E L S E V I E R Nuclear Engineering and Design 167 (1996) 77-83

Nuclear Engir ed.ng add Design

Probabilistic fire analysis capabilities, applications and weak points

P. Fernandez SaJety Department, Reliability Section, Empresarios Agrupados, AlE, Magallanes 3, 28015 Madrid, Spain

Accepted 11 May 1996

Abstract

Fires occur in nuclear power plants with a relatively high frequency, and can cause multiple and simultaneous failures of redundant or diverse plant equipment or systems. The development of a method of probabilistic fire risk analysis, although subject to more uncertainties than internal events, can provide insights complementary to those provided by deterministic analysis. In many cases, it can also provide a more realistic point of view of the risk involved.

I. Introduction

Fires represent an actual risk to plants. In contrast to other external events that nuclear power plants are designed to resist, i.e. earth- quakes, plane crashes etc., fires occur regularly in the plants. They represent events that can affect redundant or diverse equipment, and can pose a significant risk to plant safety.

2. Deterministic approach

Fire protection can be seen as a combination of measures to achieve the following:

(1) prevent the occurrence of fires; (2) detect and extinguish the fires as quickly

and effectively as possible; (3) minimize the effects of fires on plant sys-

tems and components essential to safety.

For this third point, Appendix R to 10CRF50 sets forth some criteria for minimizing the possi- bility of the fire causing damage to redundant equipment. The criteria are based on physical separation of redundant trains by the following:

(1) 3 h rated fire barriers; (2) 1 h rated fire barriers plus automatic sup-

pression systems; (3) separation of 20f (6.1 m) with no fuel. These criteria are applied in the same way to

every zone in the plant, regardless of the specific characteristics of each zone.

In many cases, the criteria for separation of redundant systems contained in Appendix R tend to be overly conservative. The application of the criteria is often costly and ver difficult to imple- ment, especially in the case of plants with older designs. Furthermore, the installation of new au- tomatic systems, for example, could not only be costly and difficult but also could have other

0029-5493/96/$15.00 © 1996 Elsevier Science S.A. All rights reserved PH S0029- 5493(96)01243-5

78 P. Fernandez/Nuclear Engineering and Design 167 (1996) 77-83

imp!ications for plant operation. This is be- cause, if the automatic system is protecting safety systems, then it should be included in the technical specification, which means that it should undergo periodic testing and mainte- nance, so should be subject to certain limiting conditions for operation (LCO). In many other cases, the implementation of an automatic sys- tem would not be feasible, because of the equipment in the zone or its specific character- istics.

The installation of fire barriers often entails some problems, not only related to their instal- lation. These barriers could make it difficult to gain access to some plant locations or equip- ment, in turn making some works of mainte- nance, testing or cleaning more laborious. They could also affect the ageing of cables and make it more complicated to introduce certain design modifications. The fire barriers should be sub- ject to some verification or maintenance to en- sure that they are actually in a condition to protect the cables or equipment, so adding to the plant personnel's work.

Also worth mentioning is the recently iden- tified and as yet unsolved problem relating to the qualification of passive protection in three principal areas of concern: the fire endurance capability of the fire barrier; the ampacity der- ating of cables enclosed in the barriers; and problems relating to the installation of the fire barrier and possible as-built configurations that may not be qualified by a valid endurance test. This last problem was first identified for Thermo-Lag 330-1 fire barriers (NRC IE-Bul- letin 92-01 and Generic Letter 92-08) but it has developed into a generic problem connected with the fire endurance test acceptance criteria for fire barriers (NRC Generic Letter 86-10 Supplement 1). Therefore, it cannot be assumed that the fire barriers are providing an adequate protection in all the cases and configurations in which they are installed.

For these reasons, it is very important to en- sure that new automatic systems or fire barriers are only installed in cases where they are really essential.

3. Differences between deterministic and probabilistic safety analysis

Deterministic and probabilistic fire risk analy- ses are not to be considered at the present stage as competitive and mutually excluding approaches, provided that they start from different boundary conditions for the analysis. Instead, they can provide complementary insights to fire analysis.

First, however, the main differences between deterministic and probabilistic approaches must be clarified.

3.1. Deterministic analysis (Appendix R to 10 Code Federal Register 50)

(1) Only failures directly caused by the fire are to be considered in the analysis. This means that the trains or equipment items not affected by the fire are not considered to fail because of other causes.

(2) The fire does not propagate between differ- ent fire areas. This means that no credit is given to the possibility that the fire barriers could be in a situation that prevents them from performing their intended function.

(3) Loss of off-site power (LOOP) is postulated simultaneously with the fire.

3.2. Probabilistic safety analys&

(1) The trains or equipment items not affected by the fire can fail randomly, or can be unavail- able, with a given probability of failure.

