actions from stopping a key safety train given a fire in 99-M.

In simulation of this event the crew did not start the new' attachmrentfor about'15 minutes after the fire started. By this time it is expected that the damage to cables'and the potential for new spurious actions would be over, even if the temperature of the damaged switch gear was high enough to cause additional self ignition. Fortunately, the new attachment provides a process for moving valves and breakers into their correct positions for core cooling, and then removing the

electric control power to prevent a future spurious operation. The fact that the new attachment' provides specific valve and breaker identification numbers for communication to the local operators for a fire in 99-M means that the control room is more likely to be operating a tactical manner for managing core cooling equipment during the event. Since the new attachment had only recently been written, the crew had not practiced on the procedure before the simulation.

11.2.2.9 Verification and validation of local manual actions Our walk down and simulation exercise provided a verification and validation that the current procedures as well and the new attachment could be pe'rformed to protect the core in the event of a fire in 99-M.

The control room identification of the action, the timing of the action, the route to the local stations was clear of the fire zone, and the use of current auxiliary operators in the simulation clearly showed that the such actions can be performed.' The only issue remaining is the effect 42

that a real fire might have on the local environment (e.g., smoke, heat and toxic gases). The crew is trained in the use of protective gear including special breathing packs.

Once the actions are shown to be feasible the next step is to determine the reliability of the action considering the details of the elements used in quantifying the error potential for each action as is done in the next section.

12.3 Reliability of ManualActions (Human Reliability Analysis - HRA)

To evaluate the irn'pact of a fire on the crew actions a human reliability modeling approach was developed using the current human error probability (HEP) values developed from the SAIC TRC model [Ref. 14], which is an integrated single model that considers timing and other factors to produce a single human failure event (HFE) value. The HFE represents an integration of error factors that apply to the scenario, whereas RIEP refers to the human erroi associated with a defined task not yet integrated into the overall scenario. The EPRI HRA calculator was used to supplement the initial assessments with revisions in the PI and P3 assessments.

11.2.3.1 Current HRA model in the CCDP The equation for the SAIC TRC is a lognormal distribution of the following form:

I t I I

nsm I

Pr) =T27,J-ep-+

[

j(l)]2ds The IIRtA analyst accounts for the operational context by adjusting the parameters m and UR for rule-bascd versus knowledgebased behavior, no burden versus burden, and other performance influencing factors.

The I IFEs for non -recovery are based on the TRC system, which assigns an error mode category, location, response time, time available, error factors, and other uncertainty factors. Defaults are provided based on the event categorization, and rules of thumb are provided for the application context. This system is useful for single scenario recovery models. The internal events application of the TRC model assumes good control and indication interfaces in the control room and locally, reliable instrumentation and no smoke or flame nearby. It does not explicitly address the cognitive areas of detection, situation assessment, planning, nd execution of the task (in the control room or locally).

The CCDP model for zone 99-MI was developed by considering the bounding components that could be damaged in a realistic fire as summarized in Appendix B.2. Based on the fire growth model this included all equipment in an A4 breaker cabinet and the two cable trays above it. In the realistic fire the amount of combustible material to feed the fire is not sufficient to form a hot gas layer that damages the remaining equipment in the roon?.

Thus, the fire model used to 2In the simulation the realistic sim was expanded to assume a hot gas layer at T-5 min to extend the simulation by damaging all equipment in the room.

Even in this case both crews demonstrated that the current and enhanced EOPs were sufficient to 43

,I update the CCDP includes the effects of failure of the wiring in the A4 breaker cabinet and the cable trays above it. Since the hot gas layer would not affect the cables that are remote from the fire, these cables are expected to remain insulated and operable.

11.2.3.2 Update Modeling Process The existing HFEs in the model were extracted from the base case internal events CCDP model as calculated above with the SAIC TRC as the starting point for the HRA evaluation. The aim of the HRA fire evaluation is to update the HFEs provided for a transient model by considering the impact oftherfire on the ability to identify and take key actions given that the base case assumptions of Actions in the control room, reliable instrumentation and working controls are available. In the fire scenarios for 99-M the instruments are not reliable, the controls may become unavailable and the actions may have to be taken locally manually. To update the existing HFEs it is assumed that the impact of the fire is to ificrease the errorprobability. To systematically evaluate this effect, methods discussed in EPRi -TR.000259i[Ref. 15] are used to examine potential cognitive.errors and NUREG/CR-1278 [Ref. 16] is used to evaluate errors in execution of the task.

JJFEf, = HFEr-..,L

+ AIEI 1,, - 1IFEko.,,

• JEP Thus, for any fire scenario the HFEs for the basic action can be examined and adjusted to account for the fire effects on local actions taken when the MCR environment is unaffected by the fire. The main effect is that some instruments are lost, some may indicate the wrong position, and some might change during the fire.' The basic local action must be feasible,'where the feasibility of the action can be demonstrated by having the time available, proper tools, interface capability, etc. A fire impact delta HEP was developed to account for the increase in failure potential caused by the fire by considering additional cognitive failures in dealing with unreliable instrumentation and controls and implementation (execution) errors in the manual actions due to local conditions. The AHEP is calculated from estimates of the change in the cognitive and execution failure probabilities as impacted by the fire conditions as shown below.

AHEP~f =PAP,

+ AP

-APC,, *.'P co t fi t

No effort has been made to adjust the.original TRC value for similar error modes considered in the initial assessment. Hence, the values generated may be considered to be conservative in that regard.

I The process used for generating a set of generic conditions for each HEP is discussed in Appendices A and B.

manage core cooling. They reached stablehot shutdown conditions assuming that the hot gas layer failed ail the other equipment if the fie zone.

44

/

- tt 11.2.3.3 HRA Quantification Elements The values for APcog and APexe that are impacted by the fire have been obtained by considering different combinations of actions in version 2 of the EPRI HRA calculator [Ref. 17]. The cases assessed are listed below and presented in Appendix A.l. The cases described bdow were selected to address changes in the HEP for fire conditions that are needed for risk comparison.

Primarily they address the use of the existing procedures and the revised procedure. Since detection, planning and execution of the actions could take place either in the control room or locally, a variety of cases are needed to address the specific conditions for the key actions identified in the base internal events study. Thus, cases I and 2 address the impact of a remote fire - when all acrons are carried out within the control room - for current and new procedures.

Case 3 addresses decisions in the control room that direct local actions. Case 4 addresses, immediate actions following a trip decision. Case 5 addresses cases where the evaluation and decision on how to proceed is primarily locally.

Cases 6 and 7 address those HFEs where the fire conditions would result in no change (e.g., a pre-initiator action for restoring a system alignment), or the action is not feasible (e.g., open or close a breaker in the affected fire zone as a recovery action).

Case I FIREOLDP -generic assessment for current EOPs with floating steps in MCR Case 2 FIRENEWP - generic assessment for new attachment with identification of specific equipment and protective actions in NICR Case 3 99-NIFIRECR - assessment for decisions in CR and actions local Case 4 99-MFIRECRE - assessment of CR actions early (e.g., immediate actions)

Case 5 99-NIFIRELOCAL - assessment of both decisions and actions made locally Case 6 Equipment not available - assign I to the HEP Case 7 No difference identified-Assignment of the same AHEP to both the Current and New procedure.

Data to support the assessment were obtained from plant walkdowns to the locations where the local manual actions can be performed, observation of two simulator runs for a fire growing in 99-M, and observation of simulated local actions during the simulator runs. The resulting changes in HEP due to the hypothetical fire in 99-M are shown in Table 4 for cases described above.

The existing HFEs in the CCDP model were then updated by assigning the values in the Table 4 as changes to the overall scenario description.

Table 4: Summary of potential HEP Increase cases due to Fire In zone 99-M

• --~q I 2 si a sea 1 Eent Ut)..

Daslc vent uescripuorr, s <,~~~4.F.U hi}*

i

-Jn as Gout Realistic fire in 99-M failures at 9.8e-03 7.50E-04 i.E1-02 l

FIREOLDP T0 T-2 T-5 T-9 and T-I 5 2

FIRENEWP Realistic fire in 99-M with new 2.6e-03 6.10E-04 3.2E-03 procedures all actions in CR 3

99-N3FIRECR Realistic fire in 99-M decisions 9.8e-03 2.OOE-02 3.OE-02 45

in CR with local manual actions 4

99-MFIRECRE Realistic fire in 99-M Early CR 4.7e.03 4.3e-04 5.1E-03 4 199-mnR~cRE I actions-47c3 1

-IE0 I

5 99-NIFIRELOCAL Local actions taken by field 1.5-02 2.6e-02 4.AE-02 operators 6

Not Feasible I

7 No Chanre 0

0 0

The detailed evaluations are provided in Appendix A.1 as output from the EPRI HRA calculator.

11.2.3.4 Newv anual Actions New manual actions, not in the original PRA, were'identified during both the observations of actions in the simulator and during the CCDP analysis.

Potentialmanualactions from simulatorobsenvations From the simulator observations three potential new manual actions were identified. These are:

(I) If the manual trip did not occur quickly, then the fire might removepower from the 7A and 7B pump train valves and there would be no automatic start alignment. This might lead to local manual actions for alignment of the steam admission valves to the turbine and train alignment for the water supply to the steam generators (SG's):

Response is - the CCDP model does not have to be changed because all valves in 7B are in correct alignment during standby and only a check valve opens when EFW starts. In the Case of 7A only the steam admission valves are closed and these are modeled as if they can be opened manually if spuriously shut. The new procedure also would reopen and isolate the power supply.

(2) If the operators fail to isolate letdown or another prnimary valve fails open and HP] pumps are unavailable then a loss of primary coolant could lead to core darnage. Thus, the small loss of coolant accident (SLOCA) scenarios might be included in the CCDP model to represent the spurious opening of a primary system valve' leading to the containment.

Response is - the CCDP model does not have to be changed because the letdown flow is small, and under these conditions including rapid cooldown and HPI pumps available (in the realistic fire) is not a core damage concern, but an operational one.

(3) Failure to address spurious closure of CV-2800 damages the 7B pump causing loss of one train of EFW.

Response is - the CCDP model does not have to be changed because this is accounted for within the random failure rate. Spurious closure of this valve requires a hot short and applies onb if the hot gas layer occurs which is shown to be not possible with the material loading in the fire zone. This was modeled in the simulator assuming the worst failure mode for an extended fire.

46

U H-Manual actions identified during analysis of CCDP (1) RECA3LOCAL Operator fails to locally close 4160 Volt power breaker as a result of loss of de control power due to open circuit caused by the fire. This manual action re-establishes the electrical power for all systems (except the 7B motor) drawing from the A3 bus including high-pressure injection pumps. The operators open the breaker door and use the manual push button to close the breaker.

The operators are highly trained on this action, which is proceduralized as part of the Alternate Shutdown action steps. The procedures require use of flash protection, which takes about five minutes to don. A base case assessment without fire was performed using the same model as the other recovery actions.

The resulting HFE for this action is 5.12E-2 with a hardware failure of.02 yielding a base case result of 7.12E-2 for manually closing a 4160-volt breaker.

(2) RECP7BLOCAL This action and context conditions are the same as above except it is for the breaker that supplies the 7B pump directly. The resulting HFE is calculated in the manner described above yielding a base case result of 7.12E-2 for manually closing a 4160-volt breaker.

11.2.3.5 CCDP Input Results The base PRA integrates recovery actions (restoring the function represented by a failed component) on a cutset by cut set basis. Only one recovery was in each cutset of the CCDP model. Each action in the initial model was evaluated to estimate the likely impact of the fire.

In cases where the component was clearly damaged by the fire the HEP was set to one. In other cases the elements from Table 4 were used to represent the HEP case. When there was no perceived difference between the current and new attachment the delta HEP increase was the same for both. The results shown in Table 5 are inputs to the CCDP model.

The values in Table 5 are the combination of the basic FIE and the A Pcog and A Pexe from Table 4 for a specific case assigned. The case identifies the values applied.. If two numbers appear in the case column, then the first is the A Pcog and the second is the A Pexe. This was applied when the relationship between the procedures and local action were different than the base cases. The events in italics were added as a result of the observations in the simulator and needs of the CCPD evaluation. The base modeling process was used to provide the initial cases for the n ew events.

47

/

/

Table 5: Summary of adjusted HRA values In the CCDP model for fire In zone 99-M

)PERATOR FAILSTOSTART DC AAC L)PERATOR FAILS tOCLOSECV-1275PPERREOPS -

)PERATOR FAILS TOALIGNSWING INVERTER(YI S FORRSI/3,Y25 FORR.S24) 1321E01 6 7

6 INVALTREC l.OOE+00 OPEPI3 JOPERStAILTORE-ENERGILEAI/A2FROMST2GIVENTRANSEVEN'I 4,88E4 I 1.10E 1 13.69E431 2 -

OPER13H.

IOPERSFAIL TO RE-ENERGIZE H1H/1i2FROM ST2 GIVEN TRANS EVEN 4.00E.OI 4.06E4; I

4.02E-01 OPELI S b

aorfailstoopen VI276n oallowforpi yback din0 itnecton 2.55E 143I-2 3

4.31 E02 5

32 OPFRF-15 nparvr-?

OPERA TORSFAIL TO IRPBEFORELOSSOFPOWER TOEPWF.

