NEI 00-01, Guidance for Post Fire Safe Shutdown Circuit Analysis
| ML091070227 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry, Braidwood  |
| Issue date: | 01/31/2008 |
| From: | Nuclear Energy Institute |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| FOIA/PA-2010-0209 NEI 00-01, Rev 2c | |
| Download: ML091070227 (200) | |
Text
NEI 00-01, Revision 2(c)
January 2008 APPENDIX A SAFE SHUTDOWN ANALYSIS AS PART OF AN OVERALL FIRE PROTECTION PROGRAM A.1 PURPOSE This appendix discusses the significant improvements that, have been made within nuclear industry fire protection programs since the BrowtFerry-fire. The discussion will include what defense-in-depth features, in aggreg~teL, constitute a complete and comprehensive fire protection program and what part the saiI shutdown analysis plays in that aggregate.
A.2 INTRODUCTION Each licensee s fire protection program is based on t(Ie concept of defense-in-depth. The Appendix R safe shutdown assumptions related It Iire intensity and damage potential represent a conservative desig ibasis in that they postulate conditions significantly beyond those that are ever expectLc to occur based on h1iexisting defense-in-depth plant features. Fire damage and equipment 'faitures_ to the extent postulated in an Appendix R safe shutdown analysis, have never beeni ex-perienedit in man operating U.S. nuclear power plant. The worst-cage fire ever experienceid 'in a U:SLnuclear power plant was in 1975 at the Browns FerryNiilear Power PlantInit 1. Cianges made in the design of U.S.
nuclear power a
iii s
this fire havcsignificantly improved the fire safety of these units such tha01te I
sequencee of events thaitIccurred at Browns Ferry is not expected to recur.
The scctionS** ht iscussthe Bown's Ferry fire, the investigation of that fire, the recommendaiilonsmade' trpevent recurrence of such a fire and the improvement made t)-,eU.S. nuclear power a i
suýst relative to these recommendations.
A.3 OVERVIEW 1
A.3.1 Browns Ferr e Regulatory History In March of 1b975, a fire occurred at the Browns Ferry Nuclear Plant Unit 1. Due to unusual circumstances, the fire was especially severe in its outcome and resulted in considerable loss of systems and equipment with temporary unavailability of systems that would normally be utilized to safely shut down the plant for such events.
The severity of the fire caused the NRC to establish a review group that evaluated the need for improving the fire protection programs at all nuclear plants. The group found serious design inadequacies regarding general fire protection at Browns Ferry and recommended improvements in its report, NUREG-0050, "Recommendations Related to A-I
NEI 00-01, Revision 2(c)
January 2008 Browns Ferry Fire" issued in February 1976.
This report also recommended development of specific guidance for implementation of fire protection, regulation, and for a comparison of that guidance with the fire protection programs at each nuclear facility.
The NRC developed technical guidance from the recommendations set forth in the NUREG and issued those guidelines as Branch Technical Position (BTP) APCSB 9.5-1, "Guidelines for Fire Protection for Nuclear Power Plants," May 1976.
The NRC asked each licensee to compare their operating reactors or those undrconstruction with BTP APCSB 9.5-1 requirements and, in September 1976, infrmed the licensees that the guidelines in Appendix A of the BTP would be used to anayize the consequences of a fire in each plant area.
In September 1976, the NRC requested that liceniees~provide a lhfIiazards analysis that divided the plant into distinct fire areas and $slhow that systems requmrd 'to achieve and maintain cold shutdown are adequately pro.teted against damage by a fwe Eily in 1977 each licensee responded with a fire prdtection. program evaluation that mcluded a Fire Hazards Analysis. These evaluations and analses* identified aspects of licensees' fire protection programs that did not conform to the NRlC guidelines. Thereafter, the staff initiated discussions with all liýensees aimed at iacieving implementation of fire protection guidelines by Octoberi80The NRC stff*,thasF held many meetings with licensees, has had extensive correspondenc'ewith them, aindlhas visited every operating reactor. As a result, many fire protection openittems were resolved, and agreements were included in fire protection Safety Evaluation Reportsuissued by the NRC.
By early 1980, most operating nuclear plants had implemented most of the basic guidelines in Appendix A of the BTP. However, as the Commission noted in its Order of May 23, 1980, the tfire ¢protection proprins had some significant problems with implementation.
Se'ral licenses d expressed continuing disagreement with the reiomm ts~r~
sý to several generic issues.
These issues included the requirements fuohfire brigalde size and training, water supplies for fire suppression "sstems, alternatrie and dedicated shutdown capability, emergency lighting,,
cqualifications of seals used to enclose places where cables penetrated fire barriers, and the preyention of reactor coolant pump lubrication system fires.
To resolve these contestmý subjects consistent with the general guidelines in Appendix A to the BTP, and to assure: uiely compliance by licensees, the NRC, in May of 1980, issued a fire protection rul&-10, CFR 50.48 and 10 CFR 50 Appendix R. NRC described this new rule as setting forth minimum fire protection requirements for the unresolved issues. The fire protection features addressed in the 10 CFR 50 Appendix R included requirements for safe shutdown capability, emergency lighting, fire barriers, fire barrier penetration seals, reactor coolant pump lubrication system, and alternative shutdown systems. -
Following the issuance of Appendix R, the NRC provided guidance on the implementation of fire protection requirements and Appendix R interpretations at nuclear plants through Generic Letters, regional workshops, question and answer correspondence and plant specific interface. This guidance provided generic, as well as specific, analysis A-2
NEI 00-01, Revision 2(c)
January 2008 criteria and methodology to be used in the evaluation of each individual plant's post-fire safe shutdown capability.
A.3.2 Fire Damage Overview The Browns Ferry fire was a moderate severity fire that had significant consequences on the operator's ability to control and monitor plant conditions. Considerable damage was done to plant cabling and associated equipment affecting vital plant shutdown functions.
The fire burned, uncontrolled, while fire fighting efforts, using,CO2 and dry chemical extinguishers, continued for approximately 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> with little success until water was used to complete the final extinguishing process.-
During the 7-hour fire event period, the plant (UnIiit ) expeieiiced the loss of various plant components and systems.
The loss of certain vital )sytems and equipment hampered the operators' ability to control the plant using the fiill* complement of shutdown systems.
The operators were ccessfu li-n bringing into operation other available means to cool the reactor. SinceUJbothUit I and 2 dep upon shared power supplies, the Unit 2 operators began to lose eontrol of vital equipment also and were forced to shut down. Since only a small amounit of equipment was lost in Unit 2, the shutdown was orderly and without incident.
The results of the Browns Ferry fiire e i,:elded impo)rtdan iformation concerning the effects of a significant fire on the ability of Jeplant to saieifly shut down. Although the Browns Ferry fire event was severe ani> thelduration )f the fire and the loss of equipment were considerable, theinrdiological impac to the public, plant personnel and the environmecntv.i wasý no moresianificant thani From a routine reactor shutdown. At both Unit 1 and Unit 2, the: reco cores remainecd ade(quiately cooled at all times during the event.
Dueo.
h um
,iw g i.i d;ptant operational changes implemented since 1975, includindgpot TMI imp r ovemlents iiemergency operating procedures, nuclear power
,plants in optraltonj today areusignificantly less vulnerable to the effects of a fire event nsuch as that expenericed
,,:wiIns Ferry. Since 1975, a wide range of fire protection features, along with regulatory and industry guided design and procedural modifications and ciihancements, has been implemented.
The combination of these upgrades has
- resultei, in a significant increase in plant safety and reliability, and, along with preventative easures, they help to ensure that events similar in magnitude to the Browns Ferry fire
- 1) occur again.
The improvements in plant design and procedural operations incorporated since the Browns Ferry fire are described below. The designs and operating procedures that existed at Browns Ferry at the time of the fire are also detailed.
A.3.3 Causes of the Browns Ferry Fire, its Severity and Consequences The following factors contributed directly to the severity and consequences of the Browns Ferry fire.
A-3
NEI 00-01, Revision 2(c)
January 2008
" Failure to evaluate the hazards involved in the penetration sealing operation and to prepare and implement controlling procedures.
" Failure of workers to report numerous small fires experienced previously during penetration sealing operations, and failure of supervisory personnel to recognize the significance of those fires that were reported and to take appropriate corrective actions.
" Use of an open flame from a candle (used to check for air leaks) that was drawn into polyurethane foam seal in a cable penetration betwe h
Ie Reactor Building and the cable spreading room.
" Inadequate training of plant personnel in fire iightmg techni ues and the use of fire fighting equipment (e.g., breathing apa!ratuý, extinguisherL and extinguishing nozzles).
" Significant delay in the application of watriightli g the fire.
" Failure to properly apply electrical separation CriteCIa designed to prevent the failure of more than one division of equCiment from cablt Ir y fires. Examples are:
" Safety-related redundant diis lwere surrounded by nonsafety related raceways that became comiustiblh paths, routed between divisions (i.e.,
even though
'A paration between rednndantvdivision cable trays was consistent with theL hecifie'd~horizontal and v(ertical required distances, the intervening space was Tln
)Iee of combustibles aS required by the existing electrical separation critera),.
,C.
ray to e.cnaea sp iii criteria, one division of safety related cabling as 1t1 ysicalJseparated from the redundant division due to cabling of one division irot:ed in onkduitewithin the "zone of influence" of the open redundant division ica Proper application of electrical separation criteria requires ithat a tray cover or other barrier be installed on the top and/or bottom of the open Ftdtudant raceway or between redundant raceways to contain the fire within the opýn*ltray and**iot affect redundant division conduits.
" Failure to properly separate redundant equipment indicating light circuits, leading to the loss of redundant equipment necessary for safe plant shutdown.
" Cabling utilized within the Browns Ferry raceway system included cable jacket and insulation materials that were less resistant to fire propagation (e.g., PVC, nylon, polyvinyl, nylon-backed rubber tape, and neoprene).
A-4
NEI 00-01, Revision 2(c)
January 2008 A.3.4 Fire Protection Program Improvements Since Browns Ferry The Browns Ferry nuclear facility generally conformed to the applicable fire protection and electrical separation criteria and guidelines that existed when it was licensed to operate by the NRC in 1968.
However, the 1975 fire identified a number of areas concerning fire protection design, plant operating criteria, electrical separation and defense-in-depth considerations that required improvement.
As described above, the NRC provided the industry with guidance for improvement of fire protection programs through BTP APCSB 9.5-1, Appendix A, 10 CFR 50 Appendix R and other related regulatory correspondence. The improvements addressedt in NRC guidance are as follows:
- 1. Fire Prevention Features:
Fire hazards, both in-situ and transient are identified and eliminated where possible, and/or protection is providcd.
Sufficient detection systems, portabl&extingui~hers, and standpipe and hose stations have been provided. These systii are designed, installed, maintained, and tested by qualified fire protection persci:*l>
" Ignition sources controlled.>
,q.
- 2. Fire Protection Features:
Fire barriers ndor iautomatic suppression systems have been installed to protect the fýdcton of reduiidant systems or components necessary for safe shutdown.
o Surveillanieprocdures have beenT.established to ensure that fire barriers are in rpLice and marfre suppressioni systems and components are operable.
SWat.euplies for fire protection features have been added, both for automatic and manual fire fightingg-capability.
0 Automatic fir' detection systems have been installed with the capability of ohperating with or without offsite power availability.
E minergency lighting units with at least 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />' battery capacity were provided in thosc Where safe shutdown system control was necessary as well as in access wad egress areas thereto.
Fire barrier qualification programs have been established to qualify and test prospective barrier materials and configurations to ensure that their fire endurance and resistivity is acceptable.
A-5
NEI 00-01, Revision 2(c)
January 2008
- 3. Fire Hazards Control:
" Administrative controls have been established to ensure that fire hazards are minimized.
The storage of combustibles in safe shutdown areas has been prohibited or minimized. Designated storage areas for combustibles have been established.
" Transient fire loads such as flammable liquids, wood and plastic have been limited.
" The use of ignition sources is controlled through prgocedures and permits.
" Controls for the removal of combustibles froi ýworkýarias, following completion of work activities, have been established.
" Proposed work activities are reviewedL in-P)ant fire protetiotaff for impacts on fire protection.
,rtci*
t o
- Noncombustible or less flammable materials including penetrationi seals, cable jackets, fire retardant wood products, etc., aire beig used.
" Self-closing fire doors he been installed.
Oil collection systems Lav been installed fo, reactor coolant pumps for containments that are not incted.
t
- 4. Fire Brigade/Training:
Site fir bave been established to ensure adequate manual fire fighting capabililys available.
A fire bhigiýdtrainiingprogram has been established to ensure that the capability
- to It rpotenial-fires is maintained. Classroom instruction, fire fighting practice and 11r,e drills areiper[ormed at regular intervals.
Fire brigLade tiing incLudes:
AssignmieI of individual brigade member responsibilities The toxic ;and corrosive characteristics of expected products of combustion Identification and location of fire fighting equipment Ideentification of access and egress routes P opcir se of fire fighting equipment to be used for electrical equipment fires, fire, in cable trays and enclosures, hydrogen fires, flammable liquids fires, hazardous chemical fires, etc.
- Proper use of communication, emergency lighting, ventilation and breathing equipment Review of detailed fire fighting strategies and procedures.
A-6
NEI 00-01, Revision 2(c)
January 2008
- 5. Post-Fire Safe Shutdown Capability
" A comprehensive post-fire safe shutdown analysis program, using the methodology and criteria similar to those described in this report, has been established to ensure that post-fire safe shutdown capability is provided.
Fire damage is limited so that one train of safe shutdown equipment necessary to achieve and maintain hot shutdown is protected and free from fire damage.
Cabling for redundant trains of safe shutdown equipmeint j separated by 1-or 3-hour fire rated barriers. In areas where 1-hour rated barriers are used, additional protection is provided by fire detection and an autfimatic suppression system.
Twenty feet of space, containing no intervening combutibles, is provided in lieu of barriers, where applicable. Additional 1protection is provided by fire detection and an automatic suppression system,,,
Where redundant trains of equipment, iecessa for post-fire safei shLtdown, are located in the same fire area and adtltý tion for onetram cannot be achieved, an alternative or dedicatedfi, safe shutdown system has been established as follows:
Alternative or dedicated fir c afe shutdown i si, remcapable of achieving and maintaining subcritical rea:tivitiýy nditions in theý :
actor, maintaining reactor coolant inventory, and achievg anmli ii( taining hit or cold shutdown conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
Processg!*!i onitori-instrumentaLbin is provided with the capability of directly monim'torig those process variables, ecessary to perform and control post-fire safe shutdown(
tion.
/
Supportg fions (cli
'lubrication, HVAC, etc.) necessary to ensure Scontinuedoperation of post-fire safe shutdown systems/equipment are provided.
A.4 CONCLUSION The changes made to, the plant fire protection programs in response to the Browns Ferry fire as described above provide reasonable assurance that the plant design and operation will be safe; r6mnlte effects of fire., When these changes are integrated into an approach similar to that outlined in the body of this document for assuring the ability to achieve and maintain post-fire safe shutdown, the result is a significantly enhanced plant design with emphasis on precluding any unacceptable consequences resulting from plant fires.
A-7
NEI 00-01, Revision 2(c)
January 2008 A.5 REFERENCES A.5.1 Branch Technical Position BTP APCSB 9.5-1, "Guidelines for Fire Protection for Nuclear Power Plants," May 1976 A.5.2 NUREG-0050, "Recommendations Related to Browns Ferry Fire" issued in February 1976 A.5.3 10 CFR 50.48 Fire Protection (45 FR 76602)
A.5.4 10 CFR 50 Appendix R Fire Protection for Operatinwg, Nuclear Power Plants A-8
NEI 00-01, Revision 2(c)
January 2008 DETERMINISTIC CIRCUIT FAILURE CRITER'IA B.1 PURPOSE The purpose of this appendix is to provide the criteria for ealuating circuit failures related MSOs within a deterministic analysis. This appendix serves to identify the types of circuit failures that need to be considered as part of a dtrministic analysis of MSOs.
It also identifies how these circuit failure types need to be considered in the various circuit types employed in a nuclear power plant. Inaddition i ý,sub-appendix provides information supporting the elimination of multich impedac 1faults from a plant's deterministic analysis criteria. 1Terencet6(),
ana lof 1
"Industry aiU 1,
- nsored fire tt isciults is: made to sýupop (lie crteia related to wt F[Mhe :ertain c
irciflures hudbe considered as-4rediblicin p)ý,foriii,,ýn Lg an'au~ation~of NSM ),
B.2 INTRODUCTION A Fire Protection Program (FPP) licrised to the determimstic requirements of IOCFR50, Appendix R; Appendix A to Branchl TechnicalPosiuion 9t5-i1 or, NUREG 0800 Section 9.5-1 is based on the concept of fire protection deiense-in-depth. The principles of fire protection defense -in-depth are as follows-
" Preventtflie from sItarting.
- Rapidly dvtict and Ipress fires thatfllo occur.
- 1Pi~P~~ide p
ivc'i~
protectionr ICILU to pi 1[Cn fi J)re ~
spred ad damag] _____
N\\Within this enve',ope of firu;nfety, licensees also perform a SSA that demonstrates the ability to achieve andainamtain safe shutdown in the event of a single fire in any plant fire area.
The typical aissumption associated with the deterministic SSA is that the fire dmages, any equipmeit or circuits contained within the fire area. This assumption, when evaluated in light of týe defense-in-depth approach described above, is considered to be a conservaassessentit of the upper bound potential for fire damage. This assumption is used as an alte'anv'e to specifying a design basis fire and assessing the impact of the design basis fire on the components and circuits in each fire area. Due to the level of conservatism inherent in this assumption, essentially all licensees assumed that not all fire failures within a given fire area occurred at the same time and, as a result, fire-induced impacts could be evaluated and mitigated on a one-at-a-time basis. ' Prior NR associated with the assumption of being able to evaluate and mitigate fire-induced effects on safe shutdown equipment and cables on a one-at-a-time basis. This questioning was B-i
NEI 00-01, Revision 2(c)
January 2008 the genesis for a series of efforts on the part of both the NRC and the Industry to attempt to demonstrate and define the proper set of assumptions to be used for a post-fire SSA.
Included within the efforts undertaken by both NRC and the Industry was a series of cable fire tests. The initial cable fire tests were conducted by NEI/EPRI. Subsequent to the NEI/EPRI testing, the NRC conducted the CAROLFIRE cable testing program.
Each of these cable fire testing programs demonstrated that hot shorts resulting in spurious operations were possible. The probabilities developed to capture the likelihood of a hot short resulting in a spurious operation, however, werecconditional and based on the subject cable being damaged by the fire.
For thenmoset cables, cable damage occurred when the cable temperature reached approximately 600 to 700TF.
For thermoplastic cables, cable damage occurred when cable temperatures reached approximately 400 to 500TF. In either of these cases, cable faiiure,was not instantaneous, but took approximately 15 to 30 minutes to Kci1. -When cable damage did result in a hot short with the potential to cause a spurious operation, the hot short wavs tpically of short duration lasting much less than 11.7 minutes in the worst case.
The initial assessment of the test results was that they had demonstrated that multiple hot shorts and MSOs were, in fact, highly likely and tliýit a SSA failing to include such multiple hot shorts and MSOs w deficient and potentially unsafe. This led to NRC issuing draft Generic Letter 2006*X tha`t would have re'quired licensees to address all potential fire-induced circuit failurie*nd hot short induced,purious operations occurring simultaneously.
This response to the cabllfire test results, is problematic for a number of reasons. First, implementing-the cnIterla'1ontained in Generic Letter 2006-XX would require defining multiple design basis firesfor each fire area. The definition of a design basis fire in a deterministic aindksiW\\is widirect coinflict with the assumption historically used by licensees d.i'ieno hdil NR.of*.tire spread throughout the fire area. Second, using am coditional probabkilii (d a hot short and spurious operation predicated on the fire dinaging the cable clh iy.ores all of the defense-in-depth fire protection program features that are higiýhk likely to prevent cable damage from ever occurring and, inplicitly, requires dth use offire modeling to assess cable fire damage. Third, when the defense-in-depth fire Iotection program features are combined with the results of the cable ti }tc1sting, theIIollowing conclusions are as supportable as those derived from the initial assessmiient oI(the test results:
" The current assumption historically used in a post-fire SSA that all circuits within the fire area could be damaged is conservative. The tests results showed that even at temperatures above 700'F, not all cables in each test were damaged. Certainly in most fire areas hIclic ificant rger than the testcftituce, ire damage to cables will be rcstric'jed to, those in close proximnity to the fire.:
The conclusion above, when coupled with the fact that hot shorts and spurious operations in the fire tests took a finite amount of time to develop even for cables directly affected by the fire and the fact that fire spread throughout the fire area will take a finite amount of time to occur, suggests that an assumption allowing B-2
NEI 00-01, Revision 2(c)
January 2008 the evaluation and mitigation of the effects of fire-induced circuit damage on a one-at-a-time basis is not that unreasonable for circuits with some degree of separation.
The current assumption that each conductor in each cable within the fire area must be evaluated for the effects of a hot short, a short-to-ground and an open circuit is a conservative assumption, since the testing showed that not all conductors in all cables in the fire test actually experienced these fire-induced circuit failures.
- Finally,ý
,1gI 'v
)
The
, 1[jthaill Iui biejrspo-1oIan given c
lofdut~III ally caleh to thdamaging efftecths(d
- fir, it :eUs*ely conserveiv d L' Oassume
- that1,
[lit irally s Specific c
cIlictorwi a
lnumbe of cabk1\\,vill Simultaneously experience* tti fffem-indied e ts necessary to rutltý in the comt ain of spurious (operation Cr I to provd a scc st I
cIvel spuiousmi oper:ation impact. The effticacy of singlek spuirious operaitions has been clearlyemonstrated by the Due tcoi tichto te demonstratm p jotential f0r spunous operations seen in the cgle fIr11estmg sn e degree of cdnsidk i of1'simltaneous impacts to i onltikfip onents as'aLult of fire induced hot shioris is, warranted, particularly forhht tsrts wiinmulti-condutor cables, but tILe need, to consider all potential fire-induccd ciwuit Ilures"'and
- hot short inIedg uious< operations t
, simultaneousy:
its Uc1y1lnot ;Ia,ble conclusion that can b edrawn froml the.cabld liretestigl. Appenhdix Gt to NEI 00-01 provides a list of the MSs that should be considered in a post-tire SSA:-
In this appendix, tihecable fire test results.will be examined to determine how the current deterministic criteria, historically used for post-fire SSA circuit failures, iee.s to...
aje*
to mai'mat nan; al~rorpiate lev f fire safety and design conservatism when evaluating the aifflcts of MSOs on post-fire, ufe shutdown.
B.3 CIRCUITFA1LUREWsCS*IDERED IN DETERMINISTIC ANALYSIS B.3-1 OverviewN*of Analysis:
A Itypical deterministiAc ppendix R analysis, as described in this document, includes the following steps:
'i I&ettityIIng Required Safe Shutdown Systems
" IdentilfyI Required Safe Shutdown Equipment Identifying Required Safe Shutdown Cables Identifying Physical Plant Locations for each
- Assuring "One" Safe Shutdown Path with the capability to achieve and maintain safe shutdown in the event of a single plant fire is available for each fire area.
In assuring the availability of a single safe shutdown path in each fire area, the following conservatisms typically apply:
B-3
NEI 00-01, Revision 2(c)
January 2008
" Fire areas represent large areas of the plant and damage throughout the fire area is assumed.
. All unprotected equipment and cables within the fire area are assumed to be damaged by the fire.
All unexamined equipment and cables are not credited for mitigating the effects of fires.
- Equipment-damage is assumed unless the damage, were it to be postulated, provided a benefit to achieving or maintaining safe shutdown.
In assessing the impact to post-fire safe shutdown in each fire area, the guidance in NEI 00-01 does the following:
" It provides a methodology for identifyin eqiipiment and cables of concern for Appendix R Safe Shutdown.
It provides a means of mitigating every equipment impact and aijn impacts to the selected combinations of equipment iirpacts, MS, s, identified in Appendix G.
" It represents an approach that can be consiste applied by licensees throughout the entire industry.
B.3-2, Description of Circuits and Circuit Failure Characteristics:
The types of circuit failures considered in thgdance provided in this document are as follows:
" Open Circuit
" Short-t -Ground iid
" THotl hped~ncuIF l
Short
(
.FITF has recommended that consideration of
!hithe poii -fire safe shutdown analysis be eliminated. Refer to Appendix The'itypes of circuitL that can be affected by the circuit failure types described above are as IollorS:
Power*r CumtsI that provide motive power to components once a control circuit properlyi*igns the component to its busi control circuits that provide operating signals to specific components.
Secondary logic circuits that provide input through auxiliary contacts to primary control circuits based on instrumentation feedback from plant instruments.
Control power to primary control and secondary logic circuits that provide the control power necessary for the primary control power and secondary logic circuits to function.
" Instrument circuits that provide either indication to operators or input to primary control or logic circuits.
B-4
NEI 00-01, Revision 2(c)
January 2008 Tyial,ý f(p fLi ci i
(i i 3oý 1t 11 HCUit types des~cribed aboe has the potentii to result' i a, -,Io f ii tmniori the ci rcuti ty Similarly, a short-to-ground in any of the circuit types described above has the potential to result in a loss of function for the circuit and it has the additional potential to result in loss of power to components powered from electric sources upstream from the affected circuit. To address this potential, the NRC in Generic Letter 81-12 presented the concept ofsCi~flc(_
7 Common Power Supply. Associated Circuits - Common Power Supply is addressed by breaker/fuse coordination. -M-Mul-tiple
-High--I-mpedance Fault-s-(MHIF) are another way that fire -induced circuit failureýs aii result in a loss of power to components powered from electric sources upstream Iiorn the affected circuit. With MHIF, even though all breakers and fuses may be properly coordinated, a combination of cable faults and running loads associated with~mrcmt feed Low a common bus, can result in a loss of the feeder breaker to the bus du*t6tover currenlom the combination of fault and running currents. Appendix Biand the results of theNkC and Industry cable fire testing have concluded that the occurrence of MHIFs is not credible and, as such, it does not need to be included in th gn critenria for post-fire safe shutdown circuit analysis. The concept of MHIFs was introduid ini NRC Generic Letter 86-10.
rto he i e
thtt alurce ltio
-than the tpower source desidned for utatL pe As a iesulyhot shois havethe potential to spuriosy start/stop or openlclose c(mponnts.
Depjdng, on the affected conmponinind its function within the shutdown schemec, thisustaiting/2oppof3 opening/closing_ couild ppseI a 11p tnili piý
' )",-1LýIc" liod valves o illolling'L dhe tiiL]:;rdchianige ofstaite~iasi resfLit of an( 1ojii circuit orshm gud Typically, any, of thecircut1ithfiuetye described above, should they be experienced by a component oni thereqiretiid safe shutdown path in a given fire area, will require mitigation. A cirmponent n4the required safe shutdown path in a given fire area must be
- ible to perform its requiredvsafe shutdown function. Since a hot short, a short-to-ground
. an open circuit needs to be postulated for any conductor in any affected safe shutdown cablein the fire area and since a short-to-ground or an open circuit will result in a loss of functkiio lttle analysis is required to conclude that such a potential cable impact is a concern thateeds to° be addressed.
Conversely, lfoicomponents that are not specifically required to function in support of post-fire safe.ishutdown in a particular fire area, but whose malfunction can result in an impact to the systems and components that must function in support of post-fire safe shutdown, the hot short is the primary circuit failure of concern. This is true because hot shorts have the potential to cause equipment to change state to an undesired position that can result in conditions such as, flow diversions from reactor vessel make-up or decay heat removal systems being used in support of post-fire safe shutdown. The group of components falling into this category has been described by the NRC in Generic Letter 81-12 as Associated Circuit - Spurious Operation (and currently being referred to as Important to Safe Shutdowin).
Within the post-fire SSA, it becomes difficult to B-5
NEI 00-01, Revision 2(c)
January 2008 completely distinguish Required Safe Shutdown Components from components classified as Associated Circuits - Spurious Operationlinportant to Safe Shutdown. This is true because many components of both types are. both depending on the safe shutdown methodology used in any particular fire area. A Safety Relief Valve (SRV) in a BWR may be classified as a Required Safe Shutdown Component in a fire area where SRVs and Low Pressure Systems are used as the required safe shutdown path for achieving and maintaining post-fire safe shutdown. Conversely, that same SRV may be classified as an Associated Circuit - Spurious Operationhinportant to Safe Shutdown in a fire area where a steam-driven RCIC System is used as the required safe shutdown path for achieving and maintaining post-fire safe shutdown. In this latter case, a spuriously opened SRV could be sufficient to remove the required motive steifrom the reactor, thereby impacting the ability of RCIC to perform its required react, or essel make-up function.
ýýa c,11t Imany 1iccns-.c ýs_-i_-e eepost-1le iti shutC'd6~iffltW1 a1~,ss kcuidfo 11,,, ý thoýxSae Shut d&t Crcnj~oriOtpsiioinotss Shmpor,1 antpo!~jt ai ttd~igihý This appendix provides criteria for addressing each of the fie-induced circuit failures described above in each of the circuit types desciribed above based on the traditional approach used for post-fire safe shutdown circuit anaOsis adjusted, as appropriate, by the results of the NRC and Industry calefire testing. The jteria provided in this appendix apply to the evaluation of MSOs. For theievaluation of the affcts of fire-induced circuit failures on other aspects of post-fi sa`f6MM own,te applies, e.g. non-MSO impacts.
BA
[INSIGHTS FROM ( ABLE FIEITYS I.
B.4-1 NETIEPRI
[
Cable sti:
The c onclusions of thc EEIIEPI Ible Fire Testing are documented in Section 14.4 of PRI Report
'1003326 Characterization of Fire-Induced Circuit Failures. Pertinent Key hObservations d onclusonisfrom the EPRI Report are provided below:
Given cable tiamnage, single spurious operations are credible and multiple spurious "operations caimnnot be ruled out. External cable hot shorts are also credible, but nave a significantly lower probability of occurrence than do internal hot shorts.
An imporitntoutcome of the tests is that no external cable hot shorts produced a spundb ý k-peoration in thermoset cable.
- Given, at-- a hot short occurs in a multi-conductor cable, it is highly probable (over 80%) that multiple target conductor cables will be affected (i.e. multiple simultaneous dependent hot shorts).
The proximity of conductors to each other is the predominant influence factor in determining fault mode. "Opportunity" must exist for two conductors to short together.
No open circuit faults occurred during the Test Program. Open circuits do not appear to be a credible primary cable failure mode for fire-induced cable faults.
B-6
NEI 00-01, Revision 2(c)
January 2008 Statistical characterization of fire-induced cable failures is achievable. General trends are predictable and primary influence factors are understood. However, probability estimates still carry a relatively high uncertainty.
Definitive predictions of fire-induced circuit failure outcomes are not viable. The specific behavior and characteristics of any one fault cannot be predicted with full certainty. Failure mode is a function of localized conditions and subtle aspects of geometry and configuration.
A full understanding of the fault dynamics and interdependencies is beyond the current state of knowledge.
S MThe dominant influence factors for the likelihood of sqpuius operations are: cable type; power supply characteristics; tray fill; condu*etor connection pattern, circuit design (grounded vs. ungrounded).
Cablcs lo not fl ediately.
the fire site+ hd t(, ct 1
verageh itunec toa~ilure: ex,(ce(dcd 30l miniities Iortherniostn roe cablesýnd15 minuties,, thfo r
oplastiicb cihs. These statistics~ atre rneaninof_,ul and important in real woid apphc
,I ts* result e time ffamenlhow that eagrl ttion in a fire is highly likely t& 4.ieffective at 'accomiplishigti th1
.desired funhction.
1rcpinned high value acions have a high probabiliy success and should reduce thiike nlihood and conseqsuences of serious furei Sumrilarly, early pre-elil cýitfivactio 1(for high risk, cs tous operatin compo,,gpLwrill sig*ificantly reduce thec riskpse by these comfwiiýhts Spurious operations are a tiansntuand finMte C il Uiimately circuit conditions will degrade to a point that iouiiitfault de-enegizes the source condictor.
Postulating that spurious operations will Ltindefiitely in the absence of intervening aLi'Zmn appears t) unrealric.
Probability calculations for thermose cabl i,'C circuits indicate that over 96% of all spurious operations willttrmmate wiui 10 minutes. This probability estimate carries an uncertainty of appŽI(,
- tely 71ý at the 95% confidence level.
Theollo*
slgs can be gained from a review of the key observations and c'nclusions frromitne NEIIIPRI cable testing relative to various aspects of the criteria in N1 00-01 RevisuionI applhe,,I-apost-fire SSA:
lI<
Addressing Cable Faults one-at-a-time vs. all together at the same time:
thre reSUPt,,Ithe Expert Opinion Elicitation conclude that the effects of hot shrsleading; to spurious operations cannot be ignored. Thbis conclusion is also echoed.1I Ii ie EPRI Report providing the testing r esults. The EPRI Report providing the results of the cable testing, however, also concludes that the predominant factor in determining cable fault mode is proximity. "Opportunity" must exist for two conductors to short together. Given thie~ce 11enIreguIlator*
relmlqdiional se2d t a
t paraioo safetyrelated Ion-sfeIy elatd C Icuits (eý.Pct' g
IRlt ossI vid 411"I -5), proxuIInity ofctbl1s fo fediiantitrainsýIiulddpreclu]
tee (ga t *ynelltim ls !ilun o
.p.
i...........
ponent ' and
!__ What the testinig showed was that conductors within a common cable in a common cable tray could be affected simultaneously. Conductors for redundant trains are precluded from being run B-7
NEI 00-01, Revision 2(c)
January 2008 within a common cable or cable a_ Oiven that the approach ouhithed in INl 00 1, Rvisio1 applies the same criteria to all safe shutdown cables in the fire area, the approach is extremely conservative relative to the "proximity" findings of the EPRI/NEI Testing.
ThI EwiPRI/NEI Testing provides no positive indication thatititltiple spur~io~us ojsettio Iaffectg Iniultiplcreduidantntrains is possible given the current nuclear poý: ~n cii i ldr~t~
~~ieel o divisional separ~ation. To.
address the regulatory concern related to multiple spurious operations, however, consideration of simultaneous fire-induced impacts> tfselected cables and components is warranted. Appendix G to NEI 00trovides a list of the MSOs that should be considered in a post-fire SSA.
I lS appendix provides the circuit failure criteria that should be applied to the comiponents comprising these MSOs.
By applying the criteria in this appendto hMSOs in Appendix G, the issues of simultaneous multiple hot shorts siultaneously affecting multiple components in the potentially high risk scenarios,eeloped b the BWROG aP'WROG are addressed.
-K 2.)
Addressing Cable Faultsfor all conductors in each safe shutdown cable:
The EPRI/NEI Testing provicfd ihformatiOn suggestngthat the approach to post-fire safe shutdown outlined inNEIn 0001oRewsin 1IIs generally conservative, First of all, no cases involving oIp(en cii we.rceitdentified. The approach outlined in NTTE00-01 Revision 1f required that open circuits be postulated for each conductor HiPeach safe shutdiown cable on the required safe shutdown path in the fif area, Secondly, in the testing hot shorting in cables in conduit was deeined to be unlikeley. The approaclihJutlined in NEI 00-01 Revision 1 required K
the postula4ionof: hot hoT on each conductor in each safe shutdown cable
,I Of: thralceway ty Finally, in the testing inter-cable hot short were fwounlotbe highly unlikely. The approach outlined in NEI 00-01 Revision 1 required the postulation of inter-cable hot shorts.
The EPRI/NE I Testing has shown that the approach outlined in NEI 00-01 PRevision 1 to fire-induced circuit failures is generally conservative. Based on the ifults of the cable fire testing, however, consideration of simultaneous fire-induced impacts to selected cables and components may be warranted. Appendix G to NEI,00-0 1 provides a list of the MSOs that should be considered in a post-fire SSA.
3.)
Duration and timing of the hot short causing a spurious operation:
Based on the testing, multi-conductor cable are more likely to experience conductor-to-conductor shorts than conductor-to-ground shorts. By postulating a hot short on each conductor in each safe shutdown cable, the approach outlined in NEI 00-01 Revision 1 addressed this. ý3iven-that redundant train functions ae noit includedwithin the same cablc not.:,ornbjiM, the effects ortlesc hot shorts is B-8
NEI 00-01, Revision 2(c)
January 2008 L
,serous non-conseratt*m Based on the testing, when these intra-cable conductor-to-conductor shorts occur in AC circuits, however, they take approximately 15 to 30 minutes to occur and they last for less than 12 minutes.
This aspect of the testing renders the criterion in the approach outlined in NEI 00-01 Revision 1 requiring the assumption of a hot short lasting until an action is taken to isolate the fault to be conservative. This aspect of the testing also validates assumption made by some licensees that time is available to take an action to mitigate the effect of a potential spurious operation.
The EPRI/NEI Testing has shown that the approach ý fitlined in NEI 00-01 Revision I to fire-induced circuit failures is gen12raillonservative.
4.)
Affect of Testing on Prior Beliefs about other apects of EIr -Induced Circuits Failures PM4 4
The combined opinions of a numbei )Ithe Exprt Panel Members conchuded that best estimate for the overall likelihood o Ia spucI 1is operation tor,a ermoset cable (i.e. cable type used most predominant kLIiiA the industry) lies somewhere between 0.0001 [Brady Williamson] and 0.1*[ISection 7.5.2, Technical Summary]. This is consis t ;vith previously p lished information suggesting that the probability of a ho0 4,u unrious operation was 0.068.
The testing confirmed that thýtdegratuio thireshold temperature for thermoplaqtic itle was approximitely 400-° iud for thermoset cable was approxi 'uilelv -,4 l4'.
This is consistent with the previous test results, particularly the oven caging tests onducted at SLNL years ago.
To a Large xtlent, the EPRINEI' Cablie Testing has confirmed much of the c911&tll%%iv isdom available priur to the testing.
B-9
NEI 00-01, Revision 2(c)
January 2008 B.4-2 CAROLFIRE Cable Testing:
The conclusions of the CAROLFIRE Cable Fire Testing are documented in Section 9 of Volume I of the CAROLFIRE Test Results.
