ML17313B230

From kanterella
Jump to navigation Jump to search
Korea Hydro & Nuclear Power Co., Ltd. - Response to RAI 271-8290 for Question 19-15 (Rev.4)
ML17313B230
Person / Time
Site: 05200046
Issue date: 11/09/2017
From:
Korea Electric Power Corp, Korea Hydro & Nuclear Power Co, Ltd
To:
Office of New Reactors
Shared Package
ML17313B228 List:
References
MKD/NW-17-0353L
Download: ML17313B230 (61)
v  d  e


Text

Non-proprietary 19-15_Rev.4 - 1 / 5 KEPCO/KHNP REVISED RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION APR1400 Design Certification Korea Electric Power Corporation / Korea Hydro & Nuclear Power Co., LTD Docket No.52-046 RAI No.: 271-8290 SRP Section: SRP 19 Application Section: 19.1 Date of RAI Issued: 10/22/2015 Question No. 19-15 Regulation 10 CFR 52.47(a)(27) requires that a standard design certification applicant provide a description of the design specific PRA. SRP Chapter 19, Revision 3 (Draft),Section I. Areas of Review, Review Interfaces states that the staff should confirm that: All common-cause failure (CCF) mechanisms for digital instrumentation and control (DI&C) systems have been accounted for in the PRA. The staff reviewed APR1400 DCD Section 19.1, Probabilistic Risk Assessment, and did not find sufficient information describing the modeling of the DI&C system, including the hardware and software common-cause failures, to be able to make this conclusion.

Therefore, in order for the staff to reach a reasonable assurance finding that the description of the PRA is adequate, please provide the following details of DI&C modeling in the PRA and include it in the DCD:

System description (e.g., describe the functions, subsystem interfaces, operator actions, etc.)

Key assumptions (e.g., modeling, uncertainties)

CCF analysis of both the hardware and software, including the basis and/or justification of this information Failure effects, if modeled at the system/subsystem level Response - (Rev. 4)

The digital plant protection system (PPS) consists of the digital reactor trip system (RTS) and the digital engineered safety features actuation system (ESFAS). The reactor trip system (RTS) analyses are documented in the Reactor Protection System Notebook (APR1400-K-P-NR-013218-P, Rev. 0), and the engineered safety features actuation system (ESFAS) analyses are documented in the Engineered Safety Features Actuation System Notebook (APR1400-K-P-NR-

Non-proprietary 19-15_Rev.4 - 2 / 5 KEPCO/KHNP 013217-P, Rev. 0), which includes descriptions of the system functions, system interfaces, operator actions, hardware and software common cause failures and modeling uncertainties.

The failure modes and effects analysis of the reactor trip system (RTS) and the engineered safety features actuation system (ESFAS) are provided as Attachments 1 and 2.

The Digital I&C CCF coping analysis is described in APR1400-Z-A-NR-14019-NP. This Digital I&C CCF coping analysis assumed software CCF exists, but also credited the systems which are diverse from the safety I&C (Diversity and Defense-in-Depth Technical Report (APR1400-Z-J-NR-14002-P)). The Diversity and Defense-in-Depth Technical Report provides the design description of the diverse actuation system, and the diversity and defense-in-depth approach for I&C systems which are intended to be used for the application of the APR 1400 Design Certification.

The software reliability analysis specifically has not been evaluated in APR1400.

Also, SRP Appendix 7.1 -B Subsection 4.1 discusses protection system reliability, specifically in the second two paragraphs which state: Staff acceptance of system reliability is based on the deterministic criteria described in IEEE Std. 279-1971 rather than on quantitative reliability goals.

The NRC staff does not endorse the concept of quantitative reliability goals as the sole means of meeting the requirements for reliability of protection systems (see the response of RAI 356-7881, Q07-20, ML16154A870).

Also, in the response of RAI 261-8253, COL item (COL 7.1(1)) is added as The COL applicant is to provide and the software operation and maintenance plan for the safety I&C systems, as described in the Software Program Manual Technical Report. The Software Program Manual Technical Report (APR1400-Z-J-NR-14003-P) contains the software management plan, software quality assurance plan, software verification, validation plan, etc.

The Software Program Manual Technical Report describes the method to reduce safety risk caused by software failure to an acceptable level, and the need to assess hazards at each stage of the software life cycle.

Although the APR1400 is designed with diversity to cope with software failure, the COL applicant needs evaluate software reliability. COL 7.1(2) will be added in DCD Subsection 7.1.4 (Attachment 3).

Regarding the reliability of the APR1400 digital I&C system, International Standard IEC 61226 (Revision 3), Nuclear power plants - Instrumentation and control important to safety -

Classification of instrumentation and control functions, classifies and provides specific requirements for I&C systems. These requirements include reliability assessments, and states that the reliability assessment shall consider the effects of common cause failures, including hardware failures, software failures, and human errors during operation, maintenance, as well as modification and repair activities. In addition, IEC 61226 also states: The techniques used to assess these effects range from purely qualitative engineering judgement to detailed quantitative analyses, which may themselves depend on qualitative estimates. Finally, when evaluating the reliability IEC 61226 states:

For an individual system which is specified and designed in accordance with the highest quality criteria, a figure of the order of 10-4 failure/demand may be an appropriate overall limit to place on the reliability that may be claimed, when all of the potential sources of failure due to the

Non-proprietary 19-15_Rev.4 - 3 / 5 KEPCO/KHNP specification, design, manufacture, installation, operating environment, and maintenance practices, are taken into account. This figure includes the risk of common mode failure in the redundant channels of the system, and applies to the whole of the system, from sensors through processing to the outputs to the actuated equipment. Claims for better reliabilities than this are not precluded, but will need special justification, taking into account all of the factors mentioned. Alternatively, the design of independent I&C systems important to safety with an acceptable level of diversity may be applied.

Based on the above statements from IEC 61226, an assessment of the reliability of various RPS and ESF-CCS signals was made taking into account all of the potential sources of failure due to the specification, design, manufacture, installation, operating environment, and maintenance practices including the whole of the system, from sensors through processing to the outputs to the actuated equipment. Hardware reliability values (including common cause) were derived from various industry sources. Software reliability of [1.2x10-5]TS/demand per application soft-ware common cause failure, and [1.2x10-6]TS/demand for operating system common cause fail-ure based on a proprietary Westinghouse assessment performed to support the APR1400 PRA.

Using these hardware and software reliability values, and including other failure modes such as test and maintenance unavailability and miscalibration errors, an assessment of the reliability of various RPS and ESF-CCS signals was performed. The resultant reliabilities for RPS signals ranged from 1.02x10-4/demand to 3.42x10-3/demand for the RPS signals modeled in the PRA (i.e., P1 - Hi Pressurizer Pressure, P2 - Lo Pressurizer Pressure, P3 - Lo SG1 Level, P4 - Lo SG2 Level, P9 - Hi Containment Pressure and P14 - Lo DNBR). The resultant reliabilities for ESF-CCS signals (SIAS and AFAS) were both about 1.13x10-4/demand.

Based on this reliability assessment, the hardware and software failure rates used within the APR1400 DC PRA are judged to be reasonable where no claims for better reliability are warranted to meet the requirements of IEC 61226.

Several sensitivity cases were performed to better understand the CDF sensitivity to the software reliability values used in the digital I&C system. These sensitivities were performed by cutset manipulation of the at-power internal events model. A total of 12 different cases were evaluated:

1. The PPS and DPS operating system software CCFs were increased by a factor of 10 resulting in a CDF of increase of 3%.
2. The PPS and DPS operating system and application software CCFs were increased by a factor of 10 resulting in a CDF increase of 43%.
3. The PPS and DPS operating system and application software CCFs were increased by a factor of 100 resulting in a CDF increase of 468%.
4. The DPS application software CCF was increased by a factor of 100 resulting in a CDF increase of 1%.
5. The DPS operating system software CCF was increased by a factor of 100 resulting in a negligible increase in CDF.

Non-proprietary 19-15_Rev.4 - 4 / 5 KEPCO/KHNP

6. The PPS bistable processor module application software CCF was increased by a factor of 100 resulting in a CDF increase of 12%.
7. The PPS group controller application software CCF was increased by a factor of 100 resulting in a CDF increase of 94%.
8. The PPS loop controller application software CCF was increased by a factor of 100 resulting in a CDF increase of 315%.
9. The PPS LCL application software CCF was increased by a factor of 100 resulting in a CDF increase of 12%.
10. The PPS operating system software CCF was increased by a factor of 100 resulting in a CDF increase of 32%.
11. All DPS software was assumed to fail (i.e., failure probability =1) resulting in a CDF increase of 432%.
12. All PPS and DPS software was assumed to operate perfectly (i.e., failure probability = 0) resulting in a CDF decrease of about 5%.

These sensitivities reveal the following significant conclusions about the digital I&C system:

Cases 1 - 3 demonstrate the relative insensitivity to the exact software CCF values used in the model up until a very large increase (between a factor of 10 and 100) is postulated.

Although Case 11 demonstrates the importance of a diverse I&C system (DPS); Cases 4 and 5 demonstrate that even relatively large increases (e.g., factor of 100) in DPS software CCF has little impact on CDF.

Cases 6 - 9 demonstrate the importance of operator action to overcome software CCF.

The ability to manually trip the reactor from the MCR/RSR reduces the impact of bistable and LCL software CCF. Furthermore, the ability to start equipment remotely from the MCR/RSR minimizes the impact of software CCF in the group controllers.

However, since these remote signals are input into either the group controller or loop controller, and the loop controller produces the final ESF-CCS output signal to the CIMs, software CCF in the loop controllers fails all remote signals.

Case 12 reveals that limited benefit would be obtained from trying to justify lower software CCF values, since complete perfection (which is not credible) only results in about a 5% decrease in CDF.

In the above analyses, the software CCF accounted for approximately 20 percent of the RPS failures, and about 44 percent of the ESF-CCS failures. This is due to the fact that in addition to bistable and LCL software which are with both RPS and ESF-CCS, the ESF-CCS also include group controller and loop controller application software. In addition to the percent contribution described above (i.e., F-V importance), since software CCF fails the signal, the RAW value of the software CCF is simply the inverse of the signals system unavailability.

Therefore, the software CCF RAW for the RPS signals is between 292 (= 1 / 3.42x10-3) and

Non-proprietary 19-15_Rev.4 - 5 / 5 KEPCO/KHNP 9800 (= 1 / 1.02x10-4), and the software CCF RAW for the ESF signals is about 8850 (= 1 /

1.13x10-4). Note that in all cases, these F-V and RAW importance values demonstrate the risk significance of software. provides clarifications of RAW importance values for operating system software and application software.

Impact on DCD Table 1.8-2 and Section 7.1.4 of DCD Tier 2 will be revised as indicated on Attachment 3.

Chapter 19 will be revised as indicated in Attachment 4 to include discussion on the modeling of digital I&C and software CCF, and the software CCF sensitivity analysis.

