Summary of April 25, 2000, Meeting with the Boiling Water Reactor Owners Group (BWROG) Regarding Appendix R Safe Shutdown

ML003718830
Person / Time
Site:	Boiling Water Reactor Owners Group
Issue date:	05/24/2000
From:	Pulsifer R NRC/NRR/DLPM/LPD1
To:	Richards S NRC/NRR/DLPM
References
GE-NE-T43-00002-00-03
Download: ML003718830 (50)
v • d • e

Text

MEMORANDUM:

FROM:

SUBJECT UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 May 24, 2000 Stuart A. Richards, Director Project Directorate IV & Decommissioning Division of Licensing Project Management Office of Nuclear Reactor Regulation Robert M. Pulsifer, Project Manager Project Directorate I, Section 2 Division of Licensing Project Management Office of Nuclear Reactor Regulation

SUMMARY

OF APRIL 25, 2000, MEETING WITH THE BOILING WATER REACTOR OWNERS GROUP (BWROG) REGARDING APPENDIX R SAFE SHUTDOWN On April 25, 2000, the U.S. Nuclear Regulatory Commission (NRC) staff held a meeting with the BWROG to discuss their safety relief valve/low pressure systems (SRV/LPS) Topical Report, GE-NE-T43-00002-00-03, "BWR Owners' Group Appendix R Fire Protection Committee Position on SRVs + Low Pressure Systems Used as "Redundant" Shutdown Systems Under Appendix R" dated September 1, 1999. Attachment 1 is a list of attendees. The BWROG presentation slides are in Attachment 2 and the staff's presentation slides are provided as Attachment 3.

Mr. Weiss, Section Chief in the Plant Systems Branch, opened the meeting with a short discussion of the need for the meeting. He stated that the prime objective was to determine whether there was evidence to show that SRV/LPS as a redundant shutdown system is in the licensing basis of boiling water reactor licensees.

The BWROG position is that the use of SRV/LPS for post-fire safe shutdown is within the original BWR design basis, is technically acceptable and is a safe means of achieving shutdown. The BWROG also stated that the SRV/LPS meets the requirements of Appendix R as a redundant system and that Appendix R does not limit boiling water reactors to use high pressure systems in meeting the requirements of Sections III.G.1 and 2 of Appendix R. It was also stated by the BWROG that the SRV/LPS will also be able to maintain hot shutdown. The staff indicated that Section III.G.2 requires that the redundant system be able to achieve and maintain hot shutdown conditions until cold shutdown is achieved. The BWROG provided excerpts from various safety evaluations that indicated that the NRC may have accepted the use of SRV/LPS as a redundant shutdown path. The staff made a short presentation regarding the background and the staff's reasoning during the development of Appendix R.

Stuart A. Richards The following five agreements are for further action by either the NRC staff or the BWROG:

The BWROG will provide the staff with a step-by-step narrative discussion of how plant specific operating procedures (derived from BWR EPG, Rev. 4) can be used to achieve and maintain hot shutdown conditions using SRV/LPS (rathe r than HPCI, RCIC, or condensate/feedwater or other possible shutdown systems) after a reactor scram which occurs with a 100 percent power history, to the extent that latent and decay heat would be of sufficient magnitude to permit continuation of this mode of plant operation.

[Such a plant-specific operating procedure would be needed to meet the hot shutdown capability requirement of Appendix R,Section III.G.1.a, and the intent of Appendix R as stated in the Statements of Consideration in Federal Register, Section Q, Associated Circuits, November 19, 1980 (45 FR 76609). As described in Appendix R,Section III.G.l.b, cold shutdown capability may not be available for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> due to potential fire damage to shutdown cooling components. Therefore, the NRC staff and the BWROG agreed that hot shutdown capability is required in Appendix R,Section III.G.l.a.]

The BWROG will provide citations (such as date of document, title of document, issuing organization, sender, addressee) for plant-specific licensing documents (e.g., licensee submittals and NRC staff SEs), which the BWROG believes support its contention that after 1982 the staff explicitly approved SRV/LPS as a redundant means of post-fire safe shutdown. The NRC staff will obtain these documents through its NUDOCS document retrieval system. The BWROG will identify at which points, and in what way, the documents provide approval (e.g., "at this point, if taken in context, the word 'safe' actually means "redundant," and therefore the NRC staff was approving SRV/LPS as an Section III.G.2 "redundant train" means of post-fire safe shutdown capability").

The NRC staff has concluded that redundant train post-fire safe shutdown capability need not meet the Appendix R,Section III.L.1 requirements including the requirement that "reactor coolant system process variables shall be maintained within those predicted for a loss of normal alternating current power."

The NRC staff will consider whether GDC single failure, seismic Category I, or other design basis accident criteria are, or are not, applicable to Section III.G.2 redundant systems. [It was agreed that it is clear that these criteria are not applicable to Section III.G.3 alternative systems per Appendix R, Section Ill.L6].