Pertinent Key Observations and Conclusions from the CAROLFIRE Report are provided below:
The following is 1 12 quoted directl i
Sl--...........
"Intercable shorting for thermoset cables, since thi failure mode is considered to be substantially less likely than intrf "ble shorting."
Based on the available data with respect to Bi1 2 Item A the CAROLFIRE project has reached the following conclusfionS:
Inter-cable shorting between two IS-insulated cables thati ould cause hot shorts and the spurious operati of -plan1 quipment was )fohld to be a plausible failure mode, although the lIikelihoodLfthis failure Vm1ode is low in comparison to intra-cable short circuitsoleading to spurious operation. While no detailed statistical analysis has been 1erformed, it appears that the conditional probability (give cable failure) olgpurious operations arising from this specific failure 'modei*s small n co(mirzson to that previously estimated for spurious operation fromntcb The following i 'Bin 2 ItemLi qsuoted difrctly from the RIS:
"Intercable shorting between thegoplastic and thermoset cables, since this failure moae is considered less lib!e, than intracable shorting of either cable type or nte r esot o
cables."
Bascd on the ava ilble data with respect to Bin 2 Item B the CAROLFIRE projectha sireac hed liowing conclusions:
Inter-cable s6h rting between two a TP-insulated cable and a TS-insulated cable ia could cau hot shorts and the spurious operation of plant equipment was f
d to be -y, plausible failure mode, although the likelihood of this failure mo
,low in comparison to intra-cable short circuits leading to spurious operatio! While no detailed statistical analysis has been performed, it appears that the conditional probability (give cable failure) of spurious operations arising firom this specific failure mode is very small in comparison to that previously estimatedfor spurious operations from intra-cable shorting.
The following is Bin 2 Item C as quoted directly from the RIS:
"Configurations requiring failures of three or more cables, since the failure time and duration of three or more cables require more research to determine the number offailures that should be assumed to be "likely ".
B-10
NEI 00-01, Revision 2(c)
January 2008 Given the available data relevant to Bin 2 Item C, the CAROLFIRE project has reached the following conclusions:
The currently available data provide no basis for establishing an a -priori limit to the number of spurious operations that might occur during a given fire. We fiurther find that the timing of spurious operation is a strong function of various case-specific factors including in particular the relative location of various cables relative to the fire source, the routing coifigvation (e.g., open cable trays or air drops versus conduits), the thermn'l roblstness of the cables insulation material, and the characteristics olrihe!fie source.
The following is Bin 2 Item D as quottd drectly from the RIS:
"Multiple spurious operations in control circuits with propeurly sized control power transformers (CPTs) on the source conductors, since CPTs in a circuit can substantially reduce the likelihoodJ -I purious operation. Specifically, where multiple (i.e., two or more) concurrent spurious operations due to control cable damage are)postulated, and it, a
be verified that the power to each impacted control circui.?
iIi.upplied via a P'T wi ih a power capacity of no more than 150 percent of the pow ert t,/ red to suýpply the control circuit in its normal mode of operation (e.g., requitredtonJ power one actuating device and an)'
circuit monitting or indicationu eatures).
Givei*
1heavailadble ata relevant to Bin 2 Item D, the CAROLFIRE project has ictched ith_ following coiicluw5i&:
rr*Ient
(;i pride no basis for establishing an a -priori limit o ih, nber ofspurious operations that might occur during a given fire even S
given that(the crct,
,iu powered by a "properly sized" CPT. We fiirther find that, as witah7on-CPT1 ases, the timing of spurious operations is dependent on the timing qi.-able.ectrical failure which is in turn a strong function of various case-specific factors including the relative location of different cables rt/eL;tive to thieire source, the routing configuration (e.g., open cable trays or aii d vrsus conduits), the thermal robustness of the cables insulation mater.il and the characteristics of the fire source.
e The following is Bin 2 Item E as quoted directly from the RIS:
"Fire-induced hot shorts that must last more than 20 minutes to impair the ability of the plant to achieve hot shutdown, since recent testing strongly suggests that fire-induced hot shorts will likely self-mitigate (e.g., short to ground) in less than 20 minutes. This is of particular importance for devices such as air-operated valves (AOVs) or power-operated relief valves (POR Vs)
B-1I
NEI 00-01, Revision 2(c)
January 2008 which return to their de-energize position upon abatement of the fire-induced hot short."
Given the available data relevant to Bin 2 Item E, the CAROLFIRE project has reached the following conclusions:
Whle the availabl, data can fi il/, upport the coniclusionthatno hot snort,<?woula ever persist f r
gr irti 20 minutes the a(;!"e
/ad proy1de1a;stý bs r c oncldiht hst shorts lasýtn g1 eater ta 20 a i st M,
I o
probablity Hel l:-
nce1weC'c high probabdv i i
Npiiwi
ý;,17lsi11l"a it 1hin jess thAY
- hinlitý We t
f it"I cocu-e a of1 (o
t ohort, signal, 'the effects of thez sprius
,paion bn plant equipmnent could Persisl fo~r a longer time dipendl~ing on thintur of the imipactedeqpiiA F'or example, a norinally s
Motor Operatedi Valve might well re
......p..
or partiallY open even of,,, l le hot short-i;,ce
,d spurious operation sina is mitigated a
Opera ted
- dlve would. return to its /fail f cnr4?dition On o/
hoc 7t short-binitited sp
ýou~peratiqmzna The following insights can belained a re kt the key observations and conclusions from the CAROLFIRE,.iblutestig relahve to various aspects of the criteria currently applied in a post-fire SSA.
1.)
Addressing able Faults one-,itatme vs. alltogether at the same time:
he results ?of the*
OLF.IRE tshg t
cOci deia (the probabilit,,
cablehiotshort, either-.liermoscsett em)*;<
ll
- il",,to lciillli or loe;,mroe th: ermoplastic or plastic to thermoplastic, i**mill ito>*very smicompans'liito i that pieviously estimated for intra-cai hots liorts.i A'dditionally, ttlicAPOLFIRE testing provided no basis for establishing a limiton the number of spurious operations thatmight occur.
he however, did conclude that the oric d'
'" the major 1. ors in dletenriningmtge potential for a hot short ad/or spurious
~operation is, iic r 1ative loction of-the cableost6 the fire soue. This concusiori Sith dtesting that concluded that thel preidominant factor*II determfill,-,cabe faut mode isproximity"portunity' must1 exCist for titsio taI 11(111 Given the currentiurelattory reqireminents for isiona sepiaranoa epaiiion (o safety related and nonislct related circuits (eg*Re t
Gl 5,rxmylcal'oiednan*iA
,1 Of
- xm CyaIieslork)- reaunmdant trmus shoilld prclude 1ne
,eleff)Itoultiple SpUiouseratons: at1 the componeit'an!d 'iem 1-el Wa the'GAROLFIRE testing! showed w 1tha conductors wi*thi aconmion cable in a omirion cable tray could bue afecte su o C dutors f k'T lQ~iihdu trains are precluded l efrm being run vmimhiii a common caleh ori cable t ra tht theapproach outlined in NI 00-0f Revision 1I applied the samne criteria~ to, all salL shutdown cables in the tu ireae,L tdie approach is extremely conservative rýlativ to e"proximity" *indin(, the CAROLFIRE testing B-12
NEI 00-01, Revision 2(c)
January 2008 h Eid:IIN1I Ing Iidiic-es miop osit% eindicati ointhat imultiplespuuiouis' r
)wer Indesign and regu ry iq&jufcro*eu lrs*
rVdivislonal separatoni.. To address the regulatory concern related to multiple spurious operations, however, consideration of simultaneous fire-induced impacts to selected cables and components may be warranted. Appendix G to NEI 00-01 provides a list of the MSOs that should be considered in a post-fire SSA. This appendix provides the circuit failure criteria that should be applied to the components comprising these MSOs. By applying the criteria in this appendix to the MSOs in Appendix G, the issues of simultaneous multiple hot shorts simultaneously affecting multiple components in the potentially high risk scenarios developed by the BWROG and PWROG are addressed.
2.)
Addressing Cable Faults for all conductors in each safe shutdown cable:
The CAROLFIRE testing provided information suggesting that the approach outlined in NEI 00-01 Revision I to post-fiae safe shutdown is conservative. In the testing, inter-cable hot shorting between cables was deemed to be far more unlikely than intra-cable hot shorting. The appro-ch outlined in NEI 00-01 Revision 1 required the postulatioh *f a hot short on each conductor in each safe shutdown cable regardless of the ca"lc typeI The approach outlined in NEI 00-01 Revision I required the postulation o inter-cable hot shorts.
The CAROULFI'iesting has shovn that the approach outlined in NEI 00-01 RevisionI to fire-induced circuit faiilures is generally conservative. Based on the results of the cable hire testing, however, consideration of simultaneous fire-induced impacts to selcted cables aud components may be warranted. Appendix 6t6 NEI 00-ovidsai the MSOs that should be considered in a post-Duration anýiing o the hot short causing a spurious operation:
Ihe CAROLFIIRE testing provided no indication that AC hot shorts will last long*er than 20 minutes. Therefore, the criterion in the approach outlined in NEI 00-)1 Revision I requiring the assumption of a hot short lasting until an action is taken toI islate the fault is conservative.
The CAROLFIRE testing has shown that the approach outlined in NEI 00-01 Revision 1 to fire-induced circuit failures is generally conservative relative to the timing and duration of spurious operations._ Note: This result applies to ac circuits. Subsequent dc circuit testing could alter this conclusion.]
4.)
Affect of Testing on Prior Beliefs about other aspects of Fire-Induced Circuits Failures B-13
NEI 00-01, Revision 2(c)
January 2008 The CAROLFIRE testing concluded that the probability of an inter-cable hot short is mallslot a
lin comparison to probabilities previously determined for intra-cable hot shorts.
The CAROLFIRE Testing also provided no indication that all cables in a given temperature environment will behave similarly. The potential for cable damage and conductor to conductor hot shorting to occur is a function on many variables.
ý7lble f*lluresý and hot short, are rancd6 urrerini iiies tiat cjanot be accurately predictec by the analysis of a Icgusiaivai ebluc ýicas ltemnperature in th*,ic iiit of the cable-To a large extent, the CAROLFIRE testing h onfi ricthe collective wisdom available prior to the testing related to inter-cabýle hot shi B.4-3 Overall Implications from the Cable Fire Testing:
Industry & NRC Cable Fire Testing conduc d to d"t
- Demonstrated that mnany aspects IIIý:CF
- ]ý ~
ofte rti prdvled in NEI 00 - 1 Revi1or1 are generally conserva I
xeption to thsis the reati
)
tfmlit conductor cables with the-poitetial to cause n multiple siniusmulaneousspurious operations.
The si.multa...
M:SOs, as a result of'i the d:es n,,d regulatory requirements for dlvisionailseparation, will impact (oly a simlc division of post-fire
<sat t
sluiiit.
>equipmenCt.
Based on the results of the cable fire testing, however, consideration of simultaneous fire-induced impacts to selected cables and components may be warranted. Appendix G to NEI 00-01 provides a list of the MSOs that should be considered in a post-fire SSA.
Proi,) ded anT indisputalble basis frnot requiiriig_ the t34)es of chan~ges to, the post-I'm: safe shtdown fire-induced
- irciuit luoposed b
Lk &aftd ricltte '(06-XX.{-e itra heNCn Provided clear information that hot shorts resulting in spurious component operations can occur. MSOs are also possible, but the concern should be limited to multi-conductor cables with the potential to cause MSOs. The simultaneous MSOs, as a result of the design and regulatory requirements for divisional separation, will impact only a single division of post-fire safe shutdown equipment.
Based on the results of the cable fire testing, however, consideration of simultaneous fire-induced impacts to selected cables and components may be warranted. Appendix G to NEI 00-01 provides a list of the MSOs that should be considered in a post-fire SSA.
B-14
NEI 00-01, Revision 2(c)
January 2008 Provided valuable information suggesting that the occurrence of fire-induced hot shorts are affected by many variables. The postulation of multiple, simultaneous spurious operations affecting both divisions of safe shutdown equipment is highly unlikely given the divisional separation requirements applied in the design of a nuclear power plant.
'Provided valuable mforatoi lthe occureci f! fire-induced hot shorts is a random event, not predictaL hbv studyinL,-s igle variable suchlas air temperature in the vicinity of a cable Provided valuable information that the occUrrce oI fire-induced hot shorts that are not in close proximity to each other are to occur in a manner that supports the conditions required for MSOs withou tth-e prior interveniifi by other aspects of the Fire Protection Defense-in-Depipt Program. {
SOsare also possible, but the concern should be limited to niilti-conductor wes
\\vith the potential to cause MSOs. The simultaneous MSOs as a result o tIlie design and regulatory requirements for divisfional separatin will impact, IIi asingle division of post-fire safe
- ~
hutdown c~pipmnent Based on the results of the cable fire testinghoeer consideration of MSOs for selected cables and components man, be warrante*d Appendix G to NEI 00-01 provides a list of the MSOs that should be considered m a post-fire SSA.
Provided \\aluabjlinformation tugarding the types of fire-induced circuit failures that areg os lik to occur given damage to the cable.
Provied(.vauabe ii*formation regarding the failure temperature of cables, the timee to fapeiur a that die length of time that a fire-induced hot short Iin A(, -.,
611 be sus-ewd and the fact that the hot shorts are, generally, followed **,
a short-to-ground.
Provided valuable inforinstion uggesting that by usinm a firminduced circuit Sifailure approachilike that outlined NEI 00-0tRevi sionI inhe deterministic post-
>fire SSA reasonable assurancuof the ability to achieve and maintain post-fire safe shutdown in the event of a plant fire wilt beLaitined.
B-15
NEI 00-01, Revision 2(c)
January 2008 B.5 CONCLUSIONS RELATIVE TO CIRCUIT FAILURE TYPES:
Despite the body of evidence from the NRC and Industry cable fire testing supporting the acceptability of the approach outlined in NEI 00-01 Revision 1, adjustments to the Revision I criteria will be made in Revision 2 to address those aspects of the NRC and Industry cable fire testing that suggest a change is warranted to increase the level of conservatism.
The conclusions relative to the types of fire-induced circuit failures required to be considered in the deterministic post-fire SSA outlined in Revision 2 to NEI 00-01 are contained in Table B.1-0.
Based on the results of the cable fire testing, however, consideration of simultaneous fire-induced impacts to selected cables and components may be warranted. Appendix G to NEI 00-01 provides a list of the MSOs that should be considered in a post-fire SSA.
B.6 CONCLUSIONS RELATIVE TO CIRCUIT TYPES:
The conclusions relative to the types of fire-inducd circuit failures required to be considered in the evaluation of fire-induced impacit to components in an MSO are outlined for each circuit type in Table B.2-0.
B.7 CONCLUSIONS:
The criteria provided in Table B. 1-0 Lthis appendi escribe the types of fire-induced circuit failure,,sfat eto be considied in evaluating fire-induced impacts to MSO components.
the informataon in Table B32-0 provides information on how each of the, fire-induced circuit ifailure*]tdescribed in T il B. 1-0 needs to be considered in evaluating the impact of fireducencireinit failureson an MSO component's control and power circuitr Ithe critenaoi-rille ale B. 1-0, when combined with the information in Tilbl B2-U, piovide a comprehensive method for assessing the response of an individual cimponent that is piai of ain lSOtolt, any fire-induced circuit failure. The information in Appendix G, MSs,_ provis mthe criteria for combining the impacts to individual couiponents into pottial system and safe shutdown path impacts. The component level fire-iduuced circuit filure criteria from this appendix, when combined with the informatiý from Appendix G, MSOs, provides the criteria to assess the overall impact of the affect utf'ifire( on an MSO in a given fire area.
The overall conclusions of this appendix are as follows:
Based on the review performed herein, neither the CAROLFIRE nor the EPRI/NEI Cable Functionality Tests yielded results that are drastically different than the collective wisdom available prior to the testing!In hfcctit could be conckidcdth*t the results validated the psitioii hlcd Within he in~Cmdustry and docum ied in NEI 00-01 Revision
- prior to thetesting.% -Despite this, certain
- a. j...
.me
.ts, rel... ted to e
.re..*l t..............
.conductor bl.S, as ou.tl.ie. in B-16
NEI 00-01, Revision 2(c)
January 2008 Tables B. 1 0 and B*0.20will enhance the level of safetvyand add conservatism to the post-fire SSA, A clear design criteria for addressing fire-induced circuit failures in a post-fire SSA has not been provided in any NRC correspondence on the topic, including the proposed draft generic lettei lie criteram pro\\itd herein does not conflict with11' any 4Ui1iUied R: i r
equirements) oriNCStf P o siti~n ci cu it:
ur Clear design criteria is are needed prior to any licensee being able to assess the level to which compliance is achieved.
g
[h I IC Inee i(tified by I1cNRC for requiring a chage in the,current IIC[Iit fi iiccteria applied i i, Ie ;post-fire SSA is based on the ictn ation containeiii~n NRC IN 99-17, the CAROLFIRE Cable Firc'esii2P,,rarad RIPP INEI Cable Functionality conducted in 2001 iNb of these souirce, pioided an indication that multiple fire-ind~dceýd spurious, opeationsý isarcl likely.t
ýn independent and objectverevict o the iloimation pr ed clatdt~o these two topics has beeniKjnahle to idep~~n eed forim~~l1,[
le chaiL-cýproposed in draift NRC Generic Lttu 20)X.
A more plausible and eff*vc way ofaddressing the issues identifiedin NRC IN 99-17, the CAROIIE I
ýle Fire Testin*g Program ad the EPRI/NEI Cable FunctionalityFire swould be toadopt the circuit failure criteria proposed in NEI 0~0-01Revisio~n 2
B-17
Table B.I-0 Types of Fire-induced Circuit Failures Reauired to be Considered II m I
Discussion:
The criteria provided below describes the types of fire-induced circuit failures that need to be1 considereod in an evaluation of the impact of the components in an MSO on post-fire SSA. The information in Table B.2-0 provides criteria on how ead&hf the i
lir-induced circuit failures described below needs to be considered in evaluating the impact of fire-induced circuit failures on a safe shutdown'component inm andSO's control and power circuitry. The criteria provided below, when combined with the information in Table B.2-0, provides$,a.comprehensive metlhd or assessing the response of an individual component in an MSO to any fire-induced circuit failure. The information iAppendix G, MSOs, provides the criteria for combining the impacts to individual components in an MSO into potential system and safe shutdown path. impacts. The component le-"I fire-4iduced circuit failure criteria, when combined with the information from Appendix G, MSOs, provides the criteria to ýasssss t&.overall fire-inducedl impact of an MSO on post-fire safe shutdown in a given fire area.
'f%'j The evaluation provided below begins with NEI 00-01 Revision 17ý below shows how the original requirements of NEI 00-01 Revision 1I to the fire-induced circuit failure criteria and the assumptions regardii of the NRC and Industry Cable Fire Testing.
the insights gained from the NRC and Industry Cable Fire Testing, the table eadjusted for inclusion into Revision 2 of NEI 00-01. The adjustments made tmi nof damage tothe individual circuits of concern are based on the results Recommended elimination lxýqullv'u tv L)C; of need to address
- can occuri
- ambinatioi pre~en. a co included in a post-fire SSA.
uired to t'PPt;J1UIA
_-t FIUV[UCb iIUUJLIUIldl juMIJ AdLIuIi for the industry position that consideration of multiple high impedance faults is not required.
The results of the NRC & Industry cable fire testing reinforce the position outlined in An~nendix B-I 3 phase hot Need to assess forI H ILo No indi:ation that these Need to assess for Hi/Lo Multiple hot shorts for high low pressure shorts Pressure Interfaces can ocqci in the Pressure Interface Valves interface components are discussed in NRC Kcombmations required to only, due to the regulatory Generic Letter 86-10. All licensees should Present a concern precedent for this issue, have already addressed the 3-phase hot shorts on both hi/lo pressure interface valves simultaneously.
B.1-1
I IHVVI PVJaIJLy DC motor hot shorts INU LU I
LU! I Pressure Interfaces INU IIIUtt..aLUaIJ uIaLL lIC3 can occur in the combinations required to present a concern tIvlUlIpIC IIUlL blIUll.
IVU MI611 IUW plbbULV interface components are discussed in NRC Generic Letter 86-10 All licensees should have already addressed the 3-phase hot shorts on both hi/io pressure interface valves Open Circuit Need to assess for all safe shutdown components No indication that these can occur, as a primary circuit failure Need asse'ss for all safe shutdown components, icto the regulatory precedent for thlilissue.
.ppendix R Section II.G.2 requires n of open circuits.
Short-to-ground Need to assess for all safe shutdown components.
Need to assess for Associated Circuits -
Common Power Supply.
Will occur as a primary circuit failure or as a sequel to a hot short of limited duration Need toLa*sess for all safe shutdownfmponents.
Need to assessfor Associated Circitu i, Comimon Ptower Supply.
IOCFR 50 Appendix R Section 11I.G.2 requires consideration of shorts-to-ground. NRC Generic Letter 81-12 requires consideration of the upstream effects of hot shorts under the requirements for Associated Circuits -
I ki..uJ l I %-.,lit,*
sNhU LU t
c UL do l pnet shutdown components llrL LImly LU dSt loln c
lmp Sdet iprimary shutdown components nidrat of oppenuum c ircuit s n.u./ requires consideration of open. circuits.
Short-to-ground Need to assess for all safe shutdown components cir-cuitd Jiqull ary Nid to assess for all safe h*
iutdown components.
10CFR 50 Appendix R Section III.G.2 requires consideration of shorts-to-ground.
nort Need to assess for all safe Table 8.2-0 provides the criteria for the Hot short" -
generic without consideration of cable and/or Need to ass'ds,ýýfor all safe shutdown compneý,,nts. In all cases, assumesc the.,hot short potential exists uless Tiejotential forda lot shortnsidetermnmed not only bypresence in the fire ar*&bof concern, but Need to assess for all safe shutdown components.
cikutt*Ithe duratiounof the Table B.2-0 provides the criteria for the number of hot shorts that need to be considered in each components control circuitry. Appendix G of NEI 00-01 provides I
H1 lot shorts need to be addressed either generically or they can be addressed based on the characteristics of the cable type or cable/raceway type using the information from the sub-types listed below. If the hot short is addressed in a way that it takes credit for the cable and/or raceway type associated with the cable, then the important characteristics of the assessment must be included in the design configuration control program. This is required to be done so that as future plant changes are made with the potential to affect these important characteristics of the cable and/or raceway, the important characteristics are either maintained or a re-review of the condition is performed should they be changed.
B. 1-2
Table B.1-0 Types of Fire-induced Circuit Failures Required to be Considered II I m
raceway characteristics proven otherwise.
also based on a time/temperature and duration thresholds for each occurrence.
Lko _0muts ktter 2U minutes the hot short may be assumed to go to ground. At this point, the effects of a short-to-ground must be evaluated and addressed.
_equipment impacts must be considered on a component/system level to address the issue of
%I4SOs. The 20 minute duration criteria cannot be applied to dc circuits. Results of the upcoming dc circuit testing will determine whether the 20 minute duration criterion is appropriate for dc circuits.
Inter-cable Need to assess for all safe Very limited potenti&I of.
Need to assesfý all safe See footnote I below.
shutdown components.
occurrence. Probability is shutidown componenclts!
thermoset Not specifically addressed, very low compared to" but included under the intra-cable hot shorts.
overall criteria for addressing a hot short.
tv>
Inter-cable Need to assess for all safe
\\
}'Ver limitil potential-of Theed to assess for all safe See footnote 1 below.
hot short-shutdown components.
occu i r*obability is shutdown components.
thennoplastic Not specifically addressed, ve, low comtpared to but included under the intrab h'sllo ts]
?
overall criteria for addressing a hotshort*
ý Intra-cable Need to assess fr all safe uPotential to occurifrcable Need to assess for all safe See footnote I below.
shutdown components.
is damaged, but actual shutdown components.
thermoset Not specifically iddicssed, likeltiood of occurrence is but included under th a funcfn of many overall criteria for
~
variables such that a given addressing a hot short.
time/remperature environment does not necessarily guarantee occurrence.
B. 1-3
Intra-cable hot short-thermoplastic Need to assess for all safe shutdown components.
Not specifically addressed, but included under the overall criteria for addressing a hot short.
Potential to occur, if cable is damaged, but actual likelihood of occurrence is a function of many variables such that a given time/temperature environment does not necessarily guarantee occurrence.
Need to assess for all safe shutdown components.
See footnote I below.
11 Inter-cable Need to assess for all safe No occurrences identified.
Not requiredL t6 Ib, See footnote I below.
hot short-shutdown components.
addressed.
armored Not specifically addressed,
/
cable but included under the overall criteria for addressing a hot short.
Intra-cable Need to assess for all safe Potential to)c**, IfI cable Need to assess for all safe See footnote I below.
shutdown components.
is damaged, but g
otacual shutdown components.
armored Not specifically addressed, likehhood of occurrence is cable but included under the Iminc(iin ofmany overall criteria for
ýW riaalle s such that a given addressing a hot short.
tiiiie/temperatnre
- necessaruly guarant'ee occurenct &
wt,__
Inter-cable Need to asse'sfor all safe Ngot rquired "7<
Not required See footnote I below.
shutdown comnponents.
raceway to Not specifically addiressed, raceway but included under th overall criteria for addressing a hot short.
Intra-cable Need to assess for all safe 1'P(f'ftial to occur, if cable Need to assess for all safe See footnote I below.
shutdown components.
i-damaged, but actual shutdown components.
conduit Not specifically addressed,
- likelihood of occurrence is but included under the a function of many overall criteria for variables such that a given 11 B. 1-4
Table B.I-0 Tvnes of Fire-induced Circuit Failures Reauired to be Considered Tvnes of Fire-induced Circuit Failures Reouired to be Considered addressing a hot short.
time/temperature environment does not necessarily guarantee occurrence.
11 i
i i
iEl Inter-cable hot short thermose t to thermopI astic Need to assess for all safe shutdown components.
Not specifically addressed, but included under the overall criteria for addressing a hot short.
Very limited potential of occurrence. Probability is very low compared to Need to assess for all safe shutdown components.
'Srrfootnote I below.
11 intra-cable hot shorts.
upen tircuit iqeeu to assess ior aii sare shutdown components.
oNt specmicaiiy testeo.
Neeto~assess ror au sare Assuring selectea instruments (Kererence.NKtI shItdown t
II mponents.
IN 84-09) are protected from the effects of fire in each fire area is an effective strategy for addressing the effects of a hot short using this criteria.
Need to assess for all safe Assuring selected instruments (Reference NRC shutdown components.
IN 84-09) are protected from the effects of fire in each fire area is an effective strategy for addressing the effects of a short-to-ground using this criteria.
Need to assess for all safe Assuring selected instruments (Reference NRC shutdown components.
IN 84-09) are protected from the effects of fire in each fire area is an effective strategy for addressing the effects of an open circuit using this criteria.
B. 1-5
NEI 00-01, Revision 2(c)
January 2008 ilO1 flOrn iNo inpact irom a singie hot short on a 3 phase cables apurious uperanon or a single component with 3 hot shorts of the proper polarity on a 3 phase cable inere is no neea~io consider a hot short on poweri orcuits, xcept for hi/lo "IeSSUrO interface valves where 3 hl&-shorts of the proper polarity-Must be assumredn uenenc Letter a -
.z aiscusses m/no
- ure interfaces. NRC Generic Letter 86-idresses hot shorts on 3 phase cables for oressure interface valves hi/I Short-to-ground Loss of power and potential for tripping of upstream loads No additional imp, from multiple/simultane shorts-to-ground Consider a i)Lgleshort-to-ground on each onductor niieach affected Ca.d tNe'*o address Asso*, tCircuits -,
Loss of upstream loads is addressed by.the requirement of Generic Letter 81-12 for Associated Circuits - Common Power Supply [i.e. breaker coordination]
Open Circuit Loss of power impacts i
aneous ir isider a single open uit on each conductor 9h affected cable.
This effect is bounded by the effects of a short-to-ground, since the short-to-ground causes a loss of power and has the potential O
L.LttL tO U
f O
om 011 ar pr f-i 22 The criteria for hot shorts in this coiumnlylr be adjusted using the information from Table B. 1-0 for the hot short sub-types. If the information on a particular hot short i iied, then the important characteristics of the assessment must be included in the design configuration control program. This i required to be done so that as future plant changes are made with the potential to affect these important characteristics of the cable and/or raceway, the important characteristics are either maintained or a re-review of the condition is performed should they be changed.
B.1-6
Table B.2-0 Types of Fire-induced Circuit Failure Required for each Circuit Type cases, however, for this conducLtors, ire tocatedh:
hi hrtim heprm to occur input from a dnemultlc11'onjnjuetori hot short in a secondary cal n t lhe primar IIJC 11ýIII C
control circuit is circuit. (Refer to darn;j's" o su"1 centy' required. (See Example:s I and 2 attached be 'orisidered 1re1iistic' comment to the right.)
to..his appedix. In reqgired FXA m1ple I only a hot short NRC & lnidustry Cable Fii k~n Cable 6 needs to be L Mnsidered. In Example 2, iif addition to the hot short on the tw'o CondiJ
_,Jab(: 3 need to be~
considered. All other aalN I
fkIilt[ure combinations c 1nee
,nt be considered sincer these other combinations require multiple hot shorts to co-exist in separate cables in the primary Land/or
/ scondary circuits.),
For ungrounded DC C Ircu nits, if it can be shown il ibii oly two hot shorts of the prioper polarity witho6ut spurious opemtaion, no utrther evaluation is B.I-7
NEI 00-01, Revision 2(c)
January 2008 ITVsfing 11111C spU tions have II I o
!ngrou n i
r its ajin giouuddit ctracent shorts-to-grouii may be req ired in order to cause a oss of control powNer t.-onsiaer an iniviouai, single short-to-ground on each conductor in each affected cable in a grounded circuit.
Consider the combined effects of shorts-to-ground if conductors are located in the same multiconductor cable in For ungrounded circuits, two shorts-to-ground are required for the loss of control power. The recommended approach either assumes or evaluates for a second short-to-ground causing a loss of control power in the components control circuit for ungrounded circuits.
I I
B.I-8
Table B.2-0 Types of Fire-induced Circuit Failure Renuired for each Circuit TyDe the primary cirt:iit.
Additiondill
- hII, itr assume i
second short-to-ground exists impan ungrounded circuit, resultiw'ika lo
'f N
control po~er or evaluate for an actual fire I
nduced cable impact wilthhe potential to cause tIi P
secone short-to-ground the fiarea>>.r*
I
__I Open Circuit Loss of a single control function, e.g. loss of manual start/stop, loss of auto-start/stop, loss of indication I
m Lossbofrultiple iucfions %within the o'cotrol circumt e.g. loss ofMmanual startstop, loI,-ofiauto
- nstop, loss ofindtcation ~'<
C6oisider an ini*'Midual, single open circuit on each conductor in each affected cable in the circuit.
Consider the combined e1ffects of open circuits if conductors are located in the same multiconductor cable in the primary circuit.
This effect is bounded by the effects of a short-to-ground. Typically losing a single control function, other than indication, is sufficient to require a mitigation strategy2 or II Hot Short I Spurious operation of a UP iaLU a
I-B.1-9
NEI 00-0 1, Revision 2(c)
January 2008 primary component provided the contact that is closed has this direct effect on the primary circuit.
primary component provided the contacts that are closed have this direct effect on the primary circuit.
singie not snort ocn conductor in e affcl te cable in the cir uit.
Consider, thecombined effectsý ot 1sorts if condr ors are located in t
multicoductor cable iiitseco r
circuit. ( R o
Examples I uid2. attached 5E111111i-all t-L 2I, _iIUwý_, u11 LU1IWVV1UKt W1 controlled by the primary circuit has already changed position, the spurious operation will not be reversed by the elimination of the hot short in the secondary circuit. Depending on the damage to the primary circuit by other fire-induced effects, reversal of the position of the spuriously operated component may be possible.
For multiple hot shorts within secondary circuit to cause a spurious operation of the component controlled by the primary circuit, the multiple hot shorts must co-exist and either have a direct effect on the primary circuit or co-exist with another hot short in the primary circuit. This condition of sequentially selected fire-induced circuit damage is of sufficiently low probability to be considered unrealistic and beyond the required design basis given the results of the
,NRC & Industry Cable Fire Testing, except for the case of multi-conductor cables in secondary circuits that have a direct effect B.I-10
Table B.2-0 Types of Fire-induced Circuit Failure Required for each Circuit Type
,,undi ng could cause on the primary circuit and that cannot be spurious6Operation, no overrtidden by an operate action in the fIurt er valuation is Control Room without assuming any neTessa,ý,,except for any additional fire-induced circuit failures on a cases invOlvinLg High/Low different cable.
pressure ifterlfces ef*.
[R GL 86-10 EnJcl. _.2Qe
.n 5.3.1]
For cases involviig'direct current (DC) control circuits,, consider the I Spotexitial s~puriou,,
"operation due to f*ilures of
,the control cables (even if the spurious operation "equires two concurrent hot shorts of the proper polarity, e.g., plus-to-plus and minus-to-minus),
.i 4*
when the source and target conductors are each located in the same multiconductor cable."
[Ref. RIS 2004-03 Rev. 1]
If multiple hot shorts in multi-conductor cables associated with secondary circuits can directly result B.I-11
NEI 00-01, Revision 2(c)
January 2008 in a spurious operati on Or a primary comp n at cannot occur d1e to a single ho dkointhe second(tu ircuit, then this mus e addressed, unless overri dct)y t\\Ioerator in the Co o ioom. In making the &tcrmination about the opeLra1r ability to override the eff tA theL i'!ple hot shorls In the s;econdarý circ uiituit utdditional
-iduLed*
circuiit tfailuru H 1 sC'LIFit(
the ope'rnlre ccabiity th~lt the2 overrFide :Jjlfli~itX by th&pervr' Short-to-ground Loss of coni 6ol power/f nctIon grounded circuit1; I rl*grounILjded, its an addOtional ckcrrent shortsto-ground may be requI ied in order to cause.
oss of control poWeP.
Consider an individual, single short-to-ground on each conductor in each affected cable in a grounded circuit.
Consider the combined effects of shorts-to-ground if conductors are located in the same multiconductor cable in For ungrounded circuits, two shorts-to-ground are required for the loss of control power. The recommended approach either assumes or evaluates for a second short-to-ground causing a loss of control power in the components control circuit for ungrounded secondary circuits.
I1
-i h
B.1-12
Table B.2-0 Types of Fire-induced Circuit Failure Required for each Circuit Type the secondaryciicuit.
Amdditionali, r
assume a second short-to-ground exists in an ungrounded circuiti resultmgn a
in s oi1*ý control pow.or evaluate for an actual fire (iduced cable impact with tli kotential to cause the*:,
sec6nhl's hort-to-groud in thýfr ra*:i, U
U ____________________________________
Open Circuit Loss of control function impacts
( nsider an individual, single open circuit on each conductor in each affected This effect is bounded by the effects of a short-to-ground.
tiple/
mneous No impac circuit circuit B.1-13
NEI 00-01, Revision 2(c)
January 2008 Short-to-Loss of control
-No additional impacts ground power/function with the from potential for tripping of multiple/simultaneous upstream loads shorts-to-ground t-onslwer ground on in each a Assunc arou¶ld in
..onductor c:ble.
short-to-
,!rounded
,Ioss of t
Open Circuit Loss of control function No additional impacts from multiple/simultan, t-onsioer aII circuit on eac in each affect
)pen iductor ITIOtL 3IOrt Erroneous reaulng iNO auuauonai impact due ftomult iple hot
,ie hot short oeach ductor in eah affected le in the circuit.
1 o aaaress tis ior instruments proviaing an indication only function, for each fire area identify the specific instrumentation that is protected from the effects of fire. Capture this information in the post-fire safe shutdown procedure so that the operator can distinguish an erroneous fire-induced reading from a valid reading based by looking at the protected instrumentation.
For initruments pkprforming a control Zfiunction, assume the signal affects the respective contact in the control circuit in a worst case manner for safe shutdown.
For instruments performing a control function, assume the signal affects the respective contact in the control circuit in a worst case manner for safe shutdown.
h _______________________________________________________________________________________________
Consider an individual, single short-to-ground on each conductor in each affected cable in a grounded circuit.
Assuring selected instruments (Reference NRC IN 84-09) are protected from the effects of fire in each fire area is an effective strategy for addressing the effects of a short-to-around.
I B.l-14
Table B.2-0 Types of Fire-induced Circuit Failure Required for each Circuit Tvpe Upen Cir cult Loss ot reading or control function No additional impacts from multiple/simultaneous open circuits.
Consider an individual, single open circiit on eacli conductor in each affected cable-iin the circuit.
AK:
suring selected instruments (Reference RC IN 84-09) are protected from the
'ects of fire in each fire area is an effective atogm for addressing the effects of an open B.1-15
NEI 00-01, Revision 2(c)
January 2008 Rx Pressure - Cable I X Low Reactor Level - Cable 2 X Secondary Circuit B.1-16
NEI 00-01, Revision 2(c)
January 2008 B.1-17
NEI 00-01, Revision 2(c)
January 2008
- 1.
A hot short on Cable 6.
- 2.
A hot short on Cable 4 in combination with thot hort on Carble 3.
- 3.
A hot short on Cable 4 in combination nth a hot short on Cabl.'es " & 2.
- 4.
A hot short on Cable 5 in combination with a ho short on Cable
- 5.
A hot short on Cable 5 in combination ý\\
la hio sit on Cablel IJ& 2.
- 6.
A hot short on Cable 7 in combination with a o short on Cable 3.
- 7.
A hot short on Cable 7 in combination with a l hort on Cables I & 2.
- 8.
A hot short on Cable 8 in conibiation with ahot short on Cable 3.
- 9.
A hot short on Cable 8 in combLu)iton with a hot sd*oto Cables 1 & 2.
Examp.le 1 Spuriopus O1eration - Hot S-mdrn binations B.1-18
NEI 00-01, Revision 2(c)
January 2008 B.1-19
NEI 00-01, Revision 2(c)
January 2008
- 1. A hot short on Cable 6.
- 2.