4LIGNMENTVALYFS7

& 7B nP RA fl PRS A.t4 TflfflP rrd I

1l,A T Or.nnin7JlM r v '

.OOE+

3500 1 3.06EW 1 (5 j tS0E-021 4-3 _.

fl & Wn

. MV I t4 M Mfl It q I,n qjp n, I I OPERF-1 7 OPERA TORS FAIL TO RECO VEER C2800 TORSORE 7B EFW A 0

.0OE+O 4.OE0 2'E-0 3

_ _LY__

_ _ _I__ I 6E -0

-96 0 OPERATOR FAILS TOTHRO'TTLE IUI TO PREVENT RCS PRESSURE.

X, QIHFIIEPITRI RELIEF I

.I 7.24E.M I 8.22E-O I

7.54E-02 2

OPERATOR FAILS TO THROMTLE PIl 70 PREVENT SRV LIQUID QIIFIITIRD RELEASE 1.00E+00 I100E+O I

I1.00E+0 2 -

QIIFIP7ATNL i

A A

-0)TCOiECTLYRE.STOEEQUIPN F-W TRAIN A 3.EW 7-OtIFIP7TBTNL IPERATORS FAILTOCORRECTLY RESTO REP7BAFTER kIAJNTENANCE 3.0043 l3.00E43 l 7 l 3.00E-3 1 7

QiiFIRCPRP PERATOR FAILSTOTRIPRCPSON30MINUTES 2

1i2 T

I 2E-03 2__i OPERATOR FAILS TOOPEN CV380, 3SSI TO TRANS'ER EFW QMANSWREC SUCTIONFROMCSTTOSW.

3.60E414 4.1 E-02 5

3.OOE-02 3

OPERA TOR FAILS TO AUNUALLY CL OSE 4160K VBREAIKER TO RESTORE RECAILOCAL POW'ER 7OA3 BUS 7.12E402 1.09E-01 5

9.J7E-02 3

REC114 OPS.FAILSTOCROSSTIEPOWERSUPPLY 4.OOE.41 4.21E-41 3_S 4.14E-01 2 3 RECIB56 PS.FAILSTOALIGNPOUWERlUSi56 4.00E-01 1.00E+O0 6

I.OOEtW 6 OPERA1OR FAILS 1OALIGN L'0 TOBACKUPCIHARGER (DU3A OR RECCHGRD0 03B) 2.09E41 1.00E+00 6

L.00E+00 6

RECCIRD0I oPtERAlORFAILSlOALIGNALERNAlED03CICARGERTODOI I.0Et-O I.O(+IOo 6

1 OOE+oo 6

OPERATOR FAILSTOOPEN CV1405/06ON FAILURETOREMOTELY RECDIIMAN OPEN 9.021E 02 I.27E-01 5

I.17E-01 3

RECEFWSRC oPERATOR FAILS105I 1CH EiW FROM T4 B1TOT41 9.16E2 I D03E-0I 4_

U102E-01 4.

OPERATOR FAILS TO OPEN CV 1407108 OR CLOSE CV1300/01 IF FAIL RECHPIN1AN2 TOOPREMOTELYNONT3 1.92E401 225E4-1 2.16E-01 3

OPERATORFAILSTOOPEN MU-2324 ON LOSSOF2I4 HPI LINES RECI IPMAN I NON-73 2.76E-41 3.05E401 5

2.97E401 3

RECINVALT OPERATOR FAILS TO ALIGN TIIE SWING INVERTER I I.OIOE+OD IIOE+00' 6

L.00E400 6

OPERATOR F'AILS T0 OPEN CV12760 7AFTER FAIL TO OPEN RECLPNIAN2 REMOTELYTBX 9.48E402 132E-01 5

122E-01 3

OPERATORFAILSTOOPEN DIl SUPPLY TOIIPI SUCTIONAFTER RECLPMAN3 REMOTEOPFAILURES I.06E-41 IA2E-01 5

I132E-01 3

OPERATOR FAILS TO OPEN B RKR LOCALLY AT AI FROM UAT AND RECMANDC CLOSEBKRFROMSUTI-R-S 1.17E041 1.53E-01 5

1.43E-01 3

OPERATORFAILSTOOPENBRKXRLOCALLYATAI FROMUATAND RECMANDCX CLOSE BKR FROM SUTI TBX 1.75E42 5.74E-2 5

4.66E-02 3

OPERATOR FAILS TORECOVER P7A MAN AYTEREARLY STM ADM RECP7AMAN OPENING(-T3) 1.17E41 1.3 IE-01 51 1.20E-01 2

OPERATOR FAILS TO RECOVER P7A MAN AFTER EARLY STM AD)M RECP7AMAN3 OPENNG (TBXRX) 2.1tE.02 2.71E-42 4 I 2.70E-42 4 2 OPERATOR FAILS TO MAN START/CONTROL P7A REC STM ADM RECP7ANIOV XFERCLOSEDORFTOT3 I.75E-41 I.88E-1 5_1 1.78E-01 2

RECP7AMO1V3 OPERATOR FAILS TO MAN START/CONTROL P7A RECSTM ADM.

XFER CLOSED OR FTO TBX RBX

.7.95E.2 9.40E-42 5_1 S.25E-02 2

OPERA TOR FA ILS TO MANUAL YALIGN 41 60 BREAKER TOSUPPLY 75 RECP78LOCA!

POR7'R 7.12E.02

).69E-0I 5

987E-02 3

i I 48

-M II U*AIUA FAIL aIUMAN UOLPN Uw 1 U V LWA1JUK V LLZIUN FAILUREIrO OPEN TBX OPERATO R FAILS TO OPEN CV3S23TO PROVIDE RECIRCTO ECP (CV3924 FAILS CLOSED)

SGOFREC OPERATOR FAILS To PREVENrISG OVERFILL Wil If I

`W 4.8E 02 3.79E-02 5 I 4.59E.-

2 SGOFREC2 OPERATORFAILSTOPREVENt5SGOVERAtLLWITH EFW 2Ei 3.SOE.02 Sl2 HI

-57E0 T

'OPERATOR FAILS TOSTART AND AUGN OPSW INCLUDING f SWSWINGREC AVAILABLE POWERSOURCE (NON-T3 1.63E02 2.67E-02..- I 1.95E-02 2

UiHFITHFUJD-OPERAIORFAILSTOATTEMPTIIUI COOLING MOM9 0ROO3 8-4 8.00o-M 4

XIIFIMED0XXX OPERATOR FAILSTOBEGINI1PRFOLLOWINGM-LCEA 2.1E-W 2.IOE-04 7

2.IOE-04 J IF I SMALLX OPERATOR FAILS TO BEGIN HPR FOLLOWING SLWCA

2.

F10f 4 2.I1OE04 7

2.10-4 7

11.24 General Observations 11.2.4.1 Key points Procedures Both the current and new EOPs adequately deal with a fire in 99-MI The current EOPs identify opportunistic actions for establishing key core cooling systems.

The new EOP attachment clearly identifies sets of components for tactically establishing and protecting the core-cooling pathways.

The new EOPs offer slight HEP improvement over current EOPs.

A comparison of key actions with the NRC inspection criteria indicates that they pass a qualitative feasibility test.

Simulations No core damage was detected during simulations.

Operators were able to maintain large margins on all safety parameters during the simulation.

Simulation of 99-M fire, walk down and observation of local actions called for in EOPs indicates that they are feasible.

A general control room operator comment was demonstrated and repeated during interviews on this process - "Because practice in simulators, very complex accident events seem to be routine and cause no significant additional stress."

49

/

/

Human reliability analysis The CCDP evaluations indicate that impact of AHEP is measurable but small between the two procedures.

A fire in 99-M is expected to increase the AHEP for feasible actions over the initial internal events PRA results.

The EPRI HRA calculator facilitates quantification and documentation.

Change in the HFEs ranges from zero to one depending on the fire scenario context. In most cases the change is less than 0.05.;

J;-

11.2.4.2 Qualitative Evaluation of Feasibility for Manual Actions Screening for HRA Both the control room actions and local manual actions have reasonable likelihood's of success in preventing core damage for the realistic fire and the complete room affected fire when failures occur over a time period using the existing procedures. This was demonstrated in the si muation-when the control room operators wvere exp osed to the type of alarms and control malfunctions expected from a fire in the 99-M zone. The operators also contacted local operators interacting at the local plant sites as they would under fire conditions.

The strategy for using symptom based - emergency procedures requires operators to think beyond the opportunistic approach of responding to the situation to protect against hot shorts and erroneous signals.

The currentfire emergencyprocedures include warnings about possible hot shorts and unreliable indications, but it is up to the operators to select cooling equipment and identify protective actions. During simulation of the zone 99-M fire using current procedures,' the process revealed that the operators are able to "think" how to adapt to dev elop a conceptual approach for dealing with a wide spectrum of fires, especially since there is time to do so when the fire damage is simulated to occur progressively rather than unrealistically assuming all fire damage occurs instantaneously.

The revisedfire EOP attachment includes explicitly identified cooling systems to line up for operation and protective actions such as opening specific breakers to remove power from valves that might spuriously close and inhibit operation of the EFW system. The simulation revealed that the crew needs additional training on the new attachment, and a used it was ijaed aboutnd5 minutes after the trip and by this time the fire damage is expected & ha.eially caused spunous events. T he procedure supports systematjcelgnment-e Rpu. icy Jlusures.

Application of inspection criteria The NRC inspection criteria for fire protection manual actions [Ref. 13] were also used as a measure of the qualitative identification of feasibility for performing operator actions. Table 6 50

I provides both a listing of key actions from the simulation (14) and through iteration with the PRA model (5-6). These actions were evaluated via walkdown, simulation and observation to support the feasibility evaluation.

Table 6: Summary of key local actions ii W10WA600 "WEMtW-li RE Dtoi 1 Starting P17A Both current and new EOPs Feasible under both procedures.

manually and discuss this local action In Corrections for spurious actuations are NOT positioning great detail (also in local mentioned in current procedure which may associated valves procedure delay full manual control of P-7A 2 Controlling EFW: Both current and new EOPs Feasible under both procedures. Specific (A or B) to prevent discuss this local or control corrective actions to counteract spurious overfill room action operations of the EFW are provided explicitly in the new pirocedure 3 Local Closing A3 This action is NOT explicitly Feasible in both current and, new EOPs. The switchgear for P. discussed in the current new EOP attachment explicitly calls for local 7B and HPI A EOPs but Is In the Altemate actions to manually close breakers for this (e.g.. Inverter fires Shutdown procedure equipment 4 Isolation of In both current and new Feasible CR action that is highly letdown to avoid EOPs proceduralized step and can be performed needing HPI localy (Makeup) sooner 5 Starting HPI In both current and new Feasible CR action. New procedure adds cooling long term EOPs direct discussion of possibility of locally starting the HPI pump due to aux lube oil pump R64 problems 6 Switch to.

In both current and new Feasible CR action that is performed only recirculation long EOPs after all the equipment needed is verified to t erm cooling

_be operational I

As su mmarized in Table 7, application of criteria in column I to onsite actions listed above was used to evaluate the feasibility of key local actions using methods in columns 2 to 6. The actions called for during the simulation and anticipated as possible requests were feasible according to the criteria. The key test becomes how reliable are they and what is their impact on the CCDP.

I 51

/

Table 7: BasIs for feasibility of local action used to protect the core duringa 99-M fire Staffing Yes X

X rommunications.

Yes I __

X X

X Special tools

.1 Yes X

_X raining s

X X

X Accessibility Yes X

x

'rocedures Yes

. X X *

• Verihcation and validation Yes X

- X Xx 11.2.4.3 Quantitative HRA In developing the CCDP there is a need to address special fire specific manual actions that are identified in the fire procedures and to recover key components needed to ensure safe shutdown of the reactor core under the fire scenario conditions. The manual action for closing a 4160-volt breaker to start 7B is parallel to the actions for 7A for opening the steam admission valves to supply power to the turbine.

The fire in 99-M is expected to increase the AHEP for typical feasible actions over the initial internal events PRA results'from zero to a value in the range of 3E-3 to 4E-2 for various scenarios and conditions. If the action is not feasible, then the HEP assessment is set at 1.0.

There is actually a very small difference in the impact of the current procedures versus the new attachment on the likelihood of core damage, however, the EOP new attachment helps the crew move from an opportunistic approach to control (where the probability of action failure is in the range of.5 to IE-2) to a more tactical control process (where the probability of action failure is in the range of 0.1 to I E-3) [Ref. 18]. Figure 23 illustrates the impact of the fire on the estimate of the AHEPs for the current EOPs and the new EOP attachment for a fire in zone 99-M. It shows a slight decrease for some of the HEPs. The basic inputs to this figure are derived from the inputs to Table 4. When the AHEPs are combined with the current HFE assessments as provided in Table 4 it is interesting to compare the impact of the fire on the HFEs ordered from smallest to largest in Figure 24. Theimpact for most of the actions considered is very small in terms of change in overall frequency.