The NRC staff asked the BWROG to respond regarding the applicability of the fire protection feature (wraps, detectors, sprinklers) removal assumptions in the Probabilistic Safety Assessment Branch risk analysis of the BWROG SRV/LPS position (Rubin to Weiss, April 18, 2000, Attachment 4).

Stuart A. Richards In addition, the NRC staff committed to call the BWROG Appendix R Chairman on approximately May 4, 2000, to discuss whether any problems with implementation of the above five agreements had emerged, and whether a management meeting needs to be scheduled.

This call was made on May 4, 2000 and it was determined that no problems have emerged with the five agreements, there is presently no need for a follow-up meeting, and that no RAI will be issued for the last agreement; however, the BWROG are asked to review and comment on that analysis.

Project No. 691 Attachments: 1.

Attendance List

2.

BWROG Presentation Slides

3.

NRC Slides

4.

Memo to Weiss from Rubin dated 4/18/00 cc w/atts: See next page DISTRIBUTION:

PUBLIC PDIV-2 Reading RPulsifer OGC (RidsOGCRp)

ACRS (RidsACRSACNWMailCenter)

E-MAIL JZwolinski SBlack EPeyton EConnell LWhitney SDinsmore SAmarjit EWeiss JHannon JHolmes GMizuno

• For previous concurrences see attached ORC OFFICE PDI-2/PM*

PDIV-2/LA SPLB/SC*

OGC*

PDIV-2/SC,7 NAME RPulsifer:lcc f

EWeiss GMizuno SDemb DATE 5/22/00

/3 i00 c

5/16/00 5/23/00 24 /oo DOCUMENT NAME: G:\\PDIV-2\\bwrog\\Mts042500.wpd OFFICIAL RECORD COPY BWR Owners Group cc:

Mr. James M. Kenny BWR Owners' Group Vice Chairman PP&L, Inc.

Mail Code GENA6-1 Allentown, PA 18101-1179 Mr. Thomas J. Rausch RRG Chairman Commonwealth Edison Company Nuclear Fuel Services 1400 Opus Place, 4th Floor Downers Grove, IL 60515-5701 Mr. Drew B. Fetters PECO Energy Nuclear Group Headquarters MC 61A-3 965 Chesterbrook Blvd.

Wayne, PA 19087-5691 Mr. H. Lewis Sumner Southern Nuclear Company 40 Inverness Parkway PO Box 1295 Birmingham, GA 35201 Mr. Carl D. Terry Vice President, Nuclear Engineering Niagara Mohawk Power Corporation Nine Mile Point - Station OPS Bldg/2nd Floor PO Box 63 Lycoming, NY 13093 Mr. George T. Jones PP& L, Inc.

MC GENA6-1 Two North Ninth Street Allentown, PA 18101 Mr. John Kelly New York Power Authority 14th Floor Mail Stop 14K Centroplex Building 123 Main Street White Plains, NY 10601 Mr. Thomas G. Hurst GE Nuclear Energy M/C 182 175 Curtner Avenue San Jose, CA 95125 Mr. Thomas A. Green GE Nuclear Energy M/C 182 175 Curtner Avenue San Jose, CA 95125 Mr. W. Glenn Warren BWR Owners Group Chairman Southern Nuclear Company 42 Inverness Parkway P.O. Box 1295 Birmingham, AL 35201 Project No. 691

LIST OF ATTENDEES MEETING BETWEEN BWROG AND NRC REGARDING SAFETY RELIEF VALVES/LOW PRESSURE SYSTEMS APRIL 25, 2000 AIFFII IATICINI Edward Connell NRR/DSSA/SPLB Leon Whitney NRR/DSSA/SPLB Stephen Dinsmore NRRPDSSA/SPSB Tom Gorman PPL/BWROG Glenn Warren SNC/BWROG Jim Kenny PPL/BWROG Gordon Brastad ENERGY NW/BWROG George Stramback BWROG/GE Steve Hardy CP&L/BWROG J. E. Lechner NPPD/BWROG Singh Amarjit NRC/ACRS David Parker SC/BWROG Joe Ribeiro DE&S/BWROG Bob Daley Entergy/BWROG Fred Emerson NEI Eric Weiss NRRJDSSA/SPLB Robert Pulsifer NRRJDLPM Geary S. Mizuno OGC John N. Hannon NRR Jeff Holmes NRR MklA IA I:

NRC & B WROG Meeting White Flint, Md.

Use of SRVs &Low Pressure Systems for Appendix Post-FireSafe Shutdown April25, 2000 I

R (D

C-)

C-'

Agenda Introduction Discussion of

"* Regulation

"* System Selection

"* SER History m Summary El Criteria

Introduction q

BWROG Position:

e The use of Systems for SRVs and Post-Fire Low Pressure Safe Shutdown is within the original BWR basis, is technically accep design

'table and a safemeans of achieving shutdown.