(2) The fire can propagate between different fire areas, assigning a failure probability to the different fire barriers.

(3) Loss of off-site power is not postulated to occur simultaneously with the fire, but the possi- bility is considered of LOOP being caused by the fire, or occurring with a given probability.

4. Complementary use of Appendix R and probabilistic analysis

It is clear that both approaches start from different initial assumptions, so could lead to

P. Fernandez/Nuclear Engineering and Design 167 (1996) 77-83 79

slightly different results. It would appear that the assumptions in Appendix R are generally more conservative, but this is not completely true. For example, Appendix R does not consider that sys- tems not affected by the fire can fail randomly or be unavailable; also, Appendix R does not con- sider that fire barriers can fail or be in a situation that could prevent them from accomplishing their function. However, Appendix R requires the ap- plication of separation criteria in every plant loca- tion, regardless of the specific characteristics of the zone for aspects such as fuel loading, expected fire frequency or the potential for fire propaga- tion.

The probabilistic approach can provide a more realistic picture, by trying to eliminate excessive conservatism associated with deterministic criteria and, at the same time, provide a more integrated approach, by considering other possible failures or unavailabilities of equipment not affected by the fire.

When a plant is analyzed from both points of view, the results may show that a zone appears to be important according to the Appendix R analy- sis, according to the probabilistic analysis, or according to both. However, the probabilistic analysis will provide more detailed information on the problems inside a given zone, based on the in-depth analysis of every possible fire origin and the associated fire frequency, and an evaluation of the possible propagation of the fire.

5. Utility of probabilistic fire analysis

The application of a general methodology for probabitistic fire analysis allows the integration of different aspects of the fire protection, such as the four detailed below. Once the analysis is com- pleted, recommendations can be made to reduce the risks associated with fire, as well as to evaluate the efficiency of implementing different modifica- tions.

(1) Fire frequency. The probabilistic analysis provides the proper conditions to evaluate the impact of the following:

(a) The installation of new equipment involving fire risk:

(b) The transfer of equipment involving fire risk;

(c) The identification of those zones in which activities with fire risk must be reduced to a minimum and must be done under control;

(d) The identification of those zones in which the presence of transient combustibles must be controlled and reduced as much as possible.

(2) Fire detection and suppression. The follow- ing aspects can be analyzed:

(a) The advantages of automatic detection and suppression systems;

(b) The identification of areas that the fire brigade must know best and on which special emphasis has to be made during personnel train- ing.

(3) Fire barrier failure. The probabilistic analy- sis allows the following aspects to be evaluated:

(a) improvements introduced by fire barriers installed between specific areas;

(b) the identification of fire barriers that re- quire special monitoring to ensure their integrity in design conditions;

(c) improvements achieved by the installation of passive protections.

(4) Failures not caused by the fire. In addition to taking into. account equipment or system fail- ure as a direct consequence of the fire, the proba- bilistic analysis also considers failure of equipment caused by different reasons. This al- lows the identification of possible system design modifications, or of modifications in the operating procedures to control or reduce the risk associ- ated with fire.

In Spanish nuclear power plants (NPPs) that have developed both deterministic (Appendix R) and probabilistic approaches, the following mod- ifications were identified to improve the risk asso- ciated with fires:

(1) a double power supply from both redun- dant electrical trains to both pressurizer relief valves, to enhance the reliability of the 'feed and bleed' in case of fires;

(2) a dedicated battery for the turbine-driven auxiliary feedwater pump;

(3) the retiring of the electrical supply to the residual heat removal (RHR) suction valves dur- ing power operation to minimize the possibility of

80 P. Fernandez/Nuclear Engineering and Design 167 (1996) 77-83

a spurious opening caused by fire effects that could cause a loss-of-coolant accident.

In some cases, probabilistic arguments or con- clusions can be used to relax deterministic re- quirements. In the analysis of a cable-spreading room in a Spanish NPP, it was possible to justify that the installation of 1 h rated passive protec- tion in the cable trays of one train was not required, provided that the automatic detection and suppression system proved to be very reliable. For this purpose, certain modifications were made and new automatic ionic detectors were added. In this case, the argument (among others) of low fire frequency in cables was used, because there were only instrumentation and control cables, and the presence of transient combustibles '~,-a.~ carefully controlled.

In other closed zones that contained only ca- bles, it was justified that the installation of 1 h rated passive protection in cable trays was not required, because of the effectiveness of the auto- matic total flooding halon system. In this case, the zone had to be effectively sealed and the detection system modified, by adding new optical smoke detectors to minimize the effects of a possible common-cause failure of the detection system.

In other Spanish NPPs, several sensitivity analyses have been performed to evaluate the suitability of different modifications related to the fire protection system. The conclusions reached are described in some detail below.

