Text

BWROG, RAI, BWR Owners Group Appendix R Fire Protection Committee Generic Guidance for BWR Post-Fire Safe Shutdown Analysis
	ML003706378
Person / Time
Site:	Boiling Water Reactor Owners Group
Issue date:	04/21/2000
From:	Pulsifer R; NRC/NRR/DLPM
To:	Warren W; BWR Owners Group
	Pulsifer R M,NRR/DLPM, 415-3016
References
	-nr
	Download: ML003706378 (42)
	v • d • e

April 21, 2000 Mr. W. Glenn Warren, Chairman BWR Owners Group Southern Nuclear 40 Inverness Center Parkway P.O. Box 1295 Birmingham, AL 35242

SUBJECT:

DRAFT REQUEST FOR ADDITIONAL INFORMATION - BOILING WATER REACTOR OWNERS GROUP GUIDANCE DOCUMENT, "BWR OWNERS GROUP APPENDIX R FIRE PROTECTION COMMITTEE GENERIC GUIDANCE FOR BWR POST-FIRE SAFE SHUTDOWN ANALYSIS" (TAC NO. MA8544)

Dear Mr. Warren:

By letter dated November 15, 1999, the Boiling Water Reactor Owners Group (BWROG) submitted a document titled, "BWR Owners Group Appendix R Fire Protection Committee Generic Guidance for BWR Post-Fire Safe Shutdown Analysis." This document is a proposed methodology for the conduct of deterministic licensee analyses of fire-induced circuit failures.

Upon receipt of the BWROG document, the Plant Systems Branch (SPLB) requested that the Probabilistic Safety Assessment Branch (SPSB) of the Division of Systems Safety and Analysis, and the Electrical & Instrumentation and Controls Branch (EEIB) of the Division of Engineering, comment on the subject BWROG document. Questions posed by EEIB are summarized in. Questions posed by SPSB (less question 1.1) are provided in Enclosure 2.

Revisions and deletions were made to the EEIB and SPSB inputs to better coincide with fire protection inspection practices and the regulatory structure of 10 CFR 50.48 and 10 CFR Part 50, Appendix R.

The staff also contracted with Sandia National Laboratory (SNL) to technically review the BWROG document, assess its adequacy, and audit the document against the commitments made by the BWROG during an August 18 and 19, 1999, meeting with the U. S. Nuclear Regulatory Commission (NRC) staff. SPLB concurs with the SNL review results. SNL comments and questions are provided as Enclosure 3.

The staff would like to schedule a meeting with the BWROG to obtain a clearer understanding of these issues.

Mr. W. Glenn Warren April 21, 2000 The staff will issue a final request for additional information subsequent to the meeting with any outstanding questions on issues that require clarification. Please contact me at (301) 415-3016 if you have any questions and to schedule the meeting.

Sincerely,

/RA/

Robert M. Pulsifer, Project Manager, Section 2 Project Directorate I Division of Licensing Project Management Office of Nuclear Reactor Regulation Project No. 691

Enclosure:

Draft Request for Additional Information cc w/encl: See next page

Mr. W. Glenn Warren April 21, 2000 The staff will issue a final request for additional information subsequent to the meeting with any outstanding questions on issues that require clarification. Please contact me at (301) 415-3016 if you have any questions and to schedule the meeting.

Sincerely,

/RA/

Robert M. Pulsifer, Project Manager, Section 2 Project Directorate I Division of Licensing Project Management Office of Nuclear Reactor Regulation Project No. 691

Enclosure:

Draft Request for Additional Information cc w/encl: See next page DISTRIBUTION:

PUBLIC PDIV-2 Reading S. Black (RidsNrrDlpm)

S. Richards (RidsNrrDlpmLpdiv)

R. Pulsifer (RidsNrrPMRPulsifer)

E. Peyton (RidsNrrLAEPeyton)

L. Berry D. McCain Accession No: ML003706378 OFFICE PDI-1/PM PDIV-2/LA PDIV-2/SC NAME RPulsifer:lcc EPeyton SDembek DATE 04/21/00 04/20/00 04/21/00 OFFICIAL RECORD COPY

BWR Owners Group Project No. 691 cc:

Mr. James M. Kenny BWR Owners Group Vice Chairman PP&L, Inc.

Mail Code GENA6-1 Allentown, PA 18101-1179 Mr. Thomas J. Rausch RRG Chairman Commonwealth Edison Company Nuclear Fuel Services 1400 Opus Place, 4th Floor Downers Grove, IL 60515-5701 Mr. Drew B. Fetters PECO Energy Nuclear Group Headquarters MC 61A-3 965 Chesterbrook Blvd.

Wayne, PA 19087-5691 Mr. H. Lewis Sumner Southern Nuclear Company 40 Inverness Parkway PO Box 1295 Birmingham, GA 35201 Mr. Carl D. Terry Vice President, Nuclear Engineering Niagara Mohawk Power Corporation Nine Mile Point - Station OPS Bldg/2nd Floor PO Box 63 Lycoming, NY 13093 Mr. George T. Jones PP& L, Inc.

MC GENA6-1 Two North Ninth Street Allentown, PA 18101 Mr. John Kelly New York Power Authority 14th Floor Mail Stop 14K Centroplex Building 123 Main Street White Plains, NY 10601 Mr. Thomas G. Hurst GE Nuclear Energy M/C 182 175 Curtner Avenue San Jose, CA 95125 Mr. Thomas A. Green GE Nuclear Energy M/C 182 175 Curtner Avenue San Jose, CA 95125

DRAFT REQUEST FOR ADDITIONAL INFORMATION ELECTRICAL & INSTRUMENTATION & CONTROLS BRANCH BOILING WATER REACTOR OWNERS GROUP GUIDANCE DOCUMENT "BWR OWNERS GROUP APPENDIX R FIRE PROTECTION COMMITTEE GENERIC GUIDANCE FOR BWR POST-FIRE SAFE SHUTDOWN ANALYSIS" PROJECT NO. 691 Synopsis of Electrical and Instrumentation Controls Branch Questions 1.

In Section 1.3.1, confusion exists in the second paragraph (which focuses on fire-induced spurious operations which can prevent safe shutdown path equipment from performing their intended functions) as to which equipment the paragraph refers.

Please clarify which equipment (safe shutdown equipment or non-safety equipment) is undergoing spurious operations. To the extent this paragraph refers to spurious operation of safe shutdown equipment itself, it would seem that the discussion belongs in Section 1.3.6, "Safe Shutdown Equipment Impacts." To the extent this paragraph refers to associated circuits for non-safety equipment, it would seem that the discussion belongs in Section 3.3.2, "Associated Circuit Cables."

2.

In the second paragraph of Section 3.0, the assertion that equipment and cables for fire detection and suppression systems, communication systems and 8-hour emergency lighting systems are not necessary for completion of the required post-fire safe shutdown functions is incorrect. While their protection/fire separation may not be governed by Section III.G. of Appendix R, these items are in many cases vital for the completion of required post-fire safe shutdown functions. Please clarify the BWROG position on the necessity of these items.

3.

In Section 3.1.1.8, a "72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months coping period" is postulated starting with a reactor scram, but no guidance is provided for identification of time dependencies. What process or criteria does a licensees engineer follow to identify time dependencies for post-fire safe shutdown?

4.

The technical bases for the assumptions of Section 3.2.1.5 are not provided. Please provide the technical justifications for all of the assumptions in Section 3.2.1.5.

5.

The discussion in Section 3.3.1.7 is disjointed and rambling. Perhaps the entry in Section 4.0 (Definitions) of a set of concise definitions related to fuse/breaker coordination and a subsequent discussion in Section 3.3.1.7 using well-defined terms would provide clarity.

6.

Why are "system logic diagrams" excluded from the list in Section 3.3.3.1?

7.

Section 3.5.1.3 seems to assume some unspecified (but apparently elementary) level of electrical analysis has already been conducted by the licensees engineer, since assertions are made regarding the response of circuits to fire. Please consider whether it may be more clear to address this topic as a set of potential impact cases (e.g.,

"Establish that indication cables are isolated from the primary control circuits required to operate the safe shutdown equipment and/or equipment which may interfere with post-fire safe shutdown").

DRAFT REQUEST FOR ADDITIONAL INFORMATION PROBABILISTIC SAFETY ASSESSMENT BRANCH BOILING WATER REACTOR OWNERS GROUP GUIDANCE DOCUMENT "BWR OWNERS GROUP APPENDIX R FIRE PROTECTION COMMITTEE GENERIC GUIDANCE FOR BWR POST-FIRE SAFE SHUTDOWN ANALYSIS" PROJECT NO. 691 Selected Probabilistic Safety Assessment Branch Questions Questions from Main Body of Report 1.1 Deleted.

1.

Section 3.2.1.5 states that instruments are assumed to fail up-scale or down-scale as a result of fire damage. Is the actuation of related components or spurious indications considered as well?

2.

Sections 3.2.1.6 and 3.4.1.8 indicate that instrument tubing (impulse lines/sensing lines) that may cause subsequent effects on instrument readings or signals should be identified. There is no discussion on the identification of instrumentation cables that may be affected with respect to temperature (similar to EQ) effects or fire damage.

3.

Section 3.3.1.3 discusses instrument loops and isolation devices. Control circuits may also have isolation devices installed (coil to contact for example). Should the isolation devices installed on control circuits be evaluated as well?

Questions regarding Appendix B, Consideration of NRC IN 92-18. (Particularly B.5.0 - Risk Significance Review)

B-1.

Cable spreading room. BWROG provides an assessment of the significance of spurious actuations for a fire in the control room due to the potential for spurious actuations prior to transfer of control from the control room. However, spurious actuations prior to transfer may occur as a result of control room evacuation due to a fire in a non-divisionalized cable spreading room. As a result, the significance of spurious actuations should be evaluated for a fire in the cable spreading room also.

B-2.

Evacuation of Control Room Basis. BWROG indicates that the control room would be evacuated upon a loss of Division 1 ESF MOVs necessary for alternate shutdown, in addition to a loss of Division 2 safe shutdown equipment. Are there no other cases where a loss of several cabinet bays would damage enough safe shutdown equipment such that evacuation of the control room would be necessary and spurious actuations an issue?

B-3.

Smoke forced evacuation. BWROG assesses the potential for spurious actuations due to control room evacuation due to damage in redundant divisions. However, according to Sandia National Laboratory studies (NUREG/CR-4527, Vols. 1 & 2), smoke obscuration of panels due to a single cabinet fire can force control room evacuation.

This smoke forced evacuation has not been evaluated. Evaluate this scenario for all appropriate cabinets, and sum the resulting CDF contributions.

B-4.

