L-MT-17-016, Risk-Informed Request for Exemption from 10 CFR 50, Appendix R, III.G.2 Requirements for Multiple Spurious Operations of Drywell Spray Motor-Operated Valves
| ML17096A599 | |
| Person / Time | |
|---|---|
| Site: | Monticello  |
| Issue date: | 04/06/2017 |
| From: | Gardner P Northern States Power Co, Xcel Energy |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| L-MT-17-016 | |
| Download: ML17096A599 (156) | |
Text
2807 West County Road 75 Monticello, MN 55362 800.895.4999 xcelenergy.com April 6, 2017 L-MT-17-016 10 CFR 50.12 10 CFR 50 Appendix R ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 Monticello Nuclear Generating Plant Docket No. 50-263 Renewed Facility Operating License No. DPR-22 Risk-Informed Request for Exemption from 10 CFR 50, Appendix R, III.G.2 Requirements for Multiple Spurious Operations of Drywell Spray Motor-Operated Valves In accordance with 10 CFR 50.12, Northern States Power Company, a Minnesota Corporation, doing business as Xcel Energy (hereafter NSPM), hereby requests an exemption from certain requirements of 10 CFR 50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, for the Monticello Nuclear Generating Plant (MNGP). Specifically, NSPM requests a permanent exemption from the requirements of 10 CFR 50, Appendix R, Subsection III.G.2 with respect to the physical separation of the control circuitry for the Drywell Spray (DWS) Motor-Operated Valves (MOVs). On November 17, 2016, NSPM and the NRC held a public meeting to discuss this proposed exemption for MNGP.
The design of the MNGP could result in multiple spurious operations (MSOs) of the DWS MOVs. Such an MSO event would result in a flow diversion from the credited Appendix R cooling system, potentially complicating the response to a fire. Upon identification of this condition, NSPM installed a modification which significantly reduced the risk associated with a DWS MOV MSO. This significant risk reduction, coupled with the defense-in-depth attributes of the Fire Protection Program at MNGP, form the basis for submitting this request for a risk-informed exemption in accordance with NRC Regulatory Guide (RG) 1.174, Revision 2, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis.
This request has been evaluated consistent with the key principles identified in RG 1.174 for risk-informed changes to the licensing basis and demonstrates that the risk from the proposed change is very small. Enclosure 1 to this letter contains the detailed discussions supporting the requested exemption, including a discussion of each of the key principles identified in RG 1.174.
Document Control Desk Page 2 NSPM requests review and approval of this exemption within 18 months from the date of this letter.
If there are any questions or if additional information is required, please contact Mr. Shane Jurek at (612) 330-5788.
Summary of Commitments This letter makes one new commitment and revises no existing regulatory commitments.
Within 180 days following approval of this exemption request, NSPM will institute Appendix R programmatic requirements to establish performance-based monitoring of the shorting switches installed on the control circuitry for the drywell spray outboard motor operated valves.
~~
Peter A. Gardner Site Vice President, Monticello Nuclear Generating Plant Northern States Power Company-Minnesota Enclosures (4) cc:
Administrator, Region Ill, USNRC Project Manager, Monticello, USNRC Resident Inspector, Monticello, USNRC
Page 1 of 25 ENCLOSURE 1 MONTICELLO NUCLEAR GENERATING PLANT Risk-Informed Request for Exemption from 10 CFR 50, Appendix R, III.G.2 Requirements for Multiple Spurious Operations of Drywell Spray Motor-Operated Valves
- 1.
SUMMARY
DESCRIPTION In accordance with 10 CFR 50.12, Northern States Power Company, a Minnesota Corporation, doing business as Xcel Energy (hereafter NSPM), hereby requests an exemption from certain requirements of 10 CFR 50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, for the Monticello Nuclear Generating Plant (MNGP). Specifically, NSPM requests a permanent exemption from the deterministic requirements of 10 CFR 50, Appendix R, Subsection III.G.2 with respect to the physical separation of the control circuitry for the Drywell Spray (DWS) Motor-Operated Valves (MOVs).
This exemption is requested so NSPM can take credit for an installed modification that significantly reduces the likelihood of core damage and a large release of radioactive material in the event of Multiple Spurious Operations (MSOs) of the DWS MOVs. This exemption request is supported by a Probabilistic Risk Assessment (PRA) analysis and is submitted following the guidance of Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, (Reference 1). The requested exemption meets the special circumstance of 10 CFR 50.12(a)(2)(ii) which states that, application of the regulation in the particular circumstances would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule. In this particular circumstance, application of the subject regulation is not necessary to achieve the underlying purpose of the rule.
- 2.
BACKGROUND Nuclear Management Company, LLC (NMC), a predecessor license-holder for MNGP, submitted a letter of intent to adopt a fire protection program in accordance with the guidance of NFPA-805, Performance-based Standards for Fire Protection for Light Water Reactor Electric Generating Plants in November 2005 (Reference 2). Subsequent to Reference 2, the NRC issued RG 1.189, Revision 2, Fire Protection for Nuclear Power Plants (Reference 3),
which provided an acceptable method for licensees not transitioning to NFPA-805 to meet 10 CFR 50, Appendix R with respect to, among other phenomena, MSOs. Subsequent to issuance of Reference 3, NSPM notified the NRC of its intent to no longer pursue adoption of NFPA-805 at MNGP (Reference 4). In Reference 4, NSPM stated it would address circuit issues related to MSOs in accordance with RG 1.189.
In accordance with NEI 00-01, Revision 2, Guidance for Post Fire Safe Shutdown Circuit Analysis, (Reference 5) as endorsed by the NRC in RG 1.189, Revision 2, NSPM performed an expert panel review and identified multiple MSO concerns. Modifications were subsequently installed to preclude the identified MSOs. Following installation of the initial MSO modifications,
L-MT-17-016 NSPM Page 2 of 25 a thermal hydraulic analysis was performed to bound the assumptions made in the expert panel process. Through the analysis, NSPM identified that an MSO of the DWS MOVs would result in a flow diversion that would have the potential to damage the Residual Heat Removal (RHR) pumps. In accordance with Reference 5, a component can be re-classified from Required for Safe Shutdown to Important to Safe Shutdown if it can be shown, through an engineering evaluation, that a flow diversion will not impact the required safe shutdown function. Because NSPM could not support re-classification as Important to Safe Shutdown through evaluation, the potential degradation of the RHR pumps requires classifying the DWS MOVs as Required for Safe Shutdown components. Therefore, in accordance with Appendix H to NEI 00-01, Revision 2, the requirements of 10 CFR 50, Appendix R, Subsection III.G.2, apply to the DWS MOVs at MNGP.
10 CFR 50 Appendix R Subsection III.G.2 (hereafter III.G.2) states the following:
Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided:
- a. Separation of cables and equipment and associated non-safety circuits of redundant trains by a fire barrier having a 3-hour rating. Structural steel forming a part of or supporting such fire barriers shall be protected to provide fire resistance equivalent to that of the barrier;
- b. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustible or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; or
- c. Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour fire rating. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; Upon identification that the requirements of III.G.2 applied to the DWS MOVs, NSPM installed a shorting switch modification on the control circuitry for one MOV in each division of the DWS system. NSPM determined that this modification was sufficient to preclude an MSO of the DWS MOVs, citing the on-going industry cable failure studies which preliminarily indicated that the failure mechanism could be considered incredible. The NRC reviewed the modification and assessed a non-cited violation (NCV) because, after installation of the modification, there would still exist a multiple hot short scenario for the DWS MOVs (Reference 6).
Following receipt of the NCV, NSPM re-assessed the requirements of III.G.2 with respect to the DWS MOVs. In order to meet III.G.2, NSPM would have to install modifications at MNGP to create the physical separation required to meet the regulation stated above. Such a modification would involve powering one MOV in each division from a new Motor Control Center (MCC) in a fire area different than its divisional counterpart, thereby requiring the
L-MT-17-016 NSPM Page 3 of 25 installation of new cables in dedicated conduit throughout the plant. In lieu of this modification that provides minimal safety benefit (as detailed in Section 3.3 of this enclosure), NSPM is requesting an exemption from the physical separation requirements of III.G.2 for the DWS MOVs because application of the subject regulation is not necessary to achieve the underlying purpose of the rule.
- 3.
TECHNICAL EVALUATION 3.1.
System Description
DWS is an operational mode of the RHR system at MNGP. The major equipment of the RHR system consists of two heat exchangers, four main injection pumps, and four RHR Service Water (RHRSW) pumps. The equipment is connected by associated valves and piping. A simplified drawing of the RHR system at MNGP is shown in Figure 1. Note: Figure 1 shows only the suppression pool cooling and DWS flow paths as they are the only modes of RHR pertinent to this exemption request.
Figure 1, One-Line Diagram of RHR System at MNGP Torus 13 RHR Pump 11 RHR Pump 12 RHR Pump 14 RHR Pump Division I RHR Heat Exchanger Division II RHR Heat Exchanger MO-2020 MO-2022 MO-2021 MO-2023 RHR Cross-Tie Line MO-2033 RHR-7
L-MT-17-016 NSPM Page 4 of 25 With the RHR system in the DWS mode of operation, the RHR pumps are aligned to pump water from the suppression pool through the RHR heat exchangers where cooling takes place by transferring heat to the service water. The water is then diverted through the DWS isolation valves to the spray headers in the drywell. The spray emitted from the spray headers in the drywell condenses any steam that may exist in the drywell thereby lowering containment pressure. The spray collects in the bottom of the drywell until the water level rises to the level of the pressure suppression vent lines where it overflows and drains back to the suppression pool.
In the event of a fire, suppression pool cooling is the credited operational mode of RHR. In suppression pool cooling, the RHR pumps are aligned to pump water from the suppression pool through the RHR heat exchangers. The water is then returned directly to the suppression pool. During the suppression pool cooling mode of RHR, the suppression pool is cooled and decay heat is transferred to the ultimate heat sink through at least one RHR heat exchanger and respective RHR service water system. As a minimum, one of the four RHR pumps and its associated valves must be available for remote operation regardless of the fire location.
In Division I, the DWS isolation valves are identified as MO-2020 and MO-2022, where MO-2020 is the outboard MOV and MO-2022 is the inboard MOV; in Division II, the valves are MO-2021 and MO-2023, respectively. Both Division I MOVs are powered from MCC-133, which is located in Fire Area IX. MO-2021 is powered by MCC-143 and MO-2023 is powered from MCC-142, both of which are located in Fire Area XII. Therefore, in the event of a fire in Fire Area IX for Division I (Fire Area XII for Division II), the control circuitry for both DWS MOVs in the division could potentially undergo fire-induced hot shorts leading to spurious opening of the MOVs. If both the inboard and outboard MOVs in a division spuriously opened, a flow diversion from the suppression pool cooling mode to the DWS mode of RHR would occur, thereby complicating NSPMs response to a fire at MNGP. Specifically, the flow diversion would result in lowering the drywell pressure. This has the potential to result in a loss of Containment Accident Pressure which leads to the loss of the required Net Positive Suction Head (NPSH) for the RHR pumps to perform their necessary function. Inadequate NPSH for the RHR pumps could result in an inability to adequately cool the core in the event of a fire. An MSO in either division would affect both divisions because the RHR cross-tie valves are normally kept open.
3.1.1. Installed Modification Upon identification of the potential flow diversion, NSPM installed a shorting switch on the control circuitry for the outboard DWS MOV in each Division (MO-2020 and MO-2021). This wiring configuration creates a short across the open coil when the handswitch is in the AUTO position. Wiring schematics depicting the installed configuration of the shorting switches on the control circuitry for MO-2020 and MO-2021 are included as Attachments 1 and 2, respectively.
Figure 2 below depicts a typical shorting switch schematic.
The modification, completed in 2012, installed wiring within Control Room Panel C03 between panel terminal blocks and control board control switches 10A-S9A (spring return to AUTO control switch for MO-2020) and 10A-S9B (spring return to AUTO control switch for MO-2021).
Specifically, internal panel wiring was installed from terminal point MM-52 in Control Room Panel C03 to contact terminal 4 of existing control room switch 10A-S9A (terminal point
L-MT-17-016 NSPM Page 5 of 25 DD-101 to terminal 4 of switch 10A-S9B). Internal panel wiring was also installed from terminal point MM-46 in Control Room Panel C03 to contact terminal 4T of existing control room switch 10A-S9A (terminal point DD-95 to terminal 4-T of switch 10A-S9B). During a fire event, a fire induced short on conductor 1F or conductor 1 is provided a low impedance path around the open coil, thus preventing the open coil from being energized. Placing a short around the open coil of the contactor creates a shorting circuit that will preclude both intra-cable and inter-cable hot shorts from spuriously opening valves MO-2020 and MO-2021.
The shorting circuit does not defeat the normal opening function of the valve as contact 4-4T will open when the valve control switch is placed in the OPEN position. GE type SBM switches 10A-S9A and 10A-S9B are configured to break before make which open the shorting contacts before the open contacts close, permitting no adverse impact on the normal opening operation of the valve. The shorting circuit has no interaction with the close circuit of the valve.
Therefore, it does not interfere with the closing function (either manual or automatic).
Additionally, the shorting circuit does not cause the valve to drive or return to a defined position and, therefore, does not interfere with the throttling function of the valves.
Figure 2, Simplified MOV Circuit with Shorting Switch The proper functioning of the shorting switch is completely dependent on maintaining the integrity of the shorting switch and other associated components, (e.g., terminal blocks and conductors), necessary to maintain the continuity of the shorting path. An open circuit in the
L-MT-17-016 NSPM Page 6 of 25 shorting path would eliminate the protection provided by a shorting switch in preventing a spurious operation. Even with the presence of an open circuit, a spurious operation of the component will not occur without the presence of a subsequent hot short. Specifically, for a DWS MOV MSO to occur with the shorting switch installed, an appropriately sequenced open circuit on the shorting conductor and hot short on the open conductor is required. Because these conductors are routed in the same cable, the postulated failure mechanism is an arc event that damages the shorting conductor and allows a hot conductor to come into contact with the open coil conductor.
3.1.2. Compliant Modification Upon receipt of the NCV, NSPM assessed the requirements of III.G.2 and determined the modification necessary for the DWS system to meet those requirements. This compliant modification would create the physical separation required by III.G.2 by re-powering one Division I and one Division II DWS MOV from different MCCs. Specifically, either MO-2020 or MO-2022 would be re-powered from MCC-134 which is located in Fire Area XXI, and either MO-2021 or MO-2023 would be re-powered from MCC-144 which is located in Fire Area XXII.
The compliant modification would specifically involve splicing and extending existing power cables to the new MCCs in the Emergency Filtration Train (EFT) Building from the existing MCCs in the turbine building. Additionally, the control conductors which could spuriously open the MOVs if energized would need to be protected. Protection would require running dedicated conduit for the single conductor cables from the control room to the new supply MCCs in the EFT Building. NSPM is requesting an exemption from the physical separation requirements of III.G.2 for the DWS MOVs because installation of this compliant modification is not necessary to achieve the underlying purpose of the rule.
3.2.
Fire Protection Program The MNGP Fire Protection Program, consistent with Branch Technical Position (BTP) APCSB 9.5-1, 10 CFR 50.48, 10 CFR 50 Appendix R, and supporting generic communications, is designed and implemented based on a foundation of defense-in-depth protection. The defense-in-depth consists of:
Fire Prevention - Preventing fires from starting through control of fuel and ignition sources and conditions.
Fire Detection and Suppression - Providing the capability to promptly detect any fires that may occur and the capability to promptly and effectively control and extinguish any such fire.
Protection of Safe Shutdown Capability - Providing protection for systems, structures, and components important to safety such that any fire that is not promptly detected and extinguished will not prevent the safe shutdown of the plant.
Fire Prevention: The fire prevention defense-in-depth is composed of administrative controls as well as inherent plant design features. Noncombustible materials have been used to the extent practicable in original plant design and in any subsequent plant modifications. This
L-MT-17-016 NSPM Page 7 of 25 includes structural components, as well as the use of flame-resistant electrical cable insulation.
Introduction of combustible materials into the power block is strictly controlled by administrative procedure FP-PE-CC-01, Combustible Controls, which requires fire protection team review and approval prior to the introduction of any transient combustibles exceeding established limits for that zone. Routine transient combustible inspections ensure validation and enforcement of the controls on transient combustibles. Hot work in the plant is also controlled administratively in accordance with procedure 4 AWI-08.01.02, Combustion Source Use Permit, for processes including open-flame work, cutting, welding, and grinding. Based on the above, the potential for exposure fires (in transient combustibles) and fires resulting from the introduction of ignition sources (hot work) is limited or compensatory measures are instituted.
Fire Detection and Suppression: The fire detection and suppression is installed in plant areas based primarily on the significance of the fire hazards contained within that area. Fire detection includes smoke, heat and flame detection systems that typically provide alarms to the Control Room. Suppression systems include pre-action, deluge, dry and wet pipe sprinkler systems, and Halon total-flooding suppression systems. Hydrants, hose stations and fire extinguishers are located throughout the plant to facilitate firefighting activities. The installed fire detection and automatic suppression systems, in conjunction with the fire brigade response and deployment of the available manual fire suppression features provides, reasonable assurance that a fire will be precluded from rapidly growing and involving other fire zones or areas.
Protection of Safe-Shutdown Capability: The protection of safe-shutdown capability defense-in-depth is represented by adequate fire area boundary barriers. These barriers provide reasonable assurance that a fire that is not promptly detected and not promptly controlled and suppressed will ultimately be contained within the fire area of origination. Each fire area is separated from adjacent fire areas with a barrier commensurate with the hazards of the area.
The fire barriers typically have a 3-hour fire resistance rating, including the barrier, doors, fire dampers, and penetration seals. Other barrier types, including spatial separation, are used to divide fire areas. These fire area boundaries are described in the MNGP Fire Hazards Analysis (Reference 7). The MNGP Appendix R Safe-Shutdown Analysis (Reference 8) documents the basis for achieving safe shutdown following a fire in any given fire area. The equipment lost and the equipment available has been reviewed and the actions necessary to ensure shutdown have been identified in the post-fire safe-shutdown procedures.
3.2.1 Fire Protection Features in III.G.2 Exemption Fire Areas This exemption is sought in order to credit the electrical protection of the shorting switches in lieu of the physical separation requirements of III.G.2 in the following fire areas:
Fire Area IX (Division I):
o Fire Zone 13C - 911 ft Elevation, Turbine Building East (Engineered Safeguards Feature (ESF) MCC Area) o Fire Zone 19C - 931 ft Elevation, Turbine Building East (Pipe and Cable Tray Penetration Area)
L-MT-17-016 NSPM Page 8 of 25 Fire Area XII (Division II):
o Fire Zone 19B - 931 ft Elevation, Turbine Building East (ESF MCC including EFT Cable Tunnel)
The details of combustible loading/fire severity and active fire protection features for the specific fire zones of concern are listed in Table 1. Note that both of the fire areas for which the shorting switches are sought to be credited are comprised of a number of fire zones consisting of separate compartments based on spatial separation. As described below and in MNGPs Fire Hazards Analysis, while it is assumed that components of one train may be lost, the localization of the hazards and combustibles by fire zone, combined with the separation between fire zones by spatial and barrier separation, provide reasonable assurance that fires that occur within a given zone will be confined to the fire zone of origination. Table 1 summarizes the fire protection program features in each of the applicable fire zones in this exemption. Each fire area is comprised of more than the number of fire zones listed in Table 1.
However, the shorting switches are only sought to be credited in the fire zones listed.
Table 1, Summary of III.G.2 Fire Zones Fire Area Fire Zone Fixed Combustible Loading Category Fire Detection Fixed Fire Suppression Manual Fire Suppression Adjacent Suppression Type Coverage Type Coverage Equipment Fire Zone IX 13C LOW Ionization Full Open head deluge Partial Hose Station Portable Extinguisher Open head deluge Wet Pipe Sprinkler Hose Station Portable Extinguisher 13B IX 19C LOW Ionization Full None N/A None Hose Station Portable Extinguisher 19B XII 19B LOW Ionization Full None N/A Hose Station Portable Extinguisher Hose Station Portable Extinguisher 19A As shown in Table 1, the fire zones that contain the target conductors of concern are characterized by LOW fixed combustible loading, corresponding to less than 100,000 BTU/ft2, or an equivalent fire severity of 75 minutes or less.
Summary descriptions of each of the III.G.2 Fire Zone are provided below. The combustible loading, types of combustibles, available detection and suppression, and smoke/hot gas ejection methods are identified.
Fire Area IX, Fire Zone 13C (MCC Area) exhibits a LOW combustible loading primarily consisting of cable insulation. The zone has a LOW fixed combustible load despite its small floor area of 908 ft2. This restriction on combustibles is administratively controlled by FP-PE-CC-01, Combustible Controls. Ignition sources within the fire zone include electrical cabinets, consisting mostly of MCCs and electrical panels, and an electric motor associated with Valve MO-1133, High Pressure Feedwater Line A Block Valve.
This zone has partial sprinkler coverage from an open head deluge system which, when activated, provides a water flow alarm to the control room. Additionally, the ionization detection system alarms in the control room. Both alarms provide early warning of a fire and, subsequently, an early response of the fire brigade to extinguish the fire. Smoke and hot gases can be evacuated using the open hatchway to the turbine operating floor.
If necessary, portable smoke ejectors can be used as a backup. The zone contains a
L-MT-17-016 NSPM Page 9 of 25 significant number of Division I Safe Shutdown cables. In the event of a fire in this zone, Division II Safe Shutdown Equipment would be available for Safe Shutdown.
Fire Area IX, Fire Zone 19C (Pipe and Cable Tray Penetration Area) exhibits a LOW fixed combustible loading almost exclusively consisting of cable insulation. The zone has a LOW combustible load despite its small floor area of 204 ft2. Additionally, the storage of combustibles in this fire zone is not permitted in accordance with fire protection program commitments. This restriction on combustibles is administratively controlled by FP-PE-CC-01, Combustible Controls. The zone has no fixed ignition sources. Additionally, the ionization detection system alarms in the control room thereby providing early warning of a fire and, subsequently, response of the fire brigade to extinguish the fire. Smoke and hot gases can be evacuated using normal air handling systems. If necessary, portable smoke ejectors can be used as a backup. The zone contains a significant number of Division I Safe Shutdown cables. In the event of a fire in this zone, Division II Safe Shutdown Equipment would be available for Safe Shutdown.
Fire Area XII, Fire Zone 19B (ESF MCC and EFT Tunnel) exhibits a LOW fixed combustible loading primarily consisting of cable insulation. The zone has a LOW combustible load despite its small floor area of 942 ft2. This restriction on combustibles is administratively controlled by FP-PE-CC-01, Combustible Controls. Ignition sources within the fire zone are limited to electrical cabinets, consisting mostly of MCCs and electrical panels. The ionization detection system alarms in the control room thereby providing early warning of a fire and, subsequently, response of the fire brigade to extinguish the fire. Smoke and hot gases can be evacuated using the Turbine Building ventilation system. If necessary, portable smoke ejectors can be used as a backup. The zone contains a significant number of Division II Safe Shutdown cables. In the event of a fire in this zone, Division I Safe Shutdown Equipment would be available for Safe Shutdown.
In summary, given the limited fire hazards in the fire zones containing the target conductors, and the provision of appropriate active fire protection features, combined with the compartmental and/or spatial separation between fire zones, there is reasonable assurance that in the event of a fire in any of the affected fire areas, the likelihood of fire induced damage to the target conductors would be minimal.
3.3.
Probabilistic Risk Assessment Insights This section contains a summary of the PRA analysis performed to support the exemption request. In order to determine the increase in risk incurred by continued operation with the installed modification, two variations of the Fire PRA model were evaluated: a compliant model and a variant model. The variant model represents the current as-installed and as-operated configuration of the plant. The compliant model represents the configuration of the plant as if the compliant modification discussed in Section 3.1.2 were installed.
L-MT-17-016 NSPM Page 10 of 25 3.3.1. Monticello PRA Model Rigor a) Internal Events PRA Quality The MNGP Internal Events PRA Peer Review was performed in April 2013, applying the NEI 05-04, Process for Performing Internal Events PRA Peer Reviews Using the ASME/ANS PRA Standard, process, the American Society of Mechanical Engineers (ASME) PRA Standard (ASME/ANS RA-Sa-2009) and RG 1.200, Revision 2 (Reference 9). The purpose of this review was to provide a method for establishing the technical adequacy of the PRA for the spectrum of potential risk-informed plant licensing applications for which the PRA may be used. The 2013 MNGP PRA Peer Review was a full-scope review of the Technical Elements of the internal events and internal flood, at-power PRA. Ninety-three percent of the ASME PRA Standard Supporting Requirements (SR) were found to be supportive of Capability Category II or greater.
All Facts and Observations (F&Os) Findings from the 2013 MNGP PRA Review have been resolved and determined to not affect the requested exemption. Enclosure 2 to this letter provides a summary of the Findings, including NSPMs resolution. Therefore, the MNGP Internal Events PRA was judged to meet Capability Category II consistent with RG 1.200 guidance.
b) Fire PRA Quality The MNGP Fire PRA model uses the peer reviewed Internal Events PRA model as a base logic structure. To create the Fire PRA model, the following logic was added to the Internal Events model: fire initiating events mapped to PRA equipment, fire specific human failure events, MSOs, and alternate shutdown events and equipment.
The MNGP Full-Scope Fire PRA Peer Review was performed March 2-6, 2015, applying the NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines, process, the ASME PRA Standard (ASME/ANS RA-Sa-2009) and RG 1.200, Revision 2. The purpose of this review was to establish the technical adequacy of the Fire PRA for the spectrum of potential risk-informed plant licensing applications for which the Fire PRA model may be used. The 2015 MNGP Fire PRA Peer Review was a full-scope review of all the Technical Elements of the MNGP at-power January 2015, Revision 1a, Fire PRA against all Technical Elements in Section 4 of the ASME/ANS combined PRA Standard, including the referenced internal events SRs. The Fire PRA model has since been updated thrice, and Revision 4.0 was used in the analysis performed to support this request.
For the assessment of the reviewed ASME PRA Standard SRs, 102 unique F&Os were generated by the Peer Review Team, 73 were Peer Review Findings, 28 were Suggestions, and one was considered a best practice. All Findings have been resolved and determined to not affect the requested exemption. Enclosure 3 to this letter provides a summary of the findings, including NSPMs resolution.
L-MT-17-016 NSPM Page 11 of 25 Additionally, a focused-scope peer review was performed on the Revision 4.0 Fire PRA model on December 27-30, 2016. The focused-scope peer review included High Level Requirements (HLR) FSS-C, D, G, and H of the ASME/ANS RA-Sa-2009 Standard endorsed by Revision 2 to RG 1.200. The reason this Peer Review was performed was that enhanced fire modeling methods were used for the first time during development of RAI responses for an unrelated license amendment request. The scope of the peer review was limited to the evaluation of the implementation of a new method for determining target damage in the Fire PRA. Because this was determined to be a methodology change with a potential for open questions, a focused-scope peer review was performed.
For the assessment of the reviewed ASME PRA Standard SRs, two F&O Findings were identified. NSPM has subsequently resolved the Findings and determined that their resolutions do not affect the requested exemption. Enclosure 4 to this letter provides a summary of the Findings, including NSPMs resolution.
Therefore, the technical adequacy of the Fire PRA model with respect to applying to this exemption has been determined to be acceptable.
3.3.2. Compliant Model The compliant model used Fire PRA model, Revision 4.0, all associated files, and software used from the Fire Quantification notebook. The compliant model was used where the DWS MOV MSO is assumed to not occur in any fire. This is conservative because any modification, including one that is compliant with III.G.2, is assumed to not have a failure probability of zero.
3.3.3. Variant Model The variant model was created by modifying the Revision 4.0 Fire PRA model to include the possibility of a DWS MOV MSO. The model modification included cable selection, which determined the conductors/cables which could potentially cause a DWS MOV MSO. Those cables were then mapped to PRA model basic events that fail the MOVs open. The cables were also mapped to their associated raceways which are associated with fire zones in the plant which in turn were linked to fire scenarios modeled in the Fire PRA. Circuit failure mode likelihood and shorting switch failure rates are also applied. If a DWS MOV MSO were to occur, the following functions were assumed to have failed:
All RHR functions except DWS due to flow diversion:
o Torus Cooling (which fails High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) suction from the torus) o Low Pressure Coolant Injection (LPCI) o Shutdown Cooling o Torus Spray (not credited in the MNGP PRA model)
L-MT-17-016 NSPM Page 12 of 25 Core Spray Alternate injection with Condensate Service Water (CSW), the Fire Protection System (FPS), or RHRSW through the LPCI piping Primary Containment Figure 3 illustrates the revised fault tree logic described in this paragraph. All fault tree gates that were added during this calculation are shaded in gray to make them more visible in Figures 3-5. The variant Fire PRA model was modified to include new logic: a new OR gate, R-DWS-MSO, was added and below that two new AND gates, R-DWS-MSO-DIV1 and R-DWS-MSO-DIV2, were added. New Basic Events RVMMO2020L, RVMMO2021L, RVMMO2022L, and RVMMO2023L were also added to model spurious opening of MO-2020, MO-2021, MO-2022, and MO-2023, respectively. The two DWS potential pathways are under a single OR gate. Each DWS MOV is ANDed with a hot short probability. The valves with a shorting switch installed (MO-2020 and MO-2021) use a failure probability of 1.0E-03 whereas the valves without shorting switches (MO-2022, and MO-2023) use the hot short probability, 0.39, from NUREG/CR-7150, Joint Assessment of Cable Damage and Quantification of Effects from Fire, (Reference 10). Gates R-MO-2020-SS, R-MO-2021-SS, R-MO-2022, and R-MO-2023 are AND gates since the FRANX software automatically fails basic events RVMMO2020L, RVMMO2022L, RVMMO2021L, and RVMMO2023L if the associated cables are affected by a fire. These probabilities were added to the fault tree logic instead of the FRANX database to provide more clarity for review. There is no need for a unique shorting switch and/or Circuit Failure Mode Likelihood Analysis (CFMLA) basic event names since only one train of DWS valves must spuriously open to true out the DWS MOV logic top R-DWS-MSO.
This new R-DWS-MSO gate, as shown in Figure 3, was placed under the following existing gates which directly fails the listed functions below:
- 1. TE_TORCLG, TORUS COOLING UNAVAILABLE. This gate will fail torus cooling due to flow diversion.
- a. Failing the torus cooling gate directly fails the following gates/functions:
- i. H029-L, HPCI SUCTION FROM THE TORUS NOT AVAILABLE LONG TERM ii. TE_HPCI-ATWS, HPCI UNAVAILABLE (ATWS) iii. I018-L, RCIC SUCTION FROM TORUS UNAVAILABLE LONG TERM
- 3. TE_SDC, SHUTDOWN COOLING NOT AVAILABLE. This gate will fail SDC due to flow diversion.
- 4. C002 and C039, CORE SPRAY LOOP A and B NOT AVAILABLE.
L-MT-17-016 NSPM Page 13 of 25 Figure 3, Drywell Spray MOV Logic
CROSSTIE DURING SBO. A new gate (FAIL-LPCI-FLOW-PATH) under DFP-HRS-SBO was created that will fail the LPCI flow path for DFP injection if gates R-DWS-MSO or R018-SBO (LPCI PATH UNAVAILABLE FOR DFP CROSSTIE DURING SBO, NO FIRE) are true.
- 6. TE_FIRXINJ, FIRE WATER INJECTION THROUGH LPCI CROSSTIE NOT AVAILABLE. This gate will fail fire water injection through LPCI due to flow diversion.
This gate will fail RHRSW injection through LPCI due to flow diversion.
- 8. R209, CSW INJECTION FLOW PATH THROUGH LPCI NOT AVAILABLE. This gate will fail CSW injection through LPCI due to flow diversion.
EITHER DIV I/II DWS SPURIOUSLY OPENS DUE TO FIRE R-DWS-MSO DIV I DRYWELL SPRAY SPURIOUSLY OPENS DUE TO FIRE DIV II DRYWELL SPRAY SPURIOUSLY OPENS DUE TO FIRE MO-2020 OPENS BY FAILING SHORTING SWITCH AND OPENING VALVE MO-2022 FAILS OPEN WITH CFMLA RHR MOV MO-2020 FAILS TO REMAIN CLOSED SHORTING SWITCH CIRCUIT IS OPENED RHR MOV-2022 FAILS TO REMAIN CLOSED CFMLA PROBABILITY OF MO-2020, 2021, 2022, &
2023 PER TABLE 8-1 CFMLA NOTEBOOK R-DWS-MSO-DIV1 R-DWS-MSO-DIV2 R-MO-2020-SS R-MO-2022 NOTE: Division I logic is representative of Division II Logic. Division II logic is not shown for clarity.
RVMMO2020L SHORT-SWITCH RVMMO2022L CFMLA-MO-2020123 1.07E-06 1.00E-03 1.07E-06 3.90E-01
L-MT-17-016 NSPM Page 14 of 25
- 9. The following Alternate Shutdown (ASD) functions were failed separately in the Fire PRA model since they have different gate names on the ASD side of the Fire PRA model.
- a. F-ASD-RHR-TORUS, FAILURE OF RHR (TORUS) FOR ASD.
- b. F-ASD-CS-FAIL, CORE SPRAY LOOP B NOT AVAILABLE DURING ASD.
Figure 4 illustrates the new logic that was added to model a single RHR pump failing due to run-out. The Division I logic illustrated in Figure 4 is representative of the Division II logic changes described below.
Figure 4, Division I RHR Pump Runout Logic RHR DIV I PUMPS NOT AVAILABLE (DWS, SDC, SPC)
GATE ADDED TO PREVENT CIRCULAR LOGIC WITH GATES BELOW RHR DIV I PUMPS NOT AVAILABLE (DWS, SDC, SPC)
RHR PUMP P-202A NOT AVAILABLE RHR PUMP P-202A RUN OUT DUE TO FIRE MSO RHR PUMP P-202C NOT AVAILABLE RHR PUMP P-202C RUN OUT DUE TO FIRE MSO RHR PUMP P-202D NOT AVAILABLE RHR PUMP P-202A NOT AVAILABLE RHR PUMP P-202D NOT AVAILABLE RHR PUMP P-202C NOT AVAILABLE EITHER DIV I/II DWS SPURIOUSLY OPENS DUE TO FIRE WITH RHR PUMP FAILURE RHR PUMP P-202B NOT AVAILABLE EITHER DIV I/II DWS SPURIOUSLY OPENS DUE TO FIRE WITH RHR PUMP FAILURE RHR PUMP P-202B NOT AVAILABLE R061-CIRC-LOGA R061-CIRC-LOGC R048 R049 R054 R050-RO R055-RO R062 R062 R-DWS-MSO R-DWS-MSO R054 R067 R067 R049
L-MT-17-016 NSPM Page 15 of 25
- a. Under gate R048, RHR DIV I PUMPS NOT AVAILABLE (DWS, SDC, SPC), two OR gates were added for the failure of each pump in Division I. Under one OR gate is the gate for the P-202A normal pump failures (R049) and an AND gate with the following inputs: R-DWS-MSO, R054, R062, and R067 (DWS MOV spuriously opens with normal failures of the other three RHR pumps). Under the other OR gate is the gate for the P-202C normal pump failures (R054) and a AND gate with the following inputs: R-DWS-MSO, R049, R062, and R067.
