Protecting People and the EnvironmentUNITED STATES NUCLEAR REGULATORY COMMISSION
SSINS No.: 6835
IN 84-09
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF INSPECTION AND ENFORCEMENT
WASHINGTON, D.C. 20555
February 13, 1984
Information Notice No. 84-09: LESSONS LEARNED FROM NRC INSPECTIONS OF
FIRE PROTECTION SAFE SHUTDOWN SYSTEMS (10
CFR 50, APPENDIX R)
Addressees:
All nuclear power reactor facilities holding an operating license (OL) or
construction permit (CP).
Purpose:
This Information Notice is provided as guidance for power reactor facilities
conducting analyses and/or making modifications to implement requirements of
10 CFR 50, Appendix R. It is expected that licensees will review this
information for applicability to their activities. No specific action or
response is required at this time.
Description of Circumstances:
A number of inspections to evaluate licensee implementation of the
requirements of 10 CFR 50, Appendix R have been conducted at power reactor
facilities licensed before January 1, 1979. Significant items of
noncompliance were found at a number of facilities. As a result of these
inspections, the NRC staff has prepared the enclosed Supplemental Guidance
on 10 CFR 50 Appendix R Fire Protection Safe Shutdown Requirements.
The staff intends to conduct workshops on fire protection safe shutdown
requirements at locations near each of the NRC's five Regional offices
during the next two months. At these workshops, an overview of inspection
results and associated lessons learned will be presented and participants
will be provided with the opportunity to present specific questions
concerning Appendix R requirements. Schedules and agenda for the regional
workshops will be forwarded to all utilities with nuclear projects in the
near future.
8401190041
.
IN 84-09
February 13, 1984
Page 2 of 2
If you have any questions regarding this matter, please contact the Regional
Administrator of the appropriate NRC regional office or this office.
Edward L. Jordan, Director
Division of Emergency Preparedness
and Engineering Response
Office of Inspection and Enforcement
Technical Contacts: L. E. Whitney, IE
(301) 492-9668
T. Wambach, NRR
(301) 492-7072
Attachments:
1. Supplemental Guidance on 10 CFR 50 Appendix R Fire Protection Safe
Shutdown Requirements
2. List of Recently Issued IE Information Notices
.
Attachment 1
IN 84-09
February 13, 1984
Page 1 of 9
SUPPLEMENTAL GUIDANCE ON 10 CFR 50 APPENDIX R
FIRE PROTECTION SAFE SHUTDOWN REQUIREMENTS
I. Fire Areas
At one facility inspected, the licensee's fire hazards analysis had not
established fire areas. Therefore, in the absence of alternative means for
safe shutdown in a separate fire area or approved exemptions, the redundant
equipment within the plant was inspected for compliance with the separation
requirements of Appendix R, Section III.G.2. Significant items of
noncompliance were identified at this facility with respect to separation of
redundant trains of systems and components.
Footnote 3 in 10 CFR 50.48 directs attention to documents which provide
basic fire protection guidance for nuclear power plants. One of these
documents, Branch Technical Position Auxiliary Power Conversion System
Branch BTP APCSB 9.5-1, "Guidelines for Fire Protection for Nuclear Power
Plants," for new plants docketed after July 1, 1976, dated May 1976, defined
a fire area as:
that portion of a building or plant that is separated from other
areas by boundary fire barriers (walls, floors, or roofs) with any
openings or penetrations protected with seals or closures having
a fire resistance rating equal to that of the barrier.
"Supplementary Guidance on Information Needed for Fire Protection
Evaluation," dated October 21, 1976, requested, as part of the fire hazards
analysis, "plan and elevation views of the plant that show the plant as
divided into distinct fire areas." Section III.G of Appendix R sets forth
the requirements for the fire protection of safe shutdown capability on the
basis of fire areas.
Fire areas should be delineated in each facility's fire hazards analysis.
NRC Generic Letter 83-33, dated October 19, 1983, restates NRC positions on
Appendix R requirements regarding fire areas and the concept of "fire
zones."