Physical configuration factor. BWROG deduces a physical configuration factor which describes the likelihood of propagation of fire from the cabinet bay of fire origin. In particular, as a part of that determination, BWROG indicates that a fire in a bay of a cabinet can damage equipment in an adjacent bay without damaging any other cabinet section. However, it is expected that once the fire propagates beyond the cabinet section of fire origin and gains the additional fuel in the neighboring cabinet section, it would continue to propagate throughout the entire cabinet. BWROG even specifies that penetrations with cables exist in the single interior wall separating cabinet sections.

Therefore, BWROG should justify its assumption that once a fire develops significantly enough to propagate beyond a single bay, that the fire can be stopped from propagating to other bays.

BWROG does not consider propagation of fire from cabinet to cabinet. Provide the basis for this assumption.

BWROG only considers the significance due to the loss of a single division of alternate shutdown MOVs and the other train of safe shutdown, but as the physical configuration factor shows, only a single division can be lost. Provide an assessment which addresses the significance of a loss of one division with the possibility of spurious actuations. In this answer, address whether spurious actuation(s) due to a fire confined to a single panel could impair safe shutdown from the redundant train. Consider the remaining cabinets in the control room. You may perform a bounding calculation.

Are there significant differences in physical configuration factor for control room cabinets in non-BWR6 plants? For example, how would the physical configuration factor take into account cabling which can exist beneath all bays of a cabinet in a BWR, are not separated according to bay with metal sheets, and do not have metal sheets isolating the cabling ducts from the open cabinets above? The concern is that multiple bays, and possibly all bays, can be exposed simultaneously to a fire (or its byproducts which can damage cabinet hardware)?

Identify any other significant differences between BWR6 and non-BWR6 control rooms which would affect the physical configuration factor. Address the significance qualitatively, or if necessary, quantitatively. (NRC is aware that BWROG indicated that no significant differences existed between BWR6 and non-BWR6. However, due to the above observation that multiple, and possibly, all bays in a cabinet can be affected by a single fire in a non-BWR6, the preceding question about significant differences was asked.)

BWROG states that most cabinets in the BWR6 control room have detectors. Are these detectors for smoke or heat? What percentage of non-BWR6 control rooms have safety-related cabinets without detectors? Are these detectors for smoke or heat?

B-5.

Probability of Hot Short. BWROG references NUREG/CR-2258 for the probability distribution of a hot short given that the adequate fire has occurred. According to a recent Sandia National Laboratory (SNL) study on Circuit Failure Mode and Likelihood Analysis (Ref: Memorandum from Thomas L. King to Gary M. Holahan dated December 29, 1999, entitled Draft SNL Letter Report, "Circuit Failure Mode and Likelihood Analysis"), the experimental data suggest that the probability of conductor-to-conductor hot shorts given an adequate fire is 0.3 to 0.6. According to SNL, a recent supplement to that report which considers additional data will indicate that the probability of conductor-to-conductor hot shorts could be as large as 0.8.

In other words, the hot short distribution cited in NUREG/CR-2258 appears to substantially underestimate the hot short probability for general multi-conductor cables. As a result, BWROG should adjust their calculation of hot short significance, or provide adequate justification for their hot short probability.

B-6.

Ten minutes for transfer after evacuation. Appendix B, Page 5, Item 2 states that for most BWRs, the time from the evacuation of the control room to the time that the alternative shutdown system is isolated from the control room will not exceed ten minutes in duration. For those BWRs which require more than ten minutes, how much time is required and what is the basis for the added time requirement? Has ten minutes been shown to limit the occurrences of hot shorts and spurious actuations before the alternate shutdown system is activated or before the alternate shutdown system itself may be disabled by a fire?

B-7.

==

Conclusion:==

Due to the above concerns, BWROG needs to address the above questions prior to NRC deciding on whether it agrees with the BWROG conclusions for Appendix B.

Questions regarding Appendix G, Combined Equipment Impacts. (Especially G.4.0 Risk Insights)

G-1.

Severity Factor. BWROG indicates that a probability of a damaging fire varies between 3E-2/yr and 3E-3/yr. Yet, the severity factor which describes a damaging fire is typically between 0.1 and 0.2 (EPRI Fire PRA Implementation Guide). BWROG used a severity factor in this range (i.e., 0.1 to 0.2) in Appendix B to describe the conditional probability of having a damaging fire in the control room. Since BWROG is diverging from these severity factor values in Appendix B, provide justification for these new values.

G-2.

Probability of Hot Short. As indicated in B-5, the probability of a hot short may be much greater than the 0.068 assumed in this analysis. Also the probability of a second hot short is not necessarily independent of the first hot short, contrary to the BWROG assumption in its analysis. In addition, please explain from a probabilistic viewpoint the statement in the G.3.0, Safety Assessment, that spurious actuations induced by a fire occur one at a time, and indicate its impact on your analyses in Appendix B as well as Appendix G.

G-3.

Other failure mechanisms besides hot shorts. BWROG only analyzes hot shorts in its risk assessment as opposed to other circuit failure mechanisms, i.e., open circuit and short to ground, identified in Section 3.5.2, Types of Circuit Failures. Besides loss of power and control to safe shutdown equipment due to open circuits and shorts to ground identified in this section of the BWROG report, spurious indication can occur in the control room, or locally, due to a spurious signal from open circuits and shorts to ground. As a result, BWROG needs to provide further justification than its statement that hot shorts are the only circuit failure mechanism considered since hot shorts are the circuit failure mechanism most likely to cause spurious actuations or signals.

G-4.

Manual Suppression. BWROG credits a severity factor which is based on detection and suppression, as well as credit manual suppression via the fire brigade term. Crediting manual suppression directly through the fire brigade term (which incorporates early detection and suppression via personnel with hand held extinguishers), and indirectly via the severity factor can lead to double-counting of manual suppression. Remove credit for either the severity factor or manual suppression in your assessment, or provide a justification which eliminates the double-counting conflict.

G-5.

Conclusion. Due to the above concerns, NRC needs answers to the above questions prior to deciding on whether to agree on the BWROG conclusions for Appendix G.

DRAFT REQUEST FOR ADDITIONAL INFORMATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION DIVISION OF SYSTEMS SAFETY AND ANALYSIS PLANT SYSTEMS BRANCH BOILING WATER REACTOR OWNERS GROUP GUIDANCE DOCUMENT BWR OWNERS GROUP APPENDIX R FIRE PROTECTION COMMITTEE GENERIC GUIDANCE FOR BWR POST-FIRE SAFE SHUTDOWN ANALYSIS DOCKET NO. 50-691 Sandia National Laboratory Review Results TECHNICAL REVIEW OF THE BWR OWNERS GROUP GENERIC GUIDANCE FOR BWR POST-FIRE SAFE SHUTDOWN ANALYSIS A Letter Report to the USNRC March 10, 2000 Prepared by:

F. J. Wyant, S. P. Nowlen and J. L. LaChance Sandia National Laboratories Albuquerque, New Mexico 87185-0744 Prepared for:

Plant Systems Branch Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 USNRC JCN J2678

1 INTRODUCTION This report summarizes the results of Sandia National Laboratories technical review of the document Generic Guidance for BWR Post-Fire Safe Shutdown Analysis, prepared by the BWR Owners Group Appendix R Committee.

The BWROG document presented topics much broader than the deterministic circuit analysis methodology previously expected. Consequently, the Sandia review of the BWROG document covered all the topics presented, however, the issues involving circuit analysis (especially the discussions presented in Section 3.5) were the principal focus of this review.

Comments, questions, and findings of interest from the Sandia review are grouped into one of three areas: Technical comments, audit of contents to August 1999 agreements and editorial comments.

1. TECHNICAL COMMENTS

3. General Comment:

Throughout the BWROG document, reference is made to the appendices to the document.

However, the intended stature of the appendices is never stated. The question is, are the appendices to be considered as fundamental parts of this guidance document or are they provided only as supplemental information sources? The BWR Owners Group Appendix R Committee should include an explanation or disclaimer regarding the intended purpose of the appendices in the Introduction of the guidance document.

3. Executive Summary In the first sentence of the second paragraph, the statement using a one failure at a time analysis methodology is rather ambiguous. Are they proposing only postulating a single circuit fault as opposed to a single component failure (e.g., one short circuit as opposed to one spurious valve operation or inoperable condition)? Furthermore, in Attachment 4 to the memorandum, Dembek to Richards, Summary of Meeting with the Boiling Water Reactors Owners Group (BWROG)

Appendix R Committee on Post-Fire Safe Shutdown Circuit Analysis Issues (Fire-Induced Circuit Failures), September 3, 1999, it was agreed that the BWROG circuit analysis methodology document would address deterministic evaluations of the effects of electrical faults on power, control, and instrumentation circuits and provide an assessment of the resultant combinations of multiple spurious signals and/or spurious actuations. The one failure at a time analysis approach does not appear to meet these conditions. The BWROG Appendix R Committee should clearly define their intent and justification for the one failure at a time analysis methodology.

2

3. Section 1.3 The third sentence of the seventh paragraph states,This assumption [unprotected circuits are assumed to be damaged] is only conservative in terms of not being able to credit the systems and equipment associated with these circuits in support of post-fire safe shutdown. However, simply assuming that a system may not be credited does not account for the possibility of spurious or maloperation of the equipment, which may result in consequences much more severe.

The BWR Owners Group Appendix R Committee should discuss the impacts of and mitigation techniques for spurious operation of equipment and improper operation of equipment.

4. Section 1.3.1 In the second paragraph, the list of spurious operations that could adversely affect the safe shutdown functions is too narrowly focused and incomplete. The list is focused primarily on the spurious operations which could open up flow diversion paths or could block intended flow paths. However, spurious operation of components could also cause the equipment to operate to damage (e.g., the IN 92-18 MOV issue) without necessarily changing the state of the system configuration. It is only when the system needs to be configured for safe shutdown functions that the damaged component becomes a hazard to completing the safe shutdown function. Pumps too can spuriously operate to damage, for example, by running continuously against a high discharge pressure or by running continuously without an adequate suction head. It is recommended that the BWROG Appendix R Committee modify the list to include those that can lead to damage to components that may be needed to achieve safe shutdown.

The list is also incomplete in that it makes no mention of the concern for completing the reactivity control functions required for safe shutdown, nor does it mention the concern for proper operation of the support systems and components needed to ensure the primary safe shutdown systems can perform their functions properly. It is recommended that the BWROG Appendix R Committee expand the list to include those functions.

5. Section 1.3.3 The BWROG Appendix R Committee should expand Section 1.3.3 to address the requirement for defining the required support systems and equipment, and the process instrumentation needed for each safe shutdown path.

