Latest revision as of 13:28, 15 March 2020

Text

SECY-04-0233Atch3 - Draft Regulatory Guide 1136, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire
	ML043370470
Person / Time
Issue date:	12/22/2004
From:	David Diec; NRC/NRR/DRIP/RPRP
To:	;
	Diec D
Shared Package
ML041940507	List: SECY-04-0233, Atch3 - Draft Regulatory Guide 1136, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire;
References
	SECY-04-0233
	Download: ML043370470 (77)
	v • d • e

U.S. NUCLEAR REGULATORY COMMISSION December 2004 OFFICE OF NUCLEAR REGULATORY RESEARCH Division 1 DRAFT REGULATORY GUIDE

Contact:

Erasmia Lois, (301) 415-6560 PREPUBLICATION DRAFT REGULATORY GUIDE (DG) 1136 DEMONSTRATING THE FEASIBILITY AND RELIABILITY OF OPERATOR MANUAL ACTIONS IN RESPONSE TO FIRE A. INTRODUCTION The primary objective of fire protection programs at U.S. nuclear plants is to minimize both the probability of occurrence and the consequences of fire. To meet this objective, fire protection programs for operating nuclear power plants are designed to provide reasonable assurance, through defense-in-depth, that a fire will not prevent the performance of necessary safe shutdown functions, and radioactive releases to the environment in the event of a fire will be minimized.

The U.S. Nuclear Regulatory Commission (NRC) recently revised the fire protection program requirements in Paragraph III.G.2 of Appendix R to Title 10, Part 50, of the Code of Federal Regulations (10 CFR Part 50). At issue was the reliance of many licensees on local operator manual actions (i.e., outside the main control room), rather than on fire barriers or separation (plus fire detection and automatic suppression, where required), to maintain safe shutdown capability. That is, licensee operators either take preventive, local manual actions upon detecting a fire to protect critical safety equipment that might be failed or spuriously affected and rendered unavailable by the fire, or they locally and manually align critical safety equipment to perform its function when needed.

Appendix R, Paragraph III.G.2, originally specified only three methods, any of which was acceptable, to provide reasonable assurance that at least one means of achieving and maintaining safe shutdown conditions will remain available during and after any postulated fire in the plant.

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area.

It has not received staff review or approval and does not represent an official NRC staff position.

Public comments are being solicited on this draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rules and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Comments may be submitted electronically through the NRCs interactive rulemaking Web page at http://www.nrc.gov/what-we-do/regulatory/rulemaking.html.

Copies of comments received may be examined at the NRC Public Document Room, 11555 Rockville Pike, Rockville, MD. Comments will be most helpful if received by .

Requests for single copies of draft or active regulatory guides (which may be reproduced) or for placement on an automatic distribution list for single copies of future draft guides in specific divisions should be made to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Reproduction and Distribution Services Section, or by fax to (301)415-2289; or by email to Distribution@nrc.gov. Electronic copies of this draft regulatory guide are available through the NRCs interactive rulemaking Web page (see above); the NRCs public Web site under Draft Regulatory Guides in the Regulatory Guides document collection of the NRCs Electronic Reading Room at http://www.nrc.gov/reading-rm/doc-collections/;

and the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under

The following three methods were considered acceptable to protect at least one shutdown train during a postulated fire when redundant trains are located in the same fire area:

(1) separation of the redundant system by a passive barrier able to withstand a fire for at least 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months (2) separation of the redundant system by a distance of 20 feet containing no intervening combustible material, together with fire detectors and an automatic fire suppression system (3) separation of the redundant system by a passive barrier able to withstand a fire for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , coupled with fire detectors and an automatic fire suppression system After significant study, the NRC and industry came to believe that, in most cases, operator manual actions are a reasonable alternative to separation requirements and that most operator actions used by licensees for operation of a safe shutdown train during a fire would not involve any safety significant concerns. Thus, the rule was modified to allow a fourth acceptable method in lieu of separation requirements:

(4) Operator manual actions that satisfy the acceptance criteria of Appendix R to 10 CFR Part 50], combined with fire detectors and an automatic fire suppression system installed in the fire area.

It was recognized that certain criteria would have to be met in order to ensure that significant increases in risk did not occur as a result of the generic use of operator manual actions as an alternative to separation. Licensees would have to perform thorough evaluations of the manual actions to ensure that safety was maintained. In particular, it was noted that such actions would have to be shown to be both feasible and reliable. The resulting codified acceptance criteria are included as part of the rule change of Appendix R to 10 CFR Part 50, and are summarized in Section C, below. The purpose of this regulatory guide is to provide acceptable practices that licensees can follow to meet the acceptance criteria. In other words, this guide will provide licensees with an acceptable approach for achieving adequate assurance that operator manual actions are feasible and can reliably be performed under a wide range of plant conditions that an operator might encounter when attempting to perform the actions.

Section B, Discussion, of this guide provides a brief history and discussion of the need for the operator manual actions rule and the development of the associated acceptance criteria.

Section C, Regulatory Position, consists of (1) a summary of the acceptance criteria as documented in Appendix R, Paragraphs III.G.2 and III.P, of 10 CFR Part 50, (2) a discussion of the technical basis and an explanation of the acceptance criteria, and (3) specific guidance for meeting the acceptance criteria.

Section D, Implementation, describes how the NRC staff will use this guide.

This guide has been developed to provide a comprehensive discussion of acceptable activities that can be performed by licensees to meet the acceptance criteria and will provide a basis for NRC fire protection inspectors to evaluate the adequacy of those activities.

2

Regulatory guides are issued to describe to the public methods that the NRC staff considers acceptable for use in implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants. Regulatory guides are not substitutes for regulations, and compliance with regulatory guides is not required. Regulatory guides are issued in draft form to solicit public comment and involve the public in developing the agencys regulatory positions.

Draft regulatory guides have not received complete staff review; therefore, they do not represent official NRC staff positions.

This draft regulatory guide contains information collections that are covered by the requirements of 10 CFR Part 50, which the Office of Management and Budget (OMB) approved under OMB control number 3150-0011. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.

3

B. DISCUSSION

Background

10 CFR 50.48, Fire Protection, requires that each operating power plant must have a fire protection plan that satisfies General Design Criterion (GDC) 3 of Appendix A to 10 CFR Part 50. GDC 3 requires that structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. The specific fire protection requirements for safe shutdown capability of plant are further discussed in Paragraph III.G of Appendix R to 10 CFR Part 50.

The NRC added the more specific 10 CFR 50.48 and Appendix R requirements following a significant fire that occurred in 1975 at the Browns Ferry nuclear power plant. The fire damaged electrical cables for control and instrumentation. Nonetheless, plant operators, were able to safely shut down the unit using alternative backup systems.

In response to the fire, an NRC investigation revealed that the independence of redundant equipment at Browns Ferry was negated by lack of separation between cables of redundant trains of safety equipment. The investigators subsequently recommended that a suitable combination of electrical isolation, physical distance, fire barriers, and sprinkler systems should be applied to maintain the independence of redundant safety equipment.

In response to these recommendations, the NRC worked with reactor licensees for several years to identify and implement necessary plant fire protection improvements. In 1980, NRC promulgated 10 CFR Part 50.48 to establish fire protection requirements and Appendix R to 10 CFR Part 50 for certain generic issues, including Paragraph III.G, fire protection for safe shutdown capability. The requirements for separation of cables and equipment associated with redundant safe shutdown trains were promulgated in Paragraph III.G.2 of the Appendix R fire protection regulations.

Appendix R applies only to those licensees who received operating licenses before January 1, 1979.1 Paragraph III.G.2 of Appendix R requires that cables and equipment of redundant trains of safety systems in the same fire area must be separated by one of the following:

d. a 3-hr fire barrier

e. a horizontal distance of more than 20 ft with no intervening combustibles combined with fire detection and automatic fire suppression

f. a 1-hr fire barrier combined with fire detection and automatic fire suppression 1

Plants licensed after January 1, 1979, are not required to meet Appendix R. These plants were licensed to meet Branch Technical Position APCSB 9.5-1 which contains criteria similar to the Appendix R requirements. Specific licensing basis information for these plants is usually contained in license conditions issued at the time of licensing.

4

Because the rule was to apply to facilities that were already built, the NRC knew that compliance with the strict, prescriptive requirements of Paragraph III.G.2 might be very difficult at some facilities. Accordingly, the NRC included a provision which allowed licensees to submit alternative acceptable methods for protecting redundant equipment to the NRC for review and approval under the exemption process. When implementing the Appendix R requirements, the NRC reviewed and approved exemptions for 60 licensees who provided acceptable alternative methods of compliance in various areas, including numerous exemptions from Paragraph III.G.2.

In the early 1990s, generic problems were discovered in Thermolag2 fire barriers, many of which were used to comply with Paragraph III.G.2 of Appendix R. Licensees were ultimately required to replace Thermolag material with other fire barriers. Several years later, fire protection inspectors began to notice that many licensees had not upgraded or replaced Thermolag fire barrier material used to satisfy the Paragraph III.G.2 criteria (or had not otherwise provided the required separation distance between redundant safety trains).

Some licensees compensated by relying on operator manual actions which had not been reviewed and approved by the NRC via the exemption process. In 2002, the Committee To Review Generic Requirements and the Office of the General Counsel determined that reliance on operator manual actions does not comply with the requirements as given in Appendix R, Paragraph III.G.2, unless approved as an exemption or deviation from the plant fire protection program.

In 2002, the NRC met with nuclear industry licensees and informed them that the use of unapproved manual actions was not in compliance with Paragraph III.G.2. During a meeting on June 20, 2002, the Nuclear Energy Institute stated that operator manual actions were widely used throughout the industry based on industry understanding of past practice and existing NRC guidance. The industry also stated that licensees use of unapproved manual actions had become prevalent even before the concerns arose about Thermolag material. Shortly thereafter, the NRC developed criteria for inspectors to use in assessing the safety significance of violations resulting from unapproved operator manual actions.

The criteria were based on past practice and experience by NRC inspectors when reviewing operator manual actions used to comply with Appendix R, Paragraph III.G.3, on alternate shutdown.3 Licensees were familiar with these criteria through their experience with the NRC inspection process. These criteria were issued in the March 2003 revision of Inspection Procedure, Attachment 71111.05 (Fire Protection), by adding Enclosure 2 (Inspection Criteria for Fire Protection Manual Actions). While unapproved manual actions were still violations, actions meeting the interim criteria were considered to have low safety significance.

Because of the potentially large number of exemption requests and the anticipated low level of risk imposed by the operator manual actions, instead of continuing the staffs previous 2

Thermolag is a brand-name for a particular type of material used to construct fire barriers for protecting electrical conduits and cable trays. In the early 1990s, issues arose regarding the testing and qualification process used for this material. It was determined that barriers made of this material would not provide protection for the required periods of time.

3 Note that the time margin criterion, discussed later in this document, is an extension of part of the March 2003 verification and validation criterion, which required that the licensee [have] adequately evaluated the capability of operators to perform the manual action in the time available before the plant will be placed in an unrecoverable condition.

5

practice (requiring all noncompliant licensees to submit individual exemption requests for staff review to determine if their operator manual actions were acceptable), the staff determined that amending Appendix R to 10 CFR Part 50 would be the most orderly and efficient way to provide an option for licensees to utilize acceptable operator manual actions in lieu of the separation requirements stated in Paragraph III.G.2. In this manner the staff would codify acceptance criteria for licensees to use in evaluating operator manual actions to ensure that the actions were both feasible and reliable. These criteria would maintain safety by ensuring that licensees perform thorough evaluations of the manual actions in a manner that would be equivalent to NRC review and approval of an exemption request.

The staff developed a rulemaking plan and provided it to the Commission on June 17, 2003 (SECY-03-0100). The rule change would revise 10 CFR Part 50, Appendix R, Paragraph III.G.2, to allow licensees to implement acceptable operator manual actions after documenting that they met the regulatory acceptance criteria. NRC fire protection inspectors would verify that the licensees manual actions met the NRCs acceptance criteria.

The Commission approved the rulemaking plan on September 12, 2003, and after several public meetings with industry and receipt of public comments, the NRC staff updated the draft acceptance criteria. The rule was established on [to be determined].

The rule specifies that licensees can use operator manual actions as an additional alternative method for compliance with Paragraph III.G.2 of Appendix R4 if, coincident with fire detection and automatic suppression capability, they satisfy the acceptance criteria. Thus, the NRC determined that implementing any one of the four alternatives of the rule will provide reasonable assurance that at least one method for achieving and maintaining the hot shutdown condition will remain available during and after a postulated fire anywhere in the plant.

4 The requirements in Appendix R are applicable only to licensees who received operating licenses before January 1, 1979. Post-January 1, 1979, licensees who use operator manual actions without NRC approval may or may not be in compliance with applicable fire protection requirements (GDC-3, §50.48[a], applicable license conditions, or current fire protection programs). Compliance for the post-January 1, 1979, plants depends on the specific licensing commitments, the change control process, and how the change was justified and analyzed to show that the operator manual actions are feasible and reliable and thus do not adversely affect the ability to achieve or maintain safe shutdown.

6

Purpose of this Regulatory Guide Most of the acceptance criteria defined in the operator manual action rule are based on reviews of existing work related to the modeling of human behavior in responses to fires and other accident conditions in nuclear power plants. For example, most of the factors listed were derived from reviews of selected Individual Plant Evaluation of External Events (IPEEE) fire analyses and the IPEEE summary report (NUREG-1742 [Ref. 1]), previous reviews of fire-related operational events to identify important factors influencing human performance in fires

[e.g., Refs. 2-4], lessons learned from the development of human reliability analysis (HRA) criteria for use in the ongoing joint NRC/Electric Power Research Institute (EPRI) fire requantification studies, and general human reliability analysis methods such as SPAR-H

[Ref. 5] and ATHEANA [Ref. 6]. Examples of the general factors covered by the acceptance criteria (discussed in detail in Section C) include the availability of indications for the actions, environmental considerations, staffing and training, communications, the availability of necessary equipment, and the availability of procedures.

While the importance of such factors is generally obvious, determining exactly how to evaluate the factors to ensure that the acceptance criteria are met can be somewhat less straightforward. For example, what things should be covered by procedures appropriate for operator manual actions and what type of training is appropriate? One of the main purposes of this regulatory guide is to provide licensees using operator manual actions with the information necessary for them to ensure that they have adequately addressed all of the issues related to the factors listed in the Paragraph above and stipulated in the acceptance criteria.

Furthermore, in developing the acceptance criteria, it was recognized that in addition to addressing the factors listed above, steps would have to be taken to ensure that operator manual actions are both feasible (can be performed in the time available) and reliable (yield the same or compatible results in different experiments or statistical trials, are dependably repeatable). The operator manual action rule stipulates that there must be time-authenticated demonstrations of the manual actions (involving actual execution of the actions to the extent possible) and that there must be sufficient time available to complete the actions before serious equipment damage occurs and affects safe shutdown.

Showing, with a demonstration, that actions that meet the acceptance criteria, can be completed in the available time documents the feasibility of the actions, but additional issues must be considered to show that the actions can be performed reliably under the variety of conditions that could occur during a fire.

For example, factors that licensees may not be able to recreate in the demonstrations could cause further delay under real fire conditions (i.e., the demonstration would likely fall short of actual fire situations). Furthermore, typical and expected variability among individuals and crews could lead to variations in operator performance (human-centered factors). Finally, variations in the characteristics of the fire and related plant conditions could alter the time available for the operator actions. These issues led to the conclusion that in order to ensure that actions could be performed reliably, licensees would have to show in a demonstration that a sufficient amount of extra time would be available for the actions (i.e., a time margin) and that the process for determining the time available for the actions adequately addressed the potential variations in fire characteristics and plant conditions.

7

Through a series of analyses, the NRC determined that a factor of approximately 2 as a time margin would (under certain conditions) provide a high confidence of a low probability of failure for the operator manual actions (see Appendix A for a discussion of the determination of the factor of 2 time margin).5 However, the NRC determined that in order for a 100-percent time margin to be appropriate and help ensure reliable performance of actions, the demonstration of actions needs certain characteristics, as would the approach for determining the time available for actions. In other words, as long as licensees meet the rule criteria for the actions, perform sound demonstrations of the actions at the plant, perform reasonable calculations of the time available for the various actions, and can show that the time available is at least 100 percent greater than the time obtained in the demonstration, then local operator manual actions in response to fire can be reasonably assumed to be both feasible and reliable. Thus, another important purpose of this regulatory guide is to provide guidance to licensees on how to adequately perform the demonstration of the actions (what should be covered) and on what to consider in calculating the time available.

5 The factor of 2 represents a consensus minimum based on the expert opinion elicitation discussed in Appendix A. There may be situations in which a value greater than 2 is appropriate (e.g., where the demonstration falls short of the guidance provided in this regulatory guide).

8

Scope of this Regulatory Guide This regulatory guide provides guidance to aid licensees in meeting the acceptance criteria for local operator manual actions in response to fire stipulated in 10 CFR Part 50, Appendix R, Paragraph III.P in conjunction with Paragraph III.G.2(c-1). While the guide strives to provide enough information and guidance to allow licensees to be confident that their activities will meet the acceptance criteria for operator manual actions, it does not contain everything that might be known about how to meet the criteria. The guide focuses on unique aspects of the hazard involved (fire) and the potentially unique characteristics of subsequent manual actions during the operators response. Hence, for instance, it is not the intent of this regulatory guide to specify in detail what constitutes adequate procedures. Many other guidance documents and an evolving consensus address this issue. Additionally, each licensee has an already well-established program for identifying, writing, reviewing, issuing, and changing procedures. What is provided here is guidance on the unique aspects of fire and operator manual actions.

Finally, with respect to the types of local operator manual actions that licensees have been crediting, it was determined that there are basically two general types of actions:

(1) preventive or event-based actions and (2) reactive or symptom-based actions. Preventive actions are those actions which, upon entering a fire plan/procedure, the licensee expects (without needing further diagnosis) to take to prevent spurious actuations or other fire-related failures so that adequate equipment is protected and can be used to reach safe shutdown. For these actions, it is generally assumed that once the fire has been detected and located, per procedure, the control room crew will direct personnel to execute a number of actions that will prevent fire-related damage to equipment and thereby ensure the availability of the equipment to achieve its function during the given fire scenario.

