ML17229B577

Responds to Re in 92-18, Potential for Loss of Remote Shutdown Capability During Control Room Fire, on 920228.Staff Response to Technical Issues Raised in Ltr Encl
ML17229B577
Person / Time
Issue date: 03/11/1997
From: Collins S
NRC (Affiliation Not Assigned)
To: Ralph Beedle
NUCLEAR ENERGY INSTITUTE (FORMERLY NUCLEAR MGMT &
References
PROJECT-689 IEIN-92-018, IEIN-92-18, NUDOCS 9703130284


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555-0001

March 11, 1997

Mr. Ralph E. Beedle
Senior Vice President and Chief Nuclear Officer
Nuclear Energy Institute
1776 I Street, NW, Suite 400
Washington, DC 20006-3708

Dear Mr. Beedle:

I am responding to your letter of January 14, 1997, concerning U.S. Nuclear Regulatory Commission (NRC) Information Notice (IN) 92-18, "Potential For Loss of Remote Shutdown Capability During a Control Room Fire," February 28, 1992.

As you are aware, IN 92-18 addressed conditions, found and reported by several licensees, that could have resulted in the loss of capability to achieve and maintain safe shutdown conditions in the event of a control room fire. Specifically, the circuit logic associated with certain motor-operated valves, when subjected to a single fire-induced hot short, could have resulted in a spurious permissive signal. The spurious signal could have caused the valve to operate, bypassing the protective features, and resulting in mechanical valve damage. Such fire-induced damage could have impaired the capability to shut down the plant and maintain it in a safe shutdown condition.

During a public meeting on February 7, 1997, the NRC staff discussed with you and other representatives of the Nuclear Energy Institute (NEI) the questions and issues raised in your letter.

During the meeting, the staff indicated that it agreed with your position that information notices should not be used to impose new requirements on licensees or to dispense new staff positions or guidance. The staff presented its positions regarding fire-induced hot shorts and spurious signals and its position that the safety issue addressed in IN 92-18 (the potential for fire-induced hot shorts to impair the capability to achieve and maintain safe shutdown) is within the scope of the existing fire protection regulation.

The staff also explained how the regulation and published staff positions and guidance support this position and why its review and inspection of the technical and safety issues addressed in IN 92-18 does not constitute a plant-specific backfit.

During the meeting, the staff stated that it also agreed with your position that enforcement actions should not be taken against a licensee for failure to comply with information notices.

Although specific enforcement actions were not discussed during the meeting, the staff acknowledged that it had recently issued notices of violation to several licensees in response to findings of post-fire safe shutdown deficiencies involving hot shorts.

In each case, the enforcement actions were dependent on the circumstances of the case and were taken against a licensee for failure to comply with the applicable regulatory requirements, consistent with established regulatory positions, and not for failure to comply with an information notice.

The staff treated your concerns in accordance with its procedures for managing backfits.

After considering the information you submitted in your letter, the discussions with NEI and licensee representatives during the meeting of February 7, 1997, and re-evaluating the fire protection regulation and applicable staff positions and guidance, the staff concluded that its position (that the technical issue addressed in IN 92-18 is within the scope of the existing fire protection regulation) is justified. On this basis, the staff has also concluded that its continued review and inspection of fire protection issues, including such technical and safety issues as those addressed in IN 92-18, is appropriate.

In addition, the staff is considering the need to take further action to ensure that licensees understand and comply with the applicable regulatory requirements.

With respect to enforcement actions, the staff will continue to enforce the Commission's requirements in accordance with the guidance of NUREG-1600, "General Statement of Policy and Procedures for NRC Enforcement Actions," and the "NRC Enforcement Manual." As you are aware, licensees that question enforcement actions may contest them in accordance with the procedures in 10 CFR Part 2, Subpart B. Furthermore, licensees that believe a staff position is a backfit with regard to its facilities may raise such claim in accordance with established NRC policies and procedures.

This includes submitting the claim in writing to either the Director of NRR or the Regional Administrator supervising the NRC employee who issued the staff position in question, with a copy to the NRC Executive Director for Operations.

The staff's response to the technical issues you raised in your letter is enclosed.

