ML091070228

Guidance for Post Fire Safe Shutdown Circuit Analysis
ML091070228
Person / Time
Site: Browns Ferry (Tennessee Valley Authority)
Issue date: 12/31/2008
From:
Nuclear Energy Institute
To:
Office of Nuclear Reactor Regulation
References
NEI 00-01, Rev 2


Text

ENCLOSURE 1 GUIDANCE FOR POST FIRE SAFE SHUTDOWN CIRCUIT ANALYSIS

NEI 00-01 [Revision 2c]

GUIDANCE FOR POST FIRE SAFE SHUTDOWN CIRCUIT ANALYSIS

December 2008

Nuclear Energy Institute, 1776 I Street N.W., Suite 400, Washington D.C. (202.739.8000)

ACKNOWLEDGEMENTS

NEI appreciates the extensive efforts of the utility members of the Circuit Failures Issue Task Force in developing and reviewing this document, as well as their utility management in supporting the members' participation.

Amir Afzali, Dominion Power; Gordon Brastad, Energy Northwest; Maurice Dingler, Wolf Creek Nuclear Operating Corporation; Tom Gorman, PPL, Susquehanna; Dennis Henneke, GE Hitachi; Robert Kassawara, EPRI; Harvey Leake, Arizona Public Service; Bijan Najafi, SAIC; Clarence Worrell, Westinghouse; Chris Pragman, Exelon; Vicki Warren, Exelon; Woody Walker, Entergy

NEI also extends its thanks to the following organizations playing important roles in the completion of this guidance:

EPRI: Funded a significant series of circuit failure tests and the Expert Panel who developed spurious actuation probabilities from the test results

BWR Owners Group: Developed the deterministic portion of the NEI 00-01 guidance

Westinghouse/CE and B&W Owners Groups: Along with the BWROG, funded the pilot applications of NEI 00-01 and a significant portion of the report preparation

Duke Energy and NMC Corporation: Hosted pilot applications of NEI 00-01

Omega Point Laboratories: Provided a cost-effective test facility for circuit failure testing

The NRC and Sandia National Laboratories: Provided extensive participation in the EPRI/NEI circuit failure testing, and review and comment on NEI 00-01

Edan Engineering: Wrote the EPRI report on the circuit failure testing and the analysis in Appendix B.1 on Multiple High Impedance Faults.

NOTICE

Neither NEI, nor any of its employees, members, supporting organizations, contractors, or consultants make any warranty, expressed or implied, or assume any legal responsibility for the accuracy or completeness of, or assume any liability for damages resulting from any use of, any information, apparatus, methods, or process disclosed in this report or that such may not infringe privately owned rights.

EXECUTIVE SUMMARY

NEI 00-01 was developed to provide a deterministic methodology for performing post-fire safe shutdown analysis.

In addition, NEI 00-01 includes information on risk-informed methods (when allowed within a Plant's License Basis) that may be used in conjunction with the deterministic methods for resolving circuit failure issues related to Multiple Spurious Operations (MSOs). The risk-informed method is intended for application by utilities to determine the risk significance of identified circuit failure issues related to MSOs. The deterministic safe shutdown analysis method described in Revision 0 of this document reflected practices in place for many years at a wide cross-section of U.S. nuclear plants and widely accepted by NRC. These practices were generally reflected in the plant's licensing basis.

In Revision 1, these deterministic methods were revised to address insights gained from EPRI/NEI circuit failure testing and reflected in NRC's RIS 2004-03. While these insights do not change a plant's licensing basis, they reflect the NRC's new emphasis on considering potential safety implications of MSOs. This emphasis on MSOs became apparent as the NRC revised their inspection guidance to resume the inspection of circuits in January 2005. The methods presented in Revision 1 were intended to support licensees preparing for the resumed NRC circuit failure inspections.

In Revision 2 changes were made to document the Resolution Methodology presented by the Industry to the NRC Staff for resolving the MSO Issue subsequent to the rejection of the Staff's generic letter on MSOs by the Commission. The methodology in Revision 2 reflects insights gained from not only the EPRI/NEI Cable Fire Testing but also the CAROLFIRE Cable Fire Testing, the outcome of meetings with the NRC Staff and information provided within SECY 08-0093 and a draft revision to Reg Guide 1.189. These changes were made to address NRC comments related to segregating those components necessary for post-fire hot safe shutdown ("green box", defined in 10 CFR 50, Appendix R, Section III.G.1.a as one train of systems necessary to achieve and maintain hot shutdown conditions) and those whose mal-operation could provide a potential impact to post-fire safe shutdown ("orange box", defined in 10 CFR 50, Appendix R, Section III.G.1 as components important to safe shutdown that could adversely affect safe shutdown capability or cause mal-operation of safe shutdown systems).

The methodology contained in Revision 2 is one method of addressing post-fire safe shutdown and the MSO Issue. This document neither changes nor supports any individual plant's licensing basis. The assumptions used in the licensing basis and the nature of any approvals the NRC may have provided for these assumptions, are a plant-specific matter between each licensee and the NRC.

NEI 00-01 Revision 2, Chapter 5, provides a methodology for a focused-scope Fire PRA for assessing the risk significance of specific MSOs. This method is intended for application to circuit failures involving MSOs.

All MSO impacts deemed to be risk significant should be placed in the plant Corrective Action Program with an appropriate priority for action. Since a large number of low significance findings of uncertain compliance status could result from industry applications of this method to MSOs, separate discussions are being held with NRC to address the handling of such issues without unnecessary resource impacts for licensees and NRC alike.

It is expected that plants adopting a new fire protection licensing basis using NFPA 805 will be able to reference certain sections of NEI 00-01 as an acceptable method for addressing circuit failure issues, including the MSO Issue. It is noted that plants adopting the NFPA 805 licensing basis in accordance with NEI 04-02, Revision 1 utilized NEI 00-01 Revision 1 as part of the review and confirmation process of the nuclear safety methodology review. NEI 00-01 Revision 1 Chapter 3 serves as the basis for nuclear safety methodology reviews performed in accordance with NEI 04-02, Revision 1, Regulatory Guide 1.205, Revision 0, and NFPA 805 Frequently Asked Question 07-0[illegible]9 (ADAMS Accession No. ML082590466).

TABLE OF CONTENTS

1 INTRODUCTION
1.1 PURPOSE
1.2 BACKGROUND
1.3 OVERVIEW OF POST FIRE SAFE SHUTDOWN ANALYSIS
1.3.1 General Methodology Description
1.3.2 Deterministic Method
1.3.3 Risk Significance Methods
2 APPENDIX R REQUIREMENTS AND CONSIDERATIONS
2.1 REGULATORY REQUIREMENTS
2.2 REGULATORY GUIDANCE ON ASSOCIATED CIRCUITS
2.3 REGULATORY INTERPRETATION ON LOSS OF OFFSITE POWER
3 DETERMINISTIC METHODOLOGY
3.1 SAFE SHUTDOWN SYSTEMS AND PATH DEVELOPMENT
3.1.1 Criteria/Assumptions
3.1.2 Shutdown Functions
3.1.3 Methodology for Shutdown System Selection
3.2 SAFE SHUTDOWN EQUIPMENT SELECTION
3.2.1 Criteria/Assumptions
3.2.2 Methodology for Equipment Selection
3.3 SAFE SHUTDOWN CABLE SELECTION AND LOCATION
3.3.1 Criteria/Assumptions
3.3.2 Associated Circuit Cables
3.3.3 Methodology for Cable Selection and Location
3.4 FIRE AREA ASSESSMENT AND COMPLIANCE STRATEGIES
3.4.1 Criteria/Assumptions
3.4.2 Methodology for Fire Area Assessment
3.5 CIRCUIT ANALYSIS AND EVALUATION
3.5.1 Criteria/Assumptions
3.5.2 Types of Circuit Failures
4 IDENTIFICATION AND TREATMENT OF MULTIPLE SPURIOUS OPERATIONS
5 RISK SIGNIFICANCE ANALYSIS
5.1 COMPONENT COMBINATION IDENTIFICATION
5.1.1 Consideration of Consequences
5.1.2 Selection of MSO Scenarios to be Analyzed
5.2 PRELIMINARY SCREENING
5.2.1 Screening Factors
5.2.2 Six-Factor Frequency of Core Damage (F*P*G*S*C*Z)
5.2.3 Final Screening Table
5.2.4 Example Application
5.2.5 Summary
5.3 PLANT-SPECIFIC RISK SIGNIFICANCE SCREENING
5.3.1 EPRI/NEI Test Results
5.3.2 Large Early Release Frequency Evaluation (LERF)
5.3.3 Uncertainty and Sensitivity Analysis
5.4 INTEGRATED DECISION MAKING
5.4.1 Defense-In-Depth and Safety Margins Considerations
5.4.2 Corrective Action
5.4.3 Documentation
5.5 PRA QUALITY
5.5.1 Applicability of the ANS FPRA Standard
5.5.2 PEER REVIEW OF THE FOCUSED-SCOPE OR FULL FIRE PRA
6 DEFINITIONS
7 REFERENCES
7.1 NRC GENERIC LETTERS
7.2 BULLETINS
7.3 NRC INFORMATION NOTICES
7.4 OTHER RELATED DOCUMENTS
7.5 ADMINISTRATIVE LETTERS
7.6 REGULATORY ISSUE SUMMARIES (RIS)

ATTACHMENTS

ATTACHMENT 1 EXAMPLE OF TYPICAL BWR SAFE SHUTDOWN PATH DEVELOPMENT
ATTACHMENT 2 ANNOTATED P&ID ILLUSTRATING SSD SYSTEM PATHS [BWR EXAMPLE]
ATTACHMENT 3 EXAMPLE OF SAFE SHUTDOWN EQUIPMENT LIST
ATTACHMENT 4 SAFE SHUTDOWN LOGIC DIAGRAM [BWR EXAMPLE]
ATTACHMENT 5 EXAMPLE OF AFFECTED EQUIPMENT REPORT
ATTACHMENT 6 EXAMPLE OF FIRE AREA ASSESSMENT REPORT

APPENDICES

APPENDIX A SAFE SHUTDOWN ANALYSIS AS PART OF AN OVERALL FIRE PROTECTION PROGRAM
APPENDIX B DETERMINISTIC CIRCUIT FAILURE CRITERIA
APPENDIX B.1 JUSTIFICATION FOR THE ELIMINATION OF MULTIPLE HIGH IMPEDANCE FAULTS
APPENDIX C HIGH / LOW PRESSURE INTERFACES
APPENDIX D ALTERNATIVE/DEDICATED SHUTDOWN REQUIREMENTS
APPENDIX E ACCEPTANCE CRITERIA OPERATOR MANUAL ACTIONS AND REPAIRS
APPENDIX F SUPPLEMENTAL SELECTION GUIDANCE (DISCRETIONARY)
APPENDIX G GENERIC LIST OF MSOS
APPENDIX H REQUIRED FOR HOT SHUTDOWN VERSUS IMPORTANT TO SSD COMPONENTS

FIGURES

Figure 1-1 Deterministic Post-fire Safe Shutdown Overview
Figure 2-1 Appendix R Requirements Flowchart
Figure 3-1 Deterministic Guidance Methodology Overview
Figure 3-2 Safe Shutdown System Selection and Path Development
Figure 3-3 Safe Shutdown Equipment Selection
Figure 3-4 Safe Shutdown Cable Selection
Figure 3-5 Fire Area Assessment Flowchart
Figure 3.5.2-1 Open Circuit (Grounded Control Circuit)
Figure 3.5.2-2 Short to Ground (Grounded Control Circuit)
Figure 3.5.2-3 Short to Ground (Ungrounded Control Circuit)
Figure 3.5.2-4 Hot Short (Grounded Control Circuit)
Figure 3.5.2-5 Hot Short (Ungrounded Control Circuit)
Figure 3.5.2-6 Common Power Source (Breaker Coordination)
Figure 4.1 Resolution Methodology
Figure 5-1 Simplified Process Diagram
Figure 5-2 Fragility Curves Thermoset

TABLES

TABLE 5-1 Maxima for the Pairings F*P
TABLE 5-2 Maxima That Result from Maximum Credits for G (0.01), S (0.01), C (0.01) and Z (0.9)
TABLE 5-3 Point Requirements for Screening
TABLE 5-4 Establishing Relative Risk Ranking When All Zones Preliminarily
TABLE 5-5 Generic Location Fire Frequencies
TABLE 5-6 Probabilities of Spurious Actuation Based on Cable Type and Failure Mode (Range)
TABLE 5-7 General Fire Scenario Characterization Type Bins Mapped to Fire Intensity Characteristics
TABLE 5-8 Statistical Unavailability Values for SSD Path-Based Screening CCDP
TABLE 5-9 Summary of the Probabilities (PSACD)

ATTACHMENTS

Example of Typical BWR Safe Shutdown Path Development
Annotated P&ID Illustrating SSD System Paths [BWR Example]
Example of Safe Shutdown Equipment List
Safe Shutdown Logic Diagram [BWR Example]
Example of Affected Equipment Report
Example of Fire Area Assessment Report

NEI 00-01, Revision 2(c)

January 2008

GUIDANCE FOR POST-FIRE SAFE SHUTDOWN CIRCUIT ANALYSIS

1 INTRODUCTION

For some time there has been a need for a comprehensive industry guidance document for the performance of post-fire safe shutdown analysis to implement existing fire protection regulations. Such a document is needed to consistently apply the regulatory requirements for post-fire safe shutdown analysis contained in 10 CFR 50.48 (Reference 7.4.1) and 10 CFR 50 Appendix R (Reference 7.4.3).

From the standpoint of deterministic safe shutdown analysis, Generic Letter 86-10 (Reference 7.1.10) provided standardized answers to certain questions related to specific issues related to this topic. The answers provided, however, did not comprehensively address the entire subject matter.

The lack of comprehensive guidance for post-fire safe shutdown analysis, in combination with the numerous variations in the approach used by the architect engineers responsible for each plant design, have resulted in wide variation in plant-specific approaches to deterministic post-fire safe shutdown analysis.

Some of these approaches are based on long-held industry interpretations of the NRC regulations and guidance. In many cases, these interpretations were not documented in a manner that indicated a clear NRC acceptance of the position.

In an NRC letter to NEI in early March 1997 (Reference 7.4.30), NRC stated that the regulatory requirements and staff positions are well documented, and that regulatory requirements recognize that fires can induce multiple hot shorts.

The industry responded (Reference 7.4.31) that industry and NRC staff interpretations of existing regulations and regulatory guidance differ significantly on at least some aspects of the post-fire safe shutdown analysis requirements and provided reasons for these differing interpretations.

The Boiling Water Reactor Owners Group (BWROG) developed a comprehensive document for BWRs to compile deterministic safe shutdown analysis practices based on existing regulatory requirements and guidance. That document was adopted into NEI 00-01 with minor changes to address PWR-specific safe shutdown analysis considerations.

1.1 PURPOSE

The purpose of this document is to provide a consistent process for performing a post-fire safe shutdown circuit analysis. While it describes differences between NRC and industry licensing positions, NEI 00-01 does not define what any plant's licensing basis is or should be. Plant licensing bases have been developed over many years of licensee interactions with NRC staff, and the interpretation of these licensing bases is a matter between each licensee and NRC staff.

The guidance provided in this document accounts for differences and uncertainties in licensing basis assumptions about circuit failures.

It also provides a method for the resolution of the differences between the NRC and the industry related to fire-induced circuit failures resulting in MSOs.

This document provides deterministic methods for addressing potential fire-induced circuit failure issues, either within or beyond the existing plant's licensing basis. The deterministic method, derived from NRC regulations, guidance, and plant licensing bases, is provided for analyzing and resolving circuit failure issues. Methods are provided to (1) select circuits and appropriate combinations thereof for the analysis of MSOs (note: the terms spurious actuation and spurious operation are considered synonymous. The term "spurious operation" is used in this document for consistency), and (2) determine the risk significance of identified circuit failure combinations (MSOs). While the selection of circuit failure combinations, MSOs, has not traditionally been included in plant circuit analysis methods to date, it is appropriate to consider such combinations in the light of the results of recent cable failure testing, both EPRI/NEI and CAROLFIRE. The Resolution Methodology for MSOs included in this document will assist the licensee in determining whether potentially risk-significant interactions could impact safe shutdown, but this Resolution Methodology does not change the plant licensing basis.

The methods in this document do not require the systematic re-evaluation of a plant's post-fire safe shutdown circuit analysis. Such a systematic re-evaluation is entirely a licensee decision that may be based on NRC inspection findings, licensee self-assessment results, or industry experience. Neither do these methods take precedence over specific requirements accepted by the NRC in a plant's post-fire safe shutdown analysis.

The deterministic methods in this document rely on approved licensing bases for individual plants. In addition, this document provides criteria for assessing the risk significance of those MSO issues that may not be included in current safe shutdown analyses, but that may be a concern because of potential risk significance.

The guidance in this document reflects the position that licensees should address potential risk-significant issues regardless of whether they involve compliance with the licensing basis. When issues are identified, the licensee should consider whether they involve violations of the licensing basis, are beyond the licensing basis, or are of uncertain compliance status and subject to possible disagreement with NRC. The licensee should also consider the risk significance of the findings consistent with the fire protection SDP. Consideration of these parameters is illustrated in the following table:

Action to Address Issue

| Type of Issue | Issue Risk Significant | Issue Not Risk Significant |
|---|---|---|
| Finding outside CLB | Address in CAP | Green finding; action at licensee's discretion |
| Violation of CLB | Address in CAP | Address in CAP or provide licensing basis changes (using approved regulatory processes) |
| Compliance status/CLB not clear | Address in CAP | Address in CAP or provide licensing basis changes (using approved regulatory processes) |

As seen in the table above, NEI 00-01 concludes that the licensees should address risk-significant circuit failure issues regardless of whether they involve potential violations. Issues that are both risk-insignificant and outside the licensing basis should be treated in accordance with current ROP guidelines as illustrated in the table.

Remaining low significance issues potentially involving compliance should be addressed consistent with current regulatory guidelines; licensing basis changes (using approved regulatory processes) may be in order, supported by the risk analysis performed using Section 5 risk analysis or the fire protection SDP methods.

An example will illustrate the use of NEI 00-01. In this example, assume that the licensee conducts a self-evaluation using this document and determines that it should postulate more than one simultaneous spurious operation in a certain fire area. Further assume that the licensing basis is inconclusive. The licensee could determine the risk significance of the issue using the methods of NEI 00-01, the revised fire protection Significance Determination Process, or other plant-specific risk analyses. The licensee should place the issue in the plant Corrective Action Program (CAP) if it is significant according to the risk criteria used, or could request licensing basis changes (using approved regulatory processes), or change the fire protection plan, if it is not. The compliance aspects would also be addressed in cases where it is not clear whether an issue is within the licensing basis (a "compliance issue") or not.

Potentially, a large number of exemption requests (on an industry-wide basis) to address low significance issues could result in unnecessary expenditure of industry and staff resources. NRC and industry are discussing options for addressing low significance issues with uncertain compliance status to minimize resource expenditure while still addressing regulatory requirements and positions.

1.2 BACKGROUND

Reviewing past fire events can substantiate the uncertainty associated with the behavior of actual plant fires. On March 22, 1975, the Browns Ferry Nuclear Power Plant had the worst fire ever to occur in a commercial nuclear power plant operating in the United States. (Reference U.S. Nuclear Regulatory Commission (NRC) Inspection and Enforcement (IE) Bulletin Nos. 50-259/75 and 50-260/75-1, dated 2/25/75.)

The Special Review Group that investigated the Browns Ferry fire made two recommendations pertaining to assuring that the effectiveness of the fire protection programs at operating nuclear power plants conform to General Design Criterion (GDC) 3.

The NRC should develop specific guidance for implementing GDC 3.

The NRC should review the fire protection program at each operating plant, comparing the program to the specific guidance developed for implementing GDC 3.

In response to the first recommendation, the NRC staff developed Branch Technical Position (BTP) Auxiliary Power Conversion Systems Branch (APCSB) 9.5-1, "Guidance for Fire Protection for Nuclear Power Plants," May 1, 1976; and Appendix A to BTP APCSB 9.5-1, "Guidelines for Fire Protection for Nuclear Power Plants Docketed Prior to July 1, 1976," August 23, 1976. The guidance in these documents focused on the elements of fire protection defense-in-depth (DID): (1) prevention; (2) mitigation through the use of detection and suppression (automatic and manual); (3) passive protection of structures, systems and components (SSCs) important to safety and post-fire safe shutdown.

In response to the second recommendation, each operating plant compared its fire protection program with the guidelines of either BTP APCSB 9.5-1 or Appendix A to BTP APCSB 9.5-1. The staff reviewed the fire protection programs for compliance with the guidance.

The guidance in BTP APCSB 9.5-1 and Appendix A to BTP APCSB 9.5-1, however, did not provide sufficiently specific guidance for performing post-fire safe shutdown analysis. Also, independent testing sponsored by the NRC indicated that some of the separation concepts proposed by licensees under the BTP, such as coating cable trays with fire retardant coatings, would not provide sufficient protection in the event of a severe fire. Thirdly, some licensees did not implement aspects of the BTP that the NRC considered essential in order to achieve adequate protection. To address these issues and to provide the necessary guidance, the NRC issued 10 CFR 50.48, "Fire Protection," and Appendix R, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979," to 10 CFR Part 50 (45 FR 36082).

The NRC published in the Federal Register (45 FR 76602) the final fire protection rule (10 CFR 50.48) and Appendix R to 10 CFR Part 50 on November 19, 1980. The Appendix R Regulation required compliance with Sections III.G, III.J, and III.O for all plants licensed to operate before January 1, 1979, and required individual licensees to comply with other lettered sections, based on their status under the BTP review, as reflected by NRC correspondence to the individual licensees. Section III.G.2 of Appendix R reflected the results of the NRC's independent fire testing program, overriding any previous approvals the NRC may have granted regarding the protection of cables with fire retardant coatings.

This regulation applies to plants licensed to operate prior to January 1, 1979. For plants licensed to operate after January 1, 1979, the NRC staff, in most cases, required compliance with Appendix A to BTP APCSB 9.5-1 and Sections III.G, J & O of Appendix R. For these licensees, the sections of Appendix R apply to the plant as a licensing commitment, rather than as a legal requirement imposed by the code of federal regulations.

Some other licensees provided comparisons to the guidelines of Section 9.5-1, "Fire Protection Program," of NUREG-0800, "Standard Review Plan," which incorporated the guidance of Appendix A to BTP APCSB 9.5-1 and the criteria of Appendix R, or BTP CMEB 9.5-1. Additionally, some plants had aspects of their programs reviewed to the criteria contained in Draft Regulatory Guide 1.120 Revision 1 ("Fire Protection Guidelines for Nuclear Power Plants," November 1977), which primarily reflected the content of BTP APCSB 9.5-1 Revision 1. Therefore, even though fire protection programs can be essentially equivalent from plant to plant, the licensing basis upon which these programs are founded can be very different. Most plants licensed after January 1, 1979 have also been granted by the NRC a standard fire protection license condition allowing them to self-approve and make changes to their NRC approved fire protection program provided such changes do not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire. Therefore, even for plants with a common regulatory basis traceable back to one of the regulations and/or guidance listed above, the details of implementing the fire protection program can be different.

The plant design changes required for passive and active fire protection features and administrative controls required by the regulations discussed were fairly specific. These changes have been implemented throughout the industry. These changes have been effective in preventing a recurrence of a fire event of the severity experienced at Browns Ferry; have increased the likelihood that a fire will be detected rapidly and extinguished; and have reduced the potential consequences of a fire (see Appendix A for a brief history of the Browns Ferry fire and a description of the fire protection improvements for nuclear plants since the Browns Ferry fire).

To clarify the regulations, the NRC staff has issued numerous guidance documents in the form of Regulatory Guides, memorandums, Regulatory Issue Summaries, Generic Letters and Information Notices. These documents provide insights as to the NRC staff's interpretation of the regulations, their views on acceptable methods for complying with the regulations, and clarity of the requirements necessary in performing a post-fire safe shutdown analysis.

1.3 OVERVIEW OF POST FIRE SAFE SHUTDOWN ANALYSIS

A fire in an operating nuclear power plant is a potentially serious event. In general, the likelihood of a large fire with the potential to damage plant equipment important to safe shutdown is considered to be small. The expected fire would be contained in a single electrical panel or a localized portion of one room or area. Typical plant design segregates important cables and equipment from threats such as missiles, flooding, and significant fire sources. The expected plant response to this type of event would be to maintain continued operation and to dispatch the plant fire brigade to extinguish the fire.

Despite this, the consequences of an event that damages plant equipment important to safe shutdown can be significant. The Browns Ferry fire resulted in damage to plant equipment important to safe shutdown. Although safe shutdown of the Browns Ferry unit was ultimately accomplished, the event was of sufficient significance to warrant major changes in fire protection design features of a nuclear power plant. Appendix A to this document provides a description of the improvements made in the fire protection design of nuclear power plants in response to the Browns Ferry fire event.

In addition to plants making changes to the fire protection design features, they have also placed increased attention on identifying those systems and equipment important to the post-fire safe shutdown of each unit. A safe plant design is achieved by identifying the systems and equipment important to post-fire safe shutdown in each area of the plant; making conservative assumptions regarding the extent of fire damage; and assuring adequate separation of the redundant safe shutdown trains, or protection of an alternative/dedicated shutdown train. When applied to the fire protection program of a nuclear power plant, these aspects of post-fire safe shutdown design, in combination with the other changes made in the design of the plant fire protection features in response to the Browns Ferry fire, provide reasonable assurance that a plant fire will not prevent safe plant shutdown.

NEI 00-01, Revision 2(c)

January 2008

The goal of post-fire safe shutdown is to assure that a single fire in any plant fire area will not result in any fuel cladding damage, rupture of the primary coolant boundary or rupture of the primary containment. This goal serves to prevent an unacceptable radiological release as a result of the fire.

This goal is accomplished by assuring, in accordance with NRC regulatory requirements, the following deterministic criteria are satisfied for a single fire in any plant fire area:

One safe shutdown path necessary to achieve and maintain hot shutdown is free of fire damage. The set of components necessary to achieve and maintain post-fire hot shutdown is referred to throughout this document as "required for hot shutdown".

Potential fire-related impacts to components with the potential to mal-operate and adversely impact the ability of the safe shutdown path components described above to perform their post-fire safe shutdown functions are prevented or have been adequately mitigated. The set of components whose mal-operation could impact the components on the required safe shutdown path in a particular fire area are referred to throughout this document as "important to safe shutdown". Potential impacts of Systems, Structures and Components (SSCs) whose mal-operation or spurious operation could adversely impact the ability to achieve and maintain safe shutdown (previously referred to as associated circuits ...

Repairs to systems and equipment required to achieve and maintain cold shutdown can be accomplished within the required time frame.

Any operator manual actions required to support achieving either hot or cold shutdown are identified and meet the applicable regulatory acceptance requirements.

The deterministic methods in Chapter 3 integrate the requirements and interpretations related to post-fire safe shutdown into a single location, and assure that these criteria are satisfied. These methods:

Identify the systems, equipment and cables required to support the operation of each safe shutdown path.

Identify the equipment and cables whose spurious operation could adversely impact the ability of these safe shutdown paths to perform their required safe shutdown function.

Provide techniques to mitigate the effects of fire damage to components on, or affecting, the required safe shutdown path in each fire area.

Using these methods to perform the post-fire safe shutdown analysis will meet deterministic regulatory requirements and provide an acceptable level of safety resulting in a safe plant design.

It is consistent with the fire protection defense-in-depth concept that addresses uncertainties associated with the actual behavior of fires in a nuclear power plant. Post-fire safe shutdown is one part of each plant's overall defense-in-depth fire protection program. The extent to which the requirements and guidance are applicable to a specific plant depends upon the age of the plant and the commitments established by the licensee in developing its fire protection program.

The information contained in Chapters 4 and 5 is provided for use in resolving the longstanding issues of MSOs.

Using the Resolution Methodology described in these chapters and in the appendices referenced within Chapters 4 and 5 is one way for a licensee to address the MSO issue.

1.3.1 GENERAL METHODOLOGY DESCRIPTION

The deterministic methodology described in this document can be used to perform a post-fire safe shutdown analysis to address the current regulatory requirements.

The Resolution Methodology for MSOs evaluates the risk significance of potential failures or combinations of failures. [Note: The term "MSOs" will be used throughout this document to denote one or more fire-induced component failures due to fire-induced circuit failures, including, but not limited to, spurious operations resulting from hot shorts.]

The Resolution Methodology for addressing MSOs is contained in Chapter 4.

1.3.2 DETERMINISTIC METHOD

When using the deterministic methodology described in Chapter 3 of this document to address the current regulatory requirements, a basic assumption of the methodology is that there will be fire damage to systems and equipment located within a common fire area. The size and intensity of the fire required to cause this type of system and equipment damage is not determined.

Rather, fire damage is assumed to occur regardless of the level of combustibles in the area, the ignition temperatures of any combustible materials, the lack of an ignition source or the presence of automatic or manual fire suppression and detection capability. Fire damage is also postulated for all cables and equipment in the fire area that may be used for safe shutdown, even though most plant fire areas do not contain sufficient fire hazards for this to occur.

It is with these basic and conservative assumptions regarding fire damage that use of the Chapter 3 methodology begins. The methodology progresses by providing guidance on selecting systems and equipment needed for post-fire safe shutdown, on identifying the circuits of concern relative to these systems and equipment, and on mitigating each fire-induced effect to the systems, equipment and circuits for the required safe shutdown path in each fire area. This methodology represents a comprehensive and safe approach for assuring that an operating plant can be safely shut down in the event of a fire in any plant fire area.

To address the MSO issue, consideration is given to the MSO List in Appendix G and the circuit failure criteria contained in Appendix B. The circuit failure criteria contained in Appendix B are intended for use with the MSO List in Appendix G and the MSO Resolution Methodology described in Chapter 4. They are not intended to supersede any of the circuit failure criteria contained in Chapter 3. Using the Resolution Methodology described in Chapter 4, a licensee can determine the potential fire-induced MSO impacts applicable to its facility. These potential fire-induced impacts can then be dispositioned using the deterministic methods described in Chapter 3 or by using the risk-informed method described in Chapter 5. Additionally, fire modeling, as described in Chapter 4, may be used to assess whether or not a particular MSO in a particular location presents a potential impact to post-fire safe shutdown.

In addressing MSOs, the conservative assumptions discussed above for the Chapter 3 analysis are not necessarily applied, e.g., fire modeling or risk assessment may be an acceptable resolution approach. The mitigating techniques available for use with any particular MSO are a function of whether that MSO is classified as being comprised of required for hot shutdown components or important to safe shutdown components.

Refer to Appendix H for a description of the criteria to be used to classify components as either required for hot shutdown or important to safe shutdown components.

[li:

t s listed in Appbedt T'

6 ar to b ihi~atd epmii 5 tcly kerelis no need: to 1')a 1at ]

fieSthe comb1'ine etý ff of mlile MSOs.

PThe poentdal

,I echil MS( 61 ~posýf shtdow is tob ozawt: id~dal~

In performing a deterministic post-fire safe shutdown analysis, the analyst must be cautious not to improperly apply the conservative assumptions described above. For example, one cannot rule out fire damage to unprotected circuits in a given fire area. This assumption is conservative only in terms of not being able to credit the systems and equipment associated with these circuits in support of post-fire safe shutdown. If the analyst, however, were to assume that these circuits were to be damaged by the fire when this provided an analytical advantage, this would be non-conservative. For example, assuming that fire damage results in a loss of offsite power may be non-conservative in terms of heat loads assumptions used in an analysis to determine the need for room cooling systems for the 72-hour fire coping period.

The methodology for performing deterministic post-fire safe shutdown analysis is depicted in Figure 1-1. The specific steps are summarized in Sections 1.3.2.1 through 1.3.2.6, and discussed in depth in Section 3. The criteria for determining whether a component is a required for hot shutdown or important to safe shutdown component are contained in Appendix H.

1.3.2.1 Safe Shutdown Function Identification

The goal of post-fire safe shutdown is to assure that a single fire in any single plant fire area will not result in any fuel cladding damage, rupture of the primary coolant boundary or rupture of the primary containment. This is accomplished by determining those functions important to safely shutting down the reactor and assuring that systems with the capability to perform these functions are not adversely impacted by a single fire in any plant fire area. The safe shutdown functions important to the plant are: (1) reactivity control; (2) pressure control; (3) inventory control; and (4) decay heat removal.

To accomplish the required safe shutdown functions, certain support system functions (e.g., electrical power, ventilation) and process monitoring capability (e.g., reactor ...) are also required.

In addition, the analyst must assure that fire-induced spurious operations do not occur that can prevent equipment in the required safe shutdown path from performing its intended safe shutdown function. Examples of spurious operations that present a potential concern for the safe shutdown functions described above are those that can cause a: (1) loss of inventory in excess of the make up capability; (2) flow diversion or a flow blockage in the safe shutdown systems being used to accomplish the inventory control function; (3) flow diversion or a flow blockage in the safe shutdown systems being used to accomplish the decay heat removal function.

[BWR] Although an inadvertent reactor vessel overfill condition is not a safe shutdown function listed above, the NRC has identified this as a concern. The acceptability of the current design features of the BWR to mitigate the effects of an inadvertent reactor vessel overfill condition as a result of either a fire or equipment failure has been addressed by the BWROG in GE Report No. EDE 07-390 dated April 2, 1990, in response to NRC Generic Letter 89-19. The NRC subsequently accepted the BWROG position in a Safety Evaluation dated June 9, 1994. Despite this, some of the MSOs listed in Appendix G for BWRs relate to an inadvertent reactor vessel overfill. These will be addressed as a part of the MSO review.

Licensing Citation: Brown's Ferry SER dated November 2, 1995 Section 3.7.3 third paragraph. Monticello inspection report dated December 3, 1986 paragraph (2) page 16.

Figure 1-1. Deterministic Post-Fire Safe Shutdown Overview [flowchart not reproduced; recoverable box labels: All Nuclear Power Plant Functions; Hot Shutdown Functions; SSD Functions; Reroute, Re-analyze or Re-design Circuit; Protect in accordance with III.G.2; Other Plant Unique Approach (Evaluation, Exemption Request, Deviation Request, LAR); Any of the options available for Required Safe Shutdown Components; Operator Manual Action; For MSOs: Fire Modeling, Focused Scope Fire PRAs]

1.3.2.2 Safe Shutdown System and Path Identification

Using the safe shutdown functions described above, the analyst identifies a system or combination of systems with the ability to perform each of these shutdown functions. The systems are combined to form safe shutdown paths.

1.3.2.3 Safe Shutdown Equipment Identification

Using the Piping and Instrument Diagrams (P&IDs) for the mechanical systems comprising each safe shutdown path, the analyst identifies the mechanical equipment required for the operation of the system and the equipment whose spurious operation could affect the performance of the safe shutdown systems. Equipment that is required for the operation of a safe shutdown system for a particular safe shutdown path is related to that path (and is designated as a required hot shutdown component).

From a review of the associated P&IDs, the equipment that could spuriously operate and result in a flow blockage, a flow diversion (e.g., inventory makeup capability), loss of pressure control (due to overfeeding, excessive steam leakage, etc.), etc. is identified. Similarly, this equipment is related to the particular safe shutdown path that it can affect. This equipment is designated as ...

Using the criteria in Appendix H, the analyst classifies the components identified above either as required for hot shutdown components or as an important to SSD component.

The required safe shutdown path for any particular fire area is comprised of required and important to SSD components. The classification of a particular component in regards to being either a required or an important to SSD component can vary from fire area to fire area. Refer to Appendix H for additional details.

The analyst reviews the P&IDs for the systems physically connected to the reactor vessel to determine the equipment that can result in a loss of reactor inventory in excess of make up capability. This includes a special class of valves known as "high/low pressure interfaces."

Refer to Appendix C for the special requirements associated with high/low pressure interface valves. Equipment in this category is typically related to all safe shutdown paths, since a loss of reactor vessel inventory would be a concern for any safe shutdown path.

1.3.2.4 Safe Shutdown Cable Identification

Using the electrical schematic drawings for the equipment identified above, the analyst identifies all the cables required for the proper operation of the safe shutdown equipment. This will include, in addition to the cables that are physically connected to the equipment, any cables interlocked to the primary electrical schematic through secondary schematics.

The cables identified are related to the same safe shutdown path as the equipment they support.

While reviewing the electrical schematics for the equipment, the analyst identifies the safe shutdown equipment from the electrical distribution system (EDS). The EDS equipment (bus) for the safe shutdown path is associated with the equipment that it powers. All upstream busses are identified and similarly related to the safe shutdown path.

In addition, all power cables associated with each bus in the EDS are identified and related to the same safe shutdown path as the EDS equipment. This information is required to support the Breaker Coordination Analysis.

1.3.2.5 Safe Shutdown Circuit Analysis

Using information on the physical routing of the required cables and the physical locations of all safe shutdown equipment, the analyst determines equipment and cable impacts for each safe shutdown path in each plant fire area. Based on the number and types of impacts to these paths, each fire area is assigned a required safe shutdown path(s).

Initially, it is assumed that any cables related to a required safe shutdown component in a given fire area will cause the component to fail in the worst-case position (i.e., if the safe shutdown position of a valve is closed, the valve is assumed to open if the required cables are routed in the fire area).

If necessary, a detailed analysis of the cable for the specific effect of the fire on that safe shutdown path is performed. This is accomplished by reviewing each conductor in each of these cables for the effects of a hot short, a short-to-ground or an open circuit (test results indicate that open circuits are not the initial fire-induced failure mode) and determining the impact on the required safe shutdown component. The impact is assessed in terms of the effect on the safe shutdown system, the safe shutdown path, the shutdown functions and the goal for post-fire safe shutdown.

For the Plant Specific List of MSOs developed using the Resolution Methodology outlined in Chapter 4, apply the Circuit Failure Criteria outlined in Appendix B as opposed to the circuit failure criteria discussed in the paragraph above.

1.3.2.6 Safe Shutdown Equipment Impacts

Using the process described above, the analyst identifies the potential impacts to safe shutdown equipment, systems, paths, and functions relied upon in each fire area, and then mitigates the effects on safe shutdown for each safe shutdown component impacted by the fire. The mitigating techniques must meet the regulations. For example, for required for hot shutdown components the mitigating techniques listed in Figure 1-1 for required hot shutdown components apply. For required for hot shutdown components, in addition to the available options of re-designing the systems and/or affected circuits and processing Exemption Requests or License Amendment Requests (LARs), the protection schemes of Appendix R Section III.G.2 are to be applied. If the component, however, is classified as an important to SSD component, mitigating tools in addition to those available for required safe shutdown components may be credited as an alternate to those available for required for safe shutdown components. Refer to Figure 1-1 and Appendix H for additional details. One of the mitigating tools for an important to SSD circuit component is the use of an operator manual action. If an operator manual action is relied upon as the mitigating tool, then it must meet the regulatory acceptance criteria related to operator manual actions. Refer to Appendix E for additional information related to the regulatory acceptance criteria for operator manual actions.

2 Licensing Citation: Waterford III Submittal to NRR dated February 7, 1985, Item No. 5 on page 3. Susquehanna Steam Electric Station NRC Question 40.97 paragraph 3a. Wolf Creek/Callaway SSER 5 Section 9.5.1.5 second paragraph.

The process of identifying and mitigating impacts to the required safe shutdown path(s) described above is explained in more detail throughout this document.
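The fire-area screening summarized in Sections 1.3.2.2 through 1.3.2.6 can be sketched in code. This is an added example, not part of NEI 00-01: the component tags, cable tags, fire areas and path names are constructed, and ranking paths by (required, important) impact counts is an assumed way to express "number and types of impacts".

```python
"""Fire-area screening sketch for Sections 1.3.2.2-1.3.2.6 (added example).

Every tag, fire area and path name below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

REQUIRED = "required for hot shutdown"
IMPORTANT = "important to safe shutdown"

# Mitigation options as labelled in the text of Figure 1-1.
REQUIRED_OPTIONS = (
    "Reroute, re-analyze or re-design circuit",
    "Protect in accordance with III.G.2",
    "Exemption Request, Deviation Request or LAR",
)
MITIGATION = {
    REQUIRED: REQUIRED_OPTIONS,
    IMPORTANT: REQUIRED_OPTIONS + ("Operator manual action",),
}


@dataclass(frozen=True)
class Component:
    tag: str
    area: str                        # fire area where the equipment is located
    paths: frozenset                 # safe shutdown paths it is related to
    kind: str                        # Appendix H classification
    fed_from: Optional[str] = None   # upstream EDS bus, if any


@dataclass(frozen=True)
class Cable:
    tag: str
    supports: str                    # component the cable serves
    areas: frozenset                 # fire areas the cable is routed through


PATHS = ("P1", "P2")
COMPONENTS = {c.tag: c for c in (
    Component("BUS-A", "FA-1", frozenset({"P1"}), REQUIRED),
    Component("BUS-B", "FA-2", frozenset({"P2"}), REQUIRED),
    Component("PUMP-A", "FA-3", frozenset({"P1"}), REQUIRED, "BUS-A"),
    Component("MOV-A", "FA-3", frozenset({"P1"}), REQUIRED, "BUS-A"),
    Component("PUMP-B", "FA-4", frozenset({"P2"}), REQUIRED, "BUS-B"),
    Component("MOV-B", "FA-4", frozenset({"P2"}), REQUIRED, "BUS-B"),
    # High/low pressure interface valve: related to every path.
    Component("HLPI-1", "FA-5", frozenset(PATHS), IMPORTANT),
)}
CABLES = (
    Cable("C-PA-PWR", "PUMP-A", frozenset({"FA-1", "FA-3"})),
    Cable("C-PA-CTL", "PUMP-A", frozenset({"FA-3", "FA-6"})),
    Cable("C-PB-PWR", "PUMP-B", frozenset({"FA-2", "FA-4"})),
    Cable("C-PB-CTL", "PUMP-B", frozenset({"FA-4", "FA-6"})),
    Cable("C-HL-CTL", "HLPI-1", frozenset({"FA-3", "FA-5"})),
)


def impacted_components(area):
    """Tags assumed failed in the worst-case position for a fire in `area`."""
    hit = {c.tag for c in COMPONENTS.values() if c.area == area}
    hit |= {cab.supports for cab in CABLES if area in cab.areas}
    changed = True
    while changed:                   # loss of a bus fails everything it feeds
        changed = False
        for c in COMPONENTS.values():
            if c.fed_from in hit and c.tag not in hit:
                hit.add(c.tag)
                changed = True
    return hit


def analyze_area(area):
    """Count impacts per path, assign the required path(s), list mitigations."""
    hit = impacted_components(area)
    impacts = {}
    for p in PATHS:
        on_path = [COMPONENTS[t] for t in sorted(hit) if p in COMPONENTS[t].paths]
        impacts[p] = {k: [c.tag for c in on_path if c.kind == k]
                      for k in (REQUIRED, IMPORTANT)}

    def score(p):
        return (len(impacts[p][REQUIRED]), len(impacts[p][IMPORTANT]))

    best = min(score(p) for p in PATHS)
    assigned = [p for p in PATHS if score(p) == best]
    # Paths whose "required for hot shutdown" set is free of fire damage.
    intact = [p for p in PATHS if not impacts[p][REQUIRED]]
    to_mitigate = {
        p: {tag: MITIGATION[COMPONENTS[tag].kind]
            for kind in (REQUIRED, IMPORTANT) for tag in impacts[p][kind]}
        for p in assigned
    }
    return {"impacts": impacts, "intact": intact,
            "assigned": assigned, "to_mitigate": to_mitigate}


if __name__ == "__main__":
    for fire_area in ("FA-1", "FA-3", "FA-6"):
        result = analyze_area(fire_area)
        print(fire_area, result["assigned"], result["intact"], result["to_mitigate"])
```

In the constructed data, fire area FA-6 carries control cables for both paths, so no path keeps its required set intact and every impact there needs one of the options for required components.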

1.3.3 RISK SIGNIFICANCE METHODS

The Resolution Methodology for determining the Plant Specific List of MSOs is contained in Chapter 4. Refer to Chapter 4 for additional details. The method details both the determination of applicable plant-specific MSOs and the disposition/mitigation of MSOs using either deterministic methods, Fire Modeling or risk (e.g., Focused Scope Fire PRA) methods. The use of risk significance methods, such as a focused-scope fire PRA, is documented in Chapter 5.

2 APPENDIX R REQUIREMENTS AND CONSIDERATIONS

This section provides a general overview of the Appendix R regulatory requirements including the criteria for classifying the various shutdown methods. It describes the distinctions between redundant, alternative and dedicated shutdown capabilities and provides guidance for implementing these shutdown methods. In addition, the considerations dealing with a loss of offsite power and associated circuits are also discussed. Refer to Figure 2-1.

2.1 REGULATORY REQUIREMENTS

10 CFR 50 Appendix A, General Design Criterion 3 establishes the overarching goals of NRC's fire protection requirements.

Criterion 3 -- Fire protection. Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Firefighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components.

10 CFR 50 Appendix R Section III.G establishes the regulatory requirements for protecting structures, systems and components important to safety, in order to satisfy the first sentence of GDC 3. Sections III.G.1 and III.G.2 discuss the requirements for "required for hot shutdown" and "important to safe shutdown" and Section III.G.3 discusses the requirements for "alternative or dedicated" shutdown. The requirements for each of these shutdown classifications will be considered separately.

The following sections discuss the regulations and distinctions regarding redundant shutdown methods. Requirements specifically for alternative/dedicated shutdown methods that are different from those used for redundant shutdown methods are discussed in Appendix D to this document.

Requirements for Redundant Safe Shutdown

Section III.G.1 provides the requirements for fire protection of safe shutdown capability and states the following:

III.G. Fire protection of safe shutdown capability.

1. Fire protection features shall be provided for structures, systems, and components important to safe shutdown. These features shall be capable of limiting fire damage so that:

a. One train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage; and

b. Systems necessary to achieve and maintain cold shutdown from either the control room or emergency control station(s) can be repaired within 72 hours.

Figure 2-1 Appendix R Requirements Flowchart [flowchart not reproduced; its boxes cover the III.G.1 fire protection features, repair of cold shutdown systems within 72 hours, identification and location of cables and equipment including associated non-safety circuits, the III.G.2 separation options (3-hour fire barrier, more than 20 feet horizontal separation, 1-hour fire barrier enclosure), and III.G.3 alternative or dedicated shutdown capability with a reference to Appendix D]

(*) "Free of Fire Damage" is achieved when the structure, system or component under consideration is capable of performing its intended function during and after the postulated fire, as needed.

(**) Exemption Requests, Deviation Requests, LARs, GL 86-10 Fire Hazards Evaluations or Fire Protection Design Change Evaluations may be developed as necessary.

(***) For non-inerted containments, provide one of the protection methods identified in Appendix R Section III.G.2 (a), (b), or (c) or provide for 20 ft separation with no intervening combustibles or fire hazards, fire detection and automatic suppression systems, or non-combustible radiant energy shields as specified in Appendix R Section III.G.2 (d), (e), or (f).

In Section III.G.1 there are no functional requirements specifically itemized for the structures, systems or components.

The only requirements identified are those to initially achieve and maintain hot shutdown and to subsequently achieve cold shutdown once any required repairs have been completed.

Section III.G.1 establishes the requirement to ensure that adequate fire protection features exist to assure that one train of systems necessary to achieve and maintain hot shutdown is free of fire damage.

Section III.G.1 presumes that some preexisting fire protection features have been provided, such as barriers (previously approved by the NRC under Appendix A to BTP APCSB 9.5-1).

III.G.2 Except as provided for in paragraph G.3 of this section, where cables or equipment, including associated non-safety circuits that could prevent operation or cause mal-operation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve and maintain hot shutdown conditions are located within the same fire area outside of primary containment, one of the following means of ensuring that one of the redundant trains is free of fire damage shall be provided:

a. Separation of cables and equipment and associated non-safety circuits of redundant trains by a fire barrier having a 3-hour rating. Structural steel forming a part of or supporting such fire barriers shall be protected to provide fire resistance equivalent to that required of the barrier;

b. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustible or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area; or

c. Enclosure of cable and equipment and associated non-safety circuits of one redundant train in a fire barrier having a 1-hour rating. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area;

Inside non-inerted containments one of the fire protection means specified above or one of the following fire protection means shall be provided:

d. Separation of cables and equipment and associated non-safety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards;

e. Installation of fire detectors and an automatic fire suppression system in the fire area; or

f. Separation of cables and equipment and associated non-safety circuits of redundant trains by a noncombustible radiant energy shield.

Section III.G.2 provides separation requirements that must be utilized where redundant trains are located in the same fire area. To comply with the regulatory requirements in Section III.G.1 and 2, the analyst must determine which fire barriers are needed. It is necessary to maintain those barriers previously reviewed and approved by the NRC under Appendix A to APCSB 9.5-1 that provide separation essential for safe shutdown (this may include active fire suppression equipment originally credited for barrier functionality). Where redundant trains of systems necessary to achieve hot shutdown are located in the same fire area outside of primary containment, one must provide fire protection features consistent with the requirements of Section III.G.2.a, b, or c (III.G.2.d, e, and f are also acceptable options inside non-inerted containments) to protect structures, systems, components and cables for one train capable of achieving and maintaining hot shutdown conditions. One must also assure that any repairs required to equipment necessary to achieve and maintain cold shutdown from either the MCR or emergency control station(s) can be made within 72 hours.

Depending on a plant's current licensing basis and Fire Protection License Condition, exemptions, deviations, LARs or GL 86-10 fire hazards analyses and/or fire protection design change evaluations may be used to justify configurations that meet the underlying goals of Appendix R but not certain specific requirements.

2.2 REGULATORY GUIDANCE ON ASSOCIATED CIRCUITS

2.2.1 To ensure that safe shutdown systems remain available to perform their intended functions, the post-fire safe shutdown analysis also requires that other failures be evaluated to ensure that the safe shutdown system functions are not defeated.

The analysis requires that consideration be given to cable failures that may cause spurious operations resulting in unwanted conditions. Also, circuit failures resulting in the loss of support systems such as the electrical power supply from improperly coordinated circuit protective devices must be considered.

As defined in Generic Letter 81-12, these types of circuits are collectively referred to as "Associated circuits of concern".3

2.2.2 Associated circuits need to be evaluated to determine if cable faults can prevent the operation or cause the mal-operation of redundant systems used to achieve and maintain hot shutdown or adversely affect the post-fire safe shutdown capability.

From time to time, the NRC has issued Staff Positions (e.g., memorandum, Information Notices, Generic Letters, inspection findings) documenting their positions as to what systems they consider necessary to achieve and maintain hot shutdown conditions, as well as documenting what types of fire-induced faults should be considered credible for affecting these necessary systems.

2.2.3 NRC GL 81-12, Fire Protection Rule (45 FR 76602, November 19, 1980), dated February 20, 1981, provides additional clarification related to associated circuits of concern that can either prevent operation or cause mal-operation of redundant safe shutdown trains. With respect to these associated circuits of concern, GL 81-12 describes three types of associated circuits of concern. The Clarification of Generic Letter 81-12 defines associated circuits of concern as those cables and equipment that:

a) Have a physical separation less than that required by Section III.G.2 of Appendix R, and:

b) Have either:

i) A common power source with the shutdown equipment (redundant or alternative) and the power source is not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices, or

ii) A connection to circuits of equipment whose spurious operation would adversely affect the shutdown capability (i.e., RHR/RCS isolation valves, ADS valves, PORVs, steam generator atmospheric dump valves, instrumentation, steam bypass, etc.), or

iii) A common enclosure (e.g., raceway, panel, junction) with the shutdown cables (redundant and alternative) and, (1) are not electrically protected by circuit breakers, fuses or similar devices, or (2) will not prevent propagation of the fire into the common enclosure.

3 See the definition of "associated circuits of concern" in GL 81-12.

Although protecting the fire-induced failures of associated circuits of concern is required, to reinforce that Generic Letter 81-12 simply provides guidance rather than requirements, the Clarification of Generic Letter 81-12 further states the following regarding alternatives for protecting the safe shutdown capability:

The guidelines for protecting the safe shutdown capability from fire-induced failures of associated circuits are not requirements. These guidelines should be used only as guidance when needed. These guidelines do not limit the alternatives available to the licensee for protecting the safe shutdown capability. All proposed methods for protection of the shutdown capability from fire-induced failures will be evaluated by the [NRC] staff for acceptability.

2.3 REGULATORY INTERPRETATION ON LOSS OF OFFSITE POWER

2.3.1 The loss of offsite power has the potential to affect safe shutdown capability. In addition, the regulatory requirements for offsite power differ between the redundant and alternative/dedicated shutdown capability. Therefore, consideration must be given for the loss of offsite power when evaluating its effect on safe shutdown.

The Appendix R requirement to consider a loss of offsite power is specified in Section III.L.3 as follows:

The shutdown capability for specific fire areas may be unique for each such area, or it may be one unique combination of systems for all such areas. In either case, the alternative shutdown capability shall be independent of the specific fire area(s) and shall accommodate post-fire conditions where offsite power is available and where offsite power is not available for 72 hours. Procedures shall be in effect to implement this capability.

2.3.2 Alternative/dedicated systems must demonstrate shutdown capability where offsite power is available and where offsite power is not available for 72 hours. If such equipment and systems used prior to 72 hours after the fire will not be capable of being powered by both onsite and offsite electric power systems because of fire damage, an independent onsite power system shall be provided. Equipment and systems used after 72 hours may be powered by offsite power only.

2.3.3 For redundant shutdown, offsite power may be credited if demonstrated to be free of fire damage, similar to other safe shutdown systems.

2.3.4 If offsite power is postulated to be lost for a particular fire area, and is not needed for the required safe shutdown path for 72 hours, actions necessary for its restoration are considered to be performed under the purview of the emergency response organization and do not require the development of specific recovery strategies or procedures in advance.

2.3.5 Since in an actual fire event offsite power may or may not be available, the potential availability of offsite power should also be considered to confirm that it does not pose a more challenging condition. For example, additional electric heat loads may affect HVAC strategies.

3 DETERMINISTIC METHODOLOGY

This section discusses a generic deterministic methodology and criteria that licensees can use to perform a post-fire safe shutdown analysis to address regulatory requirements.

The plant-specific analysis approved by NRC is reflected in the plant's licensing basis. The methodology described in this section is an acceptable method of performing a post-fire safe shutdown analysis. This methodology is depicted in Figure 3-1. Other methods acceptable to NRC may also be used. Regardless of the method selected by an individual licensee, the criteria and assumptions provided in this guidance document may apply.

The methodology described in Section 3 is based on a computer database oriented approach, which is utilized by several licensees to model Appendix R data relationships. This guidance document, however, does not require the use of a computer database oriented approach.

The requirements of Appendix R Sections III.G.1, III.G.2 and III.G.3 apply to equipment and cables required for achieving and maintaining safe shutdown in any fire area. Although equipment and cables for fire detection and suppression systems, communications systems and 8-hour emergency lighting systems are important features, this guidance document does not address them. The requirements of Appendix R Section III.G.2 do not apply to the circuits for fire detection and suppression systems, communications systems and 8-hour emergency lighting systems.

Additional information is provided in Appendix B to this document related to the circuit failure criteria to be applied in assessing the impact of MSOs on post-fire safe shutdown. The criteria in Appendix B is for MSOs only and it does not supersede the criteria contained in Section 3.5.1.1 for assessing the potential effect of fire-induced impacts to individual components on the required safe shutdown path for a particular fire area.

Chapter 4 provides the Resolution Methodology for determining the Plant Specific List of MSOs to be evaluated. Chapter 5 provides a focused-scope Fire PRA methodology for assessing, on an individual basis, the risk significance of any MSOs determined to be impacted within a common plant fire area. The appropriate use of these tools for mitigating the effects of fire-induced circuit failures for this section and for the MSOs addressed in Chapter 4 and Appendix G are discussed in Appendix H.

3.1 SAFE SHUTDOWN SYSTEMS AND PATH DEVELOPMENT

This section discusses the identification of systems necessary to perform the required safe shutdown functions. It also provides information on the process for combining these systems into safe shutdown paths. Appendix R Section III.G.1.a requires that the capability to achieve and maintain hot shutdown be free of fire damage. Appendix R Section III.G.1.b requires that repairs to systems and equipment necessary to achieve and maintain cold shutdown be completed within 72 hours. This section provides some guidance on classifying components as either required or important to SSD circuit components. It also provides some guidance on the tools available for mitigating the effects of fire-induced circuit failures to each of these classes of equipment. For a more detailed discussion of the topic of required and important to SSD components refer to Appendix H.

Figure 3-1 Deterministic Guidance Methodology Overview

Section 2.0: Establish Appendix R Requirements
• Regulatory Requirements
• Regulatory Guidance on Associated Circuits of Concern
• Regulatory Interpretation on Loss of Offsite Power

Section 3.1: Determine SSD Functions, Systems & Paths
• Reactivity Control, Pressure Control, Inventory Control, DHR, Process Monitoring, Supporting Functions
• Include those that can defeat SSD:
  RPV/RCS Loss of Inventory (*)
  Flow Diversion (*)/Blockage: Inventory Makeup System being used for SSD in FA; Decay Heat Removal being used for SSD in FA
(*) In excess of required makeup

Section 3.2: Select Safe Shutdown Equipment
• Equipment that may perform or defeat SSD functions

Section 3.3: Select Safe Shutdown Cables
• Identify cables required for operation or that can cause mal-operation of listed equipment including improperly coordinated power circuits.
• Associate cables to equipment
• Locate cable raceway & endpoints by fire area
• Join data & identify SSD cables & equipment by fire area

Section 3.4: Fire Area Assessment
• Determine fire impact to equipment required for SSD functions and establish SSD path for each fire area.
• Evaluate effects of a hot short, open circuit, & short to ground on each conductor for each cable.
• Refer to Section 3.5 for Circuit Analysis Criteria.

Mitigation

Required Components:

1. Re-design or re-analyze the circuit or component to eliminate the concern
2. Reroute Cable of Concern
3. Protect Cable of Concern in accordance with III.G.2
4. Perform Repair for Cold Shutdown only
5. Develop Exemption
6. Develop Deviation or LARs
7. Perform GL 86-10 Fire Hazards Evaluation
8. Enter Fire Protection Change Process
9. Identify other equipment to perform same function

Important to SSD Components:

1. Perform an operator manual action
2. Address using fire modeling or a focused-scope Fire PRA using the methods of Chapter 5 for MSO impacts (if permitted under current license

The goal of post-fire safe shutdown is to assure that one train of shutdown systems, structures, and components remains free of fire damage for a single fire in any single plant fire area. This goal is accomplished by determining those functions important to achieve and maintain hot shutdown. Safe shutdown systems are selected so that the capability to perform these required functions is a part of each safe shutdown path.

The functions important to post-fire safe shutdown generally include, but are not limited to the following:

• Reactivity control
• Pressure control systems
• Inventory control systems
• Decay heat removal systems
• Process monitoring (as defined in NRC Information Notice 84-09)
• Support systems
  • Electrical power and control systems
  • Component Cooling systems
  • Component Lubrication systems

These functions are of importance because they have a direct bearing on the safe shutdown goal of being able to achieve and maintain hot shutdown, which ensures the integrity of the fuel, the reactor pressure vessel and the primary containment. If these functions are preserved, then the plant will be safe because the fuel, the reactor and the primary containment will not be damaged.

By assuring that this equipment is not damaged and remains functional, the protection of the health and safety of the public is assured.

The components required to perform these functions are classified as required for hot shutdown components. These components are necessary and sufficient to perform the required safe shutdown functions, assuming that fire-induced impacts to other plant equipment/cables do not occur.

Since fire-induced impacts to other plant equipment/cables can occur in the fire condition, these impacts must also be addressed. The components not necessary to complete the required safe shutdown functions, but which could be impacted by the fire and cause a subsequent impact to the required safe shutdown components are classified as either required for hot shutdown or important to SSD components.

Depending on the classification of the components, the tools available for mitigating the effects of fire-induced damage vary. The available tools are generally discussed in this section and in detail in Appendix H.

The classification of a component or its power or control circuits may vary from fire area to fire area. Therefore, the required safe shutdown path for any given fire area is comprised of required for hot shutdown components and important to SSD components.

The distinction and classification for each required safe shutdown path for each fire area should be discernible in the post-fire safe shutdown analysis.

Generic Letter 81-12 specifies consideration of circuits with the potential for spurious equipment operation and/or loss of power source, and the common enclosure failures. As described above, spurious operations/actuations can affect the accomplishment of the required safe shutdown functions listed above. Typical examples of the effects of the spurious operations of concern are the following:

• A loss of reactor pressure vessel/reactor coolant inventory in excess of the safe shutdown makeup capability
• A flow loss or blockage in the inventory makeup or decay heat removal systems being used for the required safe shutdown path.

Spurious operations are of concern because they have the potential to directly affect the ability to achieve and maintain hot shutdown, which could affect the fuel and cause damage to the reactor pressure vessel or the primary containment. To address the issue of multiple spurious operations, Chapter 4 provides a Resolution Methodology for developing a Plant Specific List of MSOs for evaluation. Appendix B provides the circuit failure criteria applicable to the evaluation of the Plant Specific list of MSOs.

Common power source and common enclosure concerns could also affect the safe shutdown train and must be addressed.

Fire-induced impacts to cables and components classified as important to SSD may be mitigated using a different set of tools than those classified as required for hot shutdown components. For important to SSD component failures, operator manual actions, fire modeling and/or a focused-scope fire PRA may also be used to mitigate the impact. (Focused-scope fire PRAs must be permitted in the Plant's current License Basis. If not, a risk-informed License Amendment Request (LAR) may be necessary.)

3.1.1 CRITERIA/ASSUMPTIONS

The following criteria and assumptions should be considered, as applicable, when identifying systems available and necessary to perform the required safe shutdown functions and combining these systems into safe shutdown paths. This list provides recognized examples of criteria/assumptions but should not be considered an all-inclusive list.

The final set of criteria/assumptions should be based on regulatory requirements and the performance criteria for post-fire safe shutdown for each plant.

3.1.1.1 [BWR] GE Report GE-NE-T43-00002-00-01-R01 entitled "Original Safe Shutdown Paths For The BWR" addresses the systems and equipment originally designed into the GE boiling water reactors (BWRs) in the 1960s and 1970s, that can be used to achieve and maintain safe shutdown per Section III.G.1 of 10 CFR 50, Appendix R. Any of the shutdown paths (methods) described in this report are considered to be acceptable methods for achieving redundant safe shutdown.

3.1.1.2 [BWR] GE Report GE-NE-T43-00002-00-03-RO0 provides a discussion on the BWR Owners' Group (BWROG) position regarding the use of Safety Relief Valves (SRVs) and low pressure systems (LPCI/CS) for safe shutdown. The BWROG position is that the use of SRVs and low pressure systems is an acceptable methodology for achieving redundant safe shutdown in accordance with the requirements of 10 CFR 50 Appendix R Sections III.G.1 and III.G.2. The NRC has accepted the BWROG position and issued an SER dated Dec. 12, 2000.

3.1.1.3 [PWR] Generic Letter 86-10, Enclosure 2, Section 5.3.5 specifies that hot shutdown can be maintained without the use of pressurizer heaters (i.e., pressure control is provided by controlling the makeup/charging pumps). Hot shutdown conditions can be maintained via natural circulation of the RCS through the steam generators. The cooldown rate must be controlled to prevent the formation of a bubble in the reactor head. Therefore, feedwater (either auxiliary or emergency) flow rates as well as steam release must be controlled.

3.1.1.4 The classification of shutdown capability as alternative/dedicated shutdown is made independent of the selection of systems used for shutdown. Alternative/dedicated shutdown capability is determined based on an inability to assure the availability of a redundant safe shutdown path. Compliance to the separation requirements of Sections III.G.1 and III.G.2 may be supplemented by the use of operator manual actions to the extent allowed by the regulations and the licensing basis of the plant (see Appendix E), repairs (cold shutdown only), exemptions, deviations, GL 86-10 fire hazards analyses or fire protection design change evaluations permitted by GL 86-10, as appropriate. These may also be used in conjunction with alternative/dedicated shutdown capability. A discussion of time zero for the fire condition, as it relates to operator manual actions and repairs, is contained in Appendix E.

3.1.1.5 At the onset of the postulated fire, all safe shutdown systems (including applicable redundant trains) are assumed operable and available for post-fire safe shutdown. Systems are assumed to be operational with no repairs, maintenance, testing, Limiting Conditions for Operation, etc. in progress. The units are assumed to be operating at full power under normal conditions and nominal lineups.

3.1.1.6 No Final Safety Analysis Report accidents or other design basis events (e.g. loss of coolant accident, earthquake), single failures or non-fire-induced transients need be considered in conjunction with the fire.

3.1.1.7 For the case of redundant shutdown, offsite power may be credited if demonstrated to be free of fire damage. Offsite power should be assumed to remain available for those cases where its availability may adversely impact safety (i.e., reliance cannot be placed on fire causing a loss of offsite power if the consequences of offsite power availability are more severe than its presumed loss). No credit should be taken for a fire causing a loss of offsite power. For areas where train separation cannot be achieved and alternative shutdown capability is necessary, shutdown must be demonstrated both where offsite power is available and where offsite power is not available for 72 hours.

3.1.1.8 Post-fire safe shutdown systems and components are not required to be safety-related.

3.1.1.9 The post-fire safe shutdown analysis assumes a 72-hour coping period starting with a reactor scram/trip. Fire-induced impacts that provide no adverse consequences to hot shutdown within this 72-hour period need not be included in the post-fire safe shutdown analysis. At least one train can be repaired or made operable within 72 hours using onsite capability to achieve cold shutdown.

3.1.1.10 Manual initiation from the main control room or emergency control stations of systems required to achieve and maintain safe shutdown is acceptable where permitted by current regulations or approved by NRC (See Appendix E); automatic initiation of systems selected for safe shutdown is not required but may be included as an option, if the additional cables and equipment are also included in the analysis. However, spurious actuation of automatic systems (Safety Injection, Auxiliary Feedwater, High Pressure Coolant Injection, Reactor Core Isolation Cooling, etc.) due to fire damage should be evaluated.

3.1.1.11 Where a single fire can impact more than one unit of a multi-unit plant, the ability to achieve and maintain safe shutdown for each affected unit must be demonstrated.

3.1.2 SHUTDOWN FUNCTIONS

The following discussion on each of these shutdown functions provides guidance for selecting the systems and equipment required for hot shutdown. For additional information on BWR system selection, refer to GE Report GE-NE-T43-00002-00-01-RO0 entitled "Original Safe Shutdown Paths for the BWR."

3.1.2.1 Reactivity Control

[BWR] Control Rod Drive System

The safe shutdown performance and design requirements for the reactivity control function can be met without automatic scram/trip capability. Manual scram/reactor trip is credited. The post-fire safe shutdown analysis must only provide the capability to manually scram/trip the reactor.

Each licensee should have an operator manual action to either vent the instrument air header or to remove RPS power in their post-fire safe shutdown procedures. The presence of this action precludes the need to perform circuit analysis for the reactivity control function and is an acceptable way to accomplish this function.

[PWR] Makeup/Charging

There must be a method for ensuring that adequate shutdown margin is maintained from initial reactor SCRAM to cold shutdown conditions, by controlling Reactor Coolant System temperature and ensuring borated water is utilized for RCS makeup/charging.

3.1.2.2 Pressure Control Systems

The systems discussed in this section are examples of systems that can be used for pressure control. This does not restrict the use of other systems for this purpose.

[BWR] Safety Relief Valves (SRVs)

Initial pressure control may be provided by the SRVs mechanically cycling at their setpoints (electrically cycling for EMRVs). Mechanically-actuated SRVs require no electrical analysis to perform their overpressure protection function. The SRVs may also be opened to maintain hot shutdown conditions or to depressurize the vessel to allow injection using low pressure systems. These are operated manually. Automatic initiation of the Automatic Depressurization System (ADS) is not a required function. Automatic initiation of the ADS may be credited, if available. If automatic ADS is not available and use of ADS is desired, an alternative means of initiation of ADS separate from the automatic initiation logic for accomplishing the pressure control function should be provided.

[PWR] Makeup/Charging

RCS pressure is controlled by controlling the rate of charging/makeup to the RCS. Although utilization of the pressurizer heaters and/or auxiliary spray reduces operator burden, neither component is required to provide adequate pressure control. Pressure reductions are made by allowing the RCS to cool/shrink, thus reducing pressurizer level/pressure. Pressure increases are made by initiating charging/makeup to maintain pressurizer level/pressure. Manual control of the related pumps is acceptable.

3.1.2.3 Inventory Control

[BWR] Systems selected for the inventory control function should be capable of supplying sufficient reactor coolant to achieve and maintain hot shutdown. Manual initiation of these systems is acceptable. Automatic initiation functions are not required. However, spurious actuation of automatic systems should be evaluated (High Pressure Coolant Injection, High Pressure Core Spray, Reactor Core Isolation Cooling, etc.).

[PWR] Systems selected for the inventory control function should be capable of maintaining level to achieve and maintain hot shutdown. Typically, the same components providing inventory control are capable of providing pressure control. Manual initiation of these systems is acceptable. Automatic initiation functions are not required. However, spurious actuation of automatic systems should be evaluated (Safety Injection, High Pressure Injection, Auxiliary Feedwater, Emergency Feedwater, etc.).

3.1.2.4 Decay Heat Removal

[BWR] Systems selected for the decay heat removal function(s) should be capable of:

• Removing sufficient decay heat from primary containment, to prevent containment over-pressurization and failure.
• Satisfying the net positive suction head requirements of any safe shutdown systems taking suction from the containment (suppression pool).
• Removing sufficient decay heat from the reactor to achieve cold shutdown. (This is not a hot shutdown requirement.)

[PWR] Systems selected for the decay heat removal function(s) should be capable of:

• Removing sufficient decay heat from the reactor to reach hot shutdown conditions. Typically, this entails utilizing natural circulation in lieu of forced circulation via the reactor coolant pumps and controlling steam release via the Atmospheric Dump valves.
• Removing sufficient decay heat from the reactor to reach cold shutdown conditions. (This is not a hot shutdown requirement.)

This does not restrict the use of other systems.

3.1.2.5 Process Monitoring

The process monitoring function is provided for all safe shutdown paths. IN 84-09, Attachment 1, Section IX "Lessons Learned from NRC Inspections of Fire Protection Safe Shutdown Systems (10 CFR 50 Appendix R)" provides guidance on the instrumentation acceptable to and preferred by the NRC for meeting the process monitoring function. This instrumentation is that which monitors the process variables necessary to perform and control the functions specified in Appendix R Section III.L.1.

Such instrumentation must be demonstrated to remain unaffected by the fire. The IN 84-09 list of process monitoring is applied to alternative/dedicated shutdown (III.G.3). The use of this same list for III.G.2 redundant Post-Fire Safe Shutdown is acceptable, but the analyst needs to review the specific license basis for the plant under evaluation. In general, process monitoring instruments similar to those listed below are needed to successfully use existing operating procedures (including Abnormal Operating Procedures).

BWR

• Reactor coolant level and pressure
• Suppression pool level and temperature
• Emergency or isolation condenser level
• Diagnostic instrumentation for safe shutdown systems
• Level indication for tanks needed for safe shutdown

PWR

• Reactor coolant temperature (hot leg / cold leg)
• Pressurizer pressure and level
• Neutron flux monitoring (source range)
• Level indication for tanks needed for safe shutdown
• Steam generator level and pressure
• Diagnostic instrumentation for safe shutdown systems

The specific instruments required may be based on operator preference, safe shutdown procedural guidance strategy (symptomatic vs. prescriptive), and systems and paths selected for safe shutdown.

3.1.2.6 Support Systems

3.1.2.6.1 Electrical Systems

AC Distribution System

Power for the Appendix R safe shutdown equipment is typically provided by a medium voltage system such as 4.16 KV Class 1E busses either directly from the busses or through step down transformers/load centers/distribution panels for 600, 480 or 120 VAC loads. For redundant safe shutdown performed in accordance with the requirements of Appendix R Section III.G.1 and 2, power may be supplied from either offsite power sources or the emergency diesel generator depending on which has been demonstrated to be free of fire damage. No credit should be taken for any beneficial effects of a fire causing a loss of offsite power. Refer to Section 3.1.1.7.

DC Distribution System

Typically, the 125VDC distribution system supplies DC control power to various 125VDC control panels including switchgear breaker controls. The 125VDC distribution panels may also supply power to the 120VAC distribution panels via static inverters. These distribution panels may supply power for instrumentation necessary to complete the process monitoring functions.

For fire events that result in an interruption of power to the AC electrical bus, the station batteries are necessary to supply any required control power during the interim time period required for the diesel generators to become operational. Once the diesels are operational, the 125VDC distribution system can be powered from sources fed from the diesels through the battery chargers.

[BWR] Certain plants are also designed with a 250VDC Distribution System that supplies power to Reactor Core Isolation Cooling and/or High Pressure Coolant Injection equipment.

The DC control centers may also supply power to various small horsepower Appendix R safe shutdown system valves and pumps. If the DC system is relied upon to support safe shutdown without battery chargers being available, it must be verified that sufficient battery capacity exists to support the necessary loads for sufficient time (either until power is restored, or the loads are no longer required to operate).

3.1.2.6.2 Cooling Systems

Various cooling water systems are required to support safe shutdown system operation, based on plant-specific considerations. Typical uses include:

• RHR/SDC/DH Heat Exchanger cooling water
• Safe shutdown pump cooling (seal coolers, oil coolers)
• Diesel generator cooling

3.1.2.6.3 HVAC Systems

HVAC Systems may be required to assure that safe shutdown equipment remains within its operating temperature range, as specified in manufacturer's literature or demonstrated by suitable test methods, and to assure protection for plant operations staff from the effects of fire (smoke, heat, toxic gases, and gaseous fire suppression agents).

HVAC systems, however, are not required to support safe shutdown in all cases.

The need for HVAC system operation is based on plant-specific configurations and plant-specific heat loads. Typical potential uses include:

• Main control room, cable spreading room, relay room
• ECCS pump compartments
• Diesel generator rooms
• Switchgear rooms

Plant-specific evaluations are necessary to determine which HVAC systems could be required or useful in supporting post-fire safe shutdown. Transient temperature response analyses are often utilized to demonstrate that specific HVAC systems would or would not be required. If HVAC systems are credited, the potential for adverse fire effects to the HVAC system must also be considered, including:

• Dampers closing due to direct fire exposure or due to hot gases flowing through ventilation ducts from the fire area to an area not directly affected by the fire. Where provided, smoke dampers should consider similar effects from smoke.
• Recirculation or migration of toxic conditions (e.g., smoke from the fire, suppressants such as Carbon Dioxide).

In certain situations, adequate time exists to open doors to provide adequate cooling to allow continued equipment operation.

Therefore, the list of required safe shutdown components as it relates to HVAC Systems may be determined based on transient temperature analysis. Should this analysis demonstrate that adequate time exists to open doors to provide the necessary cooling, htg C

.olin..

Only those components whose operation is required to provide immediate HVAC Cooling for required safe shutdown components are considered themselves to be required safe shutdown components. This latter set of HVAC Cooling Components are required to meet the criteria for required safe shutdown components with regard to the available mitigating tools.

3.1.3 METHODOLOGY FOR SHUTDOWN SYSTEM SELECTION

Refer to Figure 3-2 for a flowchart illustrating the various steps involved in selecting safe shutdown systems and developing the shutdown paths.

The following methodology may be used to define the safe shutdown systems and paths for an Appendix R analysis:

3.1.3.1 Identify safe shutdown functions

Review available documentation to obtain an understanding of the available plant systems and the functions required to achieve and maintain safe shutdown. Documents such as the following may be reviewed:

• Operating Procedures (Normal, Emergency, Abnormal)
• System descriptions
• Fire Hazard Analysis
• Single-line electrical diagrams
• Piping and Instrumentation Diagrams (P&IDs)
• [BWR] GE Report GE-NE-T43-00002-00-01-R02 entitled "Original Shutdown Paths for the BWR"

Figure 3-2 Safe Shutdown System Selection and Path Development

Step 1: Define Appendix R requirements. (Refer to Figure 2-1.)
Step 3: Identify combinations of systems that satisfy each safe shutdown function.
Step 4: Define combination of systems for each shutdown path.
Step 5: Assign shutdown path to each combination of systems. (Refer to Attachment 1 for an example of a Safe Shutdown Path Development List.)

3.1.3.2 Identify Combinations of Systems That Satisfy Each Safe Shutdown Function

Given the criteria/assumptions defined in Section 3.1.1, identify the available combinations of systems capable of achieving the safe shutdown functions of reactivity control, pressure control, inventory control, decay heat removal, process monitoring and support systems such as electrical and cooling systems (refer to Section 3.1.2). This selection process does not restrict the use of other systems. In addition to achieving the required safe shutdown functions, consider other equipment whose mal-operation or spurious operation could impact the required safe shutdown function. The components in this latter set are classified as either required for hot shutdown or as important to SSD as explained in Appendix H.

3.1.3.3 Define Combination of Systems for Each Safe Shutdown Path

Select combinations of systems with the capability of performing all of the required safe shutdown functions and designate this set of systems as a safe shutdown path. In many cases, paths may be defined on a divisional basis since the availability of electrical power and other support systems must be demonstrated for each path. During the equipment selection phase, identify any additional support systems and list them for the appropriate path.

3.1.3.4 Assign Shutdown Paths to Each Combination of Systems

Assign a path designation to each combination of systems. The path will serve to document the combination of systems relied upon for safe shutdown in each fire area. Refer to Attachment 1 to this document for an example of a table illustrating how to document the various combinations of systems for selected shutdown paths.

3.2 SAFE SHUTDOWN EQUIPMENT SELECTION

The previous section described the methodology for selecting the systems and paths necessary to achieve and maintain safe shutdown for an exposure fire event (see Section 5.0 DEFINITIONS for "Exposure Fire"). This section describes the criteria/assumptions and selection methodology for identifying the specific safe shutdown equipment necessary for the systems to perform their Appendix R functions. The selected equipment should be related back to the safe shutdown systems that they support and be assigned to the same safe shutdown path as that system. The list of safe shutdown equipment will then form the basis for identifying the cables necessary for the operation or that can cause the mal-operation of the safe shutdown systems. For each path it will be important to understand which components are classified as required safe shutdown components and which are classified as 1ssocltIcrcuCItirn itst to 1

hfl 0

o I:[I, 7VWtzc 2% L lm( Ipact 1toeacn affected cale cImponeht lit fire a. i s

cIamsisficati~ni~dictates the ls avaflablc goi waipation the.aft.. ts.

3.2.1 CRITERIA/ASSUMPTIONS

Consider the following criteria and assumptions when identifying equipment necessary to perform the required safe shutdown functions:

3.2.1.1 Safe shutdown equipment can be divided into two categories. Equipment may be categorized as (1) primary components or (2) secondary components.

Typically, the following types of equipment are considered to be primary components:

• Pumps, motor operated valves, solenoid valves, fans, gas bottles, dampers, unit coolers, etc.
• All necessary process indicators and recorders (i.e., flow indicator, temperature indicator, turbine speed indicator, pressure indicator, level recorder)
• Power supplies or other electrical components that support operation of primary components (i.e., diesel generators, switchgear, motor control centers, load centers, power supplies, distribution panels, etc.).

Secondary components are typically items found within the circuitry for a primary component. These provide a supporting role to the overall circuit function. Some secondary components may provide an isolation function or a signal to a primary component via either an interlock or input signal processor.

Examples of secondary components include flow switches, pressure switches, temperature switches, level switches, temperature elements, speed elements, transmitters, converters, controllers, transducers, signal conditioners, hand switches, relays, fuses and various instrumentation devices.

Determine which equipment should be included on the Safe Shutdown Equipment List (SSEL). As an option, include secondary components with a primary component(s) that would be affected by fire damage to the secondary component. By doing this, the SSEL can be kept to a manageable size and the equipment included on the SSEL can be readily related to required post-fire safe shutdown systems and functions.

3.2.1.2 Assume that exposure fire damage to manual valves and piping does not adversely impact their ability to perform their pressure boundary or safe shutdown function (heat sensitive piping materials, including tubing with brazed or soldered joints, are not included in this assumption). Fire damage should be evaluated with respect to the ability to manually open or close the valve should this be necessary as a part of the post-fire safe shutdown scenario.

3.2.1.3 Assume that all components, including manual valves, are in their normal position as shown on P&IDs or in the plant operating procedures, that there are no LCOs in effect, that the Unit is operating at 100% power and that no equipment has been taken out of service for maintenance.

3.2.1.4 Assume that a check valve closes in the direction of potential flow diversion and seats properly with sufficient leak tightness to prevent flow diversion. Therefore, check valves do not adversely affect the flow rate capability of the safe shutdown systems being used for inventory control, decay heat removal, equipment cooling or other related safe shutdown functions.

3.2.1.5 Instruments (e.g., resistance temperature detectors, thermocouples, pressure transmitters, and flow transmitters) are assumed to fail upscale, midscale, or downscale as a result of fire damage, whichever is worse. An instrument performing a control function is assumed to provide an undesired signal to the control circuit.

Identify equipment that could spuriously operate or mal-operate and impact the performance of equipment on a required safe shutdown path during the equipment selection phase. Additionally refer to Chapter 4 for the Resolution Methodology for determining the Specific List of MSOs requiring evaluation.

Identify instrument tubing that may cause subsequent effects on instrument readings or signals as a result of fire. Determine and consider the fire area location of the instrument tubing when evaluating the effects of fire damage to circuits and equipment in the fire area.

3.2.2 METHODOLOGY FOR EQUIPMENT SELECTION

Refer to Figure 3-3 for a flowchart illustrating the various steps involved in selecting safe shutdown equipment.

Use the following methodology to select the safe shutdown equipment for a post-fire safe shutdown analysis.

3.2.2.1 Identify the System Flow Path for Each Shutdown Path

Mark up and annotate a P&ID to highlight the specific flow paths for each system in support of each shutdown path. Refer to Attachment 2 for an example of an annotated P&ID illustrating this concept.

3.2.2.2 Identify the Equipment in Each Safe Shutdown System Flow Path Including Equipment That May Spuriously Operate and Affect System Operation

Review the applicable documentation (e.g., P&IDs, electrical drawings, instrument loop diagrams) to assure that all equipment in each system's flow path has been identified. Assure that any equipment that could spuriously operate and adversely affect the desired system function(s) is also identified.

Criteria for making the determination as to which of these components are to be classified as required for hot shutdown or as important to SSD is contained in Appendix H. If additional systems are identified which are necessary for the operation of the safe shutdown system under review, include these as required for hot shutdown systems.

Designate these new systems with the same safe shutdown path as the primary safe shutdown system under review (Refer to Figure 3-1).

3.2.2.3 Develop a List of Safe Shutdown Equipment and Assign the Corresponding System and Safe Shutdown Path(s) Designation to Each.

Prepare a table listing the equipment identified for each system and the shutdown path that it supports. Identify any valves or other equipment that could spuriously operate and impact the operation of that safe shutdown system.

Criteria for making the determination as to which of these components are to be classified as required for hot shutdown or as important to SSD is contained in Appendix H.

Assign the safe shutdown path for the affected system to this equipment. During the cable selection phase, identify additional equipment required to support the safe shutdown function of the path (e.g., electrical distribution system equipment). Include this additional equipment in the safe shutdown equipment list. Attachment 3 to this document provides an example of a Safe Shutdown Equipment List (SSEL). The SSEL identifies the list of equipment within the plant considered for post-fire safe shutdown and it documents various equipment-related attributes used in the analysis.

3.2.2.4 Identify Equipment Information Required for the Safe Shutdown Analysis

Collect additional equipment-related information necessary for performing the post-fire safe shutdown analysis for the equipment. In order to facilitate the analysis, tabulate this data for each piece of equipment on the SSEL. Refer to Attachment 3 to this document for an example of a SSEL. Examples of related equipment data should include the equipment type, equipment description, safe shutdown system, safe shutdown path, drawing reference, fire area, fire zone, and room location of equipment.

Other information such as the following may be useful in performing the safe shutdown analysis: normal position, hot shutdown position, cold shutdown position, failed air position, failed electrical position, high/low pressure interface concern, and spurious operation concern.

Criteria for making the determination as to which of these components are to be classified as required for hot shutdown or as important to SSD is contained in Appendix H.

3.2.2.5 Identify Dependencies Between Equipment, Supporting Equipment, Safe Shutdown Systems and Safe Shutdown Paths.

In the process of defining equipment and cables for safe shutdown, identify additional supporting equipment such as electrical power and interlocked equipment. As an aid in assessing identified impacts to safe shutdown, consider modeling the dependency between equipment within each safe shutdown path either in a relational database or in the form of a Safe Shutdown Logic Diagram (SSLD). Attachment 4 provides an example of a SSLD that may be developed to document these relationships.

Figure 3-3 Safe Shutdown Equipment Selection

3.3 SAFE SHUTDOWN CABLE SELECTION AND LOCATION

This section provides industry guidance on the recommended one acceptable approach to methodology and criteria for selecting safe shutdown cables and determining their potential impact on equipment required for achieving and maintaining safe shutdown of an operating nuclear power plant for the condition of an exposure fire. The Appendix R safe shutdown cable selection criteria are developed to ensure that all cables that could affect the proper operation or that could cause the mal-operation of safe shutdown equipment are identified and that these cables are properly related to the safe shutdown equipment whose functionality they could affect.

Through this cable-to-equipment relationship, cables become part of the safe shutdown path assigned to the equipment affected by the cable. The classification of a cable as either an important to SSD circuit cable or a required safe shutdown cable is also derived from the classification applied to the component that it supports. This classification can vary from one fire area to another depending on the approach used to accomplish post-fire safe shutdown in the area. Refer to Appendix H for the criteria to be used for classifying required and important to SSD components.

3.3.1 CRITERIA/ASSUMPTIONS

To identify an impact to safe shutdown equipment based on cable routing, the equipment must have cables that affect it identified. Carefully consider how cables are related to safe shutdown equipment so that impacts from these cables can be properly assessed in terms of their ultimate impact on safe shutdown components, systems and functions.

Consider the following criteria when selecting cables that impact safe shutdown equipment:

3.3.1.1.1 The list of cables whose failure could impact the operation of a piece of safe shutdown equipment includes more than those cables connected to the equipment. The relationship between cable and affected equipment is based on a review of the electrical or elementary wiring diagrams. To assure that all cables that could affect the operation of the safe shutdown equipment are identified, investigate the power, control, instrumentation, interlock, and equipment status indication cables related to the equipment. Review additional schematic diagrams to identify additional cables for interlocked circuits that also need to be considered for their impact on the ability of the equipment to operate as required in support of post-fire safe shutdown. As an option, consider applying the screening criteria from Section 3.5 as a part of this section. For an example of this see Section 3.3.1.4.

3.3.1.1.2 In cases where the failure (including spurious operations) of a single cable could impact more than one piece of safe shutdown equipment, associate the cable with each piece of safe shutdown equipment.

3.3.1.1.2.1 Electrical devices such as relays, switches and signal resistor units are considered to be acceptable isolation devices. In the case of instrument loops and electrical metering circuits, review the isolation capabilities of the devices in the loop to determine that an acceptable isolation device has been installed at each point where the loop must be isolated so that a fault would not impact the performance of the safe shutdown instrument function.

Refer to Section 3.5 for the types of faults that should be considered when evaluating the acceptability of the isolation device being credited.

3.3.1.1.3 Screen out cables for circuits that do not impact the safe shutdown function of a component (i.e., annunciator circuits, space heater circuits and computer input circuits) unless some reliance on these circuits is necessary. To be properly screened out, however, the circuits associated with these devices must be isolated from the component's control scheme in such a way that a cable fault would not impact the performance of the circuit.

Refer to Section 3.5 for the types of faults that should be considered when evaluating the acceptability of the isolation device being credited.

3.3.1.1.4 For each circuit requiring power to perform its safe shutdown function, identify the cable supplying power to each safe shutdown and/or required interlock component. Initially, identify only the power cables from the immediate upstream power source for these interlocked circuits and components (i.e., the closest power supply, load center or motor control center).

Review further the electrical distribution system to capture the remaining equipment from the electrical power distribution system necessary to support delivery of power from either the offsite power source or the emergency diesel generators (i.e., onsite power source) to the safe shutdown equipment.

Add this equipment to the safe shutdown equipment list. The set of cables described above are classified as required safe shutdown cables.

Evaluate the power cables for breaker coordination concerns.

The non-safe shutdown cables off of the safe shutdown buses are classified as required for hot shutdown or as important to SSD based on the criteria contained in Appendix H.

3.3.1.1.4.1 The automatic initiation logics for the credited post-fire safe shutdown systems are generally not required to support safe shutdown. Typically, each system can be controlled manually by operator actuation in the main control room or emergency control station. The emergency control station includes those plant locations where control devices, such as switches, are installed for the purpose of operating the equipment. If operator actions to manually manipulate equipment at locations outside the MCR or the emergency control station are necessary, those actions must conform to the regulatory requirements on operator manual actions (See Appendix E).

If not protected from the effects of fire, the fire-induced failure of automatic initiation logic circuits should be considered for their potential to adversely affect any post-fire safe shutdown system function.

3.3.1.1.5 Cabling for the electrical distribution system is a concern for those breakers that feed circuits and are not fully coordinated with upstream breakers.

With respect to electrical distribution cabling, two types of cable associations exist.

For safe shutdown considerations, the direct power feed to a primary safe shutdown component is associated with the primary component and classified as a required safe shutdown cable. For example, the power feed to a pump is necessary to support the pump.

Similarly, the power feed from the load center to an MCC supports the MCC. However, for cases where sufficient branch-circuit coordination is not provided, the same cables discussed above would also support the power supply. For example, the power feed to the pump discussed above would support the bus from which it is fed because, for the case of a common power source analysis, the concern is the loss of the upstream power source and not the connected load. Similarly, the cable feeding the MCC from the load center would also be necessary to support the load center. Additionally, the non-safe shutdown circuits off of each of the required safe shutdown components in the electrical distribution system can impact safe shutdown if not properly coordinated. These cables are classified as required for hot shutdown based on the criteria contained in Appendix H.

3.3.1.1.6 Exclusion analysis may be used to demonstrate a lack of potential for any impact to post-fire safe shutdown from a component or group of components regardless of the cable routing. For these cases, rigorous cable searching and cable to component associations may not be required.

3.3.2 ASSOCIATED CIRCUITS OF CONCERN CABLES

Appendix R, through the guidance provided in NRC Generic Letter 81-12, requires that separation features be provided for associated non-safety circuits that could prevent operation or cause mal-operation due to hot shorts, open circuits, or shorts to ground, of redundant trains of systems necessary to achieve hot shutdown. The three types of associated circuits of concern were identified in Reference 76.1.5 and further clarified in a NRC memorandum dated March 22, 1982 from R. Mattson to D. Eisenhut, Reference 6.7.1.6. They are as follows:

• Spurious actuations
• Common power source
• Common enclosure.

Each of these cables is classified as an associated circuit of concern cable.

Cables Whose Failure May Cause Spurious Operations

Safe shutdown system spurious operation concerns can result from fire damage to a cable whose failure could cause the spurious operation/mal-operation of equipment whose operation could affect safe shutdown. These cables are identified in Section 3.3.3 together with the remaining safe shutdown cables required to support control and operation of the equipment.

Common Power Source Cables

The concern for the common power source associated circuits of concern is the loss of a safe shutdown power source due to inadequate breaker/fuse coordination.

In the case of a fire-induced cable failure on a non-safe shutdown load circuit supplied from the safe shutdown power source, a lack of coordination between the upstream supply breaker/fuse feeding the safe shutdown power source and the load breaker/fuse supplying the non-safe shutdown faulted circuit can result in loss of the safe shutdown bus. This would result in the loss of power to the safe shutdown equipment supplied from that power source, preventing the safe shutdown equipment from performing its required safe shutdown function. Identify these cables together with the remaining safe shutdown cables required to support control and operation of the equipment. Refer to Section 3.5.2.4 for an acceptable methodology for analyzing the impact of these cables on post-fire safe shutdown.

Common Enclosure Cables

The concern with common enclosure associated circuits of concern is fire damage to a cable whose failure could propagate to other safe shutdown cables in the same enclosure either because the circuit is not properly protected by an isolation device (breaker/fuse) such that a fire-induced fault could result in ignition along its length, or by the fire propagating along the cable and into an adjacent fire area. This fire spread to an adjacent fire area could impact safe shutdown equipment in that fire area, thereby resulting in a condition that exceeds the criteria and assumptions of this methodology (i.e., multiple fires). Refer to Section 3.5.2.5 for an acceptable methodology for analyzing the impact of these cables on post-fire safe shutdown.

3.3.3 METHODOLOGY FOR CABLE SELECTION AND LOCATION

Refer to Figure 3-4 for a flowchart illustrating the various steps involved in selecting the cables necessary for performing a post-fire safe shutdown analysis.

Use the following methodology to define the cables required for safe shutdown including cables that may be circuits of concern for a post-fire safe shutdown analysis. Criteria for making the determination as to which circuits are to be classified as required for hot shutdown or as important to SSD is contained in Appendix H.

3.3.3.1 Identify Circuits Necessary for the Operation of the Safe Shutdown Equipment

For each piece of safe shutdown equipment defined in section 3.2, review the appropriate electrical diagrams including the following documentation to identify the circuits (power, control, instrumentation) required for operation or whose failure may impact the operation of each piece of equipment:

• Single-line electrical diagrams
• Elementary wiring diagrams
• Electrical connection diagrams
• Instrument loop diagrams.

For electrical power distribution equipment such as power supplies, identify any circuits whose failure may cause a coordination concern for the bus under evaluation.

If power is required for the equipment, include the closest upstream power distribution source on the safe shutdown equipment list. Through the iterative process described in Figures 3-2 and 3-3, include the additional upstream power sources up to either the offsite or the emergency power source.

3.3.3.2 Identify Interlocked Circuits and Cables Whose Spurious Operation or Mal-operation Could Affect Shutdown

In reviewing each control circuit, investigate interlocks that may lead to additional circuit schemes, cables and equipment. Assign to the equipment any cables for interlocked circuits that can affect the equipment.

Figure 3-4 Safe Shutdown Cable Selection

Step 1 Define safe shutdown equipment. Refer to Figure 3-3.
Step 2 Identify circuits (power, control, instrumentation) required for the operation of each safe shutdown equipment. (*)
Step 3 Identify equipment whose spurious operation or mal-operation could affect safe shutdown.
Step 4 Identify interlocked circuits and cables whose failure may cause spurious actuations. (*)
Decision: Is power required for equipment? (Y / No)
Step 6 Identify closest upstream power supply and verify that it is on the safe shutdown list.
Step 7 Assign cables to equipment.
Step 8 Identify routing of cables.
Step 9 Identify location of cables by fire area.

While investigating the interlocked circuits, additional equipment or power sources may be discovered. Include these interlocked equipment or power sources in the safe shutdown equipment list (refer to Figure 3-3) if they can impact the operation of the equipment under consideration in an undesirable manner that impacts post-fire safe shutdown.

3.3.3.3 Assign Cables to the Safe Shutdown Equipment

Given the criteria/assumptions defined in Section 3.3.1, identify the cables required to operate or that may result in mal-operation of each piece of safe shutdown equipment. Cables are classified as either required for hot shutdown or important to SSD based on the classification of the component to which they are associated and the function of that component in supporting post-fire safe shutdown in each particular fire area. Refer to Appendix H for additional guidance.

Tabulate the list of cables potentially affecting each piece of equipment in a relational database including the respective drawing numbers, their revision and any interlocks that are investigated to determine their impact on the operation of the equipment.

In certain cases, the same cable may support multiple pieces of equipment. Relate cables to each piece of equipment, but not necessarily to each supporting secondary component.

If adequate coordination does not exist for a particular circuit, relate the power cable to the power source. This will ensure that the power source is identified as affected equipment in the fire areas where the cable may be damaged.

Criteria for making the determination as to which cables are to be classified as required for hot shutdown or as important to SSD is contained in Appendix H.

3.3.3.4 Identify Routing of Cables

Identify the routing for each cable including all raceway and cable endpoints. Typically, this information is obtained from joining the list of safe shutdown cables with an existing cable and raceway database.

3.3.3.5 Identify Location of Raceway and Cables by Fire Area

Identify the fire area location of each raceway and cable endpoint identified in the previous step and join this information with the cable routing data. In addition, identify the location of field-routed cable by fire area. This produces a database containing all of the cables requiring fire area analysis, their locations by fire area, and their raceway.

3.4 FIRE AREA ASSESSMENT AND COMPLIANCE STRATEGIES

By determining the location of each component and cable by fire area and using the cable to equipment relationships described above, the affected safe shutdown equipment in each fire area can be determined. Using the list of affected equipment in each fire area, the impacts to safe shutdown systems, paths and functions can be determined.

Based on an assessment of the number and types of these impacts, the required safe shutdown path for each fire area can be determined. The specific impacts to the selected safe shutdown path can be evaluated using the circuit analysis and evaluation criteria contained in Section 3.5 of this document.

Knowing which components and systems are performing which safe shutdown functions, the required and important to SSD components can be classified. Once these component classifications have been made, the tools available for mitigating the effects of fire-induced damage can be selected. Refer to Appendix H for additional guidance on classifying components as either required for hot shutdown or important to safe shutdown. For MSOs the Resolution Methodology outlined in Section 4, Section 5, Appendix B and Appendix G should be applied. Components in each MSO are classified as either required for hot shutdown or important to safe shutdown components using the criteria from Appendix H. Similarly, this classification defines the available tools for mitigating the effects of fire-induced damage to the circuits for these components.

Having identified all impacts to the required safe shutdown path in a particular fire area, this section provides guidance on the techniques available for individually mitigating the effects of each of the potential impacts.

3.4.1 CRITERIA/ASSUMPTIONS

The following criteria and assumptions apply when performing "deterministic" fire area compliance assessment to mitigate the consequences of the circuit failures identified in the previous sections for the required safe shutdown path in each fire area.

3.4.1.1 Assume only one fire in any single fire area at a time.

3.4.1.2 Assume that the fire may affect all unprotected cables and equipment within the fire area. This assumes that neither the fire size nor the fire intensity is known. This is conservative and bounds the exposure fire that is postulated in

3.4.1.3 Address all cable and equipment impacts affecting the required safe shutdown path in the fire area. All potential impacts within the fire area must be addressed. The focus of this section is to determine and assess the potential impacts to the required safe shutdown path selected for achieving post-fire safe shutdown and to assure that the required safe shutdown path for a given fire area is properly protected.

3.4.1.4 Use the criteria from Appendix H to classify each impacted cable/component as either a required or important to SSD cable/component.

3.4.1.5 Use operator manual actions where appropriate, for cable/component impacts classified as important to SSD cable/components, to achieve and maintain post-fire safe shutdown conditions in accordance with NRC requirements (refer to Appendix E). For additional criteria to be used when determining whether an operator manual action may be used for a flow diversion off of the primary flow path, refer to Appendix H.

3.4.1.6 Where appropriate to achieve and maintain cold shutdown within 72 hours, use repairs to equipment required in support of post-fire shutdown.

50

NEI 00-01, Revision 2(c)

January 2008 3.4.1.7 For the components on the required safe shutdown path classified as required hot shutdown components as defined in Appendix H, Appendix R compliance requires that one train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage (III.G.L.a).

When cables or equipment are within the same fire area outside primary containment and separation does not already exist, provide one of the following means of separation for the required safe shutdown components impacted circuit(s):

Separation of cables and equipment and associated nonsafety circuits of redundant trains within the same fire area by a fire barrier having a 3-hour rating (III.G.2.a)

Separation of cables and equipment and associated nonsafety circuits of redundant trains within the same fire area by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area (III.G.2.b).

Enclosure of cable and equipment and associated non-safety circuits of one redundant train within a fire area in a fire barrier having a one-hour rating. In addition, fire detectors and an automatic fire suppression system shall be installed in the fire area (III.G.2.c).

For fire areas inside non-inerted containments, the following additional options are also available:

Separation of cables and equipment and associated nonsafety circuits of redundant trains by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards (III.G.2.d);

Installation of fire detectors and an automatic fire suppression system in the fire area (III.G.2.e); or

Separation of cables and equipment and associated non-safety circuits of redundant trains by a noncombustible radiant energy shield (III.G.2.f).

Use exemptions, deviations, LARs and licensing change processes to satisfy the requirements mentioned above and to demonstrate equivalency depending upon the plant's license requirements.

3.4.1.8 Consider selecting other equipment that can perform the same safe shutdown function as the impacted equipment.

In addressing this situation, each equipment impact, including spurious operation, is to be addressed in accordance with regulatory requirements and the NPP's current licensing basis. With respect to MSOs, the criteria in Chapter 4, Appendix B, Appendix G and Appendix H should be used.

3.4.1.9 Consider the effects of the fire on the density of the fluid in instrument tubing and any subsequent effects on instrument readings or signals associated with the protected safe shutdown path in evaluating post-fire safe shutdown capability.

This can be done systematically or via procedures such as Emergency Operating Procedures.

3.4.2 METHODOLOGY FOR FIRE AREA ASSESSMENT

Refer to Figure 3-5 for a flowchart illustrating the various steps involved in performing a fire area assessment.

Use the following methodology to assess the impact to safe shutdown and demonstrate Appendix R compliance:

3.4.2.1 Identify the Affected Equipment by Fire Area

Identify the safe shutdown cables, equipment and systems located in each fire area that may be potentially damaged by the fire. Provide this information in a report format. The report may be sorted by fire area and by system in order to understand the impact to each safe shutdown path within each fire area (see Attachment 5 for an example of an Affected Equipment Report).

3.4.2.2 Determine the Shutdown Paths Least Impacted By a Fire in Each Fire Area

Based on a review of the systems, equipment and cables within each fire area, determine which shutdown paths are either unaffected or least impacted by a postulated fire within the fire area.

Typically, the safe shutdown path with the least number of cables and equipment in the fire area would be selected as the required safe shutdown path.

Consider the circuit failure criteria and the possible mitigating strategies, however, in selecting the required safe shutdown path in a particular fire area. Review support systems as a part of this assessment since their availability will be important to the ability to achieve and maintain safe shutdown. For example, impacts to the electric power distribution system for a particular safe shutdown path could present a major impediment to using a particular path for safe shutdown.

By identifying this early in the assessment process, an unnecessary amount of time is not spent assessing impacts to the frontline systems that will require this power to support their operation. Determine which components are required hot shutdown components and which components are important to SSD components using the guidance in Appendix H.

Based on an assessment as described above, designate the required safe shutdown path(s) for the fire area. Classify the components on the required safe shutdown path necessary to perform the required safe shutdown functions as required safe shutdown components. Identify all equipment not in the safe shutdown path whose spurious operation or mal-operation could affect the shutdown function. Criteria for classifying these components as required for hot shutdown or as important to SSD are contained in Appendix H. Include the affected cables in the shutdown function list. For each of the safe shutdown cables (located in the fire area) that are part of the required safe shutdown path in the fire area, perform an evaluation to determine the impact of a fire-induced cable failure on the corresponding safe shutdown equipment and, ultimately, on the required safe shutdown path.

When evaluating the safe shutdown mode for a particular piece of equipment, it is important to consider the equipment's position for the specific safe shutdown scenario for the full duration of the shutdown scenario. It is possible for a piece of equipment to be in two different states depending on the shutdown scenario or the stage of shutdown within a particular shutdown scenario. Document information related to the normal and shutdown positions of equipment on the safe shutdown equipment list.
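The screening in 3.4.2.1 and 3.4.2.2 can be sketched in code. The following Python is an added example, not part of NEI 00-01: the cable routing data, the path names and the rule of ranking support-system impacts ahead of the raw cable and equipment count are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cable:
    cable_id: str
    equipment: str      # equipment the cable serves
    path: str           # safe shutdown path the equipment belongs to
    support: bool       # True for support systems (e.g. electric power distribution)
    fire_areas: tuple   # fire areas the cable is routed through


# Constructed routing data for a hypothetical plant (not from NEI 00-01).
CABLES = [
    Cable("C-101", "PUMP-A", "Path 1", False, ("FA-1", "FA-2")),
    Cable("C-102", "MOV-A1", "Path 1", False, ("FA-1",)),
    Cable("C-103", "BUS-A", "Path 1", True, ("FA-2",)),
    Cable("C-201", "PUMP-B", "Path 2", False, ("FA-2", "FA-3")),
    Cable("C-202", "MOV-B1", "Path 2", False, ("FA-2",)),
    Cable("C-203", "BUS-B", "Path 2", True, ("FA-1",)),
    Cable("C-204", "MOV-B2", "Path 2", False, ("FA-3",)),
]


def affected_equipment_report(cables):
    """Affected equipment by fire area: {fire_area: {path: [cables in that area]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for cable in cables:
        for area in cable.fire_areas:
            report[area][cable.path].append(cable)
    return report


def rank_paths(cables, area):
    """Rank the shutdown paths for one fire area, least impacted first.

    Sort key (assumed here): number of support-system cables hit, then the
    number of cables plus distinct equipment items located in the area.
    """
    in_area = affected_equipment_report(cables)[area]
    ranking = []
    for path in sorted({c.path for c in cables}):
        hit = in_area.get(path, [])
        support_hits = sum(1 for c in hit if c.support)
        equipment = {c.equipment for c in hit}
        ranking.append((support_hits, len(hit) + len(equipment), path))
    return sorted(ranking)


def required_path(cables, area):
    """Designate the least impacted path as the required safe shutdown path."""
    return rank_paths(cables, area)[0][2]


def cables_to_evaluate(cables, area):
    """Cables of the required path located in the area; each one needs a
    circuit failure evaluation and a compliance strategy or disposition."""
    path = required_path(cables, area)
    return sorted(c.cable_id for c in cables if c.path == path and area in c.fire_areas)
```

In the constructed data, FA-1 contains more Path 1 cables than Path 2 cables, yet Path 1 is designated because the only Path 2 cable in the area feeds its power bus.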

Figure 3-5 Fire Area Assessment Flowchart

Step 1 Identify and locate safe shutdown cables by fire area. Refer to Attachment 5 for an example of an Affected Equipment Report by fire area.

equipment affected in the fire area.

Step 3 Determine the shutdown path least impacted by the fire in each fire area and designate it as the Required Safe Shutdown Path.

Step 4 Determine the equipment impacts to the Required Safe Shutdown Path using the circuit failure criteria in Section 3.5.

Step 5 Develop a compliance strategy or disposition to mitigate the effects due to fire damage to each required equipment or cable.

Step 6 Document the compliance strategy or disposition determined to mitigate the effects of the potential fire damage to each piece of equipment or cable of the required safe shutdown path.

Required Components:

1. Re-design the circuit or component to eliminate the concern
2. Reroute Cable of Concern
3. Protect Cable of Concern in accordance with III.G.2
4. Perform Repair for Cold Shutdown only
5. Develop Exemption
6. Develop Deviation or LARs
7. Perform GL 86-10 Fire Hazards Evaluation
8. Enter Fire Protection Change Process
9. Identify other equipment to perform same function

Important to Safe Shutdown Components:

1. Perform an operator manual action
2. Address using fire modeling or a focused-scope Fire PRA using the methods of Chapter 5 for MSO impacts.*

Refer to Attachment 6 for an example of a Fire Area Assessment Report

* Seek regulatory approval where necessary

3.4.2.3 Determine Safe Shutdown Equipment Impacts

Using the circuit analysis and evaluation criteria contained in Section 3.5 of this document, determine the equipment that can impact safe shutdown and that can potentially be impacted by a fire in the fire area, and what those possible impacts are.

3.4.2.4 Develop a Compliance Strategy or Disposition to Mitigate the Effects Due to Fire Damage to Each Required Component or Cable

The available deterministic methods for mitigating the effects of circuit failures are summarized as follows (see Figure 1-1):

Required Safe Shutdown Components:

Re-design the circuit or component to eliminate the concern. This option will require a revision to the post-fire safe shutdown analysis.

Re-route the cable of concern. This option will require a revision to the post-fire safe shutdown analysis.

Protect the cable in accordance with III.G.2.

Provide a qualified 3-hour fire rated barrier.

Provide a 1-hour fire rated barrier with automatic suppression and detection.

Provide separation of 20 feet or greater with automatic suppression and detection and demonstrate that there are no intervening combustibles within the 20 foot separation distance.

Perform a cold shutdown repair in accordance with regulatory requirements.

Identify other equipment not affected by the fire capable of performing the same safe shutdown function.

Develop exemptions, deviations, LARs, Generic Letter 86-10 evaluation or fire protection design change evaluations with a licensing change process.

Important to Safe Shutdown Components:

Any of the options provided for required for hot shutdown components.

Perform an operator manual action in accordance with Appendix E.

Address using fire modeling or a focused-scope fire PRA using the methods of Chapter 5 for MSO impacts.

Additional options are available for non-inerted containments as described in 10 CFR 50 Appendix R section III.G.2.d, e and f.

3.4.2.5 Document the Compliance Strategy or Disposition Determined to Mitigate the Effects Due to Fire Damage to Each Required Component or Cable

Assign compliance strategy statements or codes to components or cables to identify the justification or mitigating actions proposed for achieving safe shutdown.

The justification should address the cumulative effect of the actions relied upon by the licensee to mitigate a fire in the area. Provide each piece of safe shutdown equipment, equipment not in the path whose spurious operation or mal-operation could affect safe shutdown, and/or cable for the required safe shutdown path with a specific compliance strategy or disposition. Refer to Attachment 6 for an example of a Fire Area Assessment Report documenting each cable disposition.

3.5 CIRCUIT ANALYSIS AND EVALUATION

This section on circuit analysis provides information on the potential impact of fire on circuits used to monitor, control and power safe shutdown equipment. Applying the circuit analysis criteria will lead to an understanding of how fire damage to the cables may affect the ability to achieve and maintain post-fire safe shutdown in a particular fire area. This section should be used in conjunction with Section 3.4, to evaluate the potential fire-induced impacts that require mitigation. When assessing fire-induced damage that could potentially result in MSOs, the circuit failure criteria in Appendix B should be used. For all non-MSO fire-induced circuit failure impacts, the criteria in this section apply.

Appendix R Section III.G.2 identifies the fire-induced circuit failure types that are to be evaluated for impact from exposure fires on safe shutdown equipment.

Section III.G.2 of Appendix R requires consideration of hot shorts, shorts-to-ground and open circuits.

3.5.1 CRITERIA/ASSUMPTIONS

Apply the following criteria/assumptions when performing fire-induced circuit failure evaluations.

3.5.1.1 Consider the following circuit failure types on each conductor of each unprotected safe shutdown cable to determine the potential impact of a fire on the safe shutdown equipment associated with that conductor.

A hot short may result from a fire-induced insulation breakdown between conductors of the same cable, a different cable or from some other external source resulting in a compatible but undesired impressed voltage or signal on a specific conductor. A hot short may cause a spurious operation of safe shutdown equipment.

An open circuit may result from a fire-induced break in a conductor resulting in the loss of circuit continuity. An open circuit may prevent the ability to control or power the affected equipment. An open circuit may also result in a change of state for normally energized equipment (e.g. [for BWRs] loss of power to the Main Steam Isolation Valve (MSIV) solenoid valves due to an open circuit will result in the closure of the MSIVs).

A short-to-ground may result from a fire-induced breakdown of a cable insulation system, resulting in the potential on the conductor being applied to ground potential. A short-to-ground may have all of the same effects as an open circuit and, in addition, a short-to-ground may also cause an impact to the control circuit or power train of which it is a part.

Consider the three types of circuit failures identified above to occur individually on each conductor of each safe shutdown cable on the required safe shutdown path in the fire area.

There is one specific exception to the criteria described above, where the evaluation of multiple hot shorts [illegible] on separate conductors in the same multi-conductor cable are to be evaluated.

The exception is the double dc break solenoid circuit design discussed in the NRC Memo from Gary Holahan, Deputy Director Division of Systems Technology, dated December 4, 1990 and filed under ML062300011.

Reference Figure 1.3-33(f) of NFPA 805-2001.

There is also one specific example where multiple [illegible] should be considered for the impact on the [illegible]. This exception is discussed in Figure 3.5.2-3. [illegible] of an ungrounded circuit.

The exceptions are stand-alone exceptions that do not imply the need to extend circuit failure criteria applied in a deterministic analysis beyond the specific cases. Should similar cases arise, however, [illegible] for their consideration, including additional [illegible].

For the Plant Specific list of MSOs use the circuit failure criteria outlined in Appendix B.

3.5.1.2 Assume that circuit contacts are initially positioned (i.e., open or closed) consistent with the normal mode/position of the safe shutdown equipment as shown on the schematic drawings. The analyst must consider the position of the safe shutdown equipment for each specific shutdown scenario when determining the impact that fire damage to a particular circuit may have on the operation of the safe shutdown equipment.

3.5.1.3 Assume that circuit failure types resulting in spurious operations exist until action has been taken to isolate the given circuit from the fire area, or other actions have been taken to negate the effects of circuit failure that is causing the spurious operation. The fire is not assumed to eventually clear the circuit fault. For MSOs involving AC circuits, the criteria in Appendix B of hot shorts clearing and going to ground within 20 minutes may be used with the risk-informed approach using the Limited Scope Fire PRA.

3.5.1.4 When both trains are in the same fire area outside of primary containment, all cables that do not meet the separation requirements of Section III.G.2 are assumed to fail in their worst case configuration.

3.5.2 TYPES OF CIRCUIT FAILURES

Appendix R requires that nuclear power plants must be designed to prevent exposure fires from defeating the ability to achieve and maintain post-fire safe shutdown. Fire damage to circuits that provide control and power to equipment on the required safe shutdown path and any other equipment whose spurious operation/mal-operation could affect shutdown in each fire area must be evaluated for the effects of a fire in that fire area. Only one fire at a time is assumed to occur.

The extent of fire damage is assumed to be limited by the boundaries of the fire area. Given this set of conditions, it must be assured that one redundant train of equipment necessary to achieve and maintain hot shutdown is free of fire damage for fires in every plant location. To provide this assurance, Appendix R requires that equipment and circuits required for hot shutdown be free of fire damage and that these circuits be designed for the fire-induced effects of a hot short, short-to-ground, or an open circuit. With respect to the electric distribution system, the issue of breaker coordination must also be addressed. Criteria for making the determination as to which breakers are to be classified as required for hot shutdown are contained in Appendix H.

This section will discuss specific examples of each of the following types of circuit failures:

Open circuit

Short-to-ground

Hot short.

Also, refer to Appendix B for the circuit failure criteria to be applied in assessing the impact of the Plant Specific List of MSOs on safe shutdown.

3.5.2.1 Circuit Failures Due to an Open Circuit

This section provides guidance for addressing the effects of an open circuit for safe shutdown equipment. An open circuit is a fire-induced break in a conductor resulting in the loss of circuit continuity. An open circuit will typically prevent the ability to control or power the affected equipment.

An open circuit can also result in a change of state for normally energized equipment. For example, a loss of power to the main steam isolation valve (MSIV) solenoid valves [for BWRs] due to an open circuit will result in the closure of the MSIV.

Loss of electrical continuity may occur within a conductor resulting in de-energizing the circuit and causing a loss of power to, or control of, the required safe shutdown equipment.

In selected cases, a loss of electrical continuity may result in loss of power to an interlocked relay or other device.

This loss of power may change the state of the equipment. Evaluate this to determine if equipment fails safe.

Open circuit on a high voltage (e.g., 4.16 kV) ammeter current transformer (CT) circuit may result in secondary damage, possibly resulting in the occurrence of an additional fire in the location of the CT itself.

Figure 3.5.2-1 shows an open circuit on a grounded control circuit.

Figure 3.5.2-1 Open Circuit (Grounded Control Circuit)

Open circuit No. 1:

An open circuit at location No. 1 will prevent operation of the subject equipment.

Open circuit No. 2:

An open circuit at location No. 2 will prevent opening/starting of the subject equipment, but will not impact the ability to close/stop the equipment.

3.5.2.2 Circuit Failures Due to a Short-to-Ground

This section provides guidance for addressing the effects of a short-to-ground on circuits for safe shutdown equipment.

A short-to-ground is a fire-induced breakdown of a cable insulation system resulting in the potential on the conductor being applied to ground potential. A short-to-ground can cause a loss of power to or control of required safe shutdown equipment. In addition, a short-to-ground may affect other equipment in the electrical power distribution system in the cases where proper coordination does not exist.

There is no limit to the number of shorts to ground caused by the fire.

Consider the following consequences in the post-fire safe shutdown analysis when determining the effects of circuit failures related to shorts-to-ground:

A short to ground in a power or a control circuit may result in tripping one or more isolation devices (i.e. breaker/fuse) and causing a loss of power to or control of required safe shutdown equipment.

In the case of certain energized equipment such as HVAC dampers, a loss of control power may result in loss of power to an interlocked relay or other device that may cause one or more spurious operations.

Short-to-Ground on Grounded Circuits

Typically, in the case of a grounded circuit, a short-to-ground on any part of the circuit would present a concern for tripping the circuit isolation device thereby causing a loss of control power.

Figure 3.5.2-2 illustrates how a short-to-ground fault may impact a grounded circuit.

Short-to-ground No. 1:

A short-to-ground at location No. 1 will result in the control power fuse blowing and a loss of power to the control circuit. This will result in an inability to operate the equipment using the control switch. Depending on the coordination characteristics between the protective device on this circuit and upstream circuits, the power supply to other circuits could be affected.

Short-to-ground No. 2:

A short-to-ground at location No. 2 will have no effect on the circuit until the close/stop control switch is closed. Should this occur, the effect would be identical to that for the short-to-ground at location No. 1 described above. Should the open/start control switch be closed prior to closing the close/stop control switch, the equipment will still be able to be opened/started.

Short-to-Ground on Ungrounded Circuits

In the case of an ungrounded circuit, postulating only a short-to-ground on any part of the circuit may not result in tripping the circuit isolation device. Another short-to-ground on the circuit or another circuit from the same source would need to exist to cause a loss of control power to the circuit.

Figure 3.5.2-3 illustrates how a short-to-ground fault may impact an ungrounded circuit.

Figure 3.5.2-3 Short-to-Ground (Ungrounded Control Circuit)

[Figure labels: Fuse (Typ.); Control Switch; Energize to Open/Start; Energize to Close/Stop; Short-to-Ground No. 1, No. 2 and No. 3]

Short-to-ground No. 1:

A short-to-ground at location No. 1 will result in the control power fuse blowing and a loss of power to the control circuit if short-to-ground No. 3 also exists either within the same circuit or on any other circuit fed from the same power source. This will result in an inability to operate the equipment using the control switch. Depending on the coordination characteristics between the protective device on this circuit and upstream circuits, the power supply to other circuits could be affected. If multiple grounds can occur in a single fire area, they should be assumed to occur simultaneously unless justification to the contrary is provided.

Short-to-ground No. 2:

[illegible] Should this occur, the effect would be identical to that for the short-to-ground at location No. 1 described above. Should the open/start control switch be closed prior to closing the close/stop control switch, the equipment will still be able to be opened/started. If multiple grounds can occur in a single fire area, they should be assumed to occur simultaneously unless justification to the contrary is provided.

3.5.2.3 Circuit Failures Due to a Hot Short

This section provides guidance for analyzing the effects of a hot short on circuits for required safe shutdown equipment.

A hot short is defined as a fire-induced insulation breakdown between conductors of the same cable, a different cable or some other external source resulting in an undesired impressed voltage on a specific conductor. The potential effect of the undesired impressed voltage would be to cause equipment to operate or fail to operate in an undesired manner.

Consider the following specific circuit failures related to hot shorts as part of the post-fire safe shutdown analysis:

A hot short between an energized conductor and a de-energized conductor within the same cable may cause a spurious operation of equipment.

The spuriously operated device (e.g., relay) may be interlocked with another circuit that causes the spurious operation of other equipment. This type of hot short is called an intra-cable hot short (also known as conductor-to-conductor hot short or an internal hot short).

A hot short between any external energized source such as an energized conductor from another cable, and a de-energized conductor may also cause a spurious operation of equipment. This is called an inter-cable hot short (also known as cable-to-cable hot short/external hot short).

A Hot Short on Grounded Circuits

A short-to-ground is another failure mode for a grounded control circuit. A short-to-ground as described above would result in de-energizing the circuit.

This would further reduce the likelihood for the circuit to change the state of the equipment either from a control switch or due to a hot short. Nevertheless, a hot short still needs to be considered. Figure 3.5.2-4 shows a typical grounded control circuit that might be used for a motor-operated valve. However, the protective devices and position indication lights that would normally be included in the control circuit for a motor-operated valve have been omitted, since these devices are not required to understand the concepts being explained in this section. In the discussion provided below, it is assumed that a single fire in a given fire area could cause any one of the hot shorts depicted.

The following discussion describes the impact of these individual cable faults on the operation of the equipment controlled by this circuit.

Figure 3.5.2-4 Hot Short (Grounded Control Circuit)

[Figure labels: Fuse (Typ.); Control Switch; Energize to Open/Start; Energize to Close/Stop; Grounded Circuit]

Hot short No. 1:

A hot short at this location would energize the close relay and result in the undesired closure of a motor-operated valve.

Hot short No. 2:

A hot short at this location would energize the open relay and result in the undesired opening of a motor-operated valve.

A Hot Short on Ungrounded Circuits

In the case of an ungrounded circuit, a single hot short may be sufficient to cause a spurious operation. A single hot short can cause a spurious operation if the hot short comes from a circuit from the positive leg of the same ungrounded source as the affected circuit.

In reviewing each of these cases, the common denominator is that in every case, the conductor in the circuit between the control switch and the start/stop coil must be involved.

Figure 3.5.2-5 depicted below shows a typical ungrounded control circuit that might be used for a motor-operated valve. However, the protective devices and position indication lights that would normally be included in the control circuit for a motor-operated valve have been omitted, since these devices are not required to understand the concepts being explained in this section.

In the discussion provided below, it is assumed that a single fire in a given fire area could cause any one of the hot shorts depicted. The discussion provided below describes how to address the impact of these cable faults on the operation of the equipment controlled by this circuit.

Figure 3.5.2-5 Hot Short (Ungrounded Control Circuit)

[Figure labels: Control Switch; Hot Short No. 1; Energize to Open/Start; Energize to Close/Stop]

Hot short No. 1:

A hot short at this location from the same control power source would energize the close relay and result in the undesired closure of a motor operated valve.

Hot short No. 2:

A hot short at this location from the same control power source would energize the open relay and result in the undesired opening of a motor operated valve.
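The single-fault effects described in 3.5.2.1 through 3.5.2.3 can be combined with the position criteria of 3.5.1.2 to screen a two-coil, energize-to-operate control circuit. The Python below is an added example, not part of NEI 00-01: the conductor names `supply`, `open_leg` and `close_leg` are assumed stand-ins for the fault locations in Figures 3.5.2-1 through 3.5.2-5, and normally energized equipment (such as the MSIV solenoids) is outside this model.

```python
from dataclasses import dataclass
from typing import Optional

# Conductor downstream of each control switch contact -> function of the coil it feeds.
LEGS = {"open_leg": "open", "close_leg": "close"}
CONDUCTORS = ("supply", "open_leg", "close_leg")   # "supply" = fuse to control switch
KINDS = ("open", "ground", "hot")                  # open circuit, short-to-ground, hot short


@dataclass(frozen=True)
class Effect:
    can_open: bool            # equipment can still be opened/started from the switch
    can_close: bool           # equipment can still be closed/stopped from the switch
    spurious: Optional[str]   # "open", "close" or None
    fuse_blows: str           # "no", "immediately" or "on switch demand"


def evaluate(grounded, kind, conductor, second_ground=False, same_source=True):
    """Effect of ONE fire-induced fault on one conductor.

    second_ground: ungrounded circuits only; another ground exists on the same
                   circuit or on another circuit fed from the same source.
    same_source:   hot shorts only; the energized conductor comes from the
                   positive leg of the same source as the affected circuit.
    """
    can = {"open": True, "close": True}
    spurious, fuse = None, "no"
    if kind == "open":
        if conductor == "supply":
            can = {"open": False, "close": False}
        else:
            can[LEGS[conductor]] = False
    elif kind == "ground":
        # A single ground trips the fuse only on a grounded circuit, or on an
        # ungrounded circuit when a second ground is also present.
        if grounded or second_ground:
            if conductor == "supply":
                fuse, can = "immediately", {"open": False, "close": False}
            else:
                # No effect until that switch contact is closed; the other
                # function stays available if it is demanded first.
                fuse = "on switch demand"
                can[LEGS[conductor]] = False
    elif kind == "hot":
        # A hot short on the already energized supply conductor changes nothing.
        if conductor in LEGS and (grounded or same_source):
            spurious = LEGS[conductor]
    else:
        raise ValueError(f"unknown fault kind: {kind}")
    return Effect(can["open"], can["close"], spurious, fuse)


def impacting_faults(grounded, normal, required, second_ground=False):
    """Single faults that defeat the required position ("open" or "close") of
    equipment whose normal position is `normal`."""
    hits = []
    for kind in KINDS:
        for conductor in CONDUCTORS:
            e = evaluate(grounded, kind, conductor, second_ground)
            must_move = normal != required
            available = e.can_open if required == "open" else e.can_close
            lost = must_move and not available
            wrong = e.spurious is not None and e.spurious != required
            if lost or wrong:
                hits.append((kind, conductor))
    return hits
```

For a normally open valve that must stay open, only a hot short on the close leg is an impact; if the same valve must be closed, loss of control power and open circuits on the supply or close leg also count.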

3.5.2.4 Circuit Failures Due to Inadequate Circuit Coordination

The evaluation of circuits of a common power source consists of verifying proper coordination between the supply breaker/fuse and the load breakers/fuses for power sources that are required for hot shutdown.

The concern is that, for fire damage to a single power cable, lack of coordination between the supply breaker/fuse and the load breakers/fuses can result in the loss of power to a safe shutdown power source that is required to provide power to safe shutdown equipment.

For the example shown in Figure 3.5.2-6, the circuit powered from load breaker 4 supplies power to a non-safe shutdown pump. This circuit is damaged by fire in the same fire area as the circuit providing power from the Train B bus to the Train B pump, which is redundant to the Train A pump.

To assure safe shutdown for a fire in this fire area, the damage to the non-safe shutdown pump powered from load breaker 4 of the Train A bus cannot impact the availability of the Train A pump, which is redundant to the Train B pump. To assure that there is no impact to this Train A pump due to the circuits' common power source breaker coordination issue, load breaker 4 must be fully coordinated with the feeder breaker to the Train A bus.

Figure 3.5.2-6 Common Power Source (Breaker Coordination)

[Figure labels: Train A Bus; Train B Bus; Feeder Breaker (Typ.); Load Breaker (Typ.); Safe Shutdown Pump Train A; Non-Safe Shutdown Pump; Safe Shutdown Pump Train B (Redundant Pump); Exposure Fire; Fire Area Boundary (Typical)]

A coordination study should demonstrate the coordination status for each required common power source. For coordination to exist, the time-current curves for the breakers, fuses and/or protective relaying must demonstrate that a fault on the load circuits is isolated before tripping the upstream breaker that supplies the bus. Furthermore, the available short circuit current on the load circuit must be considered to ensure that coordination is demonstrated at the maximum fault level.

The methodology for identifying potential circuits of a common power source and evaluating circuit coordination cases on a single circuit fault basis is as follows:

Identify the power sources required to supply power to safe shutdown equipment.

For each power source, identify the breaker/fuse ratings, types, trip settings and coordination characteristics for the incoming source breaker supplying the bus and the breakers/fuses feeding the loads supplied by the bus.

For each power source, demonstrate proper circuit coordination using acceptable industry

For power sources not properly coordinated, tabulate by fire area the routing of cables whose breaker/fuse is not properly coordinated with the supply breaker/fuse. Evaluate the potential for disabling power to the bus in each of the fire areas in which the circuit of concern are routed and the power source is required for hot shutdown. Prepare a list of the following information for each fire area:

Cables of concern.

Affected common power source and its path.

Raceway in which the cable is enclosed.

Sequence of the raceway in the cable route.

Fire zone/area in which the raceway is located.

For fire zones/areas in which the power source is disabled, the effects are mitigated by appropriate methods.

Develop analyzed safe shutdown circuit dispositions for the circuit of concern cables routed in an area of the same path as required by the power source. Evaluate adequate separation and other mitigation measures based upon the criteria in Appendix R, NRC staff guidance, and plant licensing bases.
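The coordination condition in 3.5.2.4 (the load device isolates the fault before the upstream breaker trips, up to the maximum fault level) can be checked numerically from time-current curves. The Python below is an added example, not part of NEI 00-01: the curve points, the 0.1 second margin and the device names are constructed assumptions, and real studies use manufacturer curves with their tolerance bands.

```python
import math

# Constructed time-current curves as (amps, seconds) points, lowest current first.
# A near-vertical step (e.g. 1000 A -> 1001 A) models an instantaneous pickup.
LOAD_BKR_4 = [(100, 100.0), (1000, 1.0), (1001, 0.02), (20000, 0.02)]
FEEDER_OK = [(800, 300.0), (8000, 3.0), (30000, 0.5)]
FEEDER_INST = [(800, 300.0), (8000, 3.0), (10000, 1.9), (10001, 0.03), (30000, 0.03)]


def trip_time(curve, amps):
    """Trip time by log-log interpolation between curve points.

    Returns None below the first point (the device does not pick up) and the
    last point's time for currents beyond the end of the curve.
    """
    if amps < curve[0][0]:
        return None
    for (i1, t1), (i2, t2) in zip(curve, curve[1:]):
        if i1 <= amps <= i2:
            frac = (math.log(amps) - math.log(i1)) / (math.log(i2) - math.log(i1))
            return math.exp(math.log(t1) + frac * (math.log(t2) - math.log(t1)))
    return curve[-1][1]


def miscoordinated_currents(load_curve, feeder_curve, max_fault_amps,
                            margin=0.1, steps=200):
    """Fault currents (rounded to amps) at which the feeder could trip before
    the load device has cleared the fault plus `margin` seconds.

    Currents are sampled on a logarithmic grid from the load device pickup up
    to the available short circuit current on the load circuit.
    """
    pickup = load_curve[0][0]
    bad = []
    for k in range(steps + 1):
        amps = pickup * (max_fault_amps / pickup) ** (k / steps)
        t_load = trip_time(load_curve, amps)
        t_feeder = trip_time(feeder_curve, amps)
        if t_feeder is not None and t_load + margin > t_feeder:
            bad.append(round(amps))
    return bad


def is_coordinated(load_curve, feeder_curve, max_fault_amps):
    """True when no sampled current up to the maximum fault level miscoordinates."""
    return not miscoordinated_currents(load_curve, feeder_curve, max_fault_amps)
```

With the constructed curves, the feeder with an instantaneous pickup near 10 kA coordinates with load breaker 4 at a 9 kA fault level but not at 20 kA, which is why the check has to run to the maximum fault level.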

3.5.2.5 Circuit Failures Due to Common Enclosure Concerns

The common enclosure concern deals with the possibility of causing secondary failures due to fire damage to a circuit either whose isolation device fails to isolate the cable fault or protect the faulted cable from reaching its ignition temperature, or the fire somehow propagates along the cable into adjoining fire areas.

The electrical circuit design for most plants provides proper circuit protection in the form of circuit breakers, fuses and other devices that are designed to isolate cable faults before ignition temperature is reached. Adequate electrical circuit protection and cable sizing are included as part of the original plant electrical design maintained as part of the design change process.

Proper protection can be verified by review of as-built drawings and change documentation.

Review the fire rated barrier and penetration designs that preclude the propagation of fire from one fire area to the next to demonstrate that adequate measures are in place to alleviate fire propagation concerns.

4 IDENTIFICATION AND TREATMENT OF MULTIPLE SPURIOUS OPERATIONS USING RISK-INFORMED METHODS

4.1 INTRODUCTION

The purpose of this section is to provide a methodology for addressing multiple fire-induced circuit failures and multiple spurious operations (MSOs) by individual licensees. This methodology uses identification and analysis techniques similar to methods applied under NEI 04-02 for Risk-Informed Fire Protection, but does not include steps for self-issued change analysis as allowed under NEI 04-02 and NFPA-805. MSOs identified during this process will include both required for hot shutdown and important to SSD circuit components, with different mitigation strategies for each type of MSO as shown on Figure 3-1 above.

With NRC acceptance, the methodology presented in this document addresses multiple spurious operations resulting from fire-induced circuit failures for safe shutdown in accordance with 10 CFR 50 Appendix R, Sections III.G.1 and III.G.2.

The basic philosophy behind this method is that the Fire Safe Shutdown Procedures and associated Operator Actions should focus on potentially risk important scenarios. tagýjý ith

4 ilSdI200401I.Z hich was developed for inspection criteria.

Application of the deterministic criteria in Chapter 3 of this document to multiple spurious operations would require all potential fire-induced spurious operations to be identified and a mitigating action to be developed for each. This mitigating action may be an action taken prior to the start of the fire event that precludes the condition from occurring or a post fire action that mitigates the effects of the condition prior to it reaching an unrecoverable condition relative to safe shutdown. The corresponding mitigating action for each potential spurious operation must be known and this action must be capable of limiting the potential adverse effects of the spurious operation without reliance on any other equipment that is also potentially susceptible to a spurious operation resulting from a fire in the same fire area.

If the procedures and actions were expanded to include very low risk scenarios, the operator actions would become too complex, resulting in higher expected operator failures for the important scenarios. Additionally, if the required timing for actions were to consider all low risk scenarios, the resulting procedural actions would likely be modified to include actions that can raise the overall plant risk, such as implementing a Self-Induced Station Blackout. Mitigation might also require significant modification to plant safety-related systems and logics that could have the undesired consequence of reducing their reliability in mitigating the effects of other events, thereby causing an overall increase in plant risk. Placing bounds on the number of scenarios that the procedures address results in lower plant risk by ensuring optimal operator response for the potential risk important scenarios.

This philosophy is similar to the development of plant emergency operating procedures, where low risk scenarios are not included in the procedures while potentially high-risk scenarios and "Design Basis" scenarios are addressed.

If a mitigating action is not taken for multiple spurious operations identified using the methods described below, a regulatory submittal (Exemption/Deviation) must be developed. In order to minimize the number of regulatory submittals, the method provided must limit the multiple spurious operations to be consistent with RIS 2004-03 by concentrating identification on circuit failures that have a relatively high likelihood of occurrence.

Additionally, the methodology must provide a process for incorporating new information on spurious operations that are determined to be likely to occur. This may include new information gained from additional fire testing, or as a result of feedback from plants implementing this method (or NFPA 805).

The list of Generic Multiple Spurious Operations developed by the Owner's Groups and required to be considered in conjunction with the information in this appendix are contained in Appendix G. The Generic MSO lists include both required for hot shutdown and important to SSD component MSO combinations. Many MSOs on the lists are identified as either required for hot shutdown or important to SSD, based on generic review of each MSO. The generic classification provided in Appendix G for each MSO should be confirmed by each licensee depending on the safe shutdown methodology used in each of their fire areas. Analysis or further review of the MSOs not initially classified as either required for hot shutdown or important to safe shutdown component MSO combinations is required, based on the guidance discussed in Appendix H. The types of circuit failures and the number of these types of circuit failures that are to be considered in each circuit type when evaluating the impact of an MSO on post-fire safe shutdown are described in Appendix B.

Appendix B is used to address multiple spurious operations (both required for hot shutdown and important to SSD MSOs). The effects of single spurious operations due to single fire induced circuit failure are to be addressed using the methods in Chapter 3 of this document.

The procedures below, including the generic MSO lists, do not artificially limit the number of spurious operations or hot shorts included in each scenario considered. In some cases, spurious operation of a specific component may require multiple hot shorts. Depending on the type of circuit involved, guidance on the appropriate assumptions to be made relative to this condition is contained in Appendix B. It is also intended that if multiple hot shorts are required to cause the MSO, this should not result in any screening of MSOs from consideration prior to the inclusion of the MSO combination in the Safe Shutdown analysis. The multiple hot shorts would be considered when reviewing the hot shorts against the cable criteria in Appendix B or in the PRA calculations.

4.2 OVERVIEW OF THE MSO IDENTIFICATION AND TREATMENT PROCESS

Figure 4-1 provides an overview of the MSO Identification and Treatment Process. Sections 4.3 to 4.5 below provide a description of each of the steps in the figure.

[Figure 4-1: MSO Identification and Treatment Process]

4.3 GENERIC LIST OF MSOS

Appendix G provides a list of generic scenarios to consider in a plant specific evaluation for multiple spurious operations. The generic list of MSOs was developed from an industry survey of all US plants. The survey asked the plants to "Describe the extent to which multiple hot shorts and multiple spurious operations (MSOs) have been addressed for your facility in each of the following areas:"

1) Licensing Basis Safe Shutdown Analysis
2) Assessments performed for NRC RIS 2004-03 using NEI 04-06
3) Evaluations performed as a result of NRC Inspections
4) MSO Expert Panel Reviews conducted for Fire PRA or NFPA 805
5) Other Instances where MSOs [Combined Equipment Impacts] with potential risk significance have been identified (e.g. PRA Analysis, Internal Events Model, Fire PRA or other source)

The results of the survey responses were then compiled into a table; and the final list is a composite list of applicable scenarios for each reactor type.

Although not all scenarios for a reactor type are considered applicable to every reactor, the list is provided here as an input to the MSO identification and treatment process.

The generic MSO list in Appendix G includes a classification of each MSO as either requiring a plant specific analysis, required for hot shutdown or important to SSD component MSO. The "Requiring a Plant Specific Analysis" classification is used where the classification could be either required for hot shutdown or important to SSD depending on its use in an individual fire area. MSOs for required circuit components are addressed differently than MSOs for important to SSD components, with the use of Operator Manual Actions, Fire Modeling or Focused-scope FPRA not generically authorized by the NRC to be applied to MSOs categorized as required for hot shutdown component MSOs. Exemptions, deviations or LARs, depending on a licensee's current licensing basis, maywill be required to use operator manual actions, fire modeling or focused-scope fire PRAs for required for hot shutdown MSOs. The "Generic" or "Requiring a Plant Specific Analysis" classifications provided in Appendix G for each MSO should be confirmed by licensees depending on the safe shutdown methodology used in each of their fire areas.

As can be seen from Figure 4-1, generic Owner's Group analysis can be performed for a given reactor type to disposition generic MSO scenarios. The generically dispositioned scenarios do not need to be included in the plant specific MSO list, provided an individual licensee performs a review of the generic analysis, verifies plant specific parameters bound those critical parameters used in the generic analysis and obtains the concurrence of its plant specific Expert Panel. The method and the critical parameters used for each generic analysis will vary, depending on the MSO. These aspects of the generic analysis are not described further in this document. Refer to each generic analysis for the required information.

4.4 PLANT SPECIFIC LIST OF MSOS

The method described below provides steps to provide a more accurate and complete list of MSOs to be addressed in the plant's SSA. This includes steps that both a) screen the generic list of MSO scenarios that are not applicable to a plant and b) add new scenarios that are not listed in the generic scenarios. The generic classification provided in Appendix G for each MSO should be confirmed by each licensee depending on the safe shutdown methodology used in each of their fire areas. Additionally, any new MSOs that are identified are reviewed to determine if the MSO involves required for hot shutdown or important to SSD components.

4.4.1 SCREENING (DELETION) OF GENERIC MSO SCENARIOS

The screening of generic MSO scenarios can be performed to remove from consideration scenarios not applicable for a given plant. The screening process involves the review of each scenario in the generic list for applicability and disposition. Scenarios can be screened from the plant specific MSO list, given the following:

1) Components identified in the scenario do not exist in the plant, and the scenario is not applicable to similar components or systems, or
2) Specific plant design features (see additional comment, below) make the scenario either not possible, or does not fail the safe shutdown function.

Some of the scenarios that are listed in Appendix G are described as being applicable to a specific vintage of plant design. For example, most of the scenarios listed for BWR 2's might be assumed to have no applicability to BWR 3's or This may be the case for the particular scenario listed. Item 1 above, however, requires that each licensee look at the scenarios provided and examine them for similar components or systems used in the design of the plant under evaluation. Conversely, even when the scenario is listed for a particular design vintage of plants, such as the BWR 2's, a scenario related to isolation condensers would only be applicable to BWR 2's that have isolation condensers. The considerations described above need to be employed in each licensee's plant specific evaluation of MSOs.

Additionally, scenarios screened from the plant specific MSO list should be reviewed with the following considerations:

A) If the design feature that makes the scenario not possible for the plant involves cable routing, circuit design, electrical protection, or other similar design feature, the scenario should not be screened from consideration at this step. Similarly, if an operator action is in place that would prevent the scenario, the scenario should not be screened at this step. The process for these scenarios would be to include the scenario in the MSO list, and to use the design feature as a disposition for the MSO.

B) Documentation that the scenario does not fail the safe shutdown function should be based on the original Safe Shutdown Analysis assumptions. If specific analysis is performed to show the MSO doesn't fail the function, then the MSO should be included in the plant specific MSO list, and the analysis used in the disposition of the MSO.

C) If a generic analysis is available for an MSO, the generic analysis should be reviewed to verify that the analysis is applicable to the plant being reviewed and that no plant unique features invalidate the inputs, assumptions, methodology, results or conclusions of the generic analysis. The expert panel should review the MSO in conjunction with the generic analysis and, if acceptable, disposition the MSO for the plant under review without additional consideration in the plant unique analysis. The MSO, the generic analysis used to disposition the MSO and any additional considerations should be documented in the expert panel report and in the licensee's safe shutdown analysis.

For item A) above, the general concept is that if the design feature can possibly change as a result of a design change, the MSO needs to be included in the site specific MSO list. This would ensure that changes to the design would be reviewed against the MSO to ensure the MSO remains not possible as changes are made to the plant over the course of time. For item B) it is intended that whatever is credited in the original SSA, this is carried forward to the MSO list.

For example, if there are two injection trains credited for all "A" train fire areas, and an MSO fails only one of the two trains, then the MSO can be screened at this point. In this example, however, the post-fire safe shutdown analysis must be revised to make it clear that only a single injection train is credited in all "A" train fire areas. Another example would be a scenario that drains a water supply tank into the containment sump, and analysis is performed to show the water can be provided from the sump to an injection pump. In this example, if the sump flow path was not in the original SSA, the MSO should not be screened.

Deletions from the Generic List of MSOs are subject to review and concurrence by the Expert Panel. One alternative to the initial screening of generic MSOs is to perform the screening during the expert panel process. This can be done simultaneously with the expert panel exploration of new MSO scenarios, either plant specific or similar to the screened MSO. Documentation of screened MSOs would be required, whether performed with the initial screening or by the expert panel.

4.4.2 PLANT SPECIFIC ADDITIONS TO MSO LIST

An Expert Panel Review of the MSO list determines plant Specific Additions. The additions can come from a number of sources, including:

1) MSOs resulting from review of the existing Safe Shutdown Analysis
2) MSOs resulting from review of the PRA sensitivity runs or results
3) MSOs identified by the Expert Panel
4) Required Hot Shutdown System Full Flow Divergent Paths, as defined within the Plant's specific IST Program

The first two inputs are as a result of preparatory work for the Expert Panel review. These preparatory steps and the performance of a described in the following sections. Plant specific additions include both required for hot shutdown and important to SSD component MSOs.

4.4.2.1 Review of Existing Safe Shutdown Analysis

As an input to the Expert Panel process, a list of the existing SSA spurious operations components and scenarios should be developed. Much of the information for this list is already available in SSA supporting documents, but may not be in a form to support external review or an expert panel. This list should provide both a description of the scenario of concern and the disposition of the scenario. The SSA Operator Manual Actions associated with any disposition should also be documented, including documentation of feasibility criteria (timing, etc.). Key to the documentation are any assumptions made for the SSA, since these assumptions may not be valid for multiple spurious operations scenarios. Both generic and scenario specific assumptions should be documented as an input to the expert panel review.

Scenarios that are dispositioned as not needing operator manual action (or other compliance strategies), due to the presence of additional components downstream of the initial component, should be reviewed by the expert panel in detail. Pre-identification of these scenarios as additions to the MSO list should be performed. For example, if a diversion includes two MOVs, and the first MOV is dispositioned as not a concern due to the presence of the second MOV, then the expert panel should consider spurious operation of both MOVs as a potential multiple spurious operation scenario. Similarly, if a non-post-fire safe shutdown credited pump start is not a concern due to a closed discharge MOV/AOV, then the expert panel should consider the scenario (Pump spuriously starts and valve spuriously opens). Similarly, for a post-fire safe shutdown credited pump start with a normally open minimum flow valve, the expert panel should consider the scenario (Pump spuriously starts and the minimum flow valve spuriously closes).

Scenarios where positive operator manual action is taken where both single and multiple spurious operations are addressed may need to be considered further. The scenario would need to be reviewed for the effect on timing and operator action feasibility to ensure no further review is required. For example, if operator action on a flow path is determined to have 20 minutes prior to reaching an unrecoverable state, but a second spurious can change the timing to 10 minutes, then a review by the expert panel is needed. This timing issue is especially critical for spurious pump operation. For example, for PWR SG overfeed or for the pressurizer going solid, the timing for single pump spurious start/run can be much different than when two or three pumps start/run, and the credited operator manual action may not be completed in time for the MSO.

An Example SSA Results Table is provided in Table 1 below. Notice that in the table, there are several examples where Expert Panel Consideration will be required. For example, for MOV-1, the expert panel will need to consider the timing to see if additional spurious operations will result in failure of the feasibility criteria. For MOV-2, the credited disposition is the use of another valve, MOV-3. If the same fire can damage this MOV-3, then a multiple spurious scenario may result. MOV-4 is likely to not be a concern for multiple spurious scenarios, unless it can be involved in scenarios involving hot standby. In this case, it could affect the timing of an existing scenario or result in a new scenario being introduced.

Table 1 (example)

Existing SSA Spurious Operations Components and Scenarios

| Component | Scenario | Disposition | Reference for Disposition |
|---|---|---|---|
| MOV-1 | Spurious Opening Results in Excess Letdown | Local Operator Manual Action per procedure OP-3 | Manual Actions Feasibility |
| MOV-2 | Spurious Closure results in a loss of injection | Use of second injection valve, MOV-3 | Procedure OP-3, step 17 |
| MOV-4 | Spurious Closure will result in failure of letdown. This will result in the inability to achieve cold shutdown in 72 hours | Manual Action per procedure OP-3 | Manual Actions Feasibility |

4.4.2.2 PRA Input to the Plant Specific MSO List

A review of PRA results should be performed in preparation for the expert panel review. If this PRA review was provided as a part of the development of the generic MSO list, this step may not be necessary, depending on the completeness of the information provided for the generic MSO list, and whether item 3 below (new accident sequence review) was performed as input to the generic MSO list.

PRA input to the Expert Panel Review (below) can include a number of inputs, depending on the status and completeness of the PRA and Fire PRA effort. Appendix F includes a broad discussion of PRA reviews that can be performed, including the following:

1) Cutset or Sequence or Risk Importance Measure Review - a review of cutsets sorted by probability or order to indicate where fire-induced damage can result in a potentially high-risk sequence. Cutsets can also be manipulated by setting basic events representing fire-induced spurious operation (e.g., fail to remain open or closed) to 1.0 and resorting the cutsets. This review should result in an identification of spurious operation failure modes (fail to remain opened or closed) with a high Risk Achievement Worth or F-V importance.

2) Resolve the model, by assuming a fire-induced initiating event has occurred (Reactor Trip, Loss of Offsite Power) and spurious operation events are set to 1.0, including (but not limited to):

  • MOV spuriously open or close
  • AOV spuriously open or close
  • PORV spuriously open or close
  • Spurious actuation of automatic actuation signals

3) Fire-Induced Accident Sequences. This would include a review similar to that performed in preparation for a Fire PRA model development, where fire damage or the performance of operator actions following a fire are assumed, and any accident sequences not already included in the PRA are identified.

Details of this review are provided in Attachment H.

The above PRA reviews do not include a complete list of sensitivity studies or analysis that can be performed using an existing PRA. In addition, a simple review of risk importance measures, especially Risk Achievement Worth (RAW) of spurious operations, would be useful.
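The cutset manipulation in items 1 and 2 and the RAW / F-V screening can be sketched as follows. This is an added example, not part of NEI 00-01: the event names, probabilities and cutsets are constructed, and risk is quantified with the min-cut upper bound, which is an assumption (the guidance does not prescribe a quantification method).

```python
from itertools import combinations
from math import prod

# Constructed basic events for one fire scenario (illustrative values only).
BASE_PROBS = {
    "PORV-SO": 1e-2,     # PORV spuriously opens
    "BLOCK-SO": 1e-2,    # PORV block valve spuriously opens after being closed
    "MOV2-SC": 1e-2,     # injection valve MOV-2 spuriously closes
    "MOV3-SC": 5e-3,     # second injection valve MOV-3 spuriously closes
    "PUMP-B-FTS": 1e-2,  # random failure: pump B fails to start
    "OMA-FAIL": 1e-1,    # operator manual action not completed in time
}
# Basic events that represent fire-induced spurious operation.
SPURIOUS = frozenset({"PORV-SO", "BLOCK-SO", "MOV2-SC", "MOV3-SC"})

# Constructed minimal cutsets: each set of events fails the shutdown function.
CUTSETS = [
    frozenset({"PORV-SO", "BLOCK-SO"}),
    frozenset({"MOV2-SC", "MOV3-SC"}),
    frozenset({"MOV2-SC", "PUMP-B-FTS", "OMA-FAIL"}),
    frozenset({"PORV-SO", "PUMP-B-FTS", "OMA-FAIL"}),
]


def with_overrides(overrides):
    """Copy of the base probabilities with selected events forced to a value."""
    probs = dict(BASE_PROBS)
    probs.update(overrides)
    return probs


def cutset_prob(cutset, probs):
    return prod(probs[event] for event in cutset)


def risk(probs):
    """Min-cut upper bound; unlike a plain sum it stays <= 1 with events at 1.0."""
    return 1.0 - prod(1.0 - cutset_prob(c, probs) for c in CUTSETS)


def raw(events):
    """Risk Achievement Worth of an event or combination: R(events=1.0) / R(base)."""
    return risk(with_overrides({e: 1.0 for e in events})) / risk(BASE_PROBS)


def fussell_vesely(event):
    """Fraction of base risk involving the event: (R(base) - R(event=0)) / R(base)."""
    base = risk(BASE_PROBS)
    return (base - risk(with_overrides({event: 0.0}))) / base


def resorted_cutsets():
    """Set every spurious-operation event to 1.0 and re-sort the cutsets."""
    forced = with_overrides({e: 1.0 for e in SPURIOUS})
    rows = [(tuple(sorted(c)), cutset_prob(c, BASE_PROBS), cutset_prob(c, forced))
            for c in CUTSETS]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def rank_single():
    """Single spurious operations ranked by RAW, with F-V alongside."""
    rows = [(e, raw([e]), fussell_vesely(e)) for e in SPURIOUS]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def rank_pairs():
    """Pairs of spurious operations set to 1.0 together: candidate MSO combinations."""
    pairs = combinations(sorted(SPURIOUS), 2)
    return sorted(((p, raw(p)) for p in pairs), key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print("Cutsets re-sorted with spurious operations set to 1.0:")
    for events, base_p, forced_p in resorted_cutsets():
        print(f"  {forced_p:8.1e} (base {base_p:7.1e})  {' * '.join(events)}")
    print("Single spurious operations (RAW, F-V):")
    for event, r, fv in rank_single():
        print(f"  {event:10s} RAW={r:8.1f}  F-V={fv:.3f}")
    print("Pairs of spurious operations (RAW):")
    for pair, r in rank_pairs():
        print(f"  {' + '.join(pair):22s} RAW={r:8.1f}")
```

With this constructed data, each single spurious operation has a RAW below 70, while the two pairs that complete a cutset on their own drive the conditional risk to 1.0. That gap between single and combined importance is what marks a combination for the expert panel.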

For Event tree linking models, Fussell-Vesely and Risk Achievement Worth of individual basic events representing spurious actuations can be calculated in a similar manner to that performed for fault tree linking models. However, the process of identifying potentially risk significant multiple spurious actuations is slightly more involved with a linked event tree model due to the lack of sequence cutsets. In this case the spurious actuation basic events are set to 1.0 and the sequences (combinations of split fractions leading to core damage) are resolved. The new set of dominant sequences should then be compared with those derived from the base case quantification to identify those sequences that have risen significantly in value. This is followed by an investigation of the cutsets associated with those split fractions which contribute to the inflated sequence values to identify spurious and multiple spurious actuation combinations.

If a full Fire PRA is available, then the results of the Fire PRA can be used as a direct input to the Expert Panel Review (or directly to the Safe Shutdown Analysis, if expert panel review is determined to be not needed for important scenarios). In this case, the following should be included in the safe shutdown analysis:

1) Components whose spurious operation in combination with other components results in a risk for the combination (including all cutsets for all fire areas/scenarios) that is above the criteria in Section 5.4.2.
2) Single spurious operations, where direct core damage would occur when fire-induced damage of other components in the scenario occurs, and post-fire operator action is assumed failed.

The output from any PRA review should be assessed and summarized. The results of this assessment will be provided to the expert panel for additional considerations.

4.4.2.3 Expert Panel Identification of MSO New Scenarios

The Expert Panel Review is performed to systematically and completely review all spurious and MSO scenarios and determine whether or not each individual scenario is to be included or excluded from the plant specific list of multiple spurious operations to be considered in the plant specific post-fire safe shutdown analysis. Input to the Expert Panel is provided from a number of sources discussed above, resulting in a comprehensive review of spurious operation scenarios.

NEI 04-0, provides scope of circuits to be reviewed, including specific examples of circuit combinations to be included in a review. For example, A-2.1.2.2.1 includes specific PWR examples to be reviewed. These examples should be reviewed in detail by the expert panel to determine scenarios to be reviewed further.

Prior to performing the exprt panel review, the following is performed in preparation:

1) Provide to the expert panel the results of the SSA and PRA performed above.
2) Provide to the expert panel the generic MSO list and any plant specific review of this list.
3) Provide training to the expert panel.

If the expert panel is held over a several day period, and substitute expert panel members are used, substitute members should also be provided the above information and training prior to participating.

The expert panel, as used for the review of MSOs, results in a list of potential MSOs that supplements the previously screened generic MSO list. Scenarios identified by the expert panel that should be considered in the SSA are documented and added to the generic MSO list for disposition using the process described in 4.5 below.

As discussed in Appendix F, complete documentation of the expert panel review for new MSOs is important. This documentation should include details of the new MSOs to be considered, as well as possible MSO scenarios that were not considered for treatment under the SSA and the reasoning for not recommending them for consideration. See Appendix F for further discussion on documentation of the process, training and results.

4.4.3 Expert Panel Review of MSO List Deletions

The MSO Expert Panel will review all recommended deletions of the generic MSO list. In this review, the expert panel will perform the following functions:

1) Review the justification for deletion. Ensure the justification follows the guidance above in 4.4.1, and the justification is adequate.
2) Discuss the possible addition of alternate and similar MSO scenarios applicable for the plant.

The expert panel review of the deletions should be documented in a report and retained in support of the MSO review process. Refer to Appendix F for additional guidance on the Expert Panel review.

4.5 ADDRESSING THE PLANT SPECIFIC LIST OF MSOS

4.5.1 CABLE SELECTION & ASSOCIATION FOR EACH COMPONENT IN AN MSO

Components that are not already included in the base SSA are added to the Safe Shutdown Equipment list and analyzed in the same manner as other components in that list. The approach outlined in Section 3.3 should be used to determine the cables associated with each component in an MSO combination. Cables are associated with MSO components in the same manner as they are associated with any other safe shutdown component. In some cases, only those cables with the potential to spuriously operate the component need to be added to the SSA.

4.5.2 DETERMINATION OF MSO CATEGORIZATION

Prior to performing the Fire Area Assessment and developing the compliance strategy for the MSOs, each MSO must be reviewed to determine if it involves required for hot shutdown components. The criteria for determining whether a component is a required for hot shutdown or important to SSD component is contained in Appendix H. Each MSO on the plant specific MSO list is reviewed against the criteria in Appendix H and categorized as either a required component MSO or an important to SSD component MSO in each affected fire area, depending on the manner in which safe shutdown is achieved in each fire area.

Each MSO that is derived from the Generic MSO list is provided a preliminary classification. This classification, however, needs to be reviewed and verified on a plant specific basis. Additionally, a classification needs to be developed for the plant specific MSO additions.

4.5.3 FIRE AREA ASSESSMENT AND COMPLIANCE STRATEGIES FOR MSOS

Impacts to specific MSOs are assessed on a fire area basis in the same manner as other impacts to post-fire safe shutdown components. Each component in an MSO combination is assigned to a safe shutdown path. If the individual safe shutdown component's safe shutdown path association is different than the safe shutdown path associated with the component when assessed as part of an MSO, then the additional safe shutdown path(s) associated with the MSO must also be assigned to each component in that MSO. If all components associated with a particular safe shutdown path are located in a common fire area where they have the potential, if damaged by a fire, to impact the required safe shutdown path for that fire area, then a mitigating strategy must be provided for the MSO.

Mitigation strategies applicable to MSOs include the following in addition to the traditional mitigation strategies described in Section 3.4.2.4 for required for hot shutdown components:

1) Disposition based on consideration of Circuit Failure Criteria.
2) Disposition based on Fire Modeling.
3) Disposition based on a Focused-Scope Fire PRA

Mitigation strategy 2 and 3 are not generically authorized by the NRC for use with required for hot shutdown component MSOs. Exemptions, deviations or LARs, depending on a licensee's current licensing basis, may be are required to use mitigation strategies 2 and 3 for required for hot shutdown MSOs.

Several considerations affect the disposition method chosen for an MSO. First, the least expensive method for dispositioning an MSO may be the traditional compliance strategy, such as a design change or use of an approved operator manual action. If the PRA or Fire Modeling analysis takes more resources to perform than fixing the design or adding a simple operator manual action, then cost may dictate the approach used. If an approved operator manual action is used, however, the effect of this operator manual action on other fire response operator manual actions should be considered. For example, if the addition of a new operator manual action means the fire response procedure is more difficult, then the existing actions may become less reliable. In this case, the addition of the operator manual action may increase overall risk rather than reducing risk as intended.

This balance is to be considered prior to selecting a mitigating strategy that relies upon operator manual action.

4.5.3.1 Mitigation through Consideration of Circuit Failure Criteria Circuit failure criteria applicable to MSOs is contained in Appendix B. When evaluating the impact of an MSO on a particular fire area, the circuit failure types for the circuit types contained in Appendix B should be considered. Using the circuit failure criteria, MSOs should be 82

NEI 00-01, Revision 2(c)

January 2008 considered as potential "combined equipment impacts". Stated differently, if any of the fire induced circuit failures, fail---as described in Appendix B can cause an impact to the group of components in the MSO, this must be evaluated. For example, if the listed MSO were the failure of the block valve to close in conjunction with a spurious opening of a PORV, the block valve would need to be evaluated for circuit failure types that could prevent closure of the block valve, (i.e. a short-to-ground causing a loss of control power or an open circuit causing a loss of circuit continuity). Similarly, if an immediate operator manual action to close the block valve at the start of the fire were credited and, if a hot short could subsequently spuriously open the block valve in the same fire area where another hot short could cause the spurious opening of the PORV, then this condition also needs to be addressed.

If all potential fire-induced circuit failures outlined in Appendix B, areaddressed and, if none leads to all components in the MSO being damaged in a manier that ilmpcts the required post-fire safe shutdown path, then the MSO is dispositionedc0,n the.basis of cirIIanalysis.

If mitigation by the use of circuit analysis is not sible, then another means of mifigation, either one of the traditional means described in Sectioi I42.

4oione of the Ineas listed below, must be developed. If either of the means listed below is uset"d is the mitigating strategy for the MSO, then review and acceptance of the disposition by ti eExp ert Panel is required.

4.5.3.2 Fire Modeling Disposition

Licensees currently perform qualitative fire initiation, fire spread and fire damage analysis as a part of fire hazard analyses, engineering equivalency evaluations, deviation requests and/or exemption requests, as appropriate.

Use of industry-accepted Fire Modeling Programs serves as an upgrade to this current practice. As an alternative to obtaining NRC review and concurrence for these types of equivalency evaluations, the Resolution Methodology proposes an additional enhancement to the equivalency evaluation process by the introduction of an Expert Panel review and concurrence where fire modeling is used to disposition an identified MSO impact. Fire Modeling used for the disposition of MSOs must be performed consistent with the methods described in NUREG/CR-6850, using verified fire models as described in NUREG-1824. Additionally, process improvements developed for NFPA-805 applications should be considered, as applicable.

When selecting a fire size for the analysis, the 98% upper bound of the fire size should be used.

Additionally, the location of the fire would include consideration of the pinch points for the cables, possible ignition of secondary combustibles, etc. For transient combustibles, any location within the plant should be considered unless it is physically impossible.

As discussed above, dispositions using Fire Modeling are not generically authorized by the NRC to be applied to MSOs categorized as required for hot shutdown component MSOs. Exemptions, deviations or LARs, depending on a licensee's current licensing basis, may be required to use fire modeling for required for hot shutdown MSOs.

4.5.3.3 Fire PRA Disposition

Disposition using a Focused-Scope Fire PRA is performed using Chapter 5, Risk Significant Screening. As discussed above, dispositions using Focused-scope Fire PRA are not generically authorized by the NRC to be applied to MSOs categorized as required for hot shutdown component MSOs. Exemptions, deviations or LARs, depending on a licensee's current licensing basis, may be required to use Focused-scope Fire PRAs for required for hot shutdown MSOs. The Licensee will need to review their existing Licensing basis to determine if a focused-scope Fire PRA is currently permitted. If not, a License Amendment may be required.

4.5.4 EXPERT PANEL REVIEW OF MSO DISPOSITION

As can be seen from Figure 4-1 above, MSOs dispositioned using the methods described in 3.4.2 or using the circuit failure criteria from Appendix B as explained above do not need to be reviewed by the Expert Panel. All other methods of disposition, however, need to be reviewed by the Expert Panel.

In this review, the Expert Panel will review the disposition for adequacy, as well as take into account additional deterministic factors, including whether the MSO is for a required for hot shutdown or an important to SSD component combination.

This review includes:

1) Review the justification for disposition. Ensure the justification follows the guidance above (or in Chapter 5), and the justification is adequate.

2) Discuss the possible alternative dispositions for the MSO scenario, including traditional compliance methods discussed in 3.4.2.

The review in item 2 should include the uncertainty and sensitivity of the evaluation being performed, the effect the traditional compliance strategy would have on other MSOs or spurious operations, [illegible] and fire risk in the area, and other factors the Expert Panel determines are important.

The review of the disposition of an MSO using Fire PRA will vary slightly between the MSO using a focused-scope Fire PRA and a Full Fire PRA. With a full Fire PRA, the analysis of a compartment or area will include analysis of all potentially important fire scenarios. The expert panel should become familiar with the general compartment/area results, and the characteristics of the area that affect overall risk and the risk for the MSO. These characteristics should be consistent, and given these are consistent, the expert panel review of the MSO analysis is somewhat simpler. With a Focused-scope Fire PRA, the expert panel will need to ensure that the characteristics affecting the MSO analysis are consistently and accurately applied. The sensitivity and uncertainty analysis should include the effects of assumptions made for the fire characteristics, including basic factors such as fire size assumptions, non-suppression probabilities, etc.

Refer to Appendix F for additional guidance on the Expert Panel review.

4.5.5 FEEDBACK TO THE GENERIC MSO LIST

As this and other MSO methods are implemented (e.g., implementation of NFPA 805), the MSO list has the potential to grow. For the method above, the following criteria should be used to determine if any new MSO should be added to the generic MSO list:

a. Any new MSO not on the generic list,
b. The MSO does not screen using the conservative screening in Chapter 5 (i.e., requires detailed Fire PRA to determine the risk), or is not analyzed using Fire PRA resulting in a compliance strategy being applied.

Each new MSO is to be provided to NEI and the responsible Owner's Group. When provided, the new MSO should include a preliminary classification as to whether the MSO is for a required for hot shutdown or an important to SSD component combination. The responsible Owner's Group will review the new MSO for generic applicability and revise their generic MSO list, as appropriate. NEI will add the new MSO list to their webpage and notify the industry of the change. The list of MSOs will be maintained on the NEI Webpage and by each responsible Owner's Group.

4.6 DOCUMENTATION

Documentation should be included in the Fire Area Assessment, as discussed in 3.4.2.5 above.

The Fire Area Assessment may refer to additional analysis supporting the disposition such as the PRA or Fire Modeling Analysis.

5 RISK SIGNIFICANCE ANALYSIS

This section provides a method for determining the risk significance of identified fire-induced circuit failure component combinations (MSOs) to address the risk significance of the current circuit failure issues.

Section 5.1 provides a translation of the plant specific MSOs that are selected for focused-scope fire PRA review into scenarios that can be analyzed in a Fire PRA.

Section 5.2 focuses on the preliminary screening of these circuit failures to determine if more detailed analysis methods are warranted.

Section 5.3 provides a quantitative method for evaluating the risk significance of identified component combinations.

Section 5.4 covers integrated decision making for the risk analysis, including consideration of safety margins and defense-in-depth considerations.

Figure 5-1 Simplified Process Diagram (first step: fire-induced circuit failure combination is identified, Section 5.1)

5.1 COMPONENT COMBINATION IDENTIFICATION

The purpose of this initial step is to translate the plant specific MSOs that are selected for Focused-scope Fire PRA review into scenarios that can be analyzed in a Fire PRA.

5.1.1 CONSIDERATION OF CONSEQUENCES

This first step limits consideration to component combinations whose mal-operation could result in loss of a key safe shutdown function, or in immediate, direct, and unrecoverable consequences comparable to high/low pressure interface failures. The component combinations identified in Chapter 4 above would initially be reviewed to ensure that the MSO scenario results in a consequence of concern. If the scenario does not result in one of [illegible]. This review must take into account all possible fire-induced failures, and the overall effect of the MSO on the plant.

5.1.2 SELECTION OF MSO SCENARIOS TO BE ANALYZED

The purpose of this review is to ensure the proper level of risk is assessed for the possible component combinations prior to screening a combination for consideration. Given an MSO combination is provided, this combination will result in one or more PRA scenarios of interest. The MSO scenario may need further refinement at this point, including identification of additional fire-damaged components, timing issues, etc. Timing issues may include details such as component A would be required to spuriously operate component B for the scenario to affect safe shutdown.

At the end of this step, the MSO description would be translated into one or more scenarios that can be analyzed using focused-scope Fire PRA. The scenarios may be slightly different for each fire area where the MSO is possible, but this differentiation would occur [illegible] in the step.

5.2 PRELIMINARY SCREENING

The "risk screening tool" presented here is taken directly from Reference 7.4.43, as updated by the original author at the NRC. It is the result of the NRC's effort to develop this method.

Adapted from NEI 00-01 Rev 0 [Ref. 7.4.46], it is relatively simple, based on measures readily available from the FP SDP [Ref. 7.4.45], but conservative in that credits are limited to ensure the likelihood of "screening out" a circuit issue that could be of greater-than-very-low-risk-significance is minimized. Examples of this conservatism include use of generic fire frequencies based on fire zone or major components; treatment of potentially independent spurious actuations as dependent (i.e., no multiplication of more than two probabilities); crediting of manual suppression in a fire zone only if detection is present there; and choice of the most stringent screening criterion from Ref. 7.4.46. Note that none of the "additional considerations" among the screening factors below is permitted to introduce a factor <0.01 as a multiplier.

5.2.1 SCREENING FACTORS

The following screening factors are used.

5.2.1.1 Fire Frequency (F)

Table 1.4.2 of the FP SDP [Ref. 7.4.45] (modified here as Table 4-5 for use in the subsequent example application) and Table 4-3 of EPRI-1003111 [Ref. 7.4.44] list the mean fire frequencies at power by plant location and ignition source. The frequencies are characteristic of a fire occurring anywhere within the location. The mean fire frequencies by location range from a minimum of ~0.001/yr (Cable Spreading Room in Ref. 7.4.45; Battery Room in Ref. 7.4.44) to a maximum of ~0.1/yr (Boiling Water Reactor Building in Ref. 7.4.45; Turbine Building in both Ref. 7.4.44 and Ref. 7.4.45). These values used in Ref. 7.4.44 and Ref. 7.4.45 eliminate fire events judged to be "non-challenging." Considering uncertainties in their probability distributions (somewhat reflected in the two-sided 90% upper and lower confidence bounds in Ref. 7.4.44), the following ranges for fire frequencies are used:

  • HIGH, >0.03/yr but <1/yr

  • MEDIUM, >0.003/yr but <0.03/yr

  • LOW, <0.003/yr

5.2.1.2 Probability of Spurious Actuation (P)

Table 2.8.3 of Ref. 7.4.45 (modified here as Table 5-1 for use in the subsequent example application) and Tables [illegible] of Ref. 7.4.40 provide point estimates for the probability of spurious actuation ranging from a minimum of "virtually impossible" (armored inter-cable interactions in Ref. 7.4.45; armored thermoset inter-cable interactions in Ref. 7.4.40) to a maximum approaching 1 ("no available information about cable type or current limiting devices" in Ref. 7.4.45; any intra-cable short in Ref. 7.4.40). Ref. 7.4.40 also provides ranges for these estimates. The lowest non-zero values are 0.01 for "in-conduit, inter-cable only" in Ref. 7.4.45.

NRC Regulatory Issue Summary 2004-03 [Ref. 6.6.1] states that "for cases involving the potential damage of more than one multiconductor cable, a maximum of two cables should be assumed to be damaged concurrently". Therefore, no more than two multiple spurious actuations within separate cables are assumed to be independent when calculating the probability P, i.e., no more than two of the spurious actuation probabilities in Ref. 7.4.40 or Ref. 7.4.45 should be multiplied together. Consideration of this conservative assumption and the ranges cited in these reports suggests the following ranges for conditional probability of spurious actuation:

  • HIGH, >0.3 but <1

  • MEDIUM, >0.03 but <0.3

  • LOW, >0.003 but <0.03

  • VERY LOW, <0.003

Multiplying F and P over their respective ranges yields the maxima shown in Table 5-1 for the pairings F*P.

5.2.1.3 Additional Considerations

The F*P pairings represent the frequency of a fire-induced spurious actuation of a component combination. Core damage will occur only if (1) the fire is localized and severe enough to induce spurious actuation; (2) the fire is not suppressed prior to inducing the spurious actuation; and (3) other non-fire related contingencies, including human actions and equipment operation, are unsuccessful.

Thus, for core damage to occur there must also be a "challenging" fire; failure to suppress the fire prior to the spurious actuation; and failure to avoid core damage via non-fire means, represented by the conditional core damage probability (CCDP). The number of potentially vulnerable locations (zones) addresses possible variation in the screening threshold frequency depending upon the number of zones that the equipment traverses where there is a potential for fire damage.

Fires can vary in magnitude, ranging from small, essentially self-extinguishing, electrical relay fires to complete combustion of an entire compartment. To estimate how challenging a fire could be for screening purposes, we consider the largest fire source in the zone and combustible type. Ref. 7.4.45 specifies bins for fire type and size.4 The factor (G), independent from the fire frequency, for a challenging fire is based on combustible type.

Table 2.3.1 of Ref. 7.4.45 (modified here as 5-7 for use in the subsequent example application) assigns both 50th and 95th percentile fires for various combustibles to fire size bins ranging from heat release rates of 70 kW to 10 MW. Fires in the 70 kW-200 kW range are considered small; 200-650 kW moderate; and >650 kW large. Typically, some train separation is built into plant designs in accordance with NRC Regulatory Guide 1.75 [Ref. 7.4.501]. Therefore, small fires are not likely to damage separated trains. Although moderate fires are more damaging, some credit for train separation can still be expected.

Based on the above, for small or moderate size fires that are not expected to be challenging, such as small electrical fires, a factor of 0.01 is applied. For moderate severity fires, including larger electrical fires, a factor of 0.1 is applied. For large fires, including those from oil-filled transformers or very large fire sources, the factor is 1.

5.2.1.5 Fire Suppression (S)

Both automatic and manual fire suppression (including detection by automatic or manual means) are creditable. It is assumed that automatic is preferred and a more reliable suppressor than manual, suggesting a non-suppression probability of 0.01 for automatic and 0.1 for manual. If automatic can be credited, then manual will not. Manual will only be credited if automatic cannot.

4 Room size and other spatial factors also influence how challenging a fire can be. However, we do not consider these for screening purposes.

Thus, the product F*P will be reduced by a factor of either 0.01 (if automatic suppression is creditable) or 0.1 (if automatic suppression is not creditable, but manual is).6 Both, implying a reduction by 0.001, will never be credited. Thus, the maximum reduction in the product F*P that can be achieved through consideration of fire suppression is 0.01.

Note the following exception. Energetic electrical fires and oil fires, which are likely to be the most severe fires at a nuclear power plant, may grow too quickly or too large to be controlled reliably by even a fully creditable automatic suppression system. This is not due to degradation of the system but to the characteristics of the fire. Therefore, for fire zones where energetic electrical7 or oil fires may occur, no credit will be given to manual suppression, while that for automatic will be reduced to 0.1.

5.2.1.6 CCDP (C)

There should be at least one fire-independent combination of human actions and equipment operation to prevent core damage, provided these are not precluded by the fire itself or its effects.

To incorporate this, a CCDP, given the preceding ignition and failures, must be appended to the F*P*G*S value. Table 2.1.1 of the FPSDP (modified here as Table 5-8 for use in the subsequent example application) specifies three types of "remaining mitigation capability" for screening CCDP unavailabilities based on safe shutdown path. These are (1) 0.1 if only an automatic steam-driven train can be credited; (2) 0.01 if a train that can provide 100% of a specified safety function can be credited; and (3) 0.1 or 0.01 depending upon the credit that can be assigned to operator actions.8

For this last group, a credit of 0.1 is assumed if the human error probability (HEP) lies between 0.05 and 0.5, and 0.01 if the HEP lies between 0.005 and 0.05. Credit is based on additional criteria being satisfied, as listed in Table [illegible] of the FPSDP.9

6 To credit manual suppression, this method assumes that detection must be present in the fire zone. If neither is creditable (e.g., no automatic suppression system and timing/location/nature/intensity of fire precludes manual suppression), there will be no reduction in the product F*P. This would apply to scenarios where the source and target are the same or very close to one another. Fire suppression may not be creditable due to insufficient time for suppression prior to cable damage. This is expected to be a rare event and should not be considered unless the configuration clearly shows that immediate component damage is likely to occur.

7 Ref. 7.4.48 documents energetic faults only in nuclear power plant switchgear >4 kV. The FP SDP considers both switchgear and load centers as low as ~400 V subject to energetic faults. Consistent with the nature of this screening tool, the FP SDP approach is suggested (i.e., considering switchgear and load centers down to ~400 V as subject to energetic faults).

8 Even the lower value of 0.01 is considered conservative based on Ref. 8, which cites several examples where non-proceduralized actions by plant personnel averted core damage during severe fires. Of the 25 fires reviewed, none resulted in core damage.

9 These criteria include available time and equipment; environmental conditions; procedural guidance; and nature of training.

5.2.1.7 Factor for Number of Vulnerable Zones (Z)

While there is no way to know a priori the exact number of fire zones through which the vulnerable equipment will pass, or the number of these where there is potential for fire damage, something on the order of 10 zones will be conservatively assumed for screening purposes.

Typically, plant control wiring follows a relatively direct path from control cabinet to actuated device, so it is unlikely that 10 fire zones would be involved. In many plants, the number of fire zones involved could be as small as 2 or 3. Theoretically, the total frequency of core damage from spurious actuation would be the sum of the frequencies from the individual zones. In general, a higher value would be expected for a higher number of zones. Thus, some type of credit is given for a scenario where the number of vulnerable zones is less than the assumed generic number of 10, say, e.g., five zones or less.

This type of credit would translate into an increase in screening threshold frequency per zone (call it X), or equivalently a decrease in the zonal core damage frequency (call it D). If we assume limiting the number of vulnerable zones to five or less produces at least a 10% increase in the allowable frequency for zonal screening, i.e., 1.1X, this translates into a decrease in the zonal core damage frequency (D) by a factor Z. To estimate Z, consider the following.

For zonal core damage frequency (D) to meet the threshold (X), D must be < X. For five or less vulnerable zones, we allow an increase to at least 1.1X, such that the zonal core damage frequency meets this new threshold, D < 1.1X.

Relative to the original threshold, X, we require X > D/1.1, or X > 0.9D. The factor 0.9 corresponds to a maximum value for Z for five or less vulnerable zones.

5.2.2 SIX-FACTOR FREQUENCY OF CORE DAMAGE (F*P*G*S*C*Z)

The maximum frequencies that result from assuming the maximum credits for G (0.01), S (0.01), C (0.01) and Z (0.9), i.e., a joint credit of 9E-7, for the F*P pairings are shown in Table 4-2.

Revision 0 of this document stated that "[t]he criteria for risk significance are ... consistent with Regulatory Guide 1.174 [Reference 7.4.50] guidance." The plant-specific risk significance screening in Revision 0 states that "the criteria for determining that component combinations are not risk significant are as follows:

  • If the change in core damage frequency (delta-CDF) for each component combination for any fire zone is less than 1E-7 per reactor year, AND

  • If the delta-CDF for each component combination is less than 1E-6 per reactor year for the plant, i.e., sum of delta-CDF for all fire zones where circuits for the component combinations (circuits for all) are routed, AND

  • If the delta-CDF for each fire zone is less than 1E-6 per reactor year for the plant, i.e., the sum of delta-CDF for all combinations of circuits in the fire zone."


Of these three criteria, the most stringent is the first, requiring the delta-CDF to be <1E-7/yr. This seems to be the appropriate criterion to apply to the Six-Factor Frequency of Core Damage since this is the preliminary screening stage.10 In Table 5-2, neither of the shaded boxes satisfies this criterion exclusively, while the unshaded boxes may satisfy this criterion in certain cases.

5.2.3 FINAL SCREENING TABLE

Restricting the values for challenging fires (G), fire suppression (S), CCDP (C), and the factor for number of vulnerable zones (Z) as shown via the point assignments below,11 the cases where this criterion is satisfied are indicated in Table 5-3. These correspond to the cases where preliminary "screening to green" can be assumed successful.12

5.2.3.1 Steps to Use Table 5-3

1. Determine the fire frequency. Use either the generic fire zone frequency or the fire frequency refined by the component-based fire frequency tool in the FPSDP.
2. Determine the probability of spurious actuation, from the FPSDP. If multiple spurious actuations are involved, no more than two of the spurious actuation probabilities should be multiplied together.
3. Determine the block on the table that corresponds to the fire frequency and probability of spurious actuation.
4. Determine if the fire is challenging and, if so, to what degree. Use the fire type for the single largest fire source in the zone. For example, a zone with both small and large fires would be considered subject to large fires only (i.e., there is no combination).
5. Determine the suppression factor. If both manual and automatic suppression can be credited, the more effective (automatic) is the only one receiving credit (i.e., there is no combination).
6. Determine the CCDP. If no mitigation capability remains, assume a CCDP = 1.
7. Determine the number of vulnerable zones.
8. Sum the points assigned below to determine if the zone can be screened to green.

10 For this preliminary screening delta-CDF is conservatively approximated by CDF itself.

11 Each point is roughly equivalent to a factor of ten reduction or the negative exponent of a power of 10, e.g., 1 point corresponds to 1E-1 = 0.1, 2.5 points correspond to 1E-2.5 = 0.003.

12 "Screening to green" in the FPSDP indicates a finding of very low risk-significance that need not be processed further.

13 Credit is reduced for energetic electrical and oil fires.

Challenging Fires (G)

Large fires = 0 point
Moderate fires = 1 point
Small fires = 2 points

Fire Suppression (S)

None fully creditable = 0 point
Only manual fully creditable = 1 point14 (reduced to 0 point for energetic electrical or oil fires)
Automatic fully creditable = 2 points (reduced to 1 point for energetic electrical or oil fires)

CCDP (C)

No mitigation capability creditable = 0 point
Only an automatic steam-driven train or operator actions with 0.05 < HEP < 0.5 creditable = 1 point15
A train providing 100% of a specified safety function creditable = 2 points

Factor for Number of Vulnerable Zones (Z)

Greater than five zones = 0 point
Five zones or less = 0.5 point

As shown in Table 5-3, screening at this preliminary stage is not possible if the fire frequency is HIGH and the probability of spurious actuation is HIGH or MEDIUM. All other combinations may be screenable if the point criteria are satisfied.

5.2.3.2 Relative Ranking Evaluation

For analyses where all zones screen, Table 5-4 can be used to evaluate which zone is likely to be the most risk-significant. Table 5-4 converts the F*P maximum frequencies from Table 5-1 into their point equivalents for each F*P pairing.16 The pairing point equivalent should be added to the total point credits from the preliminary screening to establish the total risk-significance of each zone. The zone with the lowest point total is viewed as the most risk-significant.

At least this one zone should be processed through the FPSDP to verify the validity of the tool, i.e., to verify that the tool did not give a false positive. These FPSDP results, and not the results from the preliminary screening tool, should be used to determine the risk-significance of the finding in Phase 2 of the FPSDP.

14 As mentioned earlier, detection must be present in the fire zone to take credit for manual suppression.

15 As mentioned earlier, the credit for operator actions is based on additional criteria being satisfied, including available time and equipment; environmental conditions; procedural guidance; and nature of training.

16 Recall that each point is roughly equivalent to a factor of ten reduction, or the negative exponent of a power of 10. Thus, the F*P pairing for HIGH-HIGH in Table 1 (1/yr = 1E-0/yr) receives 0 point in Table 4, while that for LOW-VERY LOW (1E-5/yr) receives 5 points.

5.2.4 EXAMPLE APPLICATION

The following example, somewhat exaggerated for illustration purposes, presents the use of the preliminary screening tool. Assume an FPSDP inspection finding that cables for a pressurized water reactor (PWR) power-operated relief valve and its accompanying block valve are routed through the following five fire zones: the auxiliary building, battery room, cable spreading room, emergency diesel generator room, and main control room. Fire damage to the cables can result in the spurious opening of these valves. The cables are thermoset throughout and are encased in an armor jacket only in the battery room.

Table 5-6 assigns a probability of spurious actuation of 0.6 to thermoset cables for which no other information is known, which lies in the HIGH range in Table 5-3.

The auxiliary building and emergency diesel generator room are protected by automatic sprinkler systems. The switchgear room has an automatic Halon-1301 system. The battery room and main control room have smoke detectors but rely on hand-held extinguishers and hoses for manual fire suppression.

5.2.4.1 Auxiliary Building

Table 5-5 indicates a generic fire frequency for an auxiliary building of 0.04/yr, which lies in the HIGH range in Table 5-3. Since the corresponding probability of spurious actuation is also HIGH, this zone cannot be screened using this tool.

5.2.4.2 Battery Room

Table 5-5 indicates a generic fire frequency for a battery room of 0.004/yr, which lies in the MEDIUM range. Since the cable is armored in this room, the probability of spurious actuation is virtually nonexistent, corresponding to the VERY LOW range. Table 5-3 indicates that preliminary screening is possible for this zone with > 3 points.

Small fires can be expected in the battery room, which earns 2 points from Table 5-7 for fire size (G). Only manual suppression can be credited because of the portable fire extinguishers and automatic detection, producing 1 point for fire detection/suppression (S). No mitigation capability is creditable since both DC trains could be lost in a battery room fire; no point is assigned from Table 5-8 for CCDP (C).17 There are a total of 5 vulnerable zones, so 0.5 point is assigned for the number of vulnerable zones (Z). The points for the battery room total to 3.5, therefore permitting preliminary screening.

17 This conservative assumption of total loss of DC power is for illustration only.

5.2.4.3 Cable Spreading Room - Cables Only

Table 5-5 indicates a generic fire frequency for a cable spreading room with cables only of 0.002/yr, which lies in the LOW range. With no other information known, the thermoset cable has a probability of spurious actuation of 0.6 from Table 5-6, i.e., lying in the HIGH range in Table 5-3. As a result, >4.5 points are needed to screen this zone.

Small fires can be expected in the cable spreading room, which earns 2 points from Table 5-7 for fire size. The automatic Halon extinguishing system results in a credit of 2 points for fire detection/suppression. A remote shutdown station can be credited, meriting 1 point from Table 5-8 for CCDP.18 There are a total of 5 vulnerable zones, so 0.5 point is assigned. The points for the cable spreading room total to 5.5, therefore permitting preliminary screening.

5.2.4.4 Emergency Diesel Generator Building

Table 5-5 indicates a generic fire frequency for an emergency diesel generator of 0.03/yr, which lies in the HIGH range. With no other information known, the thermoset cable has a probability of spurious actuation of 0.6 from Table 5-6, lying in the HIGH range in Table 5-3. As a result, this zone cannot be screened using this tool.

5.2.4.5 Main Control Room

Table 5-5 indicates a generic fire frequency for a main control room of 0.008/yr, which lies in the MEDIUM range. With no other information known, the thermoset cable has a probability of spurious actuation of 0.6 from Table 5-6, i.e., lying in the HIGH range in Table 5-3. As a result, >5.5 points are needed to screen this zone.

Moderate-sized fires are expected in the main control room due to the large number of cables and electrical equipment present. Therefore, 1 point is assigned from Table 5-7 for fire size. The portable extinguishers and automatic smoke detection merit 1 point for fire detection/suppression. One of two completely independent and redundant trains providing 100% of the specified safety function (Residual Heat Removal)19 remains fully creditable, meriting 2 points from Table 5-8 for CCDP. There are a total of 5 vulnerable zones so 0.5 point is assigned. The points for the main control room total to only 4.5, therefore preventing preliminary screening.

18 A human error probability for Operator Action between 0.05 and 0.5 is assumed for operator actions at a remote shutdown station, which yields a credit of 1 point. As per Table 8, this credit also assumes that: (1) sufficient time is available; (2) environmental conditions allow access, where needed; (3) procedures describing the appropriate operator actions exist; (4) training is conducted on the existing procedures under similar conditions; and (5) any equipment needed to perform these actions is available and ready for use.

19 Residual Heat Removal need not be the only safety function to achieve safe shutdown. This is an assumption for illustration only.

5.2.4.6 Conclusions

Only the Battery Room and Cable Spreading Room could be screened using this tool. The remaining zones would require more detailed analyses to assess each delta-CDF through the FPSDP.

In this example the cables ran through fire zones with different fire initiator frequencies, cable types (and therefore spurious actuation probabilities), potential fire sizes, suppression systems, and core damage mitigation capabilities. The example illustrates that it is easier to screen zones with lower fire initiator frequencies and probabilities of spurious actuation than zones with higher values. Fire zones with lower F*P pairings require less credit from the "additional considerations" (G*S*C*Z) to satisfy the screening threshold of delta-CDF < 1E-7/yr.

5.2.5 SUMMARY

This risk-screening tool can be applied to fire-induced circuit spurious actuation scenarios identified in 5.1 above. These findings typically involve the multiple fire zones through which the circuits pass. To streamline the FPSDP, the tool screens zones where the circuit issue is expected to be of very low risk-significance based on (1) the fire frequency in the zone where the circuits are located; (2) the probability of spurious actuation; and (3) automatic or manual suppression, or an alternate means to achieve hot shutdown. The tool estimates six factors to calculate the frequency of core damage: (1) zonal fire frequency; (2) spurious actuation probability; (3) challenging fire factor; (4) probability of non-suppression; (5) CCDP; and (6) factor based on number of vulnerable zones.

The tool determines if a fire zone, once it has been assigned to a fire frequency-spurious actuation probability pairing (i.e., the first two factors), can be screened at a maximum delta-CDF threshold of 1E-7/yr based on a point system for the remaining four factors.

TABLE 5-1. Maxima for the Pairings F*P (With Round off to the Nearest "3" or "1" for Convenience)

Probability of spurious actuation (P) | Fire frequency (F): HIGH, >0.03/yr but <1/yr | Fire frequency (F): MEDIUM, >0.003/yr but <0.03/yr | Fire frequency (F): LOW, <0.003/yr
HIGH, >0.3 but <1 | 1/yr | 0.03/yr | 0.003/yr
MEDIUM, >0.03 but <0.3 | 0.3/yr | 0.009/yr (~0.01/yr) | 9E-4/yr (~0.001/yr)
LOW, >0.003 but <0.03 | 0.03/yr | 9E-4/yr (~0.001/yr) | 9E-5/yr (~1E-4/yr)
VERY LOW, <0.003 | 0.003/yr | 9E-5/yr (~1E-4/yr) | 9E-6/yr (~1E-5/yr)

TABLE 5-2. Maxima That Result from Maximum Credits for G (0.01), S (0.01), [illegible] and Z (0.9), i.e., a Joint Credit [illegible]

Probability of spurious actuation (P) | Fire frequency (F): HIGH, >0.03/yr but <1/yr | Fire frequency (F): MEDIUM, >0.003/yr but <0.03/yr | Fire frequency (F): LOW, <0.003/yr
HIGH, >0.3 but <1 | 9E-7/yr | 3E-8/yr | 3E-9/yr
MEDIUM, >0.03 but <0.3 | 3E-7/yr | 9E-9/yr | 9E-10/yr
LOW, >0.003 but <0.03 | 3E-8/yr | 9E-10/yr | 9E-11/yr
VERY LOW, <0.003 | 3E-9/yr | 9E-11/yr | 9E-12/yr

TABLE 5-3. Point Requirements for Screening (Note use of ">" vs. "≥," i.e., points must EXCEED numbers shown)

Probability of spurious actuation (P) | Fire frequency (F): HIGH, >0.03/yr but <1/yr | Fire frequency (F): MEDIUM, >0.003/yr but <0.03/yr | Fire frequency (F): LOW, <0.003/yr
HIGH, >0.3 but <1 | Do not screen | Screen to green with > 5.5 points | Screen to green with > 4.5 points
MEDIUM, >0.03 but <0.3 | Do not screen | Screen to green with > 5 points | Screen to green with > 4 points
LOW, >0.003 but <0.03 | Screen to green with > [illegible] points | Screen to green with > 4 points | Screen to green with > 3 points
VERY LOW, <0.003 | Screen to green with > [illegible] points | Screen to green with > [illegible] points | Screen to green with > [illegible] points

TABLE 5-4. Establishing Relative Risk Ranking When All Zones Preliminarily Screen

Fire frequency (F) | Probability of spurious actuation (P) | Points: Preliminary screen total | Points: Table 5-1 equivalents | Points: Risk-ranking total
HIGH | HIGH | (Zone A - 4) | 0 | (Zone A - 4)
HIGH | MEDIUM | | 0.5 |
HIGH | LOW | (Zone B - 3) | [illegible] | (Zone B - 4.5)
HIGH | VERY LOW | | [illegible] |
MEDIUM | HIGH | (Zone C - 2) | 1.5 | (Zone C - 3.5)
MEDIUM | MEDIUM | | 2 |
MEDIUM | LOW | (Zone D - 2.5), (Zone E - 3) | 3 | (Zone D - 5.5), (Zone E - 6)
MEDIUM | VERY LOW | | [illegible] |
LOW | HIGH | | 2.5 |
LOW | MEDIUM | (Zone F - 3.5) | 3 | (Zone F - 6.5)
LOW | LOW | | 4 |
LOW | VERY LOW | (Zone G - 1.5) | 5 | (Zone G - 6.5)

Table 5-4 includes an example (in parentheses) where none of a total of seven zones satisfied the preliminary screening criteria of Table 5-3. When ranked relative to one another using the point equivalents from Table 5-1, Zone C proved to be of highest relative risk-significance (lowest total points, 3.5). At a minimum, Zone C would be processed through Phase 2 of the FPSDP (followed by Zone A, Zone B, etc., if the analyst chooses to process more).
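The point logic of Tables 5-1, 5-3 and 5-4 can be checked against the worked zones of Section 5.2.4. The following Python example is added here and is not part of NEI 00-01; its function names are hypothetical, and it assumes that one point equals one decade of credit (as Table 5-8 shows for CCDP), so that delta-CDF < 1E-7/yr corresponds to a total of more than 7 points. The zone pairings are taken as read from the Table 5-4 example.

```python
import math

# Upper bounds of the ranges in the row/column headers of Tables 5-1 to 5-3.
F_MAX = {"HIGH": 1.0, "MEDIUM": 0.03, "LOW": 0.003}                    # fire frequency, per yr
P_MAX = {"HIGH": 1.0, "MEDIUM": 0.3, "LOW": 0.03, "VERY LOW": 0.003}  # spurious actuation

# (F, P) pairings that Table 5-3 marks "Do not screen".
DO_NOT_SCREEN = {("HIGH", "HIGH"), ("HIGH", "MEDIUM")}

# Assumption: one point is one decade of credit, so delta-CDF < 1E-7/yr
# means the pairing points plus the zone points must exceed 7.
TARGET_POINTS = 7.0


def pairing_points(f_range, p_range):
    """Point equivalent of the F*P maximum, rounded to the nearest half
    decade (Table 5-1 rounds the maxima to the nearest "3" or "1")."""
    decades = -math.log10(F_MAX[f_range] * P_MAX[p_range])
    return round(decades * 2) / 2


def points_required(f_range, p_range):
    """Zone points that must be EXCEEDED to screen; None means do not screen."""
    if (f_range, p_range) in DO_NOT_SCREEN:
        return None
    return TARGET_POINTS - pairing_points(f_range, p_range)


def screen_zone(f_range, p_range, fire_size, suppression, ccdp, zones):
    """Sum the four credits and compare them with the Table 5-3 requirement."""
    total = fire_size + suppression + ccdp + zones
    required = points_required(f_range, p_range)
    return {
        "total": total,
        "required": required,
        "screened": required is not None and total > required,
        "ranking_total": total + pairing_points(f_range, p_range),
    }


def rank_zones(zones):
    """Table 5-4 ranking: the lowest ranking total is the highest relative risk.
    zones maps a name to (f_range, p_range, preliminary point total)."""
    totals = {name: pts + pairing_points(f, p) for name, (f, p, pts) in zones.items()}
    return sorted(totals.items(), key=lambda item: item[1])


# Main Control Room (Section 5.2.4.5): MEDIUM F, HIGH P, points as in the text.
MAIN_CONTROL_ROOM = screen_zone("MEDIUM", "HIGH", fire_size=1, suppression=1,
                                ccdp=2, zones=0.5)

# Emergency Diesel Generator Building (Section 5.2.4.4): HIGH F, HIGH P.
# The text assigns no points; the zeros are placeholders because the
# pairing alone prevents screening.
DIESEL_GENERATOR = screen_zone("HIGH", "HIGH", fire_size=0, suppression=0,
                               ccdp=0, zones=0)

# Example zones from Table 5-4: (F range, P range, preliminary screen total).
TABLE_5_4_ZONES = {
    "A": ("HIGH", "HIGH", 4.0),
    "B": ("HIGH", "LOW", 3.0),
    "C": ("MEDIUM", "HIGH", 2.0),
    "D": ("MEDIUM", "LOW", 2.5),
    "E": ("MEDIUM", "LOW", 3.0),
    "F": ("LOW", "MEDIUM", 3.5),
    "G": ("LOW", "VERY LOW", 1.5),
}

if __name__ == "__main__":
    print("Main control room:", MAIN_CONTROL_ROOM)
    print("Diesel generator building:", DIESEL_GENERATOR)
    for name, total in rank_zones(TABLE_5_4_ZONES):
        print(f"Zone {name}: ranking total {total}")
```

The derived requirements reproduce every legible cell of Table 5-3, and the ranking totals match the zone totals shown in Table 5-4.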

TABLE 5-5. Generic Location Fire Frequencies

Room Identifier | Generic Fire Frequency (Range)
Auxiliary Building (PWR) | 4E-2 (HIGH)
Battery Room | 4E-3 (MEDIUM)
Cable Spreading Room - Cables Only | 2E-3 (LOW)
Cable Spreading Room - Cables Plus Other Electrical Equipment | 6E-3 (MEDIUM)
Cable Vault or Tunnel Area - Cables Only | 2E-3 (LOW)
Cable Vault or Tunnel Area - Cables Plus Other Electrical Equipment | [illegible]E-3 (MEDIUM)
Containment - PWR or Non-inerted Boiling Water Reactor (BWR) | 1E-2 (MEDIUM)
Emergency Diesel Generator Building | 3E-2 (HIGH)
Intake Structure | 2E-2 (MEDIUM)
Main Control Room | 8E-3 (MEDIUM)
Radwaste Area | 1E-2 (MEDIUM)
Reactor Building (BWR) | 9E-2 (HIGH)
Switchgear Room | 2E-2 (MEDIUM)
Transformer Yard | 2E-2 (MEDIUM)
Turbine Building - Main Deck (per unit) | 8E-2 (HIGH)

TABLE 5-6. Probabilities of Spurious Actuation Based on Cable Type and Failure Mode (Range)

State of Cable Knowledge | Thermoset | Thermoplastic
No available information about cable type or current limiting devices | 0.6 (HIGH)
Cable type known, no other information known (NOI) | [illegible] | [illegible] (HIGH)
Inter-cable interactions only | 0.02 (LOW) | 0.2 (MEDIUM)
In conduit, cable type known, NOI | 0.3 (HIGH) | 0.6 (HIGH)
In conduit, inter-cable only | [illegible] (LOW) | 0.2 (MEDIUM)
In conduit, intra-cable | [illegible] (MEDIUM) | 0.3 (HIGH)

TABLE 5-7. General Fire Scenario Characterization Type Bins Mapped to Fire Intensity Characteristic

Generic Fire Type Bins with Simple Predefined Fire Characteristics (Points Assigned):
Small Electrical Fire (2 points) | Large Electrical Fire (1 point) | Indoor Oil-Filled Transformers (0 point) | Very Large Fire Sources (0 point) | Engines and Heaters (2 points) | Solid and Transient Combustibles (2 points)

Fire Size Bins: 70 kW, 200 kW, 650 kW, 2 MW, 10 MW [50th and 95th percentile fire entries per bin illegible]

TABLE 5-8. Total Unavailability Values for SSD Path-Based Screening

Type of Remaining Mitigation Capability | CCDP Screening Unavailability Factor (Points Assigned)

1 Automatic Steam-Driven Train: A collection of associated equipment that includes a single turbine-driven component to provide 100% of a specified safety function. The probability of such a train being unavailable due to failure, test, or maintenance is assumed to be approximately 0.1 when credited as "Remaining Mitigation Capability." | 0.1 (1 point)

1 Train: A collection of associated equipment (e.g., pumps, valves, breakers, etc.) that together can provide 100% of a specified safety function. The probability of this equipment being unavailable due to failure, test, or maintenance is approximately 0.01 when credited as "Remaining Mitigation Capability." | 0.01 (2 points)

Operator Action Credit: Major actions performed by operators during accident scenarios (e.g., primary heat removal using bleed and feed, etc.). These actions are credited using three categories of human error probabilities: (1) Operator Action = 1.0, which represents no credit given; (2) Operator Action = 0.1, which represents a failure probability between 0.05 and 0.5; and (3) Operator Action = 0.01, which represents a failure probability between 0.005 and 0.05. Credit is based upon the following criteria being satisfied: (1) sufficient time is available; (2) environmental conditions allow access where needed; (3) procedures describing the appropriate operator actions exist; (4) training is conducted on the existing procedures under similar conditions; and (5) any equipment needed to perform these actions is available and ready for use. | 1.0 (0 point), 0.1 (1 point), or 0.01 (2 points)

5.3 PLANT-SPECIFIC RISK SIGNIFICANCE SCREENING

Based on the evaluations performed in Section 5.2 and Section 3 of this document, the licensee may determine that additional safety significance analysis is warranted. The NRC's revised Fire Protection SDP (FPSDP) [Ref 7.4.45] is a useful tool for this purpose; it will be used by NRC inspectors evaluating the risk significance of circuit failure findings. It calculates the change in Core Damage Frequency for the finding. Other deterministic or probabilistic means may be employed, including plant-specific PRA calculations.

Plant-specific PRA calculations should utilize the results of EPRI Report [illegible], EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities (NUREG/CR-6850), as [illegible] the NFPA-805 FAQ process [illegible].

5.3.1 EPRI/NEI TEST RESULTS

EPRI TR-1006961, "Spurious Actuation of Electrical Circuits due to Cable Fires: Results of an Expert Elicitation" (Reference 7.4-39), is referenced in both the preliminary screening and detailed screening in the determination of delta-CDF. Information about these results is provided here.

The expert panel report provides a general methodology for determining spurious actuation probabilities. PSA is given by the product:

PSA = PCD • PSACD

PCD = The probability of cable damage given a specified set of time-temperature and fire-severity conditions, and

PSACD = The probability of spurious actuation given cable damage.

PCD can be calculated using fire modeling, taking into account the factors affecting damage and the expected time response for manual suppression.

Additionally, the expert panel report provides fragility curves for cable damage versus temperature for thermoset, thermoplastic and armored cable. This curve is provided below:

FIGURE 5-2 Fragility Curves for Thermoset, Thermoplastic, and Armored Cable Anchored to the 5%, 50%, and 95% Probability Values for PCD (Reference 7.4.39 Figure 7-1)

There is a considerable body of test information on cable damageability tests, the results of which are not significantly different from these curves. Information on cable damageability is available from these other tests that the analyst may use in lieu of this curve.

This figure is not used in the preliminary screening process, meaning PCD = 1 and the spurious operation probability is conservatively estimated as PSACD. For the detailed screening (Section [illegible]), PCD can be factored in, given analysis is performed to determine maximum cable temperature for the fire scenario being analyzed. The pilot reports did not use PCD for either screening process.

PSACD can be estimated using Table 5-9. Some general guidance on this is as follows:

  • Values in the table, other than B-15, assume control power transformers (CPTs) or other current limiting devices are in the circuit. To determine the probability of a spurious actuation without a CPT or other current limiting device in the circuit, the listed value should be multiplied by a factor of 2 [PSACD(B-15)/PSACD(B-1)].

Based on the Reference 7.54 (PSA) values used in the fire PRA, they should be treated as independent events, provided the phenomena occur in different conductors; thus, the two PRA probabilities should be multiplied together.

Additional guidance on the use of this table is provided in the expert panel report (Reference 7.4-39). EPRI TR-1003326, Characterization of Fire-Induced Circuit Failures: Results of Cable Fire Testing, provides supplemental information to the expert panel report. This report provides detailed analysis for each of the tests and characterizes the factors affecting circuit failures in much more detail than the expert panel report. One area discussed by this report is duration of spurious operation events.

The test data used for the EPRI report shows that a majority of the circuit failures resulting in spurious operation had a duration of less than 1 minute. Less than 10% of all failures lasted more than 5 minutes, with the longest duration recorded for the tests equal to 10 minutes.

The results of the testing described in this report are reflected in RIS 2004-03. Note that all testing being referenced in these documents was performed on AC grounded circuits. Hot short durations on DC circuits cannot be predicted using this data.

TABLE 5-9 (SEE REFERENCE 7.4-39, TABLE 7-2) SUMMARY OF THE PROBABILITIES (PSACD)

Case # | Case | Short Description | PSACD Best Estimate | High Confidence Range | Discussion Reference

PSACD BASE CASE
B-1 | PSACD base case | M/C Tset cable, intra-cable | 0.30 | 0.10 - 0.50 | 7.2.3.1
B-2 | PSACD base case | 1/C cable, Tset, inter-cable | 0.20 | 0.05 - 0.30 | 7.2.3.2
B-3 | PSACD base case | M/C with 1/C, Tset, inter-cable | 0.01 | 0.005 - 0.020 | 7.2.3.3 as modified by EPRI test report
B-4 | PSACD base case | M/C with M/C, Tset, inter-cable | [illegible] | [illegible] | 7.2.3.4 as modified by EPRI test report

PSACD VARIANTS

Thermoplastic Variants
B-5 | PSACD variant | Same as #B-1 except thermoplastic | 0.30 | 0.10 - 0.50 | 7.3.1, last paragraph
B-6 | PSACD variant | Same as #B-2 except thermoplastic | 0.20 | 0.05 - 0.30 | 7.3.1, last paragraph
B-7 | PSACD variant | Same as #B-3 except thermoplastic | 0.10 | 0.05 - 0.20 | 7.3.1, last paragraph
B-8 | PSACD variant | Same as #B-4 except thermoplastic | | 0.01 - 0.05 | 7.3.1, last paragraph

Armored Variant20
B-9 | PSACD variant | Same as #B-1 except armored | 0.075 | 0.02 - 0.15 | 7.3.2, [illegible] bullet

Conduit Variants
B-11 | PSACD variant | Same as #B-1 except in conduit | 0.075 | 0.025 - 0.125 | 7.3.3, last bullet
B-12 | PSACD variant | Same as #B-2 except in conduit | 0.05 | 0.0125 - 0.075 | 7.3.3, last bullet
B-13 | PSACD variant | Same as #B-3 except in conduit | 0.025 | 0.0125 - 0.05 | 7.3.3, last bullet
B-14 | PSACD variant | Same as #B-4 except in conduit | | 0.005 - 0.01 | 7.3.3, last bullet

Control Power Transformer (CPT) Variant
B-15 | PSACD variant | Same as #B-1 except without CPT | 0.60 | 0.20 - 1.0 | 7.4.1

20 Recent fire-damage testing of armored cables indicates that the recommended value above is not applicable for ungrounded armored circuits.

5.3.2 LARGE EARLY RELEASE FREQUENCY EVALUATION (LERF)

Screening of any component combination requires the consideration of LERF prior to screening.

LERF screening can be performed quantitatively or qualitatively, depending on the availability of quantitative analysis. The quantitative screening criteria for LERF are an order of magnitude lower than CDF:

  • No LERF review is needed if the screened scenario is shown to have a CDF < 1E-08/yr with a sum less than 1E-07/yr. For these scenarios, even if containment function has failed, the LERF screening criteria have been met.

  • If quantitative LERF analysis, such as that from an internal events PRA, is available to meet the criteria above, then this analysis can be used to demonstrate LERF screening criteria have been met.

  • If no detailed quantitative LERF analysis is available, then a qualitative or bounding quantitative evaluation can be performed. This analysis should show that containment function will remain intact following the fire scenario, and that a LERF event given core damage is unlikely. Barriers to containment release should be reviewed to ensure that they are free of fire damage.

Qualitative evaluation of LERF should consider the characteristics of LERF given core damage, and what failures would be required. If a LERF event cannot occur from the postulated combination of events, the scenario can be qualitatively removed from further consideration. Any scenario that remains possible, no matter how unlikely, is then subjected to the quantitative screening, which can be facilitated by the use of bounding analyses in cases where the scenario would be highly unlikely. For example, a PWR large dry containment may have a low probability of LERF, even if all containment fans, coolers, spray and igniters have failed. In this case, containment isolation may be the only containment function required to be reviewed for a qualitative or bounding quantitative LERF review. Another example is that of ice condenser plants which might require igniters and fans to prevent a likely LERF event. In this case, operation of the igniters and fans following the fire scenario would need to be reviewed.

Factors used in screening component combinations against the LERF criteria above should also be considered in the uncertainty evaluation discussed below.

5.3.3 UNCERTAINTY AND SENSITIVITY ANALYSIS

The intent of the screening process and associated analysis is to demonstrate with reasonable assurance that the risk from a circuit failure scenario is below the acceptance criteria described in Regulatory Guide 1.174 (Ref. 7.4.50). The decision must be based on the full understanding of the contributors to the risk and the impacts of the uncertainties, both those that are explicitly accounted for in the results and those that are not. The consideration of uncertainty is a somewhat subjective process, but the reasoning behind the decisions must be well documented.

The types of uncertainty are discussed in Regulatory Guide 1.174. Guidance on what should be addressed for the screening process above is discussed below.

Uncertainty analysis may include traditional parameter uncertainty, and model or completeness uncertainty considerations.

For scenarios involving circuit failures, parameter uncertainty can become less important than other types of uncertainty. These scenarios typically involve a single accident sequence and a limited number of cutsets. Thus the variability resulting from the convolution (or simulation) of the parametric distributions would not involve many combinations, and therefore should be essentially the same as the dominant variability from the parameters within the limited number of cut sets. Model and parameter uncertainty is sometimes more effectively treated with sensitivity analysis rather than statistical uncertainty. Sensitivity analysis for this application is discussed below.

Generally, it should be possible to argue, on the basis of an understanding of the contributors to the risk, that the circuit failure scenario poses an "acceptable risk" (as per Regulatory Guide 1.174). The contributors include the defense-in-depth and safety margin attributes, plus additional considerations such as spatial information, the type of cable failures required, whether the failure needs to be maintained, etc.

The closer the scenario risk is to the acceptance criteria thresholds, the more detail is required for the assessment/screening and the uncertainty. In contrast, if the estimated risk for a scenario is small in comparison to the acceptance criteria, a simple bounding analysis may suffice with no need for detailed uncertainty analysis.

Factors to be considered in the uncertainty and sensitivity analysis include:

a) Sensitivity of the results to uncertainty of the factors in the risk equation. This includes factors such as initiating event frequency, suppression probabilities, severity factors, circuit failure probabilities, factors affecting LERF, etc.

b) Fire modeling uncertainty.

c) Uncertainty of physical location of cables and equipment.

Uncertainty and sensitivity discussions should include any conservative assumptions made as a part of the analysis. For example, if fire modeling is not performed, and conservative assumptions are made about fire spread and/or damage, this should be noted.

5.4 INTEGRATED DECISION MAKING

The results of the different elements of the analysis above must be considered in an integrated manner. None of the individual analysis steps is sufficient in and of itself, and the screening of a circuit failure scenario cannot be driven solely by the numerical results of the PRA screening.

They are but one input into the decision making and help build an overall picture of the implications of the circuit failures being considered. The PRA has an important role in putting the circuit failures into the proper context as it characterizes the potential impacts on the plant as a whole. The PRA screening is used to demonstrate the acceptance criteria have been satisfied.

As the discussion in the previous section indicates, both qualitative and quantitative arguments may be brought to bear within their separate and distinct capacities. Even though the different pieces of the process are not combined in a formal way, they need to be formally documented.

The integrated decision process therefore includes consideration of the following:

  • The screening PRA results
  • Safety margins and defense-in-depth
  • Uncertainty of the results.

5.4.1 DEFENSE-IN-DEPTH AND SAFETY MARGINS CONSIDERATIONS

The information in Section 5.4.4.1 is derived from Appendix A to NFPA 805, 2001 Edition, and Ref. 7.4.50. These methods should be applied to issues that are screened out either after the application of Tables 5-1 through 5-3, or after the quantitative risk significance screen in Section 5.3.

5.4.1.1 Defense-In-Depth

Defense-in-depth is defined as the principle aimed at providing a high degree of fire protection and nuclear safety. It is recognized that, independently, no one means is complete. Strengthening any means of protection can compensate for weakness, known or unknown, in the other items.

Balance among DID elements is a cornerstone of risk-informed applications, and is described in Ref. 7.4.50, Section 2.2.1.1. This document provides the following guidance:

If a comprehensive risk analysis is done, it can be used to help determine the appropriate extent of defense-in-depth (e.g., balance among core damage prevention, containment failure and consequence mitigation) to ensure protection of public health and safety.

Further, the evaluation should consider the impact of the proposed licensing basis change on barriers (both preventive and mitigative) to core damage, containment failure or bypass, and balance among defense-in-depth attributes.

For fire protection, defense-in-depth is accomplished by achieving a balance of the following:

  • Preventing fires from starting
  • Detecting fires rapidly, controlling and extinguishing promptly those fires that do occur
  • Providing protection for SSCs important to safety so that a fire that is not promptly extinguished by the fire suppression activities will not prevent the shutdown of the plant

For nuclear safety, defense-in-depth is accomplished by achieving a balance of the following:

  • Preventing core damage
  • Preventing containment failure
  • Mitigating consequence

For fire protection and fire PRA, both traditional fire protection defense-in-depth (DID) and traditional nuclear safety DID are represented. Fire protection DID has been treated in the past as a balance.

Fire areas with likely or potentially large or rapid-growing fires should have automatic suppression; areas with less likely or smaller fires may rely more on manual suppression; some areas may allow transient combustible storage and some may not, etc. The DID review in this document attempts to balance both the level of traditional fire protection DID and the DID for protection of public health and safety (as measured by CDF and LERF).

Consistency with the defense-in-depth philosophy is maintained if the following acceptance guidelines, or their equivalent, are met:

1. A reasonable balance is preserved among 10 CFR 50 Appendix R DID elements in addition to prevention of core damage, prevention of containment failure, and consequence mitigation.
2. Over-reliance on, or permitting increased length of time when performing, programmatic activities to compensate for weaknesses in plant design is avoided.
3. Pre-fire nuclear safety system redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system and uncertainties (e.g., no risk outliers). (While this should not be construed to mean that more than one safe shutdown train must be maintained free of fire damage, it should also not be construed to mean that one such train is always adequate. A risk-informed, rather than a deterministic, approach is warranted.)
4. Independence of defense-in-depth elements is not degraded.
5. Defenses against human errors are preserved.
6. The intent of the General Design Criteria in Appendix A to 10 CFR Part 50 is maintained.

It should be noted that all elements of fire protection DID may not exist for beyond design basis fire scenarios. For example, [illegible] core damage is possible if enough fire barriers are breached (CCDP [illegible]). Such beyond design basis scenarios, however, should be demonstrated to be of lesser significance, with certainty. A very-low-risk scenario with all elements of DID in place, and a CDF of 9E-08/year would be treated differently than a scenario with a CCDP of 1.0, and a CDF that relies solely on a low initiating frequency for its low risk. In the end, the balance results in consideration of all aspects of the component combination, including the risk, DID, safety margin, uncertainty, and other relevant issues.

Defense-in-depth review for multiple spurious operations should consider whether the scenario affects more than one element of DID. The example above with a CCDP at or near 1.0 may be considered unacceptable if detection/suppression is ineffective.

For example, if we found a scenario from a fire inside a cabinet, where suppression prior to damage to all target cables was unlikely, and the CCDP was near 1, then DID would be inadequate. In most cases, this lack of DID would correspond to a high calculated risk, since the DID elements for fire protection are integrated into the risk calculation. However, if the risk calculation relies heavily on a low fire frequency to screen the scenario, the risk calculation could screen such a scenario. The DID review would, however, not show a balance between DID and risk, and the scenario would not screen.

Applying a DID review to a screening process needs to account for conservatism in the screening. It is common to use a screening assignment of 1.0 for human error CDP or manual non-suppression probabilities during screening in order to perform the analysis with minimal resources. The DID review needs to qualitatively weigh these factors to assure DID is maintained if a detailed quantitative assessment is not available. Additional analysis may be required to complete the DID assessment in this case, since the information available may not have been sufficient to perform a detailed quantitative assessment.

The above criteria and discussion should be used to evaluate whether defense-in-depth is maintained if a potential fire-induced circuit failure is screened out.

5.4.1.2 Safety Margins

The licensee is expected to choose the method of engineering analysis appropriate for evaluating whether sufficient safety margins would be maintained if the fire induced circuit failure were screened out. An acceptable set of guidelines for making that assessment is summarized below.

Other equivalent acceptance guidelines may also be used. With sufficient safety margins (Reference 7.4.50):

  • Codes and standards or their alternatives approved for use by the NRC are met.

  • Safety analysis acceptance criteria in the licensing basis (e.g., FSAR, supporting analyses) are met, or proposed revisions provide sufficient margin to account for analysis and data uncertainty.

5.4.2 CORRECTIVE ACTION

If, when all evaluation phases are completed, the ΔCDF for a component or a component pair remains greater than or equal to 1E-6 per reactor year for all fire areas or the ΔCDF for a fire area remains greater than or equal to 1E-6 per reactor year for all component pairs within the fire area (summing only the Screen 5 results), further analysis using detailed plant fire PRA models or actions to reduce the summed ΔCDF below 1E-6/year (also <1E-7/year for ΔLERF) will be evaluated. The complexity of possible corrective measures can be kept to a minimum by defining the additional risk reduction needed to render the ΔCDF less than 1E-7 per reactor year for any fire area (also <1E-8/yr for ΔLERF).

As an example, if a potential spurious actuation has been determined to have a ΔCDF of 1E-5 per reactor year for any fire area after completing the screening process, a corrective action that applies an additional reduction factor of at least 100 would result in an acceptable configuration (after ΔLERF considerations as well).

Component combinations or fire areas that do not meet the screening criteria above should be placed within the plant's Corrective Action Program (see Section 1.1 of this document).

Evaluation of the corrective action should be performed using the existing plant procedures and criteria, and using the screening analysis results as part of the evaluation. If the component combination or fire area is within the existing licensing basis, develop a compliance strategy or means of disposition to mitigate the effects due to fire damage for each component or its circuit.

Any regulatory reporting should be in accordance with existing regulations.

5.4.3 DOCUMENTATION

The accurate and comprehensive documentation of this assessment will be prepared and maintained as a retrievable plant record following established practices. The documentation should be maintained in accordance with existing plant procedures.

As discussed in Chapter 4 above, the documentation is referenced or included in the Fire Safe Shutdown Analysis for the area or areas affected by the MSO.

5.5 PRA QUALITY

5.5.1 APPLICABILITY OF PART 3 ON INTERNAL FIRE PRA OF THE ASME/ANS COMBINED PRA STANDARD

Part 3 on Internal Fire PRA of the ASME/ANS Combined PRA Standard (the "Fire Standard," which incorporates the ANSI-ANS-58.23 Fire PRA Standard) provides high level and supporting requirements for all steps performed in a detailed PRA used for MSO analysis. The applicability and use of the Fire Standard would depend somewhat on the PRA process used, as discussed in the following sections.

In general, as greater detail is employed and conservatism removed in the process of obtaining the PRA results for an MSO, the applicable capability category for the analysis can be increased. The degree to which a higher capability category may be deemed necessary to assure technical adequacy may depend on how far below the acceptance thresholds of Regulatory Guide 1.174 the results from the analysis lie. For example, if the thresholds are met with significant margin and minimal uncertainty, perhaps Capability Category I will suffice. If the thresholds [illegible] or the uncertainty is large, perhaps even Capability Category 3 will not. A plant [illegible] modification may be warranted for the application.

As the discussion below points out, if the screening method above is used, no capability category in the Fire Standard can be met. As more detailed Fire PRA is performed, Capability Category I may suffice for lower risk MSOs or MSOs meeting the acceptance thresholds when analyzed using conservative PRA assumptions.

Capability Category 2 or 3 may be needed for detailed Fire PRA results approaching the acceptance criteria above, or ones where the uncertainty is large. This general philosophy may not be applicable to all SRs, and a review of SRs not meeting, in general, at least Category 2 for this last example would have to include an assessment of the impact of a lower capability category on the results.

5.5.1.1 Screening Fire PRA

If an MSO or group of MSOs is screened using the preliminary screening method as described in Section 5.2 above, the Fire Standard requirements do not apply. The method is generally conservative, and review against the standard would result in a "not met" assessment for many of the supporting requirements.

5.5.1.2 Focused Scope Fire PRA

If the Fire SDP or NUREG/CR-6850 is used to analyze the MSO, then the applicable supporting requirements of the standard must be reviewed against the analysis. However, many of the Fire Standard SRs are not applicable to a Focused-Scope Fire PRA, since the focused scope analyzes the fire features related to the MSO alone, and not associated with the whole plant or whole room risk estimate. For example, if none of the MSO analysis involved Hydrogen Fires, Bus Duct Fires, Reactor Coolant Pump Fires, etc., then the various SRs related to these fires or areas containing these fires may not need to be reviewed for the MSO analysis.

For a Focused-Scope Fire PRA, only the applicable SRs would need to be reviewed in support of the MSO analysis.

Additionally, SRs that are reviewed may not be applied in a similar level of detail as a full Fire PRA. For example, non-suppression analyzed for an individual scenario would be reviewed against the applicable SRs. However, the SRs may be applicable to many other possible scenarios not associated with the MSOs. The review of the SR would be limited to the application, and as a result, the associated grade for the SR would only be assigned for the limited scope review. As a result, the Peer Review scope would need to be specified and documented as a part of the overall MSO documentation process. This includes both the scope of the SRs reviewed or not reviewed and the limitations or scope of each of the reviewed SRs.

Caution must be exercised before dismissing any SRs as outside the analytical bounds of the Focused Scope Fire PRA. Experience has shown that there are often subtle dependencies among seemingly unrelated elements of a full-scope PRA that could be erroneously dismissed a priori when setting the analytical bounds for the Focused Scope version.

5.5.1.3 Full Fire PRA

If a full Fire PRA is performed, and the MSO scenario analysis is included in the full Fire PRA, then all of the Fire PRA Standard SRs would apply. As with any application, SRs where a requirement is not met or Category I is assessed would need to be documented as a part of the MSO analysis, demonstrating the associated F&O Finding does not affect the analysis results.

5.5.2 Peer Review of the Focused-Scope or Full Fire PRA

A peer review of the focused-scope Fire PRA is required once the initial screening of MSOs is complete. The peer review may differ considerably from a peer review of a complete Fire PRA in the following aspects:

1) The focused-scope Fire PRA will contain screening analysis as described above, which is not designed to meet the Fire PRA Standard Supporting Requirements. The screening analysis is not reviewed against any of the Fire PRA Standard SRs (such would be deemed as "not met").
2) The detailed Fire PRA for MSO scenarios is an analysis of the MSO scenarios only, and may not provide a Fire PRA for a Fire Area or Compartment. As such, the Fire PRA would only apply specific Fire PRA steps needed to show MSO risk is low. The corresponding Fire PRA Standard requirements for the applied steps would be applicable for the peer review, but other steps may not need to be reviewed.

Additionally, many of the SRs reviewed would only be applicable to the MSOs analyzed, and not to the entire plant. Of course, the above caution must be kept in mind.

Prior to the performance of a peer review against a Focused-Scope Fire PRA, the expected scope should be documented by a pre-review of the MSO analysis results. This scope would then be used to determine the number and capability of the Fire PRA Peer Review Team. Upon completion of the peer review, the limitations of the review for each SR should also be specified in the documentation.

6 DEFINITIONS

The following definitions are consistent with NRC-recognized definitions.

The numbers in brackets [ ] refer to the IEEE Standards in which the definitions are used. Refer to Section 2 of IEEE Standard 380-1975 for full titles.

Those definitions without a specific reference are consistent with those in reference 7.4.32.

Important to Safe Shutdown (Previously called Associated circuits of concern)

Generic Letter 81 Those cables (safety related, non-safety related, Class 1E, and non-Class 1E) that have a physical separation less than that required by Appendix R Section III.G.2 and have one of the following:

Common Power Source

A common power source with the shutdown equipment (redundant or alternative) and the power source is not electrically protected from the circuit of concern by coordinated breakers, fuses, or similar devices,

Spurious Operation

A connection to circuits of equipment whose spurious operation would adversely affect the shutdown capability (e.g., Residual Heat Removal/Reactor Coolant System isolation valves, Automatic Depressurization System valves, Pressure-Operated Relief Valves, steam generator atmospheric valves, instrumentation, steam bypass, etc.), or

Common Enclosure

A common enclosure (e.g., raceway, panel, junction, etc.) with the shutdown cables (redundant or alternative), and are not electrically protected by circuit breakers, fuses or similar devices, or will allow the propagation of the fire into the common enclosure.

Cable

IEEE Standard 1004 - A conductor with insulation, or a stranded conductor with or without insulation and other coverings (single-conductor cable) or a combination of conductors insulated from one another (multiple-conductor cable). [391]

Circuit

IEEE Standard 100-1984 - A conductor or system of conductors through which an electric current is intended to flow. [391]

Circuit failure modes

The following are the circuit failure modes that are postulated in the post-fire safe shutdown analysis as a result of a fire:

Hot Short

A fire-induced insulation breakdown between conductors of the same cable, a different cable or from some other external source resulting in a compatible but undesired impressed voltage or signal on a specific conductor.

Open Circuit

A fire-induced break in a conductor resulting in a loss of circuit continuity.

Short-to-Ground

A fire-induced breakdown of a cable's insulation system resulting in the potential on the conductor being applied to ground/neutral.

Cold Shutdown Repair

Repairs made to fire damaged equipment required to support achieving or maintaining cold shutdown for the required safe shutdown path.

Conductor

IEEE Standard 100-1984 - A substance or body that allows a current of electricity to pass continuously along it. [210, 244, 63] Clarification: a single "wire" within a cable; conductors could also be considered a circuit or a cable.

Design Basis Fire

A postulated event used in the post-fire safe shutdown analysis. See Exposure Fire.

Emergency Control Station m1aputsnid themnisii cotitiol t..nichr iiic to 111i"1uiate, [1ilint systerisý ahld con1trls'l t ahdv~ltC~sl'>iL:1ItdoWnoIh L

re11 Ciuu

[NRC RS21)05-30 11

Enclosure

IEEE Standard 380-1975 - An identifiable housing such as a cubicle, compartment, terminal box, panel, or enclosed raceway used for electrical equipment or cables. [384]

Exposure Fire

SRP Section 9.5.1 - An exposure fire is a fire in a given area that involves either in-situ or transient combustibles and is external to any structures, systems, or components located in or adjacent to that same area. The effects of such fire (e.g., smoke, heat, or ignition) can adversely affect those structures, systems, or components important to safety. Thus, a fire involving one train of safe shutdown equipment may constitute an exposure fire for the redundant train located in the same area, and a fire involving combustibles other than either redundant train may constitute an exposure fire to both redundant trains located in the same area.

Fire Area

Generic Letter 86 The term "fire area" as used in Appendix R means an area sufficiently bounded to withstand the hazards associated with the fire area and, as necessary, to protect important equipment within the fire area from a fire outside the area.

In order to meet the regulation, fire area boundaries need not be completely sealed with floor to ceiling and/or wall-to-wall boundaries. Where fire area boundaries were not approved under the Appendix A process, or where such boundaries are not wall-to-wall or floor-to-ceiling boundaries with all penetrations sealed to the fire rating required of the boundaries, licensees must perform an evaluation to assess the adequacy of fire area boundaries in their plants to determine if the boundaries will withstand the hazards associated with the area and protect important equipment within the area from a fire outside the area.

Fire Barrier

SRP Section 9.5.1 - those components of construction (walls, floors, and their supports), including beams, joists, columns, penetration seals or closures, fire doors, and fire dampers that are rated by approving laboratories in hours of resistance to fire and are used to prevent the spread of fire.

Fire Frequency (Ff)

The frequency of fires with a potential to damage critical equipment if left alone.

Fire Protection Design Change Evaluation

The process replacing the 50.59 evaluation process (described in NEI 02-03) that is used by a licensee to document compliance with the fire protection license condition to assure that changes to the approved fire protection program do not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

Fire Protection Program

10 CFR 50, Appendix R, Section II.A - the fire protection policy for the protection of structures, systems, and components important to safety at each plant and the procedures, equipment, and personnel required to implement the program at the plant site. The fire protection program shall extend the concept of defense-in-depth to fire protection in fire areas important to safety, with the following objectives:

Prevent fires from starting.

Rapidly detect, control, and promptly extinguish those fires that do occur.

Provide protection for structures, systems, and components important to safety so that a fire that is not promptly extinguished by the fire suppression activities will not prevent the safe shutdown of the plant.

Fire Zone

The subdivision of fire area(s) for analysis purposes that is not necessarily bound by fire-rated barriers.

Free of Fire Damage

It is expected that the term "free of fire damage" will be further clarified in a forthcoming Regulatory Issue Summary. Until this occurs, NEI recommends using the following guidance in Regulatory Guide 1.189:

"The structure, system, or component under consideration is capable of performing its intended function during and after the postulated fire, as needed, without repair."

Generic Letter 86-10 Fire Hazards Evaluation

A technical engineering evaluation used to evaluate equivalency of fire protection features to those required by the regulations or to evaluate fire protection features that are commensurate with the potential fire hazard. For plants licensed prior to 1979, these evaluations may form the basis for an Appendix R exemption request or support a plant change evaluation using accepted regulatory processes. For plants licensed after January 1, 1979, these evaluations may be used in conjunction with a fire protection design change evaluation to alter the current licensing basis or they may be submitted to the NRC for review and acceptance as a deviation request. (Note: Previously approved deviation requests may be altered using a fire protection design change evaluation without re-submittal to the NRC.)

High Impedance Fault

Generic Letter 86 electrical fault below the trip point for a breaker on an individual circuit.

See "Multiple High Impedance Fault."

High/Low Pressure Interface

Refer to Appendix C to this document.

Hot Short

See "Circuit failure modes."

Important to Safe Shutdown (SSD)

10 CFR 50, Appendix R, Section III.G.1 describes Structures, Systems, and Components (SSC) important to safe shutdown for which fire protection features apply. Components classified as important to SSD in accordance with Appendix H may apply different mitigation tools than components classified as required for hot shutdown.

Isolation Device

IEEE Standard 380-1975 - A device in a circuit that prevents malfunctions in one section of a circuit from causing unacceptable influences in other sections of the circuit or other circuits. [384]

Local Operation

Operation of safe shutdown equipment by an operator outside the Main Control Room when automatic, remote manual, or manual operation are no longer available (e.g. opening of a motor operated valve using the hand wheel).

Operator Manual Action

Actions performed by operators to manipulate components and equipment from outside the main control room to achieve and maintain post-fire hot shutdown, not including "repairs."

Multiple High Impedance Fault(s)

A condition where multiple circuits fed from a single power distribution source each have a high impedance fault. See Appendix B.1.

Open Circuit

See "Circuit Failure Modes."

Probability of Spurious Actuation (PsA)

The probability of undesirable spurious operation(s) of the component, or of component being potentially impacted by the fire-induced circuit failure.

Raceway

IEEE Standard 380-1975 - Any channel that is designed and used expressly for supporting wires, cable, or busbars. Raceways consist primarily of, but are not restricted to, cable trays, conduits, and interlocked armor enclosing cable. [384]

Remote Control

Plant design features that allow the operation of equipment through a combination of electrically powered control switches and relays. Remote control can typically be performed from the control room or from local control stations, including the remote shutdown panel and other locations with control capability outside the control room.

Remote Manual Operation

Operation of safe shutdown equipment on the required safe shutdown path using remote controls (e.g., control switches) specifically designed for this purpose from a location other than the main control room.

Remote Shutdown Location

A plant location outside the control room with remote control capability for shutdown.

Remote Shutdown Panel

[illegible] for the purpose [illegible] 10 CFR 50 Appendix A General Design Criterion 19. If electrical isolation and redundant fusing are provided at this location, it may also be suitable for use in achieving and maintaining safe shutdown for an event such as a control room fire.

Repair Activity

Those actions required to restore operation to post-fire safe shutdown equipment that has failed as a result of fire-induced damage.

Repairs may include installation, removal, assembly, disassembly, or replacement of components or jumpers using materials, tools, procedures, and personnel available to site (e.g., replacement of fuses, installation of temporary cables or power supplies, installation of air jumpers, the use of temporary ventilation). Credit for repair activities for post-fire safe shutdown may only be taken for equipment required to achieve and maintain cold shutdown. Repairs may require additional, more detailed instructions, including tools to be used, sketches, and step-by-step instructions for the tasks to be performed. Repair activities are intended to restore functions and not equipment since the equipment may be destroyed in a fire event. Repair activities may rely on exterior security lighting or portable lighting if independent 8-hour battery backed lighting is unavailable.

Required Safe Shutdown Path

The safe shutdown path selected for achieving and maintaining safe shutdown in a particular fire area. This safe shutdown path must be capable of performing all of the required safe shutdown functions described in this document.

Required Safe Shutdown System

A system that performs one or more of the required safe shutdown functions and is, therefore, a part of the required safe shutdown path for a particular fire area.

Required Hot Shutdown Component

Equipment that is required to either function or not malfunction so that the required safe shutdown path will be capable of achieving and maintaining hot shutdown in a particular fire area and meet the established regulatory criteria.

Required Hot Shutdown Cable/Circuit

Cable/circuit required to support the operation or prevent the mal-operation of required hot shutdown component in a particular fire area.

Safe Shutdown

[Reference 7.4.38] A shutdown with (1) the reactivity of the reactor kept to a margin below criticality consistent with technical specifications, (2) the core decay heat being removed at a controlled rate sufficient to prevent core or reactor coolant system thermal design limits from being exceeded, (3) components and systems necessary to maintain these conditions operating within their design limits, and (4) components and systems necessary to keep doses within prescribed limits operating properly.

[Reference 7.4.14] For fire events, those plant conditions specified in the plant Technical Specifications as Hot Standby, Hot Shutdown, or Cold Shutdown.

For those plants adopting NFPA 805, the term "safe shutdown" is not explicitly defined. Please refer to the discussion of "Nuclear Safety Performance Criteria" in NFPA 805 for more information about performance criteria that, if met, provide reasonable assurance in the event of a fire that the plant is not placed in an unrecoverable condition.

Safe Shutdown Capability

Redundant

Any combination of equipment and systems with the capability to perform the shutdown functions of reactivity control, inventory control, decay heat removal, process monitoring and associated support functions when used within the capabilities of its design.

Alternative

For a given fire area/zone where none of the redundant safe shutdown capability are "free of fire damage" and dedicated equipment is not provided, the shutdown strategy used is classified as alternative.

Dedicated

A system or set of equipment specifically installed to provide one or more of the post-fire safe shutdown functions of inventory control, reactivity control, decay heat removal, process monitoring, and support as a separate train or path.

Safe Shutdown Equipment/Component

Equipment that performs a function that is required for safe shutdown either by operating or by not mal-operating.

Short-to-Ground

See "Circuit Failure Modes."

Spurious Operation

The possible inadvertent operation or repositioning of a piece of equipment.

NEI 00-01 Revision 2 - Draft October 2008

7 REFERENCES

7.1 NRC GENERIC LETTERS

7.1.1 80-45: Proposed Rule Fire Protection Program for Nuclear Power Plants
7.1.2 80-48: Proposed Rule Fire Protection Program for Nuclear Power Plants
7.1.3 80-56: Memorandum and Order RE: Union of Concerned Scientists Petition
7.1.4 80-100: Resolution of Fire Protection Open Items
7.1.5 81-12: Fire Protection Rule, dated February 20, 1981
7.1.6 81-12: Clarification of Generic Letter 81-12, Letter from the NRC to PSE&G, dated April 20, 1982, Fire Protection Rule - 10 CFR 50.48(c) - Alternate Safe Shutdown - Section III.G.3 of Appendix R to 10 CFR 50
7.1.7 82-21: Tech Specs for Fire Protection Audits
7.1.8 83-33: NRC Positions on Appendix R
7.1.9 85-01: Fire Protection Policy Steering Committee Report
7.1.10 86-10: Implementation of Fire Protection Requirements, dated April 24, 1986
7.1.11 86-10: [illegible] 1 to Generic [illegible], Implementation of Fire Protection Requirements
7.1.12 88-12: Removal of Fire Protection Requirements from Tech Specs
7.1.13 88-20: Supplement 4 IPEEE
7.1.14 89-13: Supplement 1 Biofouling of Fire Protection Systems
7.1.15 92-[illegible]: Thermo-Lag Fire Barriers
7.1.16 93-06: Use of Combustible Gases in Vital Areas
7.1.17 95-01: Fire Protection for Fuel Cycle Facilities

7.2 BULLETINS

7.2.1 75-04: Browns Ferry Fire
7.2.2 77-08: Assurance of Safety
7.2.3 81-03: Flow Blockage Due to Clams and Mussels
7.2.4 92-01: Failure of Thermo-Lag
7.2.5 92-01: Supplement 1 Failure of Thermo-Lag

7.3 NRC INFORMATION NOTICES

7.3.1 80-25: Transportation of Pyrophoric Uranium
7.3.2 83-41: Actuation of Fire Suppression System Causing Inoperability of Safety-Related Equipment, June 22, 1983
7.3.3 83-69: Improperly Installed Fire Dampers
7.3.4 83-83: Use of Portable Radio Transmitters Inside Nuclear Power Plants
7.3.5 84-09: Lessons learned from NRC Inspections of Fire Protection Safe Shutdown Systems (10 CFR 50, Appendix R), Revision 1, March 7, 1984
7.3.6 84-16: Failure of Automatic Sprinkler System Valves to Operate
7.3.7 84-92: Cracking of Flywheels on Fire Pump Diesel Engines
7.3.8 85-09: Isolation Transfer Switches and Post-fire Shutdown Capability, January
7.3.9 85-85: System Interaction Event Resulting in Reactor Safety Relief Valve
7.3.10 86-C7: Update, Failure of Automatic Sprinkler System Valves
7.3.11 86-35: Fire in Compressible Material
7.3.12 86-106: Surry Feedwater Line Break
7.3.13 86-106: Supplement 1 Surry Feedwater Line Break
7.3.14 86-106: Supplement 2 Surry Feedwater Line Break
7.3.15 86-106: Supplement 3 Surry Feedwater Line Break
7.3.16 87-14: Actuation of Fire Supp. Causing Inop of Safety Related Ventilation
7.3.17 87-49: Deficiencies in Outside Containment Flooding Protection
7.3.18 87-50: Potential LOCA at High and Low Pressure Interfaces from Fire Damage, October 9, 1987

7.3.19 88-04: Inadequate Qualification of Fire Barrier Penetration Seals
7.3.20 88-04: Supplement 1 Inadequate Qualification of Fire Barrier Penetration Seals
7.3.21 88-05: Fire in Annunciator Control Cabinets
7.3.22 88-45: Problems in Protective Relay and Circuit Breaker Coordination, July 7, 1988
7.3.23 88-56: Silicone Fire Barrier Penetration Seals
7.3.24 88-60: Inadequate Design & Installation of Watertight Penetration Seals
7.3.25 88-64: Reporting Fires in Process Systems
7.3.26 89-52: Fire Damper Operational Problems
7.3.27 90-69: Adequacy of Emergency and Essential Lighting, October 31, 1990
7.3.28 91-17: Fire Safety of Temporary Installations
7.3.29 91-18: Resolution of Degraded & Nonconforming Conditions
7.3.30 91-37: Compressed Gas Cylinder Missile Hazards
7.3.31 91-47: Failure of Thermo-Lag
7.3.32 91-53: Failure of Remote Shutdown Instrumentation
7.3.33 91-77: Shift Staffing at Nuclear Power Plants
7.3.34 91-79: Deficiencies in Installing Thermo-Lag
7.3.35 91-79: Supplement
7.3.36 92-14: Uranium Oxide Fires
7.3.37 92-18: Loss of Remote Shutdown Capability During a Fire, February 28, 1992
7.3.38 92-28: Inadequate Fire Suppression System Testing
7.3.39 92-46: Thermo-Lag Fire Barrier Special Review Team Final Report
7.3.40 92-55: Thermo-Lag Fire Endurance Test Results
7.3.41 92-82: Thermo-Lag Combustibility Testing
7.3.42 93-40: Thermal Ceramics Fire Endurance Tests
7.3.43 93-41: Fire Endurance Tests - Kaowool, Interam

7.3.44 93-71: Fire at Chernobyl Unit 2
7.3.45 94-12: Resolution of GI 57 Effects of Fire Prot. Sys. Actuation on SR Equip.
7.3.46 94-22: Thermo-Lag 3-Hour Fire Endurance Tests
7.3.47 94-26: Personnel Hazards From Smoldering Material in the Drywell
7.3.48 94-28: Problems with Fire-Barrier Penetration Seals
7.3.49 94-31: Failure of Wilco Lexan Fire Hose Nozzles
7.3.50 94-34: Thermo-Lag Flexi-Blanket Ampacity Derating Concerns
7.3.51 94-58: Reactor Coolant Pump Lube Oil Fire
7.3.52 94-86: Legal Actions Against Thermal Science Inc.
7.3.53 94-86: Supplement 1
7.3.54 95-27: NRC Review of NEI Thermo-Lag Combustibility Evaluation Methodology
7.3.55 95-32: Thermo-Lag 330-1 Flame Spread Test Results
7.3.56 95-33: Switchgear Fire at Waterford Unit 3
7.3.57 95-36: Problems with Post-Fire Emergency Lighting
7.3.58 95-36: Supplement
7.3.59 95-4[illegible]: [illegible] Shift Survey
7.3.60 95-49: Seismic Adequacy of Thermo-Lag Panels
7.3.61 95-49: Supplement 1
7.3.62 95-52: Fire Test Results of 3M Interam Fire Barrier Materials
7.3.63 95-52: Supplement 1
7.3.64 96-23: Fire in Emergency Diesel Generator Exciter
7.3.65 97-01: Improper Electrical Grounding Results in Simultaneous Fires
7.3.66 97-23: Reporting of Fires at Fuel Cycle Facilities
7.3.67 97-37: Main Transformer Fault
7.3.68 97-48: Inadequate Fire Protection Compensatory Measures

7.3.69 97-59: Fire Endurance Tests of Versawrap Fire Barriers
7.3.70 97-70: Problems with Fire Barrier Penetration Seals
7.3.71 97-72: Problems with Omega Sprinkler Heads
7.3.72 97-73: Fire Hazard in the Use of a Leak Sealant
7.3.73 97-82: Inadvertent Control Room Halon Actuation

7.4 OTHER RELATED DOCUMENTS

7.4.1 10 CFR 50.48 Fire Protection (45 FR 76602)
7.4.2 10 CFR 50 Appendix A GDC 3 Fire Protection
7.4.3 10 CFR 50 Appendix R Fire Protection for Operating Nuclear Power Plants
7.4.4 Branch Technical Position APCSB 9.5-1 Guidelines for Fire Protection
7.4.5 Appendix A to Branch Tech Position 9.5-1 Guidelines for Fire Protection
7.4.6 NUREG-0800 9.5.1 Fire Protection Program
7.4.7 NRC Insp. Procedure 64100 [illegible] Safe Shutdown, Emergency Lighting, Oil Collection
7.4.8 NRC Insp. Procedure 64150 Triennial Postfire Safe Shutdown Capability
7.4.9 NRC Insp. Procedure 64704 Fire Protection Program
7.4.10 NUREG/BR-0195 Enforcement Guidance
7.4.11 NUREG-75/087 Standard Review Plan (No revision level listed)
7.4.12 NUREG-75/087 Standard Review Plan, Rev. 1
7.4.13 NUREG-75/087 Standard Review Plan, Rev. 2
7.4.14 Reg Guide 1.120 Fire Protection Guidelines for Nuclear Power Plants
7.4.15 Reg Guide 1.120 Rev. 1, Fire Protection Guidelines for Nuclear Power Plants
7.4.16 Reg Guide 1.189 Fire Protection for Operating Nuclear Power Plants
7.4.17 NUREG-0654 Criteria for Preparation of Emergency Response Plans
7.4.18 Temporary Instruction 2515/XXX Fire Protection Functional Inspection
7.4.19 SECY-82-13B (4/21/82) Fire Protection Schedules and Exemptions

7.4.20 SECY-82-267 (6/23/82) FP Rule for Future Plants
7.4.21 SECY-83-269 FP Rule for Future Plants
7.4.22 SECY-85-306 Recommendations Regarding the Implementation of App R to 10 CFR 50
7.4.23 NRC Temp Instruction 2515/62 Inspection of Safe Shutdown Requirements of 10 CFR 50
7.4.24 NRC Temp Instruction 2515/61 Inspection of Emergency Lighting & Oil Collection Requirements
7.4.25 NUREG-0050, 2/76; Recommendations Related to Browns Ferry Fire
7.4.26 NRC Letter (12/82), Position Statement on Use of ADS/LPCI to meet Appendix R Alternate Safe Shutdown Goals, discusses need for exemption if core uncovery occurs.
7.4.27 SECY-93-143 Assessment of Fire Protection Programs
7.4.28 SECY-95-034 Re-assessment of Fire Protection Programs
7.4.29 SECY-96-134 Fire Protection [illegible] Improvement
7.4.30 Appendix S Proposed Rulemaking
7.4.31 NRC letter to NEI dated March 11, 1997; general subject NRC positions on fire-induced circuit failures issues
7.4.32 NEI letter to NRC dated [illegible] 1997, general subject industry positions on fire-induced circuit failures issues
7.4.33 GE-NE-T43-00002-00-62, Revision 0, "Generic Guidance for BWR Post-Fire Safe Shutdown Analysis," November 1999
7.4.34 NFPA 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," November 2000 ROP
7.4.35 NSAC-1I "Automatic and Manual Suppression Reliability Data for Nuclear Power Plant Fire Risk Analyses", February 1994
7.4.36 EPRI TR-100370, "Fire-Induced Vulnerability Evaluation (FIVE)", April 1992
7.4.37 EPRI TR-105928, "Fire PRA Implementation Guide", December 1995
7.4.38 ANSI/ANS-52.1-1983 "Nuclear Safety Criteria for the Design of Stationary Boiling Water Reactor Plants" and ANSI/ANS-51.1-1983 "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants"

7.4.39 SU-105928, "Guidance for Development of Response to Generic Request for Additional Information on Fire Individual Plant Examination for External Events (IPEEE), a Supplement to EPRI Fire PRA Implementation Guide (TR-105928)" EPRI, March 2000
7.4.40 EPRI Report 1006961, "Spurious Actuation of Electrical Circuits Due to Cable Fires: Results of An Expert Elicitation"
7.4.41 EPRI Report 1003326, "Characterization of Fire-Induced Circuit Faults: Results of Cable Fire Testing"
7.4.42 NRC Memorandum J. Hannon to C. Carpenter, "Proposed Risk-Informed Inspector Guidance for Post-Fire Safe-Shutdown Associated Circuit Inspections," March 19, 2003, ADAMS Accession Number ML0307026
7.4.43 NRC Paper to ANS Topical Meeting on Operating Reactor Safety, Preliminary Screening of Fire-Induced Circuit Failures for Risk Significance, November, 2004
7.4.44 EPRI Report 1003111, "Fire Events Database and Generic Ignition Frequency Model for U.S. Nuclear Power Plants"
7.4.45 NRC Inspection Manual Chapter 0609, Appendix F, "Fire Protection Significance Determination Process," May 2004
7.4.46 NEI 00-01 Revision 0, "Guidance for Post-Fire Safe Shutdown Analysis," May 2003
7.4.47 Regulatory Guide 1.75, "Physical Independence of Electric Systems," Revision 2, [illegible] 1978
7.4.48 Raughley, [illegible], and G. Lanik, "Operating Experience Assessment - Energetic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear Power Plants, 1986-2001," NRC Office of Nuclear Regulatory Research, February 2002
7.4.49 Nowlen, S., and M. Kazarians, "Risk Methods Insights Gained from Fire Incidents," NUREG/CR-6738, September 2001
7.4.50 NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 1, November 2002.
7.4.51 NEI 04-06, Draft Revision K, "Guidance for Self-Assessment of Circuit Failure Issues," October 2003
7.4.52 NUREG/CR-6850, "EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities Volume 1 and 2, Draft for Public Comment."

7.4.53 ANSI/ANS-58.6-1983 and 1996, "Criteria for Remote Shutdown for Light Water Reactors"
7.4.54 ANSI/ANS-58.11-1983 "Cooldown Criteria for Light Water Reactors"
7.4.55 ANSI/ANS-59.4-1979 "Generic Requirements for Light Water Reactor Nuclear Power Plant Fire protection"
7.4.56 NRC Letter to Licensees dated June 19, 1979 "Staff Position - Safe Shutdown Capability"
7.4.57 NRC Letter to BWROG dated December 12, 2000 "BWR Owners Group Appendix R Fire Protection Committee Position on SRVs + Low Pressure Systems Used As 'Redundant' Shutdown Systems Under Appendix R (Topical Report GE-NE-T43-0002-00-03-RO0) (TAC No. MA8545) [ML003776828]

7.5 ADMINISTRATIVE LETTERS

7.5.1 95-06: Relocation of Technical Specification Administrative Controls

7.6 REGULATORY ISSUE SUMMARIES

7.6.1 2004-01: Risk-Informed Approach for Post-Fire Safe-Shutdown Associated Circuit Inspections

NEI 00-01 Revision 2 - Draft October 2008

ATTACHMENT 1

EXAMPLE OF TYPICAL BWR SAFE SHUTDOWN PATH DEVELOPMENT

Safe Shutdown Path 1 | Safe Shutdown Path 2 | Safe Shutdown Path 3

Reactivity Control (listed under each of the three paths): CRD (Scram Function); Manual Scram and/or Operator Manual Action to remove RPS Power or to vent the instrument air header

Pressure Control: Manual ADS/SRVs using available Control Room and Remote Switches

Inventory Control: Core Spray; RHR LPCI

Decay Heat Removal: RHR Supp. Pool Cooling Mode; Service Water; Core Spray, Alt. SDC Mode

Decay Heat Removal: RHR Supp. Pool Cooling Mode; Service Water; RHR, Alt. SDC Mode

Process Monitoring: Supp. Pool Monitoring; Nuc. Boiler Instru.

Associated Support Function

Cooling Systems: RHR Room Coolers; RCIC Room Coolers; Service Water Pumphouse HVAC; EDG HVAC

Electrical (listed under each of the three paths): EDGs or Offsite Power; Electrical Distribution Equipment

ATTACHMENT 2

ANNOTATED P&ID ILLUSTRATING SSD SYSTEM PATHS [BWR EXAMPLE]

[Figure: annotated P&ID; the surviving legend text reads "DIV. I COMPONENTS"]

ATTACHMENT 3

EXAMPLE OF SAFE SHUTDOWN EQUIPMENT LIST (Sorted by Equipment ID)

Equipment ID | Logic Diagram | System | Unit | Equipment Type | SSD Path | Equipment Description | Equip FA | Normal Mode | Shutdown Mode(s) | High/Low | Air Fail | Power Fail | Reference

A description of the Safe Shutdown Equipment List column headings is provided as follows:

Equipment ID: Identifies the equipment/component ID No. from the P&ID or one line diagram.

Logic Diagram: Identifies a safe shutdown logic diagram reference that may illustrate the relationship between the equipment and other system components.

System: Identifies the Appendix R post-fire safe shutdown System of which the equipment is part.

Unit: Identifies the Unit(s) that the equipment supports.

Equipment Type: Identifies the type of equipment (e.g., MOV, pump, SOV).

SSD Path: Identifies the safe shutdown path(s) for which the equipment is necessary to remain functional or not mal-operate.

Equipment Description: Provides a brief description of the equipment.

Equip FA: Identifies the fire area where the equipment is located.

Normal Mode: Identifies the position or mode of operation of the equipment during normal plant operation.

Shutdown Mode(s): Identifies the position or mode of operation of the equipment during shutdown conditions.

High/Low: Identifies whether the equipment is considered part of a high/low pressure interface.

Air Fail: If applicable, identifies the position of equipment resulting from a loss of air supply.

Power Fail: Identifies the position of equipment resulting from a loss of electrical power.

Reference: Identifies a primary reference drawing (P&ID or electrical) on which the equipment can be found.

ATTACHMENT 4

SAFE SHUTDOWN LOGIC DIAGRAM [BWR EXAMPLE]

ATTACHMENT 5

EXAMPLE OF AFFECTED EQUIPMENT REPORT (Sorted by Fire Area, System, Unit & Equipment ID)

A description of the Affected Equipment Report column headings is provided as follows:

Fire Area: Identifies the fire area where the equipment or cables are located.

Required Path(s): Identifies the safe shutdown path(s) relied upon to achieve safe shutdown in the fire area.

FA Description: Provides a brief description of the fire area.

Suppression: Identifies the type of fire suppression (e.g., manual, auto, none) within the fire area.

Detection: Identifies the type of fire detection within the fire area.

System: Identifies the Appendix R post-fire safe shutdown System of which the equipment is part.

Unit: Identifies the Unit(s) that the equipment supports.

Logic Diagram: Identifies a safe shutdown logic diagram reference that may illustrate the relationship between the equipment and other system components.

Equipment ID: Identifies the equipment/component ID No. from the P&ID or one line diagram.

Equip Type: Identifies the type of equipment (e.g., MOV, pump, SOV).

SSD Path: Identifies the safe shutdown path(s) for which the equipment is necessary to remain functional or not mal-operate.

Equip FA: Identifies the fire area where the equipment is located.

Equipment Description: Provides a brief description of the equipment.

Normal Mode: Identifies the position or mode of operation of the equipment during normal plant operation.

Shutdown Mode(s): Identifies the position or mode of operation of the equipment during shutdown conditions.

High/Low: Identifies whether the equipment is considered part of a high/low pressure interface.

Air Fail: If applicable, identifies the position of equipment resulting from a loss of air supply.

Power Fail: Identifies the position of equipment resulting from a loss of electrical power.

Disp Code: A code that corresponds to specific compliance strategies and enables sorting and grouping of data.

Compliance Strategy: A brief discussion of the method by which the equipment is resolved to meet Appendix R compliance.

ATTACHMENT 6

EXAMPLE OF FIRE AREA ASSESSMENT REPORT (Sorted by Fire Area, System, Unit & Equipment ID)

Fire Area:

Required Path(s):

System:

Equipment ID | Logic Diagram | Equip Type | SSD Path | Equip FA | Equipment Description | Normal Mode | Shutdown Mode(s) | High/Low | Air Fail | Power Fail

A description of the Fire Area Assessment Report column headings is provided as follows:

Fire Area: Identifies the fire area where the cables or equipment are located.

Required Path(s): Identifies the safe shutdown path(s) relied upon to achieve safe shutdown in the fire area.

System: Identifies the Appendix R System of which the equipment is part.

Unit: Identifies the unit(s) that the equipment supports.

Equipment ID: Identifies the equipment/component ID No. from the P&ID or one line diagram.

Logic Diagram: Identifies a safe shutdown logic diagram reference that may illustrate the relationship between the equipment and other system components.

Equip Type: Identifies the type of equipment (e.g., MOV, pump, SOV).

FA Description: Provides a brief description of the fire area.

Suppression: Identifies the type of fire suppression (e.g., auto, none) within the fire area.

Detection: Identifies the type of fire detection within the fire area.

Equip Type: Identifies the type of equipment (e.g., MOV, pump, SOV).

SSD Path: Identifies the safe shutdown path(s) for which the equipment is necessary to remain functional or not mal-operate.

Equip FA: Identifies the fire area where the equipment is located.

Equipment Description: Provides a brief description of the equipment.

Normal Mode: Identifies the position or mode of operation of the equipment during normal plant operation.

Shutdown Mode(s): Identifies the position or mode of operation of the equipment during shutdown conditions.

High/Low: Identifies whether the equipment is considered part of a high/low pressure interface.

Air Fail: If applicable, identifies the position of equipment resulting from a loss of air supply.

Power Fail: Identifies the position of equipment resulting from a loss of electrical power.

Cable: Identifies the safe shutdown cable located in the fire area.

Cable Funct: Identifies the function of the cable (e.g., power, control) and whether its failure can result in a spurious operation.

Disp Code: A code that corresponds to a specific compliance strategy and enables sorting and grouping of data.

Compliance Strategy: A brief discussion of the method by which the cable is resolved to meet Appendix R compliance.