I is

Introduction i BWROG

• SRVs Position:

and Low requi

,dundý R doc

[Continued]

Pressure Systems rrements of Appendix ant System.

is not limit BWRs to the use of High PressureSystems in meeting the requirements of GIl and Sections 2.

I meets thE Rasa RE Appendix Ill-

Introduction We are 11 m We have

'Pressure Fire Safe

- The Posi I

iot asking for always used Systems for a change.

SRVs I/IING. I

& Low Shutdown (Redundant).

Yon Paper on SR Vs &LPS explains our basis.

2 Post-

Introduction ImportantPoints from BWROG GE-NE-T43-00002-O0-03 Rev.

Report I

• BWRs used SRVs &LPS for Redundant Post-FireSafe Shutdown

• Previously Accepted by NRC e Failure to recognize as could presents a acceptable significant burden to BWRs [$0.2 to $20.0 million]

I A

RegulationDiscussion Redundant Safe

• Cold vs. Alternative Post-Fire Shutdown vs. Maintaining Hot Shutdown m Loss of Offsite Power (LOOP)

Assumption

• Section m Changes Protection III.L to Requirements the Approved Plan I

Fire

Redundant VS. Alternative Determination The Redundant Shutdown Methodology must be able to achieve and maintain cold shutdown using cold shutdown equipment repairs,if necessary.

m Cables and equipment for one Redundant Safe Shutdown Path are to be separated by one of the separation techniques described in Il. G.2, including requirements for fire detection and suppression,as appropriate.

I

Redundant vs. Altern Determination iative Alternative Shutdown:

• is used when separation in accordance with Ill. G. 2 cannot be provided for a Redundant Shutdown Path.

0 must be independent of the area,room or zone under consideration.

0 Fire Detection & Fixed Suppression are required for alternative shutdown, except for NUREG 0800 Plants.

I

Redundant vs. Alternative Determination

.n Alternative Shutdown is determined based Son the inability to satisfy the separation requirements of !!!. G. 2 and is not determined based on the systems selected to achieve and maintain safe shutdown.

• SRVs + LPS can meet the separation requirements of Ill. G. 2 using raceway fire barriers and suppression and detection, as necessary.

I

Redundant vs. Alternative Determination When I accordý l//.G.2, safety c

)RVs + LPS are separated

]nce with the requirements they assure that the health if the public in of and will be protected.

111G.1 Fire protection eatures shall be provided for structures,

systems, and components important to safe shutdown

[i EII.G..2 Ensure that one of the redundant trains is free of fire damagce(*) by one of the following:

--'V One train of systems necessary to achieve and maintain hot shutdown is free of fire damaqe(*)

Are the cables or equipment located es-within the same fire area outside of primary containment?

Systems necessary to achieve and maintain cold shutdown can be 7/

repaired within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Identify and locate the cables and equipment, including associated non safety circuits that could prevent operation or cause maloperation due t

hot shorts, open circuits, or shorts to

ground, of redundant trains of system!

necessary to achieve and maintain ho shutdown.

.



["~Ir ieparation and associ redunda distance of tervening c

"rNO 4,

4r oatld n n-aet uits o

nciosure of cable and equipmen S Separation of cables and ated on-saety ircuis ofand associated non-safety circuits

/ equipment and associated non nt trains by a horizontal of one redundant train In a fire safety circuits of redundant trains more than 20 feet with no by a fire barrier having a 3-hour combustible or fire hazards.

barrier having a 1-hour rating ratin

!:?

J Ensure that fire detectors andJ;i Does the protection of systems whose*'

• Ian automatic fire suppression funtio Is-reure o

hot shutdown satis,!fy*

s y s te m is in s ta lle d in th e a re a.

'i*-*....

th e re q u ire m e nt o f 111.0.2 ?...

D for"1111II.G3.3 Alternative or dedicated shutdown i

• efer to: Appendlix a

the aaiiyadisascae icis

,ecuirement~s of Alternativel/

independent of

cables, systems or Dedi~icatedi Shutdown

!:components in the

areas, room or zone Ii:i Capailit.:

.under consideration, shall be provided.

J*!

1) Iree of fire damage is achieved when the structure, system or component under consideration a capable of performing its Intended function during and after the postulated

fire, as needed.

It ay perform this function automatically, by remote

control, or by manual operations.

.. ) Exemptions, Deviations or GL 88-10 Evaluations with 10CFR50.59 Safety Determinations may e developed as necessary.

(***) For simplicity, the mitigation options for Inside non-inerted containments have been omitted froh this diagram.

Done Y

3o I

,i I

f I

fchieving Cold Shutdown v Maintaining Hot Shutdown IlL G. I allows Maintaining Hot Shutdown while Cold Shutdown Repairs are completed.

Maintaining Hot Shutdown is not a more desirable condition than achieving Cold Shutdown.

m "... Cold Shutdown is the Ultimate Safe Shutdown Condition..."(Appendix R Statement of Considerations)

'0 I

LOOP Assumption

• Prior to 1994 Utilities understood that assuming a LOOP was required for Post-Fire Safe Shutdown governed by both ///. G. I & 2 and ///.G.3 m NRC Clarification in 1994

"* Assumption applies to Ill. G.3 only

"* Offsite Power may be credited in IlI.

