At U.S. nuclear power plants, achieving compliance with fire protection regulations is a storied endeavor. Whether because a plant was constructed prior to the Nuclear Regulatory Commission (NRC) imposing detailed fire protection regulations or because the fire protection programs were so plant-specific, there is no generic way to describe how to comply with fire protection regulations.

In addition, since nuclear power plants are enormous buildings and all activities are highly regulated, it is expensive and challenging to retrofit, or backfit, them with features after they're built. Also, since the level of understanding about certain phenomena has evolved over the years, compliance has been further complicated. Because of this, it has been challenging to bring all of the plants into compliance with deterministic requirements.

Therefore, the introduction of the new regulatory option, the National Fire Protection Association's Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants¹ (NFPA 805), has become more appealing.²

An analogy can be used to frame the subject of regulatory compliance as it pertains to fire protection in nuclear power plants. Imagine a very expensive new sports car. Next, imagine that a year into owning this new car, the local authority on automobile safety decides that the car isn't safe enough to have only two doors and mandates that all cars have at least four doors. This decision just changed the sporty coupe to a family sedan and cost a lot more money in the process. This was the 1980s for the U.S. nuclear industry, but instead of cars it was commercial nuclear power plants and instead of safety doors it was fire safety requirements known as Appendix R.³

BACKGROUND

The first fire protection regulation for nuclear power plants was adopted by the Atomic Energy Commission, the predecessor to the Nuclear Regulatory Commission (NRC), in February 1971. This regulation, known as 10 CFR 50, Appendix A, General Design Criterion (GDC) 3,⁴ provided relatively high-level guidance, which stated that:

Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat-resistant materials shall be used wherever practical throughout the unit, particularly in such locations as the containment and control room.

Figure 1. Browns Ferry Nuclear Plant, Athens, AL (courtesy of TVA)

The term, "important to safety," refers to equipment in the plant that is relied upon to safely shut down the reactor in the event of a problem at the plant. Nuclear plants in the U.S. have always been designed with the intent of having redundant systems available to bring the reactor to a safe and stable condition. GDC 3 required that the equipment used to bring the reactor to a safe and stable condition be protected from fires. At the time, GDC 3 was considered met through the use of fire protection design standards from the insurance industry model for special industrial facilities.

In 1975, a fire occurred at the Browns Ferry Nuclear Plant in Alabama, which damaged redundant "important to safety" equipment (see Figure 1). The fire displayed a number of phenomena and concerns that weren't considered in the industrial fire protection model that had been previously applied – specifically fire damage to electrical control cables causing spurious operations of equipment important to safety. This prompted the development of more explicit fire protection regulations for the nuclear industry.⁵,⁶

DETERMINISTIC STRATEGIES

Fire protection at nuclear power plants is a bit different than that to which many fire protection engineers might be accustomed. Instead of focus being placed on traditional fire protection issues, such as tenability, means of egress, property loss, etc., the focus is on protecting equipment important to safety in order to maintain or preserve the ability to place the reactor in a safe condition, i.e., safely shut down.

It's not that the traditional fire protection issues don't matter, but that they are not the primary objective of plant fire protection engineers or the regulator, the NRC. What matters most at a nuclear power plant is the ability to shut down the reactor in an emergency. To protect important equipment, fire protection at nuclear power plants relies on what is known as a defense-in-depth (DID) concept, which employs multiple layers of protection so that no single failure results in a loss of control. Appendix R to Title 10 of the Code of Federal Regulations, Part 50³ (Appendix R) defines DID as the ability to:

  • Prevent fires from starting;
  • Detect rapidly, control and extinguish promptly those fires that do occur;
  • Provide protection for structures, systems and components important to safety so that a fire that is not promptly extinguished by the fire suppression activities will not prevent the safe shutdown of the plant.

To accomplish this, the NRC wrote a number of guidance documents that included information on topics such as administrative controls, fire brigade staffing, quality assurance, and even minimum levels of fire protection for specific plant areas. All licensees evaluated their plants in accordance with these guidance documents, which upon subsequent approval by the NRC comprises their fire protection licensing basis.

