ML052210262
| ML052210262 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 07/22/2005 |
| From: | Progress Energy Florida |
| To: | NRC/RGN-II |
| References | |
| Download: ML052210262 (63) | |
Text
Crystal River Unit 3 Regulatory Conference Region II, Atlanta, GA July 22, 2005 1
Introduction - Dale Young Description of Finding - Mike Annacone Electrical Distribution and Plant Layout - Steve Barkofski Response Timeline - Dave Porter Probabilistic Safety Assessment - Dave Miskiewicz Conclusions - Mike Annacone Closing Remarks - Dale Young 2 July 22, 2005
Background -
NRC Triennial Inspection O Findings related to todays presentation:
Z Single failure criteria violation for 4160V ES protective relaying.
Z B EDG lockout reset manual action not considered feasible in required time frame O Introduced during implementation of Off-Site Power and Backup Emergency Safeguards Transformer installations (1990/1993)
O Vulnerability originally recognized in Fire Study as a Fire Protection issue (Appendix R Manual Action) but not as a Single Failure Criteria Violation 3 July 22, 2005
Background -
Single Failure Issue O Modifications implemented Z Eliminating need for manual action to reset the B EDG lockout.
O Immediate extent of condition - 4160V and 480V Emergency Safeguards power distribution protective relaying and metering with no additional vulnerabilities identified O Root Cause Analysis performed:
Z Failure to perform Failure Modes Effects Analysis during OPT/BEST modifications Z Corrective Actions:
X Implement FMEA process X Detailed Extent of Condition completed with no additional vulnerabilities identified 4 July 22, 2005
Highlights of NRC Findings:
O Reliance on manual actions vs. physical separation or protection O Local Manual Action to reset B EDG Lockout not feasible:
Z Proximity to Fire location - Fire in A ES SWGR Room X Fire Team entry through B ES SWGR Room requires fire door between rooms to be open, No floor drains in rooms Z Manual Action time critical - 30 minutes:
X Restoration of ventilation and cooling to Emergency Feedwater Isolation and Control (EFIC)
Z Operator arrival at B SWGR room - 25 minutes, room not yet ventilated - smoke filled, water on floor, water mist X CR3 Time validated / NRC walk-down 5 July 22, 2005
CR-3 Insights O 30 minute time requirement to re-establish EFIC room cooling is conservative.
Z Fire Study 30 minute time limit conservatively chosen for simplicity Z At least 120 minutes available Z Steam driven EFP-2 remains available O Fire Study and NRC SDP do not credit use of Auxiliary Feedwater System.
Z System free of fire damage Z FWP-7 has its own diesel generator Z Emergency Operating Procedures direct system use when EFW unavailable 6 July 22, 2005
CR-3 Insights O As a result of the above items, secondary side heat removal is not lost Z Eliminates uncertainties in Phase II evaluation regarding:
X Effectiveness of secondary side cooling following an overcooling event X Primary system response with a delay in secondary side heat removal O Only one scenario causes loss of power to Unit Auxiliary loads Z Reduces probability of normal secondary side heat removal loss 7 July 22, 2005
CR-3 Insights O At least one off-site power transformer remains available in all scenarios O EDG availability without room cooling Z Diesel has started and is running unloaded Z Engine coolant and lube oil cooling remains unaffected Z No power to EDG Room Supply Fans until ES Bus re-powered Z Engine heat raises room ambient temperature 8 July 22, 2005
Electrical Distribution and Physical Layout CR3 Energy Complex Switchyard Layout Emergency Safeguards (ES) Electrical Buses Control Complex Physical Layout Photos of the ES Switchgear Rooms Photos of the ES Switchgear Control Cubicles Fire Scenarios Mechanical / Hydraulic Time Line ES Switchgear Room Fire Model Evaluation of Auxiliary Feed Water Pump Circuits 9 July 22, 2005
500KV Switchyard One-Line Diagram 10 July 22, 2005
230KV Switchyard One-Line Diagram 11 July 22, 2005
DELETED DUE TO PROPRIETARY CONTENT 12 July 22, 2005
Emergency Safeguards (ES) Buses DELETED DUE TO PROPRIETARY CONTENT 13July 22, 200513Emergency Safeguards (ES)
July 22,Buses 2005DE
Control Complex 108 Elevation DELETED DUE TO PROPRIETARY CONTENT 14 July 22, 2005
Control Complex 108 Elevation B 4160V Switchgear (SWGR) Room DELETED DUE TO PROPRIETARY CONTENT 15 July 22, 2005
Control Complex 108 Elevation B 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT 16 July 22, 2005
Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT 17 July 22, 2005
Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT 18 July 22, 2005
Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT 19 July 22, 2005
Control Complex 108 Elevation DELETED DUE TO PROPRIETARY CONTENT 20 July 22, 2005
Fire Scenarios O Evaluated Fire Scenarios in the A 4160V Switchgear Room Z Fire had to impact the CT relay circuits associated with a single failure issue.