'52

if I

Co"vadsono A HEPS kr cuMft wW nd E

m hG In h.99 I

SI I

ii owl I-0DO1 D 01 O.,

Figure 24: Change In HEP for new Attachment compared with Current EOPs coczwiso dafcw xiedonxEOPs mei.Es resfri ii" PA A.

M A-04

~e 001 SI Tow It-a

.X

-o E2 0OOOD 0 ODI 001 VA* ofajoti HFfs bint Bwe PRA.

o l

Figure 25: HFE values for current and attachment to EOPs for fire In 99-M 53

/

/

11.3 Quantification of the Conditional Core Damage Probabilities (CCDP)

The conditional core d amage probability (CCDP) is a key element in the evaluation fire risk.

The CCDP represents the likelihood that for a giveii hypothetical fire scenario, the core would be damaged. It uses fire frequency and additional fire modeling evaluations to establish the overall core damage frequency.

The CCDP calculation begins with the creation of an updated base model for the fire analysis.

Starting with the current PSA internal events model the following modifications and assumptions were used to creixte the base CCDP model. All non-transient sequences were deleted from the fault tree using the "Delete Subtree', option in CAFTA, since the primary impact of the fire is expected to damage electrical cables leading to a loss of buses, electrical control points anda plant trip. Next, all non-trip initiators were set to False and ihe trip initiator was set to True, this accounts for those fires large enough for the operators to manually trip the planitif not already tripped automatically. The compress true/false option in CAFTA was used to simplify the CCDP model by removing these fire independent initiators from the tree. The tree was compressed and saved as firestart.caf. This fault tree now represents the basic CCDP model for a manual trip. It contains'the'key systems'and components needed for managing core cooling in parallel with fighting the fire. The base CCDP model result includes the reliability evaluation of those components and operator actions contributing to the success of hot and cold shutdown cooling. Thus, quantitative evaluation ofthe base CCDP model assumes that the fire has no impact on the systems, structures, components and operator actions used to reach hot and cold shutdown. For any specific fire zone the basic events can be set to fail ifthe components are affected by the fire. The files for each fire scenario are stored in a PRAQuant file.

The next step is creation of a component failure list for each of the fire scenarios described previously.

A Microsofl Access database was created to expedite the'creation-of the failure lists for each zone. The access file takes the scenario table and the conduit/raceway table and provides a list of affected components represented as basic events in the CAFTA model for each scenario.

Each individual scenario list was reviewed for logical inconsistencies, which would then be removed from the event listing or adjusted by adding special fire'related actions or impacts. The following rules were applied to the scenarios. '

Power failures that occur before or at the same time as the control circuitry will prevent spurious operations of components. These components will fail as is or in their normal loss of power condition.

Components were included in the basic event failures list that were not included in the cable lists. These were components that were directly impacted by the fire either as the fire initiating source or as a component impacted by failure of cables for electric power supply or control circuits which was included in the list of conduits or cable trays.

D-104 removes control power from the A3 bus. This will not allow any of the breakers to change position without local action. Instead of setting these events to'TRUE in the tree, 54

M-they are set as equivalent to a new HRA action to locally close the associated A3 breaker to start the component of interest. 2 HRAs were created RECP7BLOCAL and RECA3LOCAL.

CV-2663 will not open due to loss of power; however an HRA already existed in the QRecover file to manually open this.valve. The failure of this event was set to RECP7AMOV instead of to True.

Using Table 7-2 of EPRI TR 1006961 "Spurious Actuation of Electrical Circuits due to Cable Fires", a probability of spurious operation was included in scenario 2 in the case of cables near th e fire source but outside the impact of the direct explosion. These hot short probabilities differed depending on the presence of a control power transformer (CPT) in the circuit. Analysis of each key zone by fire protection engineers provided a list ofthe cables of interest and whether or not they contained a CPT. These events were named HSWCPT and HSNOCPT and were added to the basic event listing. HSWCPT was given a value of 0.3 originally to judge its importance in the cutsets. The value will be changed.to match the case BI I value of 0.075 during the recovery process. HSNOCPT was given its correct value of 0.6 based on the no CPT case from Reference 3. See Attachment C.

Using the above rules, an excel spreadsheet was created for each of the scenarios. This spreadsheet contained the unique set of events and how they would be set during the scenario quantification. In order to expedite the quantification process, these events were then added to the existing flag file for the current model. Each scenario now had a unique flag file that contained all of the flag settings and the new basic event settings to implement the effects of a fire scenario on the evaluation of the CCDP for that fire scenario.

PRAQuant was then used to quantify each scenario by reevaluation of modified CCDP logic tree.

The quantification then provided 7 starting cutset files, one for each fire scenario in Zone 99M.

The following adjustments were done to each of the cutsets before any recoveries were added.

To eliminate unrealistic plant states ETM I A I XXX and ETM I A3XXX were set to false.

ANO-I would not continue to run with either of the main switchgears out of service, so this conservatism is removed.

To eliminate unallowed actions in the fire zone RECB56 and RECB5OR6 are set to TRUE. These events although valid in the normal model could not be performed in the zone 99-NI fire because B55/56 and B6 are located in the room. Even if the components were not damaged by the fire, operations would not crosstie equipment in a room with possible fire and water damage. The possibility of shorting out the good power side would be too much of a risk, and special heroic actions are not modeled in the CCDP evaluation.

The cutsets were then subsumed and sorted by probability for each fire scenario Specific human actions were introduced into the model by running QRecover on the base recovery file for each scenario. This step places baso-case recoveries in the cutsets. 2 copies of the newly created cutset files were then created.

55

/

Finally the HRA QRecover files with the HRA values previously discussed were used to update the scenario cutset files for each of the scenarios with the previous symptom based procedure method and the new fire zone specific procedures.

The following table provides the Scenarios and their results for each of the 4 stages of the calculation process. PRAQuantpost true/false subsume, Base QRecover, Old QRecover and New QRecover.

Table 8: Summary of Calculated Conditional Core Damage Probabilities

~ifiric

~

CDPOIoCC V Pelt VU~

la 1.5E-04

--3.E-04 2.1E-04 1.01-04 lb 4.9E 13E-03 9.0E-04 3.8E-04 2

8.6E-05

-2.8E-04 1.8E 9.9E-05 3

8.6E-05 2.8E-04 l-1.8E-04 9.9E-05 4

'3.4E-05 4.0E-05 3.8E-05 1.2E-06 5

-33E-02 3.0E-02 1.9E-02

-1.IE-02 6

1.OE-02 3.2E-03 2.1 E-03 ' I.IE-03 Note that scenario no. 5 currently has the largest CCDP; however many of component failures resulting from this scenario occur at a time > 20 minutes. This time would allow the fire brigade to mitigate the fire and would prevent many of the B-RA necessities existing in this fire.

However, the current projected fire frequency for this fire is also very low (-1-6) so no further work will be done-on this fire scenaio to remove these known conservatisms, because this conservatively calculated scenario frequency is within an acceptable risk value.

11.4 Assessment Fire Risk in 99-M Core damage frequency (CDF) is selected as the figure of merit representing risk in our assessment.

11.4.1 Calculation Fire-Induced Core Damage Frequency The fire-induced core damage frequency for the fire zone 99-M is calculated as the sum of the risk associated with each fire scenario using the following equation:

CDF= 7Q.5

, x IV, x, M xSFxEFxP. xCCDP)scenario where As is the generic fire ignition frequency for electrical cabinets in the switchgear room reported in EPRI's Fire PRA implementation guide [Ref. I], WI and W. are the location and ignition source weighting factors respectively, SF is the severity factor, EF is an explosion factor (applied only to a high-energy fire in the 4KV switchgear), P. is the probability of the failure to manually suppress the fire prior to damage to the first target and CCDP is the conditional core damage probability given the damagecaused by the fire scenario. This switchgear room (fire zone 99-M) does not have an automatic suppression system. *.

56

A' -

The fire ignition frequencies for the switchgear room and individual fire scenarios are calculated using the EPRI FIVE and Fire PRA Guide methodology [Ref. 1]. Although ANO has only 6 distinct switchgear areas, the EPRI guidelines indicates that "weight" of a switchgear room should be assigned according to the amount of electrical equipment located in the location. Each of the two switchgear areas located in the turbine building has approximately twice the electrical equipment located in the individual auxiliary building switchgear rooms. Consequently, the number of switchgear rooms was increased from six (i.e. based on physical areas) to eight (i.e.

based on amount of electrical equipment). The location weighting factor, W i's for electrical cabinets are assigned a value according to the room location. For 9AM (i.e. switchgear room)

WFL = 0.25 (number of units per site divided by the number of switchgear rooms or 2/8). In this study, 7 of the 8 fire scenarios include cabinets as the ignition source of the fire. There are 17 cabinets in 99M, including the 10 cubicles in A4 switchgear. Therefore, WRl is calculated by dividing one over thenumber of cabinets in the room (1/17= 0.06) or fires in individual cabinets, and (10/17=0.59) fora fire in theswitchgearcabinet. This value apportions the generic frequency to each cabinet in the room. The location weighting factor (Wfi) for the p lant wide components-transformers was obtained by dividing the number of components in the specified room by the total number of components in the plant. There are two transformers in 99-M. The total number of transformers is 98. Therefore, WF, is estimated as 0.02. One of the transformers in 99-M is an instrument transformer, while the other is totally enclosed gas-cooled unit using non-combustible gas. Neither is deemed to be a credible ignition source, but both were conservatively included in the ignition source frequency calculation.

The severity factor, SF, adjusts the value of the generic fire frequency, which includes fires that pose no challenge to plant safety, to reflect the number of fires that arc of sufficient magnitude to potentially cause damage to componcnts/cabics other than the ignition source. EPRI's Fire PRA Implementation Guide [Ref. I] Appendix D provides severity factors (SF) for various ignition sources. For switchgear room electrical cabinet fires, the suggested severity factor is 0.12. For indoor transformer fires, the suggested severity factor is 0.10. No severity factor however is provided for transient fires.

An explosion factor, EF, has been also included in the equation to reflect the potential for a high -

energy fire in the 4KV switchgear. The operating experience indicates that high-energy arcing fault is a credible mode for high-energy electrical cabinets. This conditional probability, which only applies in scenario l b, is calculated to reflect the percent of the fires in a switchgear that will likely lead to a high-energy arcing event followed by a fire in combination with the potentially ignited intervening combustibles. The conditional probability is derived by dividing the number of energetic events in EPRli's FEDB [Ref. 12] by the total number of fires in similar ignition sources. The derived conditional probability shows that severe (potentially damaging) fires in switchgears are more likely to begin with high-energy arcing. This is supported by the operatin g experience where more significant switchgear fires tend to be of arcing nature (Waterford 1985, Oconee 1995, and San Onofre 2001).

Additional factors are used for the case of transient fires. The floor area factor is the percentage of the floor area wh ere the postulated transient fire has to occur to ignite the three-tray stack.

This area constitutes 10% of the open space in the room. A transient fire in any other locations in the room either has no raceways in the plume (therefore requiring larger fires to be threatening 57

through formation of high temperature ceiling jet or HGL) or affects a single raceway threatening significantly less circuits/components.

Two types of suppression are credited in our assessment. One is prompt suppression by plant personnel or fire watch in case of a transient fire or a fire during welding & cutting (hot work).

Operating experience supports the assertion that work activity (hot work or not) is the cause of many transient fires. And the presence of the plant personn el (in many cases the same that initiated the fire) is the most effective means of suppression for a transient fire in its incipient stage. In case of a fire initiated during welding & cutting (hot work), nearly all US commercial nuclear facilities jTequire a fire watch present at the time of the activity. The operating experience clearly reflects the effectiveness of these trained individuals as the first line of defense in the suppression. The probability of suppression by the plant personnel and fire watch for transient and welding & cutting fires was calculated from the operating experience and documented in the EPRI Fire PRA Guide [Ref. 1, page K-3]1;These values are used in this assessment.

The other form of suppression credited in thisas-sessmeni is suppression of an electrical cabinet fire by the plant fire brigade prior to damage to the target set. The probability ofnon -suppression was obtained from Figure K-1 of EPRI's Fire PRA Guide [Ref. 1]. The calculation of the time-to-damage (time available for suppression) is described in section 11.2.

The non-suppression No suppression was credited to prevent damage from the initial high-energy phase of the 4KV switchgear fire.

The conditional core damage probabilities including detailed analysisof the manual actions needed to achieve safe shutdown was calculated for each scenario: The details of this evaluation are documented in section 11.3 of this report.

Table 9 lists the calculated fire-induced CDF's for the fire scenarios in fire zone 99-M.

58

Table 9: Generic Ignition frequencies and calculated CCDP's.

9,.

59 a

I Notes:

1. Generic frequency from EPRI TR 105928 page 47.

2.

Severity factors from EPRI TR 105928, page D47.

3.

This ratio is derived from the records of the switchgear fires in table D.3-2 of the EPRI TR 105928. This shows that of those switchgear events t hat are severe,

4.

i.e., likely of external damage, more are the result of high-energy events rather than low energy thermal fire. These are more likely outcome if Most scenarios involving target damage to the first and second target set involve short time between detection and damage and therefore no credit for fire brigade response.

S.

A fire in the switchgear affects the power supply to the fire protection panel in the control room making early detection of the fire doubtful.