Because you alleged in your letter that the staff was inappropriately backfitting new positions or interpretations regarding fire-induced hot shorts and spurious signals, I have referred your letter to the NRC Office of the Inspector General.

If you have questions about the staff positions or IN 92-18, please have your staff contact the NRC point of contact for fire protection matters, Steven West, Chief, Fire Protection Engineering Section.

Mr. West can be reached at 301-415-1220.

If you disagree with the NRC staff positions, or you wish to further your backfitting claim, you can appeal to the NRC Executive Director for Operations.

Sincerely, Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Enclosure: As stated

cc w/encl.: See next page

Project No. 689

DISTRIBUTION: See attached list

DOCUMENT NAME: NEI92 18.RSP

See previous concurrence. Letter reviewed by STreby, OGC. Comments incorporated.


N' no copy OFFICE NAME NRR:SPLB PMadden NRR:SPLB SWest'RR:SPLB LBMarsh.'Holahan AThadani':DSSA:NRR ADT:NRR DATE 02/11/97 02/11/97 02/11/97 02/20/97 02/28/97 OFFICE D:NRR D:OE D:

NAME DATE BCalure 01/31/97 JLieberman 02/24/97 S


NEI Project No. 689

cc:

Mr. Ralph Beedle
Senior Vice President and Chief Nuclear Officer
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Alex Marion, Director
Programs
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. David Modeen, Director
Engineering
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Anthony Pietrangelo, Director
Licensing
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Ronald Simard, Director
Advanced Technology
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Thomas Tipton, Vice President
Operations
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Jim Davis, Director
Operations
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Ms. Lynnette Hendricks, Director
Plant Support
Nuclear Energy Institute
Suite 400
1776 I Street, NW
Washington, DC 20006-3708

Mr. Nicholas J. Liparulo, Manager
Nuclear Safety and Regulatory Activities
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, Pennsylvania 15230

ENCLOSURE

ASSESSMENT OF NEI CONCERNS REGARDING NRC INFORMATION NOTICE 92-18 "POTENTIAL FOR LOSS OF REMOTE SHUTDOWN CAPABILITY DURING A CONTROL ROOM FIRE"

1 BACKGROUND

On February 28, 1992, the U.S. Nuclear Regulatory Commission (NRC) issued Information Notice (IN) 92-18, "Potential for Loss of Remote Shutdown Capability During a Control Room Fire." The IN addressed the potential for a control room fire to cause electrical short circuits between normally energized conductors and conductors associated with the control circuitry of motor-operated valves (MOVs) required to achieve and maintain post-fire safe shutdown conditions. Such an event could cause certain valves to spuriously actuate. In addition, because of the location of the circuit fault, the MOV torque and limit switches could be ineffective to stop valve operation. Moreover, because thermal overload protection had been bypassed at some facilities, the potential existed for fire-induced spurious valve actuations to result in sufficient mechanical damage to prevent the reactor operators from manually operating the affected valves. This could result in a loss of capability to achieve or maintain safe shutdown conditions.

2 APPLICABLE REGULATORY REQUIREMENTS AND GUIDANCE

Title 10 of the Code of Federal Regulations, Part 50, Appendix R, Section III.G, "Fire protection of safe shutdown capability," paragraph 1.a, requires that "one train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) be free of fire damage." In addition, Section III.G, paragraph 2, requires that "where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area," a means be provided for ensuring one train of the redundant safe shutdown trains will be free of fire damage.¹

For those plants licensed after January 1, 1979, the applicable regulatory requirement is 10 CFR Part 50, Appendix A, Criterion 3, "Fire protection." Position C.5.b of NUREG-0800, Standard Review Plan 9.5.1 (SRP 9.5.1), "Fire Protection Program," Revision 3, dated July 1981, was used by the staff as review guidance. This guidance is the same as that specified by the technical requirements of Appendix R, Section III.G.

In Generic Letter (GL) 86-10, "Implementation of Fire Protection Requirements," dated April 24, 1986, the staff interpreted the term "free of fire damage." In Enclosure 1, "Interpretations of Appendix R," Interpretation 3, "Fire Damage," the staff stated, in part, that "the Commission has provided methods acceptable for assuring that necessary structures, systems and components are free of fire damage, that is, the structure system or component under consideration is capable of performing its intended function during and after the postulated fire as needed."