A hot short on Cable 4 in combination with a hot*s ort on Cable 3 -
Conductor 1.
- 3.
A hot short on Cable 4 in combination with4'Ihotdhort oni ables 1 & 2.
- 4.
A hot short on Cable 5 in combination with a hot short on Cie 3-Conductor 1.
- 5. A hot short on Cable 5 in combination \\th a ho s ort on Cables.%
2.
- 6.
A hot short on Cable 7 in combination wit laot on Cables -
Conductor 1.
- 7.
A hot short on Cable 7 in comiibiiition with a ho shor on Cables I & 2.
- 8.
A hot short on Cable 3 - Con*higt Iin combination with a hot short.
on Cable 3 - Conductor 2.
- 9.
A hot short on Cable 3 - Conduc or in cobjiation with a hot short on Cablesr I & 2 Example 2 - Spurious 0eration - Hot Short dmbinations B.1-20
NEI 00-01, Revision 2(c)
January 2008 APPENDIX B.1 JUSTIFICATION IFOR' THE ELIMINATION OF MULTIPLE HIGH IMPEDANCE FAULTS B.1-1 PURPOSE This appendix is provided to demonstrate that the probability of Multiple High Impedance Faults (MHIFs) is sufficiently low such that they do, mit pose a credible risk to post-fire safe shutdown when certain criteria are met.
This appendix analyzes and characterizes cable fault ihaio th respect to the MHIF concern to determine if and under what conditions this circuit failure mode poses a credible risk to post-fire safe shutdown. In thiseaacity, the M1HIF analysis is intended to serve as a generic analysis for a Base Case set of conditions. TItielhase case approach is recognized as a viable means of establishing 'specific boundi.y conditions for applicability, thereby preserving the integrity of the anaslyis.
B.1-2 INTRODUCTION B.1-2.1 Overview In 1986 the NRC issued Generic Letter 86-10 [11to provide further guidance and clarification for a bt Idrange of 10 CFR 50 Appendix R issues. Included in the generic letter was confinýation that the NRC expected utilities to address MHIFs as part of the Appendix Rciated circuits analysis. 2 % MHIFs are a unique type of common power supply associated circuit issue, as discussed in Section B. 1-2.2 below.
Regulatory (Mide 1.189 (Section 5.5.2) [2] reiterates the NRC's position that MHIFs s6iould be considered in the evaluation of common power supply associated circuits. Of Ainiportance is tgeu reglatoryiguide's endorsement of IEEE Standard 242, IEEE L
)nReiommended Practices for Protection and Coordination of Industrial and Commercial Power*Svstems, [7] as an acceptable means of achieving electrical coordination of circuit protectiw-devices. Confirmation of adequate electrical coordination for safe shutdown power supplies is the primary means of addressing common power supply associated circuits.
B.1-2.2 Defining the MHIF Concern The MHIF circuit failure mode is an offshoot of the common power supply associated circuit concern. A common power supply associated circuit is considered to pose a risk to safe shutdown if a fire-induced fault on a non-safe shutdown circuit can cause the loss of a safe shutdown power supply due to inadequate electrical coordination between 2' A general discussion of associated circuits is contained in Section 2.2 and 3.3.2 of this guidance document. NRC intends that a future generic communication will clarify associated circuits.
B.1-21
NEI 00-01, Revision 2(c)
January 2008 upstream and downstream overcurrent protective devices (e.g., relays, circuit breakers, fuses).
The accepted method for evaluating the potential impact of common power supply associated circuits is a Coordination Study. A coordination study involves a review of the tripping characteristics for the protective devices associated with the electrical power distribution equipment of concern - post-fire safe shutdown power supplies in this case.
The devices are considered to "coordinate" if the downstream (feeder or branch circuit) device trips before the upstream (supply circuit) device overiIe(range of credible fault 24 t,.
current.
In conducting a traditional coordination study, eachi circuit fault is evaluated as a single event.
The concept of MHIFs deviates from baseline assump ions as o ted with conventional electrical coordination. The MHIF failure modn b t
s d on the umption that a fire can cause short circuits that produce abnorrii~lly high currents tho e* below the trip point of the individual overcurrent interruptitgh 1evlce: or the affected cif tti Faults of this type are defined by Generic Letter 86-10 as high imbaldance faults (H-I:S).
Under the assumed conditions, circuit overcurrent protectiyve,-dcices will not detect and interrupt the abnormal current flow. Consequently, the fatlu rent is assumed to persist for an indefinite period of time. Sincc s are not rapidlyiVLred by protective devices, the NRC position is that simultaneous. PIIFs should b oTssidered in the analysis of associated circuits. The specific c',e is t the cwumultive fault current resulting from multiple simultaneous HI-Fs cp exce;tJ ip pdit of a safe shutdown power supply incoming protective device, causing It to10ctuate and de-energize the safe shutdown poweis uppl'1before the downstream (lad-side) protective devices clear individual cirit faults.
Figure B.1-1 illustates tc IlMHIF failur dme iode. Note that the description of MHIFs ntremdu icindan setic w
equipment is affected by the postulated fire.
Det~iis, can beews,dced to etermine exactly which cables and scenarios are J*otlaliilly susceptible to M Fs. However, this type of "spatial" analysis typically M.ylves a hghly effort to trace the routing of hundreds of non-safe shikgdwn cables. J Ftkhermoe, ongoing configuration control of such analyses is overly burt lc*oe. For thi, reason, the preferred means of addressing the issue is at a system perfor*a:ce level, independent of cable routing. The systems approach offers a great deal of cousisvaatlsfmbecause, in actuality, not all circuits will be routed through every fire area and no atji circuits are non-safe shutdown circuits.
-y 24 The range of credible fault current includes short circuit current levels up to the maximum possible fault current for the configuration. For simplicity, the maximum credible fault current is usually based on a bolted fault at the downstream device. However, in some cases the maximum credible fault current is refined further by accounting for additional resistance of the cable between the downstream device and the fault location of concern.
B. 1-22
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-1 Example MHIF Sequence B. 1-23
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-1 Example MIUF Sequence
'*i shutdown com )lnents A-1 and B-1 are redundant, as are A-2 and B-2. A fire in Fire Area B is assumed to render, B-1 and B-2 inoperable, and thus A-1 and A-2 are credited as available for safe shutdL jirci; Breakers 4 - 7 supply non-safe shutdown equipment via circuits that traverse Fire Area B.The fire is assumed to create high impedance faults on several of these circuits si multaneously. The nature of the faults is such that an abnormal current is produced in each circuit, but in eai hcase the current is not sufficient to cause the affected branch feeder breaker to trip. The cumulative effect of the fault current flowing in each branch causes the incoming supply breaker (Circuit Breaker 1) to trip before the downstream breakers are able to isolate the individual faults. The safe shutdown power supply is de-energized, causing a loss of power to the credited safe shutdown equipment, A-1 and A-2.
B. 1-24
NEI 00-01, Revision 2(c)
January 2008 B.1-2.3 Framework for Resolution From inception, debate has persisted regarding the technical validity of MHIFs. The NRC's concern with MHIFs can be traced to a November 30, 1984, NRC internal correspondence [3]. The stated purpose of the correspondence was to "...present one paper which can be used in the evaluation of safe shutdown submittals."
The paper describes the MHIF issue as an "...expansion on associated circuits" and describes the concern in much the same manner as covered in Section B.1-2.2 above. Noteworthy is that the document limits the issue to AC power circuits. The NRE's concern with MMIFs on AC power circuits does not appear to stem from amyip I ic test data or operating experience.
Rather, the concern is voiced as one o,&f onservative judgment for a postulated failure mode in the absence of definitive inmfmatii ito the contrary.
With this understanding as a starting point, thefaiewiork for adressinmg the MHIF issue is based on the following tenets:
A Base Case set of conditions must be defined to ensure the limits of applicability are bounded. Within the dfhedlirits, the MHIF aiialysis serves as a generic evaluation and is considered to sliisfy the regulatory requirement that high impedance faults beýconsidered in tl ysi of associated circuits.
To ensure consistency andi*griucent in the fundamental bases for analysis, technical positions should bli basedtý i
on a referenced to test results, industry consensus tandards, and NRCenerated or approved documents. Test data and technical 6efrncifes must be representative otf he Base Case.
El1ien4l<f the analysis may F.probabilistically-based and employ risk-informed
- a'utis approachliis deemed acceptable within the framework
(-of -I detminstic antlyis ajidis not without precedent.5 However, consistent V.w~
kninloid dectsin making, consequence of failure shall be addressed by the 6
N; 6
analysis.
Analysis unjcrtaints must be included in the evaluation to ensure conservative
~appicaionof r Lsults.
B.1-3 ANALYSIS ETHOD AND APPROACH The approach for conducting this analysis is depicted by the flow chart of Figure B.1-2.
A brief description of each step is provided. The most important aspect of this analysis is the ability to characterize fire-induced cable faults. Research and test data to accomplish this characterization for all voltage levels of interest has until recently been scant, forcing past assessments of MHIFs (both industry and NRC assessments) to make assumptions and extrapolate theories beyond a point that achieved general agreement. Test data from 25 Generic Letter 86-10, Question 5.3.1 excludes on the basis of low probability the need to consider three-phase hot shorts and proper polarity hot shorts for ungrounded DC circuits in the analysis of spurious actuations (except for high/low pressure interfaces).
B.1-25
NEI 00-01, Revision 2(c)
January 2008 recent industry and NRC fire testing [3, 12] allows fault behavior to be characterized at a level not previously possible.
Interpretation of test data and application of analysis results will follow accepted and prudent engineering principles, as set forth by consensus standards and other acknowledged industry references.
B. 1-26
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-2 MHIF Analysis Flow Chart Establish Analysis Criteria and Principles Define Base Case B.1-27
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-2 MHIF Analysis Flow Chart MHIF Analysis Flow Chart Establish Analysis Establish Analysis Criteria and Principles Criteria and Principles F
Define Base Case Define Base Case Characterize Characterize Fire-lndluced Cable Faults LFire-lnduced Cable Faults MHIF Concern MHIF Concern Step 1 7-Establish Analysis Criteria and Principles: Analysis criteria and relevant engin"iihg principles are identified.
The rationale behind the analysis criteria is explainediiand the engineering principles relied upon to evaluate results are. documented.
Step 2 - DefineNBase Case: A base case set of conditions is defined. These conditions establish the limits of applicability for the analysis.
Step 3 -
Characterize Fire-Induced Cable Faults:
Relevant fire test data and engineering research are analyzed to characterize fire-induced cable faults.
Recent industry and NRC fire tests, as well as other credible industry tests and research studies, are considered in the evaluation.
Step 4 - Analyze MHIF Concern: The characteristic behavior of fire-induced faults is considered within the context of the MHIF concern to determine if and under what B. 1-28
NEI 00-01, Revision 2(c)
January 2008 conditions MHIFs pose a credible risk to post-fire safe shutdown for the defined Base Case conditions. Analysis uncertainty is included in the evaluation.
B.1-4 ANALYSIS CRITERIA AND PRINCIPLES The criteria and engineering principles that form the basis of this analysis are discussed below.
- 1. The legitimacy of the MHIF concern is centered on the premise that a fire can create HIFs that are not readily detected and cleared by the intended overcurrent protective device [1, 4]. Thus, characterizing the expected behavi.r of fire-induced faults is paramount in determining the potential risk posed by this 1ilure mode. If fires are able to initiate faults that "hang up" and producedow-level faultcurrents (near or just below the trip device setting) for extendeod peorids, MHIFs should be considered a viable failure mode. If, however, the fijilts do not exhibit this beh or. but instead reliably produce detectable fault kctitfl a properly designed electrical protection scheme can be relied upon to-cleari the fault in a tinely manner in accordance with its design intent. Based on this pr inciple, the primary line of inquiry for this analysis is to quantitatively characterize fiti behavior for the voltage classes of interest. Analysis uncertawi, Will be included iin theassessment to further quantify the results.
- 2. MHIFs are not usually considere in the l analysis of electrical protection systems, primarily% bause operati:, ngexpenienceias not shown them to be a practical concern [6. - 10]7 Io this reasonndustry has not established nor endorsed any particulai analytical approach for MHIFs: Acknowledging the lack of consensus industry standrds andionventions thianalysis relies on objective evidence and the application of recogzedLImeenng principles; however, some element of enganeeringjudgment is inevltaille because of the unconventional nature of the 3."VAs constrained 1-ý h ase Case requirements, this analysis is considered sufficiently representative ot tnuclear plant electrical power system and protective device design, consirction, and,peration:
0 lega2dlessIof make, model, or vintage, electrical protective devices conforming to the ff oval, application, and test/maintenance requirements specified for the Base Catse can be expected to function in the manner credited by this analysis [5, 7, 9].
Electrical power systems satisfying the design and performance requirements specified for the Base Case will respond to electrical faults in the manner assumed by this analysis [6, 7, 10].
- 4. This analysis assumes that electrical protection and coordination have been achieved following the guidance of ANSI/IEEE 242, or other acceptable criteria. Regulatory Guide 1.189 recognizes this ANSI standard as the primary reference for this subject.
B. 1-29
NEI 00-01, Revision 2(c)
January 2008 A more detailed investigation into supporting references listed by the standard reveals a substantial number of tests and research studies that have applicability to this MI-LF analysis [13 - 22]., These documents provide additional insight into the expected behavior of high resistance electrical faults and accordingly are considered by this analysis. As these documents have essentially shaped the engineering basis for the ANSIIIEEE 242 recommended practices, they are considered viable and credible source references for this analysis.
- 5. The test data obtained from the recent industry and NRC ts [3, 7] is considered directly applicable to nuclear plant installations. The4ti parameters (including test specimens, circuit configuration, and physical arrana*et) were specifically tailored to mimic a typical nuclear plant installation. Theb vera lesTplan was scrutinized by utility and NRC experts before implementatioin.
- 6. The actual impedance of a fault can varv*dely and depends on y factors. These factors include such things as fault geometry, system characteristics%
ýtvironmental conditions, and the circumstances causiing_'the kfault. Different fatit impedances produce different levels of fault current;h electrical coordination studies generally consider a range ocredible fault curren1,[7]. Circuit faults resulting from fire damage are highly dynamic but do exhibit, I)dAictable and repeatable pattern that can be characterized nd p\\lained by enginering principles and an understanding of material propei Ies iT : sam nera characteristics have been observed by several different tests'and st1dies j
i3l2j3l3-22].
- 7. The upon for this MHIF analysis is the recent nuclear industry and NRC tests [hI2]. The electrical circuits for these tests were 120 V, single-phase, liihuted-energyýs!%stems.
The analytical results for the 120 V data indicate these low energIyll, c tSILehave diffently than high-energy circuits operating at distribtionlt evel voltages, Tae s for this position are:
0
- 1The ability1
, of electrical system hardware to sustain and withstand local fault 0ýoditons 01decreases as the fault energy increases. Highly energetic sfaults on ysteius operating above 208 V release tremendous amounts of eneCrY at the fault location. These faults are explosive in nature and will S.
destro,equipment in ai matter of seconds, as confirmed by recent industry 1 (expenence.
Conversely, fault energy associated with 120 V, single-phase
.systems is considerably less punishing to the equipment and will not niecessarily cause immediate wide-spread damage.
Test results from the recent industry and NRC fire tests confirm a correlation between the rate of localized insulation breakdown and the available energy (applied voltage gradient and available fault current).
For example, once insulation degradation began, the rate of breakdown for instrument cable was notably slower than the rate observed for cables powered by 120 V laboratory power supplies.
The lower energy circuits are less able to precipitate the cascading failure of insulation that characteristically occurs during the final stages of insulation breakdown because the rate of energy transfer to the fault is B.1-30
NEI 00-01, Revision 2(c)
January 2008 lower. The final cascading failure of a 480 V power circuit can be expected to occur within milliseconds, where the final stage of insulation failure for a 120 V circuit might last several seconds, as demonstrated by the test results. Note that the final cascading failure is typically preceded by a period of much slower insulation degradation.
During this phase of degradation, the cable can be expected to exhibit higher levels of leakage current; however, the leakage current levels are not sufficiently high to affect proper operation of power and control circuits. The point at which the slow, low-level degradation transitions to rapid breakdown and failure is termed the transition phase. (Cable failure characteristics are discussed in detail in Section B. 1-6.1.)
M Arcing faults become increasingly more likelyias system voltage increases because of the higher voltage gradient and longer creepage distances.2 The "effective" current for arcing faults increases as a function of the applied voltage. A higher fault current will hasten the time for protective action. (The arcing fault phenomena are discussed in detail in Section B. 1-P62*) )
- 8. High impedance faults on conductors of po syiemsioperating at 480 V and above manifest themselves as arcing faults [13 - 22]. Thus, the analysis of postulated HIFs for these systems assumes -nfarcing fault (detailed discussion contained in Section B.1-6.1). The bases for this position are:
With respect to cables, disio between energized conductors and between energized conductors and grounded surfaces are not appreciably different from 120 V systems. Thus, as insulation integrity is lost, te high voltage gradient associated with these systems more readily strikes an arc in the absence of a sufficient air gap.
As discussed in Item 7 above, the highly energetic nature of faults on higher voltage power systems results in a significant release of energy at the fault location, which rapidly elevates localized temperatures to vaporization levels. This large release of energyat the faulft fests itself in one of three ways:
I,"
Metal o are fused, thereby creating a bolted fault.
Material is vaporized and forcibly ejected, blowing the fault open Material-is vaporized and ejected, but the conductive vapor cloud allows an arcing fault to develop, which may or may not be sustained A
The elctrical power industry conducted numerous studies and tests pertaining to faults on high energy electrical power systems in the 1960s and 1970s. These efforts were sparked by a rash of significant property losses and extensive outages resulting from highly damaging electrical faults.
These studies significantly increased our understanding of high energy faults and resulted in numerous changes to recommended electrical protection practices (primarily IEEE 242). High impedance, non-arcing faults were not observed by these studies.
26 Creepage distance is defined as the shortest distance between two conducting parts measured along the surface of the insulating material.
B.1-31
NEI 00-01, Revision 2(c)
January 2008 B.1-5 BASE CASE AND APPLICABILITY The intent of defining a Base Case is to establish set limits for application of the analysis 2 results. This approach places measurable bounds on the analysis and ensures results are not inadvertently applied to conditions not considered in the study.
The following requirements constitute the Base Case conditions inherent in this analysis:
The power supply in question must operate at a nominal AC or DC voltage greater than 110 V. Specifically, this analysis does not apply'to AC and DC control power systems operating at 12 V, 24 V, or 48 V. Nor is the analysis applicable to instrument loops regardless of operating voltage.
For the power supply in question, electricancoordination must exist between the supply-side overcurrent protective dev,ýic(s) and load-side ovrcucrrent protective devices of concern27. Achievement ()of pker:. selective tripping shall be based on the guidance of IEEE 242, or other acceptableýriteria S
For 120 V AC and 125 V D C power supljie, in addition to adequate electrical coordination, a minimum size* ratio of 2:1 shall exist between the supply-side protective device(s) and load-side devices of concern (for example, a distribution panel with a 50 A main circuit bfeakiýicannot have any load-side breakers larger than 25 A).
This stipulation adds additioinl margin to account for slower protective device clearing times of low-energy ctiruits.
The electrical s. :emmust be capable of supplying the necessary fault current tor sufficienti*
to su predictable operation of the overcurrent protective devices in accordance with ricth liw-current characteristics.
" 4 i
Pa c
ircircre proective device credited for interrupting fault current shall:
Be applied witiun its ratings, including voltage, continuous current, and interrupting capacity Be List(d or Approved by a nationally recognized test laboratory (e.g., UL, ETL* CSA, etc.) to the applicable product safety standard (fuses, molded circuit breakers, circuit protectors, GFI devices) or be designed and constructed in accordance with applicable ANSI and NEMA standards (protective
- relays, low and medium voltage switchgear) 27 Coordination is not required for circuits that are inherently not a common power supply associated circuit of concern - for example, a circuit that is entirely contained within the same fire area as the power supply itself. Similarly, coordination is only required up to the maximum credible fault current for the configuration, which might include an accounting of cable resistance between the load-side protective device and the fault location of concern.
B. 1-32
NEI 00-01, Revision 2(c)
January 2008 0
Proper operation of the overcurrent devices shall be ensured by appropriate testing, inspection, maintenance, and configuration control.
The electrical system associated with the power supply in question shall conform to a recognized grounding scheme.
Recognized schemes include solidly grounded, high impedance or resistance grounded, or ungrounded.
B.1-6 CHARACTERIZATION OF FAULTS B.1-6.11 Characterization of Fire-Induced Cable Faults for 120V'Systems This section contains an analysis of fault behavior forfie-induced faults on single-phase, 120 V systems. The primary source data for the analysis is recer t industry and NRC fires tests conducted specifically to characterize fire-riducefd cable fault,:
B.1-6.1.1 EPRI/NEI Fire Test esu
- .t.,
The EPRI/NEI fire tests are documented in EPRI Rpcort 1003326, Chai acterization of Fire-Induced Circuit Failures: Results of Cak ire Testing [12].
The functional circuits developed for this testing were heavily monitored, allowing significant insights into the nature and behavior of flfcinduced cable faults.
B.1-6.1.1.1 Cable Failure Sequence
/
When driven to failure, cables followcd ; predictab-,i and repeatable sequence. Initial degradation was first observed as a relatively slow reduction in insulation resistance down to approximately 10 M - 1,000 L. At these levels the circuits remained fully functional and leakage current w the milliamp range.
The next phase of degradation has b)en temned ffh'etrasititn phase. In the transition phase, the fault undetg&.
ac ade e1ffct and thcirate of insulation resistance (IR) degradation increases sigirficantly, c faiult resistance to drop rapidly. The circuit remains functional, but leakage current ramps upward quickly. The fault resistance associated with this phase is approximately 5 k.0 dwn to 600 Q. Note that at 600 Q the leakage current is only about 0.2Aand the circuiis still functioning. The transition phase lasts from seconds to minutes. The final phase involves full failure of the cable. Insulation resistance drops to a very low level and' leakage current now becomes fault current.
The fault current escalates abov the fl se rating, causing the fuse to open and de-energize the circuit. This final phase typiatly occurs within seconds or 10s of seconds for low-energy 120 V circuits. Figures B.1-3 and B.1-4 show current and fault resistance for a typical set of cables driven to failure.
Figure B.1-3 Fault Current for Fire-Induced Cable Failure B. 1-33
NEI 00-01, Revision 2(c)
January 2008 Cable Failure Characteristics (Test #8)
Fault 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6 1.8 2.0 Time (Minutes)
B. 1-34
NEI 00-01, Revision 2(c)
January 2008 Cable Failure Characteristics (Test #8) 0.0 0.2 04 0-6 0.8 1.0 1.2 1.4 1.6 1.8 20 Time (Minutes)
Figure B.1-3 Fault Current for Fire-Induced Cable Failure Cable Failure Characteristics (Test #8) 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6 1.8 2.0 Time (Minutes)
B.1-35
NEI 00-01, Revision 2(c)
January 2008 The observed results can be explained by an understanding of the localized phenomena at the fault location. As the insulation degrades leakage current increases. At some point, the leakage current measurably contributes to localized heating, accelerating the rate of insulation degradation.
As current increases, the rate of degradation increases until it finally cascades to a full fault. Important in this observation is that the power source must be able to supply sufficient energy to drive the cascading effect to completion. Test circuits with limited current capacity demonstrated the same basic failure sequence; however, the final phase typically took longer and did not produce predicable final fault B. 1-36
NEI 00-01, Revision 2(c)
January 2008 resistances. This behavior can be seen in the NRC/SNL data in which the test circuit was limited to 1.0 A. This observation leads to the Base Case condition that the power supply must be able to produce sufficient fault current to ensure the protective devices operate predictable.
A key observation of the failure characteristics is that once the insulation resistance enters the transition phase it does not "hang up" at an intermediate point; it cascades to full failure within seconds or 10s of seconds. From the data it appears that once leakage current exceeds about 0.2 A, the fault can be expected to cascade to levels that trgger protective action.
N11 In a few cases this process was dynamic. The fault adetfnd produced a high fault current momentarily (a few seconds), but quickly sulsided back(low levels. This cycle generally repeated itself two or three times bef re*fault curreýt ranped and remained high. Importantly, in no cases did fault current stabilize for an extended period at an intermediate level such that it was not detected and cleared by the fuse.
B.1-6.1.1.2 Fault Clearing Times S,
The fire test data was analyzedftoestablish a correlation
,t between fault current level and the time required to clear the ciresti se. The resultsI thlis tabulation are presented in Table B.1-1.
The data here deal,~ny~ wth~cases in wlit i
m a fault caused the fuse to clear.
Data for thermoset and thermoplastic athble are,shown separately because the different insulation material exhibited sllghtly diCffere-iharacteristics.
The table providý*s statistics for the anmiint of time it took to clear the fuse once current had reachediciain thresibld level. TW:clearing times are shown for three thresholds:
0.25 A, 1.0 A, ýad 2.0 )A.
The 0.25 A llevel was selected because it represents the approxinate lowerhotuind of t.he transition phase.
2.0 A was selected because it representsIacurrent flow',:well below-a value considered to pose a HIF concern for the established cicunIl.0 A isan intermediate point that provides additional understanding.
he,table is interpreitd as follows: For thermoset cable, once fault current reached a level of 0.25 A, it took on average 0.46 minutes for the fuse to clear; once fault current reached'10 A it tookcoa average 0.23 minutes to clear the fuse; and so on.
Table B.1-1 Fault Clearing Time Table B.1-1 Fault Clearing Time Fault Clearing Time Time to Clear Fault (min)
Current Threshold 0.25 A 1.0 A 2.0 A B.1-37
NEI 00-01, Revision 2(c)
January 2008 Thermoset Cable Population 75 75 75 Average 0.46 0.23 0.14 Range 0.1 to4.8 0.1 to2.1 0.1 to0.7 Std Dev 0.67 0.29 0.13 2 Std Dev 1.33 0.59 0.26 Thermoplastic Cable Population 39 39 f,
39 Average 0.12 0.10 0.10 Range 0.1 to 0.3 0.1 *.
0.1 Std Dev 0.07
.0.00Q,
0.00 2 Std Dev 0.14
- 0900 7
0.00 The statistics presented in the table lend.
1%
nve to dte following obse- %tions:
The values contained in the table are highly consevative. The sample rate for the test monitoring system was limited to Ql mrin (6 sec). Inniimny cases the fuse cleared between sample times. For these cases, the clearing time has beeiin cnservatively assigned a value of 0.1 min. This approach holds true fo lues in that the 1xma1um possible clearing time I
has been s Inherent in this
,tthe analysis uncertainty associated with determining the statistical values is compnQtelyiub'crported into the values.
All cables that re lekaanugm current of 0.25 A ultimately cleared the fuse.
This is evident Hihat the population for all ttree threshold currents is the same. This is an important observatiO: becaus
- it demonstrate 1t once fault resistance has degraded to the transition point, the ceaadeleffýŽl'ominate h(-lie ultimate outcome and the fault does not then
" intcediate re, isttae value that results in a prolonged abnormal low-level cmntl flowý SOanke fault current Ias 10A, the cascade effect accelerated, as evidenced by the smallci dta between The I.0*A to 2.0 A average and the 0.25 A to 1.0 A average.
SOnce faulL irrent for ermoset cable exceeded 2.0 A, the average clearing time was 0.14 min, with a 95'o ard deviations) upper bound of 0.4 min. From this it can be stated that 95% of the faultsleared within 24 sec.
Thermoset cable fails much more quickly than thermoplastic cable.
B.1-6.1.1.3 Assessment of Probability A different - and arguably better - way to tabulate the data is to determine the fraction of faults that were cleared by the fuse within a specified time. This tabulation is shown in Table B. 1-2.
B.1-38
NEI 00-01, Revision 2(c)
January 2008 Viewed from this perspective, the data represents a go - no go or success - failure data set. In this format the data is readily analyzed in manner useful in addressing the MHIF concern. The table is interpreted as follows: For thermoset cable, once fault current reached a level of 0.25 A, 62.7% of the faults were cleared within 0.2 min; 78.7% of the faults were cleared within 0.5 min; and so on.
B. 1-39
NEI 00-01, Revision 2(c)
January 2008 Table B.1-2 Probability of Clearing Faults Within a Specified Time Percentage of Faults Cleared Time (min) 0.25 A 1.0 A 2.0 A Thermoset Cable 0
0.0%
0.0%'
0.0%
0.1 46.7%
77.3,ý%,
89.3%
0.2 62.7%
,6.7%
'*90.7%
0.3 70.7%
A?89 *g3o*
92.0%
0.4 74.7%
90.7%
93-3%,
0.5 78.7%
1 90.7T, 94.7%
0.6 84.0%
9"
.L0)',
96.0%
0.7 85.3%
92.0o 96.0%
0.8 89.3%
N9./3 100.0%
1.0 90.7%
94 7",
100.0%
1.5
'96-0' %
9773,%',,
100.0%
2.0 96 98.7' 100.0%
Thermoplastic Cable o 0.01.
- 0. 00 0.0%
- 40.
87.2%
ý
° 100(0%
100.0%
-0.2 94.9%
100.0%
100.0%
0.3 100.0%
100.0%
100.0%
Figureq I I -and
.ý B.6mrdphie.AIE itrate the data contained in Table B.1-2.
B. 1-40
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-5 Percent Faults Cleared for Specified Time - Thermoset Cable!
B.1-41
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-6 Percent Faults Cleared for Specified Time - Thermoplastic Cable B. 1-42
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-5 Percent Faults Cleared for Specified Time - Thermoset Cable 100o0%
90.0%
800%
70.0% -
60.0%
50.0%
-f-0.25 A
40.0%
0 L
30.D%
_2.A 20.0%
10.0%
0.0%
0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6 1.8 2.0 Time to Clear Fuse (min)
\\N\\
B. 1-43
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-6 Percent Faults Cleared for Specified Time - Thermoplastic Cable 100.0%
90.0%
80.0%
70.0%
60.0%
ýO 50.0%
40.0%
- u.
30.0%
20.0%
10.0%
0.0%
0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 Time to Clear Fuse (min)
The following ob i
can be made bout the pirbability data:
Faults oi ermopat i
cable essenial egrade to full failure ýmmedlatcly. Given the limitations ( the fmnitoring system sample rate (6 sec) and the conservative treatlmentcof 1te ata, it is s dute t the actual failure times are in the millisecond raiie and fnot secn On this basis the observations for thermoset cable are Uconidered'todoiund ili(ermoplastic cable.
SFigure B.1-5 sýows that the
.OA curve is approaching the 2.0 A curve.
This graphically illustr~t(ýs that once current has surpassed the 1.0 A threshold, the cascade effctdriesthe outcome and full failure is inevitable.
Again, with respect to the MWPC oihcejniii~s confirms that the inherent fault behavior does not support the concept tLilit current can stabilize at some intermediate value. Once cascading begins, thl ault will progress to full failure, provided the system is capable of delivering sufficient energy to the fault.
Once fault current reaches 2.0 A, 89% of the faults are cleared within 0.1 min and 100% of the faults are cleared within 0.8 min. Again, considering the limitations of the monitoring circuit, the actual times are less than indicated.
From the IA current threshold only one fault took longer than 2 min to clear - it cleared in 2.1 mrin.
B. 1-44
NEI 00-01, Revision 2(c)
January 2008 B.2-6.1.1.4 Uncertainty Analysis An uncertainty analysis of the data contained in Section B. 1-6.1.1.3 is needed to establish a confidence level in the results. The dataset conforms to the requirements for a binomial distribution [23, 24], and thus a binomial confidence interval will be used to assess uncertainty. The confidence interval will be calculated at the 95% level. Only thermoset cable data is included in the calculation since it bounds the thermoplastic cable data.
The binomial confidence interval calculation is particulafly punishing in this case because of the relatively small sample population and lomi iimber of failures. This factor adds additional margin to the calculated values of uncrtamtinty.
The binomial confidence limits are calculated as follows, x
n
+
+xe~i where: PI = Probability cofidence limits n = Sample populai~,t io x = Number ofob$krvationsfdiling crteria z= Desired confidence le1,Sifacfo, 11.96for 95%l)
Table B.1-3 shIws theNcalculated 95/confidence factors and Table B. 1-4 shows the 95% lower cLnidece linmit values for the 'dataset.
B.1-45
NEI 00-01, Revision 2(c)
January 2008 Table B.-3 Binomial Distribution 95% Confidence Factors Binomial Distribution 95% Confidence Factors Time (min) 0.25 A 1.0 A 2.0 A 0
0.0%
0.0%
0.0%
0.1 11.3%
9.5%
7.0%
0.2 10.9%
7.7%
6.6%
0.3 10.3%
7.4%
.64.1%
0.4 9.8%
6.6% Ai 5.6%
0.5 9.3%
6.6o"/,N 5.1%
0.6 8.3%
6.,
4.4%
0.7 8.0%
4.1%,
.4%
0.8 K
7.0%
0 0o 1.0 6.6%
5.1%
0.___
1.5 4.4%
o 3.6%
2.0 4.4%
, 2.6%,
0.0% "/
Table B.1-4 Fault Clearing Fim 95% Lower Confidcace Limit 95%' Lo hr Cofidence Limit Time*(ri'if,)
0.25,A, 1..01K 2.0 A 0.0% \\
0.'0%
0.0%
00.1 35.4% \\
67.9%
82.3%
f
,- 2 51.7%
79.0%
84.1%
'0.3-60.4%
7 80.6%
85.9%
0.4, 64,84ý 84.1%
87.7%
0.5 "
69.4%"
84.1%
89.6%
Q06 N j 75.7%
85.9%
91.6%
,0 7, 7j7.3%
85.9%
91.6%
089 82.3%
87.7%
100.0%
1.0 84.1%
89.6%
100.0%
1.5 91.6%
93.7%
100.0%
2.0 91.6%
96.1%
100.0%
B. 1-46
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-7 shows the 1.0 A and 2.0 A fuse clearing probabilities with the 95%
'confidence limits applied. Note that the t = 0 confidence limits have no real meaning since no fails have occurred at this point.
Figure B.1-7 Probability of Clearing Fault Within Specified Time With 95% Uncertainty Bound Applied U.
100.0%
90.0%
80.0%
70.0%
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
0.0% A 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 1.6 1.8 2.0 Time to Clear Fuse (min)
B.1-6.1.1.5 Lea!1 Cu rrent for Non-Failures The data presented in Sections B.1-6.1.1.2 and B.1-6.1.1.3 demonstrates the behavior of faults for those cases in which the fuse did not clear. Just as important in addressing the MHIF concern is: What was the behavior for cases in which the fuse did not clear? The key issue, of course, is whether any cases occurred in which fault current increased to a level of concern without triggering the fuse.
A review of the data for all cases in which the fuse did not clear indicates that the highest fault current observed without the fault ultimately cascading to full failure and clearing the fuse was 0.17 A, which correlates to a fault resistance of 700 Q. No cases existed in which the failure progresses to the cascade point and did not ultimately fully fail.
B. 1-47
NEI 00-01, Revision 2(c)
January 2008 B.1-6.1.2 NRC /SNL Fire Test Results The NRC/SNL fire tests are documented in NUTREG/CR-6776, Cable Insulation Resistance Measurements Made During Cable Fire Tests [3]. It is not intended that this analysis conduct a comprehensive review of the data associated with the NRC/SNL report. Rather, the test results are reviewed to ascertain any trends or insights different than observed in the EPRI/NEI test results.
The NRC/SNL test results show the same basic progression fori ýcable failure. Insulation resistance drops predictably down to the 10 kQ to 1,000 range, at which points the failure cascades rapidly to full failure.
The monitog quipment sample rate was approximately 75 sec, and thus the measurements do i capture the dynamics of the cascade effect.
Like the EPRI/NEI data ini niany ca*,.
the IR is high one measurement then low for the subsequent meaiu;ii~ent. The finialJR values are more erratic than observed in the EPRI/NEI test data. This is attributed to te limited-energy circuit used for the testing. The circuit, w
-esignel to limit current i 0
kO A, which prevented the system from consistently divig flt to their concl usion.
This observation further supports the Base Case mej re nt that the system be capable of supplying sufficient energy to the fault. A typica k~ of insulation resistance from the NRC/SNL fire tests is shown in iFigure B.1-8.
B. 1-48
NEI 00-01, Revision 2(c)
January 2008 Figure B.1-8 Insulation Resistance Values for Typical Test Series (Courtesy of USNRC and Sandia National Laboratories)
(Courtesy of USNRC and Sandia National Laboratories)
(Courtesy of USNRC and Sandia National Laboratories)
- 1. E+06
- 1. E+05
- 1. E+04 E
- 1. E+03
- 1. E+02
- 1. E+01
- 1. E+O0 0
1000 2000 3000 4000 Time (seconds)
Characterization of Arcing Faults 5000 B.1-6.2 As di-sussed in Section B.1-4.0, high impedance faults on systems operating at 480 V and ab(oy,,e are manifested as arcing faults. Arcing-type faults are unique in their behavior and must be treated differently than conventional bolted faults [7, 13 - 22].
Arcing faults are characterized by relatively high fault impedance and low, erratic fault current. The rms current for an arcing fault can be substantially lower than the maximum available fault current (bolted fault). Arcing faults on high energy systems are extremely damaging and must be cleared rapidly to avoid extensive damage.
B.1-6.2.1 Fire as an Initiator of Arcing Faults Operating history for electrical power systems shows the most common cause of arcing faults to be:
B. 1-49
NEI 00-01, Revision 2(c)
January 2008
" Loose connections that overheat, causing minor arcing that escalates into an arcing fault
" Surface conduction due to dust, moisture, or other contaminates on insulating surfaces
" Electrical mishaps involving conducting materials (e.g., dropping a metal wrench into energized switchgear) or foreign objects in enclosures
" Insulation damage.
From a circuit failure perspective, fire is an externalhent wivthýe propensity to damage any circuits in the vicinity of the fire; however, industr*experi c, does not identify fire as a major initiator of faults on high energy stem*s t is surmise. hat in many cases, operators take action to de-energize high voltage equipment before it Isengulfed by an escalating exposure fires.
Nonetheless t1ire-nducedtarcing faults ca llCcr on high energy systems and must be addressed.