Figure 2. Cable Tray

The most significant change that was required to existing plants – i.e., the additional doors in the car analogy above – was a prescriptive requirement to backfit protection for safe shutdown equipment. This requirement mandated that critical safe shutdown equipment be separated either by physical, fire-rated barriers or spatial separation in conjunction with fire detection, automatic fire suppression systems and alternative shutdown equipment. This was important because many plants were not initially designed with this level of protection, and significant plant modifications were required.

All plants have multiple success paths or "trains" of equipment to safely shut down, but these success paths weren't originally designed to be separated from a fire exposure. For instance, some plants had trains of equipment that were electrically separate but not physically separate.

For example, Figure 2 shows a case where two redundant cables are located adjacent to each other in a single cable tray. A single fire near this particular cable tray could damage both trains whereas a single circuit failure in one of the cables might not. The modifications that many of the licensees had to make were to verify that they could rely on one train of shutdown equipment for most normal operating periods (credited) and one they could rely on in the event that the credited train is damaged or otherwise unavailable (redundant). This is akin to having a Plan A and a Plan B where Plan B is a fallback for Plan A and provides added safety in the form of redundancy.

In some cases, separation of the installed safe shutdown trains was impossible. For example, each plant was designed with a single main control room, so there was no way to provide separation of those controls without building a separate control room. The NRC understood that this was impractical, so the fire protection regulations included a provision for an alternative shutdown capability. When the use of redundant systems is not possible (because the equipment itself or the electrical cables associated with the equipment are both located in the same area), alternative shutdown configurations are required. For most plants, this alternative shutdown involved installing controls at a location remote and independent of the main control room, so that if a fire were to occur in the main control room, safe shutdown could be achieved from the alternate location.

Plant owners also had a third option, in addition to protecting a redundant train or installing alternative shutdown capability: submit a plant-specific exemption to the regulations. Most fire protection engineering professionals are likely more familiar with terms such as "modification" or "alternative methods and materials." However, their purpose is similar to the exemption process for nuclear power plants.

That is, prescriptive regulations rarely can anticipate all of the possible designs and circumstances related to a particular project, so alternate methods of compliance or processes are allowed in order to establish or maintain a consistent level of safety without meeting the strict letter of the regulation. In the nuclear industry, that process is the exemption process during which licensees, unable to comply with the strict letter of the regulation and able to demonstrate special circumstances, can pursue an exemption to comply with the intent of the regulation even though they may not have all of the active or passive features required by the regulation. Since many plants had already been built, the NRC received hundreds of these exemptions. The agency approved many of them after performing a review and determining that the plant configuration was safe enough.

One common exemption requested by licensees to address fire-induced damage to electrical circuits, in lieu of physical protection as required by the regulation, was the use of operator manual actions (OMAs) to accomplish tasks needed to preserve safe shutdown capability in a plant. OMAs typically consist of a series of tasks – e.g., operating valves, switches, breakers, etc. – from outside the main control room in the event that monitoring or confirmation of actions performed in the main control room is unsuccessful or unverified. However, OMAs must be demonstrated to be feasible and reliable by the licensee and submitted to the NRC for review.

OMAs are considered part of a larger compliance strategy where DID is provided or maintained. An example of where an OMA might serve as a legitimate part of a plant's post-fire safe shutdown strategy would be if the cables for a required safe shutdown component (e.g., a motor operated valve) run through a fire area where that component is needed to achieve and maintain safe shutdown during and following a fire. In this example, an operator might turn a crank on the valve to open it, thereby providing an alternate means of operating the valve, aside from within the main control room, in the event that fire damages the cables running through the area.

Much of this regulatory framework was developed in response to the 1975 Browns Ferry fire and continued to evolve and mature throughout the 1980s and 1990s. Following the Browns Ferry fire, the NRC contended with a series of other important operating events such as the Three Mile Island accident in 1979 and the Chernobyl accident in 1986. The recent Fukushima Daiichi accident in 2011 will likely bring about more change within the nuclear industry to avoid future mistakes. By analyzing and scrutinizing past events, engineers often find it necessary to make adjustments to how they approach problems. Deterministic regulations are not always capable of integrating new information, so a performance-based strategy, which sets performance-based goals, is often more effective at integrating new information.

