ML033381058

From kanterella
Revision as of 06:03, 25 March 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Overview of Issue
ML033381058
Person / Time
Site: Arkansas Nuclear  Entergy icon.png
Issue date: 11/24/2003
From:
- No Known Affiliation
To:
Office of Nuclear Reactor Regulation
References
FOIA/PA-2003-0358, FOIA/PA-2004-0277
Download: ML033381058 (6)


Text

A. Overview of Issue ANO Unit 1 fire zones for the diesel generator corridor and the north electrical switchgear room did not meet separation requirements for electrical cables and redundant trains of safe shutdown equipment. In addition, the licensee did not have adequate procedures for the manual actions necessary to achieve safe shutdown. The licensee used manual actions to remotely operate equipment necessary for achieving and maintaining hot shutdown, in lieu of providing protection to the cables associated with that equipment, as a method of complying with 10 CFR Part 50, Appendix R, Section III.G.2. The licensee credited a symptom-based approach which relied on the operator's ability to detect each failure or mis-operation as it occurred and then perform manual actions as necessary to mitigate the effects. Due to the number of components that may be affected as a result of fire and uncertainty regarding the timing and synergistic impact that potential failures may have on the operator's ability to accomplish required shutdown functions, the team determined that the strategy for implementing manual actions to mitigate a postulated fire were inadequate.

B. Results of Risk Analysis The senior reactor analyst (SRA) determined that a SDP Phase 2 analysis using NRC Manual Chapter 0609, "Significance Determination Process," Appendix F, "Determining Potential Risk Significance of Fire Protection and Post-fire Safe Shutdown Inspection Findings," was required because the issue involved fire protection defense in depth. Depending on the assumptions, the results of the Phase 2 analysis varied between very low safety significance and high safety significance. Therefore, the SRA determined that a Phase 3 analysis was required.

The SRA determined that the licensee used lower heat release rates (70-200 KW) in assessing the potential for fire damage in the affected fire zones. The licensee also utilized the FIVE methodology for the derivation of the fire duration and severity. Because the time to reach critical temperatures was more than 20 minutes, the licensee assumed that manual fire suppression would be successful. However, the licensee did not credit manual suppression capability in the determination of the conditional core damage probability (CCDP) results. The lower heat release rate also resulted in a determination by the licensee that a fire in Zone 99-M would not simultaneously affect the emergency feedwater (EFW) and high pressure injection (HPI) functions. Source documents used by the licensee included the EPRI Fire PRA Implementation Guide (EPRI TR-1 05928), Methods of Quantitative Fire Hazards Analysis (EPRI TR-1 0043), and EPRI Report SU-1 05928, "Supplemental to EPRI Fire Implementation Guide (TR-1 05928)."

The NRC analysts used higher heat release rates (200-500 KW) and the CFAST model to assess the potential for fire duration and severity. Consequently, the time to reach critical temperatures was quicker and the likelihood for success of manual suppression capabilities was reduced. Additionally, the heat release rates resulted in an increased likelihood that both the EFW and HPI functions would be affected by a fire in Zone 99-M.

The NRC analysts completed a fire hazards analysis using the CFAST model. Additionally, the analysts requested that the licensee provide additional information involving the ignition frequencies and the CCDP for a fire with and without operator recovery actions.

INEEUEXT-99-0041, "Revision of the 1994 ASP HRA Methodology (Draft)," January 1999, was used to complete a human reliability screening analysis for the manual operator actions. The analysts also completed a qualitative assessment of similarly affected fire areas. Based on thee,

assessment, the analysts determined that the added risk from the remaining fire areas may warrant an increase in the final SDP result.

The NRC analysts determined that multiple redundant trains of mitigating equipment were potentially affected (main feedwater, high pressure injection, emergency AC power, and emergency feedwater). In reviewing the results of each accident sequence, it was concluded that the significance of the finding was primarily attributed to a failure of EFW and feed and bleed capability, assuming no credit for operator recovery actions.

The more significant influential assumptions involved: (1) the human error probability for successful recovery of failed equipment due to the symptomatic operator response to a fire in the affected areas and the large number of operator actions, and (2) the heat release rate associated with the fire and corresponding failure probability associated with manual fire suppression.

Lowering the human error probability directly impacted the core damage frequency (CDF) calculation. Several sensitivity analyses were completed using a wide spectrum of human error probability (HEP) values. Additionally, the NRC analysts' noted that the licensee's human reliability analysis (HRA) values were derived for a non-fire event. Therefore, the NRC analysts' increased the base HEP values for the affected recovery actions. The net increase in the CDF was attributed to the failure to provide adequate alternate shutdown procedures given a fire in Zone 99-M.