B.1-6.2.2 Classification of Faults, Arcing faults may take the form of-ale-to-line fault e-to-ground fault. Arcing faults include:-
Three Phase (3-0) Svstems: 3-0lineto-l,11e 4
3-0 line-tib-ground 1-0) line-toSine 1-0) line-to-_ro d.
inglePhas (
yst s1 s
I-0 line-to-line 1109 line-to-ground.
LI ne$toground arcihgkfults pose less of a concern than line-to-line arcing faults for electricad distributions ystems equipped with ground fault protection.
Ground fault sensors 1),e set iith high sensitivity to low magnitude currents because ground current is noL:(xqpted under normal conditions. In contrast, line-to-line arcing faults can take longer
, detect since the phase overcurrent devices are less capable of discriminating between a relatively harmless overload and a highly damaging, low-magnitude arcing fault.
Line-to-ground faults on solidly grounded electrical systems that are not equipped with ground fault sensors can produce faults that are not instantaneously cleared. Systems of this design rely on the phase overcurrent devices for protection, which do not offer the same degree of sensitivity to ground faults as do ground fault sensors. It is important to maintain perspective on this point. A highly energetic ground fault that is allowed to persist for even several seconds will generally cause widespread damage. Concern over B.1-50
NEI 00-01, Revision 2(c)
January 2008 this type of fault has initiated changes to recommended practices for protection against arcing ground faults. High-resistance grounded systems are generally not susceptible to damaging ground current flow because a grounding resistor or reactor limits the current to a very low level. Ungrounded systems require a fault on at least two phases to produce fault current flow. This type of fault is essentially a line-to-line fault.
Operating experience shows that arcing faults are most prevalent in metal-enclosed switchgear and open busways containing uninsulated bus bar. Insulated cables in conduit or tray more frequently suffer bolted faults. These characterisucs are attributable to the nature of the arc. Arcing faults on uninsulated conductorsitend to travel away from the source because of magnetic force interactions with the nmized arc. Movement of the arc minimizes the concentration of fault energy. In contiast, iýilated cable does not allow rapid movement of the arc. Consequently, the arc energy anJ the damage it inflicts remain concentrated at the initial arc location, causin more
,asag a, mrrapiegradatio of the fault to a bolted fault.
B.1-6.2.3 Arc Voltage Drop and Waveshape The arc voltage drop ranges from 100 -
150 volts for fault currents between 500 and 20,000 amps. The voltage is effectively constant ov&
ea wide range of current. The length of the arc for distribution l
%oAtages varies but iusually ranges between 1 and 2 inches.
Test data shows that the arc voltage wI"es11p cantly distorted. The waveshape is initially sinusoidta and then quickl a
magnitude of 100 -
150 volts, depending onihe exact arilength and local conditions. The arc voltage waveshape does not increase nm~iimear faslhibn as a function of the system voltage. The voltage contains a significant thiric1hhrmoric component, which is on the order of five times the normal value.
ma ar~isin itiateifit extinguishes at current-zero and then reignites when s~tantaneous vu e reaches, sme threshold value. A key relationship exists between the 'reignition, or rekstke vplage, and the level of fault current.
The lower the re-igniion, voltage the h igher the fault current. As reignition voltage approaches zero, fault curreiit pproachesl i,, maximum value (bolted fault).
And, as reignition voltage appro ystem %1tage, fault current approaches zero (open circuit). As a result of this inverse relatiow ihip, it is evident that higher reignition voltages represent more of a concern than ljwer voltages with respect to the MHIF concern. Analyses of distribution-level arcing faults generally assume a reignition voltage of 375 V (peak instantaneous).
This voltage is considered a conservative practical upper limit for reignition based on typical system designs.
Arcing fault reignition has several important implications:
u Arcing faults with a reignition voltage above the system voltage are self-extinguishing. Thus, a lower threshold of fault current exists for which a fault can sustain itself beyond one cycle.
B.1-51
NEI 00-01, Revision 2(c)
January 2008 An arc is not self-extinguishing at or above voltage levels with a peak instantaneous voltage greater than approximately 375 volts.
375 volts instantaneous corresponds to 265 volts rms.
Sustained arcing faults on single phase 120/208 V AC systems are exceedingly rare. Two factors are involved: (1) the low system voltage reduces the likelihood of exceeding the reignition voltage, and (2) unlike three phase faults, periods of no current flow exist for single phase configurations aff.rding the ionized hot gasses a better chance of dissipating. This is not o say that arcing faults cannot occur at these voltage levels and cause equi i \\n amage. It does, however, support a position that "sustained" arcing faults thi very seldom occur.
The fault current associated with arcing faults increases percentage of the bolted fault current as system voltaý'-ncreases. This char trenistic is due the nature of the arc voltage, which rAni ns relatLively constant reguik-ýss of system voltage. Thus, the higher the systemr ae ng will bejthe conduction portion of the arc ignition-extinguishmentcc1(2y' High impedance arcing iti ae primarily Ak C system phenomenon. The low-magnitude current assoiatd %tith an arcig rault is largely due to the ignition - extinguishment cyce o It, faul erves to lower the rms fault current. In a DC system, a p\\:eriion,,
-engnish cycle does not exist. Voltn*u "i constant andthis currei
,*ws continuously once an arc is establish***d B.1-6.2.4 Arc' Faut Curre.t The.ctili~t avý'eshpleý consists ef on-continuous alternating pulses, with each pulse f~las, igbult ' I4 of I
The arc is extinguished each half cycle and reignited in t4ec succeeding h*!lcbcle i
sed in Section B.1-6.2.3 above.
Thi generally accept multipliers (expressed in % of bolted fault current) for estimating rms ýHing fault cureit for 480/277 V systems are listed below. The multipliers are based u tcablishing tdie lower values of probable fault current for realistic values of arc voltage. A: l In I;is assumed to be 2 inches and arc voltage 140 V (line-to-neutral) /
275 V (line-fo-I me), independent of current. Neither of these assumptions is strictly true because of the dynamic movement of the arc and other configuration variables at the fault location. Thus, actual fault current may also vary. The estimated current values are, however, representative of the values produced during testing.
3-0 Arcing Fault:
89%
Line-to-Line Arcing Fault:
74%
Line-to-Ground Arcing Fault:
38%
B. 1-52
NEI 00-01, Revision 2(c)
January 2008 Note: Some industry papers addressing arcing fault protection suggest a multiplier of 19% for line-to-ground arcing faults. However, documented occurrences of cases below 38% appear exceedingly rare and appear to be associated with switchgear faults, which tend to have longer arc lengths.
The 38% value is considered reasonable for this assessment since the concern is with cables and not switchgear.
Minimum values of arcing fault current have not been established for medium voltage systems. However, as noted in Section B. 1-6.2.3 above, theu alues will increase with system voltage, and as minimum will be higher than the1480 V values listed above.
Practical experience indicates that arcing fault currentr, f
medium voltage systems actually approach bolted fault levels.
B.1-6.2.5 Arc Energy Even though the rms current for an arcing fault is less than that of a bolted fault, arcing faults can cause a great amount of damage. Most of thcenergy in the arc is released as heat at the arcing points; very little heat is cniddited away from 'the arc by the conductors. In contrast, a bolted fault dissipates energy throughout all resistive elements in the distribution system and does not cause the concentrated energy release seen in arcing faults.
Fire can cause unspecified damage t o zc andtequipment insulation, which in turn can initiate an arcing fault in energized Lconuctors.
Jhe failure sequence starts with a progressively decreasiii>insulation re nce. At sume point under the applied voltage stress, the insulation allows sufficient leakage current to cause excessive localized heating in the insulation (usually at some minor imperfection in the cable). The localized heating escalates, rpidlydue l
o the higth,
ergy capacity of the system, and within moments i;lconductlr 11linsuah ntemperature reach their vaporization point.
Condluctive material lsepelled, forming a vapor cloud in the vicinity of the fault. The
,vapor cloud readily condiicts electricity and an arc is formed. The cloud of vaporized mietal tends to quickly conidiense on surrounding surfaces, which creates a cascading effelt for the arcing fault as a*dditional arc paths are created. The loss of material due to vaporization contributes to the dynamic nature of arcing faults. Depending on the fault geoimcfr yý<ad conditions, the arc might persist, blow open, or degrade to a bolted fault.
The amountoof con'ductor vaporized during an arcing fault is directly related to the energy released at the failt. The industry-accepted correlation(supported by test results) is that 50 kW/sec of energy will vaporize approximately 1/20 m3 of copper. The significance of this characteristic is that arcing faults at medium voltage levels (above 1,000 V) cannot sustain themselves beyond a few seconds. The tremendous energy release at these higher voltages vaporizes conductor material so fast that the fault degrades almost immediately or blows open. This category of fault can completely demolish equipment in a matter of seconds if not cleared.
B.1-53
NEI 00-01, Revision 2(c)
January 2008 B.1-7 ANALYSIS OF MHIFS This section analyzes the MHIF concern within the framework of knowledge about fire-induced fault behavior developed in Section B. 1-6.
This characterization of fault behavior shows that faults manifest themselves differently at different voltage levels.
Accordingly, the analysis conducted here is broken down by voltage classification.
B.1-7.1 Medium Voltage Systems (2.3 kV and Above)
Medium voltage systems at nuclear plants typically operat y.ithii-the 2.3 kV to 13.8 kV range.
Overcurrent protection for this class of equitictt usually includes electro-mechanical or solid state overcurrent relays that actuate pov circuit breakers. High voltage fuses may be used for some installations. Mýost sysm also include sensitive ground fault detection designed to rapidly cld touind fault< khich can be highly volatile and damaging.
HIFs for this class of power manifes(Ydic lves a, arcing faults.
I "le electrical properties and characteristics for arcing fault, zi ued in Section B.1-6.2.
The expected impact of arcing faults at the medium level is addressed by the items below:
t",
The typical arc voltage drop of 10 0 volts is 11 in relation to the overall system voltage. Thus, an arcing fauli iQuedium voltage levels will not appreciably reduce fault current in the same manner as it o
r low-voltage systems. Based on the 480V
- nultipliers presented in Section Hi-6.2.4, very conservative assumed lower arcing fatlrrents of 4V', (line-ground) and 80% (line-to-line) of the symmetrical rs bolte*d fault cutrreia produce highly damaging levels of current flow. An idk*qigaed proteLtivoe system can be expected to clear faults at
.....th se*,;,*ev ls if' id.
a te levels
, i ly,
,few seconds).
Systems coordinated in
-a-o withthe guidancel of ANSI/IEEE 242 (or other acceptable criteria) are
"'/considgr o hL,e edesigned.
ost all meduti vlta,, power systems include sensitive ground fault protection
,Ibvices. These devices are set to clear ground faults at very low levels (20 A -
100
. - velI below the assumed 40% lower fault current limit. Systems that are high resie grouuided inherently limit fault current to a low value. Accordingly, these insare designed to be extremely sensitive to ground fault current, and are expecte5 Irapidly clear any type of ground fault.
Certain cable runs may not be protected by overcurrent relays, but instead may use differential protection schemes. Differential protection is very sensitive and any cable protected this type of circuit will clear in-zone faults within milliseconds.
Sensitivity varies, but is in the 10s to hundreds of amps and not thousands of amps.
Arcing faults on medium voltage systems produce explosive energies. An arcing fault with an arc voltage of 140 volts (very conservative for this voltage level) and B. 1-54
NEI 00-01, Revision 2(c)
January 2008 fault current of 2,000 A (also a conservative value) will vaporize copper conductor at a rate of:
Volume Vaporized = (140 x 2.00 x 1/20) / 50 = 0.4515 in3 copper / see At this vaporization rate for busbar or cable, the fault conditions cannot be sustained for more than a few moments before the dynamic nature of the fault produces near bolted conditions or blows open.
N Operating experience shows that even with highly sitive protection that clears arcing faults within a fraction of a second (or in the %orst case seconds) severe localized damage is likely. Given the energies ivolve'd com a hardware integrity perspective it is not plausible that arcing faulotscan be zthtined for a prolonged period of time at medium voltage levels.
Conclusion HIFs at medium voltage levels will manifest themsl ves as arcing faults. The minimum credible fault current producedtby these faults wiii~rapidly detected by an adequately designed protective scheme and the:4ault will be cIeAeCd immediately, typically within milliseconds.
The energies produced¢ b arcing faults f 1,[this class of power system cannot be sustained by the hardware for tire than ai few seconds due to physical destruction of the conductor, insulating maitrikalsand surrounding equipment.
The analysis supports arqiiclusion that, forK nedinmm voltage power supplies conforming to the Base Case, the pi-rbabl-ity of MHIFs is sufficiently low to classify the failure mode as an incredible evetithat does1not pose a credible risk to post-fire safe shutdown.
B.1-7.2 480 V-600 V Low.,NViitage Systems 480 V systemsi! are mi)oirmmon at nuclear plants; however, some 600 V systems exist.
. A variety of overchUrrent protective devices are used for this class of equipment. Load centers are generally,protect"d4by low voltage power circuit breakers configured with an intemal electro-mechanical or olid-state trip unit. Motor control centers and distribution panels typically contain molded case circuit breakers or fuses. Some 480 V systems are configured Idith sepCarte ground fault detectors and some are not.
HIFs for this class of power manifest themselves as arcing faults.
The electrical properties andicharacteristics for arcing faults are discussed in Section B.1-6.2.
The expected impact of arcing faults at this voltage level is addressed by the items below:
E Credible lower limits for sustained arcing faults on 480 V systems are presented in Section B. 1-6.2.4. Arcing fault currents of 38% (line-ground) and 74% (line-to-line) of the symmetrical rms bolted fault current produce damaging levels of current flow. An adequately designed protective system can be expected to clear faults at these levels rapidly (although maybe not instantaneously). Systems coordinated in accordance with the guidance of ANSI/IEEE 242 (or other acceptable criteria) are B.1-55
NEI 00-01, Revision 2(c)
January 2008 considered to be adequately designed. A worst-case example is developed below to substantiate,this position.
A worst-case scenario might involve an arcing ground fault on a solidly grounded system that is not configured with individual ground fault detection. Assume an end-of-line fault has a symmetrical rms bolted fault current of 5,000 A (highly conservative as most 480 V systems produce fault current in the range of 10 kA to 25 kA). This case would result in an arcing fault current of 1,900 A (.38 x 5,000).
It is conceivable that this level of fault current might nt' t tger the instantaneous trip element of the affected overcurrent device; how(er, the inverse time element will assuredly detect and clear the fault as no 4etdisc system contains feeders operating at 1,900 A continuous. In this case it'is'-Liýhpla hat the fault might take 10 -
15 see to clear.
However, due to Icdestructiv'v er this fault would unleash, it is doubtful that the hardware swlurvive these coIndlitions.
If the above scenario is postulated t oce at the switchgear, it is "isuic ly possible that the switchgear main breaker might DO dil d tect the fault, asThese breakers can be rated at 800 A - 4,000 A. Literafii L),ecuments such cases, and complete destruction of the switchgear was the outcome. fHowever, switchgear and bus faults requiring main breaker protective action are nt L04 concern for the MHIF issue.
480 V systems configured wi popierlv cordinate ground fault detection can be expected to clear low-level arcr d
gioaii i*r f
eU diately.
As witl
- ieiiuil voltage systems,,- arcing laults on 480 V systems produce tremenduis* nerg ie it lt 1ýaion. An arcing fault with an arc voltage of 100 voltslý
,onserrvalve) and fault itirrent of 1,900 A will vaporize copper conductor at' rate VoumeVponze (100 x 1.90 x 1/20) / 50
= 0.190 in3 copper / sec
.Although nots s
that seen on medium voltage systems, this vaporization rate for busbar ot cabl*annot be sustained, and the fault will progress rapidly to a bolted condition or will blow open as localized destruction escalates.
Conclusioni HIFs on 480WV - 600 V power systems manifest themselves as arcing faults.
The minimum credible fault current produced by these faults will be detected by an adequately designed protective scheme and the fault will be cleared (although maybe not instantaneously). The energies produced by arcing faults for this class of power system cannot be sustained by the hardware for extended periods of time before physical destruction of the conductor, insulating materials, and surrounding equipment result in widespread and catastrophic damage. The analysis supports a conclusion that, for 480 V
- 600 V power supplies conforming to the Base Case, the probability of MHIFs is B. 1-56
NEI 00-01, Revision 2(c)
January 2008 sufficiently low to classify the failure mode as an incredible event that does not pose a credible risk to post-fire safe shutdown.
B.1-7.3 120 V and 208 V Systems 120 V systems are most often used for control and control power circuits; 208 V systems are typically associated with lighting, small motors, heaters, etc.
120 V single-phase circuits are of greatest interest for this study. For nuclear plant applications, overcurrent protective devices are generally molded case circuit breakersor fuses located within power distribution panels.
The systems are most often'powered by battery-backed inverters or relatively small transformers.
The recent industry and NRC fire tests confirm that thehbehavl(i of cable faults on 120 V systems is fundamentally different than that for faultI on 480 V and higher systems.
Theory predicts that sustained arcing faults at'the 120 V level are not credible because the system is not able to repeatedly overcome, thc reignition voltage of 375V_. Indeed testing appears to confirm this point. This is not to s\\yvthait arcmig faults cannot occur at the 120 V level, but rather that they cannot be sustained
- Arcing faults on 120 'V systems have been said to be "sputtering" faults. They arc, extwnguish, and then re-arc and extinguish in a random manner based on the local conditions and geometry at the fault. The test data identified two cases that may have falle into this category*. These cases are included in the data set analyzed in Section B.
1.-*t-s notewortlIy that the current profiles for these cases show current to be erratic and unpredictable, but at no time did current rise to HIT levels and remain there for more thanL few'seconi*s.
Ultimately, the fault in each case degraded to, a lu tvel and was cleared by the fuse. These faults may also have simply been aicase in which the localizedinsulation breakdown effect shifted as a result of the fire spnam-cs.
Regardless of the ecific phenomena at work, these cases are included in the analysi s The test data clearly show, that faults at these levels on average do not clear as rapidly as faiults at higher voltages.- %With our understanding of fault behavior, the reason for this is somewhat intuitih.
T*e appeihd voltage stress and available fault current are orders of magnitude lower than,for higler voltage power systems. Hence, the local conditions are not njearly as violent and the cable failure sequence simply progresses at a slower rate.
That iý, the energy released at the fault is much lower, and thus the insulation is not driven to' full failure as rapidly. Additionally, the magnetic forces at this level do not cause the dynamic effects (movement of conductors) observed for high energy system faults.
The electrical properties and characteristics for faults on 120 V systems are discussed in Section B. 1-6.1. The expected impact of these faults is addressed by the items below:
m The test data indicates that 120 V faults do not manifest themselves in a manner conducive to sustained HIF conditions. Once the fault has progressed to a certain level, it cascades rapidly to full failure within seconds or 10s of seconds, as shown by the test data (summarized below). This phenomenon was observed consistently in all the EPRINEI test data and NRC/SNL data, B.1-57
NEI 00-01, Revision 2(c)
January 2008 with the exception of instrument circuits,2 8 which are not within the scope of this analysis.
The transition region at which the cascading effect begins appears to range from approximately 10 kK to 1,000 0. But in all instances, when leakage current exceeded 0.25 A the fault was driven to failure and the fuse cleared.
The 0.25 A (480 fK fault resistance) threshold is important because this level of fault current (more appropriately classified as leakage current at this level) poses no conceivable risk for any realistic circuit with respect to the MHIF concern.
M This analysis uses 2 A as the benchmark vale for fault current flow that represents a lower limit of current poteCati~fVll concern from a MHIF perspective. This value represents 67% uf the tcst circuit continuous current capability (i.e., 3 A fuses). Analyqis f tlhe test rovides us with the following probabilities associated w.itlht time frames r
earing faults once fault current has risen to 2 A.
e 95% confidence lel Pis, also shown to quantify uncertainty in the data si
\\I N
28 The inability of instrument power supplies to transfer appreciable energy to the fault appears to preclude rapid failure in some cases. The impact of this effect on instrument circuits is discussed in the NRC/SNL report [3].
B.1-58
NEI 00-01, Revision 2(c)
January 2008 Probability of 95% Lower Time (min)
Clearing Fault Confidence Limit 0.1 89.3%
82.3%
0.2 90.7%
84.1%
0.3 92.0%
85.9%
0.4 93.3%
87.7%
0.5 94.7%
89.6%
0.6 96.0%
91.6%
0.7 96.0%
91.6%
0.8 100.0%
, l 100.0%
1.0 100.0%
100.0%
The two key observations gleaned from the probability values are:
Over 80% of the faultSiare cleared in less than 0. 1 min at a 95%
confidence level 100% of the faults (6rýfearly 100o% if some margii is added for general uncertainty) clearwýithin 0.8 mm at a 95% confidence level The EPRI/NEI test`data revealed NO~
s in which the test circuit fuse failed to clear once curent exceed 0.17 A (7100 0 fault resistance) -
an important observation supporting the prermiseXlh;ta faults do not "hang up" once cascade failure begins.
The test circuits upon which' the probablility values are based contained 3 A fusie A fair question to ask is whether the probability values are applicable to circuits with larger protective devices, for instance a 5 A or 10 A branch circuit fuse. Based on the fault characteristics, applying the results to high rated devices appears justified.
Once current has passed 2 A, the fault resistance has degraded to a low level and the system, rather than the fault, becomesgthe primary determinant of the fault current magnitude. Provided the protedtiseof devices are adequately coordinated and the system provides sufficierinticult current, the relative timing of the devices will be maintained demonsover the ontire fault current range. The important behavior here is that taue faults 1d niot "hang up" and thereby jeopardize the coordination scheme by prnea 0 a thie lowerault currents below detectable levels.
Conclusion ~~
A detailed analysis of fault behavior for 120 V systems indicates that these faults do not exhibit characteristics that are conducive to sustained Ht conditions.
The analysis demonstrates that once fault current surpasses a certain threshold level, the fault repeatedly and reliably degrades to a low level that will trigger overcurrent protective action for an adequately designed system. This threshold level varies but appears to be near 0.2 A at the lower limit. This level of "abnormal current flow" does not pose a risk with respect to the MHIF failure mode and in fact does not even render the affected circuit inoperable. The fundamental fault characteristics upon which this conclusion is B.1-59
NEI 00-01, Revision 2(c)
January 2008 based were readily apparent in the EPRI/NEI tests and the NRC/SNL tests. Additionally, a similar utility-sponsored test conducted in 1987 revealed the same basic behavior [27].
The analysis supports a conclusion that, for 120 V power supplies conforming to the Base Case, the probability of MHIFs is sufficiently low to classify the failure mode as an incredible event that does not pose a credible risk to post-fire safe shutdown.
B.1-7.4 125 V and 250 V DC Systems 125 V and 250 V DC systems provide control power andgibtive power to essential equipment, including switchgear and motor control circui,5notor-operated and solenoid operated valves, instruments, and emergency lighting. O(ereurrent protective devices are generally molded case circuit breakers or fuses locate4lvi(hin power distribution panels.
Low voltage power circuit breakers are sometimes used at the DC control centers.
The test data and industry information prested in Section B. 1-6.0 a y
ly to AC power systems and thus cannot be directly a 1lied to DC systems.
Howce the well-understood differences between AC andD Dpower allw the results to b reasonably applied to DC systems as explained below:
M Arcing type faults o1w voltage DC svrtems cannot be ruled out using the same logic applied to l oltage AC syst nce an arc is struck on a DC system, it has no sinusoidal výteorw to initi**e the ignition-extinguishment cycle, and thus the conce~pt od i mwimum re-lgaton voltage does not apply.
However, high impedance*
arcing faults are primarily an AC system phienomeioti
.The low-magitude current associated with an arcing fault is due he ignition - extinguishment cycle of the fault, which serves to largely,*
to*de* iinto-
- 2
,1 1Wet÷ r fault current. IniDC system, fault current more readily flows withotitri on oncea shoit ircuit begins. This continuous current flow not coiduncive to prolon*::* d, sporadic arcing conditions.
Once the fault ibs, theoicts that1d will quickly escalate in magnitude and will be rapilyk
ýieýredbi asroperly designed protective system.
Operating exerii spports, 1his theory in that high impedance arcing faults are not ied a
concern by industry standards and literature.
For non-cing faults on 125 V DC systems, the analytical results for 120 V AC systems can be conservatively applied.
The key failure phenomenon o
in the test data is the cascading effect once leakage current exceeds the thieshold level. Here again the continuous nature of DC power supports a position that energy will be transferred to the fault faster in a DC system because the voltage stress applied at the fault is constant and will precipitate a quicker breakdown of the insulation.
M As a second factor affecting the rate of cascade failure, the test data shows a correlation between available fault current and the expected clearing time.
DC systems at nuclear power plants are battery-backed, and thus are capable of delivering high fault currents almost instantaneously. These fault currents are often an order of magnitude larger than exists on 120 V AC systems.
B. 1-60
NEI 00-01, Revision 2(c)
January 2008 Virtually all DC power distribution systems at nuclear plants operate ungrounded. Thus, ground faults are not of concern in a manner similar to AC power systems.
Operating experience with faults on battery-backed DC power systems is that the fault will likely blow open but it can also quickly weld itself. In either case, whatever is going to happen happens almost instantaneously.
Conclusion Test data and industry literature pertaining to fault characterstics for representative DC power systems are not readily available. However, a reasoia*ie extrapolation of the analysis results for AC systems is accomplished lif!iig.
engineering raionale based on the differences between AC and DC power. The iiherent characteristicsLof'DC power do not introduce any known factors that precluhdappcation of the analysis results to DC systems. To the contrary, DC power chara steiics lend credence to a position that the AC results are conservative with respect to DC poersystem performance. Although not a technical basis, it is noteworthy that the NRC hii it, its stated concern with MHIF to AC power systems [4].
It wouldappear that NRC technical experts investigating the issue concur that the postulated pheromena are limited to uower systems.
B.1-7.5 Failure Consequence Analysis o
Elements of this MiF ýevaluation cdiain risk-informed arguments.
As such, it is' prudent to asses not ony likelihood ofthc postulated failure mode, but also the potential consequencesf oikalure.
B.1-7.5.1 LossofSafe Shutdmon Pow-Sp 1Th1 MI.I..
1Ffiluic1 mode
- a result in a safe shutdown power supply becoming de-energized, whicl m tur ciii111potentially lead to de-energization of safe shutdown tq uIi pment. This fiaiIihie moduis fundamentally different than electrical failures resulting frum iIfdirect effect Iof fire. The direct effect failure modes (i.e., shorts-to-ground, hot shorts. open circuits) cause circuit damage that can only be rectified through repairs. The MHIF fallimir odes i not unrecoverable in the sense that restoration involves resetting an overcurrent relayclosing a circuit breaker, or replacing a fuse. (It is acknowledged that fuse replacement is generally classified as a "repair activity" within the compliance guidelines for Appendix R. Nonetheless, from a "consequence" point of view, replacing a fuse - which typically requires no tool or a simple tool - is fundamentally different than a repair involving the replacement of cables and components.)
It is understood that operators are credited with identifying the problem and taking steps to restore the affected power supply to service. Given that almost all safe shutdown power supplies require some local action for alternative shutdown or spurious operation mitigation, it is also probable that critical power supplies are covered by emergency lights and that access/egress paths have been considered. On this basis, the MHIF failure mode is considered to have a low consequence and is not a significant contributor to fire risk.
B. 1-61
NEI 00-01, Revision 2(c)
January 2008 B.1-7.5.2 High-Low Pressure Interface Components This analysis strives to maintain consistency with existing regulatory perspective.
Accordingly, it is considered prudent that in applying this criteria, it be confirmed that a postulated MHIF does not have the capability to initiate an opening of a high/low pressure interface, due to the potentially severe consequences.
[his clonsraint should T* prove'IIIhmitf IntLhat, high/lowprDessffc jkimteace components aremostýalways 0esig de:toan( sae in the "closed" or "isohols saie and the M4HIFfailuremoi(de2 will dVwajsi~iivove de-energizatillon B. 1-62
NEI 00-01, Revision 2(c)
January 2008 B.1-8 CONCLUSIONS This analysis investigates fire-induced circuit failure characteristics to determine if and under what conditions the MHIF failure mode poses a credible risk to post-fire safe shutdown.
The analysis is based on objective test data and recognized engineering principles as documented in test reports, consensus standards, and other credible industry references. The analysis considers both likelihood and consequence, and also addresses analysis uncertainty for critical results.
A Base Case set of conditions has been established to define the limits of applicability for the analysis. Within the defined limits, this MHIF alysis is-intended to serve as a generic evaluation and is considered to satisfy 'the regulatory requirement that high impedance faults be considered in the analysis of associated circuts., Circumstances that fall outside the defined Base Case will require a plant-specific analysis.-
A detailed analysis of fault characteristics for the voltage levels of interest indicates that these faults do not exhibit characteristics that coincide with that of concern for MHIFs.
The analysis supports a conclusion that the probability of MFIFs for power supplies conforming to the Base Case is sufficiently low to classify the failure mode as an incredible event that does not pose a ceýible risk to post-ffre safe shutdown.
The results and conclusions of this analysirs:lmay*
be usd to support a licensing basis change (using an approved regulatory pjrocess) und,; th0 following conditions:
The poxverysupppv conforms to the Base Case requirements.
The power suppl wAilli niNtcuse opening of a high/low pressure interface boundary if dec-eneraiz B. 1-63
NEI 00-01, Revision 2(c)
January 2008 B.1-9 REFERENCES NRC Documents I.
Regulatory Guide 1.189, Fire Protection for Operating Nuclear Power Plants, U.S. Nuclear Regulatory Commission: April 2001.
- 2.
Generic Letter 86-10, Implementation of Fire Protection Requirements, U.S.
Nuclear Regulatory Commission: April 24, 1986.
- 3.
F.J. Wyant and S.P. Nowlen, Cable InsulationReist Measurements Made During Cable Fire Tests, Sandia National aboratorie§ lbuqiuerque, NM: June 2002. USNRC NUREG/CR-6776, SANT2-02;0447P.
- 4.
Olan D. Parr to ASB Members Notehdated November 30, 1981.
Subject:
Fire Protection Review Guidance.
Consensus Codes & Standards
- 5.
ANSI/IEEE C37 Series Stdirds, Power SEner Switchgear Collection, 1998 Edition.
- 6.
IEEE 141-1993 (R1999), IEEE¢Rem ld* Practice for Electric Power Distribution for.Ininustrial Plant. (Red Book)"
- 7.
ANSI/IEEE1242-1986 (2001), IEEERecommended Practice for Protection and Coordination ofIln taLand Conrn2ercial Power Systems. (Buff Book)
N S1I.fIEEE 1015 9
-97 11EEE Recommended Practice for Applying Low-Voltage CircmiO*B kers Usedin Industrial and Commercial Power Systems. (Blue B:::
ook).
- 9.
ýNSI IEEE 38--1974 (R1980), IEEE Standard for Type Test of Class 1E Electric Ceables, Field, h,'pices and Connections for Nuclear Generating Stations.
- 10.
ANSIINP1 70, National Electrical Code, 2002 Edition.
- 11.
NEMA ICS-1-1993, Table 7-2, "Clearance and Creepage Distance for Use Where Transient Voltage are Controlled and Known."
Industry Documents
- 12.
Characterization of Fire-Induced Circuit Failures: Results of Cable Fire Testing, EPRI, Palo Alto, CA: 2002. 1003326.
B.1-64
NEI 00-01, Revision 2(c)
January 2008
- 13.
J.R. Dunki-Jacobs, "The Effects of Arcing Ground Faults on Low-Voltage System Design," IEEE Transactions on Industrial Applications, Vol. IA-8 No. 3:
May/June 1972, pp 223-230.
- 14.
J.R. Dunki-Jacobs, "The Escalating Arcing Ground-Fault Phenomenon," IEEE Transactions on Industrial Applications, Vol. IA-22 No. 6: November/December 1986, pp 1156-1161.
- 15.
L.E. Fisher, "Resistance of Low-Voltage AltematingCurrent Arc," Conference Record of the 1970 Annual Meeting of the IEEE Industry and General Applications Group. October 1970, pp 237-254.>
- 16.
J.A. Gienger, O.C. Davidson, and R.W. Brinde1, "Determination of Ground-Fault Current on Common A-C Grounded-Neutral Systems iiw :*Standard Steel or Aluminum Conduit," AIEE Transacttons on Applications and 1ndustrV Part I1 Vol. 79: 1960, pp84-90. *
- 17.
R.H. Kaufmann, "Some Fundamentals of I qupment Grounding Circuit Design,"
AIEE Transactions on Applications and Indist,t, Part 11, Vol. 73: 1954, pp 227-231.
- 18.
R.H. Kaufmann and J.C. Page, Arcing Eault Protection for Low-Voltage Power Distribution Systems - Natureof droblen.)/
Transactions Part II1, Power Apparatus anidSvems Vol 79 (Paper 60-83i: June 1960, pp 160-167.
- 19.
R.H Kaufmann Ignition and Spread of Arcing Faults," 1969 Industrial and Comhmenrcial Power, Svstenis and Electric Space Heating and Air Conditioning Joint Techmcal fereh'e:,May 1969, pp 70-72.
- 20)
Kusko and S MP ýran, "Arcing Fault Protection of Low-Voltage Distribution Systems mikBuildings" Conference Record of the 1987 IEEE Industry Applicationsý Socty Annual Meeting, Part I: October 1987, pp 1385-1389.
21 1 1JShields, "The Problem of Arcing Faults in Low-Voltage Power Distribution 6, tems," IEEE Transactions on Industrial and General Applications, Vol. IGA-3 No/.! tnu
/February 1967, pp 15-25.
- 22.
C.F. Wagner and L.L. Fountain, "Arcing Fault Currents in Low-Voltage A-C Circuits," AIEE Transactions, Part I, Vol. 67: 1948, pp166-174.
Miscellaneous
- 23.
William, J.
Statistics for Nuclear engineers and Scientists, Part 1:
Basic Statistical Inference, Department of Energy, Washington DC:
February 1981.
WAPD-TM-1292.
B. 1-65
NEI 00-01, Revision 2(c)
January 2008
- 24.
Hahn, Gerald J. and Meeker, William 0.
Statistical Intervals, A Guide for Practitioners, John Wiley & Sons, Inc., Canada: 1991-
- 25.
Stevenson, William D. Elements of Power System Analysis, McGraw-Hill: 1992.
- 26.
Power Plant Practices to Ensure Cable Operability, EPRI, Palo Alto, CA: July 1992. NP-7485.
- 27.
Appendix R Multiple High Impedance Cable Lu*i, Flame Test Report, Philadelphia Electric Company, Philadelphia, PA:
tMaiy 27, 1988.
N e,7 B. 1-66
NEI 00-01, Revision 2(c)
January 2008 APPENDIX C HIGH / LOW PRESSURE INTERFACES C.1 PURPOSE The purpose of this appendix is to identify considerations necessary to address the issue of circuit analysis of high/low pressure interface components i
C.2 INTRODUCTION 10 CFR 50 Appendix R analyses must evaluate tihe potential for spurnous operations that may adversely affect the ability to achieve and maintain safe shutoown. A subset of components considered for spurious operation involves reactor coolant pressure boundary (RCPB) components whose spurious operation can le.
to uan unacceptable loss of reactor pressure vessel/Reactor Coolant System (RPV/RCS kventory via an interfacing system loss of coolant accident (ISLOC%),,Because an ISLQ(A is a significant transient, it may be beyond the capability of a gi eri safe shutdown path to mitigate. As a result of this concern, selected RCPB valves eare defined as highýllw pressure interface valve components requiring special consideration and c iteria.
Note: As part of industry efforts to support transition of fire protection programs to 10 CFR 50.48(c) (NFPA 805), a Frequently Asked Question (FAQ) 06-0006 was written to clarify the definition of hiplow pressure interface components. In the closure memo for FAQ 06-0006 dated March 12, 2007, the NRC stated:
".-theuded that0 thb definition provided in NEI-O0-01 for the term
,* high-lopressure;w1nterface" is acceptable.
C.3 IDENTIFYING HIGJLO'W PRESSURE INTERFACE COMPONENTS Regulatory Guidance The criteria for defining high/low interface valve components are described in the following NRC documents.
Generic Letter 81-12 states, in part:
The residual heat removal system is generally a low pressure system that interfaces with the high pressure primary coolant system. To preclude a LOCA through this interface, we require compliance with the recommendations of Branch Technical Position RSB 5-1. It is our concern that this single fire could cause the two valves to open resulting in afire initiated LOCA.
C-1
NEI 00-01, Revision 2(c)
January 2008 BTP RSB 5-1, Rev. 2 Dated July 1981 states in part:
B. RHR System Isolation Requirements The RHR system shall satisfy the isolation requirements listed below.
- 1. The following shall be provided in the suction side of the RHR system to isolate it from the RCS.
- a. Isolation shall be provided by at leastýivo power-operated valves in series. The valve positions shall be i
&id in the control room.
- b. The valves shall have indepe i*deldiverse iter.locks to prevent the valves from being opened uless the RCS pressuire below the RHR system design pressure Failurce fa power suppy hall nota cause any valve to change positiond.
4
- c. The valves shall have independent diverse interlocks to protect against one or both Ivalves being open during an RCS increase above the design pressuire9 th(hefIHR system.-V,,
- 2. One of the followir system to isolate it
- , position
- rbove, Sheckvalves in series with a normally closed power-ot ied v~~a iTh, Pwer-operated valve position shall be indicated in ~~ec rol room. If the RHR system discharge line is used for an 1( Sflinctionthe power-operated valve is to be opened upon receipt Ssafet~yinjection signal once the reactor coolant pressure has decreasedkbelow the ECCS design pressure.
T 2 e check valves in series, or
,Two check valves in series, provided that there are design provisions to permit periodic testing of the check valves for leak tightness and the testing is performed at least annually.
