RIS 2005-30, Clarification of Post-Fire Safe-Shutdown Circuit Regulatory Requirements
| ML053360069 | |
| Person / Time | |
|---|---|
| Issue date: | 12/20/2005 |
| From: | Charemagne Grimes NRC/NRR/ADRA/DPR |
| To: | |
| Robert Radlinski, NRR, 301-415-3174 | |
| References | |
| RIS-05-030 | |
| Download: ML053360069 (17) | |
ML053360069 UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
Washington, D.C. 20555-0001 December 20, 2005 NRC REGULATORY ISSUE SUMMARY 2005-30
CLARIFICATION OF POST-FIRE
SAFE-SHUTDOWN CIRCUIT REGULATORY REQUIREMENTS
ADDRESSEES
All holders of operating licenses for nuclear power reactors, except those who have permanently ceased operations and have certified that fuel has been permanently removed from the reactor vessel.
INTENT
The U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS)
to clarify regulatory requirements related to post-fire safe-shutdown circuit analyses and protection, particularly the requirements of Title 10 of the Code of Federal Regulations
(10 CFR) Part 50, Appendix R, which have been interpreted by licensees in a manner that is not consistent with regulatory expectations. The results of the cable fire test program carried out by the Electric Power Research Institute (EPRI) and the Nuclear Energy Institute (NEI) in 2001 confirmed the importance of compliance with these regulatory requirements.
The industry and NRC regional inspectors have requested clarification of regulatory expectations for post-fire safe-shutdown circuits. Clarifying the requirements will also assist licensees in deciding whether to transition to a risk-informed, performance-based fire protection program.
This RIS clarifies the scope of the analysis of post-fire spurious actuations that could impact safe shutdown; the use of operator manual actions with respect to protection of associated circuits; and the use of emergency control stations in accordance with Appendix R,Section III.G.1.a. The regulatory requirements with respect to circuit analysis assumptions regarding the timing and sequencing of post-fire spurious actuations will be clarified in a separate generic communication.
The Enclosure to this RIS explains the basis for the regulatory expectations in more detail and discusses the various stakeholder approaches to these issues.
This RIS also gives the NRC staffs views on the use of NEI guidance document NEI 00-01, Guidance for Post-Fire Safe Shutdown Circuit Analysis, Revision 1 (ML050310295), in complying with Appendix R. The deterministic methodology presented in NEI 00-01, when applied in accordance with the regulatory expectations described in this RIS, is one acceptable approach to the analysis of post-fire, safe-shutdown circuits.
Note that RIS 2004-03, Revision 1, Risk-Informed Approach for Post-Fire Safe-Shutdown Circuit Inspections (ML042440791) provides guidance on doing risk-informed circuit inspections, whereas this RIS clarifies the regulatory requirements of Appendix R.
This RIS does not affect the approved license condition for plants that have adopted the fire protection standard license condition that permits changes to the approved fire protection program without prior NRC approval if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.
This RIS requires no action by or written response from addressees.
BACKGROUND INFORMATION
The requirements for post-fire safe shutdown are given in 10 CFR 50.48 and 10 CFR Part 50,
Appendix A, General Design Criterion 3. In addition, all nuclear power plants (NPPs) licensed to operate before January 1, 1979, are required to comply with 10 CFR Part 50, Appendix R,
Section III.G, Fire Protection of Safe Shutdown Capability. All NPPs licensed to operate after January 1, 1979, were evaluated against Section 9.5.1 of NUREG-0800, Standard Review Plan (SRP). All NPP licensees must meet fire protection and license condition commitments made during the establishment of their fire protection program.
The objective of the fire protection requirements and guidance is to provide reasonable assurance that one train of systems necessary to achieve and maintain hot shutdown is free of fire damage. Reasonable assurance requires protection of circuits whose fire-induced failure could prevent the operation, or cause the maloperation, of equipment necessary to achieve and maintain post-fire safe shutdown. Each licensees fire protection program requires that a circuit analysis be done to identify these circuits and that fire-induced failures be adequately protected against.