In addition, it is recommended this section discuss the requirement that High/Low pressure interface valve circuits must be analyzed for multiple, proper polarity hot short conditions. (Ref.:

GL 86-10, response to question 5.3.1 Circuit Failure Modes.)

6. Section 1.3.4

3 In the fourth sentence of the second paragraph, it is unclear what... all power cables associated with each bus in the EDS... (emphasis added) refers to. Presumably, this refers in part to a need to identify both safety and non-safety cables on the same busses. It is recommended that the BWROG Appendix R Committee clarify that these power cables include both load circuits as well as bus feeder circuits.

It is also recommended that section 1.3.4 be expanded to discuss the requirements for identifying those cables associated with safe shutdown circuits by common enclosures. In addition, the BWROG Appendix R Committee should identify those systems, components and circuits necessary to provide the required process monitoring functions.

7. Section 1.4 The last sentence in the first paragraph states that the methodology ensures the ability to satisfy the safe shutdown functions and assures the capability to achieve and maintain safe shutdown.

The method provided in the BWROG document cannot, in and of itself, ensure the ability to satisfy the required safe shutdown functions of 10CFR50 Appendix R, nor can it (the method) assure the ability to achieve and maintain safe shutdown. The BWROG Appendix R Committee should reword this statement to indicate that the proposed methodology simply provides a means for identifying those systems and components needed to achieve and maintain safe shutdown conditions following a fire in any plant fire area, and for identifying and evaluating any threats to those systems and components which might prevent them from performing their safe shutdown functions if a fire in any plant fire area were to occur.

8. Section 2.1 Regarding the second and third sentences in the fifth paragraph (which begins with, In Section III.G...), does the performance goal for the GE BWR satisfy the requirements of III.G in Appendix R? The BWROG defined performance goals for GE BWRs do not appear to require the plant to go to cold shutdown conditions. Even under full power operation, one would expect that they would strive to prevent any fuel cladding damage, rupture of the primary coolant boundary or rupture of the primary containment. It is recommended that the BWROG Appendix R Committee restate the performance goal for BWRs to better meet the intent of Appendix R Section III.G.

The second sentence of the sixth paragraph loosely ties in the allowance of operator manual actions to the intent of the term free of fire damage. As stated in GL 86-10, the term free of fire damage is intended to mean the structure, system or component under consideration is capable of performing its intended function during and after the postulated fire, as needed. (Emphasis added.) Thus, any manual actions required to accomplish safe shutdown functions must also be protected from the effects of the fire and must be possible in a timely manner. Regarding this issue, the BWROG Committee should discuss the need for and provide guidance on ensuring protective features, needed to assure the ability to accomplish any required manual actions, are in

4 place. A related discussion should address the corresponding time-critical aspects of performing those manual actions necessary to achieve hot shutdown.

The last sentence in the ninth paragraph states,...manual operator actions and repairs may also be used for certain equipment required to achieve and maintain post-fire safe shutdown. Is the meaning here that protecting (all, many or some) structures, systems, and components important for safe shutdown is unnecessary in that the required post-fire safe shutdown functions can be adequately accomplished solely by virtue of operator action(s)? Is this based on the BWROG Appendix R Committees definition of free of fire damage? The meaning here needs to be clarified. Also, Appendix R only allows for repairs in the case of cold shutdown equipment. The BWROG Committee should clearly state the limitations on the extent of manual actions allowed to accomplish hot shutdown.

The final paragraph of this section concludes by stating,...Safety Determinations may be used to justify configurations that meet the underlying goals of Appendix R, while not meeting certain specific requirements. (Emphasis added.) The meaning of the final clause is very unclear, the BWROG Appendix R Committee should include a clarifying example. It appears that, as written, the intent is that the Safety Determinations can be used as an alternative to the Appendix R exemption process, which is not true. The BWROG Committee needs to be more explicit with respect to compliance under the discussions provided in paragraph C of Generic Letter 86-10 and the interpretation of fire area boundaries (Item 4 in Enclosure 1 to GL 86-10).

9. Section 3.0 The second paragraph states that fire detection and suppression systems, communications and emergency lighting are important features of defense-in-depth fire protection, but that they are not necessary for completion of post-fire safe shutdown functions, they are not governed by the requirements of Appendix R Section III.G., and thus, circuit analysis and fire impact mitigation techniques are not applicable for those systems. However, they will still be needed in order to support the manual actions required to achieve and maintain safe shutdown in the event of a fire.

The BWROG Appendix R Committee should discuss methods for ensuring communications and emergency lighting remain available during and after a fire to support the manual actions needed to accomplish safe shutdown.

10. Section 3.1 The bulleted list, following the second paragraph, does not include suppression pool cooling as a post-fire safe shutdown requirement. Generic Letter 81-12, for example, calls this item out separately. The BWROG Committee should include this function explicitly in the list of functions important to post-fire safe shutdown in a BWR.

The two bullets, following the fourth paragraph, are too narrow in scope. The preceding paragraph leads one to believe that these conditions are the only results of spurious equipment operations to raise concern in a BWR. The broader issue concerns the ability to achieve and

5 maintain safe shutdown. The two bulleted items are simply examples (although serious ones) of the possible effects of spurious equipment operations. The BWROG Appendix R Committee should expand the list to include spurious operation concerns for system support functions and required instrument and control functions.

11. Section 3.1.1.1 The GE Report GE-NE-T43-00002-00-01-R01, Original Safe Shutdown Paths for the BWR, is listed as a source of information when developing safe shutdown paths. Later in this same paragraph the claim is made that Any of the shutdown paths (methods) described in this report are considered to be acceptable methods for achieving redundant safe shutdown. (Emphasis added). This, of course, raises the question, Considered acceptable by whom? Since there has been no indication that the shutdown paths and methods described in the cited report have been endorsed by the NRC staff at this time, the BWROG Committee should provide justification for this assertion.

12. Section 3.1.1.8 The meaning or intent of this paragraph is unclear. The first sentence assumes the 72-hour clock for cold shutdown starts at the time of reactor scram. The BWROG Appendix R Committee should provide a basis for this assertion.

In addition, the second sentence states, Fire induced impacts that provide no adverse consequences within this 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months period need not be included in the post-fire safe shutdown analysis. (Emphasis added.) Is this referring to the fact that cold shutdown capability is not required to remain free of fire damage, as long as it is repairable within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (per Appendix R Section III.G.1)? The BWROG Committee should clarify the intent of this statement or provide an example case illustrating this point.

13. Section 3.1.2.4 The second bullet in the list of decay heat removal functions seems to be limited to those safe shutdown systems taking a suction from the suppression pool only. The BWROG Appendix R Committee should discuss why the requirement does not need to include all makeup water sources.

14. Section 3.1.2.6.2 The list of typical HVAC system uses does not mention alternative/remote shutdown area(s).

The BWROG Appendix R Committee should discuss why alternative/remote shutdown area(s) are not included in the list of typical HVAC system uses.

6

15. Section 3.1.3.1 The wording provided in this subsection does not provide guidance on what safe shutdown functions are required. Instead it offers a list of documents to review to identify the required safe shutdown functions. However, the specific functions required to achieve and maintain safe shutdown are not expected to differ markedly among BWR designs. It is recommended that the BWROG Committee move the discussion provided in this section and incorporate it into the next section (3.1.3.2), and replace it with a list of required safe shutdown functions similar to that provided in GL 81-12, Enclosure 1, Item 3, Performance Goals.

16. Section 3.2.1.1 The reason for distinguishing between primary components and secondary components is not clear. However, the logic seems to run something like if a control switch (secondary component) is shorted by a fire then its associated valve (primary component) could change its position.

There is a potential disadvantage to the approach of associating secondary components with primary components in order to shorten the SSEL. To illustrate, cables are clearly secondary components per this definition. Equipment on the SSEL is presumably mapped to fire areas, but cables are critical to safe shutdown. Hence, the secondary components will also need to be mapped. If there is no listing of these secondary components then the mapping may be incomplete and would be hard to audit. If the primary/secondary component approach is taken, then it is recommended that each primary component should be required to have a specific list of supporting secondary components associated with it. The BWROG Appendix R Committee should clarify the fundamental difference between primary and secondary components, discuss the preferred method for documenting the secondary components associated with each primary component, and provide additional guidance for assigning specific components to one category or the other (e.g., instrument, control and power cables).

7

17. Section 3.2.1.5 The assumption that instruments fail up-scale or down-scale is not necessarily true for all designs. Fire can change the physical characteristics of the cables (e.g., insulation resistance) such that the indicator will still provide an output reading, but it will be incorrect. Also, the mechanical portion of a tank-level indicator may not be affected by the fire, yet if an electronic signal is transmitted by the instrument, its cables may be susceptible to damage by fire. The BWROG Appendix R Committee should address the issues of fire-induced mis-indications of process instruments.

18. Section 3.3.1 Section 3.3.1 does not discuss the need and rationale for analyzing the control circuits associated with safe shutdown equipment. Control circuits provide the greatest potential for causing safe shutdown equipment to become inoperable or to operate improperly due to the effects of hot shorts, open circuits, or shorts to ground. The BWROG Appendix R Committee should include a discussion of control circuit analysis in this section.

19. Section 3.3.1.4 This subsection seems to indicate that some cables/circuits can be screened from consideration solely on the basis of their function (annunciator, space heater, and computer input circuits are given as examples). They go on to say that these circuits must be isolated from the components control scheme (circuit) in such a way that a cable fault wont affect the performance of the (control) circuit. First, screening of circuits should be based solely on the results of a rigorous circuit analysis, evaluating the impacts of the principal circuit failure modes on the equipments ability to function as needed. Second, such an analysis will also help determine if the isolation devices/methods used to protect the control circuitry from the effects of an associated circuit (e.g., space heater) failure are adequate or need to be improved. For example, during the Browns Ferry fire in 1975, electric power, back-feeding through the resistor-isolated trip coil status lamps, kept the trip coils energized and prevented the operators from resetting the tripped circuit breakers. The BWROG Appendix R Committee needs to reconsider their position on this issue and modify the guidance given regarding cable/circuit evaluations or provide further justification for the current methodology.

20. Section 3.3.1.6 This section is unclear whether or not the BWROG considers an analysis of automatic initiation logic circuits necessary. They appear to advocate protecting such circuits from the effects of a fire. Nevertheless automatic initiation logic circuits must be analyzed for any potential effects on the safe shutdown systems they control (e.g., spurious operation of equipment). This is because the fire protective features applied to these circuits may be inadequate (e.g., a fire in the panel

8 housing these circuit elements). It is recommended that the BWROG Committee clarify the discussion on the need for analyzing automatic initiation logic circuits.