Impact on PRA The PRA will be updated to include software CCF in both the PPS and DPS. The Reactor Protection System Notebook (APR1400-K-P-NR-013218-P) and the Engineered Safety Features Actuation System Notebook (APR1400-K-P-NR-013217-P) will be updated to include details of software CCF modeling.

Impact on Technical Specifications There is no impact on the Technical Specifications.

Impact on Technical/Topical/Environmental Reports There is no impact on any Technical, Topical, or Environmental Report.

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (1/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Dummy Module 1 1-752-J-PA14A-R01-S01 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Communication Interface Module 2 1-752-J-PA14A-R01-S02 PPS cabinet, PA14A (CI631) Operation Fails to operate Yes

- No impacts

- Bistable Logic Processor 3 1-752-J-PA14A-R01-S03 PPS cabinet, PA14A (PM646A) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Dummy Module 4 1-752-J-PA14A-R01-S04 PPS cabinet, PA14A (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 5 1-752-J-PA14A-R01-S05 PPS cabinet, PA14A (AI688) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Digital Input Module 6 1-752-J-PA14A-R01-S06 PPS cabinet, PA14A (DI620) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Analog Input Module 7 1-752-J-PA14A-R01-S07 PPS cabinet, PA14A (AI688) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Dummy Module 8 1-752-J-PA14A-R01-S08 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Digital Output Module 9 1-752-J-PA14A-R01-S09 PPS cabinet, PA14A (DO620) Operation Fails to operate Yes - It is for SOE (Sequence Of Events).

- No impacts

- Dummy Module 10 1-752-J-PA14A-R01-S10 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Dummy Module 11 1-752-J-PA14A-R02-S01 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Communication Interface Module 12 1-752-J-PA14A-R02-S02 PPS cabinet, PA14A (CI631) Operation Fails to operate Yes

- No impacts

- Bistable Logic Processor 13 1-752-J-PA14A-R02-S03 PPS cabinet, PA14A (PM646A) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Dummy Module 14 1-752-J-PA14A-R02-S04 PPS cabinet, PA14A (PM646A) Operation Fails to operate Yes

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (2/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Analog Input Module 15 1-752-J-PA14A-R02-S05 PPS cabinet, PA14A (PM646A) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Digital Input Module 16 1-752-J-PA14A-R02-S06 PPS cabinet, PA14A (PM646A) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Analog Input Module 17 1-752-J-PA14A-R02-S07 PPS cabinet, PA14A (RB601) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Dummy Module 18 1-752-J-PA14A-R02-S08 PPS cabinet, PA14A (DO620) Operation Fails to operate Yes

- No impacts

- Digital Output Module 19 1-752-J-PA14A-R02-S09 PPS cabinet, PA14A (DO630) Operation Fails to operate No - It is for SOE (Sequence Of Events).

- No impacts

- Dummy Module 20 1-752-J-PA14A-R02-S10 PPS cabinet, PA14A (DO630) Operation Fails to operate Yes

- No impacts

- Dummy Module 21 1-752-J-PA14A-R03-S01 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Communication Interface Module 22 1-752-J-PA14A-R03-S02 PPS cabinet, PA14A (CI631) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Bistable Processor Logic 23 1-752-J-PA14A-R03-S03 PPS cabinet, PA14A (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 24 1-752-J-PA14A-R03-S04 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

- Analog Input Module 25 1-752-J-PA14A-R03-S05 PPS cabinet, PA14A (AI688) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Digital Input Module 26 1-752-J-PA14A-R03-S06 PPS cabinet, PA14A (DI620) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Analog Input Module 27 1-752-J-PA14A-R03-S07 PPS cabinet, PA14A (AI688) Operation Fails to operate No

- Coincidence logic changes to two out of three

- Dummy Module 28 1-752-J-PA14A-R03-S08 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (3/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Digital Output Module 29 1-752-J-PA14A-R03-S09 PPS cabinet, PA14A (DO620) Operation Fails to operate Yes - This is for SOE (Sequence Of Events)

- Ni Impacts

- Dummy Module 30 1-752-J-PA14A-R03-S10 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes No impacts

- Dummy Module 31 1-752-J-PA14A-R04-S01 PPS cabinet, PA14A (RB601) Operation Fails to operate Yes No impacts

- Communication Interface Module 32 1-752-J-PA14A-R04-S02 PPS cabinet, PA14A (CI631) Operation Fails to operate No

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 33 1-752-J-PA14A-R04-S03 PPS cabinet, PA14A (PM646A) Operation Fails to operate No

- Coincidence logic changes to two out of three 34 1-752-J-PA14A-R04-S04 PPS cabinet, PA14A (PM646A) Operation Fails to operate No - Coincidence logic changes to two out of three

- COM HSL input only 35 1-752-J-PA14A-R04-S05 PPS cabinet, PA14A (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 36 1-752-J-PA14A-R04-S06 PPS cabinet, PA14A (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two ouf of three

- Dummy Module 37 1-752-J-PA14A-R04-S07 PPS cabinet, PA14A (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 38 1-752-J-PA14A-R04-S08 PPS cabinet, PA14A (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 39 1-752-J-PA14A-R04-S09 PPS cabinet, PA14A (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 40 1-752-J-PA14A-R04-S10 PPS cabinet, PA14A (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 41 1-752-J-PA14B-R01-S01 PPS cabinet, PA14B (RB601) Operation Fails to operate Yes

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (4/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Communication Interface Module 42 1-752-J-PA14B-R01-S02 PPS cabinet, PA14B (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Bistable Processor Logic 43 1-752-J-PA14B-R01-S03 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 44 1-752-J-PA14B-R01-S04 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 45 1-752-J-PA14B-R01-S05 PPS cabinet, PA14B (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Input Module 46 1-752-J-PA14B-R01-S06 PPS cabinet, PA14B (DI620) Operation Fails to operate No - No impacts Coincidence logic changes to two out of three

- Analog Input Module 47 1-752-J-PA14B-R01-S07 PPS cabinet, PA14B (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 48 1-752-J-PA14B-R01-S08 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 49 1-752-J-PA14B-R01-S09 PPS cabinet, PA14B (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Dummy Module 50 1-752-J-PA14B-R01-S10 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 51 1-752-J-PA14B-R02-S01 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 52 1-752-J-PA14B-R02-S02 PPS cabinet, PA14B (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 53 1-752-J-PA14B-R02-S03 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (5/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- ESF functions with HSL to group controller 54 1-752-J-PA14B-R02-S04 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 55 1-752-J-PA14B-R02-S05 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- COM HSL input only 56 1-752-J-PA14B-R02-S06 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 57 1-752-J-PA14B-R02-S07 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 58 1-752-J-PA14B-R02-S08 PPS cabinet, PA14B (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 59 1-752-J-PA14B-R02-S09 PPS cabinet, PA14B (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 60 1-752-J-PA14B-R02-S10 PPS cabinet, PA14B (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 61 1-752-J-PA14B-R03-S01 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 62 1-752-J-PA14B-R03-S02 PPS cabinet, PA14B (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Bistable Processor Logic 63 1-752-J-PA14B-R03-S03 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts Coincidence logic changes to two out of three

- Dummy Module 64 1-752-J-PA14B-R03-S04 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 65 1-752-J-PA14B-R03-S05 PPS cabinet, PA14B (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (6/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Digital Input Module 66 1-752-J-PA14B-R03-S06 PPS cabinet, PA14B (DI620) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Analog Input Module 67 1-752-J-PA14B-R03-S07 PPS cabinet, PA14B (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 68 1-752-J-PA14B-R03-S08 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 69 1-752-J-PA14B-R03-S09 PPS cabinet, PA14B (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Dummy Module 70 1-752-J-PA14B-R03-S10 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 71 1-752-J-PA14B-R04-S01 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 72 1-752-J-PA14B-R04-S02 PPS cabinet, PA14B (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 73 1-752-J-PA14B-R04-S03 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 74 1-752-J-PA14B-R04-S04 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- COM HSL input only 75 1-752-J-PA14B-R04-S05 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 76 1-752-J-PA14B-R04-S06 PPS cabinet, PA14B (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 77 1-752-J-PA14B-R04-S07 PPS cabinet, PA14B (RB601) Operation Fails to operate No

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (7/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Digital Output Module 78 1-752-J-PA14B-R04-S08 PPS cabinet, PA14B (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 79 1-752-J-PA14B-R04-S09 PPS cabinet, PA14B (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 80 1-752-J-PA14B-R04-S10 PPS cabinet, PA14B (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 81 1-752-J-PA14C-R01-S01 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 82 1-752-J-PA14C-R01-S02 PPS cabinet, PA14C (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Bistable Processor Logic 83 1-752-J-PA14C-R01-S03 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 84 1-752-J-PA14C-R01-S04 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 85 1-752-J-PA14C-R01-S05 PPS cabinet, PA14C (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Input Module 86 1-752-J-PA14C-R01-S06 PPS cabinet, PA14C (DI620) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Analog Input Module 87 1-752-J-PA14C-R01-S07 PPS cabinet, PA14C (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 88 1-752-J-PA14C-R01-S08 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 89 1-752-J-PA14C-R01-S09 PPS cabinet, PA14C (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (8/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Dummy Module 90 1-752-J-PA14C-R01-S10 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 91 1-752-J-PA14C-R02-S01 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 92 1-752-J-PA14C-R02-S02 PPS cabinet, PA14C (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 93 1-752-J-PA14C-R02-S03 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 94 1-752-J-PA14C-R02-S04 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 95 1-752-J-PA14C-R02-S05 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- COM HSL input only 96 1-752-J-PA14C-R02-S06 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 97 1-752-J-PA14C-R02-S07 PPS cabinet, PA14C (RB601) Operation Fails to operate No No impacts