II. Fire Barrier Testing and Configuration
At some of the facilities inspected, fire barriers (both walls and one-hour
fire barriers) were installed without basis for their fire rating (such as
U/L listing or testing conducted by a nationally recognized testing
laboratory for the configuration used in the plant). Fire barriers installed
to meet the requirements of Section III.G.2 of Appendix R must have such a
rating. Boundary fire barriers may have previous NRC acceptance documented
in a Safety Evaluation Report. Some one-hour enclosures or wraps inspected
have not been complete. Cable wraps which do not extend from fire barrier to
fire barrier cannot constitute a one-hour barrier.
.
Attachment 1
IN 84-09
February 13, 1984
Page 2 of 9
III. Protection of Equipment Necessary To Achieve Hot Shutdown
At one facility, redundant pressurizer heater control and power cables were
separated by a partial horizontal pyrocrete barrier suspended from the
overhead. At the same facility, two auxiliary feedwater pumps were located
adjacent to each other and separated by a partial steel missile shield
coated on one side with fire-retardant material. The separation criteria of
Appendix R, Section III.G.2, were not met in that the coated shield did not
meet the definition of a fire barrier of BTP APCSB 9.5-1. No alternative
means of feedwater supply was designated.
At a second facility, redundant pressurizer heater load centers were located
within the same cabinet. At a third facility, redundant steamline isolation
valves control cables for HPCI and RCIC pumps were located in close
proximity without a fire rated barrier.
Appendix R, Section III.G.1, requires that fire protection features shall be
provided for structures, systems, and components important to safe shutdown.
These features shall be capable of limiting fire damage so that one train of
systems necessary to achieve and maintain a hot shutdown condition from
either the control room or emergency control station(s) is free of fire
damage.
Sections III.G.2 and III.G.3 specify four alternatives that may be
implemented outside of primary containment to assure that one redundant
train of equipment, cabling and associated circuits necessary to achieve and
maintain hot shutdown remains free of fire damage. The alternatives are:
1. Separation of redundant trains of equipment, cabling, and associated
circuits by a three-hour fire barrier.
2. Enclosure of redundant trains of equipment, cabling, and associated
circuits by a one-hour fire barrier with fire detection and automatic
fire suppression systems installed in the area.
3. Separation of redundant trains of equipment, cabling, and associated
circuits by a horizontal distance of 20 feet with no intervening
combustibles and with fire detection and automatic fire suppression
systems installed in the area.
4. Installation of alternative or dedicated shutdown capability
independent of the equipment, cabling, and associated circuits under
consideration, and installation of fire detection and fixed fire
suppression systems in the area containing this alternative or
dedicated shutdown capability.
It should be noted that Sections III.G.2.d, e and f of Appendix R, provide
additional options for the separation of redundant trains of equipment and
cables within non-inerted containments.
.
Attachment 1
IN 84-09
February 13, 1984
Page 3 of 9
In addition, a licensee may request and receive exemptions from the
requirements of Appendix R, Section III.G, under the Appendix R review
process. Such exemptions should be for configurations and/or procedures that
provide an equivalent level of safety to that provided by the four
alternatives above.
IV. Licensee's Reassessment for Conformance with Appendix R
Problems found during the inspections with respect to providing redundant
hot shutdown capability appear to be indicative of inadequate reassessment
of plant configuration by the licensees. Also, at each facility inspected,
documentation was lacking to provide assurance that a comprehensive
associated circuits analysis had been conducted for all fire areas.
At one facility visited in FY 1983, the inspectors could find no evidence
(direct or indirect) that a thorough engineering review had been conducted
against the requirements of Appendix R. At most facilities visited, the
analyses provided for inspector review were developed prior to the issuance
of Appendix R.
Two letters were sent by NRR to the licensees of plants licensed prior to
January 1, 1979. These letters clearly stated the requirement for licensee
reassessment to ensure compliance of Appendix R, Sections III.G, III.J, and
III.O, regardless of previous reviews and approvals by the NRC (e.g., SERs
issued during the BTP APCSB 9.5-1 review process).
A November 24, 1980 letter from the Director, Division of Licensing, Office
of Nuclear Reactor Regulation, to the above licensees states, in part:
The provisions of Appendix R that are applicable to the fire
protection features of your facility can be divided into two
categories. The first category consists of those provisions of the
Appendix that are required to be backfit in their entirety by the
new rule, regardless of whether or not alternatives to the specific
requirements of these Sections have been previously approved by the
NRC staff. These requirements are set forth in Sections III.G, Fire
Protection of Safe Shutdown Capability; III.J, Emergency Lighting;
and III.O, Oil Collection Systems for Reactor Coolant Pump. The
fire protection features of your facility must satisfy the specific
requirements of these three Sections by the dates established by
Paragraph 50.48(c), unless an exemption from the Appendix R
requirements is approved by the Commission.