Also by procedure, the only criterion for initiating these actions is the presence of the fire itself (event-based). Reactive or symptom-based actions, on the other hand, are actions taken by a licensee during a fire in response to an undesired change in plant condition. In reactive actions the plant staff detects the undesired change and diagnoses the correct actions to be taken. Thus, with reactive actions, the plant staff responds to indications of changing equipment conditions caused by the fire, and then takes the steps necessary to ensure that the equipment will function when needed (e.g., manually reopen a spuriously closed valve). The plant staff does not initiate the actions until the procedure indicates that, given the relevant indications, the actions must be performed.

It should be noted that the acceptance criteria for the rule apply to both types of actions and, therefore, both types of actions are covered by this regulatory guide.

However, in some cases, the differences in the nature of the actions prompt somewhat different considerations. These are addressed in the guidance.

9

C. REGULATORY POSITION This section contains the NRCs current expectations, criteria, and guidance for determining that operator manual actions in response to fire are acceptable under Appendix R, Paragraph III.G.2. Using this guidance to meet these criteria provides an acceptable approach for achieving adequate assurance that operator manual actions are feasible and can be performed reliably under a wide range of plant conditions that the operator might encounter when attempting to perform the actions.

Section C.1 summarizes the rule. Section C.2 provides additional discussion about the NRCs expectations in meeting the rule as well as justification for the criteria imposed by the rule. Section C.3 provides guidance on acceptable approaches for meeting the rule.

C.1 Rule Acceptance Criteria Operator manual actions are those actions taken by operators to perform manipulation of components and equipment from outside the main control room to achieve and maintain post-fire safe shutdown. These actions are performed locally by operators, typically at the equipment. Operator manual actions comprise an integrated set of actions needed to ensure that a redundant train of systems necessary to achieve and maintain hot shutdown conditions located within the same area as the fire and outside the primary containment is free of fire damage. A licensee relying on operator manual actions for compliance with Appendix R, Paragraph III.G.2, must have fire detectors and an automatic fire suppression system installed in the fire area.

Appendix R, Paragraph III.G.2(c)(1), provides a means of compliance using operator manual actions as long as the operator manual actions satisfy the acceptance criteria in Paragraph III.P. Those acceptance criteria include a number of requirements for an acceptable operator manual action. The requirements are summarized below. The italicized words are discussed in Sections C.2 and C.3 of this regulatory guide:

An analysis should be prepared for operator actions to evaluate the actions feasibility and reliability. The analysis should contain a postulated fire time line showing sufficient time to travel to action locations and perform the actions.

The time line should extend from the time of initial fire detection until the licensee is able achieve and maintain hot shutdown.

The time line should include a time margin that accounts for all variables, including (a) differences between the conditions present during the demonstration and actual conditions and (b) human performance uncertainties.

It should be shown that the actions can be performed under the expected environmental conditions that will be encountered.

10

The functionality of equipment and cables needed to achieve and maintain hot shutdown cannot be adversely affected by the fire; the equipment is to be operable and readily accessible consistent with the analysis. Besides the structures, systems, and components (SSCs) needed to directly perform the desired functions, the necessary equipment also includes:

< indications necessary to show the need for the manual actions, enable their performance, and verify their successful accomplishment

< communications as necessary

< portable equipment as necessary

< life support equipment as necessary.

There are to be plant procedures covering the actions and training on the procedures.

The number of personnel (staffing), exclusive of fire brigade members, needed to perform the actions are to be on site at all times.

There are to be time-authenticated demonstrations of the manual actions, consisting of actual executions of the relevant actions to the extent possible.

C.2 Discussion and Technical Bases for Acceptance Criteria The above acceptance criteria for III.G.2 operator manual actions satisfy three purposes:

(1) Provide a means by which the NRC can provide reasonable assurance that the actions are feasible and can be performed reliably to protect the public health and safety.

(2) Permit both the licensees and the NRC to establish consistency in what operator manual actions will be allowed.

(3) Provide the parameters under which both licensee evaluations and NRC inspections can be conducted in a thorough manner.

The overall requirement is that the actions must be shown to be both feasible and reliable. By feasible, the NRC means that the actions must be shown to be capable of being accomplished. However, this is not sufficient. The NRC also requires licensees to show that the actions are reliable. That is, the actions must yield the same or compatible results in different experiments or statistical trials (be dependably repeatable). It is the NRCs intent that there must be a high confidence of low probability of failure associated with the operator manual actions. Meeting the acceptance criteria will prove that the actions can be both successfully accomplished and accomplished repeatedly by all personnel who perform the actions under a variety of conceivable fire and plant conditions.

The following subsections elaborate on the basis for each of the acceptance criteria.

Section C.3 of this regulatory guide provides guidance for acceptably meeting each criterion.

11

C.2.1 Time Line Showing Sufficient Time To Perform the Actions This criterion addresses the need for a fire time line extending to the point where hot shutdown cannot only be achieved, but can also be maintained. This criterion is based upon regulations requiring that a nuclear power plant always be maintained in a safe condition, even following accidents, consistent with the additional restriction that a hot shutdown state be reached and maintained, as per 10 CFR Part 50, Appendix R, Section III.G. 10 CFR Part 50, Section 72, Paragraph (b)(3)(v)(A), addresses any event or condition that at the time of discovery could have prevented the fulfillment of the safety function of structures or systems that are needed to shut down the reactor and maintain it in a safe shutdown condition. Implicit in these requirements is the analysis of the plants thermal-hydraulic response, including the time needed to fulfill the listed safety functions.

This criterion is also an extension of past NRC practice in approving exemptions to III.G.2. Previous NRC staff reviews and approvals of post-fire operator manual actions included the consideration of whether there was adequate time for the operator manual actions, based on the progression of the fire and the thermal-hydraulic conditions of the plant.

Additionally, this criterion is consistent with current inspection criteria for fire protection manual actions under the verification and validation criterion, ensuring that licensees have adequately evaluated the capability of operators to perform the manual actions in the time available.

C.2.2 Time Margin This criterion addresses the reliability of the operator manual actions. The time margin is a surrogate for addressing two sources of uncertainty inherent in the time line analysis:

(1) Factors that the licensee likely may be unable to recreate in the demonstrations that could cause further delay in performing the operator manual actions under real fire conditions (i.e., where the demonstration would likely fall short of actual fire situations). For example:

The need to recover from/respond to unexpected difficulties or random problems (i.e., not related to the fire), such as problems with instruments or other equipment (e.g., a stiff handwheel or difficulty with communication devices).

Environmental and other effects not easily simulated in the demonstration, such as radiation; smoke and toxic gas effects; increased noise levels from the fire and the operation of suppression equipment and from personnel shouting instructions; water on the floor; fire hoses in the way; or too many people getting in each others way.

12

Limitations of the demonstration to account for (or envelop) all possible fire locations where the actions are needed and for all the different travel paths and distances to where the actions are to be performed. A similar limitation concern is that the location and activities of needed plant personnel when the fire starts could delay their participation in executing the operator manual actions (e.g., they may be on the opposite side of the plant and may need to restore certain equipment before being able to participate).

Inability to execute relevant actions during the demonstration because of normal plant status and/or safety considerations while at power (e.g., operators cannot actually operate the valve using the handwheel, but can only simulate doing so).

(2) Typical and expected variability among individuals and crews leading to variations in operator performance (i.e., human-centered factors).

For example:

physical size and strength differences

cognitive differences (e.g., memory ability, cognitive style differences)

different emotional responses to the fire/smoke

different responses to wearing self-contained breathing apparatuses (SCBAs) to accomplish a task (i.e., some people may be less comfortable with a mask over their face than other people)

differences in individual sensitivities to real-time pressure

differences in team characteristics and dynamics Further, ANSI/ANS-58.8-1994 [Ref. 7] on time response design criteria for safety-related operator actions established time response criteria [that] adopt time intervals to ensure that adequate safety margins are applied to system and plant design and safety evaluations. The standard recognized that in actual practice, the operator should be capable of reacting to design-basis events correctly and performing the safety-related operator actions in less time than specified by the criteria in this standard. This is the essence of the role of the time margin concept in ensuring the reliability of operator manual actions.

To account for the above variables and uncertainty, it is prudent to establish a time margin on the postulated fire time line. This ensures that the operator manual actions can be performed reliably under a wide range of conceivable conditions by different plant crews.

13

C.2.3 Environmental Conditions This criterion addresses the issue that environmental conditions may affect personnels mental or physical performance of operator manual actions to the extent that, if the actions are not entirely precluded, they are severely degraded. The environmental conditions expected when performing the manual actions therefore need to be considered in both the locations where the operator manual actions will be performed and along the access and egress routes.

Personnel performance can be degraded, if not precluded, by the inability to reach the location as well as the inability to perform the action in the conditions existing at the location. The environment along the egress route after completion of the operator manual action should also be considered to ensure personnel health and safety throughout.

Environmental factors are those factors that could negatively impact the ability to perform the manual actions, including radiation, lighting, temperature, humidity (for instance, water on the floor from sprinkler operation), smoke, toxic gases, and noise.

That these factors must be considered follows from such requirements as 10 CFR 20.1201 governing radiation exposure in responding to fires. As stated in 10 CFR Part 50, Appendix A, anticipated operational occurrences mean those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit Fires fall into this category and, therefore, are subject to regulations governing normal operation, such as 10 CFR 20.1201. Similarly, ANSI/ANS-51.1 [Ref. 8] and its counterpart, ANSI/ANS-52.1 [Ref. 9], consider that a fire limited to one fire area (corresponding to plant condition 2) occurs with a frequency of at least once per year. An event in this frequency range is considered part of normal operation.

Further, NUREG-0800, Section 9.5.1 [Ref. 10], states that the strategies for fighting fires in all safety-related areas and areas presenting a hazard to safety-related equipment should designate potential radiological and toxic hazards in fire zones; ventilation system operation that ensures desired plant air distribution when the ventilation flow is modified for fire containment or smoke clearing operation; most favorable direction from which to attack a fire in each area in view of the ventilation direction, access hallways, stairs, and doors that are most likely to be free of fire, and the best station or elevation for fighting the fire.

Emergency lighting is addressed in Appendix R,Section III.J, or by the licensees approved fire protection program, as well as in NUREG-800, Section 9.5.1 [Ref. 10], where it is stated that [l]ighting [is] vital to safe shutdown and emergency response in the event of a fire.

14

Studies such as NUREG/CR-5680 [Ref. 11] attest to the impact on human performance of such variables as heat and cold, noise, lighting, and vibration. NUREG-1764 [Ref. 12], cited in NUREG-800, Section 18.0 [Ref. 10], notes that [q]ualitative assessment [of the human actions] addresses the environmental challenges that could negatively affect task performance Experimental studies, such as the ones cited as references 22 and 23, provide further evidence of the effects of heat and cold stresses on the performance of various physical and cognitive human tasks. NUREG-0711 [Ref. 13], also cited in NUREG-800, Section 18.0 [Ref. 10], states that [human-system interface] characteristics should support human performance under the full range of environmental conditions, e.g., normal as well as credible extreme conditions Accordingly, it needs to be ensured that such habitability issues (including those that may be unique to fire conditions such as additional heat concerns, smoke, toxic gases, effects of ventilation shutdown, the possibility of having to pass through areas and/or manipulate electrical equipment with water on the floor, etc.) will not adversely impact the operator manual actions in the locations where the actions are to be taken and along access and egress routes. Experimental studies, such as those cited in references 24 and 25, provide further evidence of the effects of carbon dioxide, for example, on various measures of human performance.

The importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under the environmental considerations criterion, ensuring that licensees have addressed radiation levels per 10 CFR Part 20, lighting, temperature and humidity, and fire effects such as smoke and toxic gases.

C.2.4 Equipment Functionality (Operability) and Accessibility This criterion addresses the need to ensure that the equipment that is necessary to achieve and maintain post-fire hot shutdown is accessible, operable, and not damaged or otherwise adversely affected by the fire and its effects (such as heat, smoke, water, combustible products, spurious actuation). Plant SSCs are the means by which hot shutdown conditions are achieved and maintained. Systems and components often require active intervention, through either automatic or manual means, to perform their function. Hence, equipment that may involve operator manual actions to perform its safe shutdown function needs to be identified and be both accessible and operable.

The necessary equipment should be based on the general design criteria for nuclear power plants from Appendix A to 10 CFR Part 50. These general design criteria establish minimum requirements for water-cooled nuclear power plants in terms of the SSCs important to safety (i.e., SSCs that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public). To provide this level of assurance, a nuclear power plant must always be maintained in a safe condition, even following accidents, consistent with the additional restriction that a hot shutdown state must be reached and maintained, as per 10 CFR Part 50, Appendix R, Section III.G. SSCs that provide this level of reasonable assurance are listed in 10 CFR Part 50, Appendix A, and 10 CFR 50.72. It is intended that this equipment must also include fire detection and suppression equipment to the extent the equipment contributes to the assurance of safe shutdown under fire conditions.

15

Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire [Ref. 14], identifies the type of functionality issue that should be considered. For example, the bypassing of thermal overload protection devices for motor-operated valves (MOVs) (discussed in Regulatory Guide 1.106, Thermal Overload Protection for Electric Motors on MOVs [Ref. 15]) could jeopardize completion of the safety function or degrade other safety systems due to sustained abnormal circuit currents that can arise from fire-induced hot shorts. Even if the overload protection devices are not bypassed, hot shorts can cause loss of power to MOVs by tripping the devices.

If an operator manual action involves the manual manipulation of a powered MOV, such fire-induced damage (e.g., over-torquing an MOV) could render manipulation physically impossible. Other equipment, such as even manual valves, could have fire-susceptible parts such as valve packing. Therefore, if equipment (including cabling and power and cooling to support the equipment) that could be affected by the fire or its subsequent effects is planned for use via operator manual actions, the licensee should determine that the operability and performance of that equipment will not be adversely affected and the function can be successfully accomplished by manual actions.

Accessibility to these systems and equipment is necessary to enable personnel to perform the operator manual actions on the components. Not only must the personnel be able to find and reach the locations of the components, but they also must be able to manipulate the components.

The importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under the accessibility criterion and other criteria, ensuring, for instance, that the necessary equipment is available and protected from fire effects.

C.2.5 Available Indications Besides the SSCs needed to directly perform the desired functions, the equipment must also include diagnostic indications relevant to the desired operator manual actions.

These indications are needed to (a) enable the operators to determine which manual actions are appropriate for the fire scenario, (b) direct the personnel performing the manual actions, and (c) provide feedback to the operators to verify that the manual actions have had their expected results. These indications include indications necessary to detect and diagnose the location of the fire. As necessary equipment, indications should meet the operability and accessibility requirements provided in the proposed rule.

This indication criterion extends to III.G.2 the guidance in Generic Letter (GL) 81-12 regarding manual actions for associated circuit resolution for alternative shutdown (Paragraph III.G.3) [Ref. 16]. For circuits of equipment and/or components whose spurious operation would affect the capability to safely shutdown provide a means to detect spurious operations and then [provide] procedures to defeat the maloperation of equipment (i.e., closure of the block valve if [a power-operated relief valve (PORV)] spuriously operates, opening of the breakers to remove spurious operation of safety injection).

16

Section IX of Attachment I to IN 84-09 [Ref. 17] lists the minimum monitoring capability to achieve safe shutdown: (1) diagnostic instrumentation for shutdown systems; (2) level indication for all tanks used; (3) pressurizer (PWR) or reactor water (BWR) level and pressure; (4) reactor coolant hot leg temperatures, or core exit thermocouples, and cold leg temperatures (PWR); (5) steam generator pressure and level (wide range, PWR); (6) source range flux monitor (PWR); (7) suppression pool level and temperature (BWR); (8) emergency or isolation condenser level (BWR). However, annunciators, indicating lights, pressure gages, and flow indicators are among the instruments typically not protected under the guidance in IN 84-09 [Ref. 17], although these instruments may be needed to detect that a maloperation or other trigger for action has occurred. IN 84-09 [Ref. 17] does not exclude other alternative methods of compliance. A licensee may employ alternative instrumentation to comply with the regulation (e.g., boron concentration indication).

The importance of providing more indication than recommended in IN 84-09 [Ref. 17] was recognized when the NRC updated its inspection guidance in March 2003 for operator manual actions. Determine whether adequate diagnostic instrumentation,6 unaffected by the postulated fire, is provided for the operator to detect the specific spurious operation that occurred. Suppose the licensee has protected only the instrumentation needed to conform to IN 84-09 [Ref.17]. If due to lack of circuit protection, the licensee has to respond to a maloperation (e.g., decreasing pressurizer level), additional diagnostic instrumentation must be sufficient for the operator to direct the correct response. For example, the decreasing pressurizer level could be due to spurious closure of an in-line MOV. If so, which one?

The licensees fire protection safe shutdown analysis should consider the means to determine which one (i.e., additional indication).

The importance of available indication is also covered in such documents as NUREG-1764

[Ref. 12] and NUREG-0711 [Ref. 13], which are cited in NUREG-800, Section 18.0 [Ref. 10].

NUREG-1764 [Ref. 12] states that a description should be provided for parameters that indicate that the high-level function is available operating[, and] achieving its purpose

[C]onsider not only the personnel role of initiating manual actions but also responsibilities concerning automatic functions, including monitoring the status of automatic functions to detect system failures NUREG-0711 [Ref. 13] discusses the need to provide evidence that the integrated system adequately supports plant personnel in the safe operation of the plant The objectives should be to validate that, for each human function, the design provides adequate alerting, information, control, and feedback capability for human functions to be performed under normal plant evolutions [and] transients.

6 Defined in GL 86-10 [Ref. 18] as instrumentation beyond that previously identified in IN 84-09 [Ref. 17]

needed to ensure proper actuation and functioning of safe shutdown and support equipment (e.g., flow rate, pump discharge pressure) 17

C.2.6 Communications Besides the SSCs needed to directly perform the desired functions, there must also be communications equipment. Such equipment is essential to providing feedback between operators in and personnel outside the main control room to ensure any activities requiring coordination between them are clearly understood and correctly accomplished.

The unpredictability of fires can force staff to deviate from planned activities (hence, the need for constant, effective communications). Communications permit the performance of sequential operator manual actions (where one set of actions must be completed before another set can be started) and provide verification that procedural steps have been accomplished, especially those that must be conducted at remote locations. Therefore, communications should be continuously available and meet the operability and accessibility requirements provided in the proposed rule.