- b. Under gate R061, RHR DIV II PUMPS NOT AVAILABLE (DWS, SDC, SPC), two OR gates were added for the failure of each pump in Division II. Under one OR gate is the gate for the P-202B normal pump failures (R062) and a AND gate with the following inputs: R-DWS-MSO, R049, R054, and R067 (normal failures of the other three RHR pumps). Under the other OR gate is the gate for the P-202D normal pump failures (R067) and a AND gate with the following inputs:
R-DWS-MSO, R049, R062, and R054.
The following logic was added to model containment failure due to under pressure due to spurious DWS injection into a hot low pressure drywell. Gate CONTISO was changed to an OR gate instead of equivalence gate with only BREACH underneath it. Therefore the spurious operation of DWS (gate R-DWS-MSO) and failure of either set of vacuum breakers (gates 8_IND_DW_WW_FO and WW_TO_SCT-FAIL_TO_OPEN) causes a breach of containment.
This logic is illustrated in Figure 5. Common cause was included in the model but excluded in Figure 5 for clarity. Data for these independent and common cause failures of the vacuum breakers were taken from the NRCs 2010 Parameter Estimates Spreadsheet and the NRCs CCF Parameter Estimations, 2012 Update.
L-MT-17-016 NSPM Page 16 of 25 Figure 5, Containment Failure Logic ALL 8 INDIVIDUAL DW TO WW VACUUM BREAKERS FAIL TO OPEN AO-2380 AND DWV-8-1 FAIL TO OPEN AO-2379 AND DWV-8-2 FAIL TO OPEN BOTH WW TO SCT PATHS FAIL TO OPEN EITHER DIV I/II DWS SPURIOUSLY OPENS DUE TO FIRE EITHER SET OF VACUUM BREAKERS FAILS TO OPEN Vent path open between containment and outside CONTAINMENT FAILS DUE TO DWS SPURIOUSLY STARTING AND CAUSING VACUUM Failure of Containment Isolation CONTISO BREACH G394 R-DWS-MSO DW-WW-SCT_FAIL_TO_OPEN 8_IND_DW-WW_FO WW_TO_SCT-FAIL_TO_OPEN VACUUM BREAKER AO-2382A FAILS TO OPEN NVBA2382AN 2.24E-04 VACUUM BREAKER AO-2382F FAILS TO OPEN NVBA2382FN 2.24E-04 VACUUM BREAKER AO-2382B FAILS TO OPEN NVBA2382BN 2.24E-04 VACUUM BREAKER AO-2382G FAILS TO OPEN NVBA2382GN 2.24E-04 VACUUM BREAKER AO-2382C FAILS TO OPEN NVBA2382CN 2.24E-04 VACUUM BREAKER AO-2382H FAILS TO OPEN NVBA2382HN 2.24E-04 VACUUM BREAKER AO-2382E FAILS TO OPEN NVBA2382EN 2.24E-04 VACUUM BREAKER AO-2382K FAILS TO OPEN NVBA2382KN 2.24E-04 AO2379_DWV-8-2_OPEN AO2380_DWV-8-1_OPEN AIR OPERATED VALVE AO-2379 FAILS TO OPEN NVAAO2379N 1.10E-03 VACUUM BREAKER DWV-8-2 FAILS TO OPEN NVBDWV8-2N 2.24E-04 AIR OPERATED VALVE AO-2380 FAILS TO OPEN NVAAO2380N 1.10E-03 VACUUM BREAKER DWV-8-1 FAILS TO OPEN NVBDWV8-1N 2.24E-04
L-MT-17-016 NSPM Page 17 of 25 In addition to the logic changes described above, the following modifications were made to the Fire PRA FRANX tables to model the cable failures that will cause spurious opening of the DWS MOVs:
- 1. The Component_to_BE table was updated with the following lines to map the component to the basic event:
Component:Normal Position:Desired Position ToEvent ToType 1
MO-2020:Closed:Closed RVMMO2020L 0
2 MO-2021:Closed:Closed RVMMO2021L 0
3 MO-2022:Closed:Closed RVMMO2022L 0
4 MO-2023:Closed:Closed RVMMO2023L 0
- 2. The Cable_to_Component table was updated with the following lines to map the cable to component failure:
Cable ToEvent ToType 1
B3339-C03/1 MO-2020:Closed:Closed 1
2 C03-C32/20 MO-2020:Closed:Closed 1
3 B4339-C03/1 MO-2021:Closed:Closed 1
4 C03-C33/17 MO-2021:Closed:Closed 1
5 B3309-C03/1 MO-2022:Closed:Closed 1
6 C03-C32/14 MO-2022:Closed:Closed 1
7 B4209-C03/1 MO-2023:Closed:Closed 1
8 C03-C33/11 MO-2023:Closed:Closed 1
- 3. In order to update the model to reflect the assumption that all fires in the control room would fail the shorting switches, the FireImpact table was updated with the following lines:
Scenario Item ItemType Excluded Added All Main Control Room Fires SHORT-SWITCH BE FALSE TRUE
- 4. The FireAlteredBE table was updated with the following lines to alter the shorting switch basic event to a new event with a 0.39 failure probability:
Scenario BE Event All Main Control Room Fires SHORT-SWITCH SHORT-SWITCH-C-03 3.3.4. Results of Risk Analyses To quantify the significance of a DWS MOV MSO in terms of Core Damage Frequency (CDF) and Large Early Release Frequency (LERF), the variant model was compared to the compliant model. The difference between the variant model and the compliant model is the most bounding scenario because the compliant model assumes a DWS MOV MSO is impossible, which is the best possible outcome of any modification. Convergence truncation for the MNGP Revision 4.0 Fire PRA is 1E-11 for CDF and 1E-12 for LERF. Therefore, those truncations
L-MT-17-016 NSPM Page 18 of 25 were used in this analysis. The CDF and LERF values reported here were taken using quantifications run on NSPM computers using software versions that were vetted using NSPMs Software Quality Assurance program. Per PRA good practice, basic event checks, circular logic checks, and significant cutset reviews were performed to ensure that the results were appropriate. Table 2 displays the final CDF and LERF values from the quantifications discussed in this section.
Table 2, Final Quantification Results Fire PRA Model CDF LERF Variant Model 5.18E-05 6.30E-06 Compliant Model 5.18E-05 6.28E-06 Risk Change ()
1.81E-08 1.37E-08 RG 1.174 Thresholds ()
1.0E-06 1.0E-07
- All calculated values in this table were rounded to two significant figures for clarity.
The results of the analysis identify that the increase in risk associated with continued operation with only the shorting switches installed over installing the compliant modification is well below the thresholds established in RG 1.174 for CDF and LERF. Therefore, the proposed exemption will result in very small increase in risk as defined in RG 1.174.
Additionally, NSPM determined the safety benefit achieved by installing the shorting switches on MO-2020 and MO-2021. Because the compliant model assumes that a DWS MOV MSO is impossible, the variant model was further modified to determine the results. Specifically, the basic event representing shorting switch failure (SHORT-SWITCH) was changed from 1.0E-03 to 0.39, which is the CFMLA probability for MO-2020 and MO-2021. This modification to the variant model results in the ability to calculate the CDF and LERF assuming that a DWS MOV MSO is possible and that the shorting switches are not installed. The results of this sensitivity analysis are shown in Table 3.
Table 3, Risk Reduction Achieved through Installation of Shorting Switches Fire PRA Model Description CDF LERF Change from Compliant Model Change from Modified Variant Model CDF LERF CDF LERF Compliant Model DWS MOV MSO is Impossible 5.18E-05 6.28E-06 N/A N/A 3.66E-06 1.76E-06 Variant Model Shorting Switches Installed and DWS MOV MSO is Possible 5.18E-05 6.30E-06 1.81E-08 1.37E-08 3.64E-06 1.75E-06 Modified Variant Model Shorting Switches not Installed and DWS MOV MSO is Possible 5.54E-05 8.04E-06 3.66E-06 1.76E-06 N/A N/A
- All calculated values in this table were rounded to two significant figures for clarity.
Table 3 shows that the installation of the shorting switches has already resulted in a decrease of CDF of 3.64E-06, and a decrease in LERF of 1.75E-06 from their pre-modification values.
Further modification of MNGP to meet III.G.2 as described in Section 3.1.2 of this enclosure would only result in a further decrease in CDF of 1.81E-08 and a further decrease in LERF of 1.37E-08. This indicates that, through the installation of the shorting switches, NSPM has
L-MT-17-016 NSPM Page 19 of 25 already achieved 99.5% of the total possible risk reduction in terms of CDF and 99.4% of the total possible risk reduction in terms of LERF. Further modification of the plant to be fully compliant with III.G.2 is not necessary to achieve the underlying purpose of the rule.
3.3.5. Model Conservatisms The results for CDF and LERF discussed in Section 3.3.4 are inherently conservative because of the following assumptions in the analysis:
The model assumes that open circuit failures are a credible failure mechanism. This is conservative because, in accordance with Reference 11, open circuit failures are typically not considered because the fire would have to exceed the melting point of the conductor.
The model assumes a failure probability of 1.0E-03 for the shorting switches in the variant model. The 1.0E-03 failure probability is considered bounding due to the unlikely combination and timing of concurrent failures required to fail a shorting switch. This value for the failure probability of shorting switches has been used by TVA and Entergy for amendments at Browns Ferry and Arkansas Nuclear One. The NRC approved those amendments in References 12 and 13, respectively. The configuration of the MOV control circuitry at MNGP is substantially similar to that at Browns Ferry and Arkansas Nuclear One. Therefore, the use of a failure probability of 1.0E-03 is appropriate for the MNGP shorting switches.
The model assumes that all 180 postulated control room fires can fail the shorting switches. This is conservative because only five of the postulated control room fires directly affect the C-03 panel where the shorting switches are located.
The model assumes that the RHR pumps are running at the time of the MSO event.
This is conservative because if the RHR pumps are not running when the DWS MOV opens, a flow diversion would not occur.
The model assumes that there is no injection from the torus via Core Spray, RHR, HPCI, or RCIC during a DWS MSO because it assumes that there is an immediate loss of Containment Accident Pressure (CAP) in an MSO event. This is conservative because loss of CAP is a long-term issue that occurs when the torus heats up to boiling temperatures that effect pump NPSH. The CAP issue could be mitigated by putting the RHR heat exchanger into service. Placing the RHR heat exchanger in service is not credited in the model.
The model does not take credit for operator manual actions that could potentially reduce the significance of a fire event.
L-MT-17-016 NSPM Page 20 of 25 3.4.
Regulatory Guide 1.174 Considerations This request has been evaluated consistent with the key principles identified in RG 1.174 for risk-informed changes to the licensing basis and demonstrates that the risk from the proposed change is very small. The evaluation with respect to these principles is summarized below.
3.4.1 The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change The requested licensing action is an exemption from III.G.2.
3.4.2 The proposed change is consistent with the defense-in-depth philosophy The philosophy of defense-in-depth is established in the NRCs regulations and guidance documents concerning fire protection. 10 CFR 50, Appendix R explicitly states that the philosophy of defense-in-depth shall be extended to fire protection in fire areas important to safety with the following objectives: to prevent fires from starting; to detect rapidly, control, and extinguish promptly those fires that do occur; and to provide protection for structures, systems and components important to safety so that a fire that is not promptly extinguished by the fire suppression activities will not prevent the safe shutdown of the plant. Section 3.2 of this enclosure describes how the MNGP fire protection program implements the defense-in-depth philosophy.
The proposed change does not affect the first two tiers of defense-in-depth of the fire protection program. The MNGP fire protection program will not be modified with respect to controlling ignition sources and combustible loads in the plant thereby continuing to prevent fires from starting. Furthermore, the MNGP fire detection and suppression systems are not affected by this change, thereby continuing to provide the ability to rapidly detect and extinguish fires once ignited. This change does have the potential to affect the third tier of fire protection defense-in-depth in that a MSO of the DWS MOVs could potentially complicate the ability to achieve and maintain safe shutdown during a fire. However, as described in Section 3.2 of this enclosure and the MNGP safe shutdown analyses, a means of ensuring safe shutdown can be reached and maintained remains in the event of a fire in any plant fire area.
Although this request potentially degrades the ability to achieve and maintain shutdown during a fire event, the PRA analysis in Section 3.3 of this enclosure demonstrates there is a very small risk associated with the exemption and the additional tiers of fire protection defense-in-depth are unaffected. Thus, multi-layered, diverse and redundant means for protecting the public health and safety are preserved when implementing the proposed change. Therefore, the proposed change is consistent with the defense-in-depth philosophy established in 10 CFR 50, Appendix R.
3.4.3 The proposed change maintains sufficient safety margins The design and installation of the shorting switches was completed consistent with the applicable codes and standards in accordance with the MNGP licensing basis. The safety analyses were not impacted by the installation of the switches and are not impacted by this
L-MT-17-016 NSPM Page 21 of 25 request. The proposed change does not further modify the design or function of the installed shorting switches. Therefore, the proposed change maintains sufficient safety margins.
3.4.4 When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commissions Safety Goal Policy Statement.
The intent of the Commissions Safety Goal Policy statement is to ensure that the risk associated with living or working near a nuclear power plant is acceptably low. The Commission has since quantified in RG 1.174 acceptably low risk as increases of less than 1.0E-06 and 1.0E-07 for CDF and LERF, respectively. As shown in Table 3, the increase in risk is limited to 1.81E-08 for CDF and 1.37E-08 for LERF, both of which are considered very small in accordance with RG 1.174. Therefore, the proposed change results in a small increase in risk and is consistent with the Commissions Safety Goal Policy Statement.
3.4.5 The impact of the proposed change should be monitored using performance measurement strategies.
Upon installation of the shorting switches in 2012, NSPM performed post-maintenance testing to ensure the switches were installed in accordance with the approved design and the DWS MOVs continued to operate as expected. This post-maintenance testing consisted of the following:
For MO-2020, the resistance across contacts 4-4T in switch 10A-S9A was measured prior to installation of the shorting switch and was determined to be 0.2 ohms. After installation of the shorting switch, the resistance was measured across terminal strip points MM-46 and MM-52 and was found to be 0.2 ohms. The unchanged pre-and post-maintenance results indicate minimal resistance at the wire terminals and, therefore, acceptable installation of the wires. Similarly for MO-2021, the pre-installation resistance across contacts 4-4T in switch 10A-S9B was compared to that of the post-installation resistance across terminal strip points DD-95 and DD-101 and installation was determined to be acceptable.
Following installation of the shorting switches, MO-2020 and MO-2021 were exercised in the open and close directions. Both valves stroked open and closed within the acceptance criteria established in MNGP procedures.
NSPM will continue to regularly exercise the DWS MOVs in accordance with the MNGP MOV Program. The MOV Program, as modified by ASME Code Case OMN-1-1, has been accepted by the NRC as providing an acceptable level of quality and safety for the testing of all MOVs within the program scope. NSPM will institute Appendix R programmatic requirements to establish performance-based monitoring of the shorting switches installed on the control circuitry for the drywell spray outboard motor operated valves. This testing will ensure the shorting switches continue to provide the required electrical protection without hampering the DWS MOVs ability to open or close.
Furthermore, the reliability and availability of the DWS MOVs are monitored under the MNGP Maintenance Rule Program. If the pre-established reliability or availability performance criteria
L-MT-17-016 NSPM Page 22 of 25 are exceeded for the DWS mode of RHR, the operational mode is considered for 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants, paragraph (a)(1) actions, requiring increased management attention and goal setting in order to restore their performance (i.e., reliability and availability) to an acceptable level. The performance criteria are based on PRA input and, therefore, are a means to gain risk insights for the DWS mode of RHR relative to the overall plant risk.
In summary, NSPM has adequately installed and tested shorting switches on valves MO-2020 and MO-2021. The expected resistance was found across the shorting switches and the valves were demonstrated to both open and close within the acceptance criteria during post-maintenance testing. MO-2020 and MO-2021 are regularly exercised in accordance with the MNGP MOV Program. NSPM will institute Appendix R programmatic requirements to establish performance-based monitoring of the shorting switches installed on the control circuitry for the drywell spray outboard motor operated valves. In addition to the MOV Program, MNGPs Maintenance Rule Program monitors the risk associated with inoperability of the RHR system as a whole, including the DWS operational mode. Therefore, the impact of the proposed change will be monitored using performance measurement strategies.
- 4.
JUSTIFICATION FOR EXEMPTION 10 CFR 50.12, Specific Exemptions, states that the NRC may grant exemptions from the requirements of the regulations of 10 CFR Part 50 provided the following are met: (1) the exemption is authorized by law; the exemption will not present an undue risk to the health and safety of the public; and the exemption is consistent with the common defense and security; and (2) special circumstances are present. The requested exemption to allow MNGP to take credit for the installation of a shorting switch on the outboard DWS MOVs control circuity in lieu of meeting the deterministic physical separation requirements of III.G.2 satisfies these criteria as described below.
Criterion 1
- 1. This exemption is authorized by law The physical separation requirements in 10 CFR 50 Appendix R, Subsection III.G.2 were adopted at the discretion of the NRC with its statutory authority. No statute required the NRC to adopt these requirements. Additionally, the NRC has the authority under 10 CFR 50.12 to grant exemptions from the requirements of 10 CFR 50 upon showing proper justification. Therefore, this exemption is authorized by law.
- 2. This exemption will not present an undue risk to public health and safety As previously discussed, the increase in risk associated the proposed change is significantly less than the limits specified in RG 1.174 for CDF and LERF. The limits in RG 1.174 were established based on subsidiary objectives derived from the safety goals and quantitative health objectives of the 1986 NRC Safety Goal Policy Statement, and were determined to represent an acceptable level of risk. The requested exemption results in a very small increase in risk that is less than what the
L-MT-17-016 NSPM Page 23 of 25 NRC has established as acceptably low. Therefore, the exemption will not present undue risk to public health and safety.
- 3. This exemption is consistent with common defense and security To ensure that the common defense and security are not endangered, the exemption request must demonstrate that the loss or diversion of special nuclear material (SNM) is precluded. NSPM has processes in place that provide protection for the public from diversion of SNM that is licensed to be possessed on site. These systems and processes are those embodied in the Physical Security Plan, Radioactive Material Security Plan, and the Security Implementing Procedures. The exemption request contained herein does not involve or affect the systems and processes contained in those documents/programs. Therefore, this exemption is consistent with the common defense and security.
Criterion 2 Special Circumstances Support the Issuance of an Exemption 10 CFR 50.12(a)(2) states that the NRC will not consider granting an exemption from the regulations unless special circumstances are present. The requested exemption meets the special circumstance of 10 CFR 50.12(a)(2)(ii) which states that, application of the regulation in the particular circumstances would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule. In this particular circumstance, application of the subject regulation is not necessary to achieve the underlying purpose of the rule.
The underlying purpose of 10 CFR 50, Appendix R, is to provide reasonable assurance that safe shutdown of the reactor can be achieved and maintained in the event of a single postulated fire in any plant area. Circuits that could cause maloperation or prevent the operation of redundant trains for post-fire safe-shutdown and that are located in the same fire area must be protected in accordance with III.G.2. The intent of III.G.2 is to ensure that one safe-shutdown equipment train remains free of fire damage, and several options are provided to establish a level of protection that provides reasonable assurance of meeting that requirement. If such protection is not provided, an exemption from III.G.2 must be requested.
For the fire areas for which this exemption is requested (Fire Areas IX and XII), MNGP is required to comply with 10 CFR 50 Appendix R. The deterministic requirements of III.G.2 mandate that, using one of the options given, the redundant trains should be adequately separated and protected, such that in the event of a fire in that fire area, at least one train will remain free of fire damage. Contrary to the requirement, the control circuitry for the DWS MOVs is not physically separated in accordance with one of the options given in III.G.2.
As described above, the intent of III.G.2 has been met by means other than the deterministic physical separation requirements. Instead, the shorting switch modification provides electrical protection from the MSO of concern by providing a low impedance path around the open coil for postulated hot shorts. The safety benefit of the shorting switches is demonstrated by the fact that their installation reduced overall plant risk by virtually the same amount as the
L-MT-17-016 NSPM Page 24 of 25 compliant modification when compared to baseline CDF and LERF. The additional safety benefit achieved by installing the compliant modification to meet the deterministic requirements of III.G.2 is very small, as defined by RG 1.174. Therefore, in accordance with the guidance of RG 1.174 and the NRCs Safety Goal Policy Statement, continued operation with only the shorting switches installed provides an adequate level of protection to the health and safety of the public. Thus, the shorting switches should be considered an acceptable alternative to meeting the deterministic requirements of III.G.2.
The installed shorting switches along with the risk information presented herein provide an acceptable alternative to the regulation. No demonstrable fire/nuclear safety benefit would be gained by the installation of additional modifications to comply with III.G.2 in lieu of crediting the shorting switches as the credible and reliable means of achieving and maintaining safe-shutdown conditions. Therefore, the underlying purpose of the rule, which is to provide reasonable assurance that safe shutdown of the reactor can be achieved and maintained in the event of a single postulated fire in any plant area, is satisfied and the application of the deterministic requirements of III.G.2 in these particular circumstances is not necessary to achieve the underlying purpose of the rule.
- 5.
CONCLUSION NSPM is requesting an exemption from the physical separation requirements of 10 CFR 50, Appendix R, Section III.G.2, for the control circuitry of the DWS MOVs at the MNGP. A shorting switch was installed on the control circuitry of the outboard MOV in each division of DWS, thereby significantly reducing the probability of core damage or a release of radioactivity in the event of a fire. This request is a risk-informed application for a change to the licensing basis, and was prepared in accordance with guidance of RG 1.174. The increase in risk is very small as defined by RG 1.174 and meets each of the five key principles of a risk-informed application described in RG 1.174. Furthermore, the requested exemption meets the requirements of 10 CFR 50.12 in that it is authorized by law, will not present an undue risk to the health and safety of the public, is consistent with the common defense and security, and special circumstances are present.
- 6.
REFERENCES
- 1. NRC Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated May 2011 (Agencywide Documents Access and Management System (ADAMS)
Accession No. ML100910006).
- 2. Letter from NMC to NRC, Letter of Intent to Transition to 10 CFR 50.48(c) - National Fire Protection Association Standard NFPA 805, Performance-based Standards for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 Edition, dated November 30, 2005 (ADAMS Accession No. ML053460342).
- 3. NRC Regulatory Guide 1.189, Fire Protection for Nuclear Power Plants, Revision 2, dated October 2009 (ADAMS Accession No. ML092580550).
L-MT-17-016 NSPM Page 25 of 25
- 4. Letter from NSPM to NRC, Notice of Withdrawal of Letter of Intent to Transition to 10 CFR 50.48(c), dated July 16, 2010 (ADAMS Accession No. ML102000433).
- 5. Nuclear Energy Institute (NEI) Technical Report NEI 00-01, Guidance for Post Fire Safe Shutdown Circuit Analysis, Revision 2, dated May 2009 (ADAMS Accession No. ML091770265).
- 6. Letter from NRC to NSPM, Monticello Nuclear Generating Plant Triennial Fire Protection inspection Report 05000263/2014008, dated April 29, 2014 (ADAMS Accession No. ML14119A216).
- 7. Monticello Updated Safety Analysis Report (USAR) Section J.05, Updated Fire Hazards Analysis, Revision 34, dated January 13, 2017.
- 8. Monticello USAR Section J.04, Safe Shutdown Analysis, Revision 34, dated January 13, 2017.
- 9. NRC Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009 (ADAMS Accession No. ML090410014).
- 10. NRC NUREG/CR-7150, Joint Assessment of Cable Damage and Quantification of Effects from Fire (JACQUE-FIRE), Volume 2, dated May 2014 (ADAMS Accession No. ML14141A129).
- 11. NRC NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, Volumes 1 and 2 dated September 2005 (ADAMS Accession Nos.
ML15167A401 and ML15167A411).
- 12. Letter from NRC to TVA, Issuance of Amendments Regarding Transition to a Risk-Informed, Performance-Based Fire Protection Program in Accordance with 10 CFR 50.48(c), dated October 28, 2015 (ADAMS Accession No. ML15212A796).
- 13. Letter from NRC to Entergy, Issuance of Amendment Regarding Transition to a Risk-Informed, Performance-Based Fire Protection Program in Accordance with 10 CFR 50.48(c), dated October 7, 2016 (ADAMS Accession No. ML16223A481).
ATTACHMENT 1 Monticello Nuclear Generating Plant Xcel Energy Northern States Power Company - Minnesota Drawing NX-7905-46-14E 11 RHR Containment Spray Outboard Isolation MO-2020, Scheme B3339 Revision 78 1 page follows
ATTACHMENT 2 Monticello Nuclear Generating Plant Xcel Energy Northern States Power Company - Minnesota Drawing NX-7905-46-17E 12 RHR Containment Spray Outboard Isolation MO-2021, Scheme B4339 Revision 77 1 page follows
Page 1 of 27 ENCLOSURE 2 MONTICELLO NUCLEAR GENERATING PLANT Monticello Internal Events PRA Model Response to RG 1.200 Peer Review Findings Change Number: MT-13-0025 (IE)
Brief Problem
Description:
ASEP is used for assessment of all pre-initiator HFEs. A detailed assessment was not used for significant HFEs.
F&O Number: 1-6 Technical Element: HR Detailed Problem
Description:
ASEP is used for assessment of all pre-initiator HFEs. A detailed assessment was not used for significant HFEs. The standard defines "significant basic event: a basic event that contributes significantly to the computed risks for a specific hazard group. For internal events, this includes any basic event that has an FV importance greater than 0.005 or a RAW importance greater than 2. (See Part 2 Requirements DA-C13, DA-D1, DA-D3, DA-D5, DA-D8, HR-D2, and HR-G1.)" For examples of pre-initiator important HEPs see Table E-1 of PRA-MT-QU.
(This F&O originated from SR HR-D2)
Proposed Solution: Use detailed assessment for significant pre-initiator HFEs, e.g., THERP Risk Impact: Specific requirement for Cat II not met.
Actual Solution:
Significant pre-initiator HEPs, as found in the MNGP Rev 3.0D model, we re-evaluated with the THERP methodology. The following significant pre-initiator HEPs were identified in the Rev 3.0D model:
IPTP207WXZ, KCHV-SF-9Z, SPEP111AXZ, and SPEP111BXZ. Pre-initiator HEP KCHT8089CZ was also significant but was determined to be modeled less accurately by the THERP methodology and hence the detailed ASEP methodology was retained. KCHT8089CZ is a miscalibration pre-initiator HFE. In the THERP methodology under Execution Steps there really is no appropriate Error of Commission to choose for miscalibration errors, so Basic Error of Commission was chosen which has a high value of 1E-02. Using the THERP methodology and not applying any testing recovery credit, the HEP was 5.6E-03 which was higher and less accurate than the ASEP value. Once the testing recovery credit was applied (again maintenance done during shutdown but EDG testing done monthly) the value was reduced to 3.5E-05 which seems far too low. An error of commission item in the HRAC tool needs to be developed for miscalibration for this to be more accurately portrayed in HRAC.
The MNGP Rev 3.0I model was re-verified to identify any newly significant pre-initiator HEPs and found one significant pre-initiator HEP (NNTRAINBXZ) that was reanalyzed with the THERP methodology.
Miscalibration HEPs Q-672ABCD44Z, Q-2352AB-22Z, and NSP4237HIZ were also identified as
L-MT-17-016 NSPM Page 2 of 27 significant but have been previously discussed to be inaccurately represented by the THERP methodology. Common cause HEPs QSV672EFX22Z and HPTRCHPSX22Z were also found to be significant. Common cause failures are not well accounted for in the THERP methodology since THERP does not allow for the inclusion of the dependence between the two single failures. There was no obvious option in the HRA Calculator tool for modeling activities that impact more than one train hence the detailed ASEP methodology was retained. Other significant HEPs that were already discussed and re-examined were KCHT8089CZ, SPEP111BXZ, and KCHV-SF-9Z.
L-MT-17-016 NSPM Page 3 of 27 Change Number: MT-13-0026 (IE)
Brief Problem
Description:
(This F&O originated from SR IE-A8) A relatively robust process for system engineering interviews and documentation of same is included in PRA-MT-WI, Rev. 3.0.
F&O Number: 3-2 Technical Element: IE Detailed Problem
Description:
A relatively robust process for system engineering interviews and documentation of same is included in PRA-MT-WI, Rev. 3.0. However, the form used to document system engineer interviews does not include a section or any criteria relating to whether failure of the system in question could cause an initiating event.
(This F&O originated from SR IE-A8)
Proposed Solution: Possible resolution is to re-interact with system engineers regarding the potential for overlooked initiating events, and document the results of that interaction.
Risk Impact: This F&O is deemed a Finding as it prevents the SR from meeting CC II.
Actual Solution:
Since the Peer Review, an Interview with Plant System Engineers and operators was performed to decide whether any initiating events were overlooked. Each system engineer was interviewed to verify that a failure of their system would not cause a plant trip, which is documented in the Walkdown and Interview Notebook. All system engineers concluded that the initiating event fault trees modeled in the PRA were satisfactory in that no initiating events were overlooked.
of the WI Notebook under the statement below documents that this work was performed:
Verify with plant personnel to determine if potential initiating events have been over looked.
L-MT-17-016 NSPM Page 4 of 27 Change Number: MT-13-0027 (IE)
Brief Problem
Description:
During review of the CAFTA fault tree files, some instances of credit for repair of hardware (EDGs) were note that do not seem to be justified. An example is under gate AA131 of the AAC fault tree model.
F&O Number: 3-6 Technical Element: SY Detailed Problem
Description:
During review of the CAFTA fault tree files, some instances of credit for repair of hardware (EDGs) were noted that do not seem to be justified. An example is under gate AA131 of the AAC fault tree model. Under the cited gate, failure to recover a diesel-generator is ANDed with "EDG 11 FAILURES WITH POTENTIAL TO RECOVER". Two issues were noted. First, there is not a corresponding gate for EDG 11 comprised of "failures that cannot be recovered". Second, some of the EDG 11 failures that are recovered, e.g., EDG 11 OOS for corrective maintenance, appear to be unjustified.
(This F&O originated from SR SY-A24)
Proposed Solution: Search for instances of repair of hardware faults in the logic model, and for each instance identified consider whether credit for recovery/repair is justified. If not, revise the affected fault tree model. If so, document an adequate justification for the repair credit.
Risk Impact: Moving some of the EDG failures out from under the AND (i.e., recovery) gate may result in an appreciable impact on CDF.
Actual Solution:
An evaluation was conducted to investigate the basis for which components (basic events) should or should not be in the scope of EDG recovery. EDG non-recoverable failures are modeled under several gates. Certain accident sequences which require rapid response were excluded (NO-RECOVERY) from the scope of the recovery of the EDGs (for example floods that directly fail the EDG or ATWS).
Failures of EDG cooling via HVAC or ESW were also excluded since it is assumed that failures of these systems would cause EDG overheating and hence be non-recoverable (for EDG 11 gate AA049 for EDG12 gate AA086).
RADS data for plants with similar EDGs were reviewed from 1999 to the present. The failures were reviewed and binned based on their time to recover (unavailability), so that an appropriate recovery probability could be calculated. These failures were categorized to determine their potential ability to be recovered. The following failure categories were determined to be recoverable:
- 1. Include components within EDG boundary. These components are inherently in the scope of the recovery data provided from the RADS database. This database is includes MSPI EDG data entries from all US nuclear power plants.
- 2. Include corrective maintenance as part of EDG since it represents unplanned unavailability (UA) data. This unplanned UA was utilized to calculate EDG recovery fraction.
- 3. Include preventative maintenance since the average planned maintenance is less than six hours per month with most months less than three hours. Recovery would be complete or back out of PM and place EDG back into service.
L-MT-17-016 NSPM Page 5 of 27
- 4. Events that do not directly disable the EDG, hence EDG recovery is not applicable but has a separate recovery credit (e.g. FLOODING ANDed with ALOWFUELHY) is allowed.
- 5. Include support system recoverable events. These events contribute to unplanned UA for EDGs which was utilized to calculate EDG recovery fraction.
- 6. Include recoverable Human Actions such as the failure to address low fuel oil. These events may cause temporary loss of EDG but recovery not expected to be difficult.
L-MT-17-016 NSPM Page 6 of 27 Change Number: MT-13-0028 (IE)
Brief Problem
Description:
PRA-MT-QU Rev 3 and PRA-MT-L2-AS document the codes used and limitations that may impact applications in Section 2.4.
F&O Number: 4-2 Technical Element: LE Detailed Problem
Description:
PRA-MT-QU Rev 3 and PRA-MT-L2-AS document the codes used and limitations that may impact applications in Section 2.4. However, there is no discussion related to the impact of HEP dependencies on applications that may be requested from the site. For example, using the current seed values for the HFE dependencies would prevent MT from being able to obtain cutsets at a truncation of 1E-12 which is required for MSPI (i.e. 7 orders of magnitude below CDF).
(This F&O originated from SR QU-F5)
Proposed Solution: Discuss this limitation in the documentation for the current model. In the future, determine the appropriate method for HFE dependency which will allow truncation at an appropriate limit for support of applications.
Risk Impact: MSPI requires that models be quantified at 7 orders of magnitude below the CDF. This will require MT to truncate at a limit of at least 1E-12 which is unattainable based on discussion in Section 3.5 of PRA-MT-QU. Therefore, this item is a finding.
Actual Solution:
The MSPI Sensitivity was quantified for the MT Rev 3.0E model and truncated down to 6E-13 without any modification to our quantification process. It is believed that the improvements to the HEP dependency analysis along with other improvements have made this possible. Model revisions after Rev 3.0E have also been tested and have been successful. Since the model's risk has gone down the truncation also has to progress down which makes quantification at these lower truncations more difficult. Similarly with PI's most recent model, quantification had to be broken up by initiator to meet these lower truncations. The resulting cutsets are simply appended afterwards. This will be documented in the MSPI Basis document and is documented in the convergence study within the Quantification Notebook.
