ML003716454

Response to Letter of 01/14/1997, Concerning U.S. Nuclear Regulatory Commission (NRC) Information Notice (IN) 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, February 28, 1992
Person / Time
Issue date: 03/11/1997
From: Collins S J
Office of Nuclear Reactor Regulation
To: Beedle R E
Nuclear Energy Institute
References
IN-92-018


Text

ATTACHMENT 1

March 11, 1997

Mr. Ralph E. Beedle
Senior Vice President and Chief Nuclear Officer
Nuclear Energy Institute
1776 I Street, NW, Suite 400
Washington, DC 20006-3708

Dear Mr. Beedle:

I am responding to your letter of January 14, 1997, concerning U.S. Nuclear Regulatory Commission (NRC) Information Notice (IN) 92-18, "Potential For Loss of Remote Shutdown Capability During a Control Room Fire," February 28, 1992. As you are aware, IN 92-18 addressed conditions, found and reported by several licensees, that could have resulted in the loss of capability to achieve and maintain safe shutdown conditions in the event of a control room fire. Specifically, the circuit logic associated with certain motor-operated valves, when subjected to a single fire-induced hot short, could have resulted in a spurious permissive signal. The spurious signal could have caused the valve to operate, bypassing the protective features, and resulting in mechanical valve damage. Such fire-induced damage could have impaired the capability to shut down the plant and maintain it in a safe shutdown condition.

During a public meeting on February 7, 1997, the NRC staff discussed with you and other representatives of the Nuclear Energy Institute (NEI) the questions and issues raised in your letter. During the meeting, the staff indicated that it agreed with your position that information notices should not be used to impose new requirements on licensees or to dispense new staff positions or guidance.

The staff presented its positions regarding fire-induced hot shorts and spurious signals and its position that the safety issue addressed in IN 92-18 (the potential for fire-induced hot shorts to impair the capability to achieve and maintain safe shutdown) is within the scope of the existing fire protection regulation.

The staff also explained how the regulation and published staff positions and guidance support this position and why its review and inspection of the technical and safety issues addressed in IN 92-18 does not constitute a plant-specific backfit. During the meeting, the staff stated that it also agreed with your position that enforcement actions should not be taken against a licensee for failure to comply with information notices. Although specific enforcement actions were not discussed during the meeting, the staff acknowledged that it had recently issued notices of violation to several licensees in response to findings of post-fire safe shutdown deficiencies involving hot shorts. In each case, the enforcement actions were dependent on the circumstances of the case and were taken against a licensee for failure to comply with the applicable regulatory requirements, consistent with established regulatory positions, and not for failure to comply with an information notice. The staff treated your concerns in accordance with its procedures for managing backfits.

After considering the information you submitted in your letter, the discussions with NEI and licensee representatives during the meeting of February 7, 1997, and re-evaluating the fire protection regulation and applicable staff positions and guidance, the staff concluded that its position (that the technical issue addressed in IN 92-18 is within the scope of the existing fire protection regulation) is justified.

On this basis, the staff has also concluded that its continued review and inspection of fire protection issues, including such technical and safety issues as those addressed in IN 92-18, is appropriate.

In addition, the staff is considering the need to take further action to ensure that licensees understand and comply with the applicable regulatory requirements.

With respect to enforcement actions, the staff will continue to enforce the Commission's requirements in accordance with the guidance of NUREG-1600, "General Statement of Policy and Procedures for NRC Enforcement Actions," and the "NRC Enforcement Manual." As you are aware, licensees that question enforcement actions may contest them in accordance with the procedures in 10 CFR Part 2, Subpart B. Furthermore, licensees that believe a staff position is a backfit with regard to its facilities may raise such claim in accordance with established NRC policies and procedures.

This includes submitting the claim in writing to either the Director of NRR or the Regional Administrator supervising the NRC employee who issued the staff position in question, with a copy to the NRC Executive Director for Operations.

The staff's response to the technical issues you raised in your letter is enclosed.

