NRC Fire Protection Training Materials

ML013370302
Person / Time
Issue date:	11/29/2001
From:	Hannon J Division of Systems Safety and Analysis
To:	Marion A Nuclear Energy Institute
References
FOIA/PA-2003-0358
Download: ML013370302 (13)
v • d • e

Text

November 29, 2001 Mr. Alexander Marion Director, Engineering Nuclear Energy Institute Suite 400 1776 I Street, N.W.

Washington, D.C. 20006-3708

SUBJECT:

NRC FIRE PROTECTION TRAINING MATERIALS

Dear Mr. Marion:

On November 27, 2001, at the NEI licensing forum, in Baltimore, Maryland, you requested a copy of the training material, for manual actions, provided to NRC inspectors. Please find enclosed a white paper on this subject. Mr. Fred Emerson of your staff also requested a copy of fire dynamics calculation that was demonstrated by the NRC at the NEI Fire Protection Information Forum in October. Please find enclosed a floppy disk containing the template for performing fire dynamics calculations. The methods on this disk are still under development and may contain errors. Those methods also require that they be applied within the limits of the validity of their correlations.

Sincerely,

/RA/

John N. Hannon, Chief Plant Systems Branch, Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission

Enclosures:

As Stated

November 29, 2001 Mr. Alexander Marion Director, Engineering Nuclear Energy Institute Suite 400 1776 I Street, N.W.

Washington, D.C. 20006-3708

SUBJECT:

NRC FIRE PROTECTION TRAINING MATERIALS

Dear Mr. Marion:

On November 27, 2001, at the NEI licensing forum, in Baltimore, Maryland, you requested a copy of the training material, for manual actions, provided to NRC inspectors. Please find enclosed a white paper on this subject. Mr. Fred Emerson of your staff also requested a copy of fire dynamics calculation that was demonstrated by the NRC at the NEI Fire Protection Information Forum in October. Please find enclosed a floppy disk containing the template for performing fire dynamics calculations. The methods on this disk are still under development and may contain errors. Those methods also require that they be applied within the limits of the validity of their correlations.

Sincerely,

/RA/

John N. Hannon, Chief Plant Systems Branch, Division of Systems Safety and Analysis Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission

Enclosure:

As Stated DISTRIBUTION:

ADAMS PDR SPLB r/f JHannon EWeiss MSalley PQualls JBirmingham DOCUMENT NAME: NEI LTR ON INSPECTOR TRAINING MATERIALS. WPD OFFICE SPLB:DSSA:NRR SPLB:DSSA:NRR SC:SPLB:DSSA BC:SPLB:DSSA NAME PQualls:bw MSalley EWeiss JHannon DATE 11/29/01 11/29/01 11/29/01 11/29/01

/ /01 OFFICIAL RECORD COPY

Enclosure NRC/NRR/REGIONS I, II, III, IV QUARTERLY WORKSHOP November 14, 2001 THE USE OF MANUAL OPERATOR ACTIONS FOR ACHIEVING AND MAINTAINING FIRE SAFE SHUTDOWN INTRODUCTION:

We are going to discuss a complex issue with an interesting regulatory past and hope to remove some of the current confusion. If nothing else, the various guidance provided here should aid the inspector in evaluating manual actions found during the inspection process.

MANUAL ACTIONS WHY IS THE NRC CONCERNED?

WHAT IS THE BACKGROUND AND HISTORY?

INFORMATION THAT AN INSPECTOR NEEDS TO LOOK AT WHEN REVIEWING A LICENSEES MANUAL ACTIONS.

IMPORTANCE OF DIAGNOSTIC INSTRUMENTATION.

THE CONCERN From a safety system engineering perspective, multiple, complex manual actions appear to present a failure probability greater than having redundant safe shutdown trains separated by the Appendix R, III.G.2 criteria with plant operation and control remaining in the control room.