L-MT-17-016 NSPM Page 7 of 27 Change Number: MT-13-0030 (IE)
Brief Problem
Description:
Section 8.1 of PRA-MT-L2-AS gives a table, Table 8.2, which identifies the sources of model uncertainties and assumptions that could impact the PRA model.
F&O Number: 4-6 Technical Element: LE Detailed Problem
Description:
Section 8.1 of PRA-MT-L2-AS gives a table, Table 8.2, which identifies the sources of model uncertainties and assumptions that could impact the PRA model. In this table is a description for the impact on the PRA model, but there doesn't appear to be a sound basis.
For example, for the second item in the table, namely Debris Coolability in the Drywell, the 'approach taken' states that the event is set to FALSE but is provided for the purpose 'of performing sensitivity studies on this assumption;' however, no sensitivity is performed.
(This F&O originated from SR LE-F3)
Proposed Solution: Perform sensitivity analysis to characterize the key model uncertainties identified.
Risk Impact: The sensitivity analysis performed should help to characterize the uncertainties identified; however, there aren't any supporting sensitivities performed for the identified uncertainties. Therefore the SR is not met.
Actual Solution:
PRA calculation PRA-CALC-13-001 (Level 2 Sensitivity Studies - Model Rev 3.1) was generated to document the detailed level 2 sensitivity studies performed by Applied Reliability Engineering Inc.
(AREI) in response to the internal events peer review finding (F&O number 4-6, concerning ASME/ANS RA-Sa Supporting Requirement LE-F3). Section 8.3 (Level 2 Sensitivity Studies) was added to revision 3.1 of the Level 2 PRA Notebook to summarize each of the studies documented in this PRA calculation.
PRA-CALC-13-001 is referred to in the Level 2 PRA Notebook as reference #43. PRA-CALC-13-001 has been reviewed and reviewer signed. All the above statements are accurate. The scope of the sensitivity studies was determined by agreement between the XCEL MNGP Team and AREI.
L-MT-17-016 NSPM Page 8 of 27 Change Number: MT-13-0031 (IE)
Brief Problem
Description:
Section 5.2 of PRA-MT-DA states that coincident maintenance at MT is not a common practice but there is no evidence that coincident maintenance activities have been reviewed for applicability of the PRA model.
F&O Number: 4-10 Technical Element: DA Detailed Problem
Description:
Section 5.2 of PRA-MT-DA states that coincident maintenance at MT is not a common practice but there is no evidence that coincident maintenance activities have been reviewed for applicability of the PRA model.
However, review of the fault tree demonstrates that RHR-A and RHR-C are taken OOS for corrective maintenance per review of event RLOOPAXXCM in the CAFTA fault tree. This is a clear example of coincident maintenance that should be examined and reviewed for impact on the PRA model.
(This F&O originated from SR DA-C14)
Proposed Solution: Document/provide evidence of a review of past planned maintenance to identify any coincident maintenance activities and determine the impact on the PRA model for any items that are identified. A process for coincident maintenance review and impact on the model has been provided via email as one example that this SR can be MET.
Risk Impact: SR is NOT MET because SR requirement is not satisfied.
Actual Solution:
First, high risk combinations were identified that could occur due to online preventive maintenance coupled with random corrective maintenance. These combinations were identified by assigning probabilistic values consistent with those observed for the system combinations from actual plant experience. Second, a detailed cycle plan review was performed for the period 2009-2012 to verify that the risk significant combinations of components/ trains were not coincidently taken out of service. The result of this review concluded that there are no coincident maintenance outages as a matter of practice at Monticello.
See Section 5.2 the Data Notebook for further discussion on this item.
L-MT-17-016 NSPM Page 9 of 27 Change Number: MT-13-0032 (IE)
Brief Problem
Description:
During review of the RHR fault tree, an asymmetry was identified in the fault tree related to Div I and Div II Flow diversion. Specifically, gates R009-A and R010-A should be similar just as R012-A and R013-A are.
F&O Number: 4-11 Technical Element: QU Detailed Problem
Description:
During review of the RHR fault tree, an asymmetry was identified in the fault tree related to Div I and Div II Flow diversion. Specifically, gates R009-A and R010-A should be similar just as R012-A and R013-A are.
The non-symmetry occurs due to including maintenance events under the fail to run gate for one pump and not the other three pumps in the RHR system (or at the very least one of the pumps in the other division). The model should be consistent or documentation should be provided describing the reason for the asymmetry.
(This F&O originated from SR QU-F2)
Proposed Solution: Correct the model or documentation for the RHR system fault tree.
Risk Impact: Incomplete documentation of unusual modeling of an important feature.
Actual Solution:
In the RHR fault tree, the description of gate R009_1 was "common cause failure to start of 2 or 3 pumps" where the proper gate description should have been "common cause failure to run of 2 or 3 pumps". All basic events under this gate are run failures. It appears that the mislabeling of this gate led to the inclusion of maintenance events under the gate, as maintenance events are included under the run failure gates for all of the RHR pumps. The gate name (R009_1) description was corrected to reflect it is a failure to run gate, and the maintenance events under the gate were removed. A review of the fault tree was conducted to verify the proper inclusion of maintenance events under the appropriate (failure to start) gates for each of the four RHR pumps.
Maintenance events are similarly located for each pump under gate R050 for P-202A, gate R055 for P-202C, gate R068 for P-202D, and gate R063 for P-202B. Gates R009-and R010-A are now symmetrical.
L-MT-17-016 NSPM Page 10 of 27 Change Number: MT-13-0033 (IE)
Brief Problem
Description:
The use of a half failure for plant-specific data is being questioned. A SSC either fails to perform its function or it doesn't.
F&O Number: 5-12 Technical Element: DA Detailed Problem
Description:
The use of a half failure for plant-specific data is being questioned. A SSC either fails to perform its function or it doesn't.
Examples include:
- 1. A valve that had minor leakage was considered a half failure. This should be determined if the valve could perform its safety function or not.
- 2. A pump started, stopped, and then restarted successfully. What caused the pump to restart?
Was it a manual restart or automatic?
- 3. A valve did not meet an IST requirement during a surveillance test. Would the valve still be able to perform its function?
- 4. A valve was not able to maintain a required flow, but could maintain a specific flow. Is that specific flow acceptable for success criteria? If it is, then no failure.
(This F&O originated from SR DA-C4)
Proposed Solution: Review the cases where a half failure is given and determine if those are PRA failures or not.
Risk Impact: The basis for identifying events as failures was not clearly defined and is viewed as atypical. Therefore, this is a finding.
Actual Solution:
All half failure rates as reported in Rev 3.0 of the Data Notebook were reviewed to determine if the component failed to perform its intended function. The half failures were adjusted accordingly (to be counted as 0 or 1) depending on the scenario with a confirmation from system engineers. These changes were corrected in the basic event type code database titled MNGP_REV_3-0I.EGS_06 13_IE_&_type_code_Database.mdb and included in any future revisions.
The database file has since been split into two: one for type codes and one for initiating events. The new type code database is titled: "MNGP_TC_REV_3-1-N.EGS_08-14-13.mdb". Paragraph description now added in Section 4.5.4 of the Data Notebook.
L-MT-17-016 NSPM Page 11 of 27 Change Number: MT-13-0034 (IE)
Brief Problem
Description:
The times that components were in their standby statuses were estimated by using a general understanding of average system operation (i.e., a pump in a 2 out of 3 pump system would have 1/3 probability in standby).
F&O Number: 5-15 Technical Element: DA Detailed Problem
Description:
The times that components were in their standby statuses were estimated by using a general understanding of average system operation (i.e., a pump in a 2 out of 3 pump system would have 1/3 probability in standby). Plant-specific operational records were not reviewed.
(This F&O originated from SR DA-C8)
Proposed Solution: Review plant-specific data to capture more realistic standby probabilities.
The use of PI data to determine running data combined with the time the SSC is unavailable may be used to determine the plant-specific standby time.
Risk Impact: Because plant-specific operational records were not reviewed, this SR is not met at CAT II/III, therefore this is a finding.
Actual Solution:
The standby data for the DC, SW, and AIR systems were collected from the SOMs, PI Systems, or Procedure 4953-PM respectively to establish more realistic probabilities for the standby flags BE of redundant components. For systems which lacked sufficient data in PI Systems and SOMs logs, system engineer interviews were conducted to determine appropriate standby fractions. The following systems lacked sufficient plant data: CRDH, HVAC, and RBCCW. The time period reviewed was 2008 to 2012, except for the AIR system which was recently upgraded in 2010. The spreadsheet titled, MT Standby Fraction.xls documents this work.
L-MT-17-016 NSPM Page 12 of 27 Change Number: MT-13-0035 (IE)
Brief Problem
Description:
Mean values and uncertainty intervals were provided through Bayesian updating. However, a number of important basic events in Section 7.1 of PRA-MT-DA were given point estimates without any associated uncertainty values.
F&O Number: 5-16 Technical Element: DA Detailed Problem
Description:
Mean values and uncertainty intervals were provided through Bayesian updating. However, a number of important basic events in Section 7.1 of PRA-MT-DA were given point estimates without any associateduncertainty values. More importantly, no sensitivity studies were performed to ascertain the impact of the point estimates on the model.
(This F&O originated from SR DA-D3)
Proposed Solution: Assign appropriate uncertainty values to the point estimates given in Section 7.1 and perform sensitivity studies to determine the impact of these values to the model.
Risk Impact: These point estimates may have a large impact on the model, therefore this is a finding.
Actual Solution:
For events not linked to Type Codes, the uncertainty bounds for basic events are defined by the use of lognormal distribution Error Factors (EFs) and are assigned as follows:
When available, EFs or Variances are obtained based on the distribution values provided by the data source. When such information is not available, the general EF guidelines below are used.
- 1. Human Error Probabilities: related to Human Error are based on information in Section 7 of NUREG/CR-1278 (Handbook of HRA). The Equipment EF guidelines are based on comparison with various data sources.
- 2. for failure rates probabilities related to Special BE, an engineering judgment and comparisons with similar BE data was utilized.
Table 7-1a Guideline related for probabilities missing distribution attributes is listed in the Data notebook section 7.1.
Sensitivity studies were performed to determine significant point estimate basic events. The Sensitivity study concluded three basic events which are fairly important to LERF only. These events are JUMPERS Hardware needed to align alternate power supply to div. 2 250V DC fails, MVR4543XXN Hard-pipe vent rupture disk PSD-4543 fails to open, and XPP-SRV--L SRV tailpipe rupture in the wet-well airspace. Each basic event contributes an increase in LERF risk by more than 10% in comparison to all special events included in the study.
The insights from the study indicate that our model is sensitive to the following basic events:
JUMPERS: The original probability was conservatively estimated to be 1.0E-3. Since this failure only pertains to the jumper cables themselves this failure probability is much higher than other passive
L-MT-17-016 NSPM Page 13 of 27 components (heat exchangers or check valves). Additionally, this procedure and equipment has been functionally tested (during the 2005 refueling outage) to provide battery charging following a complete discharge.
MVR4543XXN: The only feasible ways that the rupture disk would not open when containment pressure challenges containment integrity (>100 psig) is if the incorrect rupture disk is installed, multiple rupture disks are installed together, or the rupture disk is manufactured incorrectly. The probability of installing multiple disks together is considered to be negligible because of the level of training and experience of maintenance workers, as well as the quality assurance program at the site. This original estimated probability of 1.0E-3 was found to be conservative since the failure rate is much higher than the failure rate to similar passive components.
XPP-SRV--L: The probability of 3.6006 E-04 is assumed to have a testing period of 2 years for three of the SRVs, and 4 years for the other five SRVs. The probability that a rupture is present (on any SRV tailpipe) is calculated by using a calculation type 5 event with a failure rate for all eight SRV tailpipes (estimated to be a total of 100 feet of piping) with an average testing period of 3.25 years. The piping structural analysis performed in PRA-MEMO-12-007 also concluded that the most limited pipe stress in the SRV tail pipe is below water line not in the airspace. Therefore, the probability is also reasonable given the calculation method and the location of the rupture.
L-MT-17-016 NSPM Page 14 of 27 Change Number: MT-13-0036 (IE)
Brief Problem
Description:
Section 4.0 discusses the use of Bayesian Updating of generic priors to provide posterior distributions. Generic information was primarily collected from NUREG/CR-6928.
F&O Number: 5-17 Technical Element: DA Detailed Problem
Description:
Section 4.0 discusses the use of Bayesian Updating of generic priors to provide posterior distributions.
Generic information was primarily collected from NUREG/CR-6928. A number of parameters did not have plant-specific information, therefore only generic information was used.
(This F&O originated from SR DA-D1)
Proposed Solution: An industry reference for a probability of consequential LOOP is given in NUREG/CR-6890 Vol. 1, Section 6.3. Alternately, obtain generic data and perform a Bayesian update using plant-specific data to generate a posterior value.
Risk Impact: This SR requires realistic parameter estimates for significant basic events based on relevant generic and plant-specific evidence. There is no evidence to support a realistic parameter estimate for the consequential LOOP (ALOOPXXXXL). Therefore this is finding.
Actual Solution:
The consequential LOOP basic event was reanalyzed and broken up into two different types based on the scenario. The first is the possibility that a LOCA event with the automatic start of the large ECCS pumps induces a grid or plant instability that leads to a LOOP. The second possibility was the consideration of LOOP due to transient. EPRI has reviewed NRC references (such as NUREG/CR-6890 Vol 1) and provided estimates for conditional LOOP frequencies. The EPRI guidance provided the following recommended values:
- 1. Consequential LOOP for initiators with LOCA was given a frequency of 2.4E-2 per year. The new basic event name for this scenario is ALOOPWLOCA.
- 2. The consequential LOOP caused by a Transient was given a frequency of 2.4E-3 per year. The new basic event name for this scenario is ALOOPTRANS.
Bayesian updating of data was performed on risk significant components from the 2004 Monticello PRA Model (CDF and LERF). The 2004 Monticello model was the model of record at the time of the projects commencement. When the data is updated again, the events which are given a Bayesian update will also be revisited.
The reasonableness check of the Prior versus Posterior was performed using the mean of the Posterior to the 90% confidence intervals of the prior 5th-95th percentile. This check verified that that mean of the Posterior with 90% confidence falls between the Priors 5th and 95th percentile values. This work was performed and documented per Suggestion 5-13 (PCD MT-13-0077).
L-MT-17-016 NSPM Page 15 of 27 Change Number: MT-13-0037 (IE)
Brief Problem
Description:
The system description for the Condensate and Feedwater system (PRA-SY-CFW) states that the oil coolers for the new condensate pumps being installed will be dependent on Service Water; however, SW isn't listed as a required support system.
F&O Number: 6-4 Technical Element: SY Detailed Problem
Description:
The system description for the Condensate and Feedwater system (PRA-SY-CFW) states that the oil coolers for the new condensate pumps being installed will be dependent on Service Water; however, SW isn't listed as a required support system.
(This F&O originated from SR SY-B9)
Proposed Solution: Include SW as a required support system for CFW.
Risk Impact: Documentation and model issue. This dependency may have an appreciable impact on CDF.
Actual Solution:
The CFW fault tree (CFW Rev 3.0.B.ABS_04-30-13.caf) was revised to include service water as a dependency for the condensate pumps. Specifically, gate T_SW-SW was added under gates F009, F009-S, F010 and F010-S. The revised fault tree was renamed "CFW Rev 3.0.C.TPW_05-17-13.caf" and filed appropriately. The system notebook for the CFW system was revised to reflect these changes.
A similar PCD (MT-12-0034) was already established, and will be closed out in conjunction with this PCD. Additionally, PCD MT-11-0027, which is more general but related to EPU changes to the CFW system, will be updated to note the change from this PCD.
Also, feedwater long-term DC dependencies were changed to be long-term instead of short-term.
Specifically gate T_D-DC111-S was changed to T_D-DC111-L under the F051 gate and gate T_D-DC211-S was changed to T_D-DC211-L under gate F054.
L-MT-17-016 NSPM Page 16 of 27 Change Number: MT-13-0038 (IE)
Brief Problem
Description:
PRA-MT-IF-IE Rev 3 includes the information regarding the potential sources of flooding. However, the inadvertent actuation of the fire suppression system is not discussed as a potential initiating event.
F&O Number: 6-6 Technical Element: IFSO Detailed Problem
Description:
PRA-MT-IF-IE Rev 3 includes the information regarding the potential sources of flooding.
However, the inadvertent actuation of the fire suppression system is not discussed as a potential initiating event.
(This F&O originated from SR IFSO-A4)
Proposed Solution: Perform the evaluation of inadvertent fire suppression actuation and include it in PRA-MT-IF-IE.
Risk Impact: This evaluation is a requirement of this SR.
Actual Solution:
The following information has been added to the Internal Flooding Initiating Events (PRA-MT-IF-IE)
Notebook, Section 2.1: CAP 1266742 evaluated the FPS with regard to effects on plant equipment/areas if inadvertent system actuation were to occur. The conclusion of the evaluation is that inadvertent actuation would not affect any safety-related equipments ability to perform its function. This evaluation further supports the following positions regarding inadvertent actuation of the fire suppression system in the MNGP PRA Model.
Sprinkler System The effects of an inadvertent sprinkler discharge are bounded by the effects modeled for random pipe breaks in the same area. The spray effects of a sprinkler discharge would likely be less since the sprinkler targets a specific location while a random pipe break is assumed to spray everything in the room. Additionally, all small FPS piping containing the sprinklers is included in the random FPS pipe break frequencies calculated for the various flood areas. Given that MNGP does not have a history of random sprinkler discharges leading to a plant transient and such events are so rare throughout the industry that no failure data has been developed for such events, inadvertent sprinkler discharge is considered to be within the bounds of uncertainty for the existing flood scenarios hence is not explicitly modeled.
Deluge System The effects of an inadvertent actuation of a deluge system are bounded by the effects modeled for random pipe breaks in the same area. The spray effects of a deluge discharge would likely be less since the deluge system is focused on a specific set of targets while a random pipe break is assumed to spray everything in the room. The human actions associated with isolation of a deluge discharge are considerably different than those for a random pipe break, however. The control room will receive a unique alarm for a deluge discharge indicating exactly where the operator should investigate instead of simply receiving a fire pump running alarm leaving the operator to search for the location of the event.
Additionally, the isolation of the deluge discharge can be performed at the discharge location by simply closing the deluge valve rather than having to travel to the intake structure to locally trip the fire pumps.
While explicit inclusion of this deluge system actuation would increase the initiating event frequency
L-MT-17-016 NSPM Page 17 of 27 slightly, this increase would be more than offset by the decreased HEP associated with the isolation of the deluge discharge. Thus, inadvertent actuation of a deluge system is considered to be within the uncertainty bounds of the existing flood scenarios and is not explicitly modeled.
L-MT-17-016 NSPM Page 18 of 27 Change Number: MT-13-0039 (IE)
Brief Problem
Description:
There is no evidence of plant-specific analysis completed or research done to identify or collect repair time information.
F&O Number: 7-6 Technical Element: DA Detailed Problem
Description:
There is no evidence of plant-specific analysis completed or research done to identify or collect repair time information.
The EDG recovery values in Table 1 of PRA -MT-SY-RECAC are based solely on a generic data source. This is contrary to the SR requirement to gather both generic and plant specific information.
(This F&O originated from SR DA-C15)
Proposed Solution: If EDG recovery is used in the model, base the values on plant specific experience of EDG repair or show "that the plant EDGs are sufficiently similar... such that the generic data can be used to characterize the EDG repair probability" as stated in the EPRI LOOP Technical Guidelines.
Risk Impact: No plant-specific experience is given for repairs which appear to be very plant specific in nature.
Actual Solution:
Data from the NRCs Reliability and Availability Data System (RADS) was utilized to calculate an updated EDG recovery estimate. RADS was used to obtain more data to establish a larger data population than only MNGP related failures. This analysis used similar assumptions and methodology utilized by the most recent NRC diesel generator repair time estimates. The RADS Unplanned Unavailability (UUA) outage data for similarly designed EDGs from 1998-2010 was utilized to characterize diesel generator repair probabilities. Each UUA event was categorized into their respective time span. The sum of events within the time span was calculated. The percent recovered was calculated based on the total of UUA events (1,401). The result of this analysis is provided in Appendix A in the RECAC (AC Recovery) Notebook Rev. 3.1.
L-MT-17-016 NSPM Page 19 of 27 Change Number: MT-13-0040 (IE)
Brief Problem
Description:
Convergence is only demonstrated when quantifying with nominal HEP values. There is no convergence demonstrated when the method described in PRA-MT-QU Rev 3 is used for quantification.
F&O Number: 7-7 Technical Element: QU Detailed Problem
Description:
Convergence is only demonstrated when quantifying with nominal HEP values. There is no convergence demonstrated when the method described in PRA-MT-QU Rev 3 is used for quantification. The truncation level (1E-10) is quite high even given the E-05 CDF value. Also little basis is given for using the 1E-10 truncation rather than the possible lower E-11 truncation.
(This F&O originated from SR QU-B3)
Proposed Solution: Review the model to identify what is limiting the quantification truncation. The self-identified issue of dependent HEP methodology is one potential factor but others could exist.
Risk Impact: A sufficiently low converged truncation is required for many applications such as MSPI.
Actual Solution:
Convergence of the internal events only CDF, complete CDF, and LERF has been tested and proven for each model revision since Rev 3.0E. Quantification at truncation levels required by MSPI (7 orders below converged CDF value) were also successful. No pre or post quantification modification to the model was required to establish this convergence. It is believed that since the Peer Review the improvements to the HEP dependency analysis along with other improvements have made this possible. Since the model's risk has gone down since Rev 3.0 the truncation must also progress down to meet the MSPI requirement, which makes quantification at these lower truncations more difficult. To solve at these lower truncations, quantification is performed on smaller groups of initiators with the resulting cutsets appended post quantification. This is a simple and accurate method to quantify the model at these rarely used truncation levels. The final convergence study will be documented in the Quantification Notebook.
The Rev 3.1 model was solved at a truncation of 1E-13 by splitting the initiators into four groups by flags. Convergence of total CDF, no flood CDF, and total LERF were established at 1E-12, 1E-13, and 1E-12 truncations respectively.
L-MT-17-016 NSPM Page 20 of 27 Change Number: MT-13-0041 (IE)
Brief Problem
Description:
Truncation is only 5 orders of magnitude below CDF. This is less than general industry practice. PRA-MT-QU Rev 3 states that it is because the model quantification fails at lower truncation levels as a result of the joint HEP methodology used.
F&O Number: 7-9 Technical Element: QU Detailed Problem
Description:
Truncation is only 5 orders of magnitude below CDF. This is less than general industry practice.
PRAMT-QU Rev 3.0 states that it is because the model quantification fails at lower truncation levels as a result of the joint HEP methodology used.
(This F&O originated from SR QU-B2)
Proposed Solution: Identify and resolve the issues with quantification to allow quantification at truncation levels required by the standard and for applications. This may include review of the incorporation of HEP dependencies into the quantification, and review of fault tree structure to optimize quantification effectiveness among other possibilities.
Risk Impact: Events can become significant due to many lower value cutsets containing those events whose summed value is important.
Actual Solution:
Convergence of the internal events only CDF, complete CDF, and LERF has been tested and proven for each model revision since Rev 3.0E. Quantification at truncation levels required by MSPI (7 orders below converged CDF value) were also successful. No pre or post quantification modification to the model was required to establish this convergence. It is believed that since the Peer Review the improvements to the HEP dependency analysis along with other improvements have made this possible. Since the model's risk has gone down since Rev 3.0 the truncation must also progress down to meet the MSPI requirement, which makes quantification at these lower truncations more difficult. To solve at these lower truncations, quantification is performed on smaller groups of initiators with the resulting cutsets appended post quantification. This is a simple and accurate method to quantify the model at these rarely used truncation levels. The final convergence study will be documented in the Quantification Notebook.
The Rev 3.1 model was solved at a truncation of 1E-13 by splitting the initiators into four groups by flags. Convergence of total CDF, no flood CDF, and total LERF were established at 1E-12, 1E-13, and 1E-12 truncations respectively.
L-MT-17-016 NSPM Page 21 of 27 Change Number: MT-13-0042 (IE)
Brief Problem
Description:
The reasonableness check appears to be limited to whether the individual values are reasonable, not whether similar (timing, complexity, out of control room etc.) actions when compared to each other have reasonable values, which is the intent of the SR.
F&O Number: 7-15 Technical Element: HR Detailed Problem
Description:
The reasonableness check appears to be limited to whether the individual values are reasonable, not whether similar (timing, complexity, out of control room etc.) actions when compared to each other have reasonable values, which is the intent of the SR.
(This F&O originated from SR HR-G6)
Proposed Solution: Perform the reasonableness check between events.
Risk Impact: Comparison between events with similarities is an important part of validating the values.
Actual Solution:
Since the Peer Review multiple reviews of the post initiator HEPs were performed using the HRA Calculator to get an accurate picture of the overall HRA analysis. A stress review report was generated and reviewed for all HEPs to ensure that the assigned stress levels are accurate. In general actions that are rarely performed, are outside the control room, or have little time to perform were assigned a higher stress level. The locations of HEPs were also reviewed to ensure that consistent naming was used for accurate use in the dependency analysis. A review of the complete HEP values against other similar actions was also performed. Any screening value HEPs that were found to be risk significant were developed further to establish a more accurate failure probability. Similar actions, such as flood isolations and manual depressurizations, were reviewed collectively to validate that actions that have more time or are located in the control room were given a lower failure probability. These reviews have been documented in Section 8.2 of the HRA Notebook, Rev 3.1.
L-MT-17-016 NSPM Page 22 of 27 Change Number: MT-13-0043 (IE)
Brief Problem
Description:
However, it appears that combinations (up to 6) HEPs appearing in cutsets are inappropriately analyzed for dependency resulting in over 8000 dependent combinations.
F&O Number: 7-16 Technical Element: HR Detailed Problem
Description:
The dependency analysis was performed using the HRA calculator which is an acceptable method to perform the dependency analysis and there is evidence that the limitation of the HRA calculator dependency module on the sequence of events times for multiple HEPs within a cutset was addressed at least in part. However, it appears that combinations (up to 6) HEPs appearing in cutsets are inappropriately analyzed for dependency resulting in over 8000 dependent combinations. This analysis does not account for the subset of HEPs where the dependency is addressed via the separate cognitive and execution events.
(This F&O originated from SR HR-G7)
Proposed Solution: Redo the dependency analysis using an awareness of the mix of HEP types, the concept of minimum values, consideration of whether the large number of HEPs in a single cutset is appropriate while retaining the current correct addressing of the cutset length limitations and time sequencing of HEPs from the current analysis. Review available industry guidance on performance of HEP dependency analysis to garner the best, most efficient way to perform the analysis. Ensure the software limitations are explicitly addressed in the dependency analysis process.
Risk Impact: Large sets of HEPs in a cutset may be due to the mix of methods (separate cognitive and execution events with the dependencies explicitly addressed and combined events not addressing dependency). Where the dependency was addressed by the separate events method already, these should be removed from or limited in the dependency analysis.
Actual Solution:
Post model Rev 3.0, a large effort was conducted to simplify and standardize the post initiator HRA analysis. First, cognitive and execution only HEPs were combined into one single HEP to create a more logical and simplified method for accounting for dependencies between HEPs. Second, an effort was conducted to combine the remaining HEPs that were very similar such as high pressure injection with FW or HPCI/RCIC. The number of flood isolation HEPs were reduced from 57 to 12 based on their HEP value and similarity of action. Model logic that duplicated the same operator action for different timings were also removed since these actions are not actually separate (for example depressurizing with one SRV or three). The efforts previously described have reduced the number of HEPs from 160 to 79 and reduced the HEP combos from approximately 12,000 (Rev 3.0) to 1,600 in the Rev 3.1 model.
The amount of HEPs and dependencies is now well within the limitations of the current software used for HRA (HRA Calculator) and quantification (CAFTA and FTREX).
See Table 22 in the PRA-MT-HR Notebook for the summary of the work performed to standardize the HRA analysis by combining cognitive and execution HEPs from the 2004 model.
L-MT-17-016 NSPM Page 23 of 27 Change Number: MT-13-0044 (IE)
Brief Problem
Description:
Part of a reasonableness check should be an evaluation as to whether very low HEP values make sense. Common industry practice is to employ a floor or lower limit value of 1E-06 or 5E-07 to any HEP calculated value below these limits.
F&O Number: 7-17 Technical Element: HR Detailed Problem
Description:
Part of a reasonableness check should be an evaluation as to whether very low HEP values make sense. Common industry practice is to employ a floor or lower limit value of 1E-06 or 5E-07 to any HEP calculated value below these limits. This applies to both independent and dependent HEP values. For example from the DAC, combination 1 has a resultant dependent HEP value of E-11.This is mainly an issue with the dependent HEP values.
(This F&O originated from SR HR-G6)
Proposed Solution: Incorporate the use of floor values in the HRA analysis.
Risk Impact: Use of extremely low HEP values is not realistic from a human performance perspective and can skew the PRA results.
Actual Solution:
All post Rev 3.0 quantifications now include a floor limit of independent or dependent combinations of HEPs of 1E-7. This number is currently being debated among the industry and regulators and is consistent with Prairie Island. A floor limit of the single HEP was set to 1E-5 in the HRAC database.
This single HEP floor limit is rarely used for post initiator HEPs, XDEPHOURSY and J2NDPHRS-Y only. These are reserved for simple control room actions which need to be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
Multiple pre-initiator HEPs have this screening level value.
L-MT-17-016 NSPM Page 24 of 27 Change Number: MT-13-0045 (IE)
Brief Problem
Description:
A comparison of MNGP results with other plants was documented in Section 4.3.6.
F&O Number: 8-1 Technical Element: QU Detailed Problem
Description:
A comparison of MNGP results with other plants was documented in Section 4.3.6. Loss of 125 VDC initiators are a much higher contribution to CDF than for the other three comparison plants, but no adequate explanation was offered as to why there is such a large discrepancy.
(This F&O originated from SR QU-D4)
Proposed Solution: State physical reasons why the 125 VDC initiators are more significant for MNGP, or else identify why these cutsets may be "artificially" high, e.g., use of HEP dependencies.
Risk Impact: The SR states that the causes for significant differences with other comparison plants needs to be identified.
Actual Solution:
A discussion comparing Monticellos results to other similarly designed BWRs will not be created until the Rev 3.1 model is frozen July 15th. This discussion will not affect the PRA model or its applications.
The importance of the complete loss of 125VDC was researched and found to be a result of having the common cause failure of all three battery chargers fails short term injection. This basic event was removed since only two of the three battery chargers are normally in service with the backup in standby. The basic event was replaced with the common cause of two battery chargers failing and the backup also failing independently. These changes reduce the overall CDF significance for complete loss of 125VDC from ~18% (Rev 3.0) to 0.0% (3.0H) at a 1E-9 truncation, which is much more consistent with other similar BWRs. The modeling for complete loss of either single train of 125VDC is about a 1% contributor for non-flood scenarios.
Discussion was added to describe the differences between Monticello and other similarly designed plants in Section 4.3.6 of the QU Notebook. Comparisons to other similarly designed plants were made to the best of our ability based on the information provided.
L-MT-17-016 NSPM Page 25 of 27 Change Number: MT-13-0046 (IE)
Brief Problem
Description:
Based on a review of the CAFTA database file (PRA-MT-DA-CDF-OPT Rev 3.0.RR), it appears that Error Factors were assigned to both Beta and Gamma distributions in the Type Code table instead of using variance values.
F&O Number: 8-5 Technical Element: QU Detailed Problem
Description:
Based on a review of the CAFTA database file (PRA-MT-DA-CDF-OPT Rev 3.0.RR), it appears that Error Factors were assigned to both Beta and Gamma distributions in the Type Code table instead of using variance values. In Attachment 1 of the Data notebook (PRA-MT-DA), the same type codes listed have assigned variance values for their Beta or Gamma distribution. This appears to be a discrepancy in the way the data was utilized in estimating the CDF uncertainty intervals.
(This F&O originated from SR QU-E3)
Proposed Solution: Revise the distribution parameters in the Type Code table of the CAFTA database such that they are consistent with the PRA documentation. If necessary, the parametric uncertainty analysis may need to be re-performed in order to more accurately estimate the CDF and LERF uncertainty intervals.
Risk Impact: This SR requires estimation of uncertainty intervals for CDF and LERF based on the appropriate parameter uncertainties.
Actual Solution:
The Uncertainty Parameters that were implemented in CAFTA were reviewed to assure the data is using the proper uncertainty parameter (Error factor or variance) according to the type of Distribution (Gamma, Beta, and lognormal). The data notebook was updated to be consistent with the CAFTA database. A list of the appropriate parameters with the distribution type is listed in the Data notebook, Section 2.
L-MT-17-016 NSPM Page 26 of 27 Change Number: MT-13-0047 (IE)
Brief Problem
Description:
It appears that the Category III items, such as pipe whip, humidity, condensation, and temperature were not qualitatively addressed (see NRC Resolution, which is required for Cat. II) (This F&O originated from SR IFSN-A6)
F&O Number: 8-8 Technical Element: IFSN Detailed Problem
Description:
It appears that the Category III items, such as pipe whip, humidity, condensation, and temperature were not qualitatively addressed (see NRC Resolution, which is required for Cat. II).
(This F&O originated from SR IFSN-A6)
Proposed Solution: The mechanisms listed for Capability Category III should be qualitatively addressed using conservative methods and treatments to show what additional impact, if any, may be imposed on existing internal flood scenarios.
Risk Impact: for RG 1.200 compliance in order to meet Capability Category II, the mechanisms listed under Category III of the Standard are required to be qualitatively addressed.
Actual Solution:
Per the resolution requested from the Peer Review, a qualitative assessment was performed for the following flood failure mechanisms to meet Capability Category II criteria:
Submergence Spray Jet Impingement Pipe Whip Humidity Condensation Temperature Spray and submergence effects are specifically discussed and accounted for throughout the Internal Flooding Accident Sequence Notebook for those internal flooding scenarios that are impacted. All internal flood initiators account for submergence and spray.