The need to emphasize communications equipment is cited, for instance, in NUREG-0800, Section 9.5.1 [Ref. 10]: two-way voice communication [is] vital to safe shutdown and emergency response in the event of a fire. Suitable communication devices should be provided Further, NUREG-0800, Section 18.0 [Ref. 10], references NUREG-1764 [Ref. 12],

NUREG-0711 [Ref. 13], and NUREG-0700 [Ref. 19], which state that qualitative assessment [of the human actions] addresses the level of communication needed to perform the task When developing functional requirements for monitoring and control capabilities that may be provided either in the control room or locally in the plant, the following should be considered: communication, coordination workload [, and] feedback. Examples cited include loudspeaker coverage page stations personal page devices suitable for high-noise or remote areas [and] communication capability for personnel wearing protective clothing [such as] voice communication with masks Experimental studies, such as the ones cited in Reference 26, provide further evidence of the effect of respirators on human task performance.

The importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under the communications criterion, which ensure that the communications capability will be protected from the effects of a postulated fire.

18

C.2.7 Portable Equipment Besides the SSCs needed to directly perform the desired functions, the necessary equipment must also include portable equipment relevant to the operator manual actions.

Portable equipment, especially unique or special tools (such as keys to open locked areas or manipulate locked controls, flashlights, ladders to reach high places, torque devices to turn valve handwheels, and electrical breaker rackout tools), can be essential to access and manipulate SSCs in the successful accomplishment of operator manual actions. Hence, these are an extension of the equipment needed to achieve and maintain safe shutdown. It is NRCs intent that this equipment must be staged so that its location is known and constant, ensuring that the equipment is readily available. Access to this equipment must be unimpeded so that it will not unduly delay the operator manual actions, and this equipment needs to be in working order (operable).

The importance of this criterion is recognized in current inspection criteria for fire protection manual actions under the special tools criterion ensuring that such equipment is dedicated and available.

C.2.8 Life Support Equipment Besides the SSCs needed to directly perform the desired functions, the necessary equipment must also include life support equipment relevant to the operator manual actions such as protective clothing, gloves, and SCBAs. Such equipment may need to be worn to permit access to and egress from locations where the operator manual actions must be performed since the routes could be negatively affected by fire effects, such as smoke, that propagate beyond the immediate fire area. Hence, this equipment is an extension of the equipment needed to achieve and maintain safe shutdown. Access to this equipment must be unimpeded so that it will not unduly delay the operator manual actions, and this equipment needs to be in working order (e.g., an SCBA must provide a tight seal against any smoke ingress, be in working order when donned, and not malfunction while being used).

NUREG-0800, Section 18.0 [Ref. 10], references NUREG-0700 [Ref. 19], which supports the need to consider this equipment: [t]he operation of controls should be compatible with the use of protective clothing, if it may be required The likelihood of operators requiring protection is greater outside the control room.

Further, current inspection guidance treats this equipment as subject to the special tools criterion cited previously.

19

C.2.9 Procedures and Training This criterion reflects the need for written plant procedures and associated training for the operator manual actions. The role of written plant procedures in the successful performance of operator manual actions is threefold: (1) they assist the operators in correctly diagnosing the type of plant event that the fire may trigger (usually in conjunction with indications), thereby permitting the operators to select the appropriate operator manual actions; (2) they tell the operators which manual actions are appropriate to place and maintain the plant in a stable, hot shutdown condition; and (3) they minimize the potential confusion that can arise from fire-induced conflicting signals, including spurious actuations, thereby minimizing the likelihood of personnel error during the operator manual actions.

Written procedures contain the steps of what needs to be done, how and where it should be done, and what tools or equipment should be used.

Training on these procedures serves three supporting functions: (1) it establishes familiarity with the procedures, equipment, and potential (simulated) conditions in an actual event; (2) it provides the level of knowledge and understanding necessary for the personnel performing the operator manual actions to be well-prepared to handle departures from the expected sequence of events; and (3) it gives personnel the opportunity to practice their response without exposure to adverse conditions, thereby enhancing confidence that they can reliably perform their duties in an actual event.

Appendix B to 10 CFR Part 50 requires quality assurance procedures for nuclear power plants. Activities affecting quality shall be prescribed by documented instructions [or]

procedures of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings. Instructions [or]

procedures shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.

Appendix A to Regulatory Guide 1.33 [Ref. 20] on quality assurance programs for power operation describes a method acceptable to the NRC staff for complying with these Appendix B requirements. Appendix A of the regulatory guide identifies the following as typical safety-related activities that should be covered by written procedures: (1) the plant fire protection program (administrative procedures); (2) mode change from plant shutdown to hot standby and operation at hot standby (general plant operating procedures); (3) changing modes of operation for a wide range of safety-related PWR and BWR systems (specific plant operating procedures); and (4) plant fires (procedures for combating emergencies and other significant events). In addition, there should be procedures for abnormal, off-normal, and alarm conditions, with each safety-related annunciator having its own written procedure. In conformance with the above, it is NRCs intent that the procedures covering operator manual actions in response to fire must be controlled procedures like those covering other plant operations.

20

The training portion of this criterion is an extension of the requirement of 10 CFR 50.120 that nuclear power plant personnel be trained and qualified. Each nuclear power plant licensee shall establish, implement, and maintain a training program derived from a systems approach to training as defined in 10 CFR 55.4 [Operators Licenses Definitions]

The training program must incorporate the instructional requirements necessary to provide qualified personnel to operate and maintain the facility in a safe manner in all modes of operation.

Some fire brigade training expectations from Appendix R, Paragraph III.I, have been extrapolated to apply to operator manual actions. Just as fire brigade training is to consist of an initial classroom instruction program followed by periodic classroom instruction, fire fighting practice, and fire drills, the personnel performing operator manual actions (operators, maintenance staff, electrical technicians) need to undergo parallel training for their individual responsibilities. The instruction is to be provided by qualified individuals who are knowledgeable, experienced, and suitably trained. Instruction is expected to be provided to all personnel who perform operator manual actions. Practice sessions are expected to be held for each operating crew to provide the crews with experience in performing the operator manual actions under conditions as closely approximating actual fire situations as reasonably achievable (see the Demonstration criterion).

Analogous to the fire brigade drills, drills for operator manual actions are expected to include assessment of alarm effectiveness; operator time response; use of portable equipment, including communication devices and life support; each operators knowledge of his or her role; and conformance with established plant procedures.

The importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under both the procedures and the training criteria. Under these criteria, inspectors are to (a) ensure that operators do not have to study procedural guidance at length to operate the equipment in the manner intended, and (b) ensure that training on the manual actions and the procedure is adequate and current.

C.2.10 Staffing The intent of the staffing criterion is that qualified personnel be on site at all times so that hot shutdown conditions can be achieved and maintained in the event of a fire.

Individuals dedicated to the performance of operator manual actions may not have collateral duties, such as fire fighting or control room operation, during the evolution of the fire scenario in that they must be dedicated to the performance of operator manual actions during a fire situation. Therefore, all operating shift staffing levels must include enough dedicated personnel to perform any operator manual actions that could arise since any fire could occur at any time.

NUREG-0800, Section 18.0 [Ref. 10], cites NUREG-1764 [Ref.12] and NUREG-0711

[Ref.13], which in turn provide general expectations with regard to staffing. NUREG-1764

[Ref. 12] states that [s]taffing levels should be evaluated based on [r]equired actions [t]he physical configuration of the work environment [a]vailability of personnel considering other activities that may be ongoing and for other possible responsibilities outside the control room NUREG-0711 [Ref. 13] states that [t]he basis for staffing and qualifications should 21

address the knowledge, skills, and abilities needed for personnel tasks availability of personnel crew coordination concerns that are identified during the development of training. Also, validate that the shift staffing, assignment of tasks to crew members, and crew coordination (both within the control room as well as between the control room and local control stations and support centers) is acceptable. This should include validation of nominal shift levels, minimal shift levels, and shift turnover In addition, address personnel response time and workload the job requirements that result from the sum of all tasks allocated to each individual both inside and outside the control room the requirements for coordinated activities between individuals [and] the interaction with auxiliary operators

[V]alidate that specific personnel tasks can be accomplished within time and performance criteria, with a high degree of operating crew situation awareness, and with acceptable workload levels that provide a balance between a minimum level of vigilance and operator burden The subject of staffing has also been addressed many times before with regard to NRCs intent in this area. For instance, in Information Notice 91-77 [Ref. 21] it is stated that

[t]he number of staff on each shift is expected to be sufficient to accomplish all necessary actions to ensure a safe shutdown of the reactor following an event Licensees may wish to carefully review actual staffing needs to ensure that sufficient personnel are available to adequately respond to all events. This is especially relevant to the backshift when staffing levels are usually at a minimum This criterion on staffing is an extension to Appendix R, Paragraph III.G.2, of Paragraph III.L for Alternative or Dedicated Shutdown Capability (Paragraph III.G.3). The number of operating shift personnel, exclusive of fire brigade members, required to operate the equipment and systems comprising the means to achieve and maintain the hot standby or hot shutdown conditions shall be on site at all times. The NRC contends that, if the fire brigade could be expected to perform actions other than those solely involved with fire fighting, the potential exists for interfering with either their firefighting activities or the operator manual action, such that successful performance of one or the other, or both, could be impaired. Although it may seem redundant to require an operator, independent of any firefighting responsibility, to perform an action that could simply be performed by a member of the fire brigade, one can conceive of situations where this dual responsibility could be a problem. Hence the requirement that operators be independent of the fire brigade duties and even control room duties since operator manual actions take place outside the control room.

Further, the importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under the staffing criterion to determine whether adequate qualified personnel are available to perform the operator manual actions.

22

C.2.11 Demonstrations This criterion provides a degree of overall assurance that the operator manual actions indeed can be performed in the analyzed time period for a range of conceivable fire situations (i.e., the actions are feasible). This criterion provides a test (by at least one randomly selected crew initially and by the rest of the crews with a frequency consistent with that established by the licensee in compliance with 10 CFR 50.120) that all the other criteria have been and continue to be met. As a result, the desired operator manual actions are shown to be accomplishable within the constraints, including the analyzed time, using the minimum staffing levels, with the expected operable equipment, under the expected environmental conditions, using the procedures and training provided for the manual actions.

This criterion and the time margin criterion complement each other. The demonstration serves as a benchmark against which the time margin, which more directly addresses the reliability concept, can be developed. As with training, the demonstration provides the crew with practical experience. All elements of the fire scenario, including the use of equipment and procedures, adequacy of staffing levels, response to indications, etc., must be integrated into the demonstration to develop this benchmark. In this way, any complexities, such as the number of operator manual actions and their dependence upon one another, and the handling of multiple procedures [emergency operating procedures (EOPs), as well as fire plans and procedures] at the same time, are evaluated and identified for appropriate consideration in the development of the time margin. Failure to show in a demonstration that the operator manual actions can be accomplished in a manner that is consistent with the analysis indicates that the manual actions are not feasible. In such cases, the licensee could try modifying the actions (e.g., different access/egress routes, redeployment of critical equipment by placing it at the location where the manual action will be performed vs. carrying it to that location, dividing the activities among a greater number of staff, etc.), such that a new demonstration satisfies the analysis. Alternatively, the licensee could conclude that operator manual actions are not feasible and, therefore, opt for compliance via Paragraph III.G.2(a), (b), or (c).

Licensees may determine that operator manual actions are feasible after an initial demonstration has been successfully accomplished. Subsequent demonstrations should be performed eventually by all the crews at a frequency consistent with that established by licensees for their plant training programs in compliance with 10 CFR 50.120. Subsequent periodic demonstrations provide valuable training and experience for licensee personnel and also serve to verify that plant configuration and conditions (access, egress, etc.) have not changed over time so that the manual actions may no longer be accomplished in accordance with the required fire time line analysis. If a licensee is unable to successfully complete a subsequent demonstration, the licensee must take prompt corrective action to modify the manual action or the plant conditions so that the demonstration is successful. This agrees with Criterion XVI of Appendix B to 10 CFR Part 50, which requires corrective action measures for conditions averse to quality. If a licensee is unable to complete a successful demonstration, the licensee must take prompt actions to otherwise comply with Paragraph III.G of Appendix R.

23

The intent of this criterion is to provide reasonable assurance that any crew that might be on duty at the time of a fire can reliably perform the operator manual actions, allowing for variability and uncertainties. The NRC considers it sufficient that an established crew illustrate the ability to perform the operator manual actions through time-authenticated demonstrations of the relevant actions, the results of which are documented. Such demonstrations would become part of periodic operator training. To reasonably ensure that all crews (i.e., the ones only receiving training but not performing the demonstration during a particular training cycle) could reliably perform the actions, the time margin criterion would be applied to account for variability that exists among crews as well as for likely shortcomings of the demonstration as discussed previously. In this way, the demonstration by the established crew, with an appropriate time margin, would reasonably assure that any of the crews could likewise perform the operator manual actions under a wide range of fire situations.

The use of such demonstrations is supported, for instance, by NUREG-1764 [Ref.12]

and NUREG-0711 [Ref. 13], cited in NUREG-0800, Section 18.0 [Ref. 10]. NUREG-1764 [Ref. 12]

states that [a] walkthrough of the human actions under realistic conditions should be performed The scenario used should include any complicating factors that are expected to affect the crews[] ability to perform the human actions NUREG-0711 [Ref. 13] states that an integrated system design (i.e., hardware, software, and personnel elements) is evaluated using performance-based tests Plant personnel should perform operational events using a simulator or other suitable representation of the system to determine its adequacy to support safety operations For this criterion, some fire brigade training expectations from Appendix R, Paragraph III.I, have been extrapolated to apply to operator manual actions. Just as fire brigade training includes fire fighting practice and fire drills, the personnel performing operator manual actions must participate in a similar program of practice and drills for their actions under fire conditions. Practice sessions shall be held for each shift [crew] to provide them with experience in [performing the operator manual actions] under strenuous conditions encountered [during the fire]. These practice sessions shall be provided at least once per year for each [operating crew][and] performed in the plant so that the [crew] can practice as a team. It is impractical for all the operating crews, unlike the plant fire brigades, to perform the operator manual action demonstrations within a 12-month training cycle. As an alternative, feasibility will be shown through time-authenticated demonstrations utilizing an established crew at a frequency that is consistent with the licensees training program in compliance with 10 CFR 50.120 until all the crews eventually demonstrate all the credited actions. However, since only one crew actually performs the demonstration within a training cycle, additional considerations are needed to provide reasonable assurance that the credited operator manual actions can be performed reliably (i.e., repeated successfully by any crew at any time). Also, the demonstration cannot simulate all the conditions that might be encountered in an actual situation, making it necessary to extrapolate the demonstration to the expected fire conditions. These concerns are addressed via the time margin criterion.

Additionally, the importance of this criterion is also recognized in current inspection criteria for fire protection manual actions under the verification and validation criterion to determine whether the manual actions have been verified and validated by simulating the actions using the current procedure.

24

C.3 Additional Guidance for Meeting the Acceptance Criteria The overall goal to be met for operator manual actions under Paragraph III.G.2 of Appendix R to 10 CFR Part 50 to be considered acceptable can be succinctly stated as follows:

As long as licensees meet all the rule criteria for the actions (individually addressed below), they perform sound demonstrations of the actions at the plant (addressed below),

they perform reasonably bounding calculations of the time available for the various actions (addressed below), and they can show that the time available relative to the time to perform the actions includes an appropriate time margin to address uncertainties (addressed below),

then local operator manual actions in response to fire can be credited.

This section provides additional guidance for specifically meeting the acceptance criteria that are in the rule and summarized in Section C.1 above. As discussed in Section B regarding the scope of this regulatory guide, this guidance focuses on the unique aspects of the hazard involved (fire) and the potentially unique characteristics of subsequent manual actions during the operators response.

C.3.1 Guidance Regarding the Time Line Showing Sufficient Time To Perform the Actions For all the manual actions to be credited under Appendix R, III.G.2, the analyses must contain a time line or lines showing there is sufficient time to diagnose the need for the actions, travel to action locations, perform the actions, and confirm the expected response. An acceptable time line should have the following elements, as illustrated in Figure C.3-1:

(1) The time of fire detection (T0), which begins the time line and represents the first indication that a fire may exist, or at least suspect that a fire has begun.

Detection may be via alarms, indicators, an observation from a roving operator, etc.

(2) An expected diagnosis time (that is, the expected time to confirm the fire and determine its location). This time is to be obtained from the demonstration (see the demonstration criterion discussion later) and T1, the end of the diagnosis time, is to be marked on the time line.

25

Figure C.3-1. A time line (3) An expected implementation time that is the expected time to implement the desired action or actions. This time is to be obtained from the demonstration (see the demonstration criterion discussion later) and includes such activities as main control room staff pulling out the correct fire plan and procedures once the fire location is confirmed; informing the plant staff of the fire; calling for fire brigade assembly and actions; calling for and/or communicating with local staff responsible for taking the desired local manual actions; providing instructions to the responsible local staff for the manual actions; having the local staff collect any procedures, checking out communications equipment, and obtaining any special tools or clothing necessary to perform the actions; traveling to the necessary locations; implementing the desired actions (some actions may have to be done sequentially, i.e., cannot start until prior actions are completed)and communicating with the main control room staff or others as necessary, who in turn may be simultaneously dealing with the fire brigade, handling multiple procedures (EOPs and fire procedures), etc.; and telling the main control room staff and others as necessary that the actions have been completed and the expected effect has been achieved. The implementation time ends at T2, as shown in the figure. Hence, the total time to be obtained from the demonstration begins at T0 and ends at T2.

Note that after the initial diagnosis time, subsequent actions may or may not include subsequent diagnosis times. For instance, in the case of performing proceduralized preventive actions, no other diagnosis time may be needed for some actions. Alternatively, if the desired action is a reactive action in the sense that it can be taken only after diagnosis of an undesired equipment status (e.g., loss of feedwater after a valve spuriously closes), then that diagnosis time needs to be included (e.g., deciding what action to take and by whom) as illustrated in Figure C.3-2. The time available (T3) for these reactive actions will need to be measured from the worst-case point at which the equipment could be affected. In other words, since spurious effects caused by the fire could, in principle, occur at any time, licensees will need 26

to determine the point at which the least amount of time would be available to complete the reactive action and successfully restore the availability of the equipment. As illustrated in Figure C.3-2, the starting point for the reactive actions will not necessarily be tied to the time associated with detecting and diagnosing the fire (T1 in the figures). The symptoms for the reactive actions will occur whenever the fire affects the relevant equipment, which could be before T1 is reached or anytime after that point.

Thus, to repeat, the time available for the reactive actions will have to be determined assuming the worst-case point for the spurious effects.

