ML20107N010
| ML20107N010 | |
| Person / Time | |
|---|---|
| Site: | Mcguire, Catawba, McGuire  |
| Issue date: | 02/29/1996 |
| From: | Rahbar M, Sewell R, Sholly S AFFILIATION NOT ASSIGNED |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20107M978 | List: |
| References | |
| ERI-NRC-95-506, ERI-NRC-95-506-DRF, NUDOCS 9605010252 | |
| Download: ML20107N010 (18) | |
Text
. _
O e
O DRAFT TECHNICAL EVALUATION REPORT ON THE SUBMITi AleONLY REVIEW OF THE CATAWBA NUCLEAR STATION INDIVIDUAL PLANT EXAMINATION OF EXTERNAL EVENTS DRAFT REPORT February 1996 M. Khatib-Rahbar Principal Investigator Authors:
2 8
S. C. Sholly, R. T. Sewell, M. V. Frank,
8 J. A. Imnbright*, A. Mosleh, and A. S. Kuritzky Energy Research, Inc.
P.O. Box 2034 Rockville Maryland 20847 Work Perforened Under the Auspices of the Unked States Nudear Reydetory em Omce of Nuclear Regulatory Research Washlagton, D.C. 24555 Contract No. 9444 058 j
1 Beta Corporation Internataoesi,6707-B kcademy Road NE, &_; :g, NM 87109 2
Safety Factor Associales, lac.,4401 Manchester Avenue, Suite 106, Encinitas, CA 92024 3
University of Maryland, Dept. of Materit.ls and Nuclear Engmeeting, Conese Park, MD 20742 1
9605010252 960426 PDR ADOCK 05000369 P
PDR i
)
l DRAFT-l hazard curve results do not add to or alter any of the insights of the analysis based on the EPRI hazard curve.
Seismic walkdowns of Catawba Unit 2 were originally completed (including specific components, area reviews, and reviews of areas common to both units) as a result of the Catawba trial plant seismic margin review issued in 1989. As part of the IPEEE process, additional walkdowns of Unit 2 and walkdowns of Unit I were completed using the same procedures as for the original Unit 2 walkdowns [5].
In addition to its treatment of IPEEE objectives, the Catawba submittal addressed the following other seismic safety issues: Generic Issue (GI) 131; Unresolved Safety Issue (USI) A-17; and Unresolved Safety Issue A-45.
l 1.1.2 Eitt The Catawba fire IPEEE is an update of the full scope, level 3 PRA performed between 1984 and 1987.
The update was started in 1991. The following summarizes the fire IPEEE procedure used for Catawba.
l The fire areas were reviewed during the walkdown to deter:nine if an area could cause one or more initiating events. The areas that would not are screened out. The remaining areas are reviewed to I
determine the initiating event that gives the " worst case result" involving a fire in that room. The submittal states: "The risk from other possible scenarios is judged to be bounded by the risk from the scenarios examined."
Fire initiating event frequencies were developed using a database containing fire events through 1986 from Licensee Event Reports (LERs) and an EPRI study published in 1983. For most areas, fire initiating event frequencies are based on the selected components of an area. Where a component is selected to represent an area, the frequency of fire of that component is used rather than the frequency of all sources in that area. However, the fire initiation frequencies for the control and cable rooms are based on the ability of fires to occur in the entire area, and the component cooling "short" room is assigned the cable room frequency.
I Each area is screened based on (1) whether the probability of damage for the worst case scenario is less than 104 per year, or (2) whether the fire damage probability is less than the internal events frequency of the same or similar scenario (s). The latter screening process is an important factor in understanding the low frequency of fire-induced core damage that is assessed for Catawba. The screening is performed using a Gallucci style fire event tree. The fire detection, suppression and propagation parameters of the event tree are based on NUREG/CR-0654 [10), judgmentally adjusted for each area to account for plant specific features. Analytical or tabular methods, such as COMPBRN and Fire Vulnerability Evaluation (FIVE), are not used to determine fire propagation potential.
Three rooms survive the above screening: control room, cable room, and "short room" near the component cooling water pumps. Loss of component cooling water is the selected " worst case" scenario for each of these areas. The control room and cable rooms are said to have the same consequences, so they are analyzed together using a loss of component cooling water scenario. Fire-induced failures are combined with random failures using the transient functional event tree / fault tree model to obtain an estimated core damage frequency. Fires in the control room and cable room are combined under the assumption that they have the same effect on the plant, namely, loss of component cooling water.
Energy Research, Inc.
2 ERI/NRC 95-506 I
DRAFT The walkdown is performed to verify assumptions about plant configuration, locate cable runs, and address the Sandia Fire Scoping Study Issues. The walkdown team was composed of two fire protection engineers, a PRA analyst, and a Program Manager, all from DPC. Peer review of the walkdown was performed by a fire protection engineer from McGuire.
On page 1-3 of the submittal [1], vulnerability is defined as an " unduly significant sequence". The study l
identified no vulnerabilities, i
Using the IPE model transient event tree and fault trees in Section 2 of the Catawba PRA [4), cut set l
frequencies summed to a total fire core damage frequency of 4.7x104 per year, which is about 6% of the total core damage frequency of 8x105 per reactor year. Fire sequences from these areas are identified as TQ3U sequences. These sequences involve a transient with reactor coolant pump seal Loss of Coolant Accident (LOCA) (Q3) and failure of safety injection (U). All cut sets are associated with FKC, which is a fire in the component cooling "short room". The frequency of FKC is, however, the sum of the fire damage frequencies of the cable room, control room, and component cooling water "short room".