NFPA 805, also notes that where manual operator actions are relied on to provide the primary means of recovery in lieu of providing fire protection features, risk may be increased From a risk perspective, a consultant has recently provided risk information to the office of Research which shows that multiple manual actions could, (based on risk insights), result in an unacceptable low probability of accomplishment of safe shutdown. Multiple manual actions, in a fire area, can result in being a significant contributor to fire induced CDF. Regional risk analysts can further discuss this with Dr. Hyslop. NFPA 805, also noted that where manual operator actions are relied on to provide the primary means of recovery in lieu of providing fire protection features, risk may be increased.

Recent inspection have found that some licensees have taken manual actions to the extreme interpretation such no wrap is provided with operators solely relying on responding to the mal-operations after they occur in III.G.2 fire areas. This condition is similar to the condition Browns Ferry was in prior to the 1975 fire. This method is recognized for Alternative SSD for associated circuits in GL 81-12.

2 A hypothetical example (similar to an actual finding):A licensee program failed to protect the control cables for the charging system pumps or required MOVs. Their argument was that if one train of charging pumps was lost, then the other train pump would be manually started and controlled. However, both trains of charging pump and MOV control cables were unprotected in various fire areas and in close proximity to each other. A single fire that caused loss of one could adversely affect the other.

BACKGROUND REGULATIONS 10 CFR 50.48 backfit 10 CFR 50, Appendix R, Sections III.G, III.J, and III.O, on all reactors licensed to operate prior to January 1, 1979 For plants licensed to operate after January 1, 1979, the identical guidance was put into NUREG-0800, Standard Review Plan. This guidance was to be incorporated during the initial licensing process.

INSIGHTS TO REGULATIONS Appendix R does NOT offer manual actions as an acceptable alternative to comply with the separation requirements of Section III.G.2 of Appendix R. Supplementary guidance to GL 81-12 DOES allow manual actions for associated circuit resolution for Alternative Shutdown.

During the Appendix R program initial review process, the staff approved, via the deviation and exemption process specific manual actions at most utilities on a case by case basis.

During the Thermo-Lag 330-1 resolution activities of the 1990's many utilities, incorporated manual actions to support the removal of the electrical raceway fire barrier system (ERFBS) material WITHOUT prior staff review and approval. This was done using the licensee interpretation of the standard license condition and concluding that the manual actions did NOT adversely affect the ability to achieve safe shutdown.

All of the relevant guidance provided by the staff concerning manual actions were in documents specifically addressing Alternative Shutdown.

GL 81-12 Clarification letter allows manual actions in lieu of protecting associated circuits if a licensee can: detect and defeat the spurious actuation. This will be further developed in later discussion.

It appears that NEIs ongoing effort to resolve associated circuits, NEI 00-01 DRAFT, Rev C, lists manual actions, with no further criteria, as an acceptable solution to comply with Appendix R, III.G.2 criteria.

3 LICENSING BASIS - INSPECTOR GUIDANCE At the beginning of a triennial fire protection inspection, a mutual understanding should be reached with a licensee concerning the licensing basis for their facility. One potential approach is to bring the topic up early (like at an entrance meeting) and say "I consider your licensing basis to be the documents described in 10 CFR 54. If you have basis for a different definition, we need to know this at the beginning of the inspection effort."

10 CFR 54.3 gives the agencies definition of "Current Licensing Basis" (CLB) as used in license renewal. It would make no sense to use a different definition during an inspection.

"Current licensing basis (CLB) is the set of NRC requirements applicable to a specific plant and a licensee's written commitments for ensuring compliance with and operation within applicable NRC requirements and the plant-specific design basis (including all modifications and additions to such commitments over the life of the license) that are docketed and in effect. The CLB includes the NRC regulations contained in 10 CFR Parts 2, 19, 20, 21, 26, 30, 40, 50, 51, 54, 55, 70, 72, 73, 100 and appendices thereto; orders; license conditions; exemptions; and technical specifications.