Z Result in a loss of both ES Buses.
Z Require the manual action to reset the B-EDG lockout.
O Validated four cabinet fires Z Three cabinets, 3207, 3211 and EFP-1, that are located on the north section of the A ES Bus.
Z One Cabinet, 3205, located on the south section of the A ES Bus.
21 July 22, 2005
Establishing Ventilation Cooling Appendix R Fire Study Mechanical Hydraulic Timeline Identifies time critical functions to ensure safe shutdown Meeting the time line is one of the methods of establishing the feasibility of manual actions Engineering Evaluation 61671 Evaluated margin HVAC Calculation Temperature Rise timeline modeled Critical equipment design temperatures are not exceeded for 140 minutes 22 July 22, 2005
Establishing Ventilation O Summary Z For a fire in the A ES 4160V Switchgear Room, the loss of ventilation will cause the temperature to increase in the Control Complex Z Modeling of the Control Complex shows that EFIC Room equipment will not be challenged for at least 140 minutes after loss of all ventilation.
Z 120 minutes to reset lockout relay provides additional 20 minutes to restore ventilation 23 July 22, 2005
Fire Model Conditions of Habitability in the Switchgear Rooms A Fire Model was prepared by an independent consultant Modeled the conditions in the A 4160V Switchgear Room for credible fire scenarios Evaluated the habitability of the B 4160V Switchgear Room 24 July 22, 2005
Fire Model Results of the Fire Model:
No Hot Gas Layer formed Visibility restored within 60 minutes except for smoldering fire Toxic gas and oxygen levels remain acceptable in the B Switchgear Room 25 July 22, 2005
Auxiliary Feed Water Pump -
FWP-7 MTDG-1 Auxiliary Feed Water Pump Circuits Engineering Disposition 60385 evaluated:
Power and control circuits for FWP-7 Power and control circuits for MTDG-1
Conclusions:
FWP-7 and MTDG-1 power and control circuits remain free from fire damage Can be started from the Aux Feed Pump #7 control room 26 July 22, 2005
Electrical Distribution and Physical Layout Summary CR3 has a robust switchyard CR3 has modified the protective relaying circuits by removing the watt-hour meter, thus removing the single failure mechanism The modeling of the control complex temperatures shows that there is time available to accomplish the manual action.
Fire modeling supports the ability of the operator to reset the lockout in the B Switchgear Room FWP-7 and its emergency power source MTDG-1 are unaffected by fires in the A Switchgear Room 27 July 22, 2005
Fire Response O Five Man On-Site Brigade Z Team Leader is a Licensed Operator Z Cart Driver is a Non licensed Operator O Site Emergency Response Coordinator Z Responds to provide assistance and act as Emergency Medical Technician O Security provides scene control O Local Fire Departments Z Provides backup support 28 July 22, 2005
Response Procedures Fire Begins AR-801 AR-401 Fire Service A PSA F Annunciator Response Annunciator Response EM-225F AP-880 AI-2205A Long Term EFW Pre-Fire Plan -
Fire Protection Management Control Complex OP-880A EOP-2 Appendix R Vital System Status Verification Post Fire Safe (Reactor Trip)
Shutdown Information EOP-12 EOP-14 AP-770 Station Blackout Enclosure 7 EFWP Management EDG Actuation 29 July 22, 2005
Control Complex - 108 Elevation DELETED DUE TO PROPRIETARY CONTENT 33 July 22, 2005
T3 - T5 Plant Response O CR Enters Abnormal Procedure (AP) -880, Fire Protection and performs the following:
Z Sound fire alarm/muster Fire Brigade Z Secure ventilation Z Isolate PORV 31 July 22, 2005
T5 - T10 Plant Response O AP-880 - Secondary Plant Operator (SPO)
Charges fire header for Control Complex O AP-880 - CR Closes Borated Water Storage Tank (BWST) valves O AP-880 - CR Transfers both ES 4160V Buses to Offsite Power Transformer Z FTL will request A ES 4160V de-energization O Fire Brigade is dressed with Primary hose charged Z Secondary hose being charged 32 July 22, 2005
Control CompleDELETED DUE TO PROPR DELETED DUE TO PROPRIETARY CONTENT 33 July 22, 2005
T10-T15 Fire Brigade Response O Primary team enters A ES 4160V SWGR room with fog nozzle.