In the simulator exercise fie fire was not detected until 10 minutes into the first effect (damage) of the fire was observed. The CCDPs are based on damage to all the primary and secondary target sets. No damaging (700( F) hot gas layer could be evaluated that cause loss of all cicuits in the room. A 700OF HGL can only be generated in this room as the result of a large cable fire that involves burning of 12-15m of 24-inch wide cable tray (based on cable tray HRR of 41.85 Btu/fV2se from EPRI TR 105928, page 1-1). Such a cable fre requires I to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to develop in 2 and 3 cable tray stack respectively (based on cable fire spread rate of 10 ft'hr).

L_

11.4.2 Examination of Defense -in-Depth and Safety Margin 11.4.2.1 Fire Protection Defense-in-Depth In commercial nuclear industry, fire safety objectives, i.e., minimize probability of occurrence and the consequences of fire, are achieved through a defense-in-depth philosophy where defensive measures are put in place at different level of fire initiation, progression and damage to ensure that a fire wiltnot prevent the performance of necessary safe shutdown function and the and radioactive releases to the environment in the event of a fire. The principals of fire protection defense-in-depth are aimed to:

Prevent fires from occurring Detect, control and extinguish promptly those fires that do occur, and Provide protection for structures, systems and components needed for safe shutdown so that a fire that is not promptly extinguished will not prevent safe shutdown Prevention is achieved through preventive maintenance program aimed, in part, at prevention of fixed fires (through repair of faulty electrical equipment or leaking oil on a pump) and transient combustible control program aimed at prevention of transient fires by controlling the amount of th e transient combustibles introduced in the area and the activities that can cause their ignition. Quantitatively, the fire scenarios in this room show at least 3 orders of magnitude (I E-3) for frequency of damaging fires. Even though these frequencies am, for the most part, indicative of generic industry experience, nevertheless they are consistent with the occurrence (or non-occurrence) of severe fires at ANO over the past -50 reactor-years.

Detection and control/extinguishment of fires in the area is achieved through a smoke detection alarm system. With the exception of a fire in the switchgear cabinet A4, the alarm system will indicate the main control room of any fire detected in the room. A fire in the switchgear cabinet A4 will disable power to the fire panels, limiting the information provided to the control room. Early detection for fires resulting from welding & cutting is achieved through use of fire watch. In addition ANO has a dedicated full-time fire brigade trained to respond to fires in the 99-M switchgear room as well as elsewhere in the plant.

Quantitatively, the fire scenarios in this room all have fire detection/control/extinguishment capability in the range of I E-01 for prompt suppression of transient fires by pant personnel or fire watch and suppression, by fire brigade, of fires before they spread to the entire room. Refer to section 11.1 for the description of fire scenarios and their timing.

Protection for SSD systems/components in this fire zone is achieved through a combination of the following:

61

/

Enough of physical separation of critical cables and circuits.to limit fire progression in some cases and provide the needed time for the fire brigade to control and extinguish the fire, Feasible and reliable means of safe shutdown (including manual actions) to safely shutdown the plant after the postulated fire scenarios.

Quantitatively, this element was estimated to provide at least 1.5 orders of magnitude (fire scenario CCDPs range from 4E-5 to 3E-02) for most fire scenarios in this area.

11.4.2.2 Safety Margin A critical aspect of risk-informed decision -making is recognition of inherent uncertainties in the estimates and consideration of these uncertainties in the decision-making.

Determination and use of margin is one way to ensure appropriateness of the decision in the face of these uncertainties. The following discussion is a qualitative assessment of the safety margin.

We used the concept of limiting fire scenario described in the NFPA 805 (sections 1.6.36 and C.3.3) to ensure confidence in our estimate of fire consequences. The NFPA 805 define a limiting fire scenario as," "Fire scenario(s) in which one or more of the inputs to the fire modeling calculation (e.g., heat release rate, initiation location or ventilation rate) are varied to the point that the performance criterion is not met. The intent of this scenario(s) is to determine that there is a resale margin between the expected fire scenario conditions and the point of failure."

Having already included a high-energy fire in the 4KV switchgear where considerable failures occur in virtually no time followed by additional time-phased failures (if suppression is failed), we defined the creation of a hot gas layer (leading to failure of all circuits in the room) as the "point of failure." We determined the following conditions required to reach this hypothetic "point of failure."

Cable damage temperatures of 400-5000F and a 500KW fire that ramps in 12 minutes can reach the "point of failure". The cables at ANO were investigated and confirmed to be thermoset with 70d'F damage/ignition temperature The only credible means of generating a 700°F HGL is through a large cable fire (over 24 linear ft of 24" cable trays). -Even though such a cable fire can theoretically be developed if the cable fire continues for nearly 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> unchecked, there are realistic considerations that make such occurrence non -credible. Foremost, a cable fire of such magnitude requires considerable volume of oxygen to sustain. These cable fires are expected to be in the smoke layer once the smoke layer reaches the top of the door. Once in the smoke layer, intensity of the cable fire will be controlled by the oxygen availability. With an elevated cable fire that grows at a rate of 10 linear ft/hr as input; The oxygen depletion occurs very quickly, regardless ofopen or closed door The cable fire does not grow beyond the initial 12 ft and 62

It-The temperature peaks at 500-535TF The cable fire has to be below the settled smoke layer, 4-5 fl below the door opening, for the cable fire to continue to grow.

Therefore, the scenarios analyzed in our analysis particularly the high-energy arcing fault in the 4KV switchgear and the ensuing cable fires is bounding with sufficient margin.

63

III DETERMINATION OF THE RISK-SIGNIFICANCE OF THE ISSUE To determine the risk-significance of the manual actions at ANO the estimates for other fire zones need to be generated. The NRC SDP provided 2 other ANO-I zones to evaluate. The estimates of fire risk for other areas of the plant were generat ed using walkdown and approximation.

The fire risk estiroates for these fire zones is summarized in table 10.

64

Table 10: Summary of the Risk-Significance of the Safe Shutdown Manual Actions Issue at ANO Unit 1 Assumed similar risk profile as the Unit 1 4KV Switchgear room 104S Equipment Roomr 1.3E-07 08 The hazard profile in the room similar to 99M, i.e., MCCs and inverters (no control panel was observed in the room). The primary source of fire is the MCCs 21 (Black or non-safety) and 51 (Red division) w ith Red division 3-stack cable tray above.

Fire zone 104S is a compartment in the auxiliary building. Therefore the electrical cabinet ignition frequency will be a fraction of the total AB electrical cabinet ignition frequency, i. e.,

1.9E-02 and therefore lower than the 99M switchgear room electrical cabinet fire frequency, by an order of magnitude assuming 20% of the electrical cabinets in the AB are in this room. There are some 41 60V circuits in the room. The circuits are related to the swing makeup pump (P36B) and arc routed to the Motor Operated Disconnect (MOD) switch. Essentially, it's a switch that connects to either a red division breaker or a green division breaker. This switch is treated as switchgear with potential for a high-energy arcing fault. The consequence of an MCC fire in this room or an energetic fault in the Motor Operated Disconnect (MOD) switch does not appear to be worse than the fire zone 99-M.

Therefore the risk in this room is estimated at half an order of magnitude lower than 99-M for the following reason: I) frequency of a fire is 5 times lower, b) consequences of loss of circuits to a fire are no worse than 99M based on the known Appendix R componcnts/circuits in the room (assumption), and c) a damaging 7007F hot gas layer is non-crediblc without a large cable fire (see discussion under 99M) based on the type of the ignition sources (MCCs and inverters), room size and configuration of the cable trays.

TOTAL l 1.5S06 l 9.7E&07 4.9E07 65

.P IV CONCLUSIONS In response to the issu e of adequacy of the manual actions at the ANO power station, a fire significance determination process (SDP) examination was performed. Following are the conclusions of this examination..

Reliability of the Manual Actions1-The manual actions identified during the simulation and from the ANO unit I PRA were evaluated. The plant walk down and simulator exercise showed the equipment was accessible and the operators had enough knowledge to use their procedures to perform each of ihe actions necessary.Our assessment of the manual action using generally accepted human reliabilityrnethods show that the manual actions, using both the old and the new procedures are reasonable and reliable. Detailed simulation of the maximum expected fire scenarios were done with two independent crews to obtain data for th& development of the human reliability estimates. Following are a few insights:

ee Previous procedures use an opportunistic approach'to cbntrol where crews resp6od to cues and symptoms by selecting the appropriateprocedure for that condition New AOP attachment assists crew to respond using a more tactical control process Identifying symptom or cue will generate appropriate response for either procedure Ability to recover from spurious actuations is enhanced in new AOP's Risk -Significance of the Current Symptomatic Procedures - Our assessment of the risk-significance of the current procedures used to reach safe shutdown for a fire in fire zone 99-M shows that the ? CDF to zone specific procedures is less than I E -06/yr, i.e.; a Green finding. An examination of elements of defense-in-depth (DiD) and safety margin shows that an adequate balance in the DiD elements is maintained with adequate margin in the determination of the consequences of the fire.

The following are some of the key observations and important factors in our examination of the issue, particularly as it relates to the fire zone 99-M; The bounding fire results from a high-energy arcing fault in the 4KV. switchgear and the ensuing fire. This fire starts with and immediate set of failures followed by time-phased secondary failures caused by the ignition of the intervening combustibles. Time-phased failures are critical in the effectiveness of the operators. - '

A 700TF damaging hot gas layer in the fire zone 99-M is not credible due to the configuration of the combustibles in the room. A zone-wide damage scenario through a large cable fire is not possible due to the location of the cable tray, i.e., in the smoke layer above the door 6pening.

Even if such scenario was assumed its timing to reach damaging hot gas layer will reach 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> due to slow growth (10 fl/hr) cable fire.

-f..

'I 8:

66

-ii-V REFERENCES

1.

EPRI TR-105928, "Fire PRA Implementation Guide," Parkinson, W.J. et al, December 1995.

2.

J. M. Chavez. An Experimental In vestigation of Internally Ignited Fires in Nuclear Power Plant Control Cabinets -Parts I & 2. Albuquerque, NM: Sandia National Laboratories. SAND86-0336. Washington, D.C.: Government Printing Office, April 1987. NUREG/CR-4527

3.

Babrauskak V. "Heat Release Rates," SFPE Handbook of Fire Protection Engineering, 3"d Edition, 2002.

4.

EPRI TR-1002981, "Fire Modeling Guide for Nuclear Power Plant Applications," Najafi, B. & F. Joglar, August 2001.

5.

Alpert, R., Ward, E., "Evaluation of Unsprinklered Fire Hazards". Fire Safety Journal. 7, 1984. pp. 127-143.

6 Quintiere, J. "Growth of Fire in Building Compartments". Fire Standards andSafety, ASTMf STP 614. A. F. Robertson Ed., American Society for Testing and Materials, 1977, pp. 131-167.

7.

Carslaw & Jaeger. Conduction Heat in Solids. 2nd Edition. Oxford University Press, London, 1959. pp 76.

lo, Siu & Apostolakis, "COMPBRN Ill-A Fire Hazard Model for Risk Analysis," Fire Safety Journal, 13, 1988, pp 137-158. Values obtained from database available in the sofivare.

9.

lleskestad, G. and R. Bill, Jr. "Modeling of Thermal Responsiveness of Automatic Sprinklers," Fire Safety Science - Proceedings of the Second International Symposium pp. 603-612.

10.

Bukowski, R., Averill, J., "Methods for Predicting Smoke Detector Activation". Fire Suppression and Detection Research Application Symposium. February 25-27, 1998.

Orlando Fl. (available at the NIST library).

11.

Peacock, R., Jones, W., Reneke, P., Forney, G. "Technical Reference for CFAST: An Engineering Tool for Estimating Fire and Smoke Transport" NIST Technical Note 1431, January, 2000.

12.

EPRI-10031 11, "Fire Events Database and Generic Ignition Frequency Model for U.S.

Nuclear Power Plants," Najafi, B. & F. Joglar, November 2001.

13. 1 111.5, Inspection Manual for Fire Protection, Enclosure 2, "Inspection Criteria for Fire Protection Manual Actions," March 06, 2003.

14.

Dougherty, E.M. & J.R. Fragola, "Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications," John Wiley, 1988.

15.

EPRI TR-000259, "An Approach to the Analysis of Operator Actions, in Probabilistic Risk Assessment," Parry, G.W., 1992.

67

/

16.

NUREG/CR-1278, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application, Swain, A.D., & H.E. Guttman, 1983.

17.

"EPRI HRA Calculator,-Version 2" ID # 1006461 Electric Power Research Institute, Julius, J., 2002.

18.

Hlollnagel, E, "Cognitive Reliability'and Error Analysis Method, CREAM," pp 240, Elsevier, Oxford, UK.;

.1 i

.

j, I,

i 68

II-

/

APPENDIX A.1: BASIS FOR INCREASE IN HFES DUE TO FIRE This Appendix provides a summary of various cases for evaluating the effects of the fire on the ability to carry out various actions needed to cool the core and maintain primary integrity as a result of a fire in zone 99-m where the A4 bus breaker control cabinils are located. Table 11 shows the results in terms of the change in cognitive and execution errors due to the context of the fire for specific tasks. The calculated HEPs are combined with the existing HFEs and then mapped to the CCDP model.