NRC Information Notice 87-50 reiterates:
Appendix R also states that for these areas, the fission product boundary integrity shall not be affected, i.e., there shall be no rupture of any primarv coolant boundary. Thus, for those low pressure systems that connect to the reactor coolant system (a high pressure system), at least one isolation valve must remain closed despite any damage that may be caused by fire. Since the low pressure C-2
NEI 00-01, Revision 2(c)
January 2008 system could be designed for pressures as low as 200 to 400psi, the high pressure from the reactor coolant system (approximately 1000 to 1200 psi for BWRs and 2000 to 2200psi for PWRs) could result in failure of the lowpressure piping. In many instances, the valves at the high pressure to low pressure interface are not designed to close against full reactor coolant system pressure and flow conditions. Thus, spurious valve opening could result in a LOCA that cannot be isolated, even if control of the valve can be reestablished.
The NRC has taken the position that high/low pressure interface equipment must be evaluated to more stringent requirements than non-high/low pressure interfaces when considering spurious operations. The purpose of the requllents is to ensure that a fire-induced LOCA does not occur.
The NRC concern is one of a breach of the R-- boundary, by failhife f the downstream piping due to a pipe rupture or other failures4suih as relief valve operatins. However, if the spurious opening of RCS boundaT alves cainnot result in a pe*upture or unintended relief valve operations (i.e., downstrcam pilnig is rated for thýange of RCS pressures), then the subject boundary valves d nt constitute,high/low pressure interfaces. The following combinations of valves are typically considered as high/low pressure interface concerns:
- a. RCS to shutdown cooling ssysi ii(e.g., Resild alHeat Removal/Decay Heat Removal, etc.) suction vaes,.,
main
&eonstu
- c.
,RiS'hlgh point vent isolation valves
ý;ote thatino ailll of these valves metthe origIihl ciitra iidenificd in GL 81-12,,
'r is RSB *O*... l..
a to each e Liample. io* I i
ll s...jS. the res.lt czonsearemtrattisis homdhe NRC iiensafc hatdown comp.ian.
,IsItrga1in ti Luat plans Ihave evolv'e B11d ce (t1 on theabo ve guidanie 1 n s
to enmine itf a RC PB valveI 01'ýIIL is considered V~k( componentAl,11 valve whose spurious~
Moeig~~l, e~bi a /ossfo4 ~RPFIVR0 S iive Jo and
'u.~othe lower p'e'w"'
tngor oihe,b1,e,aches scha. ;, reie vtl'Mhedownstreami pipýing i interaczn Lo( - (i~e., ptpe mpture in the lowpressur, pipi~ng)......................
C.4 CIRCUIT ANALYSIS CONSIDERATIONS The specific differences made in addressing circuit analysis of high/low pressure interface components are described in NRC Generic Letter 86-10, Question 5.3. 1, which requests a clarification on the classification of circuit failure modes. The question and the response are provided below.
C-3
NEI 00-01, Revision 2(c)
January 2008 5.3.1 Circuit failure modes Question What circuit failure modes must be considered in identifi~g circuits associated by spurious actuation?
Response
Sections III. G.2 and III.L. 7 ofAppendix R definehe circuitfainlur as hot shorts, open circuits, and shorts to ground. For 4onsideration of spurlows actuations, all possible finctional failure states must be at-luated, that is, the comnponent could be energized or de-energized by one or more of the aboveiailure modes. Therejore, valves could fail open or closed; pumps could fail ru2hing oruot rnning, electrical distribution breakers could fail open or closed. For threI1hI'se AC circuits, the probability of getting a hot short on all three phases in the propeseMuenee to cause spurious operation of a motor is considered sufficiein
? as to not reqmuireevauhation except for any cases involving Hi/Lo pressure interface Fob'ungrounded )(DC', itsr _ if it can be shown that only two hot shorts of the proper pthtr ding could cause spurious operation, no fiurther evaluation is nc, r
exc or any cases involving Hi/Lo pressure interfac The respo t,.
t
- 3. 1 establisLes a basis for limiting the number of credible circuit failure m(,&-e ta eed to be poiwlated for non-high/low pressure interface colnponents.
A ic fsam m1 i( itsoplles that further evaluation is required when considcr ircuit ai r o
highjlov pressure interface components.
Further evaluation is, reiredIm a
ses involving high/low pressure interfaces, specifically, the ease of two hot rTlI on a unded DC circuit. The discussion involving the DC c;irt*uit implies thatatwo hot shorts need not be postulated except for high/low pressure intdi,:ecomponent*
High/low ptessure interface valves are identified separately from other safe shutdown componenti ue the cable fault analysis and the effects on safe shutdown due to spurious operiaiin of the high/low interface valves are evaluated more stringently than the safe shutduwn components. The potential for spuriously actuating redundant valves in any one high/low pressure interface as a result of a fire in a given fire area must also be postulated. This includes considering the potential for a fire to spuriously actuate both valves from a selective hot short on different cables for each valve:
C-4
NEI 00-01, Revision 2(c)
January 2008 C.5 FIRE AREA ASSESSMENT OF HIGH/LOW PRESSURE INTERFACES Figure C-1 High/Low Pressure Interface Example Figure C-1 High/Low Pressure Interface Example Figure C-1 High/Low Pressure Interface Example Low Pressure Piping In this example the postulated fire damage is evaluated for two cases. In the first case, Case (a), thebFis assumed to have the potential to cause the spurious opening of one of the two seriesnrmally closed high/low pressure interface valves. In the second case, Case (b), the fire is assumed to have the potential to cause the spurious opening of both series high/low pressure interface valves.
Case (a):
For this case, the spurious opening of either one of the two series high/low pressure interface valves can be justified on the basis that the other valve will remain closed and prevent an interfacing system LOCA.
C-5
NEI 00-01, Revision 2(c)
January 2008 Case (b):
For this case, the argument applied above would be unacceptable.
Examples of acceptable alternatives would be to protect the control circuits for either valve in the fire area, to reroute the spurious circuits or to de-i qw of the a,,,"
.*: r<evetspu opening.
A mitigating action may be taken prior to the start of the fire event that precludes the condition from occurring, or a post-fire action may be taken th tmitigates the effects of the condition prior to it reaching an unrecoverable conditio.i.relative to safe shutdown, if this can be shown to be feasible. When mitigating acticns are taken, they must comply with the applicable regulations and licensing bases.
C.6 REFERENCES C.6. 1 Branch Technical Position BTP RSB ev 2 July 198I.
C.6.2 Generic Letter 81-12, "Fire Protection Rlu e ebruary 20, 1981.
C.6.3 Generic Letter 86-10 "Ifup hnatentation o Fir otection Requirements," April 24, 1986.'*
C.6.4 IN 87 Potential LC Damage, OctoMr*r 9, 1987.
Interfaces from Fire C-6
NEI 00-01, Revision 2(c)
January 2008 APPENDIX D ALTERNATIVE/DEDICATED SHUTDOWN REQUIREMENTS D.1 PURPOSE The purpose of this appendix is to provide the requirements for alternative and dedicated shutdown that are distinct and different from the requirement fr redundant shutdown.
Refer to the introduction to Appendix G for information/oni the tratment of MSOs for III.G.3 areas.
D.2 INTRODUCTION The use of alternative/dedicated shutdown a
,iityis required in pliL s
ecific fire areas where protection of a redundant safet shutdown pathfrom the effectsotffire was not possible. Alternative/dedicated shutdown caplit'i, isgenerally specified for the control room.
Other plant areas where alternative/dedicataed shutdown capability may be required include the cable spre~ing room, electricail di'tribution room, relay room(s), or other plant areas where significa u natities of control cleq are routed and redundant trains of safe shutdown equipimci inot been sep tL:d in accordance with the requirements specified in Section III0.2 oT' p
)
ejndiLx R. fhe areas where alternative or dedicated shutdown is credited are fin1ed inm ilie
-icensing basis documents for each plant. Use of thcttýlrm a1ternative or dkicated shut16dwn is applied to the specific plant area(s) and notrio the equipment or methiodology (capability) employed to achieve safe shutdown.
I l en tatzv~ledicated shwdown capability may be different for each of the defined areasti* an jactions may 1icutilized for alternative/dedicated shutdown capability accordanIewhMW mqii ents and guidance.
tenatvededc..d.hut.w capability requires physical and electrical independence lom the area o'corrIcern.
isiusually accomplished with isolation/transfer switches, 6
pefic cable ro1atiug andi'protection, and remote shutdown, panel(s).
The alterN tve/dedicated sI(fe shutdown system(s) must be able to be powered from the onsite powei plies, which must be physically and electrically independent from the area under c6o sderatioGnThe availability or loss of offsite power and loss of automatic initiation liug ls must be accounted for in the equipment and systems selected or specified.
All ictivities comprising the alternative/dedicated shutdown capability are considered miftgating actions and need to be evaluated against regulatory acceptance criteria to ensure that the goals and criteria in Section III.L are met.
Appendix R Section III.G.3 requires that the equipment, cabling, and associated circuits required for alternative shutdown must be independent of the fire area being evaluated.
Therefore, in the case of a control room fire, the safe shutdown systems and components may be similar to those used in other areas for redundant shutdown; however, they must be physically located outside the fire area and, if required, the control of the components must be electrically isolated by transferring control to a remote shutdown control D-I
NEI 00-01, Revision 2(c)
January 2008 station(s). Examples of components and cables that must be physically and electrically independent of the control room for alternative or dedicated shutdown use include the components that can be controlled from a remote shutdown panel and the cables that provide control from that panel once they are isolated from the control room circuit. GL 81-12 required that each Appendix R plant submit its modification plans for their alternative shutdown capability for prior staff review and ippBii _ These submittals typically included details of the proposed isolation/transfer design.
This appendix describes those aspects of the method6logy and guidance for alternative/dedicated shutdown that are different from the Methodology and guidance applied for redundant post-fire safe shutdown in the bodyAf this document. Section D.3 overviews the methodology as it relates to control roomnL firesislnce the control room is the fire area where alternative shutdown is predominantly use "Section D.4 describes the regulatory requirements for alternative and1,d deicated shutdowni Section D.5 itemizes the differences in shutdown methodologybcween alternative/dediCated shutdown and those supplied in the body of this docunaent for recjundant shutdown.
Section D.6 recommends additional operator actions that should be considered for us* on a plant-unique basis for fires requiring control room evacuatib'n.
D.3 OVERVIEW Since the many nuclear plants use thbe ale dedicatedshutdown scheme exclusively for a control room fire this overviewA dries liifiocation only. An exposure fire in the Control Room 'o ýin operating nuclear power plant would be a potentially serious event. The likelihood odfý control rooii *fire, however, is considered to be small. The worst-case expe.:ctid fiictre f5control roon ~would be one that is contained within a single section of a control panel. This is true because the control room is continuously manned, the introductioni of combutlc juibinctrials and ignition sources is strictly controlled, and the fii1 pj'LCroteclon and1, seaaio eaiiis designed into the control room are focused on the preventioni of suLiiich an'
~tt The expected plant response to this type of event would h'to immediately extin~is,,h the fire and to determine the need to initiate aliltýnative/dedicated shutdown.
While the fire is being extinguished, assuming that the Contr ofRoom remnainsý habitable, the remaining Control Room operators would continue to perfoir their dutýiesi as trained, responding to alarms and monitoring important plant parameters.
Despite this, tieupost-fire safe shutdown analysis for a control room fire must assume fire damage to all of the systems and equipment located within the Control Room fire area.
Additionally, the analysis assumes that all automatic functions will be lost and a loss of offsite power will *Ccui._ _CConsequtently, the operators will be forced to evacuate the control room and to safely shut down the unit from an emergency control station(s). The size and intensity of the exposure fire necessary to cause this damage are not determined, but are assumed to be capable of occurring regardless of the level of combustibles in the area, the ignition temperatures of these combustible materials, the lack of an ignition source, the presence of automatic or manual suppression and detection capability, and the continuous manning in the control room.
D-2
NEI 00-01, Revision 2(c)
January 2008 Generic Letter 86-10, Response to Question 5.3.10, states, "Per the criteria of Section Il.L ofAppendix R a loss of offsite power shall be assumed for afire in any fire area concurrent with the following assumptions:
- a.
The safe shutdown capability should not be adversely affected by any one spurious actuation or signal resulting from afire in any plant area; and
- b.
The safe shutdown capability should not be adversely affected by afire in any plant area which results in the loss of all automatic finction (signals, logic) from the circuits located in the area in conjunction with one woro e
- spurious actuation or signal resulting from the fire; and
- c.
The safe shutdown capability, should not be advers, affeocted by afire in any plant area which results in spurious actuation of the.r dilmeia valves in any one high-low pressure interface line.
The analysis must consider the effects of ch potential spuriou operation and the mitigating action(s) that may be necessaijo.r each.:
_These conservawitvjeissumptions form the design basis for control room fire mittga. n As with the post-fire safe shutdown analysis perff red in areas where redundant safe shutdown 'paths are used, the zmana1is must be ca not to improperly apply the conservative assumptions describcdlhe, for example, l imssunption that unprotected circuits in a given fire area are dama ed 1ythe ir This assýutmption is conservative only in terms of not being able to creditthe sIi: !s nd uýl Lpment associated with these circuits in support of post-fire safe su tdbown. i the analyst, however, were to assume that these circui were to, be damage4hby the fire when this provided an analytical advantage, th
ý(swould b: nonconservative.
For example, assuming that fire damage results in os o oite power ma nonconservative in terms of heat load assumptions s
use Hi an determine the need for HVAC systems.
D.4 APPEIN DIX R EG'U LA 'TORY REQUIREMENTS AND GUIDANCE A )pLndix R Sectio I
pIrovides the requirements for alternative or dedicated shutdo capability jus to provide post-fire safe shutdown.Section III.G.3 states:
'lternati, or dedicated shutdown capability and its associated circuits,1 injdeendeFnt of cables, systems or components in the areas, room or zone untic consideration, shall be provided:
- a. Where the protection of systems whose fiunction is required for hot shutdown does not satisfy the requirement of paragraph G.2 of this section; or
- b. Where redundant trains of systems required for hot shutdown located in the same fire area may be subject to damage from fire suppression activities or from the rupture or inadvertent operation offire suppression systems.
D-3
NEI 00-01, Revision 2(c)
January 2008 In addition, fire detection and a fixed fire suppression system shall be installed in the area, room, or zone under consideration.
III.G.3 Footnote 1 - Alternative shutdown capability is provided by rerouting, relocating or modification of existing systems; dedicated shutdown capability is provided by installing new structures and systems for the function of post-fire shutdown.
To satisfy the requirements of Section III.G.3 and use alternativ*
or dedicated shutdown capability, the cables, systems or components comprisinjtte~
alternative or dedicated shutdown capability must be independent of thel area under consideration.
Alternative/dedicated shutdown capability meeting" th irements of Section III.G.3 must satisfy the requirements of Section III.L. Secti III.L. I pro ides requirements on the shutdown functions required for the syfumsrlected foPr ttemative/dedicated shutdown. It also provides the minimum ign criterion for the
, stems performing these functions.
L. Alternative and dedicated shutdown a
.abflit1.
- 1. Alternative or dedica' 4hutdown capabfV provided for a specific fire area shall be able to (a) a v,::nd maintain s..
tical reactivity conditions in the reactor; (b) maintain c (-!ant (c) achieve and maintain hot standby2 conditions fý ý/'r a P O
shutdowvn2 for a BWR), (d) achieve cold shutd wn conditions wi u72 ou ind (e) maintain cold shutdown condiftio erafier. Dunn,,,gihe posDfire shutdown, the reactor coolant sys e1mprce 0riables sha~llbe maintained within those predicted for a loss 4of lra
,a.c.
po)ower, and thebor i.ion product boundary integrity shall not be affec i,
teroýhall be nljuel clad damage, rupture of any primary colat n ~~ar*yln rwl'pre W the containment boundary.
JI.II Fo~~~oo
.te 2
sdefined in the Standard Technical Specifications.
111.G.j Foinote IAlternative shutdown capability is provided by rerouting, relocating wr modification of existing systems; dedicated shutdown capabilityP is providedý/by installing new structures and systems for the function of post-
"ir w
shutdown.
Section III.L.2 identifies the performance goals for the shutdown functions of alternative/dedicated shutdown systems as follows:
- 2.
The performance goals for the shutdown functions shall be:
- a. The reactivity control finction shall be capable of achieving and maintaining cold shutdown reactivity conditions.
- b. The reactor coolant makeup function shall be capable of maintaining the reactor coolant level above the top of the core for B WRs and be within the level indication in the pressurizer for PWRs.
D-4
NEI 00-01, Revision 2(c)
January 2008
- c. The reactor heat removal function shall be capable of achieving and maintaining decay heat removal.
- d. The process monitoring function shall be capable of providing direct readings of the process variables necessary to perform and control the above functions.
- e. The supporting functions shall be capable of providing the process cooling, lubrication, etc., necessary to permit the operation of the equipment used for safe shutdown functions.
When utilizing the alternative or dedicated shutdownii capab:ility, transients that cause deviations from the makeup function criteria (i c2.b above)'have been previously evaluated.
A short-duration partial core uncovery, (approved 1F*BWRs when using alternative or dedicated shutdown capability) and a short duratiol,RCS level below that of the level indication in the pressunrpc for PW\\Rs are two such kianqsients. These transients do not lead to unrestorable %on°diliions and,thus have beel emed to be acceptable deviations from the performanc al For Appendix IR plants, these conditions may not meet the requirements of II.L and an exemption request may be n e e d e d.
p i e n t Section III.L.7 also highlights t[1 imiportance of con sidering associated non-safety circuits for alternative shutdown capability 1,,tating the following:
"The safe,,ýu equipment d
systems.f*
r each fire area shall be known to be isolktedfroni'sociated non-safety circuits in the fire area so that hot shorts, ircwtI ts orts to. ground, in the associated circuits will not prevent operationýý t
sifhutdown equiJ,?nent.
Additionial gidance on the topic ofalteative/dedicated shutdown has been provided in MU CGeneric Ir8-
,2 NRC Information Notice' 84-09 (7Generic Letter 86-10.
Furthermoribasedn the guidance information in IN 85-09 as indicated below, the availability ot reudndant fusing should be considered when relying on transfer switches.
During a recent NRC fire protection inspection at the Wolf Creek facility, it was discovered that a fire in the control room could disable the operation of the plant's alternate shutdown system. Isolation transfer switches of certain hot shutdown systems 29 NRC Letter December 12, 2000 (ML003776828) states, with respect to BWRs, "The staff reiterates its longstanding position that SRV/LPS is an appropriate means of satisfying Section II.G.3 of Appendix R (regardless of whether SRV/LPS can be considered to be a means of redundant hot shutdown capability)." Later the staff also concludes that "SRV/LPS meets the requirements of a redundant means of post-fire safe shutdown under Section mI.G.2 of 10 CFR Part 50, Appendix R."
D-5.
NEI 00-01, Revision 2(c)
January 2008 would have to be transferred to the alternate or isolated position before fire damage occurred to the control power circuits of several essential pumps and motor-operated valves at this facility. If the fire damage occurred before the switchover, fiuses might blow at the motor control centers or local panels and require replacements to make the affected systems/components operable. This situation existed because the transfer scheme depended on the existing set offuses in the affected circuit and did not inchlde redundant fuses in all of the alternate shutdown system circuits. For most of the transfer switches, the situation would not cause a problem because the desired effect after isolation is the deenergization of power. In instances where the systemn/co wone has to be operable or where operation might be required to override a spurious
ýuation of a component (such as a motor-operated valve), replacement of fuses mail,.
7vebecome necessary. In such cases, troubleshootingrepair would be required to ac ve m*ailtain hot shutdown.
Additional guidance for selecting the proccs monioring funoirns for alternative shutdown is provided in IN 84-09 as indicatd ii the following excei om GL 86-10.
- 1. Process Monitoring Instrumentation'Section III.L.2.d of Ap endix R to 10 Ci.1?.NPart 50 states that "the process monitoring function sha b capable of providi direct readings of the process variables necessary to pe.Ior a nd control" tJ reac ivity control function. In I&E Information Notice o8-,
,**staff provid a, listing of instrumentation acceptable to and preferred *y t/ ialo deionstrate compliance with this provision. While this g method for compliance prvsin I~
it*
guidanc povde an ccetabl with theidoes not eld other alternative methods of compliance.
Accordngly a lzc~rijee may propose*Z to the staff alternative instrumentation to comnq)/a th, rg,,lation (e.g., hwn concentration indication). While such a stbmittali~snot a emrtion request, it must be justified based on a technical F1or Appendix YR Scion1TG.3 the area/room/zone under consideration should be rovided with a flxeds
.n system and fire detection.
Additional guidance regarding the requirements for suppression and detection in rooms or firtNoes relyingii alternative/dedicated shutdown is provided in GL 86-10 Question 3.1.5.
3.1.5 Fire Zones QUESTION Appendix R,Section III. G.3 states "alternative or dedicated shutdown capability and its associated circuits, independent of cables, systems or components in the area room or zone under consideration...." What is the implied utilization of a room or zone concept under Section III.G of Appendix R?
The use of the phraseology "area, room or zone under consideration" is used again at the end of the Section III. G. 3. Does the requirement for detection and fixed suppression D-6
NEI 00-01, Revision 2(c)
January 2008 indicate that the requirement can be limited to afire zone rather than throughout a fire area? Under what conditions and with what caveats can the fire zone concept be utilized in demonstrating conformance to Appendix R?
RESPONSE
Section lIu.G was written after NRC's multi-discipline review teams had visited all operating power plants. From, these audits, the NRC recognized that it is not practical and may be impossible to subdivide some porii,, of an operatingplant into fire areas. In addition, the NRC recognized 1 iin ome cases where fire itintmocss hrefr areas are designated, it may not be possibl r)ovide alternate shutdown capability independent of thefire area and, th for WOld have to be evaluated on the basis of fire zones within the fire nar. The NRC also recognized that because some licensees had not yet perforn, a safe shu wn analysis, these analyses may identify newunique cofigturations.
To cover the large variation u fiýibe co gfrations the ofqdrements Of Section II1. G were presented in three Pit,s.
Section III. G. 1 requires one train of hot shut systems be free offire damage and damage to cold shutdownhystems be it NRChas stated that 1)Section III.G.2 does not allow the Useof operator manualr actions without prior approval to demonstrate compliance.w.ith Section IlIG.2 whien redundant trains are located in the same fire area, and 2) despite Scti~oifi. G. 1, compliance with Section III.G.2 needs to be demonstrated when reduldant trains are located in the same fire area, Rulemaking currently inprogress will impact this position. Repairs to, or manual operation of, equipment required for cold shutdown are allowed in accordance with current regulations and regulatory guidance.]
,Section11I. G.f2provides certain separation, suppression and detection requirements within,fire areas; where such requirements are met, analysis is not necessaiy.
[As clarified in Section 3.4.1.6 of this document (excepting emergency control stations), depending on a plant's licensing basis, exemption requests, deviation requests and GL 86-10, Fire Hazards Evaluations or Fire Protection Design Change Evaluations may be used to demonstrate equivalency to
[i separation requirements of Section III.G.2 as long the ability to achieve and maintain safe shutdown is not adversely affected.]
[Note the current NRC position above on the use of unapproved operator manual actions]
Section III.G.3 requires alternative dedicated shutdown capability for configurations that do not satisfy the requirements of III.G.2 or where fire suppressants released as a result of fire fighting, rupture of the system or inadvertent operation of the system may damage redundant equipment. If alternate shutdown is provided on the basis of rooms or zones, the provision of fire detection and fixed suppression is only required in the room or zone under consideration.
D-7
NEI 00-01, Revision 2(c)
January 2008 Section 11I.G recognizes that the need for alternate or dedicated shutdown capability may have to be considered on the basis of afire area, a room or afire zone. The alternative or dedicated capability should be independent of the fire area where it is possible to do so (See Supplementary Information for the final rule Section IlG). When fire areas are not designated or where it is not possible to have the alternative or dedicated capability independent of the fire area, careful consideration must be given to the selection and location of the alternative or dedicated shutdown capability to assure that the performance requirement set forth in Section III. G. I is met. Where alternate or dedicaed shutdown is provided for a room or zone, the capability must be physically and electrically independent of that room or zone. The vulnerability of the equipment and personnel required at the location of the alternative or dedicatedhj s down capability to the environments produced at that location asresult of thefir or fire suppressant's must be evaluated.
These environments may be dueto e hot lae r, smoke, dryftnsppressants, common ventilation systems, comma drain ysýtens or floodig. In addition, other interactions between the lorii uimy be possible in unique configurations.
If alternate shutdown is pi, ded the bas
ý) sfor zones, the provision of fire detection and fixed supj7 rs;(misýon rq.7u*wie in the room or zone under consideration. Compliance with Sýecton 11.'.
cannot be based on rooms or zones.
See allýJ fS7ectio> r0iand #6 of the "Interpretations of AppendiL R."
Additional guidanei, alternative shutdown is found in GL 86-10 Enclosure 1 "Inte rrciaions of A d
I anEncl'osure 2 "Appendix R Questions and Answers" SeCtiol k Qstion 0
o1 G(
(
10 addresses the plant transients to be considered when desgrign
- tiine, ive or dedicated shutdown system:
5.3.10 DesigtrHasis Pipnt Transients QUESTION Whdt plqntransients should be considered in the design of the alternative or dedicated'shutdown systems?
RESPONSE
Per the criteria of Section III.L of Appendix R a loss of offsite power shall be assumed for afire in any fire area concurrent with the following assumptions:
- a. The safe shutdown capability should not be adversely affected by any one spurious actuation or signal resulting from afire in any plant area; and D-8
NEI 00-01, Revision 2(c)
January 2008
- b. The safe shutdown capability should not be adversely affected by a fire in any plant area which results in the loss of all automatic function (signals, logic) from the circuits located in the area in conjunction with one worst case spurious actuation or signal resulting from the fire; and
- c. The safe shutdown capability should not be adversely affected by afire in anv plant area which results in spurious actuation of the redundant valves in any one high-low pressure interface line.
This response defines a bounding design basis plant transient atshould be considered to result during a fire that ultimately requires control room evacuation (this could be a control room fire or a fire in another area, dependingp pon thI pant design). During such a fire, the operator would be expected to performoas twind I m nIlperator would respond to any alarms, follow all plant procedures, andct' iely and s I control the unit.
The fire causing control room evacuation, hoiwever, could cause damae that affects the, operator's ability to use all systems available for connolling the unit In the unlikely event that control room evacuation is required, tbcre Lo' to question 5,st provides a bounding plant transient that describes the exp£cec orst-case conditions for such an event.
0 The first condition that must be'met is to be able' to achieve and maintain safe shutdown in the event that offsite is lost. ThIndition was specified as a part of the design basis because tthe pot*i*h 4
,a
,os) 1
'f offsite power exists during a fire, since, in most plants, breakeriont fol luh 1off!te power breakers is installed in the control room*"K 0
The seeon,eonditionu'hm at must be itisfiod is that a single spurious operation may occur as a resiltof h1e fire and this spmious operation cannot adversely impact the own Lility*Ii condition was specified as a part of the fire design
~,i,,,isehere iwn, potejtial for a spurious operation to occur due to the high
..".conetratum nf equipment controls within the control room. The specific worst-case single spuriow rationipiever, was not defined. The requirement for addressing a w*orst-case spimius signul is met by identifying any spurious operation that has the p ciitial to adverseily affect the safe shutdown capability and to evaluate the effects on t Ae safeshutdown capability on a one-at-a-time basis.
0 The third\\ondition is that it should be assumed that all automatic functions capable of mitigating the effects of the postulated spurious operation are also defeated by the fire. This condition was prescribed in order to prevent crediting automatic functions for mitigating the effects of a worst-case single spurious signal when the controls for these automatic functions are also contained in the control room and other fire areas.
0 The fourth condition is that protection must be provided to assure that the safe shutdown capability is not adversely affected by a fire that causes the spurious operation of two redundant valves in any high-low pressure interface line. Preventing the spurious operation of two redundant valves in. a high-low pressure interface can D-9
NEI 00-01, Revision 2(c)
January 2008 be important because the systems available may not be specifically designed to mitigate the effects of a LOCA.
Because of its specialized nature, the alternative/dedicated shutdown capability needs to be specifically directed by plant procedure(s). The EOP in combination with off-normal procedures identifying specific potential fire impacts is an acceptable approach to meeting the requirement for plant procedures. Other regulatory acceptance criteria must also be met.
D.5 METHODOLOGY DIFFERENCES APPLICABLETO NTO TERNATIVEI DEDICATED SHUTDOWN The following are the differences between the "baseline" methodoogy provided in the body of this document and the requirements thdat must be applied to alternative/dedicated shutdown.
" The ability to achieve and maintain safeshutdon must be demonstrated for the condition of a loss of offsite power.
" Specific shutdown procedures t,
m
,bc developed Iorilternative/dedicated shutdown.
Use of Emergency Operating Pnrce(uwihcthii conjuncti ith off-nonnal procedures identifying specific potential fin timp ttr n acceptable means of meeting this requirement for both post-fi?
aMi* al:ernAtive post-fire safe shutdown.
" The alternaive/dediaJited shutdown apability and its associated circuits must be physicallyýand electritcaly independent of the cables, systems, and components in the area under consideratii Isolation tranIfer switches and redundant fusing unaffected by thee or electrical and' py i'alation and manual manipulation of equipment rcouIld ej)rovided to ensure alternative or dedicated shutdown.
Cold shutdown equipmen catnbe repaired and operated to achieve cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
For the case of the alterniti%*.dedicated shutdown area fire, one worst case spurious Operations is auiimed to occur as noted earlier in the discussion of GL 86-10 Question 5 3 10.
Cold shutdown iiinust be achievable within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
N Areas whE L;r alternative safe shutdown is used must have a fixed fire suppression system and fire detection installed.
D.6 ADDITIONAL OPERATOR ACTIONS RECOMMENDED FOR CONTROL ROOM EVACUATION The primary goal for Control Room fires is to achieve safe shutdown. Guidance on actions to be taken is found in Generic Letter 86-10 Question 3.8.4. As a secondary consideration, in helping to minimize the impact of the effects of a fire on the potential D-10
NEI 00-01, Revision 2(c)
January 2008 property loss, additional operator actions could be useful if included in the plant procedures for control room evacuation,. The following are examples of some beneficial actions. Licensees should identify actions that provide a positive benefit in terms of alternative post-fire safe shutdown and include these in the governing procedures.
- The following actions should be considered for inclusion in the control room evacuation procedures as immediate operator actions to be performed prior to leaving the control room. These actions are in addition to performing the reactor scram/trip that is already endorsed for this event.
- a. Closing the Main Steam Isolation Valves.
- b. [BWR] Closing the Main Steam drain lines.
- c. [BWR] Tripping the feed pumps and closing the feed pump dischaip valves.
- d. [PWR] Isolation of letdown.
This is done at the Auxiliary Shutdown Panel for s IPWRs.
These actions could be a benefii i oimizing the po ttial#for flooding of the main steam lines outside of primary contlwmainmn BWs), minflimizing the potential of an overcooling event (PWRs), and conscr%
ving, Ck' iin enrto, WRs).
To prevent damage Lto,euipment impofrtan to alterative post-fire safe shutdown at the emergency cotol stati the followin_, actions should be considered for immediate operator actfonsmIIthe procedures governlig: hutdown at the emergency control stations (some of these 'ILI are erformed by oprators not at the auxiliary shutdown panel):
(I u*at*ival tthe emerge
,cy control station, assure that the pumps (Service Water Co mponi toolýng Water, etc.) that provide cooling to the Emergency Diesel Gnerato unning.
If the pumps are not running, start them irimmediatelý.
[In Je event of a loss of offsite power, the Emergency Diesel Generatorsk ay receive a start signal. If the pumps providing cooling to the I fEmergenc 1) iesel Generators are not running, then the Diesel Generators could d ma*. Performing this action as an immediate operator action upon armalat IIhe emergency control station will provide added assurance that the DieseIGenerators will not be damaged.]
(2) Upon arrival at the emergency control station, assure that an open flow path exists for any pumps that are running. If the pump is running, but not injecting, then assure that the pump minimum flow valve is open. If the pump minimum flow valve cannot be opened, trip the pump. Performing this as an immediate operator action upon arrival at the emergency control station will provide added assurance that these pumps will not be damaged.
D-11
NEI 00-01, Revision 2(c)
January 2008 (3) [PWR] Upon arrival at the emergency control station, trip the Reactor Coolant Pump (RCP) to protect the RCP seals.
D.7 REFERENCES D.7.1 Generic Letter 81-12, "Fire Protection Rule," February-u981.
D.7.2 Generic Letter 86-10, "Implementation of Fire Prtoection Requirements," dated April 24, 1986.
D.7.3 10 CFR 50 Appendix R, Fire Protection Fo e,r t(p -*ing Nuicilar Plants.
D.7.4 IN 84 Lessons Learned fromiNRC Inspections of Fir(: Protection Safe Shutdown Systems (10 CFR 50 4pd R), R vision 1, March 7, 1984.
D.7.5 IN 85 Isolation Transfer Switcheýsii st*-Fire Safe Shutdown Capability, January 31, 1985, VN D-12
NEI 00-01, Revision 2(c)
January 2008 APPENDIX E ACCEPTANCE CRITERIA OPERATOR MANUAL ACTIONS AND REPAIRS PURPOSE This appendix provides guidance regarding the use of operator manrunii actions and repairs to equipment required for post-fire safe shutdown.
II.
INTRODUCTION Operator manual actions may involve manual coni, local control or manual operation of equipment. Operator manual actions on equipmentInI support of achieving safý shutdown are allowed as follows:
10
" For components classified as important to safe shutdownIwhere:
- The operator manual action is 't I inside of the Control Room or at the emergency Control Station.
- The operator manual action or repaIr is taken to clii'eve and maintain cold shutdown.
Th ne 0peratorma[nmaan l
__a swikk/valve ei a
e ignd for pli tl~ii the ii fu ioii e:g. kec" 'ýk~ lwtý chsII ý iPAReI% koom ooprt SRs13i'[a B3WR, :opeiniiesloeaimatoal vdlv for
~~
~
A L'tmislto I
~i6spec Ui) [11 1
The operator manual aijon is taken for Appendix R Section IlI.G.3111I.L.
1
,The operator ma tioI is approved by the NRC.
" For comportents classified's either required for hot shutdown where:
The operiator manual action is taken for Appendix R Section III.G.3/III.L.
The operator manual action is approved by the NRC.
Repairs may be performed to equipment required for cold shutdown. This appendix provides the criteria to assure that the reliance on operator manual actions or repairs is appropriate. These criteria are intended to assure that the actions specified are capable of being performed, and that reliance on them is balanced within the overall safe shutdown strategy for a given fire area.
E-13
NEI 00-01, Revision 2(c)
January 2008 III.
RELIANCE ON OPERATOR MANUAL ACTIONS Automatic control functions are a design feature provided to mitigate or limit the consequences of one or more design basis accidents. NRC Generic letter 86-10 Section 5.3.10 suggests that post-fire safe shutdown be able to be accomplished without reliance on these automatic functions. Therefore, automatic control functions are not required for post-fire safe shutdown.
As a result, manual operation of the systems available for mitigating the effects of plant fires is required. This Appendix provides the criteria for determining when an operator manual action is allowed by NRC and when NRC approval for the use of an opperato
- a. AIl action in support of post-fire safe shutdown is required.
Specific plant protective functions, due to the nature of their sigin ;alssuring safe and reliable plant operation, require special consideration for a fire everit.
IThe P cram function is one such system.ýHýt h
C11~
LIý11 features ot O'S 'Scimi stm i,iautomaic or manual-Reco crmci i cuitiy cannot be fullI y'iiot(ctIcd kromn dth eIfI(I ts (
1ifi e-induceI ci[ciit failIure s-Due to the importance of this system to reactor saeslhutdown' Io1r multiple desrgn c,4ditions, re-design of the RPS Scram circuitry is not feasible. 1o(
ure the 1-eactor is scried for all fire conditions, it is recommended that each licensee assureiergencv g1pertigl'Procedure (EoP' act2ion to rmipleme tner leet 111C 1resaýshtd C
jprluresi _This action is considere bhe acceptable, feaible and reliable for all fire conditions, i.e.II_. /IlI -. 2 and/orie 1-3
[eference Paper on NRC IN 2007-07.]
h" IV.
DIFFERENTIATING BETWEEN OPERATOR MANUA ACTIONS AND REPAIRS The fundamental diffce...
between operator manual actions and repairs is definitional. Both are subject to timing lliitations, feasibility, and isource constraints. The NRC has placed' additional limitations on the Hse of repais,, ch that they may only be used to achieve and maintain cold* t*sftdi,'n conditions. Tis distinction provides the opportunity for licensees to maintainliot shutdown for1an e;xteded period of time, if necessary, while repairs are performed to eqmipment that is requiird to eitherl'tranition to, or maintain cold shutdown.
From an operational perspective, there is no meaningful distinction whether an action is defined as an operator rriainal action or a repair, since the same considerations apply.
V.
DEFINITIONS This appendix on operator manual actions relies upon definitions contained in Section 6. For the definition of terms used in this appendix, refer to Section 6, Definitions.
VI.
CRITERIA To credit the use of operator manual actions or repairs to achieve post-fire safe shutdown, certain criteria must be met. :Ifcirst criterionofor at oimpi iniial nu*cons isý (li)[heoiierator manual acLtonm wustlbe allowecd.
For those actions that are allowed, the remaining sections of this Appendix apply in determininIng whether the specific allowed action is feasible. To credit an D-14
NEI 00-01, Revision 2(c)
January 2008 operator manual action not allowed based on the criteria in this appendix, NRC approval through an exemption request or a license amendment is required. In processing an exemption request and/or license amendment, the licensee submitting the exemption request or amendment should consider the requirements of NUREG 1852. NRC has stated that exemption requests and license amendments for operator manual actions will be evaluated for feasibility and reliability against the criteria contained in NUREG 1852.