Z Second nozzle man trained to carry extinguisher O Secondary team is in ready status at muster area with charged backup line O Limiting extinguishing time is smoldering fire Z Takes ~ 20 minutes to extinguish Z Requires opening upper cabinets to locate fire 34 July 22, 2005
T10 -T15 Plant Response O Trip reactor if fire is impacting safe operation O Perform EOP-2, Reactor Trip, Immediate Actions Z Ensure Reactor is shut down Z Ensure Turbine valves are closed O Transition to EOP-12, Station Blackout O AP-880 Enclosure 1 CR Initiates both Trains of EFW O AP-880 Enclosure 1 CR Isolates Main feedwater and Main steam to both steam generators 35 July 22, 2005
T15-T20 Plant Response O EOP-12 CR Isolates Main Steam to both steam generators O EOP-12 Isolate losses to reactor coolant system O EOP-12 CR Ensures EFW is operating (EFP-3, EFP-2 or FWP-7)
Z FWP-7 and its diesel (MTDG-1) can be started and controlled from Control Room O EOP-12 SPO Aligns Backup air to atmospheric dump valves O EOP-12 CR Manages battery loads 36 July 22, 2005
Emergency Feedwater (EFW) and Auxiliary Feedwater (AFW) Systems 37 July 22, 2005
T20 -T35 Plant Response O OP-880A PPO aligns EFP-2 flow path to prevent spurious valve closure (T20)
O OP-880A PPO aligns EFP-3 flow path to prevent overfill (T32)
O OP-880A PPO Opens Breakers for BWST valves (T35)
O Fire is out (T35) 38 July 22, 2005
T35-T60 Plant Response O OP-880A PPO is available to reset B EDG Lockout (T-37)
Z Smoke should clear to 4 ft visibility in 20 minutes after SWGR room door is closed Z If habitability of room is impaired, the PPO has SCBA in local area and full bunker gear available in Fire Brigade dress out area Z IF B ES 4160V SWGR room is inaccessible for PPO, CR would notify FTL to have Cart Driver (Operator) perform action 39 July 22, 2005
Control Complex 108 Elevation B 4160V SWGR - South Bus DELETED DUE TO PROPRIETARY CONTENT 40 July 22, 2005
Operator Manual Action O Only two of this type lockouts in B ES 4160V SWGR room Z Second is for HPI pump ES select O Proper lockout operation provides immediate feedback (EDG output breaker closure)
Z IF lock out reset is unsuccessful, task can be re-performed O Fire brigade members are in electrically rated boots.