PERFORMANCE-BASED STRATEGY

Performance-based design is a method for designing buildings and other assets to achieve performance objectives or goals in lieu of meeting prescriptive requirements. Referring back to the car analogy, not all cars have a back seat let alone the ability to transport additional occupants to necessitate the addition of two more doors for safety purposes. The owner and driver of the car might argue that his or her circumstances don't entail the same level of risk or hazard that the new automobile safety requirements, i.e., two additional doors, were intended to address.

Therefore, one might use a probabilistic risk assessment to support his or her argument and show that not only does the car lack a back seat to warrant the extra doors but that those traveling in the sporty two-door coupe are just as safe as four people traveling in a four-door family sedan. In doing so, one would be making a performance-based (it's just the driver and perhaps one passenger), risk-informed (the driver and passenger are no less safe than those in a sedan) argument. Quantifying the possibility of an event and then calculating its probability to understand the risk associated with it is a tool used at the NRC as part of a performance-based approach to a problem, and is often called probabilistic risk assessment (PRA).

The use of risk information in design and engineering is not a new concept. It has been used in different industries for decades. Cost-benefit analyses, insurance, automobile safety, etc., all inherently deal with risks associated with various events occurring and the measures necessary to avert tragedy. Even high-profile government agencies, such as the National Aeronautics and Space Administration (NASA), use risk assessments to better inform their decisions on matters such as space travel and vehicle launches. They calculate the probability of certain failures occurring and include these probabilities in their evaluation of program objectives to decide which features or components should be included in a mission and which ones might provide minimal or maximum benefit to the overall mission success.

For the nuclear industry, performance-based fire safety regulation arrived in the form of NFPA 805, with the NRC adopting the 2001 edition of the consensus code in 2004. NFPA 805 is a performance-based standard that also incorporates deterministic requirements, fire modeling and probabilistic risk assessment (PRA) into the decision-making process, i.e., risk-informed, performance-based.

Considering risk is important in the nuclear industry because in 2002 the NRC established that fire can be a potentially important contributor to overall plant core damage frequency (CDF), which is the annual probability of damage to the reactor core as a result of an accident. That is, fires in nuclear power plants have the potential to cause serious damage that could jeopardize the ability of plant operators to safely shut down the plant. By understanding the risk attributed to various fire-induced damage or failures, it is possible to make more informed decisions, both as an operator and a regulator, as to where to focus one's efforts and attention. Minimal risk then becomes one of many performance objectives to be achieved through performance-based design and regulations.

The way the Authority Having Jurisdiction (the NRC) has implemented NFPA 805 allows licensees to perform evaluations and changes without requesting NRC approval as long as the changes don't increase risk above established thresholds and safety margins and defense-in-depth are not affected. The NRC's primary mission is to ensure public health and safety, promote common defense and security, and protect the environment so long as the performance objectives, defined at the outset of the performance-based process, align with this mission and are maintained throughout the plant's operation. The licensee gains reduced regulatory burden and is considered compliant with their applicable fire protection regulations. As in other industries and applications, the performance-based approach is intended to provide equivalent protection to that intended by a more traditional, deterministic or prescriptive approach but with tertiary benefits such as financial economics, increased design or operating flexibility, or increased plant safety.

In the nuclear industry, licensees identify areas of the plants where certain fires could affect safe shutdown. Licensees then make decisions about whether to make modifications, such as adding more sophisticated detection and suppression systems or improving the reliability of other equipment, to reduce the risk that such scenarios represent to an acceptable level. An approach that incorporates protective measures tailored to address specific hazards and an understanding of the risk significance of scenarios involving those hazards makes up a risk-informed, performance-based approach.

A purely performance-based example could be a plant area that has redundant safe shutdown trains passing through it, and in accordance with Appendix R, would require an automatic fire suppression system. Using fire modeling, fire protection engineers might determine that there are no credible fire hazards that could damage both trains. After evaluating the defense-in-depth and safety margins, the evaluation might conclude that there is sufficient protection without the suppression system, and therefore the licensee would be able to forgo the financial outlay to install and maintain a system. To further support the analysis, engineers could also calculate the likelihood or probability of possible fires in the area as well as possible equipment damage or failures due to such fires in order to provide a quantitative understanding of the risks involved and enhance the decision-making process with this added risk information (risk-informed).

Licensees may elect to transition from the deterministic compliance strategy to the performance-based strategy but are not required to do so. The licensees' decisions to transition depend on various factors, but the NRC remains committed to making sure that plants are safe. The NRC recently issued the first licenses for plants that have elected to transition to the NFPA 805 licensing and compliance methodology.