The walkdown is performed to verify assumptions about plant configuration used in the PRA, and to address the Sandia Fire Scoping Study Issues. The walkdown findings led to the update of the Catawba fire PRA, as documented in Revision 2 of Section 3.5 of the Catawba PRA. The most significant walkdown insight is the discovery of the close approach of two trains of cables for component cooling water pumps in the elevation 568' "short room". The effort to investigate the Fire Risk Scoping Study issues did not reveal any problems, and no corrective actions were deemed necessary.
1.1.3 HE01 The Catawba Nuclear Station's IPEEE was performed on the foundation laid by the original Catawba PRA [4] and its subsequent update [6]. The report summarizes the examination process for external events performed from 1984-1987 for the original Catawba PRA, the continuing process of updating the l
risk model which resulted in the updated PRA issued in 1992, and the results of the latest update to support the IPEEE. The licensee has documented a detailed analysis of the high winds, external flooding, transportation and nearby facilities accidents hazards. Additionally, other external events have also been evaluated to ensure that there are no hazards unique to the plant. The objectives for this assessment are consistent with the objectives given in Generic Letter 88-20, Supplement 4 [2]. Utility personnel have been directly involved in all aspects of the development, quantification, and documentation of the l
analysis.
l 1.2 Overview of Review Process and Activities l
1.2.1 Seismic The emphasis and guidelines described in the draft report, IPEEE Review Guidance Document [11], for pre-site-visit review of a seismic PRA were generally followed in the seismic audit process. The review guidance provided in the NRC report, IPEEE Step-1 Review Guidance Document [12], was also considered. Data entry tables developed in the LLNL document, IPEEEData Entry Sheet Package [13],
were completed to the extent feasible based on the Catawba seismic IPEEE evaluation.
l Execution of all relevant activities and consideration of all issues, as described in Figure 3.1 of Reference i
[11], served as the systematic basis in evaluating strengths and weaknesses of the licensee's seismic Energy Research, Inc.
3 ERl/NRC 95-506
DRAFT-IPEEE, and in evaluating whether or not the seismic IPEEE meets the guidelines of NUREG-1407. The review was based on the IPEEE submittal and licensee response to Requests for Additional Information (RAls) [14], and has not included independent verification of the information contained in the IPEEE nor an inspection /walkdown of the plant by the review team. The review has not verified whether the data and descriptions presented in the IPEEE match the as-built /as operated conditions of the Catawba, nor whether the programs and procedures described in the IPEEE are indeed implemented as described.
1.2.2 Eirs j
The fire analysis of the IPEEE is reviewed for methodological completeness, accuracy and consistency with other studies. Rather than an independent set of calculations, the review uses experience based comparisons of other plants and other seismic assessments to judge the accuracy and completeness of the information provided by the licensee. The review covered the fire aspects of References [1], [6] and
[14]. In addition, References [4] and [10] were briefly reviewed for background.
The review process is consistent with the review guidance documents of References [11], [12] and [13].
The scope of the review covered elements of methodology, data, results, and insights. The review is conducted with an eye toward consistency with currently accepted methods, as well as the guidance in References [2] and [3]. Special attention is given (1) to the screening methodology, because a trend to prematurely screen out potentially significant areas or to inadequately justify screening out an area has emerged as a common problem among past fire PRAs and IPEEE analyses, and (2) to assumptions, because the results of many studies are unduly infbenced by assumptions made to simplify or introduce conservatism. Other methodology elements inclu4e, for example, development of fire event trees, fire propagation, suppression and detection, and systems modeling. Data elements include such items as cable routing, fire area partitioning, fire initiatio a frequency, detection and non-suppression frequencies and recovery probabilities. Results include such nces as minimal cut sets, core damage frequency and fractional contribution of cut sets, identification of important fire areas and scenarios, and effect of fire on early containment failure.
1 The submittal only review team has not verified whether the data presented in the IPEEE matches the conditions of the plant, or whether the actions and procedures described are indeed implemented.
Furthermore, independent calculations to verify results have, in general, not been performed.
i 1.2.3 HEQs The objectives of this review process are to verify that the HFO portions of the IPEEE study have been completed and documented as requested by Supplement 4 to Generic Letter 88-20 [2] and associated guidance described in NUREG-1407 [3]; to identify and summwize important IPEEE insights and findings; and to identify issues and concerns which require further clarification.
The review process was intended to examine the methodology, validate key input data and calculation models used, and assess all key aspects of the analysis. The methodology was also reviewed for consistency with current acceptable practices. Special attention was placed on the adequacy of data bases used to estimate the frequency of HFO events. The consistency of the results with the conclusions i
derived in the submittal have been reviewed.
Energy Research, Inc.