The values were based on the use of the logic trees described in Appendix A.2.

Table 11: Summary of HFE Increases due to Fire in zone 99-M.

ffigBeepelo

'I

'aEe0 FIREOLDP Realistic hI n 99-M ames at TO T2 T5 T9 9.8e-03 7.5e-04 1.1 E02 5

FIRENEWP Realstic ire in 99-M wth new pIcedures a 2.6e-03 6.1e-04 3.2E-03 5

adctl" in CR__

99-MFIRECR Realistc fire i 99-M decxisiors n CR adis 9.8e-03 2.0e-02 3.002 5

local 99-MFIRECRE Reaistictfre i 99-M Early CR ats 4.7e-03 4.3e-04 5.1603 5 -

99.

Local actionstakenbyleld operators 1.5e-02 2.6e-02 4.1E-02 5

MFIRELOCAL I

A.1.1 FIREOLDP, Realistic fire in 99-M failures at T-0 T-2 T-5 T-9 Basic Event Summary JAayt-<S^-.j GWH tReZ Diiio X

• 04123103

_ gnie CDBTMrrHERP I

FIREOLDP

SUMMARY

HFE Scenario

Description:

The operators are required to establish cooling to the SGs-the MFW and EFW 7A and 7B are all available if the trip is early (as simulated for a fire even with a hot gas layer).

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. The old symptom based procedures provide details and warnings related to fires. The o perator should manually trip the reactor 69

/

because of excessive alarms. In fact the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms.

Even with no fire alarm, loss of instrumentation, loss of power to valves and spurious closures the core was-clearly protected throughout the fire evolution of a simulated growing fire in 99-m that eventually took out all equipment in the room. The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. Manual local actions were required and were initiated by verbal communication over phone.

All local actibns requested were feasibe.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable io the internal events assessment. Uses floating steps derived from symptom based procedures Performance Shaping Factors:

Heavy communication is required between two field operators, the fire brigade, offsite, and in the control room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and the shift technical advisor (STA).

Operators stated that they focused on alarms on running equipment and those used in the selected cooling strategy.

Manual reactor trip is applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

Restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

70

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing Hi:

Floating steps in EOPs as selected by the control room crew Cognitive Unrecovered FIREOLDP Cue:

Feedback from local report because failure of alarm when A4 bus is lost Multiple alarms Duration of time window available for action (TNV): 1950 Seconds. The base case models used 40min or 2400 seconds of which about 450 seconds are estimated for hearing a report back on the fire and location.

Table 12: FIREOLDP cognitive unrecovered Pc Failure Mcchantsm,'b!*

.z a

Branch r.Zx HEP. xM4rU ReduceJWjby, Pc.: Availability of Information e

5.0e-02 PCb: Failure of Attention I

7.5e-04 Pc: Misread/miscommunicate data.

9 4.0e-03 Pcd: Information misleading b

3.0e-03 Pc: Skip a step in procedure 9

6.0e-03 Pc; Misinterpret instruction f

6.0e-03 Peg: Misinterpret decision logic i

3.0e-04 PCh: Deliberate violation Sum of Pca through Pch = Initial Pc =

7.0e-02 Total Reduction in TW =

450.0 Seconds 71

Cognitive Recovery FIREOLDP Table 13: FIREOLDP cognitive recovery i

-T lFina l

Initial HEP l

>l

>l n

• 5 8 M 5

e

'E l2

4) ui (00 UO)

Value itm0 W

'Pc 5.0e-02 X

5.0e-01 5.0e-01

.107 5.4e-03 e.Pc 1h 7.5e-04 X

1.0e-01 CD 1.0 7.5e-04 15

!:Pcl'f 4.0e-03 X

1.0e-01 MD 1.5e-01 6.0e-04 15 y.Ped, 3.0e-03 X

5.0e-01 5.0e-01 1.5e-03 15 12iP 6.0e-03 X

1.0e.01 MD 1.5e-01 9.0e-04

.Pco" 6.0e.03 X

1.0e-01 LD 5.6e-02 3.4e-04 15 3.0e-04 NC 1.0 3.0e-04 15 Pc :c X

1.Oe-01 1.Oe-01 15 4

rniLcUMoghmPu 4 1nliaLPc.

9.8e.03

______at_____whm iatcwh___ allfrexoverynfactors Seffectsves=.

Seconds Recovery Factors Identified:

Self Review by Stars Extra crewmembers STA review Local feedback Execution Unrecovered FIREOLDP Table 14: FIREOLDP execution unrecovered 1

3.8E.3 20.7 2

M 2

1.3E3 20-11

1.

M 2

1.0e0 2 Actions: Manual action In control room Comments:

1 1.3E2 120o7 4

oM 2

1 1

z.6 AM=ns Recovery Comments.

I I

I 11 72 I

I i

Execution Recovery FIREOLDP Table 15: HREOLDP execution recovery lcdticaJ Msp Noocry.Se g

gHEP Crit@

EP(R~c),.

H, Efer 1 c Manual a ontic o l room1 I.e2 1 1 7,5o04 j

2

} R cvr 264 LD I

7.5e.02 73

,I A.1.2 FIRENEWP, Realistic fire In 99-M with new procedures all actions in CR Basic Event Summary

[vtn e

\\~

GWH 04/23/03 CDBTM!THERP

.1 FIREWNEWP.

SUMMARY

WAnalysis-Results:S'V Without Recover With Recovery APc6

-j 3.3e-02 2.6e-03 a 3 60e-03 6.16-04

,PtaE 3.2e-03 5

HFE Scenario

Description:

The operator should manually trip the reactor because of excessive alarms, and verify or perform immediate actions and call for investigation of A4 breaker room.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. The new attachment to the symptom-based procedures provides specific details for both establishing cooling with manual local actions assuming the worst-case fire conditions. The operators are required to establish cooling to the SGs -the MFW and EFW 7A and 7B are all available if the trip is early (as simulated for a fire even with a hot gas layer).

Early trip causes all valves to be in the proper positions for cooldown to hot shutdown; if the trip were delayed the alignments would have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms. Control room operators define actions for local operators. Even with no fire alarm, loss of instrumentation, loss of power to valves and spurious closures the core was clearly protected throughout the fire evolution of a simulated growing fire in 99-m that eventually resulted in failure of equipment located throughoutthe room. The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. Manual local actions were required and were initiated by verbal communication.

All local actions requested were feasible.

Related Human Interactions:

74

It-Start with new procedures. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment. Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Perfornance Shaping Factors:

Heavy communication is required between two field operators, the fire brigade, offsite, and in control room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and STA.

Operators stated that they focused on alarms on running equipment and those used in the selected cooling strategy.

Manual reactor trip is applied early because of the large number ofalarms.

Control room operators identify and request the local manual actions using procedures.

Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

The restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.)

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

75

.I Procedure and step governing HI:

New procedure 1203.009 Fire Protection System Annunciator Corrective action Cognitive Unrecovered FIRENEWP Cue:

Report from field because fire panel lost on A4 bus trip Duration or time window available for action (T#V): 1950 Seconds. The base time for the initial HFEs was 40 min or 2400 seconds. Based on the simulator results and discussions it appears the about 7.5 minutes is an estimate of the time to reach and report on the event.

Table 16: FIRENEWP cognitive unrecovered

~

I

, I I

• I 94c4 BranchlechasrXf-s6oSBraWct-HilidudeeTW, byL Pc,: Availability of Information d

1.5e-03 Pcb: Failure of Attention m!

1.5e-02 Pcc: Misread/miscommunicate data 9

4.0e-03 Pcd: Information misleading b

3.0e-03 Pc,: Skip a step In procedure 9

i6.0e-03 Pce Misinterpret instruction d

)3.0e-03 Pc, Misinterpret decision logic I

3.0e-04 Pch: Deliberate violation Sum of Pc. through Pch Initial Pc =

3.3e-02 Total Reduction In TW=

i 450 Seconds Effective TW =

1950 Seconds t

I I

I i :

i u.

I s

r I

76

.- i I

i I -

I

Cognitive Recovery FIRENEWP Table 17: FIRENEWP cognitive recovery

.J..InitilaiHEP a,-

Fia a)~

(o l

W.g W° l

Value Q:

0 W

0

<Pc 11 1.5e-03 X

5.0e-01 5.0e-01 7.5e-04

'tPcq:!

1.5e.02 X I I

1.0e-01 ZD 1.5e-02 2.2e-04 15

"'Pc"4l 4.0e 03 X

11.0e-01 1.0e-01 4.0e-04 15

iPcd, 3.0e-03 X

1.0e-01 1.0e-01 3.0e-04 15 f

6.0e-03 X

1.0e-01 I.e-01 6.0e-04 P M 3.0e-03 X

1.0e-01 1.0e-01 3.0e-04 15 rPc:4 3.0e-04 X

1:0e-011 1.0e-01 3.0e-05 15 X

1.0e-01 I

1.0e-01 15 t;;,,;uBt ft iF^,'.St P c~hmuE~c S~nila'!P:-:2.6e 03

-th__hl'aecoverfacor'effectivek Seconds Recovery Factors Identified:

Self Review by Stars Extra crewmembers STA review Local feedback 77 Ii I

Execution Unrecovered FIRENEWP Table 18: FIRENEWP execution unrecovered S

.u,.

-,T 9msr~

Sres

~ble jilten

-sts, Stress7;M" =I t

Per.I S

No.

EPi Is He.' '*

Re -I Mi 4

-Vah e -;.

R I

r-Ref.:s 4K ReE-mii7 Vatue c...R'deu*s Ste y

3.8E43 20-7 2

M 2

1.3E.3 20-9 2

M 2

.006 6.0e.03 Actions: control room action Comments 2

l2.7E-2 20.7b I 5 l M

l 2

l '

I 1 5.40-02 Actions: observe and recover Comments:.

Execution Recovery-FIRENEWP Table 19: FIRENEWP execution recovery II

. Control room action

i06.1r 04 l 2 1 Obsee andrecover 5.4e-02 LD 1.0e-01 78

-11.

A.1.3 99-MFIRECR, Realistic fire in 99-M decisions in CR for local actions Basic Event Summary 04/23/03 o'tnitl@iielow CDBTM/THERP 99.MFIRECR

SUMMARY

rAnatys siResult

• Without Recovery With Recovery 2IP 6.702 9.8e-03 jbta ta 3.Oe -02 HFE Scenario

Description:

Fire in 99-m is known and this addresses fire effects later in the event.

Local operators are required to control cooling to the SGs through EFW 7A or 7B to prevent SG overfill and maintain cooling.

Local actions to isolate EWF feedwater valves to ensure that fire will not spuriously close the valves are assumed not to have occurred.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on in the simulator. Early trip causes all valves to be in the proper positions for cooldown to hot shutdown, if the trip were delayed the alignments may have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms. Control room operators define actions for local operators to control valve positions because the control circuits are lost.

The old procedures provided sufficient guidance, however no consideration was given to protecting equipment from hot shorts. By the time that the operators got to the protective steps in the procedure the fire damage assuming a breaker fire would be completed.

Manual local actions were required and were initiated by verbal communication over phone. Thus, valves su ch as CV-2800 could go closed. This was no problem for plant cooling since both MFW and EFW 7A were available.

All local actions requested were feasible.

79

/

/

Related Human Interactions:

Adjust the baseline IHEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment. Uses floating steps derived from symptom based procedures Performance Shaping Factors:

Heavy communication is required between two field operators,-the fire brigade, offsite, and in contro room.

During simulation some equipment started then failed and indications were lost requiring detective work by the operators and STA.

Operators stated that they focused on alarms on running equipment and those used in cooling strategy.

Manual reactor trip applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due'to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

The restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to Iocation without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature,'noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedu re (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

80

11-Procedure and step governing Hi:

Symptom based with floating steps plus fire cautions Cognitive Unrecovered 99.MFIRECR Cue:

Report from the field (either A4 or security) See fire brigade script Duration of time window available for action fTWv): 1950 Seconds. -The base case models used 40min or 2400 seconds of which about 450 seconds are estimated for hearing a report back on the fire and location.

Table 20: 99-MFIRECR cognitive unrecovered S

T A

S H

__Y, LJ Branch,7 i

Pc,: Availability of Information e

5.oe-02 Pcb Failure of Attention j

7.5e-04 Pc,: Misread/miscommunicate data g

4.0e-03 Pcd: Information misleading b

3.0e-03 Pce Skip a step in procedure e

2.0e-03 PcF Misinterpret instruction f

6.0e-03 Pcg: Misinterpret decision logic j

1.Oe-03 Pch Deliberate violation Sum of Pc. through Pch = Initial Pc 6.7e-02 Total Reduction In TW =

300 Seconds Effective TW =

1950 Seconds 81

Cognitive Recovery 99-MFIRECR Table 21: 99-MFIRECR cognitive recovery I...

Initial HEP 3:

a,

.4)

I-. 3 u) (

(D

aC

(.)

,iki.

