ML052210262
| ML052210262 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 07/22/2005 |
| From: | Progress Energy Florida |
| To: | NRC/RGN-II |
| References | |
| Download: ML052210262 (63) | |
Text
1 Crystal River Unit 3 Regulatory Conference Region II, Atlanta, GA July 22, 2005
July 22, 2005 2
Introduction -
Dale Young Description of Finding -
Mike Annacone Electrical Distribution and Plant Layout -
Steve Barkofski Response Timeline -
Dave Porter Probabilistic Safety Assessment -
Dave Miskiewicz Conclusions -
Mike Annacone Closing Remarks -
Dale Young
July 22, 2005 3
Background -
NRC Triennial Inspection O Findings related to todays presentation:
Z Single failure criteria violation for 4160V ES protective relaying.
Z B EDG lockout reset manual action not considered feasible in required time frame O Introduced during implementation of Off-Site Power and Backup Emergency Safeguards Transformer installations (1990/1993)
O Vulnerability originally recognized in Fire Study as a Fire Protection issue (Appendix R Manual Action) but not as a Single Failure Criteria Violation
July 22, 2005 4
Background -
Single Failure Issue O Modifications implemented Z Eliminating need for manual action to reset the B EDG lockout.
O Immediate extent of condition - 4160V and 480V Emergency Safeguards power distribution protective relaying and metering with no additional vulnerabilities identified O Root Cause Analysis performed:
Z Failure to perform Failure Modes Effects Analysis during OPT/BEST modifications Z Corrective Actions:
X Implement FMEA process X Detailed Extent of Condition completed with no additional vulnerabilities identified
July 22, 2005 5
Highlights of NRC Findings:
O Reliance on manual actions vs. physical separation or protection O Local Manual Action to reset B EDG Lockout not feasible:
Z Proximity to Fire location - Fire in A ES SWGR Room XFire Team entry through B ES SWGR Room requires fire door between rooms to be open, No floor drains in rooms Z Manual Action time critical - 30 minutes:
XRestoration of ventilation and cooling to Emergency Feedwater Isolation and Control (EFIC)
Z Operator arrival at B SWGR room - 25 minutes, room not yet ventilated - smoke filled, water on floor, water mist XCR3 Time validated / NRC walk-down
July 22, 2005 6
CR-3 Insights O 30 minute time requirement to re-establish EFIC room cooling is conservative.
Z Fire Study 30 minute time limit conservatively chosen for simplicity Z At least 120 minutes available Z Steam driven EFP-2 remains available O Fire Study and NRC SDP do not credit use of Auxiliary Feedwater System.
Z System free of fire damage Z FWP-7 has its own diesel generator Z Emergency Operating Procedures direct system use when EFW unavailable
July 22, 2005 7
CR-3 Insights O As a result of the above items, secondary side heat removal is not lost Z Eliminates uncertainties in Phase II evaluation regarding:
X Effectiveness of secondary side cooling following an overcooling event X Primary system response with a delay in secondary side heat removal O Only one scenario causes loss of power to Unit Auxiliary loads Z Reduces probability of normal secondary side heat removal loss
July 22, 2005 8
CR-3 Insights O At least one off-site power transformer remains available in all scenarios O EDG availability without room cooling Z Diesel has started and is running unloaded Z Engine coolant and lube oil cooling remains unaffected Z No power to EDG Room Supply Fans until ES Bus re-powered Z Engine heat raises room ambient temperature
July 22, 2005 9
Electrical Distribution and Physical Layout CR3 Energy Complex Switchyard Layout Emergency Safeguards (ES) Electrical Buses Control Complex Physical Layout Photos of the ES Switchgear Rooms Photos of the ES Switchgear Control Cubicles Fire Scenarios Mechanical / Hydraulic Time Line ES Switchgear Room Fire Model Evaluation of Auxiliary Feed Water Pump Circuits
July 22, 2005 10 500KV Switchyard One-Line Diagram
July 22, 2005 11 230KV Switchyard One-Line Diagram
July 22, 2005 12 DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005DE 13July 22, 200513Emergency Safeguards (ES) Buses Emergency Safeguards (ES) Buses DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 14 Control Complex 108 Elevation DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 15 Control Complex 108 Elevation B 4160V Switchgear (SWGR) Room DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 16 Control Complex 108 Elevation B 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 17 Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 18 Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 19 Control Complex 108 Elevation A 4160V SWGR DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 20 Control Complex 108 Elevation DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 21 Fire Scenarios O Evaluated Fire Scenarios in the A 4160V Switchgear Room Z Fire had to impact the CT relay circuits associated with a single failure issue.