,Iase tghe acceptabilityof an operator mntiil ii~tion, timInI,,
a<&nosideration. To define the time avaiable to*perform an operator imanua1 ationte tijm wien fire damage to safe shutd6, i components and circuits occurs needs ticdeflnei(d fIs tiiiie is referred I;asI time zero WAith turiezeroand Li deflnud timiicline for2?III( post-f-ire safýd htd ncenario definied, the~
- tises, teiclp fire-wdliced 1ilure: to fpse*ie igspecific safe shutdown f, wions Ierelt III rse
ý mpaIctas st to If u
c an det1rmmned0
-1Te time mle (rpost1 f
- ili
'Iir sAfe shutildk I" :sdtrnine d*be d orittdiec bl e otilth systemsi 5 d c onp entfits'being uised to aIchievu and(1 11aintainposý0t-fIre safeC shu~tdown in I eaýcII part1ic:ular fIr ~rea 1This r ui reLI~
a pantuo1nique an]alysi Ticm
- zeo, howev I" s'an a
l incitial conditon that mIust beC specCIIeWdan1d, whMi pcifid usiieda to its esoalees liVL 'l11ýthI~I)ir zero is speICified to 10 miniutes after thierfrmtb by plant persdnnecl that the 11111t is c..p.iic. icin..
a..
c..g........
l ndic*n oIhe f lat thatt e fire being experienced Is chllengmgt t
onobservations by plant operaItions pei*donnl that results,,. ine need to scram fthe uitali t10close lthef MSIs.,Based oni tis definiltion 1uit crain and MSIVclowsure mAy~lo bc uwsd as, in~itiail
ý(ofrditions;,applicabIeCt a( iiy analyisassssin planti im~pic~týs as resut 0f ItIr-indUCedIamageC
ýinkinv :onfiiiiiiatimno ci alengmginactive fire to the hcegiingu of the 10 minute time frame eore1an einduced failures,n:mcluding spunioust equipment pminons, occur isot only consi
- 0et 0i ur(enWIIt llcensmn}lbasIs, it is also211
%e withi dh practical iiimpleientation o any eshutdonstrategy re rgperator iiiio dpit system,, Addtionaly, Induýtiy tet data cu a diiissed in a recent draft revision to NE O
()
L080310056) while not jsupptsý the aisumptior that firiiducl ciiiit failures:, inclu!din.g-spurious
%\\erauo wil not oc curmIaneiaMtely upon C`exposiln c
,l tIrLafflctsAcordijlng
-,to,I draft rvi to I
EI I 00-01,*11 tlýý the ave I1td a m r
d cables anId 15 iiiihfsfPlit>
,0 11 inopiastic ca ls 1'ina11y% init]Llt](ib of at uI1t~c~
and11 IT~
MS V
losure ae ctic u
thiceiltyii st~ar e thal OLthe-operaJtion of (11C 11it Is bIeItig-CIIalllenged1 Diu to the si rty beteen operator mnual aictioins aiid rcpaiisfrom the:operatilonali perspecýtive, most of these ciiteria<
nndh, ixpply to bothi
~there areu
- hioiever, a
ml uimberihc of addittional c~ioteia applied
- onl1, to repairs.
Ths a1I'ýdditional
&ritwiin for
- repairs, onlly
,re idciitifed as iuh~blw Criteria Applicable to Both Operator Manual Actions and Repairs NOTE: The generic term "actions" is used below, in order to refer to operator manual actions and repairs collectively, without creating cumbersome language. If the specific term Operator Manual Action or Repair is used below, it is used intentionally to show some specific distinction.
E-15
NEI 00-01, Revision 2(c)
January 2008
" There shall be sufficient time to travel to each action location and perform the action.
Actions should be verified and validated by plant walkdowns using the current procedure.
The action must be capable of being identified and performed in the time required to support the associated shutdown function(s) such that an unrecoverable condition does not occur. Previous action locations should be considered when sequential actions are required.
SFi,1C tests inIdicateC thaIt ýpuriouuatius do not typically occu,: for 30 minutes or more,
- peciall`f itleromset cable, allowing for additionl l'action tiid For examnple, actions toI lock outI chargingx pumps prior to pumip start w6i close PORWV block valves prior to P(RXopeningm ay be considered ffeable. In 111ie LUC[ cas, closIgytheb Nel:kalvc mayd of the b ock-al:edu to
" There shall be a sufficient number of plant sta iav le to pe or aill of the required actions in the times required, based on the imum shift staffing. The e of personnel to perform actions should not interfere NiW-I any collateral fire brigade
-o control room duties they may need to perform as a result 61, ie c nistrative contiols shall exist to ensure that the personnel necessary to perform, c s are available when required, and that unexpected absences are promptly corrected..
taff augmentation consistent with the licensee's Emergency Plan Implementing Proce lur is credited, then the licensee must demonstrate that un-recoverable conditions woui notoccur in the time period before staff augmentation is achieved.
" The action location shall be accessible. In evaluawng actions and the route through the plant for performing any acations, consideration should be given to the potential effects of temperature, hunidity, radiation levels, snoke, and toxic gases. Actions required in a fire area expernnIIImg a fire or that requiiretriývel through a fire area experiencing a fire, may be credited if itr, demonstated these actions are not required until the fire has beeniicntly e
ýompltn of necessary actions in the fire area.
Generally, onehU r postfir, start is a reasonable time frame for meeting this criterion.
III iddition, ifthtlcion i irequred is to be performed in the fire area experiencing the fire, It miiust be assured hat ftire damage within the tire area does not prevent completion of the aict(n*.
IOIENREG-073-I
&e*daesesosehlt**
pertors perforrniný"
emergencyi'response actions'.tpecifiesý at tfGDC1() 9pphl lie FL1operator actions post
&idenýkhlt i.:
" remn whole ho o
C q~~ln to anywpart ftheý b'dv)~ for the
" The action locations and the access and egress path for the actions shall be lit with 8-hour battery-backed emergency lighting. Tasks that are not required until after 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> do not require emergency lights as there is time to establish temporary lighting. The path to and from actions required at remote buildings (such as pump house structures) does not require outdoor battery backed lights, if other lighting provisions are available (portable lights, security lighting, etc.).
" There should be indication, which is unaffected by the postulated fire, that confirms that an action is necessary and that the action, once completed, has achieved its objective.
D-16
NEI 00-01, Revision 2(c)
January 2008 This indication is not required to be a direct reading instrument and may be a system change (level, pressure, flow, amps, temperature, etc.). Additional instrumentation may be needed to properly assess spurious operation, however it may not be necessary to make a diagnosis of the specific spurious operation that occurred, if symptom-based plant procedures provide the appropriate guidance to respond to the situation. If pre-emptive actions will be taken to preclude spurious actuations, then event-based procedures should be provided for the situation.
Administrative controls shall be provided to ensure that an ypols, equipment or keys required for the action shall be functional, available, andi ;icessible. This includes consideration of self-contained breathing apparatus (SCBA) and personnel protective equipment, if required.
This also includes the a afl*iht of ladders or special equipment, if these items are required for access.
N ->
" There shall be provisions for communications o allow coordinati 0f actions with the main control room or the alternative shutdown facility, if required. TIlienature of the action, and the need for coordination "itli
)t related actions or t
.l ntrol room should be considered when determining what top f Icoimunication is required.
" Guidance (e.g., procedures, prefireplan, etc.) should b!provided to alert the operator as to when actions may be require;i iesponse to potýial) fire, damage. This guidance shall be provided in locations tha will i[taccessible during and after the fire. The guidance may be prescriptive or spt Specicic event-based procedures are required for activities not addressed inestig operTafing procedures (normal, abnormal, emergency) forT-cftion*
ind repairs as a result oftfire-induced failures that are pre-emptive. Pre-Lmijptive spe1cific event based procedures should be used for those situations where theAr-induced
-fhilure cannote*,,4readily diagnosed using fire protected information, i.e ý plicitor.explicit indication, available to the operator.
Use of Emergency0)eratingprocedures is aiiacceptable approach for all other conditions, since EO h
Ili(:peratorto tuse all available systems to achieve safe shutdown and, in all l.IkCelihood., fire dmaged to2 plant systems will be limited. The "skill of the craft" should lb iconsidered wheno dtermnin ihe level of procedural guidance to provide. Typically, plant 'operators shfrild be capable of performing actions without detailed instructions.
DetLad*tinstructionsiay be required for non-routine evolutions and, in these cases, should b readily aviLable. Guidance should likewise be provided to the operator as to when to pierformn repairs in response to potential fire damage. The guidance shall provide the level of detailiequired to enable plant personnel to perform the task.
II ;1Y:Al1LCCordan h INPO'sý to Ifi~h The complexity and number of operator manual actions required for safe shutdown shall be limited, such that their successful accomplishment under realistically severe conditions is ensured for a given fire scenario.
Additional Criteria Specific to Repairs E-17
Ot NEI 00-01, Revision 2(c)
January 2008
" Repairs may only be used to achieve and maintain cold shutdown (not hot shutdown).
- Hot shutdown must be capable of being maintained for the time required to perform any necessary repairs to equipment or systems needed to transition to and/or maintain cold shutdown.
" Additional non-operating personnel (e.g. maintenance, instrument and control technicians, electricians) may be relied upon to perform repairs, provided their availability is consistent with plant's Emergency Plan Implementing Procedures and/or the plant's licensing conmnitments..
her Types of Actions
- hen performing t1h p tf afe shutown an alysi sa o
atn trit' credlted'iir th ost-firese
.LIitdown anfyis Imybe ide:iitihied th~a Ishu' aK'
'K',ItV
,to the 111 fe shutdowin sCenno iasmm II1niizing, t shutdown trani ',f
]or en ucing commercial tpiopei~y dli:ce thI ýctionS*e no
- lfall*
byh ieguallrequired:
tt
,afidrtins or IIIsae Shutdowik it nencssary tal~y9l*
n-hS*roi emrrr ghenc tii or comuniliciatilo'I ese actIon1s.
It-is also ~iio[required to -specifically addrles t[III uIre[d tining for thcse Kctions.
Sýimilarzly,. operator manuital actions specified as precautoionary or Lbhfirmatory. b611 p acIkLI
ýýtions (prudenit, buit unneccCsýWny OT rcredundnt) for a, pruar rt~l'inýmIL'tcIIIIq(Ue 'tfIit areC nIot ýICdIted in flie sin i do11(u4 reqeuire/84coýii:'ei Iigenc",ghtscommumcatlons or timing considerat"ion s.
REFERENCES K
\\K K
VTII 10 CFR 50 Appendix R'Fiei Protection for OperatngT Nuclear Power Plants Draft NRC cRspoise to 03-2-06 EPM letterzMay 25, 2006 (ML061440237)
DraftNRC Response to'0 NEAeletter, May 25; 2006 (ML061440251)
NRC Inspection Procedure 7 1 11.05, March 18, 2005 NRC letter to NE,
'Use of \\4anual Actions to Achieve Safe Shutdown for Fire Events, dated May 16, 2002 (Ml02) 41 0026)
NRC Meeting Summary of 06-09-06 OMA Meeting, July 19, 2006 (ML061950327)
NRC Revision to Draft Response to EPM March 2006 letter, July 19, 2006 (ML061980016)
NRC Revision to Draft Response to NEI May 2006 letter, July 19, 2006 (ML061980035)
NUREG-1778, Knowledge Base for Post-Fire Safe-Shutdown Analysis, January 2004 Public Meeting Notice 20060609 on Manual Action Clarifications, May 26, 2006 (ML061390156)
D-18
NEI 00-01, Revision 2(c)
January 2008 RIS 2006-10 Regulatory Expectations with Appendix R Paragraph III.G.2 Operator Manual Actions, June 30, 2006 (ML061650389)
SECY-03-01 00, Rulemaking Plan on Post-Fire Operator Manual Actions, June 17, 2003 E-19
NEI 00-01, Revision 2(c)
January 2008 APPENDIX F SUPPLEMENTAL SELECTION GUIDANCE (DISCRETIONARY)
F-1 INTRODUCTION This appendix is be used to supplement the information in Section 4 in support of the plant specific review of the Generic List of MSO in Appendix* ;to supplement the list of MSOs to be reviewed on a Plant Unique basis.
F-2 P&ID OR LOGIC DIAGRAM REVIEW The first step is to select target components combinations that could impact safe shutdown.
This first step limits consideration to combinations ofmuiltiple spurious actuation evaluations whose mal-operation c iciesult in loss of a key safety function, or immediate, direct, and unrecoverable consequences c:," arable to high/low pressure interface failures.
These consequences are noted hereafter as "unacceptable consequences."
Potential clrcit failures affectig~these safe shutdown target components may have been cons]itedmin previous c1rcuit1analyses, but perhaps not for IN 92-18 or multiple spurious actua oncern..
A system engineer can identify component combiations that can result in a loss of system safety fiti';kctn or inmediateiand unrecoverable consequences.
Then, an electrical or.4safe shutdmwn engineer;can identify areas where these component combinationstiiye power control or instrument cables routed in the same fire area.
The review for component comiihationc.uc be performed with P&IDs or safe shutdown logic diagranis, (if available) or 15tliiThe review should focus in on "pinch points" where the system functil6n or safe shutdown (SSD) function would be failed. Failure of
,kthe entire SSD funtion is not necessary for identification of component combinations but would be a lilitin ase assuming all identified components can fail with the same fire.
Comnponent combinations that do not fail the entire SSD function can be as important as combiijtions failing te entire function, especially if there is only a single component or manual/op rator action remaining for the SSD function, or if the remaining SSD equipment is potentially unreliable. Some internal events PRA input may be helpful for determining potentially unreliable equipment or manual/operator actions.
The results of the P&ID or logic diagram review would be a list of potentially important component combinations to be treated with the NEI 00-01 methodology.
Since the internal events PRA scope and fire protection SSD scope are different, the SSD review may provide potential combinations that have not been included in the internal events PRA.
Also, it is possible for this review of the P&ID to identify component combinations not identified by SSD analysis (because it requires multiple spurious F-I
NEI 00-01, Revision 2(c)
January 2008 operations) or internal events PRA (because of a high level of redundancy). The final list of identified component combinations should be combined with any internal events PRA combinations (from the PRA review below) for a final list for analysis.
F.3 PRA REVIEW The internal events PRA can be used to determine potentially important component combinations through either cutset review or through modelreanalysis. These are both described below. Note that a PRA review may identify combinations which include equipment not included in the Fire Protection Safe Shutdown list.
The important components identified in the pilot applications were already in the Safe Shutdown Equipment List, but the internal events PRA scope iiim1udes a~ddfonal equipment that is not in this list.
F.3.1 Cutset or Sequence Review The plant analyst may review cutsets or sequence results (in this discussion, this is simplified to "cutsets") with high= contributios to 1,
damage frequency, including common cause failures that include combinations with unacceptable consequences as noted above.
These cutsets will 'genera-ll contamin few terms, have a significant contribution to core damage frequency; andýmdcluide)oIe r more basic events that can be affected by fire eithelicthrough directi,)lamage or through spurious operation. Cutsets reviewed shouldr clude cuitsets sorted bvy probability, and cutsets sorted by order (from least number ýf events tihhe cutset to most). Review of the cutsets would identify combinations whert oneýrI more components may spuriously operate, and whose spurious operation maylbe sgiLwficant. The pilot project showed the spurious operation components ae typiAcallyinot In tlhe itcutsets, since random (non fire-induced) spurious operation Is tyLplcaly a lowprobability event. It may be helpful to manipulate the cutsets ung a cutset editor by I
et tOi the basic event probabilities associated with spurious operation events to0, and rý 2sorting the cutsets3 0. For example, by setting all of the motorioperated valv : CM ) spurious operation events to 1.0 and re-sorting, the top cutsets may now mclpie potentially important component combinations for MOV cables.
Generally, the>s-fiiicance of each combination cannot be determined from a cutset review. However, the relative significance of one combination versus another can be performed when the cutsets include similar equipment. For example, when two similar cutsets, one with two spurious operations required and one with the same two and one additional spurious operation required are compared, the latter combination is probably less important. This type of comparison would require review of the other events in the cutsets, and the fire characteristics for the event causing equipment damage.
30 If the licensee has a full internal events PRA model, re-running with spurious failures set to a high screening value
(>O.1) could recover cutsets truncated in the internal events PRA that could contribute non-negligibly to the core damage frequency due to fire.
F-2
NEI 00-01, Revision 2(c)
January 2008 One additional consideration is that the cutset review does not need to include review of cutsets for initiating events that cannot be fire induced. For example, cutsets for steam generator tube rupture or large LOCA need not be reviewed. Typically, the review can be performed on turbine/reactor trip cutsets, loss of offsite power cutsets, and induced small LOCA cutsets.
.:Simirly, cutsets requ lilure o(fdi clponents i.nb'11 redundant trains can be dismissed as long as it can be ssd thaone redundant tral*'s component rotected in eacýhire area. A review of the plant's fire Individual plant Examination of External Events (IPEEE) can determine
- Iwhat initiating events can result from a fire.
F.3.2 PRA Model Manipulation If a logic model of the plant core damage sequences'including all possible fire events is available, this model can be exercised/manipulated to identify component combinations of interest to risk significance evaluation descrbed in Section 5 of this document.
The level and amount of model manipulation can range from a single re-solution of the model, to many re-solutions following modeling changes. The analysis discussed below is based on the limited analysils.iused in support of e pilot application of NEI-00-01, with discussion of additional runs cons-iered during theilot.,
A basic analysis that can provide sig..ificantre1ults, is solution of the internal events PRA model with all basic events set to 1.,0 ( hrue) tklit can potentially spuriously operate following a major fire. The McGuire.pilot performed this analysis by also setting the transient and loss of offs'cpower initiating events to 1.0. The types of components and PRA basic evets,,at should be set to 1.0 in the model include:
MON riousyp1"u oI L A
-OV uusly open or close "lPORV spuriouslY openIor close
, Spurious actuaion o automatic actuation signals The cutsets or sequence results can be reviewed to identify component combinations that are potentially signifieint. Review of the results will show patterns of cutsets that can be grouped ocomblnedl For example, a cutset with a PORV spuriously operating and charging injecatonillures could repeat hundreds of times with both PORVs combined with the multiple combinations failing injection and the random failures not set to 1.0 in the model. These hundreds of cutsets can be grouped into limiting combinations based on order (less spurious operations leading to core damage) and/or likelihood (less random failures leading to core damage). Initial review of the cutsets should also look for other component basic events that could occur due to spurious operation following a fire. If additional basic events are identified, additional model solutions may be necessary prior to selection of the component combinations to be analyzed.
ýVhy"'didjm re ov
l1ý11 1, ý1a il 1 ýýo'a b o F-3
NET 00-01, Revision 2(c)
January 2008
-If the PRA model includes some fire PRA sequences, additional runs with the fire PRA initiating events set to 1.0 should be performed.
In this case, the PRA results would identify component combinations important for particular fire areas (or fire areas with similar characteristics).
If the PRA model does not include any fire PRA sequences, model manipulation can be performed to simulate fire PRA results. For example, in the McGuire pilot analysis, additional internal events PRA runs were performed where the 4160 VAC switchgear was failed. This included two PRA runs, one with A trainiVl6O VAC failed, and one with B train failed.
These runs simulated a switchgear fire, but also provided representative runs important if opposite train componentsvere located in the same area.
For example, cutset were identified where A train cooling r failed due to the A train 4160 VAC failure, and B train cooling water failed due to spurious operation. This sequence could be potentially important if the cables causing tlh: 11 train failure were located in an A train fire area. The B train failure (in this example) couid be as a result of a diversion due to an A train valve spuriously opening.
Additional PRA runs can be performed based on the IPEEE results. The IPEEE can provide a list of important fire areas, and the equipment that potentially fails due to a fire in these areas. By setting the component basic events,,o 1.0 for a selected fire area, and also setting our list of spurious operation componeits< to,.0, a list of potentially important component combinations can be developed for the selected fire areas. This type of analysis was not performed for the pilobtsother than the fire sequences already included in the PRAFmodels.
F.3.3 Analysis of the New PRA Sequences Some important fire-idueed accident seq *unices of interest involving spurious operation may have been screened froi the internal events and Fire PRAs. New scenarios or accidenftequences not previously considered may result from Fire-Induced damage or as a ressult of operator actions taken in response of a fire. For example, manual action to c,,c ýe a PORV or PORV block valve in response to spurious operation concerns would res0t* in the Pressurizer Safety Valve (PSV) being challenged following a pressure increase.
Spurious injection could also challenge the PSV, and if water relief were to occur, it is likely the PSV would stick open. A stuck open PSV is generally considered a low probability event in an internal events PRA, but may show up as significant in a Fire PRA. Scena ioswivolving Steam Generator overfeed may not be considered important for an internal ents PRA, but may be important for sequences involving control room evacuation where a turbine driven pump is the credited safe shutdown equipment.
Performing a Fire PRA update in order to develop possible multiple spurious combinations would not be an efficient method for developing a complete list of combinations.
However, if a Fire PRA were being updated, either the scenario development process or PSA cutset results could provide insight to developing a complete list. The scenario development, including the development of new event trees or accident.sequences, could provide a useful input to the SSA analyst.
F-4
NEI 00-01, Revision 2(c)
January 2008 NUREG/CR-6850 (EPRI TR-101 1989) methods for consideration for MSOs includes the following additions to the PRA in step 2.5.1:
" Sequence Considerations that were screened out of the Internal Events PRA may become relevant to the Fire PRA and need to be implemented in the Fire PRA model.
For example, spurious safety injection is often screened out from the Internal Events PRA and yet may be important for fires that could cause both the spurious injection and damage to one or more pressurizer PRA such that the jressurizer SR Vs are challenged. These SR Vs could subsequently stick-open cauiinýg;a complicating LOCA accident sequence. A review should be conducted forsuch scenarios originally eliminated from the Internal Events PRA to determinthe.
nalysis needs to add components to the Fire PRA Component List as we4il as model'those components (and failure modes) in new sequences in the Fire PRA Model.
- Particularly when considering thepossibleeffects of spurious operatiin, new accident sequences and associated comlponents of interest may be iddhtzfie-d that should be addressed in the Fire PRA and g i ol,ýey cZsiderations injhe Internal Events PRA. Typically, these new sequences
,arise as a result of spurious events that:
o Cause a LOCA: 0g., PORVopenmng,1r1actor Cooling pump sealfailure, o Adversely affect pla w pressure controi e
ý6Ael or steam generator overfill that if unmitigated couldýubsequent! jail credited safe shutdown equipment such as a tuibine-drivenf2kldewter or auziliary feedwater o.iitroduce other "new" sceharios that may not be addressed in the ntenal Events PRA.
Thes-eindmental stepsjfor performinang a baseline PRA review (for possible scope irLeases) canhalbe p1) rmned in support of a review for new MSO scenarios.
A A dditional guidanceis g veni iLIN1REG/CR-6850 in the following sections:
Fire-induced imntiating events, including those not modeled in the Level 1 PRA
- Equipmýt with Lthe potential for spurious actuation for failing Safe Shutdown Equipmen
.5.4), including new accident sequences not previously modeled.
Additional Mitigating, Instrumentation and Diagnostic equipment important to Human Response (2.5.5).
One of the key areas of screened sequences from the internal events PRA is the modeling of Interfacing Systems LOCA (ISLOCA) accident sequences. The internal events screening criteria for ISLOCA pathways would screen flow paths with 3 normally closed MOVs due to the low random failure rate of an MOV to remain closed. However, the fire-induced failure rate of an MOV spurious operation is significantly higher, and the F-5
NEI 00-01, Revision 2(c)
January 2008 screened scenario may need to be considered in the plant specific MSO list, given the scenario is possible (if one or more of the MOVs have power removed, then the cable criteria considerations in Appendix H would indicate the MSO is not likely).
In reviewing the Internal Events PRA for screened (or even combined) initiating events, the following should be considered:
- 1) The Initiating Event is more likely than the internal events PRA estimate (i.e.,
pressurizer heaters fail on).
- 2) The resulting Consequences can be worse (i.e., losqs,fIHIVAC coincident with a fie).
- 3) The Fire introduces new accident seq considered in t e Internal Events PRA (i.e., spurious injection with PORVs cl&,,d, result in waterh:lieve from the SRVs).
During the review of the PRA scope for possibe *new M-Ss, the plant and operator response to a fire, should be understood. In paart if the plant procedures direct the operator to turn off power to a train of SSE, isolate a:tii or function, or otherwise disable equipment, then this should hbe -accounted for ixtlitereview. In this regard; Credit for plant procedures to mitigateaI anSO should not be used during the MSO scenario identification step, but should 1bc iJ use*!s disposition of the MSO in the SSA..
- Negative effects of plant procedures !perator actions) should be considered when determinini iifa new SMSO scenario shlould be considered.
These assumptions for the PR
fiput tothe MSO list are conservative, but will result in a more coitelist of >ASOs for cnicferation.
The output of the ýibove rewe-can be used as either an input to a Fire PRA, or as consideration for a dditional MSOs to be identified by the Expert Panel.
See the ifrnrmation below fortadditional information on this topic.
F.4 EXPERT PANEL REVIEW F.4.1 Expert Panel Review The expert panel process described herein supplements the information provided in Section 4.
The team for an expert panel review includes operations, engineering, electrical, PRA, and others. This process involves four phases:
F-6
NEI 00-01, Revision 2(c)
January 2008 Phase.1: Preparation, including an initial list of potential accident sequences
& Phase 2: Training of the expert panel on Safe Shutdown Analysis and Multiple Spurious Operation Phase 3: Performance of the Expert Panel Review Phase 4: SSA review of the Expert Panel Results The preparation would involve developing a list of scenarios to consider for review, including input from the PRA as described above, and the potential list of, ceL!irios from NEI-04-06, if performed. Training will be required for participants not familiar with both the SSA process and issues related to multiple spurious. The scope of the original SSA should also be discussed.
The Expert Panel Review involves group what-if discussionsPf both general and specific scenarios that may occur. Documentation of both issues and non-issues, and Ohe ieason they were either, was important. For example, ifa possible scenar[iowas considered iiotpiOssible due to power being removed from a valve, then this is documentedTchcIis documentation can be carried over into the SSA. The expert panel process also 1i11iv, i 4P&ID review of each system credited in the SSA including discussions of how the flow path would change for each type of Fire Area (redundant and alternate shutdbwn).
The expert panel process can be run in a numberofý i ays A typicil.,expert panel process involves a structured team review of systems and fction' usinga P&ID review. The P&ID review progresses through each*.P&ID by having the group review each possible flow path and consider the possibility, and ;ffeLt(of a fire-induced MSO for that flow path. This consideration includes:
a) Consideiatnion c( a N4SO resulting in failure of the primary flow path or fun...Ctoridatn 6I2n*
b) Consideration c' an MSO that combines the failure of the flow path being considered in co, ýb tion with other possible spurious operation to tail the primary flow path, or function.
The first examp*le would occ ur if two or more valves spuriously open, resulting in a diversion and failure of the cfeditedtrain. The second example could occur given spurious closure of an RCP seal-cooling valve, and a simultaneous spurious closure of a seal injection valve, resulting in a possible RCP seatl-LOCA.
The expert panel review can also be performed using a review of flow diagrams, PRA events trees, Safe Shutdown Logic Diagrams, or similar logic structure. The general process for review of each is similar, although the methods for discussion may differ, given the variation in the information being presented to the expert panel.
Key to the expert panel process is the diverse review of Safe Shutdown Functions. This diverse review is performed by an expert panel comprised of experienced personnel in the major aspects F-7
NEI 00-01, Revision 2(c)
January 2008 of plant operation and fire safe shutdown. The expert panel should include the following expertise:
" Fire Protection
" Fire Safe Shutdown Analysis: This expert should be familiar with the SSA input to the expert panel and with the SSA documentation for existing spurious operations.
PRA: This expert should be familiar with the PRA input to the expert panel.
Operations System Engineering
" Electrical Circuits Additional experts may be needed, depending on the system rnteractionsohat are discussed. For example, water relief from a safety valve may require expertise in relief valves. Additionally, a single individual may provide expertise in multiple areas, sucfi as Fire Proteuction and Fire Safe Shutdown Analysis.
The expert panel will review and discuss one Safe Shutdow FIUnction at a time. LFor that Safe Shutdown Function, the panel will identify possible failuýre echanisms that can result from spurious operation or a combination of spurious operation anidtlirect fire damage. Using various tools, identify "Choke Points" that could Jefeat sf shutdown 10thugh the previously identified failure mechanisms:
Flow Diagrams
" Safe Shutdown I agrms P/ia ra
" PRA Even(Trees PRA Resultsr(i orensiiyfity Analysis The panel will Nuild, these C o
tino fire scenarios to be investigated. The scenario descriptions"that rultk shouldM, clude the identification of specific components whose failure or spurious operation wouuldresult iii laoss of a safe shutdown function or lead to core damage.
Training is performed priorit the begiiming of the expert panel. This training should include:
- a. Purpose apd scope of the SSA
- b.
RA over iew and results
- c. Overyew training on the MSO issue, including
- i. Appendix G to this document ii. Background on Fire-Induced Multiple Spurious iii. Types of circuit failures that can occur, including shorts to ground that can cause spurious component operation.
iv. Results of the Fire Testing (EPRI/NEI Testing), including:
- 1. Likelihood of various spurious operation probabilities.
- 2. Timing including the likelihood that failures will occur close in time, and issues affecting time to damage.
- 3. Duration F-8
NEI 00-01, Revision 2(c)
January 2008 The Expert Panel will then systematically review the systems (P&IDs, etc) affecting safe shutdown and the core, for the following Safe Shutdown Functions:
o Reactivity Control o Decay Heat Removal o Reactor Coolant
" Inventory Control
" Pressure Control o Process Monitoring o Support Functions Safe Shutdown Failure Mechanisms to be considered are dicusin Appendix B. These mechanisms are supplemented with input from:
o The PRA Results and sensitivit.,,thin o Additional scenarios asprevioul1v tp inspections, or other identificatioi' uiified issues).
The expert panel should make a conservative determinationit ite impact and likelihood of the scenario. This determination should be do umented for each sci.rio, with specific information on each scenario being provided. Where 4the expert paisi i6fd identify where additional information is needed to justify aý1 ispos iot no or example, if a diversion flow path is considered too small to affect flow in a mainf flow paith býut some additional calculations are needed to justify the opinion, then the additioiol ualculatioirs should be noted. These open items should be closed prior to completion of the expert panel report.
As a final measure, the expert panel should reviewIiceplant specific list of MSOs to determine whether any of the individual MSOs should be couibined due to the combined MSO resulting in a condition~qw siifl 1%
worýe than eithlrMS individually. This step may involve a review of MSOs which were preiusl crened as too insignificant to impact safe shutdown by themselves, but which fitgt proviei gnificant impact to safe shutdown when combined with anodM 1SO. Considerations might include MSOs where the timing of critical actions could be significan(.ti mpacted, and 01availaile time to perform a required operator manual action is significantly rediuced for the new combined MSO scenario. Consideration might also include situations wheire[hiecombimel affect of flow diversions from systems credited for post-fire safe shutdown provides a drastically different result than the affect of any of the individual flow diversions. In this review, consideration of key aspects of the MSOs should be factored in, such as the overall number of spurious operations in the combined MSOs, the circuit attributes in Appendix B, and other physical attributes of the scenarios. The combiiliionlof these affects be used to determine that the new combined MSO has too lowa lih ood of occurrence toarrairt futher consideration. The goal of this additional step is to indentify any new MSO combinations (which are combinations of other MSOs) that could be potentially provide worse consequences or timing than any of the individual MSOs of which it is comprised. The results of this review should be documented. New combined MSOs that are potentially significant should be added to the Plant Specific MSO List. New combined MSO should also be forwarded to NEI and the responsible OG for their consideration in revising the generic list of MSOs.
F-9
NEI 00-01, Revision 2(c)
January 2008 The expert panel will likely have to meet several times to initially disposition all possible systems and flow paths potentially affecting plant safe shutdown. Additional follow-up meetings may be needed, if open items are found to not support the initial disposition of the expert panel.
If, for example, the small diversion flow path discussed above does result in a significant diversion where the main flow path does not provide sufficient flow to fulfill its function, the expert panel would need to meet again on this issue.
A report of the expert panel findings should be developed. This repoi t ould be treated as a living calculation, and updated if any new information is developed or if an'y additional multiple spurious scenarios require disposition. The expert panel reportoiould identify a list of scenarios that need to be addressed by the safe shutdown analysis.
One of the lessons learned from the initial expert panels performed was that all scenarios considered, including those considered low likelihood or scenarios that woiil~,not go to core damage, should be documented. Additionally, the rson the ýeenario was not gdoed tohe plant specific MSO list should be documented in the report. Any supporting or supplemental analysis should be either added to the report or referenced.
F.5 SELECTION OF POTENTIALLY ICPORTANT COMPONENT COMBINATIONS4 Based on the results, performaice of some or all of the types of analysis discussed above will provide hundreds of thousands, opossible component combinations for review. Analysis of all these combinations is not possiblt The PRA tiiiit provides the largest number of possible combinations.
These conmbiatmins;'can be screened in the expert panel or self assessment process to reduce.11the sceai l
o' t
[ath can actually occur and those of potential significance. !"Thie fmalselectioi component combinations for analysis needs to account for vaniousifators affec.ie.
ifinal e xpected risk for the combinations, including:
U athappened Io the b~illet on pre-knowl[edge of cable routing is missing2E I-\\
Expected spuniou toperation probability, including the combined frequency for m..tijle componnts. For example, it could be shown that for an MSO involving a large number of,spurious operation components that component locations would most N
likely beLunitnportant, since the probability of spurious operation alone is on the order of 1E-06.
Conditional core damage probability listed in the cutsets
" Additional factors not in the cutsets affecting the core damage probability, including both positive factors where additional equipment may be available and negative factors such as human actions that may be less reliable following a fire
" Expected fire frequencies (i.e., combinations in high fire frequency areas may be more important than those in low fire frequency areas).
F-10
NEI 00-01, Revision 2(c)
January 2008 These and other factors should be used by the analysts in determining the potentially important component combinations for review, and the number of combinations that need to be evaluated for risk'significance. Combining the PRA-identified combinations with the P&ID or logic diagram review should provide a comprehensive list of potentially important component combinations that should be added to the Generic List of MSOs from Appendix G.
F.6 DETERMINATION OF MSO COMPONENT CATEGORYy4 MSO scenarios identified above are categorized as involving eithLerquired for hot shutdown components or important to SSD components. Guidance on categoizAtion of components and the related MSOs in provided in Appendix H.
F-11
NEI 00-01, Revision 2(c)
January 2008 APPENDIX G GENERIC LIST OF MSOS The attached tables, provide examples of BWR and PWR MSO scenarios to be included in the generic MSO lists. Presently, these lists are in development and trial n.ýwhen published, should provide a comprehensive list of MSOs for consideration fori ach reactor type.
The generic MSO lists provided below include scenarios that bc licable to only III.G.3 areas. For the MSOs listed as being applicable to III. G.3yo p
specific review should be performed to confirm that the scenarios are, in fact, i[pli i ib to I1I.G.1 3.rýAs only.
[AdditIonally, smeui of ehcNMSO( sLc~iiayio sona' have lw tniripic afioiiýi 111-C G, a, ll a L1 67 2, areais. MSOs with ~pricability to III.
3 aas are not ntenieo to altca h*ensee's current.licensing basis related to I.G.3 wh.er..theMG. 3II*,T 3!areas asMe'en approved b NRC. The licensing basis for NRC approved IIleG.3 areasis, aitli'd in A[pjii. D or in a licensee'
ýtiilcll iLCesing basis. 'IihtIy,
ýtit1, 1
To '
ct liG3ae~~oi hese hicsc iicr~
intendeda l)ý II a furtiosltol
,Li (fordIi islcci~ý to II, Fiskin HI lG 3~
s Since thIs ypc u! a review i a v oluntal reieýw, ayiiIcensee s clecting to assess risk intheseý, preiqusly~~k iappoved llI.G.3 areas, mayr ulse any of th~eavi~labileh tools to 4lios-ý it) iLon the MSO, inctuding,- F )tse-c Fire PRA %\\iithdutprior NRC ajtprol. I-..
o pioaval-lale-to 3 nsost n
previously approved by theN RC in an SER, but r-clasified from III.G.2 to III.G.3 by an individual licensee usi he4gLdard license, ondition should evaluate the MSOs as though the area were a III.G-'2ea. J G-1
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Drat Required for Hot Shutdown (No, Yes or plant specific VIPL Scenario Description Not(-,
Plant type analysis required)
ReactivityControl C71 PS SCRAM Circuits: Refer to the May be a 1dressed by actions already BWROG,-
"'White Paper" on IN 20072 included lidthe plant EOPs. Thlis is an I)- I
\\\\ h Paper" explains thata *ssue insi&deand*ou*ide of..
.the Control
[iik oc t
,m
ýhtievllJt[ cl~,L c oui ii he rgt Room. /R a tvt Co t oli;s Z:
oPlant specific analysis loato intergtcruiddressed by having as link'rqie[t prevent 1/4 ofth'e rods fioninse t*kween the Fire Safe Shutdown demonstrate 1 irnilarly, two (2) hot shors in I*e r**ght Prcedures and the Procedure to I
cmin with locatiion in the right circuit couldt ei'ther vent the instrument air generic analysis, ie.
preerit a*full scrarn. F cens ee ic header or depowe"PS0--
BWROG White-
.-^
h...ould cont:rm th.. irsig accomplhS CRAM should Paper].
,onsistent with the des:g1l*]escrie I
n"a, scram from the Control e BWROG Whitei p~e~'L ~'. ~
Room not be effective.
~Reactor CoolantiVIctiMkep Contr ol
~
~
jl G-2
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL cenario Description eNutcs Plant type analysis required)
B21 Main.Steam) Head vent valves (2)
Valve Numbers MS-V2 1
-. 2r Spuriously Open.
similar. Scenario may be s reened, dependigW n line size and Hnteija fo Lnijý i, bnea Refer to PR\\ riteria, 2a about how hif a-T----i-brefsi--
R2/4IN/q No of concern,d us'e that to-determine if the Scenario ifaoinereS.
B21 Main Steam) MSIV's hot sh~ FI.results aVI e numbers MS-1V22A-D, MS-V-in MSIVs failing to close or re-opeLing. _A-o i
e postulated cenariio in cv Ifailure of redundant, 4ormally open, Main Steam Isolation ave I%(MsSIV) in one of the four Main 2b
'teanm ies (MSL) to close on B,
2/3.......No aemad,.
In one popular MýTV esign ppnergizeratt ch MSIV haf an AC.and
-nergize to close the MSIV. May need
-o look at MSIV reopening, if closed on G-3
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL Scenario Description Plant type analysis required)
B21 (Main Steam), Main Steam Line Drain Shutoffs spuriously open.