21. Section 3.3.2: Common Enclosure Cables This discussion should emphasize that the concern about associated circuits not properly protected by an isolation device (breaker/fuse) includes the potential impact on safe shutdown cables from self-ignited cable fires in the associated circuit cables. The heat generated by fire-induced faults on non-essential cables may cause a secondary fire to occur within the common enclosure, thereby exposing the required cables in the enclosure to risk from fire damage. The result could be the loss of both redundant trains of safe shutdown equipment. The BWROG Appendix R Committee should discuss the possibility for self-ignited fires in associated circuit cables not properly protected by isolation devices and the potential impact on safe shutdown equipment from those fires.

22. Section 3.4 Section 3.4 does not address the option of assessing the present state of the fire protection features already in place. These should be evaluated to determine their adequacy and to implement any required upgrades/repairs. The BWROG Committee should include guidance for evaluating existing fire protection features in each fire area and implementing the required upgrades and repairs.

23. Section 3.4 At the end of the first paragraph, the BWROG Appendix R Committee recommends that the circuit analysis and evaluation techniques from subsection 3.5 be applied in this process. The issue is that the BWROG Committee has recommended that circuit analysis and evaluation be incorporated in two or three of the previous subsection processes. The BWROG Appendix R Committee should indicate explicitly at what single point in the safe shutdown analysis that Section 3.5 methods should be followed.

Furthermore, the wording implies that analysis is optional. The BWROG Committee should indicated that circuit analysis is required and the methods presented in Section 3.5 are one approach for completing the analyses.

9

24. Section 3.4.1.6 The BWROG Appendix R Committee should state explicitly that there is a 72-hour repair time limit for making a cold shutdown system operable and that the needed materials must be available on site per Appendix R requirements.

25. Section 3.4.1.7 The one-at-a-time basis for evaluating equipment impacts (including spurious operations) needs to be justified. Perhaps the BWROG Committee is simply taking that position solely for the purpose of determining mitigating strategies on a one-at-a-time approach in order to simplify the impact assessment The BWROG Appendix R Committee needs to clarify their position in this regard. It would seem that for the purpose of determining appropriate mitigating strategies a one-at-a-time approach is reasonable. However, this is not true for assessing the impacts of circuit faults or equipment failures. Multiple circuit faults and equipment failures must be evaluated as possibly occurring concurrently.

26. Section 3.4.2.5 The BWROG Committee should include a discussion of the administrative processes required to be in place to ensure that each of the compliance strategies are being implemented, completed and documented.

27. Section 3.5.1.1 The first sentence of the final paragraph is good. It summarizes the correct philosophy for conducting a truly rigorous circuit analysis. However, the BWROG Committee again advocates evaluating circuit failures one at a time. The effect of multiple circuit failures needs to be considered. Also, the effects of shorts involving multiple conductors should be assessed.

Indeed, multiple circuit failures as the result of a single fire are not unknown (e.g., demonstrated by testing and experience). The BWROG Appendix R Committee should provide guidance for analyzing the effects of multiple circuit failures and multiple conductor shorts.

28. Section 3.5.1.2 The proposed approach here is too limited. The BWROG Appendix R Committee should propose evaluating the circuits with the contacts in their normal positions (i.e., expected positions when the fire starts) as well as their required positions (i.e., desired positions when supporting safe shutdown operations).

29. Section 3.5.1.3

10 The statement that cables/conductors which provide certain types of functions (indication, interlocks, etc.) can be readily determined to not impact safe shutdown is without merit.

Circuit analysis to assess the fire induced failures of these cables and conductors, and the resulting effects on the circuits they interact with must be performed to verify that they in fact will not impact safe shutdown.

For example, with regard to the proposition that indicating circuits are somehow inherently safe:

one should remember that during the Browns Ferry fire in 1975, electric power back-fed through the resistor-isolated trip coil status lamps, thus keeping the trip coils energized, prevented the operators from resetting tripped circuit breakers, until the lamps were disconnected from the control circuits.

The BWROG Committee should recommend that all circuits associated with safe shutdown equipment be evaluated for all circuit fault conditions in order to assure the functional capability of the components under consideration is not impacted.

30. Section 3.5.1.4 This is probably an acceptable practice, but time-related effects are important. Consider a scenario where a normally closed MOV control cable is affected in such a way that it causes the spurious operation of the valve operator in the open direction. Later, as the fire propagates, let us assume a short circuit to ground develops within the MOV control circuit, causing the protective circuit fuse to blow out. This renders the control circuit completely inoperable, including the valves position indication. The result is a partially, if not fully, open valve whose status is unknown to the operator. Therefore, although the fire did not clear the circuit faults per se, it did change the fault conditions over time and the consequential impact on the affected equipment.

It is proper to not credit fortuitous failures, but the BWROG Committee should address the possibility of fault mode progressions leading to more serious damage.

31. Section 3.5.2.1 The BWROG Appendix R Committee should include a discussion of the issues concerning current transformer secondary side open circuits in this section. For example, it should be mentioned that because of their design-to convert high primary currents into low secondary currents--the secondary side voltage is kept as high as required to maintain a constant primary-to-secondary current ratio. Consequently, a break in the secondary side circuit may cause excessively high voltages to develop (because no current is flowing) which in turn may ignite any flammable material in the vicinity of the secondary conductors, including their own insulation.

32. Section 3.5.2.2: Short-to-ground on Ungrounded Circuits

11 The BWROG Committee should discuss a third possible case: If short-to-grounds No. 1 and No. 2 co-exist (but not No. 3) then the equipment will spuriously close/stop without actuation of the control switch. This is because the two ground points effectively bypass the control switch contacts.

33. Section 3.5.2.3: A Hot Short on Grounded Circuits What is the basis of the comment in the first sentence, A short to ground is a more likely failure mode for a grounded control circuit? There are so many factors influencing the response of a cable/conductor to a fire environment that one cannot assume that a particular failure mode will always take precedence. The BWROG Appendix R Committee must provide a basis for the assertion that a short to ground is a more likely failure mode for grounded control circuits.

34. Section 3.5.2.3 The BWROGs position seems to be that only one hot short will occur per fire per fire area.

However, multiple hot shorts can affect the operability of equipment. Multiple hot shorts should be analyzed for their effects on safe shutdown equipment. For example, for either of the two types of circuits discussed (grounded/ungrounded) co-existing hot shorts would have what effect on the MOV? Both relays would be energized closing their respective contacts on the (we assume) three-phase power line to the valves motor operator. Since it is usual practice to switch the A and C phases around depending on the direction you wish the motor to turn, the result of this situation is a phase-to-phase short on the power supply to the MOV! This would likely cause the circuit breaker to trip open (if not causing more extensive damage to the switchgear/MCC),

thus making the valve inoperable. This same situation would occur for the case where the two relay conductors short together and either control switch is actuated.

Although we are aware that usual design practice would include permissive contacts or other features to prevent simultaneously energizing the two relay coils, the example above points out the fact that by dismissing the possibility of multiple hot shorts a priori leads the analyst to miss a potentially serious consequence. The BWROG Committee needs to address the effects of multiple hot shorts and multiple conductor shorts.

This section also seems to ignore the effects of short circuits that bypass normally open contacts (e.g., control switches, auto-initiate contacts, etc.). In the example circuit the BWROG uses, a short circuit involving the two conductors on either side of the Open/Start control switch, for example, would energize the Open relay and result in the undesired opening of a motor operated valve. The analytical method theyve demonstrated is usually called the hot probe approach for determining the effects of hot shorts on the assorted conductors in a control circuit and is equivalent to a single hot short but does not necessarily adequately simulate or predict the potential effects of multiple hot shorts on the circuit. The BWROG Appendix R Committee needs to address the effects of multiple hot shorts.

12 The BWROG Committee should also discuss the requirement for analyzing the effects of multiple/correct polarity (three-phase or DC) hot shorts on high/low pressure interface components (as discussed in GL 86-10, among others).

35. Section 3.5.2.4 In Item 6, the last sentence reads... the effects are mitigated by appropriate methods.

(Emphasis added.) The term appropriate methods should be explained. By that does the BWROG Committee mean procedural methods, alternate power supplies for safe shutdown equipment, alternate safe shutdown paths designated, isolating non-essential circuits (time permitting), or modifying the circuit fuse/breaker/route/power supply? The BWROG Appendix R Committee should clarify the meaning of appropriate methods in the referenced statement.

The BWROG Committee should also address the requirement to analyze the common power source for multiple high impedance faults and the effects on safe shutdown capability should the essential bus be affected.

APPENDIX A: Safe Shutdown Analysis as Part of an Overall Fire Protection Program

36. Section A.2.0 The components of defense-in-depth provided in the first paragraph do not completely agree with the defense-in-depth objectives given in Appendix R Section II.A. For example, demonstration of the ability to achieve and maintain safe shutdown in the event of a single fire in any plant fire area does not express the same objective and intent as To provide protection for structures, systems, and components important to safety so that a fire that is not promptly extinguished by the fire suppression activities will not prevent the safe shutdown of the plant. The BWROG Appendix R Committee should change the wording of the statement to more accurately reflect the intent of the defense-in-depth objectives given in Appendix R Section II.A.

The second sentence in the second paragraph states that Fire damage and equipment failures to the extent postulated in an Appendix R Safe Shutdown Analysis, have never been experienced in an operating U. S. Nuclear Power Plant. The implication here appears to be that the fire protection requirements resulting from Appendix R are too conservative. There are many reported cases of nuclear power plant fires that show the ease with which fires can grow beyond the capability of automatic and manual suppression efforts to mitigate them. Examples include reports concerning fire events at Vandellos-1, Narora Atomic Power Station, Armenia-1, and Chernobyl-2. The BWROG Committee should review those or similar fire events and caution the users of this guidance document that in some cases fires can result in severe consequences.

37. Section A.3.2

13 The description of the Browns Ferry fire is misleading. From a purely fire protection standpoint the fire was by not means extremely severe. Rather, it was a modest fire that had extremely severe consequences in terms of plant operation. This is evidenced by the ease of suppression once water was applied. The tone of the discussion appears intended to establish that despite an extremely severe fire, everything worked out fine and there was no significant radiological release. The real lesson from Browns Ferry was that a relatively modest fire was allowed to burn for a prolonged period and caused a major challenge to plant operations.

It would seem to be a more prudent approach that the BWROG take the position that they are committed to ensuring that a fire in any nuclear plant will never lead to operational consequences as severe as those experienced at Browns Ferry.

In the final paragraph, they seem to be suggesting that measures already taken provide this assurance. However, they fail to mention that continuous reevaluation of the fire protection features is needed to ensure that the design basis (for fire protection) has not changed and is still capable of performing its functions as required. The BWROG Appendix R Committee should provide guidance on reevaluating existing fire protection features to ensure that the design basis has not changed and is still capable of performing its function as required.