A first sensitivity analysis was performed to evaluate the risk reduction that had been achieved through the installation of fire stops and 1 h rated passive protection on several cable trays and con- duits, as a result of the analysis of compliance with Appendix R requirements. The results of this analysis showed that some benefit had been gained in some cases, especially through the in- stallation of a concrete fire stop. In other cases, however, little benefit had been gained, because the risk of the fire scenario was already low. The analysis also identified some cable trays that had not been protected but which should have been to reduce the risk associated with a given fire sce- nario.

The second sensitivity analysis was related to the benefit that could be gained through some

changes in cable routings. Of special interest is the case of the emergency power supply cables from a hydroelectric power station that are routed through the turbine building. In this case, results have shown that great benefit could be obtained by rerouting these cables to avoid them passing through the turbine building.

Another sensitivity analysis was performed to evaluate the benefit gained through the installati- ion of automatic suppression water systems in- stead of fixed water systems manually activated from outside the fire zone. Results have shown that little benefit is to be gained. This is mainly because of the small size of this plant, which facilitates access to the different fire zones and means that the operator's response time to acti- vate the fixed system is very short. At the same time, the non-installation of automatic suppres- sion systems prevents the possibility of flooding caused by spurious activation.

The results of these sensitivity analyses will be presented to the Spanish regulatory body as part of the evaluation of the fire protection system that is currently under way.

6. Items unresolved, not treated or insufficiently treated

A recent study by SNL (Lambright et al., 1989) identifies up to six areas of fire analysis that have not been properly considered; in some cases, they can contribute to the frequency of core damage caused by fire. These areas are detailed in the following subsections.

6.1. Interaction of control systems

This section discusses the problems related to the interdependence of controls from the control room and from remote shutdown panels, which may affect the control capacity of equipment and systems. Other problems can occur in relation to the availability of data (instrumentation) made available to the operator on the remote shutdown panels, which may significantly affect potential recovery actions from these panels, in the event that a fire necessitates the evacuation of the con- trol room.

P. Fernandez/Nuclear Engineering and Design 167 (1996) 77-83 81

This section also deals with the problems that can occur when the fire affects a certain amount of instruments or associated cables, or the power supply of instrumentation cabinets. This could have three different effects. First, the situation could generate various spurious automatic signals that could produce a transient in the plant. Sec- ondly, the opposite could happen, i.e. automatic signals required in response to the transient or accident caused by fire may not be generated which may have some importance in relation to the other effects of the fire. Thirdly, should the operator not receive complete information on spe- cific variables, or in the event that the data re- ceived are inaccurate, the corresponding actuation may become complicated leading to incorrect de- cisions being made. The first two situtations can be treated and, in fact, used to be treated in the probabilistic fire risk analysis. However, the third situation is a open item that has not been ade- quately treated.

6.2. Seismic-fire interaction

The conclusions of the above-mentioned SNL work are that such interactions are specific to each plant and their quantification is difficult. THe development of some practical generic guides is recommended for the identification and resolu- tion of such situations.

6.3. Effectiveness of fire suppression activities by manual means, including smoke control

This is one of the topics identified as having a higher incidence in the results of fire analysis. Among the factors to be considered, are the fol- lowing:

(1) substanial differences in the composition, equipment and training of fire brigades in NPPs;

(2) the effectiveness of manual suppression strongly depends on the area considered, and on aspects such as accessibility, smoke effects, con- centration of equipment, construction obstacles (supports, pillars, etc.), visibility, distance to cover, etc.

All the above-mentioned aspects complicate the quantification process of the probability of suc-

cess of manual fire suppression. Probabilistic techniques should be used in plant-specific appli- cations to identify critical areas and to provide data about the response time available. This eval- uation would be used as a basis to examine the suitability of the plant fire protection measures.

6.4. Potential equipment damage caused by fire effects other than thermal, including spurious actuation of fire suppression system

The fire analyses performed until now have been carried out on the basis that fire damage would be fundamentally caused by the effects of the sharp rise in temperature that fire produces. The analysis of the effects of this temperature increase also focuses on cables, for two basic reasons: the temperature increase could cause the insulation material to decompose, leading to elec- trical failures in the cables; the cables, their insu- lation and their jacket are also the main combustible material found in the different areas of the plant. These facts are certainly true, but the fire may also have other effects, whose impact-- which has not been assessed to date--could be important in some specific cases.

Among the 'secondary' effects of fire (other than the effect of high temperatures and heat flux) is included the generation of corrosive acids as secondary products of the combustion, especially if cable insulation contains chloridized products such as polyvinyl chloride (PVC), although the use of such products has been restricted somewhat in the more recent power plants. Another sec- ondary effect of combustion is the high degree of moisture that arises from the generation of water steam as a combustion product, or from the use of water as a fire suppression agent. Smoke is also produced as a consequence of fire and its poten- tial consequences may be analyzed from several points of view: first, its effect on manual suppres- sion activities, creating problems related to access, breathing, visibility, etc., which are included in the discussion on the effectiveness of manual suppres- sion activities; secondly smoke deposits particles on equipment, which could prove important in the case of relays or handles whose actuation would be jeopardized by the film of particles;

82 P. Fernandez/Nuclear Engineering and Design 167 (1996) 77 83

finally, smoke can also cause the spurious actuation of the automatic fire suppression systems located in different areas, i f these are activated by smoke detectors.