In 1997 the NRC staff noticed that a series of licensee event reports (LERs) had identified plant-specific problems related to potential fire-induced electrical circuit failures that could prevent operation or cause maloperation of equipment necessary to achieve and maintain hot shutdown. The NRC staff documented these problems in Information Notice 99-17, Problems Associated With Post-Fire Safe-Shutdown Circuit Analysis. Because of the number of similar LERs, the NRC treated the issue generically. In 1998, the NRC staff started interacting with interested stakeholders to understand the problem and develop an effective risk-informed solution to the circuit analysis issue. NRC also issued Enforcement Guidance Memorandum 98-002, Revision 2 (ML003710123), to provide a process for treating inspection findings while the issues were being clarified. Because of the number of different stakeholder interpretations of the regulations, the NRC decided to temporarily suspend associated-circuit fire protection inspections. This decision is documented in an NRC memorandum from John Hannon to Gary Holahan dated November 29, 2000 (ML003773142). 1Additional analysis of the EPRI/NEI test results can be found in NUREG/CR-6776, Cable Insulation Resistance Measurements Made During Cable Fire Tests, which can be accessed from the NRCs public Web site.
In 2001 EPRI and NEI did a series of cable functionality fire tests to advance the nuclear industrys knowledge about fire-induced circuit failures, particularly the potential for spurious equipment actuations initiated by hot shorts. EPRI coordinated this effort and issued the final report, Spurious Actuation of Electrical Circuits Due to Cable Fires: Results of an Expert Elicitation (Report No. 1006961, May 2002).1 NEI considered the results of the testing in preparing NEI 00-01.
Over the past 5 years, the industry and the NRC staff have worked together to get a better understanding of possible and probable modes of circuit failures. They have taken part in numerous meetings and facilitated public workshops. Based on these efforts, the NRC staff has identified circuit configurations that are likely to fail in a fire and circuit configurations that have little or no likelihood of failing. These findings are reflected in RIS 2004-03 and in the revised inspection procedures. The NRC staff resumed inspection of fire-induced safe-shutdown circuits in January 2005.
The issues clarified in this RIS were discussed in an NRC public meeting on October 14, 2004, in Atlanta, GA (Summary of October 2004 Public Meeting on Fire Protection in Atlanta, ML043290020). In preparing this RIS, the NRC staff considered the comments provided by stakeholders during and after the October 2004 meeting and the comments received during the
60-day public comment period beginning May 13, 2005. On August 16, 2005, a public meeting was held to discuss the public comments and the NRC responses to the comments. A
summary of the comments and responses is available in ADAMS (ML053350125).
SUMMARY OF ISSUE
The NRC has issued several guidance documents on complying with fire protection requirements. Licensees have interpreted certain terms and phrases related to post-fire safe- shutdown circuit analysis in a manner inconsistent with NRCs regulatory requirements. In accordance with SECY-99-143, Revisions to Generic Communication Program, dated May 26,
1999 (ML992850037), the NRC staff believes that a RIS is the appropriate regulatory vehicle to address this need for additional clarification. This RIS clarifies issues related to post-fire safe-shutdown circuits and operator manual actions to help licensees understand the NRC
staffs expectations with respect to regulatory requirements.
The variety of interpretations with respect to the issues addressed in this RIS is due in part to the previous lack of knowledge regarding the potential for certain types of circuit failure mechanisms. The cable fire tests performed by EPRI/NEI significantly increased the body of knowledge available to the industry and the NRC with respect to fire-induced circuit failures and their potential to cause spurious actuations that could affect post-fire safe shutdown. The NRC
staff positions presented in this RIS are justified by the potential safety significance of these issues and are based on the current regulations applicable to these circuits. The NRC staff positions are also consistent with the National Fire Protection Association (NFPA) industry consensus standard NFPA 805, Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 edition, with respect to deterministic-based fire protection program features.