I & 2 areas unless the fire causes a LOOP

Section III.LRequirements Section 1111 PerformanceGoals do not applb Secti m Secti safe III. GM Cont

' to redundant safe shutdown under bon IIl. G. I & 2.

'on lll.L applies to the alternative shutdown option under Section 3 (Court of Appeals decision. on iecticut Light and Power).

Changesto Approved Fire ProtectionPlan All Plants with a Standard License Condition

• Use 50.59 Process Changes cannot "...adversely affect the ability to achieve and maintain safe shutdown in the event of a fire."

m Changes must consider all Fire Protection Requirements including those related to automatic suppression, fire detection and fire barriers used to protect redundant safe shutdown raceway.

I' i

System Selection Criteria NRC Generic Letter 81-12 suggested use of ECCS and RCIC Systems for Post-Fire Safe Shutdown. [G.L. 81-12 Section 8.(k) also]

The LOOP Assumption required the use of ECCS, including SRVs and Low Pressure Systems, and RCIC Systems.

ECCS and RCIC Systems are Redundant to each other and we used whatever was least affected by the fire.

System Selection Criteria NUREG 0050 states that the the when coupled SRVs with low pressure pumping are redundant alternatives to RCIC and HPCI.

m SECY 83-269 states that the use of ADS and achieving LPCIis an approved means of and maintaining shutdown conditions.

safe

System Selection Criteria NRC Inspection Procedure 64100 states

"...For BWRs, the NRC has approved partial short-term core recovery using the automatic depressurization system (ADS) and low pressure coolant injection system (LPCIS).

Note that this option eliminates the need for the hot shutdown maintenance capability of Section III. G. 1.a of Appendix R."

System Selection Criteria There is no regulatory requirement that restricts the use of ECCS and RCIC Systems in support of Post-Fire Safe Sections II1. G. I Shutdown under

&2.

m Disallowing the use SRVs and LPS in support of Post-Fire Safe Shutdown under Sections

///. G. I & 2 is equivalent to requiring that Post-Fire Safe Shutdown be accomplished using High Pressure Systems.

only

!i!

System Selection Criteria l Appendix not limit BWRs as currently written, to the use of does only High Pressure Systems.

SER History 7r i Foreword m Review of Specific Licensee Submittals and NRC Interactions

Summary Parking Lot Items

• Actions Items m Schedule for Action Items

Summary SRVs and Post-FireSafe LPS for Shutdown:

"* Meets the regulation

"* Is safe

• Has been previouslyaccepted

• Is consistent with what BWRs have done Using III

- GMI &2 00 I

Summary Failure by NRC Position on this

• Will represent a to accept significant the BWROG burden to BWRs [$0.2 to $20.0 million].

• Will require an analysisin accordance IOCFR50.

I issue:

with 109.

ISSUES Definition of Terms - Redundant, Alternative, Dedicated, Backup, Normal, Preferred, Etc.

Previous Staff Approvals, Positions, Interpretations Applicability of III.L Performance Criteria to III.G

• Safety Margin, Risk Insights Resolution of GL 92-08, Thermo-Lag Fire Barriers BWROG August 1999, Topical Reports on ADS/ Low Pressure

• Path Forward

TERMS Redundant - Not defined in 50.48, App. R or App. A.

Tech Specs - LPS Redundant/Diverse for LOCA, 12 Hour Action Mode 3 if both HPCI/RCIC Inop Alternative/Dedicated - Defined in App. R footnote Backup - Not defined Normal - NPRM for App. R (45 FR 36087)

GL 86-10 Preferred - GL 86-10 12/3/82 Rubenstein to Mattson If ADS/LPS Not Alternative SD What Is?

Previous Staff Approvals 50.48 (c)(5)

GL 81-12 Examples of Licensee Submittals Exemptions Granted

Applicability of III.L Criteria to III.G IIL.L linked to III.G.3 (D.C. Circuit., 1982)

IN 84-09 III.L.6 Exclusions are NOT repeated in III.G (e.g. Single Failure Criteria)

GDC 34 (RHR) & GDC 35 (ECCS) require assuming a single failure for performing safety function

Safety Margin/Risk Insights IIl.G.3.b - Fire Detection & Fixed Fire Suppression Systems Loss of HP Makeup Capability Loss of Makeup Sources Single Failure Vulnerability MOV Fails to Position 1E-02/Demand (NUREG 1363)

Motor Driven Pump Fails to Continue to Run 2.4E-04/Hr (NUREG 5499)

Frequency of Initiating Event Medium Break LOCA - 4E-05/yr (NUREG CR/5750)

Fire - 3.3E-01/yr (AEOD Special Study)

GL 92-08 Thermo-Lag March 3, 1993, Chairman Selin's Testimony to House of Representatives Subcommittee on Oversight & Investigations September 9, 1994, Letter from Chairman Selin to The Honorable John Dingell, Chairman November 16, 1994, Letter from Chairman Selin to The Honorable John Dingell, Chairman "NRC is requiring that all commercial nuclear power plants with Thermo-Lag fire barriers return to compliance with existing NRC fire protection regulations."