- Digital Output Module 98 1-752-J-PA14C-R02-S08 PPS cabinet, PA14C (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 99 1-752-J-PA14C-R02-S09 PPS cabinet, PA14C (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 100 1-752-J-PA14C-R02-S10 PPS cabinet, PA14C (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 101 1-752-J-PA14C-R03-S01 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 102 1-752-J-PA14C-R03-S02 PPS cabinet, PA14C (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (9/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Bistable Processor Logic 103 1-752-J-PA14C-R03-S03 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 104 1-752-J-PA14C-R03-S04 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 105 1-752-J-PA14C-R03-S05 PPS cabinet, PA14C (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Input Module 106 1-752-J-PA14C-R03-S06 PPS cabinet, PA14C (DI620) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Analog Input Module 107 1-752-J-PA14C-R03-S07 PPS cabinet, PA14C (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 108 1-752-J-PA14C-R03-S08 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 109 1-752-J-PA14C-R03-S09 PPS cabinet, PA14C (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Dummy Module 110 1-752-J-PA14C-R03-S10 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 111 1-752-J-PA14C-R04-S01 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 112 1-752-J-PA14C-R04-S02 PPS cabinet, PA14C (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 113 1-752-J-PA14C-R04-S03 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 114 1-752-J-PA14C-R04-S04 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- COM HSL input only 115 1-752-J-PA14C-R04-S05 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (10/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- RT digital output 116 1-752-J-PA14C-R04-S06 PPS cabinet, PA14C (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 117 1-752-J-PA14C-R04-S07 PPS cabinet, PA14C (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 118 1-752-J-PA14C-R04-S08 PPS cabinet, PA14C (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 119 1-752-J-PA14C-R04-S09 PPS cabinet, PA14C (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 120 1-752-J-PA14C-R04-S10 PPS cabinet, PA14C (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 121 1-752-J-PA14D-R01-S01 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 122 1-752-J-PA14D-R01-S02 PPS cabinet, PA14D (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Bistable Processor Logic 123 1-752-J-PA14D-R01-S03 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 124 1-752-J-PA14D-R01-S04 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 125 1-752-J-PA14D-R01-S05 PPS cabinet, PA14D (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Input Module 126 1-752-J-PA14D-R01-S06 PPS cabinet, PA14D (DI620) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Analog Input Module 127 1-752-J-PA14D-R01-S07 PPS cabinet, PA14D (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 128 1-752-J-PA14D-R01-S08 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (11/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Digital Output Module 129 1-752-J-PA14D-R01-S09 PPS cabinet, PA14D (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Dummy Module 130 1-752-J-PA14D-R01-S10 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 131 1-752-J-PA14D-R02-S01 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 132 1-752-J-PA14D-R02-S02 PPS cabinet, PA14D (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 133 1-752-J-PA14D-R02-S03 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 134 1-752-J-PA14D-R02-S04 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 135 1-752-J-PA14D-R02-S05 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- COM HSL input only 136 1-752-J-PA14D-R02-S06 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 137 1-752-J-PA14D-R02-S07 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 138 1-752-J-PA14D-R02-S08 PPS cabinet, PA14D (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 139 1-752-J-PA14D-R02-S09 PPS cabinet, PA14D (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 140 1-752-J-PA14D-R02-S10 PPS cabinet, PA14D (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 141 1-752-J-PA14D-R03-S01 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (12/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- Communication Interface Module 142 1-752-J-PA14D-R03-S02 PPS cabinet, PA14D (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Bistable Processor Logic 143 1-752-J-PA14D-R03-S03 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 144 1-752-J-PA14D-R03-S04 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Analog Input Module 145 1-752-J-PA14D-R03-S05 PPS cabinet, PA14D (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Input Module 146 1-752-J-PA14D-R03-S06 PPS cabinet, PA14D (DI620) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Analog Input Module 147 1-752-J-PA14D-R03-S07 PPS cabinet, PA14D (AI688) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 148 1-752-J-PA14D-R03-S08 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 149 1-752-J-PA14D-R03-S09 PPS cabinet, PA14D (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Dummy Module 150 1-752-J-PA14D-R03-S10 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Dummy Module 151 1-752-J-PA14D-R04-S01 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Communication Interface Module 152 1-752-J-PA14D-R04-S02 PPS cabinet, PA14D (CI631) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- ESF functions with HSL to group controller 153 1-752-J-PA14D-R04-S03 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 154 1-752-J-PA14D-R04-S04 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Reactor Trip System (RP) (13/13)

Component Normal No. Component ID Failure Mode Screening Function Description Status

- COM HSL input only 155 1-752-J-PA14D-R04-S05 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- RT digital output 156 1-752-J-PA14D-R04-S06 PPS cabinet, PA14D (PM646A) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Dummy Module 157 1-752-J-PA14D-R04-S07 PPS cabinet, PA14D (RB601) Operation Fails to operate No

- No impacts

- Digital Output Module 158 1-752-J-PA14D-R04-S08 PPS cabinet, PA14D (DO620) Operation Fails to operate No - No impacts

- This is for SOE (Sequence Of Events)

- Digital Output Module 159 1-752-J-PA14D-R04-S09 PPS cabinet, PA14D (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

- Digital Output Module 160 1-752-J-PA14D-R04-S10 PPS cabinet, PA14D (DO630) Operation Fails to operate No - No impacts

- Coincidence logic changes to two out of three

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Remove this column Failure Mode Evaluation of Engineered Safety Features Actuation System (EF)

Component Component Failure No. Component ID Normal Screening Remark Type Description Mode Group Controller - A1 D C P P P P P D D D Note) Add U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Dummy at Group Controller 1 Fails to - Dummy Module 1 1-752-J-PA03A-R01-S01 N/A in ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 1 Fails to - It impacts on when the coincidence failure of GC-2 1-752-J-PA03A-R01-S02 Operation Yes Processor in ESF-CCS Group Controller operate 2 CI631.

Cabinet, PA03A - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

- Group Controller 1 Processor Module 1 (GC-1 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

3 1-752-J-PA03A-R01-S03 Operation No Module 1 in ESF-CCS Group operate - It causes the loss of the (A or C) coincidence Controller Cabinet, PA03A logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-1 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

4 1-752-J-PA03A-R01-S04 Operation No Module 1 in ESF-CCS Group operate - It causes the loss of the (B or D) coincidence Controller Cabinet, PA03A logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 3 (GC-1 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 5 1-752-J-PA03A-R01-S05 Operation No coincidence logic performed by PM 3.

Module 1 in ESF-CCS Group operate

- It causes the loss of MCR CPM signals.

Controller Cabinet, PA03A

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-1 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 6 1-752-J-PA03A-R01-S06 Operation No - It causes the loss of RSR CPM signals.

Module 1 in ESF-CCS Group operate

- Redundant RSR CPM signal is available in the Controller Cabinet, PA03A redundant group controller.

- Group Controller 1 Processor Module 5 (GC-1 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 7 1-752-J-PA03A-R01-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 1 in ESF-CCS Group operate CCG to LC via PM5.

Controller Cabinet, PA03A

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 1 in ESF- Fails to 8 1-752-J-PA03A-R01-S08 Operation Yes one GC in that channel, but the redundant GC is Module CCS Group Controller Cabinet, operate still functional.

PA03A

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital Output at Group Controller 1 in ESF- Fails to - It is no impact on the safety function.

9 1-752-J-PA03A-R01-S09 Operation Yes Module CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer PA03A Switch status to the PPS.

Dummy at Group Controller 1 Fails to - Dummy Module 10 1-752-J-PA03A-R01-S10 N/A in ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 Component Component Component Failure No. Normal Screening Remark ID Type Description Mode CCG - A1 D C P D D D D D D C Note) Add U I M U U I O U U I Remove this column M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 Fails to - Dummy Module 11 1-752-J-PA03A-R02-S01 N/A in ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 12 1-752-J-PA03A-R02-S02 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03A control manual control

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-1 PM)

Processor (PM646A) at CCG 1 in ESF- Fails to 13 1-752-J-PA03A-R02-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 2 PM PA03A

- It impacts corresponding channel's ESCM control Dummy at Group Controller 2 Fails to - Dummy Module 14 1-752-J-PA03A-R02-S04 N/A in ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A Dummy at Group Controller 2 Fails to - Dummy Module 15 1-752-J-PA03A-R02-S05 N/A in ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 16 1-752-J-PA03A-R02-S06 CCG 1 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03A

- It is for transfer switch status

- Digital Output Module Digital Output Module (DO620)

Digital Output Fails to - No impact, because no safety function depends 17 1-752-J-PA03A-R02-S07 at CCG 1 in ESF-CCS Group Operation Yes Module operate on DO contact input.

Controller Cabinet, PA03A

- It is for transfer switch status Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 18 1-752-J-PA03A-R02-S08 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03A Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 19 1-752-J-PA03A-R02-S09 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03A

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 20 1-752-J-PA03A-R02-S10 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03A control manual control Group Controller - A2 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Group Controller (RB601) at Group Controller 2 in ESF-CCS Fails to - Dummy Module 21 1-752-J-PA03A-R03-S01 N/A Operation Yes Group Controller Cabinet, operate - No impacts PA03A

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 2 in Fails to - It impacts on when the coincidence failure of GC-1 22 1-752-J-PA03A-R03-S02 Operation Yes Processor ESF-CCS Group Controller operate CI631.

Cabinet, PA03A - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

- Group Controller 1 Processor Module 1 (GC-2 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

23 1-752-J-PA03A-R03-S03 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence logic Cabinet, PA03A performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-2 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

24 1-752-J-PA03A-R03-S04 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence logic Cabinet, PA03A performed by PM2.

- Redundant component control signal is available in the redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 3 (GC-2 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 25 1-752-J-PA03A-R03-S05 Operation No coincidence logic performed by PM 3.

Module 2 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03A

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-2 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 26 1-752-J-PA03A-R03-S06 Operation No - It causes the loss of RSR CPM signals.

Module 2 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03A redundant group controller.

- Group Controller 1 Processor Module 5 (GC-2 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 27 1-752-J-PA03A-R03-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 2 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03A

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 2 in ESF-CCS Fails to 28 1-752-J-PA03A-R03-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03A

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 2 in ESF- Fails to - It is no impact on the safety function.

29 1-752-J-PA03A-R03-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03A Switch status to the PPS.

ESF-CCS group controller Fails to - Dummy Module 30 1-752-J-PA03A-R03-S10 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode CCG - A2 D C P D D D D D D C Note) Add U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 31 1-752-J-PA03A-R04-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03A

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 32 1-752-J-PA03A-R04-S02 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03A control manual control.

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-2 PM)

Processor (PM646A) at CCG 2 in ESF- Fails to 33 1-752-J-PA03A-R04-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 1 PM PA03A

- It impacts corresponding channel's ESCM control ESF-CCS group controller Fails to - Dummy Module 34 1-752-J-PA03A-R04-S04 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 35 1-752-J-PA03A-R04-S05 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 36 1-752-J-PA03A-R04-S06 CCG 2 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03A

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 37 1-752-J-PA03A-R04-S07 Output at CCG 2 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03A

- It is for transfer switch status ESF-CCS group controller Fails to - Dummy Module 38 1-752-J-PA03A-R04-S08 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 39 1-752-J-PA03A-R04-S09 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 40 1-752-J-PA03A-R04-S10 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03A control manual control

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode Group Controller - A3 Note) Add C C P P D D D D D C I I M M I O U U U I 6 6 6 6 6 6 M M M 6 3 3 4 4 2 2 M M M 3 1 1 6 6 1 0 Y Y Y 1 Component Interface Module - Component Interface Module CI Interface (CI631) 1 at Group Controller 3 Fails to - It causes the loss global memory.

41 1-752-J-PA03A-R05-S01 Operation Yes Processor in ESF-CCS Group Controller operate - Redundant CI module provides redundant global Cabinet, PA03A memory for the chassis.

Component Interface Module - Component Interface Module CI Interface (CI631) 2 at Group Controller 3 Fails to - It causes the loss global memory.

42 1-752-J-PA03A-R05-S02 Operation Yes Processor in ESF-CCS Group Controller operate - Redundant CI module provides redundant global Cabinet, PA03A memory for the chassis.