Other aspects to mention are the possible failures of components or cables subjected to relatively high temperature levels after fire suppression, or the potential adverse impact of gaseous fire suppres- sion systems on control panel circuits. The prob- lem, related to the above aspects, is the absolute lack of applicable data for the quantification of the possible impact on the risk evaluation.

evaluating the probability of the fire being de- tected and extinguished before the required time to reach such a state: This evaluation assumes that fire growth is halted at the moment sup- pression systems--whether automatic or man- ua l - -a re activated. If the damage situation has not reached the stage, it will not occur at all, i.e. the model does not include the interaction between the fire and suppression systems, which could prove inadequate, because this is consid- ered as being related to some of the secondary effects already mentioned.

6.5. Suitability of fire barriers 6. 7. Potential flooding caused by fire

Fire barriers represent a subject that has begun to arouse interest quite recently in the field of probabilistic analyses. Previous fire analyses per- formed at Zion, Indian Point, Millstone 3, Oconee, Limerick or Seabrook did not consider the possible propagation of fire to other areas.

However, the issue of the suitability of fire barriers presents two sides:

(1) Various reports from NRC inspectors show that some barriers were found in such a state that the performance of their design function was not ensured. For example, some fire doors were found open f o r various reasons (access, maintenance activities, etc.); fire gates were found in a situation that did not ensure proper operation; and penetra- tion seals were non-existent, removed or defective.

Reports of this type can be used to evaluate the probabiltiy of finding fire barriers in a defective situation. The representative nature of the failure probability values obtained using this method is questionable, since these violations are considered to be highly specific to each plant.

(2) Another aspect is the suitability of fire bar- rier qualification. Analysis of this subject is highly conditioned, because there is very litte information available about the actual behaviour of a fire barrier in real life.

6.6. Suitability of analytical tools in fire increase analysis

Probabilistic fire .analyses evaluate the proba- bility of fire reaching specific growth levels, by

There are at least three ways in which fire can cause flooding:

(1) as a result of fire suppression activities; (2) as a result of damage caused by fire, such

as the rupture of the condenser expansion joints; (3) as a result of the activation of the auto-

matic water system in a zone other than where the fire starts, caused by smoke propagation (when the automatic system is triggered by sig- nals from smoke detectors).

The fire that started in the Spanish NPP Van- dellos 1 on 19 October 1989 (CSN, 1990) is a good example of combined damage caused by fire and flooding. The fire was caused by turbine failure that led to the rupture of lubricating oil pipes and, apparently, a hydorgen leak. The fire directly caused by failure of several important items of plant and the deterioration of the flex- ible condenser joints. This in turn led to flood- ing that spread throughout the reactor building. It took several hours before the fire was brought under control and finally extinguished, and the water used in the process contributed to the flooding, which caused the failure of other im- portant systems.

6.8. Potential damage caused by hydrogen explosions in plant

Consideration should also be given to the possi- bility of hydorgen explosion, mainly from theal- ternator, although it could result from a hydrogen pipe break.

P. Fernandez/Nuclear Engineering and Design 167 (1996) 77-83 83

7. Conclusions References

Experience gained in Spain from plants where both kinds of analysis have been performed indi- cates that a detailed probabilistic fire risk analysis greatly contributes to well-balanced fire protec- tion measures. On the one hand, this helps to identify weak points in the plant, optimizing the fire protection systems required. On the other hand, it avoids the installation of otherwise re- dundant fire protection systems that do not con- tribute to plant safety but which can increase the problems and workload of normal plant opera- tion.

Appendix R to 10 Code Federal Register 50. NRC IE-Bulletin 92-01, Failure of thermo-lag 330 fire barrier

system to maintain cabling in wide cable trays and small conduits free from fire damage, 1992.

NRC Generic Letter 92-08, Thermo-Lag 330-1 fire barriers, 1992.

NRC Generic Letter 86-10, Supplement 1 Fire endurance test acceptance criteria for fire barrier systems used to separate redundant safe shutdown trains within the same fire area, 1986.

J.A. Lambright et al., Fire risk scoping study: investigation of nuclear power plant fire risk including previously unad- dressed issues, NUREG-CR-5088, 1989.

CSN, Final Report on the Accident of 19 October 1989 at Vandell6s I NPP, Consejo de Seguridad Nuclear, April 1990.