8 c r, nonin U. -

a0 R

)

'E 0

a)

Final Value t t w

vJ 5.0eA-0 X

r n-ni 1q

IPc 7.5e-04 X

1.0e-01 1.0e-01 7.5e-05

• 'P c 4.0e-03 X

1.0e-01 1.0e-01 4.0e-04 15 P:

3.0e-03 X

1.0e-01 1.0e-01 3.0e.04 15 t-Pc 2.0e-03 X

5.0e-01 5.0e-01

.25 5.0e-04

PC 6.0e-03 X

5.0e-01 5.0e-01 3.0e-03

~PcC 1.0e-03 X

5.0e-01 5.0e-01 5.0e-04 X

1.0e-01 1.0e-01 9.8e-03 v~Seconds Recovery Factors Identified:

Self Review by Stars Extra crewmembers STA review Local feedback This applies to the hidden Instrumentation cases I

82 I

/./

Execution Unrecovered 99-MFIRECR Table 22: 99-MFIRECR execution unrecovered F;.tSte'v, 2

I t,

=4:Oiision*.-

5 C ommissionl -- m iO.F.t7

,ci:,,

,,ular48 zl tem-i gStress-I Stres8di, n4 I

.Z I tem' l 'Slress..

.Sttess'J ol1' Actions: manual action In control room Comments.

2 l

4.3E4 20-7b I

M 2

F 8.6e-04 Actions: recovery Comments!

II I

I I

I I

I 1,

Execution Recovery T99-MFIRECR Tablo 23: 99-MFIRECR execution recovery I

I 83

/

A.1.4 99-MFIRECRE, Realistic fire In 99-M Early CR actions Basic Event Summary GWHl R-IRC

04U23M03 v I hoA. CDBTMrTHERP 99-MFIRECRE

SUMMARY

$Analyn sisRsults*

Without Recovery With Recovery 1.4e.02 4.7e-03 4.3e04 I4.3e-D0 5.2e-03 I 5 1.

HFE Scenario

Description:

Complete immediate actions and call for local evaluation of A4 bus.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on. This case addresses the immediate actions following a trip. The operator should manually trip the reactor because of excessive alarms. The operators are required to establish cooling to the SGs -the MFW and EF W 7A and 7B are all available if the trip is early.

Early trip causes all valves to bein the proper position for cooldown to hot shutdown, if the trip were delayed the alignments would have to be locally manually established. In early trip cases the challenge is to prevent SG overfill and maintain the cooling as additional failures cause loss of indications, loss of power to valves, and even spurious closures and alarms.

Related Human Interactions:

Adjust the baseline IIEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment.

Uses floating steps derived from symptom based procedures.

Performance Shaping Factors:

Well-known steps.

Reactor trip applied early because of the large number of alarms.

Control room operators identify and request the local manual actions using procedures.

Procedure and step governing Hi:

Immediate actions 84

- tI-Cognitive Unrecovered 99-MFIRECRE Cue:

Loss of A4 b reaker and many alarms Subsequent cues for loss of instruments and control circuits are later.

.I Duration of time window available for action (TV): 1950 Seconds. The base time for the initial HFEs wvas 40 min or 2400 seconds. Based on the simulator results and discussions it appears the about 7.5 minutes is an estimate of the time to. reach and report on the event.

Table 24: 99-MFIRECRE cognitive unrecovered P PEi!ZaIlu'rZMeehanismn

,_0 BranctW>8PJ-E Ad RodtceeTW b Pc.: Availability of Information d

1.5e-03 Pct Failure of Attention j

7.5e,04 Pc,: Misread/miscommunicate data e

3.0e.03 Pc: Information misleading b

. 3.0e 03 Pc.: Skip a step in procedure e

2.0e03 Pc Misinterpret instruction b

3.0e-03 Pcg: Misinterpret decision logic I

3.0e-04 PCh: Deliberate violation Sum of Pc. through Pch = Initial Pc 1.4e-02 Total Reduction In TW =

450 85

Cognitive Recovery 99-MFIRECRE Table 25: 99-MFIRECRE cognitive recovery r =',-;,-Z

,,;
f II-,-1. I

-
,,:41 I
.,.,-

"i

1,

-.1 -

.1 -
-,.
,,

-
-.
.- ;,
z I

!,Pci-Initial HEP 3:

ID w()

(0) 0 C.)

3:

it~

8t m c) 50e-0 o.a

-ina.n O

0 a

0 0

C >

Final o'

0 Value 2 t°

. W"0 1.5e.03 X

.6 PC6 7.5e.04 X

0 e-01 HD 5.0e-01 3.8e*04 15 JPc¢:

3.0e.03 X

1.0e-01 MD 1.5e-01 4.5e.04 15 Pdi 3.0e.03 X

1.0e-01 MD 1.5e-01 4.5e.04 15 2.0e-03 X

5.0e-01 5.0e-01 1.0e-03 J;IPc;p 3.0e.03 X

5.0e-01 5.0e-01 1.5e-03 15

.Pcgi-3.0e.04 X

1.0e-01 MD 1.4e.01 4.2e-05 15 h

X 1.0e-01 1.0e-01 15

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ta__ _P_

4 m 4.7 e -0 3 Recovery Factors Identified:

Self Review by Stars Extra crewmembers STA review Local feedback 1.

I 86 i I

Execution Unrecovered 99-MFIRECRE Table 26: 99-MFIRECRE execution unrecovered

-:.;: ;.t-r>- 5Strp~w

• 4<.~w.Omission Zt';.77777'J'..

'-4

.4i, iZYcm7ss()n-77_;7z

'e.

4snit~tlifii4 49

'Stop NoHc i r't, I 'r'< HEP 'r" I. RefA1 Ref.' Le-E/M/O t 'Vslue9

'- HEP

' I 'b Ref.-#I Ret4 I EJM/O Value 1

4.3E4 I20-7b I

t ll o

I 1

43-04 Actions: Manual action in contron room Comment Com1ents:

Execution Recovery

' 99-MFIRECRE Table 27: 99.MFIRECRE execution recovery Manual action in control room 14.30.04 l

oW87

,c, NI

A.1.5 99-MFIRELOCAL, Local actions taken by field operators Basic Event Summary.

04123/03 ont YQ.e; tho CDBTMrrHERP 99-MFIRELOCAL

SUMMARY

a Ys W. eisIts Without Recovery With Recovery 5.4e-02 1.5e-02 I&l :

2.6e-02 2.6e-02 '

.,4.1e-02

,I.*O.

.,5 HFE Scenario

Description:

Local actions for inspecting and reporting back as well as manual actions for establishing cooling to the SGs with either EFW 7A or 7B are required.

Need to travel to local station.

This is a moderate to high stress evolution because of the large number of alarms, but one that has been trained on by classroom instruction and walk down with simulated actions and communications. Manual local actions were required and were initiated by verbal communication over phone. Pathways to the local stations were not allowed through the fire zone.

All local actions requested were feasible.

Related Human Interactions:

Adjust the baseline HEP values established for the internal events. This calculation provides additional errors due to the fire context that was not applicable to the internal events assessment. Control room decision-making in APcog Performance Shaping Factors:

Time to location is generally I to 2 minutes (all less than 5 min from previous location).

Local lighting was available.

Smoke could exist in areas but air packs not needed.

88

Valve position indication judged by stem location.

Feedback from control room on flow rate and adjustments required.

Heavy communication required between two field operators, the fire brigade, offsite, and in control room.

Wireless communication permitted everyone to hear conversations.

During simulation some equipment started then failed and indications were lost requiring det ective work by the operators and STA.

Control room operators identify and request the local manual actions using procedures Specific components (e.g., valves, breakers and some pumps) whose control circuit cables fail open due to the fire are not remotely operable from the control room, however might be operated locally by manual actions.

Restoration actions depend on the specific failure mode of the circuits (e.g., loss of power cables, loss of control cables, spurious operation induced by fire).

The operators go to location without going through the affected fire zone.

The time to reach the zone and take action is sufficient (considering security and radiation protection).

Lighting is available along path.

Local man-machine interface permits the action (open, close, control, monitor).

Local environment permits action (temperature, noise, smoke, lighting, etc.).

Local action is verbally instructed and local procedure (generic or specific) is available.

Special tools are available.

Feedback on action is available (sound, visual position, feedback from control room).

Time to implement action is sufficient.

Procedure and step governing Hi:

Verbal instruction and local procedure (manual control of EFW) both new and old procedures and isolation of power to valves in train to prevent spurious operation in case of new procedure 89

1 Cognitive Unrecovered 99-MFIRELOCAL Cue:

Phone call with verbal instructions Duration of time window available for action (TIN): 1950 Seconds. The base time for the initial HFEs was 40 min or 2400 seconds. Based on the simulator results and discussions if appears the about 7.5 minutes is an estimate of the time to reach and report on the event.

Table 28: 99.MFIRELOCAL cognitive unrecovered tJ-F~allu~r ~OC an~sw __ra ch,_

t.i, ucoeT

~ S i <

-'W ablT Xtm-e e

iE.2 23.7 I4 M

2 Z

X I

I 2.6-ie-Actions: implementation action Comments:

Execution Recovery 99 MFIRELOCAL Table 31: 99-MFIRELOCAL execution recovery Scit No.i jke,*t Ii 1

1 1 Imdementation action 2.6,02 92

I -

APPENDIX A.2 COGNITIVE EVENT TREE SCREENING LOGIC pca: Avatabily of infoniion bIncatio.nAnd In CR Indcation WarningA~errade Trh~*Vg CR Accurte I

In Pvocatk, kodicaors I'm (c) nev pMb+/- Faia" of afttoofon Low ms m Check vs. M~oio Front VS. Back Aianed ms o Workload MAn Marumv Front Beck (b) 1. 5"0 Low(c3 1.S..0 Front 0d).1. -44 Monkot (FontINn) 1.54 CBock M 1.5.

Front M 7.5t."

93

/

pcc: kSwvatwhcopvmnkte daia kdlh ors E"ylo GoodSadhlictorl Formal Locae I

Coommicat

' a)n.

lb) 10043 IC)

(dU.03 No (d) l0e-03 L

g)4J03

-h) 7.h03 pcd:

ormatilon nisleang Al Cues as Stated Warning of Specific Taini lGeneral Traig Differences Ycsl a}neg.

(C) 1.Ce-02

-N;L lb) 3.0*-03

=(d) 1.De-Ie) 1.0 pce:Skipastepinprocedure Obvious vs.

Single vs. Multiple Gaphicalry Placekeeping JUds l Kdden Distinct (a) I.Ce-03 (b) 3.Oe-03

=={().0)-30t3 (d) t.Oe-02

_ _(e) 2.Oe-03 No (g) *.e-.03 i

(h) t.3c-02 94

a_..

pcP Misinterpret histnxtion Standard All Requved Training on Step Unanbiguous wordin information (a) neg.

(b) 3.0.43 Yes(e) 3.e042 No id) 3.0"e3 (e) 3.0.02 L __ ____

r--

(1)6.0.43 pcr. linseprt decision logic

'NOT' Statment

'AND' or Bot h'AN'& l Practiced Scenario StaItement I

t I

(a) 1.5*42 I

lb) 4&902 (c) 6.e0"3 (d) 1.9.42 (e) 2.0e.43 M tt e-03 (g1)6.0.43 No

{h 3.1*-02

-- (i)3.9.-'0l 4

(k) net (t) neg.

pch: Deliberate violation lBeeitnAdequacy Aderse Reasonable Policy of ol Instruction Consequence I Alternativea

'Vesbatimr l

(a) net (b) 5.0S41 No l}c) 1.0 (d) ne.

(e) neg.

95

/

/

APPENDIX B.1 SIMULAT OR OBSERVATIONS The simulation of a fire in zone 99-M integrated the efforts of eight activities. The activities are:

1. Identification of the equipment failures as a function of timing from the fire growth model,

2. Testing the simulation to identify unusual or unexpected behaviors,

3. Providing communications that would be expected (fire brigade, manual actions, and extemal communications),

4. Modeling brew organization for fire,

5. Observing the control room crew actions and communications during.the simulation, and

6. Verifying the local manual actions called for by the crew. -

7. Summarizing the results so that the feasibility can be demonstrated Feasibility section)

8. Support the evaluation of human reliability for the actions. (Appendix A)

B.1.1 Fire Damage to Plant Equipment The fire growth model was converted into a fire damage effects by identifying the equipment in the breaker cabinet and the components serviced by the cables in the two trays above the cabinet.

The effect of the fire damage and possible failure modes of the associated equipment was evaluated by the engineering team and the failures were then introduced in the simulator programming. The failures modeled addresses loss of signals, false alarms, and spurious actions. The equipment failures and timing are shown in Appendix B.2.

B.1.2 Initial Scenario Testing The initial mockup was tested to understand the interactive effects of the failures on the simulator model. A surprise was identified - when time phasing the failures, and if the operators opt for an early trip the EFW valve alignments are automatically positioned to the shutdown core-cooling mode. This along with continuation of the main feedwater pumps results in a steam generator overfill condition. Steam generators dry out results if all equipment is assumed to fail at the same time. Thus, the couirse of the scenario is highly dependent on the previous actions of the crew, as well as'the hardware failures and their timing introduced into the simulation.