- Primary Processor Module

- It causes the loss of Actuation of BOP ESF or Load Sequencing.

PM Processor Module 1 - Redundant GC-3 secondary processor module Processor (PM646A) at Group Controller Fails to provides the logic for actuation of BOP ESF and 43 1-752-J-PA03A-R05-S03 Operation No Module 3 in ESF-CCS Group Controller operate Load Sequencing.

Cabinet, PA03A - The redundant PM acquires the RMS and Loss of Offsite Power (LOOP) input signals, performs the BOP ESF and Load Sequencing Logic and transmits the corresponding initiation signals.

- Secondary Processor Module

- It causes the loss of Actuation of BOP ESF or Load Sequencing.

PM Processor Module 1 - Redundant GC-3 secondary processor module Processor (PM646A) at Group Controller Fails to provides the logic for actuation of BOP ESF and 44 1-752-J-PA03A-R05-S04 Operation No Module 3 in ESF-CCS Group Controller operate Load Sequencing.

Cabinet, PA03A - The redundant PM acquires the RMS and Loss of Offsite Power (LOOP) input signals, performs the BOP ESF and Load Sequencing Logic and transmits the corresponding initiation signals.

- Digital Input Module

- It causes the loss of internal cabinet status Digital Input Module (DI621) at information, and it causes the loss of Actuation of Digital Input Group Controller 3 in ESF-CCS Fails to 45 1-752-J-PA03A-R05-S05 Operation No BOP ESF or Load Sequencing.

Module Group Controller Cabinet, operate

- Redundant GC-3s are provided by ESF-CCS PA03A Channels A and B, thus the redundant GC-3 maintains the function.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Digital Output Module

- It causes the loss of internal cabinet status Digital Output Module (DO620)

Digital information, and it causes the loss of Actuation of at Group Controller 3 in ESF- Fails to 46 1-752-J-PA03A-R05-S06 Output Operation No BOP ESF or Load Sequencing.

CCS Group Controller Cabinet, operate Module - Redundant GC-3s are provided by ESF-CCS PA03A Channels A and B, thus the redundant GC-3 maintains the function.

ESF-CCS group controller Fails to - Dummy Module 47 1-752-J-PA03A-R05-S07 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 48 1-752-J-PA03A-R05-S08 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 49 1-752-J-PA03A-R05-S09 N/A Operation Yes cabinet, PA03A (RB601) operate - No impacts

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) 3 at Group Controller 3 Fails to - It impacts on the actuation of BOP-ESF and load 50 1-752-J-PA03A-R05-S10 Operation Yes Processor in ESF-CCS Group Controller operate sequencing.

Cabinet, PA03A - Redundant GC-3s are provided by ESF-CCS channel A and B, thus the redundant GC-3 maintains the function.

Group Controller - A1 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Dummy at Group Controller 1 in Fails to - Dummy Module 51 1-752-J-PA03B-R01-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 1 in Fails to - It impacts on when the coincidence failure of GC-52 1-752-J-PA03B-R01-S02 Operation Yes Processor ESF-CCS Group Controller operate 2 CI631.

Cabinet, PA03B Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening - Remark Type Description Mode

- Group Controller 1 Processor Module 1 (GC-1 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

53 1-752-J-PA03B-R01-S03 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03B logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-1 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

54 1-752-J-PA03B-R01-S04 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03B logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-1 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 55 1-752-J-PA03B-R01-S05 Operation No coincidence logic performed by PM 3.

Module 1 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03B

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-1 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 56 1-752-J-PA03B-R01-S06 Operation No - It causes the loss of RSR CPM signals.

Module 1 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03B redundant group controller.

- Group Controller 1 Processor Module 5 (GC-1 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 57 1-752-J-PA03B-R01-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 1 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03B

- Redundant RSR CPM signal is available in the redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 1 in ESF-CCS Fails to 58 1-752-J-PA03B-R01-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03B

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 1 in ESF- Fails to - It is no impact on the safety function.

59 1-752-J-PA03B-R01-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03B Switch status to the PPS.

Dummy at Group Controller 1 in Fails to - Dummy Module 60 1-752-J-PA03B-R01-S10 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B CCG - A1 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 61 1-752-J-PA03B-R02-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 62 1-752-J-PA03B-R02-S02 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03B control manual control

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-1 PM)

Processor (PM646A) at CCG 1 in ESF- Fails to 63 1-752-J-PA03B-R02-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 2 PM PA03B

- It impacts corresponding channel's ESCM control Dummy at Group Controller 2 in Fails to - Dummy Module 64 1-752-J-PA03B-R02-S04 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B Dummy at Group Controller 2 in Fails to - Dummy Module 65 1-752-J-PA03B-R02-S05 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 66 1-752-J-PA03B-R02-S06 CCG 1 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03B

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 67 1-752-J-PA03B-R02-S07 Output at CCG 1 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03B

- It is for transfer switch status Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 68 1-752-J-PA03B-R02-S08 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03B Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 69 1-752-J-PA03B-R02-S09 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03B

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 70 1-752-J-PA03B-R02-S10 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03B control manual control Group Controller - A2 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Group Controller (RB601) at Group Controller 2 in ESF-CCS Fails to - Dummy Module 71 1-752-J-PA03B-R03-S01 N/A Operation Yes Group Controller Cabinet, operate - No impacts PA03B

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 2 in Fails to - It impacts on when the coincidence failure of GC-72 1-752-J-PA03B-R03-S02 Operation Yes Processor ESF-CCS Group Controller operate 1 CI631.

Cabinet, PA03B - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 1 (GC-2 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

73 1-752-J-PA03B-R03-S03 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03B logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-2 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

74 1-752-J-PA03B-R03-S04 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03B logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-2 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 75 1-752-J-PA03B-R03-S05 Operation No coincidence logic performed by PM 3.

Module 2 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03B

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-2 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 76 1-752-J-PA03B-R03-S06 Operation No - It causes the loss of RSR CPM signals.

Module 2 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03B redundant group controller.

- Group Controller 1 Processor Module 5 (GC-2 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 77 1-752-J-PA03B-R03-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 2 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03B

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 2 in ESF-CCS Fails to 78 1-752-J-PA03B-R03-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03B

- Redundant group controller and redundant initiation signals are provided within the channel.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 2 in ESF- Fails to - It is no impact on the safety function.

79 1-752-J-PA03B-R03-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03B Switch status to the PPS.

ESF-CCS group controller Fails to - Dummy Module 80 1-752-J-PA03B-R03-S10 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts CCG - A2 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 81 1-752-J-PA03B-R04-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03B

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 82 1-752-J-PA03B-R04-S02 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03B control manual control.

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-2 PM)

Processor (PM646A) at CCG 2 in ESF- Fails to 83 1-752-J-PA03B-R04-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 1 PM PA03B

- It impacts corresponding channel's ESCM control ESF-CCS group controller Fails to - Dummy Module 84 1-752-J-PA03B-R04-S04 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 85 1-752-J-PA03B-R04-S05 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 86 1-752-J-PA03B-R04-S06 CCG 2 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03B

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 87 1-752-J-PA03B-R04-S07 Output at CCG 2 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03B

- It is for transfer switch status

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode ESF-CCS group controller Fails to - Dummy Module 88 1-752-J-PA03B-R04-S08 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 89 1-752-J-PA03B-R04-S09 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 90 1-752-J-PA03B-R04-S10 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03B control manual control Group Controller - A3 Note) Add C C P P D D D D D C I I M M I O U U U I 6 6 6 6 6 6 M M M 6 3 3 4 4 2 2 M M M 3 1 1 6 6 1 0 Y Y Y 1 Component Interface Module - Component Interface Module CI Interface (CI631) 1 at Group Controller 3 Fails to - It causes the loss global memory.

91 1-752-J-PA03B-R05-S01 Operation Yes Processor in ESF-CCS Group Controller operate - Redundant CI module provides redundant global Cabinet, PA03B memory for the chassis.

Component Interface Module - Component Interface Module CI Interface (CI631) 2 at Group Controller 3 Fails to - It causes the loss global memory.

92 1-752-J-PA03B-R05-S02 Operation Yes Processor in ESF-CCS Group Controller operate - Redundant CI module provides redundant global Cabinet, PA03B memory for the chassis.

- Primary Processor Module

- It causes the loss of Actuation of BOP ESF or Load Sequencing.

PM Processor Module 1 - Redundant GC-3 secondary processor module Processor (PM646A) at Group Controller Fails to provides the logic for actuation of BOP ESF and 93 1-752-J-PA03B-R05-S03 Operation No Module 3 in ESF-CCS Group Controller operate Load Sequencing.

Cabinet, PA03B - The redundant PM acquires the RMS and Loss of Offsite Power (LOOP) input signals, performs the BOP ESF and Load Sequencing Logic and transmits the corresponding initiation signals.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Secondary Processor Module

- It causes the loss of Actuation of BOP ESF or Load Sequencing.

PM Processor Module 1 - Redundant GC-3 secondary processor module Processor (PM646A) at Group Controller Fails to provides the logic for actuation of BOP ESF and 94 1-752-J-PA03B-R05-S04 Operation No Module 3 in ESF-CCS Group Controller operate Load Sequencing.

Cabinet, PA03B - The redundant PM acquires the RMS and Loss of Offsite Power (LOOP) input signals, performs the BOP ESF and Load Sequencing Logic and transmits the corresponding initiation signals.

- Digital Input Module

- It causes the loss of internal cabinet status Digital Input Module (DI621) at information, and it causes the loss of Actuation of Digital Input Group Controller 3 in ESF-CCS Fails to 95 1-752-J-PA03B-R05-S05 Operation No BOP ESF or Load Sequencing.

Module Group Controller Cabinet, operate

- Redundant GC-3s are provided by ESF-CCS PA03B Channels A and B, thus the redundant GC-3 maintains the function.

- Digital Output Module

- It causes the loss of internal cabinet status Digital Output Module (DO620)

Digital information, and it causes the loss of Actuation of at Group Controller 3 in ESF- Fails to 96 1-752-J-PA03B-R05-S06 Output Operation No BOP ESF or Load Sequencing.

CCS Group Controller Cabinet, operate Module - Redundant GC-3s are provided by ESF-CCS PA03B Channels A and B, thus the redundant GC-3 maintains the function.

ESF-CCS group controller Fails to - Dummy Module 97 1-752-J-PA03B-R05-S07 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 98 1-752-J-PA03B-R05-S08 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 99 1-752-J-PA03B-R05-S09 N/A Operation Yes cabinet, PA03B (RB601) operate - No impacts

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) 3 at Group Controller 3 Fails to - It impacts on the actuation of BOP-ESF and load 100 1-752-J-PA03B-R05-S10 Operation Yes Processor in ESF-CCS Group Controller operate sequencing.

Cabinet, PA03B - Redundant GC-3s are provided by ESF-CCS channel A and B, thus the redundant GC-3 maintains the function.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode Group Controller - A1 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Dummy at Group Controller 1 in Fails to - Dummy Module 101 1-752-J-PA03C-R01-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 1 in Fails to - It impacts on when the coincidence failure of GC-102 1-752-J-PA03C-R01-S02 Operation Yes Processor ESF-CCS Group Controller operate 2 CI631.