38. Section A.3.4 The opening paragraph appears to imply that the then current (1968) rules were adequate to prevent the Browns Ferry event had they been fully implemented. It should be noted that in 1968 fire protection followed common industrial practice and nuclear reactor specific fire protection defense in depth was not required. Appendix R introduced the concept of defense in depth as applied to fire protection at nuclear power stations.

It would appear appropriate that the BWROG preface the categories and lists of fire protection improvements made since the Browns Ferry fire with a statement that the lists are not all inclusive or necessarily complete.

Also, the first sub-bullet under the last bullet listed in category 5, Post-Fire Safe Shutdown Capability, should be reworded to clear up some confusion of meaning: hot shutdown must be capable of being achieved and maintained during and after a fire as needed, whereas cold shutdown must be achievable within 72-hours and be capable of being maintained indefinitely thereafter, as specified in Appendix R Section III.L.1.

APPENDIX B: Consideration of NRC IN 92-18

39. Section B.1.0 The discussion and example evaluation provided to address the issues raised in IN 92-18 are based on a probabilistic argument centering on the fire frequency in a control room. No

14 deterministic evaluation guidance for motor operated valve circuits is given. The issue of fire induced mechanistic damage to MOVs is not solely a control room fire issue. Depending on the specific design of the MOVs control circuit, the potential for a hot short or short circuit that bypasses the torque switch due to a fire in any of the fire areas through which the control cables are routed must be assessed. For example, many MOV control circuits are designed with a local control switch (and indication) connected in parallel with the valve controls located in the control room. Hence, a short, of the type described in IN 92-18, at the local control center may also be the cause of an over-torque condition.

The BWROG Appendix R Committee should provide guidance and examples for performing deterministic evaluations of fire-induced motor operated valve circuit failures.

40. Section B.2.0 The BWROG Committee again repeats that the focus is on a fire in the control room. In addition to the arguments against this limitation given above, a recent Information Notice (NRC Information Notice 99-17: Problems Associated with Post-Fire Safe-Shutdown Circuit Analysis) indicates that a fire outside of the control room (i.e., the cable spreading room) could cause mechanical damage to shutdown cooling motor operated valves due to hot shorts bypassing the over-torque protection devices. This would indicate that fires in areas outside of the control room should be considered when evaluating the potential for this type of valve failure.

The BWROG Appendix R Committee should broaden the focus of their guidance to include the possibility of MOV mechanical damage occurring due to fires in areas located outside of the control room.

15

41. Section B.4.0, Item A) 2)

The argument here, that an associated circuit shorting to ground due to the effects of the fire thus causing the control circuit fuse for the MOV to blow, therefore making any subsequent hot shorts inconsequential, seems to be one of depending on a fortuitous failure to prevent the adverse situation from occurring. The BWROG Appendix R Committee should remove this example and instead recommend a detailed circuit analysis be performed to assess the true impact of an external hot short on the valve motor.

42. Section B.4.0, Item A) 3)

The BWROG Appendix R Committees argument that the duration of the hot short must be long enough to cause the valve to drive itself to mechanical damage before the fault progresses to a short to ground or open circuit, thus eliminating the potential for damage, does not address the consequence of this alternative scenario: the MOV is now in an indeterminate position and there is no status indication available. Recovery procedures will need to include determining the status of the valve and (manually) positioning it if necessary.

If the BWROG Committee assumes that transferring control to the alternative shutdown station will isolate the control circuit from the fault(s) in the control room, then a confirmatory circuit analysis should be conducted. The BWROG Appendix R Committee should include guidance and an example of a confirmatory circuit analysis showing that transferring control to the alternative shutdown station will isolate the control circuit from the fault(s) in the control room.

43. Section B.4.0, Item C) 2)

The timing is not correct as described; the hot short must occur between the time of fire initiation and circuit isolation rather than control room abandonment and isolation (as noted correctly in Section B.5.1). The BWROG Appendix R Committee should resolve this discrepancy in the guidance document.

44. Section B.5.0 After reviewing the example risk significance evaluation of a control room fire and its potential effects, the following comments are provided:

The risk evaluation is pertinent to only one BWR. Cabinet configurations and loadings can be variable, resulting in higher frequencies.

There is insufficient data (11 incidences) to support partitioning the cabinet fire frequency as was done. Certainly, the presentation of three significant figures is not justified.

The use of a severity factor includes the probability for non-suppressed fires. Such fires could potentially fail the entire cabinet-not just the adjacent bays. (Note that not all BWRs have steel partitions between divisions in the cabinets; for example, Cooper Nuclear Station

16 may not have partitions in their cabinets.) Thus, the use of severity factor (0.2) and outcome (configuration) factors (0.917, 0.25, and 0.125) is probably double counting probabilities to some extent, especially for plants configured different from the BWR-6 that was analyzed.

Analysis does not include potential for other fires outside of the cabinets growing in size and causing MOV problems.

Probability of hot shorts used in their assessment (0.068) is poorly supported. A recent data review (done for the USNRC Office of Research) suggests that the probability of some hot shorts could be as high as 0.8, while the probability of a specific pair of conductors shorting together is uncertain. Industry now has this information and should incorporate the updated estimates. The probability selected needs to be based on the specific circuits characteristics.

In addition, it should be recognized that the shorting together of more than two conductors may result in the same circuit response.

No sensitivity analysis was presented. For example, using different assumed values, the frequency of MOV damage from three cabinet fires, could be as high as 3 x 1.6E-4/yr x 0.2 x 0.8 = 8E-5/yr Even if partitioning was appropriate, this value would still be equal to 3E-5/yr. The contribution from unsuppressed fires in other cabinets (assuming 3E-3 non-suppression probability) could be as high as 55 x 1.6E-4/yr x 3E-3 x 0.8 = 2E-5/yr.

The BWROG Committee should not assess significance (CDF) based on each individual scenario. Rather, scenarios should be summed to assess overall significance (see B.5.2).

Given the above comments, the actual significance may well exceed 1E-6.

APPENDIX C: High/Low Pressure Interfaces

45. Section C.4.0 The last sentence in the first paragraph following the quote from the GL 86-10 response to question 5.3.1 appears to misinterpret the intent of the statement in the response,... if it can be shown that only two hot shorts of the proper polarity without grounding could cause spurious operation, no further evaluation is necessary except for any cases involving Hi/Lo pressure interfaces. Their assertion is that the response implies that two hot shorts need not be postulated except for high/low pressure interface components. Meaning that, outside of considering high/low interface components, no more than one hot short needs to be analyzed.

NRCs intent was simply to limit the requirement for analyzing smart hot shorts on a single circuit (those cases were spurious operation can only be caused by the application of two hot shorts of the proper polarity without grounding) to components comprising high/low interfaces; not to limit the number of hot shorts to be analyzed to single events for all other cases.

17 The BWROG Appendix R Committee should revise Appendix C to accurately reflect NRCs true intent on this issue.

46. Section C.4.1 The thrust of the BWROG discussion in this section is that three phase hot shorts, causing the spurious operation of a motor is highly unlikely for several reasons. Based on the guidance and clarifications provided by NRC it is clear that NRC agrees that such phase-to-phase-to-phase hot shorts are unlikely and as such are not required to be postulated for most cases. However, since the consequences of a fire-induced LOCA are so severe, NRC requires the analysis of these types of circuit faults for high/low pressure interface components. Additionally, GL 86-10 is clear that the analysis must be performed. Therefore, the conclusion stated in the closing paragraph of this section contradicts established NRC guidance.

Screening out the potential for these occurrences on a fire area by fire area basis is one approach to address this issue without a large degree of circuit analysis. Additionally, the arguments made by the BWROG as to the reasons why this event is considered highly unlikely would make appropriate screening bases themselves: no common fire areas, separation of power cable routes, no continuously energized power sources in proximity to motor cables, etc. The BWROG Appendix R Committee should indicate the appropriate screening criteria that might be used to help licensees address the high/low pressure interface concern during a deterministic system analysis.

47. Section C.4.2 The arguments used in this section focus on the complexity of powering and controlling a 250 VDC reversible motor. However, the BWROG Committee does not estimate how many of these types of motors are employed in BWR high/low pressure interface applications. Nevertheless, those DC motor driven components used in high/low pressure interface applications must either be screened from consideration (on a fire protection basis-see above) or analyzed for the possibility of spurious operation. The BWROG Appendix R Committee should indicate that DC motor driven components used in high/low pressure interface applications must either be screened from consideration or analyzed for the possibility of spurious operation.

The final paragraph of this section appears to dismiss the requirement for analyzing spurious operations of any DC compound motor. The discussion prior to this statement focuses on the power circuit. There may also be control circuit faults that could lead to the spurious operation of such motors. The BWROG Appendix R Committee should indicate that control circuits may also lead to the spurious operation of DC motors.

48. Section C.5.0, Case (b)

18 The BWROG Committees suggestion for de-powering one of the valves to prevent spurious opening may not be relevant since the hot shorts under consideration affect the power cables to the drive motors directly. In other words, even if the circuit breaker that normally feeds electric power to the motor is removed, a three-phase hot short, from another power source, interacting with the power cables anywhere between the MCC and the motor would still cause spurious operation of the motor. The BWROG Appendix R Committee should indicate that a three-phase hot short, from another power source, interacting with the power cables anywhere between the MCC and the motor would still cause spurious operation of the motor, even if the circuit breaker that normally feeds electric power to the motor is removed.

It is recommended that the BWROG Committee provide further discussion on what constitutes feasible mitigating actions.

APPENDIX D: Alternative/Dedicated Shutdown Requirements

49. Section D.3.0 The third sentence of the last paragraph states This assumption [unprotected circuits are assumed to be damaged] is only conservative in terms of not being able to credit the systems and equipment associated with these circuits in support of post-fire safe shutdown. However, simply assuming that a system may not be credited does not account for the possibility of spurious or maloperation of the equipment, which may result in consequences much more severe.

The BWR Owners Group Appendix R Committee should discuss the impacts of and mitigation techniques for spurious operation of equipment and improper operation of equipment.

50. Section D.4.0 It is recommended that the BWROG Committee provide a basis for the statement made in the first sentence of the first paragraph following the bulleted list of NRC documents [spurious operations are assumed to occur one-at-a-time]. If it is based on the NRC response to question 5.3.10 in GL 86-10, then the rationale for the NRC response must be assumed: design evaluation of the alternative/dedicated safe shutdown system capability for transients generated by the loss of offsite power and one spurious actuation or signal resulting from a fire. The BWROG discussion appears to be applying this guidance to scenarios outside of the intent of the response given in GL 86-10.