4 ERI/NRC 95-506
a DRAFT o
appraise key management personnei of the results and conclusions of the IPEEE analysis. Finally, an Independent Review Team, consisting of senior level employees with experience in PRA methodology, seismic equipment qualification, and systems engineering, performed a review of the IPEEE process and results. '
Review Mndings: Several levels of peer review, consistent with NUREG 1407 guidelines, were conducted as part of the Catawba seismic IPEEE.
2.1.20 Summary Evaluation of Key Inslehts Based on inspection of the dominant cut sets and the nature of the failures identified in the cut sets, seismically-initiated station blackout sequences are seen to dominate seismic CDF (i.e., they are l
responsible for at least 70% of the seismic CDF). The dominant basic events / component failures that a
contribute to seisade risk are:
1 1.
Seismically-initiated loss of offsite power.
2.
Various failures of diesel generators and emergency AC power system components and support system components, resulting in station blackout.
ReWew Findings: The Catawba seismic IPEEE provides meaningful insights into the seismic severe accident performance of the plant.
2.2 Mre 2.2.1 Documents Reviewed j
The review covered the fire aspects of the Catawba IPEEE submittal [1], responses to requests for additional information [14], and Appendices A, B, and C of the Catawba IPE submittal [6). In addition, Sections 6 and A.13 of the Catawba PRA [4] and Reference [10] were briefly reviewed for background.
This document provides observations by the review team regarding the IPEEE as defined in Generic Letter 88-20, Supplement 4 and NUREG-1407 [3]. The review process is consistent with review guidance documents of References [11], [12] and [13].
2.2.2 Methodolony Selection f
- a. Method Selected For Fire IPEEE The Catawba Fire IPEEE updated an existing PRA to account for the as-built plant. A walkdown is performed to verify assumptions about plant configuration, identify initiating events, locate cable runs, and address the Sandia Fire Scoping Study issues.
- b. Key Asswnprions Used in Performing Fire IPEEE The study's assumptions essentially govern the results:
1.
The study assumes that fire areas in the plant may be dismissed on the basis that a fire equipment damage scenario frequency is less than the internal event frequency for the selected equipment Energy Research, Inc.
14 ERI/NRC 95-506
DRAFT In the area, or because recovery is possible, or because the situation imagined is not credible.
Areas (equipment) dismissed on the basis that the internal events bound them are: 560 Auxiliary Building Lower Switchgear Room, 594 Auxiliary Building Rooms 571, 560 and 570 (Reactor Trip Switchgear and Control Room HVAC), Diesel Generator l A, Turbine Building, Vital I&C battery room, 594 Service Building (instrument air), Containment (RCPs and Power-Operated Relief Valves), and Nuclear Service Water Pump structure. The Load Sequencer Corridor is dismissed because recovery is possible, without assessing the likelihood of recovery. The Level 543 in the Auxiliary Building is dismissed because the selected scenarios are not considered credible.
2.
The study assumes that use of worst case fire scenarios in each area, instead of a variety of scenarios, is a conservative approach for calculation of core damage frequency and identification of vulnerabilities. This approach is used even if the selected scenario did not encompass the total fire frequency of the area.
3.
The study assumes that the effect of control room fires and cable room fires are identical, and have the same effect on the plant as fires in the component cooling water "short room", namely, loss of component cooling water.
l 4.
The study further assumes that the initiating event frequency for the cable room and component cooling water short room is identical, and the fire suppression, detection and propagation frequencies of these rooms are nearly the same.
5.
The study assumes that the parameters of NUREG/CR-0645 are appilcable to the simplified event tree it uses.
6.
The study assumes multiple opportunities for suppression without calculating either timing of l
suppression or fire growth, 7.
The study assumes that damage from fire suppression systems and smoke are insignificant when compared to damage owing to heat from fires, and are, therefore, not included in the analysis.
- c. Status ofAppendix R Modifcations The submittal indicates that Catawba is in compliance with Appendix R.
2.2.3 Review of Plan
- Informatinn and Walkanwn
- a. Walkdown Team Cunposition The walkdown team was composed of two fire protection engineers, a PRA analyst, and a Program Manager, all from DPC, Peer review of the walkdown was performed by a fire protection engineer from McGuire.
- b. Signifcant Walkdown Findings The walkdown was performed to verify assumptions about plant configuration used in the PRA, and to address the Sandia Fire Scoping Study Issues. The most significant walkdown finding is the discovery Energy Research, Inc.
15 ERI/NRC 95-506
DRAFT that cables for the train A and train B component cooling water pumps pass within 3 feet of each other, with no intervening fire barrier, in a "short room" on elevation 568'. In addition, Unit 1 pump cables are not protected by automatic water sprinklers at this location. The walkdown findings led to the update of the Catawba fire PRA, as documented in Revision 2 of Section 3.5 of the Catawba IPEEE [1].
- c. Signijcant Plant Features Significant plant features relative to the fire analysis are the Standby Shutdown System, Appendix R separation between redundant trains, and ability to cross-connect Nuclear Service Water between units, with only one nuclear service water train required to supply the water needs of both units. Instrument air is also shared between units. The Catawba and McGuire plants are quite similar, as is the methodology Duke Power used to analyze fires. The results, however, are significantly different.