Cabinet, PA03C - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

- Group Controller 1 Processor Module 1 (GC-1 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

103 1-752-J-PA03C-R01-S03 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03C logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-1 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

104 1-752-J-PA03C-R01-S04 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03C logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-1 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 105 1-752-J-PA03C-R01-S05 Operation No coincidence logic performed by PM 3.

Module 1 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03C

- Redundant component control signal is available in the redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 4 (GC-1 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 106 1-752-J-PA03C-R01-S06 Operation No - It causes the loss of RSR CPM signals.

Module 1 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03C redundant group controller.

- Group Controller 1 Processor Module 5 (GC-1 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 107 1-752-J-PA03C-R01-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 1 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03C

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 1 in ESF-CCS Fails to 108 1-752-J-PA03C-R01-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03C

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 1 in ESF- Fails to - It is no impact on the safety function.

109 1-752-J-PA03C-R01-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03C Switch status to the PPS.

Dummy at Group Controller 1 in Fails to - Dummy Module 110 1-752-J-PA03C-R01-S10 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C CCG - A1 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 111 1-752-J-PA03C-R02-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 112 1-752-J-PA03C-R02-S02 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03C control manual control

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-1 PM)

Processor (PM646A) at CCG 1 in ESF- Fails to 113 1-752-J-PA03C-R02-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 2 PM PA03C

- It impacts corresponding channel's ESCM control Dummy at Group Controller 2 in Fails to - Dummy Module 114 1-752-J-PA03C-R02-S04 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C Dummy at Group Controller 2 in Fails to - Dummy Module 115 1-752-J-PA03C-R02-S05 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 116 1-752-J-PA03C-R02-S06 CCG 1 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03C

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 117 1-752-J-PA03C-R02-S07 Output at CCG 1 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03C

- It is for transfer switch status Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 118 1-752-J-PA03C-R02-S08 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03C Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 119 1-752-J-PA03C-R02-S09 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03C

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 120 1-752-J-PA03C-R02-S10 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03C control manual control Group Controller - A2 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Group Controller (RB601) at Group Controller 2 in ESF-CCS Fails to - Dummy Module 121 1-752-J-PA03C-R03-S01 N/A Operation Yes Group Controller Cabinet, operate - No impacts PA03C

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 2 in Fails to - It impacts on when the coincidence failure of GC-122 1-752-J-PA03C-R03-S02 Operation Yes Processor ESF-CCS Group Controller operate 1 CI631.

Cabinet, PA03C - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

- Group Controller 1 Processor Module 1 (GC-2 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

123 1-752-J-PA03C-R03-S03 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03C logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-2 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

124 1-752-J-PA03C-R03-S04 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03C logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-2 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 125 1-752-J-PA03C-R03-S05 Operation No coincidence logic performed by PM 3.

Module 2 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03C

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-2 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 126 1-752-J-PA03C-R03-S06 Operation No - It causes the loss of RSR CPM signals.

Module 2 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03C redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 5 (GC-2 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 127 1-752-J-PA03C-R03-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 2 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03C

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 2 in ESF-CCS Fails to 128 1-752-J-PA03C-R03-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03C

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 2 in ESF- Fails to - It is no impact on the safety function.

129 1-752-J-PA03C-R03-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03C Switch status to the PPS.

ESF-CCS group controller Fails to - Dummy Module 130 1-752-J-PA03C-R03-S10 N/A Operation Yes cabinet, PA03C(RB601) operate - No impacts CCG - A2 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 131 1-752-J-PA03C-R04-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03C

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 132 1-752-J-PA03C-R04-S02 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03C control manual control.

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-2 PM)

Processor (PM646A) at CCG 2 in ESF- Fails to 133 1-752-J-PA03C-R04-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 1 PM PA03C

- It impacts corresponding channel's ESCM control

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode ESF-CCS group controller Fails to - Dummy Module 134 1-752-J-PA03C-R04-S04 N/A Operation Yes cabinet, PA03C (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 135 1-752-J-PA03C-R04-S05 N/A Operation Yes cabinet, PA03C (RB601) operate - No impacts

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 136 1-752-J-PA03C-R04-S06 CCG 2 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03C

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 137 1-752-J-PA03C-R04-S07 Output at CCG 2 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03C

- It is for transfer switch status ESF-CCS group controller Fails to - Dummy Module 138 1-752-J-PA03C-R04-S08 N/A Operation Yes cabinet, PA03C (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 139 1-752-J-PA03C-R04-S09 N/A Operation Yes cabinet, PA03C (RB601) operate - No impacts

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 140 1-752-J-PA03C-R04-S10 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03C control manual control Group Controller - A1 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Dummy at Group Controller 1 in Fails to - Dummy Module 141 1-752-J-PA03D-R01-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03D

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 1 in Fails to - It impacts on when the coincidence failure of GC-142 1-752-J-PA03D-R01-S02 Operation Yes Processor ESF-CCS Group Controller operate 2 CI631.

Cabinet, PA03D - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 1 (GC-1 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

143 1-752-J-PA03D-R01-S03 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03D logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 2 (GC-1 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

144 1-752-J-PA03D-R01-S04 Operation No Module 1 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03D logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-1 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 145 1-752-J-PA03D-R01-S05 Operation No coincidence logic performed by PM 3.

Module 1 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03D

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-1 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 146 1-752-J-PA03D-R01-S06 Operation No - It causes the loss of RSR CPM signals.

Module 1 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03D redundant group controller.

- Group Controller 1 Processor Module 5 (GC-1 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 147 1-752-J-PA03D-R01-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 1 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03D

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 1 in ESF-CCS Fails to 148 1-752-J-PA03D-R01-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03D

- Redundant group controller and redundant initiation signals are provided within the channel.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 1 in ESF- Fails to - It is no impact on the safety function.

149 1-752-J-PA03D-R01-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03D Switch status to the PPS.

Dummy at Group Controller 1 in Fails to - Dummy Module 150 1-752-J-PA03D-R01-S10 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03D CCG - A1 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in 1-752-J-PA03D-R02- Fails to - Dummy Module 151 N/A ESF-CCS Group Controller Operation Yes S01 operate - No impacts Cabinet, PA03D

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of 1-752-J-PA03D-R02- CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 152 Operation Yes redundant CI631 module in CCG2 S02 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03D control manual control

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-1 PM) 1-752-J-PA03D-R02- Processor (PM646A) at CCG 1 in ESF- Fails to 153 Operation Yes - It impact on when the coincidence failure of CCG-S03 Module CCS Group Controller Cabinet, operate 2 PM PA03D

- It impacts corresponding channel's ESCM control Dummy at Group Controller 2 in 1-752-J-PA03D-R02- Fails to - Dummy Module 154 N/A ESF-CCS Group Controller Operation Yes S04 operate - No impacts Cabinet, PA03D Dummy at Group Controller 2 in 1-752-J-PA03D-R02- Fails to - Dummy Module 155 N/A ESF-CCS Group Controller Operation Yes S05 operate - No impacts Cabinet, PA03D

- Digital Input Module Digital Input Module (DI621) at 1-752-J-PA03D-R02- Digital Input Fails to - No impact, because no safety function depends 156 CCG 1 in ESF-CCS Group Operation Yes S06 Module operate on DI contact input.

Controller Cabinet, PA03D

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620) 1-752-J-PA03D-R02- Fails to - No impact, because no safety function depends 157 Output at CCG 1 in ESF-CCS Group Operation Yes S07 operate on DO contact input.

Module Controller Cabinet, PA03D

- It is for transfer switch status 158 1-752-J-PA03D-R02- N/A Dummy at CCG 1 in ESF-CCS Operation Fails to Yes - Dummy Module

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode S08 Group Controller Cabinet, operate - No impacts PA03D Dummy at CCG 1 in ESF-CCS Fails to - Dummy Module 159 1-752-J-PA03D-R02-S09 N/A Group Controller Cabinet, Operation Yes operate - No impacts PA03D

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 1 in ESF-CCS Fails to 160 1-752-J-PA03D-R02-S10 Operation Yes redundant CI631 module in CCG2 Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03D control manual control Group Controller - A2 Note) Add D C P P P P P D D D U I M M M M M I O U M 6 6 6 6 6 6 6 6 M M 3 4 4 4 4 4 2 2 M Y 1 6 6 6 6 6 1 0 Y Group Controller (RB601) at Group Controller 2 in ESF-CCS Fails to - Dummy Module 161 1-752-J-PA03D-R03-S01 N/A Operation Yes Group Controller Cabinet, operate - No impacts PA03D

- Component Interface Module

- It causes the loss of ability to communication by Component Interface Module AF1000 Internet network.

CI Interface (CI631) at Group Controller 2 in Fails to - It impacts on when the coincidence failure of GC-162 1-752-J-PA03D-R03-S02 Operation Yes Processor ESF-CCS Group Controller operate 1 CI631.

Cabinet, PA03D - Redundant group controller has its own CI module which provides global memory and provides AF 100 access.

- Group Controller 1 Processor Module 1 (GC-2 PM1).

PM Processor Module 1 - It causes the loss of the A and C ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

163 1-752-J-PA03D-R03-S03 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (A or C) coincidence Cabinet, PA03D logic performed by PM1.

- Redundant component control signal is available in the redundant group controller.

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode

- Group Controller 1 Processor Module 2 (GC-2 PM2).

PM Processor Module 2 - It causes the loss of the B and D ESF Initiation Processor (PM646A) at Group Controller Fails to signals.

164 1-752-J-PA03D-R03-S04 Operation No Module 2 in ESF-CCS Group Controller operate - It causes the loss of the (B or D) coincidence Cabinet, PA03D logic performed by PM2.

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 3 (GC-2 PM3).

PM Processor Module 3

- It causes the loss of the selective two out of four Processor (PM646A) at Group Controller Fails to 165 1-752-J-PA03D-R03-S05 Operation No coincidence logic performed by PM 3.

Module 2 in ESF-CCS Group Controller operate

- It causes the loss of MCR CPM signals.

Cabinet, PA03D

- Redundant component control signal is available in the redundant group controller.

- Group Controller 1 Processor Module 4 (GC-2 PM Processor Module 4 PM4).

Processor (PM646A) at Group Controller Fails to 166 1-752-J-PA03D-R03-S06 Operation No - It causes the loss of RSR CPM signals.

Module 2 in ESF-CCS Group Controller operate

- Redundant RSR CPM signal is available in the Cabinet, PA03D redundant group controller.

- Group Controller 1 Processor Module 5 (GC-2 PM5).

PM Processor Module 5

- It causes the loss of component control signal Processor (PM646A) at Group Controller Fails to 167 1-752-J-PA03D-R03-S07 Operation Yes propagation (ESCM signals and MI signals) from Module 2 in ESF-CCS Group Controller operate CCG to LC via PM5.