Figure C.3-2. Initial fire detection and multiple action (one action dependent on a separate diagnosis of an undesired equipment failure) with a single overall time margin and T3 Another consideration is relevant to the case of preventive actions. If it is reasonably possible that the fire could negatively affect the relevant equipment before the preventive actions are completed, then the implementation time (T2) should also include the time it will take plant personnel to take the reactive actions necessary to manually place the affected equipment in the desired state. In other words, when reasonable, licensees should assume the worst-case for the time to complete preventive actions, which in fact may involve reactive actions if the fire effects occur before the preventive actions are completed. This issue is addressed further in the guidance for performing the demonstration.

(4) An added time margin as discussed later under the time margin criterion.

(5) The time available for performing the actions to ensure hot shutdown can be achieved and maintained (T3). To be acceptable, T2 plus the time margin should be less than or equal to T3.

27

The acceptability of the time margin and the demonstration are discussed in detail later. In calculating an acceptable T3, the licensee must show that the available time is the most conservative (generally the shortest) time, considering the fire, its location and anticipated growth rate, the fire effects, and expected plant and operator responses to the fire effects, including thermal-hydraulic calculations as necessary. To determine the most conservative T3, the analyst needs to consider what failures (including spurious events) may occur and when they may occur. For example, if it is most conservative to assume the equipment failure occurs at the quickest possible time for the fire being analyzed (which may be even before any preventive actions could be taken for the fire, requiring subsequent response-type actions instead), then T3 should be based on that assumption. For instance, loss of the feedwater function is generally more severe if it happens early in the scenario than if it happens later after a period of successful decay heat removal. If instead it is most conservative to assume the equipment failure occurs at some later time in the scenario, that time should be assumed in deriving T3 (e.g., if failure of service water to a diesel after the diesel has been running and loaded is more severe than before the diesel is demanded because the diesel could fail in 3 minutes without cooling, so that the operator would likely prevent diesel operation, thereby saving it for future use if service water is restored).

As shown in Figure C.3-3, when developing any time line showing multiple actions, any interdependence among actions need to be accounted for, such as when actions by one operator cannot start before another action or actions are completed by another operator, or when multiple actions are to be performed by a single operator who must travel to multiple locations to perform his/her assigned actions in a sequential manner, etc.

Figure C.3-3. Initial fire detection and multiple actions (one action dependent on completion of a prior action) with a single overall time margin and T3 28

Figure C.3-4. Initial fire detection and multiple actions illustrating the application of multiple time margins and T3s Depending on the desired actions, one overall time margin or multiple time margins and T3s (as illustrated in Figure C.3-4) may be necessary or appropriate to show that individual actions are performed before their specific analyzed T3 times and that the collective set of actions to fully achieve and maintain hot shutdown are successfully performed considering the fire and its effects. Also, the licensee may wish to use a most conservative time line for a range of fires, locations, and effects (in which case the time line must envelop the needs of all the fires) or to develop separate time lines for different fire locations or even different fires in the same location.

Key inputs and assumptions associated with the time line should be evident in the analysis documentation.

C.3.2 Guidance Regarding the Time Margin The main reason for including a time margin in the acceptance criteria is to help ensure that the operator manual actions can be performed reliably. If licensees can show (a) through well-thought out demonstrations that the actions are feasible, (b) that relatively conservative assumptions will allow extra time for the actions with respect to the fire scenario time line, and (c) that the actions meet all of the other acceptance criteria, then it is likely that unexpected delays can be absorbed and that the actions can be performed reliably.

This regulatory guide provides guidance for how to perform acceptable demonstrations, how to calculate acceptable time lines, and how to address the other relevant acceptance criteria. By assuming that an appropriate set of conditions will be adequately addressed in the demonstration, in the determination of the fire scenario time line, and in the other criteria, the NRC has determined that a factor of 2 time margin (or greater) would provide a high confidence of a low probability of failure for given operator manual actions in response to fire (see Appendix A for a discussion of the determination of the factor of 2 time margin).

29

The factor of 2 represents a consensus minimum based on the expert opinion elicitation discussed in Appendix A. There may be situations in which a value greater than 2 is appropriate (e.g., where the demonstration falls short of the guidance provided in this regulatory guide). The factor of 2 time margin is assumed to absorb delays that might be caused by the following set of factors (also listed in Section C.2.2).

(1) Factors that the licensee likely may not be able to recreate in the demonstration that could cause further delay under real fire conditions (i.e., where the demonstration would likely fall short of actual fire situations). For example:

The need to recover from or respond to unexpected difficulties or random problems (i.e., not related to the fire), such as a stiff handwheel or a problem with a communication device.

Environmental and other effects not easily simulated as part of the demonstration, such as radiation, smoke and toxic gas effects, increased noise levels (due to the fire and suppression equipment operation and personnel shouting instructions), water on the floor, fire hoses in the way, and too many people in the way.

Limitations of the demonstration to account for (or envelop) all possible fire locations that may call for the actions, resulting in different travel paths and distances to where the actions need to take place. A similar limitation is that the location and activities of needed plant personnel at the time the fire starts could delay their participation in executing the operator manual actions (e.g., they may be on the opposite side of the plant and may need to restore certain equipment before being able to participate).

Inability to execute relevant actions during the demonstration because of safety considerations while the plant is at power (e.g., personnel cannot actually handwheel the valve, can only simulate doing so).

(2) Typical and expected variability among individuals and crews that could lead to variations in operator performance (i.e., human-centered factors).

For example:

physical size and strength differences

cognitive differences (e.g., memory ability, cognitive style differences)

emotional response differences to the fire/smoke

different responses to having to wear an SCBA to accomplish a task (i.e., some people may be less comfortable with a mask over their face than other people)

differences in individual sensitivities to real-time pressure

differences in team characteristics and dynamics.

The factor of 2 time margin is also intended to allow personnel enough time to recover from any initial errors in performing the actions. Since it is not realistic for licensees to model such recoveries in their demonstrations, it was determined that an adequate time margin would have to account for delays caused by recovering from mistakes. Thus, to ensure the acceptability of operator manual actions in response to fire, the NRC recommends that licensees show that the time available for actions is at least 100 percent greater than the time 30

obtained from the demonstration (hence the factor of 2 mentioned above). Assuming all other factors are met satisfactorily, providing such a time margin will allow the NRC to conclude that the desired manual actions are acceptable.

C.3.3 Guidance Regarding Environmental Conditions Environmental conditions encountered by operators while traveling to and from action-related areas, accessing the areas, and performing the operator manual actions should be shown to be consistent with established human factor considerations, including the following:

Emergency lighting shall be provided as required in Appendix R,Section III.J, or by the licensees approved fire protection program.

Radiation shall not exceed 10 CFR Part 20, Section 20.1201, limits.

Temperature and humidity conditions shall not prevent successful performance of the operator manual actions or jeopardize the health and safety of the operator. Heat stress analysis should be performed as necessary.

Smoke and toxic gases from the fire shall not prevent accessing the necessary equipment or hinder successful performance of the operator manual actions nor jeopardize the health and safety of the operator. Licensees should do a careful analysis of expected smoke and toxic gas levels to ensure that they will not affect performance.

If these environmental conditions are present where the relevant activities need to take place, the criterion will generally be easily met. However, several other issues also need to be considered:

The donning and wearing of special gear such as SCBAs, fire suits, gloves, or other protective items to accomplish the operator manual actions in the fire-impacted environment can slow personnel down because of limited visibility or loss of manual dexterity and may hinder their ability to communicate effectively.

Reliable communication may be essential if multiple personnel are involved. As discussed in Section C.3.11, if such special gear might be needed in order to successfully complete the operator manual actions, then the gear should be used during the demonstration to substantiate its effectiveness and its impact on the time to complete the actions. While it is possible to perform the desired actions by meeting in clear areas to communicate or by going to clear areas where communication devices are located, at a minimum, time delays during the response should be considered. Certainly such activities should be included in the demonstration if they are going to be used.

Licensees should make certain that any special equipment related to environmental conditions, such as protective clothing or flashlights that might be needed for activities in especially dark areas, are staged in the area or else that personnel pick up the equipment in a common area per the relevant procedure. These types of activities should always be included as part of the demonstration and included in the time to complete the actions.

Another concern is the potential effect of environmental conditions on personnels mental state. Although it might be determined that the environmental conditions fall within acceptable limits with respect 31

to individuals physical well-being, the licensee should ensure that none of the personnel expected to support the operator manual actions have specific fears associated with the actions (e.g., strong fear of fire or problems with wearing SCBAs). Relevant training in these areas should be conducted.

C.3.4 Guidance Regarding Equipment Functionality (Operability) and Accessibility This criterion addresses the need to ensure that the equipment that is necessary to achieve and maintain post-fire hot shutdown is accessible, operable, and not damaged or otherwise adversely affected by the fire and its effects, so that the desired operator manual actions can be successfully performed per the applicable procedures and training.

In crediting the functionality (operability) of the equipment, the following should be considered:

Consider unique fire effects (In addition to those normally encountered such as heat, smoke, water, combustible products), and spurious operation that may render the component inoperable by manual or remote manipulation.

No credit for operator manual actions and the related equipment should be taken involving the use or manipulation of equipment located where it could be exposed to the fire and its effects. If crediting the use of equipment potentially exposed to the fire and its effect is necessary [and this should occur only in rare and exceptional circumstances (e.g., using equipment in an area well after the fire is extinguished)], the licensee should provide justification as to the continued operability of the component or components for the intended manipulation and use.

All the needs of the equipment are to be met for the equipment to be operable. For instance, if the operator manual actions involve the use of a switch and subsequent control signal to a component, the supporting electrical power and signals and associated cabling need to be operable. Further, if the equipments functionality relies on certain supports (e.g., cooling, ventilation, power, air from a nearby tank, etc.) to be manipulated and continue to function (if needed) in the desired manner, those equipment support functions must also be functional and available.

32

Knowledgeable personnel must have adequate accessibility to all the necessary equipment and other aids (e.g., diagnostic indications, components to be manipulated, clothing, special tools, keys, procedures, communication equipment, etc.), and be able to readily locate the equipment and use or otherwise manipulate the equipment in the desired manner per the procedures and training under the anticipated range of fire-related conditions.

Considerations in meeting the adequate accessibility criterion should include the following:

the range of conceivable environmental conditions (see the environmental considerations criterion) under which the actions will be performed, especially radiation and fire-related conditions such as abnormal temperature, radiant energy, and smoke,

physical access or manipulation constraints, especially for locations likely to be congested or where routine operations do not occur or for manipulations not normally performed

the possibility that preferred access/egress routes may become inaccessible and alternate routes may need to be used

the possibility that security doors or similar restraints could be physically or electrically affected by the fire Consistent with guidance for equipment operability, no credit for operator manual actions should be taken in locations exposed to the fire and its effects except in justifiable rare cases.

An example of the type of functionality issue that should be considered was discussed in Section C.2.4 with regard to Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire [Ref. 14]. The information notice concerned motor-operated valves (MOVs). The bypassing of thermal overload protection devices (discussed in Regulatory Guide 1.106, Thermal Overload Protection for Electric Motors on MOVs [Ref. 15]) could jeopardize completion of the safety function or degradation of other safety systems due to sustained abnormal circuit currents that can arise from fire-induced hot shorts. Even if these overload protection devices are not bypassed, hot shorts can cause loss of power to MOVs by tripping the devices. If equipment (including cabling and other support needs such as power and cooling) that could be affected by the fire or its subsequent effects is to be used for operator manual actions, the licensee should determine that the operability and performance of that equipment will not be adversely affected so that the function can be successfully achieved by the manual actions.

33

C.3.5 Guidance Regarding Available Indications Diagnostic indicating instrumentation should be among the equipment identified as needed to (a) enable the operators to determine which manual actions are appropriate for the fire scenario, (b) tell the personnel how to properly perform the manual actions, and (c) provide feedback to the operators to verify that the manual actions have had their expected results. The available indications should include those indications necessary to detect, and diagnose the location of, the fire. As part of the necessary equipment, indicating instruments should meet the operability and accessibility requirements provided in the proposed rule and guidance discussed earlier, especially in light of the possible harsher than-normal conditions in which the indications may need to operate. In addition:

The available indications should be any that are needed, either in the main control room or in local areas, to meet a, b, and c above, including annunciators, indicating lights, pressure gauges, flow indicators, and local valve position indicators.

A review to identify the needed indications should include where there are no alarms for potential spurious equipment operations nor any other compelling signal that the equipment status has changed and is detrimental to the safety functions (e.g., a valve shutting changes the indication of an open lit light to a closed lit light). In such cases, the operator is more likely to miss the change in status and, therefore, not respond to it. To the extent feasible, compensatory measures should be provided. For example, a local operator observes the equipment (part of the staffing requirement), or there are warnings in the procedure to watch for and frequently check specifically identified equipment status relevant to the fire.

The available indications, where necessary, should be sufficiently redundant or diverse that the operators will suspect potential faulty indications as a result of the fire (such as may be caused by failure or spurious operation due to the fire or due to loss of power caused by the fire and the subsequent plant trip) and can determine the true plant status by viewing other indications or by getting other independent local operators to verify the suspect indication.

Such redundancy and/or diversity considerations need to address where multiple indications could be affected by one spurious fault or failure, such as the loss of a common power supply or a cascading circuit (e.g., a faulty wide range reactor coolant system pressure signal will affect not only the pressure indication but also the subcooling indication because the signal is used to calculate subcooling). Such erroneous indications could be particularly troublesome since, taken together, they may appear appropriate.

The indications should be maintained to ensure adequate configuration control and proper protection.

34

C.3.6 Guidance Regarding Communications Adequate communications capability should be illustrated for operator manual actions that must be coordinated with other plant operations and personnel. Any necessary communications capability should be routinely and continuously available for all personnel involved in the actions and should be protected from the effects of a postulated fire. It should be noted that the unpredictability of fires can force staff to deviate from planned activities (hence, the need for constant, effective communications). In addition, communications permit the performance of sequential operator manual actions (where one action must be completed before another can be started) and provide verification that procedural steps have been accomplished, especially those that must be conducted at remote locations. More guidance on communications follows:

For the fire and actions of interest, it should be shown that a potential fire will not damage or disable communications equipment (e.g., electrical interference, burning of cables), and that the ability of personnel to successfully use that equipment given other factors introduced by the fire (e.g., the need to wear protective clothing) will not be adversely affected.

There should be confirmation that the desired means of communication will work in particularly noisy environments (best done by testing under the noisy condition).

Personnel should have substantial training on activities that involve coordination and communication, including how to clearly state important information.

Further, as the means of communication must be set up or otherwise made available, the time to do so should be considered in the time to implement the desired actions.

As noted in other sections of this regulatory guide, the licensee should have shown the ability to communicate while wearing protective gear such as SCBAs during the demonstration.

C.3.7 Guidance Regarding Portable Equipment Portable equipment is also needed for operator manual actions. Portable equipment, especially unique or special tools (such as keys to open locked areas or manipulate locked controls, flashlights, ladders to reach high locations, torque devices to turn valve handwheels, and electrical breaker rackout tools), can be essential to access and manipulate SSCs in accomplishing operator manual actions. Therefore, portable equipment should also meet the operability and accessibility requirements provided in the proposed rule as discussed earlier. The criteria for crediting the use of portable equipment are as follows:

The portable equipment should be staged so that its locations are known by those who need to use the equipment, the locations are constant, and the equipment is readily available.

The portable equipment should be under configuration control and it should be routinely verified that the portable equipment is indeed located where it is supposed to be and has not been misplaced or otherwise moved.

35

Personnel should be trained to use the special tools and equipment in the planned application.

If the use of the portable equipment may slow down action implementation, the delay should be considered in the time estimated (and subsequently included in the demonstration) to implement the desired actions.

C.3.8 Guidance Regarding Life Support Equipment The necessary equipment must also include life support equipment as it is needed to successfully perform the manual actions and prevent harm to personnel. Such equipment could include protective clothing, gloves, and SCBAs. Therefore this component also needs to meet the operability and accessibility requirements and guidance discussed earlier.

The criteria for crediting the use of life support equipment are as follows:

Consideration needs to be given not only to the locations for the operator manual actions, but also to access and egress paths to and from the locations, considering the fire and its effects.

The life support equipment should be readily available so that its locations are known by those who need to use it, and there will be no undue delay in obtaining and donning the life support equipment.

Personnel should be trained to use the life support equipment in the planned application.

If the use of the life support equipment may slow down action implementation because of limited visibility, loss of manual dexterity, making it difficult to communicate, etc., the delay should be considered in the time estimated (and preferably included in the demonstration) to implement the desired actions.

Use of SCBAs, including any credit for communication while they are being worn, can only be credited if their capability has been illustrated by trained personnel. While it may still be possible to perform the desired actions by meeting in clear areas to communicate or by going to clear areas where communication devices are located, at a minimum, time delays during the response should be considered and such activities should be included in the demonstration if life support equipment is going to be used.

36

C.3.9 Guidance Regarding Procedures and Training Procedures To help ensure that operator manual actions are performed successfully, procedural guidance for the actions should be readily available, easily accessible, and contained in an emergency procedure. Operators should not have to rely on having adequate time to locate, review, and implement seldom used plant procedures to know when and how to operate plant equipment during a fire event. The procedures should accomplish the following:

Assist the operators (usually in conjunction with indications) in correctly diagnosing the type of plant event that the fire may trigger, thereby permitting them to select the appropriate operator manual actions.

Direct the operators as to which manual actions are appropriate to place and maintain the plant in a stable, hot shutdown condition for a fire in a given area.

Minimize the potential confusion that can arise from fire-induced conflicting signals, including spurious actuations, thereby minimizing the likelihood of personnel error when personnel are performing the operator manual actions.

In addition, the written procedures should contain the steps of the manual actions, how and where they should be done, using what tools or equipment, and what kinds of personnel and how many are needed to accomplish them. For infrequently visited locations or when the fire or fire fighting activities might interfere with normal routes, directions for the most efficient ways to reach the action locations should be provided.

The procedural guidance, especially for the desired operator manual actions, should be as specific as possible (e.g., not just align the train) unless it can be justifiably claimed that the available guidance is sufficient for the average operator with typical skill-of-the-craft to implement the guidance without step-by-step instructions. Such skill-of-the-craft should be illustrated on a periodic basis (see training section below).

Given the variety of conditions that can occur during a fire, the procedures should alert personnel to any potentially hazardous conditions that might be generated by fires in particular locations (e.g., expected hazards such as water on the floor caused by firefighting activities in nearby areas). Furthermore, during the development of the procedures, the licensee should try to identify any potential informal rules that might exist in the plant or biases that might be held by plant personnel about fire conditions and make sure they are addressed in the procedures and during training (e.g., conditions under which personnel should be concerned about interactions between water and electricity).