Jet Impingement and Pipe Whip are assumed to have no effect on the internal flooding analysis unless specifically stated in the internal flooding scenario. This assumption is based on the research provided in NUREG/CR-3231 which found that these potential impacts of pipe breaks require very specific pipe spacing/orientation, rarely result in a complete (guillotine) break, and even if pipe break occurs, significant reduction in cross sectional area of the target pipe follows. The instances which all these conditions are met are few in MNGP and the probability of these types of events coincident with a flood
L-MT-17-016 NSPM Page 27 of 27 initiator is sufficiently remote. Assumption #5 was added to the "General Assumption" Section 2.2 of the Internal Flooding Accident Sequence Notebook, PRA-MT-IF-AS.
Humidity, Condensation, and temperature effects are assumed to be encompassed in the bounding, conservative assumption that all spray floods in the MNGP flood model fail the entire room where the flood exists irrespective of room size or pipe orientation. Assumption #6 was added to the "General Assumption" Section 2.2 of the Internal Flooding Accident Sequence Notebook, PRA-MT-IF-AS.
Page 1 of 95 ENCLOSURE 3 MONTICELLO NUCLEAR GENERATING PLANT Monticello Fire PRA Model Response to 2015 Full Scope Peer Review Findings Change Number: MT-15-0016 F&O Number: 1-2 Associated SR(s): HR-E4, HRA-A1, HRA-A2, HRA-A4 Detailed Problem
Description:
Talk-throughs to confirm HEPs and to confirm the response models and 'sequence of events' were conducted during the FPRA development. No follow-on talk-throughs were performed to confirm the response models for the finalized FPRA.
The peer review team performed a walk-through of HFE ALTINJMINYEF. During this walk-through, it was discovered that securing suppression pool cooling valves is needed prior to aligning alternate injection. This step is not considered in the FPRA HFE development for ALTINJMINYEF. This was only a single HFE that the peer review team selected to walk through.
The review team observes that a talk through of the 'sequence of events' to confirm the HRA modeling would provide assurance that the HRA and PRM development reflects the as-built as-operated plant.
(This F&O originated from SR HR-E4)
Proposed Solution: Talk-throughs to confirm HEPs and to confirm the response models and
'sequence of events' as applicable, particularly for risk-significant HFEs.
Basis for Significance: An issue was identified from just one HFE chosen to be walked down.
Actual Solution:
The original internal events HEPs that were carried over to the FPRA were evaluated in detail through operator interviews and simulator exercise experience. Most recently (July 2014), these HFEs were reviewed by Xcel when conducting the version 3.2 update of the internal events HRA.
Fire specific information used to update these HFEs for the Fire PRA was verified with PRA staff with operations and training experience. New walk-throughs, interviews and simulator exercise observations were conducted for the MCR abandonment HFEs as documented in Appendices C and D of the MNGP Fire HRA Notebook.
However, the Execution step analysis of ALTINJMINYEF in the HRA Calculator does appear to omit the following Step 3 of Part D of C.5-3203, as discussed in the Finding:
- 3. Verify CLOSED the following valves:
MO-2020, RHR DIV 1 DRYWELL SPRAY - OUTBOARD.
L-MT-17-016 NSPM Page 2 of 95 MO-2006, RHR DIV 1 DISCHARGE TO TORUS OUTBOARD.
MO-2021, RHR DIV 2 DRYWELL SPRAY - OUTBOARD.
MO-2007, RHR DIV 2 DISCHARGE TO TORUS OUTBOARD.
The Execution portion of this HFE was updated accordingly.
In addition, to ensure that the HRA properly reflects the actions required for fire response, the top 15 risk-significant HFEs of the fire PRA were reviewed against the procedures and the HRA notebook updated to make changes, as relevant. This review did not yield any changes that would adversely impact the risk results.
L-MT-17-016 NSPM Page 3 of 95 Change Number: MT-15-0025 F&O Number: 1-3 Associated SR(s): HR-E3, HRA-A1, HRA-A4, HRA-C1, HRA-E1 Detailed Problem
Description:
Fire specific information used to update the FPIE HFEs for the Fire PRA was verified with PRA staff with operations and training experience. However, no specific documentation of these interactions /
verifications was provided.
New HFE RECRHRSVLY appears to have no documentation of an operator interview.
(This F&O originated from SR HR-E3)
Proposed Solution: Provide documentation of talk-throughs with plant operations and training personnel the procedures and sequence of events to confirm that interpretation of the procedures is consistent with plant observations and training procedures. Ensure that all HFEs modeled in the FPRA receive talk-throughs.
Basis for Significance: Documentation of talk-throughs is needed.
Actual Solution:
As discussed in the response to Finding F&O 1-2, the original internal events HEPs that were carried over to the FPRA were evaluated in detail through operator interviews and simulator exercise experience. Most recently (July 2014), these HFEs were reviewed by Xcel when conducting the version 3.2 update of the internal events HRA.
As this Finding indicates, Xcel PRA staff with operations and training experience verified the fire specific information used to update these HFEs for the Fire PRA. New walk-throughs, interviews and simulator exercise observations were conducted for the MCR abandonment HFEs as documented in Appendices C and D of the Fire HRA Notebook.
The new fire HFE RECRHRSVLY was also reviewed by cognizant PRA staff, as indicated by the Reviewer signature on the BE Data screen for this HFE in the EPRI HRA Calculator file. For completeness of documentation, further information on this review was added to the Operator Interview Insights screen. However, it should be noted that the action is already proceduralized and the timing is based on a Job Performance Measure (JPM) used for operator training. Plans are to modify the plant fire procedure to add specific cognitive direction for the action.
Documentation regarding the Xcel review of the fire HFEs is given in Section 6.4 of the MNGP Fire HRA Notebook.
L-MT-17-016 NSPM Page 4 of 95 Change Number: MT-15-0034 F&O Number: 1-4 Associated SR(s): HR-E1, HR-G3, HR-G4, HRA-A1, HRA-A2, HRA-B3, HRA-C1, HRA-E1, HR-H2 Detailed Problem
Description:
The following observations were made regarding ensuring that the HRA reflects the as-built as-operated plant.
For HFE MHPVLOCAL-YEF - Fail to operate the HPV using N2 bottles to provide Containment Heat Removal During a Fire Event/SBO, no procedure and no timing are documented.
Also, two risk-significant HFEs were added as part of the FPRA model development based on pending /
draft plant procedures:
ADGMANST-Y - Operator fails to manually start EDG when auto start logic fails during SBO and fire.
This action was added based on a pending procedure revision to address post-Fukushima issues.
Since this is a pending change, later confirmation will be needed to ensure the FPRA model reflects the as-built, as-operated plant.
RECRHRSVLY - Operator Fails to Manually Control RHRSW Valve CV-1728 or 1729 in Response to Fire-Induced Failure. Procedure step to be added to Plant Fire procedure to direct operators to procedure B08.01.03-05, Section H.3. Since this is a proposed procedural change, later confirmation will be needed to ensure the FPRA model reflects the as-built, as-operated plant.
Additional HFEs are listed in Appendix F of the HRA notebook that were developed based on recommended procedure modifications. These are: FW-REFLG-Y, Fail to control FW following reference leg leak, and VFILLCST-Y, Fail to refill the CSTs. When these procedures are implemented, the HRA documentation would need to be revised to ensure the HRA reflects the as-built as-operated plant.
(This F&O originated from SR HR-E1)
Proposed Solution: For HFEs that are currently developed based on pending procedure changes or draft procedures, ensure the HFEs reflect the as-built as-operated plant when procedure development is complete.
Basis for Significance: The PRA must reflect the as-built as-operated plant.
Actual Solution:
MNGP Operations reviewed the potential procedure modifications identified in Appendix F of the Fire HRA Notebook and the following dispositions were made:
For HFE MHPVLOCAL-YEF, it was determined that another procedure (C.5-3505, venting primary containment) already references Plant Fire procedure C.4-A.8-05.08 for the necessary actions.
For FW-REFLG-Y, the necessary action is already addressed by the FDW high pump trip switch on C-06 per procedure C.5-2006 Part C.
For VFILLCST-Y the execution procedure was changed to B.08.09-05 in the "Procedures and Training" tab of the HRAC database, which proceduralizes the refill of the CST by truck and references the SAMG.
L-MT-17-016 NSPM Page 5 of 95 Regarding ADGMANST-Y, Operations determined that the procedural direction is already addressed in step 26/27 of the SBO procedure C.4-B.09.02.A. Similarly, for RECRHRSVLY, procedure C.5-3203, Alternate Injection for RPV Makeup, already accounts for the necessary actions.
In summary, all actions identified by the Fire HRA as potentially needing procedure changes are already being addressed by such changes or are already proceduralized.
L-MT-17-016 NSPM Page 6 of 95 Change Number: MT-15-0037 F&O Number: 1-6 Associated SR(s): QU-E1, QU-E2, AS-C3, DA-E3, HR-I3, LE-F3, LE-G4, QU-E4, QU-F4, QU-F5, FSS-H9, IGN-B5, UNC-A1, FQ-F1, HRA-E1, SC-C3, SY-C3, UNC-A2 Detailed Problem
Description:
The treatment of uncertainties is documented in the Uncertainty and Sensitivity notebook, 016015-RPT-15 Rev. 1a. The Uncertainty and Sensitivity notebook documents a significant effort to identify sources of model uncertainty, however, the spectrum of uncertainties documented is considered incomplete particularly with respect to assumptions made as part of the FPRA development that have not been identified or characterized as model uncertainties in the Uncertainty and Sensitivity notebook and also, in some cases, generic FPRA model uncertainties recommended for inclusion by EPRI 1026511, PRA Applications and Uncertainty.
A) The following summarizes potential additional areas of modeling uncertainty suggested to consider and document:
ES - Additional potential sources of model uncertainty that arise from MNGP FPRA ES notebook assumptions, but not documented by the Uncertainty and Sensitivity notebook are: 1) the screening of MSO scenarios based on the number of hot shorts, 2) passive components have been excluded from the equipment selection, but no discussion is provided for potential heat impacts to indications that rely on reference legs, 3) instrument air piping is appropriately assumed to be failed due to soldiered joints for specific fire scenarios, but modeling uncertainty may be introduced based on the locations of this piping relative to the zones of influence.
PRM - Additional potential sources of model uncertainty that arise from MNGP FPRA PRM notebook assumptions, but not documented by the Uncertainty and Sensitivity notebook are: 1)
Assigning the same initiating event to all scenarios in a compartment is conservative. In reality, the operators may initiate a controlled shutdown, precluding some equipment failures; 2) the underlying assumptions and uncertainties identified in MNGP PRA Rev 3.1 PRA model apply to the FPRA as well, and these appear to be discussed in the Uncertainty and Sensitivity notebook; 3) the fire water system alternate supply to RHR via LPCI has not been included due to assumed low significance, but may be revisited later in order to refine the FPRA model.
IGN - Additional potential sources of model uncertainty that arise from MNGP FPRA IGN notebook assumptions, but not documented by the Uncertainty and Sensitivity notebook are: 1) for zones where the analysis shows no cable loading information (i.e. no PRA related cables), a value is used to account for non-PRA related cable loading in the zone; 2) Fire ignition frequencies remain constant over time; 3) Among the plants, total ignition frequency is the same for the same equipment type, regardless of differences in the quantity and characteristics of the equipment type that may exist in the plant; 4) Within each plant, the likelihood of fire ignition is the same across an equipment type. For example, pumps are assumed to have the same ignition frequency regardless of size, usage level, working environment, etc.
FSS - Some additional sources model uncertainties to consider would be the impact of hot short events to alternate shutdown, the treatment of smoke effects on equipment, and selection of main control board scenarios. Additionally, the following potential sources of model uncertainty were identified by the review team: 1) all cable is assumed to be unqualified for damage and heat release rate. This assumption introduces potential conservative results where qualified cables may be present; 2) performance of CFAST modeling using standardized evaluation volumes that are used to represent actual compartment spaces introduces the potential for
L-MT-17-016 NSPM Page 7 of 95 conservative and non-conservative results; 3) the treatment of compartment configuration is considered minimal because it is taken from plant drawings, however the actual modeling treatment introduces uncertainty.
CF - An additional potential source of model uncertainty that arises from MNGP FPRA CF notebook assumptions, but not documented by the Uncertainty and Sensitivity notebook is:
except as noted in the circuit failure mode notebook, the conditional probability of circuit failure leading to the failure mode of interest given fire-induced cable damage is assumed to be 1.
HRA - Additional potential sources of model uncertainty that arise from MNGP FPRA HRA notebook assumptions, but not documented by the Uncertainty and Sensitivity notebook are: 1)
Operator access to areas of the plant controlled by card reader access is determined to have a negligible effect on the timing of operator action performance in this analysis; 2) The crew is aware of the fire location within a short time (i.e. within the first ~10 minutes of a significant indication of non-normal condition by fire alarms, multiple equipment alarms, and automatic trip); 3) It is assumed that most fires will be extinguished or contained within 70 minutes of the start of the fire, except for more challenging fires (i.e., turbine generator [T/G] fires, outdoor transformers, high-energy arcing faults, and flammable gas fires). For this reason, operator actions occurring more than 60 minutes after the start of the fire are generally assumed not to be penalized for fire effects; 4) The crew is aware of the need for a plant trip (if it is not automatic); 5) The crew is aware of the need to implement the fire brigade; 6) The crew is aware of the potential for unusual plant behavior as a result of the fire; 7) In general, a fire anywhere in the plant introduces new accident contextual factors and potential dependencies among human actions beyond those typically treated in the internal events PRA that increase (mildly or significantly) the potential for unsafe actions during an accident sequence; 8) Even if one or more Control Room staff members is used to assist in ex-control room activities such as aiding the fire brigade, the minimum allowable number of operators remains available in the Control Room to manage the safe shutdown of the plant, and the crew makeup is similar to that assumed in the Internal Events PRA.
FQ - Assumptions documented in the FQ notebook introduce sources of modeling uncertainty that have not been documented in the Uncertainty and Sensitivity notebook: 1) For 'full-compartment burn' scenarios, all raceways, conduits, and components within the fire compartment, as provided by FRANX, are assumed to fail or operate spuriously, as applicable, with assigned circuit failure mode probabilities if specified. 'Full compartment burn' scenarios are those in which no detailed analysis has been performed and the full compartment is failed at the time of fire ignition; 2) For unscreened multi-compartment fire scenarios, it is assumed that all raceways, conduits, and components within both the exposing fire zone and the exposed fire zone 016015-RPT-14 Task Interfaces and Assumptions Revision 1a Page 7 are failed or operate spuriously, as applicable, with assigned circuit failure mode probabilities if specified, if the fire mitigating systems, such as the fire barrier and the detection/suppression system(s) fail to operate; 3) It is assumed that certain fires in the main control room (Fire Area 9) or relay room (Fire Area 8) may force control room abandonment, requiring the plant to be shutdown manually from outside the main control room (i.e., at the ASDS). One additional modeling uncertainty to consider would be the potential impact of multiple conservatisms to the FPRA results (recommended for inclusion by EPRI 1026511 PRA Applications and Uncertainty).LERF
- No identification / characterization of LERF sources of model uncertainty and related assumptions was found in the FPRA documentation.
AS - No model uncertainties associated with the alternate shutdown modeling are provided or characterized.
L-MT-17-016 NSPM Page 8 of 95 SC - Regarding spurious SRV opening due to hot short impact analysis performed under EPU and MSO conditions (EC 20955) demonstrated that spurious operation of the SRVs in the ASDS scenario for seven minutes would not adversely impact Monticello's safe shutdown analysis, and would not jeopardize the safe and stable condition of the fuel. Based on observation by the peer review, the referenced calculation, EC 20955, does not support this claim.
SY - No sources of modeling uncertainty and related assumptions are identified for SY.
B) Further, the effects to the FPRA are addressed in very general terms and not specifically characterized. The following summarizes the peer review observations:
ES - One source of modeling uncertainty is identified by the Uncertainty and Sensitivity notebook, which is that the systems assumed to be failed introduce conservatism, with no further discussion. No characterization is provided on the degree to which the conservatism impacts the results, and which portions of the FPRA and the FPRA results are significantly impacted.
PRM - The Uncertainty and Sensitivity notebook reviewed the FPIE sources of model uncertainty, and considered these in the context of fire: 1) the potential to open doors for DG fire pump alternate HVAC are based on room heat up calculations, which have inherent uncertainties, and for fire, the DG fire pump has an enhanced role as a source of alternate injection, thus magnifying the uncertainties, but no specific characterization is provided, such as the quantitative magnitude of the uncertainties to the base FPRA model, 2) operator action for replacement of nitrogen bottles has a system time window of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, but calculations show that the bottles will satisfy the 24-hour mission time, which has a significant impact on the FPRA results, but no further discussion is provided on the magnitude of this impact nor areas of the PRA significantly impacted; 3) HPCI NPSH is modeled in the FPIE PRA to not require closure of MO-2064, although such closure is required by the design basis documented. This modeling approach was carried over into the Fire PRA and as such is a source of uncertainty, potentially magnified by the fact that fire-induced spurious operation could prevent successful closure of the valve, but no specific characterization of the impact to the FPRA model is provided.
HRA - Uncertainties introduced by the industry consensus dependent HRA methodology utilized for the MNGP FPRA are discussed very well, but no characterization of the affect to the PRA is provided, such as the HFE combinations that are risk-significant and a discussion regarding the level of realism represented by this risk-significant combinations.
C) Last, the sources of model uncertainty documented in the Uncertainty and Sensitivity notebook do not specifically document the related assumptions. Conversely, generally for the assumptions documented in each of the FPRA notebooks sources of model uncertainty have not been documented. These issues may be remedied by 1) identifying and documenting the related assumptions for each model uncertainty documented in the Uncertainty and Sensitivity notebook, and 2) rolling up the assumptions documented in each of the notebooks for the FPRA technical elements, placing them into the Uncertainty and Sensitivity Notebook, and documenting the model uncertainties related to each of the assumptions.
(This F&O originated from SR HR-I3)
Proposed Solution: Document a more thorough spectrum of sources of model uncertainty, and characterize the impact to the PRA results of each identified model uncertainty.
For each source of model uncertainty, document the related assumptions.
L-MT-17-016 NSPM Page 9 of 95 Basis for Significance: Characterization of uncertainty is good, but is not thorough, particularly with respect to assumptions made as part of the FPRA development that have not been identified characterized as model uncertainties in the Uncertainty and Sensitivity notebook.
Section 1 of RG 1.200, 'A Technically Acceptable PRA,' is clear on stating that the impact to the FPRA results is to be characterized:
'Sources of uncertainty (both parameter and model) are identified and their impact on the results assessed. A source of model uncertainty is one that is related to an issue for which there is no consensus approach or model (e.g., choice of data source, success criteria, reactor coolant pressure seal LOCA model, human reliability model) and where the choice of approach or model is known to have an impact on the PRA results in terms of introducing new accident sequences, changing the relative importance of sequences, or significantly affecting the overall CDF, LERF, or LRF estimates that might have an impact on the use of the PRA in decision-making.'
Additionally, characterization of model uncertainties includes identifying the related assumptions.
Actual Solution:
A table was added to Appendix B of the Fire PRA Uncertainty and Sensitivity Analysis, which addresses assumptions listed for each of the individual analyses for the fire PRA. Each of these assumptions is evaluated as to whether or not it is a source of uncertainty in the Fire PRA as well as the overall impact to the Fire PRA.
L-MT-17-016 NSPM Page 10 of 95 Change Number: MT-15-0038 F&O Number: 1-7 Associated SR(s): HR-G1, LE-C2, HRA-B1, HRA-B3, HRA-C1, HRA-E1 Detailed Problem
Description:
One HFE with LERF risk-significance, (FV =.006, RAW = 1), MHPVASDS-H2-YEF, Fail HP vent from ASDS with containment deinerted for fire outside the MCR, is quantified as a screening HEP, and no cues, procedures/training, event timing have been defined.
(This F&O originated from SR HRA-B3)
Proposed Solution: Ensure that all HFEs modeled in the FPRA receive complete definitions, including accident sequence specific timing of cues, and time window for successful completion, accident sequence specific procedural guidance (e.g., AOPs, EOPs), the availability of cues or other indications for detection and evaluation errors (d) the specific high-level tasks (e.g., train-level) required to achieve the goal of the response.
Ensure that risk-significant HFEs received detailed HEP quantifications.
Basis for Significance: Risk-significant HFE that has not been defined nor developed with a detailed evaluation.
Actual Solution:
HEPs MHPVASDS-H2-Y, MHPVASDS-PD-Y, and MVENTCONT-H2-Y were removed in the internal events model revision 3.3 and in the Fire PRA and replaced with MHPVASDS-Y since this HEP is fully developed (detailed analysis in the HRA Calculator) and is all actions are similar. MVENTCONT-PB-Y, and MVENTCONT-PD-Y were also removed and replaced with MVENTCONTY (detailed analysis in the HRA Calculator) based on similarity of actions. These actions were initially placed in the internal events model for sensitivities.
L-MT-17-016 NSPM Page 11 of 95 Change Number: MT-15-0007 F&O Number: 1-10 Associated SR(s): LE-F2, UNC-A1 Detailed Problem
Description:
The Fire Quantification notebook, 016015-RPT-14 Rev. 1a) documents the FPRA results, including discussion of significant fire scenarios, and documentation of the contributions of fire risk by PAU. No discussion is provided however of a review of the contributors from the perspective of reasonableness to assure that excessive conservatisms have not skewed the results. The FPRA development team acknowledges the need for enhancing FPRA realism in light of the relatively high CDF and LERF results, and high risk contributions from specific PAUs, multi-compartment fire scenarios, and one particular HFE carried over from internal events PRA. These enhancements are still underway.
(This F&O originated from SR LE-F2)
Proposed Solution: Review risk contributors for reasonableness (e.g., to assure excessive conservatisms have not skewed the results, level of plant-specificity is appropriate for significant contributors, etc.).
Basis for Significance: A review of risk contributors for reasonableness is needed to demonstrate technical adequacy of the FPRA.
Actual Solution:
Cutset reviews were performed during the update of the FPRA and during those reviews reasonableness of modeling and results was considered, especially the LERF model. Particular attention was paid to ensure that excessive conservatisms in the model were modified to ensure that the model was sufficiently realistic.
The cutset reviews were documented in the updated FPRA Quantification notebook and included to document the review of reasonableness in the model.
L-MT-17-016 NSPM Page 12 of 95 Change Number: MT-15-0008 F&O Number: 1-12 Associated SR(s): ES-A1, ES-A3, ES-A4, ES-A5, ES-A6 Detailed Problem
Description:
A review for plant-specific MSOs was performed as part of the expert panel process, but the FPRA development team did not produce documentation of a thorough review. Therefore the identification of equipment including spurious operation related to initiating events or plant response may not be complete. Plant-specific MSO review would include, but is not limited to, 1) a P&ID review of all plant systems for potential MSO scenarios that impact the FPRA development, 2) identification of ISLOCA pathways screened from the FPIE PRA and, 3) for LERF, a review of containment isolation pathways screened from consideration from FPIE LERF that are relevant to the FPRA LERF PRM in the context of fire-induced spurious operations.
(This F&O originated from SR ES-A1)
Proposed Solution: Perform a more thorough review of MNGP plant systems for potential MSO scenarios that are not addressed by the generic BWR MSO scenarios, including plant-specific spurious operations or MSO scenarios that cause or contribute to initiating events, or plant response.
Basis for Significance: Review for plant-specific MSOs would potentially identify spurious operations that cause or contribute to initiating events.
Actual Solution:
After the peer review, a plant-specific MSO review was held. An expert panel was re-convened with most of the members of the original FPRA MSO review panel taking part. The panel included experts from PRA, safe shutdown, and plant systems. During the meeting the panel reviewed P&IDs of all plant systems for potential MSO scenarios that impact the FPRA development, ISLOCA pathways and also containment isolation pathways. It was determined that all of the plant-specific MSOs had been identified previously and were included in the original MSO review.
The review of the plant-specific MSOs is now clearly referenced in the ES notebook.
L-MT-17-016 NSPM Page 13 of 95 Change Number: MT-15-0010 F&O Number: 1-14 Associated SR(s): ES-C1 Detailed Problem
Description:
Section 5.5, Table 3 and Table 4 identify additional mitigating, instrumentation, and diagnostic equipment important to human response in the event of a fire. The peer review examined the instruments identified and issues were identified:
MHVPLOCAL-YEF - No cues are identified (HFE is not in the table).
No cue appears to be modeled for ALT-OIL-Y, yet Table 3 lists FI-4393 as a cue.
The ALOWFUEL-Y is used for DG 1 and DG 2 modeling but selects instrumentation for DG 13. DG 13 was used as a proxy for the other two diesels. The day tank instrumentation is not correct for 13 DG and should be revisited to model the correct instruments.
No cues are modeled for ALT-INJ-PB-Y and ALT-INJ-PD2-Y. The FPRA development team indicated during the review week that: For these HFEs, there is no significant dependency on indication. The failure of all high pressure and low pressure injection systems cannot be missed by the operators, which will lead them to explore alternate means of injection. However, no review was performed of the potential for spurious indication (ES-C2) to mislead the operators regarding status of core cooling /
operation of an ECCS pump.
C4H-EASY-Y - Loss of ammeter / voltmeter for either load center appears to fail the operator action for both load centers, which appears conservative.
ALOWFUELHY and ALOWFUEL-Y were carried over from the internal events PRA and are anticipated to be removed in the next revision of the Internal Events model due to plant modifications. Based on this, the Fire PRA may also be updated accordingly to remove these HFEs. In the case these HFEs are elected to remain in the Fire PRA model, the underlying cue modeling may need further refinement to tie each tank to its associated indication. FS-3236 and FS-3237 are in the model under gates A-INSTR-11 and A-INSTR-12.
Cues listed for ADG13BFD-Y in ES notebook Table 3 are F/DG1/C-08 and F/DG2/C-292. The HRA Calculator indicates that both cues are needed to perform the action. Only F/DG1/C-08 modeled (gate AA024-1). The FPRA development team indicated during the review week that: In case of SBO, there will be multiple cues in the control room (loss of lights, loss of equipment) that will lead the operators to use DG13 as a backup to feed essential loads. It seems that Basic Event AICC08FRQR was conservatively inserted here and could be removed altogether from Gate AA024-1. Therefore further work is needed to ensure the modeling and documentation are reasonable / representative.
Cues for ALTBATCHGY documented as No indication, visual verification, which is unclear. The FPRA development team indicated during the review week that: This HFE is related to ADG13BFD-Y, discussed previously. In case of SBO, it is expected that there would be multiple cues that would lead the operators to provide power to battery chargers, making the direct modeling of such cues in the model unnecessary. Therefore further work is needed to ensure the modeling and documentation are reasonable / representative.
ALTINJNOMY: Remarks for ALTINJNOMY say Reactor water level at ASDS, but the gate modeled for the cues for ALTINJNOMY is the same gate modeled for ALTINJMINY and ALTINJHRSY. The FPRA
L-MT-17-016 NSPM Page 14 of 95 development team indicated during the review week that: The notebook indicates that reactor water level indication is available at the ASDS panel, but this key monitoring indication is also available in the control room. Further work is needed to ensure the modeling and documentation are reasonable /
representative.
(This F&O originated from SR ES-C1)
Proposed Solution: Identify instrumentation that is relevant to the operator actions for which HFEs are defined or modified to account for the context of fire scenarios in the Fire PRA, per SRs HRA-B1 and HRA-B2.
Basis for Significance: Several issues identified, and therefore a finding is assessed.
Actual Solution:
MHVPLOCAL-YEF - The HFE name is actually MHPVLOCAL-YEF. The cue for this HFE identified by the Fire HRA is drywell pressure above 2 psig, so the HFE and its associated instrumentation were added to Table 3 of the ES Notebook and to the FPRA model.
ALT-OIL-Y - The ES Notebook was corrected to remove FI-4393. The cue for ALT-OIL-Y is that the alternate means to provide fuel to the DGs has failed. The current FPRA modeling is correct, but will be coordinated in the future with changes to the internal events model along with related HFEs ALOWFUEL-Y and ALOWFUELHY (see below).
ALOWFUEL-Y and ALOWFUELHY -
ALOWFUELHY has been removed from the internal events model and the modeling of the diesel oil system has been revised to include the following HFEs:
OALT-OIL-Y Fail to align fuel oil supply from gas powered pump or supply DFP tank with division 1 FOTPs OLOWFUEL-Y Fail to start second diesel oil pump in division if first pump fails There are 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available to refuel the diesel generators (as indicated in the time window data of the HFEs), at which point the fire is expected to be extinguished. The operators would be aware that the fuel supply to the diesel needs to be checked. In particular, Step 1 of sections E.1 and E.2 of Operations Procedure B.09.08-05 directs the operators to record EDG parameters on the log sheet contained in procedure 2301, EDG Operating Logs. Procedure 2301 requires hourly logging of Day Tank Fuel Oil Level as well as Base Tank Fuel Oil Level for an EDG that is in operation. Within the fuel oil day tank room for each of the EDGs, there is a local level indicator (LIS-1528 and LIS-1529) for the day tanks (T-45A, and T-45B respectively). Mounted on each of the EDG base tanks, there is base tank fuel oil level indication. Thus, indication for the level would always be available (as least as long as the fire is not in the room, but if it is, the tank is not credited in the Fire PRA). Therefore, the current modeling of the Fire PRA, which includes failure of the human actions by fire-induced loss of level sensors is conservative and overestimates the risk.
ALT-INJ-PB-Y and ALT-INJ-PD2-Y - BWR flow charts are designed to prompt multiple parameter checks for RPV level, RPV pressure and drywell pressure. Given the list of indications for these HFEs in ES Notebook Table 3, it is unlikely that a single spurious indication could mislead the operators. In addition, spurious indications for these level and pressure instruments are routinely addressed in operator classroom and simulator training. Therefore, no specific review is planned.
C4H-EASY-Y - No ammeter/voltmeter is needed, so the instrumentation gate associated with this HFE was deleted from the model. The ES notebook removed the instruments from Table 3.
L-MT-17-016 NSPM Page 15 of 95 ADG13BFD-Y - No frequency meter is needed, therefore basic event AICC08FRQR was deleted from the FPRA model. The ES notebook removed the instruments from Table 3 and change the Remarks to, In case of SBO, there will be multiple cues in the control room (loss of lights, loss of equipment).
ALTBATCHGY - In case of SBO, it is expected that there would be multiple cues that would lead the operators to provide power to battery chargers, the direct modeling of such cues in the model is unnecessary and so was deleted from the FPRA model. This was coordinated with the model changes for ADG13BFD-Y and the text in Table 3 of the ES Notebook was clarified.
ALTINJNOMY, ALTINJMINY and ALTINJHRSY - The current modeling strategy is considered to be correct. Alternate injection will be performed from the control room, using the instrumentation available there.
To address the F&O, the following actions were taken:
Changed Table 3 of the ES Notebook to include the control room indication; Clarified the note in Table 3 of the ES notebook to state that RPV level indication is also available at the ASDS panel, as modeled by Gate L-RX-LVL (LI-4108 and LI-4107 are indications at the ASDS panel);
In the fault tree, clarified at Gate L-RX-LVL that the indication is located at the ASDS panel.
L-MT-17-016 NSPM Page 16 of 95 Change Number: MT-15-0011 F&O Number: 1-15 Associated SR(s): ES-C2 Detailed Problem
Description:
No documentation is provided of a review to identify instrumentation associated with each operator action to be addressed in the FPRA whereby one of the modes of failure to be considered is spurious operation of the instrument.
(This F&O originated from SR ES-C2)
Proposed Solution: Identify instrumentation associated with each operator action to be addressed in the FPRA based on fire-induced failure of any single instrument whereby one of the modes of failure to be considered is spurious operation of the instrument.
Basis for Significance: The potential for fire-induced spurious operations of instrumentation to impact the successful performance of operator actions needs to be considered.
Actual Solution:
The Fire HRA Notebook Appendix G documents the detailed procedure review that was performed to identify single instruments that if spuriously operated would be likely to cause an undesired operator response because there was no clear requirement in the procedure to check or verify the instrument reading before taking an action. Such instances are rare due to continual industry and internal plant reviews of procedures.
As a result of this review, fifteen (15) such procedure cases (involving eighteen different instruments) were identified and are listed in Fire HRA Notebook Table 5-2. A further review was performed by Xcel staff with significant system and operations knowledge, as well as by the fire HRA team. As a result of this review, the updated disposition of the eighteen (18) indications is the following:
Nine (9) were not credited in the fire PRA model because the equipment associated with the instruments is already considered failed during a fire; Four (4) were found to have been miscategorized as leading to an undesired action because operator disablement of the system or equipment when it is specifically required to function is not considered credible.
Three (3) were not modeled because the postulated undesired operator action, to shut down equipment one by one until the ground is identified, is not considered credible, given that operators are generally aware of potential spurious signals caused by fire; and Two (2) were not needed in the model because the cable-induced failure causing the spurious indication already causes the failure of the component (EDG) functional state.
Table 5-2 of the Fire HRA Notebook has been updated accordingly and the Equipment Selection Notebook section 5.5.2 was revised as necessary to include documentation of this update.
Regarding spurious operation of instruments associated with modeled operator actions (HFEs), as noted in F&O 1-22, the fire HRA modeling strategy has been to presume degraded cues and to
L-MT-17-016 NSPM Page 17 of 95 penalize the HFE on that basis. This strategy is consistent with the guidance in NUREG-1921 for considering the impact of confusing or less than optimal cues due to fire on operator performance.
L-MT-17-016 NSPM Page 18 of 95 Change Number: MT-15-0012 F&O Number: 1-16 Associated SR(s): ES-A1, ES-A4, ES-A5, ES-A6 Detailed Problem
Description:
The FPIE initiating events analysis reviewed plant systems for initiating events potential and screened out the systems as applicable. No documentation was provided for the FPRA development to review this screening to determine whether any screening performed for the FPIE is not applicable in the context of fire. The peer review examined this list in the FPIE internal events notebook and identified one system to consider for inclusion in the FPRA: Off gas holdup. Failure of the system can cause loss of condenser vacuum, and this is implicitly treated in the FPIE PRA by the loss of condenser initiating event. However, such impact could result from fire damage, and therefore would need to be considered for the FPRA equipment selection.
(This F&O originated from SR ES-A1)
Proposed Solution: Review the FPIE initiating events development for screening of initiating events for internal events that do no remain valid in the context of fire, and include the applicable equipment on the FPRA equipment list.
Basis for Significance: Systematic issue Actual Solution:
All systems that were considered for initiating events in the FPIE were considered for the FPRA. No systems that were screened for the internal events initiating events analysis were required to be added for the FPRA.
The offgas holdup system is considered in the Fire PRA and is modeled in the CDR (Main Condenser) system tree. Components from this system were included in the FPRA ES and had cable selection performed. This system was modeled in the FPRA at the time of peer review and is still included in the current model.