Cabinet, PA03D

- Redundant RSR CPM signal is available in the redundant group controller.

- Digital Input Module

- It is no impact on the safety function.

Digital Input Module (DI621) at

- It causes the loss of local manual actuation in Digital Input Group Controller 2 in ESF-CCS Fails to 168 1-752-J-PA03D-R03-S08 Operation Yes one GC in that channel, but the redundant GC is Module Group Controller Cabinet, operate still functional.

PA03D

- Redundant group controller and redundant initiation signals are provided within the channel.

Digital Output Module (DO620) - Digital Output Module Digital at Group Controller 2 in ESF- Fails to - It is no impact on the safety function.

169 1-752-J-PA03D-R03-S09 Output Operation Yes CCS Group Controller Cabinet, operate - It causes the loss of transmission the Transfer Module PA03D Switch status to the PPS.

ESF-CCS group controller Fails to - Dummy Module 170 1-752-J-PA03D-R03-S10 N/A Operation Yes cabinet, PA03D(RB601) operate - No impacts

Non-proprietary Remove this column RAI 271-8290 - Question 19-15_Rev.2 Component Component Failure No. Component ID Normal Screening Remark Type Description Mode CCG - A2 Note) Add D C P D D D D D D C U I M U U I O U U I M 6 6 M M 6 6 M M 6 M 3 4 M M 2 2 M M 3 Y 1 6 Y Y 1 0 Y Y 1 Dummy at Group Controller 2 in Fails to - Dummy Module 171 1-752-J-PA03D-R04-S01 N/A ESF-CCS Group Controller Operation Yes operate - No impacts Cabinet, PA03D

- Component Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 172 1-752-J-PA03D-R04-S02 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03D control manual control.

- Control Channel Gateway 1 Processor Module PM Processor Module 1 (CCG-2 PM)

Processor (PM646A) at CCG 2 in ESF- Fails to 173 1-752-J-PA03D-R04-S03 Operation Yes - It impact on when the coincidence failure of CCG-Module CCS Group Controller Cabinet, operate 1 PM PA03D

- It impacts corresponding channel's ESCM control ESF-CCS group controller Fails to - Dummy Module 174 1-752-J-PA03D-R04-S04 N/A Operation Yes cabinet, PA03D (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 175 1-752-J-PA03D-R04-S05 N/A Operation Yes cabinet, PA03D (RB601) operate - No impacts

- Digital Input Module Digital Input Module (DI621) at Digital Input Fails to - No impact, because no safety function depends 176 1-752-J-PA03D-R04-S06 CCG 2 in ESF-CCS Group Operation Yes Module operate on DI contact input.

Controller Cabinet, PA03D

- It is for transfer switch status

- Digital Output Module Digital Digital Output Module (DO620)

Fails to - No impact, because no safety function depends 177 1-752-J-PA03D-R04-S07 Output at CCG 2 in ESF-CCS Group Operation Yes operate on DO contact input.

Module Controller Cabinet, PA03D

- It is for transfer switch status ESF-CCS group controller Fails to - Dummy Module 178 1-752-J-PA03D-R04-S08 N/A Operation Yes cabinet, PA03D (RB601) operate - No impacts ESF-CCS group controller Fails to - Dummy Module 179 1-752-J-PA03D-R04-S09 N/A Operation Yes cabinet, PA03D (RB601) operate - No impacts

- Communication Interface Module Component Interface Module

- It impacts on when the coincidence failure of CI Interface (CI631) at CCG 2 in ESF-CCS Fails to 180 1-752-J-PA03D-R04-S10 Operation Yes redundant CI631 module in CCG1.

Processor Group Controller Cabinet, operate

- It impacts on corresponding channel's ESCM PA03D control manual control

Non-proprietary 5$,4XHVWLRQB5HY

RAI 271-8290 - Question 19-15_Rev.3 Add Note)

The Group Controller Cabinets (GCCs) contain two Control Channel Gateways (CCGs) and two Group Controllers. For Channel A and B, they have also contain third GC. The CCG 1 and CCG 2 are on racks R02 and R04. The GC1, GC2 and GC3 are on rack R01, R03 and R05.

The table summarizes the rack configurations and component ID.

R05 (GC3)

R01 (GC1) R02 (CCG1) R03 (GC2) R04 (CCG2)

(Only Channel A and B)

Slot Component ID Component ID Component ID Component ID Component ID RB601 RB601 RB601 RB601 1 R01-S01 R02-S01 R03-S01 R04-S01 CI631 C

(Dummy) (Dummy) (Dummy) (Dummy) 2 CI631 R01-S02 R01-S02 R01-S0 2 CI631 R03-S02 03-S02 03-S02 CI631 CI R 3 PM646 R01-S03 PM646 R02-S03 R02-S03 03-S03 03-S03 PM PM646 PM646 R RB601 RB601 4 PM646 R01-S04 R02-S04 R02-S04 PM646 P R04-S04 PM646 P

(Dummy) (Dummy)

RB601 RB601 5 PM646 R01-S05 R02-S05 PM646 P R04-S05 R04-S05 DI621 D

(Dummy) (Dummy) 6 PM646 PM646 R01 DI621 R02-S06 0 PM646 03-S06 DI621 R04-S06 R04-S06 R05-S06 RB601 7 PM646 R01-S07 DO620 R02-S07 PM646 R03 DO620 R04 R05-S07 (Dummy)

RB601 RB601 RB601 8 DI621 R01-S08 R02-S08 R 02-S08 DI621 D R04-S08 R05-S08 (Dummy) (Dummy) (Dummy)

RB601 RB601 RB601 9 DO620 R01-S09 R02-S09 DO620 R03-S09 R04-S09 R05-S09 (Dummy) (Dummy) (Dummy)

RB601 RB601 10 R01-S10 CI631 R02-S10 R03-S10 R03-S10 CI631 R R04-S10 (Dummy) (Dummy)

Non-proprietary Add RAI 271-8290 - Question 19-15_Rev.3





Note)



The Group Controller Cabinets (GCCs) contain two Control Channel Gateways (CCGs) and two Group Controllers. For Channel A and B, they have also contain third GC. The CCG 1 and CCG 2 are on racks R02 and R04. The GC1, GC2 and GC3 are on rack R01, R03 and R05.



The table summarizes the rack configurations and component ID.



   

R05 (GC3)

 R01 (GC1) R02 (CCG1) R03 (GC2) R04 (CCG2)

(Only Channel A and B)

Slot    

Component ID Component ID Component ID Component ID Component ID



RB601 

RB601 RB601 RB601 1 R01-S01 R02-S01 R03-S01 R04-S01 CI631 R05-S01 (Dummy) (Dummy) (Dummy) (Dummy)

    

2 CI631 R01-S02 CI631 R02-S02 CI631 R03-S02 CI631 R04-S02 CI631 R05-S02

    

3 PM646 R01-S03 PM646 R02-S03 PM646 R03-S03 PM646 R04-S03 PM646 R05-S03

  

RB601 RB601 4 PM646 R01-S04 R02-S04 PM646 R03-S04 R04-S04 PM646 R05-S04 (Dummy) (Dummy)

  

RB601 RB601 5 PM646 R01-S05 R02-S05 PM646 R03-S05 R04-S05 DI621 R05-S05 (Dummy) (Dummy)

    

6 PM646 R01-S06 DI621 R02-S06 PM646 R03-S06 DI621 R04-S06 DO620 R05-S06

    

RB601 7 PM646 R01-S07 DO620 R02-S07 PM646 R03-S07 DO620 R04-S07 R05-S07 (Dummy)

  

RB601 RB601 RB601 8 DI621 R01-S08 R02-S08 DI621 R03-S08 R04-S08 R05-S08 (Dummy) (Dummy) (Dummy)

  

RB601 RB601 RB601 9 DO620 R01-S09 R02-S09 DO620 R03-S09 R04-S09 R05-S09 (Dummy) (Dummy) (Dummy)



RB601  

RB601 

10 R01-S10 CI631 R02-S10 R03-S10 CI631 R04-S10 CI631 R05-S10 (Dummy) (Dummy)



Non-proprietary APR1400 DCD TIER 2 RAI 217-8290 - Question 19-15_Rev.1 5$,4XHVWLRQB5HY

Table 1.8-2 (9 of 29)

Item No. Description COL 6.1(1) The COL applicant is to identify the implementation milestones for the coatings program.

COL 6.2(1) The COL applicant is to identify the implementation milestone for the CILRT program.

COL 6.3(1) The COL applicant is to prepare operational procedures and maintenance programs as related to leak detection and contamination control.

COL 6.3(2) The COL applicant is to maintain complete documentation of system design, construction, design modifications, field changes, and operations.

COL 6.4(1) The COL applicant is to provide automatic and manual operating procedures for the control room HVAC system, which are required in the event of a postulated toxic gas release.

COL 6.4(2) The COL applicant is to provide the details of specific toxic chemicals of mobile and stationary sources and evaluate the MCR habitability based on the recommendations in NRC RG 1.78 to meet the requirements of TMI Action Plan Item III.D.3.4 and GDC 19.

COL 6.4(3) The COL applicant is to identify and develop toxic gas detection requirements to protect the operators and provide reasonable assurance of the MCR habitability. The number, locations, sensitivity, range, type, and design of the toxic gas detectors are to be developed by the COL applicant.

COL 6.5(1) The COL applicant is to provide the operational procedures and maintenance program as related to leak detection and contamination control.

COL 6.5(2) The COL applicant is to maintain the complete documentation of system design, construction, design modifications, field changes, and operations.

COL 6.6(1) The COL applicant is to identify the implementation milestones for ASME Section Xl inservice inspection program for ASME Code Section III Class 2 and 3 components.

COL 6.6(2) The COL applicant is to identify the implementation milestone for the augmented inservice inspection program.

COL 6.8(1) The COL applicant is to provide the operational procedures and maintenance program for leak detection and contamination control.

COL 6.8(2) The COL applicant is to provide the preparation of cleanliness, housekeeping, and foreign materials exclusion program.

COL 6.8(3) The COL applicant is to maintain the complete documentation of system design, construction, design modifications, field changes, and operations.

COL 6.8(4) The COL applicant is responsible for the establishment and implementation of the Maintenance Rule program in accordance with 10 CFR 50.65.

Add COL 7.5(1) The COL applicant is to provide a description of the site-specific AMI variables such as wind speed, and atmosphere stability temperature difference.

COL 7.5(2) The COL applicant is to provide a description of the site-specific EOF.



COL 7.1(2) The COL applicant is to provide the feasibility of software reliability.

The COL applicant is to provide justifiable software reliability data for software used in the digital I&C systems (i.e., PPS and DPS).

1.8-13 Rev. 0

Non-proprietary APR1400 DCD TIER 2 RAI 217-8290 - Question 19-15_Rev.1 5$,4XHVWLRQB5HY

Compliance with safety criteria for software is described in the Software Program Manual Technical Report.