37

Due to the unusual demands that can be associated with a plant fire, it is possible that unrealized conflicts between procedures may exist. That is, certain conditions may make certain actions incompatible. In particular, operator manual actions taken earlier in a scenario may render actions to be taken later more difficult or inappropriate. Thus, the entire set of procedures that may be used during a given scenario should be reviewed for potential conflicts. Adequate demonstrations of the operator manual actions should help in revealing such conflicts. The review of procedures should watch for and address the following items:

ambiguous, unclear, or non-detailed steps for the desired actions in the context of the sequence of interest

situations in which the operators, under ceratin conditions, may have trouble identifying a way to proceed forward

situations in which operators rely heavily on memory

situations in which operators must perform calculations, especially in a rush Talk-throughs with operations and training staff can be helpful in uncovering difficulties in using the relevant procedures.

Finally, there are special considerations for the two general types of operator manual actions in response to fire.

In the case of preventive actions (i.e., actions that the licensee expects to take on the basis of the occurrence of a particular fire, without needing further diagnosis, in order to prevent spurious actuations or other fire-related failures),

the procedures should be written to cover the possibility that the fire effects occur before the preventive actions are completed. For such cases, the procedures should direct the operators to verify equipment state and position and manually align the equipment as necessary to reach safe shutdown.

For reactive or symptom-based actions (that is, actions taken by plant staff during a fire in response to an undesired change in plant status when the staff must diagnose the need for the actions), relevant procedures should clearly describe the indications on which the actions should be initiated. If redundant cues are available, they should also be addressed in the procedure to aid the operators when the fire causes spurious effects. Crews should be aware that the cues for such actions can, in principle, occur at any time during a fire. If necessary due to timing considerations, such actions may need to be made continuous action statements in the fire procedures.

38

Training Since plant procedures must include operator manual actions credited to achieve and maintain hot shutdown, each operator must be appropriately trained on those procedures. Training on the procedures should accomplish three goals:

Establish familiarity with the procedures, equipment/controls, and potential (simulated) conditions in an actual event, including the necessary indications and human-machine interfaces.

Provide the level of knowledge and understanding necessary to prepare the personnel performing the operator manual actions to handle departures from the expected sequence of events.

Give the personnel the opportunity to practice their response without exposure to adverse conditions, thereby enhancing confidence that they can reliably perform their duties in an actual event.

Such training should involve both classroom activities and related plant exercises.

In addition to initial and regular training on the actions, since acceptable demonstrations are one of the criteria that must be met in order to credit operator manual actions and they must be performed under as realistic conditions as possible, each operator should participate in the periodic demonstrations with a frequency consistent with that established by the licensee in compliance with 10 CFR 50.120. It is important that personnel practice the full set of actions, including interacting with the main control room crew while they are performing the related activities in the simulator. In other words, participating in as complete as possible a simulation of the fire scenario should be part of training.

There are several areas in which special (but not unusual) training will be needed to support operators ability to complete the manual actions:

All plant personnel that may need to wear protective clothing to perform the actions should receive training in donning the clothing, traveling to the action locations while wearing the clothing, and conducting the relevant actions while wearing the clothing.

Personnel should train on the use of SCBAs and should practice all aspects of the relevant operator manual actions while wearing the SCBAs. They should wear the SCBAs for as long as the SCBAs would be needed in an actual fire.

If communication among personnel is necessary to accomplish the actions, the communications should be part of the training on the actions and should be practiced under as realistic conditions as possible (e.g., at the expected noise levels). The personnel should also be well trained on the range of communication equipment that might be necessary. In addition, licensees should provide guidance and practice on how to best state the relevant information to be understood.

39

Along similar lines, if personnel must work as a team to accomplish certain actions, they should be given guidance on how to perform effectively as a team to achieve the particular actions and they should practice the actions as a team.

Since it is unlikely that fixed teams will always be available for specific actions, individuals should have the opportunity to train on the range of activities to achieve the actions.

The training should include any technical knowledge regarding fires that will be important to ensure adequate response to the fire scenario.

The training program on the use of operator manual actions and associated procedures during a postulated fire should be shown to be in effect, current, and adequate. Training on the desired actions should be done in a classroom context on a regular basis consistent with other types of operator training during the licensees regular plant training cycle. With a frequency consistent with that established by the licensee in compliance with 10 CFR 50.120, the licensee should conduct time-authenticated demonstrations of the actions with established crews of operators, showing that the manual actions needed to achieve and maintain the plant in a hot shutdown condition can be accomplished under conditions closely resembling those anticipated in a real fire event.

Note that if it is assumed that skill-of-the-craft will be adequate to ensure performance of certain actions, then that skill should be illustrated on a periodic basis.

C.3.10 Guidance Regarding the Staffing Criterion To meet the staffing criterion, it is important that the persons involved in performing the operator manual actions be numerous enough and sufficiently qualified to collectively perform the desired actions to achieve and maintain hot shutdown in the event of a fire.

Per the rule:

These persons are to be on site at all times.

Individuals performing the operator manual actions need to be exclusively dedicated to the performance of the manual actions during a fire.

Acceptable staffing largely depends on the activities that need to be performed in accordance with the time line analysis discussed earlier. Besides the above rule requirements, the following should be considered in determining the acceptability of the staffing for the performance of operator manual actions:

The number of persons should be sufficient to meet the workload assumed in the time line analyses and, as shown under the demonstration criterion, successfully achieve and maintain hot shutdown. Decisions about staffing levels should take into account all of the operator manual actions that are expected in a particular fire scenario. Since different scenarios may involve different sets of operator manual actions, staffing levels should meet the worst-case scenario in terms of the number of staff needed to meet the time line requirements.

40

The staff should be trained and qualified in their assigned duties for performing the operator manual actions. This should be performed per the licensees normal training practices and include special considerations given the desired actions will need to be carried out during a fire (see the procedure and training criterion). Special considerations may include verification of the availability and reliability of instrumentation and equipment, assessing damage to equipment, de-energizing critical equipment to protect it, re-energizing buses, manually manipulating equipment that normally is automatically controlled, implementing fire-specific procedures (including important plant site and offsite notifications), assisting or supporting firefighting activities, and potentially dealing with injuries to plant personnel.

No single individual should have task assignments nor a task load that results in excessive physical or mental stresses, nor coincident tasks that unduly challenge each persons ability to perform the desired actions in the analyzed times under the range of reasonably anticipated conditions. Licensees should be able to defend their assumptions regarding the ability of the relevant staff to perform under the expected conditions.

C.3.11 Guidance for How To Perform an Acceptable Demonstration The acceptance criterion for operator manual actions in response to fire is that periodically (consistent with that established by the licensee in compliance with 10 CFR 50.120), the licensee shall conduct time-authenticated demonstrations of the relevant actions, utilizing an established crew of operators to show that manual actions required to achieve and maintain the plant in a hot shutdown condition can be accomplished consistent with the analysis An important purpose of the demonstration of the actions per the acceptance criteria and showing that they can be completed in the time available is to document the feasibility of the actions. However, for the demonstration to be valid, it must be conducted under conditions that are as realistic as possible. Of course, it is clear that in spite of licensees best efforts, there may be conditions that are very difficult, if not impossible, to simulate. This is one of the reasons the time margin was developed (i.e., to provide a way to account for potential shortcomings in the ability of licensees to adequately simulate the actual plant conditions during the demonstration).

The validity of the time margin relies on an acceptable demonstration being performed, along with an acceptable time line analysis and adequate consideration of the remaining criteria. This section provides guidance on what must be considered and how to ensure that an acceptable demonstration is done.

One of the first steps of performing an acceptable demonstration is to ensure that all relevant aspects of the other acceptance criteria are met and that the important characteristics of those criteria are included in the demonstration to the extent possible. In other words, all aspects that could influence the outcome of the actions should be included in the demonstration if it is reasonable to do so. Things to consider under each of the criteria are discussed below.

41

Before proceeding, it should be noted that, to the extent possible, an entire accident scenario should be simulated for the demonstration, including all the expected main control room activities, if the response to the fire is expected to credit operator manual actions. More details on the nature of the simulation are given below.

Furthermore, as will be discussed in the section on developing a time line, all actions associated with detecting and diagnosing the presence of the fire (T1) and diagnosing the need for and executing the relevant manual actions (T2), should be timed during the demonstration.

Obviously, this information will be important in determining whether there will be enough time available to perform the actions.

Environment Once it is determined (per the guidance in this document) that the relevant actions will be possible under the environmental conditions expected to be present in the areas which operators will have to go to complete the actions, as well as in the locations of the actions, then those conditions should be simulated to the extent possible. For example, the following conditions should be simulated in all relevant areas, including areas through which the operators may have to travel:

The lighting levels expected to be present during the actual fire

If the environmental conditions are assumed to involve the use of SCBAs at any time in the scenario, then they should be donned and worn during those periods.

If protective clothing will be needed at any time, it should be donned and worn during those periods.

If SCBAs may be needed, then any communications anticipated during those periods will need to be simulated when the SCBAs are worn. Personnel who use SCBAs must receive training in their use.

The noise levels expected to be present during the fire scenario Equipment Functionality (Operability) and Accessibility Accessibility to the relevant systems and equipment is necessary to enable the personnel to perform the operator manual actions. To the extent possible, the personnel participating in the demonstration should literally carry out the actions if the actions can be done without affecting the safety of the plant (e.g., manually open a valve with the handwheel).

If the demands of the task and the time to complete the actions must be based on the judgments of plant personnel, then a process should be used to help ensure that the estimates are reasonable (e.g., get multiple independent judgments). A preferred approach is to obtain estimates of the time to execute specific actions when safety is not be a concern (e.g., during shutdown or when the system is out of service for some reason).

In addition, if the plant history indicates that certain equipment tends to have persistent types of problems (e.g., a tendency for valve hand wheels to be stiff), then those conditions should be assumed for the demonstration and not pre-conditioned solely for the demonstration.

42

Available Indications (and Main Control Room Response)

In conducting the demonstration, to the extent possible the actual effects of the fire conditions should be simulated in the plant training simulator and the operators should diagnose the need for the relevant actions based on the expected pattern of indications.

In other words, the presence of the cues needed to detect the fire should be simulated, and the crew should have to respond accordingly. The main control room response to the scenario should be the same as during an actual fire. The main control room crew should enter the relevant procedures based on the expected indications and take the necessary steps to respond to the fire and reach safe shutdown. The parameters indicating the need for the operator manual actions in response to the fire should also be simulated, and the crew should have to summon the staff necessary for the manual actions, retrieve the relevant procedures, provide the necessary guidance, and interact with the individuals as necessary while they complete the actions for the demonstration. In addition, the personnel executing the actions should have to check relevant indications of successful completion of the actions and verify completion. These indications should be accurately simulated to the extent possible.

All aspects of the scenario associated with diagnosis and the execution of the actions should be timed. This will provide information relevant to determining the time to diagnose the need for the actions (T1) and the time needed to implement the actions (T2). If any aspects of the scenario cannot be simulated, their potential impact on the time should be estimated.

Communications The communications necessary to complete the operator manual actions should be part of the demonstration. This should include communications necessary from the detection of the fire through completion of the actions. Examples of conditions that should be included in the demonstration include the following.

If it cannot always be assumed that the personnel expected to perform the actions will be in the control room at the time they will be needed, then worst-case scenarios for where the personnel might be with respect to being able to communicate with the control room should be included in the demonstration. If personnel might be in areas where someone would have to be sent to go get them, then this activity should be simulated.

If personnel must be able to communicate with each other and with the control room, then those communications should be part of the demonstration.

43

Portable Equipment Any portable equipment that will be needed to conduct the operator manual actions during a real fire should also be accessed and used to the extent possible during the demonstration. Portable equipment includes unique or special tools, such as keys to open locked areas or manipulate locked controls, flashlights, ladders to reach high places, torque devices to turn valve handwheels, and electrical breaker rackout tools. Such equipment should be located where it would be expected to be located during a real fire. The equipment should not be gathered together and made easily accessible just for purposes of the demonstration (i.e., no pre-conditioning).

Life Support Equipment Similar to the portable equipment noted above, any life support equipment such as protective clothing, gloves, and self-contained breathing apparatuses (SCBAs) should be located, accessed, and donned as during an actual fire.

Procedures and Training All activities associated with the use of procedures should be addressed in the demonstration, including the following:

detection of the entry conditions for the procedures

their retrieval

the potential need for multiple copies

usability of the procedures under the expected condition (e.g., lighting levels, a place to put them during their execution if they must be closely followed)

In addition, if training on the actions occurs only periodically, then variability in terms of how recently a crew received training should be considered in selecting participants for the demonstration (i.e., the most recently trained crew should not automatically be selected for the demonstration, as this could be considered pre-conditioning).

Staffing All staff that will have duties associated with successful completion of the actions (including diagnosis and execution of the actions) should participate. Staffing issues such as the following should be considered in the demonstration:

If personnel will have to be summoned from outside the main control room, the worst reasonable case in terms of how long it will take them to get to the control room should be assumed for the demonstration. To the extent possible, licensees should consider the potential for the personnel to be in remote locations from which it is difficult to egress and that the personnel may have to complete some actions before they can leave an area. These considerations should be included in the demonstration.

44

If the actions will involve multiple staff in certain sequences, then these activities, their coordination, and their associated communication aspects should be included.

If the main control crew is likely to be directing and coordinating multiple teams involved in executing manual actions, these activities should be simulated.

Furthermore, if the individuals in the main control room coordinating these activities will have other significant responsibilities, those responsibilities should also be simulated.

Other Aspects Important to the Demonstration There are several other important issues or aspects that licensees should consider in conducting an acceptable demonstration:

If the operator manual actions being examined are preventive actions and it is reasonably possible that the fire could negatively affect the relevant equipment before the preventive actions are completed, then the participating personnel should verify equipment state and position and manually align the equipment as necessary. Thus, the implementation time (T2) for the actions will include the time it would take plant personnel to complete the reactive actions necessary to manually place the affected equipment in its desired state.

If the operator manual actions being examined are reactive actions, then the licensee should be aware that the cues for the need for such actions and the associated effects could, at least in principle, occur at any time after the fire starts. Thus, the effects could occur early, during the diagnosis stage of the scenario, or sometime after that. For purposes of the demonstration, licensees should try to determine when the worst-case timing for the occurrence of the spurious fire effects on the relevant equipment would be with respect to the level of activity in the main control room and the plant in general. Other factors to consider are the decay heat levels present and potential interactions with and effects on other equipment.

If the fire or other factors could affect where personnel have to travel (e.g., what routes they have to take) and where they have to enter various rooms, then reasonable worst case effects should be modeled in the demonstration.

If the conditions that could be generated by the fire have the potential to vary significantly, in general the worst reasonable case should be included in the demonstration.

If smoke could significantly affect visibility, the action should not be credited.

To perform an acceptable demonstration, in general licensees should strive to make the demonstrations as realistic as possible and make conservative assumptions as necessary.

If this is done and the above guidance is followed, then the resulting demonstrations, in conjunction with the time margins, should help achieve the goal of crediting only feasible and reliable operator manual actions.

45

D. IMPLEMENTATION The purpose of this section is to provide information to applicants and licensees regarding the NRC staffs plans for using this draft regulatory guide. No backfitting is intended or approved in connection with the issuance of this guide.

The NRC has issued this draft guide to encourage public participation in its development.

Except when an applicant or licensee proposes or has previously established an acceptable alternative method for complying with specified portions of the NRCs regulations, the methods to be described in the active guide will reflect public comments and will be used in evaluating (1) submittals in connection with applications for construction permits, design certifications, operating licenses, and combined licenses, and (2) submittals from operating reactor licensees who voluntarily propose to initiate system modifications that have a clear nexus with this guidance.

REFERENCES

1. NUREG-1742, Volumes 1 and 2, Perspectives Gained From the Individual Plant Examination of External Events (IPEEE) Program, U.S. Nuclear Regulatory Commission, April 2002.

2. S.P. Nowlen, M. Kazarians, N. Siu, and H.W. Woods, Fire Risk Insights from Nuclear Power Plant Fire Incidents, Fire and Safety 2001, Elsevier Publishing Co., London, UK, February 2001.

3. S.E. Cooper, D.C. Bley, J.A., Forester, A.M. Kolaczkowski, A. Ramey-Smith, C. Thompson, D.W. Whitehead, and J. Wreathall, Evaluation of Human Performance Issues for Fire Risk, Proceedings of the International Topical Meeting on Probabilistic Safety Assessment PSA 99: Risk-Informed, and Performance-Based Regulation in the New Millennium, August 22-26, 1999, Washington, DC, M. Modarres, ed.,

pp. 964-969, American Nuclear Society, La Grange Park, Illinois 1999.

4. J.A. Forester, S.E..Cooper, D.C. Bley, A.M. Kolaczkowski, N. Siu, E. Thornsbury, H.W. Woods, and J. Wreathall, Potential Improvements in Human Reliability Analysis for Fire Risk Assessments, Proceedings of the OECD/NEA/CSNI Workshop on Building the New HRA: Errors of Commission from Research to Application, May 7-9, 2001, Rockville, Maryland, USA.

5. INEEL/EXT-02-10307, SPAR-H Method, Idaho National Engineering and Environmental Laboratory, November 2002.

6. NUREG-1624, Rev. 1, Technical Basis and Implementation Guidelines for A Technique for Human Event Analysis (ATHEANA), U.S. Nuclear Regulatory Commission, May 2000.

7. American National Standard Time Response Design Criteria for Safety-Related Operator Actions, ANSI/ANS Standard 58.8-1994, American Nuclear Society, La Grange Park, Illinois.

46

8. American National Standard Nuclear Safety Criteria for the Design of Stationary Pressurized-Water Reactor Plants, ANSI/ANS-51.1-1983, R1986, American Nuclear Society, La Grange Park, Illinois.

9. American National Standard Nuclear Safety Criteria for the Design of Stationary Boiling-Water Reactor Plants, ANSI/ANS-52.1-1983, R1988, American Nuclear Society, La Grange Park, Illinois.

10. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 9.5.1, Fire Protection Program, BTP CMEB9.5-1, Guidelines for Fire Protection for Nuclear Power Plants, U.S. Nuclear Regulatory Commission, February 2004.

11. NUREG/CR-5680, Volumes 1 and 2, The Impact of Environmental Conditions on Human Performance, U.S. Nuclear Regulatory Commission, September 1994.

12. NUREG-1764, Guidance for the Review of Changes to Human Actions, U.S. Nuclear Regulatory Commission, February 2004.

13. NUREG-0711, Rev. 1, Human Factors Engineering Program Review Model, U.S. Nuclear Regulatory Commission, February 2004.