¹ The safety concerns associated with fire-induced hot shorts, open circuits, or shorts to ground in safe shutdown and associated circuits, which could prevent operation or cause maloperation of redundant shutdown trains, were predicated on the numerous adverse conditions that occurred during the Browns Ferry fire of March 25, 1975. Reference NUREG-0050, "Recommendations Related to Browns Ferry Fire," February 1976.

Where redundant safe shutdown trains are susceptible to fire damage, Appendix R, Section III.G, paragraph 3, states that "alternative or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area, room or zone under consideration shall be provided." Section III.L, "Alternative or dedicated shutdown capability," paragraph 1, specifies that the "alternative or dedicated shutdown capability provided for a specific fire area shall be able to (a) achieve and maintain subcritical reactivity conditions in the reactor; (b) maintain reactor coolant inventory; (c) achieve and maintain hot standby for a PWR [pressurized water reactor] (hot shutdown for a BWR [boiling water reactor]); (d) achieve cold shutdown within 72 hours; and (e) maintain cold shutdown conditions thereafter."

For plants licensed after January 1, 1979, Position C.5.c of SRP 9.5.1 was used by the staff as review guidance. This guidance is the same as that specified by the technical requirements of Appendix R, Section III.L.

Section III.L, paragraph 3, states, "[t]he shutdown capability for specific fire areas may be unique for each such area, or it may be one unique combination of systems for all such areas."

In addition, this paragraph specifies that "the alternative shutdown capability shall be independent of the specific fire area(s)..."

Section III.L, paragraph 7, states, "[t]he safe shutdown equipment and systems for each fire area shall be known to be isolated from associated non-safety circuits in the fire area so that hot shorts, open circuits, or shorts to ground in the associated circuits will not prevent the operation of the shutdown equipment."

In Enclosure 3 to GL 81-12, "Fire Protection Rule," dated February 20, 1981, the staff stated, "[i]n evaluating alternative shutdown methods, associated circuits are circuits that could prevent the operation or cause the maloperation of the alternative train which is used to achieve and maintain hot shutdown conditions due to the fire induced hot shorts, open circuits, or shorts to ground."

The guidance of GL 81-12 recognized that a fire is capable of inducing multiple hot shorts, shorts to ground, or open circuits. Therefore, in order for the alternative shutdown capability to perform its intended function, the shutdown equipment that it relies on must be capable of performing its functions after it has been electrically isolated from the fire area of concern (e.g., control room and the cable spreading room).

In GL 86-10, the staff issued additional guidance regarding the regulatory requirements regarding the need to isolate fire-damaged circuits, mitigate spurious actuations (more than one), and retain functionality of the safe shutdown components after their transfer.

In its response to Question 3.8.4, "Control Room Fire Considerations," the staff stated, "[t]he damage to the systems in the control room cannot be predicted. A bounding analysis should be made to assure that safe shutdown conditions can be maintained from outside the control room."

In addition, the staff stated, "[t]he analysis should demonstrate that the capability exists to manually achieve safe shutdown conditions from outside the control room by restoring a.c. power to designated pumps, assuring that valve lineups are correct, and assuming that any malfunctions of valves that permit the loss of reactor coolant can be corrected before unrestorable conditions can occur." The staff's response to this question recognized that a fire can induce signals that cause operational changes (e.g., valves changing position) to the plant. In IN 92-18, the staff addressed such conditions. That is, actual reported conditions related to the design of post-fire safe shutdown components and the potential for certain components to be damaged by fire-induced faults to unrestorable conditions before the licensee could transfer electrical transfer and isolate required equipment at local control stations outside the control room.

In its response to Question 5.2.1, "Shutdown and Repair Basis," the staff identified that fire damage can cause multiple-system unavailabilities and spurious system or component actuations and that methods for restoring needed systems and mitigating spurious actuation should be stated in procedures.

The staff stated, "[s]afe shutdown capabilities including alternative shutdown capabilities are all designed for some maximum level of fire damage (system unavailabilities, spurious actuations). Since the extent of the fire cannot be predicted, it seems prudent to have the post-fire shutdown procedures guide the operators from full system availability to the minimum shutdown capability."