The software design throughout the software life cycle is implemented in accordance with various software development plan documents described in the Software Program Manual Technical Report. The software development process is carried out throughout the software life cycle, which consists of the following:

a. Concept phase
b. Requirements phase
c. Design phase
d. Implementation phase
e. Test phase
f. Installation and checkout phase
g. Operation and maintenance phase Software is classified based on the functionality and importance related to safety, as described in the Software Program Manual Technical Report. The software that is used within the APR1400 I&C systems is assigned to one of the following classes:
a. SC (Protection)
b. ITS
c. Important-to-availability (ITA)
d. General purpose 7.1.4 Combined License Information No combined license (COL) information is required with regard to Section 7.1.

COL 7.1(2) The COL applicant is to provide the feasibility of software reliability.

The COL applicant is to provide justifiable software reliability data for software used in the digital I&C systems (i.e., PPS and DPS).

7.1-29 Rev. 0

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2 19.1.3 Special Design/Operational Features Design and operational characteristics of the APR1400 that result in improved plant safety as compared to currently operating nuclear power plants, include the following:

a. An in-containment refueling water storage tank (IRWST)
b. A four-train safety injection system (SIS) that injects borated water directly into the reactor vessel (RV) through direct vessel injection (DVI) nozzles
c. Four pumps for component cooling water and essential service water systems (CCWS and ESWS)
d. An emergency containment spray backup system (ECSBS)
g. A Diverse Protection System (DPS) which,
e. A cavity flooding system (CFS) in addition to generation of a reactor trip, turbine trip and auxiliary feedwater actuation signals, also
f. A hydrogen control system (HG) initiates a diverse safety injection actuation signal (SIAS) upon low pressurizer pressure.

The PRA has influenced the selection of design changes such as:

a. Four emergency diesel generators (EDGs)
b. The inclusion of an alternate ac source (AAC) gas turbine generator (GTG),

which can be used as an independent ac source to cope with station blackout (SBO) scenarios following loss of offsite power (LOOP)

Table 19.1-2 provides a summary of the APR1400 systems. The table includes the systems key structures, systems, and components (SSCs) and the key functional descriptions with respect to the design features for preventing core damage, mitigating the consequences of core damage and preventing releases from containment, and mitigating the consequences of releases from containment.

19.1.3.1 Design/Operational Features for Preventing Core Damage Key preventive features that are intended to minimize initiation of plant transients, mitigate the progression of plant transients, and prevent severe accidents include the following safety systems:

a. Safety Injection System (SIS) 19.1-10 Rev. 1

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2 injection water when RCP seal injection is not available through the two centrifugal charging pumps. The ACP takes suction from the VCT or the BAST and supplies seal injection water to the RCPs through the normal CVCS seal injection flow path. The ACP is considered as a diverse capability from the two centrifugal pumps.

The charging pumps are powered by the safety-related buses which are normally supplied by Class 1E onsite or offsite power. Following a loss of offsite power (LOOP), the buses will be re-energized by the emergency diesel generators.

However, the charging pumps will not automatically restart. It needs to be manually re-started by the operators after bus voltage has been restored (COL 19.1(7)).

g. Reactor Protection System (RPS) Insert from 'A.'

The RPS is a part of the plant protection system (PPS). Nuclear steam supply system (NSSS) parameters and containment conditions are monitored by the PPS continuously. If monitored conditions approach specific safety limits, the PPS through the RPS rapidly shuts down the reactor to protect the fuel design limits and prevent a breach of the RCS pressure boundary. The PPS also communicates with the engineered safety features - component control system (ESF-CCS), which actuates mitigating systems.

The PPS is based on a digital I&C that includes plant parameter bistable comparator functions, coincidence logic functions, and initiation logic functions to actuate a reactor trip and operation of engineered safety features.

The coincidence trip signals are used in the initiation of the reactor trip switchgear system (RTSS) and the ESF-CCS. A coincidence of two-out-of-four like trip signals is required to generate a reactor trip signal.

A trip is generated when a coincidence of two like trip signals of the monitored plant parameters or containment conditions reach a preset safety limit. The RPS initiates a reactor trip for the following conditions:

1) Variable overpower trip signal (VOPT)
2) High logarithmic power level trip signal 19.1-17 Rev. 1

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 A

g. Plant Protection System (PPS)

The PPS is a safety system that includes electrical, electronic, network, mechanical devices, and circuits. The PPS is based on a digital I&C platform that includes plant parameter bistable comparator functions, coincidence logic functions, and initiation logic functions to actuate a reactor trip and engineered safety features. The safety systems are implemented by safety-grade hardware and previously developed software components that are dedicated or qualified for use in nuclear power plants. The programmable logic controller (PLC) platform is loaded with the APR1400-specific application software to implement various safety functions. The PPS performs the following protective functions:

  • Engineered safety features actuation system (ESFAS) - the ESFAS is that portion of the PPS that activates the engineered safety features (ESF) systems described in Chapter 7, Section 7.3.

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2

3) High local power density (LPD) trip signal
4) Low departure from nucleate boiling ratio (DNBR) trip signal
5) High pressurizer pressure trip signal
6) Low pressurizer pressure trip signal
7) Low steam generator water level trip signal
8) High steam generator water level trip signal
9) Low steam generator pressure trip signal
10) High containment pressure trip signal
11) Low reactor coolant flow trip signal
12) Manual trip The APR1400 design includes the diverse actuation system (DAS). The DAS consists of the diverse protection system (DPS), the diverse manual ESF actuation (DMA) switches, and the diverse indication system (DIS). The DPS provides additional trip capability to the RPS.
h. Engineered Safety Features Actuation System (ESFAS)

The engineered safety features (ESF) I&C consists of sensors, auxiliary process cabinet - safety (APC-S), the ESFAS portion of the PPS, and ESF-CCS.

Insert from 'B.'

The ESFAS monitors selected parameters to initiate the operation of necessary ESF systems to prevent damage to the core and the RCS components. It also provides reasonable assurance of containment integrity and prevents unacceptable levels of radioactivity release to the environment as well as protecting the control room operators during fuel handling accidents. The system uses bistable trip functions and coincidence logic in the PPS and component control logic in the ESF-CCS to generate actuation signals. The following actuation signals are generated by the ESFAS:

1) Safety injection actuation signal (SIAS) 19.1-18 Rev. 1

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 B

The engineered safety features (ESF) system consists of four channels of sensors, the auxiliary process cabinet-safety (APC-S), four divisions of the engineered safety features actuation system (ESFAS) portion of the plant protection system (PPS), and the engineered safety features-component control system (ESF-CCS).

The ESFAS portion of the PPS includes the following functions: bistable trip logic, local coincidence logic (LCL), ESFAS initiation, and testing functions.

The ESF-CCS receives ESFAS initiation signals from the PPS, electrical panel, or from the operators.

The ESF-CCS generates ESF actuation signals to actuate the ESF system equipment. The ESF-CCS also generates emergency diesel generator (EDG) loading sequencer signals following loss of offsite power. The control circuitry for the components provides the proper sequencing and operation of the ESF systems.

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2

2) Containment isolation actuation signal (CIAS)
3) Containment spray actuation signal (CSAS)
4) Main steam isolation signal (MSIS)
5) Auxiliary feedwater actuation signal (AFAS)

Insert from 'C.'

i. AC Power System Insert from 'D.'

The ac power system comprises two qualified circuits from the offsite transmission network to the switchyard, two qualified circuits from the switchyard to the onsite Class 1E distribution system, four diesel generators (each capable of supplying one train of the onsite Class 1E ac distribution system, and automatic load sequencing for four trains of supported equipment that must be operable in Modes 1, 2, 3, and 4).

The non-Class 1E 13.8 kV power system consists of four non-safety switchgears.

Each of two unit auxiliary transformers (UATs) normally supplies two of the 13.8 kV switchgears. The non-Class 1E 13.8 kV power system furnishes power to large motors such as the RCP motors, condensate pump motors, circulating water pump motors, and associated 480V load centers.

The Class 1E safety systems are divided into four redundant and independent distribution systems. Each distribution system can be powered from the following sources:

1) Unit auxiliary transformer (UAT)
2) Standby auxiliary transformer (SAT)
3) Emergency diesel generator (EDG)
4) Alternate AC (AAC)

If both the offsite power sources and the standby EDGs are unavailable, 4.16 kVac buses may be powered from the AAC power source. The AAC provides an independent and diverse power source, which is furnished with a battery and charger to provide power to its associated dc loads.

19.1-19 Rev. 1

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 C

The ESF-CCS is a digital system that controls and actuates ESF system components. The ESF-CCS provides interface and signal fan out capability for the ESF actuation signals via the component control logic within the ESF-CCS. The logic produces digital output signals to control the component through the component interface module (CIM), which performs signal prioritization.

The CIM transmits signals to the final actuated device (e.g., switchgear, motor control center, solenoids).

The CIM is a qualified safety module that uses hardware logic devices to cope with a CCF of the digital protection and safety systems. The CIM receives component control signals from the ESF-CCS, DPS, DMA (see paragraph h. below for DPS and DMA) switches, and front panel control (FPC) switch. The CIM combines these control signals through conventional hardware priority logic and then sends the resulting signal to the controlled component.

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 D

h. Diverse Actuation System (DAS)

The diverse actuation system (DAS) consists of the diverse instrumentation and control (I&C) systems that are provided to protect against potential common-cause failure (CCF) of PPS digital safety I&C systems including the RPS and the ESF-CCS. The DAS consists of the diverse protection system (DPS),

the diverse manual engineered safety features (ESF) actuation (DMA) switches, and the diverse indication system (DIS).

The DPS and DIS are not installed on the same qualified PLC platform as is the PPS, but rather are implemented on non-safety independent platforms. In addition, DMA is hardwired, and not software based. Therefore, the DAS subsystems (DPS, DIS and DMA) are all unaffected by software CCF of the PPS. Likewise, software CCF within the DAS (DPS and DIS subsystems) will not impact the PPS subsystems (i.e., RPS and ESFAS).

Sensors and analog signal processing equipment (e.g., pressurizer pressure transmitter) are shared by the DPS and PPS; however, these are analog equipment, and are not affected by the software CCF. (The linked fault tree methodology employed in the APR1400 PRA ensures that failures of the sensors and analog signal processing equipment impacts both the PPS and DPS systems.)

The DPS design includes reactor trip, turbine trip, auxiliary feedwater actuation, and safety injection actuation functions. The DPS reactor trip provides a simple and diverse mechanism to decrease the risk from ATWS events and mitigates the effects of a postulated software CCF of the digital computer logic within the RPS and/or ESF-CCS. The DPS turbine trip is automatically initiated whenever the DPS reactor trip conditions are met (with 3 second time delay). The DPS auxiliary feedwater system actuation provides additional reasonable assurance that an ATWS event could be mitigated if it occurred. The DPS safety injection system actuation assists the mitigation of the effects of a large break loss of coolant accident (LOCA) event with a concurrent software CCF within the PPS and ESF-CCS.