Figure 3. Shearon Harris Nuclear Plant, New Hill, NC (courtesy of Progress Energy)

The first license was issued to Progress Energy's Shearon Harris Nuclear Plant located in North Carolina (Figure 3), followed by Duke Energy's Oconee Nuclear Station located in South Carolina (Figure 4).

Figure 4. Oconee Nuclear Station, Seneca, SC (courtesy of Duke Energy)

These two particular plants were pilots for the new performance-based regulation; the NRC is currently reviewing additional requests to complete similar transitions. With roughly half of the operating fleet of plants having submitted letters of intent to transition to NFPA 805, the performance-based approach has the potential to resolve compliance challenges while preserving safety in a performance-based manner amongst U.S. nuclear power plants.

MOVING FORWARD

Transitioning plants to the NFPA 805 approach has identified several areas that require better understanding. As part of the process, many plants utilized calculation methods to quantify various factors, such as fire event frequencies, proper characterization of fire events or resultant fire damage. Several of these methods contained assumptions that resulted in conservatisms in determining the risk associated with fires as part of the risk-informed, performance-based approach.

For instance, some licensees found that several of the methods being used resulted in calculated risk values that were higher than operating experience seemed to indicate. Undue conservatism in risk-informed, performance-based analysis can mask more severe hazards by overstating the risk of less severe hazards. In an effort to reduce these conservatisms, several calculation methods used in NFPA 805 are being revised to increase realism and calculate more realistic risk numbers.

The NRC is unique as a federal regulatory agency in that it also performs research as needed to meet the needs of the agency. This arrangement was originally intended to provide confirmatory research (to independently verify research performed by industry or academia), but in many cases, the NRC has performed much-needed original research in areas critical to regulatory decision making. The NRC has completed many studies to better inform the regulatory process, and nuclear and fire protection industries, on fire protection issues. Many of these research activities directly relate to performance-based methods being used under NFPA 805.

Since the NFPA 805 standard has only been applied to two plants, and each plant is unique, the NRC is working with the nuclear industry to improve the process and the level of detail that goes into it. For instance, there is a new PRA standard⁷ that both the staff and industry stakeholders are using for the first time along with new regulatory and industry guidance. In order to facilitate the application of all this new information, the NRC is working with the nuclear industry by holding monthly public meetings so that licensees are informed and able to use and apply it to determine fire risk and make regulatory decisions accordingly.

Of the 104 operating commercial power reactor units in the U.S., all are similar to the two-door coupe in the car analogy. Many have been retrofitted with the extra doors to meet the deterministic requirements. Currently, 48 nuclear units are planning to complete the transition to a performance-based fire protection program under NFPA 805. Over the next few years, a major focus of NRC fire protection engineers is to review the applications for these NFPA 805 license amendment requests and reconcile the remaining units with their respective deterministic regulations, thereby achieving compliance with fire protection regulations.

Brian Metzger is with the U.S. Nuclear Regulatory Commission. This paper was prepared by employees of the U.S. NRC. The views presented do not represent an official staff position.

References:

  1. NFPA 805, Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, National Fire Protection Association, Quincy, MA, 2010.
  2. Barrett, H., "Implementation of a Performance-Based Standard for Fire Protection of Nuclear Power Plants," Fire Protection Engineering, 36, Fall 2007, pp. 36-46.
  3. Title 10, Code of Federal Regulations, Section 50, Appendix R, U.S. Government Printing Office, Washington, DC, 2012.
  4. Title 10, Code of Federal Regulations, Section 50, Appendix A, General Design Criterion (GDC) 3, U.S. Government Printing Office, Washington, DC, 1971.
  5. Stroup, D., et al. "The Browns Ferry Nuclear Plant Fire of 1975 and the History of NRC Fire Regulations," NUREG/BR-0361, U.S. Nuclear Regulatory Commission, Washington, DC, 2009.
  6. Till, B., "Quantifying Total Losses Due to Fire – Remembering the Browns Ferry Nuclear Plant Fire," Fire Protection Engineering, 26, Spring 2005, pp. 38-42.
  7. ASME/ANS RA-Sa, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications," American Society of Mechanical Engineers, New York, 2009.