Because you alleged in your letter that the staff was inappropriately backfitting new positions or interpretations regarding fire-induced hot shorts and spurious signals, I have referred your letter to the NRC Office of the Inspector General. If you have questions about the staff positions or IN 92-18, please have your staff contact the NRC point of contact for fire protection matters, Steven West, Chief, Fire Protection Engineering Section. Mr. West can be reached at 301-415-1220.

If you disagree with the NRC staff positions, or you wish to further your backfitting claim, you can appeal to the NRC Executive Director for Operations.

Sincerely,

Original signed by S. J. Collins

Samuel J. Collins, Director
Office of Nuclear Reactor Regulation

Enclosure: As stated

ENCLOSURE

ASSESSMENT OF NEI CONCERNS REGARDING NRC INFORMATION NOTICE 92-18 "POTENTIAL FOR LOSS OF REMOTE SHUTDOWN CAPABILITY DURING A CONTROL ROOM FIRE"

1. BACKGROUND

On February 28, 1992, the U.S. Nuclear Regulatory Commission (NRC) issued Information Notice (IN) 92-18, "Potential for Loss of Remote Shutdown Capability During a Control Room Fire." The IN addressed the potential for a control room fire to cause electrical short circuits between normally energized conductors and conductors associated with the control circuitry of motor-operated valves (MOVs) required to achieve and maintain post-fire safe shutdown conditions.

Such an event could cause certain valves to spuriously actuate. In addition, because of the location of the circuit fault, the MOV torque and limit switches would be ineffective to stop valve operation.

Moreover, because thermal overload protection had been bypassed at some facilities, the potential existed for fire-induced spurious valve actuations to result in sufficient mechanical damage to prevent the reactor operators from manually operating the affected valves. This could result in a loss of capability to achieve or maintain safe shutdown conditions.

2. APPLICABLE REGULATORY REQUIREMENTS AND GUIDANCE

Title 10 of the Code of Federal Regulations, Part 50, Appendix R, Section III.G, "Fire protection of safe shutdown capability," paragraph 1.a, requires that "one train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) be free of fire damage." In addition, Section III.G, paragraph 2, requires that "where cables or equipment, including associated non-safety circuits that could prevent operation or cause maloperation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area," a means be provided for ensuring one train of the redundant safe shutdown trains will be free of fire damage.[3]

For those plants licensed after January 1, 1979, the applicable regulatory requirement is 10 CFR Part 50, Appendix A, Criterion 3, "Fire protection." Position C.5.b of NUREG-0800, Standard Review Plan 9.5.1 (SRP 9.5.1), "Fire Protection Program," Revision 3, dated July 1981, was used by the staff as review guidance. This guidance is the same as that specified by the technical requirements of Appendix R, Section III.G.

In Generic Letter (GL) 86-10, "Implementation of Fire Protection Requirements," dated April 24, 1986, the staff interpreted the term "free of fire damage." In Enclosure 1, "Interpretations of Appendix R," Interpretation 3, "Fire Damage," the staff stated, in part, that "the Commission has provided methods acceptable for assuring that necessary structures, systems and components are free of fire damage, that is, the structure system or component under consideration is capable of performing its intended function during and after the postulated fire as needed."

Where redundant safe shutdown trains are susceptible to fire damage, Appendix R, Section III.G, paragraph 3, states that "alternative or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area, room or zone under consideration shall be provided." Section III.L, "Alternative or dedicated shutdown capability," paragraph 1, specifies that the "alternative or dedicated shutdown capability provided for a specific fire area shall be able to (a) achieve and maintain subcritical reactivity conditions in the reactor; (b) maintain reactor coolant inventory; (c) achieve and maintain hot standby for a PWR [pressurized water reactor] (hot shutdown for a BWR [boiling water reactor]); (d) achieve cold shutdown within 72 hours; and (e) maintain cold shutdown conditions thereafter." For plants licensed after January 1, 1979, Position C.5.c of SRP 9.5.1, was used by the staff as review guidance.