Valve numbers MS-V-l6'"M'-V-19 (F016 andF019) or similar."1%ai be an additioniddow stream manuad vafe 2c ddti-on 0 1
h o
BWR2/4/5/6 No bypass. valve Motor May.,e removed BWR
/6 or have powerdýtsconneeted. May be ale to analyze flow rate as-i aeptable inveawory loss.
B31 R= itor seal leakaA.OSpurious closure 1\\,C-7D-()2, loss OifRBCLC pumps Recirc pump seal failureL d o (ss of
\\ice water, results in Appicabe to oneNo o.*s of RBCLC and consequential seal BWR2
- .e** "
LO:A, G-4
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, DraftJ__
j Required for Hot Shutdown (No, Yes
-or plant specific MPL Scenario Description Plantype analysis required)
C11 RPV coolant drain through the SDV vent and drain this scenario isa ASO initiated drain of reactor coolant fromethSCRAM Discharge Volume eto the'Rearctr 2d Building sump. The scenario is SWRi 2 No
.iggered by.MSO. opening of the solen*oid valves thiat supply control air tI ic ilr operated isliation valves.
E12 Inventory controII i Lo pressure RHRIV-8, RH.R-V-9 (F008, F009) or interface valve spmnwi operation -
imilar.
f DC Control Power 2e Residual Heat Removolrjj)DC Sucton" i
tuSeS
.naeso%
.:'rThis is the BWR3/4/5/6 Yes Isolation Valves traditional Hi/Lo pressure interface.
G-5
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft,_
Required for Hot Shutdown (No, Yes or plant specific MPL 3cenario Description Nutt's Plant tye analysis required)
E12 Inventory control valve spurious Possible path includes he'i: ý-mup*
operation - (Residual Heat Removal) line. Valves RHR-V-53A &k, RHR-Discharge to Recirc Loop Isolation V-50A P3 (F0 15A&B, F0i 7,,&B) or Valves imilar. Td1 c!heck valve willgo*
2f closed on o nsider BWR4/5/6 No whether RhiCrosI o
T-HI analysis of pipigi..
suro e
mp.;rature
" ay resolve. Pov er may beiumoved 01]_]_ypass.*
\\
E12 nventory control valve spurivii,
\\
1*V -F022, MOVe-23 or similar.
operation - (Residual Heat Removl
% ayl e cut and Capped for some Plant specific analysis 2g RHR Head Spray Valv*s-c h
eck valve to prevent BWR3/4 required.
ow I'k equired E 12 Spurious Opefatiicns that creates RHR' floe..
ihverted to ttie Pump Flow Dive sibn from RHR/L*PCI.*
o onaih ent
- t:-
Contaiinimýent 2h BWR4 Plant specific analysis Spray isolaton.
E! !
- 0.
(I-I required.
a n d E I 1 F I A, B O F J ') W h ii]
E12 Spurious Operations that tk Ates RHR RHR flow can be diverted to the Pump Flow Diversion from RIH ILPCI, containment through the RHR Torus or Plant Specific 2i including diversion to the Torus or Suppression Pool return line isolation Suppression Pool.
valves (El 1-F024A, B and El -F028A, Analysis Required B).
II G-6
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL
- ýcenario Description
-NUtCs Plant type analysis required)
E12 Spurious Operations that creates RHR RHR flow can be dive&hted-o te Pump Flow Diversion from RHR/LPCI, containment through the' TFoii, or including diversion to the Torus or Suppre s'ion Pool Spray HeL Suppression Pool Spray Header.
isolationv c(E I I -17027A, IBa aindE Plant specific analysis 2j-F2AB F028 or simiila orRHR Warm-uN required.
Line (El 1-F02(6PB) i. 102 icall has power removd ;and 53 its in lie,
_i ically normdI closed.
E12 Deleted 2k E12 Spurious operation (open) (d\\,alve 1vesF49,F040 or si m.lar. FO10 RFIR A DISCH I )P,\\I)DWVSTE C(Crosst ie) spurious operation or if FO 10 21 INBOARD ISOLATION and RHR\\
i divert flow from opposite No
-adwaste iso(
alen
,ve N* *:
a seot lrain.F010 may have power removed.
E12 Plant Unique Analysis 2m,purious opening of twoseries RH-IR BR nit cross tie valves BFN Only required E12 2n purious opening of two seesicRIIR F010 valve or similar. Breaker power WR4 Plant Unique Analysis loop cross tie valves
ý-nay be removed, required G-7
NEI 00-01, Revision 2(c)
January 2008 Table G-1 RWR Generic MSO lTist.. Draft*.
Required for Hot Shutdown (No, Yes or plant specific MPL
- ýcenario Description Notes Plant type analysis required)
E21 Bypass Valve is normally doý.'i powerea DC MOV. 2 DC hot shorts Spurious Operation of normally closed can open the val dve, resulting inaWN 2o Core Spray Discharge Check bypass alignment i
essure RCSI BWR5 No valve (equalizing valve) or testable pressure to the Li ss\\
Core heck valves, and core spray discharge* Spray Piping.
(e-tabe C
" ave alve F005.
hould go closed pon DP a, rss valve.
E21 2p Deleted
,BWR4 E21 Spurious Operations that Creite Core S',flow can be di ti d to the Torus or Spray Pump Flow Diversion for i uppr*so Poo rough the CS test injection to the RPV.ine MOV1
§ 1 )
0 105A, B or similar).
sctiLine is typically a 10" line with O)i
.is is a single spurious oper*atwn, so should already be
ýJan Unique Analysis addressed in SSA (unless the line BWR2/4 PatRequiredýi.......
includes 2 series valves). Should r*<
eview for MSOs not addressed in SSA,
/
such as combinations of CS test Line MOV opening and CS Discharge Valve
_Opening (Scenario 20).
G-8
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL
- kcenario Description Nbtvs Plant e
analysis required)
E21 Address flow diversion to the
..,e to 1Y,
-*1, -32 and equipment drains IV-40-30, 31.32, 33 and to thtecontainnent
,p
\\a ter 33(high pakomt v 4owoint drains Applicable to one to Reactor Building E Dra11..
No
_ysten.
1--
T k RBEDT J*MN 2sý h 1-
,ul2 pulled out as a separatets e c
.e E21 Path from CS injection discharge valve Spurious act ia i"on ol (t V-4-30, to reactor building equipment drair-and CS Injectioon (10 or']l) or loop tank vent isolation valves, scen io is 2( V-40-31, 33] nd 09 or 08) requires Applicable to one No NMPI specific
-p3hase proper polarity hot shorts on BWR2 I
- [I A0-30 and 31 because power is E21 2r Deleted G-9
NEl 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft>_
Required for Hot Shutdown (No, Yes or plant specific MdlPL
- kcenario Description
- Nus Planittype analysis required)
E22 Spurious HPCS/HPCI oper*tiion.
Impair.RClC-operation due tovesse*l overfill and water in the steam line.
Can occu[ as a result of: a) Spurious valve Operation: Turbine Stop Valve and HPCI Dischgl eAhutoff Valve Spurious Operation i(HPl1q0.F006 No or similar), b) Damiage to Cahling for
.. ansmitters (tvwoequired to start NCI), c) Dama.e to High Level Trip i rc u itry, or d) HPCI pump controls 2s
- hothort, E41 2t Deleted E41 2u Deleted E41 2v Deleted E41 fIPCI drain to thies*Ufnp failing open aon OV F004/F005 (F028, F029, and loss of air pressure.
bypass is F055.) or similar. Open drain 2w flow path may not be sufficient to fail BWR4 No HPCI function.
G-10
NEI 00-0 1, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description Plant type analysis required)
E41/E22 Spurious operation (open) of both of MSOs to the HPCI/HP '
h d
risiha HPCI/HPCS CST Test Return/Bypass test line valves can divert to the valves.
Conden ate Storage Tank. f uction is from the *upprs ion Pool, the 2uppressio*r Poot invetory is d1 6%ivo BWR4I6 Plant specific analysis 2x o the CST. alv,
,41-1, E4Lt reqire F008 [E22*M(bI Oud required.
2 *MOVFO0JI IM02316, CV2315),
IIII -F042, E41-1 41 (M0232 1, 02322), or simniI r E51 2y Deleted E51 2z Deleted E51 RCIC Test flow CST Stp V, iIc numbers F022 and FOIl or throttle valveslw diversion
/
1 ir1iiar. Me throttle valve and isolation Aa cein the return line to the ondensate Storage Tank are normally closed and at least one of the valves Plant Specific 2aa must remain closed to prevent flow BWR6 Analysis Required diversion from the RCIC pump to support the reactor inventory control fnction (RCIC is the credited train).
G-II
NEI 00-01, Revision 2(c)
January 2008 G-12
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Drafti*
Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description OSte cs Plant ype analysis required)
E51 RCIC Pump Diversion through Mini Flow Line to the Suppression Pool or test return Line.
The RCIC punip discharge can be diverted thIrI'l'Ilt I tIt C tet rtu IneJI Wb the CST throgdh a (O) iýolation*
2acalve and the"c......n HP'C. AOV Plant Unique Analysis
- lirottle valve. [R\\'IC mm flow line BWR4 O
E5 1 1-F0 19 is another path and a from the pump, suction to the p,ý ipression pool thiough MOVs E5I-1029) a...I
-F 1.
G-13
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft; Required for Hot Shutdown (No, Yes or plant specific MPL
- kcenario Description PNntesx-tp analysis required)
E51 Spurious operation (open) of both of Valves 1E5 1*MOVF022 andf RCIC TEST RETURN TO I E5 1 *MOVF059 and a Spurious CONDENSATE STORAGE TANK startup sinal or valves RCIýo1pUMP valves with suction on the Suppression DISCHAP (IMST LINE Pool may route the RCIC inventory to
'he CST.
ORUS SUCTLOION IN*OARD ISOLATION I
R
_K P MP Plant specific analysis 2ad ORUS SUCT O, OUTBOARD BWR4/6 required.
IO£LATION E5f1-F029, and IIPI RCIC TE STýRETURN PI [ )DUNDANTSi[-jiTOFFVALVE
-FO I imi r. For this scenario, lJC is not the credited train, but can I Fii i C"the pool to the CST or CST to the
_"()(,I__ oolrding on the valve line-up.
E51 Deleted 4,
2ae G-14
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft','
Required for Hot Shutdown (No, Yes or plant specific MPL kcenario Description
______,Plant pe analysis required)
E51 RCIC Suction Valves FO10, F031 or similar) CST and Suppression Pool SuctiojVi%1ves -
There ispotential to isolat*,tti\\
injection pa hs* Frm the CST and
,uppressiuo l oo]the 1C purri.
Plant specific analysis 2af BWR4 required.
G31 R.PV bottomf drain iolations to reaci building equipment dmin tank purious operation of valves BV-37-08 spuriously opening diid BV-37-09 (Dwg. C-I18009).
2aglThermal overload removed to prevent Applicable to one N
spurious operation as Hi/Lo pressure BWR2 nterface. *his is a 3-hasehotl roper polarity.
G-15
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft_
Required for Hot Shutdown (No, Yes or plant specific MPL cenaro Description
-Notes Plant type analysis required)
G33 Spurious operation (open) of BOTH 1G33:*MOVF001l, G33*NMIV004 or REACTOR WATER CLEAN-UP simiar. Closed loop system, btia*
2ah ISOLATION Valves may route RPV be a conceii duet to hgnteerature_
All No nventory into the RWCU system.
eih p ing.
G33 Spurious operation of RX Water Clean Valves RWV U--FC1-('\\
iand RUL.
Up valves V-34 or RWCL-\\-3 im=
BR 4N 2ai dlo require; addit ional NVs open BWR2/3/4/5 No to RWC; MOv o r 4 (or similar).
4r G-16
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL cenario Description Ntc Pat e
analysis required)
G38 Suppression Pool Drain down: Example Example 1: May be unique floýv paths I: Suppression Pool Water for each BWR, involvingamy drain Management system suction flow is down fr esuppe poo*.
diverted or that the return flow is One exaipll:
e one of twoI o
ju diverted Water Manige tem pumpsre either runningL or @10ti Ioikstartsud 1xamnple Spurious operation (open) one of two no
- a.
W closed 1
ii. on Tjli* SN1tPR ESSIONPQOOL
-solation MOVs open, and tlec normally Example 1: BWR4 2ajk loed condenser isolation valve opens No 2:
h enr Suppression tl~ol]water is pumped Example 2: BWR
.. the condenser. hNus Cleanup may e
ec*
- cd lsed for many plants. Drain o
th-Condenser typically a 3" line.
4xaripl:
Drain down of suppression
\\ oolj Ilow minimal level.
IRHS*AOV62, IRHS*AOV63 or similar N21 Spurious Operations that C e e Applicable to BWRs with SBFW 2ak Standby Feedwater (SBFW) A system or other motor driven FW BWR4 No Driven FW Pump) Flow Divei In ump.
from RPV v,
G-17
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Ge~neric MSO Tlst. Draft Required for Hot Shutdown (No, Yes or plant specific MPL
_cena__o Description
_______________e analysis required)
N21 Valves 1FWS-P IA(BC, 1F, I IWS-N OV26A(B, C), 1C33-LCVI01A(B, C, D) I'C33-LVF002 or similah"I Condensate/Booster Pump operation No 2at puousoperation ofla feedwatr or would require ecreased vesse-puresaelou qirdcastervessel eNel BWR2/316 ondensate/boostet and av \\,
ressure. Feeacwater pumps may notbte control valve may cause uncontiollc cocern if steaimdriven.
SL f
..ent
.to
.ot
.P...
p th.at can cause a...................
Pil Loss of CST Inventory to.H(-,t tWel I raýld paths ý o that can cause a lI ty drami of teI:(CST to the Hotwell.
Ile condition can happen due to
'1punius o0pjIeatioln of MOVs alone, and I he normal iotwell pump or
_migency hotwell pumps spuriously
- tart, tliec ondition is worsened.
3tandpipes for drain paths may limit he minimum level in the CST. Should
- eview Fire SSA assumptions for ninimum level and effect of drain 2am BWR2/4 No G-18
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List. Draft.
Required for Hot Shutdown (No, Yes or plant specific MPL Scenario Description ePlant type analysis required)
P11 CST supply to Condensate Return Tank his MSO involves spUIOU' opeý ratlon (CRT) supply shutoff MOV spurious ofMOVs in the piping conirecting the operation CST an CPT. If either of ti valves spuriousli 1 opma gravity transer o an 2an ccur whih :,anklo er Lthe water BWR4 significantly)I in the STeeý discussion above on Staii )pz. Sctnio not pi fiplicable to pl antS without a CRT or uivalent.
P11 2ao I
-ST discharge to Radwaste system
- hutoffMOV spurious o, ration
,pfII operatio of two MOVs in the
- oensate,em can set up a gravity IFin path from the CST to the zia\\aste system. The water loss may eedo evaluated to support the time
.me to reach such a step in a manual iction feasibility study. See discussion ibove on Standpipes.
BWR4 No Reactor Coolant Syýstern Pressure ICon11trol G-19
NEI 00-01, Revision 2(c)
January 2008 G-20
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description
- NotA.
Plarttype analysis required)
B21 Spurious ADS: Safety Relief Valve-This postulated scenarii*featuesa e
Failure of ADS Initiation Logic, failure that will open multSiple RVs opening SRVs simultaneously due to simultaineously and requires\\:.
nergization of relays nergizatioUo6fxrelays K6Aand K7IAor*
K61B and k-HB miniýaftwo out or two taien twice logic *schem e/(
,,iAED-B21 -
018<2>). As suchýtlis faiujIýle ires 3co sustained fire induced failures BW.ý14 Plant specific analysis vithin the control[room panel with no required-Jamage to the individual SRV control
, iF'*riitsto initiate ADS. It should be oled ** ae*
ýf**iendrvidual SRV control uIk-cts are powered from and contain onto logic within the panel.
4,*
- eaief:~iva G-21
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draf\\
Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description.
ýNuts Plant e
analysis required)
E12 MSIV closure/reactor vessel isolation A fire causes a loss of feedwater, loss and loss of both loops of RHR f containment instrument aýiito all suppressjon pool cooling. Fire related MSIVs (closure of MOV C I20 simultaneous failures of MOVs RHR-ue to hot shi 0, 9SRVs (closure V-64A and MOVs RHR-V-6B (hot IA-V-20, (- 1 0,A, CIA-V-3013 short), CIA-V-20 (hot short), CIA-V-due to hot sor t) anii S6the fireu 30A (hot short), CIA-V-30B (hot short) auses the los, o t both loopsofRHR
... ppression pool cooling (flow control 4a
\\,,ie for RHR iinavailable due to BWR3/4/5/6 No h ictdamage to cab ls;lhot short causes hiUtdoA'ncooling suction MOV RHR-
)6B fo p
Ix I
vhich fails RHR B iippression pool cooling due to initer!ocks). Loss of suppression pool cads to Containment Failure the containment failure location fails G-22
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes M#D ptP or plant specific MPL Scenario Description
_Notes Plant, type analysis required)
E12 MSIV closure/reactor vessel isolation fire causes a loss of fed er, loss and loss of both loops of RHR of instrument air to all MSI kVs suppression pool cooling. Fire related a
it al l MSIV R*s 4b simultaneous failures of MOVs RHR-and alsofth fire causes the los ( both V-64A and MOVs RHR-V-16B& 17B loops of.R Is, mppr:esion Poo
>1 BWR3/4/5/6 No cooling. l_* of.lp,*eso poo)l leads (hot short), CIA-V-20 (hot short), CIA-ooning. L of ailmead V-30A (hot short), CIA-V-30B (hot at Contaitm,°i [tAieIhic P*ojtament short) failure locationIO i1s HPCS.
E12 4c Deleted E14 4d Spurious opening of SDC heat Spurious opening ofnormally closed xchanger bypass valves(FCV 128, eat exchanger bypass air operated Applicable to one 131, and 134) alves FCV 128, 131, and 134.
BWR2, however, These valves fail open on loss of similar scenarios 4
nstruttent air and control power. ISDC may be applicable No i,-s i manually operated systema atd is to other BWR's
& sd several hours after the evenit. If (likely single
- ý eed&d, these valves can be operated spurious) u anually..i...
E15 Spurious closure of Containmient Spray V-80-01,02,21 and 22. Spurious Plant specific analysis 4e Pump suction valves from torus (IV osr0-0 1
8012, shn2.
2i BWR2l reqired 01,02, 21 and 22) closure {DWG 18012, sh. 22 required.
G-23
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes 4
or plant specific MPL Scenario Description Notes Plant type analysis required)
E15 Spurious closure of Pump discharge to IV-80-15,16,35and Su drywell valves (IV-80-15, 16, 35 and closure 1{DWG 18012, sh. 1 ;Note: All Plant specific analysis 4f
- 36) four IV-8045,7 16, 35 and 36 val es go BWR2 required.
open and h
ý£i nrot be re-posifioned on loss of in.struinejfl air,.
E15 Spurious closure of the normally open ontainment spray raw water disc piurious clo f the norm I y open 4g alves(MOVsBV-93-2526,27 and
%OVs BV 5, 26, 27 anid 28.
Applicable to one No 8.)
{A)G 18012, stil}
II E15 puipor pening fialclosd closed
- otmetsr*+'*
÷*:*¢*
p
- urlQ0.up~engof normally closed 4h 11Avalve11vs FIV-93-72 and 73. {DWG Moitý tsprGV-ct an),r%
I 802, sh. I }FCV-93-72 and 73 are Applicable to one
- 1erloc1id with BV-93-28 and 26 BWR2 N
iýspecfikrely (per system description.
SDBD 203).
E15 Spurious opening of no Kal closedo ontainment spra ra aegoci purious opening of normally closed Containment spray raw wkelF t#) Lc
'OVs FCV-93-71 and 74. FCV-93-71 4i spray supply valves (MOVs 1(A`93-71 nd 74 are interlocked with BV-93-25 blo e
and 74) nd 27 respectively (per system BWR2 eescription SDBD 203).
G-24
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft
_A6 Required for Hot Shutdown (No, Yes or plant specific MPL
ýcenario Description NUtes_
Plant type analysis required)
E15 Spurious opening of normally closed Spurious opening of no lmoal s*
A Containment spray venting valves(
IOVs IV-80-114 and I5 115*ing flow No 4j MOVs IV-80-114 and 115) liversioJninicontainment spr*{DWG BWR2 18012, sh }
E21 Spurious closure of normally open Spurious clowsur Of Ta Plant specific analysis 4k orus suction valves (MOVs IV-81-01, OVs IV-81 f1 02.'1 2
.2'2 BWR2 required.
P2,21 and 22)
I{"WG 18007,h}
,J required.
E21 Spurious closure of normally n RPV
[tirious closur bfFnormally open Plant specific analysis 41 njection valve (MOVs IV-4b!1 hnd O~s IV-40-02 aid 12. {DWG BWR2 required.
- 12)
\\\\
l07;,sb. I}
required.
E52 Spurious closure of Sieamrn ine isola'ti0* *u ure*
fIV-39-07, 08, 09 or valves (IV-39-0 7 ',
09 r 100estllts" 10-Lesults in failure of d&cay heat
- n failure of deeayheat* removal.
infailure tof isoat frpipebrk.s.
emo ýal Failure to isolate for pipe Failure to isl 1W pe break.
hrAý.Based on the RIS evaluation, it 4m A
as shi"own that credible circuit failure BWR2/3 Plant specific analysis 4m iodes may exist to spuriously close the required.
DC motor operated valves IV-39-07 and IV-39-08. This spurious closure is based on conductor to conductor hot short failures of two cables.
G-25
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes Plantor plant specific MPL Scenario Description
- Nots Panalysis required)
E52 Condensate return isolation valve AOVs IV-39-05, 06 fail to opien failure to move/remain in correct resulting in failure of EC s\\ytem.B Plant specific analysis position Failure To say closed for pipe)bheaks.
BWrequired.
p___
- 117 1
ks.require__
d E52 4o Failure of Vent to main steam line Failure ofi 02' and 03 to clofe6rI valve (IV-05-02 and 03) to close or hot hot short(s) that keeps b1)th valves open short(s) that keeps both valves open results in loss of in"ento"i%
results in loss of inventory.
valves receive
ýignal to close on I,
BWR2/3 No
,, essel Lo-Lo level. IV-05-01, 04, 11, 1 do not receiveý signal to close on E(actuation. {D:M6 18017, sh. 1}
E52 4p Failure of Vent to miain steamnIine Fi ure of IV 01, 11, 12, 04 to close alves (IV-05-01; 11, 12, 04) ltocose esults in loss of inventory. These results in lossf invet do not receive a signal to close on ECactuation. {DWG 18017, sh. 1)
BWR2/3 No E52 4q Spurious opening ofnormiIlly:closed Spurious opening of normally-closed Vent to torus valves (BV-0510'janjd 07) BV-05-05 and 07 results in loss of results in loss of inventory.
inventory. {DWG 18017, sh. 1}
BWR2/3 No G-26
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL Scenario Description Planttype analysis required)
E52 4r Spurious closure of Cross-connect Spurious closure of B3' 13 rsulfts in valve(BV-60-13) on makeup line loss of cross-connect capability of results in loss of cross-connect TiakeupI5oorce. {DWG 18017 h. }
BWR2/3 No capability of makeup source.
T23 Containment Over Pressure (COP),
r-1 NPSH loss due to spurious initiation of *
- ,eneral eie i
fNPHad.
containment spr:ays.
- enrme~t for*
po~tarathways 4s Mark I (BWR2/3/4)
No Ilcic ('01 1,.**'**
onk III for rii t cr e
(W IC I S
T23 Containment
]rfPressure (COP),
p*,iopening of Containment Vent, NPSH loss, Spurious opening of esulting in Containment ontainment ConVent.n Containment Vent epressurization, following a loss of 4t Suppression pool cooling. Containment Mark I (BWR2/3/4)
No vent through pathways not including the rupture disc. COP is only an issue for plants that credit COP for NPSH lconcems.
G-27
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description Ot Plant type analysis required)
T23 Containment Over Pressure (COP),
Spurious opening of thie drywllF floor NPSH loss, Spurious opening of the drain sump, since it isn't dir tecly 4u drywell floor drain sump valves.
connectd tdothe airspace. COP is only Mark I (BWR2/3/4)
No an issue fýq p nts that credit CO for NPSH. cone msiiL.
4w Spurious opening of torus vent and Spurious opehning o r1,\\ ent ard purge valves.
purge valves !*20-o 1 l, 6, ýand 17 r V-201-21 iil22 will lead to loss BWR2 No of containment isolation.
rI23ý ark I containment kxitPhTorus*Rg i!
ea*Sder: too much flow through thc r PH Issue for the opeiatin redited I'ea S urius o eraion of ult jI~ ) pr M
ay be caused by a false LOCA Plants pecific analysis npamthe ring headerequired
~~~Support Systemns___________
E12
,Scenario causes diesel generator overloading and inoperability. Note:
Scenario very site specific. Interlocks 5a may prevent this from occurring.
All No.
dditional components load into In addition, overloading may also occur
_redited diesel generator if proper load sequencing is bypassed G-28
NEI 00-01, Revision 2(c)
January 2008 Table G-1 RWR Generic MSO ITi*/ Draift)**
Required for Hot Shutdown (No, Yes or plant specific MPL enario Description Plant type analysis required) via hot shorts, causing simuti tan6o*ois loading of multiple components onto the EDG.
G38 Spurious operation (open) of both Drain down ot suppressionpool below 5b SUPPRESSION POOL CLEAN-lW 1)jninimal level.
NIR1 fPIS*AOV62, BWR6 No ISOLATION Valves.
IR1 HS*AOV63 similar G1l 5c
_Deleted P41 Deleted. [Combine@withb2aJj].
P41 Spurious oeratinii (open) of both RHRW I IT2fl: OVF094 AND I ISR ATION I IE2*MOVF096 or similar 5e
\\rssre)
- va
'I lamo 1ay1\\
IsuIti BWR6 No idversmion of serview n yom G-29
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO ITist. TDraft*
Required for Hot Shutdown (No, Yes or plant specific MPL Scenario Description Planttype analysis required)
R43 Scenario causes damagecio diesel N generator by closing into ýiI bus out-5f of-phase.
ote: Scenarios avte rysite All Plant specific analysis 5 on-synchronous paralleling of EDG ic may revent Alleuied vith on-site and off-site sources lpom occur1in
.N I
m through spurious breaker operations f
t R43 Non-Synchronous Paralleling -
inadvertent cross tie breaker operatip n id between opposite divisions (e S160V, 480V) of Div 1(2) ý,Ds eý:nario causes dimage to diesel Plant specific analysis 5g hrough Spurious Operation of 48&; V iinrator by closingto a live bus out-All required.
Breakers or the Divisionil Cross-Ti f-pha'ce.
Not
'Scenario very site through 4160 V Maiifcn,,jicc Ie
ýpcificý. htea'rks may prevent this
_reakers fIrm moccurring.
/
\\
G-30
NEI 00-01, Revision 2(c)
January 2008 Table G-1 BWR Generic MSO List, Draft 4
Required for Hot Shutdown (No, Yes or plant specific MPL
- Scenario Description Plant type analysis required)
R43 Spurious Diesel generator operation The fire causes the start *oi~ot the without cooling water Emergency Diesel Generator, puous closure ortbe ESW Pump Diýcharge Valve or l'fpo e ESW Pump wuld*
stop the cuolin a r upply to the v, Emergencye.snGnrator. R uning the Emergenc D sel Generitor with a 5h
/
oss of cooling
ýater could t'ip the All Yes iesel on high temperature. If the fire Isresulted in the actuation of a LOOP
,N OCA bypass of the high I, Iemp ertiIetrip,,the diesel could ontinue to run until damage from C
- Iv
-temperature conditions stop it.
5i Deleted R43 Spurious operation (qpen) of both I SWP*MOV505A, I SWP* MOV505B cross-connection valves %'oid cause an or similar, for RHR Service Water, Plant specific analysis 5j uncontrolled loss of servic wate t 1h tleF19A/B or similar would have to All required.
opposite division.
opend G-31
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draft___
Required for Hot Shutdown (No, Yes or plant specific MJlPL Scenario Description 6Notesx Plant type analysis required)
N/A Spurious motor-operated valve General scenario is that fire damage to operation, AND Wire-to-wire short(s) motor-operated valve circuitry causes bypass torque and limit switches spurious operation, If the same fire causesA ii c-iowirc short(s) SU~h that the valve ind iit switches are bypassed, the!n the icmot, mr may stall at the e~nd e v vl
. This can cause exceŽ:*current in tl-* valve molor windings well as valve 5k e:hanical damagý. This mechanical Plant specific analysis 5 a"ge may be sutikcient to prevent All aiiakPerciT9ooI'f the valve. Scenario
,'l apphes to motor-operated valves.
ot,ý this generic issue may have already een addressed during dspntiion of NRC Infornation Notice 92-18. This disposition should be reviewed in the context of multiple purious operations and multiple hot s~horts.
G-32
NEI 00-01, Revision 2(c)
January 2008 Table G-I BWR Generic MSO List, Draftr Required for Hot Shutdown (No, Yes or plant specific MPL cenario Description Nut e
analysis required)
Perforne view to identify ýprious failures thd-could cause isolatioriaf Heating Vet lmoii-,pand Air ConditioningL(IHV\\( to credIited/
loads. Credited load may incudýe Plant specific analysis piump rooms, r
vihgear roos, and required.
00 os containin, solid state control siterms. Example of spurious failures nelude spurious dhmper isolation and Loss of HVAC: Spurious isola ul ipuriosis ol cooling flow to 5L HVAC to credited lojad hillers.
All
____Pc 6Moneitorings
_identified______
6a ýo generic Sc,nario identified I
Possible New MS() combinations`fonider4 1
Fire-induced darnage causes a I 'sol D)C con i)I power to a 4KV switchgear (or-600V/480V Load Center); fire also damages a power feeder from that same switchgearL
- a. on-sat I shutdown load in the same fire area; the fire damage causes a bolted fault to ground on the power feeder (either at the load itst or in h, cable) in the fire area; the overcurrent trip of the circuit breaker is disabled as a result of the loss of DC control power, resulting in cAcding the capacity of the cable, and propagating the fire into fire areas between the fault and the switchgear (note that technically, this 4.es not involve a hot short).
G-33
NEI 00-01, Revision 2(c)
January 2008
- 2.
Fire-induced hot short causes a higher voltage conductor to energize a lower voltage conductor; results in overcurrent through lower voltage cable, in addition to exceeding the design voltage for the lower voltage conduc~to, causes fire propagation through associated circuit by common enclosure where ever the lower voltage cable runs.
- 3.
Fire-induced damage causes loss of both cool:ing fans and cooling pumps on starttu ransformer when off'site power is available in combination with lire damage that fails the EDGs.
- 4.
Fire-induced damage causes a failure of the load shedding features and isolaton of lov rvoltage power boards, resulting in overload of lower voltage power transformer (4K.V to 600/480VAC).
h+
- 5.
I-lot short causes motorization of main generator, resulting in failure.ltman turbine, numrc;ro,. learing failures and possible oil and hydrogen fires (this is in addition to the fire that caused the hot sho :
- 6.
For a BWR, fire-induced damage causes a loss of.RI3CLC to the vllt ioolerssubsequent lire !,xnage also causes a spurious initiation ofdrywell sprays (one spurious signal starts one containment spray pup) the hoti,ry di'wxell expceriences rapid evaporative cooling to the extent the drvwell pressure drops so fast that the drywell to torus vacuum buakers can not relieve the differential pressure, resulting in the pressure in the Torus airspace causing a failure of thýn dJwell to torus doncomer and ring header; subsequent lire damage (shorts to ground on instrumentation) causes automatic initiation of I
WC!w vith failure of thehigh level trip; water rises to the point where water discharge fails the Electromatic Relief Valves (6); Either fir d1ragcor operatur acIions remove IIPCI from service, decay heat causes Reactor Pressure to increase to the point where the Reactor Ilad Safey ier Valve!s open to control pressure; SRVs discharge directly to the Drywell, pressurizing containment; with the failed ring heaelere is opresjisure suppression function maintaining containment pressure low. Direct pressurization ofd i
lvetually caust ýc.ntainmncn failure (note, this particular scenario would apply to NMI' I, but similar problems could be present -,,1nn11o[1otjher BWRs).
- 7.
For a Westinghouse Ice Condenser P~ia iire Inauced hot short cau'es a spurious actuation of containment sprays. With a hot dry containment, the initiation of sprays resultsaiiwa rapid 11evaporative cotling process, resulting in exceeding the minimum design pressure for containment, failing containment (Conttn{
1 t spra5sCital11thetR WS to the emergency suinp. Appendix R analysis did not assume the need to protect the ability fobis piggyba2ck mod: ole RIli an,1dI PSI. Core damage occurs due to loss of inventory to the high pressure injection pumps. Coren mett progresses w. Ith I
tailed clnam iment.
G-34
NEI 00-01, Revision 2(c)
January 2008 Spurious isolation of seal injection header flow, AND Spurious isolation of CCW flow to thermal barrier heat exchanger I
Loss of all RCP Seal Cooling Scenario causes loss of al FCP seal cooling and subsequent RCP spa LOCA, challengingi theRCS Inventory Control FunctiorF.*
Westinghorle Tech Bulleti r04-22 Rev 1 (Reference 10) provides summary of is
>uech, ulletin references provide additional detil Note CE plants genkralty do not have seal injection. These
,t Ican lose all seal cooling due to spurious isolation of
<dCCV' Re'rFtorWCAP 16175 (Referencell).
Seal inecton flow isolation can occur at main header or at supply to each individual pump. In addition, scenarios that cause loss of all charging (i.e., multiple pump failure due to loss of suction, non-spurious pump failures such as loss of power, etc.) can also cause loss of seal injection.
Loss of all seal cooling to any individual RCP is a problem (i.e.,
does not have to occur on all RCPs to be a problem)
G-35
NEI 00-01, Revision 2(c)
January 2008 Spurious opening of charging injection valves causing diversion flow away from seals, AND Scenario caiusesjf6s RCP seal LOCA, chN Function.
ýooling and sfiýbsquent
Spurious isolation of CCW flow to Thermal Barrier Heat Exchanger (TBHX) 2 Loss of all RCP Seal Cooling I
Westinghbuse Tech Bulletin 04-2 Rv. 1 (Reference 10) provides suimrary cf issue. Tech BUletin references provide additional detail Jote CE plants gene-ally do not have seal injection. These pla3 ts can lose all soal cooling due to spurious isolation of 0GW4. Refer to WOAP 16175 (Referencell).
'Loss of all seal cooling to any individual RCP is a problem (i.e.,
dol rot have to occur on all RCPs to be a problem) 3 Thermally Shocking RCP Seals Loss oflaeea cooling to any RCP(s). See 6-harios 1 & 2 Spurious re-initiation of seahc (i.e., seal injection or CCWo TBHX) 4; Scenario causes RCP seal failure and subsequent RCP seal LOCA, challenging the RCS Inventory Control Function.
Westinghouse Tech Bulletin 04-22 Rev. 1 (Reference 10) provides summary of issue. Tech Bulletin references provide additional detail.
G-36
NEI 00-01, Revision 2(c)
January 2008 Note CE plants general plants can lose all seal CCW. Refer to WCAP s7eal injection., These spurious isolation of mncel1)t.
I.
+
Loss of all seal cooling to any RCP(s). See Scenarios 1 & 2, AND 4
Catastrophic RCP Seal Failure Scenario>cuses catastrophic RGFseal failure and subsequer RCP seal LQ *Achallenging the RCS Inventory Control Function. Ko, Westinghouse Tech Bulletin 0422 Rev. 1 (Reference 10) provides summary of issue. Tech Bulletin references provide
'aýddtional detail. VK 1 nt B&W CE W
Fire prevents tripping, or spurioutslY starts, RCP(s)
Isolatinof theNo. c1 seal leakoff line during a loss of all seal Losofallseay, cooling evetwt(JId force the No. 2 RCP seal into a high preossure mode of operation at high temperature, which is RCP(s). Se2 AND beyond the design bases of the No. 2 seal. This could cause catastrophic failure of the No. 2 seal and increase RCS RCP Seal leakage.
5 No. 2 W
Failure Spurious isolation f seal Westinghouse Tech Bulletin 04-22 Rev. 1 (Reference 10) leakoff valve(s) provides summary of issue. Tech Bulletin references provide additional detail.
Also reference Letter WOG-05-163 DW-04-004 "Isolation RCP#1 Seal Leakoff" (Reference 12).
G-37
NEI 00-01, Revision 2(c)
January 2008 Table G-2 ID
~PWR Generic MSO List
?SCENARIO~
DESCRIPTION NOT~ES PLANT DESIGN~h Spurious opening of (or failure to close) letdown isolation valve(s),
Scenario causes"loss fRCS iventory challenging t RCS AND Inventory Control Function.r B&W CE In a typical oýt-Fire.Safe Shutdown (PFSS) Analysis, the CVCS do% stream of te~letdown isolation valve(s) and Spurious opening of (or failure to upstream of thfe Volume rahtrol Tank (VCT) isolation valve(s)
Letdown close) letdown orifice valve(s) is not evaluate.d anddtthe lCSmventory (letdown) is Letdown conservatively assumed lost 4ind unavailable for makeup. In Fails to
~~
ieaty, additionall failures downstream of the letdown isolation 6
Isolate and valves would have to occur for this RCS inventory to be Inventory unavailable for makeup.'
Lost to CVCS AlCS-so note thatthe letdown isolation valves and letdown orifice valves are often interlocked such that the isolation valves will not open without the orifice valves being open. Letdown failure to islaie can be a single spurious operation with interlocked valves.
Note B&W plants do not have letdown orifice valves. Scenario applicable to B&W is spurious operation of multiple letdown isolation valves.
Letdown Letdown fails to isolate (see Scenario causes letdown flow to Pressurizer Relief Tank (PRT) 7 Fails to Scenario 6), AND through relief valve. This letdown flow is assumed unavailable B&W Isolate and for RCS makeup.
CE G-38
NEI 00-01, Revision 2(c)
January 2008 inventory Spurious closure of downstream Lost to PRT containment isolation valve W
4.