O High voltage gloves are staged just outside SWGR rooms 41 July 22, 2005
Operator Manual Action O Post Fire Room Conditions Z Smoke diminishing X Natural or forced ventilation Z Water in SWGR room is less than 1 X Trained to use Primary hose to divert water to hallway X Water drains to Control Complex stairwell X Water absorbing devices are on fire cart for water management Z Could be steam in atmosphere X Trained to minimize time B to A SWGR door is opened 42 July 22, 2005
Operator Manual Action O Establishing EFIC Room Cooling Z Following Power restoration X CR starts EFIC room fan (1 minute)
X SPO starts Appendix R Chiller (5 minutes)
X Total time for EFIC ventilation restoration is less that 66 minutes from fire initiation 43 July 22, 2005
Technical Support Center O Staffed at maximum of 75 minutes O Provides support and guidance outside of EOPs and APs O EM-225F provides guidance for diverse EFW/AFW lineups (EFP-3)
O Provide guidance for electrical distribution alignment 44 July 22, 2005
Summary O Reset of B EDG lockout is feasible O Restoration of EFIC room ventilation can be accomplished well before equipment temperature limits are exceeded O Primary heat removal is maintained with EFP-2 O FWP-7 provides a readily available source of backup to emergency feedwater O EFP-3 and Offsite Power available via Technical Support Center guidance 45 July 22, 2005
PSA Model Inputs and Methodology PSA Analysis Z Fire Modeling Z Initial Conditions Z Initiator Selection Z Appendix R Procedure Impacts Z Human Reliability Analysis (HRA)
Z Core Damage Frequency Z Conservatisms Z Sensitivities 46 July 22, 2005
PSA Model Inputs and Methodology Fire/Smoke Model O Considered Thermal and High Energy Fires O Suppression times assumed out to 35 minutes from alarm O Habitability (Cleared) conditions based on:
Z visibility (4ft)
Z carbon monoxide (500 ppm)
Z oxygen (16%)
Z temperature (116F)
Z radiant heat flux (2.5kW/m2) 47 July 22, 2005
PSA Model Inputs and Methodology Fire/Smoke Model O Thermal Fires Z 200kw and 65kw Z Initial Damage limited to cubicle (can propagate)
Z No hot gas layer (HGL)
Z Smoke cleared within 60 minutes for all cases except smoldering fires O High Energy Arcing Faults (HEAF)
Z All targets within 3ft (H) and 5ft (V) are failed at T=0 Z No HGL Z Smoke cleared within 60 minutes 48 July 22, 2005
PSA Model Inputs and Methodology Initial Conditions O On-line 100% power O A 4160V ES Bus aligned to OPT (BKR 3211)
O B 4160V ES Bus aligned to BEST (BKR 3206)
O Operating equipment Z MUP-1B Z RWP-1, SWP-1C (non-safety related)
Z A train HVAC 49 July 22, 2005
PSA Model Inputs and Methodology Initiator Selection O FMEA of single failure scenarios was performed O Abnormal bus alignments can be screened out based on time spent in these configurations (<1%)
O With normal bus alignment the fire must create:
Z ES A bus fault Z CT path open with ground present on ESA side of OPT circuits O Initiators limited to cubicles containing or close to the CT circuits connecting the OPT feeds to breakers 3211 & 3212 50 July 22, 2005
PSA Model Inputs and Methodology DELETED DUE TO PROPRIETARY CONTENT 51 July 22, 2005
PSA Model Inputs and Methodology Two fire initiators modeled O Fire 1 - North Bus Breaker cubicles 3207,3211,EFP-1 Z HEAF and Thermal fires (1.86E-04/yr)
X Conservatism, HEAF in 3207 is less likely based on data X Conservatism, Thermal fire in EFP-1 cubicle needs to propagate Z Fails both ES buses at T=0 X Control Complex HVAC stops X No Makeup (incl. RCP seal injection)
X Emergency Diesels can not load due to fault X Plant trip assumed (manual or 3207 protective circuitry)
X Startup transformer continues supplying offsite power to unit loads (RWP-1, SWP-1C ,RCPs, Battery Chargers, IA, MFW)
X BEST available 52 July 22, 2005
PSA Model Inputs and Methodology Two fire initiators modeled (cont.)