The deterministic methodology in Chapter 3 of NEI 00-01 for analysis of post-fire safe- shutdown circuits, in conjunction with the guidance provided in this RIS, is one acceptable approach to performing post-fire safe-shutdown circuit analyses. The risk significance analysis methodology provided in Chapter 4 and Appendix B of NEI 00-01 should only be applied where an NFPA 805 licensing basis has been adopted in accordance with 10 CFR 50.48(c) or to support exemption requests for plants that have not adopted an NFPA 805 licensing basis.
Furthermore, regardless of the plant licensing basis, the NRC endorses the NEI 00-01 guidance that all failures deemed to be risk significant, whether they are clearly compliance issues or not, should be placed in the plant Corrective Action Program with an appropriate priority for action. The remaining sections of NEI 00-01 provide acceptable circuit analysis guidance on both the deterministic approach and the risk-informed, performance-based approach.
Plants that do not adopt an NFPA 805 performance-based fire protection program (including plants licensed after January 1, 1979) but use a risk calculation approach to evaluating plant changes and noncompliances that affect the fire protection program must submit a license amendment for the changes or noncompliances in accordance with 10 CFR 50.90. The exception to 10 CFR 50.90 provided in the standard license condition and in 10 CFR 50.48(f)(3)
that allows licensees to make changes without NRC approval does not apply, because a risk calculation approach to evaluating plant changes deviates from the approved deterministic approach used in the licensing basis. Furthermore, the NRC staff has not reviewed licensees risk assessment tools for evaluating changes that affect the fire protection program against acceptable quality standards. Pending NRC review and approval of these methods, the NRC
staff cannot accept that risk calculation methods adequately demonstrate that a change or noncompliance would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.
The post-fire circuit analysis approach to the timing or sequencing of multiple spurious actuations commonly referred to as one at a time, is not addressed in this RIS. Since some stakeholders may consider the staff position on the regulatory basis for this phrase a new staff position, the staff will address this phrase in a separate generic communication.
This RIS clarifies the scope of the analysis of post-fire spurious actuations that could impact safe shutdown; the use of operator manual actions with respect to protection of associated circuits; and the use of emergency control stations in accordance with Appendix R,Section III.G.1.a. The discussion of each of these issues includes a summary description of the regulatory requirement and a statement of the NRC staff position. The NRC staffs positions are discussed in more detail in the Enclosure.
SCOPE OF SPURIOUS ACTUATION ANALYSIS
A.
NRC Regulatory Requirement: Paragraph III.G.2 of Appendix R states that cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions must be protected.
B.
B.
NRC Staff Position: Post-fire safe-shutdown circuit analyses should address any and all possible failures and combinations of multiple failures caused by spurious actuations resulting from fire-induced circuit failures in redundant systems in fire areas where the failures could impact safe shutdown (fire areas defined by Appendix R,
paragraph III.G.2).
The requirement to protect against any-and-all possible failures includes protecting against the possible failure of a motor-operated valve as a result of a fire-induced spurious signal that could override the valve motors protective features, causing valve failure if such fire-induced valve damage could impair the capability to shut down the plant and maintain it in a safe-shutdown condition.
The NRC staffs position on this issue is described in more detail in the Enclosure.
ASSOCIATED CIRCUITS
A.
NRC Regulatory Requirement: Appendix R, Paragraph III.G.2, states: Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided (emphasis added).
B.
NRC Staff Position: Cables whose fire-induced failure could cause maloperation of redundant trains in a III.G.2 area due to hot shorts must be protected. Operator manual actions are not identified as one of the acceptable methods of circuit protection in Appendix R, Paragraph III.G.2. Therefore, under current regulations for plants that have not adopted an NFPA 805 licensing basis, post-fire safe-shutdown circuit analyses may not credit operator manual actions for protection against spurious actuations caused by fire-induced failure of circuits associated with a redundant safe-shutdown train located in a III.G.2 area, unless the manual actions have been approved by the NRC.