Z Result in a loss of both ES Buses.
Z Require the manual action to reset the B-EDG lockout.
O Validated four cabinet fires Z Three cabinets, 3207, 3211 and EFP-1, that are located on the north section of the A ES Bus.
Z One Cabinet, 3205, located on the south section of the A ES Bus.
July 22, 2005 22 Establishing Ventilation Cooling Appendix R Fire Study Mechanical Hydraulic Timeline Identifies time critical functions to ensure safe shutdown Meeting the time line is one of the methods of establishing the feasibility of manual actions Engineering Evaluation 61671 Evaluated margin HVAC Calculation Temperature Rise timeline modeled Critical equipment design temperatures are not exceeded for 140 minutes
July 22, 2005 23 Establishing Ventilation O Summary Z For a fire in the A ES 4160V Switchgear Room, the loss of ventilation will cause the temperature to increase in the Control Complex Z Modeling of the Control Complex shows that EFIC Room equipment will not be challenged for at least 140 minutes after loss of all ventilation.
Z 120 minutes to reset lockout relay provides additional 20 minutes to restore ventilation
July 22, 2005 24 Fire Model Conditions of Habitability in the Switchgear Rooms A Fire Model was prepared by an independent consultant Modeled the conditions in the A 4160V Switchgear Room for credible fire scenarios Evaluated the habitability of the B 4160V Switchgear Room
July 22, 2005 25 Fire Model Results of the Fire Model:
No Hot Gas Layer formed Visibility restored within 60 minutes except for smoldering fire Toxic gas and oxygen levels remain acceptable in the B Switchgear Room
July 22, 2005 26 Auxiliary Feed Water Pump -
FWP-7 Auxiliary Feed Water Pump Circuits Engineering Disposition 60385 evaluated:
Power and control circuits for FWP-7 Power and control circuits for MTDG-1
Conclusions:
FWP-7 and MTDG-1 power and control circuits remain free from fire damage Can be started from the control room Aux Feed Pump #7 MTDG-1
July 22, 2005 27 Electrical Distribution and Physical Layout Summary CR3 has a robust switchyard CR3 has modified the protective relaying circuits by removing the watt-hour meter, thus removing the single failure mechanism The modeling of the control complex temperatures shows that there is time available to accomplish the manual action.
Fire modeling supports the ability of the operator to reset the lockout in the B Switchgear Room FWP-7 and its emergency power source MTDG-1 are unaffected by fires in the A Switchgear Room
July 22, 2005 28 O Five Man On-Site Brigade Z Team Leader is a Licensed Operator Z Cart Driver is a Non licensed Operator O Site Emergency Response Coordinator Z Responds to provide assistance and act as Emergency Medical Technician O Security provides scene control O Local Fire Departments Z Provides backup support Fire Response
July 22, 2005 29 Response Procedures EM-225F Long Term EFW Management Fire Begins AR-801 Fire Service A Annunciator Response AR-401 PSA F Annunciator Response AP-880 Fire Protection AI-2205A Pre-Fire Plan -
Control Complex OP-880A Appendix R Post Fire Safe Shutdown Information EOP-2 Vital System Status Verification (Reactor Trip)
EOP-12 Station Blackout EOP-14 EFWP Management AP-770 EDG Actuation
July 22, 2005 33 Control Complex - 108 Elevation DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 31 T3 - T5 Plant Response O
CR Enters Abnormal Procedure (AP) -880, Fire Protection and performs the following:
Z Sound fire alarm/muster Fire Brigade Z
Secure ventilation Z
Isolate PORV
July 22, 2005 32 T5 - T10 Plant Response O
AP-880 - Secondary Plant Operator (SPO)
Charges fire header for Control Complex O
AP-880 - CR Closes Borated Water Storage Tank (BWST) valves O
AP-880 - CR Transfers both ES 4160V Buses to Offsite Power Transformer Z
FTL will request A ES 4160V de-energization O
Fire Brigade is dressed with Primary hose charged Z
Secondary hose being charged
July 22, 2005 33 Control CompleDELETED DUE TO PROPR DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 34 O Primary team enters A ES 4160V SWGR room with fog nozzle.