The following offgas holdup system components are modeled in the FPRA. Details about how these are modeled can be found in the ES database and PRM model.
BE NAME BE Description Passport EquipId GCMC1001AR12 Offgas compressor C-1001A fails to run C-1001A GCMC1001BR12 Offgas compressor C-1001B fails to run C-1001B GCMC1001BS OG COMPRESSOR C-1001B FAILS TO START C-1001B GCMC1002AR12 Chiller compressor C-1002A fails to run C-1002A GCMC1002BR12 Chiller compressor C-1002B fails to run C-1002B GCMC1002BS CHILLER COMPRESSOR C-1002B FAILS TO START C-1002B GPMP1002AR12 CHILLED WATER PUMP P-1002A FAILS TO RUN P-1002A GPMP1002BR12 CHILLED WATER PUMP P-1002B FAILS TO RUN P-1002B GPMP1002BS CHILLED WATER PUMP P-1002B FAILS TO START P-1002B GVACV1928F AOV CV-1928 FAILS TO REMAIN OPEN CV-1928 GVACV7583F AOV HCV-7583 FAILS TO REMAIN OPEN HCV-7583 GVACV7583N AOV HCV-7583 FAILS TO OPEN HCV-7583
L-MT-17-016 NSPM Page 19 of 95 Change Number: MT-15-0014 F&O Number: 1-18 Associated SR(s): PP-B5 Detailed Problem
Description:
According to the Section 3.0 of the Plant Boundary and Partitioning Notebook no active barrier (e.g., a water curtain, normally open fire doors and fire dampers) has been credited in the portioning scheme.
During conduct of the plant walk down on 3/4/2015 two such separation elements were identified that are representative of the elements that should be credited for separation. The double doors located in the barrier separating FZ-2C and FZ-2B are held open with fusible link hold-open devices. Another example is the normally open fire damper located in the barrier separating FZ-2A and FZ-2B. These two instances are examples only and should not be considered indicative of all such occurrences.
Information concerning the credit of such elements should be added to the justification for separation of such Fire Zones.
(This F&O originated from SR PP-B5)
Proposed Solution: Ensure that available, active fire barrier elements are credited in the partitioning.
Basis for Significance: Satisfaction of CCII for this SR requires crediting active fire barrier elements such as active fire doors.
Actual Solution:
Section 3.0 has been revised such that fire dampers are not included in the list of non-credited active partitioning features. Instead, the Plant Boundary and Partitioning Notebook clearly states that fire dampers located in credited fire barriers are credited in the plant partitioning scheme.
The failure probability of these dampers to contain fire effects is captured in the multi-compartment analysis.
Section 3.0 has also been revised to state that normally open fire doors that are held open by a fusible link are also credited in the plant partitioning scheme. The only normally open fire doors that are credited in the analysis are Doors 410A and 410B, which separate Fire Zone 2B and Fire Zone 2C.
By crediting this active feature, an update to the multi-compartment analysis was also necessary.
Specifically, the barrier failure probability for these doors was set equal to a screening value of 0.1; a typical normally closed doorway is assigned a barrier failure probability of 7.4E-03.
It should be noted that no other active partitioning features, such as a water curtain, are credited in the plant partitioning scheme.
L-MT-17-016 NSPM Page 20 of 95 Change Number: MT-15-0015 F&O Number: 1-19 Associated SR(s): QU-D5, FQ-E1, FQ-F1, HR-G7, HR-H3, HRA-C1, QU-C2, LE-E4, LE-F2, UNC-A2 Detailed Problem
Description:
The HRA dependency analysis uses a joint HEP floor of 1E-7, which is low relative to the guidance (which recommends 1E-6 or 1E-5 depending on the scenario / sequence) particularly in the context of fire scenarios.
The peer review examined the risk-significant dependent HFE combinations risk achievement worth significance and found none with HFE combination probabilities less than 1E-5.
However, dependent combinations with low floors may be truncated by the 1E-12 truncation level.
Therefore, it is unknown whether the use of the 1E-7 floor produces a risk-significant impact.
(This F&O originated from SR QU-D5)
Proposed Solution: Examine through sensitivity studies whether use of a higher joint HEP floor, or a lower PRA truncation, would produce risk-significant changes to the FPRA results, and consider the use of a higher joint HEP floor if so.
Basis for Significance: Potential risk-significant impact.
Actual Solution:
The dependency analysis was revised and performed with a general joint HEP floor set to 1.0E-05. For some combinations that involve long-term decay heat removal actions or LERF-reduction specific actions, a minimum joint HEP floor of 1E-06 was used. Maintaining a lower minimum joint probability for these combinations is appropriate because they will take place many hours after the fire, at which point the activation of the Technical Support Center (TSC) would be able to provide a mind frame that allows for a 1E-06 minimum joint dependency threshold. This is documented in the Fire Human Reliability Analysis Notebook.
L-MT-17-016 NSPM Page 21 of 95 Change Number: MT-15-0018 F&O Number: 1-21 Associated SR(s): HR-F1, HR-F2, ES-C2, HRA-B4, HRA-E1 Detailed Problem
Description:
No documentation of inclusion of the undesired operator actions documented in Table 5.2 of the HRA notebook into the FPRA was provided in the FPRA notebooks, in particular the plant response model notebook.
The peer review observed that impacts for level transmitters related to undesired actions (LS-13-74, FT-1095A, FT-1095B) were modeled incidentally in the FPRA, but the functional states related to spurious operation were not included for these transmitters on the FPRA equipment list nor included in the FPRA, and no corresponding undesired HFEs were defined.
150/151-510-A and 150/151-510-B and 150/151-510-C are related to a potential undesired action that could stop P-61, but no functional states related to spurious operation were identified in the equipment selection nor included in the FPRA and no undesired HFE was modeled. The FPRA development team indicated that P-61 is assumed to be failed for the FPRA development, but the review team suggests that it is better to include the modeling and assume that it also is failed (due to the potential that later PRA updates could credit P-61, and this potential undesired action would need to be captured).
No functional states related to spurious operation were identified in the equipment selection nor included in the FPRA and no undesired HFE(s) was modeled related toTS-7048, TS-7056, TS-7050, TS-7058. The FPRA development team indicated that the undesired HFE(s) that would arise from spurious operation of these instruments related to SW operation, which they indicated was not modeled in the FPRA. However, SW was observed to be modeled in the FPRA.
No functional states related to spurious operation were identified in the equipment selection nor included in the FPRA and no undesired HFE(s) was modeled related 186-502, TIS-7320, 159N/DG1, and 159N/DG2.
(This F&O originated from SR HRA-B4)
Proposed Solution: Include HFEs for cases where fire-induced instrumentation failure of any single instrument could cause an undesired operator action.
Basis for Significance: The FPRA does not included modeling of HFEs for cases where fire-induced instrumentation failure of any single instrument could cause an undesired operator action.
Actual Solution:
As stated in the response to F&O 1-15, Fire HRA Notebook Table 5-2 lists the fifteen (15) procedure cases (involving eighteen different instruments) that were originally identified where single instrument spurious operation was considered likely to cause an undesired operator response.
In response to this F&O, a further review was performed by Xcel staff with significant system and operations knowledge, as well as by the fire HRA team. As a result of this review, the updated disposition of the eighteen (18) indications is the following:
Nine (9) were not credited in the fire PRA model because the equipment associated with the instruments is already considered failed during a fire;
L-MT-17-016 NSPM Page 22 of 95 Four (4) were found to have been miscategorized as leading to an undesired action because operator disablement of the system or equipment when it is specifically required to function is not considered credible.
Three (3) were not modeled because the postulated undesired operator action, to shut down equipment one by one until the ground is identified, is not considered credible, given that operators are generally aware of potential spurious signals caused by fire; and Two (2) were not needed in the model because the cable-induced failure causing the spurious indication already causes the failure of the component (EDG) functional state.
Table 5-2 of the Fire HRA Notebook has been updated accordingly and the Equipment Selection Notebook was revised as necessary to include documentation of this update (Section 5.5.2).
It should be noted, however, that in several cases, it has been suggested that a warning could be added to the procedure in question that the signal is spurious in case of a fire in particular Fire Zones.
L-MT-17-016 NSPM Page 23 of 95 Change Number: MT-15-0019 F&O Number: 1-22 Associated SR(s): HRA-C1 Detailed Problem
Description:
The following HFEs contribute significantly to the FPRA results (FV value for the HEP is above 0.005 or the HFE combination(s) in which some appear are above 0.005):
ADGMANST-Y - Operator fails to manually start EDG when auto start logic fails during SBO and fire C4H-EASY-YEF - Fail to restore loads (simple CR action) after LOSP and ECCS load shed given a fire outside the MCR HPI-CNTRLYEF - Fail to control FW, HPCI, or RCIC following a transient given a fire outside the MCR HPI-CNTRLYIF - Fail to control FW, HPCI, or RCIC following a transient given a fire inside the MCR MHPVLOCAL-YEF - Fail to operate the HPV using N2 bottles to provide Containment Heat Removal During a Fire Event/SBO RECBKRVLVYEF - Fail to locally operate breaker or valve on loss of 125 VDC or other circuit failure (exMCR fire)
XDEP40MINYEF - Fail to depressurize within 40 minutes (transient, no SORV) given a fire outside the MCR The HEPs for these HFEs are quantified from the perspective that the relevant cues are degraded (some but not all of the cues are unavailable or spuriously operating). Consideration has not been given to modeling versions of the HFEs where cues are not degraded, and therefore more realistically taking into account the context presented by the fire scenarios in the Fire PRA.
The FPRA development team indicated that because the operators may be distracted by spurious fire induced alarms or misleading ancillary instrumentation not explicitly modeled in the Fire PRA logic. It was considered that failing to account for this possibility may cause the fire risk to be inadequately represented in the model. This is considered by the review team to be a reasonable assessment for the initial FPRA quantifications. However, further consideration is judged to be warranted to assess whether consideration be given to modeling HFEs for the condition where cues are available for the action.
(This F&O originated from SR HRA-C1)
Proposed Solution: Consider defining and modeling HFEs for applicable fire scenarios in which cues are not impacted.
Basis for Significance: Potential risk-significant impact Actual Solution:
The issue of operator distraction or confusion from spurious or potentially contradictory cues has been a key concern of U.S. NRC personnel involved in evaluating and auditing fire HRA. Since the current modeling approach to assess fire HFEs by presuming degraded cues addresses those concerns and is, by the Peer Reviews admission considered by the review team to be a reasonable assessment for the
L-MT-17-016 NSPM Page 24 of 95 initial FPRA quantifications, no changes were made. Furthermore, these distinctions are not required by the ASME PRA standard. Since this is only a slightly conservative assumption, it does not significantly impact the PRA model and its insights.
L-MT-17-016 NSPM Page 25 of 95 Change Number: MT-15-0021 F&O Number: 1-24 Associated SR(s): LE-F2, QU-D5, PRM-A4, PRM-C1, FQ-A3, FQ-F1, QU-B1, FQ-B1, UNC-A2 Detailed Problem
Description:
The peer review noted issues related to the output produced from the fire modeling database FMDB.
FMDB contains queries that combine the fire scenario information and the cable selection and location information into the tables utilized by FRANX to quantify the FPRA scenarios:
The review team noted that equipment impacts from fire damage for a full burnup scenario of the yard were not translating from the cable selection to the plant response model. Fire damage impacts therefore were missing from the fire scenario modeled. Further review indicated that items coded as '2',
for example, in the zone-to-raceway table were not translating into fire impacts due to a missing query in the FMDB. This impacted fire scenarios for the yard, and the scenarios that end with EC5 (i.e.,
scenarios in which the ignition source is an electrical cabinet for which only the cabinet itself was damaged), in addition to other scenarios.
The review team also noted that all fire scenarios involving HEAF their respective targets are not include were not included in the FPRA PRM modeling.
Based on these observations, the review team did not have confidence that the FMDB demonstrated the capability to generate appropriate results.
(This F&O originated from SR PRM-A4)
Proposed Solution: Demonstrate that the FMDB generates appropriate results as well as outputs to FRANX through a process of verification.
Construct the Fire PRA plant response model consistent with the scope and location of equipment and cables (accounting for cable damage effects on the equipment of interest) per Section 4.2.2 and Section 4.2.3.
Basis for Significance: Potential risk-significant impacts.
Actual Solution:
The fire scenario associated with full zone damage to the Yard has been corrected. To do so, the following verifications have been conducted:
- 1. The fire scenario associated with full zone damage to the Yard, which is originated and maintained in the Fire modeling Database was reviewed to ensure that all the targets mapped to the Yard were accounted for.
- 2. The FRANX quantification tables (i.e., FRANX Scenarios table and FRANX Zone To Raceway table) generated in the fire modeling database and exported to FRANX were reviewed to ensure that the Yard scenario was appropriately specified.
- 3. The FRANX quantification was reviewed to ensure that the scenario was treated and quantified correctly FRANX.
The risk contribution of the full zone burn in the Yard is now correctly accounted for in the MNGP Fire PRA.
L-MT-17-016 NSPM Page 26 of 95 Change Number: MT-15-0022 F&O Number: 1-26 Associated SR(s): AS-A10, AS-A4, AS-A5, AS-A7, PRM-B5, PRM-C1 Detailed Problem
Description:
The alternate shutdown (ASD) accident sequence development is developed for the case in which 40 minutes are available to establish alternate shutdown to establish core cooling through the use of core spray train B and decay heat removal through RHR train B.
Issues were identified associated with the accident sequence and system modeling development for ASD:
Spurious SRV opening due to hot short impact is not addressed by the ASD modeling. Analysis performed under EPU and MSO conditions (EC 20955) demonstrated that spurious operation of the SRVs in the ASDS scenario for seven minutes would not adversely impact Monticello's safe shutdown analysis, and would not jeopardize the safe and stable condition of the fuel. Based on observation by the peer review, the referenced calculation, EC 20955, does not support this claim in that time frame.
The peer review team queried regarding the time available for one SRV open to reach core damage, and the FPRA development team indicated 17 minutes are available. Therefore, two relevant accident sequences are presented, which are not modeled: 1) SRVs spuriously open for seven minutes or less and reclose due to hot short(s) going to ground; the time available to perform ASD may need to be adjusted for this case. The FPRA development team performed a MAAP run for the peer review team and found that 30 minutes are available to perform ASD is one SRV spuriously opens for seven minutes and recloses, and 27 minutes are available if two SRVs are spuriously open for seven minutes.
These T/H results significantly impact the timing for the HFE development for ASD (as currently modeled in the HRA calculator, there would be insufficient time available to execute ASD). This strongly suggests that additional HFEs would need to be identified for this particular ASD sequence; and 2)
SRVs spuriously open and do not reclose in time to be mitigated by ASD or to prevent core damage, including probabilities for hot short duration.
(This F&O originated from SR PRM-B9)
Proposed Solution: Ensure that the accident sequence development for alternate shutdown accounts for all applicable MSO scenarios.
Basis for Significance: ASD is a risk-significant FPRA contributor.
Actual Solution:
Draft T/H analyses were recently performed to ascertain the time available for human actions at the ASDS panel. These T/H analyses account for various numbers of SRVs spuriously opening, each yielding a different time window. The ASD model and associated human failure events (HFEs) have been updated accordingly to reflect the latest data.
L-MT-17-016 NSPM Page 27 of 95 Change Number: MT-15-0024 F&O Number: 1-29 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook 016015-RPT-07 incorporates a 10 minute propagation to adjacent panels based on the guidance in Appendix S of NUREG/CR-6850. The lack of Main Control Board partitioning between panels may not support the use of the Appendix S timing.
(This F&O originated from SR FSS-B2)
Proposed Solution: Assess the Main Control Board partitioning between panels to ensure the Appendix S propagation timing is appropriate and provide justification. Alternatively, utilize a method to model the propagation between panels.
Basis for Significance: The propagation timing to the adjacent panels would impact the non-suppression probabilities and time to abandonment.
Actual Solution:
Per Appendix S of NUREG/CR-6850, the propagation time between panels was assumed to be ten minutes when there is a potential for cables in an adjacent panel to be in contact with the panel boundaries. The MNGP Fire PRA uses this ten minute propagation time, which is the value recommended in the guidance. However, due to the lack of partitioning between panels of the Main Control Board, an additional sensitivity analysis was conducted to evaluate the impact of changes to this propagation time.
The sensitivity analysis postulates fire propagation between panels at both five and fifteen minutes after ignition. In order to minimize the flow of combustion products out of the model domain and develop a conservative analysis, it is assumed the mechanical ventilation system is inoperative and all doors remain closed. The results for the abandonment times for the sensitivity analysis are shown in Table 1 below.
Sensitivity to the Time for Cabinet Propagation when the Mechanical Ventilation is Inoperative and All Doors Remain Closed Fire Scenario Sensitivity Condition Abandonment Time (min)
Bin 4 Heat Release Rate Bin 8 Heat Release Rate Bin 12 Heat Release Rate MCR Open Electronic Cabinet; Multiple Bundles; Spreads Base (10 minutes) 10.5 (T) 7.0 (T) 5.6 (T) 5 minutes 8.9 (T) 6.6 (T) 5.5 (T) 15 minutes 10.6 (T) 7.0 (T) 5.6 (T)
The results are considered to be not sensitive to variations in the assumed time for propagation between cabinets. The sensitivity results are discussed below.
Multiple cable bundle electrical panel fire in the MCR (propagating), variations in abandonment time was less than 2 minutes for a very conservative propagation time of 5 min. For a propagation time of 15 min, the resulting abandonment time was very similar to the one obtained with the base assumption of 10 minutes.
L-MT-17-016 NSPM Page 28 of 95 Multiple cable bundle electrical panel fire in the MCR (propagating), variations in abandonment time was less than 1 minutes for a very conservative propagation time of 5 min. For a propagation time of 15 min, the resulting abandonment time was very similar to the one obtained with the base assumption of 10 minutes.
Since the results of the sensitivity analysis does not suggest large differences in the abandonment times, particularly for the conservative assumption of 5 minutes of propagation between panels, the results assuming 10 minute propagation following the guidance of NUREG/CR-6850 are justified..
L-MT-17-016 NSPM Page 29 of 95 Change Number: MT-15-0029 F&O Number: 1-35 Associated SR(s): ES-C2 Detailed Problem
Description:
Instruments were identified from the review of ARPs whose spurious operation could result in undesired operator actions, but it is not clear from the FPRA documentation whether these instrument spurious operations were added to the FPRA equipment list. Later confirmation was made during the review that some of the identified instruments were not added to the FPRA equipment list.
(This F&O originated from SR ES-C2)
Proposed Solution: Include instrumentation whose fire-induced failure, including spurious indication, even if they are not relevant to the HFEs for which instrumentation is identified within the scope defined by ES-C1, on the FPRA equipment list if the failure could cause an undesired operator action related to that portion of the plant design credited in the analysis.
Basis for Significance: Instrumentation whose fire-induced failure, including spurious indication, even if they are not relevant to the HFEs for which instrumentation is identified within the scope defined by ES-C1, is to be included on the FPRA equipment list if the failure could cause an undesired operator action related to that portion of the plant design credited in the analysis.
Actual Solution:
As stated in the responses to F&Os 1-15 and 1-21, the fifteen (15) procedure cases (involving eighteen different instruments) that were identified where single instruments that if spuriously operated would be likely to cause an undesired operator response are listed in Fire HRA Notebook Table 5.2. The scope defined by ES-C1 refers to HRA-B1, which in turn refers to HRA-A1, whose scope is the internal events HFEs carried over to the fire HRA. The procedure review included the full spectrum of AOPs, EOPs and ARPs, not just those associated with the internal events HFEs credited in the Fire PRA. The results of the procedure review are summarized in Table 5.2 and documented in detail in Appendix G of the Fire HRA notebook.
Upon the issuance of the question posed in this and other F&Os during the Peer Review, the list of instrumentation identified in Table 5.2 was reviewed by Xcel staff with significant operations and training background, as well as by the fire HRA team. As a result, the updated disposition of the eighteen (18) indications is the following:
Nine (9) were not credited in the fire PRA model because the equipment associated with the instruments is already considered failed during a fire; Four (4) were found to have been miscategorized as leading to an undesired action because operator disablement of the system or equipment when it is specifically required to function is not considered credible.
Three (3) were not modeled because the postulated undesired operator action, to shut down equipment one by one until the ground is identified, is not considered credible, given that operators are generally aware of potential spurious signals caused by fire; and Two (2) were not needed in the model because the cable-induced failure causing the spurious indication already causes the failure of the component (EDG) functional state.
L-MT-17-016 NSPM Page 30 of 95 Table 5-2 of the Fire HRA Notebook has been updated accordingly and the Plant Response Model and Equipment Selection Notebook will be revised as necessary to include documentation of this update.
It should be noted, however, that in several cases, it has been suggested that a warning could be added to the procedure in question that the signal is spurious in case of a fire in particular Fire Zones.
L-MT-17-016 NSPM Page 31 of 95 Change Number: MT-15-0030 F&O Number: 1-36 Associated SR(s): QU-D2, FQ-E1 Detailed Problem
Description:
The Quantification notebook documents the sequences of events for the dominant CDF and LERF fire scenarios. However, based on the issues identified for the CS and PRM elements, the review team concludes that cutset reviews were not performed to the extent needed to ensure FPRA model realism.
(This F&O originated from SR QU-D2)
Proposed Solution: Review the results of the PRA for modeling consistency (e.g., event sequence model's consistency with systems models and success criteria) and operational consistency (e.g., plant configuration, procedures, and plant-specific and industry experience).
Basis for Significance: Risk-significant issues were identified in the FPRA model that would have been observable by review of results, and therefore the review team finds the review the review of results of the PRA for modeling consistency to be insufficient.
Actual Solution:
At the time of peer review, the CDF and LERF numbers were higher than acceptable. This was known going in to review. One of the factors contributing to the high risk values is model conservatisms.
Detailed cutset reviews were performed during the quantification process and were documented in the Quantification notebook, however, there were known conservatisms.
After the peer review, the model was refined to address F&Os and reduce risk, including updated ASD modeling, additional CFMLA, etc. Additional cutset reviews were performed. Model realism was considered carefully during these reviews and the reviews were documented as part of the updated Quantification notebook.
L-MT-17-016 NSPM Page 32 of 95 Change Number: MT-15-0031 F&O Number: 1-37 Associated SR(s): QU-D7, FQ-E1 Detailed Problem
Description:
No documentation was provided of a review of the importance of components and basic events to determine that they make logical sense.
(This F&O originated from SR QU-D7)
Proposed Solution: Review the importance of components and basic events to determine that they make logical sense.
Basis for Significance: Review of the importance of components and basic events to determine that they make logical sense is required.
Actual Solution:
The FPRA Quantification notebook at the time of peer review did not include descriptions of the importance results that were listed in Section 5.4. The updated notebook includes a summary of the importances for each table of importance results and details on the reasoning for their importance.
L-MT-17-016 NSPM Page 33 of 95 Change Number: MT-15-0035 F&O Number: 1-40 Associated SR(s): SY-A5 Detailed Problem
Description:
System modeling was added for: alternate shutdown modeling, instrumentation that supports operator actions modeled by the FPRA, as well as system modeling for MSOs 2c, 2j, 2k, 2o, 2ai, 2aj, 3a, 3b, 3c, and 5a (failure of load shed only), 5g, 7a. No documentation is provided on the consideration of the potential effects of alternate system alignments.
MSO scenarios introduce new equipment and new flow paths into the PRA, which potentially are impacted by alternate system alignments. As an example, MSO 2c models spurious opening of the steam line drains, and an alternate system alignment could alter the destination of the leakage flow.
The FPRA development team would need to at least examine the potential for any of the new components / flow paths modeled, and document what they found. No documentation and no self-assessment of SY-A5 were provided in the notebooks.
(This F&O originated from SR SY-A5)
Proposed Solution: Include the effects of both normal and alternate system alignments, to the extent needed for CDF and LERF determination.
Basis for Significance: Potential alternate alignments need to be considered in the development of system models.
Actual Solution:
Normal, alternate, and emergency system alignments are captured by the use of flags in the internal events PRA model as documented in Section 1 of each of the PRA system notebooks.
Review of new system modeling for MSOs, alternate shutdown, and added instrumentation, did not identify any system alignments that were not already considered as part of the internal events modeling. The PRM notebook has been revised to include a statement about the review of potential alignments.
L-MT-17-016 NSPM Page 34 of 95 Change Number: MT-15-0039 F&O Number: 2-1 Associated SR(s): PP-B3, PP-C3 Detailed Problem
Description:
The requirement for this SR is to JUSTIFY credited spatial separation. This section does not provide the required justification. The documentation should include an evaluation that establishes why the separation provided by "space" will ensure that the adverse effects of fire will be substantially contained in each of the adjacent PAUs.
(This F&O originated from SR PP-B3)
Proposed Solution: Each credited spatial separation barrier should be justified to establish that the barrier will substantially contain the adverse effects of fire.
Basis for Significance: This SR requires that justification be provided for credited spatial separation; no such justification is provided.
Actual Solution:
As stated in Section 3.0 of the Plant Boundary and Partitioning Notebook, the spatial separation between fire zones is not expected to substantially confine fire generated conditions such as smoke.
Instead, the probability that fire generated effects propagate across this boundary is captured in the multi-compartment analysis. In the cases where spatial separation is credited between fire zones, a barrier failure probability of 1.0 is assigned to these multi-compartment scenarios. Per the guidance of NUREG/CR-6850, multi-compartment combinations are screened where a hot gas layer is not expected in the exposing zone.
Further, the qualitative assessment provided in the resolution to F&O 4-14 qualitatively addresses the localized effects of fires near openings at credited boundaries. The assessment suggests that the localized fire effects near boundaries is low.
L-MT-17-016 NSPM Page 35 of 95 Change Number: MT-15-0042 F&O Number: 2-3 Associated SR(s): PP-B7, PP-C3 Detailed Problem
Description:
According to the Section 4.0 of the Plant Boundary and Partitioning Notebook confirmatory walk downs of the plant partitioning was performed to verify the conditions and characteristics of the credited partitioning elements for each Fire Zone and to verify that the zone drawings reflect as-built conditions.
According to the notebook the information obtained during these walk downs is documented in the Monticello Fire Modeling Database and in Tables A-1 and A-2 of the notebook.
Table A-1 of the plant partitioning notebook includes walk down notes which provide a list of the Fire Areas and Fire Zones that are considered in the Fire PRA. Specifically this table lists Fire Area, Fire Zone, Room Elevations, Building Name, Description, and FHA Drawing No. Table A-2 provides the confirmatory walk down documentation which entails the Fire Zone ID, originator and review initials and preparer and reviewer dates. Neither table includes information specific to partitioning element characteristics.
According to Section 4.0 of the Plant Boundary and Partitioning Notebook Fire Zone information from the plant partitioning task is contained in the Plant Fire Modeling Database (FMDB) in tables tblCompartmentInfo, tblRooms, and tblZones. The information in these tables was reviewed and found to contain very little information concerning the partitioning element characteristics. Most of the information contained in these table concerns information associated with location (i.e., building, elevation, Fire Zone, Fire Area, transient mapping, etc.), cable loading, influencing factors, detection, suppression, instrument air details, etc. The only information that pertains to partitioning element characteristics is wall material, wall thickness, and no. of doors. These fields are populated as follows for every Fire Zone: wall material = concrete; wall thickness = 2ft; no. of doors = 1.
Based on this review, the documentation provided does not support conduct of a confirmatory walkdown that confirmed the conditions and characteristics of credited partitioning elements.
(This F&O originated from SR PP-B7)
Proposed Solution: Provide documentation that addresses the acceptability of the credited partitioning elements.
Basis for Significance: The requirement is to perform confirmatory walkdowns that confirm the conditions and characteristics of credited partitioning elements.
Actual Solution:
The appendices to the Plant boundary and Partitioning Notebook have been updated to include scans of the notes taken during the confirmatory walkdowns conducted in support of the plant partitioning task. These notes provide documentation of the conditions and characteristics of credited partitioning elements.
L-MT-17-016 NSPM Page 36 of 95 Change Number: MT-15-0043 F&O Number: 2-4 Associated SR(s): PP-B2, PP-C3 Detailed Problem
Description:
According to the Section 3.0 of the Plant Boundary and Partitioning Notebook the FPRA credits nonrated-fire barriers as detailed in Table 3-2. Table 3-2 provides a listing of each credited non-rated-fire barrier. The information provided includes Fire Zone, Adjacent Zone, Orientation to Adjacent Zone, Barrier Type, Construction and Walk down Comments. The walk down comments included in this table typically state 'Barrier Observed'; three exceptions provide a little detail concerning openings in the barrier. Reference is made to the Monticello Updated Safety Analysis Report, Fire Protection Program, Updated Fire Hazard Analysis Revision 30, with regard to barrier construction and to the Plant Partitioning Walk down Notes. However, the notebook provides no justification/evaluation that would indicate that the credited non-fire-rated barriers should substantially contain the damaging effects of fire.
(This F&O originated from SR PP-B2)
Proposed Solution: Provide documentation that addresses the acceptability of the credited partitioning elements.
Basis for Significance: The requirement is to JUSTIFY that the credited non-fire rated barriers will substantially contain the damaging effects of fire.
Actual Solution:
The appendices to the Plant boundary and Partitioning Notebook have been updated to include scans of the notes taken during the confirmatory walkdowns conducted in support of the plant partitioning task. These notes provide documentation of the conditions and characteristics of credited partitioning elements.
L-MT-17-016 NSPM Page 37 of 95 Change Number: MT-15-0044 F&O Number: 2-5 Associated SR(s): IGN-A7 Detailed Problem
Description:
Section 5.6 discusses the apportionment of generic transient fire ignition frequencies and the development of the influencing factors for each area. The influencing factors were assigned by the FPRA analysts based on engineering judgment and a set of rules documented in Section 5.6.2 of the Ignition Frequency Notebook. Assignment of these values resulted in a comparatively low result. Based on the information contained in the Fire Modeling Database the influencing factors average as follows:
Maintenance 1.7; Occupancy 2.2; and Storage 1.8. Its typically assumed that these factors will produce an average value, i.e., Medium or 3, by definition. Based on the values stated it appears that the influencing factors may have been underestimated. To increase the accuracy and reliability its suggested that these values be set or validated by plant operations and maintenance personnel.
For example, numerous fire zones were assigned LOW maintenance factors including H2 Seal Oil/Condensate Pump Area, Turbine Condenser Area, Air Ejector Room, Admin Bldg HVAC Room, ESF Motor Control Center, 13.8 kV Switchgear Rooms, RCIC and HPCI Rooms, Diesel Fuel Oil Pump House, etc. as these zones contain pumps, motors, electrical equipment that would require maintenance.
LOW storage factor was assigned in numerous fire zones including Lube Oil Storage Room, Contaminated Equipment Storage Area, etc. which appear to be defined storage areas in the plant.
Additionally, there are only 13 fire zones that are assigned storage factors greater than LOW.
(This F&O originated from SR IGN-A7)
Proposed Solution: Review the influencing factors with knowledgeable plant personnel to ensure that the factors applied are representative of realistic plant conditions. Consider augmentation of this effort with a review of historical work orders and storage permits to provide definition to the revised factors.
Basis for Significance: By definition, the average of the assigned influencing factors should reflect the average value.
Actual Solution:
A comprehensive review of the influence factors for all the fire zones was conducted to address this finding. As a result of the review, the values for several influence factors were increased to provide a better representation of the transient ignition source likelihood in the fire zone. For example, the storage factor for a number for fire zones was increased to better reflect the storage practices at the fire zone.
In addition, the updated influence factors were reviewed by plant personnel. The updated influence factors, documented in the MNGP Fire Ignition Frequency Notebook, are now part of the base model and their impact is reflected in the quantification process.
L-MT-17-016 NSPM Page 38 of 95 Change Number: MT-15-0045 F&O Number: 2-6 Associated SR(s): SF-A4 Detailed Problem
Description:
Section 6.4 and 6.5 of the Seismic Fire Interaction Notebook provide a discussion of how plant fire detection and suppression systems may be expected to respond to a seismic event including discussion of the potential impact of system actuations. Section 7.0 of the notebook includes a discussion of how these failures may impact plant response however this discussion is not clearly linked to a review of the plant seismic response procedures.
(This F&O originated from SR SF-A4)
Proposed Solution: Document the plant seismic response procedures evaluated and document the potential impact of a seismically induced fire and spurious actuation of a fire system to the performance of seismic responses.
Basis for Significance: This SR requires the performance of a qualitative assessment of the potential impact of seismically induced fires and spurious actuation of fire detection/suppression systems review on a seismic response based on review of the plant seismic response procedures.
Actual Solution:
Procedure 4 AWI-08.01.01, Section 4.5.4 states that site management personnel are responsible for Ensuring medically qualified personnel complete fire brigade training Ensuring that the content of the brigade training is adequate. This training consists of, in part, a review of all fire protection procedures and strategies.
Such a review of all fire protection procedures and strategies will help in preparing the fire brigade for response following a seismic event.
Additionally, Operations Manual C.4-B.05.14.A, provides direction to isolate close fire protection valve FP-37 (To Admin & Rx Building Headers) if a significant fire system leak occurs in the Plant Administration Building. If FP-37 does not close, then direction is given to close additional valves FP-49, FP-36, and FP-114. Isolation of the fire protection system to the Plant Administration Building is required to reduce the risk of flooding the Access Control areas to a depth of 20 inches that would impact 125VDC and 250 VDC battery operability.
L-MT-17-016 NSPM Page 39 of 95 Change Number: MT-15-0046 F&O Number: 2-7 Associated SR(s): SF-A5 Detailed Problem
Description:
Section 6.6 of the Seismic Fire Interaction Notebook provides a discussion of the potential impact of a seismic event on manual firefighting efforts. The discussion centers around the challenges that the fire brigade may face and the potential for loss of access to their equipment for fighting fires. The discussion does not include an assessment of the fire brigade training procedures or the extent to which this training prepares the brigade members to response to a seismically induced fire response.
The discussion of the availability of firefighting material establishes that this equipment is stored in two separate areas and it concludes that this separation should provide access to one or the other following a seismic event, however no justification for this conclusion is provided.
(This F&O originated from SR SF-A5)
Proposed Solution: Review and assess the fire brigade training procedures with respect to their preparation for response to a seismic event and provide justification for the post-earthquake availability of necessary firefighting resources.
Basis for Significance: SR requires that the fire brigade training procedures be reviewed to assess the extent to which the brigade is prepared for response to a seismic event and their ability to respond with respect availability of firefighting equipment and resources.
