Resolution of Generic Safety Issues: Issue 147: Fire-Induced Alternate Shutdown/control Room Panel Interactions (Rev. 1) ( NUREG-0933, Main Report with Supplements 1–34 )
This issue was raised in SECY-89-1701320 and addressed the potential for control system vulnerabilities as a result of fire-induced alternate shutdown/control room panel interactions. Concern for these interactions arose as a result of an NRC-sponsored Fire Risk Scoping Study12ll which focused on existing fire protection practices for control rooms, remote shutdown areas, control transfer areas, and local control areas.
The Fire Risk Scoping Study12ll indicated specific events with significant core-melt frequencies for fires beginning in, or involving, control room cabinets. In all the events analyzed, random failures of unaffected safety systems were required for an event to result in a core-melt sequence. However, the study12ll showed that the random failure frequencies, when conservatively combined with appropriate fire frequencies and probabilities of control room/ remote shutdown panel interactions, resulted in core-melt frequencies in the range of 10-5/RY to 10-6/RY.
A possible solution involved developing guidance for evaluating remote shutdown capability. This guidance could be used at all plants to investigate likely sources of control system interactions among the control room, remote shutdown panel, and shutdown systems, given a fire at any plant location. Existing licensee practice for implementing remote shutdown for system interaction vulnerabilities would be reviewed with consideration given to the following: (1) electrical independence; (2) loss of control power before transfer; (3) damage to a transfer switch, leading to loss of control of associated equipment from both the main control room and remote shutdown panel; (4) spurious actuation of components, leading to damage; (5) spurious opening of valves, leading to LOCA; and (6) spurious opening of high-pressure/low-pressure interface valves.
Upon completion of the review, identified vulnerabilities would be resolved through equipment and/or procedural changes. Operators would receive specific training to ensure their awareness of procedures to respond to a fire, particularly in alternative ways of starting high pressure injection systems or depressurizing in combination with starting low pressure injection systems. Operators would also be trained to start potential alternative systems that could be used to inject coolant (e.g., condensate system).
The analysis performed for the fire-induced alternate shutdown/control room panel interactions was based primarily on information from NUREG/CR-5088.12ll The accident sequence was generated using the LaSalle event sequence Number 8 and an initiating event frequency of 2.2 x 10-4/year, as described in NUREG/CR-5088.12ll This scenario involved a control room fire consuming the ECCS and electrical distribution panels with their controls proceeding to the most undesired state. This event included the failure of all high pressure systems, the successful reactor depressurization, and failure of all low pressure systems.
The parameters affected by the proposed solution and their base case values were as follows:
|RA-FIRE-3-12-80M||= Recovery action (80 minutes for the operators to determine what action to take and to take action and recover the system and for component of interest)|
|= 4 x 10-3/RY|
|OPFAILSCDS-OE||= Operators fail to use the condensate system|
|RA-FIRE-3-12-lH||=Recovery action (1 hour for the operators to determine what action to take and to take action and recover the system and/or component of interest)|
|= 6.7 x 10-2/RY|
Independent failures of the high pressure cooling spray pump and standby component cooling water system were assumed to be unaffected by the solution to the issue; the solution also does not affect the frequency of fire-initiating events. The solution was assumed to affect the likelihood that operators would take appropriate actions to recover from a fire, including actuation of systems that are not part of the emergency core cooling capabilities (e.g., condensate system).
The base case core-melt frequency for fire-initiated events was calculated to be (2.2 x 10-4/RY)(3.5 x 10-2) = 7.7 x 10-6/RY, where the value 3.5 x 10-2 is the probability of failure of high and low pressure systems, given that a control room fire has occurred. This value was determined from the data provided in NUREG/CR-5088.12ll The frequency was calculated based on the assumption that any basic functions representing systems or components in the fire zone of interest would not operate for the duration of the accident.