2.2.4 Fire-Induced initiating Events
- a. Initiating Ewnts Considered The following initiating events are considered: plant trip, loss of off-site power, loss of main feedwater, loss of nuclear service water, loss of component cooling, loss of control area ventilation, loss of 4160 V essential power, loss of auxiliary shutdown panel, loss of vital instrumentation and control power (125VDC and 120VAC), loss of instrument air, and LOCA. Typically, only one is selected to represent an area.
i
- b. Analysis ofInitiating Ewnts
]
The fire greas are walked down to determine if an area could cause one or more initiating events.
Questionnaires are filled out for each area. Areas that are deemed to not cause an initiating event are screened out. The initiating event criterion used for the initial screening of rooms is not always reasonable. For example, a review of walkdown sheets (14] revealed that electrical penetration areas and diesel generator areas are screened out on this basis. While there are areas in the plant that would not cause an initiating event, some of these areas (for example, #1 Auxiliary Building loss of RHR pumps or # 6 Auxiliary Building loss of an RCP breaker) could initiate a manual shutdown owing to technical specification Limiting Conditions of Operation (LCOs). Manual shutdown also puts a demand on systems (e.g., RHR) that may be disabled by the fire. One of the principle reasons for performing a fire analysis is to investigate situations that cause a plant shutdown and also disable needed equipment.
Other licensee's have performed a detailed investigation into how operators would react to fires in each fire area. This includes interviews with senior operators. This was not done in this study.
2.2.5 Scraanine of Fire Zones 4
- a. Screening Methodology The screening analysis is performed on two levels. First, fire areas are reviewed to determine if an area
]
could cause one or more initiating events. The areas that would not are screened out. The surviving areas are assigned a " worst case result" initiating event. Second, each area is screened based on (1) whether the probability of damage for scenarios of the worst case initiating event is less than 108 per year, or (2) whether the fire damage probability is less than the frequency of the same or similar internal Energy Research, Inc.
16 ERl/NRC 95-506
i 4
DRAFT 4
i events equipment damage scenario. The screening is performed using a Gallucci style fire event tree.
The parameters of the event tree are based on NUREGICR-0654, judgmentally adjusted for each area.
4 l
NUREGICR-0654 was published in 1979 to provide a reasonably simple yet technically comprehensive approach to aid designers and regulators of fire protection systems. It recommended three approaches:
j a deterministic approach, a probabilistic approach, and a qualitative approach. The recommended probabilistic approach is called a critical-path technique, and was developed in 1976. A critical path diagram shows alternative paths of fire ignition, growth, discovery or detection, suppression or self extinguishment. Multiple opportunities for suppression and detection are allowed in a path. The events in the diagram are associated with judgmentally (and statistically, when data existed) determined numbers between zero and one, provided in Table 4 of Reference [10], which are called probabilities.
The table also provided qualitative criteria to guide the selection of the probabilities. The authors of NUREG/CR-0654 point out that thc conservatism of the method depends on the conservatism of the probabilities selected. The probabilities used by the licensee, as discussed in Section 2.2.9 below, tend l
to overestimate the probability of suppression, in comparison with accepted data, thereby underestimating the fire risk. Furthermore, the event tree provided in the subnuttal is only an approximation of the more i
i detailed and explicit critical path diagram in Reference [10]. Reference [10] states "it is necessary to l
visualize events at particular stages of fire development so that a valid estimate of the probability of j
success or failure could be made." The critical path diagram included parameters such as area of l
potential air-intake openings, fuel continuity, fuel availability, and penetration of barriers, all of which j
do not appear on the licensee's fire event tree. Therefore, the use of these probabilities in the simplified
{
event tree used by the licensee may not be valid.
)
)
l The study used the argument of low combustible loading to screen out the Dog Houses that house components whose failure could cause reactor trip, such as Main Steam Isolation Valves (MSIVs) and Feedwater Isolation Valves. Thus, they are not internally consistent with their own screening criteria.
Selecting a " worst case result" scenarb for a room is valid if the frequency of all potential core damage scenarios for the room is accounted for. Except for the control, cable, and component cooling short room, this is not the case in the Catawba study. During the screening, this study quantified the frequency of the selected fire scenario only. Alternative scenarios from other fire sources in an area are deemed to be insignificant. If an argument could be made to probabilistically screen out the selected scenario, the entire area was screened out. This procedure results in prematurely screening out rooms, a potential to miss vulnerabilities, erroneous perception of risk contributors, and underestimation of core damage i
frequency.
Using a screening criterion that eliminates rooms because fire damage to selected equipment within a room is less than the internal events value is not a method that can identify fire vulnerabilities and provide a useful measure of fire-induced core damage frequency. If a fire-induced equipment damage scenario has a lower frequency than a similar IPE equipment damage scenario, then the entire area is screened out.
The licensee provided the rationale that the effects of this fire are sufficiently represented, because the frequency is lower than the IPE scenario frequency [14). 'Ibe submittal, therefore, presents a total fire CDF which may be a significant underestimate. It presents only the sum of the scenario CDFs that happen to be larger than the corresponding IPE scenarios. The licensee's rationale for this that only the most significant sequences, whether they be internal or external, need to be counted in the core damage frequency. This is not consistent with the spirit of GL 88-20, Supplement 4, which is concerned with identification of vulnerabilities for each external event on its own, rather than in comparison to another Energy Research, Inc.