Z Second nozzle man trained to carry extinguisher O Secondary team is in ready status at muster area with charged backup line O Limiting extinguishing time is smoldering fire Z Takes ~ 20 minutes to extinguish Z Requires opening upper cabinets to locate fire T10-T15 Fire Brigade Response
July 22, 2005 35 T10 -T15 Plant Response O Trip reactor if fire is impacting safe operation O Perform EOP-2, Reactor Trip, Immediate Actions Z Ensure Reactor is shut down Z Ensure Turbine valves are closed O Transition to EOP-12, Station Blackout O AP-880 Enclosure 1 CR Initiates both Trains of EFW O AP-880 Enclosure 1 CR Isolates Main feedwater and Main steam to both steam generators
July 22, 2005 36 T15-T20 Plant Response O EOP-12 CR Isolates Main Steam to both steam generators O EOP-12 Isolate losses to reactor coolant system O EOP-12 CR Ensures EFW is operating (EFP-3, EFP-2 or FWP-7)
Z FWP-7 and its diesel (MTDG-1) can be started and controlled from Control Room O EOP-12 SPO Aligns Backup air to atmospheric dump valves O EOP-12 CR Manages battery loads
July 22, 2005 37 Emergency Feedwater (EFW) and Auxiliary Feedwater (AFW) Systems
July 22, 2005 38 T20 -T35 Plant Response O OP-880A PPO aligns EFP-2 flow path to prevent spurious valve closure (T20)
O OP-880A PPO aligns EFP-3 flow path to prevent overfill (T32)
O OP-880A PPO Opens Breakers for BWST valves (T35)
O Fire is out (T35)
July 22, 2005 39 T35-T60 Plant Response O OP-880A PPO is available to reset B EDG Lockout (T-37)
Z Smoke should clear to 4 ft visibility in 20 minutes after SWGR room door is closed Z If habitability of room is impaired, the PPO has SCBA in local area and full bunker gear available in Fire Brigade dress out area Z IF B ES 4160V SWGR room is inaccessible for PPO, CR would notify FTL to have Cart Driver (Operator) perform action
July 22, 2005 40 Control Complex 108 Elevation B 4160V SWGR - South Bus DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 41 Operator Manual Action O Only two of this type lockouts in B ES 4160V SWGR room Z Second is for HPI pump ES select O Proper lockout operation provides immediate feedback (EDG output breaker closure)
Z IF lock out reset is unsuccessful, task can be re-performed O Fire brigade members are in electrically rated boots.