51. Section D.4.0 The last sentence of the second bullet, following the quoted NRC response to Question 5.3.10 in GL 86-10, states that The requirement for addressing a worst-case spurious signal be met by identifying any spurious actuation that has the potential to adversely affect the safe shutdown

19 capability and to evaluate the effects on the safe shutdown capability on a one-at-a-time basis.

(Emphasis added.) As long as the one-at-a-time based evaluation of the effects of spurious actuation is for the purpose of assessing the adequacy of alternative/dedicated safe shutdown system designs only, this is probably an acceptable practice. However, extending this philosophy to all fire related assessments is an incorrect application of the intent of the NRC response to GL 86-10 question 5.3.10. The BWROG Appendix R Committee should state the limitations of the one-at-a-time evaluation approach.

52. Section D.6.0 The additional operator actions, beyond performing a reactor scram, recommended by the BWROG should be identified as optional, based on the feasibility given the specific conditions under which the control room is being evacuated. The BWROG Committee should also note that such additional operation actions must be submitted for review under the provisions of 10 CFR 50.48 paragraph (c) (5). The issue of the time required and ability to perform these additional actions would appear to be the most important factors. This gets into issues of human factors that may not be appropriate to assume are possible in a deterministic Appendix R analysis.

APPENDIX E: Multiple High Impedance Faults

53. Section E.3.0 The arguments presented are based largely on the expectation that high impedance faults will progress rapidly from arcing faults to dead short faults (which will then be cleared by the action of the fuse/breaker protective devices) or be of sufficiently low energy that they will self-extinguish. The BWROG Committee also claims that more than one arcing fault occurring at a time has a very low probability (i.e., not credible). Finally, the BWROG Committee argues, for DC systems, that the arc will erode the conductor to the point that it causes an open circuit, thus stopping the arcing fault.

This is another case where the BWROG Appendix R Committee document defends the position that an event is so unlikely to occur that there is no need to evaluate its impact on safe shutdown.

These arguments are made on a generic basis without regard for specific plant designs. In addition, even if the probability of occurrence is low, due regard must be given to the consequences of the effect if it were ever to occur. This the BWROG Committee has not addressed. It is recommended that the BWROG Appendix R Committee discussion be revised to provide guidance on methods to be used to evaluate, deterministically, the potential impact of multiple high impedance faults on essential switchgear and to suggest the means by which such impacts may be mitigated (e.g., developing procedures for clearing non-essential loads before re-energizing the essential bus).

54. Section E.4.0

20 The BWROG Appendix R Committee document is supposed to provide guidance on the deterministic evaluation of safe shutdown systems and components. It was not intended to present risk-based arguments as to why a concern need not be evaluated. The BWROG Committee should revise Appendix E to provided guidance on deterministic evaluation of multiple high impedance faults.

APPENDIX F: Manual Actions and Repairs

55. Section F.6.0 The statement made in the last sentence of the fourth paragraph in this section, Actions required in a fire area experiencing a fire or that require travel through a fire area experiencing a fire, may be credited if it is demonstrated that these actions are not required until the fire has been sufficiently extinguished to allow completion of necessary actions in the fire area (emphasis added) requires some very careful consideration. First, how is sufficiently extinguished defined or determined for a particular fire? Consideration must be given to timing issues, for example, will the maximum expected fire duration for the fire area under consideration be consistent with the allotted time to complete the manual actions required for safe shutdown?

This type of generalizing statement can lead to many pitfalls or large uncertainties for determining a reliable success path in a safe shutdown analysis because not all of the pertinent details are considered and properly evaluated.

The BWROG Appendix R Committee should include a discussion of the environment, access, and timing issues to be considered when taking credit for manual actions in a fire area.

21 APPENDIX G: Combined Equipment Impacts

56. Section G.3.0 The last sentence of the first paragraph states Typically, the plant areas where post-fire safe shutdown analysis is performed could not have a fire of this magnitude or damage potential. It is recommended that the BWROG Committee should provide a basis for this assertion. In addition, it appears that the statement ignores the fact that the purpose of the fire protection rule is to ensure safe shutdown capability even if a fire of that magnitude or damage potential ever does occur.

The second sentence of the second paragraph states The expected fire size would be a fire that is contained within a single electrical panel or a localized portion of one room or area. It may be true that most fires fall into this category of size, however, the problem is that this is not always the case. Some fires, like the one at Browns Ferry, for example, grow beyond the initial area and cause significant damage. Accordingly, the consequences of severe damage caused by the fire are what is important and of particular concern with respect to overall plant safety. The BWROG Appendix R Committee should indicate that even small fires have the potential for causing severe consequences.

57. Section G.4.0 The BWROG Appendix R Committee seems to have minimized, without any established basis, the importance of consequences resulting from the opening of two flow diversion valves (or the closing of two flow blocking valves) in order to let probability drive the final risk determination.

Again, the focus should be on deterministic methodologies to be employed in evaluating the effect of a fire on safe shutdown capability. The BWROG Appendix R Committee should indicate the need to assess the impact of multiple circuit faults based on analysis of the specific circuit designs.

58. Section G.4.0 The example case discussed appears to be generic. Clearly, to make the risk significance argument valid one would need to evaluate the plant-specific system design to accurately assess the consequence and determine the subsequent risk.

In determining the probability of hot short occurrence, the BWROG Committee says that the separate probabilities must be multiplied together to represent the probability of the combined events. However, since the fire is a common cause for individual circuit failures in the two cables, they cannot be considered random events, meaning that the probability for the combined events should probably be something greater than the result obtained by multiplying the two random probability estimates (0.068) together. Further, recent work demonstrates that for the illustrated case the hot short probability may be as high as 0.8. Additionally, the risk

22 quantification includes a value for the probability of a damaging fire that needs to be justified.

Use of this term may, in fact, be double counting success by allowing an independent credit for manual suppression before such damage occurs.

The last two sentences of the second paragraph following Table G.1 discusses routing of cables in separate raceways or fire areas would reduce the likelihood of occurrence. The BWROG Committee should note that the reason the regulations and guidance support cable separation techniques is, in part, to make sure that the probability of multiple fire-induced circuit faults is kept low.

59. Section G.4.0 In the third paragraph following Table G.1, it is stated that BWROG has been unable to identify a high safety significance associated with multiple spurious operations. The BWROG document asserts that no known fire risk assessment has identified multiple spurious operations as a significant risk contributor. This assertion is both misleading and inaccurate.

The statement is misleading because it implies that risk assessments have commonly looked for these problems and have not found them to be important. In fact, most fire PRAs to date have not looked for spurious actuation scenarios. Indeed, this requires modifications to the normally used internal events models to account for possible spurious actuations, and special attention to circuit analysis. These steps are lacking in the vast majority of currently available fire PRAs, including the IPEEEs. Hence, the fact that these studies did not find spurious actuation to be important (having not looked for them) does not support the contention that they are not, in fact, important.

The statement is inaccurate because spurious actuation issues have been identified as important contributors in those existing fire PRAs that have specifically examined spurious actuation scenarios. In particular the USNRC-sponsored analysis of LaSalle included consideration of potential spurious actuations, and all of the dominant fire risk scenarios inherently include multiple spurious actuations in the quantification (reference NUREG/CR-4832, Vol. 9). A second example is found in the analysis of one advanced reactor design (AP600) where 95% of the fire CDF was associated with large and small LOCA scenarios induced by the spurious actuation of valves due to fire-induced hot shorts. A third example is the Ginna IPEEE. This study concluded that, assuming a hot short probability of 0.1, spurious actuations only increased fire risk by 6% as compared to assuming that no spurious actuations occurred. However, when all spurious operation opportunities were set to true (i.e., all possible spurious operations were assumed to occur) fire CDF estimates increased by 61% (as compared to the value obtained assuming a 0.1 hot short probability). A fourth set of examples can also be found in the IPEEE analyses for those plants with complicated manual actions required to overcome potential spurious operations in the event of a fire. Examples include, in particular, those plants that enter a self-induced station blackout in response to some fires. In the case of at least one PWR plant (Summer) the complicated nature of the required actions contributed directly to relatively low reliability estimates for remote shutdown, hence, to significant increases in the CDF contribution of control room abandonment scenarios. These cases illustrate that some fire PRAs have, indeed,

23 found spurious actuations and multiple spurious actuations to be potentially important fire CDF contributors.

The BWROG Appendix R Committee should review current PRAs to ascertain the risk significance of multiple spurious operations.

60. Section G.5.0 The first bullet states Performing such a combined equipment failure analysis, addressing all possible permutations and combinations, is probably not possible. It is probably not warranted either given that a reasonable set of combinations can be established during the safe shutdown evaluation process, with particular attention given to the few critical components whose failure(s) could prevent accomplishing the safe shutdown functions. The BWROG Appendix R Committee should direct that this level of analysis be done in the main body of the guidance document.

B. AUDIT OF CONTENTS TO AUGUST 1999 AGREEMENTS Sandia was requested by the USNRC to audit the BWROG circuit failure analysis methodology document against the agreements reached at the meeting between NRC and the BWR Owners Group Appendix R Committee in August 1999. The agreements reached at that meeting are summarized in Attachment 4, NRC Staff and BWROG Appendix R Committee Meeting on Circuit Analysis Summary of Topics Covered and Agreements Reached, to the memorandum, Dembek to Richards, Summary of Meeting with the Boiling Water Reactors Owners Group (BWROG) Appendix R Committee on Post-Fire Safe Shutdown Circuit Analysis Issues (Fire-Induced Circuit Failures), dated September 3, 1999. The following comments regarding the degree to which Sandia finds each agreement has been met based on the technical review of the document.

Agreement 1 - The final BWROG circuit analysis methodology document:

Will address deterministic evaluation of the effects of fire-induced electrical faults (hot shorts, shorts to ground, and open circuits) on power, control, control logic, and instrumentation circuits, and assessment and prevention of resultant combinations of multiple spurious signals and/or spurious actuations which may interfere with or prevent the achievement and maintenance of post-fire safe shutdown. [It is possible that the extent of this approach may be limited based on the complementary risk-informed, performance-based circuit analysis methodology development effort currently being undertaken by the Nuclear Energy Institute (NEI).]

Commentary Insofar as addressing deterministic methods for evaluating the effects of fire-induced faults, the BWROG document does so at a comparatively low level of detail. For example, the methods

24 discussed for evaluating the effects of hot shorts on a MOV control circuit utilize a hot probe that is applied to the circuit, one conductor at a time, and the resulting effect of the potential hot short is noted for each case. However, the topic of conductor-to-conductor short circuits is not addressed in the document.