17 ERI/NRC 95-506 m.
w
-e----
DRAFT event. If the licensee's approach is taken to its logical extreme, then each external event, in total, could be screened out if its total CDF is less than the IPE CDF.
Except for 4160 V switchgear, reactor trip switchgear and the auxiliary shutdown panel in the auxiliary feedwater area, cabinet-initiated fires are not included in the analysis. The licensee's rationale for this is that cabinet fires are less likely to damage the component of interest in a room (e.g., diesel generator or component cooling water pump) than a fire initiated at the component itself. This is invalid, of course, because a cabinet fire can damage the component's MCC or control cables.
Using a 104 per reactor year screening criterion is reasonable, as is using a fire event tree as a quantitative method for screening.
LOCAs, other than transient-induced, appear to have been screened out. It is argued that because power could be removed from the pressurizer PORVs, if they failed open by a fire, such an occurrence is not a concern and not further examined. The potential ability to remove power during a fire does not equate to a certainty that the event will occur. This is particularly the case for a control room fire that leads to having to abandon the control room.
Residual Heat Removal (RHR) isolation valves, which can allow an interfacing LOCA if open, are either located such that redundant trains are not susceptible to the same fire, or have power removed during Mode 1.
Interestingly, the frequency of losing both trains of component cooling is estimated as less than that of McGuire, even though a specific location of close approach of cables for redundant trains is identified for Catawba, but not for McGuire.
- b. Status of Cable Spreading and Control Rooms These rooms are not screened out.
- c. Improperly Screened Out Zones / Areas Because of the concerns expressed in this review document, all areas and zones should be reevaluated using screening criteria and methods such as in the FIVE methodology.
2.2.6 Fire Hmrd Am1vsis
- a. Fire Initiating Ewnt Database
'nie development of initiating event fire frequencies by analysis of industry-wide data is laudable for a site that had little or no operational experience in 1984. However, this database is not updated for the 1988 through 1991 study, and plant-specific data is not used. A comparison of the initiating events used in this study with the Reference [20] database shows that the cable area, control room, and switchgear room frequencies used in the Catawba study are a factor or 2 to 3 lower than those recommended in the FIVE document. The Reference (20] frequencies are based on about 5 times as many fires and more than double the number of reactor years than the data used for the Catawba study. It is not surprising, therefore, that the fire initiation frequencies differ.
Energy Research, Inc.
18 ERI/NRC 95-506
4 i
DRAFT 1,
j]
The fire frequency of the component cooling water short room is taken as that of the cable room. One reason for the low CDF estimated in the submittal is that the control, cable and component cooling short j
rooms are the only rooms used for quantification of core damage frequency, and these rooms used a low i
estimate of fire initiation frequency.
Frequencies of fire initiation in pumps and diesel generators may be of the correct order of magnitude i
in the Catawba study, as compared to the FIVE document. However, the frequency of fires over the
]
entire area (i.e., for other fire sources such as cabinets), not just a selected component, should have been developed to allow the assessment of alternative fires in the area. This procedure may lead to a misperception of risk contributors, missed vulnerabilities, and an underestimate of CDF.
1 The equation used to estimate component fire frequencies not specifically included in the database j
multiplies a surrogate component frequency by the ratio of operating times of component to surrogate 1
component. ' Ibis has the obvious potential to underestimate frequency because it ignores the potential for the development of latent leaks which reveal themselves upon component startup.
- b. Plant-Specifc Database Plant-specific data is not used.
2.2.7 Fire Growth and Proonostion
)
j
- a. Deatment of Cross-Zone Fire Spread and Assumptions The study includes a barrier penetration probability of 0.01 for three hour barriers and five hour barriers J
with doors. These appear to be reasonable as overall average values. However, barrier penetration is allowed in the analysis only if the fire is at Stage 3 (fully engulfing the area). The potential for a fire i
to partially engulf an area (say Stage 2) and spread through an open door (or breach a barrier) is not i
considered. This does not account for a fire that starts in a combustible near an open barrier.
- b. Computer Codes Used Computer codes, such as COMPBRN, are not used for fire propagation, detection, and suppression.
l 2.2.8 Evaluation of Comoonant Frariliti umifailure Modes t
- a. Depnition of Mre-Induced Failures I
Although not explicitly stated, the definition of failure appears to be loss of equipment functionality or, j
j in the case of hot shorts, spurious actuation to an undesired position.
2
\\
}
- b. Method Used to Determine Component Capacities l
i^
~ Analytical or tabular methods, such as COMPBRN and FIVE, are not used to determine fire propagation potential. Temperature criteria for cable damage or electrical / electronic equipment damage are not used.
j Fire detection, suppression and propagation probabilities are based solely on the generic information in NUREG/CR-0654, judgmentally adjusted to account for plant specific features, i
Energy Research, Inc.
19 ERI/NRC 95-506
)
i
DRAFT
- c. Deatment of Operator Recovery Actions i
The control room, component cooling water "short room", and cable ruom fires are modeled in the systems' analysis as if they are loss of component cooling water. The only recovery action included in the analysis is operator failure to start the Standby Shutdown System, which is given a conditional probability of 3x102 Justification for a logical "and" with respect to recovery actions depends on sufficient time available before core damage, and adequate procedures. The study does not provide this justification.