14. NRC Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire.

15. NRC Regulatory Guide 1.106, Thermal Overload Protection for Electric Motors on Motor Operated Valves, March 1977.

16. NRC Generic Letter 81-12, Fire Endurance Test Acceptance Criteria for Fire Barrier Systems Used to Separate Redundant Safe Shutdown Trains Within the Same Fire Area (Supplement 1 to Generic Letter 86-10: Implementation of Fire Protection Requirements).

17. NRC Information Notice 84-09, Lessons Learned From NRC Inspections of Fire Protection Safe Shutdown Systems (10 CFR 50, Appendix R),

Section IX of Attachment I.

18. NRC Generic Letter 86-10, Implementation of Fire Protection Requirements, Enclosure 2, Appendix R Questions and Answers.

19. NUREG-0700, Rev. 2, Human-System Interface Design Review Guidelines, U.S. Nuclear Regulatory Commission, May 2002.

20. NRC Regulatory Guide 1.33, Quality Assurance Program Requirements (Operation),

Rev. 2, Appendix A, February 1978.

21. NRC Information Notice 91-77, Shift Staffing at Nuclear Power Plants.

47

22. J.J. Pilcher, E. Nadler, and C. Busch, Effects of Hot and Cold Temperature Exposure on Performance: a Meta-analytic Review, Ergonomics, Vol. 45, No. 10, pp. 682-698, 2002.

23. I. Vasmatzidis, R.E. Schlegel, and P.A. Hancock, An Investigation of Heat Stress Effects on Time-Sharing Performance, Ergonomics, Vol. 45, No. 3, pp. 218-239, 2002.

24. J.B. Sheehy, E. Kamon, and D. Kiser, Effects of Carbon Dioxide Inhalation on Psychomotor and Mental Performance During Exercise and Recovery, Human Factors, Vol. 24, No. 5, pp. 581-588, 1982.

25. M. Sun, C. Sun, and Y. Yang, Effect of Low-concentration Co2 on Stereoacuity and Energy Expenditure, Aviation, Space, and Environmental Medicine, Vol. 67, No. 1, January 1996.

26. N.J. Zimmerman, C. Eberts, G. Salvendy, and G. McCabe, Effects of Respirators on Performance of Physical, Psychomotor, and Cognitive Tasks, Ergonomics, Vol. 34, No. 3, pp. 321-334, 1991.

48

REGULATORY ANALYSIS TBD BACKFIT ANALYSIS TBD 49

APPENDIX A

SUMMARY

OF EXPERT OPINION ELICITATIONS TO DETERMINE TIME MARGINS FOR OPERATOR MANUAL ACTIONS IN RESPONSE TO FIRE (April 1-2 and May 4-5, 2004)

A.1 Introduction This appendix summarizes the results from two expert opinion elicitation meetings held at NRC headquarters in Rockville, Maryland, to develop quantitative criteria to support the operator manual actions rulemaking [Ref. 1]. The NRC has developed these criteria to ensure that feasible operator manual actions could also be accomplished reliably, even when considering different levels of complexity, number of actions, etc. Based on an initial meeting held on January 22-23, 2004, among NRC staff and contractors to discuss potential options for quantitative criteria, it was agreed that the use of time margins was appropriate as a surrogate for ensuring a high reliability in the credited local operator manual actions. As a result of that meeting, a plan was implemented to derive the best approach for providing defensible time margins.

The basic idea was to identify a time margin (or margins) for fire-related operator manual actions to ensure that they would be successful a very high percentage of the time (i.e., there is a high confidence of a low probability of failure). In other words, if the licensee can meet all of the operator manual action acceptance criteria, which includes showing in a demonstration that at least one randomly-selected, established crew can successfully perform the actions, and show that the actions can be performed within an acceptable time frame that allows for adequate time margin to cover potential variations in plant conditions and human performance, then the operator manual action rule would be met. For example, as long as the licensee can show there is an X-percent time margin to perform a particular set of operator manual actions (e.g., the actions are shown during the demonstration to take less than 15 minutes, but even if they were assumed to take 30 minutes [or 100-percent time margin], plant damage or an undesirable plant condition will still be avoided) and all of the other criteria have been met, then we can be confident that the actions can be done reliably. Another approach may be to add a prescribed time (e.g., Y minutes) to the time obtained in a demonstration of any actions as a means to produce the desired increase in reliability.

The use of the time margin concept involves the derivation of appropriate time margins and a technical basis to support them. While the best technical basis would be empirical data from which the time margins could be derived, a database search was unable to find relevant data that could be used directly or generalized to the operator manual actions of interest.

One potential exception was ANSI/ANS Standard 58.8 [Ref. 2], which addresses time response design criteria for safety-related operator actions. However, it was determined that the data in ANS 58.8 relevant to operator manual actions were limited and too broad to generalize well, they were probably overly conservative for most of the types of fire-related operator manual actions being considered, and they lacked clear and sufficient technical basis for our purposes.

Note that just one time margin was not necessarily being advocated; that is, the time margin could vary with the fire scenario, such that different margins may apply to different cases, regardless of whether the margins are measured in absolute (e.g., minutes) or relative (e.g., percent) time. Since varying time margins would most likely depend upon considerations such as fire frequency, magnitude, and consequences, this could be viewed as a form of risk-informing the criteria.

1

Thus, it was decided that an expert panel would be convened and that a facilitator-led, expert judgement process following the Direct Numerical Estimation approach discussed in NUREG/CR-2743 [Ref. 3] and NUREG/CR-3688 [Ref. 4], in conjunction with the guidance and examples found in NUREG/CR-6372 [Ref. 5], would be used to identify the appropriate time margins. The premise is that experts in the areas of nuclear power plant safety, risk assessment, inspection, fire safety and analysis, fire-related plant operations, human factors, and human reliability analysis could, in the context of a structured expert opinion elicitation process, make reasonable estimates of appropriate time margins.

A.2 First Expert Elicitation Meeting A panel of six experts met at the NRC in Rockville, Maryland, on April 1 and 2, 2004. One week prior to the meeting, each expert was provided with a description of the goals of the meeting, which discussed many of the issues that would be addressed to generate the desired time margins.

A.2.1 Expert Panel and Qualifications The six experts were as follows:

(1) A Team Leader, Plant Engineering Branch, Division of Reactor Safety, in Region IV of the NRC; also serving as a project manager and inspector (covering plant engineering and maintenance) for the NRC over the past 14 years.

(2) A Reliability and Risk Engineer in the Probabilistic Risk Analysis Branch in the NRC Office of Nuclear Regulatory Research (RES); formerly a Principal Engineer (Supervisor) and Senior Reactor Operator at a commercial nuclear power plant licensee.

(3) A Senior Level Advisor for Probabilistic Risk Assessment, Division of Systems Safety and Analysis, NRC Office of Nuclear Reactor Regulation (NRR); formerly a Project Manager in the Energy Risk and Reliability Department at a contractor for the nuclear power industry.

(4) A principal of an independent contracting firm, especially contracting to Sandia National Laboratories, and recognized expert in the probabilistic analysis of fire and flood risk for nuclear and non-nuclear facilities; also a published author of numerous articles on this subject.

(5) An Engineering Psychologist in NRR/NRC with expertise in the area of human factors for more than 20 years; also serving as an NRC human factors expert on a national standards development committee in the area of Human Reliability Analysis.

(6) A Senior Operations Engineer in NRR/NRC; formerly an NRC inspector for 20 years, starting as a region-based construction and fire protection inspector and including 8 years as a resident and senior resident at pressurized-water reactors (PWRs).

2

A.2.2 Summary of Topics Discussed During the First Meeting Much of the first day, the discussion among the expert panel members and other meeting participants from NRR, RES, and RES contractors, including the elicitation facilitators, covered the following topics:

(7) What is this expert opinion elicitation all about?

(8) What are the operator manual actions for which we are considering time margins?

(9) What are the human performance influences that should be accounted for by the time margins?

(10) What empirical data or other expert knowledge or experience may be relevant to developing the time margins and their bases?

(11) How will the elicitation process work?

A.2.2.1 What Is this Expert Opinion Elicitation All About?

With regard to topic 1, it was agreed that the overall goal was to derive time margins that would provide reasonable assurance that local operator manual actions in response to fire, in general, can be achieved with a high confidence of a low probability of failure (e.g., 95 percent confidence of a 0.01 failure probability). While it was thought that specific numerical goals on confidence and probability were not practical, the experts were easily able to understand the intent of what we wanted to achieve. Further, so that all the experts conception of the time margin was the same, the model shown in Figure A-1 was agreed upon as generally representative of the time margin concept.

Alarm Diagnosis Implementation Time Margin Early (demonstrated) (demonstrated)

(undetected)

To T1 T2 T3 Fire Growth Time Available to take action (s)

Figure A-1. Conceptual illustration of a time margin 3

A.2.2.2 What Are the Operator Manual Actions for Which We Are Considering Time Margins?

There was much discussion on topic 2. In particular, while it was agreed that we were addressing local (ex-control room) operator manual actions in lieu of meeting the current requirements of Appendix R,Section III.G.2, there was confusion as to whether only licensee preventive actions were included or whether licensee symptom-based response (reactive) actions were also included. Further, there were clearly some differences in opinion as to when an action is a repair. Preventive actions are those which, upon entering a fire plan/procedure, the licensee expects (without needing further diagnosis) to take to prevent spurious actuations or other fire-related failures so that adequate equipment is protected and safe shutdown can be achieved. Reactive actions constitute those taken by a licensee during a fire in response to an undesired change in plant status and for which there is more of an element of detection of the undesired plant status and a diagnosis as to the correct actions to be taken. Further, there is precedence that repairs not be allowed for achieving hot shutdown.

While the expressed differences were not completely resolved, it was agreed that, in general, the following types of actions were illustrative of the types of actions we were concerned about:

pulling fuses

disconnecting power leads

performing breaker manipulations (e.g., tripping, opening drawers, closing, changing switch positions) related to buses as well as individual loads such as valves, pumps, fans

opening/closing/throttling of valves (e.g., with local switches, governor devices, handwheels)

starting/stopping equipment, such as pumps and fans by either local switches/pushbuttons or breaker control

installing jumpers or temporary power cables

verifying or monitoring plant equipment or parameter status (and taking other actions as may be necessary based on these monitoring activities)

It was not the intent of this panel to define specifically what actions would or would not be allowed per the rulemaking. Therefore, the list above should not be construed as a list of acceptable operator manual actions. Nevertheless, it was agreed that the list was useful to generally define the typical kinds of actions for which time margins were to be considered, and that at least for purposes of the elicitation, both preventive and reactive actions would be addressed.

4

A.2.2.3 What Are the Human Performance Influences That Should Be Accounted for by the Time Margins?

With regard to topic 3, a number of observations were made. First, the rulemaking staff offered the following suggestions for the criteria:

It should perhaps be made clear that the Available Indications criterion includes those indications necessary to detect and diagnose the location of the fire.

It should perhaps be made clear that the Staffing and Training criterion allows both operators and maintenance staff to be involved as long as they are trained to take the desired actions.

It should perhaps be made clear that the Communications criterion not only specifies that the communications systems must be adequate, but also that they must be readily available.

It should perhaps be made clear that the Portable Equipment criterion specifically notes that such equipment includes what would be commonly referred to as tools, such as keys, ladders, flashlights, gloves, and that these should be staged so that their locations are known and constant.

It should perhaps be made clear that the Procedures criterion requires the use of controlled procedures.

It should perhaps be made clear that, when multiple procedures will be required to be used simultaneously during a real fire (e.g., emergency operating procedures [EOPs] and the fire procedures), their simultaneous use will need to be part of the Demonstration of operator manual actions in response to fires.

The staff offered these suggestions because it was clear that, in order to reasonably bound what the time margin was to account for, it was desirable that the other criteria be as specific and encompassing as possible. In this way, the time margin did not have to address potential inadequacies in meeting the other criteria and could focus on just those likely differences between what is expected in a typical demonstration of the actions vs. what might be experienced in a real fire situation (this became the basic premise for the time margin).

With this basic premise for the time margin, the discussion further elaborated upon what the time margin needed to account for. Three possibilities were considered:

(1) The time margin should account for what the licensee is not likely to be able to recreate in the demonstration that could cause further delay (i.e., where the demonstration falls short). Examples include:

Random problems (i.e., not related to the fire) with instruments, indications, or other equipment such as a stiff handwheel or faulty communications device.

5

Environmental and other effects not easily included in the demonstration, such as smoke and toxic gas effects, increased noise levels due to the fire (e.g., alarms), water on the floor, fire hoses in the way, or too many people getting in each others way.

Limitations of the demonstration to account for (or envelop) all possible fire locations where the operator manual actions are needed, resulting in different travel paths and distances to these locations. A similar limitation concerns the location and activities of needed plant personnel at the time the fire starts that could delay their participation in executing the operator manual actions (e.g., they may be on the opposite side of the plant and may need to restore certain equipment before being able to participate).

Inability to execute relevant actions during the demonstration because of normal plant status or safety considerations while at power.

(2) The time margin should account for the fact that fire and related plant conditions can vary (e.g., fast energetic fire failing equipment quickly vs. slow-developing fire with little or no equipment failures for some time, variable fire detector response times and sensitivities, variable air flows affecting the fire and its growth, specific fire initiation location relative to important targets, presence [or not] of temporary transient combustibles, possible communication problems in some fires or in some noisy areas).

(3) The time margin should account for the typical variability in human performance among individuals and among different crews and for the effects of human-centered factors that could become relevant during fire scenarios, such as stress, issues related to human factors and ergonomics (e.g., height at which task is performed), time pressure, and fear of fire. Examples include:

physical size and strength differences

cognitive differences (e.g., memory ability, cognitive style differences)

emotional response to the fire/smoke

response to wearing a self-contained breathing apparatus (SCBA) to accomplish a task (i.e., some people may be very uncomfortable with masks over their faces)

individual sensitivity to real-time pressure

team characteristics 6

Further, it was agreed that these items did need to be part of the time margin for the following reasons:

They address likely shortcomings of the demonstration (e.g., operators may not actually do the demonstration while wearing SCBAs or they may not perform the demonstration with full replication of environmental conditions, such as propagation of water on the floor into the rooms where the actions are to take place as a result of suppression system actuation in the room with the fire). [It was felt such shortcomings could result in potentially significant differences between times for actions during a demonstration and the times during real fires.]

The demonstration can attempt to replicate only a small subset of all possible fires and resulting variability in fire and plant conditions (see examples cited under item 2 above), some of which could be worse than assumed in the demonstrations. [It was felt such variability could result in potentially significant differences between times for actions during a demonstration and the times during real fires.]

It was recognized that some degree of human performance variability is to be expected, some of which could further delay the times to perform the desired actions during real fire situations. [It was felt such variability needed to be estimated and included in any derivation of time margins.]

Beyond this, it was agreed that the illustrative influences provided below, considering the categories mentioned above, were indeed representative of the influences that should be accounted for in the time margin.

wearing SCBAs to complete the actions, which could affect performance in many ways, including the ability to communicate, etc. (use of SCBAs is not explicitly addressed by the rule criteria)

substantial amounts of water on the floor from fighting the fire

visibility problems due to smoke that is worse than assumed by the licensee for the location of a given set of actions

individual differences in the psychological effects of having to perform actions in proximity to a fire (even if the fire is not, in reality, physically threatening)

inability to perform all of the sub-actions related to an action during a demonstration (e.g., the plant was at-power during the demonstration and certain actions could not be completely conducted while maintaining safety)

time pressure (not sensed during demonstrations)

the presence of less experienced staff, even though trained

the need to identify alternate routes to and from the location of the operator manual actions because of the fire and its effects 7

unexplained or unexpected equipment problems, e.g., a stuck handwheel, failures in communication equipment, misplaced tools, loss of lighting, loss of instrumentation

shortcomings in training not revealed during the demonstration

inaccuracies in procedures for certain unique situations not previously identified (i.e., simply not thought of and not detected during the demonstration because the actual process could not be fully conducted)

cases where the fire is larger than expected and less time is available Further, it was agreed that there could potentially be delays in either or both the diagnosis and decision to execute operator manual actions in response to fire as well as in the implementation of the desired manual actions; hence both effects should be considered when deciding on appropriate time margins.

While there was some discussion about how the analyzed time available (T3) could be ascertained when it cannot be precisely known when a spurious or other fire-induced failure might occur, those discussions are not reproduced here since it was agreed that concerns about the appropriateness of T3 (particularly as related to how to measure the time available for preventive actions) were not critical to the specific task before the experts. That is, determining the relevant time margins does not depend on the calculation of T3.7 A.2.2.4 What Empirical Data or Other Expert Knowledge or Experience May Be Relevant to Developing the Time Margins and Their Bases?

Regarding topic 4, literature searches of easily available sources (only a short-time frame was available prior to the first elicitation) were performed in preparation for this meeting to seek any additional information that may be helpful to establish defensible time margins.

Unfortunately, little was found. The following observations are provided to the extent they may be useful, but none of them are directly relevant to how to derive an appropriate time margin.

Actual events, recent inspections, and analytical processes suggest that, in spite of attempts to anticipate actual fire conditions and their effects, and then provide procedures, training, tools, communication devices, etc., so as to be able to perform the necessary or desired actions within expected time periods, the times to actually take the actions are often longer than prejudged estimates. The panel was prepared to discuss examples of this as may be desirable during the meeting. In some cases the difference between the actual time to perform the actions and the estimated time to take the actions has been small.

7 But the time margin is certainly relevant when evaluating whether the operator manual actions satisfy the time line determined by T3.

8

However, in extreme cases as high as a threefold increase has been observed (i.e., it was estimated the actions could be taken within 30 minutes and the somewhat realistic time from a demonstration took nearly 90 minutes) for complex actions such as aligning, starting, and controlling a whole train of an injection system. In NUREG/CR-1278 [Ref. 6], it is noted that judgmental estimates are often low compared with actual times and that a factor of 2 difference should not be unexpected.

The above observations should be moot from our standpoint since the actions and their execution times are supposed to be obtained using the demonstration criteria. That is, the differences between judgmental estimates and times from the demonstration should not be an issue. Nevertheless, the above findings indicate that there may be time-delaying factors that are difficult to foresee, especially when other things can (and often do) go wrong.

Thus, to the extent that the times from the demonstrations are still not entirely representative of all relevant actual fire situations (and demonstrating the actual times may be difficult, if not impossible, to achieve), it should not be surprising that the real times may still be even longer than what is obtained in a demonstration.