Actual Solution:
Procedure 4 AWI-08.01.01, Section 4.5.4 states that site management personnel are responsible for Ensuring medically qualified personnel complete fire brigade training Ensuring that the content of the brigade training is adequate. This training consists of, in part, a review of all fire protection procedures and strategies.
Such a review of all fire protection procedures and strategies will help in the preparation of a post-seismic event firefighting resources.
Operations Manual C.4-B.05.14.A, provides direction to isolate close fire protection valve FP-37 (To Admin & Rx Building Headers) if a significant fire system leak occurs in the Plant Administration Building. If FP-37 does not close, then direction is given to close additional valves FP-49, FP-36, and FP-114. Isolation of the fire protection system to the Plant Administration Building is required to reduce the risk of flooding the Access Control areas to a depth of 20 inches that would impact 125VDC and 250 VDC battery operability.
Classroom and hands-on debris removal and tool use/safety training is provided to fire brigade members under MNGP lesson plan MT-OPS-FB-006L. This training covers the use of equipment used to clear debris in the aftermath of natural events including earthquakes. Redundant debris removal equipment is stored in multiple locations to assure protection and access to equipment is reasonably assured following a seismic event.
L-MT-17-016 NSPM Page 40 of 95 Change Number: MT-15-0040 F&O Number: 2-10 Associated SR(s): FSS-C5 Detailed Problem
Description:
The damage mechanism for soldered piping (instrument air) is discussed resulting in a conclusion that piping located in a plume should be considered damaged, however a criterion for this damage is not established.
(This F&O originated from SR FSS-C5)
Proposed Solution: Establish a measurable damage criterion for soldered piping and provide the corresponding justification.
Basis for Significance: This SR requires the justification of damage criteria used in the Fire PRA. The criterion suggested for soldered piping needs to be fully developed and justified. Instrument air is fire risk-significant.
Actual Solution:
Appendix F of the Single Compartment Analysis Notebook documents the methodology used to evaluate fire scenarios that may cause the depressurization of the instrument air piping. Such an event is assumed to lead to failure of the instrument air system in the Fire PRA model.
In Appendix F.3 of the Single Compartment Analysis Notebook, Piping Specification Standard PSRS_PSRS113_1 is referenced. This specification standard indicates that the fittings in the instrument air piping system are silver brazed. Silver brazing is a joining process whereby a non-ferrous filler alloy is heated to its melting temperature; this melting temperature is usually above 800°F (430°C) and distributed between two or more close-fitting parts by capillary attraction. At its liquid temperature, the molten filler metal interacts with a thin layer of the base metal, cooling to form an exceptionally strong, sealed joint due to grain structure interaction.
The brazing process temperatures are in the range of pre-flashover conditions in a fire event (approximately 600°C). The brazing process temperature is well within the range of fire plume conditions at a relatively short distance from the fire. Therefore, the analysis conservatively assumes that any piping exposed to fire plume conditions will cause a failure of the piping.
Document Condition Evaluation 01390623-01 indicates that the instrument air compressors would not be able to maintain adequate flow and pressure if a 2 inch line break were to occur. The Fire PRA assumes that depressurization will occur in those instances where the failed piping is at least 1.5 inches in diameter.
L-MT-17-016 NSPM Page 41 of 95 Change Number: MT-15-0049 F&O Number: 3-4 Associated SR(s): AS-A10, AS-A4, PRM-B5, PRM-B6, PRM-C1, HRA-B3, HRA-C1 Detailed Problem
Description:
The dominant HFE for the PRA is the failure to provide safe shutdown after control room evacuation.
These actions are aggregated into 3 HFE's, one for a) cognition to evacuate the main control room, b) establishing EDG, c) all other execution actions required for safe shutdown. HFE for a) and b) appear to be reasonable. HFE for c) is quantified by adding 29 separate actions into an aggregated HFE. 21 of the 29 actions are 'recovered'.
However, the HRA of the execution error has several unsupported (or weakly supported) assumptions and calculations. The required manpower for this action is only 4 staff. The number of staff required for recovery of 21 actions in 25 minutes is not discussed or justified. The timing is to start at 10 minutes, be completed by 40 minutes and takes 25 minutes to complete. Of the 21 actions applied with recovery, 4 are High dependence and 17 are medium dependence. The timing to substantiate medium dependency is not justified.
(This F&O originated from SR HRA-D2)
Proposed Solution: Develop a supportable basis for the aggregate execution HFE for control room evacuation. Provide sensitivity studies for assumptions about manpower, timing, recovery, and dependency.
Basis for Significance: Potentially risk-significant impact Actual Solution:
As part of the path forward for the resolution of F&O 1-20, the HFE execution actions were re-evaluated to 1) remove the extraneous actions that are not credited for mitigation purposes, and 2) group together under separate, individual HFEs the sets of actions that accomplish the same function (pressure/inventory control, and decay heat removal).
In addition, as part of the path forward for the resolution of F&O 1-26, the time windows for the actions supporting ASD were refined into various cases representative of the latest timing data associated with various fire scenarios.
These refinements provide a more realistic representation of the HFEs modeled for MCR abandonment, and a firmer basis for the assumptions made about manpower, timing, recovery, and dependency.
The analysis is documented in Section 8.0 of the Fire HRA Notebook.
L-MT-17-016 NSPM Page 42 of 95 Change Number: MT-15-0050 F&O Number: 3-6 Associated SR(s): PRM-B10 Detailed Problem
Description:
The Fire PRA plant response model was not successfully modified to fail SSCs not selected in the ES element. Representative examples of this include:
- 1. In the PRM notebook, the basis for exclusion of MSO 5j is that 'Monticello does not credit operation of service water', however, service water is not failed in the logic model.
- 2. In section 3.2 of the PRM notebook Water, it states that use of the Fire Water System as a back-up to LPCI is not credited, however, this is not failed in the model.
- 3. In both the ES notebook and PRM notebook, it is stated that CRDH and SLBC were not used in the fire PRA, however, these are not successfully failed in the model. They were failed by putting appropriate flags set to 1.0 in the model. However, basic events for SBLCS components (L) and HFE's appear in the results. Basic events for CRD pump random failures (J) also appear in the model, with random failure probabilities. If the systems are correctly FLAGGED out, there should not be random failures of these systems. If the correct component is flagged, the logical 1.0 should propagate to the top of the tree, eliminating all other random failures. The fact that random events for these systems appear in cutsets indicate the correct basic event has not been chosen to be flagged. This particular example is not expected to be risk significant.
- 4. Individual components identified in Table D-1 of the ES notebook as not credited were not failed in the PRM [e.g., FPAP1AXXXR12-S - CONDENSATE PUMP P-1A FAILS TO RUN (SHORT TERM)]
- 5. Conversely - Basic events that were not failed in the model, yet were not included in table C-1 as credited [e.g., ABSLPCIAXG - LPCI MCC FAULT (MCC-133A)]
(This F&O originated from SR PRM-B10)
Proposed Solution: For systems equipment that were included in the Internal Events PRA but were not selected in the ES element, and that are potentially vulnerable to fire-induced failure, are to be failed in the worst possible failure mode, including spurious operation.
Basis for Significance: Inadvertent credit for non-selected equipment is a potentially risk significant error.
Actual Solution:
At the time of peer review, the documentation for this particular file lagged behind the model updates and therefore did not appropriately reflect what was modeled. Both the flag file and the documentation has been updated to reflect the non-credited components in the master flag file appropriately. In addition, components that did not have cable selection have been either failed or dispositioned appropriately in the notebook.
A review of the ES notebook and master flag file was completed and both files were updated to properly reflect the components and systems that were not credited in the model.
Systems affected by these updates include the fire water system, service water, CRDH and SBLC.
L-MT-17-016 NSPM Page 43 of 95 Change Number: MT-15-0051 F&O Number: 3-8 Associated SR(s): AS-A9, PRM-B7, SC-A3, SC-B1, SC-B3, SC-B5, SC-C1, SC-C2 Detailed Problem
Description:
The peer review identified cases where new or modified success criteria would be needed to support the Fire PRA, as discussed below, but no thermal hydraulic calculations or success criteria development were found specifically developed for the FPRA.
Based on the review by peers, the following issues were identified. These are based on limited time to review and are only examples.
Regarding spurious SRV opening due to hot short impact analysis performed under EPU and MSO conditions (EC 20955) demonstrated that spurious operation of the SRVs in the ASDS scenario for seven minutes would not adversely impact Monticello's safe shutdown analysis, and would not jeopardize the safe and stable condition of the fuel. Based on observation by the peer review, the referenced calculation, EC 20955, does not support this claim. The peer review team queried regarding the time available for one SRV open to reach core damage, and the FPRA development team indicated 17 minutes is available, but no specific thermal hydraulic calculation was documented. Therefore, thermal hydraulic calculations need to be developed or referenced to support ASD accident sequence modeling for the cases in which spuriously open SRV(s) reclose as well as spuriously open SRV(s) do not reclose.
T/H calculations are needed for the following FPRA cases:
- 1. 1 SRV open for 7 minutes: Time at which injection must occur to prevent core damage.
- 2. 2 SRV open for 7 minutes: Time at which injection must occur to prevent core damage.
- 3. SRVs spuriously open and do not reclose in time to be mitigated by ASD or to prevent core damage, including probabilities for hot short duration.
The need for success criteria development has been noted by the peer review for MSO 5a (additional loads on diesel): the number of additional loads and the specific impact to the diesels have not been determined. The success criteria development will need be confirmed to be consistent with the features, procedures, and operating philosophy of the plant.
(This F&O originated from SR PRM-B7)
Proposed Solution: Identify any cases where new or modified success criteria will be needed to support the Fire PRA consistent with the HLR-SCA and HLR-SC-B of Section 2 and their supporting requirements.
Basis for Significance: ASD modeling is risk-significant. MSO 5a was screened from FPRA modeling without success criteria consideration for the DGs.
Actual Solution:
Regarding spurious SRV openings, draft T/H analyses were recently performed to ascertain the time available for human actions at the ASDS panel. These T/H analyses account for various numbers of SRVs spuriously opening, each yielding a different time window. The ASD model and associated human failure events (HFEs) have been updated accordingly to reflect the latest data.
L-MT-17-016 NSPM Page 44 of 95 The modeling for MSO 5a was developed using input from plant personnel and is documented in the PRM notebook. The modeling is considered to be conservative and is based on the features, procedures, and operating philosophy of the plant. The MSO results in the total loss of the EDG.
L-MT-17-016 NSPM Page 45 of 95 Change Number: MT-15-0047 F&O Number: 3-10 Associated SR(s): LE-G5, QU-F5, FQ-F1, UNC-A2 Detailed Problem
Description:
LE G-5 requires discussion of modeling limitations and impact on results. This was not performed (This F&O originated from SR LE-G5)
Proposed Solution: Add discussion of limitations Basis for Significance: There is no documentation of modeling limitations and effect on applications.
Actual Solution:
A discussion of LERF modeling limitations and the potential impact on results was added to the Quantification notebook. The discussion was added to Section 3 of the quantification notebook.
Change Number: MT-15-0053 F&O Number: 4-1 Associated SR(s): PP-A1, PP-C2 Detailed Problem
Description:
The Global Analysis Boundary excludes several buildings and structures in Section 2.0 of Notebook 016015-RPT-02, however, and there is no detailed discussion related to the impact on an adjacent PAU such as distance between structures and/or building construction.
(This F&O originated from SR PP-A1)
Proposed Solution: Provide additional documentation regarding the basis for screening of excluded structures including building construction and actual distances to adequately justify excluding the structures from potential impact on FPRA components in an adjacent PAU.
Basis for Significance: There is a potential for buildings/structures screened out of the global analysis boundary that could impact adjacent buildings/PAUs that contain FPRA components.
Actual Solution:
Section 2.0 of the Plant Boundary Definition and Partitioning Notebook has been revised to more clearly document the basis by which buildings within the global analysis boundary were screened.
Revision 0 of the Plant Boundary Definition and Partitioning Notebook screened a number of the locations on the basis that the screened building did not contain plant systems or components contributing to fire risk.
The revised Plant Boundary Definition and Partitioning Notebook includes an evaluation of the potential impacts of fires occurring in these screened locations. Specifically, this evaluation ensures that a fire occurring in these screened locations will not impact plant systems or components contributing to fire risk that are located in other plant buildings within the global analysis boundary.
L-MT-17-016 NSPM Page 46 of 95 Change Number: MT-15-0085 F&O Number: 4-6 Associated SR(s): IGN-A10, UNC-A2 Detailed Problem
Description:
A sensitivity analysis was not performed for fire ignition frequency bins characterized by an alpha from EPRI 1016735 analysis that are less than or equal to 1 as required by Supplement 1 to NUREG/CR-6850.
(This F&O originated from SR IGN-A10)
Proposed Solution: Perform and document the sensitivity analysis for fire ignition frequency bins with alpha less than 1 as required by Supplement 1 to NUREG/CR-6850 in order to utilize the updated ignition frequency values.
Basis for Significance: Supplement 1 to NUREG/CR-6850 requires a sensitivity analysis to be completed in order to utilize the updated fire ignition frequency values.
Actual Solution:
A sensitivity analysis case has been created to quantify the impact of using the generic fire ignition frequencies in NUREG/CR-6850. The Fire PRA has been quantified with the fire ignition frequencies listed in Chapter 6 of NUREG/CR-6850 for those bins with Alpha values less than or equal to 1.0. The results of the quantification are documented in the MNGP UNC Notebook. The process for quantifying the Fire PRA with these frequencies is identical to the one in the base quantification. That is, the applicable generic frequencies from NUREG/CR-6850 are stored in the Fire Modeling Database and propagated through the fire scenario frequency quantification. The fire scenario frequencies are then imported into FRANX to complete the quantification process.
L-MT-17-016 NSPM Page 47 of 95 Change Number: MT-15-0086 F&O Number: 4-7 Associated SR(s): SF-A3 Detailed Problem
Description:
Section 6.5 states that the procedure to provide alternative fire water directly from the river depends on the fire main being intact. The notebook does not document the assessment of the common cause failure of the yard mains and provide justification for the ability to suppress fires for this failure.
(This F&O originated from SR SF-A3)
Proposed Solution: Include the assessment of the impact of the common cause failure of the yard mains on the potential to provide fire suppression capability.
Basis for Significance: The notebook does not address suppression capability in the event of the unavailability of the fire main.
Actual Solution:
Site Procedure A.8-02.06, Fire System Management Strategies, provides directions to isolate portions of the fire system in the event of damage or inadvertent actuation. Additionally, this procedure also provides directions to setup a Portable Diesel Fire Pump in order to supply water to backfeed the fire system or to supply water to the plant bypassing all of the fire system.
By this site procedure, the fire brigade is directed to choose the connection point for the portable diesel fire pump. The following options are listed in the procedure in order of preference:
CONNECT one 5-inch supply hose to Fire system at 5-inch Storz connection at north end of #11 Cooling Tower.
CONNECT two 5-inch supply hoses to Fire system at hydrants. [Note: If the Intake Structure was isolated in Step 5.f., feeding Fire system thru Hydrant House #2 is NOT available and a further away hydrant will have to be used.]
CONNECT one 2-1/2-inch hose to the fire system at Hydrant House #2 (PDP suction from Intake).
In the event that a portion of the fire main is unavailable following a seismic event, the fire brigade is directed to isolate those portions of the system. After the unavailable portions of the fire main are isolated, the fire brigade will choose the appropriate connection point for the portable diesel fire pump, thereby delivering water to the fire system.
In addition, Operations Procedure C.5-3203 (Use of Alternate Injection systems for RPV Makeup) Part D prescribes makeup to the reactor vessel using the fire crosstie to LPCI, which depend on major portions of the fire main being intact. New sections of the C.5-3203 procedure (Parts F and H) now accommodate portable fire pump tie-in to LPCI using fire hoses, thus not being dependent on the fire main being intact.
L-MT-17-016 NSPM Page 48 of 95 Change Number: MT-15-0088 F&O Number: 4-9 Associated SR(s): IGN-A1, IGN-A7 Detailed Problem
Description:
The Ignition Frequency Notebook 016015-RPT-10 does not utilize the current nuclear power industry guidance for transient influence factors provided in PRA FAQ 12-0064.
(This F&O originated from SR IFN-A1)
Proposed Solution: Utilize the guidance in PRA FAQ 12-0064 for the transient influence factors, including the new factor for hotwork, which is separated from the previous maintenance factor.
Basis for Significance: The guidance in PRA FAQ 12-0064 enhances the guidance previously provided in NUREG/CR-6850. Risk-significant influence on the cable spreading room fire scenarios.
Actual Solution:
Supporting requirement IGN A7 requires a consistent methodology based on parameters that are expected to influence the likelihood of ignition to apportion high level ignition frequencies. The MNGP utilizes a consistent methodology. The guidance in PRA FAQ 12-0064 describes influence factors lower than the ones available in Chapter 6 of NUREG/CR-6850 for plant configurations that meet specific criteria. For example, influence factors lower than 1.0 can be applied if the room is locked with a key controlling access to general plant personnel. Such configurations are not currently in place in the Fire Zones at MNGP and therefore values less than 1.0 are not used. For the specific guidance of separating hot work from maintenance influence factors, the MNGP Fire PRA reflects both activities in one factor as described in NUREG/CR-6850. To do so, influence factors have been assigned so that they are bounding to each of the activities (i.e., maintenance and/or hotwork activities).
L-MT-17-016 NSPM Page 49 of 95 Change Number: MT-15-0054 F&O Number: 4-10 Associated SR(s): FSS-G2 Detailed Problem
Description:
Several MCA zone combinations are screened quantitatively in the Multi-Zone Analysis Notebook 016015-RPT-08 based on having a frequency of occurrence of less than 1E-08. However, there is no justification for the screening threshold providing reasonable assurance that the cumulative contribution of the screened physical analysis unit combinations are of low risk significance.
(This F&O originated from SR FSS-G2)
Proposed Solution: Provide detailed justification that the 1E-08 screening is an acceptable threshold for the plant to ensure that the contribution of the cumulative screened combinations are of low risk significance.
Basis for Significance: 1E-08 screening is typically an industry accepted threshold however, no justification is provided.
Actual Solution:
Scenarios with a frequency of occurrence of less than 1E-08 were screened on the basis that when multiplied by the CCDP or CLERP, the total core damage or large early release frequency of these scenario would be insignificant.
In the interest of understanding the cumulative risk contribution of these screened fire scenarios, the FPRA Multi-Zone Analysis Notebook has been updated to include the total scenario frequency for these screened scenarios. The total scenario frequency for all of the scenarios screened using this criteria is 3.99E-07. This value is the sum of the scenario frequencies for all multi-zone scenarios that were screened because their frequency of occurrence was less than 1E-08. This value does not include the scenario frequency of those multi-zone scenarios that were screened using another basis, such as the lack of a hot gas layer formed in the exposing zone or no new Basic Events impacted in the exposed zone.
It follows that if the CCDP (CLERP) for each scenario was applied, then the total CDF (LERF) for these scenarios would be insignificant to the total risk calculation. The total CDF, which is calculated using assuming a CCDP of 1.0, represents less than 1% of the total CDF for MNGP. On this basis, these scenarios are screened from further analysis.
L-MT-17-016 NSPM Page 50 of 95 Change Number: MT-15-0055 F&O Number: 4-11 Associated SR(s): FSS-D4 Detailed Problem
Description:
An initial ambient temperature of 20°C was utilized in the fire modeling calculations for all MNGP fire zones. This ambient temperature does not appear to be appropriate for areas that are not temperature controlled such as the Turbine Building, Diesel Generator Building, and areas of the Reactor Building.
(This F&O originated from SR FSS-D4)
Proposed Solution: Utilize an appropriate initial ambient temperature for non-temperature controlled areas and update the fire modeling calculations as necessary.
Basis for Significance: The use of a higher initial ambient temperature could impact the required HRR, damage time, and therefore, the severity factors and non-suppression probabilities.
Actual Solution:
The fire modeling calculations in the MNGP Fire PRA are performed with the in the following three fire models:
- 1. The Heskestads Fire Plume Temperature Correlation (see Section 5.3.1 of NUREG 1805)
- 2. The Point Source Flame Radiation Model (see Section 9.3 of NUREG1805)
- 3. The Zone Model CFAST mostly used for determination of hot gas layer development inside a fire zone.
Validation studies were conducted for the use of these models in the MNGP Fire PRA. Chapter 4 of NUREG 1934 lists the following model biases. Values larger than 1.0 indicate that the models tend to over predict the relevant fire condition. In contrast, values less than 1.0 indicate that the values are under-predicted.
Between 0.73 and 0.94 for the Heskestads Fire Plume Temperature correlation. It should be noted that these values are based on experiments where plume temperatures measured inside the hot gas layer, and therefore, are not fully applicable to zone of influence calculations in the early stages of the fire before the hot gas layer develops.
Between 1.42 and 2.02 for the Point Source Flame Radiation model (ambient temperature is not a factor in this calculations), and 1.06 for the hot gas layer temperature in CFAST.
NUREG 1934, Table 4.1, reports that CFAST over predicts hot gas layer temperatures by six percent.
The MNGP fire PRA utilizes the thermoplastic damage criteria of 205oC therefore six percent of the damage criteria is approximately 12 degrees Celsius. Given the over-predictions in the models listed above, together with the conservative use of heat release rate values (98th percent values are recommended in NUREG/CR-6850 for screening purposes), relatively small changes in the ambient temperature will not affect the predictions and the corresponding implementation in the Fire PRA.
L-MT-17-016 NSPM Page 51 of 95 Change Number: MT-15-0057 F&O Number: 4-14 Associated SR(s): FSS-G2 Detailed Problem
Description:
For multi-zone scenario combinations that are screening due to no hot gas layer in the exposed fire zone, there is no consideration for localized target damage in the exposed compartment due to fire exposure near the barrier opening (i.e., targets located in the flow path of postulated hot gases from the exposing fire zone).
(This F&O originated from SR FSS-G2)
Proposed Solution: Perform an assessment for multi-zone analysis to confirm that the screened scenarios do not have targets in the postulated hot gas flow path.
Basis for Significance: Not expected to be significant but there is a potential for additional FPRA target damage.
Actual Solution:
The multi compartment analysis in the MGNP Fire PRA has been developed and implemented following the guidance described in Chapter 11 of NUREG/CR-6850. Consistent with this guidance, multi compartment scenarios have been screened if no hot gas layer scenario is expected in the exposing fire zone. That is, an exposing fire zone that does not generate a hot gas layer scenario is not expected to damage targets in the exposing fire zone.
The fire scenarios described in this finding are outside the recommended guidance in NUREG/CR-6850. Therefore, these scenarios have not been explicitly analyzed in the MGNP Fire PRA. A number of factors suggest that the risk contribution of these scenarios is low. These factors include:
Location of Fixed Ignition Sources: Damage to components in the adjacent zone is likely to occur only for fixed ignition sources located near the zone boundary. Only a portion of the ignition sources in a given zone are found near these zone boundaries. Further, it follows that fixed ignition sources located away from the zone boundaries are not likely to damage components in the adjacent zone without propagating through secondary combustibles. In the case of fire propagation through intervening combustibles, there will be time available for manual or automatic suppression, thereby reducing the risk contribution of these scenarios.
Therefore, the overall risk contribution of fixed ignition sources is low.
Location of Transient Ignition Sources: Only transient fire sources that start and are sustained near a fire zone boundary are capable of damaging components in the adjacent zone. By crediting a geometry factor (i.e., a floor area ratio), only a portion of the ignition frequency of the transient fires postulated in the exposing zone would contribute to the total risk of these localized scenarios. Further, the effects of certain transient fires types, such as cable fires and transient fires due to hotwork, are mitigated by prompt detection and prompt suppression activities. Therefore, it is unlikely that a hotwork fire would damage targets in the adjacent zone.
Fire modeling treatments of self-ignited cable fires and junction box fires ensure that damage to targets in the adjacent zone is unlikely. Therefore, only general transients, of which only a portion are located near the boundary, are expected to contribute to the overall risk of these localized scenarios.
L-MT-17-016 NSPM Page 52 of 95 Target Configuration: In order to be damaged by localized fire effects at the boundary, Fire PRA raceways in the adjacent zone would need to be located near that boundary.
Barrier Features: It is generally accepted that the risk contribution of multi-compartment fires is lower than that of single compartment scenarios. This notion is based on the credited separation features (i.e., fire walls, fire doors, penetration seals, etc.) between fire zones. The failure probability of these separation features is considered to be low.
Consequently, the risk contribution of localized fire effects near zone boundaries is expected to be low.
L-MT-17-016 NSPM Page 53 of 95 Change Number: MT-15-0058 F&O Number: 4-15 Associated SR(s): FSS-G1 Detailed Problem
Description:
Appendix D identifies the non-suppression probability assigned to each multi-zone scenario combination based on the suppression in the exposing or exposed zone. There were several inconsistencies identified between the zone suppression credited versus the non-suppression probability assigned.
Additionally, the Multi-Zone Analysis Notebook identifies that Halon suppression is not credited in the analysis due to potential barrier openings, however, Appendix D identifies the application of a non-suppression probability for several multi-zone scenarios with only Halon in one of the fire zones.
(This F&O originated from SR FSS-G1)
Proposed Solution: Revise Appendix D of the Multi-Zone Analysis Notebook, the FMDB, and the quantification of the multi-zone scenarios to account for the correct non-suppression probabilities.
Basis for Significance: There is a potential risk impact for changing the non-suppression probabilities between suppression system type, specifically, removing a non-suppression probability for those assigned for Halon protected zones.
Actual Solution:
A comprehensive review of the automatic suppression credit for the multi compartment scenarios was conducted to eliminate the inconsistencies identified during the peer review. In addition, the automatic Halon system is not credited in the multi compartment analysis. The table in the fire modeling database listing the credit for automatic suppression has been updated.
L-MT-17-016 NSPM Page 54 of 95 Change Number: MT-15-0059 F&O Number: 4-16 Associated SR(s): FSS-G1 Detailed Problem
Description:
Several fire zones are protected by partial suppression systems which are credited in the multi-zone analysis with no justification to ensure that the partial protection is capable of preventing damage to FPRA targets in the exposed fire zone.
(This F&O originated from SR FSS-G1)
Proposed Solution: Provide appropriate justification that the partial coverage suppression systems credited in the Multi-Zone Analysis Notebook is capable of preventing FPRA target damage in the exposed zone.
Basis for Significance: There is a possibility that the credit for non-suppression probabilities associated with partial coverage systems may not be appropriate for all multi-zone scenarios.
Actual Solution:
Credit in the multi-compartment analysis for systems providing partial coverage in the fire zones has been removed from the analysis. The table in the fire modeling database listing the credit for automatic suppression has been updated to reflect no credit for systems providing partial coverage (i.e., non-suppression probability has been set to 1.0).
L-MT-17-016 NSPM Page 55 of 95 Change Number: MT-15-0060 F&O Number: 4-17 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook identifies a non-suppression value for fires limited to the panel based on a time to prompt suppression of 'about 3 minutes'.
(This F&O originated from SR FSS-B2)
Proposed Solution: Provide detailed justification in the Main Control Room Analysis Notebook to support the use of a prompt suppression value in addition to the non-suppression values calculated in the CFAST abandonment models.
Basis for Significance: There is no justification for this value of the time of 3 minutes to prompt suppression.
Actual Solution:
The second revision of manual fire suppression events contained within Supplement 1 to NUREG/CR-6850 reflects the overall process of manual fire suppression in a more continuous manner, crediting suppression activities which begin as soon as a fire has been detected. In the case of the Main Control Room, operators staff this location on a permanent basis. Therefore a fire event that is promptly suppressed accounts for manual suppression by operators before the fire ignition source develops and spreads. Most fires will burn out or be detected by operators in the incipient stage and will be extinguished before spreading.
Supplement 1 to NUREG/CR-6850 gives manual non-suppression probability for the Main Control Room of 0.33 min-1. Using this value, the time available for suppression prior to spread beyond localized effects is 1/0.33 min-1. This calculation yields an average time to manual suppression of 3 minutes.
This average time to manual suppression corresponds to values presented in Table 9-1 of the Main Control Room Abandonment Notebook. In comparison to the values given in Appendix L of NUREG/CR-6850, the likelihood of damage of localized targets used in the Monticello Fire PRA exceeds even the largest value given in Figure L-1 of NUREG/CR-6850. In the MNGP Fire PRA, the split fraction for a fire that is promptly suppressed (i.e., the fire damage remains very localized, which is consistent with all of the main control room fire events considered in the development of the generic frequency value), is obtained solving the exponential distribution for Pr(t < 3 minutes) = 0.63. This is the probability that the damage is limited to the ignition source within the panel by prompt suppression activities. The conditional likelihood of very localized damage in NUREG/CR-6850, is much smaller, 8.5E-03.
L-MT-17-016 NSPM Page 56 of 95 Change Number: MT-15-0064 F&O Number: 4-20 Associated SR(s): FSS-C5, FSS-D9 Detailed Problem
Description:
Although the damage criteria for sensitive electronics is defined in the Single Compartment Analysis Notebook 016015-RPT-06 and zones of influence (critical distances) are calculated in the Fire Modeling Database, there is no specific discussion of how specific sensitive electronics at Monticello are analyzed in the FPRA.
(This F&O originated from SR FSS-C5)
Proposed Solution: The Single Compartment Analysis Notebook 016015-RPT-06 and the Fire Modeling Database require an update to specifically discuss the treatment of sensitive electronic targets, for temperature, heat flux, and smoke impacts, in the FPRA including the use of the guidance in Fire PRA FAQ 13-0004.
Basis for Significance: There is no documentation ensuring the sensitive electronics have been addressed in accordance with the damage criteria of NUREG/CR-6850 or analyzed in accordance with the guidance in Fire PRA FAQ 13-0004.
Actual Solution:
The Fire PRA Single Compartment Analysis notebook has been updated to reflect the analysis associated with sensitive electronics. The treatment of sensitive electronics is as follows:
- 1. In Fire Zone 8, all the cabinets are closed. Therefore, the guidance in FAQ 13-0004 is applicable. That is, the fire generated conditions associated with damaging thermoset cables are necessary to damage sensitive electronics inside a closed cabinet. Specifically to this fire zone: 1) Electrical cabinets that are both ignition sources and targets are failed at ignition time, failing all the sensitive electronics inside the panel, 2) The adjacent bank of cabinet is failed at the time of the first cable tray failure above the ignition source, which fails sensitive electronics in the adjacent panel, 3) the hot gas layer scenario for the room fails all the targets in the fire zone at the thermoplastic damage temperature of (approximately 200 °C), which fail all sensitive electronics in the room, 4) the multi compartment scenarios where Fire Zone 8 is the exposed compartment credit the manual suppression at the time of the hot gas layer in the exposed (i.e., in Fire Zone 8)- therefore the sensitive electronics in inside the panels are failed at the thermoplastic damage criteria in the room.
- 2. In Fire Zone 9, FAQ 13-0004 does not apply to the main control board because the back of the board is open. The FAQ however applies to any sensitive electronics in the closed cabinets behind the main control board. For the specific case of the closed cabinets behind the main control board, as well as for the main control board panels, the control room is abandoned at temperatures around 100 °C (see Appendix A of 016015-RPT-07), at which point no equipment is credited, regardless if the panels are open or closed. Currently, the model does not credit any suppression where the control room is the exposed compartment. Therefore, targets in the control room are assumed to fail at ignition.
For all other fire zones, there are no open panels containing sensitive electronics. During plant walkdowns, observations confirmed that all panels were closed. Therefore, the guidance in FAQ 13-0004 is applicable. That is, the fire generated conditions associated with damaging thermoset cables are necessary to damage sensitive electronics inside a closed cabinet.
L-MT-17-016 NSPM Page 57 of 95 Change Number: MT-15-0065 F&O Number: 4-21 Associated SR(s): FSS-C8 Detailed Problem
Description:
A technical basis for the fire resistance of the embedded cables credited in the Fire PRA analysis is not provided.
(This F&O originated from SR FSS-C8)
Proposed Solution: The technical basis for the fire resistance of any credited embedded cables should be established. The integrity of all credited cable protection should be established with respect to potential fire related exposure to which the protection may be exposed (direct flame impingement, HEAF, etc.).
Basis for Significance: The FPRA currently 'protects' embedded cables from damage due to fire impacts without technical justification ensuring the integrity of the embedded protection for all fire scenarios.
Actual Solution:
The MNGP Single Compartment Analysis Notebook has been updated to clarify the technical basis used to establish target sets for embedded or wrapped cables:
There are no fire wraps credited in the Fire PRA at MNGP. Therefore, no fire wrap credit is included in the detailed fire modeling analysis.
Electrical raceways that are fully embedded (e.g., those located within the floor slab or within a wall) are not vulnerable to fire effects. The concrete will prevent direct flame impingement, contain HEAF events, and prevent heating of these raceways by combustion products.
Inspection of the barriers is conducted in accordance with Procedure 0275-01: Fire Barrier Penetration Seal Visual Inspection, which ensures that there are no cracks or vulnerabilities in the material in which the raceway is embedded.
A list of embedded raceways has also been added to the Single Compartment Analysis Notebook.
L-MT-17-016 NSPM Page 58 of 95 Change Number: MT-15-0066 F&O Number: 4-22 Associated SR(s): FSS-D1, FSS-D2 Detailed Problem
Description:
The combined effects of a hot gas layer and plume or radiant damage to a target are not considered in the fire modeling. There is no specific threshold over which the fire modeling tools are identified as being used outside their limits.
The detection/suppression model is critical for application of the severity factor and non-suppression probabilities. Although the inputs (distance to detector/sprinkler) are conservative, the model used is not validated and may not be conservative.
(This F&O originated from SR FSS-D1)
Proposed Solution: Provide a specific threshold over which the hot gas layer effects need to be addressed. Provide a modified methodology for incorporating these effects when significant. Provide V&V basis and applicability range for the DETACT model used or utilize a model that has already been verified and validated.
Basis for Significance: The plume hot gas layer interaction could impact the plume temperature at targets and thus impact time to damage, severity factors, and non-suppression probabilities. There is a potential that the DETACT model does not provide conservative results.
Actual Solution:
For targets located above the fire, Heskestad plume temperature equation (
Reference:
NUREG-1805) is used to calculate the temperature of the fire plume at the target closest to the source. Using this equation, the critical heat release rate can be calculated for each source. The time at which this target is damaged is equal to the time at which the ignition source reaches the critical heat release, using the guidance on fire growth times in NUREG/CR-6850; transient sources reach their 98th percentile peak heat release in 2 minutes and fixed ignition sources reach their 98th percentile peak heat release rate in 12 minutes.