2.2.9 Fire Detection and Sunoression
- a. Detection and Suppression Assunpions Detection and suppression are addressed within the framework of the fire event tree. The detection and suppression probabilities are based on NUREG/CR-0654.
Ten minutes to fire brigade response is used for all scenarios / areas except the cable and diesel rooms (3 minutes) and the control room (1 minute). The document states thr.t ten minutes was verified during the fire walkdown. Fire brigade response data is not used. The relevant time, however, is not brigade initial response time. It is time to suppression, which must be longer than these times. The assumption of fire suppression in the diesel and control rooms is highly optimistic. No basis is provided for the assumptions.
- b. Deatment of Rre Detection and Suppression i
The fire event tree included three opportunities for suppression. In order for a fire to be considered a Stage 3 fire, it must have failed suppression three times in series (if detected). This inherently makes 1
assumptions that may not be realistic. For example, it implicitly assumes that failure of automatic suppression will always be accompanied by a second and third attempt in time to prevent a Stage 3 fire (by either auto-systems or manual means). The suppression failure probabilities provided in Table 3.5-5 are typically 0.8,0.8, and 0.1, for a product of 6x102 For the control room, the product is 4x10-8 These are the same order as automatic detection / suppression systems, as shown in the FIVE document (20]. The possibility of misaligned heads or nonconforming locations is not considered.
However, detection failure probabilities are treated separately. There are two opportunities in series to detect the fire. These are typically 0.1 and 0.05, for a product of 5x10-8. For automatic fire suppression systems, the industry accepted number of approximately 10-8 includes detection. Thus, Catawba has estimated detection / suppression failure probabilities that are significantly lower in the absence of manual suppression. In effect, the study took credit for a manual suppression failure probability of 5x105 or lower. This means that for the control room, for example, there is only a 1/200 chance of non-suppression in 1 minute. This is clearly a very optimistic assessment. This method has the potential to prematurely screen out rooms, miss vulnerabilities, and underestimate core damage frequency.
- c. Treatment ofSuppression Induced Damage No cost-effective modifications to fire suppression systems have been identified to mitigate the effect of fire suppression water discharge and migration. However, all discussion related to suppression induced Energy Research, Inc.
20 ERI/NRC 95-506
]
.~
DPAFT damage involves water effects. There are no comments with respect to CO suppression-induced damage 2
for the diesel generator areas.
2.2.10 Analysis of Plant Systems and Secuences i
- a. Key Assumptions Including Success Criteria and Bases The assumptions discussed in previous sections, particularly (1) the use of a single worst case scenario to represent an area, (2) the underestimation of fire initiation frequency, and (3) the screening out of areas based on comparison to IPE results, caused the study to underestimate the significance of fires. An example follows.
The analysis of cut sets involving the control room assumes a Stage 3 fire that fully involves the control room. While this may be the worst case with respect to the ability of the plan? to deal with the situation, It may not capture the majority of the risk with respect to total core damage Gequency. For example, typical fire scenarios in control rooms involve smoke that is sufficient to force operators to abandon the i
control room, either because of the adverse environment or because control is lost from smoke damage.
This category of scenarios is not included in the Catawba study.
i
- b. Ewnt Trees (Functional or Systemic)
Functional event trees supported by fault trees are used.
- c. Dependency Matrix A dependency matrix is not provided.
- d. Plant Unique System Dependencies There are no plant unique system dependencies.
- e. Shared Systems for Multi-Unit Plant The Catawba units share the ability to cross-connect Nuclear Service Water, with only one nuclear service water train required to supply the water needs of both units. Instrument air is also shared between units.
- f. Most Signipcant Human Actions The most significant human actions are failure to initiate the Standby Shutdown Facility, and latent human error induced-failure of the Standby Shutdown Facility.
2.2.11 Core Damme Freauency Evaluation
- a. Owrall Treatment and Scrutability All areas are screened out except three. The three scenarios / areas that survived the screening are: control room, cable room, and component cooling water "short room". The selected scenario for all three rooms is loss of component cooling. Using the IPE model transient event tree and fault trees in Section 2 of Energy Research Inc.
21 ERUNRC 95-506
l DRAFT the Catawba PRA [4], cut set frequencies summed to a total fire core damage frequency of 4.7x104 per reactor year, which is about 6% of the total core damage frequency of 8x10'8 per year. Fire sequences from these areas are identified as TQ,U sequences. These sequences involve a transient with reactor coolant pump seal LOCA (Q3) and failure of safety injection (U). All cut sets are associated with FKC, which is a fire in the component cooling "short room". The frequency of FKC, is 6x10-8 per reactor year, which is (1) the sum of the products of the fire initiation frequencies with the conditional probability of Stage 2 fires for the cable room and control room all multiplied by the damaging hot short frequency of 0.2, plus (2) the fire initiation frequency of a component cooling pump times the conditional probability of a Stage 2 fire. The assumption that all control and cable room fires are equivalent to component cooling fires, therefore, manifests itself in cut sets that are comprised solely of component cooling water related events. Because this assumption, in effect, screens out all non-component cooling related equipment, this clearly can lead to missed vulnerabilities. It is not clear that assuming a loss of component cooling for a control room fire is conservative with respect to core damage frequency and the ability to uncover vulnerabilities.