O High voltage gloves are staged just outside SWGR rooms
July 22, 2005 42 Operator Manual Action O Post Fire Room Conditions Z Smoke diminishing X Natural or forced ventilation Z Water in SWGR room is less than 1 X Trained to use Primary hose to divert water to hallway X Water drains to Control Complex stairwell X Water absorbing devices are on fire cart for water management Z Could be steam in atmosphere X Trained to minimize time B to A SWGR door is opened
July 22, 2005 43 Operator Manual Action O Establishing EFIC Room Cooling Z Following Power restoration XCR starts EFIC room fan (1 minute)
XSPO starts Appendix R Chiller (5 minutes)
XTotal time for EFIC ventilation restoration is less that 66 minutes from fire initiation
July 22, 2005 44 Technical Support Center O Staffed at maximum of 75 minutes O Provides support and guidance outside of EOPs and APs O EM-225F provides guidance for diverse EFW/AFW lineups (EFP-3)
O Provide guidance for electrical distribution alignment
July 22, 2005 45 Summary O Reset of B EDG lockout is feasible O Restoration of EFIC room ventilation can be accomplished well before equipment temperature limits are exceeded O Primary heat removal is maintained with EFP-2 O FWP-7 provides a readily available source of backup to emergency feedwater O EFP-3 and Offsite Power available via Technical Support Center guidance
July 22, 2005 46 PSA Model Inputs and Methodology PSA Analysis Z Fire Modeling Z Initial Conditions Z Initiator Selection Z Appendix R Procedure Impacts Z Human Reliability Analysis (HRA)
Z Core Damage Frequency Z Conservatisms Z Sensitivities
July 22, 2005 47 Fire/Smoke Model O Considered Thermal and High Energy Fires O Suppression times assumed out to 35 minutes from alarm O Habitability (Cleared) conditions based on:
Z visibility (4ft)
Z carbon monoxide (500 ppm)
Z oxygen (16%)
Z temperature (116F)
Z radiant heat flux (2.5kW/m2)
PSA Model Inputs and Methodology
July 22, 2005 48 Fire/Smoke Model O Thermal Fires Z 200kw and 65kw Z Initial Damage limited to cubicle (can propagate)
Z No hot gas layer (HGL)
Z Smoke cleared within 60 minutes for all cases except smoldering fires O High Energy Arcing Faults (HEAF)
Z All targets within 3ft (H) and 5ft (V) are failed at T=0 Z No HGL Z Smoke cleared within 60 minutes PSA Model Inputs and Methodology
July 22, 2005 49 Initial Conditions O On-line 100% power O A 4160V ES Bus aligned to OPT (BKR 3211)
O B 4160V ES Bus aligned to BEST (BKR 3206)
O Operating equipment Z MUP-1B Z RWP-1, SWP-1C (non-safety related)
Z A train HVAC PSA Model Inputs and Methodology
July 22, 2005 50 Initiator Selection O FMEA of single failure scenarios was performed O Abnormal bus alignments can be screened out based on time spent in these configurations (<1%)
O With normal bus alignment the fire must create:
Z ES A bus fault Z CT path open with ground present on ESA side of OPT circuits O Initiators limited to cubicles containing or close to the CT circuits connecting the OPT feeds to breakers 3211 & 3212 PSA Model Inputs and Methodology
July 22, 2005 51 PSA Model Inputs and Methodology DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 52 Two fire initiators modeled O Fire 1 - North Bus Breaker cubicles 3207,3211,EFP-1 Z HEAF and Thermal fires (1.86E-04/yr)
X Conservatism, HEAF in 3207 is less likely based on data X Conservatism, Thermal fire in EFP-1 cubicle needs to propagate Z Fails both ES buses at T=0 X Control Complex HVAC stops X No Makeup (incl. RCP seal injection)
X Emergency Diesels can not load due to fault X Plant trip assumed (manual or 3207 protective circuitry)
X Startup transformer continues supplying offsite power to unit loads (RWP-1, SWP-1C,RCPs, Battery Chargers, IA, MFW)
X BEST available PSA Model Inputs and Methodology
July 22, 2005 53 Two fire initiators modeled (cont.)