The requirement to protect associated circuits includes protecting circuits that are themselves not directly used to perform a safe-shutdown function but can cause a spurious actuation and affect safe shutdown. Therefore, unapproved operator manual actions may not be credited for such circuits.
The NRC staffs position on this issue is discussed further in the Enclosure. USE OF EMERGENCY CONTROL STATIONS
A.
NRC Regulatory Requirement: 10 CFR Part 50, Appendix R, Section I, Introduction and Scope, states: One train of equipment necessary to achieve hot shutdown from either the control room or emergency control station(s) must be maintained free of fire damage by a single fire, including an exposure fire. Paragraph III.G.1.a of Appendix R also refers to emergency control stations.
B.
NRC Staff Position: III.G.1 protection for redundant safe-shutdown systems may not be claimed for redundant systems in a III.G.2 area by crediting an operator manual action at an emergency control station. Unless alternative or dedicated shutdown capability is provided, redundant circuits credited for post-fire safe shutdown and located in the same fire area must be protected in accordance with III.G.2 without the use of emergency control stations of any kind.
The NRC staffs position on this issue is discussed further in the Enclosure.
BACKFIT DISCUSSION
This RIS does not change any NRC staff position on the issues addressed herein and does not require an action by or a written response from licensees. Accordingly, this RIS is not a backfit under 10 CFR 50.109, and the NRC staff did not prepare a backfit analysis.
FEDERAL REGISTER NOTIFICATION
The subject matter of this RIS was discussed on October 14, 2004, at a public meeting in Atlanta, Georgia. Stakeholder feedback was considered in developing the final version of this RIS.
A notice of opportunity for public comment on this RIS was published in the Federal Register
(70 FR 25622, May 13, 2005). Public comments received during the 60-day public comment period were also considered in developing the final version of this RIS.
SMALL BUSINESS REGULATORY ENFORCEMENT FAIRNESS ACT OF 1996 In accordance with the Small Business Regulatory Enforcement Fairness Act of 1996, the NRC
has determined that this action is not a major rule, and the Office of Information and Regulatory Affairs of OMB has confirmed this determination.
PAPERWORK REDUCTION ACT STATEMENT
This RIS does not contain any information collections and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
CONTACT
Please direct any questions about this matter to the technical contact or the lead project manager listed below, or to the appropriate Office of Nuclear Reactor Regulation (NRR) project manager.
/RA/ By Herbert N. Berkow For/
Christopher I. Grimes, Director Division of Policy and Rulemaking Office of Nuclear Reactor Regulation Enclosure: Regulatory Expectations for Post-Fire Safe-Shutdown Circuit Analysis
Technical Contact:
Bob Radlinski, NRR/ADRA/DRA
301-415-3174 E-mail: rfr1@nrc.gov Lead Project Manager:
Chandu Patel, NRR/ADRO/DORL
301-415-3025 E-mail: cpr@nrc.gov Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under Electronic Reading Room/Document Collections.
ML053360069 OFFICE
SPLB:DSSA
Tech Editor SPLB:DSSA
BC:SPLB:DSSA
SC:TSS:IROB:DIPM
IIPB:DIPM
NAME
RRadlinski*
PKleene*
SWeerakkody*
JHannon*
TBoyce*
RGibbs*
DATE
10/ 12/05
10/05/05
10/12/05
10/12/05
10/28/05
11/01/05 OFFICE
D:DORL
BC:EEEB
DD:DRA
OGC:(SBREFA)
PMAS
NAME
CHaney RJenkins JLyons CHolzle*
STreby VTharpe*
DATE
12/12/05
12/9/05
12/14/05
10/25/05
12/14/05
11/01/05 OFFICE
OIS
PGCB:DPR
BC:PGCB:DPR
D:DPR
NAME
BShelton*
JLuehman AWMarkley CJackson CIGrimes/HNBerkow for DATE
10/25/05
12/8/05
12/15/05
12/20/05
12/20/05 REGULATORY EXPECTATIONS FOR
POST-FIRE SAFE-SHUTDOWN CIRCUIT ANALYSIS
This enclosure discusses the background of each of the terms that have been clarified in the RIS. This background discussion identifies the various interpretations that have been applied to the issues and notes the regulatory position and the basis for that position for each interpretation.