The simulator fidelity was very good. No indications of differences in the control room and simulator were noted except the fire indication panel is not modeled inthe simulator. In this scenario the fire alarm panel power supply is lost on the A4 bus trip with only the fire panel trouble alarm activated (K I 2D1I ), but this alarm was not used by either crew to detect the fire.

96

B.1.3 Communications It is expected that a large communication load will occur to the procedure reader and coordinator during a fire, and to make this realistic a script was written for the fire brigade to match the fire modeled. The script is shown in Appendix B.3. The multiple channel radio phones were very good at keeping every one informed. Both the local operators and the fire brigade were careful in being precise in communications. At about 15 minutes into the event the control room team had to limit communications to maintain path though the procedures.

B.1.4 Crew organization for fires Different plants handle the organization of the crew during fires in different ways. At ANOI and 2 the practice is to establish a fire brigade by selecting a waste control and auxiliary operator from the affected unit to be part of the five man brigade This leaves the 4 licensed operator and shift engineer in the control room and an auxiliary operator to implement recovery actions.

Upon initial investigation of the fire the five-man brigade may call for additional assistance from the local fire department. This does not reduce the number of licensed operators in the control room below the minimum needed, and supervisory personnel will be immediately available to provide support on most shifts. Thus, for the simulation one non-shift crewmember was available to support the simulator crew. One auxiliary operator was available to perform local actions in the plant and as additional actions were needed outside the control room on of the licensed operators was dispathched to perform actions outside the control room.

B.1.5 Observations of the simulation The aim was to verify the necessary actions to maintain core cooling could be carried locally and in the control room. Thus the key actions could be tied to various phases of the fire scenario by selecting a cue form the new damage condition and noting the operational response. Table 32 provides a listing of selected key actions taken in the control room and with instructions for local actionusingthe currentprocedures (crew l) and the procedure with anew fire attachment (crew 2).

Table 32 is constructed to help understand the effectiveness of the EOP and the new attachment for dealing with a fire in 99M. The first column is an index for the key cue, request or action described in the second column. The descriptions came from the training printout and notes taken during the observation. The third column describes the location where the cue originated.

The fourth column provides a basis for the cue (e.g., a simulated fault or a crew request). The fifth column describes the response to the cue. Columns six and seven provide the clock time and the difference in time from the cue to the action for the first simulation using the current EOPs. The eighth and ninth column repeat the results for the same event with the new EOP attachment.

The information in a row can be interpreted as follows: a simulated loss of the A4 bus signal appeared at 8:39 am on 4/16/03 in the case of crew I and at 8:26 4117/03 in the case of crew 2.

Both responded by sending an auxiliary operator to investigate.

Meanwhile, multiple alarms 97

1

/

appeared about I Osec later and the response by both crews was to trip the reactor. The selected items are some of the key actions associated with maintaining the core cooling, controlling primary inventory and fighting the fire. The location is where'the cue and action start. Reports or actions taken locally are reported back to the control room. The basis for that action is a component failure, verbal instruction, alarm or procedure to carry out an action.

The clock times were observed by using a combination of the simulation-training file, which includes all changes in the siniulator configuration, and observational notes taken during the simulation, which give times for key communication actions. The delta times indicate the time from a cue to the pompletion of a specific action.

Some of the insights that can be drawn from this table are that:

1. As can be seen from the table the interaction of the control room crew and the local operators was very good in terms of timing and communication. Verbal icnfirniation from the local operators indicating the action was complete (e.g.; opening a valve) cued the simulator training staff to implement the change in the simulator

2. The crew responses in the two cases were very uniform through action I I -although the timing differed somewhat.

3. The difference in the responses for steps 12 -13 and 15-16 can be attributed to the difference in the procedures. The new attachment appears to bring clarity on specific actions for preventing spurious operations (e.g., move specific valves and open specific breakers) whereas the current procedures leave the means for protecting against spurious operations up to the crew (e.g., be ready to manually operate breakers to maintain power to the A3 bus).

i

4. In both cases the reactor was tripped within one minute of the major alarms appearing.

There wvas no automatic trip. Both crews tripped the plant quickly wh ich simplified the scenario and allowed the emergency systems to be aligned before fire damage to control cables would prevent the realignment. If the crews had not tripped early the scenario would change, because the EFW systems might not align automatically, and would require manual operation initially.

5. Even with heavy communication loads the crews were able to protect the core from damage by a wide margin.;

6. Differences in the timing between crews for most actions were well within the range of typical simulator observations in most complex accident scenarios. However, it is not enough to establish overall uncertainty ranges. There were some large timing differences, which is indicative of "knowledge based" behavior (e.g., step 14). This was a case where the MCR control circuits for the HPI pump were lost due to the fire, and the operators had to use secondary indications to track down the issue and then request local control actions.

7. Numerous false signals were provided to the operator to see if they would waste time.

tracking down something that was not important.' Both crews used a screening approach to focus on only those systems that were operating and that were needed for core cooling.

Thus, very little time was spent on the spurious alarms, and no unneeded actions were taken.

98

ti 10

8. The impact of the new procedure attachment was actually very small except that the requests for local actions could be much more precise. However, the results of the changes arc quantifiable when using the HRA calculator to evaluate differences in the procedures. It was also clear that the crew using the new procedure had only had a brief training session on it application.

Table 32: Summary of selected actions for maintaining core cooling during simulated fire I 1 PC I ;r p

_ _I Loss d A4 bus signal MCR auftsimulated Investf A4 us toca 83939 0:02t21 8:26:27 0 04:33 Muntiple alarms MCR aultsimulated Manual Reactor trip 8 39:49 0:00:12 8:26:36 000 50 (CV CV2617 EFW Pump Tuthe 0 Response to Observe start /note K3 Steanm rom SG B) 1 Auto rp(Lw SG eve overEll -

84201 0:10:59 8:27:40 0:07:20 adrflonal Action in response to A4 CIO CSI-DG2 LOCK OUr. EDG2 MCR to A4 breaker fault 8:41:38 0:0122 8:28:52 0:03:38 Noted fire as pat of S Investigate A4 bus notes fire Local mutated fire noted sinulation script 8:42:00 0:04:00 8:30:30 0:02:00 (BK D1512CV26t3 P7A TUR9 S-M re Induced breaker Preempted by manual tnp ADMSSION UV POWER) OPEN Fire

ailure, and EWF auto start 8 44:40 0 00:00 8:30:32 0 00o00 7

Setup team and read Establish (dispatch) Fre Brigade MCR

-ire procedure script 8.46.00 0.03.00 8:33 0 01:30 (CV CV2800 EFW P7 BSucbon FTurn of P78 to protect from CST) 0 Fire irmulated failure pump 8:49:14 0:08:46 8:38 46 0 06t14 C09 Hs2805 STOP. EFVW PUMP epresents manual Introduced into simulataon P78.

52805 TRUE Local ontrd upon local cal 8:55 00 0:02:00 8:39:12 0 00:34 P41rust SPEED CNTR on Local manual control of EFW 7A 3ack off EFW flaw to EFW P7A. HIC-6601)

(throttle 2620 and 2627)

Local xevent over fit 0.85 8:53.00 0:16:00 8:43 0:20:00 t

Venty location on declaration of Site Cal for site emergency MCR n procedures.

Emergency 9 06.00 0.02:20 8:48 0.03:00 1 D1512 - (CV2663 P7A turbine

'ew aflachrment to steam adnission valve power)

Drevent spurious Fre damage over by this OPEN rnm breaker room Local cosure time 8:56 0:02:20 1 D5241 - (CV2667 P7Aturtine steam ardission valve power)

Fire damage over by this OPEN from breaker room Local eow attachnent time 8 56 0:02.30 14 Restore Injection Manual start d HPI frorm A3 Local mp operatlon Use local control 9:04:00 0:22:00 8:34 0.54:00 16 Go to A3 and be ready to Check Pnect A3 safety Al location ready lor m

Sayent Local action 9 32 0 02 00 Chcect A3 sapety

_Check posibion of A 306 Local us9:38 0:02:00 B.1.6 Summary of data from manual actions during simulation Tables 33 and 34 summarize the notes taken by observers of the local actions called upon by the simulator crew. In both cases an observer followed the local operator from the control room to the local control point, or from the previous control point to the new control point. There were two operators who took action outside the control room, the auxiliary operator and a licensed operator dispatched fromthe control room The notes were supplemented by interviews afler the simulation.

99

/

/

Based on the observations the local actions requested were all feasible in timing, tools, instructions, knowledge, lighting, pathway to local action is outside the fire zone, procedures available, indications, and feedback on action. In the case of the current procedures the instructions for guarding against the effects of spurious actions (loss of control power to the A3 breakers) was undertaken by local observations in the A3 breaker room. The local operator was not sure what the assignment was other than being on alert for a possible action. In the case of the new attachment the restoration of spurious actions was undertaken by specific local actions to isolate the power to specific valves.

100 0.

i

hi i

Table 33: Local manual actions current EOPs with experienced auxiliary operator crew I Local manual control of Gto A3 and be ready to EFW7A (throtle 2620 Check position ofA Venly location on Requested task Investigate A4 bus Check equipment and 2627) 306 Site emergency Location Local Local Local at el 335 Local Local Time to location (minutes) 1 2

1.5 1.5 1

Procedure used or not Verbal Verbal Procedure 1106.006 Verbal Verbal Communication verification yes Yes Yes Yes Yes Special tools if any (Ladder flashliqht gloves)

I door key/ Gloves Gloves Gloves /Dosimeter Gloves Gloves Must transmit only vital Must transmit only Must transmit only Difficulties or complaints by Confusion on what to information to control vital information to vital information to.

operator check room control room control room Indications for judging Cant compare status Used cabinet position/status Smoke heat without further instruction See Valve Stem position indication Smoke heat Estimate of timing for Implementation (minutes)11 5

0.5 1

Venfication of task (Stars?)

Yes Yes Yes Yes Yes Communication complete Yes yes Yes yea Yes Error potential Selection Error Comparison error Mistake Mistake Communicat Ion 1 mi for cal back and report of 5min for complete Notes fire/smoke throttle 101 i i a

l

Table 34: Local manual actions new EOP attachment with now auxiliary operator crew 2 D z rlpt~i nsfo n t ri D

e 01512 *(CV2663 P7A turbine steam 05241 *(CV26667 P7A Local manual control admission valve turbine steam admission Verity bcation on Site of EFW 7A (throttle power) OPEN from valve power) OPEN from Requested task Investigate A4 bus emergency 2620 and 2627) breaker room breaker room Location Local Local Local elevation 335 Local el 335 Local el 335 Time to location (minutes) 1 1

1.5 1

2 Procedure used or not Verbal Verbal Procedure 1106.006 Verbal Verbal Communication verification Yes Yes Yes Yes Yes Special tools if any (ladder flashlight gloves)

Gloves 11 door key Gloves Gloves /Dosimeter Gioves Gloves Can't easily Difficulties or complaints by Went through communicate with operator radiation protection control room None None Indications for Judging Fire brigade See Valve Stem posifonistatus

' Smoke heat communications position Breaker Indication Breaker Indication Estimate of timing for Implementation (minutes) 1 1

5 0.5 1

Verification of task (STARs7)

Yes Yes Yes Yes Yes Communication complete Yes Yes Yes Yes Yes Error potential Communication Mistake Mistake Mistake 1 mi for cad back and report of firelsmoke 5 mim for complete throttle Notes (One of 2 needed)

(One of 2 needed) 102 I

I

APPENDIX B.2

SUMMARY

OF SIMULATED EQUIPMENT FAILURES AS A FUNCTION OF FIRE GROWTH IN FIRE ZONE 99-M The following descriptions of events in Table 35 and 36 are in the language of the simulator control system. They relate to the plant nomenclature and are provided here to help support repeats of the simulation.

Ji 103

Table 35: Equipment damage for realistic fire In the A4 breaker cabinet and cable trays

m oiren cc;-'Ds x

hy I.