BWROG August 1999 Position Papers "The specific process variables of concern and a clear definition of the condition described as "a loss of normal a.c. power" is not contained in the various regulations and guidance documents. As a result, the requirements for this condition are left to interpretation." (Page 12 of 30)

"The risk, assessed in terms of Core Damage Frequency (CDF) and Larege early release frequency (LERF),

associated with using SRV's and Low pressure Systems as a redundant safe shutdown methodology is as low or lower than when using a high pressure safe shutdown methodology." (Page 25 of 30)

Attachment B provides Core & Downcomer Level, PCT information only. Other Process Parameters Not Included (e.g. RCS Temp/Cooldown Rate, Supp Pool Temp).

Assumptions/Bounding Information Not Included.

"During normal operation and anticipated operational occurrences (AOOs), the intent of the BWR design is to maintain hot shutdown conditions if power operation is interrupted, with options available to the operators to proceed to cold shutdown, if needed. For abnormal events, such as an Appendix R fire, the BWR design is intended to provide several ways for automatic logic or manual operator actions to achieve the safest reactor condition cold shutdown as soon as practical." (Page 4)

Path Forward Restore/Maintain HP Makeup Capability Rulemaking (e.g. NFPA 805)

Exemptions New Interpretation (e.g. Reg Guide)

April 18, 2000 MEMORANDUM TO:

FROM:

Eric W. Weiss, Section Chief Plant System Branch Fire Protection Engineering and Special Projects Section Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation Mark P. Rubin, Section Chief IRA!

Safety Program Section Probabilistic Safety Assessment Branch Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation

SUBJECT:

BOILING WATER REACTOR OWNERS' GROUP (BWROG)

APPENDIX R FIRE PROTECTION COMMITTEE POSITION ON SAFETY RELIEF VALVES (SRVs) AND LOW-PRESSURE SYSTEMS (LPS) USED AS "REDUNDANT" SHUTDOWN SYSTEMS UNDER APPENDIX R (TAC NO. MA4745)

Responding to your request, the Probabilistic Safety Assessment Branch (SPSB) reviewed the September 1, 1999, "BWR Owners' Group Appendix R Fire Protection Committee Position on SRVs + Low-Pressure Systems Used as "Redundant" Shutdown Systems under Appendix R."

The review focused on Section 3.3 Risk Insight. All thermal-hydraulic assumptions, such as no core damage following dropping of the water level below the top of active fuel, are beyond the scope of this evaluation and considered to be valid.

The Boiling Water Reactor Owners Group (BWROG) report defines a high-pressure shutdown scenario that includes high-pressure injection (HPI) with either high-pressure coolant injection (HPCI) or reactor core isolation coolant (RCIC) followed by shut down cooling (SDC). For convenience this is labeled the HPI/SDC scenario. SDC is defined as taking water directly from the reactor vessel, cooling it, and returning it to the vessel. The report defines a low-pressure shutdown scenario that requires no high-pressure injection but, instead, includes manual depressurization with the automatic depressurization system (ADS), followed by low-pressure injection (LPI), suppression pool cooling (SPC), and SDC. This is labeled the SRV/LPS scenario. LPI, SPC, and SDC are different alignments of the residual heat removal (RHR) system. That is, the same pumps are used with different flowpaths.

The risk evaluation submitted in the BWROG report compares a minimal success path (SRV/LPS) with a design base success path (HPI/SDC). The BWROG report observes that the SRV/LPS scenario is less likely to fail than the HPI/SDC because the SRV/LPS includes only a subset of the equipment required in the HPI/SDC. From this it is concluded that the analysis CONTACT:

Stephen Dinsmore, SPSB/DSSA 415-8482

Eric W. Weiss has, "demonstrated that the potential for core damage frequency (CDF) or large early release frequency (LERF) for the Low-Pressure Methodology [SRV/LPS scenario] is as low or lower than that for the High-Pressure Methodology [HPI/SDC scenario]."

The high-pressure scenario in the BWROG report appears to be incomplete because it does not include actions that would certainly be taken by plant personnel if the high-pressure injection source failed. Upon failure of HPCI and RCIC the operators would, realistically and by procedure, try the SRV/LPS scenario. The difference between SRV/LPS and SDC functions, assuming that SRV/LPS is designated "redundant," is that the SRV/LPS function must have at least one train free from fire damage for immediate use, while the SDC function may have damage that can be repaired within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The report mentions this in several places, but does not appear to discuss the implications of this difference. This is unfortunate because this appears to be the only issue that (if proven to be important such that fire protection features are subsequently added to protect SRV/LPS equipment) could support the claim that CDF and LERF are not increased and might be decreased by the changes in fire protection features allowed by designating SRV/LPS as a redundant shutdown path.