SCOPE OF SPURIOUS ACTUATION ANALYSIS
Appendix R, Paragraph III.G.2, does not identify any exceptions to the type of post-fire safe- shutdown circuit failures that must be protected against in accordance with III.G.2. However, the response to Question 5.3.1 of Generic Letter 86-10 specifies two exceptions to the circuit evaluation requirement of all possible functional failure states. The two exceptions are (1)
three-phase hot shorts in proper sequence and (2) more than two hot shorts of the proper polarity in ungrounded DC circuits (the response does not allow either of these exceptions to be applied to high/low pressure interfaces). Since these two exceptions were not called examples in GL 86-10, they are the only exceptions allowed by GL 86-10 to the type of post-fire safe- shutdown circuit failures that must be protected against in accordance with III.G.2.
Furthermore, unless protection is provided in accordance with III.G.2, it is generally agreed that in a deterministic approach to fire protection, such as the approach required by Appendix R, a fire is assumed to damage all circuits and equipment in a fire area. Therefore, any and all other post-fire safe-shutdown circuits must be protected in accordance with III.G.2 unless an alternative or dedicated shutdown system is provided in accordance with III.G.3.
In letters from R. E. Beedle of NEI dated January 14, 1997, to F.J. Miraglia of the NRC and from D.J. Modeen of NEI dated May 30,1997, to L.B. Marsh of the NRC, the industry challenged the scope of circuit failures defined by Appendix R and GL 86-10. These letters were in response to Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire (IN 92-18). The letters stated the industrys position on the possible failure of motor-operated valves as a result of a fire-induced spurious signal that could override the valve motors protective features, causing valve failure. The industry agreed that IN 92-18 describes a credible failure and that some licensees had addressed this failure mechanism in response to IN 92-18, but stated that this type of failure is highly improbable and not worthy of consideration.
As noted in IN 92-18, the NRC position on this issue is that such fire-induced valve damage could impair the capability to shut down the plant and maintain it in a safe-shutdown condition.
Furthermore, in Regulatory Guide 1.106, Thermal Overload Protection for Electric Motors on Motor-Operated Valves (RG 1.106), the staff stated that if thermal overload protection devices are bypassed, it is important to ensure that the bypassing does not jeopardize the completion of the safety function or degrade other safety systems because of sustained abnormal circuit currents. After receiving NEIs January 14, 1997, letter the NRC held a public meeting with NEI on February 7, 1997, to discuss the questions and comments in NEIs letter. S.J. Collins of the NRC sent a letter dated March 11, 1997, to R.E. Beedle of NEI to further document and clarify the NRCs position on this issue. During the meeting and in the followup letter, the staff stated that the safety issue addressed in IN 92-18 is not a new staff position and is within the scope of the existing fire protection regulation. Consequently, a fire-induced failure - whether direct (a failure to perform a safe-shutdown function) or indirect (a maloperation that affects safe shutdown) - of a motor-operated valve that is required for post-fire safe shutdown must be addressed. The May 30, 1997, letter response from NEI did not change the NRCs original position.
The second NEI letter also questioned whether the potential risk is applicable to fires in areas other than the control room because IN 92-18 discussed a potential failure resulting from a control room fire. The regulatory requirements do not identify any exceptions for fires in other areas of the plant. Consequently, if the mechanical failure of a motor-operated valve, as described in IN 92-18, can be caused by the fire-induced failure of an electrical circuit and prevent safe shutdown, the circuit must be protected.