T=n ABK B6315 INVERTER Y25 IRFB6315( 10) OPEN A EL ED188 LOSS OF 4.16 KV BUS A4 IMF ED188 (I 0) TRUE A K12 K12DI FIRE PROT SYSTEM TROUBLE IRF K12DI (Q 0) ON AC19 DO-K125A6 AMB LP,FPS, C463 PANEL TROUBLE IOR DO K125A6 (I0) ON T-2

^ Cl9 DlHS6034T.. TRIPCHLR.CNTR RM,VCH2A POWER-

. IOR Dl HS6034T (I 0) TRUE -

AC19 DOHS6034G - GRN LP,CHLR.CNTR RM.VCH2A POWE

[OR DOHS6034G (I 0) ON A C19 DOVCH2ASLG GRN LP,CHILLER.CNTR RM,COMPRES

_lOR DOiCH2ASLG ( 0) OFF A CV CV2630 FW Isol Control Valve to OTSG "B "...AfF CV2630 ( 10) 0.000000 0o 0.ooooo0 A. :

BK C54OBKR Y28 OUTPUT BREAKER FEED TO C540 IRF C540BKR (Q 20) OPEN

.A._

..^ K12 K12C7.EFIC SYSTEM TROUBLE IRF K12C7 (I 25) ON CV CV3644 P-4A to P.4B Discharge Crossover A!F CV3644 (I 30) 0.000000 35 0.000000 A CV CV3642 P-4B to P-4C Discharge Crossover

!MF35) 0.000000 370.000000 A CV CV2617 EFW Pump Turbine K3 Steam from SG B IMF CV2617 (I 40) 1.000000 0 0.000000 -

A C16 DlHS11293S STARTHPI,P36BAUX,HS-1293 IOR DIHS1293S (I 40) FALSE -

.C18 DlHS1292S STARTHPI,P36B.AUXHS-1292 IOR DI-HS1292S (I 40) FALSE A. C09 AOHIC6601. DEMAND, EFW PUMP P7A, HIC-6601_

IOR AO-HIC6601 (I 45) 100.0000 0 0.996124

^ C09 AO.S16601 2 EFW PUMP P7A. SPEED, S1-6601

[OR AO-S16601 (I 46) 0.000000 0 0.000000 I ^CV CV3805 SW TO RB SPRAY PMP CLR E47B IAfF CV3805 (I J0) 1.000000 100.000000 A CV CV3841 SW P34B BRG.CLR E50B A-IF CV3841 (I 55) 1.000000 4 0.000000

.'CV CV 1432 Decay Heat Cooler E-35B Bypass IPA CV1432 (I 0) 0.000000 0 0.000000 AK02 K02B7 A4 LO RELAY TRIP IRF K02B7 (l 57) OFF A K09 K09C8 DH PUMP A/B SUCT TEMP HI IRF K09C8 (I 58) ON T=5

^ CIO DlA308T TRIP, DGI OUTPUT A-308 IOR DlA308T (I 0) TRUE

^ BK - D1512 CV2663 P7A TURB STM ADMISSION VLV POWER IRF D1512 (I 15) OPEN

'A BK D1514 CV2620 P7A TO BSG EFW ISOL VLV POWER IRFD1514 (I 15) OPEN

^ BK D1522 CV2627 P7A TO A SG EFW ISOL VLV POWER-IRFD1522(I 15) OPEN -

104 e

.e f

i

Table 36: Failure of remaining equipment if a hot gas layer is assumed lMme of-fire -.

induced failure

. Dcscription oftthe event Simulator control file:..

T-IS

^CVCV2S00EFWP.7B Suaion from CST 1AWFCV28000( OJ ()

97/

I

'C18DI HS1261 BLUSA4,P36BRUSSELECTOR IORDI-HS1261(10)TRUE

^C18DIHS1241SP STOP.P36A.HS.1241 IORDIHS1241SP(i 15)TRUE

^CISDI HS12415 START, P36A, HS.1241 IORDIHS1241S(I 15)FALSE

^C18DI H 2SP STOPHPIP36R,HS-1242 IORDI HS1242SP(I 15)TRUE

^C18DI HS1242S START HPi P36R HS-1242 IORDI HS1242S(I 15)FALSE

^C18DI HS1291SP STOP HPI P'6A AUX HS 1291 IORDI HS1291SP(I I5)TRUE

^C18 DlHS1291S START, HPI, P36A, AUX, HS-1291 IORDlHS12915(I 15) FALSE

'CIODI B513T TRIPB5-W6CROSSTIEB.5I3 IORDI B51iT(160)TRUE

^ CIO DlB5 2C CLOSE. A3 FEEDTO BSBSI2 IOR DlBS12C(1 60)TRUE

^C18 DIHS74 1OS START. RB COOLING FANS. VSFIA IOR DlHS74 IOS (I 60) TRUE

.A^

Cl8 DlHS741 1S START. RB COOLING FANS, VSFIB IOR DlHS741 IS(I 60)TRUE

^CIODOBS12G GRN LP, A3 FEEDTO B5, BS5I2

- IOR DO-BSI2G ( 60) ON

^CIODO B512R REDLP,A3FEEDTOBS,B.512 IORDO-B512R(160)OFF -

^CIODO BS130 GRNLP,B5.86CROSSTIEB.513 IORDO 513C,(160)OFF

^CIODO B513R RED1LP,B5-R6CROSSTIEB-512 IORDO B513R(160)OFF

^CIODO B512R REDLPA3FEEDTOB5,8-512 IORDO-B512R(160)OFF

^ 'CIODOBS12G GRNLPA3FEEDTOBSB&512

[OR DOBS 12G(160) OFF

^ CIODO B512G GRNLP,A3FEEDTOB5,B-512

[OR DOB512G(1 60)OFF

^C18DO HS7410R2 REDLP RBCOOLINGFANS VSFIA IORDO HS741OR2(160)OFF

^CISDO HS7410W2 GRNLP RBCOOLINGFANS VSFIA IORDO HS74101G0(60)OFF

'CIRDO HS74I1G2 GRNLP RBCOOLINGFANS VSFIB IORDO HS74llG?(I6080FF

^CI8 WDOHS741IR2 RED LP.RBCOOLINGFANS.VSFIB IOR DOHS741IR2(I 60)OFF

^CIODIJ301C CLOSE, A3 FEED TO BS A.301 IOR DlA3OIC(I S5)TRUE ACIODlA30IT TRIPA3FEEDTOB5A-301 IOR DIA30 IT(I S5) FALSE

^C10 Di A308C CLOSE, DG IOUTPUTA.30S' IOR DI A30SC(185) FALSE ACIODIA309C CLOSEAIFEEDTOA3A-309 IOR Di A309C(1 SS)TRUE

^CIODI A309T TRIP,AIFEEDTOA3A-309 IORDI-A309T(IS5PFALSE

^CIODIA310C CLOSE. A3.A4CROSST1EA3I0 IOR DlA310C(I 85) FALSE

^MPFCO P34A DECAYHEATPUMPP34A IRFCCO P4A (85)OFF

^MPFCOP35A RECATORBLDGSPRAYPUMPP35A IRFCOP35A(1 85)OFP

^ MPFCO P16A-MAKEUPPUMPP36A IRF COP36A (I 8S OFF I MPFCO P4A SERVICE WATER PUMPP4A-- -

IRFCO P4A(I85)ON

^MPFCO P4B3 SERVICE WATERPUMPP4BMOD IRFCO P4B3(185)OFF

^ MPFCO P7B EMERGENCYFWPUMPP7B IRFCO P7B(1?5)0N

^CIODO A10IA AMBLP A3FEEDTOB5.A-301 IORDO A301A(190)OFF

^CIO DA301G GRN LP. A3 FEED TO B5, A.301 IOR DOA3OIG(I 90)OFF

^CIODO A30IR REDLPA3FEEDTOB5,A.301 IORDOA30IR(190)ON CIODO A30IR REDLPA3FEEDTOBS,A-301 IORDO A3O1R(190)OFF-105 F

Table 36: Failure of remaining equipment If a hot gas layer Is assumed continued

.Timeo ffre~-

Ad ii...

eidu'd!ffaiil

_n-scitindt~f

-V CT i X

iq%

t u

l Vr;id ThI5 A CI0 DO-A301 W

-WHlT LP. A3 FEED TO 1351 A.301 IOR DO-A301W (1. 90) OFF

_A CI0 DO-A308A AMB LP. DGI OUTPUT A-308 IOR DO A308A (I 90) OFF A CIO DORA308G GRN LP, DGI OUTPUT A-308 IOR DOA308G (I 90) OFF A CR0 DOA308R RED LP. DGI OUTPUT A.308 IOR DOA308R (I 90) OFF I C IO D0-A308W WIT LP. DGI OUTPUT A-308 IOR DOA308W (I 90) OFF A CR0 DOA309A AMB LP, Al FEED TO A3, A-309 IOR DOA309A (I 90) OFF A CR0 DOA309G GRN LP. Al FEED TO A3. A.309 IOR DOA309G (I 90) OFF A CIO DOA309R RED LP. Al FEED TO A3, A-309 IOR DOA309R (I 90) OFF A CIO DO A309W WHT LP, Al FEED TO B3, A-309 IOR DOA309W (I 90) OFF ACIO DOA3iOA AMB LP, A3.A4 CROSSTIE A,31 0 IOR DO A31 OA (I 90) OFF ACIO DQA3IOG GRN LP. A3-A4 CROSSTIE 4310 IOR DOA31OG (I 90) OFF ACIO DO A3IOR RED LP. A3-A4 CROSSTIE A-310 IOR DOA3IOR (I 90) OFF A CR0 DOA310W WIJT LP. A3-A4 CROSSTIE A-310 IOR DOA3IOW (I 90) OFF AC18 D0HSR2410 GRN LP, P36A, HS-1241

[OR DOHS1241G (1 90) OFF A C18 DO_HS124IW2 WIT LP. P36A. HS-1241 IOR DOKS24RW2 ( 90)OFF A C18 DOHS1242GI GRN LP, HPI, P36B, HS-1242 IOR DO-HSI242GI (I 90) OFF C18 DO_HS1242W2 WHT LP, HPI, P36B, HS-1242 IOR DOHS1242W2 (I 90) OFF

^ C18 DO HS361IR RED LIP. SERVICE WATER. P4A IOR DO HS361IR(I 90) OFF AC I D0HS361 I W WHT LP, SERVICE WATER, _A IOR DOHS361 1 W (I 90) OFF A C18 DO-HS1417G GRN LP, LOW PRESS INJ. P34A IOR DO-HS1417G (I 90) OFF A C18 DOHS1417W2 WHT LP. LOW PRESS INJ, P34A IOR DOHS1417W2 (I 90) OFF A C18 DOHS2403G GRN LP, RB SPRAY. P35A IOR DOHS2403G (I 90) OFF A C18 DOHS2403W2 WHT LP. RB SPRAY, P35A IOR DO-HS2403W2 (I 90) OFF A C09 DOHS2805A AMB LP, EFW PUMP P713, HS-2805 IOR DOHS2805A (I 90) OFF A C09 DOHS2805G GRN LP, EFW PUMP P7B, HS-2805 IOR DOHS2805G (I 90) OFF A1 C09 DO-HS2805W WHT LP. EFW PUMP P713, HS_2805 IOR DOJIS2805W (I 90) OFF.

A C09 DOHS2805R RED LP, EFW PUMP P71_ HS52805 IOR DO-HS2805R (I 90) OFF A C18 DO HS3609GI GRN LP, SERVICE WATER, P4B IOR DO HS3609GI (I 90) OFF A CR8 DO HS3609W WHT LP. SERVICE WATER, P413 IOR DO HS3609W (I 90) OFF 106

• 1 APPENDIX B.3 FIRE BRIGADE COMMUNICATION SCRIPT Table 37 is a summary of the communication script between the fire brigade and the control room from the simulator exercises.

107

I Table 37: Fire Scenario In 1A4 4KV Switchgear (Fire Zone 99-M)

~,ETO; 1UN'-~~

-ICNATION X

Control Room/AO Send to check out A4 Breaker in room 99-m X + I min.

AOICR There is a fire in the A4 (North) Switchgear Room 372 el. Unit I.

X+ Y Control Room "Announce to CR and Plant that fire exists" Y + I min.

FBLICR Fire in A4-I will be FBL-reporting to locker for equipment. Staging area for this fire will be outside corridor 98 near the stairs and Cardox tank.

We will need Security assistance to maintain the door to the corridor open.

Y + 4 min.

FBL/CR Ask Security to station an officer inside the South Switchgear Room and to not allow anyone access through to the North Switchgear room.

Y+ 10 min.

FBL/CR Fire Brigade is on scene at A4 Switchgear room. No smoke or fire showing from door 46. We are preparing to enter and investigate with breathing packs.

Y + 12 min.

FBLICR Entry team is entering A4 Switchgear room with two CO2 fire extinguishers.

Y + 12 min.

CR/FBL "ill ou need off site assistance?"

Y + 12 min.

FBL/CR Off-site assistance will be needed at this time Call the fire Department.

Y + 12 min.

Entry l/FBL There is damage to breaker with smoke in the cable trays above. It is very hot in here. Can't see flame. We are using CO2 on the breaker at this time. Request that A 4 bus be de-energized.

Y + 13 min.

FBLICR Request that you de-energize A4 bus.

Y +- 14 min.

CRtFBL Is there any Indication that thisfire was Intentional-a security threat?

Y + 14 min.

FBLICR That is unknown at this time.

Y + Z' min.

CR/FBL A4 is de-energized.

Y + 19 min.

Entry I/FI3L No flames visible, but a lot of smoke and heat. It is very hot in here. Consider ventilating this room.

Y + 19 min.

FBIJCR Entry team reports no flames visible, but a lot of damage and heat. We are preparing to ventilate this room.

Y + 20 min.

Entry l/FBL We need water to cool the room and we will need a ladder to assess the cables above the breaker cubicle., Get a hose into this room to cool the damaged breaker and cables.

0 + 22 min.

Entry I/FBL The fire is much worse than we thought.

We are starting water spray. The trays above are damaged and on fire. We will need to continue cooling this breaker and assess damage to the adioining breakers.

Y + Z" min.

FBL/CR We think the fire is out. We will continue cooling the damaged breaker, and assess damage to the adjoining breakers.

108 3 Z" is when the reactor side is stable and controlled with a success path established.

I I

t

_