A February 20, 1981 letter from the Director, Division of Licensing, Office
of Nuclear Reactor Regulation, to the above licensees states, in part:
Paragraph 50.48(b) of 10 CFR Part 50, which became effective on
February 17, 1981, requires all nuclear plants licensed to operate
prior to January 1, 1979 to meet the requirements of
.
Attachment 1
IN 84-09
February 13, 1984
Page 4 of 9
Sections III.G, III.J, and III.O of Appendix R to 10 CFR Part 50
regardless of any previous approvals by the Nuclear Regulatory
Commission (NRC) for alternative design features for those items.
This would require each licensee to reassess areas of the plant
where redundant trains of systems necessary to achieve and maintain
hot shutdown conditions are located within the same fire area to
determine whether the requirements of Section III.G.2 of Appendix
R are satisfied. If not the licensee must provide alternative
shutdown capability in conformance with Section III.G.3 or request
an exemption if there is some justifiable basis.
The NRC expects that, when a reassessment has been performed at a facility,
a documented record of this engineering activity would be available within
the utility. The availability of documentation of (and personnel familiar
with) a licensee's reassessment activities helps to confirm the licensee's
methodology and subsequent implementation of reassessment results.
Therefore, this documentation helps to confirm adequate licensee control of
Appendix R reassessment activity.
V. Identification of Safe Shutdown Systems and Components
At two facilities inspected, redundant systems and components necessary for
safe shutdown (within the same fire area) were not listed or otherwise
identified in the licensees' fire hazards analysis or associated
documentation.
At these facilities, the inspectors used the lists of required safe shutdown
systems provided in connection with the alternative shutdown analyses
provided by the licensees in their original fire hazards analyses. At one of
these facilities, the licensee felt the list used was too restrictive (in
that it did not include existing potentially redundant systems). At another
facility, the licensee felt that the list used was too broad (in that the
list contained systems that the licensee subsequently realized were not
actually necessary for safe shutdown). This situation should not have
occurred since identification of required safe shutdown systems for each
area of the plant is a logical starting point for reassessment of areas
where redundant trains are located.
The systems and equipment needed for post-fire safe shutdown are those
systems necessary to perform the shutdown function defined in Section III. L
of Appendix R. These functions are reactivity control, reactor coolant
makeup, reactor heat removal, process monitoring, and associated support
functions. The acceptance criterion for systems performing these functions
is also defined in Section III. L:
During the post-fire shutdown, the reactor coolant system process
variables shall be maintained within those predicted for a loss of
normal a.c. power, and the fission product boundary integrity shall
not be affected; i.e., there shall be no fuel clad damage, rupture
of any primary coolant boundary, or rupture of the containment
boundary.
.
Attachment 1
IN 84-09
February 13, 1984
Page 5 of 9
These guidelines apply to the systems needed to satisfy both Section III.G
and III.L of Appendix R.
VI. Combustibility of Electrical Cable Insulation
At a number of facilities, findings of noncompliance were made because of
the presence of insulated electrical cable between redundant trains of
equipment necessary for safe shutdown. At one facility, the space between
redundant electrical cabling at the internal and external containment
electrical penetration areas was nearly filled with a high density of
insulated electrical cabling. At another facility, four redundant trains of
pressurizer heater control and/or power cables were routed in trays in the
overhead of one room with numerous other cables and cable trays.
Several comprehensive flammability tests conducted by the Electric Power
Research Institute (EPRI NP-1200, EPRI EL-1263), Factory Mutual (Contract
RP-1165-1), and Sandia National Laboratories (NUREG/CR-2431, among others)
have shown that burning cable insulation represents a significant fire
hazard. These tests were conducted on both IEEE-383 qualified and
unqualified cable. While the qualified cable exhibited a tendency to ignite
and propagate flame less rapidly, combustion of grouped cables continued at
significant levels. In particular, grouped vertical cables which are not
protected by a fire propagation retardant, such as metal tray covers or fire
retardant coatings, can result in rapidly developing fires with high heat
release rates.