A reduction in the heat release rate would extend the time required to reach critical temperatures. An extension in the time to reach critical temperatures to beyond 20 minutes could result in fewer affected components and lower the failure probability for manual fire suppression. Nevertheless, the analysts determined that a reduction in the heat release rate was not appropriate given the data collected from industry events which involved energetic switchgear fires.

The sensitivity analyses were completed by requesting that the licensee calculate CCDP values which corresponded to various combinations of HEPs. The analysts determined that the calculated increase in CDF for Fire Zone 99-M was in the range of 7E-6/year to 2E-5/year. The analyst qualitatively determined that an additional increase in the CDF was warranted due the existence of additional fire zones at the facility which also credited the use of operator recovery actions. The increase in the CDF from these additional fire zones warranted a proposed significance determination of Yellow.

C. Human Reliability Screening Analysis The team determined that the licensee had not implemented appropriate procedural controls for a fire in Fire Areas 99-M (Green Train switchgear room) and 98-J (corridor with Red and Green Train conduit). Specifically, the licensee relied solely on a symptomatic response to a fire in these areas. For example, if a control room operator became aware of a loss of feedwater condition, then operators would respond by aligning EFW from either the control room or locally. This approach differed from other alternate shutdown areas of the plant. For these areas, specific procedural guidance (Procedure 1203.002, "Alternate Shutdown") existed to direct the operators to isolate and then restore potentially affected components.

The following four broad classes of operator actions were evaluated:

1. Manual alignment of EFW to the steam generators.
2. Restoration of service water to the affected emergency diesel generators (EDG).
3. Isolation of letdown flow and inventory control.
4. Local start of an EDG without DC control power.

For each of the above classes, an operator would be required to successfully diagnose the system failure, determine the appropriate procedure, and then take the appropriate series of operator actions to mitigate the failure. There were several complicating factors in completing the analysis because the operator actions would be required following a major fire. Specifically the fire could result in: (1) suspect indications associated with critical plant parameters, (2) spurious actuations of plant equipment which are detrimental to the event, (3) failure of plant equipment to respond automatically, (4) inability to remotely operate plant equipment from the main control room, and (5) previously implemented operator actions could become over-ridden by subsequent operator actions through the use of multiple procedures in lieu of a single prioritized procedure.

An "Extreme Stress" classification was used for each class of operator actions. This level of stress is likely to occur when the onset of the stressor is sudden and the stressing situation persists for long periods.

An "Available, But Poor" classification was used for the procedural actions necessary to recover failed or degraded mitigating equipment. This classification is used for conditions where a procedure is available but inadequate. This classification level was chosen because of the symptomatic response of operators to a fire instead of a having a pre-planned alternate shutdown procedure. If properly diagnosed, procedures existed for operators to implement the individual system recovery actions. However, there may be dependencies between the procedures which are not accounted for. Specifically, to recover AC power, the operators may need to open the individual breakers on various switchgear. This activity could affect previous actions to restore mitigating systems. A single pre-planned procedure would account for the dependencies between procedures such that subsequent recovery actions do not affect previously implemented recovery actions.

A "Barely Adequate Time" classification was used for diagnosing a loss of flow to the steam generators and establishing EFW flow. This classification level was chosen based on the potential for indications and controls not being available in the control room. The timing associated with initiating EFW flow is dependent on operator actions to secure reactor coolant pumps. In addition, the flow rate to the steam generators must be controlled to prevent over-cooling and shrinkage of the reactor coolant system.

A "Barely Adequate Time" classification was used for diagnosing an EDG without service water and for securing the affected EDG. The EDG without service water flow must be secured within 7 minutes to prevent overheating and mechanical damage. The failure to secure the EDG could potentially prevent recovery of an emergency AC power source.

A "Barely Adequate Time" classification was used for diagnosing the failure of letdown to isolate and for securing letdown. If letdown is isolated within 4 minutes, then inventory control may not be required for 40 minutes. The failure to isolate letdown directly impacts the time available to initiate inventory control.

A uHighly Complex" classification was used for a local start of the EDG without DC power. This procedure is infrequently performed, requires a high degree of skill, and includes multiple steps to complete.

A 'Moderately Complex" classification was used for a local manual start of an EFW pump and for local manual control of EFW flow to a steam generator. This activity is infrequently performed and would require constant communication with personnel monitoring important plant parameters to ensure the appropriate heat removal rate was maintained.

Limited personnel would be available during the first hour following a fire. Two individuals would be available for field operations (1 main control room reactor operator and 1 auxiliary operator). The remaining personnel would be assigned other functions. Specifically, the shift manager would be assigned emergency response organization duties, the control room supervisor and one reactor operator would remain in the main control room, the waste control operator and 1 auxiliary operator would be assigned to the fire brigade. The shift engineer would be available to provide assistance where necessary. A Unit 2 operator would be dispatched to start the alternate EDG. The licensee did not credit the use of Unit 2 operators in the performance of Unit 1 plant manipulations.