It also includes the plant-specific design-basis information defined in 10 CFR 50.2 as documented in the most recent final safety analysis report (FSAR) as required by 10 CFR 50.71 and the licensee's commitments remaining in effect that were made in docketed licensing correspondence such as licensee responses to NRC bulletins, generic letters, and enforcement actions, as well as licensee commitments documented in NRC safety evaluations or licensee event reports."

Appendix R Section III.G states:

"G. Fire protection of safe shutdown capability.

1. Fire protection features shall be provided for structures, systems, and components important to safe shutdown. These features shall be capable of limiting fire damage so that:

a. One train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage; and

b. Systems necessary to achieve and maintain cold shutdown from either the control room or emergency control station(s) can be repaired within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

2. Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided:"

a. Separation of cables and equipment and associated non-safety circuits of redundant trains by a fire barrier having a 3-hour rating. Structural steel forming a part of or supporting such fire barriers shall be protected to provide fire resistance equivalent to that required of the barrier;

4

b. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustible or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; or

c. Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour rating, In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area;

3. Alternative or dedicated shutdown capability and its associated circuits, {2} independent of cables, systems or components in the area, room or zone under consideration, shall be provided:

l{2} Alternative shutdown capability is provided by rerouting, l relocating or modificating of existing systems; dedicated l shutdown capability is provided by installing new structures l and systems for the function of post-fire shutdown.

a. Where the protection of systems whose function is required for hot shutdown does not satisfy the requirement of paragraph G.2 of this section; or

b. Where redundant trains of systems required for hot shutdown located in the same fire area may be subject to damage from fire suppression activities or from the rupture or inadvertent operation of fire suppression systems.

It is important for the inspector to understand the origins of this requirement. In the Statements of Consideration for Appendix R, the basis for III.G.2 was provided.

STATEMENT OF CONSIDERATIONS FOR 10CFR50.48 AND 10CFR PART 50, APPENDIX R FR 76606, Vol. 45 No. 225, November 19, 1980:

"G. Protection of Safe Shutdown Capability Technical Basis. The objective for the protection of safe shutdown capability is to ensure that at least one means of achieving and maintaining safe shutdown conditions will remain available during and after any postulated fire in the plant. Because it is not possible to predict the specific conditions under which fires may occur and propagate, the design basis protective features are specified rather than the design basis fire. Three different means for protecting the safe shutdown capability outside of containment are acceptable. The first means is separation of redundant safe shutdown trains and associated circuits by means of 3-hour fire rated barriers. The second means is a combination of separation of redundant safe shutdown trains and associated circuits by a 1-hour fire rated barrier and automatic fire suppression and detection capability for both redundant trains. The third means, which may be used only when redundant trains and associated circuits are separated by 20 feet or more of clear space, requires automatic fire suppression and detection systems in the area. An alternative or dedicated safe shutdown capability independent of the fire area is required if fire protection for safe shutdown capability cannot be provided as outlined above.... "

5 Understand also that a "statement of consideration" provides insights into the regulation but is NOT legally enforceable on its own.

Recently a licensee stated that the NRC had provided old guidance, concerning Appendix R, that manual actions were adequate and that by meeting III.G.1 (one train free of fire damage) they were not required to meet the requirements of III.G.2. No specific reference was cited.

Our review of early NRC guidance given in GL 81-12 would tend to contradict the licensees view.