O Fire 2 - South Bus Breaker cubicle 3205 Z HEAF fire only (1.42E-05/yr)
XConservative, HEAF is less likely based on data Z Fails both ES buses at T=0 XControl Complex HVAC stops XNo Makeup (incl. RCP seal injection)
XEmergency Diesels can not load due to fault XLoss of Startup transformer XOPT available PSA Model Inputs and Methodology
July 22, 2005 54 Other modeled impacts due to Appendix R Fire Procedures Z EFP-3 injection lines closed and de-energized Z PORV-block closed and de-energized Z MSIVs closed, MFW tripped PSA Model Inputs and Methodology
July 22, 2005 55 HRA Impacts Z No credit for local actions outside control room X EFP-3 recovery due to HVAC X Local start/control of FWP-7 Z Reduced Credit for time critical control room actions X Early start of FWP-7 to limit RCS re-pressurization X Trip RCPs following loss of SW cooling Z Appendix R actions X Restore B ES power by resetting EGDG-1B lockout Z TSC actions X EFP-3 (if EFP-2 and FWP-7 unavailable)
X Offsite Power (if Diesel generator unavailable)
PSA Model Inputs and Methodology
July 22, 2005 56 Timeline for HRA Z
T=0 min.,
fire initiation/alarm, AP-880 Z
T=12 min.,
diagnosis compete, enter EOPs, trip RX Z
T=18 min.,
operator dispatched to perform Appendix R manual actions Z
T=35 min.,
fire extinguished Z
T=37 min., operator available to reset lockout W Typically simple action (< 1 min to perform), complicated by environmental conditions W Fire brigade members available to assist, Qualified operators W Smoke cleared @ T=60 for most cases Z
T=60 min.,
lockout reset (B 4160V power restored)
X EGDG-1B operation may be impacted Z
T=66 min., EFIC room cooling restored Z
T=75 min.,
TSC operational X Begin efforts to align offsite power if EDG unavailable Z
T=120 min., last opportunity to restore EFIC cooling Z
T=140 min., EFIC failure (ends credit for EFP-2)
X Start FWP-7 (EOP action)
X Attempt other recovery (TSC support)
Z T=200 min., Core damage 1 hr after loss of all core cooling PSA Model Inputs and Methodology
July 22, 2005 57 Appendix R Manual Action Z Timeline X Tsw
= 120 minutes X T1/2
= 12 minutes X Tm
= 48 minutes Z Probabilities X 1.0E-01 (typical screening value)
X 6.7E-02 (traditional HRA methodology, with unfavorable PSFs to account for fire condition)
X 4.4E-02 (credit applied for fire brigade assistance*)
X 2.1E-02 (unfavorable PSFs, no fire complications)
PSA Model Inputs and Methodology
July 22, 2005 58 TSC Recovery Actions Z EFP-3, (EM-225F)
X Open EFV-12,13 to feed through B train injection path X Open EFV-14,33 to feed through A train injection path Z BEST, (AP-770, OP-880A)
X Available for fire scenarios involving North A bus X Availability obvious due to continued operation of Startup Transformer X Simple control room action Z OPT, (AP-770, OP-880A)
X Available for fire scenarios involving South A bus X Availability would need to be deliberately determined X Simple control room action Z Completion any of these actions within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> from loss of core cooling (0.3)
PSA Model Inputs and Methodology
July 22, 2005 59 Conservatisms Z Fire frequencies X not all modeled fires will create the subject faults W Smoldering fires (high smoke production) are less likely to cause the fault before suppressed W propagation of low energy fires between cabinets is less likely before suppression X HEAFs in normally open breakers less likely Z 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> battery life X CR3 2004 LOOP event demonstrated > 8hrs (non-1E)
PSA Model Inputs and Methodology
July 22, 2005 60 CDF = 1.47E-07/yr Z Emergency Diesel available Z Initiating Event Frequency (2.0E-04)
Z Appendix R manual action (4.4E-02)
X Fire brigade assistance credited Z FWP-7 (EOP directed, HEP = 5.6E-03)
X Full credit for control room action Z Other recoveries (TSC support, HEP = 0.3)
X EFP-3 X Offsite power PSA Model Inputs and Methodology
PSA Model Inputs and Methodology DELETED DUE TO PROPRIETARY CONTENT
July 22, 2005 62 Conclusions O Unit Auxiliary Loads lost in only one fire scenario O At least 120 minutes available before EFIC is inoperable Z Room conditions able to be improved, or more time for dress-out Z Time for repeated attempts to reset the EDG lockout O Auxiliary Feedwater and EFP-2 remain available - secondary side heat removal not lost O EFP-3 can be restored with TSC Guidance O Operator action is simple, trained on, proceduralized, and provides immediate feedback O Fire brigade members may be used for manual action after fire out O Offsite power can be restored if EDG unavailable
July 22, 2005 63 Closing Remarks