ASSOCIATED CIRCUITS
The Appendix R requirement to protect circuits from the effects of fire does not exempt any type of circuits and specifically mentions nonsafety circuits to emphasize that all circuits whose fire-induced failure could prevent safe shutdown must be protected from the effects of fire, even nonsafety circuits. The term associated circuit has been used to identify circuits that do not directly perform a safe-shutdown function (e.g., the control circuit cable to a pump suction valve that is normally in the correct position for post-fire shutdown) but can cause a spurious actuation that affects safe shutdown. However, no distinction is made in Appendix R between circuits whose failure could directly affect safe shutdown and circuits whose failure could indirectly affect safe shutdown (e.g., by causing spurious actuations).
The term associated circuit has a different meaning in Regulatory Guide 1.75, Criteria for Independence of Electrical Safety Systems, than for fire protection. Regulatory Guide 1.75 defines associated circuits as non-safety-related circuits that are not physically separated or not electrically isolated from safety-related circuits by acceptable separation distance, safety class structures, barriers, or isolation devices. The Appendix R associated circuit requirement applies to both safety-related and non-safety-related circuits. Post-fire safe-shutdown capability is distinctly different from, and credits the operability of different equipment than, the safety- related equipment required for the emergency shutdown of a nuclear power plant.
In 1981 the NRC issued Generic Letter (GL) 81-12, Fire Protection Rule (45 FR 76602, November 19, 1980), to clarify and provide guidance on alternative and dedicated shutdown systems. Enclosure 2 of GL 81-12 gives the following definition of associated circuits (called associated circuits of concern) with respect to alternative and dedicated shutdown systems:
In evaluating alternative shutdown methods, associated circuits are circuits that could prevent operation or cause maloperation of the alternative train which is used to achieve and maintain hot shutdown condition due to fire induced hot shorts, open circuits or shorts to ground. The NRC provided additional guidance on alternative and dedicated shutdown systems in a followup March 22, 1982, memorandum from R.J. Mattson to Darrell G. Eisenhut (ML050140137). This publicly available memorandum defined associated circuits of concern as follows:
Associated Circuits of Concern are defined as those cables (safety related, non- safety related, Class 1E, and non-Class 1E) that:
1.
Have a physical separation less than that required by Section III.G.2 of Appendix R, and;
2.
Have one of the following:
a.
A common power source with the shutdown equipment (redundant or alternative) and the power source is not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices, or b.
A connection to circuits of equipment whose spurious operation would adversely affect the shutdown capability (e.g., RHR/RCS isolation valves, ADS valves, PORVs, steam generator atmospheric dump valves, instrumentation, steam bypass, etc.), or c.
A common enclosure (e.g., raceway, panel, junction) with the shutdown cables (redundant and alternative) and,
(1) Are not electrically protected by circuit breakers, fuses or similar devices, or
(2) Will allow propagation of the fire into the common enclosure.
As noted above, these definitions of associated circuits were presented in the context of alternative and dedicated shutdown systems and apply to the categories of circuits specified in the definitions. The industry has also used associated to refer to all post-fire safe-shutdown circuits with the potential to cause spurious actuations that could prevent or adversely affect safe shutdown. This broader definition of associated circuits has caused confusion about the protection required for post-fire safe-shutdown circuits.
The Mattson/Eisenhut memorandum of March 1982 and Regulatory Guide 1.189, Fire Protection for Operating Nuclear Power Plants, noted acceptable methods for mitigating spurious actuations, including operator manual actions. However, these methods are only applicable to alternative and dedicated shutdown systems and do not comply with regulations for protection of post-fire safe-shutdown circuits in III.G.2 fire areas (the next revision to Regulatory Guide 1.189 will clarify this position). The NRC has specifically noted in correspondence with licensees that it is essential to remember that these alternative requirements (i.e., III.G.3 and III.L) are not deemed to be equivalent... to III.G.2 protection (ML011150521). The examples of equipment identified in the above definition belong to a category of systems and components that does not include redundant shutdown components and systems.