SUBJECT:

FIRE PROTECTION RULE (45 FR 76602, NOVEMBER 19, 1980) -

Generic Letter 81-12 Paragraph 50.48(b) of 10 CFR Part 50, which became effective on February 17, 1981, requires all nuclear plants licensed to operate prior to January 1, 1979 to meet the requirements of Section III.G, III.J and III.O of Appendix R to 10 CFR Part 50 regardless of any previous approvals by the Nuclear Regulatory Commission (NRC) for alternative design features for those items. This would require each licensee to reassess all those areas of the plant "... where cables or equipment, including associated non-safety circuits, that could prevent operation or cause maloperation due to hot shorts, open circuits or shorts to ground or (sic) redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment..."* to determine whether the requirements of Section III.G.2 of Appendix R are satisfied. If not, the licensee must provide alternative shutdown capability in conformance with Section III.G.3 or request an exemption if there is some justifiable basis. "

The complexity of associated circuits was also addressed by additional guidance in the supplement to Generic Letter 81-12. Please note that this section does not apply to circuits of systems REQUIRED for SSD, This guidance is specifically in the section concerning Associated Circuits for Alternative Shutdown (III.G.3). This generic letter guidance would also conflict with the requirement, as stated in the regulation, if the licensee applied it to redundant train safe shutdown circuits.

In paragraph B., Associated Circuits, the Supplemental Guidance states:

"The shutdown capability may be protected from the adverse affect of damage to associated circuits of concern by the following methods....

2.b.3 provide a means to detect spurious operations and then procedures to defeat the maloperation of equipment (e. g.., closure of the block valve if PORV spuriously operates, opening of the breakers to remove spurious operation of safety injection)."

Please also note that the paragraph above involves either a control room manipulation or an operator performing a breaker manipulation, using installed plant equipment. Also, implicit in this allowance is that the reactor not exceed the bounds of compliance (e.g. the III.L performance criteria) in the time needed to recognize the maloperation and take corrective actions. The performance goal for this would be Hot Shutdown conditions (as defined by that plants technical specifications) for a III.G.2 area or the performance criteria listed in Section III.L of Appendix R for Alternative Shutdown areas. Also, if multiple circuit failures may occur, the licensee should be able to justify why they do not occur simultaneously.

6 Another common presumption used by licensees in an attempt to justify manual actions is the guidance provided in GL 80-10 concerning "Free of Fire Damage". Some licensees will put forth the argument that this was intended to approve use of manual actions Generic Letter 86-10 defines "Free of Fire Damage" in interpretation 3.

"3. Fire Damage Appendix R to 10 CFR Part 50 utilizes the term "free of fire damage." In promulgating Appendix R, the Commission has provided methods acceptable for assuring that necessary structures, systems and components are free of fire damage (see Section III.G.2a, b and c), that is, the structure, system or component under consideration is capable of performing its intended function during and after the postulated fire, as needed. Licensees seeking exemptions from Section III.G.2 must show that the alternative proposed provides reasonable assurance that this criterion is met.

(Note also that Section III.G.2 applies only to equipment needed for hot shutdown. Therefore, an exemption from III.G.2 for cold shutdown equipment is not needed. The term "damage by fire" also includes damage to equipment from the normal or inadvertent operation of fire suppression systems."

The basis for the fire damage definition is discussed in SECY 306/306B dated March 7, 1986.

The clarification was provided in Generic Letter 86-10 because licensees were not including fire suppression damage as fire damage. This clarification was needed to ensure that licensees were considering fire suppression damage as fire damage. There is NO mention of manual actions as an acceptable alternative in either the generic letter or in the SECY letter which provided background for the generic letter.

WHAT SHOULD AN INSPECTOR LOOK FOR WHEN REVIEWING MANUAL ACTIONS (MAs)

Listed below is a list of suggested questions the inspector may wish to ask the licensee. Please note that this is NOT and all inclusive list. Also note that not all may be licensing basis requirements but may be needed for risk determination if a finding exists.

Was the MA previously approved by the staff? Refer to specific approval in the licensing basis.

Is the MA a manual valve operation or switch manipulation to prevent maloperation, or to achieve SSD, or is the MA done in response to a maloperation (spurious actuation)? Is it a REQUIRED circuit or an ASSOCIATED circuit?