The topics of multiple spurious signals and spurious actuations and their potential impact(s) on the ability to achieve and maintain post-fire safe shutdown is not addressed at any significant level of discussion. The BWROG Committee often asserts, however, that failures should be analyzed on a one-at-a-time basis, thus completely avoiding the need to discuss the multiple failure condition.

Findings The Agreement 1 issues have been partially addressed, however, much more could be done within the scope of the BWROG circuit analysis methodology document to fully meet the intent of Agreement 1.

Agreement 2 - The final BWROG circuit analysis methodology document:

Will have a definitions section.

Commentary Section 4.0 of the BWROG document provides the definitions of approximately 45 terms. Six of the definitions were taken from IEEE standard definitions, nine were derived from regulatory sources (e.g., Generic Letters, SRP, etc.), four referred to other terms or one of the appendices, and the rest were produced by the BWROG committee.

Findings The Agreement 2 issue has been addressed, and the definition section provided fully meets the intent of Agreement 2.

Agreement 3 - The final BWROG circuit analysis methodology document:

Will draw clear distinctions between guidance meant to apply to redundant train separation analysis, and other guidance meant to be considered in the analysis of alternative/dedicated safe shutdown capability.

Commentary The distinctions made within the body of the BWROG document were not very clear between guidance meant to apply to redundant train separation analysis and guidance meant to be considered for alternative/dedicated safe shutdown capability. On the other hand, Appendix D

25 discusses the requirements and recommended implementation guidance for alternative and dedicated systems at great length.

Appendix D offers a very detailed discussion of the regulatory requirements concerning alternative and dedicated shutdown systems and provides some guidance on implementing those requirements. Appendix D also lists six general areas that must be considered differently when evaluating alternative/dedicated shutdown systems as compared to the methods employed for redundant trains, discussed in the main body of the document.

Findings The Agreement 3 issue has been addressed in Appendix D to the extent that it appears Agreement 3 has been met.

Agreement 4 - The final BWROG circuit analysis methodology document:

Will include a definition of the term free of fire damage (which may or may not be identical to the NRC definition provided in Generic Letter 86-10).

Commentary The BWROG Committee provides the following definition for the term Free of Fire Damage in Section 4.0:

The structure, system or component under consideration is capable of performing its intended function during and after the postulated fire, as needed. It may perform this function automatically, by remote control, or by manual operations.

The first sentence of the above definition is a word-for-word duplicate of the NRC definition provided in Generic Letter 86-10. The second sentence of the definition appears to be a clarification of the various means by which the intended function may be initiated and controlled, and does not in any way reduce the inherent requirement or intent of NRCs definition.

Findings The Agreement 4 issues have been addressed, and the definition provided for the term free of fire damage fully meets the intent of Agreement 4.

Agreement 5 - The final BWROG circuit analysis methodology document:

Will specify and define one or more safe shutdown analysis time zero points (e.g., fire inception, fire discovery, major fire confirmation, reactor scram, control room evacuation), and will discuss their appropriate applications in activities such as redundant train and alternative/dedicated safe shutdown capability engineering design and procedure development.

26 Commentary The BWROG document contains no reference to critical time zero points. The only reference to a specified time is with regard to the 72-hour limit in being able to achieve cold shutdown.

Findings The Agreement 5 issues have not been addressed and Agreement 5 has not been met.

Agreement 6 - The final BWROG circuit analysis methodology document:

Will provide justification as to why multiple high impedance fault (MHIF) analysis and three phase hot shorts analysis do not need to be conducted by reactor licensees.

Commentary The BWROG circuit analysis methodology document does not discuss the issues concerning multiple high impedance faults or three-phase hot shorts in the body of the document. Appendix C provides a discussion of the three-phase hot short issue for high/low interface components, and Appendix E discusses multiple high impedance faults.

Regarding the three-phase hot short issue, the arguments presented for not requiring licensees to analyze these faults is based largely on the assertion that they are highly unlikely occurrences.

The guidance provided in Appendix C perhaps should have offered more in the way of possible screening criteria than it did. For example, the BWROG Committee could have recommended that the analysis evaluate the routing of the power cables for the (two) valves making up a high/low pressure interface, or determining whether or not other continuously energized power cables are in proximity to the motor power cables. If in close proximity, however, the valve cables wont screen on the basis of separation.

Appendix E discusses a multitude of reasons why consideration of multiple high impedance faults are not credible, and thus do not need to be considered for safe shutdown. Principally, the BWROG Appendix R Committee argues that, should a single high impedance (arcing) fault occur, it will either quickly self-extinguish or progress rapidly to a dead short, whereupon the protective device (fuse/breaker) would open, clearing the fault condition. The BWROG Committee deems multiple, simultaneous high impedance faults developing as not credible and of sufficiently low probability that they are not a concern. The BWROG Committee should provide a technical basis for these assertions (e.g., test data).

The BWROG Appendix R Committee should provide guidance in Appendix E on methods to analyze the potential effects of multiple high impedance faults on essential switchgear and to suggest ways to mitigate those impacts (e.g., clearing non-essential loads prior to re-powering the bus).

27 Findings The issues of Agreement 6 have been addressed, however, the justifications presented appear to be weak. Specific guidance on evaluating the effects of multiple high impedance faults and three-phase shorts should be provided in the BWROG document, as well as suggestions on mitigating strategies.

Agreement 7 - The final BWROG circuit analysis methodology document:

Will consider whether the fire-induced circuit failures analysis used to establish Susquehanna Steam Electric Station post-fire safe shutdown capability constitutes an effective generic circuit analysis process.

Commentary There was no direct comparison to or discussion of the Susquehanna Steam Electric Station post-fire safe shutdown circuit failure analysis in the BWROG document.

Findings The Agreement 7 issue has not been addressed and Agreement 7 has not been met.

Agreement 8 - The final BWROG circuit analysis methodology document:

Will include, or explain why it does not include, a generic evaluation methodology of the potential for indirect fire-induced physical damage of equipment to interfere with or prevent the achievement and maintenance of post-fire safe shutdown [e.g., mechanistic failures of motor operated valves (MOVs)

(as discussed in Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire), or mechanical pump damage from a fire-induced spurious pump start with both the pump discharge and minimum flow valves closed.]

Commentary There was no discussion of these issues in the main body of the BWROG document. Appendix B to the BWROG document attempts to address the technical MOV mechanical damage issues associated with IN 92-18. The basis of their argument, in the appendix, is that a control room fire capable of causing mechanistic failure of a MOV by the action of a fire-induced hot short has a low probability of occurring. Sandias review of the example evaluation method presented uncovered several shortcomings of their approach, the principal one being the lack of sensitivity analyses, especially one based on different control room or panel configurations.

Though the BWROG Committee did discuss the many factors that would have to exist in order to cause the specific type of hot short to develop to cause the valve to drive itself to damage, they did not, however, present any guidance on evaluating the control circuit (which might contain

28 specific design features differing from those discussed in IN 92-18) deterministically to assess the potential for this kind of behavior in a fire.

There was no discussion about the potential for fire-induced spurious operation and mechanical pump damage provided in the document as required by the agreement.

Findings Agreement 8 has been partially addressed, but the BWROG Appendix R Committee arguments concerning spurious operation and mechanical damage to MOVs are too narrowly focused on fire in the control room. In addition, the probabilistic approach presented should be more rigorously developed. The issues concerning possible spurious operation and resulting damage to pumps was omitted, contrary to Agreement 8.

Agreement 9 - The final BWROG circuit analysis methodology document:

Considering that Appendix R,Section III.G.2. specifies that both cables and equipment (including associated non-safety circuits) of redundant trains shall be free of fire damage (i.e., able to perform their intended functions), the methodology document will address the acceptable limit or extent of fire-induced damage to redundant train power, indication and control circuits.

Commentary This issue was not addressed directly in the BWROG document. However, somewhat oblique reference to it seems to be made by crediting operator actions to ensure functionality of safe shutdown equipment, and by recommending an assessment of the importance of cables and circuits associated with safe shutdown equipment to ensure they are protected if necessary.

Otherwise, there seems to be no direct reference to the limit of fire damage (or damage threshold) allowed to cables and circuits before the impact of such damage prevents safe shutdown functionality.

Findings The Agreement 9 issue has not been fully addressed and Agreement 9 has not been met.

Agreement 10 - The final BWROG circuit analysis methodology document:

Will identity manual action considerations to be addressed to ensure comprehensive and effective analysis of both redundant train and alternative/dedicated post-fire safe shutdown capabilities, such as:

Operator actions to address reactor transients from the panels in the control room (before the control room evacuation decision is made) and from the remote/alternative/dedicated shutdown stations in the plant.

Personnel hazards (radiation, steam, heat, smoke, fire, heights, etc.)

29 The limits on shutdown procedure complexity when the following human factors issues are considered: training, walkdown, and simulation frequency and depth (relative to operator familiarity with the manual actions and the locations at which they are conducted);

communications equipment and their limitations and adequacy; on shift staffing requirements; numbers of independent operators; procedural action timing requirements; and plant conditions (lighting, temperature, noise, etc.); procedure feasibility, and the availability and practicality of the application of operator aids.

The availability of materials for, and practicality of procedures for cold shutdown repairs. This discussion will include a definition of the term cold shutdown repair as distinct from the definition of the term manual action.

Discussions/definitions of terms such as remote control, local control, manual control, remote shutdown panel, and remote shutdown location, and any limitations on remote or local actions based on the type of shutdown being conducted (redundant train/alternative/dedicated).

Commentary There was very little discussion of these issues in the main body of the BWROG document.

Appendix D to the BWROG document addresses the issues associated with alternative/dedicated shutdown, and Appendix F discusses manual actions and repairs.

The manual actions discussed in Appendix D actually involve additional actions, recommended by the BWROG, beyond scramming the reactor. They recommend these actions as a potential benefit in minimizing the potential for flooding of the main steam lines outside of containment.

Other than these recommendations, specific required operator actions are not discussed. The most pertinent statements are very general, for example, in Section D.3.0,...the remaining Control Room operators would continue to perform their duties as trained, responding to alarms and monitoring important plant parameters.

No specific discussions on personnel hazards are presented in Appendix D other than brief mentions of the need for assuring that ingress and egress routes to equipment and components requiring manual action for safe shutdown are provided with sufficient lighting and communications. No mention of radiation, steam, or heights is made as consideration for personnel access to those areas.

The same is true of the discussion of manual actions and repairs, provided in Appendix F.

Appendix F also identifies those criteria unique to repairs as opposed to manual actions required to accomplish safe shutdown. However, rather than address the issue of practicality of performing the required manual actions, Appendix F only mentions the requirements to be met.