Redundant safe-shutdown systems are defined in the response to Question 3.8.3 in GL 86-10
as follows: If the system is being used to provide its design function, it generally is considered redundant. If the system is being used in lieu of the preferred system because the redundant components of the preferred system do not meet the separation criteria of paragraph III.G.2, the system is considered an alternative shutdown capability. The GL 81-12 definition of associated circuits specifically refers to both redundant and alternative shutdown trains with respect to circuits associated by common enclosures and common power supplies (2.a and 2.c above), but does not mention redundant systems with respect to circuits associated by spurious actuation (2.b above). The examples given in GL 81-12 for components that could spuriously actuate and affect the safe-shutdown capability are not components of normal redundant safe- shutdown systems (the RHR/RCS isolation valves are in a normal redundant safe-shutdown system, but the post-fire function of these valves is to prevent a loss-of-coolant accident).
These components were included in the definition as possible alternative shutdown components.
The response to Question 5.3.8 of GL 86-10 allows operators to clear multiple high-impedance faults by manual breaker trips governed by written procedures. This question and response apply to a unique set of circuits associated with redundant safe-shutdown systems by virtue of having a common power supply so that multiple high impedance faults can cause a loss of power to the safe-shutdown equipment. The response refers to III.G.2 fire areas and allows operator manual action to mitigate the fault. Some licensees have interpreted this response to imply that the regulations allow them to credit operator manual actions in III.G.2 fire areas for any associated circuit, including circuits whose failure can cause spurious actuations. However, multiple high-impedance faults are not the same as spurious actuation faults. Consequently, this response does not provide a basis for crediting operator manual actions for mitigation of spurious actuations.
The reference to III.G.2 in the GL 86-10 response to Question 5.3.8 recognizes that a high- impendence fault could affect a redundant shutdown train located in a III.G.2 fire area and does not imply that manual actions may be credited in these areas for other types of faults. The questions and responses in GL 86-10 are under the heading Alternative and Dedicated Shutdown Capability. It is not appropriate to apply this guidance for protecting redundant safe- shutdown systems in III.G.2 fire areas of the plant against spurious actuation circuit faults.
The staff position on associated circuits in this RIS is consistent with Section 9.5.1 of the SRP,
which gives separate definitions for associated circuits and associated circuits of concern.
Associated circuits are circuits within a fire area that may be subject to fire damage that can affect or prevent post-fire safe shutdown capability. Associated circuits of concern are cables (safety-related, non-safety-related Class 1E and non-Class 1E) that do not meet fire separation requirements and have 1) a common power source with the safe shutdown equipment, 2) a connection to circuits for equipment whose spurious operation could adversely affect safe shutdown, or 3) a common enclosure with safe shutdown circuits. This section of the SRP also states: Manual actions may not be credited in lieu of providing the required separation of redundant systems or associated circuits located in the same fire area unless alternate, dedicated, or backup shutdown capability is provided.
To summarize, circuits that are associated with the operation of credited redundant post-fire safe-shutdown systems in accordance with III.G.2 such as cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions must be protected in accordance with III.G.2 and operator manual actions may not be credited for III.G.2 redundant train circuits under regulations for plants that have not adopted an NFPA 805 licensing basis (except through staff- approved exemptions for specific manual actions). This staff position was reiterated in a May 16, 2002, NRC letter from J.N. Hannon to A. Marion of NEI (ML021410026). Committee To Review Generic Requirements (CRGR) Meeting Minutes No. 367 (ML021750218) noted that this letter did not contain any new staff positions. Plants that were licensed after January 1,
1979, use operator manual actions without NRC approval may or may not be in compliance with applicable fire protection requirements. Compliance depends on the specific licensing commitments (usually specified in license conditions for these licensees), the change control process, and how the change was justified and analyzed to demonstrate that the operator manual actions are feasible and reliable and thus do not adversely affect the ability to achieve or maintain safe shutdown.