O Fire 2 - South Bus Breaker cubicle 3205 Z HEAF fire only (1.42E-05/yr)
X Conservative, HEAF is less likely based on data Z Fails both ES buses at T=0 X Control Complex HVAC stops X No Makeup (incl. RCP seal injection)
X Emergency Diesels can not load due to fault X Loss of Startup transformer X OPT available 53 July 22, 2005
PSA Model Inputs and Methodology Other modeled impacts due to Appendix R Fire Procedures Z EFP-3 injection lines closed and de-energized Z PORV-block closed and de-energized Z MSIVs closed, MFW tripped 54 July 22, 2005
PSA Model Inputs and Methodology HRA Impacts Z No credit for local actions outside control room X EFP-3 recovery due to HVAC X Local start/control of FWP-7 Z Reduced Credit for time critical control room actions X Early start of FWP-7 to limit RCS re-pressurization X Trip RCPs following loss of SW cooling Z Appendix R actions X Restore B ES power by resetting EGDG-1B lockout Z TSC actions X EFP-3 (if EFP-2 and FWP-7 unavailable)
X Offsite Power (if Diesel generator unavailable) 55 July 22, 2005
PSA Model Inputs and Methodology Timeline for HRA Z T=0 min., fire initiation/alarm, AP-880 Z T=12 min., diagnosis compete, enter EOPs, trip RX Z T=18 min., operator dispatched to perform Appendix R manual actions Z T=35 min., fire extinguished Z T=37 min., operator available to reset lockout W Typically simple action (< 1 min to perform), complicated by environmental conditions W Fire brigade members available to assist, Qualified operators W Smoke cleared @ T=60 for most cases Z T=60 min., lockout reset (B 4160V power restored)
X EGDG-1B operation may be impacted Z T=66 min., EFIC room cooling restored Z T=75 min., TSC operational X Begin efforts to align offsite power if EDG unavailable Z T=120 min., last opportunity to restore EFIC cooling Z T=140 min., EFIC failure (ends credit for EFP-2)
X Start FWP-7 (EOP action)
X Attempt other recovery (TSC support)
Z T=200 min., Core damage 1 hr after loss of all core cooling 56 July 22, 2005
PSA Model Inputs and Methodology Appendix R Manual Action Z Timeline X Tsw = 120 minutes X T1/2 = 12 minutes X Tm = 48 minutes Z Probabilities X 1.0E-01 (typical screening value)
X 6.7E-02 (traditional HRA methodology, with unfavorable PSFs to account for fire condition)
X 4.4E-02 (credit applied for fire brigade assistance*)
X 2.1E-02 (unfavorable PSFs, no fire complications) 57 July 22, 2005
PSA Model Inputs and Methodology TSC Recovery Actions Z EFP-3, (EM-225F)
X Open EFV-12,13 to feed through B train injection path X Open EFV-14,33 to feed through A train injection path Z BEST, (AP-770, OP-880A)
X Available for fire scenarios involving North A bus X Availability obvious due to continued operation of Startup Transformer X Simple control room action Z OPT, (AP-770, OP-880A)
X Available for fire scenarios involving South A bus X Availability would need to be deliberately determined X Simple control room action Z Completion any of these actions within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> from loss of core cooling (0.3) 58 July 22, 2005
PSA Model Inputs and Methodology Conservatisms Z Fire frequencies X not all modeled fires will create the subject faults W Smoldering fires (high smoke production) are less likely to cause the fault before suppressed W propagation of low energy fires between cabinets is less likely before suppression X HEAFs in normally open breakers less likely Z 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> battery life X CR3 2004 LOOP event demonstrated > 8hrs (non-1E) 59 July 22, 2005
PSA Model Inputs and Methodology CDF = 1.47E-07/yr Z Emergency Diesel available Z Initiating Event Frequency (2.0E-04)
Z Appendix R manual action (4.4E-02)
X Fire brigade assistance credited Z FWP-7 (EOP directed, HEP = 5.6E-03)
X Full credit for control room action Z Other recoveries (TSC support, HEP = 0.3)
X EFP-3 X Offsite power 60 July 22, 2005
PSA Model Inputs and Methodology DELETED DUE TO PROPRIETARY CONTENT
Conclusions O Unit Auxiliary Loads lost in only one fire scenario O At least 120 minutes available before EFIC is inoperable Z Room conditions able to be improved, or more time for dress-out Z Time for repeated attempts to reset the EDG lockout O Auxiliary Feedwater and EFP-2 remain available - secondary side heat removal not lost O EFP-3 can be restored with TSC Guidance O Operator action is simple, trained on, proceduralized, and provides immediate feedback O Fire brigade members may be used for manual action after fire out O Offsite power can be restored if EDG unavailable 62 July 22, 2005
Closing Remarks 63 July 22, 2005