For example, the BWROG Committee mentions that there shall be a sufficient number of operators to perform the required actions on shift, but not skill levels or needed equipment.

Most of the terms requiring definition, as specified in sub-bullets 4 and 5, above, are defined in Section 4.0 (Definitions) of the BWROG document. A few definition of terms is also provided in Appendix F. The definitions appear to be complete.

Findings

30 Some, but not all, of the issues in Agreement 10 have been addressed. Additional consideration of the Agreement 10 issues on the part of the BWROG is necessary to fully meet the intent of the agreement.

C. EDITORIAL COMMENTS

1. Section 1.1 In the second sentence of the second to last paragraph, the word criteria should be replaced by method.

2. Section 1.3 In the second sentence of the third paragraph, the word separation should be replaced by protection.

Later in the same sentence, the statement a safe plant design is achieved is too broad a statement. It should be replaced with a reasonable assurance of safe shutdown capability is achieved.

The following changes to the fourth paragraph should be made:...for evaluating the potential effects... and equipment to function as required and for... impacts from the fire on these systems and equipment.

In the second sentence of the sixth paragraph, the following word change should be made: from

...on identifying the circuits of concern... to...on identifying and analyzing the circuits of concern...

3. Section 1.3.2 The third sentence in the paragraph should be changed to read as follows: By assuring that one or more safe shutdown paths, capable of performing their required functions, exist in the event of a fire in any fire area, safe shutdown capability is reasonably assured.

4. Section 1.3.3 The third sentence in the first paragraph should be changed from related to to identified for.

The first sentence of the third paragraph should be changed to read as follows: By assuring the availability of the equipment required for the safe shutdown systems required for one or more safe shutdown paths defined for each fire area, safe shutdown capability is reasonably assured.

31

5. Section 1.3.4 The first sentence of the third paragraph should be changed to read as follows: By assuring the integrity of the cables required for the safe shutdown equipment on one safe shutdown path identified for each fire area, safe shutdown capability is reasonably assured.

6. Section 1.3.5 The second sentence in the first paragraph should be changed from related to to defined for.

The word or in the first sentence of the second paragraph should be changed to and. Otherwise it appears that the circuit analyst can pick any one of the three circuit failure modes to evaluate, at his discretion.

The second sentence of the second paragraph should be changed to read as follows: If any of these circuit failure modes affect the ability of the equipment to function, or cause it to function improperly, then the safe shutdown equipment is considered to be impacted.

7. Section 1.3.6 The words have been, in the first sentence of the first paragraph should be changed to are.

The second sentence in the first paragraph should be changed to read as follows: The effects on safe shutdown capability for each safe shutdown equipment potentially impacted by a fire must be addressed and a process for mitigating those effects must be developed and implemented.

The first sentence of the second paragraph should be changed from safe shutdown is assured.

to safe shutdown capability is reasonably assured.

8. Section 2.1 The first sentence of the first paragraph should be changed to read as follows: 10CFR50 Appendix R Section III.G, establishes the specific regulatory requirements for protecting structures, systems, equipment, cables and associated circuits important for achieving Safe Shutdown.

The colon (:) at the end of the second paragraph should be replaced with a period (.).

The first sentence of the third paragraph should be revised to read as follows: Section III.G.1 provides the specific requirements for fire protection of safe shutdown capability and states the following:

32

9. Section 2.3.4 The period at the end of this paragraph is missing and should be added.

10. Section 3.0 The word acceptable in the second sentence of the first paragraph should be changed to possible.

11. Section 3.1.1.3 Recommend that the following sentence be inserted between the second and third sentences of this paragraph: Alternative shutdown capability is achieved by rerouting, relocating or modification of existing systems.

12. Section 3.1.2.3 Reactor should not be capitalized.

13. Section 3.1.2.5 The final sentence of the first paragraph should be changed to read,...for the typical BWR to successfully achieve safe shutdown.

The word select in the final paragraph should be changed to selected.

14. Section 3.1.3.4 The second sentence should be reworded to indicated that the combination of systems relied upon for safe shutdown will be identified for a fire occurring in each fire area. In other words, the successful safe shutdown path(s) identified for each fire area will be protected from the effects a fire within that fire area.

15. Section 3.3.1 The word impact near the end of the second sentence should be changed to effect.

16. Section 3.3.1.1 The word investigated at the end of the third sentence should be changed to analyzed.

33 The second to last sentence in the paragraph should be changed to read, The methods discussed in Section 3.5 must be applied as part of this section. Also, delete the last sentence of this paragraph.

17. Section 3.3.1.7 The last half of the discussion on selection of power distribution cables in uncoordinated switchgear is very confusing. This subsection should be completely rewritten.

34

18. Section 3.3.3.3 The last sentence of the second paragraph makes a reference to secondary components. An example of this concept should be provided or the sentence should be truncated after the word equipment.

19. Section 3.4 The word determined at the end of the third sentence of the first paragraph should be changed to designated.

The word individually should be deleted from the second paragraph.

20. Section 3.4.1.4 The last paragraph needs to be reworded (i.e., what does the following mentioned above mean?).

21. Section 3.4.1.8 The end of the sentence should be changed to read as...post-fire safe shutdown capability and mitigating any impacts discovered.

22. Section 3.4.2.2 The use of the words position and positions in the last paragraph is somewhat misleading.

Replacing these words with state and states would be clearer and in keeping with the intent of the statements. Also, replace equipment may with each component should in the last sentence.

23. Section 3.4.2.5 The first sentence should be changed to read...or mitigating actions required for assuring safe shutdown capability.

35

24. Section 3.5, The second sentence of the first paragraph should be modified to read as...to achieve and maintain post-fire safe shutdown in the event of a fire occurring in a particular fire area.

25. Section 3.5.1.1 (first bullet) Remove the a from between cause and spurious. Add the following sentence to the end of the paragraph: A hot short may also cause the loss of equipment functionality (e.g., a fuse blows in the control circuit, leading to an open circuit condition).

(third bullet) Modify the end of the last sentence to read,...of which it is a part, resulting in maloperation of the equipment (e.g., spurious operation).

26. Section 3.5.2.1 (third bullet) The statement should be changed to read as An open circuit on the secondary side of a high voltage (e.g., 4.16 kV) current transformer may result in fire ignition and damage.

27. Section 3.5.2.1: Open circuit No. 1 An additional explanation should be added: The same result occurs if the open circuit were to be on the common return conductor, upstream of the circuit ground connection.

28. Section 3.5.2.1 A final summary statement should be added to conclude the open circuit failures discussion:

Analysis must determine if any of the possible outcomes resulting from an open circuit condition is acceptable with regard to the required functionality of the affected equipment.

29. Section 3.5.2.2: Short-to-Ground on Grounded Circuits, Short-to-ground No. 1 The second sentence should be changed to read...using either control switch.

30. Section 3.5.2.2: Short-to-Ground on Ungrounded Circuits, Short-to-ground No. 1 The second sentence should be changed to read...using either control switch.

31. Section 3.5.2.2: Short-to-Ground on Ungrounded Circuits, Short-to-ground No. 2

36 The first sentence should be changed to read...until the close/stop control switch is closed and if short-to-ground No. 3 also exists.

32. Section 3.5.2.3: A Hot Short on Grounded Circuits The word one in the third sentence of the second paragraph should be removed. The word individual in the next sentence should also be removed.

33. Section 3.5.2.3: A Hot Short on Ungrounded Circuits The second sentence of the first paragraph should be modified to read, A single hot short can cause a spurious operation if the hot short comes from a circuit whose positive leg comes from the same ungrounded source as the effected circuit.

34. Section 3.5.2.4 The second sentence of the first paragraph should be changed... to a single cable, lack of...

The statement provided in item 2, on the next page, should be changed to... and the breakers/fuses feeding all of the loads...

The last sentence in Item 3 should read... the maximum available fault current at the bus.

35. Section 3.5.2.5 In the first sentence: the word Associated should not be capitalized, and the word failures should be fires.

The end of the second paragraph should be changed to read,... to alleviate fire propagation concerns along the associated circuit cables.

36. Section 4.0: Required Safe Shutdown Path The first sentence should be changed to read, The safe shutdown path selected for achieving and maintaining safe shutdown during and after a fire in a particular fire area.

37. Section 4.0: Required Safe Shutdown Equipment/Component

37 The definition should be changed to read, Equipment that is required to either function or not malfunction in order that the required safe shutdown path will be capable of achieving and maintaining safe shutdown during and after a fire in a particular fire area.

38. Section 4.0: Required Safe Shutdown Cable/Circuit The sentence should be changed to read, Cable/circuit required to support the operation or prevent the maloperation of required safe shutdown equipment during and after a fire in a particular fire area.

APPENDIX A: Safe Shutdown Analysis as Part of an Overall Fire Protection Program

39. Section A.3.4 The word us should be changed to use in the second-to-last sub-bullet under Fire Brigade Training includes:.

The statement provided in the fourth bullet under category 5, Post-Fire Safe Shutdown Capability, should be modified to indicate that the fire area wherein the twenty foot horizontal train separation criteria is employed must also include fire detection and automatic suppression systems.

APPENDIX B: Consideration of NRC IN 92-18

40. Section B.5.1, Ignition Frequency Factor: Equation 2b The subscripts Term Cabinet in the second term of both equations should be changed to Control Panel.

41. Section B.5.1 The number 9 in the second term of the first equation should be changed to 39.

42. Section B.5.1, P701 The subscript Conf P601 for F should be changed to Conf P701 in the last sentence of the subsection.

43. Section B.5.2

38 IN 92-28 should be changed to IN 92-18.

APPENDIX D: Alternative/Dedicated Shutdown Requirements

44. Section D.2.0 The word in in the first sentence of the first paragraph should be changed to for.

The word form in the first sentence of the third paragraph should be changed to from.

45. Section D.4.0 Following the quote from Appendix R,Section III.L.1, is an italicized passage: Alternative shutdown capability is provided by rerouting, relocating or modification of existing systems; dedicated shutdown capability is provided by installing new structures and systems for the function of post-fire safe shutdown, that is from Appendix R,Section III.G.3, and should include the correct section reference or it should be removed.

APPENDIX F: Manual Actions and Repairs

46. Section F.4.0 The last sentence of the first paragraph states... to maintain hot shutdown for an extended period of time if necessary... It is recommended that the statement be modified to recognize that the ability to achieve cold shutdown must be available within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and which 72-hour rule applies.

ML003706378

Contents

Text

SUBJECT:

Dear Mr. Warren:

Enclosure:

Enclosure:

Navigation menu

ML003706378

Text

SUBJECT:

Dear Mr. Warren:

Enclosure:

Enclosure:

Navigation menu

Search