In its response to Question 5.3.1, "Circuit Failure Modes," the staff addressed the circuit failure modes that "must be considered in identifying circuits associated by spurious actuation."

The staff stated, "Sections III.G.2 and III.L.7 of Appendix R define the circuit failure modes as hot shorts, open circuits, and shorts to ground. For consideration of spurious actuations, all possible functional failure states must be evaluated, that is, the component could be energized or de-energized by one or more of the above failure modes. Therefore, valves could fail open or closed; pumps could fail running or not running; electrical distribution breakers could fail open or closed."

In this response, the staff reiterated the regulatory requirement that multiple spurious actuations caused by fire-induced hot shorts, shorts to ground, or open circuits must be considered and evaluated.

The staff also indicated that a component could be energized or de-energized by hot shorts, shorts to ground, or open circuits which could result in valves failing open or closed; pumps could fail running or not running, etc.

The principal purpose of this guidance was to ensure that licensees performed an analysis of sufficient scope and depth to identify and mitigate the potential adverse consequences of hot shorts, shorts to ground, and open circuits on safe shutdown-related control circuits and their associated logic. These could include, for example, spurious pump start without injection or a minimum flow path, and spurious opening or closing of MOVs by signals that bypass the valves' protective features.

Later, in IN 92-18, the staff alerted licensees to the potential for fire-induced hot shorts to cause valves to fail open or closed and that hot shorts could bypass the protection features of the valve motors.

To limit the scope of the plant equipment needed to meet the reactor performance goals of Section III.L of Appendix R, the staff, in its response to GL 86-10, Question 5.3.10, "Design Basis Plant Transients," specified the plant transient that licensees should consider to determine the design capacity and capabilities of the alternative or dedicated shutdown system.

This guidance established the design input limits for the reactor coolant inventory loss, flow diversion affecting systems needed to perform the reactor coolant makeup function, onsite power sequencing logic, etc.

The design criteria specified by the staff were:

Loss of offsite power shall be assumed for a fire in any fire area concurrent with the following assumptions:

a. The safe shutdown capability should not be adversely affected by any one spurious actuation or signal resulting from a fire in any plant area; and

b. The safe shutdown capability should not be adversely affected by a fire in any fire area which results in the loss of all automatic function (signals, logic) from the circuits located in the area in conjunction with one worst case spurious actuation or signal resulting from the fire; and

c. The safe shutdown capability should not be adversely affected by a fire in any plant area which results in spurious actuation of the redundant valves in any one high-low pressure interface line.

The staff expected licensees to apply this guidance to establish the capacity and capability (e.g., size the pumps and support systems needed to maintain reactor coolant inventory, define the scope of onsite electrical power distribution and power needs, and establish an operational baseline and set of plant conditions that would define the scope of initial manual actions needed to restore those systems necessary to accomplish the required reactor performance goals).

Application of this guidance is based upon the alternative shutdown system being (1) physically and electrically independent of the fire area of concern, and (2) isolated from associated circuits so that hot shorts, shorts to ground, and open circuits in these circuits will not prevent the operation of safe shutdown equipment or components.

3 ASSESSMENT OF CURRENT ISSUES AND NEI CONCERNS

In the enclosure to its letter of January 14, 1997, the Nuclear Energy Institute (NEI) stated, "[t]he postulated fire is quite large and results in control room evacuation. Additionally, the loss of remote shutdown capability would require a hot short that occurs during the narrow time window between the evacuation of the control room and manning of the emergency control station(s), such that MOVs are mechanically damaged and their function cannot be recovered. The potential for this type of fire in a continuously manned area coincident with the theoretical hot short is remote."

On the basis of the information provided by NEI in its letter, it appears that there may be some uncertainty about the size and duration of the fire needed for spurious component or equipment actuations to occur. As stated in the staff responses to Question 3.8.4 and Question 5.2.1 of GL 86-10, it is the staff's position that it is not possible to predict the number of spurious signals that would occur or the changes to the operational configuration of the plant that would occur in the event of a fire. The staff has found that evacuation criteria for control room fires are plant specific.

The shift supervisor is responsible for deciding when to evacuate.

In its interviews with control room operators, the staff has found that alternative shutdown (control room abandonment and shutdown from outside the control room) would not be implemented until significant functional capability of the control room had been lost. A small fire, even if it does not necessitate control room evacuation, could cause equipment maloperations due to shorts to ground, hot shorts, and open circuits.