An important assumption in the quantification is as follows: loss of component cooling can be prevented if the fire causes a hot short to ground, followed by control fuse actuation, before a hot short causes equipment trip. The study estimated that such an event would occur 80% of the time. Thus, the probability of losing componant cooling water owing to a fire in the cable or control rooms is reduced by a factor of 5 (previous frequency multiplied by 1/5). This approach is applied only to the cable and control rooms. The basic problem with this approach is that it assumes that hot shorts are the only way that a fire in the area can cause damage or cause equipment to change state. For example, fires in cabinets can adversely affect the operation of equipment without producing hot shorts in cables.
Unfortunately, another limitation of the study, as pointed out in Section 2.2.5 above, is that cabinet fires are not adequately considered in this study.
CAFTA is used to solve the trees.
l 2.2.12 Analysis of Containment Perform __
- a. Signifcant Containment Performance Insights i
Typical of other fire PRAs, containment performance is assumed to be the same as for the internal event study, because all fire scenarios are seen as alternative initiating events for the internal event trees. There is no discussion on additional fire unique initiating events or containment failure modes.
- b. Plant Unique Phenomenology Considered Plant unique accident phenomenology associated with fires is not considered.
2.2.13 Traatmant of Fire Sconing Study Issues
- a. Assumptions Used to Address Rre Scoping Study Issues An implicit assumption of the walkdown used to address these issues is that all ventilation equipment would be fully operational.
Energy Research, Inc.
22 ERI/NRC 95-506
DRAFT
- s. siwantam s a
The key findings are:
1.
Where smoke could be generated by fire, existing smoke control capability (i.e., ventilation, automatic suppression, fire brigade action, and large areas) !s sufficient to prevent unacceptable damage.
2.
No cost-effective modifications to fire suppression systems are needed (have been identified) to mitigate the effect of fire suppression water discharge and migration.
3.
Seismic-induced failure of fire protection control panels is not a problem. Automatic heat activated sprinkler heads may be actuated during an earthquake, but no actions are suggested to l
mitigate or prevent this. Seismic-induced fires owing to failure of RCP motors is found to not be a problem because fires in the motors would not affect the ability to achieve safe shutdown.
No other area of seismic-induced fires is discussed.
4.
Control system interactions are not a problem because of the Standby Shutdown System.
5.
Intercompartment fire barrier breaching is considered in the fire PRA by use of an average screening value. It is not clear from the study if maintenance records are reviewed to verify the state of repair of barriers, doors, and dampers. However, the Standby Shutdown System further mitigates the adverse affects of failure of redundant trains caused by breach of fire barriers.
6.
Discussion of manual fire fighting effectiveness is not included in the reviewed documents.
7.
Discussion of fire barrier qualification is not included in the reviewed documents.
2.2.14 USI A-45 Issue
- a. Methods of Removing Decay Heat The Catawba plants can remove decay heat using:
1.
Main Feedwater or Auxiliary Feehater through power-operated relief valves (PORVs) or condenser dump valves 2.
Charging or SI, and PORVs, for feed and bleed 3.
RHR and long term recirculation 4.
Standby Shutdown System Credit is taken for bleed and feed and the Standby Shutdown System. Fire is not a significant contributor to the risk associated with shutdown decay heat removai sequences.
Energy Research, Inc.
23 ERI/NRC 95-506
~ -
=
y DRAFT 3.
OVERALL EVALUATION, CONCLUSIONS AND RECOhmtENDATIONS 1
3.2 Fire ne Catawba fire IPEEE is an update of the full scope, Level 3 PRA performed between 1984 and 1987. Consistent with the guidance of NUREG-1407, the analysis identified critical fire areas, identified possible initiating events, calculated the fire initiation frequency, analyzed for the I
impairment of critical safety functions, and developed core damage cut sets with frequencies using a functional transient event tree and associated fault trees. A special fire event tree is used to help screen out areas, and assess fire damage and the frequency of fire damage. Typical of other fire PRAs, containment performance is assumed to be the same as for the internal event study, because all fire scenarios are seen as alternative initiating events for the internal event trees. There is no discussion of additional fire unique initiating events or containment failure modes. The walkdown was performed to verify assumptions about plant configuration, locate cable runs, and address the Sandia Fire Scoping Study Issues.
While the licensee's procedure for performing its fire IPEEE appears reasonable on the surface, its application and assumptions tend to prematurely screen-out fire areas, obscure or potentially miss vulnerabilities, provide an erroneous perception of risk contributors, and underestimate core damage frequency. The fire methodoiogy employed is outdated and leads to a general underestimation of the significance of fires in the plant. He calculated core damage frequency is significantly lower than is typical of other Westinghouse PWRs. Even considering the mitigating effects of the Standby Shutdown System, a much higher fire-induced core damage frequency would be expected. Because of the concerns expressed in this review document, all areas and zones should be reevaluated using screening criteria and methods such as in the FIVE methodology.
Although this review found many methodological aspects of the study below the state-of-art, five aspects are of particular concern.