The BWROG report states that, for the SRV/LPS scenario, low pressure injection must be running in recirculation mode and the operators must manually depressurize the reactor within about 30 minutes (2109 seconds) from the beginning of the event. The probabilistic risk assessment (PRA) estimates of the probabilities of operators failing to properly implement SDC versus SRV/LPS reflect the difference in circumstances and available time. For example, the risk analysis of Peach Bottom in NUREG-4550, used 1 E-5 as the failure to properly align SDC and 1 E-2 as failure to manually depressurize the reactor using ADS. Thus, aside from any equipment failure caused directly by the fire, the assumption that the reliability of the SRV/RHR equipment and alignment is equivalent for HPI/SDC and SRV/LPS is not supported when time and circumstance is included in the evaluation. It is also unclear if one or two RHR trains are needed to simultaneously support LPS and SDC in the SRV/LPS scenario. Further, if HPCI or RCIC succeeded in the HPI/SDC scenario, many hours would be available to extinguish the fire and to develop and implement strategies to repair RHR or to provide long term cooling with other equipment. Stratagem include using other pumps to inject low pressure water and containment heat removal using containment venting.

Any actions taken that would reduce the likelihood that HPCI and RCIC would be available, without increasing the likelihood that any other function would be available, will inevitably increase risk, albeit by an unknown and possibly negligible amount. Although the difference related to "free from fire damage "for a redundant SRV/LPS versus "repairable within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />" for SDC alignment is mentioned, the BWROG submittal concludes that, "the potential for a fire effecting equipment for one or the other methodologies is the same." It appears that high pressure and low pressure injection systems at the plants are well separated and that no additional fire protection features would be needed. Only if fire protection features are installed to protect SRV/LPS equipment expected to fail due to fires would there be an improvement in the availability of the SRV/LPS function that might offset the reduced reliability of the HPI/SDC caused by removing fire protection features.

Based on the above discussion, the SPSB evaluation differs from the BWROG's report evaluation on two issues. The BWROG evaluation does not credit the use of SRV/LPS as a Eric W. Weiss backup to failed HPRI and RCIC but, to address risk, this backup should be credited. The BWROG evaluation states that the SDC and SRV/LPS functions are equally reliable, but the different time and circumstance constraints indicate that the SRV/LPS function is less reliable than the SDC function. SPSB and SPLB decided that a staff evaluation of the potential risk significance of the proposed change would be useful in defining specific issues for further discussion between the staff and the BWROG. The evaluation is summarized below and described in detail in the attachment.

EVALUATION

SUMMARY

Instead of trying to estimate a specific change in risk (which would be highly plant specific) the goal of the evaluation was to characterize fire areas, if any, where there might be a relatively large increase in risk as a result of changing fire protection feature requirements associated with designating the SRV/LPS as "redundant". The evaluation does provide an estimate of the relative difference in risk between an area assuming that there are fire protection features installed - and the same area assuming there are no fire protection features installed. If a CDF estimate for one or the other of these situations is known, the change in risk can also be estimated.

The evaluation indicates that for areas with small fire loads (e.g., a fire would only affect nearby equipment) the CDF arising from fires in the fire area may increase by less than a factor of two if existing fire protection features were removed. Such small fire loads tend to leave much plant equipment other then that required in the HPI/SDC and SRV/LPS scenarios operational and usually have very small risk associated with them. Therefore, the change in risk arising from fire areas with small loads is expected to be negligible. The evaluation also indicates, however, that for areas with large fire loads (e.g., a fire could fail most if not all equipment in the area) the CDF arising from fires in the area may increase by about a factor of ten if existing fire protection features were removed.

Specifically, the evaluation indicates that, in fire areas that have the four characteristics described below, the CDF arising from fires in the area may increase by about a factor of ten if full advantage of the differences between Appendix R requirements for redundant and alternative paths is taken.

The fire area contains cables or other equipment that would cause the loss of both HPCI and RCIC if destroyed by a fire, and does not contain equipment that would cause the direct loss of all trains of SRV/LPS if destroyed by fire.

The fire area contains equipment that would cause the loss of feedwater for more than one half hour if destroyed by a fire.

There is a large fire load (e.g., a fire could fail most if not all equipment in the area).

Either the HPCI or the RCIC equipment is protected from fires according to Appendix R requirements, and designating the SRV/LPS as "redundant" would allow the removal of these fire protection features.

Eric W. Weiss Three of the criteria are physical; that is the presence of equipment that would cause loss of HPCI and RCIC (but not SRV/LPS) if destroyed by a fire, the presence of a large fire load; and the presence of equipment that would cause loss of feedwater if destroyed by a fire. The fourth criteria is that there are currently fire protection features protecting either the HPCI or RCIC equipment because of Appendix R requirements, and that all this protection will be removed after changing the designation of the SRV/LPS to "redundant."

