ML071630505

FPIP-0106, Clarification Phone Call Regarding Pilot Plant (Shearon Harris) Transition to NFPA 805. FPIP-0106 Validate Fire Area Shutdown Strategies, Rev.1
Person / Time
Site: Harris
Issue date: 07/27/2006
From: Began K
Nuclear Generation Group, Progress Energy Co
To:
Office of Nuclear Reactor Regulation
References
FPIP-0106, Rev 1

Information Use

FIRE PROTECTION INITIATIVES PROJECT
PROJECT PROCEDURE FPIP-0106
VALIDATE FIRE AREA SAFE SHUTDOWN STRATEGIES
REVISION 1

Prepared By / Date: Keith Began, 2006.07.27 09:08:29 -04'00'
Reviewed By / Date: Stephen Reichle, 2006.07.27 09:27:35 -04'00'
Approved By / Date: Jeffery Ertman, 2006.07.27 11:12:56 -04'00'

FPIP-0106 Rev. 1 Page 1 of 50

TABLE OF CONTENTS

SECTION ..... PAGE
1.0 PURPOSE ..... 3
2.0 REFERENCES ..... 3
3.0 DEFINITIONS ..... 4
4.0 RESPONSIBILITIES ..... 7
5.0 PREREQUISITES ..... 9
6.0 PRECAUTIONS AND LIMITATIONS ..... 9
7.0 SPECIAL TOOLS AND EQUIPMENT ..... 10
8.0 ACCEPTANCE CRITERIA ..... 10
9.0 INSTRUCTIONS ..... 11
9.1 Area Analysis Assumptions ..... 11
9.2 Safe Shutdown Strategy Application Criteria ..... 14
9.3 Fire Area Nuclear Safety Capability Evaluations (within CDM) ..... 21
9.4 Evaluation of Existing Safe Shutdown Strategies ..... 23
9.5 Changes to FSSPM(D) Resolution Strategies ..... 23
9.6 Fire Area Nuclear Safety Capabilities Evaluations (within RDM) ..... 24
9.7 Detection and Suppression Assessments ..... 25
9.8 Validation of Existing Exemptions/Deviations ..... 25
9.9 NRC Information Notice 92-18 ..... 26
9.10 Input to Safe Shutdown Analysis Calculation ..... 26
10.0 RECORDS ..... 27

ATTACHMENTS
1 Masking and Exception Processing ..... 28
2 Shutdown Summary Sheet ..... 34
3 NRC IN 92-18 Analysis Methodology ..... 35

FIGURES
1 Unmodified Normal Exception ..... 45
2 Normal Exception Applied to Model ..... 46
3 Unmodified High Level Exception ..... 47
4 High Level Exception (Previous Methodology) ..... 48
5 High Level Exception (Revised Methodology) ..... 49

REVISION SUMMARY ..... 50

1.0 PURPOSE This procedure provides guidance for the validation of the fire area assessments. This is Project Sub-task 4.1.6 of the Robinson Nuclear Plant (RNP), Brunswick Nuclear Plant (BNP) and Crystal River 3 (CR3) Safe Shutdown Analysis (SSA) Validation Projects. This project procedure is part of the SSA Validation project to verify compliance with the requirements of these sections of 10CFR50 Appendix R unless granted specific exemptions from the requirements by the NRC.

This procedure will also be utilized by the Harris Nuclear Plant (HNP) to update the current design methodology (CDM) SSA Calculation to address and incorporate the results of the NRC IN 92-18 and ESFAS circuit analyses that were not previously performed under the Task 5 assignment as part of Fire Protection Improvement Incentives Project by Sargent & Lundy.

This procedure was prepared following the guidance and information provided in References 2.14 and 2.15.

The Fire Protection Initiatives Project has issued this procedure for the purpose of providing project level guidance during transition of the Progress Energy nuclear plant fleet to NFPA 805.

At the completion of the tasks covered by this procedure, it will be cancelled or converted to a NGGC procedure as appropriate.

2.0 REFERENCES

2.1 FPIP-0100, Fire Protection Initiatives Project, Project Controls

2.2 CSP-NGGC-2505, Software Quality Assurance and Configuration Control of Business Computer Systems

2.3 CSP-NGGC-2507, Software Documentation and Testing

2.4 Quality Assurance Program Manual, NGGM-PM-0007, Section 15

2.5 EGR-NGGC-0102, Safe Shutdown/Fire Protection Review

2.6 November 29, 2001 letter from Mr. John N. Hannon, Chief Plant Systems Branch, USNRC to Mr. Alexander Marion, NEI, NRC Fire Protection Training Materials (Enclosure titled The Use of Manual Operator Actions for Achieving and Maintaining Fire Safe Shutdown)

2.7 May 16, 2002 letter from Mr. John N. Hannon, Chief Plant Systems Branch, USNRC to Mr. Alexander Marion, NEI, Use of Manual Actions to Achieve Safe Shutdown for Fire Events

2.8 NEI 00-01, Guidance for Post-Fire Safe Shutdown Analysis, Revision 1, dated January 2005

2.9 CAP-NGGC-0200, Corrective Action Program

2.10 10CFR50.48, Fire Protection

2.11 Appendix R to Part 50 (of 10CFR), Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979

2.12 Section 9.5.1, Fire Protection Program, of NUREG-0800, Standard Review Plan

2.13 Users Manual, Progress Energy Fire Safe Shutdown Program Manager Database

2.14 Sargent & Lundy PI-SSA-HNP-0006, Validate Fire Area Safe Shutdown Strategies, Revision 5 (used for HNP)

2.15 Sargent & Lundy PI-SSA-NGG-0006, Validate Fire Area Safe Shutdown Strategies, Revision 1 (prepared for use on RNP, BNP, and CR3)

2.16 NRC Information Notice 92-18, Potential for Loss of Remote Shutdown Capability During a Control Room Fire, dated February 28, 1992

2.17 NRC Regulatory Issue Summary 2005-30, Clarification of Post-Fire Safe-Shutdown Circuit Regulatory Requirements, issued December 20, 2005

3.0 DEFINITIONS

3.1 Terms

3.1.1 May: Denotes permission, not a requirement or a recommendation.

3.1.2 Shall: Denotes a requirement or a mandatory activity.

3.1.3 Should: Denotes an expected action unless there is justifiable reason not to perform the action.

3.2 Fire Safe Shutdown Program Manager Database (FSSPM(D))

The FSSPM(D) is a program that has been developed for use in managing the post-fire safe shutdown data and analysis for the Progress Energy nuclear fleet. An independent version of this Program has been developed for each nuclear site, and it contains data and information on components, circuits, and cables that are credited in effecting a safe shutdown at that plant in the event of a fire. The Program also has the capability to generate the necessary reports that will document how compliance with NRC regulations is maintained. The Program also includes the capability to produce an augmented fault tree logic file that can be read in Computer Aided Fault Tree Analysis (CAFTA), and in turn generate cut sets that will show where failure in the shutdown logic has occurred.

3.3 Fault Tree Logic (FTL) Files A fault tree logic file is a text file written in a format that is suitable for direct input to the CAFTA computer program. The FTL file is a model of the plant's safe shutdown functions, systems, and components and documents the logic used to demonstrate safe shutdown. The file includes gates which model failures from the top event down to individual component and cable failure modes.


3.3.1 Basic FTL File The basic fault tree text file is the initial model that is intended to be imported into the FSSPM(D). This basic file contains the basic equipment relationships, but does not include cable, fire zone, or fire area location information, nor does it contain exceptions.

3.3.2 Augmented FTL File An augmented fault tree text file is a file that has been processed by the FSSPM(D) and is suitable for import into the CAFTA Fault Tree Editor. This text file contains the basic FTL file information, but has been augmented by the addition of cable data, fire zone (or fire area) location data, and exceptions.

3.4 Emergent This term is used in the FSSPM(D) as part of an exception code naming process, and is used to track issues raised during the safe shutdown analysis that may be non-compliant. Exceptions that are identified as emergent will require further analysis (e.g. thermal-hydraulic calculation, fire modeling, etc.), review, or modification to resolve and will later be replaced by another standard exception code upon resolution.

3.5 Exceptions Exceptions consist of gates that represent the safe shutdown strategies for individual components or cables. Exceptions are created during the area analysis evaluation process, and document the strategy that is used to provide compliance with regulation or guidelines. The term exception is used in the FSSPM(D) and is synonymous with the term resolution strategy or compliance strategy used in performing post-fire safe shutdown analyses.

3.6 Cut Sets Cut sets represent the combination of basic events that result in the propagation of failures to the top of the fault tree. The CAFTA program identifies cut sets when it evaluates the augmented fault tree model. In the context of this safe shutdown analysis, single event cut sets represent single analysis areas where combinations of failed components within the area cause the failure of the top event (i.e., failure to achieve safe shutdown).

3.7 Gates Logic points in the fault tree model.

3.8 Masking A term used when working with the FSSPM(D), similar to exception, when applying a strategy that prevents a failure (cable and/or component) from propagating to the top of the fault tree.
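As an added illustration of how the gates (3.3), cut sets (3.6) and masking (3.8) defined above interact, the following constructed Python model evaluates a small augmented fault tree one fire area at a time, reports the single-area cut sets, and shows a masking exception removing one. This is example code, not FPIP-0106 text or FSSPM(D)/CAFTA software; the gate names, component tags, fire areas and the BARRIER3 usage are constructed for illustration.

```python
"""Toy area-by-area evaluation of an augmented fault tree.

Constructed example (not FSSPM(D) or CAFTA code). The top event is
"failure to achieve safe shutdown"; basic events are component or
cable failure modes, each located in exactly one fire area.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class Gate:
    kind: str            # "AND" or "OR"
    children: List[str]  # names of child gates or basic events


@dataclass
class BasicEvent:
    fire_area: str                   # fire area in which the item is located
    masked_by: Optional[str] = None  # exception code name once a strategy is applied


Node = Union[Gate, BasicEvent]

# Constructed augmented tree: two redundant makeup trains (A and B) and two
# redundant decay heat removal trains. Each makeup train fails if its pump,
# its power cable, or its suction valve fails. Both power cables happen to be
# routed through fire area FA-3, which is the situation a cut set should flag.
TREE: Dict[str, Node] = {
    "TOP_SSD_FAIL": Gate("OR", ["MAKEUP_FAIL", "DHR_FAIL"]),
    "MAKEUP_FAIL": Gate("AND", ["TRAIN_A_FAIL", "TRAIN_B_FAIL"]),
    "DHR_FAIL": Gate("AND", ["RHR-A", "RHR-B"]),
    "TRAIN_A_FAIL": Gate("OR", ["CSIP-1A", "CBL-1A-PWR", "V-1A-SUCT"]),
    "TRAIN_B_FAIL": Gate("OR", ["CSIP-1B", "CBL-1B-PWR", "V-1B-SUCT"]),
    "CSIP-1A": BasicEvent("FA-1"),
    "V-1A-SUCT": BasicEvent("FA-1"),
    "CBL-1A-PWR": BasicEvent("FA-3"),
    "CSIP-1B": BasicEvent("FA-2"),
    "V-1B-SUCT": BasicEvent("FA-2"),
    "CBL-1B-PWR": BasicEvent("FA-3"),
    "RHR-A": BasicEvent("FA-4"),
    "RHR-B": BasicEvent("FA-5"),
}


def failed(node: str, tree: Dict[str, Node], fire_area: str) -> bool:
    """True if `node` fails for a fire that damages everything in `fire_area`.

    A basic event fails when it is located in the burning area and has not
    been masked by an exception; a masked event never propagates upward.
    """
    n = tree[node]
    if isinstance(n, BasicEvent):
        return n.fire_area == fire_area and n.masked_by is None
    results = [failed(child, tree, fire_area) for child in n.children]
    return all(results) if n.kind == "AND" else any(results)


def single_area_cut_sets(tree: Dict[str, Node], top: str = "TOP_SSD_FAIL") -> Dict[str, List[str]]:
    """Map each fire area whose fire alone fails `top` to its failed basic events.

    An empty result means no single fire area defeats safe shutdown, so no
    strategy needs to be assigned for the modeled components.
    """
    events = {name: n for name, n in tree.items() if isinstance(n, BasicEvent)}
    areas = sorted({n.fire_area for n in events.values()})
    cut_sets: Dict[str, List[str]] = {}
    for area in areas:
        if failed(top, tree, area):
            cut_sets[area] = sorted(name for name in events if failed(name, tree, area))
    return cut_sets


def apply_exception(tree: Dict[str, Node], event: str, code: str) -> Dict[str, Node]:
    """Return a copy of `tree` with `event` masked by exception code `code`."""
    updated = dict(tree)
    old = updated[event]
    assert isinstance(old, BasicEvent), "only basic events can be masked"
    updated[event] = BasicEvent(old.fire_area, masked_by=code)
    return updated


if __name__ == "__main__":
    print("before:", single_area_cut_sets(TREE))
    # Crediting a 3-hour barrier on the train A cable resolves the FA-3 cut set.
    fixed = apply_exception(TREE, "CBL-1A-PWR", "BARRIER3")
    print("after BARRIER3 on CBL-1A-PWR:", single_area_cut_sets(fixed))
```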


3.9 Normal Safe Shutdown A post-fire approach that operates one of two normal safe shutdown trains from the control room that does not utilize non-standard operational practices or plant system or component modifications.

3.10 Alternative Shutdown A post-fire shutdown approach requiring utilization of non-standard operational practices or plant system or component modifications.

3.11 Dedicated Shutdown A post-fire approach using systems or equipment that were installed specifically to shutdown the plant in the event of a fire.

3.12 Project When used in this document, it is referring to the Fire Protection Initiatives Project.

3.13 Recovery Action Activities to achieve the nuclear safety performance criteria that take place outside of the main control room or outside of the primary control station(s) for the equipment being operated, including the replacement or modification of components.

3.14 Resolution Strategy In the context of performing a safe shutdown analysis, a resolution strategy is the method in which the plant compensates for either a component or circuit failure that is postulated to occur during the analysis. These strategies may consist of actions to be taken following the fire (i.e. manually open valve), pre-emptive actions taken to prevent an undesired action from occurring as a result of a fire (i.e. opening an MOV circuit breaker), or analysis performed to demonstrate that postulated failure will not occur (i.e. fire wrap applied or fire model performed).

3.15 Unrecoverable Condition In this context, an unrecoverable plant condition is defined as one in which fuel damage has occurred or will likely occur given a postulated plant condition.

3.16 Unrecoverable Equipment Damage In this context, unrecoverable equipment damage is damage to safe shutdown equipment that cannot be mitigated by subsequent (manual) actions. For example, the suction valve of the normally running charging pump closes (spurious operation). That charging pump has been credited for shutdown in that fire area and damage occurs before the condition can be mitigated.


3.17 CAFTA Computer Aided Fault Tree Analysis (CAFTA). A Windows-based commercially available software program distributed by EPRI and used for the fire safe shutdown failure analysis. When used in this procedure the term CAFTA refers to the Fault Tree Editor portion of the program, and vice versa.

4.0 RESPONSIBILITIES The roles of the Safe Shutdown (SSD) Engineers and the Site SSD Engineer may be flexible depending upon the needs at the particular site when the strategies are to be developed. The responsibilities outlined in this document assume that the SSD Engineers assigned to support this effort, and working with the Site Safe Shutdown Engineer, would perform the roles of the Assessment Preparer and Reviewer. However, that is not to preclude the Site SSD Engineer from serving in the role of an Assessment Preparer or Reviewer.

In the event the Site SSD Engineer prepares or reviews an assessment, the responsibility for approving the completed Fire Area Assessment should be performed by the Site Fire Protection Initiatives Project Coordinator.

4.1 Safe Shutdown Engineer (Assessment Preparer)

4.1.1 Perform the fire area assessments for each fire area per Section 9.3 of this procedure.

4.1.2 Evaluate the adequacy of the existing safe shutdown strategies per Section 9.4 of this procedure.

4.1.3 Evaluate the safe shutdown strategies taking into account multiple concurrent spurious actuations per Section 9.5 of this procedure.

NOTE The portion of any exemption or deviation that credits fire protection systems or features as part of their basis should be reviewed by a Fire Protection Engineer.

4.1.4 Validate the bases of existing exemptions or deviations for those fire areas that utilize safe shutdown strategies that rely upon existing exemptions or deviations.

4.1.5 When conditions are identified that represent potential inadequacies or concerns in the existing analysis or documentation, promptly bring the condition to the attention of the site SSD Engineer or his designated alternate.

4.1.6 Make necessary changes to the FSSPM database. This will include changes to data previously entered into the FSSPM database as well as entering of new or revised exceptions (compliance strategies).

4.1.7 Document the completed assessment for each Fire Area in a Fire Area Assessment Report.


4.2 Safe Shutdown Engineer (Assessment Reviewer)

NOTE The process for the review of the Current Design Method Safe Shutdown Area Assessments has been defined because the reviewer cannot re-perform the exact same steps performed by the preparer. For all other deliverables, the reviewer will follow the steps of the preparer during the review.

4.2.1 Run the CAFTA model and confirm that safe shutdown can be achieved for all fire areas.

4.2.2 Review the station's FSSPM(D) report entitled SSD Report that is accessed through the Fault Tree Logic Menu. This report contains a list of all the affected components (equipment and cables) in each fire area.

4.2.3 Review the station's FSSPM(D) report entitled Fire Area Summary Report that is also accessed through the Fault Tree Logic Menu. The review of this report, entitled Safe Shutdown Strategy by Fire Area, will consist of ensuring that all the affected components in the SSD Report appear on this report, that a safe shutdown strategy exists for each of the affected components that results in a failure to achieve safe shutdown, and that the safe shutdown strategy will resolve the issue of the failed component.

4.2.4 Review changes made to the FSSPM database, and resolve any comments with the preparer of the change.

4.2.5 Review the results of the completed Fire Area Assessment for each fire area, and discuss any comments or alternative safe shutdown strategies for mitigating the effects of the fire.

4.2.6 When the Preparer identifies conditions that represent a potential deficiency in the existing analysis or documentation, review the findings with the Site SSD Engineer to determine if the component could have failed in the existing analysis.

4.2.7 Upon concurrence that a condition identified represents a potential deficiency in the existing SSD analysis or supporting documentation, process a Nuclear Condition Report (NCR) in accordance with the CAP (Reference 2.9).

4.3 Site Safe Shutdown Engineer

4.3.1 Review of completed Fire Area Assessment, and any technical input to a new exemption/deviation request.

4.3.2 Approval of completed Fire Area Assessment packages, changes to the Fire Safe Shutdown Program Manager database, and any technical input to a new exemption/deviation request.

4.3.3 Initiation of a Nuclear Condition Report (NCR) in accordance with the CAP (Reference 2.9) when conditions are identified that represent inadequacies or flaws in existing analysis or documentation.


4.3.4 Upon concurrence that the condition identified represents a potential deficiency in the existing analysis, the designated site personnel shall process the identified condition via the CAP.

4.4 Fire Protection Engineer

4.4.1 Perform detection and suppression assessments for those fire areas that utilize safe shutdown strategies that credit detection and suppression.

4.4.2 Validate the bases of existing exemptions or deviations for those fire areas that credit fire protection systems or features as part of any safe shutdown strategy.

4.4.3 Upon concurrence that the condition identified represents a potential deficiency in the existing analysis, the designated site personnel shall process the identified condition via the CAP.

4.5 Site Fire Protection Initiatives Project Coordinator

4.5.1 Acceptance of any unresolved items associated with Project Sub-tasks 4.1.3, 4.1.4, and 4.1.5 as not being a restraint to beginning work to be performed under this procedure, and ensuring that these items have been entered in the Project Open Items List.

4.5.2 Approval of completed Fire Area Assessment packages, changes to the Fire Safe Shutdown Program Manager database, and any technical input to a new exemption/deviation request in the event the Site Safe Shutdown Engineer serves in either the role of the Preparer or Reviewer of that document.

5.0 PREREQUISITES

5.1 The Fire Safe Shutdown Program Manager database software, and the station's specific data, prepared under Project Sub-task 4.1.3, SSA Fire Protection Database, shall have completed all required reviews, and appropriate CRTNs processed documenting acceptance.

5.2 The validation of the safe shutdown circuit analysis, under Project Sub-task 4.1.5, Circuit Analysis and Selection should be complete and released for use. It is possible that some Fire Area safe shutdown validations may be performed if data for the areas to be validated is complete.

6.0 PRECAUTIONS AND LIMITATIONS

NOTE Any unresolved items associated with prerequisite Project Sub-tasks need to be accepted by the Site Fire Protection Initiatives Project Coordinator as not being a restraint to beginning work performed under this procedure.

6.1 The resolution of any Progress Energy comments on the documentation associated with Project Sub-tasks 4.1.3, 4.1.4 and 4.1.5 prepared by Sargent & Lundy shall be reviewed for incorporation into the Fire Safe Shutdown Program Manager database.


6.2 The results of Project Sub-task 4.1.8, Manual Action Feasibility, could potentially change the deliverables produced in this Project Procedure, and the use of a manual action cannot be considered an appropriate exception (resolution strategy) until this Sub-task is complete.

6.3 The incorporation of exceptions (compliance strategies) into the FSSPM(D) during the course of performing Task 6 (Project Sub-task 4.1.6) should be done through the use of forms built into the FSSPM(D). However, it is possible, and may at times be more efficient, to add data to the FSSPM(D) by updating the various tables in the FSSPM database.

6.4 Any changes made to the FSSPM(D) shall be documented using the change control process described in Reference 2.1.

6.5 The FSSPM(D) and CAFTA programs do not have time based functional capabilities, and the extent of certain failures may necessitate the need for additional reviews such as thermal-hydraulic analysis.

7.0 SPECIAL TOOLS AND EQUIPMENT

N/A

8.0 ACCEPTANCE CRITERIA

NOTE In the following performance goals, the word shall is to be replaced with should when performing work associated with the HNP as these performance goals are only guidance under NUREG 0800.

The performance goals for the shutdown functions shall be:

8.1 The reactivity control function shall be capable of achieving and maintaining cold shutdown reactivity conditions.

8.2 The reactor coolant makeup function shall be capable of maintaining the reactor coolant level above the top of the core for BWRs and be within the level indication in the Pressurizer for PWRs.

8.3 The reactor heat removal function shall be capable of achieving and maintaining decay heat removal.

8.4 The process monitoring function shall be capable of providing direct readings of the process variables necessary to perform and control the above functions.

8.5 The supporting functions shall be capable of providing the process cooling, lubrication, etc., necessary to permit the operation of equipment used for safe shutdown functions.


9.0 INSTRUCTIONS

9.1 Area Analysis Assumptions

9.1.1 Fire Area / Analysis Areas boundaries are adequate for the hazard.

Basis of Assumption: Fire Area/Analysis area boundaries have been qualified or evaluated appropriately in the plant's Fire Hazards Analysis.

9.1.2 The Plant is operating at 100 percent power, equilibrium Xenon conditions (at the end of core life), and is in a normal plant lineup at the onset of the fire.

Basis of Assumption: Generally accepted initial plant conditions for accident analysis.

9.1.3 The reactor is tripped automatically or manually from the Control Room after fire initiation.

Basis for Assumption: Generic Letter 86-10, Enclosure 2, Section 3.8.4.

9.1.4 For Fire Areas crediting Alternative / Dedicated Shutdown Safe Shutdown Strategies, off-site power is assumed lost at the onset of the fire. However, off-site power is assumed available for those cases where availability of off-site power could adversely impact safe shutdown.

Basis for Assumption: 10CFR50, Appendix R, Sections III.G and III.L; Generic Letter 81-12.

9.1.5 For Fire Areas that credit normal shutdown methods (i.e. alternate or dedicated shutdown strategies are not utilized) offsite power sources can be credited, if it has been shown by analysis that it will not be lost as a result of the postulated fire.

Basis for Assumption: Generally accepted strategy in the nuclear industry for performing post-fire safe shutdown analysis.

9.1.6 Failures of systems, equipment, instrumentation, controls, or power supplies, that are not a direct consequence of the fire, do not occur before, during, or following the fire.

Basis for Assumption: 10CFR50, Appendix R, III.L.6.

9.1.7 Independent events (i.e., another separate fire, an earthquake, flooding, lightning, tornadoes or other severe weather, an act of sabotage, etc.) do not occur before, during, or following the fire.

Basis for Assumption: Generic Letter 86-10, Enclosure 2, Section 7.2 and 10CFR50, Appendix R, III.L.6.


9.1.8 Abnormal system transients or behavior, or design basis accidents, do not precede the onset of the fire; nor do any of these events, that are not a direct consequence of fire damage, occur during or following the fire.

Basis for Assumption: Generic Letter 86-10, Enclosure 2, Section 7.2 and 10CFR50, Appendix R, III.L.6.

9.1.9 The Reactor Protection System (RPS) and the associated reactor trip breakers are of a fail-safe design. Therefore, the safe shutdown analysis credits either automatic or manual trip after fire initiation. In the event of Control Room evacuation, the action of manually tripping the reactor prior to Control Room evacuation is assumed. As a result, the RPS may be excluded from the safe shutdown analysis separation analysis and the associated circuit analysis.

Basis for Assumption: Generic Letter 86-10, Enclosure 2, Section 3.8.4.

9.1.10 Within the Current Design Methodology, the "worst case" fire-induced plant transient shall consider the following for a fire in any single fire area:

One worst-case spurious actuation or signal.

The loss of all automatic function (signal, logic) from the circuits located in the fire area in conjunction with one worst case spurious actuation or signal.

Spurious actuation of the redundant valves in any one high/low pressure interface line when the valves or associated circuits are located in the same fire area.

Basis for Assumption: Generic Letter 86-10, Enclosure 2, Section 5.3.10.

9.1.11 The following damage is assumed to occur due to the postulated fire:

Fire damage occurs throughout the fire area under consideration.

Fire damage results in an unusable cable that cannot be considered functional with regard to ensuring proper circuit operation.

Basis for Assumption: The insulation and external jacket material of electrical cables is susceptible to fire damage. Damage may assume several forms including deformation, loss of structure, cracking, and ignition. The relationship between exposure of electrical cable insulation to fire conditions, the failure mode, and time to failure may vary with the configuration and cable type. To accommodate these uncertainties in a consistent and conservative manner, this analysis assumes that the functional integrity of electrical cables is lost when cables are exposed to a postulated fire in a fire area, except where protected by a fire rated barrier within the fire area (or radiant energy shield within containment). Please note that this assumption will change based on the Progress Energy Fleet Fire Induced Circuit Failures Position contained in Attachment 4, Fire Induced Circuit Failure - Circuit Analysis of Reference 2.5.


9.1.12 Electrical equipment located in a fire area is assumed to fail as a result of the postulated fire in the fire area, and is considered unavailable to ensure completion of safe shutdown functions unless it meets the separation criteria of 10CFR50 Appendix R, guidance of NUREG 0800, or is shown to be acceptable as-is based on an approved exemption / deviation. This electrical equipment includes motors, instruments, I/P converters, controllers, switches, MCC's, switchgear, transformers, generators, batteries, panel boards, etc.

Basis for Assumption: The components contained within electrical equipment are susceptible to fire damage. Damage may assume several forms. The relationship between exposure of electrical equipment to fire conditions, the failure mode, and time to failure may vary with the configuration and component type. To accommodate these uncertainties in a consistent and conservative manner, this analysis assumes that the functional integrity of electrical components is lost when these components are exposed to a postulated fire in a fire area.

However, consideration should also be given to the possibility that total failure of the electrical component may not be the worst case failure. Spurious operation of a component may occur such that it introduces additional concerns (i.e. NRC IN 92-18) that need to be considered and addressed.

9.1.13 The adverse effects of fire on piping, tubing, heat exchangers, and tanks are assumed to have no adverse impact on their ability to function as pressure boundaries or as safe shutdown components. Brazed and soldered lines are assumed damaged in the event of a fire. For valves, the fire damage is limited to power-assisted operators such as motors, air operators, hydraulic and/or solenoid operators.

Basis for Assumption: Due to the substantial nature of equipment and nature and location of combustibles, fire will not impact the pressure boundary function. A fire does not cause a valve to change position unless the fire also affects the electrical equipment or circuits capable of inducing spurious operation of the valve. Manual stroking of a valve once the fire is extinguished will be evaluated as part of the Manual Action Feasibility Evaluation (i.e., will the valve handwheel, stem and other mechanical elements of the valve remain intact), along with demonstrating re-entry into the area and access to the valve. Refer to Attachment 3, Manual Action Feasibility Assessment Criteria of Reference 2.5.

9.1.14 Instruments exposed to a fire (e.g., RTDs, thermocouples, pressure transmitters, flow transmitters, and mechanically linked remote/local indications) are assumed to suffer damage that results in failure of the instruments. The instrument fluid boundary associated with these devices, however, remains intact. Instrument sensing lines exposed to a fire may cause erratic or unreliable indication and shall be evaluated. Sight glass indicators are considered to be mechanical equipment, and, as such, are not susceptible to fire damage.

Basis for Assumption: Due to the substantial nature of equipment and nature and location of combustibles, fire will not impact the pressure boundary function. If a local instrument gage is credited in the fire area of concern, then a specific evaluation of the feasibility of that action will be performed as part of Project Sub-task 4.1.8.


9.2 Safe Shutdown Strategy Application Criteria

The strategies contained in this section address both Appendix R and NUREG-0800 plants. When appropriate, the strategies are differentiated as either being applicable to Appendix R or NUREG-0800. When a criterion is based upon an Appendix R requirement, the Section number within Appendix R is identified. When a criterion is based upon NUREG-0800, it is identified by reference to the appropriate Paragraph in the BTP CMEB 9.5-1.

When a fire within a single fire area cannot prevent safe shutdown as determined by CAFTA (i.e., no single event cut sets are generated for the fire area), then it is not necessary to assign a safe shutdown strategy. Safe shutdown components within the fire area meet the separation criteria of 10CFR50 Appendix R or NUREG-0800. The safe shutdown strategy is: One train of systems necessary to achieve and maintain safe shutdown conditions from the control room remains free of fire damage (Section III.G.1.a, or Paragraph C.5.b(1)(a)).

When a fire within a single fire area can prevent safe shutdown as determined by CAFTA (i.e., a single event cut set is generated for the fire area), then safe shutdown strategies must be evaluated and assigned to affected components. To the extent practical, standardized statements will be used. The safe shutdown strategies identified in this Section will be evaluated and assigned in the resolution notes and code names described below.

CAUTION The incorporation of exceptions (compliance strategies) into the FSSPM(D) during the course of performing Task 6 (Project Sub-task 4.1.6) should be done through the use of the forms built into the FSSPM(D). It is possible, and may at times be more efficient, to add data to the FSSPM(D) by updating the various tables in the FSSPM(D) database directly.

However, this should be performed only by individuals who are familiar with the safe shutdown analysis process, with working in Microsoft Access databases, and with the relationships of the tables in the FSSPM(D).

NOTE In the FSSPM(D), the code name will be entered in the Compliance Strategy field on the EXCEPT_CS form, and the resolution note will be added in the Description field on the Exception Descriptions form.

9.2.1 Separation of cables and equipment and associated non-safe shutdown circuits of redundant trains by a fire barrier having a 3-hour rating. Structural steel forming a part of or supporting such fire barriers shall be protected to provide fire resistance equivalent to that required of the barrier. (Section III.G.2.a, or Paragraph C.5.b(2)(a)). This strategy includes fire raceway barriers (e.g. Interam or Mecatiss) or other fire resistant construction.

A standard statement for this situation is: The cables associated with this component are enclosed in a 3-hour rated fire barrier and therefore are not susceptible to fire damage. (Code name: BARRIER3)

NOTE The Code name suffix (-xxx) is a sequential number assigned to the strategy when the statement wording is varied. If the wording of a strategy utilized is the exact same wording of another Code name, the expectation is that the suffix number would be the same.

9.2.2 Separation of cables and equipment and associated non-safety (i.e. safe shutdown) circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area.

Detection and suppression shall be full area coverage. (Section III.G.2.b, or Paragraph C.5.b(2)(b)).

A standard statement for this situation is: This [fill in success path statement] is separated from [fill in success path statement] by 20 feet, with no intervening combustibles and appropriate suppression and detection, and therefore one safe shutdown success path will remain available. (Code name: SEPARATION-xxx)

9.2.3 Enclosure of cable and equipment and associated non-safety (safe shutdown) circuits of one redundant train in a fire barrier having a one-hour rating (wrap must be barrier to barrier in the fire area). In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area. Detection and suppression shall be full area coverage. (Section III.G.2.c, or Paragraph C.5.b(2)(c)).

A standard statement for this situation is: The cables associated with this component are enclosed in a 1-hour rated barrier with appropriate detection and suppression, and therefore are not susceptible to fire damage. (Code name: BARRIER1-xxx)

9.2.4 Systems necessary to achieve and maintain cold shutdown (but not required for hot standby) from either the Control Room or emergency control station(s) can be repaired within 72 hours. Repair procedures and materials must be maintained onsite, and systems necessary to maintain hot standby must be available to achieve and maintain hot standby until repairs are complete and cold shutdown can be initiated. (Section III.G.1.b, or Paragraph C.5.b(1)(b)).

A standard statement for this situation is: This cold shutdown equipment can be repaired within 72 hours. Material, procedures, and manpower are available on site. (Code name: REPAIR-xxx)

9.2.5 Alternative or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area, room, or zone under consideration shall be provided. In addition, procedures and material shall be in place for alternate shutdown scenarios. (Section III.G.3, Paragraph C.5.c(1))

NOTE Per 10CFR50 Appendix R, Section III.G.3, fire detection and fixed fire suppression shall be installed in the area, room or zone under consideration. However, this is not a stipulation of NUREG-0800.

A standard statement for this situation is: Alternative shutdown capability is available for a fire in this Analysis Area. (Code name: ALTERNATE-xxx)

9.2.6 New exemption/deviation request or clarification of an existing exemption/deviation request without plant and/or procedure modification.

A standard statement for this situation is: The [component/flowpath] is not susceptible to fire damage because [summarize the exemption/deviation request in bullet format]. (Code name: EXEMPTION -xxx, or DEVIATION -xxx as appropriate)

9.2.7 New exemption/deviation request or clarification of an existing exemption/deviation request with plant and/or procedure modification.

A standard statement for this situation is: The [component/flowpath] is not susceptible to fire damage because [summarize the exemption/deviation request in bullet format]. (Code name: EXEMPTION_CH -xxx, or DEVIATION_CH -xxx as appropriate)

9.2.8 An engineering evaluation (i.e. GL 86-10 evaluation) to demonstrate the equivalency of the fire protection features required by 10CFR50 Appendix R, or NUREG-0800 (i.e., partial area suppression and/or detection, and/or the adequacy of fire barriers). This evaluation must contain approval by a Fire Protection Engineer who is Member Grade in the Society of Fire Protection Engineers, or equivalent.

A standard statement for this situation is: The [component/flowpath] is not susceptible to fire damage because [summarize the engineering evaluation in bullet format and reference engineering evaluation]. (Code name: ENG_EVAL-xxx)

9.2.9 Manual Actions. Existing manual actions are to be eliminated and replaced with a different safe shutdown strategy if feasible. New manual actions are to be added only as a last resort. Recent NRC positions on manual actions shall be considered when evaluating the addition of a new manual action (References 2.6 and 2.7). Manual action feasibility will be demonstrated during the performance of Project Sub-task 4.1.8. However, manual actions must meet the feasibility guidance provided in Attachment 3 of ERG-NGGC-0102, and these criteria should be considered when developing a new strategy that relies on a manual action.

Different standard statements are suggested for each type of component.

NOTE In the following statements, the term fire area has been substituted for fire zone.

A standard statement for diesels, pumps, fans, chillers is: Manually [disable/trip/stop/start] [component no.] at local panel [panel no.] in Fire Zone [___].

A standard statement for power panels is: De-energize [panel no.] by opening circuit breaker [breaker no.] at [panel no.] located in Fire Zone [___].

A standard statement for instruments is: Monitor [system function] using local instrument [component no.] located in Fire Zone [___].

A standard statement for motor operated valves is: De-energize [valve no.] at [panel no.] [breaker no.] located in Fire Zone [___]. Then verify [open/closed]/manually [open/close] [valve no.] in Fire Zone [___].

A standard statement for solenoid operated valves or dampers is: De-energize [valve/damper no.] at [panel no.] [disconnect switch] in Fire Zone [___] in order to fail the [valve/damper] [opened/closed].

A standard statement for manual valves is: Manually [open/close] [component no.] located in Fire Zone [___].

(Code names: MANUAL_ACTION_HOT-xxx and/or MANUAL_ACTION_COLD-xxx as appropriate)

9.2.10 Actions taken in the Control Room (operator actions versus operator manual actions).

A standard statement for this situation is: [Verb (e.g., bypass, start, stop, etc.)] [component] and control [insert function] in the Main Control Room. (Code name: CONTROL_ROOM_ACTION-xxx)

NOTE Strategies coded as EMERGENT in the FSSPM(D) do not need to be entered into the CAP unless the issue affects the current licensing basis (CLB) for the plant.

9.2.11 For potential non-compliances or open issues that require further analysis, enter an Emergent Code.

A standard statement for this situation is: [Explain emergent issue or open statement]. This statement will be used until the issue is closed by the station (e.g., modification installed); then the standard statement for final closure will be used. (Code name: EMERGENT-xxx)

9.2.12 Components where compliance is achieved through a redundant logic success path (except power supplies).

NOTE When utilizing this compliance strategy, the statement should provide indication as to what path or component provides the redundancy.

A standard statement for this situation is: [Success path or redundant component] remains available [from the Control Room/through local manual action]. (Code name: REDUNDANT-xxx)

OR

Components appearing on multiple logic diagrams or components used to satisfy more than one performance goal.

A standard statement for this situation is: [Performance goal statement], [success path or redundant component] remain(s) available [from the Control Room/through operator manual action]. (Code name: REDUNDANT-xxx)

9.2.13 A situation where a component is de-energized pre-fire.

A standard statement for this situation is: [Insert component number] is not susceptible to spurious operation because the breaker for this component is normally open and [insert component name] is de-energized. (Code name: NO_POWER-xxx)

9.2.14 A situation where support systems are not credited in the fire area.

NOTE When appropriate, the following statement should include an explanation as to why the support system (or component) is not required.

A standard statement for this situation is: This component provides support/power [safety function, success path, performance goal statement, etc.] that is not required for a fire in this area. Therefore, loss of this component will not affect safe shutdown. (Code name: NO_SUPPORT-xxx)

9.2.15 Areas where ventilation may be lost.

A standard statement for this situation is: To establish [Area/Room HVAC], manual control of [fan/damper], the use of portable fans, and/or opening room doors is required. (Code name: VENTILATION-xxx)

9.2.16 An engineering review during the safe shutdown validation determined the consequences of the effects of the fire on achieving safe shutdown.

A standard statement for this situation is: The [component no.] [explain the consequences of the loss of the component or why the component is available due to the reviews during the safe shutdown validation]. (Code name: ENG_REVIEW-xxx)

9.2.17 Mechanical components that are impervious to fire induced damage and will be available during and after the fire.

A standard statement for this situation is: The [component name and no.] is not susceptible to fire induced damage, and will remain available to support safe shutdown. (Code name: MECHANICAL-xxx)

Containment Strategies

In addition to the above, the following strategies shall be considered for use in resolution of separation issues inside noninerted containments:

9.2.18 Separation of cables and equipment and associated non-safety (i.e. safe shutdown) circuits of redundant trains by horizontal distance of more than 20 feet with no intervening combustibles or fire hazards (Section III.G.2.d)

CAUTION This strategy is for Appendix R plants, and if used on HNP, it would require a new deviation from NUREG 0800, BTP CMEB 9.5-1. Therefore, it would be designated as emergent-containment.

A standard statement for this situation is: This [fill in success path statement] is separated from [fill in success path statement] by 20 feet, with no intervening combustibles and therefore, one safe shutdown success path will remain available. (Code name: CNTMNT_SEP-xxx for Appendix R plants, and EMER_CNTMNT1-xxx for HNP),

OR

NOTE For HNP the following strategy should be used for all components and cables separated by more than 20 feet with no intervening combustibles, even for those areas without an automatic suppression system, which are covered by a deviation from NUREG-0800, BTP CMEB 9.5-1.

Separation of cables and equipment and associated circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards. In addition, fire detectors and an automatic fire suppression system should be installed in the fire area (Paragraph C.5.b(2)(b)).

A standard statement for this situation is: This [fill in success path statement] is separated from [fill in success path statement] by 20 feet, with no intervening combustibles and appropriate suppression and detection, and therefore, one safe shutdown success path will remain available. (Code name: CNTMNT_SEP-xxx)

9.2.19 Installation of fire detectors and an automatic fire suppression system in the fire area (Section III.G.2.e).

CAUTION This strategy is for Appendix R plants, and if used on HNP, it would require a new deviation from NUREG 0800, BTP CMEB 9.5-1. Therefore, it would be designated as emergent-containment.

A standard statement for this situation is: Appropriate fire detection and suppression is provided in the area and therefore, one safe shutdown success path will remain available. (Code name: CNTMNT_DET_SUPP-xxx for Appendix R plants, and EMER_CNTMNT2-xxx for HNP),

OR

Fire detection systems should be provided for each fire hazard. The type of detection used and the location of the detectors should be the most suitable for the particular type of fire hazard identified by the fire hazard analysis. (Paragraph C.7.a(1)(c)).

A standard statement for this situation is: Appropriate fire detection is provided in the area of the fire hazards and therefore, one safe shutdown success path will remain available. (Code name: CNTMNT_DET-xxx)

9.2.20 Separation of cables and equipment and associated non-safety (i.e. safe shutdown) circuits of redundant trains by a non-combustible radiant energy shield. (Section III.G.2.f)

A standard statement for this situation is: The cables associated with [name component] are separated from redundant safe shutdown components by a radiant energy shield; therefore, at least one safe shutdown method will remain available. (Code name: CNTMNT_SHIELD-xxx),

OR

Separation of cables and equipment and associated non-safety (i.e. safe shutdown) circuits of redundant trains by a non-combustible radiant energy shield having a minimum fire rating of one-half hour (Paragraph C.7.a(1)(b)).

A standard statement for this situation is: The cables associated with this component are separated from redundant safe shutdown components by a radiant energy shield having a minimum fire rating of one-half hour; therefore, at least one safe shutdown method will remain available. (Code name: CONTAINMENT3-xxx)

9.2.21 The following strategy (an Appendix R strategy) is included for reference and for completeness. If used, it will require a new deviation from NUREG-0800, BTP CMEB 9.5-1. Therefore, it is designated as emergent-containment.

Separation of cables and equipment and associated non-safe shutdown circuits of redundant trains by horizontal distance of more than 20 feet with no intervening combustibles or fire hazards (Section III.G.2.d)

A standard statement for this situation is: This [fill in success path statement] is separated from [fill in success path statement] by 20 feet, with no intervening combustibles and therefore, one safe shutdown success path will remain available. (Code name: EMER_CNTMNT1-xxx)

9.3 Fire Area Nuclear Safety Capability Evaluations (within CDM)

The Current Design Methodology (CDM) for analyzing only fire induced circuit failures is provided in Attachment 4, Fire Induced Circuit Failure - Circuit Analysis of Reference 2.5. This document includes consideration of postulated spurious component actuations. Any and all components susceptible to spurious actuations may spuriously actuate, with the spurious actuations occurring one at a time. The initial assessments for each fire area shall be performed in accordance with the Current Design Methodology.

9.3.1 Generate an augmented fault tree model following the instructions in Sections 5.2, 5.3, and 5.4 of Reference 2.13. For the initial evaluation, this will involve adding cable and fire area location data to the basic fault tree model. For subsequent evaluations, the augmented fault tree model will also include exceptions. Evaluating the area analysis results is an iterative process that may take several iterations for any given fire area.

NOTE Each single event cut set generated using the following steps represents a single fire area where safe shutdown cannot be achieved because of fire damage to one or more components and/or cables located within the area.

9.3.2 The CAFTA Fault Tree Editor will be used to generate a cut set for the fire area to be evaluated. This cut set is generated by selecting the Edit, Find command from the menu bar to locate the fire area to be evaluated. Right click on the fire area basic event and select True. The basic event will turn red, and all failures caused by this basic event will now propagate through the fault tree.

9.3.3 Choose the View, Show Tops command from the menu bar and select the desired top event of the fault tree to navigate to it. If the top event is now failed (i.e., it has turned red), it is necessary to determine which components and/or cables are causing the failure.

9.3.4 Choose the Edit, Find command to navigate to the component(s) that is (are) affected by the postulated fire. Locate the failed input(s). Review the failure propagation through the fault tree by following the logic.

9.3.5 To evaluate the effect of the individual failure, right click on the component and/or cable and select False. The gate will turn green. Navigate back to the top event, and determine if the failure still propagates to the top event. This process may need to be repeated several times to identify all of the new failures that cause the fault tree to fail. Repeat as necessary until the fault tree is no longer failed. The Safe Shutdown Engineer should keep a list of each failed gate that requires a resolution strategy.

9.3.6 For each fire area with a single event cut set, assemble the CAFTA output listing failed gates, and obtain a copy of the current safe shutdown analysis results for the area that lists the current safe shutdown strategies.

9.3.7 Review the existing safe shutdown area analysis. Determine if an existing fire area assessment is available for each failed component (or cable) within the analysis area. Where a component (or cable) already has an approved safe shutdown strategy, review that strategy to ensure it is still acceptable under the guidance of this document. If the previously approved strategy is still acceptable, enter it as an exception; if it is not acceptable, create a new exception. Apply the exception to the failed input for the subject fire area. Follow the guidance in Section 9.2 of this procedure in creating and developing the exceptions.

NOTE If during the validation process changes were made that involve deletion of any components or cables, it is possible that previous failures in a given fire area have been eliminated. The impact could be to make a component or function available in a fire area where it previously was unavailable. If there have been any component or cable changes, the next following step may be skipped.

9.3.8 If the validation process involved the deletion of a component or cable, it will be necessary to evaluate the fault tree logic to determine whether previously applied resolution strategies are no longer required. The general method is to review the affected fault tree logic sections and look for failed gates blocked by exception gates that would not propagate otherwise. These can be checked by right clicking on the intermediate blocking gate and setting it to "True", then verifying that the failure has not propagated to the top event. The Safe Shutdown Engineer should keep a list of any such gates found.

9.3.9 For failed gates without an existing safe shutdown strategy, create a new safe shutdown strategy following the evaluation method outlined in Section 9.2. When evaluating potential resolutions, it is important to be aware of the issue of masking. The general subject and basic methodology to address masking is described in Attachment 1.

9.3.10 Enter the exception into the FSSPM(D) utilizing the guidance provided in the FSSPM(D) Users Manual.

9.3.11 Repeat Steps 9.3.1 through 9.3.10 until no further cut sets are generated when CAFTA evaluates the augmented fault tree model.
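The screening loop in Steps 9.3.2 through 9.3.11 (set the fire area basic event True, check whether the top event fails, clear the contributing inputs one at a time until it no longer fails, and after a deletion re-check whether an exception is still blocking anything) can be shown on a toy model. The Python block below is an added illustration written for this page; it is not CAFTA, not the FSSPM(D), and not the project's own code. The gate names, component and cable numbers, fire areas and the small two-train logic are all constructed, and the exception handling (an excepted input is simply treated as not failed) is an assumption about how exception gates block propagation.

```python
# Added illustration of the Section 9.3 screening loop on a constructed fault tree.
# Gates map name -> (kind, inputs); kind is "OR" (fails if any input fails) or
# "AND" (fails only if every input fails). Leaves are components or cables.


class FaultTree:
    def __init__(self, top, gates, location):
        self.top = top
        self.gates = gates          # gate name -> ("OR" | "AND", [input names])
        self.location = location    # basic event -> fire area it is located in

    def events_in(self, area):
        """Basic events damaged by a fire in `area` (the fire area basic event set True)."""
        return {e for e, a in self.location.items() if a == area}

    def state(self, failed_events):
        """Evaluate the tree; returns name -> True for every node that is failed."""
        memo = {}

        def ev(node):
            if node in memo:
                return memo[node]
            if node in self.gates:
                kind, inputs = self.gates[node]
                vals = [ev(i) for i in inputs]
                memo[node] = all(vals) if kind == "AND" else any(vals)
            else:
                memo[node] = node in failed_events
            return memo[node]

        ev(self.top)
        return memo

    def contributing(self, failed_events):
        """Step 9.3.4: basic events reached from the top event through failed gates."""
        st = self.state(failed_events)
        found, stack = set(), [self.top]
        while stack:
            n = stack.pop()
            if not st.get(n, False):
                continue                      # unfailed branch: nothing to follow
            if n in self.gates:
                stack.extend(self.gates[n][1])
            else:
                found.add(n)
        return found


def single_event_cut_set(tree, area, exceptions=frozenset()):
    """Steps 9.3.2/9.3.3: does a fire in `area` fail the top event? Events that
    carry an approved exception (Step 9.3.7) are treated as not failed."""
    failed = tree.events_in(area) - set(exceptions)
    return tree.state(failed)[tree.top]


def strategies_needed(tree, area, exceptions=frozenset()):
    """Step 9.3.5: clear one contributing failure at a time (right click, False)
    until the top event no longer fails; returns the inputs needing a strategy."""
    needed, exc = [], set(exceptions)
    while single_event_cut_set(tree, area, exc):
        e = min(tree.contributing(tree.events_in(area) - exc))
        needed.append(e)
        exc.add(e)
    return needed


def exception_still_required(tree, area, exceptions, event):
    """Step 9.3.8: set the blocked input True again (drop its exception) and see
    whether the failure now propagates to the top event."""
    return single_event_cut_set(tree, area, set(exceptions) - {event})


def without_event(tree, event):
    """A component or cable deleted during validation has no location any more,
    so no fire damages it (Step 9.3.8 precondition)."""
    return FaultTree(tree.top, tree.gates,
                     {e: a for e, a in tree.location.items() if e != event})


# Constructed two-train model: injection needs both trains lost; DHR has one path.
PLANT = FaultTree(
    "SSD_FAIL",
    {
        "SSD_FAIL": ("OR", ["INJECTION_FAIL", "DHR_FAIL"]),
        "INJECTION_FAIL": ("AND", ["PUMP_A_FAIL", "PUMP_B_FAIL"]),
        "PUMP_A_FAIL": ("OR", ["PUMP-A", "CABLE-A1"]),
        "PUMP_B_FAIL": ("OR", ["PUMP-B", "CABLE-B1"]),
        "DHR_FAIL": ("OR", ["VALVE-1", "CABLE-V1"]),
    },
    {"PUMP-A": "FA-1", "PUMP-B": "FA-2", "VALVE-1": "FA-4",
     "CABLE-A1": "FA-3", "CABLE-B1": "FA-3", "CABLE-V1": "FA-3"},
)

if __name__ == "__main__":
    for area in ("FA-1", "FA-3", "FA-4"):
        print(area, "cut set:", single_event_cut_set(PLANT, area),
              "strategies needed:", strategies_needed(PLANT, area))
```

A fire in FA-1 damages only one train, so no single event cut set is generated and no strategy is assigned (the Section III.G.1.a case in Section 9.2). A fire in FA-3 damages both injection cables and the DHR cable, and the loop reports exceptions for CABLE-A1 and CABLE-V1; if CABLE-B1 is later removed from the model, the same Step 9.3.8 check shows the CABLE-A1 exception is no longer needed.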

9.3.12 When the evaluation is completed for each fire area, present the results to the Site SSD Engineer for discussions regarding different safe shutdown strategies (in conjunction with the multiple spurious signals evaluation performed under Section 9.5).

9.3.13 Revise the safe shutdown strategies (exceptions) as necessary to reflect changes identified during the review and approval cycle for the fire area assessment.

9.3.14 It is recommended that a Shutdown Summary Sheet similar to that shown in Attachment 2 be prepared for this evaluation. This sheet provides a general overview of the proposed shutdown at an operations level, identifying the power sources available (off-site and on-site), along with busses, procedure(s) to be utilized and/or systems credited as being available. If major changes to existing shutdown procedures will be needed as a result of this validation effort, these changes should also be outlined in this summary.

9.3.15 Assemble a documentation package for the Fire Area that includes, as a minimum, a copy of the SSD Report, Fire Area Summary Report, and the Shutdown Summary Sheet. The package should then be signed by the preparer, reviewer, and approved by the Site Safe Shutdown Engineer.

9.4 Evaluation of Existing Safe Shutdown Strategies

9.4.1 Once the fault tree model has been resolved for each fire area, compare the newly generated safe shutdown strategies against the existing safe shutdown strategies. Evaluate differences between the new analysis and the existing analysis to determine if an affected component could be damaged such that safe shutdown could not be achieved in the area, and no safe shutdown strategy for that component exists within the existing analysis.

Differences that would not result in failure to achieve safe shutdown shall not be considered concerns with the existing analysis. Following are some examples of differences that would not be considered concerns in the existing analysis.

Changes to the safe shutdown strategy. Changes are considered as enhancements or changes to the analysis.

The omission of a cable in the existing analysis, when other cables for the affected component are present, and the applied exception (e.g., fire wrap, manual action) is also applicable to the new cable. This is considered as an enhancement to the analysis.

9.4.2 If the existing fire area assessment for the fire area is determined to be a concern, promptly bring this matter to the attention of the Site Safe Shutdown Engineer, or designated alternate personnel in their absence.

9.5 Changes to FSSPM(D) Resolution Strategies

In general, changes to resolution strategies will be made following evaluation of the revised Augmented FTL file using the CAFTA program. Section 9.2 of this procedure provides specific guidance for selecting safe shutdown strategies. However, in two specific cases, it will be necessary to make changes to the resolution strategies prior to using CAFTA to evaluate the augmented fault tree logic. These are discussed below.

9.5.1 If a component has been deleted from the SSEL and the fault tree model, then it will be necessary to also delete all resolution strategies related to the component prior to evaluating the new logic using CAFTA. Failure to remove the related resolution strategy records prior to processing fault tree logic may result in error messages that preclude exporting a valid Augmented FTL file for use by CAFTA.

Perform the following steps:

1. Open the Normal Exception form and find exceptions for the component using the Search CGATE button. Delete all records containing the deleted component number. Deleting records from the Normal Exception form should also delete daughter records in table tbl_EXCEPT_CS.
2. Open the High Level Exception form and find exceptions for the component using the Search CGATE button. Delete all records containing the deleted component number. Deleting records from the High Level Exception form should also delete daughter records in table tbl_EXCEPT_CS.

9.5.2 If cables have been deleted from the SSEL, then it will be necessary to also delete all resolution strategies related to these cables prior to evaluating the new logic using CAFTA. Failure to remove the related resolution strategy records prior to processing fault tree logic may result in error messages that preclude exporting a valid Augmented FTL file for use by CAFTA. Perform the following steps:

1. Open the Normal Exception form and find exceptions related to the cable using the Search CGATE button. Delete all records containing the deleted cable number. Deleting records from the Normal Exception form should also delete daughter records in table tbl_EXCEPT_CS.
2. Open the High Level Exception form and find exceptions for the cable using the Search CGATE button. Delete all records containing the deleted cable number. Deleting records from the High Level Exception form should also delete daughter records in table tbl_EXCEPT_CS.

9.5.3 For all other additions, deletions and changes to resolution strategy records, use the Add, Delete, or Edit buttons on the appropriate exception forms to make the required changes.
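To see why Steps 9.5.1 and 9.5.2 insist that the daughter records in tbl_EXCEPT_CS go with the parent exception record, here is an added Python/sqlite3 sketch; it is not the FSSPM(D) schema or the project's code. Only the daughter table name tbl_EXCEPT_CS and the CGATE field come from this procedure; the parent table name tbl_EXCEPT, the other column names and the sample records are assumptions. It performs the same parent deletion with referential cascade in force and without it, and adds an orphan check of the kind worth running before exporting the Augmented FTL file.

```python
# Added illustration of parent/daughter exception records (constructed schema).
import sqlite3

# tbl_EXCEPT_CS is the daughter table named in Step 9.5.1; tbl_EXCEPT and all
# column names are assumptions standing in for the real FSSPM(D) tables.
SCHEMA = """
CREATE TABLE tbl_EXCEPT (
    except_id INTEGER PRIMARY KEY,
    cgate     TEXT NOT NULL,   -- component or cable number the exception applies to
    descr     TEXT             -- resolution note
);
CREATE TABLE tbl_EXCEPT_CS (
    cs_id     INTEGER PRIMARY KEY,
    except_id INTEGER NOT NULL REFERENCES tbl_EXCEPT(except_id) ON DELETE CASCADE,
    strategy  TEXT NOT NULL    -- code name from Section 9.2, e.g. BARRIER3
);
"""

# Constructed sample records
SAMPLE_EXCEPT = [
    (1, "PUMP-A", "Cables enclosed in a 3-hour rated barrier"),
    (2, "CABLE-B1", "Separated from redundant train by 20 feet"),
    (3, "VALVE-1", "Valve is de-energized pre-fire"),
]
SAMPLE_CS = [
    (10, 1, "BARRIER3"),
    (11, 1, "MANUAL_ACTION_HOT-001"),
    (12, 2, "SEPARATION-001"),
    (13, 3, "NO_POWER-001"),
]


def open_db(enforce_foreign_keys=True):
    """Fresh in-memory database. SQLite honours ON DELETE CASCADE only while the
    foreign_keys pragma is on, so the flag lets both behaviours be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_foreign_keys else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tbl_EXCEPT VALUES (?, ?, ?)", SAMPLE_EXCEPT)
    conn.executemany("INSERT INTO tbl_EXCEPT_CS VALUES (?, ?, ?)", SAMPLE_CS)
    conn.commit()
    return conn


def delete_exceptions_for(conn, cgate):
    """Step 9.5.1 item 1 / 9.5.2 item 1: remove every exception record that names
    the deleted component or cable. Returns the number of parent records removed
    (cascade-deleted daughters are not counted by SQLite)."""
    cur = conn.execute("DELETE FROM tbl_EXCEPT WHERE cgate = ?", (cgate,))
    conn.commit()
    return cur.rowcount


def orphaned_strategies(conn):
    """Daughter records whose parent exception no longer exists. Any row here is
    the kind of leftover that Step 9.5.1 warns will break the Augmented FTL export."""
    return conn.execute(
        "SELECT cs.cs_id, cs.strategy FROM tbl_EXCEPT_CS cs "
        "LEFT JOIN tbl_EXCEPT e ON e.except_id = cs.except_id "
        "WHERE e.except_id IS NULL ORDER BY cs.cs_id"
    ).fetchall()


def strategy_ids(conn):
    """All remaining daughter record ids, for inspection."""
    return [r[0] for r in conn.execute("SELECT cs_id FROM tbl_EXCEPT_CS ORDER BY cs_id")]


if __name__ == "__main__":
    for enforce in (True, False):
        db = open_db(enforce)
        removed = delete_exceptions_for(db, "PUMP-A")
        print(f"foreign_keys={'ON' if enforce else 'OFF'}: removed {removed} parent, "
              f"orphans={orphaned_strategies(db)}, remaining={strategy_ids(db)}")
```

With the cascade in force the two compliance strategy records for PUMP-A disappear with their parent; without it they stay behind with no parent, which is exactly what the orphan query reports and what the form-based deletion in the procedure is meant to prevent.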

9.6 Fire Area Nuclear Safety Capabilities Evaluations (within RDM)

In accordance with the Progress Energy technical position on circuit analysis (Attachment 4, Fire Induced Circuit Failure - Circuit Analysis of Reference 2.5), the new analysis shall also consider multiple concurrent spurious operations. Once the initial fire area nuclear safety capabilities evaluations in accordance with the Current Design Methodology have been completed, then the areas shall be re-assessed within the Revised Design Methodology (RDM) taking into consideration multiple concurrent spurious actuations. This involves two separate aspects of the same issue. The first category of this issue involves simultaneous spurious actuations of two components caused by faults on two different cables. This review is addressed by step 9.6.1. The second category involves simultaneous spurious actuations caused by multiple hot shorts within the same cable, and this is addressed by step 9.6.2 below. The following steps define the process of performing this evaluation.

9.6.1 For each analysis area, postulate possible combinations of two concurrent spurious actuations resulting from fire-induced circuit damage to affected components, and determine whether each combination could result in an unrecoverable condition or unrecoverable equipment damage.

9.6.2 Run the report titled Cables Spuriously Operate more than One Component from the menu. This report will identify all cables for which multiple components can spuriously operate. If evaluating a specific fire area, it is necessary to compare the cables listed in this report against the list of cables present in the fire area in question.

9.6.3 For each analysis area, determine and document if the area is susceptible to the combinations identified.

9.6.4 Document in the Fire Area Assessment each combination and the resulting unrecoverable condition or equipment damage. A report summarizing the results of this review shall be prepared for inclusion with Project Sub-Task 4.1.10, Revise SSA Calculation.

9.6.5 Bring the results to the attention of the Site Safe Shutdown Engineer or his designated alternate for resolution. Any such results will be reviewed on a case-by-case basis and binned in accordance with the guidance provided in Attachment 4, Fire Induced Circuit Failure - Circuit Analysis of Reference 2.5. Some results may need to be resolved under the NFPA 805 transition. If appropriate, this deferral to the NFPA 805 transition phase of the project should be entered into the CAP (Reference 2.9).

9.6.6 Incorporate resolutions into SSA analysis.
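The two RDM categories in Section 9.6 (two spurious actuations from faults on two different cables in the area, and multiple hot shorts within one cable) are easy to confuse in a spreadsheet, so here is an added Python illustration of Steps 9.6.1 through 9.6.3 on constructed data. It is not the FSSPM(D) report named in Step 9.6.2 and not the project's code; the cable numbers, component numbers, fire areas and the set of component pairs treated as unrecoverable are all made up for the example, and real entries would come from the circuit analysis in Reference 2.5.

```python
# Added illustration of the Section 9.6 multiple spurious actuation review.
from itertools import combinations

# Cable -> components whose circuits it carries and that a hot short could
# spuriously operate (constructed sample, modelled on cable-to-equipment data).
CABLE_TO_COMPONENTS = {
    "CBL-101": ["MOV-1A"],
    "CBL-102": ["MOV-1B"],
    "CBL-103": ["SOV-7", "SOV-8"],    # one multiconductor cable serving two solenoid valves
    "CBL-104": ["PUMP-2"],
    "CBL-105": ["MOV-1A", "MOV-1B"],  # both trains' control circuits in one cable
}

# Fire area -> cables routed through it (constructed).
AREA_CABLES = {
    "FA-3": ["CBL-101", "CBL-102", "CBL-104"],
    "FA-5": ["CBL-103", "CBL-105"],
    "FA-6": ["CBL-104"],
}

# Component pairs whose concurrent spurious actuation the analyst has judged to
# give an unrecoverable condition (constructed; assumption for the example).
UNRECOVERABLE_PAIRS = {frozenset({"MOV-1A", "MOV-1B"}), frozenset({"SOV-7", "SOV-8"})}


def cables_operating_multiple_components(cable_map=CABLE_TO_COMPONENTS):
    """Step 9.6.2 report: cables that can spuriously operate more than one component."""
    return {c: comps for c, comps in cable_map.items() if len(set(comps)) > 1}


def two_cable_combinations(area, cable_map=CABLE_TO_COMPONENTS, area_cables=AREA_CABLES):
    """First category of Step 9.6.1: two components actuated by faults on two
    different cables that are both located in the area."""
    pairs = set()
    for c1, c2 in combinations(area_cables.get(area, []), 2):
        for a in cable_map.get(c1, []):
            for b in cable_map.get(c2, []):
                if a != b:
                    pairs.add(frozenset({a, b}))
    return pairs


def same_cable_combinations(area, cable_map=CABLE_TO_COMPONENTS, area_cables=AREA_CABLES):
    """Second category (Step 9.6.2): multiple hot shorts within one cable in the
    area, i.e. the report's cables cross-checked against the area's cable list."""
    multi = cables_operating_multiple_components(cable_map)
    pairs = set()
    for c in area_cables.get(area, []):
        if c in multi:
            for a, b in combinations(sorted(set(multi[c])), 2):
                pairs.add(frozenset({a, b}))
    return pairs


def susceptible_combinations(area, unrecoverable=UNRECOVERABLE_PAIRS):
    """Step 9.6.3: combinations present in the area that match a known
    unrecoverable pair, tagged with their category for the Fire Area Assessment."""
    findings = []
    for pair in sorted(two_cable_combinations(area), key=sorted):
        if pair in unrecoverable:
            findings.append(("two-cable", tuple(sorted(pair))))
    for pair in sorted(same_cable_combinations(area), key=sorted):
        if pair in unrecoverable:
            findings.append(("same-cable", tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    print("Cables operating more than one component:", cables_operating_multiple_components())
    for area in AREA_CABLES:
        print(area, susceptible_combinations(area))
```

FA-3 shows the first category: MOV-1A and MOV-1B are on separate cables, so the combination only appears when both cables run through the same area. FA-5 shows the second: a single cable (CBL-105) carries both, so the pair is reachable from one cable and the same area also picks up the SOV-7/SOV-8 pair from CBL-103.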

9.7 Detection and Suppression Assessments

9.7.1 For each fire area where a safe shutdown strategy relies upon the presence of area-wide detection and suppression, an evaluation of the adequacy of the installed fire detection and suppression systems must be performed (NOTE: For CR3 use the code of record).

9.7.2 Obtain a sort of the database to identify all exceptions with safe shutdown strategies that rely upon detection and suppression. Obtain the descriptions of installed detection and suppression systems for all such areas. Also obtain descriptions of existing deviations or exemptions which may be applicable to the area in question. Verify that the installed systems meet the regulatory requirements/guidance, or have an existing deviation or exemption.

9.7.3 If the installed detection and suppression systems for the fire area are determined to be inadequate, promptly bring this matter to the attention of the Site Safe Shutdown Engineer and the Site Fire Protection Program Manager, or designated alternate personnel in their absence.

9.7.4 Upon concurrence that the installed detection or suppression systems are inadequate, the identified condition shall be entered into the CAP (Reference 2.9).

9.8 Validation of Existing Exemptions/Deviations

9.8.1 For each fire area where a safe shutdown strategy is based on an existing exemption or deviation, the bases for the exemption or deviation must be validated.

9.8.2 Obtain a sort of the database to identify all exceptions that rely upon an existing exemption/deviation. Obtain the licensing documentation related to the existing exemption or deviation in question.

9.8.3 Review the bases for the exemption/deviation to determine whether they are still valid.

9.8.4 Prepare an engineering report that documents the review of the exemption/deviation bases. This report should document the exemptions/deviations that were reviewed and concurrence that the bases are still valid.

9.8.5 If the bases for any existing exemption/deviation are determined to no longer be valid, promptly bring this matter to the attention of the Site Safe Shutdown Engineer or designated alternate personnel in their absence. A copy of the existing exemption/deviation request shall be marked up.

9.8.6 Upon concurrence that the bases for the existing exemption/deviation are no longer valid, the identified condition shall be entered into the CAP (Reference 2.9). The NCR number should be added to the engineering report noted in Step 9.7.4.

9.8.7 If any concerns with respect to the bases of an exemption/deviation were entered into the CAP, the report shall also identify the actions taken to resolve those concerns.

9.8.8 Resolve comments resulting from reviews of the engineering report.

9.8.9 Upon satisfactory resolution of comments, the engineering report shall be signed by a reviewer and approver and issued for use.

9.9 NRC Information Notice 92-18

Attachment 3 of this document provides guidance that should be used when evaluating valves with respect to the issues identified in Information Notice 92-18.

9.10 Input to Safe Shutdown Analysis Calculation

9.10.1 After development of the Fire Area Assessments for each fire area, the success path for each fire area shall be summarized. This is the input to the Safe Shutdown Analysis calculation to be prepared under project Sub-task 4.1.10.

9.10.2 The completed Fire Area Assessment packages for each fire area shall be turned over to the Site Safe Shutdown Engineer for incorporation into the Safe Shutdown Analysis calculation.


10.0 RECORDS

NOTE Documents generated during the performance of this procedure shall be filed in accordance with Reference 2.1.

10.1 Fire Area Assessment Reports
10.2 Report documenting the review performed under the Revised Design Methodology (RDM)
10.3 Report documenting the review of exemptions/deviations
10.4 Engineering evaluations generated to support new exceptions.


ATTACHMENT 1 Sheet 1 of 6
Masking and Exception Processing

Introduction

The augmented FTL file is a comprehensive model of the safe shutdown equipment and cables in the plant required to safely shut down the plant in the event of a fire. It models the complex functional, system level and component level relationships, and the physical location of the equipment and cables.

The basic fire safe shutdown model, down to the component level, is contained in the basic FTL text file. The equipment-to-cable, equipment-to-fire zone (or fire area for HNP), cable-to-raceway and raceway-to-fire zone (or cable-to-fire area for HNP), and fire zone to fire area relationships are stored in the FSSPM(D). Under the Fault Tree Logic File menu in the FSSPM(D), menu buttons are available to perform the tasks of 1) importing the fault tree text file into FSSPM(D), 2) processing the data to add equipment-to-cable, equipment-to-fire area, cable-to-fire area, and exceptions, and 3) exporting the augmented fault tree model. The augmented fault tree model file is suitable for loading directly into the CAFTA Fault Tree Editor program.

When the augmented fault tree model is read into CAFTA and analyzed for the first time, no resolutions will have been developed. For any given fire area of the plant, the combinations of equipment and cables located in the fire area may cause sufficient failures in the model to propagate to the top of the tree, causing failure of the model. This tells the analyst that if any of the required cables and/or components within the fire area were damaged, it would not be possible to safely shut down the plant.

For each fire area where this occurs, the task of the analyst is to determine which of the cable(s) and/or component failures are critical, and to determine resolutions for these failures. The resolutions are entered into the FSSPM(D), which modifies the exported fault tree file the next time it is processed.

The modified file is then re-evaluated by the fault tree analysis program. This is generally an iterative process that continues until the fault tree analysis program determines that the fire area in question no longer causes failure of the top gate.

Resolutions entered into the FSSPM(D) are referred to as exceptions. Exceptions can be applied in one of two ways: 1) an exception applied directly to a component or cable gate at the fire area level is referred to as a Normal Exception; 2) an exception applied to a higher level gate (e.g. loss of power) is referred to as a High Level Exception. Each situation is discussed below.

Detailed Description of Normal Exception Processing by FSSPM(D)

Three tables were provided within FSSPM(D) related to exception processing by the program. The three tables and their structures are explained below.

tbl_EXCEPT

Field Name   Description / Use
CGATE        The gate name of the gate to which IGATE is an input
IGATE        The new intermediate gate that replaces the previous gate or basic event
EXCEPT       Unique identifier for the exception
FI           The failed input (basic event or gate) that requires the exception
FNCT         Not used
REV          Not used

tbl_EXCEPT_CS

Field Name           Description / Use
EXCEPT               Unique number that identifies the exception
Affected Component   The component that is directly affected by the failure in question
Failed Component     The component or cable directly affected
Failed Input         The basic event (fire area) or gate (upper level gate) that caused the failure
Exception Name       The name of the exception (resolution)

tbl_EXCEPT_DESC

Field Name              Description / Use
Exception Name          The name of the exception (resolution)
Exception Description   Detailed description of the resolution strategy

The tbl_EXCEPT table is used by the FSSPM(D) to generate new gate structures for the augmented fault tree file that is exported to the fault tree analysis program. An example that best illustrates this process is described below.

Cable 1944H is a control cable for valve 1AF-49 (See Figure 1). It is also a control cable for valves 1AF-50 and 1AF-51. This cable is routed through Fire Areas 12-A-CRC1, 1-A-ACP, 1-A-BAL-B1, 1-A-BAL-B2, 1-A-CSRA and 1-A-SWGRA. For the purposes of demonstrating the operation of the FSSPM(D), let us assume that in Fire Area 1-A-BAL-B1, a fire-induced fault on this cable contributes to failure of the AFW system, and the failure propagates to the top of the model. Evaluation of the failures reveals that a manual action to operate valve 1AF-49 will restore AFW and prevent the failure. The unmodified fault tree model for this valve is partially shown in Figure 1.

The analyst would enter the following information into the fields listed below on the Normal Exception Form, which in turn adds the information to table tbl_EXCEPT. Only those fields used by the FSSPM(D) are shown, as the others are not used.

Field Name:   CGATE    IGATE               EXCEPT   FI
Data:         ^1944H   %1944H_1-A-BAL-B1   #00033   1-A-BAL-B1

On the form, CGATE is the name of the gate into which the previously failed basic event (in this case, 1-A-BAL-B1) was an input, and into which new intermediate gate IGATE will now feed in its place.

IGATE is the name of the new intermediate gate. This new intermediate gate has two inputs, EXCEPT and FI. FI is the old basic event, and EXCEPT is the designation of the exception that represents the new resolution code in the augmented fault tree model.

Figure 2 shows how the new fault tree structure will look after the exception has been processed and exported from FSSPM(D), and input to the fault tree analysis program. The old basic event (1-A-BAL-B1) and the new exception (#00033) are both input into intermediate gate IGATE through an AND gate. The effect is that the failure is blocked. In this example, the new intermediate gate applies to all gates that the old gate ^1944H fed into. Therefore, the new gate would also apply to the gates for valves 1AF-50 and 1AF-51.


In the FSSPM(D), this is addressed by table tbl_EXCEPT_CS. This table allows different resolution codes to be applied to different components affected by the same failure (in the example, the failure of cable 1944H). For the example, three entries would be made to table tbl_EXCEPT_CS, and two entries to table tbl_EXCEPT_DESC. One entry would assign a manual action resolution code for component 1AF-49. Different resolution codes would be assigned to valves 1AF-50 and 1AF-51.

tbl_EXCEPT_CS Entries:

Field Name:   EXCEPT   Affected Component   Failed Component   Failed Input   Exception Name
Data:         #00033   1AF-49               1944H              1-A-BAL-B1     MANUAL_ACTION-001
Data:         #00033   1AF-50               1944H              1-A-BAL-B1     REDUNDANT-001
Data:         #00033   1AF-51               1944H              1-A-BAL-B1     REDUNDANT-001

tbl_EXCEPT_DESC Entries:

Field Name:   Exception Name      Exception Description
Data:         MANUAL_ACTION-001   De-energize 1AF-49 at MCC 1A31 breaker 1 located in fire zone 1-A-EPA. Then verify open/manually open 1AF-49 in fire zone 1-A-BAL-B2.
Data:         REDUNDANT-001       A redundant AFW flowpath is credited in this fire area.

Forms EXCEPT_CS and Exception Descriptions are used to modify table tbl_EXCEPT_CS and related table tbl_EXCEPT_DESC. These tables are not used to generate revised structures for the augmented fault tree model, but the data contained in the tables is used for reporting. In this example, the fire area summary report for fire area 1-A-BAL-B1 would identify that all three valves are affected by a fire in the fire area, that for all three affected components, cable 1944H is the component failed in the fire area, and the resolutions for each valve.

Masking

In the example above, the exception applied to cable 1944H in fire area 1-A-BAL-B1 is required for component 1AF-49 to prevent the failure from propagating to the top of the fault tree model. This treatment also makes it appear to the fault tree analysis program as if cable 1944H is not failed for components 1AF-50 and 1AF-51, since the application of the exception to cable 1944H is a direct input to all three components. In other words, the application of the exception for component 1AF-49 to cable 1944H masks the failure of the cable for components 1AF-50 and 1AF-51.

Masking also occurred when exceptions were applied at higher levels in the fault tree model. In these cases, the application of an exception intended for one or more fire areas masked the failure of the gate for all fire areas. Figure 3 shows the unmodified logic for the unavailability of valve 1SI-246, with the loss of power gate failed. Any failure to either the valve power cable or the power supply (MCC) would create this failure. Figure 4 shows the application of a high level exception into the loss of power gate, per the previous methodology. The exception blocks all loss of power failures from propagating. This approach masks the failures for ALL fire areas.


Detailed Description of High Level Exception Processing by FSSPM(D)

In order to eliminate the masking issue, changes were made to the structure and operation of the FSSPM(D) data and program during the integration of this program for the Harris plant. Changes were made in the way FSSPM(D) relates and processes data for export to the augmented fault tree model.

The primary change consists of adding the Equipment Tag number as a suffix to the cable number when processing the data to generate the augmented fault tree file. The effect of this change is that each cable becomes unique to the component to which it applies in the exported fault tree model. The cable data within the FSSPM(D) is not altered in any way. This change allows exceptions applied at the cable - fire area level to be applied just to the specific component for which they are intended. One effect of this approach is that the size of the augmented fault tree model will be increased. Approximately one fourth of the cables in FSSPM(D) that get exported to the augmented fault tree model are applied to more than one component. Previously, these cables were added to the augmented file as a single gate, with the single gate input into each component to which it applies. With this revised approach, these cables are added to the augmented file as multiple gates, the number being equal to the number of components to which the cable applies. Each of the gates has identical structure, with the same fire area inputs, the only difference being the gate name. Therefore, the increase in the size of the augmented fault tree file due to this approach will be manageable.

Another alternative, considered and rejected early in the Harris phase of the project, was to apply the exception at a higher level in the tree. In the example cited above, the exception for cable 1944H in fire area 1-A-BAL-B1 could be applied at the 1AF-49_LOC gate instead of at the cable - basic event level. The exception would be applied in accordance with the methodology described below for high level exceptions. This approach was rejected because it would potentially be far more cumbersome in the long term. For example, the loss of control gate for component 1AF-49 has three cables as input, and these are shared with two other valves. If one assumes that exceptions would be required for each of the three cables in two fire areas each, six high level gates would be added to the input for gate 1AF-49_LOC. A similar number could be required for valves 1AF-50 and 1AF-51. The number of gates added to the model by appending the Equipment Tag number to the cable number is six in this example (three cables become nine in the augmented model).

The majority of exceptions are applied at the component - basic event level. Exceptions applied at this level result in the addition of one new gate and one new input.

High level exceptions are dealt with differently. To handle this exception process an additional table is utilized, and a separate set of forms is utilized to enter the data into the four (4) exception tables. The additional table has been named tbl_UL_EXCEPT_FA, and is structured as follows.

Field Name     Description / Use
Failed Input   The failed input to an upper level gate (from table tbl_EXCEPT, field FI)
Fire Area      Fire area for which the upper level exception applies

Assume for the purposes of illustration that the analyst has completed the evaluation of all 41 fire areas in the plant, and determined that a high level exception must be applied to the loss of power gate for valve 1SI-246 in only four (4) fire areas. In the example shown in Figures 3 and 4, the entries in tables tbl_EXCEPT and tbl_UL_EXCEPT_FA would be as follows:


tbl_EXCEPT

CGATE          IGATE              EXCEPT   FI
1SI-246_UNAV   %1SI-246_LOP_ALL   #00056   1SI-246_LOP

tbl_UL_EXCEPT_FA

Failed Input   Fire Area
1SI-246_LOP    1-A-BAL-A2
1SI-246_LOP    1-A-BAL-B1
1SI-246_LOP    1-A-SWGRA
1SI-246_LOP    1-A-CSRA

Once the data is entered into the FSSPM(D) and a new augmented FTL file is generated, the higher level exception will appear as depicted in Figure 5. The exception will be a gate with fire areas as the inputs. The list of fire areas input to the gate will be all fire areas not listed with the failed input in table tbl_UL_EXCEPT_FA. In this case the 37 fire areas not listed with 1SI-246_LOP will be the basic event inputs to gate #00056. For the four (4) fire areas listed in the table, failures of 1SI-246_LOP will be blocked from propagating higher by the AND gate. For all other fire areas (i.e., all fire areas input to gate #00056 as basic events), the AND gate will allow faults, if present, to propagate.

For high level exceptions, the use of table tbl_EXCEPT in the FSSPM(D) is not changed by the proposed new methodology. The processing of the information in this table in conjunction with the information in new table tbl_UL_EXCEPT_FA will be different, as it will now create the gate as shown in Figure 5.
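As an added worked example, not code from FSSPM(D), CAFTA or this procedure, the following Python models both exception types described above: the Normal Exception of Figures 1 and 2 (including the masking of cable 1944H for valves 1AF-50 and 1AF-51 and its removal by appending the Equipment Tag to the cable number) and the High Level Exception of Figures 3 to 5 built from tbl_EXCEPT and tbl_UL_EXCEPT_FA. The gate logic of the miniature trees, the eight-area list standing in for the plant's 41 fire areas, the area 1-A-OTHER and the routing assumed for the 1SI-246 power supply are assumptions constructed for illustration.

```python
# Added example (not FSSPM(D) or CAFTA code): a miniature fault tree evaluator
# plus the two exception-processing steps this attachment describes.  The small
# trees, the eight-area list standing in for the plant's 41 fire areas, and the
# routing assumed for 1SI-246's power supply are constructed for illustration.

# A gate is ("AND" | "OR", [inputs]); any name not in the tree is a basic event.
# A fire-area basic event is failed only for a fire in that area.  Exception
# events ('#.....') never fail on their own, so IGATE = AND(FI, EXCEPT) blocks FI.
def evaluate(tree, gate, fire_area):
    """True if `gate` is failed (propagates) for a fire in `fire_area`."""
    if gate not in tree:
        return gate == fire_area
    kind, inputs = tree[gate]
    values = [evaluate(tree, g, fire_area) for g in inputs]
    return all(values) if kind == "AND" else any(values)


def apply_normal_exception(tree, cgate, igate, exc, fi):
    """One tbl_EXCEPT row: input FI of CGATE is replaced by IGATE = AND(FI, EXCEPT)."""
    kind, inputs = tree[cgate]
    tree[cgate] = (kind, [igate if g == fi else g for g in inputs])
    tree[igate] = ("AND", [fi, exc])


def apply_high_level_exception(tree, cgate, igate, exc, fi, ul_rows, all_areas):
    """tbl_EXCEPT row plus tbl_UL_EXCEPT_FA rows: EXCEPT becomes an OR gate of every
    fire area NOT listed with FI, so FI is blocked only in the listed areas."""
    blocked = {area for failed_input, area in ul_rows if failed_input == fi}
    tree[exc] = ("OR", sorted(set(all_areas) - blocked))
    apply_normal_exception(tree, cgate, igate, exc, fi)
    return blocked


# Constructed stand-in for the plant fire-area list (the text has 41 areas).
ALL_AREAS = ["12-A-CRC1", "1-A-ACP", "1-A-BAL-A2", "1-A-BAL-B1",
             "1-A-BAL-B2", "1-A-CSRA", "1-A-SWGRA", "1-A-OTHER"]


def build_afw_tree(per_component_cables):
    """Constructed mini-model of Figure 1: control cable 1944H feeds the loss-of-
    control (LOC) gates of 1AF-49, 1AF-50 and 1AF-51; AFW fails only if all three
    fail.  With per_component_cables=True the cable is exported once per component
    with the Equipment Tag appended, as in the revised FSSPM(D) processing."""
    route = ["12-A-CRC1", "1-A-ACP", "1-A-BAL-B1", "1-A-BAL-B2", "1-A-CSRA", "1-A-SWGRA"]
    valves = ["1AF-49", "1AF-50", "1AF-51"]
    tree = {}
    for valve in valves:
        cable_gate = f"^1944H_{valve}" if per_component_cables else "^1944H"
        tree[cable_gate] = ("OR", list(route))
        tree[f"{valve}_LOC"] = ("OR", [cable_gate])
    tree["AFW_FAIL"] = ("AND", [f"{v}_LOC" for v in valves])
    return tree


def masking_demo():
    """Exception #00033 on the shared cable gate: AFW_FAIL is no longer failed, but
    1944H also looks healthy for 1AF-50, which has no manual action (masking)."""
    tree = build_afw_tree(per_component_cables=False)
    before = evaluate(tree, "AFW_FAIL", "1-A-BAL-B1")
    apply_normal_exception(tree, "^1944H", "%1944H_1-A-BAL-B1", "#00033", "1-A-BAL-B1")
    return (before, evaluate(tree, "AFW_FAIL", "1-A-BAL-B1"),
            evaluate(tree, "1AF-50_LOC", "1-A-BAL-B1"))       # (True, False, False)


def suffix_demo():
    """Same exception on ^1944H_1AF-49 only: AFW is still recovered while the cable
    failure for 1AF-50 stays visible in the model."""
    tree = build_afw_tree(per_component_cables=True)
    apply_normal_exception(tree, "^1944H_1AF-49", "%1944H_1AF-49_1-A-BAL-B1",
                           "#00033", "1-A-BAL-B1")
    return (evaluate(tree, "AFW_FAIL", "1-A-BAL-B1"),
            evaluate(tree, "1AF-50_LOC", "1-A-BAL-B1"))       # (False, True)


def high_level_demo():
    """Figures 3-5: the loss-of-power gate of 1SI-246 is blocked in the four areas
    listed in tbl_UL_EXCEPT_FA and passes through for any other fire area."""
    tree = {
        "1SI-246_LOP": ("OR", ["1-A-BAL-A2", "1-A-BAL-B1", "1-A-SWGRA",
                               "1-A-CSRA", "1-A-OTHER"]),    # constructed route
        "1SI-246_UNAV": ("OR", ["1SI-246_LOP"]),
    }
    ul_rows = [("1SI-246_LOP", area) for area in
               ("1-A-BAL-A2", "1-A-BAL-B1", "1-A-SWGRA", "1-A-CSRA")]
    apply_high_level_exception(tree, "1SI-246_UNAV", "%1SI-246_LOP_ALL",
                               "#00056", "1SI-246_LOP", ul_rows, ALL_AREAS)
    unavailable = {area: evaluate(tree, "1SI-246_UNAV", area) for area in ALL_AREAS}
    return unavailable, len(tree["#00056"][1])       # #00056 gets 8 - 4 = 4 inputs


if __name__ == "__main__":
    print("shared gate   (before, after, 1AF-50_LOC):", masking_demo())
    print("per-component (AFW_FAIL, 1AF-50_LOC):      ", suffix_demo())
    unavailable, n_inputs = high_level_demo()
    print(f"#00056 has {n_inputs} fire-area inputs; 1SI-246 unavailable only in",
          [a for a, failed in unavailable.items() if failed])
```

Running the block shows the masked cable failure reappearing once the cable gate is made unique per component, and the 1SI-246 loss-of-power fault propagating only for the area not listed in tbl_UL_EXCEPT_FA.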

Resolution Strategies for Components that don't cause CAFTA Basic Event Failures

Forms EXCEPT_CS and Exception Descriptions are also used to input resolution strategies for components that are identified in the Fire Area's Safe Shutdown Compliance Report, but do not cause direct failures in the fault tree model. This process is performed for completeness so that each identified component in a fire area report is either provided with an exception or a resolution strategy.

For these instances (where there is no direct failure to the fault tree model), the tbl_EXCEPT is not modified; however, performing this step allows resolution strategies for all Exceptions (whether the result of a direct fault tree failure or not) to be printed in the Safe Shutdown Compliance Reports.

To identify the Exceptions that are written against components that do not directly fail the fault tree model, a RES prefix is used. Typical examples are shown below, and others may be created as necessary, as long as they contain a RES prefix to distinguish them from Exceptions that are written to recover CAFTA fault tree model failures.

  • RES_MA-xxx (for exceptions that describe a manual action or operator action)
  • RES_RED-xxx (for exceptions that document a redundant component is available)
  • RES_OTH-xxx (for other exceptions that are not a manual action or operator action)

NOTE: Any resolution strategy that credits a manual action or operator action should use the RES_MA-xxx format to ensure it is included in the manual action output reports.


Typical examples for inputting these Exceptions are shown below:

tbl_EXCEPT_CS Entries:

Field Name:   EXCEPT   Affected Component   Failed Component   Failed Input   Exception Name
Data:         #xxxxx   SW-739               SW-739             G3             RES_MA-001
Data:         #xxxxx   SW-PMP-B             SW-PMP-B           G3             RES_RED-001

tbl_EXCEPT_DESC Entries:

Field Name:   Exception Name   Exception Description
Data:         RES_MA-001       Manually throttle SW-739 to maintain adequate service water header pressure.
Data:         RES_RED-001      A redundant component is credited. Thus, this component is not required for a fire in this fire area.


ATTACHMENT 2 Sheet 1 of 1
Shutdown Summary Sheet

FIRE AREA: A1 (EDG B ROOM)

SAFE SHUTDOWN STRATEGY:

FOR A POSTULATED FIRE IN FIRE AREA A1, THE B EMERGENCY DIESEL GENERATOR AND SUPPORTING EQUIPMENT ENCLOSED IN THIS AREA ARE ASSUMED TO BE LOST AS A RESULT OF THE FIRE. FIRE DAMPERS ARE ASSUMED TO OPERATE AND OTHER FIRE BARRIERS SUCH AS DOORS ARE ASSUMED TO BE CLOSED, LIMITING THE SPREAD OF THE FIRE TO THIS AREA.

THE PLANT IS SHUTDOWN USING EPP-4, REACTOR TRIP PROCEDURE UTILIZING THE CHARGING PUMP, CCW PUMP, AFW PUMP, RHR PUMP AND SERVICE WATER PUMPS SUPPLIED FROM EMERGENCY BUS 1. EMERGENCY BUS 1 WILL BE SUPPLIED ELECTRICAL POWER FROM THE START-UP TRANSFORMER IN THIS EVENT. THE A EDG WOULD BE AVAILABLE TO PROVIDE ELECTRICAL POWER TO EMERGENCY BUS 1 IN THE EVENT OF THE UNAVAILABILITY OF OFFSITE POWER.

SPURIOUS OPERATIONS CONSIDERED:

1. SPURIOUS EMERGENCY DIESEL GENERATOR OPERATION,
2. SPURIOUS CLOSURE OF THE GENERATOR OUTPUT BREAKER,
3. SPURIOUS OPERATION OF THE FUEL OIL DAY TANK INLET SOV.

RESULTS OF SPURIOUS OPERATIONS CASES:

1. CONTROL ROOM ACTION TO ISOLATE EMERGENCY BUS 1,
2. ANALYSIS DEMONSTRATES THAT SPURIOUS OPERATION OF THE DAY TANK FUEL OIL INLET SOV IS ACCEPTABLE BASED ON ADDITIONAL INVENTORY READILY AVAILABLE AND ANALYZED IN THE SAFE SHUTDOWN ANALYSIS.

MANUAL ACTIONS OUTSIDE THE CONTROL ROOM:

NONE

TIME CRITICAL OPERATOR ACTIONS / BASES:

1. RESTORE RCP SEAL COOLING IN LESS THAN 15 MINUTES (EC 61818),
2. RCS MAKE-UP, 30 MINUTES (APPENDIX R CALCULATION)
3. RE-ESTABLISH AFW, 20 TO 25 MINUTES (APPENDIX R CALCULATION).

APPLICABLE EXEMPTION REQUEST:

NONE

ATTACHMENT 3 Sheet 1 of 10
NRC IN 92-18 Analysis Methodology

1.0 Purpose

The purpose of this attachment is to document the history of USNRC Information Notice (IN) 92-18 relative to the Progress Energy NGG fleet, and to provide common guidance for addressing this issue.

2.0 Background

2.1 Definitions

Classic IN 92-18 failure: A failure that can result from a single hot short condition in a motor operated valve control circuit, such that the hot short condition bypasses the actuator protection provided by the torque and/or limit switches. This condition could potentially result in the valve torque seating itself in the non-credited safe shutdown position (e.g. the required operating position is Open, but the valve torque seats itself Closed). This could impact Operations' ability to re-position the valve, either manually or electrically from a remote station, to the required operating position for safe shutdown. The Classic IN 92-18 is limited to a postulated fire in the Control Room only.

Revised Design Method (RDM): Under the RDM, a failure is not limited to a single hot short condition, but also includes the consideration of multiple hot shorts. This method addresses hot short conditions which could result in the loss of capability to re-position the valve, either manually or electrically, if required. It is not restricted to a postulated fire in the Control Room, and includes a fire in any area of the plant that could result in the above condition. It also includes postulated fires at the motor control centers, and cable to cable hot shorts.

2.2 History

Information Notice 92-18 identified potential circuit configurations which, during a Control Room fire, could cause hot short circuit paths resulting in spurious valve actuations. These hot shorts could potentially bypass MOV protective devices (i.e. torque switches, limit switches, and thermal overload relays), resulting in mechanical damage to the valve, actuator, or motor. This issue was originally identified in LERs by three utilities. (One utility later retracted their LER based on reevaluating the condition to be outside their original design bases.) NUMARC, now NEI, provided initial industry advice for the utilities to give careful consideration to any plans regarding plant design changes in response to this Information Notice. NUMARC based its advice on the assumption that fire-induced hot shorts, shorts to ground, or open circuits that can prevent operation or cause maloperation of plant equipment were limited. These conditions could only occur as a result of a fire condition that caused the Control Room to be evacuated and only during the time it took to evacuate the Control Room and establish remote control.

Since IN 92-18 was originally issued in February 1992 there have been a number of industry activities relative to the notice. The following is a summary of these activities:

  • Industry activity related to this issue was limited from 1992 to 1996 until the NRC issued a civil penalty against Davis Besse in 1996 related to their failure to implement corrective actions associated with Information Notice 92-18.
  • This was followed up by a NRC directive in 1997 to Salem and Quad Cities to correct their IN 92-18 configurations prior to start-up from an outage.



  • The NRC and NEI held meetings in early 1997 which resulted in a series of letters explaining the NRC and the Industry positions related to this matter.
  • The Staff continued to identify this as an issue during their pilot Fire Protection Functional Inspections conducted in 1997 and 1998, leaving River Bend and St. Lucie with Unresolved Items.
  • The NRC issued a violation to Nine Mile in May 1998 for failure to implement changes to correct their configurations associated with IN 92-18.
  • Prairie Island issued an LER on 8/07/98 concerning potential mechanical damage to 32 MOVs occurring from a hot short (IN 92-18). This LER was issued 5 days before Prairie Island was scheduled to receive an NRC Fire Protection Functional Inspection.
  • The NRC issued Enforcement Guidance Memorandum 98-002, Revision 1, dated July 21, 1999, which stated that the NRC would continue to perform assessments in these areas. If deficiencies are identified they would be identified as Apparent Violations until the end of a 180 day grace period. After the 180 day grace period the NRC would determine if the finding would be reclassified as a Violation with potential enforcement action.
  • NEI created a Circuit Analysis Issue Task Force to address various safe shutdown concerns including those described in Information Bulletin 92-18.
  • The BWROG Appendix R Committee developed a Safe Shutdown Methodology document which also took the position that IN 92-18 is not a high safety significant item. This position has not been reviewed by the Staff and it is not clear if the NRC will accept this position or require additional site specific analysis.
  • The NRC provided some further clarification relative to IN 92-18 in their Regulatory Issue Summary (RIS) 2005-30 dated December 20, 2005. In this RIS, which was issued to clarify the scope of analyses of post-fire spurious actuations, the NRC included their position on a couple of points (assumptions) that had been made by the Industry relative to the scope of IN 92-18 reviews. The Industry had previously stated that the probability of event was not worthy of consideration, but NRC reiterated that this potential condition needs to be addressed. The NRC also clarified that potential mechanical failure addressed in IN 92-18 is not limited to a Control Room fire, but is also applicable to fires in other areas of the plant.

3.0 Assumption

3.1 Thermal overloads will not be credited as providing protection under this analysis effort.

Basis for Assumption: Limited testing performed at the RNP on thermal overloads in MCC compartments showed that they did not open when they were heated to 180°F.


4.0 Progress Energy Methodology Utilized

The flow chart at the end of this attachment outlines an analysis method that can be used to identify and screen motor operated valves from the list of valves that need to be considered under IN 92-18, and to identify strategies for providing resolution. It should be noted that the order in which some of the steps identified in this methodology are performed may be adjusted to serve the needs of the analyst and the availability of data.

The following is a description of the steps outlined in the analysis flow chart.

NOTE Steps 1 and 2 should have been completed under a separate effort, and under the guidance of other procedures and/or instructions.

Step 1: Includes those activities performed by the plant to identify those systems and components that will be required to mitigate the effects of a fire and safely shut down the plant. The result of this activity is to develop a safe shutdown equipment list (SSEL).

Step 2: This activity includes a review of components on the SSEL to determine their failure modes, and identify which valves will require action to reposition the valve to the position needed to accomplish its safe shutdown function(s). This information is noted in the SSEL and SSA.

Step 3: Using the plant's SSEL, a separate list of the valves identified as motor operated valves in the SSEL is prepared.

Step 4: The list of valves prepared in Step 3 is reviewed to identify those valves that do not need to be subjected to the rigors of a detailed IN 92-18 review as outlined in the remaining steps. Any valve that is deleted from the scope of this review needs to be documented. Examples of reasons for which valves could be deleted from the scope include, but are not limited to, the following:

  • Any valve for which no local manual action to be performed by an Operator has been identified, AND the valve is not required to be operated electrically from either the Control Room or a remote location either during or after the fire. This would also include those valves that may have an alternate power supply that would restore operability after certain actions are taken. To complete this assessment it will be necessary to have reviewed all post-fire related procedures to ensure that all anticipated valve operations (local manual, as well as remote electrical) have been identified and considered in this review.
  • Any valve that has a pending modification that would eliminate the IN 92-18 issue for all fire areas.
  • Those valves where its motive power supply has been permanently disconnected, and fire induced damage to its control circuit could not cause the valve to spuriously operate.
  • Valves that are not true MOVs. For example, in some situations, a component type may have been classified as a motor operated valve (i.e. MOA, MOV, etc.) on the SSEL, but it is not susceptible to the same failure modes as identified in IN 92-18. This would include components such as motor operated HVAC dampers where a fire induced failure of the control circuit could not cause the device to fail such that it cannot be repositioned.

  • Any valve that can only fail in its desired post-fire safe shutdown position to ensure the safe shutdown function can be performed, or the pressure boundary is maintained intact.
  • Those valves with no identified functional failures or spurious actuations.

Step 5: The plant's MOV Program documentation should be reviewed with the MOV Program coordinator to determine if it contains data on valve and actuator stall torque and thrust load limitations and capabilities.

Step 6: If stall torque and thrust load data is part of the plant's MOV program, it should be reviewed with the support of the plant's MOV Program coordinator to determine if the calculated MOV stall torque and stall thrust are less than the torque and thrust limits of the valve and actuator. If the stall torque and thrust are less than the torque and thrust limits of the valve and actuator, the MOV can be screened from the IN 92-18 valve list. However, if the stall torque and thrust are greater than the torque and thrust limits of both the valve and the actuator, continue to the next step.

Step 7: In this step a review of the valve's circuit analysis data is performed to identify the specific cables that could result in a potentially damaging spurious operation, and the fire areas with which each cable is associated.

Step 8: Review the SSA and identify whether there are any areas where fire induced damage to the subject valve's control circuit requires either local manual operation of the valve, or repositioning of the valve electrically from another location, to perform the required safe shutdown function. For these fire areas determine if the area contains a cable that is also an IN 92-18 cable of concern. If the fire area does not contain a spurious operation cable that can cause an IN 92-18 failure, the MOV can be screened from the IN 92-18 valve list. Otherwise continue to the next step.

Step 9: At this point a review of available data should be performed to determine if weak link analysis or system analysis is the best course of action to resolve the issue with a specific valve. It should be noted that the valve and actuator data that is included with the MOV Program could be conservative. If a revised analysis (i.e. calculation) is performed with updated input and assumptions, the results could show that actuator or valve failure is not possible. This decision should be made with the input of the site and/or corporate WLA Subject Matter Expert(s). If the weak link analysis option is chosen, continue with the next step. Otherwise, proceed to Step 16.

Step 10: Mechanical/Civil engineering support is obtained to perform a weak link analysis of the motor operated valve.

NOTE EGR Procedures NGGC-0359, Motor Operated Valve Structural Evaluation, NGGC-0101, Electrical Calculation of Motor Output Torque for AC and DC Motor Operated Valves (MOV), and NGGC-0203, Motor-Operated Valve Performance Prediction, Actuator Settings, and Diagnostic Test Data Reconciliation will need to be considered in performing the weak link analysis.

Step 11: Review the data obtained from the previous step, and determine if the valve would be damaged as a result of IN 92-18 spurious operation. If the capabilities of the actuator are less than the valve's limits, the MOV can be screened from the IN 92-18 valve list. However, if the actuator capabilities are greater than the valve's limits, continue to the next step.

Step 12: Using the results obtained from the weak link analysis, and with the support of Mechanical/Civil engineering support, determine if there is a possibility of showing no valve damage if finite element analysis is used. If it is determined that finite element analysis might show that there is no valve damage, proceed to the next step. Otherwise, proceed to Step 15.

Step 13: Perform the finite element analysis.

Step 14: Review the data obtained from the previous step and determine whether the valve could be damaged as a result of IN 92-18 spurious operation. If the capabilities of the actuator are less than the valve's limits, the MOV can be screened from the IN 92-18 valve list. However, if the actuator capabilities are greater than the valve's limits, continue to the next step.

Step 15: If the system analysis approach to resolving the IN 92-18 failure has not yet been performed, proceed to the next step. However, if the weak link analysis was performed after the system analysis approach did not yield satisfactory results, proceed to Step 21.

NOTE: If there are more than 2 flow paths available to satisfy the SSD function (e.g., 3 parallel injection lines to the RCS), does it require more than 2 concurrent spurious operations in the fire area of concern to fail the SSD function? If yes, this scenario is beyond the current design methodology.

Step 16: A systems analysis shall be performed by a Safe Shutdown Engineer and an Operations Department representative to determine whether there is an alternative approach to performing the safe shutdown function that required the subject valve to be in a specific position. This approach should consider alternate flow paths and system(s) that were not previously considered in the original safe shutdown analysis, evaluation of equipment availability at the system level, and circuit analysis at the component level.

Step 17: If the systems analysis performed in the previous step results in a new method (revised compliance strategy) that includes a different, additional component (MOV) that was not previously considered in the SSA, proceed to Step 19. Otherwise, proceed to Step 18.

Step 18: At this point the reviewer needs to make a decision as to whether a weak link analysis or a review utilizing NFPA 805 methodologies would be the best course of action to resolve the issue. The WLA decision process should consider the same points that were identified in Step 9. If the weak link analysis is expected to be the best option, proceed to Step 10. Otherwise proceed to Step 21.

ATTACHMENT 3 Sheet 6 of 10 NRC IN 92-18 Analysis Methodology

Step 19: The additional MOV identified from the system analysis shall be subjected to the reviews outlined in Steps 5 through 14 above. If the valve is found NOT to fail under the IN 92-18 review methodology for the fire area of concern, the alternate MOV needs to be added to the list of valves addressed under IN 92-18, and the acceptable resolution needs to be documented under Step 27. However, if the valve does fail, proceed to the next step.

NOTE: Any revised compliance strategy (including new components to be credited in the safe shutdown analysis) that is developed as part of this review effort needs to be included in the plant's Safe Shutdown Analysis (SSA).

Step 20: If the systems analysis approach was taken at Step 9, the Reviewer may wish to reconsider the weak link analysis option that was originally dismissed if it is now thought that it might result in no valve failure. If the weak link analysis approach is to be considered, proceed to Step 10. Otherwise, proceed to the next step.

NOTES:

1. With the adoption of NFPA 805 as part of the NGG plants' Fire Protection licensing basis, additional methods to disposition valves that show the potential for spuriously operating and potentially being damaged have been made available. These methods include the use of fire modeling, performing a risk evaluation using probabilistic safety assessment (PSA) methods, or showing that the valve is only needed for cold shutdown and the plant can wait to transition to cold shutdown until the issue is resolved. Fire modeling could be used to show that the target cable that could result in the spurious operation cannot be damaged such that the event would occur, based upon the plant configuration and fuel loads in the fire area. PSA methods could also be used to show that risk to the plant is low due to a small change in the core damage frequency, based upon the probability of a series of events occurring. One approach using the PSA method to address IN 92-18 failures was outlined in a draft methodology prepared by NEI (Draft Method for IN 92-18 Failures, dated 12-13-99).

2. A process for evaluating the impact of a potential deficiency with an IN 92-18 valve utilizing NFPA 805 methodologies is addressed in Attachment 4 of the NGG Fire Protection Program Improvement Initiatives Project Plan.

Step 21: If methodologies provided within NFPA 805 (e.g. fire modeling, or PRA risk tools) are likely to provide resolution by showing that the valve will not be subjected to IN 92-18 spurious operation, or the risk associated with the probability of valve damage is low, proceed to the next step. Otherwise, proceed to Step 25.

Step 22: If the NFPA 805 assessment is to be performed at a later time, the need to perform this assessment shall be entered into the Corrective Action Program with a long term resolution flag. If the NFPA 805 assessment will be deferred until a later point in the Transition Project, this proposed resolution strategy and the A/R shall be noted in Step 27. When the Project is ready to evaluate the specific valve compliance issue under NFPA 805, go to Step 23.

Step 23: Evaluate the valve's specific configuration issue as part of the NFPA 805 transition. This evaluation may include the utilization of fire modeling tools and/or a PSA on the valve's control circuit and cables of concern.

ATTACHMENT 3 Sheet 7 of 10 NRC IN 92-18 Analysis Methodology

Step 24: Did the results obtained in the previous step show that the valve is not susceptible to failure, or that the risk associated with potential valve failure is acceptable? If the results were acceptable, the MOV can be screened from the IN 92-18 valve list. If the results were not acceptable, proceed to the next step.

Step 25: If at this point in the IN 92-18 analysis process the valve is still shown to be subject to failure, one of the alternate mitigating strategies listed below needs to be selected and utilized to eliminate the potential for valve failure, or to provide an alternate means of coping with the failure.

  • Valve modification (i.e. stiffen the actuator, replace bolts, etc.)
  • System modification
  • Procedural modification
  • Fire protection modification
  • Rectify operator feasibility evaluation issues
  • Repair mitigation strategy (for CSD valves only)

Step 26: The need to complete the alternate mitigation strategy shall be captured in the Corrective Action Program and the A/R number documented in Step 27.

Step 27: The resolution strategy utilized (or proposed) to resolve the failure concern, or disposition the valve on the list of IN 92-18 valves needs to be documented on the IN 92-18 valve list.

Step 28: The completed IN 92-18 valve list shall be incorporated in the plant's SSA Report.
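To make the screening decisions of Steps 4 through 15 concrete, the following Python walk-through is an added example written for this page; it is not part of FPIP-0106, the NGG MOV Program, or any plant calculation. The record layout, the valve tags MOV-101 through MOV-106, the fire area names and every torque and thrust number are constructed assumptions, and the actual inputs would come from the MOV Program calculations (Steps 5 and 6), the circuit analysis (Step 7) and the SSA (Step 8). The example returns, for each valve, whether it screens from the IN 92-18 list, which Step screened it, and which fire areas remain of concern for the valves that go on to system analysis or NFPA 805 review.

```python
"""Screening walk-through of the IN 92-18 MOV methodology (Attachment 3, Steps 4 to 15).

Added example, not part of FPIP-0106: field names, valve tags and numbers are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Mov:
    tag: str
    is_true_mov: bool = True
    power_permanently_removed: bool = False
    planned_mod_eliminates_issue: bool = False
    spurious_actuation_identified: bool = True
    fails_only_to_ssd_position: bool = False
    # Fire areas where fire damage to the control circuit requires local manual
    # operation or repositioning from another location (Step 8).
    manual_action_fire_areas: FrozenSet[str] = frozenset()
    # Fire areas containing an IN 92-18 spurious-operation cable of concern (Step 7).
    in9218_cable_fire_areas: FrozenSet[str] = frozenset()
    # MOV Program values (Steps 5/6): actuator capability vs. valve structural limits.
    actuator_stall_torque: float = 0.0
    actuator_stall_thrust: float = 0.0
    valve_torque_limit: float = 0.0
    valve_thrust_limit: float = 0.0
    # Limits refined by a weak link analysis and/or finite element analysis
    # (Steps 10 to 14); None when no WLA has been performed.
    wla_torque_limit: Optional[float] = None
    wla_thrust_limit: Optional[float] = None


# (disposition "screened" or "open", reason with the deciding Step, fire areas still of concern)
Disposition = Tuple[str, str, FrozenSet[str]]


def actuator_cannot_damage_valve(torque: float, thrust: float,
                                 torque_limit: float, thrust_limit: float) -> bool:
    """Steps 6, 11 and 14: the valve screens only if BOTH stall torque and stall
    thrust are below the corresponding valve limit; exceeding either one fails."""
    return torque < torque_limit and thrust < thrust_limit


def screen(mov: Mov) -> Disposition:
    none: FrozenSet[str] = frozenset()
    # Step 4: scope deletions.
    if not mov.is_true_mov:
        return "screened", "Step 4: not a true MOV", none
    if mov.power_permanently_removed:
        return "screened", "Step 4: power permanently removed", none
    if mov.planned_mod_eliminates_issue:
        return "screened", "Step 4: planned modification eliminates the IN 92-18 issue", none
    if not mov.spurious_actuation_identified:
        return "screened", "Step 4: no functional failures or spurious actuations identified", none
    if mov.fails_only_to_ssd_position:
        return "screened", "Step 4: valve only fails to its safe shutdown position", none
    if not mov.manual_action_fire_areas:
        return "screened", "Step 4: no manual actions identified", none
    # Step 6: MOV Program stall torque and thrust against the valve limits.
    if actuator_cannot_damage_valve(mov.actuator_stall_torque, mov.actuator_stall_thrust,
                                    mov.valve_torque_limit, mov.valve_thrust_limit):
        return "screened", "Step 6: actuator stall torque and thrust below valve limits", none
    # Step 8: only fire areas that need a manual action AND hold an IN 92-18 cable remain.
    open_areas = mov.manual_action_fire_areas & mov.in9218_cable_fire_areas
    if not open_areas:
        return "screened", "Step 8: no fire area combines a manual action with an IN 92-18 cable", none
    # Steps 10 to 14: a weak link analysis (and FEA) may show the refined limits are not exceeded.
    if mov.wla_torque_limit is not None and mov.wla_thrust_limit is not None:
        if actuator_cannot_damage_valve(mov.actuator_stall_torque, mov.actuator_stall_thrust,
                                        mov.wla_torque_limit, mov.wla_thrust_limit):
            return "screened", "Step 11/14: weak link analysis shows the actuator cannot damage the valve", none
        return "open", "Step 15: damage confirmed by WLA; proceed to system analysis or NFPA 805", open_areas
    return "open", "Step 9: choose weak link analysis or system analysis", open_areas


def screen_all(movs: List[Mov]) -> Dict[str, Disposition]:
    return {m.tag: screen(m) for m in movs}


# Constructed sample SSEL entries (not plant data): same actuator, different limits and fire areas.
SAMPLE_MOVS = [
    Mov("MOV-101", manual_action_fire_areas=frozenset({"FA-A"}), in9218_cable_fire_areas=frozenset({"FA-A"}),
        actuator_stall_torque=900.0, actuator_stall_thrust=24000.0,
        valve_torque_limit=1200.0, valve_thrust_limit=30000.0),
    Mov("MOV-102", manual_action_fire_areas=frozenset({"FA-A"}), in9218_cable_fire_areas=frozenset({"FA-B"}),
        actuator_stall_torque=900.0, actuator_stall_thrust=24000.0,
        valve_torque_limit=700.0, valve_thrust_limit=30000.0),
    Mov("MOV-103", manual_action_fire_areas=frozenset({"FA-A", "FA-C"}), in9218_cable_fire_areas=frozenset({"FA-A"}),
        actuator_stall_torque=900.0, actuator_stall_thrust=24000.0,
        valve_torque_limit=700.0, valve_thrust_limit=30000.0,
        wla_torque_limit=1000.0, wla_thrust_limit=40000.0),
    Mov("MOV-104", manual_action_fire_areas=frozenset({"FA-A", "FA-C"}), in9218_cable_fire_areas=frozenset({"FA-A"}),
        actuator_stall_torque=900.0, actuator_stall_thrust=24000.0,
        valve_torque_limit=700.0, valve_thrust_limit=30000.0,
        wla_torque_limit=800.0, wla_thrust_limit=40000.0),
    Mov("MOV-105", power_permanently_removed=True),
    Mov("MOV-106", manual_action_fire_areas=frozenset({"FA-A"}), in9218_cable_fire_areas=frozenset({"FA-A"}),
        actuator_stall_torque=900.0, actuator_stall_thrust=24000.0,
        valve_torque_limit=700.0, valve_thrust_limit=30000.0),
]

if __name__ == "__main__":
    for tag, (disp, why, areas) in screen_all(SAMPLE_MOVS).items():
        print(f"{tag}: {disp:8} {why}" + (f" (fire areas: {sorted(areas)})" if areas else ""))
```

Two points a reviewer applying the methodology should not lose: a valve screens on Step 6, 11 or 14 only when both the stall torque and the stall thrust are below the valve limits, so exceeding either one keeps the valve on the list; and Step 8 removes a valve only when no single fire area combines a credited manual action with an IN 92-18 cable of concern, so the result carries the set of fire areas that remain open into the system analysis and NFPA 805 steps.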


ATTACHMENT 3 Sheets 8 through 10 of 10 NRC IN 92-18 Analysis Methodology

[Flowchart; the node text and YES/NO branches are transcribed below. The node numbers match the numbered Steps of the methodology text, and "A" and "B" are the flowchart's connector labels for nodes (10) and (21).]

START
(1) Develop list of components required for safe shutdown.
(2) Perform evaluation of identified safe shutdown components.
(3) Prepare a list of valves from the SSEL that are identified as motor operated valves.
(4) Valves to delete from scope (document the deletion):
  • No identified manual actions (*)
  • Planned modifications that would eliminate the IN 92-18 issue
  • Power permanently removed
  • Is not a true MOV
  • Only fails in its SSD position
  • No identified functional failures or spurious actuations
  (*) see discussion
(5) Review existing valve and actuator stall torque and thrust load calculations in the plant's MOV Program.
(6) Is the actuator's stall torque and thrust load less than the valve limits? YES: document and delete from scope. NO: go to (7).
(7) Identify (from circuit analysis) IN 92-18 component failures by cable and fire area. Utilize EGR-NGGC-0102, Attachment 4.
(8) For fire areas where manual action is required for the subject valve, does the fire area contain an IN 92-18 cable of concern? NO: document and delete from scope. YES: go to (9).
(9) Is the most likely success path System Analysis (SA) or Weak Link Analysis (WLA)? WLA: go to (10). SA: go to (16).
(10) [A] Perform WLA to determine valve or actuator damage potential.
(11) Is the valve or actuator damaged? NO: document and delete from scope. YES: go to (12).
(12) Could finite element analysis show no valve or actuator damage? YES: go to (13). NO: go to (15).
(13) Perform finite element analysis.
(14) Is either the valve OR the actuator damaged? NO: document and delete from scope. YES: go to (15).
(15) Was a System Analysis approach previously performed? NO: go to (16). YES: go to (21) [B].
(16) Perform system analysis.
(17) Is an alternate component available (not previously considered in the SSA)? YES: go to (19). NO: go to (18).
(18) Is WLA or NFPA 805 methodology the best option at this point? WLA: go to (10) [A]. NFPA 805: go to (21) [B].
(19) Does the alternate component fail by IN 92-18 in the same fire area? NO: update the SSA for the new or revised component. YES: go to (20).
(20) Is the most likely success path an Alternate Mitigation Strategy (AMS) or Weak Link Analysis (WLA)? WLA: go to (10) [A]. AMS: go to (21).
(21) [B] Could the potential failure be resolved utilizing methodologies provided under NFPA 805? YES: go to (22). NO: go to (25).
(22) Enter in CAP (documentation).
(23) Prepare fire model, or perform Probabilistic Safety Assessment (PSA) on the valve circuit.
(24) Is relief provided under NFPA 805? YES: go to (27). NO: go to (25).
(25) Utilize alternate mitigation strategy.
(26) Enter in CAP.
(27) Acceptable resolution documented.
(28) SSA Report.

FIGURE 1 Sheet 1 of 1: Unmodified Normal Exception (fault tree fragment built from OR gates; image not reproduced).

FIGURE 2 Sheet 1 of 1: Normal Exception Applied to Model (fault tree fragment with OR and AND gates; image not reproduced).

FIGURE 3 Sheet 1 of 1: Unmodified High Level Exception (image not reproduced).

FIGURE 4 Sheet 1 of 1: High Level Exception (Previous Methodology). Modified logic for unavailability of valve 1SI-246, with the high level exception applied to the LOP gate per the previous methodology. Gates and events shown: 1SI-246_UNAV, 1SI-246_DBF, 1SI-246_LOC, %1SI-246_LOP_ALL, 1SI-246_LOP (image not reproduced).

FIGURE 5 Sheet 1 of 1: High Level Exception (Revised Methodology) (image not reproduced).

REVISION SUMMARY Sheet 1 of 1

Revision 1 incorporates the following changes:

Page  Section/Step   Description
19    9.2.17         Added new Step for mechanical components that are impervious to fire damage.
21    9.3.3          Editorial change; revised wording.
                     From: "Choose the View, Show Tops command from the menu bar to navigate to the top event of the fault tree."
                     To: "Choose the View, Show Tops command from the menu bar. To navigate to the desired top event of the fault tree, select the desired top event."
23    9.3.14         Editorial change; revised wording.
                     From: "It is recommended that a Shutdown Summary Sheet similar to that shown in Attachment 2 be prepared at this."
                     To: "It is recommended that a Shutdown Summary Sheet similar to that shown in Attachment 2 be prepared for this."
25    9.6.3, 9.6.4   Swapped the order of these Steps to reflect the actual process.
29    2nd paragraph  Added a reference to Figure 1.
32    NA             Added new discussion "Resolution Strategies for Components that don't cause CAFTA Basic Event Failures".