[3] The safety concerns associated with fire-induced hot shorts, open circuits, or shorts to ground in safe shutdown and associated circuits, which could prevent operation or cause maloperation of redundant shutdown trains, were predicated on the numerous adverse conditions that occurred during the Browns Ferry fire of March 25, 1975. Reference: NUREG-0050, "Recommendations Related to Browns Ferry Fire," February 1976.

This guidance is the same as that specified by the technical requirements of Appendix R, Section III.L.

Section III.L, paragraph 3, states, "[t]he shutdown capability for specific fire areas may be unique for each such area, or it may be one unique combination of systems for all such areas." In addition, this paragraph specifies that "the alternative shutdown capability shall be independent of the specific fire area(s)..." Section III.L, paragraph 7, states, "[t]he safe shutdown equipment and systems for each fire area shall be known to be isolated from associated non-safety circuits in the fire area so that hot shorts, open circuits, or shorts to ground in the associated circuits will not prevent the operation of the shutdown equipment."

In Enclosure 3 to GL 81-12, "Fire Protection Rule," dated February 20, 1981, the staff stated, "[i]n evaluating alternative shutdown methods, associated circuits are circuits that could prevent the operation or cause the maloperation of the alternative train which is used to achieve and maintain hot shutdown conditions due to the fire induced hot shorts, open circuits, or shorts to ground." The guidance of GL 81-12 recognized that a fire is capable of inducing multiple hot shorts, shorts to ground, or open circuits.

Therefore, in order for the alternative shutdown capability to perform its intended function, the shutdown equipment that it relies on must be capable of performing its functions after it has been electrically isolated from the fire area of concern (e.g., control room and the cable spreading room).

In GL 86-10, the staff issued additional guidance regarding the regulatory requirements regarding the need to isolate fire-damaged circuits, mitigate spurious actuations (more than one), and retain functionality of the safe shutdown components after their transfer.

In its response to Question 3.8.4, "Control Room Fire Considerations," the staff stated, "[t]he damage to the systems in the control room cannot be predicted.

A bounding analysis should be made to assure that safe shutdown conditions can be maintained from outside the control room." In addition, the staff stated, "[t]he analysis should demonstrate that the capability exists to manually achieve safe shutdown conditions from outside the control room by restoring a.c. power to designated pumps, assuring that valve lineups are correct, and assuming that any malfunctions of valves that permit the loss of reactor coolant can be corrected before unrestorable conditions can occur." The staff's response to this question recognized that a fire can induce signals that cause operational changes (e.g., valves changing position) to the plant. In IN 92-18, the staff addressed such conditions.

That is, actual reported conditions related to the design of post-fire safe shutdown components and the potential for certain components to be damaged by fire-induced faults to unrestorable conditions before the licensee could transfer electrical transfer and isolate required equipment at local control stations outside the control room.

In its response to Question 5.2.1, "Shutdown and Repair Basis," the staff identified that fire damage can cause multiple-system unavailabilities and spurious system or component actuations and that methods for restoring needed systems and mitigating spurious actuation should be stated in procedures.

The staff stated, "[s]afe shutdown capabilities including alternative shutdown capabilities are all designed for some maximum level of fire-damage (system unavailabilities, spurious actuations).

Since the extent of the fire cannot be predicted, it seems prudent to have the post-fire shutdown procedures guide the operators from full system availability to the minimum shutdown capability."

In its response to Question 5.3.1, "Circuit Failure Modes," the staff addressed the circuit failure modes that "must be considered in identifying circuits associated by spurious actuation." The staff stated, "Sections III.G.2 and III.L.7 of Appendix R define the circuit failure modes as hot shorts, open circuits, and shorts to ground. For consideration of spurious actuations, all possible functional failure states must be evaluated, that is, the component could be energized or de-energized by one or more of the above failure modes. Therefore, valves could fail open or closed; pumps could fail running or not running; electrical distribution breakers could fail open or closed." In this response, the staff reiterated the regulatory requirement that multiple spurious actuations caused by fire-induced hot shorts, shorts to ground, or open circuits must be considered and evaluated.

