ML071210341

FPIP-0105, Revision 0 Safe Shutdown Circuit Analysis.
Person / Time
Site: Harris
Issue date: 04/13/2006
From: Began K, Ertman J
Nuclear Generation Group, Progress Energy Carolinas
To:
Office of Nuclear Reactor Regulation
References
FPIP-0105, Rev 0


Text

Information Use

FIRE PROTECTION INITIATIVES PROJECT
PROJECT PROCEDURE FPIP-0105
SAFE SHUTDOWN CIRCUIT ANALYSIS
REVISION 0

Prepared By: Reichle, Stephen (2006.04.12 12:15:13 -04'00')
Reviewed By: Began, Keith (2006.04.13 10:45:17 -04'00')
Approved By: Ertman, Jeffery (2006.04.13 18:58:28 -04'00')

FPIP-0105 Rev. 0 Page 1 of 30

TABLE OF CONTENTS

SECTION  PAGE
1.0 PURPOSE  3
2.0 REFERENCES  3
3.0 DEFINITIONS  4
4.0 RESPONSIBILITIES  7
5.0 PREREQUISITES  8
6.0 PRECAUTIONS AND LIMITATIONS  9
7.0 SPECIAL TOOLS AND EQUIPMENT  9
8.0 ACCEPTANCE CRITERIA  9
9.0 INSTRUCTIONS  9
  9.1 Safe Shutdown Circuit Analysis Data  9
  9.2 Circuit and Cable Selection  9
  9.3 Safe Shutdown Circuit Analysis  14
  9.4 Revised Design Method (RDM) Safe Shutdown Circuit Analysis  16
  9.5 Common Power Supplies and Common Enclosures  16
  9.6 Fire Barrier Review for Embedded Conduits (HNP and RNP Only)  17
  9.7 Multiple High Impedance Fault  18
  9.8 Raceway Verification (BNP Only)  18
  9.9 Documentation  18
10.0 RECORDS  18
ATTACHMENTS
  1 RNP - Additional Information  19
REVISION SUMMARY  30

1.0 PURPOSE

The purpose of this procedure is to provide requirements for the preparation, or updating, of a site specific fire protection / safe shutdown circuit analysis under the NGG Fire Protection Improvement Initiatives Project. The initial preparation, validation, and completion of the safe shutdown circuit analyses for each of the NGG plants was performed during the Safe Shutdown Analysis (SSA) update process carried out under Task 5 of the Project by Sargent & Lundy. However, it is anticipated that during the remaining course of this Project, tasks performed by Progress Energy may require additional analyses to be prepared, or existing analyses to be revised, to account for additional systems or components that may be added to the safe shutdown model.

Therefore, this procedure will remain an active project document for the remainder of the Project.

This procedure is provided to ensure compliance with the requirements of 10CFR50 Appendix R, or the guidance of NUREG-0800, unless a plant has been granted specific exemptions/deviations from the requirements/guidance in these documents by the NRC.

The Fire Protection Initiatives Project has issued this procedure for the purpose of providing project level guidance during transition of the Progress Energy nuclear plant fleet to NFPA 805. At the completion of the tasks covered by this procedure, it will be cancelled or converted to a NGGC procedure as appropriate.

2.0 REFERENCES

2.1 NGG Fire Protection Program Improvement Initiatives Project Plan
2.2 FPIP-0100, Fire Protection Initiatives Project, Project Controls
2.3 Software Requirements Specification (FSSPMD - all except CAFTA processing), Rev. 2, Dated 02/02/2006
2.4 Fire Safe Shutdown Program Manager Database, Users Manual
2.5 Quality Assurance Program Manual, NGGM-PM-0007
2.6 EGR-NGGC-0102, Safe Shutdown/Fire Protection Review
2.7 NEI 00-01, Guidance for Post-Fire Safe Shutdown Analysis, Revision 0, dated May 2003
2.8 EGR-NGGC-0003, Design Review Requirements
2.9 EGR-NGGC-0017, Preparation and Control of Design Analyses and Calculations
2.10 CAP-NGGC-0200, Corrective Action Program
2.11 10CFR50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979
2.12 NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 9.5.1, Fire Protection Program, Revision 3, July 1981
2.13 Generic Letter 81-12, Fire Protection Rule
2.14 Generic Letter 86-10, Implementation of Fire Protection Requirements
2.15 EDC-5, Rev. 3, Electrical Design Criteria - 10CFR50 Appendix R Compliance Review (CR3)
2.16 Sargent & Lundy (S&L) Circuit Analysis Project Instructions
  • PI-SSA-HNP-0005, Establish Site Specific Fire Protection / Safe Shutdown Circuit Analysis, Rev. 0 (prepared for use at HNP)
  • PI-SSA-NGG-0005, Establish Site Specific Fire Protection / Safe Shutdown Circuit Analysis, Rev. 2 (prepared for use at BNP, CR3, and RNP)
2.17 FPIP-0104, Safe Shutdown Equipment List and Fault Tree Logics
2.18 Sargent & Lundy (S&L) SSEL and Fault Tree Logics Project Instructions
  • PI-SSA-HNP-0004, Validate Safe Shutdown Equipment List and Logics, Rev. 0 (prepared for use at HNP)
  • PI-SSA-NGG-0004, Validate Safe Shutdown Equipment List and Logics, Rev. 2 (prepared for use at BNP, CR3, and RNP)
2.19 Sargent & Lundy (S&L) Design Information Transmittal (DIT), Safe Shutdown Circuit Analysis - Coding, Definitions, Abbreviations, Notes, Judgments, and Other Analysis Nuances, Details, and Design Inputs:
  • BNP: BNP SSA-301E-0, dated 04/20/2004
  • CR3: CR3-SSA-301E-3, dated 11/24/2004
  • HNP: PE-SSA-HNP-101E-1, dated 09/23/2003
  • RNP: RNP-SSA-221E-2, dated 01/27/2006 (see Attachment 1)

3.0 DEFINITIONS

NOTE In addition to the definitions provided in this section, there are additional terms included in the Reference 2.19 S&L DITs that need to be understood to perform tasks under this procedure.

3.1 Alternative Shutdown: A post-fire shutdown approach requiring utilization of non-standard operational practices or plant system or component modifications.

3.2 Any-and-All/One-at-a-Time: All potential spurious actuations that may occur as a result of fire in a single fire area must be addressed and prevented, or their effects must be appropriately mitigated, on a one-at-a-time basis. That is, in evaluating non-high/low-pressure interface components, the analyst must assume that any and all spurious actuations that could occur, will occur on a sequential, one-at-a-time, basis. For each fire area, the analyst should identify all potential spurious operations that may occur as a result of a postulated fire.

While it is not assumed that all potential spurious actuations will occur instantaneously at the onset of fire, the analyst must consider the possibility that each spurious actuation will occur sequentially, as the fire progresses, on a one-at-a-time basis. If not appropriately prevented or mitigated, such sequential failures could result in concurrent failure of multiple devices.

3.3 Associated Circuit: In the context of post-fire safe shutdown analysis, an associated circuit is defined as any circuit that can, through adverse interaction, indirectly affect proper operation of critical equipment/systems due to a shared power supply, shared raceway, or spurious operation. Associated circuits result as a consequence of:

  • Inadequate electrical coordination (common power supply associated circuit)
  • Inadequate circuit overcurrent protection (common enclosure associated circuit)
  • Undesired component operation (spurious operation associated circuit)

Associated circuits are those circuits that are not necessarily required to operate safe shutdown equipment, but whose fire-induced mal-operation could have a detrimental impact on the safe shutdown capability. Note that for some cases, an associated circuit for one function is also a required cable for a different function.

3.4 Cable

In this context, the term cable refers to assemblies designed to conduct electrical current. Hence, a cable is an assembly of one (single-conductor cable) or more (multi-conductor cable) insulated electrical conductors (generally copper, copper alloy or aluminum) that may or may not be surrounded by an outer jacket.

(This definition excludes fiber-optic type cables that are not of interest in the current context.)

3.5 Cable Failure: A cable that is unable to perform its required function.

3.6 Cable Failure Mode: The mode by which a conductor or cable fails due to a fire.

The four modes of cable failure are:

  • A loss of conductor continuity is a physical break in the conductor that will result in electrical energy being unable to reach the intended circuit destination (i.e., an open circuit).
  • A short circuit of one or more conductors to ground results in the diversion of electrical energy to ground. Electrical ground may be either external to the cable or one or more of the cable conductors.
  • A conductor-to-conductor short circuit without ground may result in the diversion of electrical energy from one conductor (the source conductor) to one or more unintended conductors (the target conductor(s)). In Fire Protection Circuit Analysis, this has been referred to as a hot short.
  • Conductor insulation resistance degradation may result in the partial diversion of the available electrical energy to an unintended conductor path. Electrical ground may or may not be involved. In Fire Protection Circuit Analysis, this has been referred to as a high impedance fault.

3.7 Circuit

A conductor or system of conductors through which an electric current is intended to flow. In this context, the term circuit refers to a system of electrical cables, wires and devices whose boundaries are an isolation device and all downstream cables, wires and devices. For some circuits, the boundaries are isolation devices both up and downstream from the circuit.

3.8 Circuit Analysis: The process of identifying cables and circuits that, if damaged by fire, could prevent a required component from performing its intended design function.

3.9 Conductor-to-Conductor Short: An abnormal connection (including an arc) of relatively low impedance between two conductors. A conductor-to-conductor short between an energized conductor of a grounded circuit and a grounded conductor results in a ground fault. A conductor-to-conductor short between an energized conductor and a non-grounded conductor results in a hot short. A conductor-to-conductor short between an energized conductor of an ungrounded circuit and the return conductor(s) has the same functional impact as a ground fault.

3.10 Current Design Methodology (CDM): The CDM is as defined in Progress Energy Fire Technical Position, Fire Induced Circuit Failure - Circuit Analysis.

3.11 Fire Induced Circuit Failure (FICF) Effects (e.g. Circuit Failure Mode): The manner in which a circuit fault is manifested in the circuit. Circuit failure modes include loss of motive power, loss of control, loss of or false indication, open circuit conditions (e.g., a blown fuse or open circuit protective device), and spurious operation. The FICF is further defined in Progress Energy Fire Technical Position, Fire Induced Circuit Failure - Circuit Analysis.

3.12 Ground Fault: Synonymous with short-to-ground.

3.13 High/Low Pressure Interface: Reactor coolant boundary valves of which spurious operation as a result of a fire could (1) potentially rupture downstream piping on an interfacing system, or (2) result in a loss of reactor coolant inventory in excess of the available makeup capability.

3.14 Hot Short: A conductor-to-conductor short in which an energized conductor (source conductor) shorts to a separate, ungrounded conductor (target conductor). A hot short is characterized by an abnormal connection between conductors that does not produce a high fault current because of inherent impedance in the connection path attributable to circuit components. A defining characteristic of a hot short is that it is not detectable by normal circuit protective devices and thus will not trigger an overcurrent protective action. A hot short has the potential to cause undesired energization of components connected to the target conductor (i.e., spurious operation); however, the term hot short is not synonymous with the term spurious operation.

3.15 Primary Circuit: In the context of post-fire safe shutdown analysis, primary circuits are those circuits that are required to operate safe shutdown equipment, and whose fire-induced mal-operation could have a detrimental impact on the safe shutdown capability. Note that for some cases, an associated circuit for one function is also a primary circuit for a different function. Reference 2.6 also refers to the cables within the circuit as Required cables.

3.16 Normal Safe Shutdown: A post-fire approach that operates one of two normal safe shutdown trains from the control room that does not utilize non-standard operational practices or plant system or component modifications.

3.17 Open Circuit: A loss of electrical continuity in an electrical circuit, either intentional or unintentional. As applied to wire and cable, open circuit faults may result, for example, from a loss of conductor continuity or from the triggering of circuit protection devices (e.g., a blown fuse or open circuit breaker).

3.18 Safe shutdown circuits: Circuits required to support the operation of a credited post-fire safe shutdown component in a particular fire area.

3.19 Revised Design Method (RDM): The RDM is as defined in Progress Energy Fire Technical Position, Fire Induced Circuit Failure - Circuit Analysis.

3.20 Shall: Denotes a requirement or a mandatory activity.


3.21 Shield: A conductive sheath or wrap around an insulated conductor or group of conductors within a cable. A shield is typically formed from a metallic ribbon, a braided sheath of metallic wires, or a composite metal coated tape. Shields are commonly applied where electromagnetic interference is a potential concern, either as a source (e.g., power cable) or a target (e.g., control, communications and instrument cables).

3.22 Short Circuit (general): An abnormal connection (including an arc) of relatively low impedance between two conductors or points of different potential. A short circuit might involve a ground fault or hot short, as applied to control circuit failures.

3.23 Short-to-Ground: A type of short circuit involving an abnormal connection between a conductor and a grounded conducting medium. The grounding medium refers to any conduction path associated with the reference ground of the circuit. This might include structural elements (tray, conduit, enclosures, metal beams, etc) or intentionally grounded conductors of the circuit (neutral conductor).

3.24 Should: Denotes an expected action unless there is justifiable reason not to perform the action.

3.25 Source Conductor: The energized conductor of a hot short - the conductor representing the source of energy.

3.26 Spurious Operation: An operational occurrence initiated (in full or in part) by the failure(s) of one or more components (including cables) in a system.

3.27 Target Conductor: The non-energized conductor of a hot short - usually connected to one or more circuit components.

4.0 RESPONSIBILITIES

The roles of the Safe Shutdown (SSD) Engineers and the Site Safe Shutdown (SSD) Engineer may be flexible depending upon the needs at the particular site when a circuit analysis is being prepared or modified. The responsibilities outlined in this procedure assume that the SSD Engineers assigned to support this effort, and working for the Site Safe Shutdown Engineer, would perform the role of the Preparer. However, this does not preclude the Site SSD Engineer from serving in the role of a Preparer with another SSD Engineer serving as the Reviewer.

In the event the Site SSD Engineer prepares or reviews a circuit analysis, the responsibility for approving the completed analysis should be performed by the Site Fire Protection Initiatives Project Coordinator.

NOTE In addition to the requirement for having completed the required (post-fire) Safe Shutdown Engineer qualification guide at the specific plant, the Engineer(s) assigned to perform certain circuit analysis reviews may also need to have completed the plant's Electrical Engineer qualification guide to perform work under this procedure. This determination will be made by the Site Safe Shutdown Engineer.


4.1 Safe Shutdown Engineer

4.1.1 Maintain, or have access to, plant and industry guidance documentation related to the current post-fire safe shutdown circuit analyses maintained in the FSSPM.

4.1.2 As necessary, review the post-fire safe shutdown documentation to determine the impact of any proposed changes (either to the plant or the post-fire safe shutdown model) to ensure that the circuit analysis remains valid.

4.1.3 Document in the circuit analysis any assumptions that were made, and cite references as applicable.

4.1.4 Review the common power supplies and common enclosures analysis as necessary to ensure that it remains valid as changes are made to the plant and SSA.

NOTE Cable-to-raceway correlations are not included with the HNP FSSPM.

4.1.5 When additional cables are to be added to the FSSPM, validate that the safe shutdown cables, along with their raceways, are correctly correlated to their fire zone (or fire area). Update the analysis for new cables and equipment.

4.1.6 Ensure that site specific short circuit and coordination calculations changes are captured as necessary to fully document where coordination is credited for post-fire safe shutdown.

4.1.7 Ensure that the Site Safe Shutdown Engineer is aware of any changes to the FSSPM(D) as a result of revisions to the circuit analysis.

4.2 Fire Protection Engineer

4.2.1 Review any embedded conduit configuration that contains safe shutdown cables to ensure that the embedment material provides adequate fire resistance to protect the cables.

4.3 Site Safe Shutdown Engineer

4.3.1 Maintenance and control of the FSSPM(D) and any changes made to its data.

4.3.2 Perform reviews and approvals of any circuit analysis, or changes to existing analysis in the FSSPM.

4.3.3 Determine which qualification guides need to be completed by Safe Shutdown Engineers assigned to perform work under this procedure.

5.0 PREREQUISITES

5.1 The Fire Safe Shutdown Program Manager database software, along with the station's specific safe shutdown data, shall have completed all required Progress Energy QA/software reviews, and have been accepted, before it is released for use.


6.0 PRECAUTIONS AND LIMITATIONS

6.1 The results of Project Sub-tasks 4.1.6 (Fire Area Analysis) and 4.1.8 (Manual Action Feasibility) could potentially change the safe shutdown circuit analysis.

7.0 SPECIAL TOOLS AND EQUIPMENT

N/A

8.0 ACCEPTANCE CRITERIA

N/A

9.0 INSTRUCTIONS

9.1 Safe Shutdown Circuit Analysis Data

The detailed structure and format of the circuit analysis and cable data in the FSSPM database has been defined by the FSSPM Software Requirements Specification (Reference 2.3). The Software Requirements Specification and the FSSPM database were prepared as part of Task 3 by Sargent & Lundy. The safe shutdown Circuit and Cable Information forms include information relative to the safe shutdown component control circuit and associated cables. Detailed explanation of the forms and data entry requirements can be found in the Fire Safe Shutdown Program Manager Users Manual (Reference 2.4).

The circuit analysis completed by S&L was performed utilizing project instructions specifically written for this task (Reference 2.16). In addition to these instructions, plant specific information and additional guidance was provided in a S&L Design Information Transmittal (DIT) (Reference 2.19). Applicable information from the Robinson Plant DIT has been included in Attachment 1.

Other plant DITs will be included in a later revision of this procedure.

Changes made to the FSSPM(D) shall be controlled and documented following the guidance provided in Reference 2.2.

9.2 Circuit and Cable Selection

The post-fire safe shutdown circuit analysis for each electrically operated safe shutdown component has been documented on the Circuit Information form using the following input criteria, assumptions, notes, definitions and standard abbreviations:

9.2.1 For each equipment item on the SSEL as requiring a circuit review, the corresponding Control Wiring Diagram (CWD) and Block Diagrams (211 series drawings) (for CR3 only) will be reviewed for potentially required circuits and cables. Primary and Associated circuits will be identified. For each potentially required cable, the cable number, function, and insulation type will be recorded on the appropriate FSSPM form.

9.2.2 The power supply buses and any associated circuits identified are recorded in the Power Supplies, Related, Auxiliary, and Other Important Circuits sub-form area of the Circuit Information form.


9.2.3 Components are assumed to initially be in their normal operating position as identified on the Circuit Information form:

  • All relay, position switch, and control switch contacts in the control circuit will be assumed to be in the position that corresponds to the normal plant operating position of that device unless specifically stated otherwise.
  • Test switches in control circuits will be assumed to be in their normal plant operating position.

9.2.4 Automatic logic interlocks and permissives from other circuits (i.e., interposing contacts in control circuits) are to be considered in the circuit analysis. Two options exist for analyzing the effects of these circuits:

1) The contacts can be assumed to be in a worst case position, or
2) The circuits associated with the interlock or permissive can be analyzed and included in the safe shutdown cable selection for the component of concern.

NOTE When considering multiple hot shorts within a circuit, interposing contacts will be assumed to be in their worst-case position in lieu of including the cables for the auxiliary circuit (option 1 above). This approach is conservative and will minimize the number of new cables included in the analysis.

9.2.5 Fire damage to cables and electrical components is assumed to render them nonfunctional with regard to ensuring their proper circuit operation.

The insulation and external jacket material of electrical cables are susceptible to fire damage, as are the materials of electrical components.

Cable damage may assume several forms including deformation, loss of structure and loss of function, cracking, and ignition. The relationship between exposure of electrical cables and components to fire conditions, the failure mode, and the time to failure may vary with the configuration and cable/component type. To accommodate these uncertainties in a consistent and conservative manner, for the deterministic aspects of the circuit analysis it will be assumed that the functional integrity of electrical cables and components is lost at the onset of the event when they are exposed to a postulated fire, except where protected by a fire rated barrier within the fire area, or protected by a radiant energy shield if the cable is located within containment.

9.2.6 Failures of systems, equipment, instrumentation, controls, or power supplies, that are not a direct consequence of the fire, will not be assumed to occur before, during, or following the fire.

9.2.7 Instruments exposed to a fire (e.g., RTDs, thermocouples, pressure transmitters, flow transmitters, and mechanically linked remote/local indications) are assumed to suffer damage that results in failure of the instruments. The instrument fluid boundary associated with these devices will be, however, assumed to remain intact.


9.2.8 Instrument sensing lines for level, pressure, and flow transmitters that are exposed to a fire will be considered to have the potential of causing erratic or unreliable indication.

9.2.9 Instrument circuits (cables) that operate at low signal levels (i.e. 4-20 mA, 0-1 V, 1-5 V, etc.), and are enclosed in a grounded metal shield, will not be considered to be susceptible to hot shorts from other adjacent instrument or control circuits external to the shield. External circuits will be assumed to short-to-ground via the shield and will not have the potential of creating a signal of proper polarity and amplitude to simulate a valid instrument signal.

9.2.10 Instrument circuits (cables) with grounded metallic shields are assumed to be susceptible to short circuits (from conductors within the shield), open circuits and shorts-to-ground. Conductor-to-conductor shorts within the shield could also result in an erratic instrument signal.

9.2.11 Sub-components such as solenoids, pilot valves, relays, switches, etc., have not been explicitly identified in the SSEL. These sub-components have been tied to their primary component (i.e., components listed on the SSEL) via the circuit analysis process that will link circuits associated with sub-components to the primary components. The sub-components are inherently incorporated into the analysis by capturing the field cables that run to the sub-component with the primary component. Failure of sub-components shall be considered in the circuit analysis.

9.2.12 Panel wires that are completely contained within a panel, and do not have cable numbers, will not be explicitly listed as safe shutdown cables.

These wires are inherently included in the safe shutdown analysis in the same manner as sub-components.

CAUTION The safe shutdown analysis may determine as it develops, that certain manual actions to initiate a system or component will not allow for performance goals to be met, and an automatic initiation of a circuit may need to be credited. For example, in certain instances at RNP taking credit for a manual start of the emergency diesel generators was not acceptable as it could not be completed fast enough. As a result credit for the bus under-voltage circuit to auto start the diesel had to be analyzed and credited in the SSA.

9.2.13 Manual initiation of equipment and systems is credited in the safe shutdown analysis. Therefore, circuits associated with automatic system operation (e.g., EDG auto start, AFW auto initiation, etc.) do not need to be identified as safe shutdown circuits unless the circuit could prevent or override manual initiation, or cause spurious operation of the equipment or system. For example, within the EDG auto start and load sequencer circuits, only the cables that can prevent the Control Room operators from manually starting the EDG shall be designated as part of the safe shutdown circuit. However, cables that make up part of the auto start circuit and could cause a spurious EDG operation (e.g., unintentional shutdown, spurious closure of the output breaker, loss of voltage control, etc.) or prevent the EDG from being manually started are to be considered safe shutdown cables in accordance with the guidance in Item 9.2.15 below. This guidance should not be construed to include operator actions that can be taken to mitigate a spurious operation, even if such actions can be taken from the Control Room. For example, circuits that could spuriously reposition a valve will be identified as safe shutdown circuits even if an operator could overcome the spurious operation by manipulating a switch in the Control Room. Should any ambiguity exist, the guidance in Item 9.2.15 shall prevail.

9.2.14 Components with isolation and transfer switches (alternate power or control capability) will be analyzed such that cables associated with the normal and alternate positions are uniquely identified:

NOTES

1. The analysis description provided in this section assumes that the switches are of the break-before-make type construction.
2. The term normal in the following discussion refers to the normal position in which the switch is found, which places control of the component at a remote location (i.e. MCR). The term local refers to the switch being in a position where control of the component has been transferred to a remote or alternate location in the plant other than its normal control location (i.e. alternate shutdown panel, MCC, etc.).
  • For normal safe shutdown scenarios, isolation and transfer switches are not operated during or after the fire and are assumed to be in the normal position. Only cables that affect proper operation of the component with the switch in this position will be identified as safe shutdown cables.
  • For alternative shutdown scenarios, isolation and transfer switches are analyzed in both their normal and local positions since the switches will initially be in the normal position and will be subsequently placed in the local position. Circuits exposed to the fire must be assumed damaged prior to operation of the switch. Only cables that can affect proper operation of the component with the switch in the local position will be identified as alternate safe shutdown cables. However, potential damage to the circuit prior to the switch being operated shall be considered. For example, it must be assumed that control power fuses associated with the normal switch alignment are damaged prior to the switch being actuated, and a redundant set of fuses is generally necessary for the circuit to work.

9.2.15 Components requiring circuit analysis, along with their functional parameters, have been identified in the SSEL (i.e. no check mark in the Mechanical Only field). The functional parameters include normal and required positions, status upon loss of power and air (as applicable), and high/low pressure interface designation. These parameters establish the framework for circuit analysis. Cable selection cannot be performed if any of this information is missing.

9.2.16 Each required circuit shall be evaluated to determine which cables are necessary to support the safe shutdown function of the component. If a fire induced fault of the cable can place the component in a position/condition other than the desired position/condition, the cable will be identified as a spurious (S) safe shutdown cable. If a fire induced failure of the cable cannot spuriously reposition or prevent the desired operation of the component, the cable will not be considered a safe shutdown cable.

9.2.17 In performing the circuit analysis, it is assumed that electrical coordination exists for power supplies. Cables downstream of the coordinated protective devices have not been identified as safe shutdown cables nor included in the circuit analysis for the subject component. This assumption has been validated in the Common Power Supply Evaluation Step (see Section 9.5) below, and any circuits not coordinated will be added back into the analysis.

9.2.18 Except for power supply circuits discussed in Item 9.2.17 above, when electrical coordination is credited for isolation within a specific component's circuit, the specific protective devices that are assumed to coordinate will be documented.

9.2.19 Components for which a circuit analysis is to be performed should not have any assumptions made with respect to the presence, or lack, of motive/control power or supporting air. All functional states of the components shall be considered to ensure that the analysis performed is bounding.

9.2.20 Safeguards Actuation Signals.

(BNP) For components with an Engineered Safeguard Actuation Signal (ESFAS) input, the circuit analysis will include the initiating logic and input circuits associated with each ESFAS contact that are required to support the safe shutdown function for the component or that may cause spurious operation. This will also include input devices and power supplies that are required to support the safe shutdown function or that may cause a spurious signal if lost during a fire.

(CR3) An analysis of the Engineered Safeguards (ES) Engineered Safeguards Actuation Signal (ESFAS) system will include both input and initiating logic circuits. Minimal cable correlations to fire zones and areas will be performed. The following steps are within the scope of the ES analysis.

  • Identify the circuits that could initiate ES / ESFAS and that also leave the Main Control Room and Cable Spreading Room Fire Areas.
  • Perform circuit analysis for the population of ES / ESFAS circuits leaving the Main Control Room and Cable Spreading Room.
  • Correlate this population of cables to fire zone or fire area.
  • Document the bounding analysis. The document should identify the documents reviewed and provide a list of ES / ESFAS cables considered.

(HNP) The Safeguards Actuation signals and circuits are currently (April 2006) being reviewed and evaluated by NISYS Corporation, and the methodology will be included here when it is finalized and available.


(RNP) The guidance utilized to perform the ESFAS circuit analysis at the Robinson plant is contained in Reference 2.19 (also included as Attachment 1 to this procedure).

9.2.21 All circuits that are electrically connected to the circuit under analysis shall be dispositioned by the analysis. A technical basis shall be documented in the Contacts and General Notes field of the Power Supply sub-form on the Circuit Information form in FSSPM(D) whenever a device is credited as providing isolation from other portions of the circuit.

9.2.22 Before starting a circuit analysis, available information on the component and its system should be collected. This information should include system descriptions, system training materials, design basis documents, the FSAR, and other descriptive information, and it will be reviewed before attempting to analyze complex circuits.

9.2.23 Any documents that were necessary to complete the circuit analysis shall be referenced on the Analysis Input Circuit Drawings form in FSSPM(D).

This will include references in addition to the main schematic/control wiring diagrams (CWD).

9.2.24 For each component analyzed, any aspects of the analysis that are unique or not readily apparent will be identified. This will include the rationale used to select or screen out cables when the reason is not clearly evident.

9.2.25 Circuit selection will be completed for each component using the circuit analysis module of Fire Safe Shutdown Program Manager Database.

The Circuit and Cable Information forms have been designed to input relevant information for the circuit analysis on a component-by-component basis.

9.2.26 Reactor Trip is assumed to occur based upon the information provided by the NRC in their Generic Letter 86-10. Therefore, the RPS automatic and manual trip capabilities are not analyzed. Based on this, cables associated with these functions are not included in the overall circuit analysis.

9.2.27 If other trip circuits (Turbine, ESFAS, ESAS, etc.) are to be analyzed, the boundaries for what is to be reviewed need to be defined so that there is a clear understanding as to which input signals are, or are not, included.

9.2.28 In the event cable construction data or information is not available to identify the material used for the jacketing and insulation, a conservative assumption that the material is thermoplastic should be made.

NOTE: Some of the items described in the remaining sections of this project procedure also contain input criteria for the circuit analysis, and vice versa.

9.3 Safe Shutdown Circuit Analysis

9.3.1 The safe shutdown circuit analysis shall be reviewed and updated as necessary for credible circuit failures as a deterministic analysis utilizing the Current Design Method (CDM). These failures include:


  • Multiple shorts to ground or grounded conductor.
  • Multiple open circuits.
  • (RNP) Cable-to-cable shorts are postulated to occur.
  • (HNP) Cable-to-cable shorts are not postulated to occur.
  • (CR3) Hot shorts between two or more conductors are postulated to occur only between conductors within a common cable jacket for most Appendix R applications (i.e., cable-to-cable shorts are not credible).

The only conditions for which cable-to-cable shorts are credited are (1) cables located in the Main Control Room, Cable Spreading Room and Remote Shutdown Room, and (2) circuits used for valves that are relied upon to secure a high/low pressure interface (Reference 2.15).

9.3.2 Within CDM, two types of cable hot short conditions are considered to be of sufficiently low likelihood that they are not assumed credible, except for analysis involving high/low pressure interface components. These hot shorts are:

  • 3-phase ac power circuit cable-to-cable proper phase sequence faults.
  • 2-wire ungrounded dc circuit cable-to-cable proper polarity faults.

9.3.3 Using the following standardized notes, document the selection on the Circuit Information form for the analysis:

Note: A) Referenced Safe Shutdown Associated Circuit (SSAC) and its cables are required.

Note: B) NO other cables are required.

Note B is used when the referenced SSAC and its cables are NOT required for any of the following reasons:

1) The SSAC is the power supply and the safe shutdown equipment does not need power to complete the safe shutdown function.
2) The safe shutdown equipment remains, or fails to the desired state even if the SSAC contact or other automatic devices misoperate.
3) If the SSAC and other contacts in the circuit misoperate, the result can be mitigated by a control switch in the Main Control Room.
4) No other power, control or instrument cables are required to support control of this contact. The device that drives the contact is either manually operated or operates automatically from a direct connection to the process system.

In some cases the A or B notes may require further explanations. In those cases, the explanation shall be provided in the Contacts and General Notes field of the Power Supply sub-form on the Circuit Information form in FSSPM(D).


9.4 Revised Design Method (RDM) Safe Shutdown Circuit Analysis

In addition to the items in Section 9.3 above, credible circuit failures for expanded analysis associated with fire induced circuit failures beyond RDM are described in Attachment 4 of Reference 2.6, and include:

  • Multiple concurrent hot shorts for conductors within a single cable if the cable contains a viable source conductor.
  • Proper polarity conductor-to-conductor 2-wire ungrounded dc circuits where the source and target conductors are internal to the same multi-conductor cable.
  • Two concurrent but independent hot shorts (i.e., different source conductor for each hot short) for any one component.

9.5 Common Power Supplies and Common Enclosures

9.5.1 An evaluation of common power supply and common enclosure associated circuits should be performed as necessary. This task shall verify that the correct cables have been evaluated and that the correct criteria have been selected. If changes are required to any common power supply or enclosure calculation, they should fully describe the change made as a result of this post-fire safe shutdown review, or changes required to existing circuits. Circuits not meeting the required criteria shall be dispositioned. A detailed review of protective device curves should be performed as necessary.

9.5.2 The guidelines that will be used in the evaluation of the common power supplies are as follows:

  • Using the single-line drawings, ensure that all safe shutdown power supplies required have been included.
  • For each safe shutdown power supply, review the following documents (as necessary): existing short circuit calculations, load studies, coordination calculations, protective device setting sheets, and time-current curves, as appropriate, to confirm proper coordination between upstream and downstream protective devices and that they are up to date.
  • In reviewing coordination, electrical system line-ups credited in the safe shutdown analysis shall be considered.
  • For cases in which coordination between series protective devices cannot be demonstrated, a common power supply associated circuit will be assumed to exist. These circuits will be dispositioned by one of the following means:

- Demonstrate coordination by refining the available short circuit current and/or trip device characteristics.
- Demonstrate that the lack of coordination does not adversely affect safe shutdown (e.g., equipment located in same fire area as power supply).
- Identify readily achievable protective device setting changes (including changes in fuse size and/or clearing characteristics) that will establish coordination.
- Incorporate the Associated Circuits and Cables into the post-fire safe shutdown analysis when protection devices do not provide the desired coordination.

  • Site specific short circuit and coordination calculations shall be updated as necessary to fully document where coordination is credited for post-fire safe shutdown. The electrical portion of the Safe Shutdown Analysis Report, to be completed under Project Sub-task 4.1.10, will include a complete description of the common power supply associated circuits analysis, including reference to applicable supporting calculations and documents.

9.5.3 The following guidelines shall be used in the evaluation of common enclosure associated circuits:

  • Perform an evaluation of the common enclosure associated circuits by reviewing design and installation criteria for cable and electrical penetrations. Confirm that cables are adequately protected against short circuits and will not propagate a fire from one fire area to another. In evaluating common power supply circuits the acceptance criteria shall not be limited to standard cable damage temperatures, which are based on not degrading cable insulation (typically 250°C for thermoset cable). Rather, the criteria will be based on not exceeding temperatures at which self ignition or damage to surrounding cables could occur.
  • If a common enclosure associated circuit is determined to exist, the concern shall be resolved by one of the following means:

- Demonstrate by analysis that the cable does not pose a risk to cables within the common enclosure under fault conditions (i.e., the cable exceeds its recommended temperature rise but does not represent a hazard to surrounding cables),
- Demonstrate that the lack of fault protection does not adversely affect safe shutdown,
- Identify readily achievable protective device setting changes (including changes in fuse size and/or time-current characteristics) that will establish cable protection without affecting other performance requirements, or
- Incorporate the cables of concern into the safe shutdown analysis as post-fire safe shutdown cables for the affected power supply.

9.5.4 Existing short circuit and electrical protection calculations shall be updated as necessary. The electrical portion of the Safe Shutdown Analysis Report will be completed by Project Sub-task 4.1.10, and should include a complete description of the common enclosure associated circuits analysis, including reference to applicable supporting calculations, analyses, and documents.

9.6 Fire Barrier Review for Embedded Conduits (HNP and RNP Only)

If additional cables are added to the SSA, and they are routed through embedded conduit, the conduit shall be evaluated to determine if the configuration can provide adequate protection for the cables in the conduit.


For the HNP, the conduit must be evaluated as acceptable per the evaluation done by S&L and documented in the HNP SSD calc HNP-E/ELEC-0001.

9.7 Multiple High Impedance Fault

A multiple high impedance fault (MHIF) evaluation will be performed and will be documented in a calculation. The MHIF evaluation may use the method described in NEI 00-01 (Reference 2.7), or other engineering approved methods.

(CR3 only) Existing MHIF Calculation E96-0001 is to be revised.

9.8 Raceway Verification (BNP Only)

A walkdown will be conducted for a sample size of 60 cable trays, including air drops. This sample size will demonstrate a confidence level and reliability for a population from a few hundred to over 10,000 (Ref. Irwin Miller and John E. Freund, Probability and Statistics for Engineers, Second Edition, Prentice-Hall, Inc., 1977). A separate walkdown of conduits will be performed to document the fire area location of each conduit containing safe shutdown cables. A final report will be generated to document the methodology and results of these walkdowns.

This report will be included in the Safe Shutdown Documentation identified in Section 9.9.

9.9 Documentation

In the event the post-fire safe shutdown circuit analysis or cable selection changes, and these changes affect the results of the Safe Shutdown Documentation, the SSA prepared, or to be prepared, under Project Sub-task 4.1.10 shall be updated.

10.0 RECORDS

N/A

ATTACHMENT 1 Sheet 1 of 11 RNP - Additional Guidance

The purpose of this attachment is to provide additional guidance and define standard safe shutdown circuit analysis - coding, terms, abbreviations, notes, judgments, and other analysis nuances, details, and design inputs not included in the main body of this procedure.

Furthermore, this information is used to provide a consistent level of detail within the Circuit Analysis form. This attachment elaborates on the details provided on the Circuit Analysis form.

The following provides the additional information:

1. Abbreviations:

This abbreviation listing covers some but not all abbreviations. Furthermore, this document will repeat the abbreviation in the written paragraphs below. Some abbreviations use the same codes but have different meanings dependent on where on the form they are used. Some sections will completely spell out the word so that misunderstanding is minimized.

ARC: Another Related Circuit. For RNP the ARC circuits are shown under Support, Power, and Circuit
CWD: Control Wiring Diagram
E-Ckt: Electrical Circuit
FMEA: Failure Modes and Effects Analysis
ESFAS: Engineered Safeguards Actuation Signal
MR-50: Miscellaneous Relay Rack 50
P-Ckt: Primary Circuit
RTGB: Reactor Turbine Generator Board in the Main Control Room
RNP: Robinson Nuclear Plant
SEQ: Sequencer
SFGD: Safeguard
SSAC: Safe Shutdown Associated Circuit
SSCA: Safe Shutdown Circuit Analysis
SSE: Safe Shutdown Equipment
SSEL: Safe Shutdown Equipment List
SSF: Safe Shutdown Function

2. Circuits

2.1. Circuits are characterized, subdivided, and organized into the following groups:

2.1.1. Electrical Circuits, or E-Ckts, are circuits whose boundaries are an isolator and all the downstream cables, wires, and other devices. For some circuits the boundaries are isolators both upstream and downstream of the E-Ckt.

2.1.2. Devices within the E-Ckt include cables, wires, terminal blocks, lugs, relays, contacts, starters, contactors, meters, controllers, switches, diodes, varistors, indicating lights, transducers, annunciators, motors, heaters, power supplies, transformers, etc.

2.1.3. Isolators include protection devices, control power transformers, current transformers, general transformers, transmitters, instrument circuit isolators, power supplies, computer interface devices, optical isolators, relay coil to contact interface, resistor configurations (typically 2500 ohms but occasionally 1200 ohms and higher), etc.


2.1.4. Protection devices include breakers, fuses, overloads, relay protected switchgear, etc.

2.1.5. Transfer switches include two position control switches, dual instrument power supplies, power transfer switches, un-wired secondary circuits, and other types.

2.1.6. Primary Circuits, or P-Ckts, are composed of one or more E-Ckts that are needed for performance of a Safe Shutdown Equipment (SSE) function.

2.1.7. Switchgear bus primary circuits contain the bus up to the breakers, the undervoltage and differential relay circuits, the 125VDC power feed cable and other bus related circuits.

2.1.8. Safe Shutdown Functions (SSF) are only those listed on the Safe Shutdown Equipment List. Examples include powering a pump, changing the position of a valve, closing a breaker, monitoring a critical system temperature or pressure, etc.

2.1.9. Circuit functions that are not SSF unless specifically listed on the SSEL include indicating lights, meters, transducers, annunciators, computer interfaces, alarms, monitors, etc.

3. Circuit Numbering

Circuits, both primary and support type, are numbered with the following general numbering scheme:
  • The major equipment number from the SSEL.
  • The support equipment number from the SSEL.
  • If the circuit is a support type that refers to Standard Note B, then a generic number shown on the CWD can be used. Examples include using the referenced drawing or panel abbreviated name. Examples include MR-50 and 5379-3235.
  • A number that is used based on the information shown on the referenced drawing. This may include the drawing number.
4. Circuit Analysis Form Coding

The Circuit Analysis form incorporates coding and abbreviations in a computerized database. It documents the results from implementing the circuit analysis process performed under Reference 2.16 and this procedure. The following describes the details of the various tables, columns, rows, and other form fields:

CWD: Row:

Refers to the Principal or Main Control Wiring Diagram (CWD) RNP document number B-190628 of the various sheets or Power Distribution Diagram (PD) RNP document number B-190627 of the various sheets. Typically only one sheet number is shown in this field.

Cable Column:

The values in the Cable column refer to the Cable Numbers that form the circuit for the listed equipment. The source of the cable numbers is the CWDs. Numbers were also created to represent bus duct and other cables that have different numbering schemes (like those in the switchyard).


Role Column:

The Role column is left blank. This field may be used by other plants within the Progress Energy Fleet.

Prim / Assoc Column:

P - Primary Circuit. Identifies that the cable is in the Primary circuit for the SSE.

A - Associated Circuit. Identifies that the cable is in an Associated circuit to the SSE. Typically associated cables are from another CWD. Associated cables are included with primary cables when only a few of the cables within the Associated circuit are required for the SSF. When all or most of the cables of an Associated circuit are required for a SSF, the circuit is referred to in the lower portion of the form. See below for more details.

NA - Not Applicable cable. This code identifies that the cable is not designated as a safe shutdown cable for the listed SSE circuit. It does not perform a SSF and the cable didn't need to be listed in the analysis. It is isolated from the Safe Shutdown Circuit. Listing the cable documents that it was reviewed and is no longer required.

Cable Type Column:

The values in the Cable Type column refer to the cable size and number of conductors. The source of the information is the existing plant database CAMS. Generally, this information is the same as shown on the CCL type drawings B-190634 of various sheets, RNP Cable and Conduit List.

Gen. Func. Column:

The values in the Gen. Func column refer to the General Function the cable provides. The codes used are:

General Function Column Codes:

P - Power Cable
C - Control or Instrument Cable

FMEA Columns:

The values in the FMEA columns refer to the results of the Safe Shutdown Analysis as implemented per Reference 2.16 or this procedure. Each failure (i.e., open, short, hot short, etc.) is applied to the cable's circuit and the summary results are documented in the corresponding column. The included FMEA Flow Chart (see Section 12 of this Attachment) elaborates on the details. The analysis considers each different case dependent on the method and other design inputs. The analysis considers cases where transfer switches are in their normal and alternate positions. These various cases are described in detail below:


Exist Basis Column:

The values in the Exist Basis column refer to the cable's SSF classification from the existing (Year 2003) CP&L calculation number FPP-RNP-300, RNP-E-8.051, and database HBR2 App R Rev 7. The information was electronically transferred and simplified to a code. This allows for easy comparison between the cable's existing classification and any new analysis. The codes used are:

R - Required Cable. Cable required to perform a safe shutdown function.

Blank - If the column is blank, the data either did not exist in HBR2 App R Rev 7, existed in HBR2 App R Rev 7 but was contained within a note and hence could not be imported into the database, or the cable has been added to the analyses.

CDM Column:

The values in the CDM columns refer to the Current Design Method for applying failures to the circuit under the FMEA. The CDM is defined in documents RNP FPP-RNP-300, RNP-E-8.051, and the Progress Energy Fire Technical Position, Fire Induced Circuit Failure - Circuit. One key attribute of this method is that a hot short is applied independent of the cable configuration and is applied as a hot probe. The probe's power is postulated to be present, and its source is not identified.

RDM Column:

The values in the RDM columns refer to the Revised Design Method for applying failures to the circuit under the FMEA. The RDM is defined in the Progress Energy Fire Technical Position, Fire Induced Circuit Failure - Circuit.

One key attribute of this method is that a hot short is applied dependent on the circuit, cable configuration, and cable jacket type. RNP cable type is thermoplastic. Hence, the hot short can occur within the cable and between cables. The circuit analysis is performed postulating that all cables are in raceways where another cable exists that has a hot conductor (i.e., hot probe).

Therefore, there is no difference between RDM and CDM for RNP.

With both the CDM and RDM the circuit analysis could be refined if the physical configuration is different than postulated.

Although not expected to be of any value, the FMEA coding shown on the form is bolded when the codes differ between CDM and RDM.

Design EC Column:

The values in the Design EC columns refer to the Design being submitted for the Engineering Change Package. The value in this column is the most conservative conclusion from the CDM and RDM columns unless a note is added and justified or discussed. See the below FMEA Codes Order of Priority section for more details.


NOR and ALT Transfer Switch FMEA Columns:

The values in the NOR and ALT columns refer to the transfer switch position that may be in the circuit. The FMEA value in the column corresponds to the transfer switch aligned in the given position. RNP has 43 transfer switches within some circuits. The normal position for the switches is that the RTGB has control of the circuit and the local control is disconnected from the circuit. Hence, NOR refers to the normal position and ALT refers to the alternate position.

When the circuit has no transfer switches the FMEA applies only for the appropriate control location. Hence, for a circuit that has no transfer switches and a control switch on the RTGB only, FMEA results are shown in the NOR column.

NOR - Normal specifies that the equipment under analysis is being controlled remotely from the RTGB and is generally in a normal configuration. When the circuit has a transfer switch it is aligned to the RTGB controls.

ALT - Alternate specifies that a location other than the RTGB will control the equipment under analysis. Local controls are typically located on the local panel or mounted on the equipment itself. When the circuit has a transfer switch it is aligned to the alternate controls.

Note that for some cases the RTGB will not be the normal condition, and similarly with ALT.

For the different cases notes will be added to specify the difference.

FMEA Column Codes:

The following FMEA codes have been used to define the worst case failure, and are listed in their order of importance:

S - Spuriously Failed SSF: The applied failure caused the SSE to have a spurious action driven failure. The cable is needed for the SSE to function, but the applied failure mode, i.e., open, ground, short, or hot short has caused the SSE to Spuriously Operate resulting in a failure to achieve the Safe Shutdown Function as stated on SSEL.

F - Failed SSF: Cable is needed for the SSE to function, but the applied failure mode, i.e., open, ground, short, or hot short, has caused the SSE to Fail to achieve the Safe Shutdown function as stated on SSEL. Note that power cable under the CDM can only fail and cannot fail spuriously except for Hi to Low pressure interface valves.

A - Accomplished SSF: Even with an applied failure the SSE Function was ACCOMPLISHED. The cable is needed for the SSE to function and the applied failure mode, i.e., open, ground, short, or hot short, did not prevent the SSE from operating and accomplishing the Safe Shutdown function as stated on SSEL.

IC - Isolated Cable: The cable is necessary to perform the SSF, but with the transfer switch (or other device that achieves a similar function of a transfer) in the stated position, the cable is completely isolated from the P-Ckt and the FMEA case does not apply.

NT - No Transfer Switch: The cable is an important cable but there is no transfer switch in the circuit for the stated position and the FMEA case does not apply.

NA - Not Applicable: This code identifies that the cable is not designated as a safe shutdown cable for the listed SSE circuit. It does not perform a SSF and the cable didn't need to be listed in the analysis. It is isolated from the Safe Shutdown Circuit. Listing the cable documents that it was reviewed and is no longer required. The FMEA cases do not apply to the cable.
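The following Python script is an added illustration, not part of FPIP-0105 or the FSSPM(D) database: it applies the FMEA code order of importance listed above to the NOR and ALT columns of a form row and derives the Design EC value described in the Design EC Column section (the most conservative of the CDM and RDM results, flagged where the two methods differ, as the form bolds them). The cable rows and their numbers are constructed for the example.

```python
"""Derive the Design EC code from CDM and RDM FMEA results.

Added example, not part of FPIP-0105 or the FSSPM(D) database. It applies
the FMEA code order of importance stated under "FMEA Column Codes":
S (most conservative) > F > A > IC > NT > NA.
"""
from dataclasses import dataclass

# FMEA codes in the procedure's stated order of importance, most conservative first.
FMEA_ORDER = ("S", "F", "A", "IC", "NT", "NA")
_RANK = {code: i for i, code in enumerate(FMEA_ORDER)}

# Codes under which the cable is carried as a safe shutdown cable: the applied
# failure either defeats the SSF (S, F) or the cable is needed for it (A).
SSD_CABLE_CODES = {"S", "F", "A"}


def normalize(code: str) -> str:
    """Upper-case and trim a code; a blank means no result for that case."""
    code = (code or "").strip().upper()
    if code and code not in _RANK:
        # A stray value must not silently weaken the conclusion.
        raise ValueError(f"unknown FMEA code {code!r}; expected one of {FMEA_ORDER}")
    return code


def most_conservative(*codes: str) -> str:
    """Return the highest-priority code among those given, ignoring blanks."""
    present = [c for c in map(normalize, codes) if c]
    if not present:
        return ""
    return min(present, key=_RANK.__getitem__)


@dataclass
class CableRow:
    """One Circuit Analysis form row: FMEA results per method and switch position."""
    cable: str
    cdm_nor: str = ""   # CDM result, transfer switch in NOR position
    cdm_alt: str = ""   # CDM result, transfer switch in ALT position
    rdm_nor: str = ""   # RDM result, NOR position
    rdm_alt: str = ""   # RDM result, ALT position

    def results(self, position: str) -> tuple:
        """(CDM, RDM) results for the requested transfer switch position."""
        if position == "NOR":
            return normalize(self.cdm_nor), normalize(self.rdm_nor)
        if position == "ALT":
            return normalize(self.cdm_alt), normalize(self.rdm_alt)
        raise ValueError(f"position must be NOR or ALT, got {position!r}")

    def design_ec(self, position: str) -> str:
        """Design EC value: the more conservative of the CDM and RDM results."""
        return most_conservative(*self.results(position))

    def methods_differ(self, position: str) -> bool:
        """True when CDM and RDM both gave a result and they disagree (form bolds these)."""
        cdm, rdm = self.results(position)
        return bool(cdm) and bool(rdm) and cdm != rdm


def design_ec_table(rows: list) -> list:
    """Build the Design EC column for every row, with the bold flags."""
    table = []
    for row in rows:
        nor, alt = row.design_ec("NOR"), row.design_ec("ALT")
        table.append({
            "cable": row.cable,
            "nor": nor, "nor_bold": row.methods_differ("NOR"),
            "alt": alt, "alt_bold": row.methods_differ("ALT"),
            # Carried as a safe shutdown cable if either position yields S, F or A.
            "ssd_cable": bool({nor, alt} & SSD_CABLE_CODES),
        })
    return table


def safe_shutdown_cables(rows: list) -> list:
    """Cables whose Design EC result in either position makes them safe shutdown cables."""
    return sorted(r["cable"] for r in design_ec_table(rows) if r["ssd_cable"])


# Constructed sample rows (cable numbers are placeholders, not RNP cable numbers).
CONSTRUCTED_ROWS = [
    # RDM finds a spurious failure where CDM found the function accomplished.
    CableRow("EX-CABLE-1", cdm_nor="A", cdm_alt="IC", rdm_nor="S", rdm_alt="IC"),
    # Both methods agree; no transfer switch for the ALT case.
    CableRow("EX-CABLE-2", cdm_nor="F", cdm_alt="NT", rdm_nor="F", rdm_alt="NT"),
    # Reviewed and found not applicable; no ALT result recorded.
    CableRow("EX-CABLE-3", cdm_nor="NA", rdm_nor="NA"),
]

if __name__ == "__main__":
    for entry in design_ec_table(CONSTRUCTED_ROWS):
        print(entry)
    print("safe shutdown cables:", safe_shutdown_cables(CONSTRUCTED_ROWS))
```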


Analysis Input Documents Row:

The values in the Analysis Input Document row refer to the documents used for the Primary circuit analysis. Analysis inputs shown on other forms like those for Associated circuits should not be referenced on other Primary circuits. The document number should be selected from the pull-down menu that lists numbers taken from the RNP Passport database in the correct format.

Support Power Supplies and Circuits Section:

This section documents the support circuits of the SSE, also referred to as ARC. A check in the PWR box indicates the referenced circuit is a power supply. These support circuits include Power Supplies, Related, Auxiliary, and other Important Circuits. Each circuit is listed and a standard A or B note is applied. The standard notes are stated in the procedure, on the form, and enhanced below:

A - Referenced SSAC and its cables are required (ARC type A). The position of the contact or the state of the power supply must operate properly for the SSF. Some or all of the referenced cables within the associated circuit apply to the Primary circuit. The A also denotes that any automatic contacts are considered in their normal configuration based on the given plant conditions. The engineer performing the analysis determines whether the A circuit is referenced as a separate Primary circuit or whether the A circuit's cables will be included as part of the analysis of the SSE.

B - Cables and/or the power supplies associated with this circuit are not required (ARC type B). The power supply can be de-energized. The position of the contact or the state of the power supply can operate in any mode for the SSF. Hence, no other cables are related to the Primary circuit. The B also denotes that any automatic contacts are considered in any and all configurations independent of plant conditions. As stated in the procedure, postulate that the contacts are in the permissive (worst case) position.

5. ESFAS

Reference 2.16 required a bounding analysis for the RNP ESFAS system. Specifically, at RNP the ESFAS means the SFGD system. Each step of the referenced project instructions was implemented. After the bounding analysis was completed, a standard circuit analysis was completed to eliminate any circuit assumptions and documented in the circuit analysis forms.


RNP determined that a Safeguard System analysis was required for safe shutdown. The original task was to identify cables that would initiate a Safeguards Actuation Signal and that were outside of a given set of fire zones. However, it was determined that a detailed, rather than bounding, analysis of the Safeguards system was required to account for the cables that are required for safe shutdown. To implement the analysis, the following tasks were performed:

1. A-type safeguards contacts were highlighted on their associated elementary diagrams (for Racks 51/52 and 63/64) to indicate that they are required. B-type contacts were not highlighted for this task.
2. Associated contacts that could change the state of the Primary A-type contacts were also highlighted. This process continued until the external auxiliary relay contacts that initiated safeguards were identified.
3. If the external circuits were already analyzed, then they were listed as an ARC circuit. Otherwise, a new circuit was created and named as the auxiliary relay tag number. This auxiliary relay was included in the safeguard analysis as an ARC circuit.
4. The instrument loops driving the auxiliary relays were analyzed in full. All paths were verified and the analysis detailed to the transmitter level.

Safeguards Circuit Control Summary

De-energizing the 125VDC circuits that supply electrical power to Safeguards Logic will not defeat all of the safeguards functions if it has been actuated prior to de-energizing the power.

The MG-6 Relays are designed with Operate / Reset Coils, both of which require electrical power to function. Should a spurious hot short actuate the Operate Coil and subsequently power be lost to the Safeguards Logic scheme, safeguards cannot be defeated.

The safeguards logic scheme is designed with two type of relays as part of the standard design convention. The MG-6 Relays are known as Latching Type relays with an Operate Coil to latch the relay, and Reset Coil to mechanically release the latch. The other relay commonly used in the Safeguards logic is the Westinghouse BFD standard relay. It is energized to actuate (pick-up) and de-energized to drop-out and fails to the shelf state.

Safeguards output circuits connected to Westinghouse Type BFD relays are failed safe when de-energized. Once power has been removed from the safeguards logic scheme, these relays fail safe, positioning the components to the required state.

Safeguards output signals connected directly to MG-6 type relays are not fail safe given the postulated failure described above. If the MG-6 power supply de-energizes, the relays do not change state. If the instrument signal reaches the set point to trip and the electrical power to the MG-6 de-energizes, the safeguard system will not trip.

Conclusion
While removing power to the safeguards logic scheme will fail safe the vast majority of Safe Shutdown components, some components will remain in the undesired state. To mitigate this, the following resolution strategy is available:

1. Safeguards pump operation can be mitigated by de-energizing electrical power to the pump motor.
2. 125VDC SOVs can be failed safe by de-energizing electrical power to the affected component.
3. Motor-operated valves are de-energized and manually repositioned as required by procedure.
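The relay behaviour described in the Safeguards Circuit Control Summary and the resolution strategy above, as an added Python model (example code written for this page, not part of the procedure or of the plant design): both relay types are reduced to a boolean contact state, the 125VDC logic supply and the load's own power are separate inputs, and the component names are hypothetical. It shows why removing logic power clears a spuriously picked-up BFD relay but not a latched MG-6, why the MG-6 cannot be reset once its logic supply is gone, and that de-energizing the load itself (resolution items 1 and 2) is what finally stops the component.

```python
"""State model of the two relay types in the RNP safeguards logic.
Added illustration, not plant design data: coils and contacts are reduced to
booleans, and the component names are hypothetical."""


class BFDRelay:
    """Westinghouse BFD type: energize to pick up, de-energize to drop out.
    The contact follows coil power, so the shelf state is the fail-safe state."""

    def __init__(self):
        self.picked_up = False

    def drive(self, logic_power, actuation_signal):
        # The coil can only hold the contact while the logic bus is energized.
        self.picked_up = bool(logic_power and actuation_signal)
        return self.picked_up

    def contact_closed(self):
        return self.picked_up


class MG6Relay:
    """MG-6 latching type: separate Operate and Reset coils, both of which need
    power, and a mechanical latch that holds with no power at all."""

    def __init__(self):
        self.latched = False

    def operate(self, logic_power):
        # A genuine or spurious (hot-short) Operate signal latches the relay
        # only if the logic bus can energize the Operate coil.
        if logic_power:
            self.latched = True
        return self.latched

    def reset(self, logic_power):
        # The Reset coil releases the latch only while it is powered.
        if logic_power:
            self.latched = False
        return self.latched

    def contact_closed(self):
        return self.latched


class SafeguardsLoad:
    """A pump motor or SOV driven by one safeguards output.  load_power is the
    load's own supply (motor breaker or SOV power), the lever the resolution
    strategy uses; it is separate from the 125VDC logic supply."""

    def __init__(self, name, relay):
        self.name = name            # hypothetical tag, not a plant identifier
        self.relay = relay
        self.load_power = True

    def actuated(self):
        return self.relay.contact_closed() and self.load_power


def spurious_actuation_then_logic_power_loss(relay_type):
    """Scenario from the text: a hot short actuates the output, then the 125VDC
    safeguards logic power is removed.  Returns (load actuated after the logic
    power loss, load actuated after de-energizing the load's own supply)."""
    if relay_type == "BFD":
        relay = BFDRelay()
        relay.drive(logic_power=True, actuation_signal=True)   # hot short picks it up
        load = SafeguardsLoad("SOV-hypothetical", relay)
        relay.drive(logic_power=False, actuation_signal=True)  # logic power removed
    elif relay_type == "MG-6":
        relay = MG6Relay()
        relay.operate(logic_power=True)                         # hot short on Operate coil
        load = SafeguardsLoad("PUMP-hypothetical", relay)
        relay.reset(logic_power=False)                          # logic dead: Reset coil inert
    else:
        raise ValueError(relay_type)
    after_logic_loss = load.actuated()
    load.load_power = False           # resolution strategy items 1 and 2
    return after_logic_loss, load.actuated()


def demand_after_mg6_power_loss():
    """The other MG-6 failure mode: the instrument signal reaches its set point
    while the MG-6 supply is already de-energized, so the safeguard does not trip."""
    relay = MG6Relay()
    return relay.operate(logic_power=False)


if __name__ == "__main__":
    for kind in ("BFD", "MG-6"):
        print(kind, spurious_actuation_then_logic_power_loss(kind))
    print("MG-6 trip on demand with logic dead:", demand_after_mg6_power_loss())
```

The BFD path returns (False, False): the load stops as soon as the logic bus is dead. The MG-6 path returns (True, False): the latched contact survives the loss of logic power and the Reset coil can do nothing, so only removing the load's own supply stops the component, which is exactly the gap the resolution strategy closes.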
6. Ungrounded Circuits
All ungrounded and resistively grounded circuit FMEAs are performed postulating that one ground of the opposite polarity already exists due to the fire.
7. Common Standard Reference Drawings
Common drawings that apply to many circuits are listed below and not on the circuit analysis forms:

Document Number     Rev.  Title
B-190628 SH00036    004   SWITCH DEVELOPMENT
B-190628 SH00037    014   SWITCH DEVELOPMENT
B-190628 SH00038    008   PUSHBUTTON AND SWITCH DEVELOPMENT
B-190628 SH00039    007   SWITCH DEVELOPMENT
B-190628 SH00040    003   SWITCH DEVELOPMENT
B-190628 SH00041    001   P. A. S. S. SWITCH DEVELOPMENT

8. General Assumptions
Verified assumptions: the hot probe characteristics include the following:
1. The probe has the voltage to operate the circuit; the voltage is neither too high nor too low for proper operation.
2. The probe connection in the circuit is a low-impedance connection at the point of contact.
3. A short-circuit protection device interrupts the probe before the wires of the analyzed circuits are damaged.

A hot short (fault) on the ground conductor is expected to de-energize the probe's power source through its overcurrent protection device. The hot short will be de-energized before the common neutral wires fail.

9. SSEL Refinements
The SSEL for the electrical power and other systems follows the rules and guidelines stated in Reference 2.17, with the following exception. Additional items that are not specifically major equipment (such as required pumps and fans) were included in the SSEL. Generally, some control circuits were added as equipment for consistency, per the client's request. Circuits that provided a high-level function were included in the SSEL. These items include the 27UV undervoltage relays for the 480VAC system that provide a load shedding function. Notes were added to the SSEL to describe the function and other details. In general, electrical control circuits that provided a support function were not listed on the SSEL. Additionally, circuits for major equipment that provided a support function would not be listed on the SSEL, as they are listed as circuits only.

10. Final Equipment and Circuit Analysis Iteration
During the circuit analysis performed in preparation for loading data into the FSSMP(D), References 2.16 and 2.18 were used. The analysis required iterations to determine the final set of equipment and circuits. The following documents some of the specific steps and tools used during the iteration process:

1. The FSSPMD database reports titled Equipment By Related Circuits and Equipment By Power Supply were produced. These lists were used in the following steps.
2. Verified that the ARC A-type power supplies identified on the lists were included in the SSEL and analyzed as circuits.
3. The plant single-line key diagram and other diagrams were used to identify electrical connecting equipment upstream of the A-type ARCs, which was included in the SSEL and as a circuit.
4. The marked-up Safe Shutdown single-line diagrams were annotated to indicate the major flow paths that are consistent with the existing plant analysis.
5. Verified that the final SSEL lists all required equipment and does not list B-type ARCs that are not critical for safe shutdown.
6. Verified that a circuit analysis was performed for each A-type ARC.
11. Fast Bus Transfer Scheme

11.1 Fast Bus Transfer Scheme Analysis
The purpose of this analysis is to provide a circuit analysis for the initiation of the Fast Bus Transfer sequence via the tripping of the Main Generator Turbine. This analysis postulates that the reactor has tripped due to a fire event, beginning the safe shutdown sequence. The turbine trip system interfaces with the 86P and 86BU lockout relays to initiate the fast bus transfer sequence. This is detailed in the Fire Protection Technical Position statement below:

Fire Protection Technical Position
When evaluating the prioritization of manual actions, note that the control room evacuation guidance provided in Generic Letter 86-10, Response to Question 3.8.4, states in part: "Note that the only manual action in the control room prior to evacuation usually given credit for is the reactor trip."

Based on the above guidance, the Safe Shutdown Circuit Analysis considers a manual reactor trip as a postulated input. A manual trip from the RTGB to trip the Reactor Trip Switchgear breakers will cause the control rods to drop and trip the reactor. The reactor trip provides a signal to actuate the turbine trip system. This will cause the turbine trip solenoid valves to energize, tripping the Main Generator Turbine. When either of the turbine trip solenoid valves (20/ET and 20/AST) trips, hydraulic fluid in the turbine will dump, causing the turbine to trip. The 20/ET solenoid valve will dump emergency trip fluid, causing the governor stop and control valves to close, hence tripping the turbine and providing a permissive signal to the 86BU circuit.

The 20/AST solenoid valve will dump auto stop trip oil, causing the governor stop and control valves to close while actuating the 63/AST-1, -2 and -3 permissives for the 86P circuit. This provides a permissive signal for both the 86BU and 86P circuits. Additional details for this operation are listed in RNP System Description SD-032, Rev. 7, Section 5.1. The reactor trip and turbine trip initiation are expected to occur within milliseconds of the start of the event.

Turbine trip initiation will begin dumping hydraulic fluid in an effort to trip the turbine. The turbine will trip in a short amount of time (~20 sec.) once the turbine hydraulic fluid is successfully dumped. The fast bus transfer will occur one minute after tripping the turbine, when either the 86P or the 86BU lockout relay energizes. If the reactor trip signal fails, a manual turbine trip signal can energize the 20/AST solenoid via control room action. Once the turbine has tripped and the fast bus transfer is initiated, the turbine cannot be reset except via extensive manual actions. The fast bus transfer will cause the Main Generator OCBs 52/8 and 52/9 to trip immediately. Fast bus transfer will also trip the 4160V Bus 1 and Bus 4 main breakers (4160V-52/7 and 4160V-52/20 respectively), close the Bus 2 and Bus 3 main breakers (4160V-52/12 and 4160V-52/17 respectively), and close the associated cross-tie breakers (4160V-52/10 and 4160V-52/19). This transfers power from the Unit Auxiliary Transformer to the Start Up Transformer, i.e. from on-site power to off-site power.

The group of circuits Reactor Trip Switchgear, 20/ET, 20/AST, 86P and 86BU forms the boundary between circuits that are analyzed in detail and those that are not analyzed. Those circuits analyzed are assumed to operate properly as discussed above. Circuit 20/AST was included because it provides redundancy for 20/ET.

11.2 Fast Bus Transfer Methodology
A review of the mechanical system identified that certain equipment should be de-energized during a safe shutdown event. Large loads, including RCPs and MFWs, could spuriously start, causing degraded voltage conditions on the 4160V buses and the buses fed from them. The majority of these large loads are supplied from 4kV Buses 1 and 4. Based on this, and to preclude extensive circuit analysis of equipment supplied with electrical power from these buses, the bus cross-tie breakers are intentionally opened as part of the safe shutdown strategy when off-site power is available and after the fast bus transfer has occurred. The remaining components are analyzed using the current methodology. MHIF and electrical coordination for the BOP buses are considered in a separate analysis.


12. FMEA Flow Chart
The following flow chart summarizes some key attributes of the FMEA:

SSCA (RDM & CDM)
  |
  v
Is an SSE Hi / Low Pressure Interface present?
  |
  +-- NO  --> Postulate sequential spurious failures, any and all, one at a time (9.4, FICF).
  |           Perform SSCA: do the following combinations of failures for all possible combinations:
  |             1. Multiple shorts-to-ground or grounded conductor (Maximum 1) at any conductor.
  |             2. Multiple open circuits (Maximum 1) at any conductor.
  |             3. Multiple concurrent hot shorts for conductors within a single cable if the cable contains a viable source conductor: two concurrent, but independent, hot shorts (where viable) for any one component within any one cable (Maximum 2).
  |             4. Proper polarity conductor-to-conductor faults on 2-wire ungrounded DC circuits where the source and target conductors are internal to the same multi-conductor cable.
  |
  +-- YES --> Postulate multiple failures (9.4, FICF).
              Perform SSCA: do the following combinations of failures for all possible combinations:
                1. Multiple shorts-to-ground or grounded conductor (a few, three or four) (NRC 3-19-03).
                2. Multiple open circuits (a few, three or four).
                3. Multiple hot shorts (a few, three or four).
                4. 3-phase AC power circuit cable-to-cable proper phase sequence faults (a few, three or four).
                5. 2-wire ungrounded DC circuit cable-to-cable proper polarity faults (a few, three or four).
                6. Multiple concurrent hot shorts for conductors within a single cable if the cable contains a viable source conductor.
                7. Proper polarity conductor-to-conductor faults on 2-wire ungrounded DC circuits where the source and target conductors are internal to the same multi-conductor cable.
                8. Two concurrent, but independent, hot shorts (where viable) for any one component within any one cable.
  |
  v
Does the SSE fail the SSCA?
  |
  +-- NO  --> Document "A" (Accomplished) in the FMEA RDM column.
  |
  +-- YES --> Document the failure type in the FMEA RDM column: S - Spurious operation, F - Failure (Failed), etc.
  |
  v
RDM & CDM FMEA COMPLETE
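The two branches of the FMEA flow chart, together with the ungrounded-circuit rule of item 6 and the protective-device assumption of item 8, as an added Python enumerator (example code written for this page, not the project's FSSPMD tooling): it works on a hypothetical 2-wire DC control circuit with one contact and one coil inside a single multi-conductor cable, postulates the failure sets each branch calls for, classifies each set as A, S or F, and records the first failure set that yields each letter. The conductor names, the sample cable and the outcome rules (an overcurrent device clears any supply-side ground; a live conductor landing on the coil conductor is a spurious operation) are assumptions made for the example.

```python
"""Enumerator for the failure combinations in the FMEA flow chart.

Added illustration, not the project's analysis tool.  The circuit is a
hypothetical 2-wire DC control circuit (one contact in series with one coil)
reduced to three conductor roles inside one multi-conductor cable.  The
ungrounded-circuit rule follows item 6 (one ground of the opposite polarity is
assumed to exist already); the rule that a ground fault on the supply side is
cleared by the overcurrent device follows the hot-probe assumptions in item 8."""

from itertools import combinations

SRC = "source"    # energized conductor from the supply, through its fuse
CTL = "control"   # conductor from the control contact to the coil
RET = "return"    # coil return to the opposite rail


class Circuit:
    def __init__(self, cable, required_to_operate, ungrounded=False):
        self.cable = dict(cable)              # {conductor name: role}
        self.required_to_operate = required_to_operate
        self.ungrounded = ungrounded

    def single_faults(self):
        """The individual failure modes the flow chart combines."""
        faults = []
        for name in self.cable:
            faults.append(("ground", name))
            faults.append(("open", name))
        sources = [n for n, r in self.cable.items() if r == SRC]
        targets = [n for n, r in self.cable.items() if r == CTL]
        for s in sources:
            for t in targets:
                # conductor-to-conductor hot short, source and target in the same cable
                faults.append(("hot_short", s, t))
        return faults

    def outcome(self, faults):
        """A = accomplished, S = spurious operation, F = failed to operate."""
        roles = self.cable
        grounds = {f[1] for f in faults if f[0] == "ground"}
        opens = {f[1] for f in faults if f[0] == "open"}
        hot_targets = {f[2] for f in faults if f[0] == "hot_short"}
        if self.ungrounded:
            # With an opposite-polarity ground already present, a ground on the
            # coil conductor energizes the coil, and a ground on either rail
            # conductor is a rail-to-rail short.
            hot_targets |= {g for g in grounds if roles[g] == CTL}
            fuse_blown = any(roles[g] in (SRC, RET) for g in grounds)
        else:
            # Grounded system: only a ground on the supply side draws fault current.
            fuse_blown = any(roles[g] == SRC for g in grounds)
        if fuse_blown:
            # The overcurrent device clears the fault and the circuit is dead.
            return "F" if self.required_to_operate else "A"
        if hot_targets:
            # A live conductor landed on the coil side of the contact: spurious
            # pick-up, reported even if an open also exists upstream of it.
            return "S"
        if opens:
            # An open in the series path: the coil cannot be energized on demand.
            return "F" if self.required_to_operate else "A"
        return "A"

    def postulated_sets(self, hi_lo_pressure_interface, max_multiple=4):
        """Failure sets per the flow chart.  No interface: one fault at a time,
        plus two concurrent independent hot shorts in one cable (Maximum 2).
        Interface present: every combination of 'a few, three or four' faults."""
        singles = self.single_faults()
        if not hi_lo_pressure_interface:
            hots = [f for f in singles if f[0] == "hot_short"]
            return [(f,) for f in singles] + list(combinations(hots, 2))
        sets = []
        for n in range(1, max_multiple + 1):
            sets.extend(combinations(singles, n))
        return sets

    def fmea(self, hi_lo_pressure_interface):
        """Map each outcome letter to the first failure set that produces it."""
        result = {}
        for fs in self.postulated_sets(hi_lo_pressure_interface):
            result.setdefault(self.outcome(fs), fs)
        return result


# Constructed sample: a 4-conductor cable with a spare energized conductor S2,
# so two independent hot shorts onto the coil conductor are viable.
SAMPLE_CABLE = {"P1": SRC, "S2": SRC, "C1": CTL, "N1": RET}

if __name__ == "__main__":
    for required in (False, True):
        for interface in (False, True):
            c = Circuit(SAMPLE_CABLE, required_to_operate=required)
            print("required:", required, "interface:", interface, c.fmea(interface))
```

For the sample cable the NO branch postulates 11 sets (10 single faults plus the one viable pair of hot shorts) and the YES branch, with `max_multiple=4` standing in for "a few, three or four", postulates 385. A ground on P1 combined with a hot short P1 to C1 is classified A for a component that must not operate, because the overcurrent device clears the circuit before the spurious pick-up persists; the same ground alone is F for a component that must operate. Set `ungrounded=True` to see a single ground on C1 become a spurious operation, which is the reason item 6 postulates the pre-existing opposite-polarity ground.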

REVISION SUMMARY
Sheet 1 of 1

Rev. 0 - Initial issue
This procedure is the initial issuance under this Progress Energy document number, but was developed by combining the information and guidance provided in Sargent & Lundy project instructions (PI-SSA-HNP-0005 and PI-SSA-NGG-0005) that were developed under an outsourced task. Major differences between the Sargent & Lundy instructions and this document include:

Context and references to who is performing the tasks in the document were changed from Sargent & Lundy to Progress Energy.

Added additional references and definitions.

Revised the Responsibilities section to delete references to S&L and to identify the responsibilities of the various Project personnel for the Fire Protection Initiatives Project.

Deleted Data Acquisition (Section 9.1) and Develop Safe Shutdown Circuit Analysis Worksheet (9.2) from the S&L instructions and replaced them with Safe Shutdown Circuit Analysis Data, to provide a brief overview of the circuit analysis data to be recorded.

Deleted the Cables, Panel, Equipment, and Raceways Correlated to Fire Zone/Area section from the S&L instructions, as this was a one-time operation performed by S&L to verify cable routing information.

Added Attachment 1. This attachment incorporates information that was included in the S&L Circuit Analysis Design Information Transmittal, reworded as required to adapt it to this Progress Energy procedure.