RG 1.189 notes that manual operation of valves, switches, and circuit breakers is allowed to operate equipment and isolate systems that are normally manually operated. In order, to perform some system lineups, not all control was provided in the control room. The guidance allows manual operation for SSD where the normal operation of the components was achieved normally by manual operation.

7 Several issues should be reviewed by the inspector for all MAs questioned. Some of these are deterministic performance criteria and will need to be evaluated by the inspector, while others are information that may be required by a risk analyst to perform a risk evaluation. These include:

How can the licensee DETECT that a mal-operation occurred? (NOTE: Most licensees read the guidance in IN 84-09 and protected ONLY those circuits specified in 84-09.). Annunciators, indicating lights, pressure gages, and flow indicators are among those instruments typically not protected and thus should not be credited.

How can the licensee DEFEAT the mal-operation prior to unrecoverable conditions occurring?

How many MAs are required to accomplish SSD?

How many locations have MAs required? If coordination is required then communications capability must be considered.

How complex are the MAs? Are special tools and training required? Are the tools dedicated and placed in a nearby location? Is the training adequate and current?

Are the MAs in the fire affected area or in an area that may be affected by smoke, toxic combustion products, or hot gas?

If normal lighting can be lost due to the fire, is emergency lighting provided?

Accessability should be reviewed. Is a ladder need? Is a containment entry needed? Can an operator even reach the required location?

Can the MA be accomplished before unrecoverable conditions occur based on the licensees thermo-hydraulic timeline?

Is staffing adequate? Have operators been trained on special manual actions?

Is procedural guidance adequate? Have operators been trained on the procedure?

Have the MAs been verified and validated by plant walkdowns using the current procedure? Who performed the walkdowns? Were the walkdowns timed to assure accomplishment within required timeframes specified in the plants safe shutdown analysis?

DIAGNOSTIC INSTRUMENTATION Section IX of attachment I to IN 84-09 lists instrumentation thought to be needed for ALTERNATIVE shutdown. It states:

"The following lists provide the minimum monitoring capability the NRC staff considers necessary to achieve safe shutdown:

8 Instrumentation Needed for PWRs

a. Pressurizer pressure and level.

b. Reactor coolant hot leg temperature or exit core thermocouples, and cold leg temperature.

c. Steam generator pressure and level (wide range).

d. Source range flux monitor.

e. Diagnostic instrumentation for shutdown systems.

f. Level indication for all tanks used (e.g., CST).

Instrumentation Needed for BWRs

a. Reactor water level and pressure.

b. Suppression pool level and temperature.

c. Emergency or isolation condenser level.

d. Diagnostic instrumentation for shutdown systems.

e. Level indication for all tanks used."

(bold added to highlight for training purposes)

Generic Letter 86-10, interpretation 1 provides the following guidance for instrumentation for Alternative Shutdown.:

"1. Process Monitoring Instrumentation Section III.L.2.d of Appendix R to 10 CFR Part 50 states that "the process monitoring function shall be capable of providing direct readings of the process variables necessary to perform and control" the reactivity control function. In I&E Information Notice 84-09, the staff provides a listing of instrumentation acceptable to and preferred by the staff to demonstrate compliance with this provision. While this guidance provides an acceptable method for compliance with the regulation, it does not exclude other alternative methods of compliance. Accordingly, a licensee may propose to the staff alternative instrumentation to comply with the regulation (e.g., boron concentration indication). While such a submittal is not an exemption request, it must be justified based on a technical evaluation".

Generic Letter 86-10 also address diagnostic instrumentation:

"5.3.9 Diagnostic Instrumentation

9 QUESTION What is diagnostic instrumentation?

RESPONSE

Diagnostic instrumentation is instrumentation, beyond that previously identified in to I&E Information Notice 84-09, needed to assure proper actuation and functioning of safe shutdown equipment and support equipment (e.g., flow rate, pump discharge pressure). The diagnostic instrumentation needed depends on the design of the alternative shutdown capability. Diagnostic instrumentation, if needed, will be evaluated during the staff's review of the licensee's proposal for the alternative shutdown capability."