As a conservatism, the MNGP Fire PRA assumes that all targets located within the 98th percentile Zone of Influence (ZOI) are damaged at the time at which the first (nearest) target is damaged. In other words, the time to damage for all targets within the 98th percentile ZOI is equal to the time at which the critical heat release rate is achieved.
By assuming that all targets in the ZOI are lost when the first target is damaged, the MNGP Fire PRA postulates damage early in the scenario progression. At this early time in the scenario, the temperature of the hot gas layer has not appreciably changed. In other words, the temperature of the fire zone remains close to ambient. Therefore, the temperature predicted by the Heskestad plume equation is appropriate for use in the MNGP Fire PRA.
L-MT-17-016 NSPM Page 59 of 95 Change Number: MT-15-0067 F&O Number: 4-23 Associated SR(s): FSS-D7 Detailed Problem
Description:
There is no generic estimate or plant-specific value assigned to the non-suppression probability.
(This F&O originated from SR FSS-D7)
Proposed Solution: Assign a plant-specific unavailability value for the credited suppression and detection systems to be included to the nonsuppression probabilities.
Alternatively, assign a generic estimate for unavailability and perform a review of the suppression and detection systems for outlier behavior relative to system unavailability.
Basis for Significance: The non-suppression values are only based on the NUREG/CR-6850 generic values for unreliability with no account for unavailability.
Actual Solution:
Halon Suppression System Unlike many other automatic suppression systems used in U.S. nuclear plants, the halon suppression system in the cable spreading room is subject to the Maintenance Rule program. The Maintenance Rule Program sets strict availability and reliability criteria for this system. As such, a plant-specific unavailability value of 4E-3 is fully supported by the requirements of this program and the documented availability data.
In the MNGP Fire PRA, the non-suppression probability for each credited automatic suppression system is equal to the sum of the plant-specific unavailability for that system and the generic system unreliability given in Appendix P of NUREG/CR-6850. In the case of the halon suppression system, the generic system unreliability is equal to 0.05. Therefore, the total non-suppression probability for the cable spreading room halon suppression system is equal to 0.054.
All Other Credited Detection and Suppression Systems Plant specific unavailability values for the credited suppression and detection systems were developed through a search of the Passport Action Tracking Database for a 10-year period from 9/18/2005 to 7/15/2015.
The resulting data export consisted of the dates and times at which a fire impairment was established and then closed. Given the impairment durations documented in the preceding table, the total unavailability factor for the system type can be calculated by dividing the total unavailability of each system type (the sum of the duration of the impairments on those systems) over the time period from which the data was taken (3587 days). In the MNGP Fire PRA, the non-suppression probability for each credited automatic suppression system is equal to the sum of the plant-specific unavailability for that system and the generic system unreliability given in Appendix P of NUREG/CR-6850. The MNGP Fire Modeling Database has been updated to reflect this revised non-suppression probability to include the plant specific unavailability value.
L-MT-17-016 NSPM Page 60 of 95 Change Number: MT-15-0068 F&O Number: 4-24 Associated SR(s): FSS-D7 Detailed Problem
Description:
The automatic Halon system in the Cable Spreading Room is assigned a non-suppression probability of 0.004 based on the Maintenance Rule program which indicates that 'the system has been available 99.6% of the time since 2006, at least by the rules of the Maintenance Rule Program'.
(This F&O originated from SR FSS-D7)
Proposed Solution: Update the non-suppression probability for the Cable Spreading Room automatic Halon system to incorporate the NUREG/CR-6850 unreliability value and the plant-specific unavailability value.
Basis for Significance: The FPRA is incorrectly utilizing the unavailability value (0.004) for the non-suppression probability for this system which should account for unreliability and unavailability.
Actual Solution:
Unlike many other automatic suppression systems used in U.S. nuclear plants, the halon suppression system in the cable spreading room is subject to the Maintenance Rule program. The Maintenance Rule Program sets strict availability and reliability criteria for this system. As such, a plant-specific unavailability value of 4E-3 is fully supported by the requirements of this program and the documented availability data.
In the MNGP Fire PRA, the non-suppression probability for each credited automatic suppression system is equal to the sum of the plant-specific unavailability for that system and the generic system unreliability given in Appendix P of NUREG/CR-6850. In the case of the halon suppression system, the generic system unreliability is equal to 0.05. Therefore, the total non-suppression probability for the cable spreading room halon suppression system is equal to 0.054.
L-MT-17-016 NSPM Page 61 of 95 Change Number: MT-15-0072 F&O Number: 4-28 Associated SR(s): FSS-A2 Detailed Problem
Description:
Cables assigned to the Yard fire zone located in manholes and duct banks are not included in the whole compartment burn scenario.
Additionally, bus duct targets are not included as FPRA targets damaged in whole compartment/hot gas layer scenarios in fire zones where they are located.
(This F&O originated from SR FSS-A2)
Proposed Solution: Include cables in the yard manholes/duct banks as FPRA targets in the Yard whole compartment burn scenario or alternatively, perform detailed fire modeling of the yard to justify exclusion of the cables in the yard from fire scenarios located aboveground.
Include bus duct targets as damaged in the FPRA for all fire zone scenarios that could impact the bus ducts, including whole compartment burns and hot gas layer scenarios.
Basis for Significance: The risk impact of these targets have not been analyzed.
Actual Solution:
The fire scenario associated with full zone damage for Fire Zone Yard has been corrected to include all cables in manholes and duct banks located in this zone. Specifically, components that are directly mapped to functional states and Basic Events are now included.
To include all Basic Events for components and cables found in the Yard, the following verifications were conducted:
- 1. The fire scenario associated with full zone damage to the Yard, which is originated and maintained in the Fire modeling Database was reviewed to ensure that all the targets mapped to the Yard were accounted for.
- 2. The FRANX quantification tables (i.e., FRANX Scenarios table and FRANX Zone To Raceway table) generated in the fire modeling database and exported to FRANX were reviewed to ensure that the Yard scenario was appropriately specified.
- 3. The FRANX quantification was reviewed to ensure that the scenario was treated and quantified correctly FRANX.
The risk contribution of the full zone burn in the Yard is now correctly accounted for in the MNGP Fire PRA.
L-MT-17-016 NSPM Page 62 of 95 Change Number: MT-15-0073 F&O Number: 4-29 Associated SR(s): FSS-A1, FQ-A3 Detailed Problem
Description:
Appendix E of the Single Compartment Analysis Notebook 016015-RPT-06 identifies that scenarios for cable fires caused by welding and cutting and self-ignited cable fires result in high total CDF contributions and further evaluation and refinement will be completed after risk reduction activities are completed. These scenarios are not currently quantified in the FPRA model.
(This F&O originated from SR FSS-A1)
Proposed Solution: Perform risk reduction refinements of the scenarios for cable fires caused by welding and cutting and self-ignited cable fires and include the scenarios in the FPRA quantification.
Basis for Significance: Probable risk-significant impact Actual Solution:
The risk contribution for self-ignited cable fires and cable fires due to welding and cutting have been included in the Fire PRA following the guidance described in FAQ 13-0005. Appendix E.2 of the Single Compartment Analysis Notebook has been updated to reflect this analysis.
L-MT-17-016 NSPM Page 63 of 95 Change Number: MT-15-0076 F&O Number: 4-31 Associated SR(s): FSS-A2, FSS-A3, FSS-A5, FSS-B2, FSS-D3, FQ-E1 Detailed Problem
Description:
The current Fire PRA model contains numerous risk significant fire scenarios that are modeled as bounding fire scenarios (whole compartment burns) resulting in unrealistically high CDF/LERF values.
Additionally, for fire zones where detailed fire modeling was performed, numerous bounding assumptions have been applied without further refinement. These include the following:
Heat release rates of 1002 kW were utilized for closed electrical cabinets, including MCCs.
Transient scenarios fail all targets up to the ceiling without consideration of the zone of influence.
Fixed and transient scenarios are mapped to all targets located within a transient zone without consideration of actual zone of influence of the scenario.
The use of bounding areas and volumes in the CFAST model groups which are smaller than the actual fire zone configuration.
The use of a peak heat release rate for motor (electrical) fires of 211 kW as opposed to the 69 kW heat release rate identified in NUREG/CR-6850.
The use of bounding heat release rate calculations in FLASH-CAT for electrical cabinet fires, transient fires, and fixed sources including spread/propagation of cable trays (including tray stack configurations) as opposed to actual plant configurations.
The use of a single door opening in the CFAST hot gas layer calculations as opposed to the actual openings of the fire zone.
Failing all conduits in the PAU for every scenario in the PAU.
Instrument air piping when exposed to fire plume conditions is considered damaged by fire scenario regardless of temperature of the piping and elevation above the source.
Assignment the worst case abandonment probability to each MCR ignition source configuration regardless of ventilation condition.
(This F&O originated from SR FSS-D3)
Proposed Solution: Perform detailed scenario analysis for risk significant fire scenarios presently modeled as bounding whole compartment burns and refine bounding assumptions of current detailed fire modeling scenarios.
Basis for Significance: The use of bounding fire scenarios provides unrealistically high CDF/LERF values.
L-MT-17-016 NSPM Page 64 of 95 Actual Solution:
The Fire PRA has been developed following the guidance in NUREG/CR-6850. Accordingly, the analysis is initially quantified with conservative assumptions in the definition of the fire scenarios.
Conservatisms are removed on an as needed basis as part of the cut set review and risk reduction activities. Cut set reviews and risk reduction activities continued after the peer review. Consequently, some of the conservatisms listed in the F&O have been addressed. In each case, the removal of a conservatism is evaluated to determine the most efficient means of reducing risk.
In the case of MCCs and Switchgear cabinets, the heat release rate probability distributions have been updated to the ones associated with electrical cabinets with one cable bundle listed in Appendix G of NUREG/CR-6850.
Transient zones extend from the floor slab to the ceiling slab. By mapping all of the identified targets to the, the Fire PRA assumes that a transient fire may occur anywhere (i.e., at any elevation) in the transient zone.
In Step 1 of Detailed Fire Modeling, all targets in each transient zone are assigned to the ignition sources located within that transient zone. If future risk reduction activities warrant a refined approach, the zone of influence of each ignition source will be considered.
The use of bounding volumes in CFAST ensures that the bounding scenario is analyzed. If the FPRA results indicate that the time to hot gas layer formation is overly conservative, then additional CFAST simulations may be considered.
The peak heat release rate of motor (electrical) fires was updated to 69 kW as opposed to 211 kW per NUREG/CR-6850.
The use of bounding heat release rate calculations in FLASH-CAT ensures that the uncertainties in the input parameters for the FLASH-CAT method are accounted for.
The use of a single door opening in the CFAST hot gas layer calculations ensures that the bounding scenario is analyzed. If the FPRA results indicate that the time to hot gas layer formation is overly conservative, then additional CFAST simulations may be considered.
On an as needed basis, the mapping of conduits to specific fire scenarios has been completed as required for risk reduction by the cut set review process. This approach is used in some scenarios in place of mapping all conduits in the PAU to every scenario in the PAU.
The assumption that piping exposed to fire plume conditions are damaged by fire limited the scope of the drawing review and walkdowns that supported the development of these scenarios.
The use of the worst-case abandonment probability for each MCR ignition source configuration ensures that changes to the ventilation condition do not require re-analysis of the Fire PRA scenarios.
L-MT-17-016 NSPM Page 65 of 95 Change Number: MT-15-0077 F&O Number: 4-32 Associated SR(s): FSS-A5 Detailed Problem
Description:
The Single Compartment Analysis Notebook 016015-RPT-06 states that electrical cabinet heights are assumed to be 1.8 m (6 ft.) above the floor in the CFAST fire modeling applications. Additionally, the cable trays at MNGP were modeled with 0.46 m (1.5 ft) height between cable trays in a stack, a typical tray arrangement; this value is used in the FLASH-CAT application. Cable tray assumptions in FLASHCAT include that each cable tray contains 61 cables, is two foot in width, and 75% percent of the cable will burn completely. These bounding assumptions may not accurately reflect the as-built configurations and provide non-conservative results.
(This F&O originated from SR FSS-A5)
Proposed Solution: Provide justification that these assumptions reflect or bound all as-built configurations that they are applied to.
Basis for Significance: The use of these assumptions may not accurately reflect plant configurations and could be non-conservative.
Actual Solution:
The following list describes the basis for each of the inputs and provides a basis by which these results bound the as-built configurations. By ensuring that the modeled conditions bound the as-built conditions, it is ensured that results of the Fire PRA are conservative. In each case, future cut set reviews and risk reduction activities may warrant removal of such bounding assumptions. Removal of these conservatisms is evaluated on an as-needed basis.
Electrical cabinet are assumed to be 6 feet in height. Ignition source walkdowns did not identify any outlier cabinets that are significantly taller than 6 feet. By using the largest typical cabinet height, the calculated time to hot gas layer formation is conservatively calculated. This calculation is conservative because the taller the height at which the fire occurs, the less volume is available above the fire. This smaller volume will reach the critical damage temperature in less time.
The FLASH-CAT application assumes a distance of 0.46 m (1.5 ft) between cable trays in a stack. FLASH-CAT was programmed using the equations given in NUREG/CR-7010. In the tests documented in NUREG/CR-7010, the vertical distance between the trays ranged from 0.23 m to 0.46 m (9 in. to 18 in.).
o It is important to note that the burning length of the trays ignited is equal to o L_(n+1)=L_n+2(h_(n+1) tan(35°))
o where L is length, n is the cable tray index, and h is the vertical distance between trays By using this maximum vertical distance between cable trays, the FLASH-CAT model calculates the maximum length ignited in each successive tray.
L-MT-17-016 NSPM Page 66 of 95 The average number of cables installed in a cable tray segment at MNGP is 61. While this value is an average, this number does not affect the calculation since fuel burnout is not expected over the duration of the simulation.
Inspection of the MNGP raceway drawings indicate that the maximum tray width is 0.61 m (2 ft).
By using this maximum tray width, the maximum heat release rate contribution from the burning cable trays is calculated.
The mass fraction of the non-metallic part of the cable that remains after a fire is known as the char yield. NUREG/CR-7010 recommends that a char yield value of 0. This value corresponds with approximately 100% of the non-metallic mass of the cable being consumed by a fire. This represents the maximum contribution to the heat release rate from burning thermoplastic cables.
L-MT-17-016 NSPM Page 67 of 95 Change Number: MT-15-0078 F&O Number: 4-33 Associated SR(s): FSS-A5 Detailed Problem
Description:
Wall and corner effects are not accounted for in the FLASH-CAT modeling for heat release rate calculations that are used for the CFAST hot gas layer models.
(This F&O originated from SR FSS-A5)
Proposed Solution: Incorporate wall and corner effects in the FLASH-CAT heat release rate calculations.
Basis for Significance: The HRR rates calculated in FLASH-CAT may be non-conservative for certain fire scenarios impacting hot gas layer timing.
Actual Solution:
The FLASH-CAT modeling of heat release rates using the CFAST hot gas layer models predict hot gas layer formation using bounding assumptions. By ensuring that the modeled conditions bound the as-built conditions, it is ensured that results of the FLASH-CAT model are conservative. These conservatisms include:
Maximum flame spread rate for thermoplastic cables (0.9 mm/sec)
Maximum heat release rate per unit area of thermoplastic cable (250 kW/m2)
Bounding value of cable mass per unit length (0.75 kg/m)
Bounding value of plastic yield (0.75), which bounds all cables tested in NUREG/CR 7010 Char yield value of 0. This value corresponds with approximately 100% of the non-metallic mass of the cable being consumed by a fire. This represents the maximum contribution to the heat release rate from burning thermoplastic cables.
All cable trays are assumed to be 2 ft wide, which is the maximum width measured on the cable tray layout drawings.
Maximum vertical distance between trays modeled in NUREG/CR-7010 (18 in.)
Maximum heat release rates of transient fires (317 kW) and electrical cabinet fires (1002 kW).
These heat release rates are equal to the 98th percentile from Table E-1 of NUREG/CR-6850.
Flame is assumed to spread through up to 12 vertically stacked cable trays, which bounds the as-built plant configuration.
Such conservatisms bound the heat release rates resulting from wall and corner effects.
L-MT-17-016 NSPM Page 68 of 95 Change Number MT-15-0080 F&O Number: 4-35 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook 016015-RPT-07 apportions the ignition frequency of the main control board to individual scenarios based on the number of cables. PRA FAQ 14-0008 provides details for apportioning of the MCB ignition frequency if Appendix L is recalculated.
(This F&O originated from SR FSS-B2)
Proposed Solution: Remove the ignition frequency apportioning methods and assign the entire MCB frequency to each scenario. Alternatively, provide technical justification for the apportioning of the MCB ignition frequency by cables or other method.
Basis for Significance: Appendix L is not utilized in the MCR analysis and ignition frequency should not be apportioned. Additionally, the number of cables may not be an appropriate method as cables could be routed through a MCB panel and not a termination point, therefore, the number of cables could be inaccurate.
Actual Solution:
The methodology used in the Main Control Room Analysis Notebook 016015-RPT-07 is appropriate because the frequency is apportioned based on the density of cables and thus the concentration of sources (e.g., connections, switches) that are more likely to cause a fire. In addition, the methodology that has been implemented does not double count credit for non-suppression probability for scenarios where control room abandonment is credited. The documentation provided in the Main Control Room Analysis Notebook gives a comparison to the approach recommended in NUREG/CR-6850, Appendix L. This comparison shows that the method used in the Monticello Fire PRA calculates a higher likelihood for the different fire scenario sequences modeled. The approach has the advantage of fully accounting for the main control board frequency and not double count non suppression probability credit when the control room abandonment is credited.
L-MT-17-016 NSPM Page 69 of 95 Change Number: MT-15-0082 F&O Number: 4-38 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook 016015-RPT-07 does not address the potential of transient scenarios impacting multiple MCBs or panels. The analysis only assigns a geometric factor of 0.01 for the fraction of transient fire frequency for transients adjacent to the panels which is applied to each panel scenario.
(This F&O originated from SR FSS-B2)
Proposed Solution: Postulate transient scenarios in the Main Control Room that could impact multiple MCBs or panels based on their location on the floor with respect to the zone of influence. Additionally, provide technical justification for the geometric factor of 0.01 for the fraction of transient fires added to the electrical panel frequency.
Basis for Significance: Scenarios do not address the risk impact of fire damage to multiple MCBs or panels.
Actual Solution:
The following F&O response is broken down into two sections: (1) Correction to the use of geometric factor and (2) Revised approach to address potential transient scenarios impacting multiple MCBs or panels.
Correction to Use of Geometric Factor Using the point source flame radiation model described in Section 9.2.5 of the Report 016015-RPT-07, it was determined that a transient fire may damage a MCB panel or electrical cabinet if the transient fire is located within 4 feet of that panel.
Using this critical distance, the open floor area around each panel is then measured. This open floor area is used to determine the geometric weighting fraction for each MCB Panel and Electrical Cabinet in the MCR. In Figure 3-1, the shaded area indicates the open floor area within which a postulated transient fire would damage the panel or cabinet.
Figure 3-1: - Example of Main Control Room Transient Fire Area
L-MT-17-016 NSPM Page 70 of 95 After measuring the width and length of each panel, the open area around each panel is calculated.
This area is then divided by the total floor area of the Main Control Room to determine the geometric ratio. The risk contribution of transient fires is then captured by adding the geometrically weighted transient fire frequency to the fixed source frequency for each analyzed scenario.
Revised Approach to Transient Fires Impacting More than One Panel As described in Section 9.1.1 of Report 016015-RPT-07, there are five sequences that describe each fire postulated in the Main Control Room. For each of these five sequences, the ignition frequency of the transient fires calculated in Item (1) of this F&O response is added to the ignition frequency of the panel.
In the cases of Sequences 3 and 4, the fire continues to grow after prompt suppression fails.
Sequences 3 and 4 include targets damaged by the radiative fire effects of the ignition source. In other words, MCB panels and electrical cabinets within the radiative zone of influence of the ignition source are damaged during Sequences 3 and 4.
A portion of the transient ignition frequency is mapped to each ignition source and to each Sequence for that ignition source. As such, the analysis captures transient fires that, when prompt suppression fails, cause damage to more than one MCB panel or electrical cabinet based on their location within the transient fire area.
L-MT-17-016 NSPM Page 71 of 95 Change Number: MT-15-0083 F&O Number: 4-40 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook 016015-RPT-07 does not address the impact of a transient fire behind the open panels igniting cables inside of the panel.
(This F&O originated from SR FSS-B2)
Proposed Solution: Address the potential for a transient fire located behind an open electrical panel igniting the cables inside of the panel.
Basis for Significance: Potential increases in heat release rate of scenarios are not addressed and could impact risk.
Actual Solution:
Transient fires adjacent to panels in the Main Control Room are assumed to damage panels by assigning the same impacts as fixed-ignition source scenarios originating in the panel. Using this approach, the transient fire frequency is added to the fixed-source frequency in order to reduce the number of scenarios postulated in the control room, and, at the same time, include the transient frequency contribution to fire risk.
It is important to note that the ignition of the cables inside of an open panel by a transient ignition source does not change the impact of the fires; the damage to each panel by a transient fire is equivalent to the panel igniting on its own.
Further, fires igniting within each panel are evaluated for propagation to adjacent panels. By adding the transient fire frequency to the fixed ignition source frequency in these scenarios, the potential for a transient fire to ignite cables in more than one cabinet is already captured.
With regards to the MCR abandonment analysis, it is not necessary to analyze an additional fuel package fire scenario in which a transient fire ignites cables inside of an open panel. Ignition of these secondary combustibles would not measurably impact the time to abandonment calculations presented in Section 6.0 of the MCR Notebook. Regardless of the location of the transient fuel package (open, wall, corner) and of the environmental conditions (functionality of HVAC, open/closed entry doors),
abandonment conditions were achieved before the fire reached a peak heat release rate of 317 kW.
Importantly, the peak heat release rate of the transient scenario is achieved two minutes after ignition.
Following guidance in Appendix R of NUREG/CR-6850, the exposed cables are not expected to ignite until at least 5 minutes after ignition. Therefore, abandonment conditions would have been achieved prior ignition of these exposed cables.
L-MT-17-016 NSPM Page 72 of 95 Change Number: MT-15-0084 F&O Number: 4-42 Associated SR(s): FSS-B2 Detailed Problem
Description:
The Main Control Room Analysis Notebook 016015-RPT-07 does not reduce the total available floor area by removing equipment floor space when calculating the transient fire frequencies.
(This F&O originated from SR FSS-B2)
Proposed Solution: Reduce the available floor area for transients by removing equipment floor space and recalculate the transient scenario fire frequencies.
Basis for Significance: The reduction of the total available floor area would impact the individual transient fire frequencies.
Actual Solution:
The Main Control Room Analysis Notebook has been updated such that the transient fire frequencies in the MCR are calculated using the available floor area; the available floor area is calculating by subtracting the equipment floor space from the total floor area of the main control room.
The Monticello Fire PRA postulates a transient fire in front of each panel in the Main Control Room.
These postulated transient fires are considered to have the same impacts as the fixed-ignition-source scenarios originating on the panel. The frequency of these postulated transient fires includes a geometry factor. This geometry factor apportions the total transient frequency assigned to the Main Control Room to the floor area near the panel under consideration. This geometry factor is equal to the ratio of the floor area in which a transient fire may damage a panel (approximately 16 sq. ft) to the total available floor area in which a transient fire may occur. The total available floor area is equal to the total floor area of the Main Control Room (2250 sq. ft) minus the areas of the floor that are permanently occupied by plant equipment (653 sq. ft). The total available floor area in which a transient fire may occur is equal to 1,597 sq. ft.
L-MT-17-016 NSPM Page 73 of 95 Change Number: MT-15-0089 F&O Number: 5-2 Associated SR(s): ES-A1, ES-A4, ES-A5, ES-A6, ES-B2 Detailed Problem
Description:
The evaluation of potential MSOs included in the Equipment Selection and Plant Response Model Notebooks, 016015-RPT-03, were, in general, found to be very narrowly focused and based largely on the assessments originally developed for fire safe shutdown. Further, a review of these assessments revealed incomplete evaluation or treatment of various MSOs. Specific examples are cited below:
MSO 2a - Spurious head vent was screened based on line size for the safe shutdown analysis.
However, spurious head vent involves a loss of RCS integrity and needs to be retained per ES-A5 and equipment are to be placed on the FPRA equipment list.
MSO 2b - The MSO was considered by the FPRA development to be a high consequence initiation event (non-isolable LOCA outside containment). It was evaluated as such, and determined to require four spurious actuations. Therefore, it was not required to be added to the model, per ES-A6. However, the peer review noted that three spurious actuations will produce MSO 2b: two MSIVs spuriously open on a steam line (inboard and outboard), and one of two turbine bypass valves fail to close (BPV-11 or BPV-12), and therefore will be retained per ES-A6 and equipment placed on the FPRA equipment list and developed in the plant response model.
MSO 2i Spurious Drywell Spray valves - There is no discussion of impact on LPCI.
MSO 2d - Not modeled, based on small LOCA leakage potential (40-70 gpm). However, MSO 2d involves a loss of RCS integrity and needs to be retained per ES-A5 and equipment are to be placed on the FPRA equipment list.
MSO 2e - This MSO involves a fire induced LOCA through the SCRAM discharge volume; screened from the FPRA equipment list using cable selection / routing arguments. Cable selection / routing arguments are not applicable to the equipment selection process and are not an applicable bases for ES screening.
MSO 5g - Asynchronous paralleling of onsite power sources. Included in the model, but the potential initiating event impacts are not documented. Support system initiating events are modeled by the general transient event tree in the MNGP PRA model, so probably a documentation issue only, unless the loss of two buses due to the asynchronous paralleling alters the applicability to the general transient event tree.
MSO 2-New Potential pumping of suppression pool to the CST. Screened based on plant modifications to prevent pumping of suppression pool to the CST. Regardless of modifications, the pertinent equipment would need to be included on the FPRA equipment list unless a means is found to screen them (e.g., based on the number of spurious operations, or based on passive devices such as orifices or manual valves). If orifices used, would need to reference the thermal hydraulic calculation.
MSO 2l, 2-new-6 Assessment of spurious CS or RHR without flow paths does not include impact on the increase in temperature of the suppression pool from spuriously running pumps. Also, the potential impacts from pump running on minimum flow for an extended period not discussed (the possibility for pump damage). The potential for pump dead-heading was addressed by assessment of MSOs through plant modifications. Modifications address fire safe shutdown, but it is not clear whether these modifications permit screening from the PRA / FPRA equipment list.
L-MT-17-016 NSPM Page 74 of 95 MSO 2m Assessment seems to be inconclusive. It states that three phase hot shorts 'appear to be required'. It also references a manual valve that is not identified on the drawings. This is only a documentation issue only; there is need only to clarify the documentation.
Flow diversion scenarios for HPCI and RCIC do not evaluate transfer of inventory from Pool to CST and vice versa (including CST overfill)
MSO 4r,s,t,u - Containment overpressure is not included in the model, despite being critical to the operation of CS and RHR pumps. Justification is provided for exclusion of major valves, but there was no evaluation of all of the potential spurious operations that could reduce containment overpressure. In addition, the MSO evaluation report identifies several treatments for alternate safe shutdown.
Modifications address fire safe shutdown, but it is not clear whether these modifications permit screening from the PRA / FPRA equipment list (For example, one plant modification made for 4s allows fire safe shutdown to address the MSO from the alternate shutdown panel. The PRA may model scenarios that don't involve alternate shutdown that could be impacted by MSO 4s).
MSO 5a This MSO is not addressed. The modeling only treats failure of load shed. It does not address diesel challenges due to simultaneous 9or out of sequence) breaker closures or overloading due to multiple sequential breaker closures.
MSO 5d The evaluation of spurious RHRSW does not take into account that RHRSW flow path is normally isolated by valves at the heat exchangers.
MSO 5f It is not clear that the evaluation of paralleling the Diesel with offsite power is complete.
Divisional separation does not provide an allowable basis to screen equipment from the FPRA equipment list. It only addresses 'most cases' and refers to a mod on only one of the diesel generators.
There is no discussion of combinations of MSOs e.g., cumulative impact on inventory control function of SORV plus head vent, or multiple recirc pump fail to trip, etc.
MSO 5h - Based on discussion with FPRA development team, MNGP switchyards are synchronized, however, it was difficult for the review team to ascertain this from the documentation.
There is no discussion of combinations of MSOs such as spurious head vent plus a single SRV, or failure of two recirc pumps to trip.
(This F&O originated from SR ES-B2)
Proposed Solution: Complete review of generic MSOs and address MSO combinations.
Basis for Significance: This F&O is classified as a finding as several of the MSOs in question could prove to be risk significant.
Actual Solution:
After the peer review, generic MSOs evaluations were reviewed and revised to provide additional detail and clarification, and include new evaluations for a number of MSOs. MSO combinations were considered and addressed where applicable. Updated MSO evaluations are documented in the Equipment Selection and Plant Response Model Notebooks. The specific concerns cited in this F&O were addressed as follows:
MSO 2a - Evaluation revised to provide details related to the basis for screening; the scenario is screened based on thermal-hydraulic analysis performed and documented in EC 20901 and EC 20902.
MSO 2b - MSO developed and included in model. Evaluation revised.
L-MT-17-016 NSPM Page 75 of 95 MSO 2i - EC 20669 QF-0525 installs a shorting circuit using control room switches 10A-S9A/B for RHR Valves MO-2020 and MO-2021, respectively. The installation of a shorting circuit ensures that the RHR Drywell Spray Outboard Isolation Valves, MO-2020 (Division 1) and MO-2021 (Division 2), remain in their normal closed position in the event of a fire. No operator action is required to preclude spurious opening of MO-2020 or MO-2021.
MSO 2d - Evaluation revised to provide details related to the basis for screening; the scenario is screened based on thermal-hydraulic analysis performed and documented in EC 20901 and EC 20902.
MSO 2e - Evaluation revised to provide details related to the basis for screening; the scenario is screened based on thermal-hydraulic analysis performed and documented in EC 20901 and EC 20902.
MSO 5g - Evaluation was revised to include a discussion of how the MSO was incorporated into the model sequence logic.
MSO 2-New Evaluation revised to discuss consequences of all potential sources of water to the CST. MSO remains screened. Evaluation of flow diversion scenarios for HPCI and RCIC that transfer inventory from Pool to CST and vice versa (including CST overfill) are included.
MSO 2l, 2-new The evaluation of MSO 2-new-6 includes the assessment of the CS and RHR spurious starts. An increase in temperature of the suppression pool is not considered for evaluation at MNGP due to timing for the event.
MSO 2m - Documentation issue only. Evaluation revised to clarify.
MSO 4r,s,t,u - Evaluations revised to address all of potential spurious operations that could reduce containment overpressure. EC 20901 includes MSOs originally screened out as being insignificant to assess the risk of combined MSOs, up to a maximum of four simultaneous spuriously operating components. In all MSO cases, the acceptance criteria are met. It was determined upon review of MSO 4r that its disposition was sufficient.
MSO 5a - MSO evaluation provided to address potential DG failures due to additional components loading. Evaluation includes input from plant systems analysts.
MSO 5d - The evaluation was updated to further clarify that the spurious start of the RHRSW pumps is not included due to the current modeling bounding the MSO. The CVs that isolate the RHRSW pumps are modeled in the logic and fail the pump. A spurious start of the pump would also require a failure of the CVs, which is already modeled. Therefore modeling spurious start of the pump is unnecessary.
MSO 5f - The evaluation was updated to clarify that the modification installed precludes the MSO from occurring.
MSO 5h - Evaluation revised to discuss switchyard breaker operation. All are controlled either locally in the subyard and/or from the grid system control center. The only breakers in the switchyard that can be operated from the Monticello Plant Control Room are the main generator output breakers.
Text was added to the MSO section to clarify that combinations of MSOs, such as spurious head vent plus a single SRV, or failure of two recirc pumps to trip, were considered during the MSO expert panel meeting, but no additional scenarios were identified.
The updated MSO evaluations are included in the referenced ES and PRM notebooks.
L-MT-17-016 NSPM Page 76 of 95 Change Number: MT-15-0090 F&O Number: 5-3 Associated SR(s): ES-B1, ES-D1 Detailed Problem
Description:
The following deficiencies were noted in the ES documentation:
- 1. There is no documentation of the basis for exclusion of SSEL components. This had to be provided informally by the PRA team.
- 2. The list of screened components in Table D-1 includes events that should retain their random failure values as well as those that should be failed.
- 3. The MSO evaluation table is not consistent in use of 'not modeled' vs 'modeled' in its disposition column. In some cases these entries conflict with the discussion of the assessment of the MSO.
- 4. In some cases, the MSO Evaluation table in the ES report is not consistent with the similar table in the PRM report.
- 5. These are several basic events that have no basis for screening in table D-1.
(This F&O originated from SR ES-D1)
Proposed Solution: Provide a separate table that includes disposition of all SSEL components and make changes as necessary to ensure consistency, completeness and clarity of documentation.
Basis for Significance: This is considered a finding based on the need for additional information to be provided in order to evaluate SR ES-B2.
Actual Solution:
- 2. The update ES notebook includes updated text that indicates that all screened components will retain their random failures. There is also now a column that indicates if a component is always failed in the model.
- 3. The MSO table in the updated notebook text is updated to reflect the proper modeled or not modeled dispositions.
- 5. A review of the basic events in D-1 was performed and the updated ES Notebook includes a screening basis for all entries.
L-MT-17-016 NSPM Page 77 of 95 Change Number: MT-15-0091 F&O Number: 5-4 Associated SR(s): ES-A1, ES-A4, ES-A5, ES-A6, ES-B2 Detailed Problem
Description:
Fault propagation sequences (single spurious or no spurious) are not modeled and can have a significant impact on mitigation. An example would be the fault of a 4 kV load cable and damage to its breaker of dc power source that prevents the breaker from opening. The incoming breaker (from offsite power or diesel) would open de-energizing the bus. If the incoming breaker is also impacted, the sequence could include loss of the next upstream bus as well.
(This F&O originated from SR ES-D1)
Proposed Solution: Include fault propagation logic in the model for breakers with separate control circuits.
Basis for Significance: This F&O is a finding given that the omitted sequences have a high potential to be risk significant.
Actual Solution:
A review was performed of the fault propagation sequences that could occur for specific fire scenarios.
The cable pairs that can cause the faults on the upstream buses were checked to ensure that all pairs that were both failed in specific fire scenarios had the upstream bus failures included in the scenarios as well. This process was documented in the PRM notebook.