The first is the method used for screening of fire areas. His is based on comparison with the IPE results of the same or similar equipment damage scenarios. If a fire-induced equipment failure scenario causes equipment damage at a frequency lower than the frequency of a similar IPE equipment failure scenario, then the entire area is screened out. He submittal, therefore, does not present a total fire CDF. It presents only the sum of the scenario CDFs that happen to be larger than the corresponding IPE scenarios. This is not consistent with the spirit of GL 88-20, Supplement 4, which is concerned with identification of vulnerabilities for each external event on its own, rather than in comparison to another event. If the licensee's approach is taken to its logical extreme, then each external event, in total, could be screened out if its total CDF is less than the IPE CDF.
The second is the outdated data base which has led to use of fire initiation frequencies for key areas (control room, cable room, and switchgear rooms) that are one-half to one-third of the Reference [20]
database. The three rooms which survived screening (control, cable, and component cooling short room), and upon which the total CDF estimate is based, are analyzed using these low fire initiation frequencies.
The third is the use of a single component and a single initiating event as representative of the area.
34
i DRAFT For example, component cooling water pumps are used as a source, but cabinets in the component cooling area are not. Only the pump fire initiation frequency and plant response to loss of pump is j
used in.the analysis. Vulnerabilities associated with other sources of fire (e.g., cabinets) in an area l
can not be identified by this method. The licensee states that this approach is used because the component causing the selected initiating event has the greatest chance of causing the initiating event.
j Dis neglects the possibility of other initiating events in the area caused by other sources.
1 i
The fourth is that all unscreened rooms are analyzed with a loss of component cooling water transient initiating event. The assumption that all control and cable room fires are equivalent to component i
cooling fires, therefore, manifests itselfin cut sets that are comprised solely of component cooling water related events. He licensee claims that the analysis is conservative because loss of component cooling water is the most severe transient which gives the worst case result. However, because this assumption, in effect, screens out all non-component cooling related equipment, this clearly can lead to missed vulnerabilities.
The fifth is the use of a multiplicative factor on the control and cable room scenarios that reduces the calculated core damage frequency for these rooms by a factor of five because, as the submittal argues, only hot shorts can cause failures that jeopardize the ability to control the plant. This argument fails to acknowledge an entire class of scenarios that involves loss of the ability to control the plant simply because of accumulated fire damage that opens circuits. Fires in either the control or cable spreading rooms can damage control and instrumentation equipment, without hot shorts, to the point that the ability to control the plant from the control room is lost. Fires in the control room, furthermore, may force operators to abandon the control room because of smoke. Smoke induced abandonment may be the result of limited visibility as well as non-breathable environment. In either case, abandonment of the control room means that plant control depends on successful use of the auxiliary or remote shutdown panals (or perhaps the SSF). Typically, control room abandonment scenario of this class would have been the most important core damage scenarios. In this study, a scenario of this class would have been the most important contributor. His class of scenarios does not appear to have been included in the submittal.
Strengths The strengths of this study are summarized as follows:
1.
Consistent with the guidance of NUREG-1407, the analysis identified critical fire areas, identified possible initiating events, calculated the fire initiation frequency, analyzed for the impairment of critical safety functions, and developed core damage cut sets with frequencies using a functional transient event tree and associated fault trees.
1 2.
.A fire walkdown was conducted.
3.
The licensee had control over the study, and apparently performed the entire study.
4.
Internal peer review is performed.
Weaknesses The weaknesses of this study are summarized as follows:
35
DRAF_i 1.
The fire methodology employed is outdated and leads to a general underestimation of the significance of fires in the plant. The use of NUREG/CR-0654 values in the fire event tree may not be valid.
2.
The screening method, which is based on comparison of fire induced equipment damage frequency with internal event induced equipment damage frequency, may have prematurely screened out significant areas (e.g. the turbine building).
3.
An outdated fire database leading to low estimates of fire initiation frequencies is used.
4.
The use of a single " worst case result" scenario in each fire area, instead of a more comprehensive approach of evaluating fires at each potential source location.
l 5.
Fire-induced failure cut sets are limited, by assumption, to loss of component cooling related events.
l 6.
The treatment of the conditional probability of hot shorts as a multiplier on core damage 1
l frequency for the control and cable rooms is not valid.
l l
7.
A dubious assessment of area-by-area initiating event selection is used to screen out fire areas.
8.
Inadequate attention is given to cabinet fires, I
i 9.
The fire event tree method and assumptions, with respect to propagation and suppression, underestimate fire risk.
j 10.
The Fire Risk Scoping Study issues are either inadequately documented or addressed.
l Specifically, there is inadequate documentation with respect to seismic fire interactras, fire l
brigade effectiveness, and barrier effectiveness, i
t I
3.3 HFOs The Catawba IPEEE relies heavily on the previous PRA results and evaluations to meet the requirements of Supplement 4 to Generic Letter 88-20 [2] and associated guidance described in NUREG-1407 [3]. In the following sections the strengths and waak-= found are summarized.
Strengths l
1.
The methodology utilized for the analysis of tornado events is state-of-the-art.
1 2.
He analysis was completely performed and reviewed by Duke Power personnel, using their l
plant knowledge. His has lead to marimintion of their staff's appreciation of severe accident behavior.
Weak =<an 1.
Significant changes since the OL was issued are not discussed and documented in the submittal. In most cases, the plant design is not compared with the applicable SRP criteria.
36 t
-