Section III.G.2.b of Appendix R requires redundant train "separation.. with
no intervening combustibles...." The NRC staff position is that insulation
of electrical cables, including those which are coated, should be considered
as intervening combustibles.
VII. Detection and Automatic Suppression
At one facility, redundant trains of safe shutdown equipment located within
the same fire area were found to be separated by at least 20 feet of
horizontal empty space (no intervening combustibles). Yet, because no
general area automatic fire suppression system was installed, the area was
found not to meet the separation requirements of Appendix R, Section III.G.
NRC Generic Letter 83-33, dated October 19, 1983, restates detailed NRC
positions on Appendix R requirements regarding detection and automatic
suppression.
At another facility, some automatic sprinkler systems were not installed in
ceiling spaces occupied by obstructions such as ventilation equipment, cable
trays/conduit, etc. The effectiveness of these automatic sprinkler systems
in extinguishing or suppressing fires in the overhead was therefore
compromised. NFPA 13 should be referred to when determining sprinkler
arrangement.
.
Attachment 1
IN 84-09
February 13, 1984
Page 6 of 9
VIII. Applicability of 10 CFR 50, Appendix R, Section III.L
Some of the inspected licensees had not considered Section III.L of Appendix
R when attempting to meet Section III.G. The acceptance criteria for Section
III.G.3. are listed in Section III.L. Although 10 CFR 50.48(b) does not
specifically include Section III.L with Sections III.G., J, and O of
Appendix R as a requirement applicable to all power reactors licensed prior
to January 1, 1979, the Appendix, read as a whole, and the Court of Appeals
decision on the Appendix, Connecticut Light and Power, et al. v. NRC, 673
F2d. 525 (D. C. Cir.), cert. denied (1982), does mean that Section III.L
applies to the alternative safe shutdown option under Section III.G.
IX. Instrumentation Necessary for Alternative Shutdown
At one facility inspected, hot shutdown source range neutron flux monitoring
capability could not be provided until approximately 12 hours subsequent to
a postulated fire in the control room. At another facility inspected, no
alternative hot shutdown source range neutron flux monitoring capability,
cold leg temperature indication, or wide-range hot leg temperature
indication was provided.
Section III.L.1 of Appendix R requires that alternative shutdown capability
achieve and maintain subcritical reactivity conditions in the reactor.
Section III.L.2 requires provision for direct readings of the process
variables necessary to perform and control the reactor shutdown function.
The following lists provide the minimum monitoring capability the NRC staff
considers necessary to achieve safe shutdown:
Instrumentation Needed for PWRs
a. Pressurizer pressure and level.
b. Reactor coolant hot leg temperature or exit core thermocouples, and
cold leg temperature.
c. Steam generator pressure and level (wide range).
d. Source range flux monitor.
e. Diagnostic instrumentation for shutdown systems.
f. Level indication for all tanks used (e.g., CST).
Instrumentation Needed for BWRs
a. Reactor water level and pressure.
b. Suppression pool level and temperature.
c. Emergency or isolation condenser level.
d. Diagnostic instrumentation for shutdown systems.
e. Level indication for all tanks used.
.
Attachment 1
IN 84-09
February 13, 1984
Page 7 of 9
X. Procedures for Alternative Shutdown Capability
At some facilities inspected, the alternative shutdown procedures have been
deficient. Typical deficiencies identified have been: (1) inaccurately
identified components, circuit breakers, wires, or terminals; (2) failure to
address the effects on alternative shutdown capability of circuitry damage
in the fire area; and (3) failure to identify the specific equipment and
actions required to achieve cold shutdown.
Section III.L.3 of Appendix R requires that alternative shutdown procedures
be in effect which accommodate post-fire conditions, where offsite power is
available and where offsite power is not available for 72 hours.
XI. Fire Protection Features for Cold Shutdown Systems
During inspection of one facility, the inspectors noted that the two
residual heat removal (RHR) pumps were located in separate rooms in the
Auxiliary Building. The wall separating the pumps (and other enclosing
walls) had open penetrations. Also, the access doors to the rooms were
constructed with non-closing ventilation louvers. Transient combustibles
consisting of anti-C clothing, paper tape, etc., were stored on open shelves
in the access area outside the RHR rooms. Also, the RHR pump power cables
were not protected to preclude the loss of both trains of equipment from a
fire in either of the pump rooms or the adjacent access area. Therefore,
reasonable assurance was not provided that a single fire would not damage
redundant RHR components or cables.