The absolute magnitude of any risk increase is, of course, very situation specific. The IPEEE results indicate that some areas in the plants, such a cable spreading rooms and switchgear rooms, can have CDF's around and above 1OE-6/yr including credit for detection and automatic suppression. Removal of the fire protection features from these areas could thus result in the area CDF changing from 1 E-6/yr to 1 E-5/yr, a CDF increase on the order of 1 E-5/yr.

CONCLUSION The fire protection features in areas that have the three physical characteristics identified in this technical note may be controlled by design requirements other than Appendix R. If this is the case, fire protection features could not be removed from these areas and, if the features are not removed from these areas, there is no risk impact of designating the Low Pressure Methodology as redundant.

If fire protection features are currently installed in a fire area that would no longer be required if the SRV/LPS is designated as redundant, a risk increase in these fire areas would occur if the features are removed. If there are no instillation of fire protection features to ensure that at least one train of SRV/LPS remains free from fire damage, the sum of all fire area CDF increases would be the CDF increase for the plant. If fire protection features are not currently installed in these fire areas, the estimated risk increase represent the potential risk decrease that could be obtained if the features were installed.

The evaluation in the BWROG report does not generally support the conclusion, "that there is no increased risk associated with using a low pressure shutdown methodology for redundant post-fire safe shutdown." For fire area that do not have the four characteristics identified in the evaluation, any potential risk increase is expected to be negligible. For the few fire areas that have all four characteristics, however, the potential risk increase of 1 E-5/yr per fire area would warrant further investigation. If there were several such rooms at one plant, a change that could lead to the removal of the fire suppression equipment would likely fall in the Region I Acceptance Guidelines for CDF in RG 1.174.

APPENDIX DETAILED EVALUATION An evaluation of the change in risk associated with the proposed change requires 1) the impact of the current rule on the operability of equipment following a fire, 2) the physical change at the plant arising from the proposed change in definition, and 3) the impact of that physical change on the operability of equipment following a fire 4) the impact of the change in operability of equipment on plant risk. These items are discussed below.

1.) Impact of current rule on the operability of equipment following a fire If an area through which both HPCI and RCIC equipment pass is currently designated as having SRV/LPS as an alternative shutdown means under III.G.3, the area must currently have detection and suppression in addition to 20 feet separation or a one hour barrier between the HPCI and RCIC trains. Alternatively, the trains could be separated by a three-hour barrier. The impact of this suppression, the barriers, the separation, and the lack of intervening combustibles is collectively labeled "fire protection" in this memo. The impact of the current fire protection on the operability of the RCIC and HPCI systems following a fire is assumed to be as follows (these assumptions are consistent with current fire risk analysis methods).

A.) Large fire Load Fire protection succeeds - will lose HPCI or RCIC but combination of suppression, the fire barriers, and/or the separation will protect one long enough to extinguish fire 0

Fire protection fails - will lose both HPCI and RCIC B.) Small fire load Fire protection succeeds - will lose neither HPCI nor RCIC Fire protection fails - will lose either HPCI or RCIC (whichever is closer to the fire) but small load fire will not fail both even without a fire barrier 2.) Physical change at the plant arising from the proposed change in definition Designating the SRV/LPS as a third redundant train would allow the removal of fire protection features from areas where HPCI and RCIC are considered the only two redundant trains, and from areas where SRV/LPS is credited as an alternative train. The specific physical changes are listed below.

If an area is currently designated as having SRV/LPS as an alternative shutdown means under III.G.3, the III.G.3 detection and suppression in the fire affected area could be removed by the licensee if SRV/LPS were declared to be an III.G.2 redundant shutdown means. This is potentially true for each and every area for which SRV/LPS is currently declared to be an alternative shutdown means.

If an area currently has redundant cables in it, but under III.G.2.a a three-hour fire barrier has been installed, after proper analysis to establish lack of redundant SRV/LPS interactions, the three-hour fire barrier could cease to be maintained by the licensee and removed if inconvenient.

If an area currently has redundant cables in it, but under IIl.G.2.b. 20 feet of horizontal space free of intervening combustibles exists with detection and suppression, after proper analysis to establish lack of redundant SRV/LPS interactions, the detection and suppression could be abandoned by the licensee, and the 20 feet separation could be eliminated or intervening combustibles could be introduced by plant modifications.

If an area currently has redundant cables in it, but under IIl.G.2.c a one hour wrap and detection and suppression has been installed, after proper analysis to establish lack of redundant SRV/LPS interactions, the one hour wrap and the detection and suppression could be abandoned by the licensee.

3.) The impact of that physical change on the operability of equipment following a fire Eventually, suppression and/or barriers will be abandoned such that the above areas would be identical to the "Protection fails" scenarios following a fire. It is recognized that the three-hour fire barriers and the 20-foot separation with any intervening combustible may not necessarily be removed, but, unless other regulations prevent removal, over the remaining life of a plant, design changes could be made which defeats the protection provided.