The analyst determined that 1 operator would need to be dedicated to the restoration of EFW and the operation of the EFW flow control valves. The remaining operator would be required to complete all other evolutions (Isolate letdown, local start of the EDG, and all breaker manipulations). In contrast, the alternate shutdown procedure requires four operators, as a minimum, for successful completion. The analyst determined that the majority of actions specified in the alternate shutdown procedure could potentially be required for a major fire in Fire Areas 99-M or 98-J.

Recovery Action Diagnosis Action Failure Probability Task Failure Probability Failure Without Formal Probability Dependence Without With Without With Procedure Procedure Procedure Procedure Establish AFW 0.5 0.5 0.1 1.0 0.6 Secure EDG 0.5 0.25 0.05 0.75 0.55 Without Service Water Local EDG Start 0.05 0.125 0.025 0.18 0.075 Isolate Letdown 0.5 0.25 0.05 0.75 0.55 and Inventory Control

D. Sensitivity Analysis A wide spectrum of sensitivity analyses were completed by requesting that the licensee calculate CCDP values which corresponded to various combinations of HEPs. The analysts determined that the calculated increase in CDF for Fire Zone 99-M was most likely in the range of 7E-6 to 2E-5. The analyst qualitatively determined that an additional increase in the CDF was warranted due the existence of additional fire zones at the facility which also credited the use of operator recovery actions. The increase in the CDF from these additional fire zones warranted a proposed significance determination of Yellow.

The licensee's HRA was completed for non-fire conditions. The dominate recovery actions for a fire in Zone 99-M involved the establishment of EFW, the restoration of electrical power, and the establishment of feed and bleed capability. The associated non-fire human error probabilities for these recovery actions were 1.86E-1 for EFW, 1.0E-1 for electrical power, and 6E-3 for feed and bleed. The revised HRA estimate from the licensee included HEP values of 2.6E-1 for EFW, 1E-1 for electric power, and 3.2E-1 for feed and bleed.

The NRC analysts' completed a simplified HRA screening analysis using INEEUEXT-99-0041, "Revision of the 1994 ASP HRA Methodology (Draft)," January 1999. The HEP values using the assumption that procedures were available, but poor were 1.0 for EFW, 7.5E-1 for electric power, and 7.5E-1 for feed and bleed. The HEP values using the assumption that procedures were adequate were 6E-1 for EFW, 5.5E-1 for electric power, and 5.5E-1 for feed and bleed.

The analysts selected multiple combinations of NRC and licensee derived HEP values for the sensitivity analysis. The range of results was typically between 7E-6/year and 2E-5/year.

E. Qualitative Assessment of Other Fire Areas A qualitative analysis of similarly affected fire zones in Unit 1 and Unit 2 was completed. The analyst compared the remaining 15 fire zones in Unit 1 which required manual actions for safe shutdown to Calculation 85-E-0053-47, 'Individual Plant Examination of External Events/Fire,"

Revision 2, to determine which fire zones were unscreened as part of the FIVE analysis. The analyst also compared the 21 fire zones in Unit 2 which required manual actions for safe shutdown to Calculation 85-E-0053-48, "Individual Plant Examination of External Events/Fire,"

Revision 2, to determine which fire zones were unscreened as part of the FIVE analysis.

The analysts' quantitative analysis determined that Fire Zone 98-J was of low safety significance due to the availability of automatic suppression capability and Fire Zone 99-M had either low to moderate or substantial safety significance due to not having automatic suppression capability.

The analysts determined that Fire Zones 98-J and 99-M had ignition frequencies between 2E-3 and 4E-3 and that both fire zones included multiple redundant trains of safe shut down equipment. The analysts determined the significance of a fire in a particular fire zone would be reduced if multiple redundant trains of equipment were "not" affected or if the fire zone had a relatively low ignition frequency (less than 1E-3). Accordingly, the analysts qualitatively removed fire zones from further consideration if any of the following conditions existed: the ignition frequency was less than 1E-3, the affected area had automatic suppression capability, or multiple redundant trains of safe shutdown equipment were "not" affected by a postulated fire.

The analysts' qualitatively determined that 2 additional fire zones in Unit 1 (104-S and 100-N) had either low to moderate or substantial safety significance. The analysts' qualitatively determined that 4 fire zones in Unit 2 (21 00-Z, 2096-M, 2091 -BB, and 2040-JJ) had low to moderate safety significance. Consequently, the analysts' determined that escalation of a quantitative result of low to moderate to substantial safety significance may be warranted.