The staff also indicated that a component could be energized or de-energized by hot shorts, shorts to ground, or open circuits which could result in valves failing open or closed; pumps could fail running or not running, etc. The principal purpose of this guidance was to ensure that licensees performed an analysis of sufficient scope and depth to identify and mitigate the potential adverse consequences of hot shorts, shorts to ground, and open circuits on safe shutdown-related control circuits and their associated logic. These could include, for example, spurious pump start without injection or a minimum flow path, and spurious opening or closing of MOVs by signals that bypass the valves' protective features.

Later, in IN 92-18, the staff alerted licensees to the potential for fire-induced hot shorts to cause valves to fail open or closed and that hot shorts could bypass the protection features of the valve motors.

To limit the scope of the plant equipment needed to meet the reactor performance goals of Section III.L of Appendix R, the staff, in its response to GL 86-10, Question 5.3.10, "Design Basis Plant Transients," specified the plant transient that licensees should consider to determine the design capacity and capabilities of the alternative or dedicated shutdown system. This guidance established the design input limits for the reactor coolant inventory loss, flow diversion affecting systems needed to perform the reactor coolant makeup function, onsite power sequencing logic, etc. The design criteria specified by the staff were: Loss of offsite power shall be assumed for a fire in any fire area concurrent with the following assumptions:

a. The safe shutdown capability should not be adversely affected by any one spurious actuation or signal resulting from a fire in any plant area; and

b. The safe shutdown capability should not be adversely affected by a fire in any fire area which results in the loss of all automatic function (signals, logic) from the circuits located in the area in conjunction with one worst case spurious actuation or signal resulting from the fire; and

c. The safe shutdown capability should not be adversely affected by a fire in any plant area which results in spurious actuation of the redundant valves in any one high-low pressure interface line.

The staff expected licensees to apply this guidance to establish the capacity and capability (e.g., size the pumps and support systems needed to maintain reactor coolant inventory, define the scope of onsite electrical power distribution and power needs, and establish an operational baseline and set of plant conditions that would define the scope of initial manual actions needed to restore those systems necessary to accomplish the required reactor performance goals).

Application of this guidance is based upon the alternative shutdown system being (1) physically and electrically independent of the fire area of concern, and (2) isolated from associated circuits so that hot shorts, shorts to ground, and open circuits in these circuits will not prevent the operation of safe shutdown equipment or components.

3. ASSESSMENT OF CURRENT ISSUES AND NEI CONCERNS

In the enclosure to its letter of January 14, 1997, the Nuclear Energy Institute (NEI) stated, "[t]he postulated fire is quite large and results in control room evacuation.

Additionally, the loss of remote shutdown capability would require a hot short that occurs during the narrow time window between the evacuation of the control room and manning of the emergency control station(s), such that MOVs are mechanically damaged and their function cannot be recovered.

The potential for this type of fire in a continuously manned area coincident with the theoretical hot short is remote." On the basis of the information provided by NEI in its letter, it appears that there may be some uncertainty about the size and duration of the fire needed for spurious component or equipment actuations to occur. As stated in the staff responses to Question 3.8.4 and Question 5.2.1 of GL 86-10, it is the staff's position that it is not possible to predict the number of spurious signals that would occur or the changes to the operational configuration of the plant that would occur in the event of a fire. The staff has found that evacuation criteria for control room fires are plant specific.

The shift supervisor is responsible for deciding when to evacuate.

In its interviews with control room operators, the staff has found that alternative shutdown (control room abandonment and shutdown from outside the control room) would not be implemented until significant functional capability of the control room had been lost. A small fire, even if it does not necessitate control room evacuation, could cause equipment maloperations due to shorts to ground, hot shorts, and open circuits.

Such failures occurred during the Browns Ferry fire.