This staff position is also supported by the results of the EPRI/NEI fire testing. The distinction between associated circuits and other safe-shutdown circuits has been used as a basis for addressing hot shorts and spurious actuations that could prevent safe shutdown by crediting operator manual actions to keep redundant safe-shutdown trains free of fire damage. The tests demonstrated that operator manual actions may not be practical or possible for the required mitigation between multiple spurious actuations because there may not be enough time to act.
To clarify this issue for all stakeholders, future NRC documents on post-fire safe-shutdown circuits will not distinguish between associated circuits and other post-fire safe-shutdown circuits, except for alternative and dedicated shutdown systems as defined by GL 81-12. RIS 2004-03, Risk-Informed Approach for Post-Fire Safe-Shutdown Associated Circuit Inspections (ML040620400), has been revised and reissued as RIS 2004-03, Revision 1, Risk-Informed Approach for Post-Fire Safe-Shutdown Circuit Inspections (ML042440791), to eliminate this distinction in inspection guidance. NFPA 805 takes a similar approach, noting that any circuit whose function or absence of malfunction, including circuits whose failure can cause a spurious actuation, is required for safe shutdown and should be protected from fire.
USE OF EMERGENCY CONTROL STATIONS
The NRC has not clearly defined and the industry has not consistently used the term emergency control station. The term was most recently defined in Regulatory Guide 1.189 as a location outside the main control room where actions are taken by operations personnel to manipulate plant systems and controls to achieve safe shutdown of the reactor. This definition does not say whether an emergency control station is a control panel with multiple functions or a single device such as a valve or breaker. The definition also does not say how many emergency control stations are considered reasonable and acceptable to maintain a single train free of fire damage.
Since Appendix R does not require post-fire protection of automatic functioning of systems, manual actions may be credited to maintain a train free of fire damage in accordance with III.G.1, as noted in an NRC memorandum of July 2,1982, from R.J. Mattson to R.H. Vollmer (ML050140106). This publicly available memorandum notes that for fire areas with III.G.1 protection, manual operation of valves, switches and circuit breakers is allowed to operate equipment and isolate systems and is not considered a repair. This allowance of manual operation of individual devices for fire areas with III.G.1 protection has led to the interpretation that individual valves, switches, and circuit breakers can be emergency control stations.
Some licensees have used the interpretation of emergency control station to include individual devices as a basis for substituting operator manual actions for the protection of redundant safe- shutdown trains located in the same fire area. The industry position is that if operator manual actions can restore a post-fire safe-shutdown train to a free-of-fire-damage condition, the criteria for a III.G.1 level of protection have been met; therefore the protection requirements of III.G.2 are not applicable, even where redundant trains are located in the same fire area.
During an internal NRC meeting on May 7, 1986, to discuss SECY-85-306, Appendix R, Post- Fire Safe Shutdown (ML050140123), a staff member expounded the same industry position.
In that meeting, the NRC Office of the Executive Legal Director (now Office of General Counsel) confirmed that the line of reasoning proposed only applies to licensees that have requested and received an exemption, because this position does not meet regulatory requirements. These meeting minutes later became publicly available.
Paragraph III.G.2 states: Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided. Consequently, unless alternative or dedicated shutdown capability is provided, circuits which could cause maloperation or prevent operation of redundant trains for post-fire safe shutdown and are located in the same fire area must be protected in accordance with III.G.2 without the use of emergency control stations of any kind. The regulatory requirement to provide either III.G.2 or III.G.3 protection was noted in the response to Question 5.1.2 of GL 86-10.
This staff position was reiterated in the May 16, 2002, NRC letter from J.N. Hannon to A.
Marion of NEI (ML021410026), and Committee To Review Generic Requirements (CRGR)
Meeting Minutes No. 367 (ML021750218) noted that this letter does not contain any new staff positions.
This RIS does not give a precise definition of emergency control stations, but clarifies that under the current regulations manual actions may not be credited to claim that a III.G.2 fire area provides III.G.1 protection. When redundant trains are located in the same fire area and an alternative shutdown capability is not provided, the protection required by III.G.2, including detection and suppression (where noted), must be provided.