Fault analysis in non-safety-related circuits during design basis events

It is typical when calculating short circuit currents to incorporate the full cable length into the fault analysis. However, you must be careful when analyzing short-circuits during design basis events.

STANDARDS

You have to fully understand the scenario you are analyzing. This requires special knowledge acquired from studying nuclear-specific regulations and standards. Together, those rules create new electrical categories not present in commercial installations. Because of this they add a layer of complexity to the protection engineer’s problem.

In typical cases of electrical fault analysis, you are interested in minimizing the calculated short-circuit current. That’s because the main concern is ensuring that the circuit breaker or fuse that’s installed to protect the circuit will actually operate, and fast enough, in the worst-case conditions. (Obviously, the highest available short-circuit current must also be taken into account for determining equipment interrupt ratings.)

One way to minimize fault current is to maximize the circuit resistance, and one way to do that is to credit the circuit’s full length by assuming the fault happens at the end of the cable nearest the load. The longer a cable is, the higher its overall resistance. So, the longer the cable is, the lower the short-circuit current will be near the load. This is all in accordance with Ohm’s law: V=IR.

Or, rearranged, I = V / R.

The catch is that, depending on various nuclear-specific conditions, you may not be concerned about a fault occurring near the load.

Section 4.11 of IEEE 308-2001 says this: “The non-Class 1E circuits shall meet the independence and isolation requirements as established in IEEE Std 384-1992.”

In turn, Sections 7.1.1 and 7.1.2 of IEEE 384 say that electrical isolation is achieved by installing “Class 1E isolation devices” between 1) non-Class 1E and 2) Class-1E (or associated) circuits.

The key is in Section 7.1.2: “A device is considered to be a power circuit isolation device if it is applied such that the maximum credible voltage or current transient applied to the non-Class 1E side of the device will not degrade below an acceptable level the operation of the circuit on the other side of that device.” [Emphasis supplied.]

In other words, if a short circuit on a non-Class 1E circuit thwarts a breaker or fuse intended to act as an isolation device, then the breaker or fuse cannot be credited as an isolation device. The picture below shows this situation. A fault at the X causes the breaker marked by the arrow to operate. The breaker supplying the non-1E load is not a credible isolation device because a fault in the non-Class-1E circuit takes out the Class-1E load.

Circuit breaker schematic showing that a fault on a non-safety-related branch takes out a Class 1E load

The NRC requires that this level of fault analysis be documented.

AN EXTENDED ANALOGY

To give an analogy, it’d be like having your kitchen toaster shorting out and killing the power to your entire house.

Assume, at the same time, you had your computer plugged into an outlet in a different room, served by a different breaker, while updating your computer motherboard’s firmware (flashing your bios). If that process were to be interrupted by a power failure, it would probably brick your computer and set you back several days in lost time — not to mention repair costs.

The circuit breaker serving your kitchen circuit was supposed to isolate that toaster’s circuit from everything else. It didn’t do its job. It did not properly operate during the fault, causing the upstream breaker (your house’s main breaker) to trip. You might as well have had no breaker installed at all on the kitchen power circuit.

You could say that the fault on the power circuit feeding the toaster degraded below an acceptable level the operation of the circuit on the other side of that device. The circuit on the other side of that device was the electrical bus supplying your critical load, the computer.

In this extended analogy, the computer is the Class-1E load, and the toaster is the non-Class-1E load. The toaster’s circuit breaker that failed to trip upon the toaster’s fault was the unreliable isolation device.

The main problem you are trying to solve is this: will a fault on a non-Class 1E circuit that’s connected to a 1E power source interfere with the operation of the Class 1E loads supplied by that source during or following a design basis event? A short-circuit is a single failure. If a short circuit in a non-Class 1E circuit causes a Class 1E load to malfunction, then the circuit has probably violated the single-failure criterion. It is not sufficiently isolated.

DBE COMPLICATIONS

“Maximum credible current” implies smallest resistance, which can translate into “shortest cable length.”

In general, you need to match the possible fault locations with the design basis event being examined.

One reason you could have to use a shorter cable length in a fault analysis of non-Class 1E circuits is if the circuit’s cables are located in non-seismic raceway when postulating a seismic event. Since IEEE 384 tells us to maximize the current, it is credible that the cables, if installed in non-seismic raceway, may be damaged during a seismic event (i.e. the raceway collapses, or is hit by some other non-seismic object and collapses, or is hit by a missile, etc.).

If the raceway is damaged, then the cables inside probably will be, too. There’s a good chance they’ll short together and fault wherever the raceway collapses. In this case, the max fault current would be developed when the fault is farther upstream from the load (less resistance) than usually assumed.

This analysis is particularly tricky when analyzing faults on non-Class 1E loads that are supplied from Class-1E inverters. That’s because inverters may not be able to supply high enough fault current for a long enough duration to actuate the fuse or whatever device is installed to isolate the non-Class 1E circuit. This is a higher risk for lengthy circuits.

The inverter can only supply a limited fault current level for a brief duration. If the protective device doesn’t isolate the fault quickly enough, then the inverter output may shut off, resulting in a loss of all loads supplied by it. If this is caused by a fault on a non-class-1E circuit during a design basis event (DBE), then the protection scheme fails the independence criteria because the non-safety circuits take out the safety circuits.

There is OE out there on this topic. A plant was cited for an issue in 2015. In their inspection report, the NRC wrote this:

Specifically, prior to June 18, 2015, the licensee failed to check the adequacy of the design by performing an analysis or test that demonstrated that the Class 1E inverters would continue to operate reliably when subjected to the effects of electrical faults that could be postulated to occur at non-Class loads, due to a lack of seismic qualification of the loads, during and after a design basis loss-of-offsite power and seismic event.

You can generally credit the cable length between safety-related panels because the panels on each end, as well as the raceway in between, are (should be) seismically mounted per seismic category 1 requirements. There’s no credible reason that a fault would occur along the circuit somewhere in between the two panels during a seismic event.

CONCLUSION

Typically, fault analysis is most concerned with analyzing a fault closest to the load. This is usually the most credible fault location. It also results in the lowest fault current magnitudes, testing whether the upstream protective device will adequately clear the fault before allowing damage to occur.

Considerations specific to standards in the nuclear industry modify this analysis by positing special circumstances that create credible faults in different locations. The special circumstances can be a range of design basis events that may induce faults elsewhere in the circuit because of missiles, high-energy line breaks, or other phenomena.

One particular scenario is a circuit fault occurring in a non-seismic raceway during a design basis earthquake. In all other cases, this circuit may meet the independence criteria established in IEEE 384, but during an earthquake it may be possible to produce an electrical fault in a non-Class-1E circuit that takes down Class-1E loads.

In those cases, action must be taken to modify the circuit to remove the threat.

What do you think?