The evaluation of adjusted case frequencies focused on affected parameters relating to operator recovery actions. Basic event probabilities involving operator actions and/or decisions were reduced by 30% to obtain adjusted case values. This reduction would result from improved procedures and training relative to recovery from fires. Operator failure to use alternative coolant injection systems, such as the condensate system, was reduced from a frequency of 1/demand to a frequency of 2 x 10-3/demand; this reduction was based on past practice and engineering judgment. This large decrease appeared reasonable because resolution of the issue would include developing procedures and training to alert operators to potential backup sources of cooling water. Because these procedures were not in place, the failure probability was assumed in NUREG/CR-508812ll to be 1 (see base case values above). Using these adjusted case values, the adjusted case core-melt frequency was estimated to be 4.91 x 10-6/RY.
The containment failure probabilities for the fire-initiated core-melt sequences were not in the scope of the analysis performed in NUREG/CR-5088.1211 Therefore, the fire risk analysis performed for Oconee 3 in NSAC-60889 was used as the basis for these parameters. The Oconee 3 PRA was the only available PRA that addressed fires in sufficient detail to match the accident sequences generated in this analysis with containment failure modes.
All the fire-initiated accident sequences investigated in NSAC-60889 were placed in one of two plant damage categories. Of these two categories, the most severe type of containment failure following a core-melt accident was estimated to occur 10% of the time and the least severe, 90% of the time. Thus, the containment failure probabilities used in this analysis were 0.1 and 0.9.
Incorporating the above values into the analysis resulted in a reduction in public risk of 2.9 man-rem/RY for a total public risk reduction of 11,000 man-rem for all affected plants.
Industry Cost: The proposed solution involved developing guidance for evaluating remote shutdown capability; this guidance would consider those vulnerabilities listed earlier. A review of these vulnerabilities would have to be conducted to identify those that can be resolved through equipment and/or procedural changes.
Remote shutdown capabilities would have to be evaluated by licensees using the guidance developed by the NRC. This was anticipated to be a significant effort for each plant and would include an extensive review of the control room design, remote shutdown panel design, and associated electrical and instrument connections. In addition, a significant effort was likely to be needed to evaluate procedures associated with the remote shutdown system. A further major activity which would involve some occupational doses would include a comprehensive walkdown inspection of the remote shutdown system, including connections to the plant hardware. The estimated resource requirements for industry were as follows:
|Evaluate Plant Designs||8.0 man-weeks/plant|
|Evaluate Remote Shutdown Procedures||8.0 man-weeks/plant|
|Walkdown Inspection||2.7 man-weeks/plant|
The total labor for the review process would be 18.7 man-weeks/plant; at $2,270/man-week, the cost would be $42,400/plant.
Following implementation of the possible solution, some plants were anticipated to require modifications to procedures and/or plant equipment to reduce their vulnerability to this issue. However, the number of plants that required procedural and/or hardware modifications could not be accurately estimated. For this analysis, all backfit plants were assumed to require one minor procedural modification and 10% of the backfit plants were assumed to require hardware modifications. According to NUREG/CR-4627,961 the cost for a minor procedural change was approximately $900/plant. For the hardware modifications, procurement and installation costs were assumed to be $30,000 with 4 man-weeks required for associated design studies, safety analysis, and QA activities. Thus, the total cost for this modification would be [$30,000 + (4 man-weeks)($2,270/man-week)] or $39,080.
The incremental cost for procedural changes and hardware modifications to forward-fit plants was assumed to be zero, i.e., these modifications could be made during construction without additional costs. However, the costs for evaluating designs, procedures, and the walkdown inspection were incremental costs for forward-fit plants. The total cost would then be:
|(134 plants)($42,400/plant)||+ (71 plants)($900/plant)|
|+ (7 plants)($39,080/plant) = $6M|
An annual review of procedure/hardware modifications relative to potential changes in plant configurations and/or NRC regulations was assumed to be required. This review should take approximately 0.5 man-week/RY. At $2,270/man-week, this cost was estimated to be $1,140/RY. For 90 PWRs and 44 BWRs with average remaining lives of 28.8 and 27.4 years, respectively, the total estimated cost for this review was $4.3M. Thus, the total industry cost was estimated to be $(6 + 4.3)M or $10.3M.