+
8 Excess Letdown Fails to Isolate Spurious opening of (or failure to close) multiple series excess letdown isolation valves Scenario cae oss of RCS invento ythe CVCS system challenging he RCS:nventory Contl61 Function. The RCS inventory (letdown) is0i rvatirty assumed lost and unavailable fornmakeup. Inr eality, additional failures downstream of the excess letdoýwn isolation valves would have to occur for this RCS inventory to be unavailable for makeup.
&This sýenario *oten requires three spurious operations.
B&W IW r
r r..
9 RCS Makeup Isolation Spurious isolation of sealinjection flow path, AND/OR Spurious isolationkof normal charging flow path, AND/OR Scenario isolates all high head RCS makeup flow paths, cai aliengfrig the RCS Inventory Control Function.
Each flow path contains a number of series and/or parallel valves. P&ID review is required identify each relevant combination of valves.
G-39
NEI 00-01, Revision 2(c)
January 2008 Spurious isolation of charging injection flow path Note that isolation of all lýCS n spurious failures. For examplec are normally closed, and a fireV-i (not a spt 9 sJ would cause the' the otherhai *these valves cOý have beennE n nd:
qp°may also involve non-charging injection valves ced loss of valve power valves to fail closed. On
ýpuriously close after they
-9
- 9*
+
10 Charging Pump Inoperability Initial condition is charging pump running with normal lineup takinq suction from VCT.
Spurious isolation of suction fr*m VCT to running charging pump, AND Spuriousisoltion of (or failure t7 open) suCtio11 fr0m RWST to running charging pump Scenario causes charging prnpinmoperability, challenging the RCS Inventory'Coctrol Function. This is especially challenging if'the credited charging pump is running at the time of the fire.
-anLe a single sp rious if the RWST valves are normally cla-sed,e g-nc pu1 s ii.
e r n a
Note that spurious starting of idle charging pump(s) may cause inoperability of additional pumps. Spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurious Engineered Safety Features Actuation System (ESFAS) signal.
Potential Resolution: Valve interlocks may prevent scenario if they prevent VCT and RWST outlets from both being in closed oosition simultaneously.
G-40
NEI 00-01, Revision 2(c)
January 2008 Initial condition is charging pump running and drawing suction from RWST.
11 Charging Pump Inoperability Scenario causes loss bof dargingiguirpD suction, causing subsequent pump cavitation and inoperability. This challenges the RCS Inventory Control Fuicto*n.
Note that spurious starting of idle charging pump(s) may cause inoperability c, additi.n,ýlpumps..purious pump starting can occur for seveialr ~ons, including fire damage to control
ýercuitrv or a sour'ius ESFAS lanal.
Spurious isolation of two parallel RWST outlet valves.
-t
+
12 Charging Pump Inoperability Scenario causes V9*';,l'drain down and hydrogen cover gas etiailnment into charging pump suction, ultimately causing chap nhrperability and challenging the RCS Inventory control Function. This is especially challenging if the credited echarging pump is running at the time of the fire. Note this scenoa ssumes that VCT makeup has been isolated (i.e.,
letd isolated).
Note that spurious starting of idle charging pump(s) may cause inoperability of additional pumps. Spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurious ESFAS signal.
i G-41
NEI 00-01, Revision 2(c)
January 2008 Potential resolution is c'6np header pressure provided b, Specifically, the RWST may that the chneck valve to the \\
is not entra ieid 1to the nun om f charging pump~suction
Jide sufficient pressure such emmains seated and hydrogen
+
Letdown fails to isolate (see Scenario 6), AND 13 Charging Pump Inoperability Scenario causes elevatedth carginqgýpump suction temperature and subsequent puyp inoperability. Charging pump
~iiiperability chaIleanges the ROSý Inventory Control Function.
This is especially' challenging if the credited charging pump is runoing at the time, of the fire.
Starting of additional charging pumps can cause inoperability of additional pumps. Spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurous ESFAS signal.
Spurious isolatinfn - CCWv c61ing to' the letdown peat exchanger 14 RWST Drain Down via Containment Sump Spurious opening of iiltiple series" containment sump valves Scenario causes RWST drain down to the containment sump.
Since typical PFSS analyses do not credit alignment of containment sump, the RWST inventory becomes unavailable for RCS makeup, challenging the RCS Inventory Control Function.
NEI 00-01, Revision 2(c)
January 2008 F
Scenario may be applicab to cý providing suction to the Residua and/or ontainment spray !ui Number ova erquired to sp plant.
tirtment sump va9s leat Removal (RHR) pumps Cerate varies by 15 RWST Drain Down via Containment Spray Spurious opening of containment spray header valve(s), AND Spurious icntainwe spray pyrie's) nd/or RHR punips)
C 7cenaro cuses a purhW IST ra~ind,,ia the__
corit,-+nm~ent spray rfing.The-R'%Tietr ut~
ete to the cntainment sum'p. Since typical PFSS analysesdo not cr-edit alignment of the containment sum-[P te RWVST tinientory is a ssumed unavailable for RCS ni c h* 4en ng the RCS.
tory Co.tro.l Function NJte that either the RHR pumps or the containment spray pumJps ld cause this RWST pumped diversion to the spray Note that the spurious pump starting can occur for several reasons, including fire damage to control circuitry or spurious ESFAS sianal.
16 Interfacing System LOCA Spurious opening of multiple series RHR suction valve from RCS Scenario causes interfacing system LOCA, challenging the RCS Inventory Control Function.
NEI 00-01, Revision 2(c)
January 2008 The valve operaters are during normal plant op'e each valve would gener tnaintained de-energiýZd spurious operation of e three proper phase hot Note B&p*6anfts have three vaves' From a Fire R*A _ip isnterfacing system LOCA
.scenario geneisll~y creens biifat least two series valves are normally de-enerzed.l 4
FrmP, nalysis perspective,' this is classified~
as high/ilow*pressure interface and maintaining the v s.vt*s de energized generally complies wth fire protection regulato#r Scenari**causes loss of RCS inventory through the pressurizer P.
PORys, challenging the RCS Inventory Control Function.
Scenario also causes pressurizer depressurization, challenging Multiple Spurious opening Of Mltiple (two or 4 the RCS Pressure Control Function.
CE 17 surtizer three) Pressurizer P*Vs with W
17 resuriercorresponding block vatl esin PORVs normal, open positiong bc v
Note some CE plants do not have any PORVs. Scenario would not be applicable to these plants.
Note B&W plants only have one PORV. Scenario would not be applicable to these plants.
G-44
NEI 00-01, Revision 2(c)
January 2008
-J Spurious opening of Pressurizer PORV(s), AND Scenario causes loss of RCS PORV(s), challenging the RC(
Scenario also causes pressui the RCS Pressure Control Fu 6ntory through the pressurizer ventory Control Function.
depressurization, challenging B&W CE W
Spurious opening of block valve(s) after it has been closed.
In this scenario, operatoeFs my have closed the block valve either to 1) mitigatea fire-indiicd PORV LOCA or as a 2) pre-emptive action to'prevent PORV LOCA from occurring. The
,first spurious operation is the PORV and the second is the block valve that has been closed.
N
{te that initi3' PORV LOCA, caused by spurious operation of PORV aloin,
!s a single spurious since block valve is normally
'_P e r Scenariocauses loss of RCS*Sinventory through open rrector head ve*tfowpath(s), chHallengingthe RCS Inventory Cont'Ll Function t.
Spurious operation of one head vent flowpath generally requires two spurious operations. Likewise, spurious operation of two head vent flowpaths generally requires four spurious operations.
G45
NEI 00-01, Revision 2(c)
January 2008 Note B&W plants only have one-reavent flowpath.
ot leg vents should also be eviluafed for BeW plants.
From a P perspective, note tha-tthis`Aenario may screen out due to he 1 Sn Y ientor y Ioss rate through these flowpaths. Thenescenai.rnomay also screen ithe eadveni valves are normall~y deenergized From a PFSS aneayis perspective, a head vent LOCA may be acceptable if the av.*Itable makeup mass flow rate exceeds the LOCA mass flow rate.
I Senrarioo casrn tas in-creasing RCS inventory, leading to a water Spurious starting offddpm isAND solid pressurizer and PORV or safety valve opening.
This h*ea h rging mp(s), AN tsscenario challenges both RCS Inventory and RCS Pressure Conýtrol Functions.
B&W CE 20 Excess RCS Spurious opening ofadditional RCS W
Makeup makeup flow paths'(ie., charging injection)
N
+/-
Similar to spurious safety injection signal.
Note that the spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurious ESFAS signal.
G-46
NEI 00-01, Revision 2(c)
January 2008 I
Dpurious opening OT M-) sample valve(s) (i.e., hot leg, pressurizer liquid space, pressurizer steam space, etc.), AND 21 Primary Sample System Spurious opening of inside containment isolation valve, AND Spurious opening of outs*id containment isolatioW,Alve, AND Spur png cf ownstream sample valve(s.,*).
Scenario causes loss ef reactor coolant through the primary sample system, challenigtiig tneJCS Inventory Control Function.
-o3, 1 o ýw llýgerally screen due to requirement f 3+ spuous operations and the small magnitude of the Ilak Alsonote that existing thermal lhydraulic evaluation of loss of coolant through head vents may bound loss of coolant via the primary sample system.
Scenario can be sc.reened from consideration if a manual isolatiovalve orevents the flow. Scenario may also screen if it is wi,,thiri c
loop capable of withstanding expected pressure.
"DECAYHEATRIEMOVAL<
Inadvertent 22 Steam Dumping S
tScenario causes RCS over-cooling. Also, the Spurious opening of multiple' a:*,pheric overcooling can cause RCS shrinkage, causing low steam dump valves upstrearn of Main Steam pressurizer level, and challenging the RCS Inventory Isolation Valve (MSIV)
Control Function.
NEI 00-01, Revision 2(c)
January 2008
'Note that-si dump valve of each individ tiple hot shorts.
W
.Note some B&W not have MSIVs.
-r I
MSIV(s) spurious opening, or failure to close, AND 23 Inadvertent Steam Dumping Spurious opening, or failure to'cOseo downstream steam loads ine
-onden e
r steam dumps, turbine inletdvalves eýc.
Scenario causes RCS over-cooling. Also, the oyere*>ngcain cause RCS *snnkage, causing low prLssuri ýý1r e nd challe,ý°nging the RCS Inventory ConNro! Function-.
110 Note thaltspurious operation of each individual MSIV may requiremOltiple hot shorts.
Nc VI
- OW 14 4k.
If t,
Scenario causes RCS over-cooling. Also, the MSIV ~
~
~ ~
1 byas vaves
_prou peigO vercooling can cause RCS shrinkage, causing low failure tIonad tAND epressurizer level, and challenging the RCS Inventory Inadvertent r
Control Function.
B&W 24 StearnC Dumping Spurious opening, -r Ilre to cosal, of W
downstream steam loads (e.g., condenser steam dumps, turbine inlet aly.*s; etc.)
Note some B&W designs do not have MSIVs.
25 Inadvertent Steam Dumping Spurious operation of main"team header drain valve(s)
Scenario may cause RCS over-cooling. Also, the overcooling can cause RCS shrinkage, causing low pressurizer level, and challenging the RCS Inventory Control Function.
B&W G-48
NEI 00-01, Revision 2(c)
January 2008 CE W
Thermal hydr~i valve flowDath
- rnay show that tle drain ienough to be a oroblem 1-t 26 Turbine Driven AFW Pump Inoperability Spurious isolation of redundant steam supply valves to turbine driven AFW pump Scena4ri causes turbine dri incperaiqhiitv, which challen2 Remova%-l Function.
AFFW pump the Decay Heat Scenarijo isoDlates AFW flow to the steam generator(s),
challengirq the Decay Heat Removal Function.
B&W 27 AFW Flow Spurious closure of multiple.,alves in AFWV CE Isolation pump discharge flow path(s) i or W
~gf oato can occur due topah
)several combi..altons of valve closures in the pump discharge i and/or discharge cross-connect flow paths. Review P,&IDs to identify specific valves.
Spuriouýs lre of steam supply valve(s) to turbine drivenrAFvW. pump, AND B&W 28 AFW Flow CE Isolation Scenario isolates AFW flow to the steam generator(s)
Spurious isolation cf EW pump discharge and causes turbine driven AFW pump inoperability, W
flow path(s) ii challenging the Decay Heat Removal Function.
G-49
NEI 00-01, Revision 2(c)
January 2008 Table.G-2 PWR Generic MSO List ID 2
SCENARIO.
DESCRIPTION
,NOTES PLANT DESIGN Scenario causes AFW flow diversion to a no'-credited steam generator(s), challenging the Decay Neat Removal Function. A steam generator may be "non-credited" by the SSA for a number of reasons einluding unavailability of instrumentation, inoperability AFW Flow Combination of spurious valve operations in of steam dumps on that loop, etc.
B&W 29 Diversion the AFW pump discharge flowpaths to the CE steam generators Scenario maibe a single spurious event in some W
cases.
Also note that plants with unit-crossties may be subject toD f Iodiversion to steam generators for another unitt e
n o
S c* enario may cause AFW pump run out and inoperability, challenging the Decay Heat Removal Function.
a&w 30 AFW Pump Spurious futl;pening of multiple AFVN flow F
CE Run Out control and/orisolation valves CE Note that this scenario may occur even without W
spurious operations if the fail-safe position of relevant
_valves is full open.
31 CST Diversion to Condenser Spurious opening of valves betw "-n the Condensate Storage Tank (CST) and condenser hotwell Scenario causes inadvertent draining of CST inventory to the condenser. This CST inventory becomes unavailable as an AFW source, challenging the Decay Heat Removal Function.
NEI 00-01, Revision 2(c)
January 2008 NOTES In some.;lantthis reqijres spurious operatioof multiplevalvesnr, plants, this only requires spurious operationof oe valve.
OerST draindownpths may exist. P&ID review required-Potential esoL tlon:,Sorne plants may have a standpir-etha,*
prevcntthe CST from draining below a certain, level.
W
- auses RCS over-cooling and/or steam ovetIill, both challenging the Decay Heat V inction. RCS over-cooling can cause RCS and low pressurizer level. Steam generator n affect operability of turbine-driven AFW B&W CE W
Note that the spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurious ESFAS signal.
33 Steam Generator Blowdown Spurious opening of, or fal to close, multiple series steam generat& blowdown valves 4
Scenario causes drain down of steam generator inventory through the blowdown system, challenging the Decay Heat Removal Function.
The number of valves required to spuriously open varies by plant design.
CE W
G-51
NEI 00-01, Revision 2(c)
January 2008 I
-. 4 PLANT B&W plants do no system, so this sc steam generator blowdown not *tno3in~hle to B&.W Potential"Resolution: Scenrao may screen if available AFW"mass 1 ateexce!ds steam generator inventprymass losrthrough blowdown.
34 Secondary Sample System Spurious opening of steam gnratrr sample valve(s) inside containmentAND Spurious opening sflion cutsile containment, ND Spurious openingýgofdownstream samnpie valve(s)
Scenario causes dramdown of steam generator inventoryhtrough the sample system, challenging the Decay Heat Removal Function.
,Frot~n a PRA perspective, scenario will generally screen'due to requirement of 3+ spurious operations and the small magnitude of leak.
I Scenario can be screened from consideration if a manual isolation valve prevents the flow or if the system is closed loop capable of withstanding expected pressure.
B&W plants sample directly from the steam generator (i.e.. not throuah blowdown svsteml B&W CE W
1,RCS PRES$URECONTROL G-52
NEI 00-01, Revision 2(c)
January 2008 Spurious opening of pressurizer spray valve(s),
N.
Scenario caiues a RP challenging the RCS Typical PFSS analys
>hften consider screna rjeajl hreat of core un' ssure transient,'
ire Control Function.
ress this issue; PRAs ligible since there is ho 35 RCS Pressure Decrease B&W CE W
Inability to trip, or spurious operation of, RCP, AND P(-tentirt3'1raridlate for gener ic analysis to evaluate vanous spray
,iy/heatercmbinations and show no adverse imrpact on safeshutdown capability.
Inoperability of pressurizer h~e*ater(s)
Spurious operation of miltipie pressurizer RS
.heaters, AND j"
eB&W RCS c as, e3 a
s a RCS pressure transient, B&C 36 Pressure CE<
36 Preassue nchalijeging the RCS Pressure Control Function. RCS Increase Inoperability r
auxila pressure increase could cause PORV(s) and/or safety W
spray valve(s) to open.
REACTIVTY CONTROL__________________
37 Inadvertent Boron Dilution Unborated water, supply to the RCS can occur due to combmrinatins of the fo'holing:
-Spurious start of reactor makeup pump(s)
(supplies unborated water to the VCT),
Scenario decreases RCS boron concentration, potentially causing reactivity increase, and challenging the Reactivity Control Function.
The reactor makeup flow control valve would normally provide the setpoint flowrate instead of being fully open.
G-53
NEI 00-01, Revision 2(c)
January 2008 damag& o Reactor Protection System S) may prev nfreactor trip. Fo xampe, i shorts may prevent tripping of RPS motor erator sets.
Boiling Water Reactors (BWR) have identified scenarios where fire-induced hot shorts could prevent all control rod groups from inserting when required.
Reference NRC Information Notice 2007-07 (Reference 13).
G-54
NEI 00-01, Revision 2(c)
January 2008 39 CCW Header Isolation t.A,VV "1OW can ue isoiateo via severali combinations of spurious valve *lsljres Pertinent valves include:,
-pump discharge valves,
-pump crosstie valves;.
-CCW heat exchanger in e talves, 'a
-CCW heatexchanger outlt Vales
-CCW heat exchanger crosstie Valves,
-Etc.
Review P*&1sto identify relevant valve combinations.
-I' 4
1 4
40 CCW to Redundant Loads Spurious isolation obf&CO9 cooling t redundant loads (including lube oil roolers, RHR heat exchangers, etic Scenario isolates CCW cooling to redundant loads causing safe shutdown equipment inoperability of redundant trains.
G-5 5
NEI 00-01, Revision 2(c)
January 2008 For examp!lý a plani charging pumps E2 lube oil system thatt train of CCW. If CC
,Pur=ously isolates, t becioe inoperable.
/e two redundcit.
ling pump may;have a by the corresponding both lube oil coolers charging pumps would All be reviewed.
41 CCW Flow Diversion to Non-Credited Loop Flow diversion can occur via sevkra I combinations of spurious valve operati,ý nin the CCW pump discharg ardCCW 1oo0 crosstie flowpaths.
4 Scenai credite of cred iuses CCW flow to be diverted to the non-
)p. This u**imately prevents CCW cooling safe shutdown loads.
- Review PiLDs to identify relevant valve combinations.
.W 42 ESW Header Isolation Emergency SerqiýeA
.!ter (ESW) flo"kw to' credited loads can be isl.atedvia sev-rai combinatiogsof spurious va**T*'.surts.
Pertinent valves
-pump discharge valvies
-pump crosstie valves,
-ESW heat exchanger inlet valves,
-ESW heat exchanger outlet valves,
-ESW heat exchanger crosstie valves, Scenario causes isolation of ESW, which can fail cooling to the CCW system and other safe shutdown components directly cooled by ESW. (e.g., Emergency Diesel Generator (EDG) cooling).
All credited ESW loads should be reviewed for spurious isolation.
G-56
NEI 00-01, Revision 2(c)
January 2008
-i"c.
Review P&IDs to identify relevant combinations.
-~
.4-4 -~
43 ESW to Redundant Loads Spurious isolation of ESW cooling to redundant loads (including CCW heat exchangers, EDG cooling, et risolates ESWVcooling to redundant loads c
fe shutdown eq*uipmen't inoperability of reddrndantuiailns For example, redundant EDGs may be cooled by ESW. If ESW flow to both EDGs spuriously isolates, then both EDGs would become inoperable.
All credited*ESW loads should be reviewed.
ESW Flow I Scen-ar io causes ESW flow to be diverted to a non-Diversion to Flow diversion can occ;u..,j soeral credited loop or system. This ultimately prevents 44 Non-combinations Yf spurious valve ra,'ýi*s in cooling oredited loads.
B&W Credited the ESW purp discharge andloopcrossti Wv i
of credited CE Loops /
flowpat,.
C Systems Review P&IDs to identify relevant valve combinations.
W
- .B&W 4
Emergency Additional component'soad onto credited CE Power diesel generator Scenario causes diesel generator overloading and CE inoperability. Note: Scenario very site specific.
W
____Interlocks may prevent this from occurring.
G-57
NEI 00-01, Revision 2(c)
January 2008 46 Emergency Diesel generator overloading Power I
NOTES Scenarios ca'use diesel gen inoperability. Note: Scenari Interlocks may prevent thes In addition to Scenario 45,0 if prop'erioad sequencingr is causing simnultaneous loadir ontn the EG erator overloa os very site sl e from occurri B&W CE W
ýrloading may also occur yp assed via hot shorts, of multiple components B&W The fire causes startup of the Emergency Diesel 4
Emergency Diesel generator spuriously stirts wýithout Generatcr and spurious isolation of ESW cooling (See Power service water cooling
\\ \\
A Scenarios* 427 &' 44). Running the Emergency Diesel SGeneratorwith a loss of cooling water could trip an-d datnage the diesel on high temperature.
CE Emergency Non-sync'ro*nous paralleling of ED
.with on-48 Power site and off-siýte sources through spurnous Scenario causes damage to diesel generator by B&W breaker operations e
closing into a live bus out-of-phase.
Note: Scenario very site specific. Interlocks may prevent this from CE occurring W
OTHEIRS$CENARIO 7
G-58
NEI 00-01, Revision 2(c)
January 2008 Suctionflow pa hý reviewed for MSC and pump inoperi suction MSO was edited pumps shoutd be s'causing loss of Suction n example of a pump ly identified in which both J RWST outlet valve(s)
Spurious isolation of various pump suction valves
- iTbtl'es pump suction cross-.
ThreeS umps may be supplied from a header that includes several cross If two valves spuriously isolate, the iction from the common header isolated valves can lose suction and T~he spurious operation of idle pumps after suction has b'een spuriously isolated should also be considered.
Spurious pump starting can occur for several reasons, including fire damage to control circuitry or a spurious ESFAS sianal.
I" Discharge flow paths for all credited pumps should be reviewed for MSO scenarios that isolate those flow paths. One example is spurious isolation of two parallel charging injection valves.
NEI 00-01, Revision 2(c)
January 2008 r
VV Another example involv connect valves'.or eF a common dischafre h, cross connect valves. I
.purmp flow feeding the two is-lated valves will Pump discharge cross-
-,IP three pumpsimay feed er that includes several
'o valves spuriously isolate, "non header between the
-t I
4" I.
Spurious isolation of pump discharge flow, AND 51 Generic -
Pump Shutoff Head Spurious isolation of recircu-lýion valve(s)
Scenarj oauses..pump operation at shutoff head and subsequent ionperab'ikty,, *credited pumps should be revie..eiod for this sonanao.
Note thai spurious starting of idle pump(s), in combination WVth isolation of discharge flow and iprecirculation, may cause inoperability of additional
- PUps Spurous pump starting can occur for several rea"sns, including fire damage to control circuitry or a spurious ESFAS signal.
Spurious isolation of HV to cr editd loads YV 52 Loss of HVAC Perform review to identify spurious failures that could cause isolation of HVAC to credited loads. Credited loads may include pump roon~s, switchgear rooms, and rooms containing solid state control systems.
Examples of spurious failures include spurious damper isolation and spurious isolation of cooling flow to chillers.
NEI 00-01, Revision 2(c)
January 2008 ri(
Spurious motor-operated valve operation, AND General scenario is hat fr damage to motor-operated valve circuitry causes spurious operation. If the same fire causes wire;to-wire short(s) such that the**vave torque and limiit switches are bypassed, then the vaIve motor may stall at the end of the valve cycle.
This can cause excess current in the valve motor windings as I.w a valvs mechanical damage. This mecnaicaldamage may De sufficient to prevent manui;l Oeration of Ith valve.
53 Valve Inoperability Wire-to-wire short(s) bypas torque and liit switches B&W CE W
Scenario c'nly applies to motor-operated valves.
Note this generic issue may have already been addressed during disposition of NRC Information
- Notice 92-18 (Reference 14). This disposition should be reviewed in the context of multiple spurious ts.
G-61
NEI 00-01, Revision 2(c)
January 2008
-4 54 Fire-Induced Spurious ESFAS Fire-induced spurious ESFAS signals (e.g., safety injection, containmiet isolation, etc), combined with other fire-induced failures, can adversely affect safe shutdown capabilimti i1A example of a fire-induced ESFAS signal is a fire causing open circuits on 2,3inam
ýteam pressure ins ments on one loop resulting in a spurious safety injection signal. ESFAS signalý n result from open circuits, shorts to ground, and/or hot shorts. Fire-induced failure of insriume, ern, may also cause spurious ESFAS signals. The plant should perform a systematic re, to asses the potential for fire-induced spurious ESFAS to adversely aff e~t fe shutdown capa*b iy Below are some examples.
RCS 54a Makeup Safety injection signal starts multiple RCS makeup Pump Spurious su MpAmps.
Fire causes makeup pump suction valves to B&W Inoperability
\\fail closed. Scenario results in cavitation /
CE Spurious isolationc,, makeup pump suction inoperability of multiple RCS makeup pumps.
W Spurious containent isolation siginalisolates CCW to the thermal bam heat ex,angers Loss of all for all RCPs, AND B&W 54b Seal Cooling CE Spurious isolation of seal injOction header Scenario causes loss of all RCP seal cooling and flow subsequent RCP Seal LOCAK W
G-62
NEI 00-01, Revision 2(c)
January 2008 Spurious containment isolation signal isolates CCW to the thermal barrier heat exchangers for all RCPs, AND 54c Loss of all Seal Cooling B&W CE Spurious opening of charging injection valve~s'/causina insufficient flow to seals Scenario causes loSS ofc subseCient RCP Seal Li CP seal cooling and W
vales usinri insfficien.
fow to seal I
-I.
RWST Drain Down Scenari cuss p~numped R'1ST drarin do6,,r via the1 and roi~et
'~
Spurious high containment pressure on multiple channels causing spurious containment sorav sianal**
5 e PO RV(s).
Open Spurious high pressurizer presre on Spurious high pressurizer pressure signal causes B&W multiple channels causes high pressurizer PORV(s) to open and challenges the RCS Inventory CE pressure signal 7 and Pressure Control Functions W
G-63
NEI 00-01, Revision 2(c)
January 2008 APPENDIX H REQUIRED FOR HOT SHUTDOWN VERSUS IMPORTANT TO SSD COMPONENTS H-1.0)
Introduction:
The purpose of this appendix is to define required for hot shutdown components versus important to safe shutdown components. The reason for the distinction between these two (2) groups of components is that required for hot shutdown component's tire protection features eeiinpeients are governed specifically by the requirements of Appendix R Sections II.G.l.a and III.G.2, whereas, important to safe shutdown component's protection ce+Amr+ieft,-are not directlyi addressed in terms of specific fire protection features under Appendix R III.G..
or piants required by lofFR50.48 to miet the requirements of Appendix *'RSection IIl.G, the only available mitigating actions for addressing fire-induced impacts to the circuits for the required fdorhot shutdown components governed by Appendix R Sectioji11.G. 1, other than re-design, re-routing, exemptions or deviations, is protection of thee*cirMuits under using the specific fire protection featuresthe requirements required by-of Appendix R Section III.G.2. For fire-induced impacts to circuits fori iponents classified as important to safe shutdown components, additional mitigating_
ienre availabltdefined in this appendix and within the body of NEI 00-01a H-2.0)PDefinitioni This appendei'
'rovides a efinition of the required for hot shutdown components and important L sOte Ihutdownicomponents.
Thquire 1 *I It cponents are those components on the required
-Ufe t
gwn i for a paiticular fire area that are designated to perform the followigA fe hu i fiinctions: reactivity control, pressure control, inventory control, de'cav ht rý'e al, process monitoring, as defined in NRC information Notice 84-09 an'l support systems, including electrical power, component cooling
'Ind lube oil co!ýling.
>jBase'd oni the !I3WROG *b~ite7 Paper on N-RC-F i'Q007-07,_post-fire, safe-shutdown
.... e r h n circuit analysis-ar required to assure the reactivity control Ifun For the remaining required for hot shutdown functions, fire-induced impacts to circuits for any required for hot shutdown components must be protected by a means meeting the requirements of the appropriate section of Appendix R or kpproved licenrsing ha p
'-plants),.--The use of operator manual actions is not allowed to mitigate the effect of fire-induced circuit damage resulting from a hot short, a short-to-ground or an open circuit. Re-routing or re-design of components and/or circuits may be used to eliminate safe shutdown impacts. Deviation or exemption requests may also be used.
H-1
NEI 00-01, Revision 2(c)
January 2008
" [Fhose PTIAC Conipoiiexits forwic~~Yh ýir alnalysis L~inidn~srt lc feasibl*yý of longeid im manual actiinsiý suca s1 openl door to provide roomn cool*n gare classfioedare required oitsutdouwconponentsj
" Fire-induced circuit damage to valves resulting in a flow diversion from the main flow path for a required for hot shutdown systems are classified as required for hot shutdown components. Only when an engineering evaluation concludes that a flow diversion will not impact the required safe shutdown function can these components be re-classified as,ip~orant to safe shutdown.
Each flow path is to be evaluated individua Ily Totbe re-classified as an important to safe shutdown component, th diversion must meet the following criteria:
o AIf a,,\\- i Of the IIOw (Ie\\ C ss10 A 01C VJIVe:HI th1el 74w01on psath ppi he sat of th fire; i-iAustttakes longer than) hour3 ' f or anir of thef tI o, I hIL:hld conditions to be imet Ihen a valve woukl haracterizeil as important to safeshutdo1n lor multiple series vakces in a tlo\\% divrs~
i~h the first'valve isiýsumed to be o0p ed1 gt Ith starLft Of til l(A 1 II d i ~ld1ý ý Ih gi~ntefie l~b assu ed~
b ffected a~imezr*+F modelilnu lay u l tocdetermoi nme amount of tie,requiim0OL anysumi s Since thie threshold criteri 'lied
,elIII dIot be exceeded until all series valves in a gron flwA diversionl ~piIh areC oeethe time detcmiined throug_,ihfire modefing-, 1,,pen sbeun valves mrmayac :fLfitcd partofth requiitimC>to the 1
e0 e d
Cfoth r shot hiutd~
NOt' systemntoformio Ion [III: d efiniOTIo0of tiW 'L
- I*f fothen itI
- Core Da11mage (PCIV 00F w d rsof the Priicaifr% Coelant Boundary Rvupte Of theL PI'M11ry1,Containment.
oIf the L. aluation indicates that there is no impact to the required for hot shiutdown system to perform its required khfe shut~down finiction, then it_
th ow diversion is classified as "non-impacting". The lack of impact can be as a result of a quantitative evaluation addressing the parameters described above or as a results of a qualitative evaluation related to the small size of the flow diversion path, e.g. flow diversion paths < 1", or the flow diversion path having no adverse consequence, e.g. flow diversion through the Suppression Pool Spray line in a Mark II BWR when RHR is being used in the Suppression Pool Cooling mode.
3 The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> criterion is based onNUREG 1852.
H-2
NEI 00-01, Revision 2(c)
January 2008 The threshold criteria described above should be viewed as a measure of risk of the flow diversion to post-fire safe shutdown as opposed to an acceptable time frame for performing an alternate mitigating strategy.
Even though the threshold criteria described above may not be exceeded for a period in excess of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the use of an operator manual action as a mitigating measure for a particular flow diversion must still justify that there is sufficient time to diagnose and perform the operator manual action. For example, if the threshold criteria are ot exceeded for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, but the only available operator manual action qýuld take 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to accomplish, the use of the operator manual ic on would not be justified in this case.
o Any impacts associated with simultaneh s flow tss through multiple flow diversion paths on the same required, safe shutdoi -ystem should be captured as a part of the MSO review.
o In evaluating flow diversionis
&ion should aksos1,citici [0,e eC Ath:
f 1ve s1n o 1
1the disc__
ýtem d the.
potential for a subsequent waterhammer:
> Fire-induced damage otoassocmited circuits oncern for a breaker off of a bus for a required c0mponent' are classified as required components.
Coordination is required fr, these ereakers.
Circuit, for required for hot sutdown cm*ponents are classified as required fornot shutadowii circuits.
> Important1 safe shutdown comporents are all components not classified as
.required for[ 'hotshlutdon ompon'ents. Important to safe shutdown components
- ciii:ha ct post-fife safe shutown in other ways, e.g. flow diversions off of tanks providingaucto 1isurce for a required for hot shutdown pump.
Circuits or, imp oi
't to SSD components are classified as important to SSD circuits.
- Refer to]Fiure H-1 f a pictorial presentation of this information.
H-3.0) Regulatory BasI H-3.1 Required for Hot Shutdown Components:
The origin for the requirements associated with required for hot shutdown components is Appendix R Section III.G. 1.a. Appendix R Section III.G. 1.a requires that one train of systems necessary to achieve and maintain hot shutdown be "free of fire damage".
The information in italics is intended to be wording taken verbatim from the Code of Federal Regulations.
NEI 00-01, Revision 2(c)
January 2008 III. G. Fire protection of safe shutdown capability.
- 1.
Fire protection features shall be provided for structures, systems, and components important to safe shutdown. These features shall be capable of limiting fire damage so that.
- a.
One train of systems necessary to achieve and maintain hot shutdown conditions from either the control room or emergency control station(s) is free of fire damage; and
- b.
Systems necessaiy to achieve and maintain cold f*rom either the control room or emergency control station(s) can be rpiredwithin 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
If circuits for the components required to perforth liot shutdo ctions on the systems selected for safe shutdown in any firpTL11ea coul(dbe damage he fire, then protection of these circuits in accordance %vi ithe requIiements of Appd Section III.G.2 is required.
H-3.2 Important to Safe Shutdown Coiipnents7 Important to Safe Shutdown coMPONCl
,et described m Paihgraph 111G.1 of Appendix R not specifically addressed in AppcdiLx R1%'
)
aP h IIIG. 1 reads as follows:
Fire protection f4 Oi~ill be providdr for structures, systems, and components important to c4, shutdown n,
Paragraph III.GI1 1 evdoes not specifitally describe the requirements for the fire protection features c
in 1
p)tant to safe shutdown components. Because o [IIIli1,oe Id selng the fire protection features that can be used to
- rfrtigate the 1
of fire ced damage with the potential to impact the required cumponents.
H-4.0 Requied for Hot ankiIportant to Safe Shutdown Components H-4.1 Criteriao gregag Required Safe Yuiatdown Components:
" Review the safe shutdown methodology for each fire area.
Identify those systems being used to support each of the required hot shutdown fumctions.
" Identify the components required for those systems to be able to perform the required safe shutdown function for the system.
" Identify the potential flow diversion off of the systems being used to perform the required safe shutdown functions.
H-4
NEI 00-01, Revision 2(c)
January 2008
" Evaluate whether or not the size of the flow diversion can impact the ability to achieve and maintain safe shutdown based on the threshold criteria provided above.
" For flow diversions where the flow diversion size exceeds the threshold criteria in less than or equal to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, classify the flow diversion component as a required for hot component. Classify the remaining flow diversion components as important to safe shutdown or non-impacting depending on whether the flow diversion needs to be isolated using an operator manual action or its affect can be tolerated.
" Identify the power supplies for each of required safe shutdownr components.
" Identify the circuits for all breakers coming off of a bus pod<cing a required safe shutdown component.
" Determine if these circuits represent associated circis concern.
- Provide breaker coordination for all breakers asscited ý,thssociated circuits of concern.
7
" component cooling and lube oil cooling (te afcdiscussed ab ye For any component classified as a requirq oponen,,lassify its power for both motive and control power as required safc tdom, nponents forihe particular fire area under review. Any cable required fori the o.ration of this set of components is a required safe shutdown cable.
Important to Safe Shutdown Componetsr
" Component, other than those des'ibed 0,vc, ose~efire-induced spurious operation can cause a flOýJib ý ye sion with the1pdtemlal to jlnact a system performing one of the required safIe sih don fimctions an impoitant to safe shutdown component.
" Any comj),Aent hose foire-induced spurious operation can cause a flow loss from the RPV or froim atank providing a suctioii rce for a system performing a required safe shutdown cti n anpjTon1jL) safe shutdown component.
" A cot ith 1t(
al*otit Ia loinpact a system performing a required safe lautdown tionc t is not classified as a required component is classified as an important to -sfeshUItd wo
-i ponent.
C, sablessociated ":hdthe important to safe shutdown components described above are class1:fi'i,!kas importarntto safe shutdown circuits.
H-4.2 AcceptabliNI ing Tools Required SafelShutdown Components:
" Assure they are free of fire damage by re-routing or re-designing the component or circuit.
" Protect the circuits in accordance with Appendix R Section III.G.2.a, b or c.
" Process a licensing change in accordance with the licensee's current licensing basis (CLB) to demonstrate the acceptability of the condition. Tepend) onictgIange and the lfeicsý ieLL:sýCLB, NRC approval of the hange inay rpied H-5
-NEI 00-01, Revision 2(c)
January 2008 o Ptrfni a rislkm M 5ied dalysis usmig the tol% ailable.for impointo saýýfeshutdowncom iponentsi!hinaccordance Yxt Regu 1c,latory Gud& I1-4~7 Important to Safe Shutdown Components:
" Either protect as outlined for required safe shutdown components above, or
- Use a feasible and reliable operator manual action with defense-in-depth.
- Use fire modeling analysis with defense-in-depth, or
- Provide a license amendment to use a focused-scope4ire PRA to justify the acceptability of the condition using the criteria i Chlapter 5 with the proper NRC approval.
ii H-6
NEI 00-01, Revision 2(c)
January 2008
NEJ 00-01, Revision 2(c)
January 2008
NEI 00-0 1, Revision 2(c)
January 2008
NEI 00-01, Revision 2(c)
January 2008 Power Source: Diesel Generators or Offsite Power 4.16 KV Bus F
2 II Pump DC ControlCict r--r 12 40 VPa Disribtio
[ane Note I the mair to be re compon requirer conside scheme:
of Cono