ML071210344

FPIP-0122, Revision 0 Expert Panel Review of Multiple Spurious Actuations.
Site: Harris
Issue date: 10/05/2006
From: Ertman J, Nuclear Generation Group, Progress Energy Co
To: Office of Nuclear Reactor Regulation
References: FPIP-0122, Rev 0

Information Use

FIRE PROTECTION INITIATIVES PROJECT
PROJECT INSTRUCTION FPIP-0122
FIRE PROTECTION INITIATIVES PROJECT EXPERT PANEL REVIEW OF MULTIPLE CONCURRENT SPURIOUS ACTUATIONS
Revision 0

Prepared By / Date: Began, Keith, 2006.10.04 15:27:00 -04'00'
Reviewed By / Date: Miskiewicz, David N, 2006.10.04 16:24:15 -04'00'
Approved By / Date: Ertman, Jeffery, 2006.10.05 08:58:56 -04'00'

FPIP-0122 Rev. 0 Page 1 of 28

TABLE OF CONTENTS

1.0 PURPOSE
2.0 REFERENCES
3.0 DEFINITIONS
4.0 RESPONSIBILITIES
5.0 PREREQUISITES
6.0 PRECAUTIONS AND LIMITATIONS
7.0 SPECIAL TOOLS AND EQUIPMENT
8.0 ACCEPTANCE CRITERIA
9.0 INSTRUCTIONS
10.0 RECORDS
LIST OF ATTACHMENTS

1.0 PURPOSE

The purpose of this project instruction is to describe the process used to develop, execute, and administer the Post-Fire Safe Shutdown Expert Panel Review of multiple concurrent spurious component actuations that may result from fire-induced circuit failures.

The Fire Protection Initiatives Project has issued this instruction for the purpose of providing project level guidance during transition of the Progress Energy nuclear plant fleet to NFPA 805.

At the completion of the tasks covered by this instruction, it will be cancelled or converted to a NGGC procedure as appropriate.

2.0 REFERENCES

2.1 NEI 00-01, Revision 1, Guidance for Post-Fire Safe Shutdown Circuit Analysis, January 2005
2.2 NEI 04-06, Revision L, Guidance for Self-Assessment of Circuit Failure Issues, March 2005
2.3 US NRC Regulatory Issue Summary 2004-03, Revision 1, Risk-Informed Approach for Post-Fire Safe-Shutdown Circuit Inspections, December 29, 2004
2.4 EGR-NGGC-0102, Safe Shutdown/Fire Protection Review, Revision 6
2.5 Topical Design Basis Document for Appendix R, Tab 9/1 [CR-3]
2.6 US NRC Regulatory Issue Summary 2005-30, Clarification of Post-Fire Safe-Shutdown Circuit Regulatory Requirements, December 20, 2005
2.7 NEI 04-02 Revision 1, "Guidance for Implementing A Risk Informed, Performance-Based Fire Protection Program Under 10 CFR 50.48(c),"
2.8 NFPA 805, Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants - 2001 Edition
2.9 FPIP-0100, Fire Protection Initiatives Project Project Controls

3.0 DEFINITIONS

3.1 Armored Cable

A single or multiple conductor cable that has been provided with a metallic outer sheath (or armor) made from interlocked aluminum or steel in order to provide a higher degree of physical protection. Normally, the armor sheath is maintained at ground potential. The armored sheath may or may not be covered with an outer jacket.

3.2 Associated Circuits of Concern

Any circuit that can, through adverse interaction, indirectly affect proper operation of critical equipment/systems due to a shared power supply, shared raceway, or spurious operation. Associated circuits result as a consequence of:

  • Inadequate electrical coordination (common power supply associated circuit)
  • Inadequate circuit over-current protection (common enclosure associated circuit)

  • Undesired component operation (spurious operation associated circuit)

Associated circuits are those circuits that are not necessarily required to operate safe shutdown equipment, but whose fire-induced mal-operation could have a detrimental impact on the safe shutdown capability. Note that for some cases, an associated circuit for one function is also a required cable for a different function.

3.3 Cable Failure

A cable that is unable to perform its required function.

3.4 Cable Failure Mode

The mode by which a conductor or cable fails due to a fire. The four modes of cable failure are:

  • Open - A loss of conductor continuity is a physical break in the conductor that will result in electrical energy being unable to reach the intended circuit destination (i.e., an open circuit).
  • Short-to-Ground - A short circuit of one or more conductors to ground results in the diversion of electrical energy to ground. Electrical ground may be either external to the cable or one or more of the cable conductors.
  • Hot Short - A conductor-to-conductor short circuit without ground may result in the diversion of electrical energy from one conductor (the source conductor) to one or more unintended conductors (the target conductor(s)). In Fire Protection Circuit Analysis, this has been referred to as a hot short.
  • High Impedance Fault - Conductor insulation resistance degradation may result in the partial diversion of the available electrical energy to an unintended conductor path. Electrical ground may or may not be involved. In Fire Protection Circuit Analysis, this has been referred to as a high impedance fault.

3.5 Concurrent Multiple Spurious Operations

In this context, concurrent means that multiple faults causing spurious operations occur at discrete points in time, but that they endure for a sufficient period of time that the spurious operations overlap.

3.6 High/Low Pressure Interface

Reactor coolant boundary valves whose spurious opening could potentially rupture downstream piping on an interfacing system or could cause a loss of inventory that could not be mitigated in sufficient time to achieve the nuclear safety performance criteria.

3.7 Inter-Cable Short

A specific subset of conductor-to-conductor short circuit cable failures wherein the short circuit formed involves the conductors of two or more separate cables.

3.8 Intra-Cable Short

A specific subset of conductor-to-conductor short circuit cable failures wherein all conductors involved in a given short circuit are within a single multi-conductor cable.

3.9 Key Safety Function

In this context, those system functions that are credited for achieving and maintaining safe shutdown.

3.10 Risk Significant

Those combinations of concurrent spurious actuations (based on RIS 2004-03 Bin 1 circuits) that could result in the likelihood of unrecoverable damage to equipment credited for safe shutdown, or an unrecoverable condition, within the first hour of the event.

Note: In the context of the Expert Panel review, "risk significant", (or potentially risk significant) is used qualitatively to reflect a level of importance of the Expert Panel's judgment of the scenario, and it is not meant to imply that a PRA analysis was performed to support the Expert Panel's determination.

3.11 Sequential Multiple Spurious Operations

In this context, sequential means that one fault causing a spurious operation is mitigated before being followed by another fault at a later time. This is synonymous with any and all, one at a time.

3.12 Simultaneous Multiple Spurious Operations

In this context, simultaneous means that faults causing spurious operations occur at essentially the same moment in time.

3.13 Spurious Operation

An operational occurrence initiated (in full or in part) by the failure(s) of one or more components (including cables) in a system such that the inadvertent operation or repositioning of a piece of equipment occurs.

3.14 Unrecoverable Condition

A plant condition in which fuel damage has occurred or will likely occur given a postulated plant condition.

4.0 RESPONSIBILITIES

4.1 CES Fire Protection Initiatives Project Manager

4.1.1 Overall responsibility for ensuring that personnel assigned to prepare and review Project documents under their direct control have the required training and/or experience to perform the role to which they are assigned.

4.1.2 Ensuring that work performed under their supervision is performed in accordance with this instruction.

4.2 Site Fire Protection Initiative Project Coordinator

4.2.1 Ensuring that Fire Protection Initiative Project tasks and deliverables associated with their plant are performed in accordance with this procedure.

4.3 Expert Panel Chairman

4.3.1 Preparing the meeting agenda and distributing information package(s) that include, as appropriate, Process Flow Diagrams (P&IDs, Piping Diagrams, Safe Shutdown Diagrams, etc.) and the list of potential failure scenarios that will be reviewed. Distributing the information to panel members in advance of the planned meeting.

4.3.2 Ensuring meeting minutes are adequately documented. Minutes should include, as a minimum, attendees, discussion of decisions reached, basis for decisions reached, and documenting and disposition of dissenting opinions.

4.3.3 Ensuring project files are updated with the meeting information in accordance with FPIP-0100, Fire Protection Initiatives Project Controls.

4.4 Expert Panel Members

4.4.1 Providing constructive input based on area of expertise, and maintaining objectivity to be able to challenge others so as to prevent group think.

5.0 PREREQUISITES

5.1 A Safe Shutdown Analysis shall be completed that documents sequential fire-induced spurious component actuations (commonly referred to as any and all, one at a time).

6.0 PRECAUTIONS AND LIMITATIONS

N/A

7.0 SPECIAL TOOLS AND EQUIPMENT

N/A

8.0 ACCEPTANCE CRITERIA

N/A

9.0 INSTRUCTIONS

9.1 Background

Expert Panel

Experience has shown that one of the most effective ways to analyze complex issues and events is to utilize a multi-disciplined team of personnel (i.e., an expert panel) to brainstorm possible plant impacts, equipment performance as well as integrated plant operation. Use of an expert panel is expected to add diversity and thoroughness to the review of fire-induced multiple spurious operation scenarios related to a plant's Safe Shutdown Analysis.

The Expert Panel Review involves group what-if discussions of both general and specific scenarios that may occur. It is important to document decisions/conclusions reached for both emergent issues and non-issues such that the scenarios reviewed and the decisions reached are retrievable and understood later. For example, if a potential scenario was considered not possible due to power being removed from a valve, then this decision should be documented. This documentation should be carried over into the SSA.

The expert panel process may also involve a P&ID review of systems credited in the SSA, including discussions of how the flow path would change based on the Fire Area compliance methodology (redundant or alternate shutdown). This review may be exclusive of other areas normally covered by the expert panel, or in addition to them.

Circuit Analysis

The Expert Panel's primary effort should be focused on high risk circuit failure scenarios (Bin 1 in RIS 2003-04) or those which could significantly impair the ability to achieve and maintain hot shutdown based on the following general guidelines:

  • Most Risk Significant Failures Relative to Timing
    - Failures that impede hot shutdown within the first hour of event
  • Cable Failures to Consider
    - Two cable failures per scenario
    - Intra-cable failure for Thermoset and Thermoplastic (up to 3-4 circuit failures)
    - Any number of conductors/combinations possible within a cable with multiple components
    - Inter-cable failures possible for Thermoplastic cable

The Expert Panel Review should apply the general guidelines stated above. Included below are examples that apply these guidelines as they may actually be present.

9.1.1 General Example Use of Criteria Established Above

Given this example, the following conclusions would apply:

  • Stop evaluation at two cables per scenario
  • If 1 cable contains conductors for all 3 components (A, B, and C), then all 3 could spuriously operate
  • If 2 cables contain conductors for all 3 components (A, B, and C) then all 3 could spuriously operate
  • If 3 cables contain conductors for all 3 components (A, B, and C) then the spurious operation of all 3 would not be postulated
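
The two-cable limit in the bullets above can be checked mechanically. The following is an added example, not part of FPIP-0122: it assumes a constructed routing table (cable IDs C1 to C6 and components A, B, C are hypothetical) listing which components have conductors in each cable within one fire area, and it goes one step beyond the bullets by also listing the smaller combinations that stay within the limit.

```python
from itertools import combinations

# "Stop evaluation at two cables per scenario"
MAX_CABLES_PER_SCENARIO = 2

# Constructed routing tables for one fire area: cable ID -> components with
# conductors in that cable. The three tables mirror the three bullet cases.
ONE_CABLE = {"C1": {"A", "B", "C"}}
TWO_CABLES = {"C2": {"A", "B"}, "C3": {"C"}}
THREE_CABLES = {"C4": {"A"}, "C5": {"B"}, "C6": {"C"}}


def covering_cables(components, cable_contents, max_cables=MAX_CABLES_PER_SCENARIO):
    """Return the smallest tuple of cable IDs (at most max_cables) whose
    conductors include every component, or None if more cables are needed."""
    needed = set(components)
    # Only cables carrying at least one of the components can contribute.
    relevant = sorted(c for c, comps in cable_contents.items() if needed & set(comps))
    for n in range(1, max_cables + 1):
        for combo in combinations(relevant, n):
            covered = set().union(*(cable_contents[c] for c in combo))
            if needed <= covered:
                return combo
    return None


def postulated_combinations(components, cable_contents):
    """List every combination of two or more components whose concurrent
    spurious operation stays within the cable limit, largest first, together
    with the cables whose damage would be postulated."""
    result = []
    ordered = sorted(components)
    for size in range(len(ordered), 1, -1):
        for subset in combinations(ordered, size):
            cables = covering_cables(subset, cable_contents)
            if cables is not None:
                result.append((subset, cables))
    return result


if __name__ == "__main__":
    for name, table in [("one cable", ONE_CABLE),
                        ("two cables", TWO_CABLES),
                        ("three cables", THREE_CABLES)]:
        print(name)
        for subset, cables in postulated_combinations("ABC", table):
            print("  ", "+".join(subset), "via", ", ".join(cables))
```

In the three-cable case no entry for A+B+C is produced, but each pair is still reported because any two of the components are reachable through two cables.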

9.1.2 Specific Examples

9.1.2.1 Intra-cable hot short (wire-to-wire or internal cable hot short)

For any individual multiconductor cable (thermoset or thermoplastic), failure that may result from intracable shorting of any possible combination of conductors within the cable may be postulated to occur concurrently regardless of number. For cases involving the potential damage of more than one multiconductor cable, assume a maximum of two cables to be damaged. Consider only a few (three or four) of the postulated combinations whose failure is likely to significantly impact the ability to achieve and maintain hot shutdown.

[Figure: Internal Cable Hot Short. Labels: Motor Control Center Cubicle, Control Panel, Control Transformer, Fuse Block, Terminal Block, 2-Conductor Field Cable, Terminal Block, Control Switch, Contactor Coil, Motor. Numbered callouts follow.]

1 Fire damages the insulation of both conductors, allowing the conductors to make contact.

2 A conduction path is created that circumvents the control switch.

3 Power is applied to the contactor coil. The coil energizes and closes the main-line contacts causing the motor to spuriously start.

Note: Spurious actuations from up to two multi-conductor cables should be considered with the concurrent failure of other components in the fire area. Although these failures require damage to additional cables, that damage could occur prior to or shortly after the damage resulting in the spurious actuation(s), and should be taken into account.

9.1.2.2 Inter-cable hot short (cable-to-cable or external cable hot short) on a grounded ac control circuit

For any two thermoplastic cables, failures of any combination of conductors that may result from inter-cable shorting (i.e., between two cables) may be postulated to occur concurrently. Consider only a few (three or four) of the postulated combinations whose failure is likely to significantly impact the ability to achieve and maintain hot shutdown.

[Figure: Cable-to-Cable Hot Short. Labels: Motor Control Center Cubicle, Control Panel, Control Transformer, Fuse Block, Terminal Block, Terminal Block, Control Switch, Contactor Coil, Motor. Numbered callouts follow.]

1 Fire damages the jacket and insulation of both cables, allowing an energized conductor (of proper polarity and magnitude) from the external cable to make contact with the conductor connected to the downstream side of the control switch.

2 A complete circuit is created independent of the normal power supply and control switch.

3 Power is applied to the contactor coil. The coil energizes and closes the main-line contacts causing the motor to spuriously start.

9.1.2.3 Two wire (+ to + and - to - hot short in same ungrounded dc cable)

For cases involving direct current (DC) control circuits, consider the potential spurious operation due to failures of the control cables (even if the spurious operation requires two concurrent hot shorts of the proper polarity, e.g., plus-to-plus and minus-to-minus). Consider potential spurious actuations when the source and target conductors are each located in the same multiconductor cable.

[Figure: two-wire hot short in an ungrounded dc circuit. Labels: (+), (-), HS, R, G, SV Solenoid, Cable of Concern, short (two places).]

9.1.2.4 3-phase ac hot short

Decay heat removal (DHR) system isolation valves at high-pressure/low-pressure interfaces may be subject to three-phase, proper-polarity hot short cable failures. Although this failure is unlikely, it could cause the opening of these valves which would pressurize the low-pressure portion of the DHR system piping outside of containment with the reactor coolant at or near normal reactor operating pressure. These 3-phase power cables (either thermoset or thermoplastic jacketed) should be inspected to ensure that they are not subject to 3-phase hot shorts that could cause the DHR valves to spuriously open.

[Figure: 3-phase ac hot short. Labels: Motor Control Center Cubicle, Breaker @ MCC, 480V / 120V, Valve Control Circuitry, 42, 49 (TOL), phases 1, 2, 3, Energized Power Source, "Source" Power Cable, "Target" Power Cable, Hot Short, Valve Motor (M).]

Note: RIS 2004-03 Revision 1, in its discussion on high-low pressure interface valves, only discusses the decay heat removal system isolation valves and three-phase ac hot shorts. There is no discussion on two-wire dc hot shorts on ungrounded dc systems and its applicability to high-low pressure interfaces (although Bin 1 Item C of RIS 2004-03 states that multiple hot shorts on ungrounded dc systems must be considered if the conductors are in the same cable), although Question 5.3.1 of Enclosure 2 to Generic Letter 86-10 specifically discusses this failure mode. In addition, there is no discussion of likelihood of failure of dc motor power cables in RIS 2004-03.

One could interpret the information in the RIS to mean that multiple proper polarity hot shorts (plus-to-plus and minus-to-minus) are not considered credible unless the conductors are within the same multi-conductor cable.

Therefore, multiple proper polarity hot shorts (plus-to-plus and minus-to-minus) are not considered credible on ungrounded dc cables if the conductors are in different cables, even for high-low pressure interface valves. For the purposes of the Expert Panel Review, inter-cable faults should be considered for all high-low pressure interfaces, regardless of whether the valves are AC or DC powered.

9.2 Assumptions

9.2.1 The fire can cause an unlimited number of shorts to ground and/or loss of power to energized circuits.

9.2.2 There is no automatic initiation of safe shutdown equipment if the fire can damage the automatic portion of a circuit.

9.2.3 Loss of continuity (open circuit) is not an initial failure mode.

9.2.4 For MOV circuits, it is possible for fire damage to bypass the MOV torque and limit switches resulting in either/both mechanical and electrical damage to actuator and/or valve, preventing subsequent electrical or local manual operation. This failure mode needs to be considered when evaluating scenarios.

9.2.5 Individual wires bundled together inside control boards are treated as a single, multi-conductor cable. Analysis should consider a total of two bundles, if fire damage can impact two.

9.3 Expert Panel Administration

9.3.1 Members

The membership of the Expert Panel consists of personnel with technical backgrounds in Engineering (Fire Protection, Appendix R/Safe Shutdown, Systems - Electrical and/or Mechanical), Operations, and PRA. Typical individuals who make up the Expert Panel include:

a. Site Fire Protection Supervisor or Manager
b. Site App R/Safe Shutdown Program Engineer
c. Site Fire Protection Engineer
d. Plant Operations (current or previously licensed SRO)
e. Probabilistic Risk Assessment Engineer (PRA)
f. System Engineers
g. Additional engineering personnel with appropriate expertise (including contracted Industry Consultants)

9.3.2 Designated Chairman and Alternate

The Chairman position is normally filled by a Site Lead (App R/Safe Shutdown Engineer, Fire Protection Engineer, or Fire Protection Supervisor/Manager). In addition to the Chairman, an Alternate should be designated to perform the duties of the Chairman in his/her absence. The Alternate will be selected by the Chairman.

9.3.3 Quorum

  • A Quorum for the Expert Panel is five (5) members. All attempts to have continuous representation from Engineering, Operations, and PRA on the Panel should be made. The Chairman is ultimately accountable for quorum make-up.
  • Members may be experts in more than one field; however, excessive reliance on any one member's judgment should be avoided.
  • Consistent participation is important, and although it is acceptable to substitute members (for example, during a 4-day Expert Panel there is a need to provide an alternate Operations contact for 1 day), these situations should be minimized, and avoided if possible.

9.3.4 Attendance Records

Attendance shall be recorded daily while the Expert Panel is convened. A form for recording attendance is included as Attachment 2, and is to be included in the meeting minutes package.

9.3.5 Agendas

The Expert Panel Chairman is responsible for preparing meeting agendas for panel meetings. Prior to each Expert Panel meeting, an agenda will be developed and distributed to the panel members. In addition to the agenda, a package related to the potential failure modes for the safe shutdown function should be supplied for member review.

9.3.6 Process for Decision Making

9.3.6.1 The expert panel process is based on a diverse review of the Safe Shutdown Functions.

9.3.6.2 The Expert Panel meeting will review/discuss the potential failure modes for the safe shutdown function as stated on the meeting agenda.

a. For that Safe Shutdown Function, the panel will identify possible failure mechanism(s)
b. Using the following tools, identify Pinch Points that could defeat safe shutdown through those failure mechanisms:
   - Flow Diagrams
   - Safe Shutdown Logic Diagrams
   - PRA Event Sequence Diagrams
c. The panel will build these Pinch Points into fire scenarios to be investigated

9.3.6.3 Safe Shutdown Functions

BWR (To be added later)

a.

PWR

a. Reactivity Control
b. Decay Heat Removal
c. Reactor Coolant
   - Inventory Control
   - Pressure Control
d. Process Monitoring
e. Support Functions

9.3.6.4 Typical Safe Shutdown Failure Mechanisms to be considered

BWR (To be added later)

a.

PWR

a. Loss of Reactivity Control
b. Loss of Reactor Coolant System (RCS) Inventory
c. Excessive RCS Injection
d. Loss of RCS Pressure Control
e. RCS Overcooling
f. Loss of Steam Generator Cooling
g. Loss of Electrical Power

9.3.6.5 Typical Safe Shutdown Failure Scenarios

BWR (To be added later)

a.

PWR

a. Loss of Reactivity Control
   - Boron Dilution
b. Loss of RCS Inventory
   - Reactor Coolant Pump Seal LOCA
   - Stuck Open Pressurizer Safety Valve
   - Spurious Opening of Head Vents
   - Spurious Opening of Letdown Line
   - Loss of Electrical Power
c. Excessive RCS Injection
   - Spurious SI beyond letdown with failure of Pressurizer Safety Valve open
   - Spurious Containment Spray
d. Loss of RCS Pressure Control
   - Spurious Auxiliary Pressurizer Spray
   - Spurious Pressurizer Heater Actuation
   - Spurious Start of RCP with subsequent pump heat
   - Spurious Start of RCP with spurious normal pressurizer spray
e. RCS Overcooling
   - Spurious SG Dump Valve, PORV opening
   - Excessive Feedwater Flow
     - Spurious AFW actuation with spurious AFW Control Valve opening
     - Failure to trip/isolate Main Feedwater Pumps
   - Excessive Steam Flow
     - Spurious Turbine Bypass Valve actuation
f. Loss of Steam Generator Cooling
   - Spurious isolation of Feedwater flow path
   - Loss of Electrical Power
g. Loss of Electrical Power
   - EDG out of sequence loading

9.3.7 Documentation and resolution of dissenting opinions

Decisions reached regarding multiple spurious combinations will be arrived at by consensus. Dissenting opinions should be documented and resolved. If a resolution cannot be achieved concerning the risk significance of a combination, then the combination shall be considered as risk significant.

9.3.8 Minutes

Expert panel meeting minutes should be issued and include:

  • documentation cover sheet (Attachment 6)
  • attendance record (Attachment 2)
  • discussion of decisions reached (Attachment 1)
  • basis of decisions reached (Attachment 1)
  • dissenting opinions (Attachment 1)
  • associated actions (Attachment 1)
  • ranking of scenarios reviewed (Attachment 5)

9.4 Training

9.4.1 There are no specific training requirements. The knowledge of the Panel Members in their specific area(s) of expertise is sufficient for Panel Members to perform their duties.

9.4.2 Upon initial convening of the Expert Panel, the Chairman (or designee) should provide a briefing (to the extent necessary to provide the Expert Panel with a level of knowledge needed to adequately evaluate the multiple spurious operations) regarding the history in developing the original SSA as well as relevant regulatory issues such as RIS 2004-03.

9.5 Guidelines for Selection of Additional Circuit Failure Combinations

Refer to Attachment 3 for additional guidelines to assist the Expert Panel in identifying additional multiple spurious combinations.

9.6 Process Flowchart

A process flowchart is included as Attachment 4, which summarizes the sequence of steps (including pre-meeting, meeting, and post-meeting) for conducting the Expert Panel Review.

10.0 RECORDS

Results of the Expert Panel review should be maintained as part of the Safe Shutdown Analysis documentation, either directly as part of the Safe Shutdown Analysis, or referenced in the Safe Shutdown Analysis and readily retrievable in the document control system. Refer to FPIP-0100 for guidance on electronic storage/filing of project documents.

Attachment 1
Sample Template for Documenting MSO Expert Panel Review

CASE # xxx

1.0 Affected SSD Function
2.0 Scenario Reviewed
3.0 Potential Consequences
4.0 Time Available to Mitigate Transient
5.0 Evaluation
6.0 Dissenting Opinions
7.0 Additional Actions
8.0 AR (Yes/No)
9.0 AR #

Attachment 2
MSO Expert Panel Review - Attendance Record

Name | Company | Location | Area of Expertise | Date | Signature
Example row: John Doe | Progress Energy | HNP | Safe Shutdown | Today's date | John Doe

Attachment 3
Guidelines for Selection of Additional Circuit Failure Combinations

These guidelines provide potential methods that can be used to select additional circuit failure combinations. The methodology below is just one of several ways to identify component combinations for review.

1.0 P&ID or Logic Diagram Review

The first step is to select target components/combinations that could impact safe shutdown. This limits consideration to combinations of multiple spurious actuation evaluations whose mal-operation could result in loss of a key safety function, or immediate, direct, and unrecoverable consequences, such as high/low pressure interface failures. These consequences are referred to hereafter as an unrecoverable condition. Potential circuit failures affecting these safe shutdown target components may have been considered in previous circuit analyses, but perhaps not for multiple spurious actuation concerns.

An individual with systems / operations background can identify component combinations that could result in a loss of system safety function or immediate and unrecoverable consequence. An individual with knowledge of electrical and / or safe shutdown requirements could then identify areas where these component combinations have power, control, or instrument cables routed in the same fire area.

The review for component combinations can be performed with P&IDs or safe shutdown logic diagrams (if available), or both. The review should focus on pinch points, where system function and / or safe shutdown (SSD) function could fail. Note that failure of the entire SSD function is not necessary for identification of component combinations; however, these would certainly be a limiting case. Component combinations that do not fail the entire SSD function can be as important as combinations failing the entire function, especially if there is only a single component, or a recovery action remaining for the SSD function; or if the remaining SSD equipment is potentially unreliable. Use of PRA input for determining potentially unreliable equipment or manual/operator actions is recommended.

Some pre-knowledge of component cable routing is useful in this review. This would save time in the process by eliminating component combinations where cables are known to not be located in the same fire area. Without some cable routing knowledge, an identified component combination would be analyzed through several steps of NEI-00-01 prior to screening, and may require detailed cable routing.

The results of the P&ID or logic diagram review should be a list of potentially important component combinations to be treated with the NEI 00-01 methodology. Since the PRA scope and fire protection SSD scope are different, the SSD review may provide potential combinations that have not been included in the PRA. Also, it is possible for this review of the P&ID to identify component combinations not identified by SSD analysis (because it requires multiple spurious operations) or PRA (because of a high level of redundancy). The final list of identified component combinations should be combined with any PRA combinations (from the PRA review below) for a final list for analysis.

1.1 PRA Review

The PRA can be used to determine potentially important component combinations through either cutset review or through PRA model manipulation. These are both described below. Note that a PRA review may identify combinations which include equipment not included in the Safe Shutdown Equipment List.

1.1.1 Cutset or Sequence Review The PRA Engineer may review cutsets or sequence results (in this discussion, this is simplified to cutsets) with high contributions to core damage frequency, including common cause failures that include combinations with unrecoverable conditions as noted above. These cutsets will generally contain few terms, have a significant contribution to core damage frequency, and include one or more basic events that can be affected by fire, either through direct damage or through spurious operation. Cutsets reviewed should include cutsets sorted by probability, and cutsets sorted by order (from least number of events in the cutset to most). Review of the cutsets would identify combinations where one or more components may spuriously operate, and whose spurious operation may be significant. Spurious operation components are typically not in the top cutsets, since random spurious operation is typically a low probability event. It may be helpful to manipulate the cutsets using a cutset editor by setting the basic event probabilities associated with spurious operation events to 1.0, and re-sorting the cutsets.

Generally, the significance of each combination cannot be determined from a cutset review. However, the relative significance of one combination versus another can be performed when the cutsets include similar equipment. For example, when two similar cutsets, one with two spurious operations required and one with the same two and one additional spurious operation required are compared, the latter combination is probably less important. This type of comparison would require review of the other events in the cutsets, and the fire characteristics for the event causing equipment damage.

One additional consideration is that the cutset review does not need to include review of cutsets for initiating events that cannot be fire induced. For example, cutsets for steam generator tube rupture or large LOCA need not be reviewed. Typically, the review can be performed on turbine/reactor trip cutsets, loss of offsite power cutsets, and induced LOCA cutsets. A review of the plant's Individual Plant Examination of External Events (IPEEE) can determine what initiating events can result from a fire.


1.1.2 PRA Model Manipulation

If a logic model of the plant core damage sequences including all possible fire events is available, this model can be exercised/manipulated to identify component combinations of interest to risk significance evaluation described in Section 4 of this document. The level and amount of model manipulation can range from a single re-solution of the model, to many re-solutions following modeling changes. The analysis discussed below is based on the limited analysis used in support of the pilot application of NEI-00-01, with discussion of additional runs considered during the pilot.

A basic analysis that can provide significant results is solution of the PRA model with every basic event that can potentially spuriously operate following a major fire set to 1.0 (True). The types of components and PRA basic events that should be set to 1.0 in the model include:

  • MOV spuriously open or close
  • AOV spuriously open or close
  • PORV spuriously open or close
  • Spurious pump operation
  • Spurious actuation of automatic actuation signals

The cutsets or sequence results can be reviewed to identify component combinations that are potentially significant. Review of the results will show patterns of cutsets that can be grouped or combined. For example, a cutset with a PORV spuriously operating, and charging injection failures could repeat hundreds of times with both PORVs combined with the multiple combinations failing injection and the random failures not set to 1.0 in the model. These hundreds of cutsets can be grouped into limiting combinations based on order (fewer spurious operations leading to core damage) and/or likelihood (fewer random failures leading to core damage).

Initial review of the cutsets should also look for other component basic events that could occur due to spurious operation following a fire. If additional basic events are identified, additional model solutions may be necessary prior to selection of the component combinations to be analyzed.

Pre-knowledge of general component cable location is helpful when reviewing PRA results and identifying the component combinations. The top cutset may contain two components whose cables are not located in the same fire area or zones, making this combination unimportant. More commonly, you may see two components whose cables are located near each other only in the cable spreading room and control room. Selection and analysis of a group of component combinations with no common fire areas damaging all components would result in wasted effort. This is an instance where pre-knowledge of component cable routing would be beneficial to determine the recommended combinations for review.
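The following worked example is added here and is not part of FPIP-0122 or of any plant PRA tool. It carries out the manipulation described in Sections 1.1.1 and 1.1.2: spurious-operation basic events are set to 1.0, the cutsets are requantified and re-sorted, then grouped by spurious combination and checked for a common fire area. All event names, probabilities, the initiator frequency and the cable routing are constructed for illustration.

```python
from math import prod

# Constructed sample data: event names, probabilities, initiator frequency
# and cable routing are illustrative assumptions, not plant PRA values.
PROBS = {"PORV-A-SPUR": 1e-3, "PORV-B-SPUR": 1e-3, "MOV-12-SPUR": 2e-3,
         "CHG-A-FTS": 3e-3, "CHG-B-FTS": 3e-3, "CHG-B-TM": 1e-2,
         "OPER-FB-FAIL": 5e-2}
SPURIOUS = {"PORV-A-SPUR", "PORV-B-SPUR", "MOV-12-SPUR"}
# Fire areas holding each component's cables (CSR = cable spreading room, MCR = control room).
ROUTING = {"PORV-A-SPUR": {"CSR", "MCR", "FA-1"},
           "PORV-B-SPUR": {"CSR", "MCR", "FA-2"},
           "MOV-12-SPUR": {"FA-3"}}
# Each cutset: (initiating-event frequency, basic events).
CUTSETS = [
    (1.0, ["CHG-A-FTS", "CHG-B-FTS", "OPER-FB-FAIL"]),
    (1.0, ["PORV-A-SPUR", "CHG-A-FTS", "CHG-B-FTS"]),
    (1.0, ["PORV-A-SPUR", "CHG-A-FTS", "CHG-B-TM"]),
    (1.0, ["PORV-A-SPUR", "PORV-B-SPUR", "OPER-FB-FAIL"]),
    (1.0, ["PORV-B-SPUR", "MOV-12-SPUR", "CHG-A-FTS"]),
]

def requantify(cutsets, probs, spurious):
    """Set spurious-operation events to 1.0, requantify and re-sort."""
    rows = []
    for freq, events in cutsets:
        spur = frozenset(e for e in events if e in spurious)
        rand = [e for e in events if e not in spurious]
        # Spurious terms contribute a factor of 1.0, so only random failures remain.
        rows.append({"spurious": spur, "random": rand,
                     "value": freq * prod(probs[e] for e in rand)})
    # Highest value first; ties broken by order (fewest events first).
    return sorted(rows, key=lambda r: (-r["value"],
                                       len(r["spurious"]) + len(r["random"])))

def group_combinations(rows, routing):
    """One entry per spurious combination, keeping its limiting cutset."""
    groups = {}
    for r in rows:
        if not r["spurious"]:
            continue  # cutset involves no spurious operation
        g = groups.setdefault(r["spurious"],
                              {"count": 0, "best": 0.0, "min_random": len(r["random"])})
        g["count"] += 1
        g["best"] = max(g["best"], r["value"])
        g["min_random"] = min(g["min_random"], len(r["random"]))
    out = []
    for combo, g in groups.items():
        areas = set.intersection(*(routing[c] for c in combo))
        out.append({"combo": sorted(combo), "common_areas": sorted(areas), **g})
    # No common fire area means no single fire damages every cable: rank last.
    return sorted(out, key=lambda g: (not g["common_areas"], -g["best"],
                                      len(g["combo"])))
```

Calling `group_combinations(requantify(CUTSETS, PROBS, SPURIOUS), ROUTING)` on the sample data ranks the two-PORV combination first, with the cable spreading room and control room as its only common areas, and places the combination with no common fire area last.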

If the PRA model includes some fire PRA sequences, additional runs with the fire PRA initiating events set to 1.0 should be performed. In this case, the PRA results would identify component combinations important for particular fire areas (or fire areas with similar characteristics).

If the PRA model does not include any fire PRA sequences, model manipulation can be performed to simulate fire PRA results. For example, in a pilot plant analysis, additional PRA runs were performed where the 4160 VAC switchgear was failed. This included two PRA runs, one with A train 4160 VAC failed, and one with B train failed. These runs simulated a switchgear fire, but also provided representative runs important if opposite train components were located in the same area.

For example, cutsets were identified where A train cooling water failed due to the A train 4160 VAC failure, and B train cooling water failed due to spurious operation. This sequence could be potentially important if the cables causing the B train failure were located in an A train fire area. The B train failure (in this example) could be as a result of a diversion due to an A train valve spuriously opening.

Additional PRA runs can be performed based on the IPEEE results. The IPEEE can provide a list of important fire areas, and the equipment that potentially fails due to a fire in these areas. By setting the component basic events to 1.0 for a selected fire area, and also setting our list of spurious operation components to 1.0, a list of potentially important component combinations can be developed for the selected fire areas.

This type of analysis was not performed for the pilots, other than the fire sequences already included in the PRA models.

1.2 Expert Panel Review

The team for an expert panel review involves individuals from Operations, Engineering, and PRA. The complete process can be generically broken down into four (4) phases:

  • Phase 1: Preparation, including an initial list of potential accident sequences

The preparation involves developing a list of scenarios to consider for review, including input from the PRA as described above, and the potential list of scenarios from NEI-04-06.

A briefing should be performed for participants not familiar with the SSA process and issues related to multiple spurious operations, including a discussion of the history in developing the original SSA as well as regulatory issues such as RIS 2004-03.

  • Phase 3: Performance of the Expert Panel Review

The Expert Panel Review involves group what-if discussions of both general and specific scenarios that may occur. Documentation of both issues and non-issues, and the reason they were either, should be recorded (see Attachment 1 for a sample template that can be used as a guide for documenting scenarios that were reviewed). For example, if a possible scenario was considered not possible due to power being removed from a valve, then this should be documented. This documentation should be carried over into the SSA. The expert panel process also may involve a P&ID review of systems, including discussions of how the flow path would change for each type of Fire Area (redundant and alternate shutdown).

  • Phase 4: SSA review of the Expert Panel Results

The SSA review of the results involves expansion of the types of scenarios that were potentially identified as an issue during the review. This process would be similar to the SSA addressing Self Assessment findings. It would be difficult for either the expert panel or self assessment process to identify all ways for a scenario to occur. However, once a potential scenario is identified, the SSA team can systematically review the potential scenarios, and document the results, as necessary, into SSA project documents.

1.2.1 Selection of Potentially Important Component Combinations

Performance of some or all of the types of analysis discussed above may provide numerous component combinations such that it is impossible to review every possible scenario. The final selection of component combinations for analysis needs to account for various factors affecting the final expected risk for the combinations, including:

  • Pre-knowledge of component cable locations, if possible.
  • Expected spurious operation probability, including the combined frequency for multiple components. For example, it can easily be shown that three or more spurious operations for armored cable (with fused armor) components would most likely be unimportant, since the probability of spurious operation alone is on the order of 1E-06.
  • Conditional core damage probability listed in the cutsets.
  • Additional factors not in the cutsets affecting the core damage probability, including both positive factors where additional equipment may be available and negative factors such as human actions that may be less reliable following a fire.
  • Expected fire frequencies (i.e., combinations in high fire frequency areas may be more important than those in low fire frequency areas).

These and other factors should be used in determining the potentially important component combinations for review, and the number of combinations that need to be evaluated for risk significance. Combining the PRA identified combinations with the P&ID or logic diagram review should provide a comprehensive list of potentially important component combinations.


Attachment 4 Process Flowchart

Pre-Meeting

  • Chairman (or designee) prepares Meeting Agenda and sends out meeting notice to participants.
  • Chairman (or designee) distributes information package of failure scenarios to be reviewed to participants.
  • Participants review information package prior to scheduled meeting.

Meeting

  • Chairman (or designee) verifies that Quorum is present (5), and that there is representation from Engineering, Operations, and PRA.
  • Chairman (or designee) records daily attendance using Attachment 2.
  • Chairman (or designee) provides briefing to Panel Members to provide appropriate background information concerning historical development of the SSA and relevant regulatory issues.
  • Chairman (or designee) assigns individual to document Meeting Minutes, including decisions reached, basis for decisions, and dissenting opinions.
  • Designated individual records Meeting Minutes, using Attachment 1 to document scenarios reviewed.
  • Expert Panel assigns importance ranking to each scenario reviewed.
  • Designated individual records results of scenario importance ranking using Attachment 5.

Post-Meeting

  • Chairman (or designee) compiles and formalizes meeting minutes using a Documentation Cover Sheet (Attachment 6).
  • Chairman (or designee) distributes Meeting Minutes to Panel Members for review and comment.
  • Chairman (or designee) incorporates comments.
  • Chairman (or designee) files documentation such that it is readily retrievable in the document control system.


Attachment 5 Qualitative Assessment of Scenarios Reviewed

Purpose and Scope

This attachment provides a method of establishing a relative importance of each scenario reviewed by placing each scenario in an appropriate bin, as discussed below in the Methodology.

Methodology

The following information should be documented:

  • Affected component/system
  • Nature of SSA Validation 'hit' - cable in area, etc.
  • Fire Area/Fire Zone
  • Extent of suppression/detection in the area

Specific qualitative screening criteria are used for the review. Because this review may take place prior to development of the Fire PRA, quantitative screening is not practical in most cases. The Expert Panel may develop additional screening criteria as appropriate (NEI 00-01 Chapter 4 provides additional methods/guidance that could be utilized). One or more of the following screening criteria being present provides indication that margin may be available using the performance based approach (e.g. Fire Modeling) and/or the Fire PRA approach.

The screening criteria are:

  • Spatial separation (large space fire area may be evaluated for fire effects on equipment and cables)
  • Early screen in the IPEEE or an existing risk evaluation is low (such as GREEN NRC SDP results)
  • Suppression / Detection in the area
  • Low ignition sources / ignition frequency
  • Ability to use alternate or previously non-credited SSA systems / components
  • Cold Shutdown Items
  • Simple recovery actions
  • Concurrent multiple spurious operations required (more than that assumed in Section 9.1)

Bins or categories are developed to facilitate grouping the scenarios reviewed. The bins are as follows:

Bin # and Description

Bin I: There are no / minimal changes in resolution strategy expected under compliance to NFPA 805 program. Quantitative analysis and/or corrective actions may be required.

Bin II: Gray - Follow up actions are required to make a determination. Items in this bin will be treated as Bin I until resources are applied and follow up work, if any, is completed that either confirms the Bin I categorization, or supports re-categorization to Bin III.

Bin III: High Potential / likely to be changes in compliance strategies under NFPA 805 that could reduce scope or eliminate the issue. A category III does not preclude investigating and determining the best resolution strategy and/or implementing it, if determined prudent to do so.

The Expert Panel should review each scenario to identify applicable screening criteria. The criteria considered most important should be identified. The Panel then makes a judgment on the appropriate category of the non-compliance. In general, the Panel should be in full consensus. Exceptions to full consensus should be included as part of the documentation of the Expert Panel.

Note that the process focuses on identifying those issues that are potentially reduced or eliminated by compliance to NFPA 805 performance based criteria. By their nature, these issues are also likely to be low significance under the current licensing basis. Each plant will need to appropriately address the significance level of items that are extended until after NFPA 805 transition. The NRC (NRR) staff has stated that items that are put in CAP for long term lay-up until NFPA 805 is implemented should be appropriately justified as low significance.

An example table for compiling results is provided on the following page, and the results should be included as part of the documentation of the Expert Panel.

Sample table for documentation of ranking of scenarios reviewed:

Example

Case: 001
Plant: BNP
Description: Basis for the existing exemption relative to the Control Room emergency lights is no longer valid. The exemption allows the use of EDG backed lights and station batteries for the time period between loss of offsite power and establishing onsite power. As part of the basis for exemption, the station batteries are credited as having a 2 hour capacity. Recent calculation demonstrates approximately 1.5 hour capacity. This requires re-submittal of the exemption request under the CLB.
Category (Bin #): III
Results Comments: NFPA 805 compliance allows this evaluation to be performed on site without NRC prior approval.
Current Status: Presently being evaluated.

Attachment 6 Expert Panel Documentation Cover Sheet

Date:

Subject:

Location:

Purpose:

Attached Documentation (# of Pages):

  • Attendance Record
  • Documentation of Cases Reviewed
  • Importance Ranking of Cases Reviewed
  • Other Documentation

Prepared by: Printed Name / Signature / Date

Reviewed by: Printed Name / Signature / Date

Revision Summary (Sheet 1 of 1)

Rev. 0: Initial Issue