ML020660025

Letter Discussing Guidance for Post-Fire Safe Shutdown Analysis
Person / Time
Site: Nuclear Energy Institute
Issue date: 03/06/2002
From: Hannon J
Division of Systems Safety and Analysis
To: Marion A
Nuclear Energy Institute


Text

March 6, 2002

Mr. Alex Marion, Director
Engineering Department
Nuclear Generation Division
Nuclear Energy Institute
1776 I Street, NW, Suite 400
Washington, D.C. 20006-3708

Dear Mr. Marion:

By letter to Eric Weiss, dated October 18, 2001, you provided the NRC a copy of NEI 00-01, "Guidance for Post-Fire Safe Shutdown Analysis," Draft Revision C. You stated that NEI was not seeking formal NRC comment at this time but that you were interested in any additional comments NRC could provide before the final submittal. The staff has reviewed the draft you provided and enclosed for your use are staff comments on NEI 00-01, Draft Revision C. The staff notes that, as indicated in your October 18, 2001 letter, the informal staff comments on NEI 00-01, Draft Revision A, were not yet addressed in Revision C; therefore some staff comments may duplicate our previous comments.

We wish to bring to your attention two key points. First, the NEI 00-01 proposed resolution of the circuit analysis issue is a risk screening tool that we may be able to use as guidance for focusing inspections, prioritizing corrective actions, or finding the proper significance determination process (SDP) color. We understand that NEI 00-01 can be used within the bounds of the current deterministic regulations to identify and potentially support exemptions or deviations. Also, it may be used to implement the proposed rule which endorses NFPA 805.

Another point is that certain aspects of the NEI 00-01 methodology screen out from further analysis certain high consequence events. There are problems of statistical confidence with respect to judgements involving high consequence events where little data exist. Therefore, it may be appropriate to retain some deterministic acceptance criteria for high consequence events, i.e., not screen them out, unless an appropriate degree of rigor can be attached to the screening process. In any case, the treatment of uncertainty associated with a risk tool such as NEI 00-01 should be explicitly and carefully considered.

We believe that NEI's efforts thus far, in particular the testing performed, have been an important and valuable contribution to the understanding of fire protection circuit analysis. The attached comments are offered in the spirit of moving forward in the resolution of this significant issue. In our telephone conversation on March 5, 2002, we discussed the potential implications of our comments and agreed to meet to discuss them in the near future. We would propose that subsequent to addressing our comments it would be appropriate to get on the ACRS calendar.


I and my staff look forward to working with NEI toward completion of NEI 00-01. Please contact Mr. Mark Salley (301-414-2840) or Mr. Eric Weiss (301-415-3264) of my staff concerning questions regarding this response.

Sincerely,

/RA/

John N. Hannon, Chief
Plant Systems Branch
Division of Systems Safety and Analysis
Office of Nuclear Reactor Regulation

Project No. 689

Enclosure: As stated

cc: See list

DISTRIBUTION:

ADAMS SPLB r/f EConnell EWeiss JHannon JSHyslop GHolahan STreby DOudinot JBirmingham SMorris NSiu BSheron LWhitney MSalley DFrumkin GParry PQualls MReinhart MRubin RBarrett WBorchardt ASingh SCollins/JJohnson ISchoenfeld Internet:fae@nei.org

* See Previous Concurrences

DOCUMENT NAME: G:\\SPLB\\SECTION C - WEISS\\SALLEY\\NEI 00 01 COMMENTS R4.WPD

OFFICE: SPLB:DSSA:NRR, SC:SPLB:DSSA, DRIP:NRR, OGC, BC:SPLB
NAME: MSalley:bw, *EWeiss, *JBirmingham, *STreby, *JHannon
DATE: 02/11/02, 02/11/02, 02/11/02, 02/13/02, 03/01/02*

OFFICE: D:DSSA
NAME: GHolahan
DATE: 03/06/02

Nuclear Energy Institute
Project No. 689

cc:

Mr. Ralph Beedle
Senior Vice President and Chief Nuclear Officer
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708
reb@nei.org

Ms. Lynnette Hendricks, Director
Licensing
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708
lxh@nei.org

Mr. Anthony Pietrangelo, Director
Risk & Performance Based Regulation
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708
avp@nei.org

Mr. Fred Emerson, Project Manager
Engineering
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708
fae@nei.org

Enclosure

I. Background

Proper identification and analysis of electrical circuits is important to ensure post-fire safe shutdown due to the existence of fire-induced circuit failures (hot-shorts, open circuits, and shorts to ground) which could prevent the operation or lead to maloperation of equipment necessary to achieve and maintain post-fire safe shutdown. In a letter dated May 30, 1997, and later in a meeting on June 4, 1997, the Nuclear Energy Institute (NEI) informed the NRC Office of Nuclear Reactor Regulation that industry and NRC staff interpretations of requirements governing fire-induced circuit failure issues differ significantly. Thorough understanding is important to ensure compliance with regulatory requirements and avoid problems with licensee implementation of regulatory guidance and staff positions in this technical area. On June 3, 1999, the NRC issued Information Notice 99-17, "Problems Associated with Post-Fire Safe-Shutdown Circuit Analysis," that identifies some of these problems on a plant-specific basis.

However, in view of the reports of circuit analysis problems discussed in the IN, and a number of similar reports, the NRC staff is treating this issue generically. As a result of this ambiguity of the regulation, on November 29, 2000, the NRC temporarily suspended inspections in this area (NRC letter to Holahan from Hannon) while the staff works with industry to resolve interpretation differences.

In an effort to resolve differences between the staff and industry regarding the interpretation of regulatory requirements governing the fire protection of nuclear power plants, the NEI has undertaken a program in an attempt to resolve the issue. NEI has developed "Guidance for Post-Fire Safe Shutdown Analysis, NEI 00-01," Draft Revision C, dated October 2001, as the resolution. The NRC staff was provided a copy of the document for information. During discussions with NRC management, it was determined that it would be to everyone's benefit if the staff reviewed the draft and provided their comments to NEI. NRC staff comments and questions resulting from this review are delineated in the following sections of this report. The NEI document is organized into five major sections and seven appendices. The comments here are broken down into two groups: General Comments, that are applicable to the entire document; and Specific Comments, that are ordered by the specific section or appendix of the NEI document.

II. General Comments

1. The stated objective of Draft Revision C of NEI 00-01 in "providing a consistent process for performing a fire safe shutdown analysis" that "will meet regulatory requirements," does not appear to have been achieved for reasons described in the following NRC staff comments.

2. As stated in Section I of the NEI document, the numerous variations in plant designs have resulted in wide variation in plant-specific approaches to post-fire safe shutdown analysis. Since Appendix R was promulgated after many plants were either already operating or well past their initial design phase, it was expected that implementation of its fire protection design features may not be practical or feasible at all plants. Through a plant-specific evaluation process, the staff has approved, on a case-by-case basis, alternative approaches that were deemed to provide an equivalent level of fire safety. Staff approvals documented in safety evaluations were specifically applicable to the plant under consideration and do not represent staff endorsement of a particular approach for industry-wide application. Further, plant-specific exemptions granted in accordance with 10 CFR 50.48 and 50.12 do not constitute a new regulatory position generically applicable to all licensees.

3. In general, the NEI document quotes interpretations and criteria for industry-wide application that have been derived from alternative approaches described in plant-specific safety evaluation reports (SER) issued by the staff. For example, in Section 1.3.2 the document cites the Browns Ferry SER as a basis for its position on spurious actuations of concern to post-fire safe shutdown. Justification of industry positions and interpretations should provide a technical justification for these approaches rather than refer to plant-specific SERs, which were not intended to be applied generically.

4. The title for this document should be revised as the document discusses primarily circuit failure analysis, and is not a comprehensive guide to post-fire safe-shutdown analysis. For example, emergency lighting is not discussed. Therefore, the title should be changed to accurately reflect the subject matter; i.e., circuit analysis.

5. On page 5, the NEI guidance states that: "This approach is in concert with the principle that risk-significant failures, or combinations thereof, should be addressed and non-significant ones need not be." The origin or basis of this principle is not provided by NEI and it appears to conflict with the existing NRC fire protection regulations, guidance and Commission policy.

6. Also on page 5, the NEI guidance states that: "The methods in this document are not intended to require systematic re-evaluation of a plant's post-fire safe shutdown analysis, nor do they take precedence over specific requirements accepted by the NRC in a plant's post-fire safe shutdown analysis." This appears to allow a selective implementation of this methodology by licensees when issues related to post-fire safe shutdown are identified and to discourage intentions to use the approach to identify risk-significant vulnerabilities in a plant's safe shutdown analysis.

7. NEI 00-01 relies on a risk-based methodology to attempt to demonstrate adequate levels of safety, but the levels of uncertainty are not addressed. There could be a large enough degree of uncertainty in the analysis that could significantly change the results.

III. Specific Comments by Section

1. Section 1 Comments

1.1 Section 1.1.1 states that implementation of the deterministic methodology "will meet regulatory requirements" while Section 3 states that the methodology "meets the intent of requirements of Appendix R." During prior discussions with the staff, NEI representatives stated that the document would provide a consistent process for performing a post-fire safe-shutdown analysis in a manner that fully complies with established regulatory requirements. The difference in terminology should be reconciled.

1.2 Section 1.3.1.2 states that the licensing basis includes the FSAR, docketed commitments, SERs and inspection finding resolutions. There is a discrepancy between this statement and the licensing basis definition provided in 10 CFR 54.3(a).

1.3 Section 1.3.2 states that the only spurious operations that present a potential concern are those that can cause, (1) a loss of inventory in excess of the makeup capability, (2) flow diversion or flow blockage in the safe shutdown systems being used to accomplish the inventory control function; (3) flow diversion or flow blockage in the safe shutdown systems being used to accomplish the decay heat removal function. This makes no provisions for a safety margin. Under NEI's approach, any loss of inventory smaller than the design makeup capability would be acceptable without any further analysis. Under that approach, an un-isolated loss of coolant (i.e. high/low pressure interface) would be acceptable provided it were less than the design makeup capability. In addition, only a single spurious operation is considered, therefore two or more spurious operations that result in a loss of inventory would not be considered. This listing should also consider the spurious operations that can impact reactor coolant system (RCS) pressure control. In Generic Letter 81-12, the staff identified RCS pressure control as a required function for hot standby/shutdown.

1.4 The second paragraph of Section 1.3.2 says that spurious operations concerns are limited in number to 3 potential concerns. What is the basis for this limitation? Why is it exhaustive? [Note, for example, that pumps that are stopped are neither flow diversions nor flow blockages, yet can affect the inventory control function of the second listed cause.]

1.5 Section 1.3.5 states that power cables associated with each bus in the electrical distribution system (EDS) are identified and related to the same safe shutdown path as the EDS equipment. Does this approach include identification of instrumentation and control cables related to the shutdown path?

1.6 Section 1.3.6 states that each conductor in each cable is reviewed for the effects of a hot short, a short to ground, or an open circuit. Does this approach include the potential for multiple hot shorts, shorts to ground, or open circuits, in the safe-shutdown circuit analysis?

1.7 Section 1.3.7 introduces a new approach that suggests that mitigating the impacts to the required safe shutdown paths is an acceptable alternative to providing the protection required in Section III.G.2 of Appendix R to 10 CFR Part 50 to maintain the equipment free of fire damage. What is the basis for this interpretation?

2. Section 2 Comments

2.1 Figure 2-1: The term "Remote Control" is not defined (in section E.5.0) and manual operation using the definition in section E.5.0 does not agree with the definition used in the regulations. According to the regulations, in order to meet III.G.1 of Appendix R, actions must be performed in the control room or emergency control station(s). With regard to the definition of "Free of fire damage," Appendix R constrains it to mean that no spurious actuations occur and the safe-shutdown function may be performed automatically or manually from the control room or emergency control station(s).

2.2 Figure 2-1 indicates that "free of fire damage" is achieved when the structure, system or component is capable of performing its intended function during and after the postulated fire, as needed. It may perform this function automatically by remote control, or by manual operation. The staff's definition of "free of fire damage" states that the structure, system or component under consideration is capable of performing its intended function during and after the postulated fire, as needed, without repair. The NEI definition represents a relaxation from the current NRC regulations and guidance. The flowchart in Figure 2-1 does not address cables and equipment located inside non-inerted primary containments (i.e. III.G.2.d, e, and f of Appendix R) nor does it address the requirement in Section III.L.5 of Appendix R to be able to repair equipment and achieve cold shutdown within 72 hours when relying on alternative or dedicated shutdown capability. The last diamond in the lower right hand corner needs clarification.

2.3 Section 2-1 states that the phrase "free of fire damage" allows the operator to perform manual actions/operations of safe shutdown equipment to accomplish its required safe shutdown functions in the event the remote/automatic functions of the equipment are impacted. This position is not consistent with the existing NRC regulations or guidance. It is correct that the automatic functional capability of redundant systems is not required to be protected from a fire unless the circuits related to the automatic function of a safe shutdown system can prevent operation or cause maloperation of that system. In this instance such circuits would be considered associated circuits and would require protection in accordance with III.G.2 of Appendix R. Operator initiation of systems required to achieve and maintain safe shutdown from the control room is allowed. For redundant systems located outside containment in the same fire area, Appendix R only provides three options for ensuring that one train is free of fire damage. Manual operator actions outside the control room to recover hot shutdown/standby systems that have been impacted by the fire are not recognized as an acceptable alternative under III.G.2 of Appendix R.

This section also implies that licensees have the option of complying with either III.G.1 or III.G.2 of Appendix R. However, compliance with III.G.1 of Appendix R is required in all plant areas important to safe shutdown. Section III.G.1 of Appendix R requires that fire protection features must be provided to ensure that one train of systems required for hot shutdown is maintained free of fire damage. If redundant safe shutdown trains are located in the same fire area the separation criteria specified in III.G.2 of Appendix R must be met, or the licensee must meet the requirements specified in III.G.3 and III.L of Appendix R for providing alternative/dedicated shutdown capability. The only alternative available to licensees is to request exemptions from the technical requirements of Appendix R through the process specified in 10 CFR 50.12, or request a deviation for the plants licensed post-Appendix R.

3. Section 3 Comments

3.1 As stated in other sections of the guidance document, this section restates that the use of manual operator actions to complete safe shutdown functions complies with the requirement to maintain a system free of fire damage. As previously noted, this is not consistent with existing NRC regulations and guidance.

3.2 This section states that the effects of spurious operations of concern are limited to: (1) a loss of reactor pressure vessel/reactor coolant inventory in excess of the safe shutdown makeup capability; and (2) a flow loss or blockage in the inventory makeup or decay heat removal systems being used for the required safe shutdown path. These criteria are not listed in Generic Letter 81-12 as implied by the document. As noted in the comment on Section 1.3.2, these criteria exclude other spurious actuation concerns identified in Generic Letter 81-12 and are therefore not consistent with existing staff guidance.

3.3 This section should include a discussion of high/low pressure boundaries consistent with the information provided in Generic Letter 86-10.

3.4 In Paragraph 2, under Methodology, the last sentence states that this document does not address safe shutdown requirements such as fire detection, fire suppression, and barriers. Since fire impact mitigation is only casually discussed in this document and is not part of the purpose of this document, the title and scope should be clarified.

3.5 Section 3 states that the circuit analysis and fire impact mitigation techniques described in the document are not applicable to communications systems and 8-hour emergency lighting equipment. This statement may be interpreted to mean that emergency communication and lighting systems need not be evaluated for the effects of fire damage. The document should clearly state that where these systems are deemed necessary to facilitate the accomplishment of safe shutdown functions, the potential effects of fire damage on their operability must be fully considered.

3.6 Section 3.1, paragraph 1, sentence 4: this sentence should include the requirement that manual actions must be performed from the control room or emergency control stations. If NEI wishes to have manual actions performed at locations other than the control room or designated emergency control stations, which is generally understood as remote shutdown panel or alternate shutdown facilities, this guidance should include all locations that qualify as emergency control stations.

3.7 Section 3.1, paragraph 1, sentence 6: although operators are permitted to shut down the plant from the control room or emergency control stations which are free of fire damage, this does not allow the mitigation of spurious actions. If spurious operation could occur then the systems are not free of fire damage. For example, if spurious operations must be mitigated by racking out breakers and closing manual valves, and these actions are not in the control room or at emergency control stations, III.G.1 of Appendix R does not apply, and such manual actions are not allowed. Therefore III.G.2 or III.G.3 of Appendix R must be followed to achieve compliance. III.G.1 of Appendix R applies to completely independent systems located in separate fire areas. Note, as the rule is written, III.G.2 requires preventing the maloperation rather than mitigation of spurious operations.

3.8 Section 3.1, paragraph 2, sentence 1: The goal of post-fire safe shutdown is to assure that a single fire in any single plant fire area will not result in any fuel cladding damage, rupture of the primary coolant boundary or rupture of the primary containment. Protection at nuclear plants is not to prevent fuel damage, etc., the goal is to achieve safe shutdown, and prevent radiological releases. The goal is much higher, i.e., safe shutdown must be assured. Assuring safe shutdown means that at least one train of shutdown structures, systems, and components (SSC) must be available in the event of any fire. The NRC recommends that discussion of the goal of preventing fuel damage should be replaced with discussion of one train of shutdown SSCs being available. Obviously fuel damage should be prevented, but the goal of the NRC's fire protection rule is to assure safe shutdown, not simply to only prevent fuel damage.

3.9 Section 3.1, paragraph 2, sentence 4: Because the list of functions is not exhaustive, Paragraph 2 should be rewritten to state: "The functions important to post-fire safe shutdown generally include, but are not limited to the following."

3.10 Section 3.1 states: "Appendix R Section III.G.1.a requires that the capability to achieve and maintain hot shutdown be free of fire damage. Free of fire damage allows for the use of manual operator actions to complete the required safe shutdown functions."

This statement does not appear to be consistent with established regulatory criteria. Specifically, Section III.G.1 of Appendix R states: "Fire protection features shall be provided for structures, systems, and components important to safe shutdown. These features shall be capable of limiting fire damage so that: a. One train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage;" Fire protection design features necessary to ensure this capability for redundant systems located in the same fire area outside of containment are delineated in Section III.G.2.a, b, and c of Appendix R. Clearly, manual operator recovery actions would not be necessary if the affected systems, components, or cables were provided with suitable fire protection features. Additionally, as noted in NFPA 805, where manual operator actions are relied on to provide the primary means of recovery in lieu of providing fire protection features, risk may be increased.

Depending on the nature and extent of fire damage, the desired shutdown function of an affected component or system may frequently be restored through the use of manual operator recovery actions and, on a case-by-case basis, recovery actions have been found to provide a suitable means of satisfying regulatory objectives. It should be noted, however, that because the acceptability of their use must be substantiated by additional engineering evaluations, shutdown methodologies that rely on the use of manual operator actions do not provide prima-facie evidence of compliance with established regulatory requirements. Specific factors that must be considered include: time-critical consequences of the fire-initiated event/maloperation being mitigated; availability and capability of diagnostic instrumentation necessary to detect the event; time available for operators to perform required actions; number of actions that may be required; feasibility; accessibility; lighting; potential effects of the products of combustion (smoke, heat, toxic gasses) on operator performance; staffing needs; need for procedural guidance; communications; training; human performance factors under high stress conditions; and special tools. Additionally, one should consider that the implementation of manual recovery actions may increase risk, and the risk presented by their use should be carefully considered and compared to the risk associated with maintaining the system or component free of fire damage per Section III.G.2 of the regulation.

3.11 As currently worded, Section 3.1 appears to arbitrarily limit "spurious operations of concern" to only those that can cause: (1) a loss of reactor pressure vessel inventory in excess of makeup capability, and (2) a flow loss or blockage in coolant makeup or decay heat removal systems. This statement requires a more substantial technical basis. Inspection experience has shown that spurious equipment operations or maloperations in other (non-safe shutdown) systems may have a significant effect on the credited method of achieving shutdown conditions. Specific examples include: Ventilation (HVAC), Component Cooling Water, Service Water, plant protection system logic circuitry, false start of non-essential electrical equipment (e.g. pressurizer heaters and large pumps), false instrument indications and equipment that could initiate a plant transient such as an uncontrolled injection into the reactor coolant system. The definition of "spurious actuations of concern" should be expanded to include all equipment whose fire-induced operation or maloperation could adversely affect the successful accomplishment of the specified performance goals of each shutdown function.

3.12 Section 3.1.1 criteria/assumptions should be grouped into three major groups, 1) NRC regulation, 2) NRC guidance, and 3) long standing industry guidance. Any regulatory approvals for long standing industry guidance (e.g., NRC Safety Evaluation Reports) should reference the approvals and technical justification on why it is applicable to this application. References should be provided for all criteria/assumptions.

3.13 In section 3.1.1.1, it is not clear why this General Electric (GE) report is considered to be acceptable. How does this document address plant-specific designs, equipment location, cable routing, etc.?

3.14 Section 3.1.1.3 states that any systems capable of achieving natural circulation are acceptable for achieving redundant safe shutdown in Pressurized Water Reactors (PWRs). This guidance would allow the use of feed and bleed (i.e. using a charging pump and a pressurizer power operated relief valve PORV) as the only fire protected safe shutdown path. Feed and bleed has not been accepted by the staff as an acceptable post-fire shutdown method. This position would also allow the use of safety injection pumps as redundant to charging pumps. This is inconsistent with the staff position. For example, in a memorandum from Marsh to Hebdon, dated October 2, 1997, the staff most recently restated this position concerning the use of safety injection pumps for compliance with III.G.2 of Appendix R at Turkey Point.

3.15 Section 3.1.1.4 allows the use of manual actions and repairs for compliance with III.G.1 and III.G.2 of Appendix R. Repairs can only be used for cold shutdown capability unless previously reviewed and approved by the NRC. The NEI guidance should make a distinction between hot and cold shutdown in this regard.

3.16 Section 3.1.1.5, last sentence, states that the unit(s) are assumed to be at full power. For a two-unit plant, it may be appropriate to assume that the fire-affected unit is at full power. But other units relied upon for alternate shutdown should be analyzed as if they are in the most limiting condition, which may be shutdown or low power. For example, in a PWR with cross connects, the opposite unit in shutdown with the charging/safety injection pumps out of service would be of no help to the fire affected unit. This should be considered in an analysis.

3.17 Section 3.1.1.7 should be revised to read: "For the case of redundant shutdown, offsite power may be credited if demonstrated to be free of fire damage. Offsite power should be assumed to remain available for those cases where its availability may adversely impact safety (i.e., reliance cannot be placed on fire causing a loss of offsite power if the consequences of offsite power availability are more severe than its presumed loss). No credit should be taken for a fire causing a loss of offsite power. For areas provided with an Alternative Shutdown capability, shutdown must be demonstrated both where offsite power is available and where offsite power is not available for 72 hours."

3.18 Section 3.1.1.8 states that safe shutdown systems can be either safety related or nonsafety related. The exception for the use of nonsafety related systems is applicable only to alternate/dedicated safe shutdown capability defined in III.G.3 and III.L of Appendix R. Redundant systems used for compliance with III.G.1 and III.G.2 of Appendix R are normally one train of systems necessary to achieve and maintain hot shutdown conditions. Hot shutdown conditions are defined in the plant's Technical Specifications. In the Technical Specifications, the equipment necessary to support hot shutdown conditions are normally safety related or important-to-safety equipment. The guidance should make a distinction between redundant systems and alternative/dedicated shutdown capability in this regard.

3.19 Section 3.1.1.10 should be clarified to state that for certain situations, e.g., III.G.1 compliance, manual initiation is only allowed from the control room or emergency control stations.

3.20 Section 3.1.2.3 allows level to fluctuate beyond the pressurizer level indication range. According to Appendix R, Section III.L.2.b, the reactor coolant makeup function shall be within the level indication in the pressurizer for PWRs. The statement "Temporary fluctuations outside this range are permissible..." should be deleted or justified by an analysis acceptable to staff.

3.21 In section 3.1.2.6.1 the following sentence should be added: "Offsite power should be assumed to remain available for those cases where its availability may adversely impact safety (i.e., reliance cannot be placed on fire causing a loss of offsite power if the consequences of offsite power availability are more severe than its presumed loss). No credit should be taken for a fire causing a loss of offsite power."

3.22 Section 3.1.2.6.2. The phrase "operating temperature range" (of equipment) should be clearly defined (e.g., operating temperature range specified in manufacturer literature or demonstrated by suitable test methods) and the phrase "room temperatures acceptable for performing operator actions" should be quantified.

3.23 Section 3.1.2.6.2 discusses HVAC systems for post-fire safe shutdown. This section should be expanded to address habitability and smoke control/removal concerns (i.e., ventilation systems and equipment necessary to assure protection for plant operations staff from the effects of fire (smoke, heat, toxic gases) and gaseous fire suppression agents). Specific areas of concern are the control room, areas where post-fire shutdown activities are performed and access and egress pathways.

3.24 Section 1.1.1 states that the methodology "will meet regulatory requirements." However, the safe shutdown system performance criteria described in Section 3 do not incorporate the regulatory requirement (i.e. Appendix R, section III.L.1.) that during post-fire shutdown, the reactor coolant system process variables shall be maintained within those predicted for a loss of normal A.C. power. Depending on the plant-specific shutdown methodology, the deletion of this criterion may result in a significant reduction in safety margin from that which would be achieved through full compliance with the regulation.

3.25 Section 3.1.2.5 appropriately identifies diagnostic instrumentation for safe shutdown systems as a required process monitoring function. However, the document does not provide any further guidance in this area. The purpose and function of diagnostic instrumentation should be defined in the document. Additionally, the document should state that, where reliance on diagnostic instrumentation is required, the instrumentation must be demonstrated to remain unaffected by the fire. (For example, the analyst should not credit control room annunciators as a means of detecting system perturbations unless it can be shown that their operation will not be affected by the fire).

3.26 In section 3.2, the need to consider the potential for a single fire to cause various combinations of equipment to maloperate should be more clearly stated. The following sentence should be added to Section 3.2.2.2: "The potential for multiple spurious operations or maloperations must be considered during the equipment identification process."

3.27 Section 3.2 should clarify the definition of exposure fire to include the possibility that the safe shutdown SSC fire is the initiating event.

3.28 According to section 3.2.1.2, it appears that manual operation of a valve in the fire-affected area is acceptable for achieving and maintaining hot shutdown/standby conditions. This is not consistent with NRC interpretations. In order to meet the requirements of III.G.1 of Appendix R, one train of systems must be operable during and following a fire. A manual operation of a valve in the fire affected area is not possible during the fire. Actions in the fire affected area are allowed only for repair and operation of equipment necessary for achieving and maintaining cold shutdown.

3.29 Section 3.2.1.5 states that instruments should be assumed to fail as a result of fire damage. This statement should be revised to state that, in the absence of further evaluation, the specific failure mode of instruments (full up-scale, full down-scale or midrange) cannot be determined, and the worst case should be assumed.

3.30 Section 3.2.1.5 states that instrument fluid boundaries and sight glasses remain undamaged by a fire. There is no technical basis provided for this assumption.

3.31 Section 3.2.1 should include the assumption that instrument air is considered unavailable unless there is a separate redundant system located outside the fire exposed area, or the instrument air system is otherwise protected from fire. Also, Section 3.2.1.2 should clarify that heat sensitive piping materials, e.g., soldered/brazed piping or copper tubing, and any valves or piping that have pressure boundary components which are heat sensitive are not included in this assumption.

3.32 In section 3.3-Safe Shutdown Cable Selection and Location, the statement, "This section provides industry guidance on the recommended methodology and criteria for selecting safe shutdown cables and determining their potential impact...," should be further defined.

3.33 Section 3.3.1.3 should state that this only applies if the switch controls do not also enter the fire-affected area.

3.34 Section 3.3.1.4 should note that although these components may be screened in this step, they may lead to high impedance faults or breaker coordination problems, and therefore will be considered later.

3.35 Section 3.3.2 states that the consideration of spurious actuations need only be considered for cables whose failure could cause the spurious actuation/operation of safe shutdown equipment. This needs to be clarified to include that spurious actuations need to be considered if those spurious actuations could impact safe shutdown capability regardless of whether or not the spurious actuation is of required safe shutdown equipment.

3.36 Sections 3.3, 3.4, 3.5 - General Comment on the Scope of the Evaluation of Cable Damage. Section 3.3 states, "The Appendix R safe shutdown cable selection criteria is developed to ensure that all cables that could affect the proper operation or that could cause the maloperation of safe shutdown equipment are identified and that these cables are properly related to the safe shutdown equipment(s) whose functionality they could effect." Section 3.3.1.6 states, "If not protected from the effects of fire, the fire-induced failure of automatic initiation logic circuits must not adversely affect any post-fire safe shutdown system function."

Section 3.4 states: "By determining the location of each component and cable by fire area and using the cable to equipment relationships described above, the affected safe shutdown equipment in each fire area can be determined... The specific impacts to the selected safe shutdown path can be evaluated using the Circuit Analysis and Evaluation criteria contained in Section 3.5 of this document"; and Section 3.5 states, "This section on circuit analysis provides information on the potential impact of fire on circuits used to control and power safe shutdown equipment" (emphasis added).

The above statements presuppose that the scope of the evaluation need only focus on an assessment of the effects of fire damage to the relatively limited set of equipment that comprises the selected shutdown paths. Under this approach, consideration of the effects of fire damage to cables/circuits of equipment whose operation is not specifically required to accomplish a specified shutdown function does not appear to be warranted. More specifically, it appears that while the approach recognizes that failures in other "non-essential" equipment will occur, as long as those failures do not have a direct effect on the operation of the selected equipment the effect of these failures on the shutdown capability does not need to be considered further. This premise appears to run counter to inspection experience which has shown that the failure to evaluate the effects of fire damage to certain non-essential equipment had the potential to initiate transients that were beyond the recovery capability of the credited (i.e., protected) shutdown path. For example, at one Boiling Water Reactor (BWR) it was noted that the loss of a non-essential source of electrical power (due to fire damage or loss of offsite power, LOOP) would result in the failure of equipment necessary to prevent unacceptable levels of water hammer in the piping of essential reactor coolant makeup systems. Additionally, the inspection of one PWR revealed that fire damage to a motor-operated valve (MOV) located within a flow path that was not deemed by the licensee to be required for safe shutdown, had the potential to cause a collapse of the steam bubble in the pressurizer and rapid depressurization of the RCS. Other examples include the start of makeup pumps that could lead to a reactor overfill condition and the energization of large electrical loads (e.g. pressurizer heater banks) that could overload the credited source of emergency electrical power. 
With the current wording of Section 3.3, it is not clear how to identify cables and circuits of equipment that are not part of the selected shutdown path but whose damage due to fire could adversely affect the ability of credited shutdown systems to achieve and maintain hot shutdown conditions.

3.37 Section 3.3.3.5 should include the verification of cable routing data obtained from a review of plant drawings (e.g., field walk-downs).

3.38 In section 3.4.1.2, the statement, "This does not imply that the fire instantaneously spreads throughout the fire area..." does not include a technical basis and if a technical basis is not available, it should be deleted. Specifically, this statement could be interpreted to mean that it is not necessary to postulate concurrent failures (i.e., there is some finite, but undefined, time interval between failures).

Basis: Section I of Appendix R states that one train of equipment necessary to achieve hot shutdown from either the control room or emergency control station(s) must be maintained free of fire damage by a single fire, including an exposure fire. Acceptable methods for assuring components remain free of fire damage are delineated in Section III.G of the regulation.

3.39 Section 3.4.1.3 suggests that mitigation of potential fire impacts is an acceptable alternative to providing the required fire protection features for structures, systems and components important to safe shutdown. This is not in accordance with the requirements specified in Section III.G.1 and III.G.2 of Appendix R or the existing NRC staff fire protection guidance.

3.40 Section 3.4.1.4 states that the use of manual actions is an acceptable alternative to providing the fire protection features required by Section III.G.1 and III.G.2 of Appendix R. This does not meet current regulations.

3.41 Section 3.4.1.6: Editorial comment: Insert "nonsafety" between "associated" and "circuits" in all three subparagraphs. Basis: consistency with wording of regulation (See Section III.G.2 a, b, and c of Appendix R).

3.42 Section 3.4.1.6 uses the phrase "demonstrate equivalency." To assure consistency, the document should provide additional guidance and criteria for performing equivalency evaluations used to demonstrate compliance with specific fire protection design requirements specified in the regulation.

3.43 Section 3.4.1.7 states, "...each equipment impact, including spurious operations, is to be addressed on a one-at-a-time basis. The focus is to be on addressing each equipment impact or each potential spurious operation and mitigating the effects of each individually." This criterion does not appear to satisfy regulatory requirements for assuring one train is free of fire damage and is not supported by a technical basis. For example, under this criterion, if the start circuit of a required makeup pump and control cabling associated with the pump's suction valve are both subject to damage as a result of a single fire, it appears that the potential for fire to cause a spurious closure of the pump suction valve and an automatic start of the pump (resulting in pump damage) would not need to be considered.

3.44 Section 3.4.1.8: This criterion nonconservatively limits the evaluation of the effects of fire damage to instrument sensing lines to those instrument readings or signals "associated with the protected safe shutdown path." Depending on plant-specific conditions, fire damage to instruments not associated with the credited shutdown path may adversely affect the shutdown capability. This statement should be modified or deleted from the criterion. A more appropriate version of this criterion is contained in Section 3.4.1.8 of the BWR Owners Group guidance document (GE-NE-T43-00002-00-02).

3.45 Section 3.4.2.3 states, "Using the Circuit Analysis and Evaluation criteria contained in Section 3.5 of this document, determine the equipment on the required safe shutdown path that can potentially be impacted by a fire in the fire area, and what those possible impacts are." In Section 3.5 it states: "Appendix R Section III.G.2 identifies the fire-induced circuit failure types that are to be evaluated for impact from exposure fires on safe shutdown equipment. Section III.G.2 of Appendix R requires consideration of hot shorts, shorts to ground and open circuits."

Additionally, paragraph B.2.0 of Appendix B states: "Appendix R requires that equipment and circuits required for safe shutdown be free of fire damage and that these circuits be evaluated for fire induced effects of hot shorts, open circuits and shorts to ground."

Application of the criteria described above could result in a failure to provide fire protection features necessary to ensure that essential hot shutdown equipment remains free of fire damage.

The fire protection requirements specified in 10 CFR 50.48 require that the fire protection program have a means to limit fire damage to SSC important to safety so that the plant's safe shutdown capability is ensured. Additionally, Section III.G of Appendix R to 10 CFR 50 requires, in part, that associated non-safety circuits and cables that could prevent operation or cause maloperation of systems and components important to safe shutdown, be provided with a level of fire protection necessary to ensure such circuits will remain free of fire damage. As stated in the staff's clarification of Generic Letter 81-12, the requirements of Appendix R address hot shutdown equipment which must be free of fire damage. Acceptable options for providing this level of fire protection are delineated in Section III.G.2 of the regulation. Because these features are expected to preclude fire damage, alternative approaches that rely on an analysis of the types of circuit faults that may occur as a result of fire damage may significantly reduce the safety margin that would be achieved through compliance with regulatory requirements.

Recent inspections of licensee implementation of analytical approaches similar to those described in NEI 00-01 have resulted in some fairly significant inspection findings. For example, at one PWR, control cables of redundant Auxiliary Feedwater System valves were not provided with fire protection features sufficient to meet III.G.2 of Appendix R on the basis that the inadvertent closure of both valves would require multiple circuit failures (i.e., one fault in the control circuit of each valve). Inspections of other facilities identified similar concerns including one licensee's decision not to include normally open, automatically actuated valves located in required shutdown flow paths in its list of required equipment, and another licensee's general lack of fire protection features for control cables of hot shutdown components on the unsupported position that multiple operator recovery actions could effectively mitigate any equipment failures and/or maloperations that may be initiated by fire.

Because the consequence of failure may be high, NEI 00-01 should be revised to assure that the use of analytical methods for determining the potential effects of fire damage be limited to circuits of equipment whose failure or inadvertent actuation would not have a direct and immediate impact on the ability of selected hot shutdown systems to perform their intended function. In the absence of a plant-specific exemption or deviation, required flow path components such as pumps and automatically actuated valves should be provided with fire protection features sufficient to meet Section III.G.2 of Appendix R. It is believed that such an approach would be more consistent with the Commission's statements of consideration regarding the Final Rule on Fire Protection (Ref: Enclosure A to SECY-80-438A) which states:

"When considering the consequences of fire in a given area, it must be concluded that one train of equipment that can be used immediately to bring the reactor to hot shutdown conditions remains unaffected by a fire."

3.46 Section 3.4.2.4 restates options, beyond those permitted by the regulations, for resolving circuit failures that can have an adverse impact on safe shutdown capability. Comments on these noncompliant alternatives have been previously identified.

3.47 Section 3.5.1.1: The first bullet should be revised to read "...resulting in an undesired impressed voltage or signal on a specific conductor," for clarification purposes. A hot short between conductors of certain instrument circuits may result in an undesired signal other than voltage.

3.48 Section 3.5.1.1 suggests that circuit failures need only be considered for safe shutdown cables. This is inconsistent with current regulations since any cable that could prevent operation or cause maloperation of redundant trains of safe shutdown systems must be protected. This section also limits the consideration of open circuits to power and control cables. Instrumentation circuits are not included. If an open circuit in an instrumentation circuit can prevent operation or cause maloperation, it must be protected.

3.49 Section 3.5.1.1, last paragraph, states that circuit failures should be assumed to occur individually on each conductor of each safe shutdown cable, and the effects of each circuit failure are to be evaluated one at a time. Based on this criterion, the evaluation of the potential effects of fire damage to multiconductor cables need only consider the occurrence of a single fault on a single conductor of a multiconductor cable. This criterion is not consistent with regulatory requirements and its application may result in a failure to consider potentially high consequence fire events. For example, at one BWR it was determined that two short circuits between twisted pairs of conductors located within a single multi-conductor cable were sufficient to cause all 16 safety relief valves to spuriously open.

Basis: Section III.G of Appendix R, Generic Letter 86-10 Response to Question 5.3.1, Memorandum From G. Holahan (NRR/DSSA) to D. Crutchfield (NRR/DRP) dated December 4, 1990. Additionally, the assumption that only a single fault will occur in multiconductor cables does not appear to be consistent with the results of recent fire tests performed by NEI.

3.50 Section 3.5.2 states that fire damage to circuits that provide control and power to equipment on the required safe shutdown path must be evaluated. This excludes instrumentation circuits and associated circuits. Circuits that provide for process monitoring necessary for hot shutdown such as pressurizer pressure and level, reactor coolant cold leg temperature, and core exit thermocouples or hot leg temperature, steam generator pressure and wide range level, source range flux, diagnostic instrumentation, and tank level indication for PWRs, or reactor water level and pressure, suppression pool level and temperature, isolation condenser level, diagnostic instrumentation and tank level indication for BWRs must be protected. Instrumentation circuits whose failure could result in erroneous indications to plant operators who, as a result, would take improper actions or fail to take appropriate and prompt action in response to the indications, must also be protected. In addition associated circuits that could prevent the operation or cause the maloperation of systems needed for safe shutdown must also be protected.

3.51 Section 3.5.2.2. Two or more shorts to ground on ungrounded D.C. systems may result in an undesired actuation of equipment. This failure mode should be thoroughly described in the document.

3.52 Section 3.5.2.4. The third bullet's statement, "demonstrate proper coordination by comparing the time current characteristic (TCC) curve for the largest size load breaker to the TCC curve for the incoming source breaker supplying the bus," may not be accurate. This "rule of thumb" is only valid if all protective devices under consideration are of the same type and manufacturer and are operating in similar environmental conditions.

3.53 Section 3.5.2.4, the third bullet's statement, "Fuses of the same type are assumed to coordinate when an upstream to down stream fuse size ratio of at least two to one is applied," is not presented with a technical basis. This "rule of thumb" is generally only applicable to low voltage fuses of the same type and manufacturer that are installed in the same operating environment (i.e., operating temperature). For all other cases, it must be ensured that the total clearing energy of the load side fuse is less than the melting energy of the line side fuse. This is typically demonstrated by a comparison of time/current characteristic curves developed by the manufacturer for the specific fuse type in question.

3.54 In section 3.5.2.4, third bulleted paragraph, the assumption that fuses will trip prior to an upstream molded case circuit breaker in response to a short-circuit current should be supported by reference to a valid technical basis such as a national consensus standard.

3.55 In section 3.5.2.4, the discussion of circuit coordination should provide additional guidance with regard to circuit breaker and relay maintenance and administrative controls for fuse replacement.

3.56 Section 3.5.2.5, second paragraph, states, "Adequate electrical circuit protection and cable sizing is included as part of the original plant electrical design and this may be demonstrated by reviewing the plant's electrical design criteria for compliance with the National Electrical Code." The objective is to ensure non-essential cables, that are routed in a common enclosure with cables of required shutdown equipment, are provided with adequate electrical protection. The document should clearly state that protection should be provided to ensure that the ampacity rating of the cable is not exceeded. Additionally, inspection findings have identified instances where uncontrolled plant modifications (such as fuse replacements) have resulted in cases where the as-found electrical configuration did not match the plant's design criteria. Therefore, it is not apparent, from the above statement, how a review of the plant design criteria will effectively confirm actual plant configurations.

4. Section 4 - Risk Significance Analysis

4.1 From a risk analyst's viewpoint, the document is complex and difficult to follow. The role of Chapter 4 is defined in the last paragraph of section 1.1, Purpose, where it is stated, "This document provides criteria for assessing the risk significance of those issues that are not included in current safe shutdown analyses, but which...." From then on, the terminology changes, so that, instead of issues, the analyst first identifies potential failures and combinations, and determines whether these failures/combinations should be addressed, (section 1.3.1.2, first paragraph). Presumably there is a connection between an issue and potential failures and combinations, in the sense that an issue (maybe some problem with fire protection), leads to the potential for a component or several components to be unprotected, and therefore susceptible to failure during a fire. A few examples of issues and their consequences would help increase the clarity of the document. It would also help to clarify what the combinations are (i.e., combinations of failures or fire caused failures combined with other failures?).

4.2 The risk-based approach presented in this section of the document should give consideration to the potential consequences of fire-induced circuit failures. Due to the high level of uncertainty in the ability to accurately predict the nature of fire initiation, fire spread, and damage that may occur (either as a direct result of fire damage or from subsequent fire suppression activities), it is suggested that a qualitative evaluation of the potential consequence of fire damage be performed. If this evaluation determines that the consequence of failure may be significant, then compliance with the separation/protection and evaluation criteria specified in the regulation and/or established NRC guidance documents must be assured. Specific examples of fire-induced failures that should be specifically excluded from further consideration under the risk-based screening process described in this section are those that could have a direct and immediate impact on the ability of the selected hot shutdown systems to perform their required function such as valves and pumps located in the required flow path (as credited/defined in the plant's safe shutdown analysis for the fire-affected area), components whose operation is "time critical" (i.e., required to be operable within the first two hours of the fire event), such as emergency diesel generators, and components whose fire induced failure or maloperation could initiate a potentially unrecoverable condition, such as reactor coolant system boundary isolation valves.

4.3 The fire protection program must provide reasonable assurance, through a defense-in-depth approach, that the probability of fire is minimized, and that the effects of fires that start in spite of the fire prevention program and burn for a considerable time in spite of fire protection activities will not prevent essential plant safety functions from being performed. The multiple levels of protection that are embodied in the defense-in-depth philosophy assure fire safety throughout the life of the plant by minimizing both the probability and consequence of fires. While strengthening any one element of defense-in-depth (e.g., fire prevention or suppression) can compensate in some measure for known or unknown weaknesses in the others, all elements must be provided and meet minimum requirements (e.g., BTP 9-5.1).

NEI 00-01 concurrence with this philosophy is articulated in Section 1.1.1, which states:

"Because of the uncertainties associated with the actual behavior of fires in a nuclear power plant, each of the echelons of the defense-in-depth fire protection program is important in assuring that the plant is safe from the adverse effects of fire."

However, Section 4 suggests that it is only necessary to achieve a "balance" in defense-in-depth elements and appears to introduce a new interpretation of the defense-in-depth concept by concluding that it is not necessary to consider the effects of fire damage provided a suitable means of fire detection and extinguishment are provided.

Specifically, Section 4.1.3 states, "the components can be screened out as risk insignificant if at least two other reducing factors (such as automatic detection and suppression and manual suppression) can be credited qualitatively as effective." From this screening criterion, it appears that the effects of fire damage to unprotected circuits or cables located in areas typically provided with automatic detection and suppression, such as the cable spreading room at most plants, need not be considered. Given the high degree of uncertainty in determining potential causes for fire initiation, growth and type of damage that may occur to exposed equipment and cables, this approach may result in a significant reduction in safety margin from that which would have been achieved through application of all elements of the well established concept of defense-in-depth.

4.4 Section 4.1.2 states that only those issues that could affect the safe shutdown system flow path are considered when evaluating the risk significance of identified circuit failure issues. This excludes instrumentation and associated circuits that can have an adverse impact on safe shutdown capability as previously noted. This section also limits consideration to those circuit issues whose maloperation could result in a loss of a key safety function, or in immediate, direct and unrecoverable consequences comparable to high/low pressure interface failures. While these terms are not defined in NEI 00-01, this approach is not consistent with current NRC requirements that specify that, during the post-fire shutdown, the reactor coolant process variables be maintained within those predicted for a loss of offsite power. The NEI approach should provide for margin of safety to account for uncertainty in the risk analysis. If adequate margins of safety are not included, it is a substantial reduction in the defense-in-depth concept required by the current regulations.

4.5 Comments on Section 4.1.4 Defense-In-Depth. An issue will not screen out unless defense-in-depth (DID) elements are met. Therefore, efforts to clearly define the meaning of DID should be made in NEI 00-01. For example, the first item indicates that fire protection DID preserves a reasonable balance among prevention of fires, early detection, suppression of fire, and fire confinement. The term "reasonable" should be clarified. For example, it appears that in the bottom, far right block of Table 4-1, low frequency of fires satisfies fire protection defense-in-depth, i.e., credits the lack of significant ignition sources as a fire protection defense-in-depth attribute.

Also, NEI 00-01 indicates that over-reliance upon programmatic activities due to spurious actuations, in addition to added time or risk from programmatic activities must exist for defense-in-depth not to be met. Yet, Reg. Guide 1.174 identifies only over-reliance upon programmatic activities as a means of not meeting defense-in-depth. Please clarify the difference.

Concerning Large Early Release Frequency (LERF), Reg. Guide 1.174 identifies LERF as a metric for licensee applications. However, the contribution of spurious actuations to LERF is not discussed in NEI 00-01, and therefore no limit is placed upon the contribution of spurious actuations to LERF. It is suggested that the impact of LERF be considered, and a limit be placed upon LERF contributions from spurious actuations.

4.6 Section 4.1.4.2 has expanded on the guidance specified in Regulatory Guide 1.174 concerning safety margins by asserting that screening out fire induced circuit failures, based solely on fire frequency and the probability of spurious actuation, provides sufficient margin to account for analysis and data uncertainty. Safety margin, as described in Regulatory Guide 1.174, refers to compliance with NRC endorsed codes and standards and safety analysis acceptance criteria in the licensing basis. The approach in NEI 00-01 appears to conflict with both of these criteria. Please provide additional information to resolve this discrepancy.

4.7 Section 4.2.2, consistent with the philosophy throughout the NEI guidance, states that even if the resultant increase in fire risk is greater than 1E-06/year, corrective actions should be considered. Therefore, NEI 00-01 should specify when corrective actions are required (or even recommended).

The variables in the NEI guidance used to calculate the delta Core Damage Frequency (CDF) due to fire appear to be treated as independent variables. This would exclude the dependencies that exist between some of the factors used in the formula. The NEI formula appears to be also susceptible to the double counting phenomenon that was observed in the IPEEE program by the use of a severity or fire size parameter that allowed double credit for manual and automatic suppression probabilities. The NEI fire frequency parameter states that it is representative of the total number of fires of any size anywhere in a fire area. This may not be correct. The data used to develop this parameter is based solely on reported fire events. Most fires that occur at licensees' facilities are below the threshold for reporting, therefore, the stated values are not representative of all fires. The values used for automatic suppression capability are categorized as representative of the likelihood that the fires are controlled prior to damage occurring to safe shutdown equipment. It appears that NEI 00-01 has non-conservatively interpreted data on the reliability of fire suppression systems (i.e. failure to actuate on demand) as equivalent to data on how effective a suppression system is in preventing damage. This may not be correct because, in some cases, damage to equipment can occur prior to system activation or even subsequent to system activation.

The parameter to account for the effectiveness of manual suppression in preventing damage is also not well defined.

The reliance on fire brigade response times, as needed in the NEI document, as a surrogate for fire brigade effectiveness may not be appropriate. The fire brigade response time is only one factor in assessing the effectiveness of the brigade. For example, fire brigade effectiveness is dependent upon several factors such as: (1) the fragility of the component, (2) the severity of the fire, (3) the location of the fire, (4) the location of the equipment, (5) the compartment geometry, (6) interior finish, (7) fire detection time, (8) confirmation time, (9) brigade notification time, (10) brigade response time, (11) the time required for the brigade to don protective clothing and breathing apparatus, (12) the time to initiate fire attack and (13) the time to control the fire. The amount of uncertainty in the basis and use for the values could result in non-conservative estimates of fire induced CDF and will therefore screen out potential circuit failure scenarios that are potentially risk significant that should have been identified and corrected.

4.8 Concerning the basis for Table 4-1, Preliminary Screening, i.e., Appendix G, sequences with core damage frequency of less than 1E-6/yr are screened from consideration.

However, because a spurious actuation could impact multiple areas, many of these sequences may apply for a single spurious actuation. As a result, a smaller cutoff for each sequence in Appendix G is suggested to screen potentially insignificant sequences.
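An added illustration of the aggregation concern in comment 4.8 (not part of the NRC letter or NEI 00-01): it groups sequences by the spurious actuation that triggers them and flags actuations whose sequences each fall below the 1E-6/yr cutoff while their sum does not. The sequence names and frequencies are constructed, summing sequence CDFs assumes the rare-event approximation, and the equal-share cutoff is an assumption, not a staff or NEI method.

```python
from collections import defaultdict

SCREEN_CUTOFF = 1e-6  # per-year CDF screening cutoff quoted in comment 4.8

# Constructed sample data, not plant data:
# (sequence id, spurious actuation that triggers it, sequence CDF per year)
SEQUENCES = [
    ("SEQ-01", "MOV-A opens", 6e-7),
    ("SEQ-02", "MOV-A opens", 5e-7),
    ("SEQ-03", "MOV-A opens", 3e-7),
    ("SEQ-04", "PUMP-B trips", 8e-7),
    ("SEQ-05", "VALVE-C closes", 2e-7),
    ("SEQ-06", "VALVE-C closes", 1e-7),
    ("SEQ-07", "BKR-D opens", 2e-6),
]


def screen_per_sequence(sequences, cutoff=SCREEN_CUTOFF):
    """Ids of sequences that a per-sequence cutoff would screen out."""
    return [sid for sid, _, cdf in sequences if cdf < cutoff]


def group_by_actuation(sequences):
    """Map each spurious actuation to the CDFs of the sequences it drives."""
    groups = defaultdict(list)
    for _, actuation, cdf in sequences:
        groups[actuation].append(cdf)
    return dict(groups)


def masked_actuations(sequences,
                      per_sequence_cutoff=SCREEN_CUTOFF,
                      aggregate_limit=SCREEN_CUTOFF):
    """Actuations that vanish from the analysis although their total matters.

    An actuation is 'masked' when every one of its sequences screens out
    individually, yet the summed CDF (rare-event approximation) reaches the
    aggregate limit.
    """
    masked = []
    for actuation, cdfs in group_by_actuation(sequences).items():
        all_screened = all(c < per_sequence_cutoff for c in cdfs)
        if all_screened and sum(cdfs) >= aggregate_limit:
            masked.append(actuation)
    return sorted(masked)


def bounding_cutoff(sequences, aggregate_limit=SCREEN_CUTOFF):
    """Smaller per-sequence cutoff that cannot mask an actuation.

    Assumption: split the aggregate limit equally over the largest number of
    sequences any single actuation drives. If each of n <= n_max sequences is
    below limit / n_max, their sum stays below the limit.
    """
    largest_group = max(len(c) for c in group_by_actuation(sequences).values())
    return aggregate_limit / largest_group


if __name__ == "__main__":
    print("screened individually:", screen_per_sequence(SEQUENCES))
    print("masked at 1E-6 per sequence:", masked_actuations(SEQUENCES))
    tighter = bounding_cutoff(SEQUENCES)
    print("tighter per-sequence cutoff: %.2e" % tighter)
    print("masked at tighter cutoff:",
          masked_actuations(SEQUENCES, per_sequence_cutoff=tighter))
```
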

4.9 Table 4-2, Fire Frequency. Component frequencies developed in the Fire Induced Vulnerability Evaluation (FIVE) methodology were based upon an average. In this approach, frequencies for a cable spreading room with electrical cabinets are above 1E-3, regardless of the number of cabinets in the cable spreading room. If NEI 00-01 chooses to identify the frequency of a cable spreading room by the number of cabinets (and as a result, postulate frequencies lower than average), then the method must also realize that some cable spreading room configurations will have frequencies larger than the average, as well. Deviations from the average frequencies in FIVE for components, rooms, or fire areas in general should be supported by technical justification. Severity factors should not be used at this stage because their application should be highlighted in the method under 4.2.2.

4.10 Table 4-2, Probability of spurious actuation of components. Failure probabilities for momentary and sustained hot shorts are given without providing a technical basis. A technical basis needs to be provided as well as a means for determining when sustained or momentary hot shorts occur.

4.11 Table 4-2, Safe shutdown capability. It is not clear that all safe shutdown schemes can be credited as much as 0.1 (for the failure probability). The full set of influences identified in Appendix E should be used to determine if credit for manual actions can be used at 0.1.

Number of actions, time, and availability of procedure should be supplemented by these remaining influences in Appendix E as they may pose additional constraints/impediments to manual actions. As indicated on the bottom of Table 4-2 for safe shutdown capability, this credit must be examined and justified on a case-by-case basis. As a result, the screening may be non-conservative when assuming 0.1 for safe shutdown capability.

4.12 Section 4.2.2.1, General Description of Method. The definition for a component combination should be clarified. An evaluation of a component combination should not only take into account the spurious actuation, but also multiple spurious actuations, if appropriate, per fire area. It is suggested that examples for component combinations be provided to clarify the definition.

Also, in the last few sentences of the next to last paragraph on page 73, it is stated that, Unless all screening steps are complete, screening against these two criteria would provide an overly conservative result. All three criteria must be satisfied for an issue to screen out. It would appear that satisfying fewer criteria would provide non conservative results. Please clarify this sentence.

With respect to the equation on page 76 for core damage frequency, the credit for detection, suppression should be predicated on the fire determined by the fire size parameter.

With respect to credit for the fire brigade, time available for control and extinguishment of a fire should be offset by the time required for an operator to verify a fire exists. The development of the probability for failure of the fire brigade should incorporate this delay. (Note that Table 4-2, under detection and manual suppression, did not mention this delay.)

4.13 Section 4.2.2.2, Screening Analysis. Nuclear Safety Analysis Center, (NSAC) and Electric Power Research Institute (EPRI) documents are referenced as sources of data in the various screening steps. The use of these data may be subject to review on a case-by-case basis unless the respective results in these documents have been reviewed and approved by NRC.

4.14 Section 4.1.2, Identification. The purpose is to "provide guidance for identifying potential plant-specific spurious actuation issues for further review." However, there is no guidance on a systematic way to identify issues. The two bullets only state that if NRC inspectors or the self assessment process at the plant have found issues, they should be included.

4.15 Tables 4-2 and 4-3: The information required for comparison with the criteria appears to be similar to that required for the more detailed screening analysis discussed in Section 4.2. Please explain how this first screening stage is of value.

4.16 It should be further explained how the general equation addresses the following issues: 1) the deterministic method assumes multiple simultaneous fires not to occur, however this should not be assumed for a risk-informed method, 2) multiple fires originating from same source (e.g. Palo Verde fire), and 3) frequency that redundant equipment is out of service. (Note that if plants use alternate shutdown techniques, this could be significant.) Additional information should be provided on how these factors are included in the Chapter 4 methodology. None of the assumptions in Chapter 3 (section 3.4.1, et al) of the document should be automatically applied to the risk-informed methodology and should be factored into the risk calculation.

4.17 In Screening and Analysis, the fire frequency numbers for the screening and the analysis are different. This could be a cause for error. Fire frequencies should not be different for the same area.

4.18 Table 4-1: The meaning of the terms detection and suppression should be provided.

Would a sprinkler system which provides an alarm meet the requirements of detection and suppression? For example, detection and suppression from a wetpipe sprinkler system should not be counted together because there is no redundancy. One valve closed for maintenance would defeat the entire system.

4.19 Table 4-1: Manual suppression should not be credited in this table. In fact, if there is a Safe Shutdown or Safety Related area for which manual suppression is not available, this would be considered a significant deficiency in the current program.

4.20 Table 4-1: Provide additional information on what is meant by "safe shutdown capability can be credited." If safe shutdown (i.e., completely redundant trains such as III.G.1) capability is provided, then there would not be a need to use this method.

4.21 Table 4-2: Fire Frequency. It is unclear why a fire frequency classification should be impacted by potential to damage critical equipment if left alone. Fire frequency should only be based on frequency and not the potential to damage critical equipment. This bundling of elements could lead to double counting.

4.22 Table 4-2: High, Medium, Low: Fire frequency should be the total of fire frequency, and not the frequency of a damaging fire. Bundling of fire frequency and potential of damaging fire leads to double counting. Small, non-damaging fires, are precursors of damaging fires and should be counted in fire frequency calculations.

4.23 Table 4-2, last sentence: Turbine buildings may contain safety-related and safe shutdown equipment and tend to have high fire frequency. How could they be ruled out from this category?

4.24 Table 4-2, High Category: It appears that dry-type transformers are excluded from this category. It may be true that they generally do not have a large quantity of combustibles but they do have the potential for causing fires.

4.25 Table 4-2, Medium, Basis, last sentence: It does not appear that discussion of severity factor is related to fire frequency. It is recommended that fire frequency should be its own factor and not bundled with other factors.

4.26 Table 4-2, Low Category: All locations of plants that contain safety-related or safe shutdown equipment are required to have programs for controlling transient combustibles.

Administrative controls for ignition sources are also required for all areas and should not be credited. This may be credible if the criteria require a fire watch to be in effect for any transient fire load in the area, but to rely on provisions is not sufficient protection.

4.27 Table 4-2, Possibility of Spurious Actuation Portion: This portion of the table should not be included until the expert panel has completed its review. Following the expert panel conclusions, this table should be issued for comment.

4.28 Table 4-3, Automatic Suppression: This discussion of automatic suppression should state that code compliant systems are credited and non-code compliant systems should be evaluated using NRC guidelines or otherwise accepted by Authority Having Jurisdiction (AHJ i.e., the NRC in an SER).

4.29 Table 4-3, Detection and Manual Suppression: Current regulations require that a plant maintain a fire brigade that meets NFPA requirements. It is unclear how uncertainties in the long term performance of a fire brigade can be permanently credited in this screening criteria or in any long lived probabilistic risk assessment. Please provide justification.

4.30 Figure 4-3: How does this methodology correct an unacceptable result when one is reached? If the result is unacceptable after the screen, is it acceptable to rework the analysis and screen again? If the screens are unsuccessful, then there should be steps such as, 1) perform plant modification, 2) request exemption/deviation.

4.31 Figure 4-3 and delta CDF formula: A number of SSCs which were assumed to be available for the deterministic approach should be factored into this figure or this formula. For example, there is always a chance, however small, of a LOOP at any time. A LOOP would significantly degrade the chance to recover from a fire, yet this is not factored into the formula.

4.32 Section 4.2.2 Screening Criteria: It appears that each component combination is assessed independently of all others. For example, for the third criterion, the sum over CDF for each component combination in one location is taken one at a time. This might be nonconservative. The EPRI tests showed several cases where more than one spurious actuation occurred. In areas where more than one component/combination is susceptible to fire damage and spurious actuation, then other technical justification is needed.

4.33 In Section 4.2.2.1, page 76: In the equation for CDF, the terms PAS and PDM should be defined as probability that... will control the fire before damage to the cable is such that spurious actuation could occur. Considering the sequence of events, moving PSA after PDM, would provide a logical progression, even though the screening is currently done in a different order.

4.34 Screen One (page 78), item 3: The current draft of the expert panel report does not present estimates of PSA as it is defined in this report. It is suggested that estimates for PSACD, the probability of spurious actuation given cable damage, be withheld until completion of the panel review.

4.35 Screen Four, item 9: An IPEEE would probably have to be restructured to include the impact of any spurious actuations, as they are unlikely to be already included in the model.

There may be some practical difficulties here. If the model is modified to include the impact of all possible spurious actuations, then in order to deal with just one, the others will have to be turned off in the model. An alternative is to treat the spurious actuations off-line by interpreting their effect in terms of failure of a train or system associated with a critical safety function and requantifying the model appropriately.

4.36 The EPRI experiments have shown that multiple spurious actuations cannot be factored out. The increase in PCCD caused by the impact of two or more spurious actuations over that considering only one spurious actuation may be greater than the reduction in probability considering the joint probability of two actuations compared to a single spurious actuation.

While there is little data on correlation between failures, there is one strong coupling factor and that is the occurrence of the fire which has the capability of damaging two or more cables simultaneously. Whether two or more cables are susceptible to the same fire is a function of their proximity to each other and to the region of influence of the fire. Provide additional guidance or technical justification on how NEI 00-01 addresses this.

5. Section 5 - Definitions

The definitions for the following terms should be changed because they differ from current established NRC definitions: design basis fire, fire protection design change evaluation, free of fire damage, manual operation, raceway, remote shutdown, redundant, alternative, and redundant.

5.1 Hot Short: The definition should be revised to read: "...undesired impressed voltage or signal on a specific conductor."

5.2 Free of Fire Damage: For reasons previously discussed in the comments, the sentence "It may perform this function automatically, by remote control, or by manual operations" should be corrected.

NEI 00-01 should cite the definition provided in Generic Letter 86-10, Enclosure 1, Item 3.

Because the intent of the phrase "free of fire damage" may not appear obvious to those who are unfamiliar with the evolution of staff positions regarding fire protection, it may be helpful to provide a brief background discussion of the circumstances that led to the need for further clarification of this phrase.

5.3 The document should define "safe shutdown."

5.4 Safe Shutdown Capability - Redundant: The definition should be revised to clearly state that the systems and equipment must be capable of accomplishing the shutdown functions defined in Section III.L of Appendix R and that, with the exception of a temporary, short-duration, core uncovery that may occur as a result of using low-pressure injection systems at BWRs, the equipment and systems selected to perform these functions must be capable of satisfying acceptance criteria that are also defined in Section III.L.

5.5 Required Safe Shutdown Equipment/Component: The definition suggests that the evaluation need only focus on an assessment of the effects of fire damage to the relatively limited set of equipment that comprises the selected shutdown paths.

5.6 Safe Shutdown Capability - Alternative: The statement, "The shutdown systems used are classified as alternative" is inconsistent with Appendix D which states, "Use of the term Alternative...is applied to the specific plant areas and not to the equipment or methodology employed." It is suggested that a consistent definition be used throughout the document.

6. Section 6 - References

This section should be reviewed for completeness. The list of references should include Reg Guide 1.189, and documents that have been withdrawn (e.g., Reg Guide 1.120) should be removed.

7. Appendix A - Safe Shutdown Analysis:

7.1 Section A.2: The established definition for defense-in-depth, as it appears in the regulation, should be used.

7.2 Section A.2: Item 5 under defense-in-depth states that the ability to safely shutdown must be demonstrated. The regulation states that the means to safely shutdown must be protected. In theory, you could use fire frequency arguments to demonstrate that the ability to safely shutdown would not be affected. This would not meet the regulatory definition of DID which is to protect the means to safely shutdown.

7.3 Section A.3.2, first paragraph, the Browns Ferry fire was severe due to its effects on the plant. The fire only affected two areas and an isolated area of a building. It should be specified that this fire was not a severe fire, but a moderate fire that had severe consequences on the plant.

7.4 Section A.3.2, last paragraph, change "ensure that events similar in magnitude to the Browns Ferry Fire do not occur again" to "help to ensure" or "reduce the chances of." An absolute statement is not appropriate.

7.5 Section A.3.3, bullet 6: The separation requirements prior to Appendix R were for electrical separation and provided little protection against fire spread. This bullet should state that separation criteria were inadequate to protect against fire.

7.6 Section A.3.3, bullet 6, sub-bullet 1: Provide more information about separation distances; the distances which were in place were 5 feet. Even without intervening combustibles, fire could propagate across such a short distance.

7.7 Section A.3.4, paragraph 1: This paragraph could be misread to conclude that all of these improvements were performed at plants. This is simply a list of recommended improvements. The last sentence of this paragraph should state, "The improvements listed in NRC guidance are as follows."

7.8 Section A.4.0, paragraph 1: The words "necessary assurance" could imply that a fire cannot cause a situation where safe shutdown cannot be achieved. It would be more accurate to state that, if the modifications were performed in accordance with NRC guidance, then there is reasonable assurance that plants are safe from fire.

8. Appendix B - Deterministic Circuit Failure Characterization

8.1 Appendix B should be revised in light of the comments made earlier. The circuit failure criteria and interpretations are not consistent with previously established requirements and staff guidance. Many of the comments previously discussed are also applicable to this section.

Specific examples include:

1. Interpretation of Appendix R requirements regarding the use of analytical techniques in lieu of providing fire protection features

2. Lack of a technical or regulatory basis for limiting the number of circuit faults that are expected to occur to one single fault (ref: Section B.2.0, "determine the effects of each type of circuit failure on each conductor one at a time.")

3. Section B.4.0, "In recent years growing concern has been expressed regarding the combination of spurious actuations... There is no consistent way to address the multitude of scenarios that may occur when postulating combinations of circuit failure types and/or combinations of component spurious actuations. To consider the effects of multiple concurrent circuit failure types and affected components...becomes a daunting and overwhelming task."

The resolution for this "concern" is presented in Section D.4.0 (Page D6) of the document which states: "Section III.G.2 provides certain protection requirements. Where such requirements are met, analysis is not necessary."

9. Appendix B.1 - Justification for the Elimination of Multi-conductor Hot Shorts Involving Power Cables

9.1 This section presents a risk-based justification for eliminating consideration of three-phase faults on power cables of high/low pressure interface boundary isolation valves.

This argument has been presented many times by various licensees in the past. Historically, the staff has agreed that the probability of this failure mode is very low. However, because the consequence of a fire-induced LOCA event is unacceptable and because there exists a high degree of uncertainty in the ability to accurately predict the manner in which fire-damaged cables may fail, the staff has consistently concluded that suitable fire protection features or administrative controls must be provided to preclude such an occurrence.

9.2 Section B.1-1 is not in agreement with the long held NRC staff position that multiconductor three phase AC hot shorts and multiconductor ungrounded DC need to be addressed for high/low pressure interfaces. The NEI position that such circuit failures are highly unlikely and need not be postulated is based solely on the probability of the initiating event (based on uncertain data) and does not consider the consequences if such faults occur.

This is clearly within the current licensing basis for all operating plants.

10. Appendix B.2 - Justification for the Elimination of Multiple High Impedance Faults

10.1 Many of the assumptions presented in this section, such as the low probability of multiple faults that may be caused by fire, time for high-impedance faults to propagate to a bolted-fault, the self extinguishing characteristics of arcing faults, and likelihood of high-impedance fault occurrence at various voltage levels, should be supported by reference to an acceptable technical basis such as industry consensus standards, NRC guidance documents, and/or industry documents and fire test results that have been reviewed and endorsed by the staff. The documents referenced in this section do not appear to have been reviewed and endorsed by the NRC.

10.2 Section B.2.0 states that combinations of failures (e.g., multiple hot shorts) are generally considered by the industry to be outside plant licensing basis. We note that several licensees have reported combinations of failures that have been identified during a re-assessment of the plant's safe shutdown analysis and have voluntarily taken corrective action to address the deficiencies. Some examples are provided in Information Notice 92-18. The NRC has informed NEI of its position that this is within the scope of the existing fire protection regulations in a letter from S. Collins to R. Beedle dated March 11, 1997.

10.3 Section B.2: In regard to the treatment of high impedance faults resulting from a fire, NEI has concluded that, at various voltage levels, multiple high impedance faults will not occur, at voltage levels where they are possible the fault current is too low to be of a concern and the probability of such faults is sufficiently low to eliminate the need to evaluate the impact. NEI appears to have used a risk argument that does not consider the consequences, even though the concern is clearly within the licensing basis for all operating plants. NEI should provide sufficient technical basis to support its conclusions.

10.4 Appendix B, Section 5, should list the test objectives that were in the test plan.

10.5 Appendix B, Section 5: During the fire tests the cables were not exposed to direct flame, yet they ignited. NEI 00-01 should contain a discussion on the insights derived from the fire tests. The Institute of Electrical and Electronics Engineers (IEEE) standard 383 qualified and unqualified cables used in the testing should also be discussed.

10.6 Appendix B Section 5.0: The insights from the cable fires should be more specific including a discussion on which factors contributed to cable damage and which factors did not.

10.7 Appendices B.1 and B.2 rely on risk-informed methods to eliminate deterministic requirements. The conservative deterministic requirements are in balance with the non-conservative assumptions that are also used in the deterministic analysis. If these requirements were to be eliminated, the deterministic analysis could then be non-conservative.

11. Appendix C - High/Low Pressure Interfaces:

11.1 The criteria, definitions, and interpretations presented in this appendix need additional information to fully address established concerns regarding high/low pressure interfaces. As described in Generic Letter 81-12, and Information Notice 87-50, the fundamental concern for high/low pressure interfaces is the potential for a single fire to initiate an unrecoverable loss of reactor coolant system inventory that is in excess of the available makeup capability (i.e., LOCA). The language in other sections of NEI 00-01 appears to be consistent with this interpretation. For example, in describing the potential effects of fire-induced spurious operations, Section 3.1 states that one of the concerns is, "a loss of reactor pressure vessel/reactor coolant inventory in excess of the safe shutdown makeup capability..."

Additionally, Appendix B, paragraph B.3.0, states that selected high/low pressure interface equipment are evaluated to more stringent requirements, "to ensure that a fire induced LOCA does not occur." Contrary to the above, Appendix C defines high/low pressure interfaces of concern as only those valves whose fire-induced spurious operation would cause "a breach of the RCS boundary by failure of the downstream piping due to a pipe rupture." Using this criterion, certain valves whose spurious operation could initiate a loss of reactor coolant inventory in excess of makeup capability, such as the Pressurizer PORVs in a PWR or SRVs in a BWR, that credits the use of a high-pressure/low volume pump to accomplish the RCS makeup function, may not be evaluated against the more stringent requirements established, "to ensure that a fire induced LOCA does not occur."

11.2 This appendix states that valves that open directly to the atmosphere are not high/low pressure interfaces and, therefore, would not be considered to be subject to increased protection (such as protection from 3-phase faults). A valve opening to atmosphere would be a much more severe event than a high/low pressure interface accident as discussed in this chapter. How would high pressure to atmospheric pressure interfaces be treated?

11.3 Consistent with its position in Section B.1-1, NEI 00-01 does not consider multiple circuit faults that result in a high/low pressure interface. An acceptable technical basis needs to be provided to support the relaxation of current NRC positions. The NEI positions and definitions concerning high/low pressure interfaces are inconsistent with established NRC positions and would be unacceptable without an adequate technical basis.

12. Appendix D - Alternative / Dedicated Shutdown Requirements

12.1 Paragraph D.2.0: The document should fully describe "physical and electrical independence" and provide specific examples of components, cables, and circuits that must be provided with this capability.

12.2 Paragraph D.2.0: The sentence, "Use of the term "Alternative" or "Dedicated" shutdown is applied to the specific plant areas and not to the equipment or methodology (capability) employed to achieve safe shutdown." requires further clarification as to its intent. Sections III.G and III.L of Appendix R specifically refer to "Alternative Shutdown Capability."

12.3 Paragraph D.4.0 states, "When utilizing Alternative or Dedicated shutdown capability, transients that cause...a short duration of RCS level below that of the level indication in the pressurizer for PWRs...have been deemed to be acceptable deviations from the performance goals." Provide a technical justification (reference to NRC guidance document, safety evaluation, or memorandum) that has found this to be an acceptable deviation from PWR performance goals.

12.4 Paragraph D.4.0: A technical justification and regulatory basis for the statement, "As is the case in all other fire areas, potential spurious operations are assumed to occur one-at-a-time," should be provided.

12.5 Paragraph D.4.0: The statement, "...the availability of redundant fusing should be considered when relying on transfer switches," needs further clarification. What level of "consideration" is necessary? What factors must be considered? Section D.5.0 states that either isolation transfer switches with redundant fusing or electrical and physical isolation and manual manipulation of equipment must be provided. If the alternative shutdown capability is not provided with transfer switches, would fuse replacement be an acceptable means?

12.6 Paragraph D.4.0 states: "As clarified in the body of this document the term free of fire damage allows for the use of operator actions to complete required shutdown functions." For reasons described in previous comments above, this "statement" is inconsistent with regulatory requirements.

12.7 Paragraph D.5.0 states that actuation of an isolation transfer switch is an acceptable technique for mitigating the effects of spurious operation. This statement may not be valid for all cases and should be further defined. In general, the purpose of an isolation transfer switch is to preclude the maloperation of equipment by providing a means to isolate circuits that may be affected by fire. The ability of isolation transfer switch actuation to mitigate the effects of fire damage that may have occurred prior to transfer is a function of circuit design. For example, an isolation/transfer scheme that switches in a new source of electric power upon transfer of control to the Alternate Shutdown Panel would certainly mitigate the effects of fire damage to the "normal" source of electric power. The ability of similar schemes to mitigate (i.e., alleviate) the effects of fire damage that caused an MOV to spuriously change position prior to actuation of the transfer switch has not been technically justified.

12.8 Section D.2.0, paragraph 1, states that Alternative/Dedicated shutdown is generally provided for the control room. Are there any known exceptions to this? If not, the word "generally" should be deleted.

12.9 Section D.3.0, overview: Many control panels (bench boards/backboards) use nonrated cables, and are not sealed from adjoining panels. A technical justification should be provided as to why it is assumed that a fire would not be expected to affect multiple panels. Also, the smoke generated from a fire in one panel could cause problems in other panels. There are also implications that there is a lack of ignition sources. However, experience has shown that where there is electricity there are always potential ignition sources. This section also implies that all main control rooms have automatic fire suppression, which is not the case.

12.10 With regard to the NEI positions concerning "short duration" partial core uncovery or loss of pressurizer level indication, there should be some supporting analysis acceptable to the NRC staff. This analysis should establish limits on the duration and the acceptability of these transients. That analysis may be cited in NEI 00-01 or in plant specific analyses.

12.11 This section should address the method to be used to identify that spurious actuations have occurred such that credit can be taken for operator actions. This differs from established staff positions that a means to detect spurious operation must be protected. This section also allows the crediting of numerous operator actions prior to control room abandonment. The established staff position in Generic Letter 86-10, question 3.8.4, is that only a reactor trip should be credited prior to the abandonment of the control room. This section assumes that alternative/dedicated shutdown only applies to scenarios that require the evacuation of the control room. Alternative/dedicated shutdown must be provided for any fire area that contains redundant trains of safe shutdown equipment that have not been separated in accordance with the requirements specified in Section III.G.2 of Appendix R. Some plants have several alternative/dedicated shutdown areas that do not necessitate control room abandonment.

13. Appendix E - Manual Actions and Repairs

13.1. Paragraph E.2.0 states, "Manual actions on equipment... is allowed under the definition of free of fire damage." As previously discussed, this statement is not consistent with current established regulatory criteria.

13.2. Paragraph E.3.0: The statement that the use of manual operator recovery actions will provide an "equivalent mitigation capability to automatic operation" if they can be "performed in a time frame sufficient to restore level prior to the onset of core damage" truncates the minimum capabilities and performance goals of shutdown systems specified in Section III.L of Appendix R. This appears to contradict staff guidance established in Generic Letter 91-18, "Information to Licensees Regarding Two Inspection Manual Sections on Resolution of Degraded and Nonconforming Conditions and Operability," dated November 7, 1991.

Specifically, in Section 6.7, the Generic Letter states, "Although it is possible, it is not expected that many determinations of operability will be successful for manual action in place of automatic action. Credit for manual initiation to mitigate the consequences of design basis accidents should have been established as part of the licensing review of the plant." Additionally, the statement appears to be predicated on the assumption that operators will always accomplish desired activities in a satisfactory manner under high-stress conditions.

13.3. Paragraph E.4.0: The statement, "From an operational perspective, there is no meaningful distinction whether an action is defined as a manual action or repair since the same considerations apply." requires further clarification/explanation. In general, repairs are more complex than manual actions, typically involving the use of tools (fuse puller, screwdriver, wrench, etc.) and/or may expose personnel to additional hazards. Additionally, because the NEI document acknowledges that hot shutdown conditions must be achieved without repairs (but allows manual actions), this statement further reinforces the position that reliance on manual actions does not provide an equivalent level of safety to that which would be provided by fire protection features specified in the regulation.

13.4. Paragraph E.6.0, Criterion 1: The phrase "such that an unrecoverable condition does not occur" should be replaced with "such that performance criteria of Appendix R Section III.L.1 and III.L.2 are met." The basis for this is in Information Notice 84-09, Section V, which states, "The systems and equipment needed for post-fire safe shutdown are those systems necessary to perform the shutdown functions defined in Section III.L of Appendix R... The acceptance criteria for systems performing these functions is also defined in Section III.L... These guidelines apply to the systems needed to satisfy both Section III.G and III.L of Appendix R."

13.5. Paragraph E.6.0, Criterion 3: In general, no credit may be taken for operator recovery actions in the fire affected area or for actions that require an operator to traverse a fire affected area. However, these types of actions have been approved on a case-by-case basis where it has been clearly demonstrated that the actions are not "time critical" to post-fire safe shutdown (will not be required to be performed for some time after the initiation of fire) and the actions are tenable from a human performance/environmental perspective. The document should define the set of minimum performance standards/criteria for demonstrating the acceptability of performing manual operator actions in the fire affected area or in traversing fire affected areas.

13.6. Paragraph E.6.0, Criterion 4: Provide a technical and regulatory basis for stating that the path to and from remote buildings need not be provided with outdoor battery-backed emergency lighting. The need for this type of lighting may vary widely between plants and should be evaluated. Depending on the plant-specific features and post-fire shutdown strategy employed, such an evaluation may identify specific locations such as outdoor stairwells or other locations where battery-backed emergency lighting units may be needed to prevent personal injury.

13.7. Paragraph E.6.0, Criterion 5: Provide a technical basis for relying on a system change as a means of confirming that a manual operator action has achieved its objective. A "system" change may be caused by any one of a number of variables. For example, would reliance on pressurizer level indication alone be sufficient to diagnose the specific reason that pressurizer level is dropping?

13.8. Paragraph E.6.0, Criterion 6: The phrase "available and accessible" should be defined.

13.9. Paragraph E.6.0, Criterion 7: The phrase "provisions for communications" should be defined.

13.10. Paragraph E.6.0, Criterion 8: Provide additional specific guidance for determining when procedures are required.

13.11. Paragraph E.6.0 - Other Types of Actions: states that the need for emergency lights, communications, and timing considerations need not be addressed for manual actions specified as backup or confirmatory actions. This statement should be substantiated. For example, when an operator needs to confirm proper system alignment by monitoring indication of a local flow instrument, there is a need for emergency lighting and communications at the flow instrument. As another example, consider the case where the post-fire shutdown strategy relies on operator actions to remove motive power from certain motor-operated valves (i.e., trip the MOV breaker at the MCC) as a means of preventing their spurious actuation as a result of fire damage to unprotected control cables. Because the MOV control circuits have not been provided with suitable fire protection features necessary to prevent spurious actuations there is a potential that the valve(s) may have changed position prior to the removal of motive power.

Due to this lack of assured protection, operators are procedurally directed to "confirm" or "verify" the position of potentially affected motor-operated valves. Under the criterion provided in NEI 00-01, it is not clear if such "confirmatory" actions would require the need for emergency lighting and communications to be considered.

13.12 Section E.5: Clarify the following definitions: manual means not automatic. Local typically means that the function is performed at the location of the device, i.e., valve or breaker. What is listed as Local Control would more commonly be known as Remote Manual. The Manual Control would more commonly be known as Manual. Manual Operation would be known as Local. The terms control and operation are typically used interchangeably. If they mean different things they should be defined separately.

13.13 Section E.5, Definitions: It should be stated that repair activities are intended to restore functions and not equipment, especially since equipment may be destroyed in a fire event.

13.14 Section E.6, Criteria, bullet 4: Provide the technical basis for the statement that access/egress/emergency lighting is not required for actions not required for 8 hours. In the same paragraph, last sentence: This sentence should state that exterior security lighting may be relied upon if independent 8 hour power supply is available.

13.15 Section E.6, Criteria 5 and 8: Replace "should" with "shall."

13.16 Section E.6, Additional Criteria Specific to Repairs, bullet 2: This bullet should be clarified. For example, if hot shutdown can be maintained indefinitely, would there still be a requirement to be equipped to go to cold shutdown? If cold shutdown repairs are expected to be able to be completed in 10 hours and hot shutdown can only be maintained for a little more than 10 hours, would this be acceptable?

13.17 This section combines criteria for hot shutdown/standby with cold shutdown which could confuse users as the requirements are different. NEI 00-01 states that the same considerations apply both to manual actions and repairs, which may not be true. This section also allows operator actions in, and travel through, the fire affected area to achieve hot shutdown/standby which is inconsistent with current NRC requirements.

14. Appendix F - Supplemental Selection Guidance for Pilot Evaluation

14.1 Bullets on the first page F-1. Are the two approaches complementary, or are they sequential? Identifying the potential for flow diversion and blockages, and identifying those SSCs that could lead to diversions and blockages is certainly a necessary step. It is a prerequisite to modifying the Probabilistic Safety Analysis (PSA) model. Is the intention here to modify the model to include the impact of spurious actuations? However, even if the model were modified, the quantification will be a function of what has been assumed for the probability of spurious actuation. Is the intention that a high probability be assumed so that possible spurious actuations are not prematurely screened?

14.2 The three steps describing the use of a plant logic model that includes all possible fire events should provide more useful guidance. The first sentence in Step 1(a) appears to be open-ended and provides little guidance on how to identify missing sequences. The remainder of the paragraph needs more substance. Step 1(b) is a reiteration of the first bullet (Identify flow diversions etc.) on the previous page. Step 2 gives examples of what components are NOT susceptible to fire, but gives no indication on how to identify which components are susceptible to fire. It's not clear what is meant by the first sentence in Step 3. Should it be interpreted as "Run the new model, and exclude (i.e., screen out) components/combinations with a..."? Provide the metric for the screening criterion. With a screening value of 1E-02, it clearly should not be CDF.

14.3 Appendix F: Provide additional guidance on how unacceptable consequences can be evaluated using a PSA. There is no CDF where an unacceptable consequence becomes acceptable. The consequence is unacceptable regardless of the probability.

14.4 NEI 00-01 provides guidance on resolving potential circuit failures that represents an alternative to established NRC requirements and guidance. NEI 00-01 states that only those multiple spurious actuations that result in immediate and unrecoverable consequences comparable to high/low pressure interfaces (as redefined in the NEI document) need to be considered. This is inconsistent with NRC requirements. The NEI guidance excludes components that provide space/heating or cooling even if required for hot shutdown/standby from consideration based on the potential for recovery by plant personnel which would need to be technically justified. The NEI guidance also allows the elimination of components from consideration if the probability is less than 1E-2 without consideration of the consequences of the event and without appropriate treatment of the uncertainty in the determination of the probability.

15. General Comment

The staff's safety concerns regarding a self-induced station blackout following a fire have not been addressed in the NEI document. Risk assessments conducted by the Brookhaven National Laboratory for the NRC staff have indicated that fire events that cause plants to enter a self-induced station blackout to resolve spurious operation concerns can be significant contributors to plant risk. Staff guidance contained in Regulatory Guide 1.189 addresses this concern.

Summary

In order for this proposed approach to be more useful in the regulatory arena, it should retain sufficient margins of safety, so that it could be considered risk-informed rather than risk-based.

Some conservative elements of a deterministic approach may be useful towards that end in addressing high consequence events and areas where there is a high degree of uncertainty involved. Key to the application of a valid risk methodology is a careful consideration of these uncertainties. Within the context of application of a risk methodology for circuit analysis, the defensible selection of input data and rigorous analysis of that data is critical.

One test of a defensible risk screening methodology would be that the methodology not only reduces unnecessary regulatory burden, but that the methodology also identifies configurations that present unacceptable risk so that they can be addressed. NEI 00-01 in its final form should be able to meet this challenge and represent a balanced risk perspective on the safety of circuit configurations for fire protected safe shutdown.