Manual suppression is implicitly credited. For areas with small fire loads manual suppression is implicitly credited by only failing either HPCI or RCIC. For areas with large fire loads, manual suppression is also implicitly credit because automatic suppression does not extinguish fires, just provides sufficient time for effective manual suppression. Equipment in areas with high fire loads and no, or failed, automatic suppression will be quickly damaged and manual suppression will not be effective.

4.) The impact of the change in operability of equipment on plant risk Event trees for small fires and large fires corresponding to the operability assumptions under 1.) above are given in Figures 1 a and 1 b, and Figures 2a and 2b. The (a) event trees were quantified for both with fire protection nominally available, and the (b) event trees without fire protection available. The following values were used to characterize the event tree events.

PROTECTION: The value used here is for the failure of automatic suppression systems. The Electric Power Research Institute's (EPRI) Fire-Induced Vulnerability (FIVE) Methodology (Reference 1) suggests a value of 5E-2 per demand which includes automatic detection, actuation, and operation of most types of suppression systems. For large fires, successful suppression will lead to loss of one train while failure of suppression will lead to lose of both trains. For small fires, successful suppression will lead to no equipment failures while failure of suppression will lead to the loss of whichever train is most exposed to the fire. Use of this 5E-2 per demand will underestimate the impact of removing three-hour fire barriers (e.g.,

greater increase in risk when removed) because the barriers are more reliable and therefore provide more protection that would be lost if removed. However, use of three-hour barriers to meet Appendix R requirements to protect redundant trains in the same fire area is apparently unusual.

HP-1 and HP-2: These event models HPCI or RCIC (whichever is protected) failing independently of the fire. Depending on the scenario, one or both trains may be failed by the fire in which case there is no branch under one, or both of these events in the event tree. Most PRA's and the Accident Sequence Precursor (ASP) models use values on the order of 2E-2/demand for the random failure of the one train HPCI and 4E-2 for the one train RCIC systems. This risk evaluation treats the two systems as nominally identical such that it does not matter if RCIC or HPCI is protected by, for example, the one-hour wrap. The BWROG report states that HPCI is manually initiated. This seems to be plant specific. In any case, high pressure injection is the preferred procedure and should have a low enough human error probability that it would not contribute to the relatively high failure on demand probability. A value of 2E-2/demand was used.

SDC: This event models the failure of shut down cooling independently from the fire.

NUREG 4550 use 1 E-5/demand as the operator failure probability to aline SDC. This alignment to SDC is performed after successful HPCI or RCIC operation and therefore many hours (up to

72) after the initial fire. The failure of Operator errors of alignment should therefore not dominate the failure of SDC. Equipment failures for low pressure injection for a nominally available RHR system tend to be on the order of 5E-4/demand as used in the ASP models. It is assumed that the fire may reduce the number of trains available. On the other hand, when high pressure injection succeeds, there is a long time to both prepare for SDC, or plan and implement alternatives. A value corresponding to the generic failure of both trains of a two train system (1 E-3/demand) was chosen. This could be two trains of RHR or one train or RHR and some other injection train that could be made available within the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

SRV/LPSI: This event models the failure of SRV/LPS function independently of the fire.

Section 3.2.1 of the September 1999, BWROG report discusses automatic depressurize in time to prevent core damage following a main steam line break (assuming the LPI is running).

Section 3.2.2, the Appendix R scenario indicates however, that the operator must initiate blowdown to be successful. Many PRA's assume that the operators will suppress auto blowdown and therefore they must eventually initiate the blowdown. It is therefore assumed that successful blowdown in the SRV/LPS path requires timely operator action. NUREG 4550 uses an operator error probability of 1 E-2 for failure of the operator to depressurize the reactor with the ADS system. These scenario require the alignment of SRV/LPS to be complete and depressurization within 35 minutes of the transient and thus no credit should be taken for recovery actions or the use of other systems. Although the equipment failure estimates are expected to be slightly higher than the long term estimates of SDC equipment failure above, the failure probability is dominated by the operator error. The value of 1 E-2 is chosen.

-4 All calculations are done assuming a fire in a given area. That is, the estimates are core damage probability conditional on a fire in a given area. As illustrated by the figures, the following results are obtained Small fires loads with fire protection in place:

Small fire loads with fire protection removed:

Large fire loads with fire protection in place:

Large fire loads with fire protection removed:

1.OE-3 core damage probability given a fire 1.2E-3 core damage probability given a fire 1.7E-3 core damage probability given a fire 1.OE-2 core damage probability given a fire This indicates that removing the fire protection from areas with small fire loads has a negligible impact on the conditional core damage probability. Removing fire protection from areas with large fire loads may increase the conditional core damage probability by a factor of ten.

Because the frequency of fire initiation is not affected by the fire protection features, the CDFs for each area would increase by the same factors.

REFERENCES 1.)

Fire-Induced Vulnerability Evaluation (FIVE), EPRI TA-1000370, April, 1992