From an operational perspective, most essential plant equipment is controlled and monitored from the main control board. The timing of control room evacuation in the event of a fire can be a critical factor in preserving the operability of the safe shutdown functions that are controlled from outside the control room by the alternative shutdown system. For example, a small fire in the main control board may not result in a smoke or heat environment that would necessitate immediate evacuation of the control room or the actuation of the alternative (or remote) shutdown system. However, such a fire could, in a short time, adversely affect plant annunciators and change the plant configuration due to fire-induced spurious signals. The staff is concerned that such fire-induced spurious signals could cause maloperation of MOVs required by the post-fire alternative safe shutdown systems before control is transferred from the control room to the remote shutdown panel. In addition, the spurious signal may bypass the MOVs' protective features which could lead to MOV damage. This could adversely affect the ability to achieve and maintain safe shutdown conditions.

The potential for hot shorts during a control room fire that could adversely affect MOV operation was found and reported by licensees (Washington Public Power Supply System, Pennsylvania Power and Light Company, and Northern States Power Company) as an unanalyzed condition regarding fire protection and the capability to achieve and maintain post-fire safe shutdown.

In view of the generic nature of the concern, its potential safety significance, and concerns about the depth and scope of analyses performed by licensees of post-fire safe shutdown associated circuits, the staff issued IN 92-18 to alert the industry to the reported conditions.

It was the staff's position at that time that this unanalyzed condition was within the scope of existing NRC fire protection regulations.

The staff expected that licensees would evaluate the information in the IN, and its safety significance with respect to its potential impact on plant-specific post-fire safe shutdown implementation and take appropriate actions.

In a letter to its administrative points of contact dated August 13, 1992, the Nuclear Management and Resources Council (NUMARC, now NEI) advised licensees that it considered conditions resulting from a control room fire as identified in IN 92-18 to be very unlikely.

In addition, NUMARC advised licensees to give careful consideration to any of its plans regarding plant design changes in response to IN 92-18. NUMARC based its advice on the assumption that fire-induced hot shorts, shorts to ground, or open circuits that can prevent operation or cause maloperation of plant equipment can only occur as a result of a fire condition that causes the control room to be evacuated and only during the time it takes to evacuate the control room and establish control of the required safe shutdown equipment at the respective emergency control stations.

The staff notes that NUMARC did not provide technical justification or bases for this assumption.

In addition, for the reasons stated above, the staff disagrees with this position.

It appears that the NUMARC guidance may have encouraged some licensees to dismiss IN 92-18 and to forego assessing the technical and safety issues. The staff also noted that NUMARC, in its letter of August 23, 1992, did not question the applicability of the IN 92-18 issues to existing NRC regulatory requirements.

4. CONCLUSIONS

As discussed above, the regulatory requirements and supporting staff positions are well-documented.

NRC regulatory requirements recognize that fires can induce multiple hot shorts, shorts to ground, and open circuits.

The regulatory requirements also specify that such circuit failures shall not prevent the operation or cause the maloperation of required post-fire safe shutdown components.

In IN 92-18, the staff described conditions related to the design of post-fire safe shutdown components and the potential for certain components to be damaged by fire-induced faults before electrical transfer and isolation could be accomplished at local control stations outside the control room. This could result in shutdown-related equipment and components being incapable of performing their intended functions after they have been electrically isolated from the fire area of concern. Therefore, the staff concluded that such design configurations do not provide reasonable assurance that the minimum and limited shutdown functions controlled by the alternative shutdown system can be performed as required by regulatory requirements.

The staff also concluded that the safety issue addressed in IN 92-18 is within the scope of the existing fire protection regulation.

Therefore, staff review and inspection of the technical and safety issues addressed in IN 92-18 does not constitute a plant-specific backfit. Finally, the staff has also concluded that its continued review and inspection of fire protection issues, including such technical and safety issues as those addressed in IN 92-18, is needed to emphasize the importance of compliance with NRC fire protection requirements and to verify licensee compliance with those requirements and the existing licensing basis.