The DMA switches permit the operator to manually actuate ESF trains from the MCR safety console after postulated failures (including software CCF) of both the PPS and DPS. The DMA switches include SIAS, CIAS, CSAS, MSIS, and AFAS. The functions of the DMA switches are enabled by the DMA enable switch on the safety console. The DMA switches are hardwired to the component interface module (CIM) through isolation devices and are independent and diverse from the safety system. Each signal of the DMA switches actuates necessary ESF systems to perform the ESF functions.

The DPS and DMA signals are routed directly to the CIM. Isolation is provided at the ESF-CCS loop controller cabinet to maintain electrical isolation between the DPS/DMA and the CIM.

The DIS provides functions to monitor critical variables following a postulated software CCF of safety I&C systems. Because the DIS receives hardwired signal inputs via isolation devices in the auxiliary process cabinet-safety (APC-S) as well as in qualified indication and alarm system - P (QIAS-P), the DIS is independent from the APC-S and QIAS-P. The DIS is diverse from the QIAS-P.

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2 d) Flow diversion (SY-A13) is considered a potential system failure if the flow diversion pathway occurs due to failures that do not meet the screening criteria of SY-A15 and can result in failure to meet the system success criteria. The flow diversion paths that are excluded are documented.

Insert from 'E.'

Dependency Analysis The systems that are included in the systems analysis for internal events are provided in Table 19.1-9. Simplified diagrams of major systems are shown in Figures 19.1-1 through 19.1-14. Tables are provided to summarize the initiator-to-system and system-to-system dependencies.

a. Dependency between Initiating Events and Front Line Systems (Table 19.1-10a)
b. Dependency between Initiating Events and Support Systems (Table 19.1-10b)
c. Dependency between Front Line System and Supporting Systems (Table 19.1-11a)
d. Dependency between Supporting System and Other Supporting Systems (Table 19.1-11b) 19.1.4.1.1.5 Data Analysis The purpose of the data analysis task is to tabulate estimates of the failure rates, demand failure probabilities, and unavailability data for basic events in the PRA model. The data developed during this task include:
a. Component unreliability data
b. Component unavailability data due to test and maintenance
c. CCF data
d. Special event data including recovery action failures For each component type and failure mode identified in the system analysis, the failure rates are extracted from available generic data sources. Potential sources of generic failure data are:

19.1-52 Rev. 1

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 E

8) Common cause failures within Digital I&C systems (PPS and DPS) are implemented as follows:

a) The PPS and the DPS are designed using different hardware to address postulated common-cause failures. Hence, hardware CCFs of PPS components only include PPS components of the same type (e.g., bistable, LCL processor, etc.) within the common cause component group (CCCG).

Likewise, hardware CCFs of DPS components only include DPS components of the same type with the CCCG.

b) The PPS and the DPS are designed using different software platforms to address postulated software common-cause failures. Hence, PPS software CCFs only impact PPS, and DPS software CCFs only impact DPS.

c) Both the PPS and DPS are assumed to be susceptible to both operating system and application software CCFs.

d) Operating system software CCF is assumed to be equal to [1.2x10-6]TS per demand, and applica-tion software CCF is assumed to be equal to [1.2x10-5]TS per demand based on a similar software plat-form as with APR1400. System reliability analyses were performed which demonstrated that these software CCF probabilities result in an overall system reliability that is consistent with the 1x10-4 limit stated in IEC 61226 (Reference XX).

e) PPS software CCF includes operating system CCF, and individual application software CCFs for bistables, LCL modules, group controllers (GC) and loop controllers (LC).

1) PPS operating system CCF is assumed to fail all PPS bistables, LCL modules, GCs and LCs.

Hence, PPS operating software CCF is assumed to fail all RPS and ESFAS signals generated by PPS.

2) Each PPS application software CCF only fails the components it supports (e.g., PPS GC software CCF fails all PPS GCs).
3) Two pairs of manual trip switches are provided in the MCR, and one pair of manual trip switches is provided in the remote shutdown room (RSR) for reactor trip. These manual reactor trip switch signals are connected directly to the undervoltage trip device of the trip circuit breaker (TCB) in each reactor trip switchgear (RTSG). Hence, manual action can over-ride PPS software CCF.
4) Local and remote (MCR) manual ESF-CCS initiation signals are implemented at the GC level.

Hence, software or hardware failures in the PPS bistables or LCL modules can be over-ridden by operator action. However, PPS GC and LC CCF result in failure of ESF-CCS signals to all associated equipment.

f) DPS software CCF includes operating system CCF, and application software CCF. Failure of either results in failure of all DPS signals.

g) The component interface module (CIM) is a hardware based device associated with a specific component, and is include in the boundary of the component. This is consistent with NUREG/CR-6928 (Reference 11), and its successive updates, which state that component boundaries used in the data collection include the local instrumentation and control circuitry. The CIM receives component control signals from the ESF-CCS, DPS, DMA switches, and front panel control (FPC) switch. The CIM combines these control signals through conventional hardware priority logic and then sends the resulting signal to the controlled component (e.g., MOV, pump motor, SOV). The CIM is not subject to software CCF.

Non-proprietary APR1400 DCD TIER 2 RAI 271-8290 - Question 19-15_Rev.2 is only a minor decrease in CDF. This sensitivity case impacts only SBO sequences.

e. Hot Leg Injection Sensitivity Case: For medium break LOCA, a hot leg injection (HLI) is assumed not needed. A sensitivity case was performed that required HLI for a medium break LOCA, and the result showed the CDF increases by 10 percent to 1.4 x 10-6/year.

Insert from 'F.'

19.1.4.1.2.8 Risk Insights The APR1400 is an evolutionary PWR plant, and CDF is dominated by LOOP events (approximately 39 percent). Still, total LOOP CDF is small at less than 1.5 x 10-7/year, which is a result of the high redundancy in trains and diversity in emergency power supplies.

Loss of cooling systems (CCWS and ESWS) and seal LOCA contributions to CDF are approximately 26 percent, which includes the total/partial losses of CCW or ESW. This relatively large contribution, which contributes to RCP seal LOCA, is a result of the lack of diversity in the redundant cooling trains.

The top cutsets show that the plant risk is strongly influenced by the performance of support systems (i.e., CCWS and ESWS). This is because the support systems are common dependencies of highly redundant safety systems.

19.1.4.2 Level 2 Internal Events PRA for Operations at Power A description of the Level 2 internal events PRA for operations at-power, including the results of the analysis, is provided in the following subsections.

19.1.4.2.1 Description of Level 2 Internal Events PRA for Operations at Power The PRA comprises two major areas of analysis: 1) identification of sequences of events that could lead to core damage and estimation of their frequencies of occurrence (the Level 1 analysis); and 2) evaluation of the potential response of the containment to these sequences, with emphasis on the possible modes of containment failure and the corresponding radionuclide source terms (the Level 2 analysis).

19.1-69 Rev. 1

Non-proprietary RAI 271-8290 - Question 19-15_Rev.2 F

f. Several sensitivity cases were performed to better understand the CDF sensitivity to the software reliability values used in the digital I&C system. These sensitivities were performed by cutset manipulation of the at-power internal events model. These sensitivities reveal the following significant conclusions about the digital I&C system:
  • The relative insensitivity to the exact software CCF values used in the model up until a very large increase (between a factor of 10 and 100) is postulated.
  • Relatively large increases (e.g., factor of 100) in DPS software CCF has little impact on CDF.
  • The importance of operator action to overcome software CCF was also evaluated. The ability to manually trip the reactor from the MCR/RSR reduces the impact of bistable and LCL software CCF. Furthermore, the ability to start equipment remotely from the MCR/RSR minimizes the impact of software CCF in the group controllers. However, since these remote signals are input into either the group controller or loop controller, and the loop controller produces the final ESF-CCS output signal to the CIMs, software CCF in the loop controllers fails all remote signals.
  • Another sensitivity case showed that limited benefit would be obtained from trying to justify lower software CCF values, since complete perfection (which is not credible) only results in about a 5% decrease in CDF.

Non-proprietary The purpose of this attachment is to provide additional explanation regarding the CCF of operating software and application software RAWs are almost the same in Table 19.1-22.

From Table 19.1-22:

CCF Event Description RAW PPSO-OS-PPS CCF OF PPS OPERATING SYSTEM SOFTWARE 2426 PPSO-AP-LC CCF OF PPS LC APPLICATION SOFTWARE 2376 PPSO-AP-GC CCF OF PPS GC APPLICATION SOFTWARE 771 PPSO-AP-BPM CCF OF PPS BPM APPLICATION SOFTWARE 87 PPSO-AP-LCL CCF OF PPS LCL APPLICATION SOFTWARE 87 Based on these results it is clear that the operating system software CCF (which fails all applications),

and each application software CCF are all risk significant with respect to RAW since RAW >> 2 for each CCF event. The amount of importance with respect to RAW is based on both the base failure probability of the event as well as its impact on the model. If the impact on the model is the same, the event with the smaller failure probability will have a higher RAW. If the events have the same probability, but one event is involved in more sequences, the more involved event will have a higher RAW. If both the model impact and failure probability are the same, we would expect to see the same RAW value.

Recall that the failure probability of the operating system software is [1.2E-06]TS/demand, and the failure probability of all application software is [1.2E-5]TS demand. Also, recall that a failure of the operat-ing system fails all applications. For example, all bistables are assumed to fail if either the bistable pro-cessor module application software fails (PPSO-AP-BPM) or if the operating system software fails.

Hence, one would expect to see that the operating system CCF has a higher RAW than any individual application software CCF (which we see).

Regarding the application software, the bistable (PPSO-AP-BPM) and LCL module (PPSO-AP-LCL) have the same function (i.e., develop output signals to both RPS and ESF), and the same failure probability; hence, their RAWs should be identical (which we see). Note that for RPS, both of these application software failures can be compensated for by DPS, or manual reactor trip. In addition, recall that all LOOP/SBO events (which represent about 35% of the CDF) result in automatic trip, so failure of LCL or BPM software has no impact on 35% of all CDF. For ESF, both of these application system failures can be compensated for by remote manual ESF actuation, remote manual component control via ESCM (ESF-CCS soft control module), DPS and DMA. Therefore, although they support both RPS and ESF, there are several methods to compensate for their failures, and they end up having the lowest RAW.

Group controller software CCF only fails ESF equipment (i.e., does not impact reactor trip), but their failure also fails remote manual ESF signals (e.g., manual SI or AFAS from the MCR). However, signals to individual components can still be actuated via signals sent to the Loop Controllers from the ESCM. In addition, DPS and DMA can still actuate equipment.

For LC software failure, all ESF and ESCM signals are failed, and only DPS and DMA are available to start ESF equipment.

Hence, we would expect that the LCs are more important than the GCs which are more important than the LCLs or BPMs (which we see).

Finally, as previously stated, failure of the operating system fails all application software; hence, it has to have the highest RAW of all (which we see).

Retrieved from "https://kanterella.com/w/index.php?title=ML17313B230&oldid=2538041"