The licensee had not performed an analysis to determine the limits of RHR
system fire damage, the associated onsite repair material storage
requirements, or the time required to complete necessary repairs.
Section III.G.1.b requires that fire protection features for cold shutdown
systems be capable of limiting fire damage so that systems necessary to
achieve and maintain cold shutdown from either the control room or emergency
control station(s) can be repaired in 72 hours. To satisfy this requirement,
the licensee should have an analysis which supports conclusions that the
design features provided will limit the fire damage. The requirements for
such repairs specified in Section III.L.5 should also be met:
Materials for such repairs shall be readily available on site and
procedures shall be in effect to implement such repairs.
Repairs for cold shutdown systems are allowed by Section III.L.5 of Appendix
R. For cold shutdown capability repairs, the removal of fuses for isolation
and the replacement of cabling is permitted. Also, selected equipment
replacement (e.g., such as replacing a valve, pump or control room controls
and instruments) should be reviewed on a case-by-case basis to verify its
practicality. Procedures for repairing damaged equipment should be prepared
in advance with replacement equipment (i.e., cables made up with terminal
lugs attached) stored on site in a controlled manner. All repairs should be
of sufficient quality to assure
.
Attachment 1
IN 84-09
February 13, 1984
Page 8 of 9
safe operation until the plant is restored to an operating condition.
Repairs not permitted include the use of clip leads in control panels (which
means that hard-wired terminal lugs must be used), and the use of jumper
cables other than those fastened with terminal lugs.
When repairs are necessary in the fire area, the licensee should demonstrate
that sufficient time is available to allow the area to be re-entered, that
expected fire and fire suppressant damage will not prevent the repair from
taking place, and that the repair procedure will not endanger operating
systems. The licensee may, at his option, modify the plant so that cold
shutdown can be achieved without reliance on repairs.
XII. RCP Oil Collection Systems
At some facilities, the lube oil collection systems for the reactor coolant
pumps were not sized to accept the entire lube oil inventory from all
reactor coolant pumps without overflow. This does not protect against the
consequences of simultaneous failure of more than one lube oil system during
a seismic event.
Section III.O, Oil Collection Systems for Reactor Coolant Pump, is written
for a single pump. The collection container is required to hold the entire
inventory of the oil system of the pump. It follows that if additional pumps
are present they would each be provided full collection capacity. There are
usually from 2 to 4 reactor coolant pumps in a plant. The oil inventory of
one large pump is approximately 275 gallons. Some licensees have provided
several containers connected in parallel for each pump.
The NRC staff position on the capacity of a reactor coolant pump oil
collection system which meets Section III.O of Appendix R to 10 CFR 50 is:
One or more tanks need to be provided with sufficient capacity to
collect the total lube oil inventory from all reactor coolant pumps
draining to the container.
Alternatives which have been found acceptable under the exemption process
are:
1. One or more tanks need to be provided with sufficient capacity to hold
the total lube oil inventory of one reactor coolant pump with mar in if
the tank(s) is/are located such that any overflow from the tank(s) will
be drained to a safe location where the lube oil will not present an
exposure fire hazard to or otherwise endanger safety-related equipment;
or
2. Where the RCP lube oil system is shown, by analysis, to be capable of
withstanding the safe shutdown earthquake (SSE) (eliminating the
consideration of simultaneous lube oil system ruptures from a seismic
event), protection is required for random leaks at mechanical joints in
the lube oil system (e,g, flanges, RTD connections, sightglasses).
Alternative methods of protection may be deemed acceptable for such
designs. In RCP lube oil collection systems of such designs, one or
more tanks need to be
.
Attachment 1
IN 84-09
February 13, 1984
Page 9 of 9
provided with sufficient capacity to hold the total lube oil inventory
of one reactor coolant pump with margin. Because protection is required
only against possible leakage resulting from random leaks from the one
pump at a time, any overflow from the tanks need not be considered; or
3. For those pumps where the lube oil is contained entirely within the
pump casing, an oil collection system may not be required, provided it
can be shown that there are no potentially significant leakage points.