It was also observed that with regard to assessing risk significance, NEI-00-01 [Ref. 7]

cites potential types of scenarios that should not be screened out as unimportant during the preliminary screening step of the guidance. Such a scenario includes one involving operator actions where both time is short (less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ) and the estimated time to perform the actions is greater than 50 percent of the available time. While not directly useful to deriving a defensible time margin, this step does seem to recognize that there may be factors that could make the time to perform the actions longer than estimated. The guidance implies that a factor of up to 2 increase is desirable between the estimated time and the available time in order to provide adequate comfort that the actions can easily be performed in the available time.

For the same reasons as cited earlier, this observation was not directly helpful as to how to derive a defensible time margin for action times obtained from a demonstration; however, it did support the idea that there are probably factors that can delay action times.

Thus, a time margin is desirable to ensure that the actions can be reliably implemented.

A.2.2.5 How Will the Elicitation Process Work?

With regard to topic 5, the following process was used as initial expert opinion elicitations were performed on some sample cases:

The facilitators summarized the relevant characteristics for which the time margin was being elicited (particularly, the types of actions and any relevant contexts for which the time margin applies, the relevant influences to be captured by the time margin, other applicable knowledge, experience, data, etc., and the form of the time margin). This was done in a facilitator-led discussion allowing experts to clarify these characteristics as necessary.

Each expert privately estimated an appropriate recommended time margin.

9

The experts time margins were shared among the group and the experts were given the opportunity to provide their rationale for their estimates in a facilitator-led discussion. This identified legitimate considerations that were not accounted for by some experts, and it uncovered considerations that should not have been included by other experts. In either case, the results of the discussion caused some experts to provide a revised estimate.

The experts were given a second (final) opportunity to privately arrive at a revised time margin.

While we strove to reach a consensus on the identified time margins, the final elicited time margins from the experts were recorded and, as feasible, subsequently treated in a statistical manner to arrive at a single recommended time margin. [Following the completion of both expert opinion elicitation sessions, the facilitators decided that a strict statistical analysis could not be warranted based on the limited results.]

Notes were taken during the entire meeting to subsequently and properly document the entire meetings key discussions and decisions.

To support the experts in determining how best to derive their estimates of appropriate time margins, to help them decide what the forms of the time margins should be, and to determine how many different time margins were needed, the experts agreed that it would be helpful to consider a few sample operator manual actions and associated scenarios.

The general goal was to see what could be learned by thinking about specific examples. From trying to determine appropriate time margins for a couple of specific cases, the experts thought they might be able to see trends, improve their understanding of the issues and drawing some general conclusions about time margins. In addition, it was proposed that, by examining specific cases of the types of fire operator manual actions being addressed and by considering the different types of influences thought to be important, the panel would better understand the nature of operator manual actions in response to fire and the ways in which the different influences might affect crew performance.

With these thoughts in mind, and with the remaining time available for the meeting, expert opinion elicitations were conducted on two example cases.

10

A.2.3 Example Elicitation Cases Addressed at the First Meeting Two scenarios and related actions and timing were described to the experts for the example elicitations. One involved a preventive, or event-based, action that would be initiated as soon as the fire was detected, while the other was a reactive, or symptom-based, action that would be diagnosed on the basis of plant symptoms and relevant procedures.

However, the cases were similar in that they both concerned the inappropriate opening of power-operated relief valves (PORVs) as a result of the fire. This is an important issue because the unexpected opening of the PORVs in a PWR can result in a significant loss-of-coolant accident (LOCA).

A.2.3.1 First Scenario/Action Case In the first example scenario, a fire starts in an area that has the potential to cause inappropriate opening of the PORVs. Per the procedure associated with a fire in this area, once the fire is detected and located, a plant equipment operator (PEO) is summoned to the main control room (MCR) if necessary (although PEOs generally report to the MCR when events such as fires occur), provided with the relevant procedure, and directed to travel to the correct cabinet, find the correct terminal block, and pull the appropriate fuses to prevent the PORVs from opening. The PEO was assumed to then need to inform the MCR to provide verification that the PORVs were de-energized.

For purposes of the exercise, it was assumed that, during the plant's demonstration of this fire-related operator manual action (actually a set of sub-actions), likely fires in this area would normally be detected and located within approximately 5 minutes. Since by procedure the presence of the fire indicates the need for the appropriate fuses to be pulled, it was assumed that under most conditions the diagnosis for the need for the actions and the retrieval of the relevant procedures would be made in the same time frame. Thus, T1 was assumed to take about 5 minutes.

With respect to the time to execute the operator manual actions (T2), it was assumed that the demonstration conducted at the plant revealed that a randomly-selected, established crew accomplished the actions within about 4 minutes. That is, the responsible MCR person assigns a PEO and gives him the relevant procedure and instructions (about 1 min.), the PEO travels to the appropriate cabinet (1 min.), identifies and pulls the relevant fuses (1 min.),

and notifies the MCR that the action was completed (1 min.), for a total of 4 minutes. (The experts at the meeting [including a former operator] agreed that this was a reasonable estimate of the time necessary to complete such an action for many plants.) The analyzed time available to complete the action before a problem would occur (T3) was assumed to be approximately 20 minutes.

Given this scenario, it was the experts job to identify and consider the factors that might delay performance of this task under realistic plant fire conditions. Per the guidelines discussed above, it was assumed that all of the operator manual action criteria had been met by the plant.

11

For this initial exercise, the panel members considered the three influence factors from Section A.2.2.3, focusing mainly on the factors that might not be covered adequately during the demonstration (i.e., aspects of the rule criteria that would not be easily addressed during the demonstration and could cause delays if problems arose). However, and especially during their modified responses, the experts also considered variations in plant conditions and human-centered factors in determining their time margins.

Table A-1 displays the increases in the time that were suggested by the experts to account for factors that might not be covered completely by the demonstration, as well as potential variability in plant conditions and fire scenarios and additional human influences.

The suggested time increases cover factors that could reasonably delay the performance of the preventive actions associated with pulling fuses to prevent the PORVs from inadvertently opening due to the fire.

Table A-1. Initial and Revised Additional Times Added to Combined T1 and T2 Panel Increase (Added to Original 9 min.) Factor (Total Time to Original 9 min.)

Member Initial Estimate Revised Estimate Initial Estimate Revised Estimate

1 23 min 10 min 3.5 2.1

2 6 min 10 min 1.7 2.1

3 11 min 12 min 2.2 2.3

4 6.5 min 9 min 1.7 2

5 30 min 18 min 4.3 3

6 1 min 10 min 1.1 2.1 A review of Table A-1 reveals a significant amount of variability in initial estimates of the amount of time that should be added to T1 and T2 to account for uncovered influences.

After the panel members had the opportunity to discuss their results and share their reasoning with one another, much closer agreement was reached and, for the most part, the expert panel was converging on a factor of approximately 2 as an acceptable time margin for this case. That is, if the licensee assumed that the time to pull the fuses to prevent the opening of the PORVs might be twice as long as was obtained in the demonstration and still fall within T3, then it would be appropriate to credit the action. In this case, since T3 was assumed to be 20 minutes, and increasing the original time from the demonstration of 9 minutes by a factor of two results in a total of 18 minutes, then the time margin criterion would be met.

However, it should be remembered that, as discussed at the end of Section A.2.2.5, the goal of the exercise was to see what could be learned by thinking about specific example cases. It was hoped that the exercise would support the experts determination of how best to derive their estimates of appropriate time margins, to help them decide what the forms of the time margins should be, to familiarize them with the different types of influences thought to be important and how to consider their effects, and to determine how many different time margins might be needed.

12

A.2.3.2 Second Scenario/Action Case The second scenario and action case examined at the meeting essentially served the same purpose as the first. That is, the goal was to continue to familiarize the panel members with the process and the factors to be considered to identify reasonable time margins for operator manual actions in response to fire.

For the second example (as with the first), the scenario involved a fire that starts in an area with the potential to lead to inappropriate opening of the PORVs. However, in this case, it was assumed that the licensee relies on a reactive process to deal with the potential opening of the PORVs. That is, the crew waits until there are some indications that the PORVs have opened, and then they send personnel out to pull the fuses to allow the PORVs to close (as a backup to the likely attempted closure of the PORV block valves).

For purposes of the exercise, it was once again assumed that it would take approximately 5 minutes to detect and locate the fire. In addition, it was assumed that another 2 minutes would pass before the fire caused the PORVs to open. Once the PORVs opened, it was assumed that the plant was able to show in the demonstration that diagnosis of the presence of the opened PORVs and contacting personnel to perform the needed actions could be done in about 1.5 minutes. Moreover, as in the preventive case, 3 minutes were assumed to travel to the cabinet, pull the fuses, and verify completion of the task with the MCR. Thus, in this case it was assumed that 4.5 minutes would be necessary to diagnose the need for the actions and to complete them, such that T1 + T2 = 4.5 minutes for the reactive case.

A difference between the reactive case and the preventive case is that the detection and location of the fire is not part of the assessment of the time margin.8 Since the time between the start of the fire and the opening of the PORVs can be quite variable, the plant will be concerned with ensuring that, regardless of when the PORVs open, the PORVs will be closed in time to prevent any serious damage. Thus, the analyzed time available (T3) is the worst-case time between the opening of the PORVs and the point at which serious damage would occur.

The only time that the activities associated with detecting and locating the fire would be relevant in the reactive case would be when the PORVs opened within the first 5 minutes after the fire starts. However, for this example it was assumed that the PORVs did not open until 2 minutes after the fire was located and detected. Thus, the panel focused on how much time they would need to add to the 4.5 minutes of T1 and T2 in order to account for the three influence factors discussed in Section A.2.2.3.

8 Note that not all the panelists dismissed this time as irrelevant and included time margins in their overall assessment to account for influences that could arise during this specific interval.

13

However, two caveats are relevant to this second example exercise. First, only a short period of time was available at the end of the second day of the elicitation session to perform the exercise, compelling the expert panel members to rush their judgments somewhat.

Furthermore, based on discussions with the panel members, at least some did not agree that, for the case we were addressing, the activities occurring before the PORVs opened would not be relevant to the crews performance in diagnosing the open PORVs and ensuring their closure by pulling the fuses. Thus, some panel members included adjustments to the fire location and detection phase and added that to their time adjustments, while others did not.

Due to the limited time available for this example exercise, it was not possible in all cases to separate these extra time additions from the panels estimates. In addition, there was not time for the panel to revise their initial estimates.

Table A-2 displays the increases in the time that were suggested by the experts to account for factors that might not be covered completely by the demonstration, as well as potential variability in plant conditions and fire scenarios, and additional human influences.

The suggested time increases cover factors that could reasonably delay the performance of the reactive actions associated with pulling fuses to allow the PORVs to go closed before serious damage occurs.

Table A-2. Initial Time Added for Diagnosing the Need and Successfully Closing Open PORVs Panel Increase (Added to Original 4.5 min.) Factor (Total Time to Original 4.5 min.)

Member

19 13 min 2.1

2 7.5 min 2.7

3 7.5 min 2.7

4 7.5 min 2.7

5 25 min 6.6

6 8.5 min 2.9 Despite some potential confounds with this example as discussed earlier in this section, it is worth noting that several experts were fairly close in their estimates.

Based on the discussions with the expert panel members and the results above, it was considered possible that the time margin for reactive operator manual actions could be higher than for preventive actions.

9 Panelist 1 added time for fire detection and location as well as to diagnosis of the open PORVs.

Thus, the 13 additional minutes were compared relative to a total original time of 11.5 minutes rather than 4.5 minutes.

14

A.2.4 Conclusion from First Meeting As a result of the meeting, considerable insight was gained into reasons why it may be necessary to add a time margin to licensee demonstration times and how large that time margin may need to be. At the end of the meeting, it was agreed that an additional elicitation meeting was necessary to pursue other representative examples of scenarios and actions to further learn what time margins would be appropriate for local operator manual actions in response to fire.

A.3 Second Expert Elicitation Meeting The same panel of six experts (described in Section A.2.1) participated in the second expert opinion elicitation session held at the NRC in Rockville, Maryland, on May 4 and 5, 2004. Approximately two weeks prior to the second meeting, each expert was provided with a summary of the first meeting and given the opportunity to review the report, verify its contents (in particular the results of the example expert opinion elicitations), and make recommendations for changes. All panel members concurred with the summarized results of the first meeting as presented. In addition, a few days prior to the second meeting, an agenda for the second meeting was sent to the expert panel. The agenda noted the general steps planned for the meeting, reviewed important results from the first meeting, discussed the goals of the second meeting, outlined outstanding issues related to the time margins still to be addressed, and provided initial discussions of two possible examples for the second meeting.

A.3.1 Summary of Topics Discussed During the Second Meeting In the first meeting, two general types of local operator manual actions in response to fire were addressed and issues associated with the two types were discussed. The two types were preventive (event-based) and reactive (symptom-based) actions. Because some panel members and the facilitators had given additional thought to these types of actions since the last meeting, it was decided that the second meeting would begin by returning to a discussion of these types of actions.

A.3.1.1 Preventive Actions It was repeated that for the preventive actions, it is generally assumed that once the fire has been detected and located, per procedure, the MCR crew directs someone to execute a number of actions that will prevent fire-related damage to equipment to ensure its availability to achieve its function during the fire scenario. Also by procedure, the only criterion for initiating these actions is the presence of the fire itself (event-based). However, in reality it is possible that crews may delay initiation of the actions for some period just to make sure that the fire is significant enough to initiate the actions. Moreover, it may take time for the appropriate crew member to retrieve the relevant procedures and assign plant personnel to complete the actions, etc.

15

During the second meeting some additional points were discussed about the preventive actions relevant to crediting them under the operator manual action rule. First, it was noted that there are no guarantees that all preventive actions can be completed before the relevant equipment might be affected by the fire. There are many different kinds of fires in terms of initial size, growth rate, etc., and they can start in different locations within a room.

Thus, while in many cases it may be relatively unlikely that a fire would spuriously affect equipment before the equipment could be protected by the operator manual actions, it is probably impossible to say that given actions can always be completed prior to the relevant equipment being affected by the fire. This being the case, it was argued that to take credit for such actions, licensees would need to assume that they may have to perform reactive actions to restore the equipment to its functional state.

While panel members noted that plant procedures for preventive actions generally include steps to verify that the actions were successful, and if not, to take actions to ensure the equipment is placed in the appropriate state, they also noted that when demonstrating the feasibility of the actions as required by the rule and measuring the time it takes to complete the actions, these potential additional steps should be included. In other words, all preventive actions have the potential to involve reactive actions to ensure the availability of the equipment and, therefore, those additional steps should be included in demonstrating the actions and measuring the time to complete the action. The panel pointed out that while the resulting time estimates to complete the actions may be conservative for the cases where the preventive actions are successful, if such aspects are included in the plant demonstration, then they should not have to be accounted for in the time margin.

The latter point became a critical aspect of the second expert elicitation meeting.

The panel members argued that to be able to develop a reasonable time margin for operator manual actions in response to fire, the demonstrations of the actions should cover as many potential influences on performance as possible. Furthermore, the most reasonably conservative cases for the various conditions that could influence the ability of crews to complete the actions should be incorporated into the demonstration. In this way, the more extreme and less frequent variations in performance may be accounted for in the identified time margins, thereby making their development simpler and easier to justify.

16

It was argued that the appropriate range of conditions to be included in the plant demonstrations should be described in the operator manual action regulatory guide.

The result would be that the applicability of the time margins identified from this exercise would be contingent on licensees demonstrating the actions as specified in this regulatory guide. Aspects to be included in the demonstration are discussed in Section A.3.1.4.

A final aspect about preventive actions discussed by the panel concerned how to measure the time to complete the actions (T3). If there are at least some fire events that could affect important equipment before the preventive actions could be completed, then the time available to complete the actions (before serious equipment damage could occur and affect safe shutdown) should be measured from the earliest point at which the relevant equipment could be affected. Thus, if it is at all reasonable, licensees should assume that the fire could start exactly in the area where the equipment of concern would be affected at the earliest possible time. This may result in less time being available for preventive actions than might normally be assumed, which should be considered when licensees develop their time lines for operator manual actions in response to fires.

17

A.3.1.2 Reactive Actions For the reactive actions, operators do not initiate the actions until they have detected and diagnosed that the relevant equipment has been affected by the fire and that it may be needed for safe shutdown. That is, they do not initiate the actions until the procedure, given the relevant indications, calls for the reactive actions (i.e., symptom-based actions). However, the panel noted that the symptoms indicating that the equipment has been affected could occur very early in the scenario when the crew is still in the process of detecting and locating the fire, entering initial EOPs, and possibly entering abnormal procedures. Alternatively, the symptoms could occur later in the scenario after the crew has been responding to the situation for a while and fire-specific procedures have been initiated. It was argued that, since the effect on the equipment could occur very early (e.g., as a result of an explosive switchgear fire), potential delays due to initial competing activities should be considered in determining the time margins. However, the panel was unable to conclude that the activities occurring during early stages of a fire scenario would necessarily be any more demanding that those occurring somewhat later in a scenario. It would seem that the demands of a given scenario across time would be plant- and scenario-specific; thus, this would be a factor that should be addressed by each plant for reactive actions, and the most reasonably conservative case with respect to potentially competing tasks should be modeled in the plant demonstration. If this is done, then any developed time margins would not have to take such effects into account.

The panel acknowledged that crews may find themselves dealing with dueling procedures at any point in a fire scenario and that the effects of possibly being in multiple procedures should be modeled to the extent possible during the demonstration of operator manual actions in response to fire.

Regarding the time available to complete reactive actions, T3 would be determined by how much time would be available to restore the critical equipment after the fire effects had occurred in the context of the accident scenario.10 Licensees should assess the worst case for when the effects could occur and calculate the time available on that basis. In many instances, it would seem that fire damage occurring as early as possible in the scenario would be the most serious (due to more time to build up to the expected high heat levels), but there may be some scenarios where this would not be the case. Again, licensees should consider such aspects in developing their time lines for the actions.

10 However, time zero would still be measured at initial fire detection, such that a licensee with symptom-based procedures would not necessarily have as much time to take actions as one with event-based procedures, due to the time delay between fire detection and initiation of operator manual actions.

18

A.3.1.3 Other Types of Actions Two other general categories of actions were considered by the panel. They included simple vs. complex actions and short-term vs. long-term actions. With respect to the latter, it was argued that essentially all local operator manual actions in response to fire would be relevant only in the short-term case (i.e., within the first hour of the scenario). Thus, it was decided that this distinction would not be relevant for developing the time margin.