NRC Cost: NRC would need to develop the guidance necessary for licensees to evaluate the remote shutdown capabilities of their plants. This was anticipated to be a substantial effort because some consideration would have to be given to differences in plant designs. Developing this guidance was estimated to require approximately 1 man-year of effort for an NRC contractor plus about 1 man-month of NRC labor to monitor the contract. Assuming $100,000 for 1 man-year/contractor and $2,270/man-week of NRC labor, the total cost for development would be $0.11M.
Additional costs would be incurred for reviewing the evaluations of each plant, the proposed procedural changes, and the hardware modifications. About 1 man-week of NRC labor was estimated to be required to review the remote shutdown capability evaluation of each plant. Reviews of minor procedural changes would not necessarily be resource-intensive and were estimated to require 2 man-days (0.4 man-wks) of NRC labor. NRC reviews of the plants requiring hardware modifications would require much more resources to review design changes, safety analyses, and QA documentation. An estimated 2 man-weeks/plant was necessary for these reviews. Using the same assumptions for the number of plants requiring hardware modifications, the total NRC implementation cost was $0.4M. An annual review of the solution by the NRC was assumed to require approximately 1 man-day/RY, for an additional cost of $1.7M. Thus, the total NRC cost was estimated to be $(0.11 + 0.4 + 1.7)M or $2.1M.
Total Cost: The total industry and NRC cost associated with the possible solution was estimated to be $(10.3 + 2.1)M or $12.4M.
Based on a potential public risk reduction of 11,000 man-rem and an estimated cost of $12.2M to implement the possible solution, the value/impact score was given by:
(1) Implementing the possible solution would require 2.7 man-weeks/plant for a walkdown inspection in radiation zones; however, radiation doses would only be incurred at backfit plants. In addition, the solution included installation of modified hardware in 10% of the backfit plants. The dose rates in areas in which the walkdown inspection crew and hardware installation crew activities would be performed were assumed to be 2.5 millirem/hour. The solution involved no labor in radiation zones for operation and maintenance. Based on these assumptions, the calculated ORE increase was 20 man-rem.
(2) The most significant variable was the change in core-melt frequency. This change was driven by the reduction in the OPFAILSCDS-OE parameter from a value of 1 to 2 x 10-3. This reduction was based solely on past practice and engineering judgment and was expected to result from operator training. Any changes in this variable would drive the priority lower.
(3) The other significant variable was the total cost to implement the possible solution. The assumption that only 10% of the plants would have to make one hardware modification at a nominal cost of $30,000 was subjective. However, any increase in cost would be minor in comparison to the size of the reduced core-melt frequency. Also, if the amount of the reduction in core-melt frequency were less significant, then any increased cost would tend to drive the priority lower. The estimated reduction in core-melt frequency was so high that the priority ranking would remain in the medium range, regardless of variation in costs.
(4) Fires in the control rooms of WNP-2, Susquehanna, and Monticello could cause short-circuits between control wiring and power sources for 15 to 37 MOVs that are required to shut down the reactors and did not have thermal overload protection. Thus, critical valves could be disabled and inoperable from the remote shutdown panel.13l9 Incorrectly installed isolation switches at emergency control stations could short-circuit and compromise the remote shutdown capability at the Waterford plant.1321
Based on the value/impact score and the potential core-melt frequency reduction, this issue was in the medium priority range. However, the safety significance was likely to vary greatly from plant to plant and it appeared unlikely that any cost-effective generic resolution could be identified. Thus, plant-specific reviews would most likely be required, but such reviews were already required as part of the IPEEE program. However, the staff had little or no guidance for the review and acceptance of IPEEE submittals in this area. Therefore, this issue was classified as a Licensing Issue and guidance was developed to improve the staff's effectiveness in reviewing licensee IPEEE submittals.1555