BRIEF EXAMPLE The following example will serve to illustrate the importance of diagnostic instrumentation.

Suppose the licensee may have protected only the instrumentation needed to show conformance to IN 84-09. If, due to lack of circuit protection, the licensee has to respond to a mal-operation, additional diagnostic indication must be sufficient for the operator to direct the correct response.

For example; With the minimum indications, the operator observes the Pressurizer level decreasing.

What caused it? Potential causes could include spurious closure of a in-line motor operated valve, and if so, which MOV? Is a pump lost? Has a bypass valve opened? Has a PORV or head vent opened? Is a plant cooldown occurring due to steam loss? Has something else happened? It should be clear that additional diagnostic instrument would be needed to answer these questions. This information should be a part of the licensees fire protection safe shutdown analysis.

SUMMARY

In summary, the Regional Inspectors should understand the following:

Most nuclear power plants have manual actions that have been reviewed and approved by the staff. However, manual actions in excess of what has been previously approved by the staff, or that have never been approved have been found in recent inspections.

Some system operations and some normal system alignments may require manual actions. These activities differ from responding to a mal-operation due to not complying with the regulatory fire protection separation requirements.

10 The use of manual actions to satisfy the requirements of Appendix R,Section III.G.2 has not been accepted by the staff in prior generic guidance for REQUIRED components and cables..

For redundant (III.G.2 fire areas) safe shutdown, the regulations require that manual actions, necessary to respond to a mal-operation (spurious actuation), receive prior review and approval by the staff in the exemption/deviation process.

Manual actions may result in higher or unacceptable risk to the plant.

Inspectors need to review all manual actions to ensure that a licensee is capable of performing the action within the time needed by the plant response.

CONCLUSION Manual actions have not been accepted, without prior approval, in lieu of complying with the separation requirements of Appendix R,Section III.G.2, for required equipment. When manual actions are identified during an inspection, the inspectors should review the manual actions to determine if they can be performed and if they have had prior staff review and approval. The use of manual actions, in lieu of protecting circuits appears to increase the risk associated with a fire in a fire area.

MANUAL ACTION EVALUATION EXAMPLE FOR CLASS DISCUSSION PROBLEM STATEMENT During an inspection at a nuclear power station, the inspection team noted while performing a review of the fire procedure for fire area A-4, that the procedure directs operator to manually start an Auxiliary Feedwater Pump. Licensee management states that they believe that this is OK. A review of the approved fire protection program determines that the fire area is NOT an Alternative Shutdown area. According to the licensees Safe Shutdown Analysis (SSA) control cables for both AFW pumps and suction valves are in the FA and could potentially be affected by the same fire.

QUESTION What actions would I as an inspector take?

SOLUTION 1.

Determine why the manual action (MA) is required.

11 For example, the team determines that the MA is required to isolate the AFW pump from a mal-operation and to prevent a mal-operation of the suction valve while the pump is operating, because adequate electrical cable protection was not provided.

2.

Review the CLB for the station.

If the MA was permitted as an NRC reviewed and approved exemption or deviation, then the MA is allowed and compliance with the NRC requirements is NOT in question. The inspector should however ensure that adequate procedures, accessibility, lighting, training, etc. are available or have been accomplished to ensure that the operators can safely perform the MA within the time required by the timeline.

If the MA has NO NRC reviewed and approved exemption, deviation, or SER, then the licensee should be cited for violating Appendix R,Section III.G.2 (for a pre-1979 unit). If the plant is a post-1979 plant, the inspector would cite against the approved fire protection program.

3.

The inspector should then review the list of inspection questions listed in the previous section, determine which are applicable, and answer them, as best as possible.

This is necessary to be able to properly assess the impact the manual action has on SSD and to address the potential increase in risk.