Such failures occurred during the Browns Ferry fire.

From an operational perspective, most essential plant equipment is controlled and monitored from the main control board.

The timing of control room evacuation in the event of a fire can be a critical factor in preserving the operability of the safe shutdown functions that are controlled from outside the control room by the alternative shutdown system.

For example, a small fire in the main control board may not result in a smoke or heat environment that would necessitate immediate evacuation of the control room or the actuation of the alternative (or remote) shutdown system.

However, such a fire could, in a short time, adversely affect plant annunciators and change the plant configuration due to fire-induced spurious signals.

The staff is concerned that such fire-induced spurious signals could cause maloperation of MOVs required by the post-fire alternative safe shutdown systems before control is transferred from the control room to the remote shutdown panel.

In addition, the spurious signal may bypass the MOVs' protective features which could lead to MOV damage.

This could adversely affect the ability to achieve and maintain safe shutdown conditions.

The potential for hot shorts during a control room fire that could adversely affect MOV operation was found and reported by licensees (Washington Public Power Supply System, Pennsylvania Power and Light Company, and Northern States Power Company) as an unanalyzed condition regarding fire protection and the capability to achieve and maintain post-fire safe shutdown.

In view of the generic nature of the concern, its potential safety significance, and concerns about the depth and scope of analyses performed by licensees of post-fire safe shutdown associated circuits, the staff issued IN 92-18 to alert the industry to the reported conditions.

It was the staff's position at that time that this unanalyzed condition was within the scope of existing NRC fire protection regulations.

The staff expected that licensees would evaluate the information in the IN, and its safety significance with respect to its potential impact on plant-specific post-fire safe shutdown implementation and take appropriate actions.

In a letter to its administrative points of contact dated August 13, 1992, the Nuclear Management and Resources Council (NUMARC, now NEI) advised licensees that it considered conditions resulting from a control room fire as identified in IN 92-18 to be very unlikely. In addition, NUMARC advised licensees to give careful consideration to any of its plans regarding plant design changes in response to IN 92-18.

NUMARC based its advice on the assumption that fire-induced hot shorts, shorts to ground, or open circuits that can prevent operation or cause maloperation of plant equipment can only occur as a result of a fire condition that causes the control room to be evacuated and only during the time it takes to evacuate the control room and establish control of the required safe shutdown equipment at the respective emergency control stations.

The staff notes that NUMARC did not provide technical justification or bases for this assumption.

In addition, for the reasons stated above, the staff disagrees with this position.

It appears that the NUMARC guidance may have encouraged some licensees to dismiss IN 92-18 and to forego assessing the technical and safety issues.

The staff also noted that NUMARC, in its letter of August 23, 1992, did not question the applicability of the IN 92-18 issues to existing NRC regulatory requirements.

4 CONCLUSIONS

As discussed above, the regulatory requirements and supporting staff positions are well-documented.

NRC regulatory requirements recognize that fires can induce multiple hot shorts, shorts to ground, and open circuits.

The regulatory requirements also specify that such circuit failures shall not prevent the operation or cause the maloperation of required post-fire safe shutdown components.

In IN 92-18, the staff described conditions related to the design of post-fire safe shutdown components and the potential for certain components to be damaged by fire-induced faults before electrical transfer and isolation could be accomplished at local control stations outside the control room.

This could result in shutdown-related equipment and components being incapable of performing their intended functions after they have been electrically isolated from the fire area of concern.

Therefore, the staff concluded that such design configurations do not provide reasonable assurance that the minimum and limited shutdown functions controlled by the alternative shutdown system can be performed as required by regulatory requirements.

The staff also concluded that the safety issue addressed in IN 92-18 is within the scope of the existing fire protection regulation.

Therefore, staff review and inspection of the technical and safety issues addressed in IN 92-18 does not constitute a plant-specific backfit.

Finally, the staff has also concluded that its continued review and inspection of fire protection issues, including such technical and safety issues as those addressed in IN 92-18, is needed to emphasize the importance of compliance with NRC fire protection requirements and to verify licensee compliance with those requirements and the existing licensing basis.