However, over the 1.5 days of the meeting, the simple vs. complex distinction was discussed on several occasions. The issue was whether separate time margins would be needed for simple actions, such pulling a fuse, vs. more complex actions, such as multiple-task actions that involve coordination and communication among plant personnel. After examining the potential ways in which complexity might vary, it was decided that the nature of the specific actions being carried out by plant personnel would not vary significantly. That is, the actions being conducted by individuals would be of the general types of actions on which plant personnel are trained and perform routinely as part of their jobs. Thus, the complexity would more likely come from the coordination and communication associated with some activities and the associated time aspects.

The panel eventually concluded that, since both simple and complex actions would have to meet the same criteria in the rule, and because time differences between tasks could be accounted for by using a common multiplier (e.g., a factor of 2 as a time margin multiplier on the demonstration) across all tasks, separate time margins as function of complexity would not be needed. In fact, the panel eventually concluded that, as long as all the rule criteria were met, the operator manual action demonstrations were performed appropriately (as described in this regulatory guide), and the time available for the various tasks was calculated appropriately, then a single time margin could be adopted. The single time margin would cover all the remaining influences unaccounted for by the demonstration and could be applied generally to all types of operator manual actions in response to fire, including preventive and reactive actions. The influences on performance to be covered by the time margin and those to be covered by the demonstration are discussed below.

A.3.1.4 Influences on Performance Based on the results of the first meeting, the three influence factors listed in Section A.2.2.3 were again assumed to be relevant to identifying an appropriate time margin. That is, it was thought that there were three factors that could lead to variations in the performance of the operator manual actions that would not generally be accounted for by meeting the rule criteria. Thus, it would be necessary to account for such influences in the time margin.

After further consideration of these sets of influences during the second meeting, the panel agreed that many of the aspects of the influence factors could be covered by assuming worst-case scenarios in both the conditions associated with a plants demonstration of actions and in their calculation of how much time would be available to complete actions before serious equipment damage would occur and affect safe shutdown.

As discussed above, such conservatism would limit the number of influence aspects that would have to be covered by the time margin.

19

The panel ultimately agreed that influence factor 2 (variability in fire and related plant conditions) should be addressed in the licensees calculation of the time available for actions (T3). Licensees should assume the worst-case reasonable variations in fire characteristics and plant conditions that could affect the time available to complete actions in that calculation.

In addition, the panel agreed that some aspects of influence factor 1 (where the demonstration falls short) could be adequately addressed by making certain assumptions or simulating certain conditions during the demonstration. The demonstration should address the following aspects (among others):

If it is reasonably likely that operators will wear SCBAs to complete actions, then they should wear them during the demonstration. Furthermore, if communication is necessary between operators under conditions where they would wear SCBAs, then the communication should be achieved while wearing the SCBAs.

If normal plant noise levels could affect communication in some areas, the demonstrations should be conducted under those conditions.

If smoke could significantly affect visibility, then actions should not be credited.

If it is possible that needed operator manual actions will involve plant personnel (e.g., plant equipment operators) being summoned from other locations in the plant to obtain instructions and relevant procedures and proceed to the area of the actions, then the worst-case reasonable time for them to travel to the various locations, which may include traveling to the MCR, should be included in the time to execute the actions. In other words, in conducting the demonstration, necessary personnel should be located as far away as reasonable at the start of the simulation. In addition, the potential for such personnel to have to complete what they were doing before responding should also be considered in the demonstration and, therefore, in the time to complete the actions.

If the fire or other factors could affect where personnel have to travel (e.g., what routes they have to take) and where they have to enter various rooms, then the worst-case reasonable effects should be modeled in the demonstration.

If multiple actions (or multiple sets of actions) will have to be performed and coordinated and potential interference could occur, then all should be simulated in the demonstration.

The main point is that licensees should carefully analyze the potential context for given operator manual actions in response to fire and strive to model the worst-case, reasonable scenarios in their demonstrations. That is, they should do a good job of setting up their demonstrations to avoid being overly optimistic. For example, they should not select their most recently trained crew and then allow them to prepare for the demonstration (i.e., no pre-conditioning). Inspectors will be looking for licensee failures to simulate reasonable influences and conditions that might delay performance in the plant demonstrations.

20

A.3.1.5 Impact of Human Errors Another topic of discussion concerned the impact of potential human errors in performing operator manual actions and the associated recovery actions. It was pointed out that, while the main goal of developing a time margin for local operator manual actions in response to fire was to cover the range of influences that could delay performance of the various actions, it is also possible that personnel could make errors in performing the actions. Although the probabilities of such errors may be relatively low, when they do occur, operators should identify that an error has occurred and recover from the failure. Since verification is required for the operator manual actions (the rule requires that there be reliable indications available that actions have been completed), then it is reasonable to expect that the existence of any incorrectly performed actions or omissions to be detected. However, since it is probably not realistic to assume that licensees will model such recoveries in their demonstrations, the panel agreed that there should be at least some time built into the time margin to cover recovery actions (even if the likelihood of such errors occurring and not being caught immediately would be relatively low).

A.3.2 Determination of Time Margin In order to determine an acceptable time margin, as in the first meeting, the panel thought that the process of stepping through reasonable examples of local operator manual actions in response to fire for estimating time margins was a useful exercise. By examining the various actions in some detail and thinking about how much delay could occur due to specific influences, it was thought that a good sense of what a reasonable time margin would be obtained.

For this exercise in the second meeting, a somewhat more complex example of a preventive action (set of sub-actions) was addressed. This scenario was the third addressed across the two expert opinion elicitation meetings.

21

A.3.2.1 Third Scenario/Action Case In this scenario, a fire starts in an area that has the potential to lead to inappropriate alignment or otherwise failure of the component cooling water (CCW) system. Per the procedure associated with a fire in this area, once the fire is detected and located, and in order to prevent CCW failure (the fire can supposedly affect all the equipment in Division A [Div-A] CCW, which is supposed to keep running, and the fire can potentially affect the Division B [Div-B] CCW valves, but not the Div-B pump, which does not start unless the Div-A train malfunctions), two PEOs are summoned to the MCR if necessary (PEOs generally report to the MCR when events such as fires occur). They are provided with the relevant fire procedure and are directed to travel to two locations; PEO 1 goes to the East Switchgear Room (ESWGR) and PEO 2 travels to the Div-B CCW room (the division to be protected). These rooms should not be affected by smoke from the fire, but the Div-B CCW room could, in a real fire, have a little water on the floor from nearby sprinkler operation if drains become partially plugged and some overflow occurs (this cannot be part of the demonstration).

Upon reaching their respective locations, PEO 1 is to communicate via radio with the MCR supervisor. The MCR staff then manually starts the Div-B CCW train and, after ensuring it is operating properly, the MCR staff shuts down the Div-A CCW train and pulls-to-lock the Div-A CCW pump. To protect the continued operability of the Div-B CCW train, PEO 1 is to pull three of many specifically-labeled breakers (two breakers in one electrical cabinet at one end of the ESWGR and one breaker in a different cabinet at the other end of the ESWGR) that remove power from three Div-B CCW valves so they will stay in the proper position. PEO 1 is then to confirm with the MCR supervisor (via radio) that this is done and that Div-B CCW is continuing to adequately handle heat removal from the various loads. The MCR then informs PEO 2 (who has been listening in on his radio from the Div-B CCW room) that the Div-B CCW train is operating and that the manual crosstie valve between the CCW trains needs to be closed. PEO 2 then closes the manual crosstie valve in the Div-B CCW room and contacts the MCR and PEO 1 to confirm closure of the valve.

In the meanwhile, PEO 1 moves to the West Switchgear Room (WSWGR) and pulls the Div-A CCW pump breaker to ensure the pump cannot spuriously operate. PEO 1 then informs the MCR supervisor that the alignment is complete. The MCR supervisor verifies the alignment of the system via indicator lights, flows, and temperature indications and then releases the PEOs so they can attend to other matters.

Steps of the actions and times from the demonstration (or assumed times) are as follows:

Step 1. For purposes of the exercise, it was assumed that, during the plant's demonstration of this fire and the operator manual actions, it was simulated that likely fires in this area would normally be detected and located within approximately 5 minutes.

Step 2. Three additional minutes are expended for the PEOs to have reached the MCR and obtained the procedure and directions for the CCW manipulations (so now 8 total minutes have passed).

22

Step 3. PEO 1 and PEO 2 reach their locations (travel time) and call in on the radios to ensure communication with each other and the MCR:

4 minutes (so total time is now 12 min).

Step 4. MCR staff starts Div-B CCW train, shuts down Div-A CCW train, pulls-to-lock the CCW A pump, and tells PEO 1 it is OK to pull breakers: 1 minute (so total time is now 13 min).

Step 5. PEO 1 pulls the breakers in the ESWGR and communicates with the MCR who ensure continued operation, and the MCR then informs it is OK to close the manual CCW valve: 3 min (so the total time is now 16 min).

Step 6. PEO 2 closes the manual valve and informs the MCR and PEO 2 of its closure: 4 min (so the total time is now 20 min)

Step 7. PEO 1 travels to the WSWGR, opens pump breaker, and communicates to MCR that this act is complete: 3 min (so the total time is now 23 min).

Step 8. MCR verifies all is OK and communicates to PEOs that they are released:

1 min (so the total time is now 24 min).

Table A-3 summarizes the expert panels judgments for this scenario. In particular, the table shows the various steps of the actions being addressed, the time (assumed) for the actions obtained during the demonstration, and each panel members judgment regarding what the total time for each step would be after adding time to account for various influence factors. Note that, at this point during the meeting, firm conclusions had not yet been reached regarding which factors should be addressed by licensees during the demonstration in calculating available time, as opposed to what should be included in the time margin. In fact, much of that information came out of discussions held during and after the scenario exercise. Which of the three general influences from Section A.2.2.3 that the panel considered potentially relevant for each step of the action is noted in the table?

Table A-3. Total Time for Each Step of the Action for the Third Scenario, by Panel Member (Base Time Plus Time Added for Influence Factors)

Step Relevant Influence Panel Members Total Times for Each Step (min.)

and (Base Time) Factors #1 #2 #3 #4 #5 #6 1 - (5 min.) #3 5 5 5 5 5 5 2 - (3 min.) All 4 5 4 4 3 3 3 - (4 min.) All 6 4 6 6 7 5 4 - (1 min.) #1, #3 1.5 1 2 2 2 1.5 5 - (3 min.) All 5 5 5 6 5 4.5 6 - (4 min.) All 7 5 8 14 7 5 7 - (3 min.) All 5 3 3 7 3 3 8 - (1 min.) All 1.5 2 1 2 3 1 Total (24 min.) 35 30 34 46 33 28 23

Each panel member considered how he or she thought the different influence factors might lead to increases in the time to complete each step of the action. A review of the table indicates that the total increases range from a factor of 1.25 to about 2, with an average of about 1.5, or an increase of 50 percent in the time. After the panel members had discussed the reasons for their additions, many thought that a factor of 1.5 to 2 might be a reasonable time margin for operator manual actions. However, they also recalled that, in working through the earlier examples, some panel members had identified greater relative time increases and had been considering significantly larger time margins.

A.3.2.2 Fourth Scenario/Action Case By the time the fourth scenario was addressed, several discussions had taken place and the panel had agreed that influence factor 2 associated with fire characteristics and plant conditions should be addressed by licensees in determining the time available to complete the actions (as discussed in Section A.2.2.3). Similarly, they had identified several important factors that might lead to significant variation in performance that should also be addressed by licensees in conducting the demonstrations and noted that this should be made clear.

Thus, in the final exercise, there were two major goals. One was to assess actions assuming the plant had performed a proper demonstration. The second was to address a preventive action that included the situation in which the equipment was affected by the fire before the preventive measures were completed, requiring the operators to perform the relevant reactive actions. The idea was that by addressing a hybrid, they would have the opportunity to assess a range of potential influences under conditions different from those considered before.

The example used was similar to that used for the third scenario, except that in this case, in addition to PEO 1 having to pull the breakers for the Div-B CCW valves in the ESWGR and communicating with the MCR and PEO 2, PEO 1 will have to travel to the relevant room and verify and check on the valve positions of the Div-B CCW valves and readjust as necessary. In this case, it is assumed that the Div-B CCW system has been affected by the fire and the operators enter a more reactive mode. For the exercise, it was assumed that three alignment valves in Div-B CCW have spuriously closed. PEO 1 will need to reopen the valves and take the steps necessary to restore flow.

The steps considered in the elicitation were the same as before (Section A.3.2.1) with the following exceptions:

Step 5. Normally, PEO 1 pulls the breakers in the ESWGR and communicates with the MCR crew, who ensure continued operation, and the MCR then informs PEO 2 that it is OK to close the manual CCW valve: 3 min (so the total time is normally 16 min). However, now PEO 1 discovers that three of the valves have spuriously closed and need to be repositioned. PEO 1 needs to reopen the valves, restore flow to the Div-B CCW system, and inform the MCR: 12 minutes added (so now the total is 28 minutes).

Step 7. Deleted (small effect; limited time remaining to panelists).

24

Step 8. Deleted (small effect; limited time remaining to panelists).

For this exercise the scenario was ended after Step 6, so the total time was 32 minutes (previous 24 total minutes plus additional 12 minutes from Step 5 minus 4 minutes from Steps 7 and 8).

For this final exercise, the expert elicitation was done in a manner slightly different from the other examples. This was partially attributable to the limited time remaining on the second day; it was viewed as an approximate but expedited way to combine both the initial and revised estimation steps. In this case, each member decided how much time he or she thought needed to be added to each step of the operator manual action based on the influences, and the panel discussed the basis for the selected times among themselves.

Finally, each member settled on a value he or she thought was reasonable and the facilitators documented the range of values proposed by the panel. In cases where several panel members were in agreement about the values, the mode (most repeated value) was also identified.

Table A-4 presents the results of the final elicitation, displaying the times added by panel members from considering influence factors that could not be covered in the demonstration (influence factor 1 in Section A.2.2.3) and the times added by considering human-centered influences (influence factor 3 in Section A.2.2.3). As noted above, aspects associated with fire characteristics and plant conditions (influence factor 2 in Section A.2.2.3) were assumed to be addressed by the plant and were not covered in the example.

25

Table A-4. Time Added to Each Step of the Manual Action for the Fourth Scenario (Hybrid Case of a Preventive and a Reactive Action)

Influence Factor 1 Influence Factor 3 Step and (Base Time)

(Demonstration Shortfalls) (Human-Centered Factors) 1 - Fire detected and verified No time added No time added (5 min.)

1 min. (panel agrees) - minor 2 - PEOs to MCR (3 min.) 0.5-1.5 min.

smoke, obstacles, etc.

3 - PEOs to remote locations 1-2 min. - minor smoke, 0.5-2 min.

(4 min.) communications delays 4 - MCR starts CCW B train 0.2-1 min. - MCR activities (fire 0-0.5 min.

and stops the A train (1 min.) distractions) 5 - PEO 1 initially pulls 0-0.5 min. 1-3 min (mode = 1.5 min.)

breakers (3 min.)

5a - PEOs 1 and 2 determine that three valves on Div-B CCW have already spuriously 2-6 min. 2-3 min. (mode = 3 min.)

closed. Re-open valves and restore system (12 min.)

6 - PEO 2 closes cross-tie 2-4 min. (assumed water 1-3 min. (mode = 2 min.)

(4 min.) on the floor, etc.)

Total (32 min.) Total of 6.2-14.5 min. added Total of 5-13 min. added When the total time added for the two influences categories are combined, the range of times to be added to cover their impact is 11.2-27.5 min. When these times are added to the base times (in the first column), the range is 43-60 minutes, which once again would represent an increase in the base time of roughly 50-100 percent.

A.4 Identification of Time Margin and Conclusion Based on their reviews of the influence factors, the results of the example elicitations, and the need to allow some time for potential recovery actions, the panel members agreed that a time margin factor of at least 2 would allow for a high confidence of a low probability of failure for local operator manual actions in response to fire. The implication is that, as long as licensees meet the rule criteria for the actions, they perform sound demonstrations of the actions at the plant (as described in this regulatory guide), perform reasonable calculations of the time available for the various actions (guidance for which is discussed in this regulatory guide), and can show that the time available is at least 100 percent greater than the time obtained in the demonstration, then local operator manual actions in response to fire can be credited.

26

A.5 References

1. J.A. Forester and A.M. Kolaczkowski, Summary of Expert Opinion Elicitation on Determining Acceptable Time Margins for Local Operator Manual Actions in Response to Fire: Results of Initial Meeting Held April 1 and 2, 2004, and Final Meeting Held May 4 and 5, 2004, Sandia National Laboratories, June 2, 2004.

2. American National Standard Time Response Design Criteria for Safety-Related Operator Actions, ANSI/ANS Standard 58.8-1994, American Nuclear Society, La Grange Park, Illinois.

3. D.A. Seaver and W.G. Stillwell, Procedures for Using Expert Judgment To Estimate Human Error Probabilities in Nuclear Power Plants, Washington, DC, NUREG/CR-2743, U.S. Nuclear Regulatory Commission, 1983.

4. M.K. Comer, D.A. Seaver, W.G. Stillwell, and C.D. Gaddy, Generating Human Reliability Estimates Using Expert Judgment, Washington, DC, NUREG/CR-3688, Volumes. 1 and 2, U.S. Nuclear Regulatory Commission, Washington, DC, 1984.

5. R.J. Budnitz, G.M. Apostolakis, D.M. Boore, L.S. Cluff, K.J. Coppersmith, C.A. Cornell, and P.A. Morris, Recommendations for Probabilistic Seismic Hazard Analysis:

Guidance on Uncertainty and Use of Experts, Washington, DC, NUREG/CR-6372, U.S.

Nuclear Regulatory Commission, 1997.

6. A.D. Swain and H.E. Guttman, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications Final Report, Washington, DC, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, 1983.

7. Nuclear Energy Institute, Guidance for Post-Fire Safe Shutdown Analysis, Washington, DC, NEI 00-01, Revision 0, May 2003.

27

SECY-04-0233, Atch3 - Draft Regulatory Guide 1136, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire: Difference between revisions

Latest revision as of 13:28, 15 March 2020

Contents

Text

Contact:

Background

SUMMARY

Navigation menu

SECY-04-0233, Atch3 - Draft Regulatory Guide 1136, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire: Difference between revisions

Latest revision as of 13:28, 15 March 2020

Text

Contact:

Background

SUMMARY

Navigation menu

Search