L-MT-17-016 NSPM Page 78 of 95 Change Number: MT-15-0092 F&O Number: 5-5 Associated SR(s): CS-B1, CS-C4 Detailed Problem
Description:
For power supplies addressed by existing coordination analyses, the studies must be reviewed to confirm coordination exists for fire PRA credited power supplies for the configurations credited in the fire PRA. In some cases a study may conclude that a power supply is not coordinated, requires credit for cable length to achieve coordination, or is only coordinated in certain power distribution configurations (e.g., not cross-tied).
For power supplies not previously evaluated, the evaluation must be performed.
For those power supplies credited in the fire PRA that are not adequately coordinated, adjustments to the cable mapping and/or modeling of the components must be made.
(This F&O originated from SR CS-B1)
Proposed Solution: Review existing overcurrent protection analyses to confirm that coordination exists for fire PRA credited power supplies for the configurations credited in the fire PRA. Evaluate power supplies not addressed by existing calculations. Identify any additional circuits and cables whose failure could challenge power supply availability due to inadequate electrical overcurrent protective device coordination.
Basis for Significance: An evaluation of electrical coordination was not performed and has the potential for risk significant impact on the fire PRA.
Actual Solution:
An evaluation of electrical coordination has been performed. The failures due to lack of coordination have been integrated into the current Fire PRA model. The values reported in this ILRT extension analysis account for lack of documentation proving electrical coordination. Circuits that were not proven to be electrically coordinated were conservatively assumed uncoordinated in the Fire PRA model.
L-MT-17-016 NSPM Page 79 of 95 Change Number: MT-15-0093 F&O Number: 5-6 Associated SR(s): CS-C1 Detailed Problem
Description:
The review team noted the following documentation items associated with the CS element:
- 1. Assumption number 4 in Section 4 of the CS notebook states: It was assumed that the cable selection and circuit analysis that supported the Appendix R Safe Shutdown Equipment List (SSEL) was complete and correct. This information as previously documented in the Monticello Appendix R Database (MNGP APPR.mdb) as part of the Appendix R Safe Shutdown Analysis (SSA). A review of these components was completed to determine if the cable selection for Appendix R was appropriate and/or bounding for Fire PRA applications. Per interview with FPRA development team, existing Appendix R circuit analyses were, in fact, not assumed to be complete and correct. Each package was validated using modern criteria - not simply reviewed for applicability. This is an important and necessary activity and the documentation should be clarified to identify that it was performed. Section 5.2 should also be revised.
- 2. In Table B-5 of the ES notebook, MSIV-ISOL-A:Avail:Avail is not currently used in the fire PRA and can be deleted.
- 3. Table D-1 of the ES notebook, which identifies relays screened from CS, also includes relays that are included by virtue of equivalence to other components or pseudo-components.
Additional data should be provided to identify how they are included (reference the analyzed event), and would be better presented in a separate table.
(This F&O originated from SR CS-C2)
Proposed Solution: Make the necessary document changes.
Basis for Significance: This is considered a finding as item 1 is the validation of a critical input and must be properly represented in the documentation.
Actual Solution:
- 1. Assumption 4 of Section 4.0 and Case 1 of Section 5.2 has been updated to better clarify that Appendix R circuit analysis packages were validated for usage in the Fire PRA.
- 2. N/A to this notebook, update performed in the PRM notebook.
- 3. N/A to this notebook, update performed in the ES notebook.
L-MT-17-016 NSPM Page 80 of 95 Change Number: MT-15-0094 F&O Number: 5-7 Associated SR(s): CS-A1 Detailed Problem
Description:
The circuit analyses for some pseudo-components were found to be broad and merit further refinement.
For example, the circuit analyses for the spurious ADS pseudo-components include cables that are must fail in combination to result in spurious ADS.
(This F&O originated from SR CS-A1)
Proposed Solution: Refine circuit analyses associated with risk significant failures.
Basis for Significance: Conservatisms exist in circuit analysis associated with risk significant failures.
Actual Solution:
The circuit analysis for pseudo-components and all components are analyzed at a functional state level to match the basic events in the Fire PRA model. All risk significant basic events as identified during cutset reviews are evaluated to determine whether further detailed circuit analysis can be performed in order to reduce any conservatisms in the circuit analysis of the corresponding function state.
The circuit analysis and function states for the ADS pseudo-components were developed in the MNGP Fire PRA at a train level (A and B) instead of for each ADS Initiation relay due to the common cables (different conductors) associated with the 2E-K6A and 2E-K7A relays (similar for B), see drawing NX-7831-143-2. This cable routing on the main scheme of the pseudo eliminates some of the conservativeness of the ADS Initiation relay contacts being in series with each other, see NX-7831-143-2. However, conservatism does exist in the pseudo components by including off scheme cables that affect the spurious actuation of relays 2E-K6A and 2E-K7A.
For the ADS pseudo-components, the circuit analysis has now been broken down from two pseudos into four, one for each ADS Initiation relay.
ADS-CHANNEL-K6A:Avail:Non-Spur ADS-CHANNEL-K7A:Avail:Non-Spur ADS-CHANNEL-K6B:Avail:Non-Spur ADS-CHANNEL-K7B:Avail:Non-Spur The Fire PRA model has been updated to incorporate AND gate logic of each ADS Initiation pseudo on a train level.
L-MT-17-016 NSPM Page 81 of 95 Change Number: MT-15-0100 F&O Number: 6-2 Associated SR(s): IGN-A1, IGN-B1, IGN-B4 Detailed Problem
Description:
The FPRA development review plant-specific experience for fire event outlier experience. No outlier fires were identified for the FPRA. However, subjective criteria (active intervention was needed to prevent potential spread, indications that heat was generated of sufficient intensity and duration to effect components outside the fire source, potential for secondary combustible ignition) for identifying outlier fire events were not assessed. For example, for one hydrogen fire event, 01003990, that was screened, involved an eight inch flame, which could have damaged equipment.
Additionally, there are several fire events associated with hot work. The results of the hot work fire events may meet the 'objective criteria' specified in the documentation. However, hot work fires should be addressed in the context of whether active intervention was required to suppress the fire.
The methodology discussed in section 5.2.1 of the IGN notebook, does not discuss or review the fire events in the context of the subjective criteria.
(This F&O originated from SR IGN-A4)
Proposed Solution: Apply and document subjective criteria to review plant-specific experience for fire event outlier experience, and update fire frequencies if outliers are found.
Basis for Significance: Subjective criteria not applied in the review of fire events.
Actual Solution:
The following documents the review of the fire events contained within the Fire Ignition Frequencies Notebook using the criteria given in Section C.2.3 of NUREG/CR-6850 regarding potentially challenging fire events. According to Section C.2.3 of NUREG/CR-6850, a fire event is to be considered potentially challenging if any one of the following events are true:
A hose stream, multiple portable fire extinguishers, and/or a fixed fire suppression system (either manually or automatically actuated) were used to suppress the fire One or more components outside the boundaries of the ignition source were affected Combustible materials outside the boundaries of the fire ignition sources were ignited Further, a fire event may also be considered potentially challenging if any two of the follow features are cited in the fire event report:
Actuation of an automatic detection system A plant trip was experienced A reported loss of greater than $5,000 (not including any lost business damages)
A burning duration or suppression time of 10 minutes or longer
L-MT-17-016 NSPM Page 82 of 95 A fire was also considered for classification as Potentially Challenging if there was sufficient indication that the fire was self-sustaining:
It is apparent that active intervention was needed to prevent potential spread.
Indication that flames or heat was generated of sufficient intensity and duration to cause the ignition of secondary combustibles outside the fire ignition source, or enough to affect components, had such been in close proximity to the ignition source.
Substantial smoke was generated.
This additional review confirmed the conclusion documented in Section 5.2.1 of the Ignition Frequency Notebook; specifically, no unusual pattern of fire events can be attributed to a specific ignition source.
No update to the generic ignition frequency values is necessary. It is important to note that while several of the events are connected with welding machines and/or welding activities, this result is in line with the generic frequency values for hot work fires given in Supplement 1 to NUREG/CR-6850.
Further, there is no evidence that the hydrogen fire event is any different from the events used to develop the generic ignition frequency values. No other hydrogen fire events were identified during this review, indicating that no distinct fire event history is attributable to this source.
L-MT-17-016 NSPM Page 83 of 95 Change Number: MT-15-0101 F&O Number: 6-3 Associated SR(s): IGN-A1 Detailed Problem
Description:
Battery Chargers have been counted as either 10 or Bin 15 in the IGN development.
It appears that well sealed low voltage panels (e.g. lighting panels) have been included in the bin 15 count that should be excluded.
(This F&O originated from SR IGN-A1)
Proposed Solution: Assign all battery chargers into Bin 10.
Well-sealed electrical cabinets that have robustly secured doors and that house only circuits below 440V should be excluded from the counting process.
Basis for Significance: Binning assigned not consistent with equipment type.
Sealed low voltage panels should be excluded from the fire ignition frequency count. Their inclusion unduly dilutes the frequency for bin 15 and reduces the panel frequency for higher risk components.
Actual Solution:
The counting of Battery Chargers has been corrected such that all battery chargers are now mapped to Bin 10. This correction is reflected in the Ignition Frequency Notebook.
The counting for electrical cabinets (i.e., Bin 15) follows the guidance in NUREG/CR-6850 and the clarification for well-sealed panels in Supplement 1 to NUREG/CR-6850. Only small, low voltage wall-mounted panels are screened from the count. Lighting panels are not screened if they have doors that do not meet the criteria for well-sealed panels. This approach ensures that future monitoring of condition of panel is unnecessary.
L-MT-17-016 NSPM Page 84 of 95 Change Number: MT-15-0102 F&O Number: 6-4 Associated SR(s): IGN-A7, IGN-B1 Detailed Problem
Description:
Chapter 7, of NUREG-6850 Supplement 1 provides two counting methods for segmented bus ducts.
The analysis currently counts segmented bus ducts as a 1 for each duct in a given compartment.
However this does not apportion the total frequency appropriately. The frequency should be weighted for longer lengths (more segments) in any given compartment. The approach would be to choose Option 1 or Option 2 laid out in Chapter 7 of Supplement 1 to NUREG/CR-6850.
(This F&O originated from SR IGN-A7)
Proposed Solution: Apply Supplement 1 guidance for segmented bus ducts.
Basis for Significance: IGN documentation indicates that Supplement 1 guidance was utilized for segmented bus ducts, but observations indicate that it was not.
Actual Solution:
The Monticello Fire PRA and Ignition Frequency Notebook have been updated to reflect the use of Counting Approach 2 for segmented bus ducts given in Supplement 1 to NUREG/CR-6850. This approach assumes that the fire ignition frequency for segmented bus ducts is apportioned equally along the length of the bus duct. First, the analyst measures the total length of segmented bus ducts as well as the length of segmented bus duct found within each fire compartment. A ratio of the length of segmented bus duct within the compartment to the total length is then calculated. The plant-wide fire ignition frequency is then multiplied by the ratio of segmented bus duct lengths for each fire compartment. This apportions the total frequency in accordance with the guidance.
L-MT-17-016 NSPM Page 85 of 95 Change Number: MT-15-0104 F&O Number: 6-6 Associated SR(s): AS-A10, HR-G3, AS-A4, PRM-B5, PRM-B6, PRM-C1, HRA-B3, HRA-C1, HRA-A2 Detailed Problem
Description:
The entry condition for the C.4-C Abnormal Procedures requires the plant operations to determine control room evacuation is required. For cases where the fire is burning for longer than ten minutes as directed by the procedure, or abandonment is imminently obvious, the decision to abandon may be more obvious and indicative of the timing assumed. However, for fires that are suppressed earlier than ten minutes, the cognitive decision to transfer control may require more time than the 10-minute time delay modeled in the PRA, which impacts the time available to perform the ASD actions modeled by HFE, F-ASDEXE-YIF. Currently the Tsw for F-ASDEXE-YIF is 40 minutes, the Tdelay is 10 minutes, the Tcog is 0 minutes and Texe is 25 minutes, leaving 5 minutes for recovery. However, if the decision to leave the control room is more than 10 minutes, less time will be available for recovery (potentially changing the recommended dependence for recovering execution errors from high dependence to complete dependence) and potentially insufficient time will be available to perform alternate shutdown.
For example, for fire scenario FC9-MCR-1P-C-263A, a back panel in the main control room is suppressed within five minutes, and only the panel is damaged. Control room is modeled to be eventually abandoned due insufficient control of the plant, and the review team considers that the cognitive decision to transfer control may require more time than 10-minutes time postulated.
The peer review also observed that the alternate shutdown modeling does not account for differences in timing that could arise from MSO scenarios (e.g., SRVs spuriously open).
(This F&O originated from SR HRA-B2)
Proposed Solution: Evaluate the timing defined for the alternate shutdown actions to ensure the HFE definition and modeling to ensure model realism.
Basis for Significance: Potential risk-significant impact Actual Solution:
T/H analyses documented in PRA-CALC-15-003 (Fire PRA MAAP Analysis) were recently performed to ascertain the time available for human actions at the ASDS panel. These T/H analyses account for various levels of fire damage (for example, the numbers of SRVs spuriously opening), each yielding a different time window.
As part of the resolution of the present F&O and also F&Os 1-20 and 1-26, several human failure events (HFEs) were developed to more realistically represent the timeline of needed human actions under the various fire damage configurations mentioned above.
Refer to Section 8.0 of the Fire HRA Notebook for details of the analysis.
The HFEs were developed in concert to ensure a coherent integration of their timeline and enhance model realism. With that approach, the timing for the cognitive decision to abandon for fire scenarios that eventually lead to a loss of control was based on the functional impacts of the fire, in particular with regard to reactor pressure and inventory control functions. Because these specific functions are called out in the first minutes following plant trip (i.e., need to establish high-pressure injection, and depressurize if it is unavailable), the operators would be alerted to their loss early in the process. In that respect, the actual duration of the fire is of secondary importance or irrelevant altogether. This is also
L-MT-17-016 NSPM Page 86 of 95 true of those fire scenarios that eventually lead to loss of control but over a relatively long time window (for example, 40 min as opposed to 20 min). For these fire scenarios, the decision to abandon is determined by the functions that are lost, not by the duration of the fire. Finally, if the fire affects key systems relatively late in the process (for example, a high-pressure injection system runs initially, but then fails after 15 min), the time window for deciding to abandon would shift, at least, by the amount of time during which cooling occurred.
L-MT-17-016 NSPM Page 87 of 95 Change Number: MT-15-0105 F&O Number: 6-7 Associated SR(s): PRM-B2, PRM-C1 Detailed Problem
Description:
The peer review exceptions and deficiencies for the 2013 Internal Events PRA were entered and resolved in the PCD database and was used as the starting basis for Fire PRA model. However, it does not appear from the documentation that a verification of the internal events PRA dispositions from the 2013 peer review was performed to ensure they do not adversely affect the Fire PRA model, as required by the standard.
From a cursory review of the internal event deficiencies, FPIE F/Os 7-15, 7-17 and 4-2 revealed concerns regarding HRA assumptions and potential impact on the quantification. There is no evidence in the documentation that these concerns were evaluated in the context of the fire PRA.
(This F&O originated from SR PRM-C1)
Proposed Solution: Verify the peer review exceptions and deficiencies for the Internal Events PRA are dispositioned, and the disposition does not adversely affect the development of the Fire PRA plant response model.
Basis for Significance: As required by the standard, the development of the FPRA requires a verification of the dispositions to the peer review exceptions and deficiencies to ensure they not adversely affect the development of the Fire PRA plant response model.
Actual Solution:
Internal Events F&Os 7-15, 7-17 and 4-2 were closed and incorporated in the Internal Events PRA model, which was the basis for the Fire PRA model. The Internal Events PRA model has been reviewed to ensure technical adequacy. Therefore, the concerns of these F&Os have been addressed in the Fire PRA.
The dependency analysis was revised and performed with a general joint HEP floor set to 1.0E-05. For some combinations that involve long-term decay heat removal actions or LERF-reduction specific actions, a minimum joint HEP floor of 1E-06 was used. Maintaining a lower minimum joint probability for these combinations is appropriate because they will take place many hours after the fire, at which point the activation of the Technical Support Center (TSC) would be able to provide a mind frame that allows for a 1E-06 minimum joint dependency threshold. This is documented in the Fire Human Reliability Analysis Notebook.
L-MT-17-016 NSPM Page 88 of 95 Change Number: MT-15-0106 F&O Number: 6-8 Associated SR(s): PRM-C1, AS-C2, AS-C1, SC-C1, SC-C2, SY-C1, SY-C2 Detailed Problem
Description:
Appendix B of the Plant Response Model notebook documents the modeling changes made for the FPRA, but does not go into detail for all of the logic changes made to create the fire PRA. The peer review noted that 798 gates added to the FPIE PRA model for the FPRA development, and 427 FPIE gates were altered for the FPRA. Detailed information should be provided for how the FPIE PRA model was converted into the fire PRA, including system modeling, success criteria development, and accident sequence analysis.
A more thorough discussion is required on the development of the ASD logic, including the back referenced SRs in AS/SC/SY/DA. Regarding the alternate shutdown modeling, Section B.4 provides a brief description of the development for the alternate shutdown model. However, limited discussion is provided on logic changes made to the system models for alternate shutdown, and the new events added. The new ASD logic created basic events associated with unique cable failures. No details are provided in the documentation to support that effort. More documentation also is needed of the processes used to develop accident sequences and treat dependencies in accident sequences, including the inputs, methods, and results, such as: the success criteria established, a description of the accident progression, and the interface of the accident sequence model with plant damage states.
(This F&O originated from SR PRM-C1)
Proposed Solution: Document the Fire PRA plant response model consistent with HLR-PRM-C, HLR-AS-C, HLR-SC-C, and HLR-SY-C and their SRs, in a manner that facilitates Fire PRA applications, upgrades, and peer review.
Basis for Significance: Documentation of the system modeling, success criteria development, and accident sequence analysis is needed to facilitate PRA applications, upgrades, and peer review.
Actual Solution:
The PRM notebook was updated to include a more detailed description of the changes made to the internal events modeling for the FPRA. Several tables were added to Appendix B to clarify changes made to the system fault trees. These tables include information for changes related to ASD, power supply dependencies, MSO modeling, and other unique cable selection updates made for fire-specific failures.
The discussion on the development of the ASD logic in Appendix B.4 was also updated and more detail was added in the PRM notebook as well as the HRA notebook. Detailed discussion was added on logic changes made to the system models for alternate shutdown, and the new events that were added, including the special basic events for components that have alternate cable selection when they are operated from the ASD panel. Additional information on success criteria used for ASD sequences was also added based on new MAAP runs that were performed to refine the ASD logic.
L-MT-17-016 NSPM Page 89 of 95 Change Number: MT-15-0107 F&O Number: 6-9 Associated SR(s): SY-A19, PRM-B9, SY-A1, SY-A16, SY-A14, SY-B9, SY-B5 Detailed Problem
Description:
Common cause and test and maintenance, and pre-initiator human error basic events for core spray and RHR are missing from the ASD Logic. Additionally, the alternate shutdown modeling of core spray train B is also missing the failure mode for: 'CS Pump P-208B to run after the first hour.' Also, the review found that power supplies for some of the active components were missing from the alternate shutdown logic.
(This F&O originated from SR DA-E2)
Proposed Solution: Include component failure mode basic events and system dependencies for system modeling added for the FPRA consistent with HLR-SY-A, and HLR-SY-B.
Basis for Significance: Missing random failure basic events underestimate the unavailabilities of systems and trains modeled for alternate shutdown, which has a risk-significant impact on the FPRA results.
Actual Solution:
Some of the new basic events that were added to the model were not linked to existing type code data.
The model was updated so that all new basic events are connected to existing Type codes so that the proper data are connected and existing data documentation is correlated.
RHR and CS logic for ASD have been reviewed and basic events for common cause failures, test and maintenance, as well as pre-initiator human failure events (HFEs) have been added where appropriate.
CPCP208BXT12-ASD (CS PUMP P-208B FAILS TO RUN 1ST HOUR) has been added to the ASD logic. The ASD logics were updated after the peer review to remove conservatism in the overall modeling approach and this pump was included in the updated modeling.
A detailed review of all power supplies in the model was completed and the appropriate supplies have been added to the model. This is documented in Appendix B of the PRM notebook.
L-MT-17-016 NSPM Page 90 of 95 Change Number: MT-15-0096 F&O Number: 6-10 Associated SR(s): QU-B2, QU-B3, LE-E4, FQ-D1, FQ-B1 Detailed Problem
Description:
No LERF convergence test for the quantification truncation level was performed.
(This F&O originated from SR QU-B2)
Proposed Solution: Perform truncation convergence test for LERF.
Basis for Significance: Test for convergence required.
Actual Solution:
The updated FPRA Quantification notebook includes a LERF convergence test and associated documentation.
L-MT-17-016 NSPM Page 91 of 95 Change Number: MT-15-0097 F&O Number: 6-11 Associated SR(s): PRM-B9, SY-A1, UNC-A2, DA-E2 Detailed Problem
Description:
Basic events added to the FPRA associated with the following failure modes have failure probabilities set to zero:
UPS panel fault Circuit breaker fails to remain open Circuit breaker fails to open Fused disconnect switch, fuse spuriously fails Transformer fault CS pump fails to start CS pump fails to run 1st hour MOV fails to remain open MOV fails to open MOV fails to close 125 VDC distribution panel fault AOV fails to remain closed AOV fails to remain open Level transmitter spurious operation RHR Pump fails to run RHR Pump fails to start Solenoid valve fails to transfer (This F&O originated from SR SY-A2)
Proposed Solution: Include failure probabilities for system modeling added for the FPRA consistent with HLR-SY-A, and HLR-SY-B.
Basis for Significance: Basic event probabilities of zero underestimate the unavailabilities of systems and trains modeled for the FPRA, including the alternate shutdown modeling, which has a risk-significant impact on the FPRA results.
L-MT-17-016 NSPM Page 92 of 95 Actual Solution:
A full review of the basic events in the model was completed and all events that had no associated unavailability data were updated to use type code data where necessary. The basic events that previously did not have unavailability data were all newly added for the FPRA and mostly associated with ASD.
In the case of the UPS panel fault and any other basic events that were split out to represent primary and alternate or AC and DC power supplies, these unavailabilities are captured in the original BE associated with the specific component. These new BEs are only used for fire impacts and are only set to true in specific fire scenarios.
L-MT-17-016 NSPM Page 93 of 95 Change Number: MT-15-0108 F&O Number: 7-3 Associated SR(s): PRM-A4, PRM-C1, SY-A1, PRM-B9 Detailed Problem
Description:
The purpose SR PRM-A4 is to confirm that the plant response model is constructed in such a manner that it reflects the failure of identified equipment due to the loss of the associated equipment selected cables.
Based on the review by peers, the following issues were identified. These are based on limited time to review and are only examples.
The fault tree modeling of essential cues for HFE HPI-CNTRLY is not correct. The cues are modeled under gate F-HEP-CNTRLML, and ANDed with the medium LOCA initiator IE_MLOCA 2.72E-4/yr (with no FPRA IE modeled there). The FPRA development team concurred that the cues modeling gate LRPV-INSTR should be input into OR gate F020 (Ored with HPI-CNTRLY).
Equipment Selection report 016015-RPT-03 Table B-2 identifies ADS-CHANNEL-A:Avail:Non-Spur and ADS-CHANNEL-B:Avail:Non-Spur low level pseudo functions and equipment dependencies. It was determined during CS that the cables were properly mapped to the ADS pseudo component.
Equipment SV271A, C, and D are dependent on both ADS A and B channel cables. However, review of the FRANX database FPRA CDF 2-2 determined improper Component to basic event mapping was made to the PRM. ADS channel A is mapped to SV271A and ADS channel B is mapped to the remaining SV271C and D.
A review of pseudo components MSIV-ISOL-A:Avail:Avail and LLS-DIV-B1:Avail:Non-Spur as identified in the ES procedure determined there was no modeling of the component to basic event relationship.
From peer discussion it was determined that the noted pseudo-components were determined not required in the model following cut set review by the utility.
In addition, there was no evidence that the interlocks on the cable selection data worksheets were reviewed and properly incorporated into the PRM.
(This F&O originated from SR PRM-A4)
Proposed Solution: Perform the review of equipment selected through to PRM basic events to confirm the Fire PRA plant response model is consistent with the scope and location of equipment and cables (accounting for cable damage effects on the equipment of interest) per Section 4.2.2 and Section 4.2.3.
Basis for Significance: From the review performed it appears there may be two PRM related areas requiring additional review. Review the PRM model for correct component to basic event mapping particularly in areas where component mapping is directed to more than one channel or division of components. And, identify and correct the appropriate documentation of selected equipment and/or response modeling.
Actual Solution:
Following the peer review, a review of the pseudo component and interlock modeling was performed and changes were incorporated into the model. This is documented in the updated FPRA PRM notebook. The logic for MSIV-ISOL pseudos was added at this time. The logic for the ADS-CHANNEL pseudos was also updated. New, more specific, ADS channel pseudos were added to the model as described in F&O 5-7 and replaced the existing ADS-CHANNEL-A and ADS-CHANNEL-B components.
L-MT-17-016 NSPM Page 94 of 95 The instrumentation modeling for HPI-CNTRLY was also fixed in the model. The gate I-HEP-HPI-CNTRL, which is an OR gate with the HEP and instrumentation gate L-RPV-INSTR, was included in gate I038 where the original HEP was in the model.
L-MT-17-016 NSPM Page 95 of 95 Change Number: MT-15-0109 F&O Number: 7-4 Associated SR(s): SY-A1, PRM-B1, PRM-B9, PRM-C1, FQ-A2 Detailed Problem
Description:
It is not clear if the internal events PRA initiating events and accident sequences applicable to two or more SRVs open similar to LLOCA have been correctly applied. If it is deemed that opening of two or more SRVs does not need to mimic LLOCA, then provisions for a new initiating event, success criteria and accident sequence is required.
PRM calculation 016015-RPT-05, MSO 3a and 3b for potential opening of two or more SRVs added additional logic to the PRM. Potential opening of all SRVs mimics sequences similar to Large LOCA.
Review of the PRM calculation noted in section 6.0 that the initiating events and accident sequences embodied in the MNGP internal events model are used as the basis for development of the FPRA model. Additional information received from the utility representative regarding the review of internal events initiating events determined that Large LOCA was deemed not applicable to the FPRA. Review of the PRM CAFTA model located MSO failure of more than one SRV via gate F_SORV_2of8 with parents to gates different from LLOCA. If it is deemed that opening of all SRVs does not need to mimic LLOCA, then provisions for a new initiating event, success criteria and accident sequence is required.
(This F&O originated from SR PRM-B1)
Proposed Solution: When internal events PRA initiating events and accident sequences for CDF and /
or LERF are utilized, ensure that the FPRA sequences are definitively modeled.
Basis for Significance: It is not clear if the internal events PRA initiating events and accident sequences applicable to all SRVs open similar to LLOCA have been correctly applied.
Actual Solution:
The logic in the PRM was updated to map the correct logic to the LLOCA initiating logic. This includes the F_SORV_2OF8 gate that models 2 of the 8 SRVs spuriously opening (MSO 3a/b).
Section 6.1 of the PRM notebook was updated to state the Large LOCA event tree was determined to be applicable to the modeling the plant response to fire-induced spurious opening of two or more SRVs, and the PRM notebook was revised to clarify the treatment given to fire-induced spurious opening of two or more SRVs.
Page 1 of 3 ENCLOSURE 4 MONTICELLO NUCLEAR GENERATING PLANT Monticello Fire PRA Model Response to 2016 Focused-Scope Peer Review Findings Change Number: MT-17-0005 F&O Number: FO-1 Associated SR(s): FSS-D3, FSS-D4 Detailed Problem
Description:
The analysis results of the thermal heat soak method appear to credit ventilation limited burning in several PAUs without providing sufficient basis. An example is the Group 1 scenarios listed in Table J-6 of 016015-RPT-06. Each of the four fire case CFAST results have sensitivity cases due to the development of ventilation limited conditions. The baseline CFAST results do not result in damage to a generic target over a 60 min time interval. The CFAST sensitivity cases that were originally run with additional ventilation to verify constant exposure damage times would likely result in damage to a generic TP target when assessed in the heat soak model.
Proposed Solution: Evaluate the performance of the thermal heat soak model for the parameter sensitivity cases indicated in the SCA and where applicable for the MCA, or provide additional validation basis for the selection of the ventilation limited configurations used in the updated analysis.
Basis for Significance: The original evaluation included ventilation limited configurations that were outside the recommended validation range specified for the fire modeling tools applied. The results were then justified based on conservative outcomes relative to additional parameter sensitivity evaluations. This exercise was not documented for the thermal heat soak method. Therefore, it may be possible that the updated results are not validated, or justified as conservatively bounding.
Actual Solution: The heat soak method was extended to the sensitivity analysis (Section J.5 of FPRA-MNGP-SCA) in order to evaluate the effect in simulations where no oxygen depletion is assumed.
Under the assumption of no oxygen depletion, there is additional heat added to the enclosures, resulting in an increase in CDF of 3.48E-06 and an increase in LERF of 2.69E-07. The increases are approximately an order of magnitude lower than the plant Fire CDF and LERF results. It should be noted that the CFAST simulations assuming oxygen consumption include a lower oxygen limit of one percent. The resulting risk increase is a conservative estimate based on the following:
- 1. The CFAST volumes chosen for the analysis are selected in 5 different size groups, which bound the actual size of the fire compartments. That is, the fire modeling results are based on fire compartments that are smaller in size than the as built compartments in the plant.
Therefore, the resulting temperatures are higher than the ones that would result if the actual compartment size is used.
- 2. The CFAST simulations assume worst case combination of ignition source and secondary combustibles (i.e., cable tray arrangement) for the fire compartment. This approach bounds a number of scenarios associated with lesser fire intensities.
L-MT-17-016 NSPM Page 2 of 3 Change Number: MT-17-0006 F&O Number: FO-2 Associated SR(s): FSS-D3, FSS-D4, FSS-H4, FSS-H5, FSS-H9 Detailed Problem
Description:
A number of documentation issues have been identified. These include:
- 1. There are a number of scenarios that appear to credit the thermal heat soak method listed in the FMDB but the HGL times do not match any scenario listed in Report 016015-RPT-06. An example is Equipment C-18 in tblIgnitionScenarios of the fire modeling database. Scenario 2 and the corresponding comment indicates HGL time is 25 minutes based on heat soak time.
Table J-6 in Section J-6 of Report 016015-RPT-06 does not list any damage times from any ignition source - secondary combustible grouping of 25 minutes. The database should be checked for additional examples and addressed as necessary.
- 2. There are a number of scenarios listed in the FMDB indicating HGL timings but there is inconsistent indication for when a scenario credits the thermal heat soak method. The only method to verify that the thermal heat soak method was applied in the FMDB was to query the results in TblIgnitionScenarios and match HGL timing to those reported in Table J-6 in Section J-6 of Report 016015-RPT-06, or to search for comment fields in IgScnComment.
- 3. Description of the method in which the results from the thermal heat soak analysis is incorporated in the MCA. It is not clear where the MCA heat soak calculations or their direct inputs are among the reviewed material. Section 5.4 of the MCA Report 016015-RPT-08 points to Table J-6 in the SCA Report 016015-RPT-06 for heat soak results. However, the compartments listed in Table J-6 do not completely match the compartments that were screened from the MCA using the heat soak method. This suggests that there may be other heat soak results that are not documented. For example, the MCA screens combinations involving compartments 19B and 32A, but the SCA does not indicate that thermal heat soak analysis was performed for these compartments. In addition it appears that the heat soak method was used to increase the HGL timing for combinations involving compartment 32A, but there is no documentation of the results used to justify this timing.
- 4. It is difficult to link the CFAST Group and the Fire Case as listed in Table J-6 in the SCA Report 016015-RPT-06 with the damage integral result listed in the database for the SCA and MCA where applied. There is no consolidated table which includes the CFAST Group and the Fire Case as applied to a given scenario in the FMDB.
- 5. The thermal heat soak method does not fully document the approach for target damage accumulation at low temperatures. No technical deficiencies were noted in the method review; however, the treatment of the low temperature damage accumulation can have a significant influence on the overall result and should be clearly discussed.
- 6. Additional documentation of the limits of applicability for the thermal heat soak method is needed in Report 016022-RPT-01. For example, is there a maximum exposure temperature or maximum/minimum cable size over which the results can be used?
- 7. Documentation of sources of model uncertainty and its treatment in the analysis is needed to achieve a Cat II for FSS-H5 and FSS-H9. Since the heat soak method is an interpolation of the generic cable damage times listed in NUREG/CR-6850, there is no new uncertainty introduced
L-MT-17-016 NSPM Page 3 of 3 with the heat soak method, except for the damage accrual estimates at temperatures below the damage threshold.
- 8. Reports 016015-RPT-06, Rev. 4 and 016015-RPT-08, Rev. 4 were draft at the time of the review. They will need to be finalized and signed.
Proposed Solution: Revise the SCA, MCA, and thermal heat soak documentation to clearly address all identified documentation concerns. Many of these can be easily addressed with minor revisions to existing documentation.
The database should be updated to clearly indicate which scenarios have credit for the heat soak method. It would improve the traceability of the data if a new table was created that stored the heat soak results, and new columns created in the SC and MC tables that indicate whether heat soak is being used, and if so point back to the heat soak table for data source.
Basis for Significance: It is not possible to verify that the application of the thermal heat soak method is appropriate or complete.
Actual Solution:
- 1. Scenarios crediting the heat soak method have been reviewed. The configuration for Group 2 volumes missing from table J-1 in the Single Compartment Analysis notebook has been added to document the scenarios mentioned in this F&O.
- 2. Table J-7 has been added to the SCA notebook that indicates the equip and equip type that have the heat soak method applied.
- 3. Reference to Appendix J has been removed. Table E-2 in Attachment E to the MCA report includes the multi-compartment combinations that were considered for heat soak application.
- 4. Table J-7 has been added to the SCA notebook that indicates the group and fire case for each equipment that was considered for the heat soak application.
- 5. Additional technical discussion added to the SCA notebook on the low temperature treatment of the heat soak method. The discussion of cable heating at low temperatures is now included in the analysis.
- 6. Additional discussion on the limits of applicability for the heat soak method has been included in the SCA notebook.
- 7. Additional discussion added on uncertainty has been added based on the verification and validation study performed on the heat soak analysis.
- 8. The Reports 016015-RPT-06, Rev. 4 and 016015-RPT-08, Rev. 4 are final and signed.