ML18054A687

APR1400 Chapter 14.3, Verification Programs, Safety Evaluation Report with No Open Items
ML18054A687
Person / Time
Issue date: 05/21/2018
From: William Ward
NRC/NRO/DNRL/LB2
To:
Santos C/ 415-2736
Shared Package
ML18054A680 List:
References


Text

Inspections, Tests, Analyses and Acceptance Criteria

Selection Criteria and Methodology for FSAR Tier 1

Introduction

Section 14.3 of this SER describes the U.S. Nuclear Regulatory Commission (NRC) staff's evaluation of the Design Control Document (DCD) Tier 1 for the Advanced Power Reactor 1400 (APR1400) design and the review of the applicant's bases, processes, and selection criteria used to develop the Tier 1 material. This section also addresses the technical adequacy and completeness of the inspections, tests, analyses, and acceptance criteria (ITAAC) given in DCD Tier 1 or references other portions of this safety evaluation report where those items are evaluated. The staff reviewed DCD Tier 1 for the type of information and the level of detail as discussed in Standard Review Plan (SRP) Section 14.3, "Inspections, Tests, Analyses, and Acceptance Criteria," which states in part that the Tier 1 information is based on a graded approach commensurate with the safety significance of the structures, systems, and components (SSCs) for the design. Section 14.3 of this SER also describes the staff's evaluation of information contained in DCD Tier 2, Section 14.3, "Inspections, Tests, Analyses, and Acceptance Criteria," and DCD Tier 1.

The Tier 1 information includes the following:

  • Definitions and general provisions.
  • Design descriptions.
  • Significant site parameters.
  • Significant interface requirements.

The applicant intends to have this Tier 1 information certified in a Design Certification (DC) rulemaking pursuant to Subpart B of Title 10 of the Code of Federal Regulations (10 CFR) Part 52, "Standard Design Certifications." To be certified, the Tier 1 information must address the complete scope of the design to be certified. The amount of information in the Tier 1 design descriptions is proportional to the safety significance of the structures and systems in the standard plant design. The Tier 1 design descriptions are binding requirements for the life of a facility referencing the certified design.

The Tier 1 design descriptions, interface requirements, and site parameters are derived from Tier 2 information. The staff's review of how the underlying Tier 2 information satisfies the NRC's regulations is documented throughout this SER, and these conclusions also apply to the same information included in Tier 1. Thus, for the Tier 1 design descriptions, interface requirements, and site parameters, the additional staff review is limited to addressing whether Tier 1 includes appropriate information from Tier 2.

The purpose of the ITAAC portion of the Tier 1 information is to verify that a facility referencing the DC has been constructed and will be operated in accordance with the certified design, the Atomic Energy Act of 1954, as amended, and applicable regulations. The principal performance characteristics and safety functions of the SSCs are verified by the appropriate ITAAC.

Summary of Application

DCD Tier 1: The Tier 1 information associated with Section 14.3 is summarized below and discussed in the SER 14.3 subsections that evaluate the different aspects of the APR1400 standard design.

Definitions and general provisions: The definitions and general provisions are provided in DCD Tier 1 Sections 1.1 and 1.2.

Design descriptions: Design descriptions are provided in each subsection of the DCD Tier 1 Section 2 (Design Description and ITAAC).

ITAAC: The ITAAC are provided in Section 2 of the DCD Tier 1.

Significant site parameters: The significant site parameters postulated for the certified design are provided in DCD Tier 1 Section 2.1. They are applied for the design of the SSCs important to safety of the Certified Design.

APR1400 Interface Requirements identified in the DCD: The APR1400 Interface Requirements are described in DCD Tier 1 Section 3 and are associated with the following areas of review:

  • Electrical System
  • Essential Service Water System

DCD Tier 2: DCD Tier 2, Revision 1, Section 14.3, discusses the criteria and methodology for selecting the SSCs to be included in the ITAAC. This section includes definitions and general provisions, design descriptions, ITAAC, significant site parameters, and significant interface requirements.

It specifically addresses the ITAAC for the SSCs within the scope of the APR1400 DCD. In addition, this section addresses the proposed APR1400 design acceptance criteria (DAC) for specific areas for which a design process has been prescribed to produce predictable and acceptable designs. DCD Tier 2, Revision 1, Section 14.3 also includes a proposed approach for completing the design-related ITAAC (i.e., DAC).

Technical Specifications (TS): There are no TS for this area of review.

Combined License (COL) information or action items: There are four COL Information Items associated with the APR1400 ITAAC.

Technical Report(s): There are no technical reports associated with this area of review.

Topical Report(s): There are no topical reports associated with this area of review.

Regulatory Basis

The relevant requirements of the Commission's regulations for this area of review, and the associated acceptance criteria, are given in Section 14.3 of NUREG-0800, and are summarized below. Review interfaces with other SRP sections can be found in Section 14.3 of NUREG-0800. Acceptance criteria are based on meeting the relevant requirements of the following Commission regulations:

1. Title 10 CFR 52.47(b)(1), which requires that a DC application include the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the DC has been constructed and will operate in accordance with the DC, the provisions of the Atomic Energy Act of 1954, as amended (AEA), and the NRC's rules and regulations.
2. Title 10 CFR 52.47(a)(26), which requires that a DC application provide justification that compliance with the interface requirements of 10 CFR 52.47(a)(25) is verifiable through inspections, tests, or analyses. The method to be used for verification of interface requirements must be included as part of the proposed ITAAC required by 10 CFR 52.47(b)(1).

Specific SRP acceptance criteria acceptable to meet the relevant requirements of the NRC's regulations identified above can be found in Part II of Section 14.3 of NUREG-0800.

NUREG-0800, Section 14.3, describes the regulatory basis for acceptance of the ITAAC associated with a design certification application. In reviewing the ITAAC, the staff also considered the guidance in NRC Regulatory Issue Summary (RIS) 2008-05, Revision 1, "Lessons Learned to Improve Inspections, Tests, Analyses, and Acceptance Criteria Submittal."

Regulatory Guide (RG) 1.206, "Combined License Applications for Nuclear Power Plants - Light Water Reactor Edition," provides COL applicants referencing a certified design with guidance on the development of site-specific ITAAC and the use of ITAAC contained in a certified design. In DCD Tier 2, Section 14.3, the applicant provided the selection criteria and processes used to develop DCD Tier 1 ITAAC. The DCD Tier 1 information provides the principal design bases and design characteristics that are proposed for certification by the 10 CFR Part 52 rulemaking process and that would be included in the APR1400 rule.

Technical Evaluation

DCD Tier 2

The staff reviewed the information provided by the applicant in DCD Tier 2, Sections 14.3.1 and 14.3.2 in accordance with SRP Section 14.3. The staff finds it consistent with the staff review guidance and concludes that it is acceptable. As a result, the staff concludes that the applicant's implementation of the described selection criteria and methodology results in acceptable Tier 1 design descriptions and the ITAAC necessary to demonstrate that the facility has been constructed and will be operated in accordance with the certified design.

DCD Tier 1

The NRC staff reviewed the following Tier 1 information, which is derived from the DCD Tier 2 information: definitions and general provisions, design descriptions, ITAAC, significant site parameters, and significant interface requirements.

The staff reviewed the DCD Tier 1 information in accordance with the guidance provided in SRP Section 14.3 and RIS 2008-05, the requirements in 10 CFR 52.47, and the AEA. The applicant organized its DCD Tier 1 information, as described in SRP Section 14.3.

Definitions and general provisions

The staff reviewed the definitions and general provisions in DCD Tier 1 Sections 1.1 and 1.2.

The staff issued RAI 558-9456, Question 14.03.01-1 (ML18074A402) requesting the applicant add or modify the definitions of some of the terms in Tier 1 Section 1.1 and make wording changes to portions of the general provisions in Section 1.2 to clarify the technical content of the ITAAC. In its response to RAI 558-9456, Question 14.03.01-1 (ML18137A480), the applicant stated that the changes were reasonable and provided markups of DCD Tier 1 Sections 1.1 and 1.2. Since the proposed markups are consistent with the changes requested in the RAI, the staff finds the response acceptable. With the proposed changes, the staff finds that the definitions and general provisions are consistent with NRC guidance and reflect lessons learned from experience with Part 52 plants that commenced construction. RAI 558-9456, Question 14.03.01-1 is being tracked as a confirmatory item.

Design descriptions and ITAAC

The staff reviewed the Design Descriptions provided in each subsection of the DCD Tier 1 Section 2, together with the associated ITAAC.

In accordance with SRP Section 14.3, DCD Tier 1 information should identify the principal performance characteristics and safety functions of the standard design. The design information includes design commitments that identify those features and capabilities that are necessary for compliance with the AEA and NRC rules and regulations, and that are to be verified by ITAAC. As required by 10 CFR 52.47(b)(1), the proposed ITAAC must be necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the design certification has been constructed and will operate in accordance with the design certification, the provisions of the AEA, and the NRC's rules and regulations.

For the ITAAC to be sufficient as required by 10 CFR 52.47, (1) the inspections, tests, and analyses (ITA) must clearly identify those activities necessary to demonstrate that the acceptance criteria (AC) are met; (2) the AC must state clear design or performance objectives demonstrating that the Tier 1 design commitments (DCs) are satisfied; (3) the ITA and AC must be consistent with each other and the Tier 1 DC; (4) the ITAAC must be capable of being performed and satisfied prior to fuel load; and (5) the ITAAC, as a whole, must provide reasonable assurance that, if the ITAAC are satisfied, the facility has been constructed and will be operated in accordance with the design certification, the AEA, and the NRC's rules and regulations.

Subsections 14.3.2 through 14.3.13 of this SER discuss the ITAAC listed in DCD Tier 1 Sections 2.2 through 2.13, respectively. These SER subsections either document the staff's review of the ITAAC in the associated Tier 1 Sections or identify other sections of the SER where the staff's review is being documented. In addition to the ITAAC review addressed in SER Subsections 14.3.2 to 14.3.13, the staff conducted a comprehensive review of all DCD Revision 1 Tier 1 ITAAC tables against the objectives identified in the previous paragraph and issued RAI 558-9456, Question 14.03.01-1 (ML18074A402), requesting the applicant:

  • to make suggested ITAAC wording changes based on NRC guidance, and lessons learned from plants that are currently under construction that are in the process of implementing ITAAC, to ensure that the DC, ITA, and AC are consistent with each other and are clearly and unambiguously stated
  • to make suggested ITAAC wording changes so that environmental qualification of Class 1E equipment does not rely solely on an analysis, consistent with 10 CFR 50.49(f).
  • to clarify the technical content of some ITAAC
  • to rectify some discrepancies
  • to delete an ITAAC that could not be completed until after fuel load and to delete a programmatic ITAAC, which the Commission generally does not find necessary as discussed in SECY-05-0197, on a topic that would be the responsibility of a COL applicant
  • to explain why ITAAC were not included to test the leak detection capacity of the containment atmosphere humidity monitor
  • to explain why ITAAC were not included to require type testing, analysis, or a combination of type testing and analysis of the seismic category I components in the Containment Hydrogen Control System, and to require an inspection of the as-built components to verify that the as-built components were bounded by the tested or analyzed conditions.

In its response to RAI 558-9456, Question 14.03.01-1 (ML18137A480), the applicant:

  • made the requested ITAAC wording changes, with a few exceptions where the applicant proposed acceptable alternative language to clarify the ITAAC.
  • made additional ITAAC wording changes not requested in the RAI but which appropriately corrected references to Tier 1 table numbers and grammatical and spelling errors
  • provided sufficient technical clarification when requested by the staff and revised the associated wording when needed
  • corrected the discrepancies identified by the staff to ensure overall consistency
  • agreed to delete the ITAAC when requested
  • provided technical justification for why ITAAC are not included to test the leak detection capacity of the containment atmosphere humidity monitor consistent with responses to RAI 80-8040 Question 05.02.05-1 and RAI 369 8486 Question 05.02.05-3 which are discussed in Section 5.2.5 of this SER
  • provided ITAAC to require type testing, analysis, or a combination of type testing and analysis of seismic category I components in the Containment Hydrogen Control System, and to require inspection of the as-built components to verify that the as-built components were bounded by tested or analyzed conditions

In addition, the applicant provided ITAAC wording changes incorporating comments provided in other RAIs submitting proposed or revised ITAAC or during public meetings held on March 7, 2018 (ML18068A129) and April 5, 2018 (ML18086B573). The staff finds these changes acceptable because they ensure the DC, ITA, and AC are consistent and clear as well as ensuring that the ITAAC are consistent with other Tier 1 information. Finally, the applicant made conforming changes to the Tier 1 design descriptions to reflect changes to the Tier 1 design commitments.

Therefore, the staff finds the applicant's response to be acceptable. The staff's review of this RAI response supports the staff's ITAAC review documented or referenced in Subsections 14.3.2 to 14.3.13 of this SER. RAI 558-9456, Question 14.03.01-1 is being tracked as a confirmatory item.

The staff also finds that the Tier 1 design descriptions, as modified by the response to RAI 558-9456 Question 14.03.01-1, identify the principal performance characteristics and safety functions of the standard design. The staff's review of the Tier 1 design descriptions is based largely on the review of the ITAAC. Each ITAAC verifies a Tier 1 design commitment and corresponding design description describing a performance characteristic or safety function of the standard design. Given this, the NRC staff's conclusion that the ITAAC are sufficient to verify that the as-built plant complies with the AEA and NRC rules and regulations also reflects a conclusion that the corresponding Tier 1 design commitments and design descriptions include the principal performance characteristics and safety functions of the standard design.

RAI 558-9456, Question 14.03.01-1 is being tracked as a confirmatory item.

Site parameters

The staff's evaluation of site parameters is provided in Section 2 of this SER.

Interface requirements

Based on engineering judgement, the staff agrees that the applicant has included the significant interface requirements in Tier 1 Section 3.1 of the DCD.

The applicant provided 10 interface requirements for the electrical system in Tier 1 Section 3.1 of the DCD. The staff's evaluation of the interface requirements and the basis for the staff's finding that they meet 10 CFR 52.47(a)(25) can be found in Section 8.2 of this SER. The applicant did not propose specific ITAAC to verify these interface requirements. Therefore, COL applicants referencing the APR1400 have the responsibility for developing ITAAC to verify these interface requirements, as appropriate. Based on engineering judgement and experience in the review of previous site-specific ITAAC, the staff finds that ITAAC could be developed by a COL applicant to verify each of these interface requirements. Therefore, the provisions of 10 CFR 52.47(a)(26) have been met.

The applicant provided 16 interface requirements for the UHS in Tier 1 Section 3.2 of the DCD. The staff's evaluation of the interface requirements and the basis for the staff's finding that they meet 10 CFR 52.47(a)(25) can be found in Section 9.2 of this SER. The applicant did not propose specific ITAAC to verify these interface requirements. Therefore, COL applicants referencing the APR1400 have the responsibility for developing ITAAC to verify these interface requirements, as appropriate. Based on engineering judgement and experience in the review of previous site-specific ITAAC, the staff finds that ITAAC could be developed by a COL applicant to verify each of these interface requirements. Therefore, the provisions of 10 CFR 52.47(a)(26) have been met.

The applicant provided two interface requirements for the essential service water system in Tier 1 Section 3.3 of the DCD. The staff's evaluation of the interface requirements and the basis for the staff's finding that they meet 10 CFR 52.47(a)(25) can be found in Section 9.2 of this SER. The applicant did not propose specific ITAAC to verify these interface requirements. Therefore, COL applicants referencing the APR1400 have the responsibility for developing ITAAC to verify these interface requirements, as appropriate. Based on engineering judgement and experience in the review of previous site-specific ITAAC, the staff finds that ITAAC could be developed by a COL applicant to verify each of these interface requirements. Therefore, the provisions of 10 CFR 52.47(a)(26) have been met.

Combined License Information Items

The DCD Tier 2 Table 1.8-2 lists four COL items pertaining to ITAAC. These COL items are evaluated in SER Sections 13.3, 14.3.7, 14.3.9, and 14.3.12.

Item No.     Description

COL 14.3(1)  The COL applicant is to provide the ITAAC for the site-specific portion of the plant systems specified in DCD Tier 2, Subsection 14.3.3.

COL 14.3(2)  The COL applicant is to provide a design ITAAC closure schedule for implementing the V&V design ITAAC as addressed in DCD Tier 2, Subsection 14.3.2.9.

COL 14.3(3)  The COL applicant is to provide the proposed ITAAC for the facility's emergency planning not addressed in the DCD in accordance with RG 1.206.

COL 14.3(4)  The COL applicant is to provide the proposed ITAAC for the site-specific facility's physical security hardware not addressed in the DCD in accordance with RG 1.206.

Conclusions

The NRC staff has reviewed the description in DCD Tier 2, Section 14.3 of the applicant's criteria and methodology for selecting the SSCs to be included and described in DCD Tier 1, as well as the associated ITAAC, in accordance with SRP Section 14.3. The NRC staff also reviewed the Tier 1 definitions, general provisions, and design descriptions. Finally, the NRC staff reviewed whether ITAAC can be developed for the Tier 1 interface requirements.

The NRC staff concludes that information provided in DCD Tier 2, Section 14.3 describes acceptable criteria and methodology for selecting the SSCs to be included in DCD Tier 1. The staff also concludes that the requirements in 10 CFR 52.47(a)(26) are met because ITAAC can be developed for the Tier 1 interface requirements.

Furthermore, upon incorporation of the confirmatory item above into a subsequent DCD revision, the staff concludes that the Tier 1 definitions, general provisions, and design descriptions are acceptable. Finally, upon incorporation of the confirmatory item above into a subsequent DCD revision, and based on the ITAAC review documented or referenced in SER Subsections 14.3.2 to 14.3.13, the staff finds that the requirements of 10 CFR 52.47(b)(1) are satisfied, because the APR1400 ITAAC are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the DC has been constructed and will operate in accordance with the DC, the AEA, and the NRC's rules and regulations.

Structural and Systems Engineering - Inspections, Tests, Analyses, and Acceptance Criteria

Piping Systems and Components - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

ITAAC are identified in Tier 1 of the DCD, and this section of the SER documents the staff's review of information provided by the applicant in DCD Tier 2, Section 14.3.2.3, "ITAAC for Piping Systems and Components," which covers DCD Tier 1 information and ITAAC applicable to piping systems and components.

Summary of Application

DCD Tier 2, Section 14.3, "Inspections, Tests, Analyses, and Acceptance Criteria," discusses the bases, processes, and selection criteria used to develop Tier 1 information. It specifies a graded approach commensurate with the safety significance of the SSCs. The section discusses the organization of the Tier 1 information, and specifies that Tier 1, Section 2.3, "Piping Systems and Components," covers the material reviewed in accordance with SRP Section 14.3.3, "Piping Systems and Components - Inspections, Tests, Analyses, and Acceptance Criteria." Further discussion on the general approach to Tier 1 material is contained in Section 14.3 of this SER.

DCD Tier 2, Section 14.3.2.3, "ITAAC for Piping Systems and Components," specifically discusses the approach to Tier 1 information regarding piping systems and components. The design certification (DC) analysis of ASME Code Class 1 piping includes the reactor coolant system (RCS) main loop, pressurizer surge line, direct vessel injection line, and shutdown cooling line. Main steam and main feedwater piping is analyzed as representative piping for Class 2 and 3. The graded approach is also applied to pipe rupture hazards and leak-before-break (LBB) analyses. This graded approach provides a level of piping design detail sufficient to remove the need for piping design acceptance criteria (DAC), as described in Section 14.3.3.3, "Regulatory Basis," below.

The applicant provided ITAAC for Piping Systems and Components in DCD Tier 1, Tables 2.2.6-2, 2.2.7-2, 2.3-3, 2.4.1-4, 2.4.2-4, 2.4.3-4, 2.4.4-4, 2.4.5-4, 2.4.6-4, 2.6.2-3, 2.7.1.2-4, 2.7.1.4-4, 2.7.1.5-4, 2.7.1.8-3, 2.7.2.1-4, 2.7.2.2-4, 2.7.2.3-4, 2.7.2.5-4, 2.7.2.6-4, 2.7.4.3-4, 2.7.4.4-2, 2.11.2-4, and 2.11.3-2, as discussed in SER Sections 3.6.2, 3.6.3, 3.9.5, 3.9.6, 3.10, 3.11, 3.12, and 5.2.1.1.

Regulatory Basis

The regulation in 10 CFR 52.47(b)(1) requires that the DC application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that if the inspections, tests, and analyses are performed and the acceptance criteria are met, a facility that incorporates the DC has been constructed and will be operated in conformity with the DC, the provisions of the Atomic Energy Act of 1954, as amended, and the rules and regulations of the NRC.

SECY-90-377, "Requirements for Design Certification under 10 CFR Part 52," dated November 8, 1990, and its associated staff requirements memorandum (SRM) dated February 15, 1991, provide Commission guidance on the level of detail that a DC application should reflect. Additional Commission guidance on the development and use of ITAAC included in the licensing process described in 10 CFR Part 52 includes the following:

1. SECY-90-241, "Level of Detail Required for Design Certification under Part 52," and its associated SRM
2. SECY-91-178, "Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) for Design Certifications and Combined Licenses"
3. SECY-91-210, "Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) Requirements for Design Review and Issuance of a Final Design Approval (FDA)," dated July 16, 1991
4. SECY-92-214, "Development of Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) for Design Certifications," dated June 11, 1992

In SECY-92-053, "Use of Design Acceptance Criteria during 10 CFR Part 52 Design Certification Process," dated February 19, 1992, the NRC staff discussed a method for using DAC, together with detailed design information, during the 10 CFR Part 52 process for reviewing and approving designs. The NRC intended DAC to be used for applications that do not provide design and engineering information at a level of detail customarily considered by the staff in reaching a final safety decision, and primarily for areas of design that are subject to rapidly changing technologies or depend on as-built or as-procured information to reach the final safety decision.

SRP Section 14.3, in addition to the other documents listed above, provides the regulatory guidance for the staff's acceptance of the ITAAC associated with those presented in the APR1400 DCD. Furthermore, SRP Section 14.3.3 establishes the regulatory guidance for acceptance of the ITAAC specifically related to piping systems and components.

The APR1400 DC avoided the use of DAC by implementing a graded approach consistent with Commission direction and the more detailed information contained in SECY-90-377. This graded approach consists of four main concepts:

1. The DC would continue to present essentially complete designs for the overall systems, consistent with past DCs regardless of the use of DAC.
2. The proposed ITAAC for the DC would continue to include verification of design (including reconciliation), fabrication, installation, inspection, and testing for all American Society of Mechanical Engineers Boiler and Pressure Vessel (ASME B&PV) Code Class 1, 2, and 3 components and piping.
3. The DC application would document the overall methodology to be employed in completing the detailed piping design for all systems.

4. The NRC review of the piping design in the DC application would employ a graded approach, with the highest level of detail being expected for Class 1 reactor coolant pressure boundary (RCPB) piping, as these piping systems have the most significant effect on plant safety. A similar level of detail would also be expected for the Class 2 steam and feedwater lines from the reactor vessel to the first anchor beyond the containment isolation valves. Less detail would be needed for other portions of Class 2 and 3 piping, for which breaks have lower safety significance, as well as for small-bore piping (nominal pipe size of 2 inches (5.1 cm) or less), for which the final design relies heavily on as-built information and for which breaks also have lower safety significance.

In DCD Tier 2, Section 14.3, the applicant provided the selection criteria and processes used to develop the DCD Tier 1 ITAAC, including those related to piping systems and components. The DCD Tier 1 information provides the principal design bases and design characteristics that are certified by the 10 CFR Part 52 rulemaking process and that would be included in the APR1400 DC rule.

Technical Evaluation

Tier 1 Discussion

DCD Tier 1, Section 2.3.1, "Design Description," discusses four specific areas related to piping systems and components as addressed in the Tier 1 material. They are: piping stress analysis, analysis of protection against the dynamic effects of piping rupture, evaluation of LBB, and analysis of component stress. The staff's evaluation of the piping and component stress analysis, pipe break hazards analysis, and LBB analysis is discussed in Sections 3.12, "ASME Code Class 1, 2, and 3 Piping Systems, Piping Components and their Associated Supports"; 3.6.2, "Determination of Pipe Break Locations and Dynamic Effects Associated with the Postulated Rupture of Piping"; and 3.6.3, "Leak-Before-Break Evaluation Procedures," respectively.

DCD Tier 2, Section 14.3.2.3, discusses the development of several as-built ITAAC. These include:

  • Dynamic qualification records of seismic Category I mechanical and electrical equipment including anchorage
  • Vendor test records for pumps, valves, and dynamic restraint functionality under design conditions
  • In-situ testing and functional design and qualification records demonstrating that installed pumps, valves, and dynamic restraints have the capability to perform their intended functions under a range of conditions up to and including design basis conditions
  • LBB evaluation report demonstrates as-built piping and materials comply with LBB acceptance criteria

The staff identified a typographical error in the acceptance criteria of many of the ITAAC originally proposed in the DCD, specifically that the phrase "exists and concludes" was replaced by "exits and concludes." In a public meeting held on July 1, 2015 (ML15183A392), the staff discussed this error with the applicant, and the applicant's meeting presentation included DCD markups to address the error. The applicant incorporated these modifications in Revision 1 of the DCD, dated March 10, 2017, closing this issue.

The discussion in DCD Tier 2, Section 14.3.2.3, stated that Section 2.3 of the Tier 1 material includes piping systems and components, including the treatment of motor-operated valves (MOV), power-operated valves (POV), and check valves, as well as dynamic qualification, welding, fasteners, and safety classification of SSCs. Upon the staff's review of Tier 1, Revision 0, Section 2.3, the staff noted that portions of this list referenced in DCD Section 14.3.2.3 were not discussed in Tier 1. The staff requested, in a public meeting held on July 1, 2015 (ML15183A392), that the applicant update the list for consistency with the Tier 1 material. The applicant stated that this change (as well as several others) would be made once the standardized ITAAC guidance has been issued. The use of standardized ITAAC was ultimately not pursued by the applicant, and is further discussed below in Section 14.3.3.4.2, "Incorporation of Standardized ITAAC Guidance." The applicant subsequently updated the list as part of their response to RAI 546-8782, which is discussed later in this SER, thus resolving this inconsistency.

A consistency issue was identified between DCD Tier 1, Table 2.3-3, "High and Moderate Energy Piping Systems," and the rest of Tier 1, specifically that the named systems in the table did not appear as named in later sections. Some were incorrectly named, others were not present in Tier 1, and others were grouped with other systems such that making findings for each system became complicated. This was identified to the applicant at a July 1, 2015, public meeting (ML15183A392). The staff issued RAI 78-8021, Question 14.03.03-2 (ML15196A608), requesting the applicant to address this issue. In its response to RAI 78-8021, Question 14.03.03-2 (ML15238B430), the applicant provided revisions that resolved all significant consistency issues identified in the RAI. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 78-8021, Question 14.03.03-2. Therefore, RAI 78-8021, Question 14.03.03-2, is resolved and closed.

An additional consistency issue was identified after comparing the DCD Tier 1 and Tier 2 material, namely that the steam generators were identified as ASME Class 1 SSCs, rather than a Class 1/Class 2 SSC. This was identified to the applicant at the July 1, 2015, public meeting and subsequently corrected. In the public meeting held on July 1, 2015, the applicant committed to revise the Tier 1 code applicability to be consistent with Table 3.2-1, Classification of Structures, Systems, and Components. The applicant included this modification in Revision 1 of the DCD, dated March 10, 2017, and the staff confirmed that this modification was incorporated.

Item Numbers

Tables in Tier 1 contain a column for Item Number. In Revision 0 of the DCD, the applicant noted that this column was considered information only and was not part of the certified design.

This language could create confusion about the process for changing Tier 1 information described in 10 CFR 52.63, Finality of standard design certifications. In particular, the idea of "information only" material differs from the definitions of Tier 1 information that have appeared in previous DC rule appendices to 10 CFR Part 52. Item numbers are used to identify specific valves and components that serve as boundaries in systems or portions of systems with specific attributes. It is necessary to establish a way of identifying and tracking SSCs of importance within the certified design material. The staff issued RAI 78-8021, Question 14.03.03-1 (ML15196A608), requesting the applicant provide clarification. In its response to RAI 78-8021, Question 14.03.03-1 (ML16175A656), the applicant proposed to remove the "information only" language and still maintain traceability of SSCs throughout Tier 1 through the use of item numbers, which are defined as not being representative of the actual equipment or tag numbers. The staff finds this approach acceptable, as traceability is maintained throughout Tier 1 through the use of item numbers, and it will be possible to map these item numbers to the actual equipment or tag numbers of SSCs, when needed. The staff confirmed that DCD, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 78-8021, Question 14.03.03-1. Therefore, RAI 78-8021, Question 14.03.03-1, is resolved and closed.

Incorporation of Standardized ITAAC Guidance

The staff identified several issues regarding the applicant's use of ITAAC. For instance, the applicant's proposed ITAAC for pipe break hazards analysis failed to consider the environmental effects of pipe breaks in high energy systems. Additionally, the applicant's proposed ITAAC did not adequately address safety-related mechanical equipment harsh environment qualification. A set of standardized ITAAC was provided to the applicant for its review in a letter dated August 3, 2016 (ML16208A548). The applicant had initially indicated plans to adopt the standardized ITAAC, but ultimately decided to not incorporate the standardized ITAAC. The staff issued RAI 546-8782, Question 14.03.03-6 (ML17123A458), requesting the applicant to resolve deficiencies in the proposed ITAAC contained in the DCD.

In its response to RAI 546-8782, Question 14.03.03-6 (ML17227A608), the applicant proposed incorporating the standardized ITAAC wording for the topic of equipment qualification for nonmetallic parts of mechanical equipment and application of it to the applicable systems. As further discussed in Section 3.11, Environmental Qualification of Mechanical and Electrical Equipment, of this SER, the applicant's response is acceptable because it addresses the inadequacy regarding ITAAC for safety-related mechanical equipment harsh environment qualification. RAI 546-8782, Question 14.03.03-6, is being tracked as a confirmatory item pending the incorporation of the response into a subsequent revision of the DCD.

In its response to RAI 546-8782, Question 14.03.03-4 (ML17229B591), the applicant revised an ITAAC for reactor vessel internals to be consistent with other ITAAC within the DCD and to more closely align this reactor vessel internals ITAAC with the standardized ITAAC guidance by using the phrase as-built instead of fabricated when referring to components to be inspected.

The staff finds this to be acceptable as it maintains consistency throughout the DCD. RAI 546-8782, Question 14.03.03-4 is being tracked as a confirmatory item pending incorporation of the response into a subsequent revision of the DCD. Further discussion of reactor vessel internals may be found in Section 3.9.5, Reactor Pressure Vessel Internals, of this SER.

In its response to RAI 546-8782, Question 14.03.03-3 (ML17244A012), the applicant resolved the earlier discussed inconsistency between the discussion in DCD Tier 2 and the contents of Tier 1, Section 2.3. Furthermore, this response clarified that ASME Section III Data Reports are used to verify that as-built systems and components are compliant with ASME Section III requirements as opposed to design reports. RAI 546-8782, Question 14.03.03-3 is being tracked as a confirmatory item, pending the incorporation of the proposed markups into a subsequent revision to the DCD.

Piping Stress Analysis

In DCD Tier 2, Section 14.3.2.3, the applicant described its approach to the piping system design. The applicant has elected to follow a graded approach, as described above, with more emphasis placed on the design of the ASME Class 1 piping systems than Class 2 and 3, due to the higher safety significance of Class 1. The RCS main loop, pressurizer surge line, and two RCS branch lines (the 12 in. (30.5 cm) direct vessel injection line and 16 in. (40.6 cm) shutdown cooling line) comprise the scope of the designed ASME Class 1 piping systems. Only one direct vessel injection line and one shutdown cooling line are analyzed, as subsequent lines are in a symmetric arrangement. The acceptability of this Class 1 piping scope is discussed in Section 3.12 of this SER. The scope of ASME Class 2 and 3 piping systems designed at the DC stage includes the main steam and main feedwater piping located in the containment building. The main steam and main feedwater piping are the largest ASME Class 2 piping lines connected to the steam generators and carry the largest structural load. The scope of design for main steam and main feedwater piping located outside the containment building is from the containment penetration anchors to the main steam valve house (MSVH) penetration anchors beyond the isolation valves, which are located in the break exclusion area in the auxiliary building.

This scope of design for Class 2 and 3 piping systems is intended to be consistent with the graded approach discussed in Section 14.3.3.3. Use of the graded approach, as discussed in Section 14.3.3.3, avoids the need for DAC within the DCD. The inclusion of ITAAC for each piping system listed in the tables in subsection 14.3.3.2 of this SER section, which will verify that Seismic Category I and ASME Code SSCs are designed and constructed in accordance with ASME Code Section III requirements, is sufficient to demonstrate that if the acceptance criteria are met, the piping systems within the scope of review for Section 3.12 have been constructed in compliance with 10 CFR 50.55a; 10 CFR 52.47(b)(1); 10 CFR Part 50, Appendix S; and GDCs 1, 2, 4, 14, and 15. Further discussion of the staff's review of piping stress analysis is found in Section 3.12 of this SER.

Review of DCD Tier 1, Table 2.3-1, Systems with ASME Section III Class 1, 2, and 3 Piping Systems and Components, identified that the Containment Isolation System was missing from the listing of systems designed to retain their pressure integrity and functional capability under internal design and operating pressures and design basis loads. The staff issued RAI 546-8782, Question 14.03.03-7 (ML17123A458), requesting the applicant add this system to the table or provide justification to preclude its presence. In its response to RAI 546-8782, Question 14.03.03-7 (ML17223b344), the applicant added the Containment Isolation System to Table 2.3-1 in a proposed markup. RAI 546-8782, Question 14.03.03-7 is being tracked as a confirmatory item pending the incorporation of the proposed markups into a subsequent revision of the DCD.

Pipe Break Hazards Analysis

In Tier 1, Section 2.3.1, the applicant stated that SSCs required for safe shutdown are protected from the dynamic and environmental effects of postulated piping failures when the dynamic effects are not eliminated from consideration by LBB analysis. Each postulated piping failure will be documented in an as-built pipe break analysis report prepared by the COL holder and will consider, as applicable, pipe whip, jet impingement, flooding, compartment pressurization, and environmental conditions associated with the postulated piping failure. Analysis of pipe break hazards also follows the graded approach discussed in the Regulatory Basis section above.

The applicant has included the main steam and main feedwater piping in this analysis because it is considered the most safety-significant in terms of pipe break hazards and RCS structural analysis. The staff's evaluation of this approach is detailed in Section 3.6.2 of this SER.

Tier 1, Section 2.3 contains two tables that identify piping systems. Table 2.3-1 identifies ASME BPV Code Section III piping systems and references the corresponding Tier 1 section.

Table 2.3-2, High and Moderate Energy Piping Systems, identifies the high and moderate energy piping systems which are evaluated for pipe break hazards analysis. Many of the named systems in Table 2.3-3 did not initially appear as named and classified in the remainder of Tier 1. For instance, the Emergency Diesel Generator System (EDGS) was identified as a high-energy piping system (with a footnote clarifying that there were also moderate-energy portions), but there was only an ITAAC for a moderate-energy piping system. Additionally, some systems were missing, such as the auxiliary steam system, which was identified as a high-energy system in the table. Finally, some systems were grouped together instead of receiving separate entries, such as Safety Injection and Shutdown Cooling Systems. In a public meeting on July 1, 2015 (ML15183A392), the staff discussed these areas for alignment and clarification, and the applicant's meeting presentation included DCD markups to address the error. The applicant's proposed markups were reviewed and found to appropriately address the error. The applicant included these modifications in Revision 1 of the DCD, dated March 10, 2017, closing this issue.

Upon review of the originally proposed pipe break hazards analysis ITAAC located in various systems, the staff noted that although moderate-energy piping systems were analyzed for environmental effects of pipe break, the high-energy piping systems were not. Rather, they were only analyzed for dynamic effects. The ITAAC also did not verify that the installation of protective features was in accordance with the as-built pipe break hazards analysis report.

Additionally, the system-by-system approach used by the applicant failed to account for interactions across systems. Specifically, the system-by-system approach does not include all systems for which pipe ruptures are to be postulated in accordance with the methodology and criteria described in DCD Tier 2, Section 3.6.2. In order to include all applicable systems within the scope of SRP 3.6.2, a non-system-based (i.e., include both safety-related and nonsafety-related sources) pipe break hazards analysis ITAAC approach should be used. The staff issued RAI 546-8782, Question 14.03.03-5 (ML17123A458), requesting the applicant to address these issues. In its response to RAI 546-8782, Question 14.03.03-5 (ML17235B275), the applicant proposed a non-system-based approach, informed by the guidance of the standardized ITAAC, and the applicant subsequently proposed a non-system-based ITAAC to DCD Tier 1, Table 2.3-3. This proposed non-system-based ITAAC, as well as the other proposed revisions included in the RAI response, adequately addresses the issues raised regarding pipe break hazards analysis ITAAC, and is acceptable to the staff because the full scope of safety-related SSCs is addressed in the proposed non-system-based ITAAC and the wording utilized is consistent with the standardized ITAAC guidance. RAI 546-8782, Question 14.03.03-5 is being tracked as a confirmatory item pending the incorporation of the proposed markups into a subsequent revision of the DCD.

Leak Before Break Analysis

In Tier 1, Section 2.3.1, the applicant stated that LBB analysis is applied to the following piping systems:

  • Pressurizer surge line
  • Direct vessel injection line from the reactor vessel to the safety injection tank and the second isolation valve

This analysis considers normal and abnormal loads and combinations to demonstrate compliance with the LBB design criteria. The applicant further stated that the as-built piping and materials are reconciled with the bases for the LBB acceptance criteria. The LBB analysis follows the graded approach discussed in Section 14.3.3.3, above. The pressurizer surge line is modeled as a representative case of thermal stratification. The staff's review of this analysis and the acceptability of the proposed ITAAC for this topic is discussed in Section 3.6.3 of this SER.

Equipment Analysis and Qualification

Discussion of the applicant's treatment of equipment analysis and qualification is included in various sections. The applicant provided system-based ITAAC in DCD Tier 1, Section 2 to address the seismic qualification of equipment. The staff finds that the system-based ITAAC provide reasonable assurance that the mechanical and electrical equipment will be adequately qualified to withstand the effect of a safe-shutdown earthquake (SSE). Additional discussion of this evaluation may be found in Section 3.10, Seismic and Dynamic Qualification of Mechanical and Electrical Equipment, of this SER.

Section 3.9.6, Functional Design, Qualification, and Inservice Testing Programs for Pumps, Valves, and Dynamic Restraints, of this SER discusses the applicant's treatment of the functional design, qualification, and inservice testing programs for pumps, valves, and dynamic restraints. The staff identified multiple ITAAC in the APR1400 DCD that required revision to provide assurance of the verification of the design, qualification, and testing of as-built pumps, valves, and dynamic restraints consistent with the design when certified. The staff issued RAI 546-8782, Question 14.03.03-8 (ML17123A458), to address these issues. In its response to RAI 546-8782, Question 14.03.03-8 (ML17248A364), the applicant proposed ITAAC the staff finds acceptable for meeting the requirements for the functional design, qualification, and inservice testing programs for pumps, valves, and dynamic restraints. Further discussion on the acceptability of these ITAAC may be found in Section 3.9.6 of this SER. RAI 546-8782, Question 14.03.03-8 is being tracked as a confirmatory item pending the incorporation of the proposed markups into a subsequent revision of the DCD.

Combined License Information Items

DCD Tier 2, Section 14.3.6, Combined License Information, Revision 0 included a COL item for DAC closure. Based on the discussion above about the implementation of the graded approach (and additional evaluations documented in Section 3.6.2 and Section 3.12 of this SER), the applicant removed this DAC and associated COL item, which the staff confirmed in Revision 1 of the DCD, dated March 10, 2017. There are no COL items associated with Section 14.3.2.3 of the APR1400 DCD.

Conclusion

The staff reviewed the Tier 1 information in the APR1400 DCD in accordance with the guidance in SRP Section 14.3.3. Based on this review and a review of the selection methodology and criteria for the development of the Tier 1 information in Tier 2, Section 14.3.2.3 of the DCD, the staff finds that, upon incorporation of the confirmatory items above into a subsequent DCD revision, the top-level design features and performance characteristics of the SSCs are appropriately described in Tier 1 and the Tier 1 information is acceptable to meet the requirements of 10 CFR 52.47(b)(1).

Further, the Tier 1 design descriptions can be verified adequately by ITAAC. The staff's review in SER Sections 3.6.2, 3.6.3, 3.9.5, 3.9.6, 3.10, 3.11, 3.12, and 5.2.1.1 supports the staff's finding that the ITAAC are necessary and sufficient for reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria are met, then a facility referencing the certified design can be constructed and operated in compliance with the DC and applicable regulations.

These findings are based on:

  • The applicant's treatment of piping design information in Tier 1 of the DCD, as supplemented by discussion in Tier 2 of the DCD. This is discussed in Section 14.3.3.4.4 above.
  • The ITAAC tables in Tier 1 of the DCD, listed in subsection 14.3.3.2, which address, in part, conformance with the ASME B&PV Code, seismic and dynamic qualification of equipment, and integrity of the RCPB, consistent with the regulatory guidance, ensuring the proper piping design and the verification of piping and component classification, fabrication, dynamic and seismic testing, and performance requirements.

Reactor Systems - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

The DCD Tier 2, Section 14.3, discusses the selection criteria and methods used to develop the DCD Tier 1 information, including the ITAAC. DCD Tier 1 includes the portion of the design-related information that, if acceptable, would be approved, certified, and incorporated by reference into a new design certification rule for the APR1400 design. The design descriptions, interface requirements, and site parameters are derived from DCD Tier 2 information.

The DCD Tier 2, Section 14.3.2.4 addresses ITAAC related to reactor systems. The scope of reactor systems encompasses the reactor coolant system, in-containment water storage system, safety injection system, shutdown cooling system, reactor coolant gas vent system, chemical and volume control system, and leakage detection system, which are all significantly related to normal operation, transients, and accidents.

As part of the review of each of the APR1400's reactor systems, the NRC staff reviewed the ITAAC with respect to reactor systems described in the DCD in accordance with SRP, NUREG-0800, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.4, Reactor Systems - Inspections, Tests, Analyses, and Acceptance Criteria. The NRC staff reviewed the proposed ITAAC to determine whether they are necessary and sufficient to provide reasonable assurance that, if the ITAAC are successfully completed, a facility that incorporates the design certification has been constructed and will be operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and the Commission's rules and regulations. In addition, the NRC staff reviewed interface requirements for reactor systems.

The scope of the review of the reactor systems ITAAC included the DCD Tier 1 sections given in Table 14.3.4-1, Cross References for the Staff's Evaluation of Reactor Systems ITAAC, of this report, that are significantly related to normal operation, transients, and accidents. The NRC staff's detailed evaluation of each reactor system's Tier 1 material is documented in the system's respective section of this SER (see Table 14.3.4-1 below).

Summary of Application

DCD Tier 1: The applicant provided design descriptions for reactor systems in DCD Tier 1 Section 2.4, Reactor Systems. DCD Tier 1, Chapter 1, Introduction, provides definitions, general provisions, and a legend for figures, acronyms, and abbreviations.

Table 14.3.4-1 Cross References for the Staff's Evaluation of Reactor Systems ITAAC

DCD Tier 1 Section  Title                                       ITAAC Table  SER Section  SER Section for 52.47(b)(1) Finding
2.4.1               Reactor Coolant System (RCS)                2.4.1-4      5.4          5.4
2.4.2               In-containment Water Storage System (IWSS)  2.4.2-4      6.8          6.8
2.4.3               Safety Injection System (SIS)               2.4.3-4      6.3          6.3
2.4.4               Shutdown Cooling System (SCS)               2.4.4-4      5.4.7        5.4.7
2.4.5               Reactor Coolant Gas Vent System (RCGVS)     2.4.5-4      5.4.12       5.4.12
2.4.6               Chemical and Volume Control System (CVCS)   2.4.6-4      9.3.4        9.3.4
2.4.7               Leakage Detection System                    2.4.7-1      5.2.5        5.2.5

System design descriptions include relevant information for the ITAAC such as key design features; seismic and ASME code classifications used in design and construction; system operation; alarms, displays, and controls; logic for system actuation; interlocks; class 1E power sources and divisions; equipment to be qualified for harsh environment; interface requirements; and numeric performance values. The design descriptions contain tables and figures that are referenced in the Design Commitment column of the ITAAC tables listed above.

The applicant organized its Tier 1 information in a manner similar to that used for the evolutionary designs as described in SRP Section 14.3 and RG 1.206 Section C.II.1-1. The ITAAC tabular format and content for the reactor systems follows the NRC recommended format described and presented in RG 1.206, Table C.II.1-1, Sample ITAAC Format. The ITAAC are presented in a three-column table that includes the proposed design commitment to be verified (column 1), the method by which the licensee will verify (column 2), and specific acceptance criteria for the inspections, tests, or analyses (column 3) that, if met, demonstrate the licensee has met the design commitment in column 1.

DCD Tier 2: DCD Tier 2, Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, provides a general description of the APR1400 ITAAC including its relationship to other DCD Tier 1 information, and the bases, processes, and selection criteria used to develop Tier 1 information.

The applicant specified that the ITAAC for reactor systems were prepared in accordance with the guidance in RG 1.206, Section C.II.1, Inspections, Tests, Analyses, and Acceptance Criteria; NUREG-0800 SRP Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria; and NUREG-0800 SRP Section 14.3.4, Reactor Systems - Inspections, Tests, Analyses, and Acceptance Criteria.

ITAAC: The applicant provided ITAAC for reactor systems in DCD Tier 1 sections as listed above in Table 14.3.4-1.

Technical Specifications (TS): There are no TS for this area of review.

Regulatory Basis

The relevant requirements of NRC regulations for this area of review, and the associated acceptance criteria, are given in NUREG-0800, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.4 Reactor Systems - Inspections, Tests, Analyses, and Acceptance Criteria. Review interfaces with other SRP sections are also identified in these SRP sections.

Acceptance criteria are based on meeting the relevant requirements of the following NRC regulations:

  • Title 10 CFR 52.47(b)(1), Contents of applications; technical information, as it relates to the requirement that a design certification application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification has been constructed and will be operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC rules and regulations.

Technical Evaluation

The NRC staff performed its review of the system and non-system based ITAAC in accordance with SRP Section 14.3 and SRP Section 14.3.4, particularly the applicable review procedures identified in each SRP Section III, as well as the guidance provided by RG 1.206, Section C.II.1, Inspections, Tests, Analyses, and Acceptance Criteria. The NRC staff examined the ITAAC to ensure that they can be inspected by the organization holding the combined license and closed out by the NRC staff. The NRC staff also reviewed the phrasing and format of the ITAAC to determine if the Design Commitment wording; the Inspection, Test, or Analysis; and the Acceptance Criteria are parallel and in agreement. In addition, the NRC staff determined that the DCD Tier 1 ITAAC items were derived from the DCD Tier 2 information.

ITAAC Development Criteria

The RG 1.206 Section C.II.1.2.4, ITAAC for Reactor Systems, describes the ITAAC development for reactor systems and identifies the aspects to be verified through ITAAC. These are related to the reactor design, such as core components, fuel, control rods, reactor coolant system, emergency core cooling system, residual heat removal system, chemical and volume control system, and loose parts monitoring system.

During the review, the NRC staff noted that in DCD Tier 2, Section 14.3.2.4, the applicant stated that DCD Tier 1, Section 2.4 includes fuel, control rods, and loose parts monitoring systems. However, the NRC staff also noted that in DCD Tier 1, Section 2.4, the applicant did not provide any information regarding fuel or loose parts monitoring systems, and very little information regarding control rods. Therefore, the staff issued RAI 83-7962, Question 14.03.04-1 (ML15197A267), to address this issue. In its response to RAI 83-7962, Question 14.03.04-1 (ML16035A514), the applicant clarified that the APR1400 ITAAC for reactor systems includes the RCS, IWSS, SIS, SCS, RCGVS, CVCS, and leakage detection system.

The staff reviewed the fuel system design, control rod design, and core design to determine if it was necessary to develop ITAAC for these areas. For these three areas of review, the staff notes that ITAAC are not typically developed and implemented, as discussed in SRP 14.3.4.

ITAAC are not typically developed for the core design area since ITAAC must be completed before core load, as required by 10 CFR 52.103. This requirement makes it impossible to implement an ITAAC covering the as-built condition of the core. Additionally, the safety aspects of the as-built core design will be verified through start-up testing, thereby addressing the same safety concerns that an ITAAC would address. Therefore, the staff found that developing and implementing ITAAC for the core design is not necessary.

For fuel system design, the staff found that developing ITAAC to verify fuel rod design aspects is also not necessary because the prior staff approval of the fuel rod design (located in the staff's FSER to the specific fuel rod design topical report) included review of testing associated with the proper functioning of the fuel rod. Furthermore, other regulations, such as 10 CFR Part 50, Appendix B, require the appropriate quality assurance standards to be implemented for the fuel prior to its loading into a core. Therefore, the staff found that it is not necessary to develop an ITAAC for the fuel system design due to the testing, inspection, and analyses that have already been reviewed and approved by the staff as part of the applicant's topical report submittal.

Lastly, the staff found that control rod design ITAAC verifying the as-built condition are similarly constrained by 10 CFR 52.103 in that the as-built condition cannot be inspected via ITAAC since all ITAAC must be completed prior to fuel load. However, the staff does note that other inspection and testing programs ensure that the control rod assembly is manufactured to the specifications of the NRC approved design (e.g. the QA inspection) and that the safety function is met (e.g. the scram tests and startup physics tests). Therefore, the staff found that developing and implementing ITAAC for the control rod design is not necessary.

The loose parts monitoring system is a nonsafety-related system and does not perform any safety-related function; it only provides for monitoring; therefore, the staff found it acceptable to not have any ITAAC for this system. The applicant also provided a markup to DCD Tier 2, Section 14.3.4.2 indicating that fuel, control rods, and the loose parts monitoring system will be deleted from the sentence describing what the Tier 1 reactor systems ITAAC is comprised of.

The NRC staff finds the applicant's response acceptable and concludes that the applicant adequately identified the general aspects to be verified through ITAAC, including the ITAAC to verify the top-level design features, as discussed in RG 1.206 Section C.II.1.2.4. On March 10, 2017, the applicant submitted to the NRC, Revision 1 of the DCD (ML17096A325). The staff confirmed that Revision 1 of the DCD contained the appropriate revisions, which were proposed as part of the applicant's response to RAI 83-7962, Question 14.03.04-1. Therefore, RAI 83-7962, Question 14.03.04-1 is resolved and closed.

Reactor Systems Tier 1

The NRC staff reviewed the Tier 1 material for each APR1400 reactor system using the guidance provided in SRP Section 14.3 including Appendix C, Detailed Review Guidance, Fluid Systems Review Checklist, and SRP Section 14.3.4. The NRC staff's detailed review of each reactor system's Tier 1 material is contained within the section of this SER that corresponds to the Tier 2 Section for the reactor system, as described in the cross reference Table 14.3.4-1.

In performing the evaluation of the Tier 1 material, and determining whether the ITAAC appropriately verify the top-level design features, the NRC staff considered the safety function significance in light of the results of transient and accident analyses, core cooling in all modes of operation and shutdown conditions, anticipated transient without scram (ATWS), and severe accident assessments. Specifically, DCD Tier 2, Table 14.3.4-1, Design Basis Accident Analysis Key Design Features, DCD Tier 2, Table 14.3.4-2, PRA and Severe Accident Analysis Key Design Features, and DCD Tier 2, Table 14.3.4-5, ATWS Analysis Key Design Features, were reviewed to confirm that the table entries are complete with respect to the safety analyses in DCD Tier 2, Chapter 4, Reactor, DCD Tier 2, Chapter 5, Reactor Coolant System And Connected Systems, DCD Tier 2, Chapter 6, Engineered Safety Features, and DCD Tier 2, Chapter 15, Transient And Accident Analyses, and consistent with DCD Tier 2, Section 14.2, Initial Plant Test Program.

In addition, the NRC staff used the SRP sections identified in SRP Section 14.3.4 that have a potential impact on the reactor systems ITAAC sections. These included the following SRP sections that provide information related to SRP Section 14.3.4: SRP Section 14.3 (general guidance on ITAAC), SRP Section 14.3.2 (structures, systems, and components (SSCs) ability to withstand various natural phenomena), SRP Section 14.3.3 (piping design), SRP Section 14.3.5 (instrumentation and controls), SRP Section 14.3.6 (electrical systems and components), and SRP Chapter 19 (SSCs design features and functions that should be addressed based on severe accident, PRA, and shutdown safety evaluations).

Also, in accordance with SRP Section 14.3.4, the NRC staff reviewed Chapter 15 systems sequence of events and reviewed the SSCs' functional responses to each abnormal event described in the transient and accident analysis. The NRC staff confirmed that the required actions of the SSCs are tested in DCD Tier 1, Section 2.4.1 from initiating test signals that simulate the reactor conditions to the actuation of the systems that mitigate the abnormal events. The NRC staff's findings related to the testing and acceptance criteria of each reactor system's ITAAC are documented in the section of this SER associated with that reactor system.

In general, the NRC staff concludes the ITAAC included the SSCs that are required to mitigate or terminate the abnormal events to be sufficient in demonstrating functional operability as described in DCD Tier 2.

The NRC staff assessed the reactor systems Tier 1 material (including ITAAC) for the following DCD Tier 2 sections in accordance with the applicable procedures and guidance provided in SRP Sections 14.3 and 14.3.4:

  • Section 5.2.2, Overpressure Protection.
  • Section 5.4.11, Pressurizer Relief Tank.
  • Section 6.3, Safety Injection System.
  • Section 9.3.4, Chemical and Volume Control System.

The NRC staff's specific evaluation results of the above sections relating to the adequacy of the Tier 1 material are presented in the individual technical evaluation of each of the above sections in this report, but one issue common to ITAAC in several reactor systems is addressed in the following subsection.

General Issue Common to ITAAC in Several Reactor Systems

In the review of all Reactor Systems ITAAC items, the NRC staff observed that Tier 1 Tables 2.4.1-4, "Reactor Coolant System ITAAC," 2.4.2-4, "In-containment Water Storage System ITAAC," 2.4.3-4, "Safety Injection System ITAAC," 2.4.4-4, "Shutdown Cooling System ITAAC," 2.4.5-4, "Reactor Coolant Gas Vent System ITAAC," and 2.4.6-4, "Chemical and Volume Control System ITAAC," each contain an ITAAC item labeled 6.c which commits to separation being provided between Class 1E divisions, and between Class 1E division and non-Class 1E division. The applicant's associated Acceptance Criteria, 6.c., requires:

physical separation or electrical isolation exists in accordance with NRC RG 1.75 between these Class 1E divisions, and also between class 1E division and non-Class 1E division.

The NRC staff noted that the applicant's Acceptance Criteria, which incorporates by reference RG 1.75, did not accurately capture what is required by RG 1.75. RG 1.75 states:

the underlying separation criteria are that (1) physical separation and (2) electrical isolation must be provided to maintain the independence of safety related circuits and equipment so that the safety functions required during and following any design-basis event can be accomplished.

Therefore, the NRC staff issued RAI 83-7962, Question 14.03.04-5 (ML15197A267), to address this issue. In its response to RAI 83-7962, Question 14.03.04-5 (ML15259A765) and supplemented (ML16081A340), the applicant stated that the ITAAC items which address physical separation and electrical isolation in accordance with RG 1.75 will be revised to accurately reflect what is required by RG 1.75. Also in its response to the NRC staff, the applicant presented how the revision will look in the next DCD revision. Based upon the NRC staff's review, the NRC staff finds that the applicant's Tier 1 Reactor Systems ITAAC revision is acceptable and accurately captures what is stated in RG 1.75; furthermore, the NRC staff concludes that this Tier 1 revision supports meeting 10 CFR 52.47(b)(1). On March 10, 2017, the applicant submitted to the NRC, Revision 1 of the DCD (ML17096A325). The staff confirmed that Revision 1 of the DCD contained the appropriate revisions, which were proposed as part of the applicant's response to RAI 83-7962, Question 14.03.04-5. Therefore, RAI 83-7962, Question 14.03.04-5, is resolved and closed.

Reactor Coolant System

The NRC staff notes that the RCS is a safety-related system whose primary function is to remove heat generated in the reactor core and transfer it to the steam generators. The RCS forms part of the pressure and fission product boundary between the reactor coolant and the containment building atmosphere. The RCS is equipped with overpressure protection and provides cooling during all plant evolutions and anticipated operational occurrences to preclude significant core damage. The NRC staff's review of the RCS Tier 1 information is contained in Chapter 5 of this SER.

In-containment Water Storage System

The NRC staff notes that the in-containment water storage system (IWSS) is a safety-related system and includes the in-containment refueling water storage tank (IRWST), holdup volume tank (HVT), and the cavity flooding system (CFS). The IRWST provides borated water for the safety injection system and the containment spray system and is the primary heat sink for the RCS depressurization and vent system. The HVT collects water released in containment during design basis events and returns it to the IRWST. The CFS provides water to flood the reactor cavity in response to beyond design basis events. The IWSS is located in containment. The NRC staff's review of the IWSS Tier 1 information is contained in Chapter 6 of this SER.

Safety Injection System

The NRC staff notes that the safety injection system (SIS) is a safety-related system, whose primary function is to provide emergency core cooling and reactivity control in response to a design basis accident. The SIS consists of four safety injection pumps, four safety injection tanks, and associated piping and valves. The NRC staff's review of the SIS Tier 1 information is contained in Chapter 6 of this SER.

Shutdown Cooling System

The NRC staff notes that the shutdown cooling system (SCS) provides the APR1400 a safety-related function of removing decay heat from the RCS and transferring that heat to the component cooling water system during normal shutdown and accident conditions. The SCS consists of two independent, mechanical trains with associated heat exchangers, pumps, and piping and valves. The NRC staff's review of the SCS Tier 1 information is contained in Chapter 5 of this SER.

Reactor Coolant Gas Vent System

The NRC staff notes that the Reactor Coolant Gas Vent System (RCGVS) is a safety-related system which provides the RCS with the capability to vent non-condensable gases and steam from the high points of the RCS (e.g., the reactor vessel head and the pressurizer steam space).

The RCGVS provides a safety-related means to depressurize the RCS when pressurizer sprays are unavailable. The RCGVS consists of piping and valves to vent non-condensable gases and/or steam directly to the IRWST. The NRC staff's detailed review of the RCGVS Tier 1 information is contained in Chapter 5 of this SER.

Chemical and Volume Control System

The NRC staff notes that the chemical and volume control system (CVCS) provides mostly non-safety-related functions of purity, volume, and chemistry control for the APR1400. The CVCS also provides backup spray water to the pressurizer and cooling water to the RCP seals. The safety-related functions of the CVCS consist of maintaining integrity of components in the reactor coolant pressure boundary, containment isolation, and limiting the magnitude of boron dilution sources. The CVCS consists of charging pumps, regenerative and non-regenerative heat exchangers, purification filters and ion exchangers, the volume control tank, and associated piping and valves. The NRC staff's detailed review of the CVCS Tier 1 information is contained in Chapter 9 of this SER.

Leakage Detection System

The staff notes that the leakage detection system provides a means for detecting and monitoring reactor coolant system leakage. Indications of leakage are provided by containment sump level indicators, containment airborne particulate radiation monitors, and containment atmospheric humidity indicators. Alarms and displays in the main control room alert the operators of reactor coolant pressure boundary leakage. The NRC staff's detailed review of the Tier 1 information for the leakage detection system is contained in Chapter 5 of this SER.

Interface Requirements

The NRC staff notes that interface requirements are defined for: (a) systems that are entirely outside the scope of the design, and (b) the out-of-scope portions of those systems that are only partially within the scope of the standard design. The applicant included the reactor systems designs within the complete scope of the standard design, thus precluding the necessity of having interface requirements for these systems. The NRC staff accepted that interface requirements are not needed for reactor systems.

Combined License Information Items

There are no COL Items associated with Section 14.3.2.4 of the APR1400 DCD.

Conclusions

In general, the NRC staff concludes that the applicant has adequately identified the reactor systems which need to have ITAAC requirements. The review of each reactor system's ITAAC to determine necessity and sufficiency in regards to 10 CFR 52.47(b)(1) can be found in the associated reactor systems section of this SER. The review completed in this section of the SER supports the 10 CFR 52.47(b)(1) findings made in the system specific sections of the SER.

Instrumentation and Controls - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

Inspections, tests, analyses, and acceptance criteria (ITAAC) information is contained in Tier 1 of the APR1400 DCD. The ITAAC evaluation includes a review of the commitments to be verified by ITAAC inspection. These commitments also define the scope of the APR1400 design and are identified in the design description for each system that establishes the scope of ITAAC.

The scope of review for instrumentation and controls (I&C) ITAAC includes I&C systems involving reactor protection and control, engineered safety features (ESF) actuation, and other systems using I&C equipment. The review also addresses information related to the design process of digital computers in I&C systems and selected interface requirements related to I&C issues.

Summary of Application

DCD Tier 1: There are two material categories in Tier 1: Design descriptions and ITAAC.

  • Design descriptions address the most safety-significant features of a system. Design descriptions are in the form of descriptions, tables, and figures, and are binding for the lifetime of a facility.

  • ITAAC will be used to verify the APR1400 as-built features. ITAAC material is in tabular format only and will no longer constitute requirements for a facility once the 10 CFR 52.103(g) finding is made for that facility.

Title 10 CFR 52.47(b)(1) requires a design certification application to contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification is built and should operate in accordance with the design certification, the provisions of the Atomic Energy Act, and the NRC's regulations. SRP Section 14.3 provides guidance on the type of information that should be provided in Tier 1 of the application in order to meet the requirements of 10 CFR 52.47(b)(1), including top-level information that describes the principal performance characteristics and safety functions of the structures, systems, and components (SSCs). Based on the description of Tier 1 information included, the NRC staff finds that additional information is needed to demonstrate that safety functions performed by I&C systems are adequately described. Specifically, in RAI 317-8271, Question 14.03.05-13 (ML15321A293), the NRC staff requested the applicant to include the safety functions performed by each safety-related I&C system in the APR1400 DCD, Tier 1 descriptions.

In the March 2, 2016 response to RAI 317-8271, Question 14.03.05-13 (ML16062A317), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.1.1, to include design descriptions of the safety functions performed by the Auxiliary Processing Cabinet-Safety (APC-S), Core Protection Calculator System (CPCS), Excore Neutron Flux Monitoring System (ENFMS), the Plant Protection System (PPS), and Reactor Trip Switchgear System (RTSS).

Based on the commitment to revise APR1400 DCD, Tier 1, Section 2.5.1.1 to include the safety functions performed by these systems, the staff finds the APR1400 DCD, Tier 1 adequately describes the safety functions performed by I&C systems to meet the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-13 resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1. As such, this confirmatory item has been satisfied.

DCD Tier 2: DCD Tier 2, Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, discusses the selection criteria and methods used to develop the DCD Tier 1 design descriptions and the ITAAC. The applicant states in APR1400 DCD Tier 2, Section 14.3 that the design descriptions, interface requirements, and site parameters are derived from Tier 2 information and that Tier 1 information includes:

  • Definitions and general provisions
  • Design descriptions
  • Significant interface requirements
  • Significant site parameters

ITAAC: The APR1400 I&C-related ITAAC are provided in DCD Tier 1, Section 2.5, Instrumentation and Control Systems.

Technical Specifications: DCD Tier 2, Sections 3.3 and B.3.3 provide technical specifications for instrumentation and control systems.

Regulatory Basis

The relevant requirements of NRC regulations for this area of review, and the associated acceptance criteria, are given in NUREG-0800, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.5, Instrumentation and Controls - Inspections, Tests, Analyses, and Acceptance Criteria. Review interfaces with other SRP sections can also be found in SRP Section 14.3.5.

The acceptance criteria are based on the relevant requirements of the following NRC regulations:

  • Title 10 CFR 52.47(b)(1), Contents of applications; technical information, as it relates to the requirement that a design certification application contain the ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification is built and will operate in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC regulations.

The applicable acceptance criteria used to meet the above relevant requirement of the NRC regulations as described in SRP Section 14.3.5, are summarized below:

1. The methodology for selecting SSCs that will be subject to ITAAC, as well as the criteria for establishing the necessary and sufficient ITAAC should be appropriate for, and consistently applied to, I&C systems.
2. DCD Tier 1 design descriptions and ITAAC should describe the top-level I&C design features and performance characteristics that are significant to safety.

For safety systems, this should include a description of system purpose, safety functions, equipment quality (e.g., meet the functional requirements of IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and the digital system life cycle design process), equipment qualification, automatic decision-making and trip logic functions, manual initiation functions, and design features (e.g., system architecture) provided to achieve high functional reliability. The functions and characteristics of other I&C systems important to safety should also be discussed to the extent that the functions and characteristics are necessary to support remote shutdown, support required operator actions or assessment of plant conditions and safety system performance, maintain safety systems in a state that assures their availability during an accident, minimize or mitigate control system failures that would interfere with or cause unnecessary challenges to safety systems, or provide diverse back-up to protection systems.

3. SRP Section 14.3, Appendix A, Information on Prior Design Certification Reviews, provides additional guidance on the content of DCD Tier 1 design descriptions and ITAAC.
4. ITAAC should identify the I&C system features upon which the staff is relying to assure compliance with NRC requirements and guidance identified in SRP Appendix 7.1-A, Acceptance Criteria and Guidelines for Instrumentation and Control Systems Important to Safety. Tests, analyses, and acceptance criteria associated with each commitment should, when taken together, be sufficient to provide reasonable assurance that the final as-built I&C system fulfills NRC requirements. SRP Appendix 7.1-C, Guidance for Evaluation of Conformance to IEEE Std 603, provides an expanded discussion of SRP acceptance criteria for safety system compliance with 10 CFR 50.55a(h). SRP Appendix 7.1-D, Guidance for Evaluation of the Application of IEEE Std 7-4.3.2, further discusses SRP acceptance criteria for safety and protection systems using digital computer-based technology. SRP Section 14.3, Appendix A, provides additional guidance on the expected scope, content, and format of ITAAC.
5. For APR1400 applications, DCD Tier 1 design descriptions and ITAAC should be based on and consistent with the DCD Tier 2 material.

The specific areas of review are as follows:

1. DCD Tier 1 information on I&C systems involving reactor protection and control, ESF actuation, and other systems using I&C equipment.
2. DCD Tier 1 information related to design process of digital computers in I&C systems.
3. Selected interface requirements related to I&C issues.
4. Functional requirements of IEEE Std 603-1991 and General Design Criteria (GDC) when implementing the safety system.

Technical Evaluation

The applicant provided design information, including associated tables and figures, in accordance with the selection methodology for APR1400 DCD, Tier 1, as described in APR1400 DCD Tier 2, Section 14.3 to support the ITAAC for the APR1400 SSCs. The applicant organized the DCD Tier 1 information in the systems, structures, and topical areas format shown in the DCD Tier 1, Table of Contents. The staff reviewed the DCD Tier 1 information provided by the applicant in accordance with SRP Section 14.3.5.

Reactor Trip System and Engineered Safety Features Initiation Systems

The applicant provided design descriptions and ITAAC verifying design features for systems that perform reactor trip (RT) and ESF initiation functions in DCD Tier 1, Section 2.5.1, Reactor Trip System and Engineered Safety Features Initiation. In this section, the applicant provided design information, including associated tables, in the manner described in DCD Tier 2, Section 14.3 to identify necessary and sufficient ITAAC for APR1400 systems that perform RT and ESF initiation functions. The staff reviewed the design descriptions and ITAAC to ensure compliance with 10 CFR 52.47(b)(1).

APR1400 DCD, Tier 1, Section 2.5.1, includes a description of systems that perform RT and ESF initiation functions. APR1400 DCD, Tier 1, Section 2.5.1.1 states that the RT system (RTS) consists of four channels of sensors, APC-S cabinets, ENFMS cabinets, and four divisions of CPCS cabinets, the reactor protection system (RPS) portion of PPS cabinets, and RTSS cabinets. The ESF system consists of four channels of sensors, APC-S cabinets, and four divisions of the engineered safety features actuation system (ESFAS) portion of the PPS cabinets and engineered safety feature-component control system (ESF-CCS) cabinets. The ESF initiation is performed by sensors, the APC-S and the ESFAS portion of the PPS. In RAI 317-8271, Question 14.03.05-33 (ML15321A293), the staff requested the applicant to clarify the use of the term "ESF initiation." Specifically, it appears that APR1400 DCD, Tier 1, Section 2.5.1.1 uses the term "ESF initiation" as a portion of the ESFAS from sensors to the output of the PPS. However, the term "initiation" typically refers to a function and not a system.

As such, the staff requested the applicant to modify the use of this term to reflect the intent of referencing a portion of the ESFAS. In the February 5, 2016 response to RAI 317-8271, Question 14.03.05-33 (ML16036A374), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-5 so that "RTS and ESF system" is used considering the system perspective, and "RT and ESF initiation" is used considering the functional perspective.

For consistency, the applicant committed to revising APR1400 DCD, Tier 1, Section 2.5.4.1 and the applicable ITAAC in Table 2.5.4-5 to modify "ESFAS initiation" to "ESF initiation." Based on the proposed changes to the DCD to clarify the use of the term "initiation," the staff finds the issues related to RAI 317-8271, Question 14.03.05-33 resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Sections 2.5.1 and 2.5.4. As such, this confirmatory item has been satisfied.

The APR1400 DCD, Tier 1, Table 2.5.1-1, Reactor Trip System and Engineered Safety Features Initiation Equipment Location and Classification, lists the location of equipment that performs RT and ESF initiation functions, seismic category, and IEEE Class 1E divisional power source and environmental qualification category.

The following tables are provided in APR1400 DCD, Tier 1:

  • Table 2.5.1-1, Reactor Trip System and Engineered Safety Features Initiation Equipment Location and Classification
  • Table 2.5.1-3, Engineered Safety Features Initiation Variables
  • Table 2.5.1-4, Reactor Trip System and Engineered Safety Features Initiation Bypasses
  • Table 2.5.1-5, Reactor Trip System and Engineered Safety Features Initiation ITAAC

Design Basis

Title 10 CFR 50.55a(h)(3) states, in part, that an application filed on or after May 13, 1999, for design certifications must meet the requirements for safety systems in IEEE Std 603-1991 and the correction sheet dated January 30, 1995. Section 4 of IEEE Std 603-1991 is the design bases requirements for a safety I&C system. IEEE Std 603-1991, Clause 4.1, requires the identification of the design basis event (DBE) applicable to each mode of operation, and Clause 4.2, requires documentation of the safety functions and corresponding protective actions of the execute features for each DBE. The safety systems are designed to protect the health and safety of the public by limiting the release of radioactive material following anticipated operational occurrences (AOOs) and postulated accidents (PAs). IEEE Std 603-1991, Clause 4.4, requires the identification of variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. IEEE Std 603-1991, Clause 4.6, states that for those variables in Clause 4.4 that have a spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes shall be identified. IEEE Std 603-1991, Clause 4.12, requires the identification of any other special design basis that may be imposed on the system design (example: diversity, interlocks, regulatory agency criteria).

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 4.a, states the PPS provides an automatic [RT] and ESF initiation signals, as indicated in Tables 2.5.1-2 and 2.5.1-3, if plant process signals reach predetermined setpoints. An ITAAC is provided to verify this design commitment in DCD, Tier 1 Table 2.5.1-5, Item 4.a. DCD Tier 1, Section 2.5.1.1, Item 6, states that each local coincidence logic (LCL) receives trip signals from four channels of bistable processors (BPs) and utilizes a 2-out-of-4 coincidence logic to perform RPS and ESF initiation functions identified in Tables 2.5.1-2 and 2.5.1-3. An ITAAC is provided to verify this design commitment in DCD, Tier 1 Table 2.5.1-5, Item 6. DCD Tier 1, Section 2.5.1.1, Item 15, states that the input signals of PPS through APC-S or ENFMS are derived from RT and ESF measurement instrumentation that measures monitored variables identified in Tables 2.5.1-2 and 2.5.1-3. An ITAAC is provided to verify this design commitment in DCD, Tier 1 Table 2.5.1-5, Item 15. DCD Tier 1, Section 2.5.1.1, Item 18, states that the RTS and ESF initiation instrumentation (referenced in Tables 2.5.1-2 and 2.5.1-3) monitors the normal operating, AOO, and postulated PA events.

Corresponding ITAAC to verify that the as-built system meets these design commitments are provided in APR1400 DCD, Tier 1, Table 2.5.1-5. An ITAAC is provided to verify this design commitment in DCD, Tier 1 Table 2.5.1-5, Item 18.

Based on verification that the applicant provided adequate design descriptions regarding the automatic functions performed by the RT and ESF initiation, signal input to the PPS, and the monitoring of normal operating, AOO and PA events, the staff finds that the APR1400 Tier 1 design descriptions and corresponding ITAAC identified in the preceding paragraph are adequate to demonstrate the as-built RT and ESF system meets the requirements of IEEE Std 603-1991, Clauses 4.1, 4.2, and 4.4. Therefore, the staff finds these ITAAC meet the requirements of 10 CFR 52.47(b)(1). However, the staff could not identify design descriptions and corresponding ITAAC to verify that the as-built PPS is provided with the minimum number and locations of sensors required for protective variables that have spatial dependence to meet the requirements of IEEE Std 603-1991, Clause 4.6. As such, in RAI 317-8271, Question 14.03.05-14 (ML15321A293), the staff requested the applicant to provide this information in Tier 1 of the APR1400 DCD. Further, the staff could not find design descriptions and corresponding ITAAC to verify that the as-built PPS provides interlocks when associated conditions are met in order to meet the requirements of IEEE Std 603-1991, Clause 4.12. As such, in RAI 317-8271, Question 14.03.05-15 (ML15321A293), the staff requested the applicant to provide this information in Tier 1 of the APR1400 DCD.

In the May 19, 2016 response to RAI 317-8271, Question 14.03.05-14 (ML16142A002), the applicant proposed to add a design description and corresponding ITAAC item to APR1400 DCD, Tier 1, Section 2.5.1 for identification of the number and locations of the sensors required for protective purposes that have spatial dependence to meet the requirements of IEEE Std 603-1991, Clause 4.6. The number designation for the design description and ITAAC item were changed due to the added information provided in the response to RAI 301-8280, Question 07.01-44. DCD Tier 1, Table 2.5.1-2, Reactor Trip System Variables, will also be revised to identify the protective variables that have a spatial dependence to meet the requirements of IEEE Std 603-1991, Clause 4.6. Based on the proposed revision to APR1400 DCD, Tier 1, Section 2.5.1 and corresponding ITAAC item in Table 2.5.1-5, Item 25 to verify the as-built PPS includes the appropriate number of spatially dependent sensors at specified locations, the staff finds the issues related to RAI 317-8271, Question 14.03.05-14 are resolved. As such, the staff finds that the as-built PPS will be verified to meet IEEE Std 603-1991, Clause 4.6. Therefore, the staff finds the ITAAC provided in Table 2.5.1-5, Item 25 is adequate to meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1. As such, this confirmatory item has been satisfied.

In the June 12, 2017 response to RAI 317-8271, Question 14.03.05-15 (ML17163A171), the applicant states: the revised response to RAI 46-7879, Question No. 07.06-2 has been submitted (ref. MKD/NW-16-1037L dated October 14, 2016; ML16288A864) and includes the related design description, a table, and ITAAC items to be inserted into DCD Tier 1 Section 2.5.4 for interlock systems important to safety and are applicable to this question. The staff reviewed the response to RAI 46-7897, Question 07.06-2, in which the applicant proposed to revise APR1400 DCD, Tier 1, to include a new Table 2.5.4-4, ESF-CCS Interlocks Important to Safety; and an Item 22 to DCD Tier 1, Section 2.5.4.1, Design Descriptions along with the corresponding ITAAC in Table 2.5.4-5. The original Table 2.5.4-4, Engineered Safety Features-Component Control System ITAAC, is now Table 2.5.4-5. Based on the provision of a Tier 1 table containing the interlocks important to safety and a design description and ITAAC to verify these interlocks, the staff finds that the interlocks important to safety will be adequately verified in the as-built ESF-CCS to meet the requirements of 10 CFR 52.47(b)(1). The staff verified the incorporation of the proposed markups in APR1400 DCD, Tier 1, Section 2.5.4, Revision 1. As such, the staff considers the issue identified in RAI 317-8271, Question 14.03.05-15, to be resolved and closed.

Completion of Protective Action

IEEE Std 603-1991, Clause 5.2 states that the safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal.

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 4.b states that once RT is initiated (automatically or manually), the reactor trip breakers remain open until completion of the protective action, and do not automatically return to normal after the trip condition is reset. The corresponding ITAAC in DCD Tier 1, Table 2.5.1-5, Item 4.b verifies this design commitment in the as-built system.

Based on the design commitment and corresponding ITAAC provided in DCD Tier 1, Table 2.5.1-5, Item 4.b, the staff finds that this ITAAC will verify that the as-built PPS and RTS meet completion of protective actions requirements for reactor trip initiation, and thus the ITAAC in DCD Tier 1, Table 2.5.1-5, Item 4.b meet the requirements of 10 CFR 52.47(b)(1).

Quality Standards and Records

IEEE Std 603-1991, Clause 5.3, requires, in part, components and modules be of a quality that is consistent with minimum maintenance requirements and low failure rates. This clause also states that "Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program."

10 CFR Part 50, Appendix A, GDC 1 requires SSCs important to safety to be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Branch Technical Position (BTP) 7-14 provides guidance on performing reviews for software-based safety-related, I&C systems.

The staff reviewed DCD Tier 1, Table 2.5.1-5, to ensure sufficient ITAAC were provided for systems that perform RTS and ESF initiation functions. Based on the information provided, the staff finds that additional information is needed to verify that the as-built system meets the quality requirements of IEEE Std 603-1991, Clause 5.3 and the inspectability requirements of 10 CFR 52.47(b)(1). Technical Report (TeR) APR1400-Z-J-NR-14003-P, Rev. 0, Software Program Manual [SPM], describes the software engineering process for digital computer-based I&C systems of the APR1400. Section 1.1 of this TeR states this report provides generic guidance for the software program plans based on the BTP 7-14. Section 2.2 of this TeR defines the software life cycle phases for the development of safety I&C system software, which includes the concept, requirements, design, implementation, test, installation and checkout, and operation and maintenance phases. APR1400 DCD, Tier 1, Section 2.5.1.1, Item 11, states RTS and ESF initiation software is implemented according to the software life cycle process.

The staff finds that this section does not describe what lifecycle process (e.g., specific lifecycle phases of the lifecycle process) the RTS and ESF initiation software follows. In RAI 71-7906, Question 14.03.05-1 (ML15196A597), the staff requested the applicant to:

1. Identify and define the lifecycle phases for the lifecycle process in Tier 1 (design descriptions and ITAAC) of the APR1400 DCD and verify that these phases are consistent with the SPM TeR in order to demonstrate compliance to the requirements of IEEE Std 603-1991, Clause 5.3, and 10 CFR 52.47(b)(1).
2. Ensure the Tier 1 design description and ITAAC address all RTS and ESF software. The current description implies that the design commitment on following the software lifecycle development process only applies to the RTS and ESF initiation software and not all system software of the RTS and ESF system (e.g. self-diagnostic software, communications software).
3. For the Tier 1 design description and ITAAC, state that the output of each life cycle phase will conform to the requirements of that phase. The acceptance criterion for the corresponding ITAAC states that a summary report with the results of each phase exists and this summary report will conclude that the phase activities are performed. The staff finds that the acceptance criterion does not verify that the output of each phase meets the requirements of that phase. Modify the ITAAC to verify that the output of each phase meets the requirements of that phase.

In the May 18, 2016 response to RAI 71-7906, Question 14.03.05-1, the applicant committed to revise Item 11 of Section 2.5.1.1 and Table 2.5.1-5 of DCD Tier 1 to identify each phase of the software lifecycle as defined in the Software Program Manual Technical Report. In addition, the applicant clarified that the RTS and ESF initiation software implies the application software portion of the safety system. The initiation software utilizes the platform software, which has already been qualified, including self-diagnostic and communication in order to generate reliable reactor trip and ESF initiation signals and accomplish the intended safety functions within the safety system. The applicant committed to modify the term "RTS and ESF initiation software" to "The application software for RTS and ESF initiation." In addition, the applicant committed to modify APR1400 DCD Section 2.5.1.1 and Table 2.5.1-5, Item 11 to verify by inspection and analysis that the outputs, including documentation, of each lifecycle phase in the software development process conform to the requirements of that phase.

The staff finds the proposed changes to APR1400 DCD Section 2.5.1.1 and Table 2.5.1-5, Item 11 adequate to verify the as-built RTS and ESF system application software will conform to the requirements of each phase of the software lifecycle in the software development process. Thus, the staff finds the as-built PPS will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.3, and therefore, the staff finds the ITAAC in Table 2.5.1-5, Item 11 satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues related to RAI 71-7906, Question 14.03.05-1 resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1. As such, this confirmatory item has been satisfied.

Equipment Qualification

IEEE Std 603-1991, Clause 5.4, requires, in part, that safety system equipment be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. GDC 2 requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. GDC 4 requires, in part, structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 1, and the corresponding ITAAC in Table 2.5.1-1, Item 1, state that the seismic Category I equipment identified in Table 2.5.1-1 withstand seismic design basis loads without loss of safety function. In addition, DCD Tier 1, Section 2.5.1.1, Item 2, states that the Class 1E equipment identified in Table 2.5.1-1 withstand the electrical surge, electromagnetic interference (EMI), radio frequency interference (RFI), and electrostatic discharge (ESD) conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. A corresponding ITAAC for this design description is provided in Table 2.5.1-1, Item 2. DCD Tier 1, Section 2.5.1.1, Item 17, states that the Class 1E equipment listed in Table 2.5.1-1 is protected from accident related hazards such as missiles, pipe breaks, and flooding. A corresponding ITAAC for this design description is provided in Table 2.5.1-1, Item 17. DCD Tier 1, Section 2.5.1.1, Item 19, states that the Class 1E instrument identified in Table 2.5.1-1 as being qualified for a harsh environment can withstand the environmental conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. A corresponding ITAAC for this design description is provided in Table 2.5.1-1, Item 19.

Based on the design commitments and corresponding ITAAC provided to verify that the as-built Class 1E equipment listed in APR1400 DCD, Tier 1, Table 2.5.1-1 will be able to withstand seismic design basis loads and EMI, RFI and ESD conditions, is protected from missiles, pipe breaks, and flooding, and is qualified for the expected environmental conditions, the staff finds that the as-built systems that perform RT and ESF initiation functions will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.4, GDC 2, and GDC 4.

Therefore, the staff finds the ITAAC in Table 2.5.1-1, Items 1, 2, 17, and 19 meet the requirements of 10 CFR 52.47(b)(1). However, it is unclear to the staff whether type tests, analyses, or a combination of type test and analyses will be performed again for those types of Class 1E Common-Q equipment for plant-specific conditions or if the qualification tests performed for the approved Common-Q platform will be credited for the closure of ITAAC. As such, the staff issued RAI 323-8281, Question 07.03-09 (ML15334A336) for the applicant to clarify this information and provide supporting information in relevant DCD Tier 1 and Tier 2 sections. In the March 4, 2016 response to RAI 323-8281, Question 07.03-09 (ML16064A060), the applicant states, "The ITAAC associated with equipment quality or qualification in APR1400 DCD Tier 1, Tables 2.5.1-5, 2.5.3-3, and 2.5.4-5, includes all Class 1E equipment in the scope of the Common Q platform for the APR1400 system. The type tests, analyses, or combination of type test and analyses performed for all Class 1E equipment are not to be re-performed for the Common Q platform. The qualification of the NRC approved Common Q platform itself will be credited during the closure stage of the ITAAC. To verify the installation of Common Q in accordance with the approved Common Q topical report, Section 2.5 of DCD Tier 1 and Section 7.1 of DCD Tier 2 will be revised, as the response of the Question No. 07.01-44 of the RAI 301-8280."

The staff finds this response needs to be clarified. Specifically, this response states the ITAAC associated with equipment quality includes all Class 1E equipment within the scope of the Common Q platform. However, it also states that the type tests, analyses, or combination of type test and analyses performed for all Class 1E equipment are not to be re-performed for the Common Q platform. It is unclear whether the applicant intends to state the qualification activities will only be done on Class 1E equipment implemented on the Common Q platform and independent qualification of the generic platform itself will not be performed. In the March 9, 2017, supplemental response to RAI 323-8281, Question 07.03-9 (ML17068A069), the applicant clarified that the type tests, analyses, or a combination of type test and analyses will be performed for the safety I&C system cabinets, including the Common Q platform, for plant-specific conditions. However, the tests and analyses for the Common Q platform itself are not expected to be re-performed because the original components of the Common Q platform have already been qualified, as described in the Common Q topical report. Based on this clarification made in this supplemental response to RAI 323-8281, Question 07.03-9 (i.e. tests and analyses for the Common Q platform itself will not be re-performed), the staff finds the issues identified in RAI 323-8281, Question 07.03-9, to be resolved and closed.

System Integrity

IEEE Std 603-1991, Clause 5.5, requires that the safety system accomplishes its safety functions under the full range of applicable conditions enumerated in the design basis. GDC 23 requires that the protection system be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy, or postulated adverse environments are experienced.

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 13, and the corresponding ITAAC in DCD Tier 1, Table 2.5.1-5, state that the RT logic of the PPS is designed to fail to a safe state such that loss of electrical power to a division of PPS results in a trip condition for that division but the ESFAS logic of the PPS is designed to fail to a safe state such that loss of electrical power to a division of PPS does not result in ESF initiation for that division. Based on the information provided, the staff finds that additional information is required to determine whether the as-built system will fail in a safe state during conditions indicative of a PPS processor lock-up. As such, in RAI 317-8271, Question 14.03.05-16 (ML15321A293), the staff requested the applicant to provide design descriptions and corresponding ITAAC to verify that failures of the PPS that result in lock-up of the PPS processors would be detected (e.g. via watchdog timers) and the PPS would be designed to fail in a safe state upon these conditions in order to demonstrate that the requirements of IEEE Std 603-1991, Clause 5.5 are met for the as-built PPS.

In the March 2, 2016 response to RAI 317-8271, Question 14.03.05-16 (ML16062A319), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.1.1, Item 13 to include descriptions of PPS testing to ensure fail-safe conditions are achieved on a processor lock-up.

The applicant also committed to include corresponding ITAAC to demonstrate acceptability of the as-built system. Based on the proposed revisions to the APR1400 DCD, Tier 1 to verify that the as-built PPS will fail in a safe state upon processor lock-ups, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-16 resolved. As such, the staff finds that the as-built PPS will be verified to meet IEEE Std 603-1991, Clause 5.5. Therefore, the staff finds the ITAAC provided in Tier 1, Table 2.5.1-5, Item 13 meets the requirements of 10 CFR 52.47(b)(1).

The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Sections 2.5.1 and 2.5.4. As such, this confirmatory item has been satisfied.
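The fail-safe behavior that Item 13 commits to can be sketched as follows. This is an added example, not code from the DCD, the applicant, or the Common Q platform: it models a generic window watchdog (one that faults on a refresh that arrives too early as well as too late), and the timing values, function names, and the choice to block ESF initiation on expiry are assumptions. It also shows why a verification test has to exercise the timer: a timer that is never armed detects nothing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic window watchdog model. All timing values and names are
 * assumptions for illustration, not Common Q or APR1400 parameters. */
typedef struct {
    uint32_t open_ms;   /* a refresh sooner than this is a fault (runaway task) */
    uint32_t close_ms;  /* no refresh by this time is a fault (lock-up)         */
    uint32_t last_ms;   /* time of the last accepted refresh                    */
    bool     armed;     /* false models a timer that was never activated        */
    bool     expired;   /* latched until the module is reset                    */
} wwdt_t;

void wwdt_init(wwdt_t *w, uint32_t open_ms, uint32_t close_ms,
               uint32_t now_ms, bool armed)
{
    w->open_ms = open_ms;  w->close_ms = close_ms;
    w->last_ms = now_ms;   w->armed = armed;   w->expired = false;
}

/* Called by the application task once per cycle. */
void wwdt_refresh(wwdt_t *w, uint32_t now_ms)
{
    if (!w->armed || w->expired) return;
    uint32_t elapsed = now_ms - w->last_ms;
    if (elapsed < w->open_ms || elapsed > w->close_ms)
        w->expired = true;              /* outside the window: latch the fault */
    else
        w->last_ms = now_ms;
}

/* Free-running timer side: advances whether or not the processor does. */
void wwdt_tick(wwdt_t *w, uint32_t now_ms)
{
    if (w->armed && !w->expired && now_ms - w->last_ms > w->close_ms)
        w->expired = true;
}

/* Reactor trip channel: loss of power or watchdog expiry gives a trip. */
bool rt_trip(const wwdt_t *w, bool powered, bool demand)
{
    return !powered || w->expired || demand;
}

/* ESF channel: loss of power does not initiate. Blocking initiation on
 * watchdog expiry is this model's assumption; expiry raises an alarm. */
bool esf_initiate(const wwdt_t *w, bool powered, bool demand)
{
    return powered && !w->expired && demand;
}

bool esf_alarm(const wwdt_t *w) { return w->expired; }

#define CYCLE_MS 10u

/* Run a task that refreshes every CYCLE_MS until it locks up at lockup_ms.
 * Returns the first time the trip output asserts, or -1 if it never does. */
int32_t simulate_lockup(bool armed, uint32_t lockup_ms, uint32_t run_ms)
{
    wwdt_t w;
    wwdt_init(&w, 8u, 12u, 0u, armed);
    for (uint32_t now = 1; now <= run_ms; now++) {
        if (now < lockup_ms && now % CYCLE_MS == 0u)
            wwdt_refresh(&w, now);
        wwdt_tick(&w, now);
        if (rt_trip(&w, true, false))
            return (int32_t)now;
    }
    return -1;
}

int main(void)
{
    printf("armed timer, lock-up at 35 ms: trip at %d ms\n",
           (int)simulate_lockup(true, 35u, 200u));
    printf("unarmed timer, lock-up at 35 ms: trip at %d ms\n",
           (int)simulate_lockup(false, 35u, 200u));
    return 0;
}
```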

New Common Q Platform watchdog timer design information was submitted to the NRC via a Westinghouse Nuclear Safety Advisory Letter (NSAL)-17-2, dated July 5, 2017 (ML17213A208).

The NSAL-17-2 information states that for the NRC approved Common Qualified Platform Topical Report, Revision 3:

  • The software stall timer was never activated in the AC160 base software, as designed;
  • The inactivated software stall timer also disabled the hardware stall timer.

Therefore, due to the new and conflicting design information presented in NSAL-17-2 and the docketed APR1400 design certification application information, the staff issued RAI 555-9163, Question 07.02-19, requesting the applicant to review the applicable safety Common Q platform based systems design descriptions of the APR1400 design certification application and demonstrate that the APR1400 design certification application is not affected by the design information contained within NSAL-17-2. As part of this RAI request, the staff requested the applicant to expand the design descriptions in DCD Tier 1, Sections 2.5.1.1, Item 13 and 2.5.4.1, Item 10 and corresponding ITAAC in Tier 1, Tables 2.5.1-5, Item 13 and 2.5.4-5, Item 10, respectively, to verify that the WDTs used to generate trip and fail-safe conditions for reactor trip and ESFAS functions, respectively, are hardware based.

In the applicant's April 12, 2018 response to this RAI (ML18102B220), the applicant provided markups to show the expanded and additional design descriptions to be added to DCD Tier 1, Section 2.5.1.1 design descriptions and its corresponding ITAAC Table 2.5.1-5, Item 13, as well as Tier 1, Section 2.5.4.1 design descriptions and its corresponding ITAAC Table 2.5.4-5, Item 10. The design descriptions and ITAAC clarify that a hardware-based window watchdog timer from the NRC approved safety I&C platform located in the processor module will be used to achieve the trip condition in the PPS and alarms in the ESF-CCS. The staff finds the applicant's proposed changes to ITAAC Table 2.5.1-5, Item 13 and Table 2.5.4-5 acceptable because the implementation of the watchdog timer will be consistent with the approved NRC topical report for the Common Q platform. As such, the staff finds the revised ITAAC in Table 2.5.1-5, Item 13 and ITAAC Table 2.5.4-5, Item 10 meet the requirements of 10 CFR 52.47(b)(1). The verification of the proposed markups in the next revision of the DCD is a confirmatory item.

Because the applicant took a deviation from the approved WCAP-10697-P-A, Revision 3, Common Q Platform Topical Report, for the CPCS central processing units (CPUs) by increasing the CPU maximum load limit from 70 percent to 75 percent, and required that the CPCS be designed and developed with sixteen (16) additional programming configuration restrictions and several additional tests to assure deterministic operations (i.e., ensure all safety function tasks are performed within the required response time) above the 70 percent CPU load limit, the staff finds that the additional sixteen configuration restrictions, as listed in Section 2 of the Common Q Supplemental TeR, are safety significant. SRP Section 14.3.5, Instrumentation and Controls - Inspections, Tests, Analyses, And Acceptance Criteria, Section II, Acceptance Criteria, Item 2 states that:

Tier 1 Design Descriptions ... and ITAAC Design Descriptions ... should describe the top-level I&C design features and performance characteristics that are significant to safety. For safety-related systems, this should include a description of system purpose, safety functions, equipment quality equipment qualification and design features ... provided to achieve high functional reliability.

Therefore, the staff issued RAI 554-9146, Question 07.02-18 (ML17261B310), requesting the applicant to either:

  • Include the 16 configuration restrictions in Section 2.5.1, Reactor Trip System and Engineered Safety Features Initiation, Tier 1, of the DCD or,
  • Incorporate by reference, the proprietary APR1400-A-J-NR-14004-P, Common Q Platform Supplemental Information in Support of APR1400 Design Certification, Technical Report (Common Q Supplemental TeR), and identify it as a Tier 1 document.

The applicant submitted their response to RAI 554-9146, Question 07.02-18 on November 27, 2017 (ML17331A231). In their response, the applicant provided DCD Tier 1 markups that contained a modified listing (i.e., paraphrased and simplified) of the 16 configuration restrictions for increasing maximum CPU load, as DCD Tier 1, Section 2.5.1.1, Item 27. This modified listing of the configuration restrictions combined the original sixteen configuration restriction criteria items 12 and 13 into one criteria item such that DCD Tier 1, Section 2.5.1.1, Item 27 consists of a listing of fifteen (15) design criteria (Note: This Tier 1 modification does not affect or change the original 16 configuration restrictions listed in Section 2 of the Common Q Supplemental TeR). In addition, the applicant also provided a DCD Tier 1, Table 2.5.1-5, ITAAC Item 27 markup that will verify that the 16 configuration restrictions have been properly and correctly implemented in the as-built plant. Based on the proposed revisions to DCD Tier 1, Section 2.5.1.1 to include the configuration restrictions for the CPCS, and the proposed additional ITAAC in Table 2.5.1-5, Item 27, the staff finds that the issues identified in RAI 554-9146, Question 07.02-18 are resolved. As such, the staff finds that the as-built CPCS will be verified to meet IEEE Std 603-1991, Clause 5.5. Therefore, the staff finds the ITAAC provided in Tier 1, Table 2.5.1-5, Item 27 meets the requirements of 10 CFR 52.47(b)(1). The incorporation of the proposed Tier 1 markups into the next revision of the DCD is a confirmatory item.

Independence

IEEE Std 603-1991, Clause 5.6.1, requires redundant portions of safety systems provided for a safety function be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. IEEE Std 603-1991, Clause 5.6.3, requires the safety system design to be such that credible failures in and consequential actions by other systems, as documented in Clause 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard. IEEE Std 603-1991, Clause 5.6.3.1, states, in part, "Isolation devices used to effect a safety system boundary shall be classified as part of the safety system." GDC 24 requires that the protection system be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired. The DCD Tier 1 design descriptions and ITAAC discussed in the three subsections below on physical separation, electrical isolation and communications independence address the independence requirements discussed in this paragraph.

Physical Separation

APR1400, DCD, Tier 1, Section 2.5.1.1, states, "The RTS and ESF initiation equipment is located in the auxiliary building and reactor containment building." APR1400, DCD, Tier 1, Section 2.5.1.1, Item 3.b, states, "Redundant Class 1E divisions listed in Table 2.5.1-1 and associated field equipment are physically separated and electrically independent from each other and physically separated and electrically independent from Class 1E equipment." The acceptance criteria state, in part, "The physical separation of as-built redundant Class 1E divisions identified in Table 2.5.1-1 and associated field equipment is provided by distance or barriers in accordance with NRC [Regulatory Guide (RG)] 1.75." IEEE Std 603-1991, Clause 5.6.1, requires physical separation between redundant portions of safety systems, and Clause 5.6.3, requires physical separation between Class 1E equipment and non-safety systems. RG 1.75 provides guidance for meeting the physical separation requirements of IEEE Std 603-1991, Clause 5.6. Based on the information presented in APR1400 DCD, Tier 1, Table 2.5.1-1, the staff could not identify where in the auxiliary building and reactor containment building the redundant divisions of safety equipment will reside in order to demonstrate that sufficient separation exists between the redundant divisions of safety equipment or between safety and non-safety equipment in order to meet the requirements of IEEE Std 603-1991, Clause 5.6. As such, in RAI 71-7906, Question 14.03.05-3 (ML15196A597), the staff requested the applicant to include this information in Tier 1 of the DCD and modify the corresponding ITAAC accordingly to verify via inspection that the as-built system meets the design commitment in order to demonstrate compliance to 10 CFR 52.47(b)(1).

In the October 8, 2015 response to RAI 71-7906, Question 14.03.05-3 (ML15281A303), the applicant stated the redundant Class 1E divisions and associated equipment listed in Table 2.5.1-1 of APR1400 Tier 1 are located in a separated I&C equipment room for each division and the location configuration meets the independence requirements of IEEE Std 603-1991, Clause 5.6. Also, the ex-core neutron detectors are located in the reactor containment building in a manner that the detectors for each measurement channel meet the independence requirements of IEEE Std 603-1991, Clause 5.6. The applicant committed to revise APR1400 DCD, Tier 1, Table 2.5.1-1 to include the specific locations of redundant Class 1E divisions and associated equipment. The staff finds the proposed changes to APR1400 DCD, Tier 1, Table 2.5.1-1 to include the location configuration of Class 1E divisions and associated equipment acceptable to support verification that as-built redundant Class 1E divisions are sufficiently separated to meet the requirements of IEEE Std 603-1991, Clause 5.6.

Therefore, the ITAAC provided in DCD, Tier 1, Table 2.5.1-5, Item 3.b meets the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 71-7906, Question 14.03.05-3 resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-1. As such, this confirmatory item has been satisfied.

Electrical Isolation

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 3.a, and the associated ITAAC state, "Class 1E equipment identified in Table 2.5.1-1 is powered from its respective Class 1E train." DCD Tier 1, Section 2.5.1.1, Item 3.b states, "Redundant Class 1E divisions listed in Table 2.5.1-1 and associated field equipment are physically separated and electrically independent from each other and physically separated and electrically independent from non-Class 1E equipment."

The associated acceptance criteria in DCD Tier 1, Table 2.5.1-5, Items 3.b.ii and 3.b.iii, state, "A report exists and concludes that independence of as-built redundant Class 1E divisions listed in Table 2.5.1-1 and associated field equipment is achieved by independent power sources and electrical circuits for each division, and by fiber optic cable interfaces, qualified isolation devices at interfaces between redundant divisions, and at interfaces between safety and non-safety systems." The staff finds that additional information is needed to clarify whether the qualified isolation devices at interfaces between redundant divisions and at interfaces between safety and non-safety systems are Class 1E qualified. In addition, an ITAAC was not provided to verify via inspection that Class 1E qualified isolation devices exist between redundant portions of safety systems and between safety and non-safety systems. As such, the staff requested in RAI 317-8271, Question 14.03.05-17 (ML15321A293) for the applicant to modify the DCD Tier 1, Table 2.5.1-5, Items 3.b.ii and 3.b.iii, to clarify that these qualified isolation devices are Class 1E as required by IEEE Std 603-1991, Clause 5.6, and to provide an ITAAC to verify via inspection that Class 1E qualified isolation devices exist between redundant portions of safety systems and between safety and non-safety systems.

In the July 26, 2016 response to RAI 317-8271, Question 14.03.05-17 (ML16208A563), the applicant proposed to revise the design description in Item 3.b of APR1400 DCD, Tier 1, Section 2.5.1.1 to state, "Class 1E qualified isolation devices such as fiber optic modems or interposing relays will be applied at interfaces of redundant safety divisions and at interfaces between safety and non-safety systems." Accordingly, inspection and acceptance criteria will be added in APR1400 DCD, Tier 1, Table 2.5.1-5, Item 3.b to verify the inclusion of these qualified isolation devices in the as-built system. Based on the proposed changes to Tier 1 to include descriptions of Class 1E qualified isolation devices and corresponding ITAAC to verify inclusion of these isolation devices in the as-built system, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-17 resolved. As such, the staff finds that the as-built PPS will be verified to meet the electrical requirements in IEEE Std 603-1991, Clause 5.6, and therefore, the ITAAC provided in DCD, Tier 1, Table 2.5.1-5, Items 3.a and 3.b meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-5. As such, this confirmatory item has been satisfied.

Communications Independence

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 3.c, states, "Communication independence is achieved between redundant divisions of the Class 1E equipment listed in Table 2.5.1-1 or between non-safety systems and the Class 1E equipment listed in Table 2.5.1-1." This design commitment implies that communication independence will either be achieved between redundant divisions of Class 1E equipment or between non-safety systems and Class 1E equipment. The staff believes the wording should be modified to "Communication independence is achieved between redundant divisions of the Class 1E equipment listed in Table 2.5.1-1 and between non-safety systems and the Class 1E equipment listed in Table 2.5.1-1" in order to demonstrate that communications independence will be achieved between redundant divisions of Class 1E equipment and between non-safety systems and Class 1E equipment. The staff finds that the design commitment and the associated ITAAC do not provide sufficient design information to demonstrate how communications independence will be achieved in the as-built system (e.g. types of communications faults that will be mitigated, key safety I&C features that will be used to mitigate these faults) in order to meet the requirements of 10 CFR 52.47(b)(1). For instance, the design description and the ITAAC should be more specific as to how communication independence is achieved for the various interdivisional communication links. Further, the staff did not find ITAAC to verify the uni-directional gateway between the maintenance and test panel (MTP) and the information processing system (IPS), and between the integrated test panel (ITP) and qualified information and alarm system - non-safety (QIAS-N) in order to verify that communications independence is achieved between safety and non-safety systems. In RAI 71-7906, Question 14.03.05-2 (ML15196A597), the staff requested the applicant to modify Tier 1 of the DCD, including the ITAAC to resolve these issues related to communication independence.

In the October 8, 2015 response to RAI 71-7906, Question 14.03.05-2 (ML15281A303), the applicant clarified that "A report" as specified in Item 3.c of the Acceptance Criteria in APR1400 DCD, Tier 1, Table 2.5.1-5 refers to the Safety I&C System Technical Report, which provides the detailed design information on how there is communications independence between redundant divisions of the Class 1E equipment listed in Table 2.5.1-1 and between the Class 1E equipment listed in Table 2.5.1-1 and the non-safety systems. Sections C.4.1.5 and C.4.2 of the Safety I&C System Technical Report provide detailed descriptions on communication from the MTP to the IPS and the ITP to the QIAS-N, which is all unidirectional. The applicant clarified that Item 3.c of the design description in APR1400 DCD, Tier 1, Section 2.5.1.1 includes both between redundant divisions of the Class 1E equipment listed in Table 2.5.1-1 and between Class 1E equipment listed in Table 2.5.1-1 and non-safety systems. The applicant committed to revise Item 3.c of the design description in APR1400 DCD, Tier 1, Section 2.5.1.1 to provide the design description only for communication between redundant divisions of the Class 1E equipment listed in Table 2.5.1-1. In addition, Item 3.d will be added to DCD Tier 1, Section 2.5.1.1 and Table 2.5.1-5 to provide the design description for communication from non-safety systems and Class 1E equipment listed in APR1400 DCD, Tier 1 Table 2.5.1-1.

In the June 28, 2016 supplemental response to RAI 71-7906, Question 14.03.05-2 (ML16180A280), the applicant committed to revise the design description to incorporate additional communications independence features into the proposed ITAAC. Specifically, the verification of key design and software features (e.g. use of dual port RAM, separate communication and function processor, only accepting predefined messages and error checking) for ensuring communications independence will be included as acceptance criteria to Items 3.c and 3.d in Table 2.5.1-5. Based on the proposed changes to APR1400 DCD, Tier 1, Section 2.5.1.1 and Table 2.5.1-5, Items 3.c and 3.d, the staff finds communications independence will be adequately verified in the as-built system to meet the requirements of IEEE Std 603-1991, Clause 5.6. Therefore, the staff finds the ITAAC provided in Table 2.5.1-5, Items 3.c and 3.d satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 71-7906, Question 14.03.05-2, to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-5. As such, this confirmatory item has been satisfied.
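Two of the software features named above, accepting only predefined messages and error checking, can be illustrated with a receive-side validator. This is an added example, not code from the applicant or the safety I&C platform: the frame layout, the message identifiers and lengths, and the choice of CRC-16/CCITT-FALSE are assumptions made for illustration. The receiver holds its last validated value when a frame is rejected, so a faulty sender cannot overwrite the data the function logic reads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { RX_OK, RX_TOO_SHORT, RX_UNKNOWN_ID, RX_BAD_LENGTH, RX_BAD_CRC } rx_status_t;

/* Constructed frame layout: [id][len][payload ...][crc_hi][crc_lo].
 * The predefined message set is fixed at build time (hypothetical entries). */
typedef struct { uint8_t id; uint8_t len; } msg_def_t;
static const msg_def_t MSG_TABLE[] = {
    { 0x01, 4 },   /* hypothetical: per-channel status bytes */
    { 0x02, 2 },   /* hypothetical: heartbeat counter        */
};

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection. */
uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side, used here to construct sample frames. Returns frame size or 0. */
size_t frame_build(uint8_t id, const uint8_t *payload, uint8_t len,
                   uint8_t *out, size_t cap)
{
    size_t total = (size_t)len + 4u;
    if (cap < total) return 0;
    out[0] = id;
    out[1] = len;
    memcpy(out + 2, payload, len);
    uint16_t crc = crc16(out, (size_t)len + 2u);
    out[len + 2] = (uint8_t)(crc >> 8);
    out[len + 3] = (uint8_t)(crc & 0xFF);
    return total;
}

/* Receiver side: accept a frame only if its id is in the predefined set, its
 * length is exactly the length defined for that id, and its CRC matches. */
rx_status_t rx_validate(const uint8_t *buf, size_t n, const uint8_t **payload)
{
    *payload = NULL;
    if (n < 4u) return RX_TOO_SHORT;
    const msg_def_t *def = NULL;
    for (size_t i = 0; i < sizeof MSG_TABLE / sizeof MSG_TABLE[0]; i++)
        if (MSG_TABLE[i].id == buf[0]) def = &MSG_TABLE[i];
    if (def == NULL) return RX_UNKNOWN_ID;
    if (buf[1] != def->len || n != (size_t)def->len + 4u) return RX_BAD_LENGTH;
    uint16_t got = (uint16_t)((buf[n - 2] << 8) | buf[n - 1]);
    if (got != crc16(buf, n - 2u)) return RX_BAD_CRC;
    *payload = buf + 2;
    return RX_OK;
}

/* Data handed to the function logic: updated only from validated frames. */
typedef struct { uint8_t status[4]; bool valid; uint32_t rejected; } rx_state_t;

rx_status_t rx_deliver(rx_state_t *s, const uint8_t *buf, size_t n)
{
    const uint8_t *p;
    rx_status_t st = rx_validate(buf, n, &p);
    if (st != RX_OK) {
        s->rejected++;               /* count it; keep the last good value */
        return st;
    }
    if (buf[0] == 0x01) {
        memcpy(s->status, p, sizeof s->status);
        s->valid = true;
    }
    return RX_OK;
}
```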

DI&C-ISG-04, Revision 1, Highly-Integrated Control Rooms - Communications Issues (HICRc), provides guidance for achieving communications independence to meet the requirements of IEEE Std 603-1991, Clause 5.6. Under interdivisional communications, Staff Position 10, the staff states that a physical cable disconnect, or a keylock, which can physically open the data transmission circuit or interrupt the hardwired logic connection should be used to protect software from unintended modifications. Based on the staff's review of the information provided in DCD Tier 1, Section 2.5, the staff could not locate design commitments or associated ITAAC to verify that a physical cable disconnect, or a keylock, which can physically open the data transmission circuit or interrupt the hardwired logic connection are employed in the as-built safety system to protect safety system software from unintended modifications. In RAI 317-8271, Question 14.03.05-18 (ML15321A293), the staff requested the applicant to modify Tier 1 of the DCD to include this information. In the June 30, 2016 response to RAI 317-8271, Question 14.03.05-18 (ML16182A581), the applicant proposed to add the following ITAAC items to each system in Section 2.5 of the APR1400 DCD, Tier 1: "Hardwired disconnections exist between the PPS, CPCS, QIAS-P, ESF-CCS cabinets, and the portable workstation used to download the PPS, CPCS, QIAS-P, ESF-CCS software. The hardwired disconnections protect the PPS, CPCS, QIAS-P, ESF-CCS software from unintended modifications."

Based on the proposed additional ITAAC in DCD Tier 1, Table 2.5.1-5, Item 26 to verify that hardwired disconnections exist between the portable workstation used to download safety system software and the cabinets of these systems, the staff finds software modification controls will be adequately verified in the as-built system to meet the requirements of IEEE Std 603, Clause 5.6. Therefore, the staff finds the ITAAC provided in DCD Tier 1, Table 2.5.1-5, Item 26 satisfies the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-18, to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Sections 2.5.1, 2.5.3, and 2.5.4 and Tables 2.5.1-5, 2.5.3-3 and 2.5.4-5. As such, this confirmatory item has been satisfied.

Capability for Test and Calibration

IEEE Std 603-1991, Clause 5.7, states, in part, that the capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. BTP 7-17 provides guidance on self-test and surveillance test provisions to meet the requirements of IEEE Std 603-1991, Clause 5.7. APR1400 DCD, Tier 1, Section 2.5.1.1, Item 22 and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 22, state that input sensors from each channel of the RTS and ESF initiation as identified in Tables 2.5.1-2 and 2.5.1-3 are compared continuously in the IPS to allow detection of out-of-tolerance sensors. APR1400 DCD, Tier 1, Section 2.5.1.1, Item 20, and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 20, state, "The PPS providing RTS and ESF initiation signals has the testing functions." It is not clear to the staff what is meant by the design description in Section 2.5.1.1, Item 20. Specifically, it is not clear whether this design description intends to state that the capability to test and calibrate the PPS exists or that there are self-testing functions within the PPS. In addition, the design description regarding testing functions does not include criteria for testing features included in the design to meet the requirements of IEEE Std 603-1991, Clause 5.7 (e.g. ability to detect faults in a manner that meets the design requirements of the PPS). In RAI 71-7906, Question 14.03.05-4 (ML15196A597), the staff requested the applicant to modify the design description in Tier 1 of the APR1400 DCD to address these issues (including the acceptance criteria to the corresponding ITAAC) in order to meet the requirements of IEEE Std 603-1991, Clause 5.7 and 10 CFR 52.47(b)(1).

In the October 8, 2015 response to RAI 71-7906, Question 14.03.05-4 (ML15281A303), the applicant clarified that the testing functions described in Item 20 of the design description in APR1400 DCD, Tier 1, Section 2.5.1.1 and the design commitment in APR1400 DCD, Tier 1, Table 2.5.1-5 mean the testing function that can be manually initiated for periodic surveillance tests during power operation. The testing function includes a bistable processing logic test and a coincidence processing logic test. This testing function is initiated via the maintenance and test panel (MTP), and the test request and test values are transmitted to the bistable processor and coincidence processor to confirm the intended safety functions of those processors. The applicant committed to revise the design description in APR1400 DCD, Tier 1, Section 2.5.1.1 and the design commitment in APR1400 DCD, Tier 1, Table 2.5.1-5, Item 20 to reflect this clarification. The staff finds the proposed changes to APR1400 DCD, Tier 1, Section 2.5.1.1 and Table 2.5.1-5 to clarify the meaning of testing functions acceptable, and thus finds the issues identified in RAI 71-7906, Question 14.03.05-4, to be resolved. The staff also finds the design description in Tier 1, Section 2.5.1.1, Item 22 and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 22 will adequately verify the as-built IPS will detect out of range sensors. As such, the staff finds that the as-built PPS will be verified to meet IEEE Std 603-1991, Clause 5.7, and therefore, the ITAAC in DCD, Tier 1, Table 2.5.1-5, Item 20 and Item 22 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-5, Item 20. As such, this confirmatory item has been satisfied.

Information Displays

IEEE Std 603-1991, Clause 5.8.1, states that the display instrumentation provided for manually controlled actions for which no automatic control is provided and the display instrumentation required for the safety systems to accomplish their safety functions shall be part of the safety systems. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. IEEE Std 603-1991, Clause 5.8.2, states, in part, that display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. IEEE Std 603-1991, Clause 5.8.3, states, in part, that if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

APR1400 DCD Tier 1, Section 2.5.1.1, Item 5 and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 5, state, "The [Operator Module (OM)] in the MCR displays the status information of the variables listed in Table 2.5.1-2 and 2.5.1-3." APR1400 DCD, Tier 1, Section 2.5.1.1, Item 7.c and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 7.c, state that "The PPS provides indications of the bypassed or inoperable status indication (BISI) on the OM in the MCR for the variables identified in Tables 2.5.1-2 and 2.5.1-3 for RT and ESF initiation." The staff finds that the design commitments in Tier 1 Section 2.5.1.1, Item 5, and associated ITAAC in Table 2.5.1-5, Item 5 adequately verify that the status of plant variables is displayed on the as-built OM to meet IEEE Std 603-1991, Clause 5.8.2. The staff finds that the design commitment in Section 2.5.1.1, Item 7.c, and associated ITAAC in Table 2.5.1-5, Item 7.c adequately verify that BISI is provided for the as-built PPS to meet IEEE Std 603-1991, Clause 5.8.3. Therefore, the staff finds the ITAAC in Table 2.5.1-5, Items 5 and 7.c meet the requirements of 10 CFR 52.47(b)(1). The staff's evaluation on demonstrating conformance to IEEE Std 603-1991, Clause 5.8.1 is provided in Section 14.3.5.4.4 of this safety evaluation.

Control of Access

IEEE Std 603-1991, Clause 5.9, states, "The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof." APR1400 DCD, Tier 1, Section 2.5.1.1, Item 12 and the corresponding ITAAC in Table 2.5.1-5, Item 12 state, "The cabinets listed in Table 2.5.1-1 have key locks and door open alarms, and are located in a vital area of the facility." Based on this design commitment and associated ITAAC in DCD Tier 1, Table 2.5.1-5, Item 12, the staff finds that the control of access features for the as-built equipment listed in Table 2.5.1-1 are verified to meet the requirements of IEEE Std 603-1991, Clause 5.9. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.1-5, Item 12 meet the requirements of 10 CFR 52.47(b)(1).

Identification

IEEE Std 603-1991, Clause 5.11, requires, in part, that safety system equipment be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982. APR1400 DCD, Tier 1, Section 2.5.1.1, Item 14, and the corresponding ITAAC in Table 2.5.1-5, Item 14 state that redundant safety equipment listed in Table 2.5.1-1 is provided with means of identification. Based on this design commitment and associated ITAAC in DCD Tier 1, Table 2.5.1-5, Item 14, the staff finds that identification for the as-built equipment listed in Table 2.5.1-1 will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.11. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.1-5, Item 14 meet the requirements of 10 CFR 52.47(b)(1).

Automatic Control

IEEE Std 603-1991, Clause 6.1 states, in part, that "Means shall be provided to automatically initiate and control all protective actions except as justified in [Clause] 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in [Clause] 4.5 following the onset of each design basis event."

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 4.a and the corresponding ITAAC in DCD Tier 1 Table 2.5.1-5, Item 4.a, state, "The PPS provides an automatic RT and ESF initiation signals, as indicated in Tables 2.5.1-2 and 2.5.1-3, if plant process signals reach predetermined setpoints."

The associated acceptance criterion for this design commitment states, "Each as-built RTSS opens upon receipt of the automatic reactor trip signal identified in Table 2.5.1-2 from respective division of the as-built RTS, and as-built ESF initiation signals are sent to ESF-CCS upon receipt of the automatic ESF initiation signal identified in Table 2.5.1-3." Based on the design commitment and associated ITAAC presented, it is not clear whether a reactor trip signal and an ESF actuation signal are automatically initiated for each function listed in DCD Tier 1, Table 2.5.1-2 and Table 2.5.1-3, respectively. As such, in RAI 317-8271, Question 14.03.05-19 (ML15321A293), the staff requested the applicant to clarify this information in Tier 1 of the APR1400 DCD in order to demonstrate that the as-built system meets the requirements of IEEE Std 603-1991, Clause 6.1. In the February 5, 2016 response to RAI 317-8271, Question 14.03.05-19 (ML16036A374), the applicant proposed to clarify APR1400 DCD, Tier 1, Section 2.5.1.1, and the associated ITAAC Item 4.a in Table 2.5.1-5 to indicate that each condition listed in APR1400 DCD, Tier 1, Tables 2.5.1-2 and 2.5.1-3 will provide a reactor trip and ESF initiation signal. Based on this proposed revision to APR1400 DCD, Tier 1, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-19, to be resolved. As such, the staff finds that the as-built PPS will be verified to meet IEEE Std 603-1991, Clause 6.1, and therefore, the ITAAC in DCD Tier 1, Table 2.5.1-5, Item 4.a meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.1 and Table 2.5.1-5, Item 4.a. As such, this confirmatory item has been satisfied.

Manual Control

IEEE Std 603-1991, Clause 6.2.1, states, in part, that means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. APR1400 DCD Tier 1, Section 2.5.1.1, Item 4.c and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 4.c, state, "Manual reactor trip switches are provided in the MCR and the RSR for reactor trip." Based on the provision of design descriptions in APR1400 DCD Tier 1, Section 2.5.1.1, Item 4.c and corresponding ITAAC in Table 2.5.1-5, Item 4.c to verify the as-built MCR and RSR will contain manual reactor switches to trip the reactor, the staff finds the requirements of IEEE Std 603-1991, Clause 6.2.1 are met for reactor trip functions. Therefore, the staff finds the ITAAC provided in Table 2.5.1-5, Item 4.c meet the requirements of 10 CFR 52.47(b)(1).

Bypasses

IEEE Std 603-1991, Clause 6.6, states, in part, that "Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function." IEEE Std 603-1991, Clause 6.7, states, in part, that "Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of [Clauses] 5.1 and 6.3."

APR1400 DCD, Tier 1, Section 2.5.1.1 and the corresponding ITAAC in Tier 1, Table 2.5.1-5 provide the following design commitments with respect to operating and maintenance bypasses.

  • Item 7.a states, "The PPS provides manual trip bypasses on the MTP switch panel, for RT and ESF initiation identified in Tables 2.5.1-2 and 2.5.1-3, respectively."
  • Item 7.b states, "The PPS automatically removes the operating bypasses listed in Table 2.5.1-4 when permissive conditions are not met."
  • Item 9 states, "The PPS utilizes a 2-out-of-4 coincidence logic when no channels are in trip channel bypass. The PPS converts to a 2-out-of-3 coincidence logic whenever a trip channel bypass is present."
  • Item 21 states, "A single channel of RTS and ESF initiation is bypassed to allow testing, maintenance or repair and this capability does not prevent the RTS and ESF initiation from performing its safety function."

Based on the above design commitments and associated ITAAC in DCD Tier 1, Table 2.5.1-5 Items 7.a, 7.b, 9, and 21, the staff finds that operating and manual bypass functions will be adequately verified in the as-built PPS to meet the requirements of IEEE Std 603-1991, Clauses 6.6 and 6.7. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.1-5 Items 7.a, 7.b, 9, and 21 meet the requirements of 10 CFR 52.47(b)(1).
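A minimal model of the bypass behaviour quoted in Items 7.b, 9 and 21 above, as an added example that is not taken from the DCD or this SER. The channel names A to D, the class and method names, and the rule that an active operating bypass inhibits initiation are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

CHANNELS = ("A", "B", "C", "D")  # assumed names for the four redundant channels


class BypassRejected(Exception):
    """Raised when a second trip channel bypass is requested."""


@dataclass
class CoincidenceLogic:
    """Hypothetical model of one protective function's voting logic."""
    trip_bypassed: Optional[str] = None   # at most one channel (Item 21)
    operating_bypass: bool = False        # bypass tied to a permissive (Item 7.b)

    def set_trip_channel_bypass(self, channel: str) -> None:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        # Only a single channel may be bypassed; a second request is refused
        # so that the remaining logic never degrades below 2-out-of-3.
        if self.trip_bypassed not in (None, channel):
            raise BypassRejected(
                f"channel {self.trip_bypassed} is already in trip channel bypass")
        self.trip_bypassed = channel

    def clear_trip_channel_bypass(self) -> None:
        self.trip_bypassed = None

    def request_operating_bypass(self, permissive_met: bool) -> bool:
        # Activation is prevented unless the permissive condition is met.
        self.operating_bypass = bool(permissive_met)
        return self.operating_bypass

    def evaluate(self, trips: Dict[str, bool], permissive_met: bool) -> dict:
        # Item 7.b: the operating bypass is removed automatically as soon
        # as the permissive condition is no longer met.
        if self.operating_bypass and not permissive_met:
            self.operating_bypass = False
        # Item 9: the bypassed channel is excluded from the vote, turning
        # 2-out-of-4 into 2-out-of-3 over the remaining channels.
        voting = [ch for ch in CHANNELS if ch != self.trip_bypassed]
        votes = sum(1 for ch in voting if trips[ch])
        return {
            "logic": f"2-out-of-{len(voting)}",
            "votes": votes,
            "operating_bypass": self.operating_bypass,
            "initiate": votes >= 2 and not self.operating_bypass,
        }


if __name__ == "__main__":
    logic = CoincidenceLogic()
    # Constructed bistable states: channels A and B demand a trip.
    sample = {"A": True, "B": True, "C": False, "D": False}
    print(logic.evaluate(sample, permissive_met=False))
    logic.set_trip_channel_bypass("A")
    print(logic.evaluate(sample, permissive_met=False))
```

With channel A in trip channel bypass, a demand from A no longer counts, so A and B together do not initiate while B and C do.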

Setpoints

IEEE Std 603-1991, Clause 4.10, requires the identification of critical points in time or the plant conditions, after the onset of a design basis event. APR1400 DCD, Tier 1, Section 2.5.1.1, Item 10 and the corresponding ITAAC in Tier 1, Table 2.5.1-1, Item 10, state that accuracy, response time testing, surveillance testing, and maintenance are applied to determine setpoints for variables of RT and ESF initiation. Section 2.5.1.1, Item 16 and the corresponding ITAAC in Tier 1, Table 2.5.1-1, Item 16, state that "The PPS provides RT and ESF initiation signals to meet the required response time for trip and initiation conditions identified in Tables 2.5.1-2 and 2.5.1-3." The acceptance criteria in the corresponding ITAAC in DCD Tier 1 Table 2.5.1-5 states, "A report exists and concludes that the PPS initiates the RT and the ESF initiation signals identified in Tables 2.5.1-2 and 2.5.1-3 within the response time requirements as described in the design basis." Based on the design commitment and the associated ITAAC provided, it is not clear to the staff where the response time will be measured from (e.g. from output of sensors to the RTSS breakers/ESF-CCS input). In RAI 317-8271, Question 14.03.05-20 (ML15321A293), the staff requested the applicant to clarify where the response time will be measured from to verify this design commitment. In the March 2, 2016 response to RAI 317-8271, Question 14.03.05-20 (ML16062A317), the applicant states, Section A.3.1 of the Response Time Analysis of Safety I&C System technical report, the allocated response time covers not only the internal and external communication delays caused by communication modules and cables, but also includes adequate communication margins between equipment. Accordingly, the descriptions of the inspections, tests, analyses and the acceptance criteria for Item 16.a in Table 2.5.1-5 will include the communication delays from the BP to the LCL. The description of the acceptance criteria for Item 20.a in Table 2.5.4-5 will include the communication delays from the LCL of the PPS to group controllers of the ESF-CCS. Based on the proposed changes to ITAAC Item 16.a in APR1400 DCD, Tier 1, Table 2.5.1-5 and Item 20.a in Table 2.5.4-5 to clarify the response time will include the communication delays from the BP to the LCL and from the LCL of the PPS to the group controllers of the ESF-CCS, the staff finds the response time of the entire ESFAS actuation path will be verified, and thus demonstrates the requirements of IEEE Std 603-1991, Clause 4.10 will be met in the as-built system, and thus these ITAAC (Item 16 in APR1400 DCD, Tier 1, Table 2.5.1-5 and Item 20 in Table 2.5.4-5) satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-20 to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Tables 2.5.1-5 and 2.5.4-5. As such, this confirmatory item has been satisfied.

Diversity

GDC 22 states, "The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function." APR1400 DCD, Tier 1, Section 2.5.1.1, Item 23 and the corresponding ITAAC in Tier 1, Table 2.5.1-5, Item 23, state that two sets of RTSS which consists of four RTSGs are diverse each other. The acceptance criterion for the corresponding ITAAC identified in APR1400 DCD, Tier 1, Table 2.5.1-5, Item 23, states, "Two sets of the as-built RTSS which consists of four RTSGs are diverse each other: One set of RTSGs is supplied from a different manufacturer than the other set of RTSGs." APR1400 DCD Tier 2, Section 7.2.1.9, states that for additional diversity, the RTSS consists of one set of four RTSGs (RTSS 1) and another set of four RTSGs (RTSS 2) with diverse design features.

However, this section does not provide description of the attributes that make the design diverse (e.g. RTSGs supplied by different manufacturer). As such, in RAI 317-8271, Question 14.03.05-21 (ML15321A293), the staff requested the applicant to provide descriptions of the attributes that make the design diverse in APR1400 DCD Tier 2 to support the design descriptions in APR1400 DCD, Tier 1. Further, the staff requested the applicant to define the acronym RTSG as it is not defined in Tier 1 of this application.

In the February 5, 2016 response to RAI 317-8271, Question 14.03.05-21 (ML16036A374), the applicant committed to revise APR1400 DCD, Tier 2, Section 7.2.1.9 to include a description of the design and manufacturing differences that make the two different sets of RTSS diverse. Further, the applicant committed to add the term RTSG (reactor trip switchgear) to the acronym and abbreviation list in the APR1400 DCD, Tier 1. Based on the added description in APR1400 DCD, Tier 2 to support the information in Tier 1 regarding the diversity between the two RTSS sets, and the definition of the acronym for RTSG in Tier 1, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-21, to be resolved. As such, the staff finds that the as-built RTSS will be verified to meet GDC 22, and thus the ITAAC in DCD Tier 1, Table 2.5.1-5, Item 23 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, acronym and abbreviation list and DCD Tier 2, Section 7.2.1.9. As such, this confirmatory item has been satisfied.

Control Room

Title 10 CFR Part 50, Appendix A, GDC 19, states, in part, "A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents ... Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures."

APR1400 DCD, Tier 1, Section 2.5.1.1, Item 8, and the corresponding design commitment in DCD Tier 1, Table 2.5.1-5, Item 8, state, "Each PPS division is controlled from either the MCR or RSR, as selected from MCR/RSR master transfer switches." The ITA of this ITAAC states, "A test of the as-built PPS will be performed to demonstrate the transfer function between the MCR and RSR." The acceptance criteria for this ITAAC states, "The as-built master transfer switches transfer controls between the MCR and RSR separately for each as-built PPS division, as follows: [1] Controls at the RSR are disabled when controls are active in the MCR. [2] Controls at the MCR are disabled when controls are active in the RSR." Based on the above descriptions, it is unclear whether this ITAAC is intended to verify the RSR will have controls for the PPS to meet the requirements of the GDC 19 since the design description and corresponding ITAAC only focuses on verifying the operation of the transfer switch. As such, in RAI 317-8271, Question 14.03.05-22 (ML15321A293), the staff requested the applicant to provide design descriptions and corresponding ITAAC to verify that the as-built RSR contains sufficient controls to meet the requirements of GDC 19. In the May 19, 2016 response to RAI 317-8271, Question 14.03.05-22 (ML16142A002), the applicant proposes to revise APR1400 DCD, Tier 1, Table 2.5.1-5, ITAAC Item 8 to include the control functions based on the transfer capability between the MCR and the RSR to be consistent with the design commitment, Section 2.5.1.1, Item 8 and in compliance with GDC 19. Based on the proposed revision to APR1400 DCD, Tier 1 to include verification of the control functions in addition to the transfer capability between the MCR and RSR in the as-built PPS, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-22, to be resolved. As such, the staff finds that the as-built PPS will be verified to meet the requirements of GDC 19, and thus the ITAAC in Tier 1, Table 2.5.1-5, Item 8 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Tables 2.5.1-5 and 2.5.4-5. As such, this confirmatory item has been satisfied.

The staff also identified the following ITAAC regarding safe shutdown systems and the RSR:

  • DCD Tier 1, Table 2.4.1-4, Items 8.b, 8.d, 8.e, and 8.f
  • DCD Tier 1, Table 2.4.2-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.4.3-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.4.4-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.4.5-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.4.6-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.5.1-5, Item 4.c
  • DCD Tier 1, Table 2.5.4-5, Items 8 and 11
  • DCD Tier 1, Table 2.5.5-2, Item 3
  • DCD Tier 1, Table 2.6.1-3, Items 3.b and 3.d
  • DCD Tier 1, Table 2.6.2-3, Items 6.b and 6.d
  • DCD Tier 1, Table 2.6.3-3, Item 11.b
  • DCD Tier 1, Table 2.6.4-3, Item 3.b
  • DCD Tier 1, Table 2.7.1-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.1.4-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.1.5-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.1.8-3, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.2.1-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.2.2-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.2.3-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.2.5-4, Items 7.b and 7.d
  • DCD Tier 1, Table 2.7.2.6-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.3.1-3, Items 5.b and 5.d
  • DCD Tier 1, Table 2.7.3.2-3, Items 5.b and 5.d
  • DCD Tier 1, Table 2.7.3.3-3, Items 4.b and 4.d
  • DCD Tier 1, Table 2.7.3.5-3, Items 5.b and 5.d
  • DCD Tier 1, Table 2.7.4.3-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.7.5.2-3, Item 8.b
  • DCD Tier 1, Table 2.7.6.4-3, Item 3
  • DCD Tier 1, Table 2.11.2-4, Items 8.b and 8.d
  • DCD Tier 1, Table 2.11.3-2, Items 8.b and 8.d
  • DCD Tier 1, Table 2.11.4-3, Items 5.b and 5.d

The staff reviewed DCD Tier 1, Table 2.7.6.2-4 and DCD Tier 1, Table 2.7.6.5-3, and could not identify any ITAAC to verify that indications and alarms exist in the RSR for the Gaseous Radwaste System (GRS) or the Area Radiation Monitoring System (RMS). As such, the staff issued RAI 276-8304, Question 07.04-07 (ML15302A317), to request the applicant to resolve this issue. In the December 31, 2015, response to RAI 276-8304, Question 07.04-07 (ML15365A574), the applicant proposed to revise the ITAAC in APR1400 DCD, Tier 1, Sections 2.7.6.2.1 and 2.7.6.5.1, and Tables 2.7.6.2-4 and 2.7.6.5-3 to include verification that indications and alarms exist in the RSR for the GRS and Area RMS. Based on the proposed DCD changes to verify the as-built plant RSR contains indications and alarms for the GRS and Area RMS, the staff finds the issues identified in RAI 276-8304, Question 07.04-07, to be resolved. As such, the staff finds that the as-built system will be verified to meet IEEE GDC 19, and therefore the ITAAC identified in the list above and the proposed ITAAC addition to Tables 2.7.6.2-4 and 2.7.6.5-3 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Sections 2.7.6.2.1 and 2.7.6.5.1, and Tables 2.7.6.2-4 and 2.7.6.5-3. As such, this confirmatory item has been satisfied.

Diverse Actuation System

The applicant provided design descriptions and ITAAC verifying design features for the diverse actuation system (DAS) in APR1400 DCD, Tier 1, Section 2.5.2, "Diverse Actuation System."

APR1400 DCD, Tier 1, Section 2.5.2, states that the DAS is a non-safety system which provides a diverse mechanism to decrease risk from the anticipated transients without scram (ATWS) events. The DAS also assists the mitigation of the effects of a postulated software common cause failure (CCF) within the PPS and the engineered safety features component control system (ESF-CCS). The DAS equipment is located in the auxiliary building as described in APR1400 DCD, Tier 1, Table 2.5.2-1. The DAS consists of the diverse protection system (DPS), the diverse manual ESF actuation (DMA) switches, and the diverse indication system (DIS). The DPS initiates reactor trip, turbine trip, auxiliary feedwater actuation, and safety injection actuation. The DPS consists of four channels of non-safety equipment. The DMA switches are provided to permit the operator to actuate ESF systems from the MCR after a postulated software CCF of the PPS and ESF-CCS. The DIS provides functions to monitor critical variables and to control heated junction thermocouple (HJTC) heater power when the CCF of digitalized safety I&C systems occurs.

The following APR1400 DCD, Tier 1 tables are provided for the DAS:

  • Table 2.5.2-1, Diverse Actuation System Equipment Location and Classification
  • Table 2.5.2-2, DPS Automatic Functions and Actuation Signals
  • Table 2.5.2-3, Functions Manually Actuated by the DMA Switches
  • Table 2.5.2-4, Variables Monitored and Controlled by the DIS
  • Table 2.5.2-5, Diverse Actuation System ITAAC

GDC 1 states in part that structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. BTP 7-14 provides guidance for software reviews for I&C systems. The SPM TeR describes the software engineering process for digital computer-based I&C systems of the APR1400. Section 1.1 of this TeR states that this report provides generic guidance for the software program plans based on the BTP 7-14. Section 2.2 of this technical report defines the software life cycle phases for the development of I&C system software, which includes the concept, requirements, design, implementation, test, installation and checkout, and operation and maintenance phases. This TeR applies to both protection class software and important-to-safety (ITS) software. Appendix A of this TeR indicates that the DPS and DIS contain ITS software. Tier 1, Section 2.5.2.1, Item 6, and the corresponding ITAAC in Table 2.5.2-5, Item 6 state, "The DPS software is implemented according to the software lifecycle process." The staff finds that the design commitment does not state that the output of each life cycle phase will conform to the requirements of that phase. In addition, the acceptance criterion for the corresponding ITAAC states that a summary report with the results of each phase exists and this summary report will conclude that the phase activities are performed. However, the staff finds that this acceptance criterion does not verify that the output of the phase meets the requirements of that phase. Further, no design description and ITAAC exists to verify the DIS is implemented in accordance with a software development lifecycle process, if it contains programmable technology. In RAI 71-7906, Question 14.03.05-5 (ML15196A597), the staff requested that the applicant modify Tier 1 of the DCD, including the corresponding ITAAC, to resolve these issues in order to demonstrate compliance with GDC 1 and 10 CFR 52.47(b)(1). In the May 18, 2016 response to RAI 71-7906, Question 14.03.05-5 (ML16139B055), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.2.1 to clarify the design commitment, inspections, tests, analyses, and acceptance criteria for each phase of the software lifecycle, as defined in the SPM. The applicant committed to add a design description and ITAAC to verify the DIS is implemented according to each development phase of the software lifecycle process. The outputs, including documentation, of each development phase of the software lifecycle process will be verified by inspection and analysis to conform to the requirements of that phase. The staff finds the proposed changes to APR1400 DCD, Section 2.5.2.1, and Table 2.5.2-5, Item 6, and the addition of Item 9 to Table 2.5.2-5 adequate to verify the as-built DPS and DIS software will conform to the requirements of each phase of the software lifecycle in the software development process.

Thus, the staff finds the as-built DIS and DPS will be verified to meet the quality requirements of GDC 1, and therefore, the ITAAC in Tier 1, Table 2.5.2-5, Items 6 and 9 satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues related to RAI 71-7906, Question 14.03.05-5, to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.2 and Table 2.5.2-5. As such, this confirmatory item has been satisfied.

GDC 2 requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. GDC 4 requires, in part, that structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. APR1400 DCD Tier 1, Section 2.5.2.1, Item 1 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 1, state, "The seismic Category I equipment identified in Table 2.5.2-1 can withstand seismic design basis loads without loss of protective function." APR1400 DCD Tier 1, Section 2.5.2.1, Item 5 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 5, state, "The DPS cabinets listed in Table 2.5.2-1 are located in separate rooms." Based on the provision of design descriptions in APR1400 DCD Tier 1, Section 2.5.2.1, Items 1 and 5, and ITAAC in Table 2.5.2-5, Items 1 and 5 to verify that the as-built DPS can withstand seismic loads and the DPS cabinets are located in separate rooms to prevent the effects of natural phenomena from affecting multiple DPS cabinets, the staff finds the as-built DPS meets the requirements of GDC 2 and 4. Therefore, the staff finds the ITAAC in Table 2.5.2-5, Items 1 and 5 meet the requirements of 10 CFR 52.47(b)(1).

GDC 22 states: "The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function." The SRM to SECY-93-087, Item II.Q, provides requirements for addressing software common cause failures within safety I&C systems. Point 3 of this item states, "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions." Point 4 of the SRM to SECY-93-087, Item II.Q, states, "A set of displays and controls located in the main control room shall be provided for manual, system level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above." BTP 7-19 provides guidance on meeting the requirements of GDC 22 and SRM to SECY-93-087, Item II.Q. Section 3.1 of BTP 7-19 states, "For each anticipated operational occurrence [(AOO)] in the design basis occurring in conjunction with each single postulated CCF, the plant response calculated using realistic assumptions should not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary."

APR1400 DCD Tier 1, Section 2.5.2.1, Item 2 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 2, state, "The DPS is physically separate, electrically independent, and diverse from the PPS and ESF-CCS including a diverse method for the reactor trip, the turbine trip, the auxiliary feedwater actuation and safety injection actuation." APR1400 DCD Tier 1, Section 2.5.2.1, Item 3 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 3, state, "The DPS provides the automatic functions as shown in Table 2.5.2-2, if plant process signals exceed predetermined setpoints." APR1400 DCD Tier 1, Section 2.5.2.1, Item 4 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 4, state, "The DPS utilizes a 2-out-of-4 coincidence logic for the initiation of automatic functions shown in Table 2.5.2-2."

The staff reviewed APR1400 DCD, Tier 1, Section 2.5.2, and could not identify design commitments or corresponding ITAAC that verify the response time of the as-built DPS will be sufficient to demonstrate that the plant response will not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary. In RAI 71-7906, Question 14.03.05-6 (ML15196A597), the staff requested the applicant to modify APR1400 DCD, Tier 1 to provide a design commitment and corresponding ITAAC to verify that the as-built DPS response time from sensor output through equipment actuation is less than the value required to satisfy the diverse actuation function response time assumptions.

In the October 8, 2015, response to RAI 71-7906, Question 14.03.05-6 (ML15281A303), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.2.2 and Table 2.5.2-5 to add an Item 10 with the following design description and ITAAC to verify the response time of the DPS:

The DPS initiates diverse [RT], auxiliary feedwater actuation signal (AFAS), and safety injection actuation signal (SIAS) within the required response time for trip/initiation conditions identified in Table 2.5.2-2.

The staff finds the proposed revisions to APR1400 DCD, Tier 1, Section 2.5.2.1 and Table 2.5.2-5, Item 10 are acceptable because this ITAAC item ensures verification that the response time of the as-built DPS meets the timing requirements for the functions performed by the DPS. As such, the staff finds the issues identified in RAI 71-7906, Question 14.03.05-6, to be resolved. The staff finds the proposed design description in APR1400 DCD, Tier 1, Section 2.5.2.1, Item 10 and ITAAC in Tier 1, Table 2.5.2-5, Item 10 will verify the as-built DPS meets the requirements of GDC 22.

In the January 29, 2018 supplemental response provided by the applicant to RAI 33-7880, Question 07.08-1 (ML18029A859), the applicant provided further clarification in support of their claim that the PPS and DPS are diverse. The applicant stated that the field programmable gate array (FPGA) logic devices for the DAS use hardware in the FPGA that is diverse from the hardware in the EEPROM-based programmable logic devices (EPLDs) used in the common safety programmable logic controller (PLC) platform. In addition to this, the FPGA for the DAS is programmed by a diverse programming tool as compared to the tool used to program the EPLDs for the common safety PLC platform. The applicant committed to revise DCD Tier 1, Table 2.5.2-5, Item 2 to incorporate the diversity attributes described in this RAI response.

Since the DPS and PPS are implemented using two diverse technologies, the staff finds there is adequate design diversity between the DPS and PPS. The staff also finds the proposed changes to DCD Tier 1, Table 2.5.2-5, Item 2 are acceptable and thus this ITAAC meets the requirements of 10 CFR 52.47(b)(1). The incorporation of the proposed markups into the next revision of the DCD is a confirmatory item.

The staff finds the design description in APR1400 DCD, Tier 1, Section 2.5.2.1, Items 2, 3, and 4 and corresponding ITAAC in Tier 1, Table 2.5.2-5, Items 2, 3, and 4 will verify the as-built DPS is diverse and independent from the PPS and ESF-CCS, and the as-built DPS will perform the protective functions required with sufficient reliability to meet the requirements of Point 3 to the SRM to SECY-93-087. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.2-5, Items 2, 3, 4, and 10 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of the APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.2 and Table 2.5.2-3. As such, this confirmatory item has been satisfied.

APR1400 DCD Tier 1, Section 2.5.2.1, Item 7 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 7, state, "The DMA switches in the MCR are used to provide the functions identified in Table 2.5.2-3." APR1400 DCD Tier 1, Section 2.5.2.1, Item 12 and the corresponding ITAAC in Tier 1, Table 2.5.2-5, Item 12, state, "The DIS is diverse and independent from the QIAS-P." Section 5.2 of Technical Report APR1400-Z-J-NR-14002-P, Revision 0, "Diversity and Defense-in-Depth [D3]," states, "The DIS is a single channel of non-safety equipment to meet the requirements of BTP 7-19, Point 4, position on D3 for the safety I&C systems." This section of the TeR states that the DIS is diverse from the QIAS-P and QIAS-N. In addition, this section of the TeR states that the typical DIS variables are listed in Appendix C of this TeR and the display parameters include inadequate core cooling monitoring information, accident monitoring information, and emergency operation-related information. The DIS independently calculates a representative core exit temperature, saturation margins and reactor vessel levels for the display. It also provides the heated junction thermocouple heater power control function for the reactor vessel level detector as a backup of the QIAS-P calculated function which is potentially lost due to a postulated CCF of the safety I&C systems. The staff reviewed APR1400 DCD, Tier 1, and could not find any design commitments and corresponding ITAAC to verify that the as-built DIS performs the functions stated in the D3 TeR. The staff also could not find design commitments and corresponding ITAAC to verify that the as-built DIS is diverse and independent from the QIAS-P and QIAS-N to address the SRM to SECY-93-087 and GDC 22. In RAI 71-7906, Question 14.03.05-7 (ML15196A597), the staff requested that the applicant provide design commitments and ITAAC in Tier 1 of the APR1400 DCD to verify that the as-built DIS performs these functions and is diverse and independent from the QIAS-P and QIAS-N to meet the requirements of 10 CFR 52.47(b)(1).

In the October 8, 2015, response to RAI 71-7906, Question 14.03.05-7 (ML15281A303), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.2.1 and Table 2.5.2-5 to describe the diversity and independence of the DIS. Specifically, Section 2.5.2.1, Design Description, Item 8 will be revised, and Items 9 and 11 will be added, to indicate that the DIS monitors and displays the variables presented in Tier 1, Table 2.5.2-4, and is independent and diverse from the QIAS-P. The staff finds the proposed revisions to APR1400 DCD, Tier 1, Section 2.5.2.1 and Table 2.5.2-5, Items 8, 9, and 11 are acceptable because these ITAAC will verify the functions performed by the DIS and verify the DIS is independent and diverse from the QIAS-P. As such, the staff finds the issues identified in RAI 71-7906, Question 14.03.05-7 are resolved. Based on the provision of ITAAC in DCD Tier 1, Table 2.5.2-5, Items 8, 9, and 11 to verify the as-built DIS satisfies the diversity requirements of GDC 22, the staff finds these ITAAC meet 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of the APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.2.1 and Table 2.5.2-3. As such, this confirmatory item has been satisfied.

Based on the provision of design descriptions in Tier 1, Section 2.5.2.1, Item 7 and the corresponding ITAAC in DCD Tier 1, Table 2.5.2-5, Item 7 to verify the as-built DMA switches will provide the capability for manual actuation of protective functions listed in Table 2.5.2-3, the staff finds the manual controls requirements in Point 4 of the SRM to SECY-93-087 are met.

Based on the provision of design descriptions in Tier 1, Section 2.5.2.1, Item 12 and the corresponding ITAAC in DCD Tier 1, Table 2.5.2-5, Item 12 to verify the as-built DIS is diverse and independent from the QIAS-P, the staff finds the diverse and independent display requirements of Point 4 of the SRM to SECY-93-087 are met. Therefore, the staff finds the ITAAC in Table 2.5.2-5, Items 7 and 12, meet the requirements of 10 CFR 52.47(b)(1).

Qualified Indication and Alarm System

The applicant provided design descriptions and ITAAC verifying design features for the qualified indication and alarm system (QIAS) in APR1400 DCD, Tier 1, Section 2.5.3, Qualified Indication and Alarm System. APR1400 DCD, Tier 1, Section 2.5.3, states that the QIAS is a monitoring system that is used to display safety-related information and non-safety information.

The QIAS consists of two subsystems, the QIAS-P, Divisions A and B, and the QIAS-N. The QIAS-P is safety-related and the QIAS-N is non-safety. APR1400 DCD, Tier 1, Section 2.5.3.1 provides design descriptions for the QIAS-P.

The following APR1400 DCD, Tier 1 tables are provided for the QIAS-P:

  • Table 2.5.3-1, Qualified Indication and Alarm System-P Equipment Classification and Location
  • Table 2.5.3-2, Accident Monitoring Instrumentation Variables

The staff reviewed the design descriptions and ITAAC to ensure compliance with 10 CFR 52.47(b)(1).

Quality Standards and Records

IEEE Std 603-1991, Clause 5.3, requires, in part, components and modules to be of a quality that is consistent with minimum maintenance requirements and low failure rates. This clause also states that "Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program." 10 CFR Part 50, Appendix A, GDC 1, requires structures, systems, and components (SSCs) important to safety to be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Branch Technical Position (BTP) 7-14 provides guidance on performing reviews for software-based, safety-related I&C systems.

The SPM TeR describes the software engineering process for digital computer-based I&C systems of the APR1400. Section 1.1 of this TeR states that this report provides generic guidance for the software program plans based on the BTP 7-14. Section 2.2 of this TeR defines the software lifecycle phases for the development of safety I&C system software, which includes the concept, requirements, design, implementation, test, installation and checkout, and operation and maintenance phases. These lifecycle phases apply to both protection class software and important-to-safety software. This TeR states that the QIAS-P contains important-to-safety software. APR1400 DCD, Tier 1, Section 2.5.3.1, Item 5, states, "The QIAS-P software is implemented according to the software lifecycle process." However, this Tier 1 section does not describe what this lifecycle process will be (e.g., the different lifecycle phases). The applicant should define the specific lifecycle phases within this lifecycle process and this information should be consistent with the SPM TeR in order to demonstrate compliance with the requirements of IEEE Std 603-1991, Clause 5.3. The staff finds that the design commitment does not state that the output of each lifecycle phase will conform to the requirements of each lifecycle phase. Further, the acceptance criterion for the corresponding ITAAC states that a summary report with the results of each phase exists and this summary report will conclude that the phase activities are performed. The staff finds that this acceptance criterion does not verify that the output of each phase meets the requirements of that phase. The staff requested in RAI 71-7906, Question 14.03.05-8 (ML15196A597), that the applicant modify Tier 1 of the DCD, including the ITAAC, to resolve these issues.

In the May 18, 2016, response to RAI 71-7906, Question 14.03.05-8 (ML16139B055), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.3.1 to clarify the design commitment, inspections, tests, analyses, and acceptance criteria for each phase of the software lifecycle for the QIAS-P, as defined in the SPM. The outputs, including documentation, of each lifecycle phase in the software development process will be verified by inspection and analysis to ensure they conform to the requirements of that phase. The staff finds the proposed changes to APR1400 DCD, Tier 1, Section 2.5.3.1, and Table 2.5.3-3, Item 5 adequate to verify the as-built QIAS-P software will conform to the requirements of each phase of the software lifecycle in the software development process. As such, the staff finds the issues related to RAI 71-7906, Question 14.03.05-8, to be resolved. The staff finds the as-built QIAS-P will be verified to meet the quality requirements in IEEE Std 603-1991, Clause 5.3, and therefore, the ITAAC in DCD Tier 1, Table 2.5.3-3, Item 5 satisfies the requirements of 10 CFR 52.47(b)(1).

The verification that the proposed markups are incorporated into the next revision of the APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3. As such, this confirmatory item has been satisfied.

APR1400 DCD Tier 1, Section 2.5.3.1, Item 7 and the corresponding ITAAC in Tier 1, Table 2.5.3-3, Item 7, state, "The QIAS-P is installed in accordance with the dedicated process of commercial grade hardware and software." The staff finds this design description and ITAAC are adequate to verify the as-built QIAS-P will meet the requirement for use of commercial grade hardware and software to meet the requirements of GDC 1. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.3-3, Item 7 meets 10 CFR 52.47(b)(1).

Equipment Qualification

IEEE Std 603-1991, Clause 5.4, requires, in part, that safety system equipment be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. GDC 2 requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. GDC 4 requires, in part, that structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

APR1400 DCD, Tier 1, Section 2.5.3.1, Item 1, and the corresponding ITAAC in Table 2.5.3-3, Item 1, state that the seismic Category I equipment identified in Table 2.5.3-1 can withstand seismic design basis loads without loss of safety function. In addition, DCD Tier 1, Section 2.5.3.1, Item 2, and the corresponding ITAAC in Table 2.5.3-3, Item 2, state that QIAS-P equipment, identified in Table 2.5.3-1, can withstand the electrical surge, EMI, RFI, and ESD conditions that would exist before, during, and following a postulated accident without loss of its safety function for the time required to perform the safety function. Based on the design commitments and corresponding ITAAC provided to verify that the as-built Class 1E equipment listed in APR1400 DCD, Tier 1, Table 2.5.3-1, will be able to withstand seismic design basis loads, and EMI, RFI and ESD conditions, and are protected from missiles, pipe breaks, and flooding, the staff finds that the as-built QIAS-P will be verified to meet IEEE Std 603-1991, Clause 5.4, GDC 2, and GDC 4. Therefore, the staff finds the ITAAC in Table 2.5.3-3, Items 1 and 2 meet the requirements of 10 CFR 52.47(b)(1).

Independence

IEEE Std 603-1991, Clause 5.6.1, requires redundant portions of safety systems provided for a safety function be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. IEEE Std 603-1991, Clause 5.6.3, requires that the safety system design be such that credible failures in and consequential actions by other systems, as documented in Clause 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard. IEEE Std 603-1991, Clause 5.6.3.1 states, in part, "Isolation devices used to effect a safety system boundary shall be classified as part of the safety system."

APR1400 DCD Tier 1, Section 2.5.3.1, Item 3.a and the corresponding ITAAC in Table 2.5.3-3, Item 3.a, state that Class 1E equipment identified in Table 2.5.3-1 is powered from its respective Class 1E train. APR1400 DCD, Tier 1, Section 2.5.3.1, Item 3.b and the corresponding ITAAC in Table 2.5.3-3, Item 3.b, state that the Class 1E equipment identified in Table 2.5.3-1, and associated equipment are physically separated and electrically independent from each other and physically separated and electrically independent from non-Class 1E equipment. APR1400 DCD, Tier 1, Table 2.5.3-1 lists QIAS-P Processors A and B, and QIAS-P Flat Panel Display (FPD), Division A and B. It is not clear based on the design commitment which equipment within Table 2.5.3-1 will be physically separated and electrically independent from each other (e.g., redundant divisions of QIAS-P equipment listed in Table 2.5.3-1 are physically separated and electrically independent from each other). In addition, the acceptance criteria provided for the corresponding ITAAC in APR1400 DCD, Table 2.5.3-3, Item 3.b.i, state, "the physical separation of as-built redundant Class 1E equipment identified in Table 2.5.3-1 and associated field equipment is provided by distance or barriers." The acceptance criteria provided for the corresponding ITAAC in APR1400 DCD, Table 2.5.3-3, Item 3.b.ii, state, "a report exists and concludes that independence of as-built redundant Class 1E equipment identified in Table 2.5.3-1, and associated field equipment is achieved by independent power sources and electrical circuits for each channel, and by fiber optic cable interfaces, conventional isolators, or other proven isolation methods or devices at interfaces between redundant divisions, and at interfaces between safety and non-safety systems." It is unclear to the staff what the specific acceptance criteria will be to ensure that the amount of distance or barriers provided is adequate to ensure physical separation (e.g., in accordance with RG 1.75). In addition, it is not clear to the staff whether the conventional isolators or other proven isolation methods or devices will be Class 1E qualified as required by IEEE Std 603-1991, Clause 5.6.3. As such, the staff requested the applicant to provide the following in RAI 317-8271, Question 14.03.05-23 (ML15321A293):

1. Clarify whether APR1400 DCD Tier 1, Section 2.5.3.1, Item 3.b, is intended to address physical separation and electrical isolation requirements for redundant divisions of safety equipment identified in APR1400 DCD, Tier 1, Table 2.5.3-1.
2. Provide criteria for determining what sufficient distance or barrier is adequate to meet the physical separation requirements of IEEE Std 603-1991, Clause 5.6.
3. Amend the acceptance criteria for physical separation to address physical separation of QIAS-P equipment from non-Class 1E equipment.
4. Clarify whether the conventional isolators, or other proven isolation methods or devices used will be Class 1E qualified.

In the February 5, 2016, response to RAI 317-8271, Question 14.03.05-23 (ML16036A374), the applicant clarified:

1. APR1400 DCD, Tier 1, Section 2.5.3.1, Item 3.b and the design commitment of Item 3.b in Table 2.5.3-3 are intended to address the physical separation and electrical isolation requirements for redundant divisions of the QIAS-P equipment listed in DCD Tier 1, Table 2.5.3-1, as well as the physical separation and electrical isolation requirements of them from non-Class 1E equipment (Refer to DCD Tier 2, Sections 7.5.2.1 a.1 and 7.5.2.1.a.3). The applicant committed to revise both DCD Tier 1, Section 2.5.3.1 Item 3.b, and the design commitment of Item 3.b in Table 2.5.3-3 to include this clarification. The phrase "and associated field equipment" will be deleted from all the related descriptions in DCD Tier 1, Section 2.5.3.1 and Table 2.5.3-3, because the associated field equipment is not within the QIAS-P boundary.
2. The acceptance criteria of Item 3.b.i in DCD Tier 1, Table 2.5.3-3 will be revised to provide the criteria on the amount of distance or barrier that is adequate to meet the physical separation requirements.
3. The acceptance criteria of Item 3.b.i and 3.b.ii in DCD Tier 1, Table 2.5.3-3 will be revised to address the physical separation of QIAS-P equipment from the non-Class 1E equipment.
4. As stated in DCD Tier 2, Section 7.5.2.1 a.4, all of the isolation devices used between the QIAS-P and IPS and between the QIAS-P and QIAS-N meet the requirements of IEEE Std 384. For clarification, the acceptance criteria of Item 3.b.ii in DCD Tier 1, Table 2.5.3-3 will be revised to verify the application of Class 1E qualified isolation devices.

Based on the above proposed changes to APR1400 DCD, Tier 1, Section 2.5.3.1 and associated ITAAC in DCD Tier 1, Table 2.5.3-3, Item 3.b, the staff finds these items will adequately verify the as-built QIAS-P will meet the physical separation and electrical isolation requirements in IEEE Std 603-1991, Clause 5.6. As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-23, to be resolved. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.3-3, Items 3.a and 3.b satisfy the requirements of 10 CFR 52.47(b)(1).

The verification that the proposed markups are incorporated into the next revision of the APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3. As such, this confirmatory item has been satisfied.

Information Display

IEEE Std 603-1991, Clause 5.8.1, states that the display instrumentation provided for manually controlled actions for which no automatic control is provided and the display instrumentation required for the safety systems to accomplish their safety functions shall be part of the safety systems.

In RAI 38-7878, Question 07.05-1 (ML15169A320), the staff requested the applicant to justify why Type A variables are not required for this design when it appears that manually controlled actions were credited for cases where no automatic controls exist during several events analyzed in Chapter 15. As such, if the applicant determines that Type A variables are needed in response to this RAI, the staff requested the applicant to provide design descriptions and a corresponding ITAAC to verify that the as-built design provides indications for manually controlled actions for which no automatic control is provided as required by IEEE Std 603-1991, Clause 5.8.1, as documented in RAI 317-8271, Question 14.03.05-24 (ML15321A293). In the June 29, 2016, response to RAI 317-8271, Question 14.03.05-24 (ML16181A324), the applicant stated that, in the response to RAI 38-7878, Question 07.05-1, a list of Type A variables as well as Type B and C variables is provided. The applicant states the revised response will address all of the related changes associated with incorporating Type A variables into the APR1400 design, including the list of monitored variables in APR1400 DCD, Tier 1, Table 2.5.3-2 and corresponding design descriptions and ITAAC in Section 2.5.3.1, Item 4 and Table 2.5.3-3, Item 4, respectively. Although the applicant referenced the response to RAI 38-7878, Question 07.05-1, the staff finds the June 23, 2017, response to RAI 317-8271, Question 14.03.05-30, provides the needed information to respond to this RAI. The staff's evaluation of RAI 317-8271, Question 14.03.05-30, is provided in Section 14.3.5.4.4 of this safety evaluation report. As such, RAI 317-8271, Question 14.03.05-24, is considered to be resolved and closed.

Based on the provision of Type A variables in Table 2.5.3-2 and ITAAC in Table 2.5.3-3, Item 4 to verify the as-built QIAS-P displays the variables listed in Table 2.5.3-2, the staff finds the as-built QIAS-P will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.8.1. Therefore, the staff finds the ITAAC in Table 2.5.3-3, Item 4 meets the requirements of 10 CFR 52.47(b)(1).

Control of Access

IEEE Std 603-1991, Clause 5.9 states: "The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof."

The staff could not identify any design descriptions or corresponding ITAAC to verify that the control of access features exist for the QIAS-P equipment identified in APR1400 DCD, Tier 1, Table 2.5.3-1. As such, in RAI 317-8271, Question 14.03.05-25 (ML15321A293), the staff requested the applicant to clarify whether any control of access features are employed to prevent unauthorized or unintended access of QIAS-P equipment identified in APR1400 DCD, Tier 1, Table 2.5.3-1. If such features exist, the staff requested the applicant to provide an ITAAC that verifies that control of access features exist for the QIAS-P equipment identified in APR1400 DCD, Tier 1, Table 2.5.3-1. Otherwise, the staff requested the applicant to justify why such features are not required. In the June 29, 2016 response to RAI 317-8271, Question 14.03.05-25 (ML16181A324), the applicant stated the as-built QIAS-P will have the control of access features in accordance with IEEE Std 497-2002, Clause 6.10 as described in APR1400 DCD, Tier 2, Section 7.5.2.1.a.7. Specifically, the QIAS-P cabinets listed in APR1400 DCD, Tier 1, Table 2.5.3-1 will have key locks and door open alarms and are located in a vital area of the facility which is a controlled access area. The applicant proposed to include design descriptions and corresponding ITAAC in APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3, Item 8, respectively, to verify that control of access features exist for the as-built QIAS-P equipment identified in DCD Tier 1, Table 2.5.3-1. Based on the proposed addition of design descriptions in APR1400 DCD, Tier 1, Section 2.5.3.1, Item 8 and corresponding ITAAC in Table 2.5.3-3, Item 8, to verify control of access features for QIAS-P equipment, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-25, to be resolved. In addition, as discussed in Section 14.3.5.4.1 of this report, in response to RAI 317-8721, Question 14.03.05-18 (ML16182A581) the applicant proposed to add Item 9 to the design description in Tier 1, Section 2.5.3.1 and corresponding ITAAC in Table 2.5.3-3, Item 9, to state, Hardwired disconnections exist between the QIAS-P cabinets, and the portable workstation used to download the QIAS-P software. The hardwired disconnections protect the QIAS-P software from unintended modifications. The staff finds this design description and corresponding ITAAC are adequate to verify the as-built QIAS-P will have controls for software modification. As such, the staff finds that the as-built QIAS-P will be verified to meet the control of access requirements in IEEE Std 603-1991, Clause 5.9. Therefore, the staff finds the ITAAC in Table 2.5.3-3, Items 8 and 9 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of the APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3. As such, this confirmatory item has been satisfied.

Identification

IEEE Std 603-1991, Clause 5.11, requires, in part, that safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982. The staff could not identify any design descriptions or corresponding ITAAC to verify that the as-built QIAS-P equipment are distinctly identified for each redundant portion of the QIAS-P to meet the requirements of IEEE Std 603-1991, Clause 5.11. As such, in RAI 317-8271, Question 14.03.05-26 (ML15321A293), the staff requested the applicant to provide design descriptions and a corresponding ITAAC to verify that the as-built QIAS-P equipment are distinctly identified for each redundant portion of the QIAS-P. In the February 5, 2016, response to RAI 317-8271, Question 14.03.05-26 (ML16036A374) the applicant proposed to include an Item 6 in APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3 that provides design description and corresponding ITAAC to verify the as-built QIAS-P equipment are distinctly identified for each redundant portion of the QIAS-P. Based on these proposed changes to the DCD to include an Item 6 in APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3 to address identification requirements in IEEE Std 603-1991, Clause 5.11, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-26, to be resolved. As such, the staff finds that the as-built QIAS-P will be verified to meet the equipment identification requirements in IEEE Std 603-1991, Clause 5.11.

Therefore, the staff finds the ITAAC in Table 2.5.3-3, Item 6 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.3.1 and Table 2.5.3-3. As such, this confirmatory item has been satisfied.

Post Accident Monitoring

Title 10 CFR Part 50, Appendix A, GDC 13, requires in part that instrumentation be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Regulatory Guide 1.97, "Criteria for Accident Monitoring Instrumentation for Nuclear Power Plant," provides guidance for complying with the requirements of GDC 13.

APR1400 DCD, Tier 1, Section 2.5.3.1, Item 4, and the corresponding ITAAC in Table 2.5.3-3, Item 4, state that the QIAS-P monitors and displays the accident monitoring instrumentation variables identified in Table 2.5.3-2. Based on the design commitments and corresponding ITAAC provided to verify that the QIAS-P will monitor and display accident monitoring instrumentation variables, the staff finds that the as-built QIAS-P will be verified to meet GDC 13. Therefore, the staff finds the ITAAC in Table 2.5.3-3, Item 4 meet the requirements of 10 CFR 52.47(b)(1).

Engineered Safety Features-Component Control System

The applicant provided design descriptions and ITAAC verifying design features for the ESF-CCS in APR1400 DCD, Tier 1, Section 2.5.4, Engineered Safety Features-Component Control System. APR1400 DCD, Tier 1, Section 2.5.4.1, states that the ESF-CCS provides automatic actuation of ESF systems. The ESF-CCS performs the NSSS ESFAS function, balance of plant (BOP) ESFAS function, and emergency diesel generator (EDG) loading sequencer function.

The ESF-CCS generates the NSSS ESF actuation signals upon receipt of ESFAS initiation signals from the PPS. The ESF-CCS generates the BOP ESF actuation signals upon receipt of initiation signals from the process and effluent RMS. The ESF-CCS generates the EDG loading sequencer signals upon receipt of loss of power to Class 1E train buses, safety injection actuation signal (SIAS), containment spray actuation signal (CSAS), and auxiliary feedwater actuation signal (AFAS). The ESF-CCS provides the capability for manual actuation of ESF systems and manual control of ESF components. The ESF-CCS consists of four divisions of group controller cabinets and loop controller cabinets. The ESF-CCS equipment and manual control components are identified in Table 2.5.4-1. The ESF-CCS components are located in the auxiliary building.

The following APR1400 DCD, Tier 1 tables are provided for the ESF-CCS:

  • Table 2.5.4-1, ESF-CCS Equipment and Components Classification
  • Table 2.5.4-2, Functions Automatically Actuated by the ESF-CCS
  • Table 2.5.4-3, ESF-CCS Manual ESF Actuation Switches
  • Table 2.5.4-4, ESF-CCS Interlock Important to Safety
  • Table 2.5.4-5, Engineered Safety Features-Component Control System ITAAC

The staff reviewed the design descriptions and ITAAC to ensure compliance with 10 CFR 52.47(b)(1) as documented below.

Design Basis

The IEEE Std 603-1991, Clause 4.2, requires documentation of the safety functions and corresponding protective actions of the execute features for each DBE. APR1400 DCD, Tier 1, Section 2.5.4.1, provides the following design descriptions with corresponding ITAAC in DCD Tier 1, Table 2.5.4-5 regarding safety functions and corresponding protective features performed by the ESF-CCS:

  • DCD Tier 1 Section 2.5.4.1, Item 4 and Table 2.5.4-5, Item 4: Each ESF-CCS division receives ESFAS initiation signals from four divisions of the PPS and performs selective 2-out-of-4 coincidence logic to perform NSSS ESF actuation functions identified in Table 2.5.4-2.

  • DCD Tier 1, Section 2.5.4.1, Item 5 and Table 2.5.4-5, Item 5: Each ESF-CCS division receives ESFAS initiation signals from two divisions of the RMS as shown in Tables 2.7.6.4-2 and 2.7.6.5-2 and performs 1-out-of-2 logic taken twice except the fuel handling area emergency ventilation actuation signal which has one 1-out-of-2 logic to perform the BOP ESF actuation functions identified in Table 2.5.4-2.
  • DCD Tier 1, Section 2.5.4.1, Item 6 and Table 2.5.4-5, Item 6: Upon receipt of a SIAS, CSAS, or AFAS, the ESF-CCS initiates an automatic start of the EDGs and automatic EDG loading sequencer of ESF loads identified in Table 2.5.4-2.
  • DCD Tier 1, Section 2.5.4.1, Item 7 and Table 2.5.4-5, Item 7: Upon detecting loss of power to Class 1E buses, the ESF-CCS initiates startup of the EDGs, shedding of electrical loads, transfer of Class 1E bus connections to the EDGs, and EDG loading sequencer to the reloading of safety-related loads to the Class 1E buses.

Based on the design descriptions provided in DCD Tier 1 Section 2.5.4.1, Items 4, 5, 6, and 7 and corresponding ITAAC provided in Table 2.5.4-5, Items 4, 5, 6, and 7, respectively, regarding the performance of NSSS ESF actuation functions and BOP ESF actuation functions, the initiation of automatic EDG load sequencing, and the performance of load shedding and sequencing upon loss of power, the staff finds that the as-built ESF-CCS will be verified to meet the requirements of IEEE Std 603-1991, Clause 4.2. As such, the staff finds the ITAAC in Table 2.5.4-5, Items 4, 5, 6, and 7, meet the requirements of 10 CFR 52.47(b)(1).

Completion of Protective Action

The IEEE Std 603-1991, Clause 5.2, states that the safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal.

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 9, and the corresponding ITAAC state, "Once a BOP ESF actuation has been actuated (automatically or manually), the ESF actuation logic is latched in the actuated state and is not reset automatically." The corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 9, verifies this design commitment in the as-built ESF-CCS. Based on the design commitment and corresponding ITAAC provided in DCD Tier 1, Table 2.5.4-5, Item 9, the staff finds that this ITAAC will verify that the as-built ESF-CCS meets completion of protective actions requirements for BOP ESF functions, and thus the ITAAC in Table 2.5.4-5, Item 9 meet the requirements of 10 CFR 52.47(b)(1). However, the staff could not find design descriptions and corresponding ITAAC to verify the as-built ESF-CCS meets completion of protection requirements for other ESFAS functions (e.g. NSSS ESF actuation functions identified in DCD Tier 1, Table 2.5.4-2).

As such, in RAI 317-8271, Question 14.03.05-27 (ML15321A293), the staff requested the applicant to provide design descriptions and ITAAC to verify that the as-built ESF-CCS meets completion of protection requirements for these ESFAS functions. In the March 2, 2016 response to RAI 317-8271, Question 14.03.05-27 (ML16062A317), the applicant proposed to add a design description and ITAAC for the NSSS ESFAS actuation to APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5, Item 9.b, respectively. The description and ITAAC will confirm that once the NSSS ESFAS has been actuated, the logic is latched in the actuated state and can be manually reset once the initiating condition has been cleared. The new ITAAC Item 9 in Table 2.5.4-5 will contain an Item 9.a to address BOP ESF functions and Item 9.b to address NSSS ESF functions. Based on the proposed design description and ITAAC to verify that the as-built ESF-CCS will ensure completion of NSSS ESFAS functions in Table 2.5.4-5, Item 9.b, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-27, to be resolved. As such, the staff finds that the as-built ESF-CCS will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.2, and thus the ITAAC in DCD Tier 1, Table 2.5.4-5, Items 9.a and 9.b, meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5. As such, this confirmatory item has been satisfied.

Quality Standards and Records

The IEEE Std 603-1991, Clause 5.3, requires, in part, components and modules to be of a quality that is consistent with minimum maintenance requirements and low failure rates. This clause also states that "Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program." 10 CFR Part 50, Appendix A, GDC 1, requires SSCs important to safety to be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The SPM TeR describes the software engineering process for digital computer-based I&C systems of the APR1400. Section 1.1 of this TeR states that this report provides generic guidance for the software program plans based on the BTP 7-14. Section 2.2 of this TeR defines the software lifecycle phases for the development of safety I&C system software, which includes the concept, requirements, design, implementation, test, installation and checkout, and operation and maintenance phases. APR1400 DCD, Tier 1, Section 2.5.4.1, Item 15, states, "The ESF-CCS software is implemented according to the software lifecycle process." The staff finds that this section does not describe what this lifecycle process will be (e.g. the different lifecycle phases). The applicant should define the lifecycle phases within this lifecycle process and ensure that they are consistent with the SPM TeR in order to demonstrate compliance to the requirements of IEEE Std 603-1991, Clause 5.3. The staff also finds that the design commitment does not state that the output of each lifecycle phase will conform to the requirements of each lifecycle phase. Further, the acceptance criterion for the corresponding ITAAC states that a summary report with the results of each phase exists and this summary report will conclude that the phase activities are performed. The staff finds that this acceptance criterion does not verify that the output of the phase meets the requirements of each phase. As such, in RAI 71-7906, Question 14.03.05-9 (ML15196A597), the staff requested that the applicant modify Tier 1 of the DCD, including the ITAAC to resolve these issues.

In the March 9, 2016, response to RAI 71-7906, Question 14.03.05-9 (ML16069A389), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.4.1 and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 15 to clarify the design commitment, inspections, tests, analyses, and acceptance criteria for each phase of the software lifecycle for the ESF-CCS, as defined in the SPM. For each development phase of the software lifecycle process, inspection and analysis will be performed on the outputs, including documentation of that phase to verify conformance to the requirements of that phase. The staff finds the proposed changes to APR1400 DCD Section 2.5.4.1 and Table 2.5.4-5, Item 15 adequate to verify the as-built ESF-CCS software will conform to the requirements of each phase of the software lifecycle in the software development process. As such, the staff finds the issues related to RAI 71-7906, Question 14.03.05-9, to be resolved. Thus, the staff finds the as-built ESF-CCS will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.3, and therefore the ITAAC in Table 2.5.5-4, Item 15 satisfy the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5. As such, this confirmatory item has been satisfied.

In addition, the applicant provided a design description in Tier 1, Section 2.5.4.1, Item 24 and corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 24, to state, "The ESF-CCS is installed in accordance with the dedicated process of commercial grade hardware and software." The staff finds this design description and ITAAC are adequate to verify the as-built ESF-CCS will meet the requirement for use of commercial grade hardware and software to meet the requirements of GDC 1. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.4-5, Item 24 meet 10 CFR 52.47(b)(1).

Equipment Qualification

The IEEE Std 603-1991, Clause 5.4, requires, in part, safety system equipment to be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. GDC 2 requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. GDC 4 requires, in part, that structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 1 and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 1, state: "The seismic Category I equipment components identified in Table 2.5.4.1 withstand seismic design basis loads without loss of the safety function." DCD Tier 1, Section 2.5.4.1, Item 16 and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 16, state: "The ESF-CCS equipment and components identified in Table 2.5.4-1 withstand the electrical surge, [EMI], [RFI], and [ESD] conditions that would exist before, during, and following a design basis event without loss of its safety function for the time required to perform the safety function." DCD Tier 1, Section 2.5.4.1, Item 18 and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 18, state, "The Class 1E equipment and components listed in Table 2.5.4-1 are protected from accident related hazards such as missiles, pipe breaks and flooding."

Based on the design commitments and corresponding ITAAC provided to verify that the as-built Class 1E equipment listed in APR1400 DCD, Tier 1, Table 2.5.4-1 will be able to withstand seismic design basis loads, and EMI, RFI and ESD conditions, and that this equipment is protected from hazards such as missiles, pipe breaks and flooding, the staff finds that the as-built ESF-CCS will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.4, GDC 2, and GDC 4. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.4-5, Items 1, 16, and 18 meet the requirements of 10 CFR 52.47(b)(1).

System Integrity

The IEEE Std 603-1991, Clause 5.5, requires that the safety system accomplishes its safety functions under the full range of applicable conditions enumerated in the design basis. GDC 23 requires that the protection system be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy, or postulated adverse environments are experienced.

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 10 and the corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 10, state that loss of power in an ESF-CCS division results in the respective ESF-CCS division output assuming fail-safe output condition. Based on the information provided, the staff could not identify design descriptions and corresponding ITAAC to verify that the ESF-CCF will fail in a safe state upon conditions indicative of an ESF-CCF processor lock-up. As such, the staff requested in RAI 317-8271, Question 14.03.05-16 (ML15321A293), that design descriptions and corresponding ITAAC be provided to verify that failures of the ESF-CCF that result in lock-up of the ESF-CCF processors would be detected (e.g. via watchdog timers) and the ESF-CCF would be designed to fail in a safe state upon these conditions in order to demonstrate that the requirements of IEEE Std 603-1991, Clause 5.5 are met for the as-built ESF-CCF. In the March 2, 2016, response to RAI 317-8271, Question 14.03.05-16 (ML16062A317), the applicant committed to revise APR1400 DCD, Tier 1, Section 2.5.1.1, Item 13 and Section 2.5.4.1, Item 10 to include descriptions of ESF-CCS testing to ensure fail-safe conditions are achieved on a processor lock-up. The applicant also committed to include corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 10 to demonstrate acceptability of the as-built system. Based on the proposed revisions to the APR1400 DCD, Tier 1 to verify that the as-built ESF-CCS will fail in safe state upon processor lock-ups, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-16, to be resolved. As such, the staff finds that the as-built ESF-CCS will be verified to meet the system integrity requirements of IEEE Std 603-1991, Clause 5.5. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.4-5, Item 10 meet the requirements of 10 CFR 52.47(b)(1). 
The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Sections 2.5.1 and 2.5.4. As such, this confirmatory item has been satisfied.

Independence

The IEEE Std 603-1991, Clause 5.6.1, requires redundant portions of safety systems provided for a safety function be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. IEEE Std 603-1991, Clause 5.6.3, requires the safety system design to be such that credible failures in and consequential actions by other systems, as documented in Clause 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard. IEEE Std 603-1991, Clause 5.6.3.1, states, in part, "Isolation devices used to effect a safety system boundary shall be classified as part of the safety system." GDC 24 requires that the protection system be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Physical Separation and Electrical Isolation:

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 2 and the corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 2, states that redundant Class 1E divisions listed in Table 2.5.4-1 and associated field equipment are physically separated and electrically isolated from each other and physically separated and electrically isolated from non-Class 1E equipment. The associated acceptance criteria in DCD Tier 1, Table 2.5.4-5, Items 2.b and 2.c, state A report exists and concludes that independence of as-built redundant Class 1E divisions listed in Table 2.5.4-1 and associated field equipment is achieved by independent power sources and electrical circuits for each division, and by fiber optic cable interfaces, qualified isolation devices at interfaces between redundant divisions, and at interfaces between safety and non-safety systems. APR1400 DCD, Tier 1, Section 2.5.4.1, Item 3, and the corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 3, state that the Class 1E equipment and components identified in Table 2.5.4-1 are powered from its respective Class 1E train.

The staff finds that additional information is needed to clarify whether the qualified isolation devices at interfaces between redundant divisions and at interfaces between safety and non-safety systems are Class 1E. In addition, it is not clear whether an inspection will be performed to verify that Class 1E qualified isolation devices exist between redundant portions of safety systems and between safety and non-safety systems in the as-built ESF-CCS. As such, the staff requested in RAI 317-8271, Question 14.03.05-28 (ML15321A293), for the applicant to modify APR1400 DCD, Tier 1, Table 2.5.4-5, Item 2, to clarify that these qualified isolation devices are Class 1E as required by IEEE Std 603-1991, Clause 5.6.3.1, and to verify via inspection that Class 1E qualified isolation devices exist between redundant portions of safety systems and between safety and non-safety systems. In the May 19, 2016 response to RAI 317-8271, Question 14.03.05-28 (ML16142A002), the applicant committed to revise the design description in APR1400 DCD, Tier 1, Section 2.5.4.1, Item 2, and the corresponding ITAAC in DCD, Tier 1, Table 2.5.4-5, Item 2 to clearly identify and verify that the isolation devices used in these applications are Class 1E and are installed to prevent fault propagation.

Based on the proposed changes, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-28, to be resolved. The staff also finds design description in APR1400 DCD, Tier 1, Section 2.5.4.1, Item 3, and the corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 3 will adequately verify the as-built Class 1E equipment will be powered from its respective Class 1E train. As such, the staff finds design description and corresponding ITAAC in APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5, Items 2 and 3, respectively, will adequately verify the as-built ESF-CCS and Class 1E equipment in Table 2.5.4-1, meet the electrical isolation requirements of IEEE Std 603-1991, Clause 5.6. Therefore, the staff finds the ITAAC in Table 2.5.4-5, Items 2 and 3 satisfy the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5. As such, this confirmatory item has been satisfied.

Communications Independence:

Technical Report APR1400-Z-J-NR-14001, Rev. 0, "Safety I&C System Technical Report," Section 4.2.4, states, "The PPS sends the ESFAS initiation signals to the ESF-CCS GCs [group controllers] in all ESF-CCS divisions through the fiber optic SDL [safety data link]." In addition, Section 4.4.2 of this TeR states: The ESCM [(ESF-Soft Control Module)] provides the operators with primary manual control means for other safety components as well as ESF components. There is one ESCM per division at each operator console in the MCR [main control room] and RSR [remote shutdown room] and SC [Safety Console] in the MCR. The divisionalized ESCM has access to all ESF safety components within its division. The ESCMs on the operator consoles work in conjunction with the IPFDs [(Information Flat Panel and Display)], but the ESCMs on the SC work independently of the IFPDs. DI&C-ISG-04 compliance for communication between the IFPD and ESCM is described in Appendix C.5.1.5.

These design descriptions indicate that data communications exist between redundant divisions of ESF-CCS and between the ESF-CCS and non-safety systems. However, the staff could not identify any Tier 1 descriptions or corresponding ITAAC to verify that communications independence is achieved between these interfaces. As such, in RAI 71-7906, Question 14.03.05-11 (ML15196A597), the staff requested the applicant to modify Tier 1 of the DCD, including the ITAAC to include this information to verify communication independence is achieved in the as-built ESF-CCS. The design commitment and associated ITAAC should include sufficient information regarding the types of data communications faults that the system will be protected from and software features to mitigate these faults.

In the January 4, 2017, response to RAI 71-7906, Question 14.03.05-11 (ML17004A014), the applicant committed to add design description Items 23 and 28 to APR1400 DCD, Tier 1, Section 2.5.4.1 and corresponding ITAAC in Table 2.5.4-5 to provide the key features used to mitigate data communication faults and ensure that communications independence is achieved between redundant divisions of the ESF-CCS and between the ESF-CCS and non-safety systems. The staff finds the added items to include key features used to mitigate data communications faults and ensure data communications independence between redundant portions of the ESF-CCF and between the ESF-CCF and non-safety systems are adequate because these features are consistent with the guidance of DI&C-ISG-04. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD is a confirmatory item.

DI&C-ISG-04, Section 2, Command Prioritization, provides guidance on use of priority modules in safety I&C systems. Position 3 of this section states: "Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands. Commands that originate in a safety-related channel but which only cancel or enable cancellation of the effect of the safe-state command (that is, a consequence of a Common-Cause Failure in the primary system that erroneously forces the plant equipment to a state that is different from the designated safe state.), and which do not directly support any safety function, have lower priority and may be overridden by other commands ... The priority module itself should be shown to apply the commands correctly in order of their priority rankings, and should meet all other applicable guidance." APR1400 DCD, Tier 1, Section 2.5.4.1, Item 13, and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 13, state, "The component interface module (CIM) provides state-based priority logic to prioritize the ESF-CCS and DPS signals." APR1400 DCD, Tier 1, Section 2.5.4.1, Item 14, and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 14, state The CIM provides system-based priority logic for the front panel control switch signals on the CIM, the signals generated by the DMA switches, the signals from the ESF-CCS, and the signals from the DPS. The front panel control switches have the highest priority, and the signals from the DMA switches have priority over signals from the ESF-CCS and DPS. The staff finds that the applicant has provided adequate design descriptions and corresponding ITAAC to verify the priority scheme of the as-built CIM. Thus the staff finds the ITAAC in Table 2.5.4-5, Items 13 and 14, meet the requirements of 10 CFR 52.47(b)(1). However, the staff could not find any design descriptions or corresponding ITAAC to verify the priority scheme of the ESF-CCS for commands from the automatic safety functions and the manual controls from the ESCM and IFPD. Technical Report APR1400-Z-J-NR-14001, Rev. 0, "Safety I&C System Technical Report," Section 4.4.2 states, The priority interlock in the LC [(loop controller)] is used to block any effect on ESF control from the control demand signals generated from the ESCM. The ESF actuation signals from the GC [(group controller)] overrides the control demand signal of the ESCM at any time. In RAI 317-8271, Question 14.03.05-29 (ML15321A293), the staff requested the applicant to provide design descriptions and corresponding ITAAC to verify this design feature.

In the March 2, 2016, response to RAI 317-8271, Question 14.03.05-29 (ML16062A317), the applicant stated the ESF-CCS LC performs prioritization logic between automatically actuated ESFAS signals and manually actuated component control signals from the minimum inventory (MI) switch and ESCM. The ESFAS signals always have priority over manually actuated component control signals from the MI switch and ESCM. The ESF-CCS LC implements this ESFAS signal priority by blocking the opposite state command from the MI switch and ESCM until the protective actions are completed. The applicant proposed to add a description in APR1400 DCD, Tier 1, Section 2.5.4.1 to state that the ESF-CCS LC provides the priority logic to assure the actuation of automatically actuated ESFAS signals. In addition, a corresponding ITAAC, Item 22 will be added to DCD, Tier 1, Table 2.5.4-5 to verify by test the prioritization logic of the ESF-CCS LC. Based on the proposed revisions to APR1400 DCD, Tier 1 Section 2.5.4.1 and Table 2.5.4-5, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-29, to be resolved. The staff finds the proposed additional design descriptions in Tier 1, Section 2.5.4.1, Item 22 and corresponding ITAAC in Table 2.5.4-5, Item 22 to verify the as-built ESF-CCS implements priority logic to assure the actuation of automatically actuated ESFAS signals meet the requirements of IEEE Std 603-1991, Clause 5.6. Therefore, the staff finds the ITAAC in Table 2.5.4-5, Item 22 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into the Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5, Item 25. Note, because the applicant inserted other ITAAC in Table 2.5.4-5, the original numbering of Item 22 proposed by the applicant in the RAI response has changed to Item 25. As such, this confirmatory item has been satisfied.

Capability for Test and Calibration

The IEEE Std 603-1991, Clause 5.7, states, in part, the capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. APR1400 DCD, Tier 1, Section 2.5.4.1, Item 21, and the corresponding ITAAC in Table 2.5.4-5, Item 21, state, "The ESF-CCS has the testing functions."

It is not clear to the staff what is meant by the design description, "the testing functions." Specifically, it is not clear whether this design description intends to state that the capability to test and calibrate the ESF-CCS exists or the ESF-CCS system has self-testing functions within it. Further, the design description does not include criteria for the testing features included in the ESF-CCS (e.g., ability to detect faults in a manner that meets the design requirements of the ESF-CCS). As such, in RAI 71-7906, Question 14.03.05-10 (ML15196A597), the staff requested the applicant to modify the design description and corresponding ITAAC in APR1400 DCD, Tier 1 to address these issues.

In the October 8, 2015, response to RAI 71-7906, Question 14.03.05-10 (ML15281A303), the applicant clarified that "the testing functions" described in Item 21 of the design description in Section 2.5.4.1 and design commitment of Table 2.5.4-5 in DCD Tier 1 means the testing function of the ESF-CCS, which can be manually initiated during an authorized surveillance test.

The applicant committed to revise the design description in APR1400 DCD, Tier 1, Section 2.5.4.1 and the design commitment in APR1400 DCD, Tier 1, Table 2.5.4-5 to reflect this clarification. The staff finds the proposed changes to APR1400 DCD, Tier 1, Section 2.5.4.1, Item 21 and Table 2.5.4-5, Item 21 to clarify the meaning of "testing functions" acceptable. Thus, the staff finds the as-built ESF-CCS will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.7. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.4-5, Item 21, satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 71-7906, Question 14.03.05-10, to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.4.1 and Table 2.5.4-5. As such, this confirmatory item has been satisfied.

Information Display

The IEEE Std 603-1991, Clause 5.8.2, states, in part, that display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features.

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 12, and the associated ITAAC in DCD Tier 1, Table 2.5.4-5, Item 12 state, "The operator modules (OMs) in the MCR display ESF actuation status, manual ESF actuation status, and ESF-CCS status information including the test status for ESF actuations identified in Tables 2.5.4-2 and 2.5.4-3."

Based on the verification that information for ESF actuation and test status will be displayed on the OM, the staff finds that the as-built design meets the requirements of IEEE Std 603-1991, Clause 5.8.2. Therefore, the ITAAC in Table 2.5.4-5, Item 12 meet the requirements of 10 CFR 52.47(b)(1).

Control of Access

The IEEE Std 603-1991, Clause 5.9, states "The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof." APR1400 DCD, Tier 1, Section 2.5.4.1, Item 19, states, "The ESF-CCS cabinets listed in Table 2.5.4-1 have key locks and door position alarms, and are located in a vital area of the facility." Based on this design commitment and associated ITAAC in DCD Tier 1, Table 2.5.4-5, Item 19, the staff finds that the control of access features for the as-built equipment listed in Table 2.5.4-1 will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.9. In addition, as discussed in Section 14.3.5.4.1 of this report, in response to RAI 317-8721, Question 14.03.05-18 (ML16182A581) the applicant proposed to add Item 27 to the design description in Tier 1, Section 2.5.4.1 and corresponding ITAAC in Table 2.5.4-5, Item 27, to state, "Hardwired disconnections exist between the ESF-CCS cabinets, and the portable workstation used to download the ESF-CCS software. The hardwired disconnections protect the ESF-CCS software from unintended modifications."

The staff finds this design description and corresponding ITAAC are adequate to verify the as-built ESF-CCS will have controls for software modification to meet the requirements of IEEE Std 603-1991, Clause 5.9. Therefore, the staff finds the ITAAC in Table 2.5.4-5, Items 19 and 27, meet the requirements of 10 CFR 52.47(b)(1).

Identification

The IEEE Std 603-1991, Clause 5.11, requires, in part, that safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982. APR1400 DCD, Tier 1, Section 2.5.4.1, Item 17 and the corresponding ITAAC in Tier 1, Table 2.5.4-5, Item 17, state that redundant safety equipment and components of the ESF-CCS listed in Table 2.5.4-1 and related field equipment are provided with means of identification.

Based on this design commitment and associated ITAAC in DCD Tier 1, Table 2.5.4-5, Item 17, the staff finds that the identification of as-built equipment listed in Table 2.5.4-1 will be verified to meet the requirements of IEEE Std 603-1991, Clause 5.11. Therefore, the staff finds the ITAAC in Table 2.5.4-5, Item 17, meet the requirements of 10 CFR 52.47(b)(1).

Manual Control

IEEE Std 603-1991, Clause 6.2.1, states, in part, that means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. IEEE Std 603-1991, Clause 6.2.2, states "Means shall be provided in the control room to implement manual initiation and control of the protective actions identified in [Clause] 4.5 that have not been selected for automatic control under 6.1. The displays provided for these actions shall meet the requirements of [Clause] 5.8.1." APR1400 DCD, Tier 1, Section 2.5.4.1, Item 11, states, "Manual ESF actuation switches are provided in the MCR and RSR for the manual ESF actuations identified in Table 2.5.4-3." In addition, DCD Tier 1, Table 2.5.4-1, indicates that the manual ESF actuation switches are divisionalized. Based on this design description and the corresponding ITAAC in DCD Tier 1, Table 2.5.4-5, Item 11, the staff finds that the operation of the as-built manual ESF actuation switches will be verified to meet the manual control requirements in IEEE Std 603-1991, Clause 6.2.1, and thus meet the requirements of 10 CFR 52.47(b)(1).

In RAI 38-7878, Question 07.05-1 (ML15169A320), the staff requested the applicant to justify why Type A variables are not required for this design when it appears that manually controlled actions were credited for cases where no automatic controls exist during several events analyzed in Chapter 15. As such, if the applicant determines that Type A variables are needed in response to this RAI, the staff requested the applicant to provide design descriptions and a corresponding ITAAC to verify means are provided for manual initiation and control of the protective actions that have not been selected for automatic control as required by IEEE Std 603-1991, Clause 6.2.2, as documented in RAI 317-8271, Question 14.03.05-30.

In the June 23, 2017 response to RAI 317-8271, Question 14.03.05-30 (ML17174B279), the applicant stated:

In response to RAI 294-8302 Question 07.05-6, KHNP has determined that Type A variables are to be included in the APR1400 design. The applicable Type A variables, (e.g., related operator actions), pertain to the component and are listed in a new Table 2.5.4-6 to be added to the APR1400 [DCD], Tier 1. Steam Generator Level is being clarified in Table 2.5.4-6 to specify that the wide range level is the credited variable. A description will be added to Section 2.5.4.1 of APR1400 [DCD], Tier 1 to state that means are provided for manual initiation and control of the protective actions that have not been selected for automatic control. A corresponding ITAAC, Item 26, will be added to Table 2.5.4-[5] to detail.

The staff reviewed the response to RAI 38-7878, Question 07.05-6 (ML16153A476) and found it acceptable. The staff's detailed review of the response to RAI 38-7878, Question 07.05-6, is in Section 7.5 of this safety evaluation report. Because the staff found the list of Type A variables acceptable and the applicant committed to provide a list of Type A variables, corresponding design descriptions for safety-related division level manual controls and ITAAC to verify these features in the as-built system, the staff finds the requirements of IEEE Std 603-1991, Clause 6.2.1 have been met. As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-30, to be resolved. Thus, the ITAAC in Tier 1, Table 2.5.4-5, Item 26 meets the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 FSAR is a confirmatory item.

Setpoints

The IEEE Std 603-1991, Clause 4.10, requires the identification of critical points in time or the plant conditions, after the onset of a design basis event.

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 20, states that "The ESF-CCS provides ESF actuation within required response time for ESF functions identified in Table 2.5.4-2." The corresponding inspections, tests, and analyses in DCD Tier 1, Table 2.5.4-5, Item 20.b, state, "An inspection will be performed on the as-built ESF-CCS to determine if the response time of ESF actuation functions identified in Table 2.5.4-2." The corresponding acceptance criterion states, "The as-built ESF actuation functions identified in Table 2.5.4-2 with response time requirements are bounded by type tests or a combination of a type test." Based on the design commitment and the associated ITAAC provided, it is not clear to the staff where the response time will be measured from (e.g., from the input of the group controller to the output of CIM). In addition, it is not clear whether this ITAAC item in combination with ITAAC Item 16 in DCD Tier 1, Table 2.5.1-5, provides full coverage of ESFAS function response time verification, since it is unclear whether the communication path between the ESF portion of the PPS and the ESF-CCF group controllers is covered in either ITAAC. Further, the ITA identified in DCD Tier 1, Table 2.5.4-5, Item 20.b, does not appear to be a complete sentence. In RAI 317-8271, Question 14.03.05-20 (ML15321A293), the staff requested the applicant to address these issues.

In the March 2, 2016, response to RAI 317-8271, Question 14.03.05-20 (ML16062A317), the applicant states:

As described in Section A.3.1 of the Response Time Analysis of Safety I&C System technical report, the allocated response time covers not only the internal and external communication relays caused by communication modules and cables, but also includes adequate communication margins between equipment.

Accordingly, the descriptions of the inspections, tests, analyses and the acceptance criteria for Item 16.a in Table 2.5.1-5 will include the communication delays from the BP to the LCL. The description of the acceptance criteria for Item 20.a in Table 2.5.4-[5] will include the communication delays from the LCL of the PPS to group controllers of the ESF-CCS.


Based on the proposed changes to ITAAC Item 16.a in APR1400 DCD, Tier 1, Table 2.5.1-5 and Item 20.a in Table 2.5.4-5 to clarify that the response time will include the communication delays from the BP to the LCL and from the LCL of the PPS to the group controllers of the ESF-CCS, the staff finds the response time of the entire ESFAS actuation path will be verified, and thus that the requirements of IEEE Std 603-1991, Clause 4.10 will be met in the as-built system. Therefore, the staff finds the ITAAC in Table 2.5.1-5, Item 16.a and Table 2.5.4-5, Item 20.a, satisfy the requirements of 10 CFR 52.47(b)(1). As such, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-20, to be resolved. The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Table 2.5.4-5. As such, this confirmatory item has been satisfied.

Control Room

Title 10 CFR Part 50, Appendix A, GDC 19, states, in part, "A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. ... Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures."

The APR1400 DCD, Tier 1, Section 2.5.4.1, Item 8, and the corresponding design commitment in DCD Tier 1, Table 2.5.4-5, Item 8, state: "Each ESF-CCS division is controlled from either the MCR or RSR, as selected from MCR/RSR master transfer switches." The ITA of this ITAAC states, "A test of the as-built system for one control within each ESF-CCS division will be performed to demonstrate the transfer of control capability between the MCR and RSR." The acceptance criteria for this ITAAC state, "The as-built master transfer switches transfer controls between the MCR and RSR separately for each as-built ESF-CCS division, as follows: [1] Controls at the RSR are disabled when controls are active in the MCR. [2] Controls at the MCR are disabled when controls are active in the RSR." Based on the above descriptions, it is unclear whether this ITAAC is intended to verify the RSR will have controls for the ESF-CCS to meet the requirements of GDC 19, since the design description and corresponding ITAAC only focus on verifying the operation of the transfer switch. As such, in RAI 317-8271, Question 14.03.05-22 (ML15321A293), the staff requested the applicant to provide design descriptions and corresponding ITAAC to verify that the as-built RSR contains sufficient controls to meet the requirements of GDC 19. The applicant also provided APR1400 DCD, Tier 1, Section 2.5.4.1, Item 11, and the corresponding design commitment in DCD Tier 1, Table 2.5.4-5, Item 11, which state, "Manual ESF actuation switches are provided in the MCR and RSR for the actuations identified in Table 2.5.4-3."

In the May 19, 2016, response to RAI 317-8271, Question 14.03.05-22 (ML16142A002), the applicant proposed to revise APR1400 DCD, Tier 1, Table 2.5.4-5, Item 8 to include the control functions based on the transfer capability between the MCR and the RSR for the ESF-CCS to demonstrate compliance with GDC 19. Based on the proposed revision to APR1400 DCD, Tier 1 to include verification of the control functions in addition to the transfer capability between the MCR and RSR in the as-built ESF-CCS, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-22, to be resolved. As such, the staff finds that the as-built ESF-CCS will be verified to meet the requirements of GDC 19, and therefore, the ITAAC in Tier 1, Table 2.5.4-5, Item 8, meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Table 2.5.4-5. As such, this confirmatory item has been satisfied.

Control Systems

The applicant provided design descriptions and ITAAC verifying design features for the control systems in APR1400 DCD, Tier 1, Section 2.5.5, "Control System Not Required for Safety."

APR1400 DCD, Tier 1, Section 2.5.5.1, states that the control systems which are not required for safety consist of the power control system (PCS) and the process-component control system (P-CCS). The PCS includes the reactor regulating system (RRS), the digital rod control system (DRCS), and the reactor power cutback system (RPCS). The P-CCS includes the nuclear steam supply system (NSSS) process control system (NPCS) and balance of plant (BOP) control systems. The NPCS consists of the feedwater control system (FWCS), the steam bypass control system (SBCS), the pressurizer pressure control system (PPCS), the pressurizer level control system (PLCS), and other miscellaneous NSSS control systems which include the reactor makeup control function of the chemical and volume control system (CVCS). The PCS and P-CCS provide control of functions to maintain the plant within its normal operating range for all normal modes of plant operation.

The following APR1400 DCD, Tier 1 tables are provided for control systems:

  • Table 2.5.5-1, Controller Group Arrangement of the PCS and NPCS
  • Table 2.5.5-2, Control System Not Required for Safety ITAAC

The staff reviewed the design descriptions and ITAAC to ensure compliance with 10 CFR 52.47(b)(1) as documented below.

Instrumentation and Controls

The 10 CFR Part 50, Appendix A, GDC 13 states, "Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges." GDC 1 requires SSCs important to safety to be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The APR1400 DCD, Tier 1, Section 2.5.5.1, Item 2, and the corresponding design commitment in DCD Tier 1, Table 2.5.5-2, Item 2 state: "The digital equipment and software used in the PCS and P-CCS are independent from those of the [PPS] and the [ESF-CCS]." The acceptance criteria for this ITAAC will verify that the PCS and P-CCS use a platform which is independent from the platform used in the PPS and ESF-CCS and that the design group(s) which developed the PCS and P-CCS software is independent from the design group(s) which developed the PPS and ESF-CCS software. APR1400 DCD Tier 2, Section 7.7.1.1, states that the control systems are implemented on a digital platform that is diverse in both hardware and software from the safety common platform. Section 4.1 of Technical Report APR1400-Z-J-NR-14002-P, Rev. 0, "Diversity and Defense-in-Depth," states: "The plant-wide data networks are composed of safety networks and non-safety networks. The safety network is independent and diverse from the non-safety network. The non-safety network utilizes different communication hardware, software and communication protocol from the safety network." Section 6.1.2 of this technical report states, "In addition, to correspond with the hardware diversity of these fluid/mechanical systems, the APR1400 employs both hardware and software diversity between control and protection I&C systems to eliminate the potential for CCFs."

The staff could not find discussion of how the plant control system platform and software is diverse from the safety common platform in APR1400 DCD Tier 2 or its referenced documents to support the acceptance criteria in DCD Tier 1, Table 2.5.5-2, Item 2. In addition, APR1400 DCD Tier 2 does not use the term "independent" when discussing the differences between the platform and software used for the control system and the platform and software used for the PPS and ESF-CCS. As such, in RAI 317-8271, Question 14.03.05-31 (ML15321A293), the staff requested the applicant to resolve this discrepancy in terminology and provide additional information in Tier 2 to support the Tier 1 descriptions regarding the platforms used for the PCS and P-CCS.

In the February 5, 2016, response to RAI 317-8271, Question 14.03.05-31 (ML16036A374), the applicant stated KHNP had previously addressed the discrepancies related to the term "independent" in the response for RAI 68-7892, Question 07.07-1, where the applicant proposed to revise APR1400 DCD, Tier 1, Section 2.5.5 and Table 2.5.5-2 to remove references to the term "independent." The DCD will state, "The digital equipment and software used in the PCS and P-CCS are diverse from those of the [PPS] and [ESF-CCS]." In addition, the applicant clarified, in this response, that the non-safety related I&C system of the APR1400 will be designed by using different hardware and software from the Common Q platform to achieve diversity in the design. Adequate diversity will be verified in ITAAC Item 2, in DCD Tier 1, Table 2.5.5-5.

Because the applicant proposed changes to replace the term "independent" with "diverse" in accordance with the guidance of NUREG/CR 6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," and clarified how adequate diversity will be verified in the as-built system, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-31, to be resolved. The staff finds the design description in Tier 1 Section 2.5.5.1, Item 2 and the corresponding ITAAC in DCD Tier 1, Table 2.5.5-1, Item 2, are adequate to verify the as-built PCS and P-CCS are diverse from the PPS and ESF-CCS to meet the requirement of GDC 13. As such, the staff finds the ITAAC in DCD Tier 1, Table 2.5.5-1, Item 2 meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Table 2.5.5-2. As such, this confirmatory item has been satisfied.

Technical Report APR1400-Z-J-NR-14001, Rev. 0, "Safety I&C System Technical Report,"

Section 4.4.2 of this TeR states The ESCM provides the operators with primary manual control means for other safety components as well as ESF components. There is one ESCM per division at each operator console in the MCR and RSR and SC in the MCR. The divisionalized ESCM has access to all ESF safety components within its division.

The ESCMs on the operator consoles work in conjunction with the IFPDs, but the ESCMs on the SC work independently of the IFPDs.

It appears that the IFPD is used as the primary control and indication (including alarms), during normal, abnormal, and accident conditions. As such, the staff considers the IFPD important-to-safety. As such, in RAI 317-8271, Question 14.03.05-32 (ML15321A293), the staff requested the applicant to provide design descriptions, including corresponding ITAAC regarding the system development of the IFPD in order to demonstrate that the requirements of GDC 1 and 13 are met for the as-built IFPD. In addition, the staff requested the applicant to modify the APR1400 DCD to provide a description of what augmented quality is associated with the IFPD, including its classification in Technical Report, APR1400-Z-J-NR-14003, Rev. 0, "Software Program Manual."

In the October 5, 2016, response to RAI 317-8271, Question 14.03.05-32 (ML16279A538), the applicant stated that the IFPD will be used during all plant conditions for control and indications.

However, the IFPDs are not the credited control and display to meet the requirements of GDC 13. The applicant finds the requirements of GDC 1 are applicable to the IFPD. The IFPDs are considered important-to-safety devices consistent with APR1400 DCD, Tier 2, Section 3.2.

The IFPDs are qualified to augmented quality grade, are seismic Category II, and adapted important to availability (ITA) software defined in Technical Report, APR1400-Z-J-NR-14003-P APR1400, Software Program Manual. The applicant proposed to modify the SPM, Table A-1.

The applicant also proposed to modify DCD Tier 1, Section 2.5.5, "Control System Not Required for Safety," with corresponding ITAAC added to Table 2.5.5-2, Items 4 and 6 to include ITAAC for validating the functionality and quality development of IFPDs, respectively. Because the applicant committed to meet the requirements of GDC 1 for the IFPDs, proposed inclusion of the IFPD software as ITA in the SPM, and added design descriptions and ITAAC to verify the functionality and quality development of IFPDs, the staff finds the quality and functionality of the as-built IFPD will be adequately verified. As such, the issues identified in RAI 317-8271, Question 14.03.05-32, are resolved. Therefore, the staff finds the ITAAC in Tier 1 Table 2.5.5-2, Items 2, 4 and 6, meet the requirement of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Section 2.5.5.1 and Table 2.5.5-2. As such, this confirmatory item has been satisfied.

Independence

IEEE Std 603-1991, Clause 5.6.3, requires the safety system design to be such that credible failures in and consequential actions by other systems, as documented in Clause 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard. APR1400 DCD, Tier 1, Section 2.5.5.1, Item 5 and the corresponding ITAAC in Tier 1, Table 2.5.5-2, Item 5, state "The IFPDs are independent from Class 1E [Human Systems Interface (HSI)] devices." The staff finds this design description and ITAAC are adequate to verify the as-built IFPD are independent of Class 1E HSI devices to meet the requirements of IEEE Std 603-1991, Clause 5.6.3. Therefore, the staff finds the ITAAC in Tier 1, Table 2.5.5-2, Item 5, meet the requirement of 10 CFR 52.47(b)(1).

Equipment Qualification

GDC 2 requires, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena, such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. APR1400 DCD, Tier 1, Section 2.5.5.1, Item 7 and the corresponding ITAAC in Tier 1, Table 2.5.5-2, Item 7, state "The IFPDs do not adversely affect safety devices in the MCR during seismic conditions that would exist before, during, and following a design basis event." The staff finds this design description and ITAAC are adequate to verify the as-built IFPD will not adversely affect safety devices during design basis events to meet the requirements of GDC 2. As such, the staff finds the ITAAC in Tier 1, Table 2.5.5-2, Item 7, meet the requirements of 10 CFR 52.47(b)(1).

Control System Arrangement

IEEE Std 603-1991, Clause 4.8, requires the applicant to identify the conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).

The APR1400 DCD, Tier 1, Section 2.5.5.1, Item 1, and the corresponding ITAAC in DCD Tier 1, Table 2.5.5-2, Item 1, state: "The major controllers of the PCS and NPCS are arranged in separate controller groups as identified in Table 2.5.5-2." Technical Report APR1400-Z-J-NR-14012, Rev. 0, "Control System CCF Analysis," provides descriptions on how arranging PCS and NPCS functions into separate controller groups reduces the likelihood of control system failures in order to bound transients induced by such failures within the Chapter 15 safety analysis limits. Based on the provision of this ITAAC in DCD Tier 1, Table 2.5.5-2, Item 1, to verify that the major controllers of the PCS and NPCS are arranged in separate controller groups, the staff finds that the requirements of IEEE Std. 603-1991, Clause 4.8, are met for the PCS and NPCS. Therefore, the staff finds the ITAAC in DCD Tier 1, Table 2.5.5-2, Item 1 meet the requirements of 10 CFR 52.47(b)(1).

Control Room

The 10 CFR Part 50, Appendix A, GDC 19, states, in part, "A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. ... Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures."

The APR1400 DCD, Tier 1, Section 2.5.5.1, Item 3, and the corresponding design commitment in DCD Tier 1, Table 2.5.5-2, Item 3, state, "The PCS and P-CCS are controlled from either the MCR or RSR, as selected from master transfer switches." The ITA of this ITAAC states, "A test of the as-built system will be performed to demonstrate the transfer of control capability between the MCR and RSR." The acceptance criteria for this ITAAC state, "The as-built MCR/RSR master transfer switches transfer controls between the MCR and the RSR for as-built PCS and P-CCS, as follows: [1] Controls at the RSR are disabled when controls are active in the MCR for the as-built PCS and P-CCS. [2] Controls at the MCR are disabled when controls are active in the RSR for the as-built PCS and P-CCS." Based on the above descriptions, it is unclear whether this ITAAC is intended to verify the RSR will have controls for the PCS and P-CCS to meet the requirements of GDC 19, since the design description and corresponding ITAAC only focus on verifying the operation of the transfer switch. As such, in RAI 317-8271, Question 14.03.05-22 (ML15321A293), the staff requested the applicant to provide design descriptions and corresponding ITAAC to verify that the as-built RSR contains sufficient controls to meet the requirements of GDC 19.


In the May 19, 2016, response to RAI 317-8271, Question 14.03.05-22 (ML16142A002), the applicant proposed to revise APR1400 DCD, Tier 1, Table 2.5.5-2, Item 3 to include the control functions based on the transfer capability between the MCR and the RSR for the PCS and P-CCS to demonstrate compliance with GDC 19. Based on the proposed revision to APR1400 DCD, Tier 1 to include verification of the control functions in addition to the transfer capability between the MCR and RSR in the as-built PCS and P-CCS, the staff finds the issues identified in RAI 317-8271, Question 14.03.05-22, to be resolved. As such, the staff finds that the as-built PCS and P-CCS will be verified to meet the requirements of GDC 19, and thus the ITAAC in Tier 1, Table 2.5.5-2, Item 3, meet the requirements of 10 CFR 52.47(b)(1). The verification that the proposed markups are incorporated into the next revision of APR1400 DCD was a confirmatory item. The staff verified that the proposed markups have been incorporated into Revision 1 of the APR1400 DCD, Tier 1, Table 2.5.5-2. As such, this confirmatory item has been satisfied.

Standalone I&C Systems

10 CFR 52.47(b)(1) requires an application to contain the proposed inspections, tests, analyses, and acceptance criteria that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the design certification has been constructed and will be operated in conformity with the design certification, the provisions of the Act, and the Commission's rules and regulations. The staff reviewed the Tier 1 descriptions and ITAAC and could not find information regarding the standalone safety I&C systems such as the RMS and the essential chiller condenser system. In RAI 71-7906, Question 14.03.05-12 (ML15196A597), the staff requested the applicant to modify Tier 1 of the APR1400 DCD to include this information.

In the April 22, 2016, response to RAI 71-7906, Question 14.03.05-12 (ML16113A416), the applicant stated that the design description for the safety-related divisional cabinet (SRDC) of the RMS is in the APR1400 DCD, Tier 1, Subsection 2.7.6.4.1, Item 5 and Subsection 2.7.6.5.1, Item 6. The corresponding ITAAC are addressed in Item 5 of Table 2.7.6.4-3 and Item 6 of Table 2.7.6.5-3. The essential chilled water system is not a standalone I&C system, but a mechanical safety-related process system which is controlled by the safety-related I&C system ESF-CCS. The design description for the essential chilled water system controls is addressed in DCD Tier 1, Item 8 of Subsection 2.7.2.3 and the ITAAC is addressed in Item 8 of Table 2.7.2.3-4. Since the APC-S and the ENFMS are parts of the RTS and the ESF system, the design description and ITAAC for the APC-S and the ENFMS are not addressed individually in APR1400 DCD, Tier 1, but are included in the Section 2.5.1 discussion of RTS and ESF Initiation. The design descriptions for the APC-S and the ENFMS are addressed in APR1400 DCD, Tier 1, Section 2.5.1.1, Item 15, and the corresponding ITAAC is addressed in Item 15 of DCD, Tier 1, Table 2.5.1-5. Although the response refers to DCD Tier 1, Section 2.7.2 and Item 8 in DCD, Tier 1, Table 2.7.2.3-4 for more information relating to the control of the essential chilled water system, the staff finds that additional information is needed in Tier 2 to support the verification of the as-built essential chilled water system controls. Specifically, Tier 2 of the APR1400 DCD does not contain the information describing how the essential chilled water system is controlled in the ESF-CCS to support the design descriptions in APR1400 DCD, Tier 1. The staff requested similar information in RAI 328-8281, Question 07.03-12 (ML15334A336). Thus, the staff will track the issue identified in RAI 71-7906, Question 14.03.05-12, through the evaluation of the response to RAI 328-8281, Question 07.03-12. The staff's evaluation of the response to RAI 328-8281, Question 07.03-12, is in Section 7.3 of this SER.

Combined License Information Items

There are no COL items associated with Section 14.3.2.5 of the APR1400 DCD.

Conclusions

Based on the above discussion of I&C ITAAC, including the ITAAC discussions in Chapter 7 of this report, the staff finds the DCD Tier 1 design descriptions associated with the scope of SRP Section 14.3.5 for I&C system ITAAC acceptable. The staff concludes that, upon incorporation of the confirmatory items above into a subsequent DCD revision, the design descriptions and I&C ITAAC discussed in APR1400 DCD, Tier 1, Section 2.5 meet 10 CFR 52.47(b)(1), such that, if the inspections, tests, and analyses are performed and the acceptance criteria met, then a facility referencing the APR1400 certified design has been constructed, and will be operated, in compliance with the design certification, the Atomic Energy Act of 1954, and applicable NRC regulations.

Electrical Systems - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

This section provides the criteria and processes used to review and evaluate the APR1400, DCD Tier 1 Section 2.6, Electric Power, and DCD Tier 2 Section 14.3.2.6, ITAAC for Electrical Systems. DCD Tier 2 Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, provided the bases, processes, and selection criteria used to develop Tier 1 information. DCD Tier 2 Section 14.3.2.6 also addressed the inspections, tests, and analyses, that the applicant proposes to perform as well as the acceptance criteria that are necessary and sufficient to provide reasonable assurance that, if the proposed inspections, tests, and analyses are performed and the acceptance criteria are met, the facility has been constructed and will operate in conformance to the Design Certification (DC), and in compliance with the provisions of the Atomic Energy Act of 1954, as amended, and NRC regulations. The applicant proposes ITAAC in APR1400 DCD Tier 1 Section 2.6 and provides supporting information in DCD Tier 2 Section 14.3.2.6, that addressed the review guidance given in the NUREG-0800, Standard Review Plan (SRP) Section 14.3.6, Electrical System, Inspections, Tests, Analyses, and Acceptance Criteria, and guidance of RG 1.206, Combined License Applications for Nuclear Power Plants (LWR Edition), for electrical systems.

Summary of Application

DCD Tier 1: In the APR1400 DCD Tier 1, Section 2.6, the applicant provided design descriptions for the alternating current (AC) electric power distribution system, emergency diesel generator system, DC power system, instrumentation and control power system, containment penetration assemblies, AAC source, lightning protection and grounding system, and lighting systems. DCD Tier 1 Section 2.6, which addresses electrical systems, was prepared in accordance with the guidance given in RG 1.206, SRP 14.3, and SRP 14.3.6. DCD Tier 1, Section 2.6 provided information related to whether electrical equipment is classified as Class 1E and whether electrical equipment is qualified for harsh environment.

DCD Tier 2: DCD Tier 2 Section 14.3 provided a general description and supporting information on ITAAC for Electrical Systems. In DCD Tier 2 Chapter 14, technical information on ITAAC was provided for the plant's electrical system, including Class 1E portions of the system, major portions of the non-Class 1E system, equipment qualification and portions of the plant lighting, grounding, lightning protection systems, and containment electrical penetrations.

Specifically, DCD Tier 2 Section 14.3.2.6 provided the electrical criteria that the ITAAC verify. Design descriptions for electrical systems follow NRC guidelines for electric systems ITAAC in Appendix C.II.1-A of RG 1.206.

These design descriptions address electrical equipment that is involved in performing safety functions. Such equipment includes the complete Class 1E electrical system, including power sources (which include offsite sources even though they are not Class 1E) and direct current (dc) and ac distribution equipment. Design descriptions also address additional relevant factors related to the electrical equipment that are not part of the Class 1E system, but are included to improve the reliability of the individual Class 1E divisions. Brief design descriptions are included for the non-Class 1E portions of the electrical system that power the balance of plant loads although these descriptions generally focus on the aspects needed to support the Class 1E portion.

Consistent with Appendix C.II.1-A of RG 1.206, the applicant has provided ITAAC entries in DCD Tier 1 Section 2.6 for verifying the electrical ITAAC for the following aspects of their design as stated in DCD Tier 2 Section 14.3.2.6: (1) equipment qualification for seismic and harsh environment; (2) redundancy and independence; (3) capacity and capability; (4) electrical protection features; (5) displays, controls, and alarms; (6) offsite power; (7) containment electrical penetrations; (8) AAC power source; (9) lighting; (10) electrical power for non-safety plant systems; and (11) physical separation and independence.

ITAAC: The applicant has provided ITAAC tables for each of the systems listed in Tier 1 Section 2.6 for which Tier 1 Design Descriptions were provided.

TS: There are no TS for the electrical ITAAC since the TS do not apply to ITAAC. DCD Tier 2 Chapter 16 Section 3.8, Electrical Power Systems, addresses the TS related to electrical equipment and systems.

Regulatory Basis

The relevant requirements of NRC regulations for this area of review, and the associated acceptance criteria, are given in SRP Section 14.3.6. Review interfaces with other SRP sections also can be found in SRP Section 14.3.6. (The requirements listed in SRP Section 14.3.6 that are related to the technical adequacy of the ITAAC are not included here, as they are addressed in this report.)

Acceptance criteria are based on the relevant requirements of the following NRC regulations:

1. Title 10 CFR 52.47(b)(1), Contents of the application; technical information, which requires that a DC application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the DC is built and will operate in conformity with the DC, the provisions of the Atomic Energy Act of 1954, as amended, and the NRC's rules and regulations.
2. Title 10 CFR 50.49, Environmental qualification of electrical equipment important to safety for nuclear power plants, as it relates to the applicant establishing a program for qualifying electrical equipment important to safety located in a harsh environment.
3. Title 10 CFR 50.63, Loss of all alternating current power, as it relates to an AAC power source (as defined in 10 CFR 50.2) provided for safe shutdown in the event of and the capability to withstand and recover from a Station Blackout (SBO).
4. Title 10 CFR Part 50, Appendix A, General Design Criteria, GDC 2, Design Basis for Protection against Natural Phenomena, as it relates to structures, systems and components (SSCs) of the ac power system being capable of withstanding the effects of natural phenomena without the loss of the capability to perform their safety functions.
5. GDC 17, Electric power systems, as it relates to the offsite and onsite ac power system's: (1) capacity and capability to permit functioning of systems, structures, and components (SSCs) important to safety assuming no offsite power is available; (2) independence, redundancy, and testability to perform its safety function assuming a single failure; and (3) provisions to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit or the loss of power from the transmission network.
6. GDC 18, Inspection and testing of electric power systems, as it relates to inspection and testing of the offsite and onsite power systems.

The associated acceptance criteria are summarized below:

1. RG 1.206, Combined License Applications for Nuclear Power Plants, as it relates to power system analytical studies and stability studies to verify the capability of the offsite power systems and their interfaces with the onsite power system.
2. SRP 14.3.6 refers to SRP 14.3 for guidance on the content and format of ITAAC.

For DC applications, DCD Tier 1 Design Descriptions and ITAAC design commitments should be based on and consistent with the DCD Tier 2 material.

Technical Evaluation

The staff reviewed the following DCD information on Tier 1 and Tier 2. DCD Tier 1, Section 2.6, provides design descriptions, including the principal performance characteristics and safety functions of the SSCs. DCD Tier 1, Section 2.6 provides ITAAC to be used to provide reasonable assurance that the as-built plant will operate in conformity with the COL, and applicable NRC regulations. DCD Tier 2 Section 14.3.2.6 provides more detailed information on the plant electrical design description. Information contained in the Tier 1 document is derived from the Tier 2 document that supports ITAAC for the APR1400 DC application.

The staff reviewed the DCD Tier 1 system design descriptions, Section 2.6, and DCD Tier 2 Section 14.3.2.6 to ensure, in part, that Tier 1 contains summary design, fabrication, testing, and performance requirements for SSCs important to safety. Also, the staff reviewed the information for conformance to the guidance given in RG 1.206, Section C.II.1.2.6, ITAAC for Electrical Systems (SRP Section 14.3.6), and Appendix C.II.1-A, General ITAAC Development Guidance, and SRP Chapter 14.3, Inspections, Tests, Analysis, and Acceptance Criteria.

The staff's review, documented in this section, is limited to DCD Tier 1 Sections 2.6.1 through 2.6.8 and DCD Tier 2 Section 14.3.2.6, and addresses ITAAC for electrical systems and selection methodology for SSCs to be included in the ITAAC. DCD Tier 1 Section 2.6.9, Communication Systems, and Table 2.6.9-1, Communication Systems ITAAC, are evaluated in Sections 9.5.2 and 14.3.12 of this SER. Design descriptions and ITAAC proposed by the applicant were reviewed to verify that this information and Tier 2 requirements (or design commitments) are met when the plant is built.

ITAAC for Electrical Systems

The Class 1E electrical systems of the APR1400 design in DCD Tier 2, Section 14.3.2.6 include: (1) the Class 1E electrical power distribution system, (2) the emergency diesel generators (EDGs), (3) the Class 1E dc power supply, and (4) the Class 1E instrument and control power supplies. The staff reviewed the APR1400 design to determine whether the applicant established design commitments for the Class 1E electrical systems and that they are verified by ITAAC. The design commitments proposed by the applicant in DCD Tier 2 Section 14.3.2.6 for the electrical systems include design aspects related to the following, which are discussed below: (1) equipment qualification for seismic and harsh environment; (2) redundancy and independence; (3) capacity and capability; (4) electrical protection features; (5) displays, controls, and alarms; (6) offsite power; (7) containment electrical penetrations; (8) AAC power source; (9) lighting; (10) electrical power for non-safety plant systems; and (11) physical separation and independence.

14.3.6.4.1.1 Equipment qualification for seismic and harsh environment

The staff identified the following ITAAC regarding equipment qualification for seismic and harsh environment:

Table 14.3.6-1 Equipment Qualification ITAAC

Table      Item Number
2.6.1-3    2
2.6.1-3    4
2.6.1-3    13a
2.6.1-3    13b
2.6.2-3    5a
2.6.2-3    5b
2.6.2-3    5c
2.6.2-3    24
2.6.2-3    25
2.6.3-3    2
2.6.3-3    3
2.6.3-3    4
2.6.4-3    2
2.6.4-3    9
2.6.5-1    2
2.6.5-1    3

The acceptance criteria in SRP 14.3.6, Electrical System-ITAAC, identify equipment qualification for seismic and harsh environments to ensure that the seismic design requirement of GDC 2, and the EQ requirements of 10 CFR 50.49 are met. The staff reviewed the design descriptions and ITAAC listed above to ensure compliance with 10 CFR 52.47(b)(1).

The staff issued RAI 234-8284, Question 14.03.06-2 (ML15296A005), requesting the applicant to provide additional information regarding whether buildings other than the auxiliary and EDG buildings that house Class 1E equipment are classified as seismic Category 1 buildings. In its response to RAI 234-8284, Question 14.03.06-2 (ML16020A513), the applicant stated that two Essential Service Water (ESW) buildings also house Class 1E equipment. The applicant also revised the design commitment and ITAAC Item 4 in DCD Tier 1, Section 2.6.1.1, Design Description, and Table 2.6.1-3, AC Electric Power Distribution System ITAAC, to incorporate the ESW buildings. The staff considers this issue resolved since the ITAAC ensures that all buildings that house Class 1E equipment are also seismic Category I buildings. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-2. Therefore, RAI 234-8284, Question 14.03.06-2, is resolved and closed.

DCD Tier 1, Table 2.6.1-3, Design Commitment Item 13 states that Class 1E electric power distribution system cables are routed in seismic Category I structures and in their respective raceway trains. The staff issued RAI 234-8284, Question 14.03.06-2 (ML15296A005), requesting the applicant to provide additional information to explain why analyses of the cables are not needed to show that seismic design basis requirements are bounded. In its response to RAI 234-8284, Question 14.03.06-2 (ML16020A513), the applicant revised DCD Tier 1, Section 2.6.1.1 and Table 2.6.1-3 to add ITAAC Item 13 in DCD Tier 1, Table 2.6.1-3 to verify that the raceway systems for the Class 1E cables are designed to meet seismic Category I requirements. Since the ITAAC provides verification that raceway systems for Class 1E electric power distribution system cables are designed to meet seismic Category I requirements, the staff finds the response acceptable and considers the issue resolved. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-2. Therefore, RAI 234-8284, Question 14.03.06-2, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-3 (ML15296A005), requesting the applicant to provide additional information on whether the Class 1E EDGs are seismic Category I and can withstand seismic design basis loads without loss of safety function and to discuss how verification is achieved. In its response to RAI 234-8284, Question 14.03.06-3 (ML16020A513), the applicant stated that Item 5a in DCD Tier 1, Table 2.6.2-3, Emergency Diesel Generator System ITAAC, addressed verification of the seismic Category 1 diesel engines and generators and that they can withstand seismic design basis loads without loss of safety function. Since verification of the seismic classification of the EDGs is included in DCD Tier 1, Table 2.6.2, the staff finds the response acceptable and the issue resolved and closed.

In DCD Tier 2 Section 14.3.2.6, the applicant committed to have ITAAC to verify that the Class 1E equipment is seismic Category 1 and that equipment located in a harsh environment is qualified. The staff finds that the applicant, with this commitment, will meet the design requirements of GDC 2 and the EQ requirements of 10 CFR 50.49, therefore satisfying the NRC regulations. DCD Tier 1, Table 2.6.1-1, AC Electric Power Distribution System Safety-related Equipment Characteristics, shows electrical and seismic classifications of major Class 1E ac electrical power distribution equipment. The applicant has identified in columns 2 and 3 of the DCD Tier 1, Table 2.6.1-1, the seismic and harsh environment classification of the major Class 1E ac electrical distribution equipment.

GDC 2 requires, in part, that SSCs of the electrical power system be capable of withstanding the effects of natural phenomena without the loss of the capability to perform their safety functions. The ITAAC listed above state that seismic Category I equipment can withstand seismic design basis loads without loss of safety function or that equipment is located in seismic Category 1 structures. Furthermore, the ITAAC listed above discuss qualification of equipment under expected environmental conditions. Based on the ITAAC provided to verify that the as-built equipment will be able to withstand seismic design basis loads and is qualified for the expected environmental conditions, the staff finds that the as-built systems will be verified to meet the requirements of 10 CFR 50.49 for EQ and GDC 2. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.2 Redundancy and independence

The applicant in DCD Tier 2 Section 14.3.2.6 has committed to have ITAAC to verify that the Class 1E electrical divisional equipment and systems are independent, i.e., meet the single failure requirements. The applicant proposed to have ITAAC to verify the Class 1E divisional assignments and independence of electric power by both inspections and tests. DCD Tier 1 Table 2.6.1-3 described the ITAAC for the onsite electric power system to assess the independence within Class 1E electric power distribution equipment, and between Class 1E electric power distribution equipment and non-safety-related electrical power distribution equipment.

The staff identified the following ITAAC regarding redundancy and independence for Class 1E equipment:

Table 14.3.6-2 Redundancy and Independence ITAAC

Table      Item Number
2.6.1-3    1
2.6.1-3    9
2.6.1-3    10a
2.6.1-3    10b
2.6.1-3    10c
2.6.1-3    16
2.6.1-3    17
2.6.2-3    1
2.6.2-3    7
2.6.2-3    16
2.6.3-3    1
2.6.3-3    8
2.6.3-3    9
2.6.3-3    10a
2.6.3-3    10b
2.6.3-3    10c
2.6.3-3    13
2.6.3-3    14
2.6.4-3    1
2.6.4-3    5
2.6.4-3    6
2.6.4-3    7
2.6.4-3    8
2.6.5-1    4
2.6.5-1    6

The staff issued RAI 234-8284, Question 14.03.06-4 (ML15296A005), requesting the applicant to provide additional information on why an ITAAC was not included to confirm that each redundant division of the Class 1E battery and associated charger is located in a separate room. In its response to RAI 234-8284, Question 14.03.06-4 (ML16020A513), the applicant added two new ITAAC items 13 and 14 to DCD Tier 1, Section 2.6.3.1 and Table 2.6.3-3.

Specifically, Item 13 confirms by inspection that each train of the Class 1E batteries is located in a separate room, and Item 14 confirms by inspection that each Class 1E train dc distribution panel, dc control center, and battery charger are located in a separate room. The staff finds the response acceptable and the issue resolved since DCD Tier 1 Table 2.6.3-3 includes two ITAAC for verification of physical separation of the Class 1E battery and associated equipment.

The staff confirmed that DCD, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-4. Therefore, RAI 234-8284, Question 14.03.06-4, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-4 (ML15296A005), requesting the applicant to provide additional information regarding how the qualification of the isolation devices between Class 1E and non-Class 1E equipment is verified considering the isolation devices provide independence between the Class 1E dc system and the non-Class 1E dc loads. In its response to RAI 234-8284, Question 14.03.06-4 (ML16020A513), the applicant added Items 10a, 10b, 10c, and 16 in DCD Tier 1, Table 2.6.3-3. Specifically, the applicant modified the ITAAC of the ac power system such that Items 10a, 10b, and 10c verify that: (1) independence is provided between each of the four trains of Class 1E dc distribution equipment and circuits, (2) independence is provided between Class 1E dc distribution equipment and circuits and non-Class 1E dc distribution equipment and circuits, and (3) Class 1E qualified isolation devices provide independence between Class 1E dc distribution equipment and non-Class 1E dc loads.

ITAAC Item 16 was added to DCD Tier 1, Table 2.6.3-3 to confirm by inspection and analysis that the Class 1E protective devices (circuit breakers/fuses) in the dc power system are rated to supply their required loads and withstand fault currents for the time required to clear the fault from the power source. The staff finds that the revisions in DCD Tier 1 Table 2.6.3-3 discussed above, adequately address the independence between the dc system trains and between Class 1E and non-Class 1E equipment in the dc system and provide verification of the aforementioned independence. The staff finds the issue resolved. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-4. Therefore, RAI 234-8284, Question 14.03.06-4, is resolved and closed.

Accordingly, the staff finds that the subject ITAAC verify the divisional assignments and independence of the Class 1E electric power system equipment by both inspections and tests.

Because the ITAAC verify the divisional assignments and independence of the Class 1E electric power system equipment, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.3 Capacity and Capability

To ensure that the electrical systems have the capacity and capability to supply the safety-related electrical loads, ITAAC are required to verify the adequate sizing of the electrical system equipment and its ability to respond (e.g., automatically in the time needed to support the accident analyses) to postulated events, as discussed in SRP Section 14.3.2.6. This includes the Class 1E portion and the non-Class 1E portion to the extent that it is involved in supporting the Class 1E system. The ITAAC analyze the as-built electrical system and installed equipment (EDGs, transformers, switchgear, dc systems, batteries, etc.) to verify its ability to power the loads. In addition, the ITAAC should include tests to demonstrate the operation of the equipment. Testing should be included in the ITAAC to verify EDG capacity and capability based on the TS. The ITAAC should verify the capacity and capability of the Class 1E equipment necessary to mitigate postulated events for which the equipment is credited (e.g., loss of coolant accident (LOCA), loss of offsite power (LOOP), and degraded voltage conditions). The ITAAC should be included to analyze the as-built electrical power system for its response to a LOCA, LOOP, combinations of LOCA and LOOP, and degraded voltage, including tests to demonstrate the actuation of the electrical equipment in response to postulated events. Analyses to demonstrate the acceptability of a voltage drop should be included in ITAAC to verify adequacy for supporting the accomplishment of a direct safety function. Testing should be included in ITAAC to verify the EDG voltage and frequency response to assure that it is acceptable, and is the same as that specified in the TS, DCD Tier 2, Chapter 16, Technical Specification.

The staff identified the following ITAAC regarding capacity and capability for the Class 1E equipment and the non-Class 1E equipment to the extent that it is involved in supporting the Class 1E system:

Table 14.3.6-3 Capacity and Capability ITAAC

Table      Item Number
2.6.1-3    14
2.6.1-3    19
2.6.1-3    22
2.6.1-3    26
2.6.2-3    8a
2.6.2-3    8b
2.6.2-3    9
2.6.2-3    10
2.6.2-3    11
2.6.2-3    12
2.6.2-3    13
2.6.2-3    14
2.6.2-3    15
2.6.2-3    17
2.6.2-3    18
2.6.2-3    19
2.6.2-3    20
2.6.2-3    22
2.6.2-3    23
2.6.3-3    5
2.6.3-3    6
2.6.3-3    7
2.6.3-3    15
2.6.4-3    4
2.6.6-1    2
2.6.6-1    3
2.6.6-1    4
2.6.6-1    6
2.6.6-1    7
2.6.6-1    8a
2.6.6-1    8b
2.6.6-1    9
2.6.6-1    10
2.6.6-1    12

The staff issued RAI 234-8284, Question 14.03.06-2 (ML15296A005), requesting the applicant to provide additional information on verification that each Class 1E bus automatically connects to the EDG when both offsite power sources are not available. In its response to RAI 234-8284, Question 14.03.06-2 (ML16020A513), the applicant stated that connection of the Class 1E EDGs during a LOOP is addressed in Item 15 of DCD Tier 1, Section 2.6.2, Emergency Diesel Generator System. Specifically, Item 15 of DCD Tier 1, Table 2.6.2-3, addressed that a loss of power to a Class 1E medium voltage safety bus automatically starts its respective EDG and following attainment of required voltage and frequency, the EDG automatically connects to its respective train bus. The staff finds this response acceptable since a LOOP would result in a loss of power to the Class 1E bus, initiating the start of the EDG and subsequently, results in the connection of the EDG to the safety bus.

The staff issued RAI 234-8284, Question 14.03.06-2 (ML15296A005), requesting the applicant to provide additional information on verifying Class 1E cable sizing with consideration for derating due to ambient temperature and raceway loading. In its response to RAI 234-8284, Question 14.03.06-2 (ML16020A513), the applicant revised DCD Tier 1 Section 2.6.1.1 and Table 2.6.1-3 to add new ITAAC Item 22 for Class 1E cable sizing to consider derating due to ambient temperature, cable grouping and other derating effects as applicable. The staff finds this acceptable and the issue resolved since: (1) Class 1E cables are sized to consider derating factors, and (2) inspections will be performed to verify that the as-built cable sizes bound the minimum sizes. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-2. Therefore, RAI 234-8284, Question 14.03.06-2, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-3 (ML15296A005), requesting the applicant to provide additional information to verify the air intake and exhaust system for the EDGs is capable of supplying combustion air and of disposing of exhaust gases. In its response to RAI 234-8284, Question 14.03.06-3 (ML16020A513), the applicant revised DCD Tier 1, Section 2.6.2.1, Design Description, and Table 2.6.2-3 to add ITAAC Item 23 in DCD Tier 1, Table 2.6.2-3 regarding the capability of the combustion air intake and exhaust system. The staff finds this acceptable and the issue resolved since the capability of each air intake and exhaust system for the Class 1E EDGs is verified by test. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-3. Therefore, RAI 234-8284, Question 14.03.06-3, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-3 (ML15296A005), requesting the applicant to provide additional information on verifying the fuel storage capacity of the EDGs and specifically, verification that the as-built storage tank capacity bounds the analysis. In its response to RAI 234-8284, Question 14.03.06-3 (ML16020A513), the applicant revised ITAAC Item 9 in DCD Tier 1 Section 2.6.2 and Table 2.6.2-3 to verify that inspection will be performed to verify that each as-built fuel oil storage tank's capacity bounds the analysis. Since: (1) EDG fuel storage capacity is verified to operate the EDG for seven days with the EDG supplying the power requirements for the most limiting design basis event by analyses and inspection and (2) EDG is verified to have fuel to meet its intended function, the staff finds this acceptable and the issue resolved. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-3. Therefore, RAI 234-8284, Question 14.03.06-3, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-3 (ML15296A005), requesting the applicant to provide additional information on verifying the fuel day tank capacity of the EDGs and specifically, the verification of the as-built day tank capacity. In its response to RAI 234-8284, Question 14.03.06-3 (ML16020A513), the applicant revised ITAAC Item 10 in DCD Tier 1 Section 2.6.2 and Table 2.6.2-3, to verify that inspection will be performed to verify that each as-built fuel oil day tank's capacity bounds the analysis. The staff finds this acceptable and the issue resolved since EDG fuel day tank capacity is verified to provide fuel oil for at least 60 minutes plus a minimum additional margin of 10 percent at EDG rated load by analyses and inspection of the as-built day tank capacity. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-3. Therefore, RAI 234-8284, Question 14.03.06-3, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-3 (ML15296A005), requesting the applicant to provide additional information on verifying the lube oil makeup tank capacity of the EDG, specifically verification that the as-built storage tank capacity bounds the analysis. In its response to RAI 234-8284, Question 14.03.06-3 (ML16020A513), the applicant revised ITAAC Item 12 in DCD Tier 1 Section 2.6.2 and Table 2.6.2-3 to include inspection to verify that each as-built lube oil makeup tank capacity bounds the analysis. The staff finds this acceptable and the issue resolved since the lube oil makeup tank capacity is verified by inspection to bound the analysis. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-3. Therefore, RAI 234-8284, Question 14.03.06-3, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-4 (ML15296A005), requesting the applicant to provide additional information on why an ITAAC is not needed to confirm that the Class 1E dc power cables are sized to carry the required load currents and to provide the minimum design basis voltage at load terminals. In its response to RAI 234-8284, Question 14.03.06-4 (ML16020A513), the applicant added ITAAC Item 15 to DCD Tier 1, Section 2.6.3.1 and Table 2.6.3-3. This new ITAAC item confirms by inspection and analysis that the Class 1E dc power system cables are sized to carry the required load currents and to provide minimum design basis voltage at the load terminals, considering derating due to ambient temperature, cable grouping, and other derating effects as applicable. The staff finds this response acceptable and the issue resolved since there is verification that the Class 1E dc power system cables are sized to meet their intended function. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-4. Therefore, RAI 234-8284, Question 14.03.06-4, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-4 (ML15296A005), requesting the applicant to provide additional information on why an ITAAC is not needed to confirm that the Class 1E batteries have enough capacity to carry the worst case load profile assuming the chargers are unavailable. In its response to RAI 234-8284, Question 14.03.06-4 (ML16020A513), the applicant stated that the design commitment and ITAAC in DCD Tier 1, Table 2.6.3-3, Item 6, verifies that each Class 1E battery is sized to supply its design basis event (DBE) loads, at the end of installed life, for pertinent required hours without recharging. The staff issued follow-up RAI 455-8553, Question 14.03.06-9 (ML16096A307), requesting the applicant to state whether the DBE load profile is the worst case load profile for the Class 1E batteries, considering that the SBO load profile could be of a longer duration. In its response to RAI 455-8553, Question 14.03.06-9 (ML16181A333), the applicant stated that the worst case load profile for the Class 1E batteries is the DBE load profile, which bounds the SBO load profile. The staff finds these responses acceptable, and the issue resolved since verification exists in DCD Tier 1, Table 2.6.3-3, DC Power System ITAAC, Item 6, that the Class 1E batteries are sized based on the worst case load profile.

The applicant provided ITAAC to verify 1) the adequate sizing of electrical system equipment, its ability to respond, and its ability to power the loads, and 2) the initiation of Class 1E equipment necessary to mitigate postulated events for which the equipment is credited. The staff reviewed the DCD Tier 1, Section 2.6 and DCD Tier 2, Section 14.3.2.6 information to ascertain whether the above stated requirements are met. The staff finds that the subject ITAAC verify that electrical systems have the capacity and capability to supply the safety-related electrical loads by both inspections and tests. Because the ITAAC verify the capacity and capability of the as-built systems, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.4 Electrical Protection Features

ITAAC are required to verify the adequacy of the electrical circuit protection design to ensure that the electrical power system is protected against potential electrical faults. Operating experience and NRC Electrical Distribution System Functional Inspections (EDSFIs) found inadequacies in the short circuit rating of certain electrical equipment and breaker and protective device coordination. ITAAC are required to analyze the as-built electrical system equipment for its ability to withstand and clear electrical faults. Further, ITAAC are included to analyze the protection coordination to verify its ability to limit the loss of equipment due to postulated faults.

Similarly, emergency power (i.e., EDGs) protective trips (and bypasses if applicable) are to be verified by ITAAC.

The staff reviewed the Tier 1 and Tier 2 information in the APR1400 DCD to verify that the applicant had included ITAAC for the above stated requirements. The applicant has provided ITAAC for the electrical protection features including attributes such as analyzing the ability of the as-built electrical system equipment to withstand and clear electrical faults and to possess protection feature coordination. These ITAAC items are identified as follows:

Table 14.3.6-4 Electrical Protection Features ITAAC

| Table | Item Number |
|---|---|
| 2.6.1-3 | 18 |
| 2.6.1-3 | 11 |
| 2.6.1-3 | 12 |
| 2.6.1-3 | 15 |
| 2.6.1-3 | 20 |
| 2.6.2-3 | 20 |
| 2.6.3-3 | 12 |
| 2.6.3-3 | 16 |
| 2.6.4-3 | 10 |
| 2.6.4-3 | 11 |
| 2.6.5-1 | 5 |
| 2.6.7-1 | 1 |
| 2.6.7-1 | 2 |
| 2.6.7-1 | 3 |
| 2.6.7-1 | 4 |
| 2.6.7-1 | 5 |
| 2.6.7-1 | 6 |

The DCD Tier 1 Table 2.6.1-3, AC Electric Power Distribution System ITAAC, Item 10 provides ITAAC on independence between the trains of the Class 1E equipment, as well as between Class 1E and non-Class 1E equipment for the ac systems.

The staff issued RAI 234-8284, Question 14.03.06-4 (ML15296A005), requesting the applicant to provide additional information regarding how the qualification of the isolation devices between Class 1E and non-Class 1E equipment is verified considering the isolation devices provide independence between the Class 1E dc system and the non-Class 1E dc loads. In its response to RAI 234-8284, Question 14.03.06-4 (ML16020A513), the applicant revised DCD Tier 1, Table 2.6.3-3, to add ITAAC Item 16 to confirm by inspection and analysis that the Class 1E protective devices (circuit breakers/fuses) in the dc power system are rated to supply their required loads and withstand fault currents for the time required to clear the fault from the power source. The staff finds this response acceptable and the issue resolved since the added ITAAC provides verification of the protective devices in the dc power system. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-4. Therefore, RAI 234-8284, Question 14.03.06-4, is resolved and closed.

The staff issued RAI 234-8284, Question 14.03.06-7 (ML15296A005), requesting the applicant to provide additional information on whether DCD Tier 1, Section 2.6.7, Lightning Protection and Grounding System, Table 2.6.7-1, Grounding and Lightning Protection System ITAAC, Item 4, on equipment grounding includes the ground bus of switchgear, load centers, motor control centers (MCCs), and switchboards. In its response to RAI 234-8284, Question 14.03.06-7 (ML16020A513), the applicant revised DCD Tier 1 Section 2.6.7, Table 2.6.7-1 and DCD Tier 2, Section 8.3.1.1.8, Grounding and Lightning Protection Criteria, to include the ground bus of switchgear, load centers, and MCCs. The staff finds the response acceptable and the issue resolved since the ITAAC for equipment grounding includes the grounding busbar. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-7. Therefore, RAI 234-8284, Question 14.03.06-7, is resolved and closed.

The staff finds the applicant has included ITAAC in the APR1400 electrical design for analyzing the as-built electrical system equipment to withstand and clear an electrical fault and to maintain protection coordination. The staff determined that the information in DCD Tier 1 Section 2.6, which addresses electrical protection features, has been prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the adequacy of the electrical circuit protection included in the design.

Furthermore, the applicant has addressed protection features related to grounding. Therefore, the staff finds that the subject ITAAC verify that the as-built equipment will be able to withstand and clear an electrical fault and to maintain protection coordination by both inspections and tests. Because the ITAAC verify the electrical protection features, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.5 Displays, Controls, and Alarms

To ensure that the electrical power system is available when required, ITAAC are required to verify the existence of monitoring and controls for the electrical equipment. The minimum set of displays, alarms, and controls is based on the emergency procedure guidelines. In some cases, additional displays, alarms, and controls may be specified based on special considerations in the design and/or operating experience. The applicant included ITAAC to inspect, retrieve the information (displays and alarms), and control the electrical power system in the main control room (MCR) and/or at locations provided for remote shutdown.

Section 14.3.6.4.1.8, Alternate AC Power Source, discusses the controls associated with the AAC source. Detection of undervoltage conditions along with the starting and loading of EDGs were included in ITAAC by the applicant, under Items 15 and 17 of DCD Tier 1 Table 2.6.2-3.

The staff identified the following ITAAC regarding displays, controls, and alarms:

Table 14.3.6-5 Displays, Controls and Alarms ITAAC

| Table | Item Number |
|---|---|
| 2.6.1-3 | 3a |
| 2.6.1-3 | 3b |
| 2.6.1-3 | 3c |
| 2.6.1-3 | 3d |
| 2.6.1-3 | 7b |
| 2.6.2-3 | 6a |
| 2.6.2-3 | 6b |
| 2.6.2-3 | 6c |
| 2.6.2-3 | 6d |
| 2.6.3-3 | 11a |
| 2.6.3-3 | 11b |
| 2.6.4-3 | 3a |
| 2.6.4-3 | 3b |
| 2.6.6-1 | 11 |

The staff finds the applicant has included ITAAC in the APR1400 electrical design for verifying the existence of monitoring and controls for the electrical equipment. The staff determined that the information in DCD Tier 1 Section 2.6, which addresses displays, controls, and alarms, has been prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the existence of monitoring and controls. The staff finds that the subject ITAAC verify the existence of monitoring and controls for the electrical equipment by both inspections and tests. Because the ITAAC verify the existence of monitoring and controls for the electrical equipment, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

In addition to the Class 1E systems addressed above, other aspects of the electrical design that are deemed to be important to safety and the design commitments (Tier 1) were reviewed by the staff for ITAAC compliance. These electrical systems are discussed in the remaining sections below.

14.3.6.4.1.6 Offsite Power

To ensure that the requirements of GDC 17 for the adequacy and independence of the preferred offsite power sources within the standard design scope are met, an ITAAC should verify the capacity and capability of the offsite sources to feed the Class 1E divisions, and the independence of those sources. ITAAC should be included to inspect the direct connection of the offsite sources to at least one Class 1E division, and to inspect for the independence/separation of the offsite sources, and between offsite sources and onsite power sources.

ITAAC should include appropriate lightning protection and grounding features associated with the offsite power system. In addition, the design description should include COL interface requirements for the portions of the offsite power outside of the standard design scope.

The staff reviewed the DCD Tier 1 Chapter 2.6 Electrical system, and DCD Tier 1 Chapter 3, Interface Requirements, and Tier 2, Section 14.3.2.6 information in the DCD for ITAAC to verify the above requirements. Specifically, DCD Tier 1, Table 2.6.1-3, addresses the ac electric power distribution system ITAAC, including ITAAC to verify the capacity and capability for the offsite power sources to provide power to the Class 1E onsite system.

The staff identified the following ITAAC regarding offsite power:

Table 14.3.6-6 Offsite Power ITAAC

| Table | Item Number |
|---|---|
| 2.6.1-3 | 1 |
| 2.6.1-3 | 5 |
| 2.6.1-3 | 6 |
| 2.6.1-3 | 7a |
| 2.6.1-3 | 7b |
| 2.6.1-3 | 8 |
| 2.6.1-3 | 18a |
| 2.6.1-3 | 18b |
| 2.6.1-3 | 19 |
| 2.6.1-3 | 23 |
| 2.6.1-3 | 24 |
| 2.6.1-3 | 25 |

The staff finds the applicant has included ITAAC in the APR1400 electrical design for verifying the adequacy and independence of the preferred offsite sources. The staff determined that the information in DCD Tier 1, Section 2.6, which addresses offsite power, has been prepared in accordance with the guidance in SRP Section 14.3.6, Electrical Systems - Inspections, Tests, Analyses, and Acceptance Criteria, and RG 1.206, which states that the applicant should develop ITAAC to verify capacity and capability of the offsite sources to supply power to the Class 1E divisions and the independence of those sources. The staff finds that the applicant provided ITAAC to verify 1) the direct connection of the offsite sources to the Class 1E divisions, 2) the capacity and capability of the offsite sources to supply power to the Class 1E divisions, and 3) the independence and separation of offsite sources. Therefore, the staff finds that the subject ITAAC verify capacity and capability of the offsite sources to supply power to the Class 1E divisions and the independence of those sources by both inspections and tests. Because the ITAAC verify the capacity and capability of the offsite sources to supply power to the Class 1E divisions and the independence of those sources, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.7 Containment Electrical Penetrations

The ITAAC for containment electrical penetrations (both Class 1E and non-Class 1E circuits) verify that the containment electrical penetrations do not fail due to electrical faults and potentially breach the containment. The ITAAC should verify that all electrical containment penetrations are protected against postulated fault currents, i.e., currents greater than the continuous current rating. The applicant in DCD Tier 2, Section 14.3.2.6, has committed to have ITAAC to verify that the containment penetrations are protected against postulated fault currents greater than their continuous current rating. DCD Tier 1 Table 2.6.5-1, Containment Electrical Penetration Assemblies ITAAC, Items 1, 2, 3, 4, 5, and 6 capture the applicant's containment electrical penetration assemblies ITAAC.

The staff issued RAI 234-8284, Question 14.03.06-5 (ML15296A005), requesting the applicant to provide additional information regarding why an ITAAC was not necessary to confirm that separate electrical penetrations are provided for medium voltage circuits, low voltage circuits, control power circuits, and instrumentation signal circuits. In its response to RAI 234-8284, Question 14.03.06-5 (ML16020A513), the applicant responded by revising DCD Tier 1, Section 2.6.5.1, Design Description, and Table 2.6.5-1, to include separation of penetrations per voltage level as a new ITAAC Item 6. The staff finds this acceptable and this issue resolved since there is verification of separate electrical penetrations for the different circuits. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-5. Therefore, RAI 234-8284, Question 14.03.06-5, is resolved and closed.

The staff determined that the information in DCD Tier 1, Section 2.6.5, Containment Electrical Penetration Assemblies, which addressed containment electrical penetrations, was prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify that all containment electrical penetrations are protected against postulated currents greater than their continuous current rating. The staff finds that the applicant has adequately addressed this item and the information submitted is acceptable. Furthermore, the ITAAC for containment electrical penetrations verify that the containment electrical penetrations do not fail due to electrical faults and potentially breach the containment. Therefore, the staff finds that the subject ITAAC verify that all containment electrical penetrations are protected against postulated currents greater than their continuous current rating by both inspections and tests. Because the ITAAC verify that all containment electrical penetrations are protected against postulated currents greater than their continuous current rating, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.8 Alternate AC Power Source

The ITAAC for the AAC power source are required to verify through inspection and testing the availability of the AAC power source for SBO events, and that the AAC power source and its auxiliaries are independent from other ac sources. The applicant in DCD Tier 2 Section 14.3.2.6, has committed to have ITAAC to verify through inspection and testing that the AAC power source and its auxiliaries provide reasonable assurance of the availability of the AAC power sources for SBO events as well as its independence from other ac sources. DCD Tier 1 Table 2.6.6-1, Alternate AC Source ITAAC, Items 1, 2, 3, 4, 5, 6, 7, 8a, 8b, 9, 10, 11, and 12, capture the applicant's commitment.

The staff issued RAI 234-8284, Question 14.03.06-6 (ML15296A005), requesting the applicant to provide additional information regarding the AAC source, specifically why ITAAC are not necessary: (1) to confirm that the AAC source is capable of providing power at the set voltage and frequency to the Class 1E bus after receiving a start signal and (2) to confirm that controls exist in the MCR and remote shutdown room (RSR) to start, stop and synchronize the AAC power source. In its response to RAI 234-8284, Question 14.03.06-6 (ML16020A513), the applicant revised DCD Tier 1 Section 2.6.6.1, Design Description, and Table 2.6.6-1 and DCD Tier 2 Table 14.3.4-2, PRA and Severe Accident Analysis Key Design Features, to add verification that: (1) the AAC is started, brought up to the required voltage and frequency, and (2) all controls required by the design exist in the MCR and RSR to start and stop the AAC gas turbine generator (GTG) and to synchronize the AAC GTG to its respective Class 1E bus.

Furthermore, the applicant revised DCD Tier 1 Table 2.6.6-1, Item 2, to verify that the AAC source is sized with sufficient capacity to accommodate SBO or LOOP conditions; tests will be performed and a report exists to verify that the AAC is capable of supplying rated power at proper voltage and frequency. The staff finds the response acceptable and the issue resolved since verification is provided to show that the AAC source can be brought up to the required voltage and frequency and that controls exist in the MCR and RSR to start, stop and synchronize the AAC source to its respective Class 1E buses. The staff confirmed that DCD Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 234-8284, Question 14.03.06-6. Therefore, RAI 234-8284, Question 14.03.06-6, is resolved and closed.

The DCD Tier 1 Table 2.6.6-1 captures the applicant's commitment regarding the inspection of the as-built circuit breakers in series (i.e., one Class 1E circuit breaker at the Class 1E bus and the other non-Class 1E AAC bus) between each AAC power source and the emergency Class 1E power supply systems. The staff finds that the applicant has addressed separation of the non-1E AAC system and the Class 1E electrical system. The staff reviewed the alternate lighting information in DCD Tier 1, Section 2.6.8, and determined it was prepared in accordance with the guidance in SRP Section 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the functional arrangement of electrical power systems provided to support non-safety systems to the extent that those systems perform a significant safety function. Therefore, the staff finds that the applicant has adequately verified the functional arrangement of electrical power systems provided to support non-safety systems to the extent that those systems perform a significant safety function and the information submitted is acceptable.

The staff determined that the information in DCD Tier 1 Section 2.6.6, Alternate AC Source, has been prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify through inspection and testing the AAC power source (GTG) and its auxiliaries to ensure the availability of the AC power source for SBO events as well as its independence from other ac sources. Therefore, the staff finds that the subject ITAAC verify, by both inspections and tests, the AAC power source (GTG) and its auxiliaries to ensure the availability of the AC power source for SBO events as well as its independence from other ac sources. Because the ITAAC verify the AAC power source (GTG) and its auxiliaries to ensure the availability of the AC power source for SBO events as well as its independence from other ac sources, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.9 Lighting

The ITAAC for lighting are required for verifying the continuity of power sources for plant lighting systems to ensure that portions of the plant lighting remain available during accident events, partial loss of power, and SBO conditions. The applicant in Section 14.3.2.6 of the DCD Tier 2 has committed to have ITAAC to verify the continuity of power sources for plant lighting systems to provide reasonable assurance that a portion of the plant lighting remains available during accident scenarios and power failures. DCD Tier 1 Table 2.6.8-1, Lighting Systems ITAAC, Items 1, 2, 3, 4, and 5 capture the applicant's commitment.

The staff issued RAI 234-8284, Question 14.03.06-8 (ML15296A005), requesting the applicant to provide additional information regarding why an ITAAC is not necessary to confirm that supports for the emergency lighting fixtures in Class 1E equipment areas can withstand seismic design basis loads. In its response to RAI 234-8284, Question 14.03.06-8 (ML16020A513), the applicant stated that the lighting system equipment, which includes normal, emergency ac and emergency dc lighting fixtures, located in safety-related areas are classified as seismic Category II. In addition, the applicant stated that because verification of seismic Category II equipment is not included in DCD Tier 1, Chapter 2, Design Description and ITAAC, the ITAAC for verification of structural integrity of the lighting system equipment located in safety-related areas is not included. DCD Tier 2, Section 3.2.1, Seismic Classification, defines seismic Category II SSCs and states that seismic Category II SSCs meet augmented quality assurance requirements as described in DCD Tier 2, Section 17.5, Quality Assurance Program Description - Design Certification. The staff finds this response acceptable and the issue resolved since the lighting fixtures located in areas with Class 1E equipment are classified as seismic Category II and verification of the seismic Category II equipment is not included in DCD Tier 1.

The staff determined that the information in DCD Tier 1 Section 2.6.8, Lighting Systems, has been prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the continuity of power sources for plant lighting systems to ensure that portions of the plant lighting remain available during accident scenarios and power failures. Therefore, the staff finds that the subject ITAAC verify, by both inspections and tests, the continuity of power sources for plant lighting systems to ensure that portions of the plant lighting remain available during accident scenarios and power failures. Because the ITAAC verify the continuity of power sources for plant lighting systems to ensure that portions of the plant lighting remain available during accident scenarios and power failures, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapters 8 and 9 of this report. Therefore, the staff finds the ITAAC are necessary, sufficient, and meet the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.10 Electrical Power for Non-Safety Plant Systems

The ITAAC are required to ensure that electrical power is provided to support the non-safety plant systems, including the functional arrangement of electrical power systems to the extent that those systems perform a significant safety function. The applicant in DCD Tier 2 Section 14.3.2.6 has committed to have ITAAC to verify the functional arrangement of electrical power systems provided to support non-safety systems to the extent that those systems perform a significant safety function.

The staff identified the following ITAAC regarding electrical power for non-safety plant systems:

Table 14.3.6-7 Electrical Power for Non-Safety Systems ITAAC

| Table | Item Number |
|---|---|
| 2.6.1-3 | 1 |

The staff issued RAI 234-8284, Question 14.03.06-1 (ML15296A005), requesting the applicant to provide additional information on the DCD Tier 2 Section 14.3.2.6, ITAAC for Electrical Systems, Part j, discussion of electrical power for non-safety plant systems and whether this includes testing of the main generator system. In its response to RAI 234-8284, Question 14.03.06-1 (ML16020A513), the applicant stated that testing of the main generator is included in the initial test program as part of the unit main power system test, as described in DCD Tier 2, Section 14.2.12.1.110, Unit Main Power System Test. Since the initial test program of the unit main power system, as discussed in DCD Tier 2, Section 14.2.12.1.110, demonstrates: (1) the ability of the main generator to generate designed voltage and (2) that the unit main power system is capable of supplying power to designated loads, the staff considers the issue resolved.

The staff reviewed the electrical systems and equipment in DCD Tier 1, Section 2.6, and determined that it was prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the functional arrangement of other electrical systems and equipment that are not part of the Class 1E system, but are included to improve the reliability of the individual Class 1E systems. Therefore, the staff finds that the subject ITAAC verifies electrical power for non-safety plant systems by both inspections and tests. Because the ITAAC verifies electrical power for non-safety plant systems, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC is necessary, sufficient, and meets the requirements of 10 CFR 52.47(b)(1).

14.3.6.4.1.11 Physical separation and independence

Design descriptions in the APR1400 DCD also address electrical equipment that is not part of the Class 1E system, but is included to improve the reliability of the individual Class 1E systems. Also, brief design descriptions are included for the non-Class 1E portions of the electrical system that power the balance of plant loads and these generally focus on the aspects needed to support the Class 1E portion. The applicant has provided a description of these non-Class 1E systems that power the balance of the plant loads and are included to improve the reliability of the individual Class 1E divisions. Appendix A to RG 1.206 (pages C.II.1-A C.II.1-A-22) lists ITAAC for ac distribution equipment in items A through P. Similarly, SRP Section 14.3, Appendix C.II, lists an electrical systems review checklist that should be included in the Tier 1 information. The equipment and systems identified in the ITAAC in the DCD do not include several items of the ac distribution equipment that are identified by the RG 1.206 and SRP review checklists.

The staff identified the following ITAAC regarding physical separation and independence of non-Class 1E portions of the electrical system:

Table 14.3.6-8 Physical Separation and Independence ITAAC

| Table | Item Number |
|---|---|
| 2.6.1-3 | 1 |

DCD Tier 1, Figure 2.6.1-1 depicts, in part, the non-Class 1E and Class 1E AC electrical power system.

The staff reviewed the electrical systems and equipment in DCD Tier 1, Section 2.6, and determined that it was prepared in accordance with the guidance in SRP 14.3, SRP 14.3.6, and RG 1.206, which states that the applicant should develop ITAAC to verify the functional arrangement of other electrical systems and equipment that are not part of the Class 1E system, but are included to improve the reliability of the individual Class 1E systems. The staff finds that the subject ITAAC verifies the functional arrangement of other electrical systems and equipment that are not part of the Class 1E system by both inspections and tests. Because the ITAAC verifies the functional arrangement of other electrical systems and equipment that are not part of the Class 1E system, the staff finds that the as-built systems will meet the requirements of GDCs 17 and 18, as discussed in Chapter 8 of this report. Therefore, the staff finds the ITAAC is necessary, sufficient, and meets the requirements of 10 CFR 52.47(b)(1).

Combined License Information Items

The DCD Tier 2, Section 14.3.2.6 contains no COL information items.

Conclusion

The staff has reviewed all the relevant ITAAC information that is applicable to the electrical power system design and evaluated its compliance with 10 CFR 52.47(b)(1), 10 CFR 50.49, 10 CFR 50.63, GDC 17, and GDC 18, and its conformance with relevant NRC guidance in SRP Section 14.3. On the basis of the information provided in the DCD, the general description of ITAAC for electrical review areas found in DCD Tier 1, Sections 2.6.1 through 2.6.8 and DCD Tier 2, Chapter 14, Section 14.3.2.6, the staff finds that the APR1400 Tier 1 has provided sufficient information to satisfy the guidance in SRP Section 14.3. Therefore, the staff concludes that the ITAAC provides reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, then a facility referencing the certified design can be constructed and operated in compliance with the design certification and applicable regulations. DCD Tier 1 Section 2.6.9, Communication Systems, and Table 2.6.9-1, Communication Systems ITAAC, are evaluated in Sections 9.5.2 and 14.3.12 of this SER.

Plant Systems - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

The DCD Tier 2, Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, discusses the selection criteria and methods used to develop the DCD Tier 1 information and the ITAAC. DCD Tier 1 chapters include the portion of the design-related information contained in a generic DCD that is approved and certified by the design certification rule, 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. The design descriptions, interface requirements, and site parameters are derived from DCD Tier 2 information.

The staff's evaluation addresses ITAAC related to most of the fluid systems that are not part of the core reactor systems. The specific areas addressed in this section include:

  • New and spent fuel handling systems; power generation systems; air systems; cooling water systems; radioactive waste systems; and heating, ventilation and air conditioning (HVAC) systems; and
  • Issues which affect multiple structures, systems, and components (SSCs), such as equipment qualification and protection from fires, floods and wind-borne missiles.

The staff reviewed the ITAAC with respect to plant systems described in the DCD in accordance with NUREG-0800, Standard Review Plan (SRP) for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.7, Plant Systems - Inspections, Tests, Analyses, and Acceptance Criteria. The staff reviewed the proposed ITAAC to determine whether these ITAAC are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification is built and will operate in accordance with the design certification, the Atomic Energy Act of 1954, as amended, and the NRC's regulations. In addition, the staff reviewed the justification that compliance with the interface requirements is verifiable through ITAAC, and also reviewed the method that the applicant will use for verification of the interface requirements.

The scope of the review in this subsection is the plant systems ITAAC included in the DCD Tier 1 and listed in Table 14.3.7-1, Cross References for the Staff's Evaluation of Plant Systems ITAAC, of this safety evaluation report (SER), that are significantly related to normal operation, transients, and accidents. The detailed evaluation of each plant system's proposed ITAAC is in the SER section identified in Table 14.3.7-1. For systems that did not contain any proposed ITAAC, the staff verified that no ITAAC were required.

Summary of Application

DCD Tier 1: The applicant provided design descriptions for plant systems in DCD Tier 1 sections in Tables 14.3.4-1 through 14.3.4-6 of the DCD that are directly or indirectly related and impact these sections. DCD Tier 1, Chapter 1, Introduction, provides definitions, general provisions, and a legend for figures, acronyms, and abbreviations.

Table 14.3.7-1 Cross References for the Staff's Evaluation of Plant Systems ITAAC

DCD Tier 1 Section | Title | ITAAC Table | SER Section | SER Section for 52.47(b)(1) Finding
2.7.1.1 | Turbine Generator | 2.7.1.1-1 | 10.2 | 10.2
2.7.1.2 | Main Steam System | 2.7.1.2-4 | 10.3 | 10.3
2.7.1.3 | Turbine Bypass System | No entry for this system
2.7.1.4 | Condensate and Feedwater System | 2.7.1.4-4 | 10.4.7 | 10.4.7
2.7.1.5 | Auxiliary Feedwater System | 2.7.1.5-4 | 10.4.9 | 10.4.9
2.7.1.6 | Condenser Vacuum System | No entry for this system
2.7.1.7 | Circulating Water System | No entry for this system
2.7.1.8 | Steam Generator Blowdown System | 2.7.1.8-3 | 10.4.8 | 10.4.8
2.7.1.9 | Auxiliary Steam System | 2.7.1.9-1 | 10.4.10 | 10.4.10
2.7.2.1 | Essential Service Water System | 2.7.2.1-4 | 9.2.1 | 9.2.1
2.7.2.2 | Component Cooling Water System | 2.7.2.2-4 | 9.2.2 | 9.2.2
2.7.2.3 | Essential Chilled Water System | 2.7.2.3-4 | 9.2.7 | 9.2.7
2.7.2.4 | Plant Chilled Water System | 2.7.2.4-1 | 9.2.7 | 9.2.7
2.7.2.5 | Equipment and Floor Drainage System | 2.7.2.5-4 | 9.3.3 | 9.3.3
2.7.2.6 | Process and Post-Accident Sampling System | 2.7.2.6-4 | 9.3.2 | 9.3.2
2.7.2.7 | Turbine Generator Building Closed Cooling Water System | No entry for this system
2.7.2.8 | Turbine Generator Building Open Cooling Water System | No entry for this system
2.7.3.1 | Control Room HVAC System | 2.7.3.1-3 | 9.4.1 | 9.4.1
2.7.3.2 | Fuel Handling Area HVAC System | 2.7.3.2-3 | 9.4.2 | 9.4.2
2.7.3.3 | Auxiliary Building Clean Area HVAC System | 2.7.3.3-3 | 9.4.3 | 9.4.3
2.7.3.4 | Turbine Generator Building HVAC System | No entry for this system
2.7.3.5 | Engineered Safety Features Ventilation System | 2.7.3.5-3 | 9.4.5 | 9.4.5
2.7.3.6 | Reactor Containment Building HVAC System and Reactor Containment Building Purge System | 2.7.3.6-1 | 9.4.6 | 9.4.6
2.7.3.7 | Compound Building HVAC System | No entry for this system
2.7.4.1 | New Fuel Storage | 2.7.4.1-1 | 9.1.1 | 9.1.1
2.7.4.2 | Spent Fuel Storage | 2.7.4.2-1 | 9.1.2 | 9.1.2
2.7.4.3 | Spent Fuel Pool Cooling and Cleanup System | 2.7.4.3-4 | 9.1.3 | 9.1.3
2.7.4.4 | Light Load Handling System | 2.7.4.4-2 | 9.1.4 | 9.1.4
2.7.4.5 | Overhead Heavy Load Handling System | 2.7.4.5-1 | 9.1.5 | 9.1.5
2.7.5.1 | Compressed Air and Gas Systems | 2.7.5.1-1 | 9.3.1 | 9.3.1
2.7.5.2 | Fire Protection System | 2.7.5.2-3 | 9.5.1 | 9.5.1
2.7.5.3 | Domestic Water and Sanitary Systems | No entry for this system
2.7.6.1 | Liquid Waste Management System | 2.7.6.1-2 | 11.2 | 11.2
2.7.6.2 | Gaseous Waste Management System | 2.7.6.2-4 | 11.3 | 11.3
2.7.6.3 | Solid Waste Management System | 2.7.6.3-2 | 11.4 | 11.4
2.7.6.4 | Process and Effluent Radiation Monitoring and Sampling System | 2.7.6.4-3 | 11.5 | 11.5
2.7.6.5 | Area Radiation Monitoring System | 2.7.6.5-3 | 14.3.8 | 14.3.8

System design descriptions include relevant information for the ITAAC, including key design features, seismic and American Society of Mechanical Engineers (ASME) code classifications used in design and construction, system operation, alarms, displays and controls logic for system actuation, interlocks, Class 1E power sources and divisions, equipment to be qualified for harsh environment, interface requirements, and numeric performance values. The design description contains tables and figures that are referenced in the Design Commitment column of the ITAAC tables listed above.

The applicant organized its Tier 1 information in a manner similar to that used for the evolutionary designs as described in SRP Section 14.3 and Regulatory Guide (RG) 1.206, Section C.II.1-1, Design Descriptions and ITAAC Format and Content. The ITAAC tabular format and content for the plant systems follows the NRC recommended format described and presented in RG 1.206, Table C.II.1-1, Sample ITAAC Format. The ITAAC are presented in a three-column table that includes the proposed commitment to be verified (column 1), method by which the licensee will verify (column 2), and specific acceptance criteria for the inspections, tests, or analyses (column 3) that, if met, demonstrate the licensee has met the design requirements/commitment in column 1.

DCD Tier 2: The DCD Tier 2, Section 14.3 provides a general description of the APR1400 ITAAC including its relationship to other DCD Tier 1 information, the selection criteria, and content.

The applicant specified that the ITAAC for plant systems were prepared in accordance with the guidance in RG 1.206, Section C.II.1; NUREG-0800, SRP Section 14.3; and NUREG-0800 SRP Section 14.3.7.

ITAAC: The applicant provided ITAAC for plant systems in DCD Tier 1 sections as listed above in Table 14.3.7-1.

Technical Specifications: There are no technical specifications for this area of review.

Regulatory Basis

The relevant requirements of the NRC regulations for this area of review, and the associated acceptance criteria, are given in NUREG-0800, Sections 14.3 and 14.3.7. Review interfaces with other SRP sections are also identified in this SRP section.

The acceptance criteria are based on meeting the relevant requirements of the following NRC regulations:

  • Title 10 CFR 52.47(b)(1), Contents of applications; technical information, as it relates to the requirement that a design certification application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification is built and will operate in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC regulations.

Technical Evaluation

The NRC staff performed its review of the system and non-system based ITAAC in accordance with the SRP Section 14.3 sections described above and SRP Section 14.3.7, particularly the applicable review procedures identified in each SRP section, as well as the guidance provided by RG 1.206, Section C.II.1. The staff review examined the ITAAC to ensure that they can be inspected by the organization holding the combined license and closed out by the staff. The review examined the phrasing and format of the ITAAC to determine if they were consistent (i.e., the Commitment Wording; the Inspection, Test, or Analysis; and the Acceptance Criteria are parallel and in agreement). In addition, the staff determined that the DCD Tier 1 ITAAC items were derived from the DCD Tier 2 information.

ITAAC Development Criteria

RG 1.206, Section C.II.1.2.7, ITAAC for Plant Systems, describes the ITAAC development for plant systems and identifies the aspects that need to be verified through ITAAC, which are related to: new and spent fuel handling systems; power generation systems; air systems; cooling water systems; radioactive waste systems and HVAC systems; as well as issues which affect multiple SSCs, such as equipment qualification and protection from fires, floods and wind-borne missiles.

Since the features for ITAAC development criteria listed in DCD Tier 2, Section 14.3.2.7, ITAAC for Plant Systems, are identical to those listed in RG 1.206, Section C.II.1.2.7, ITAAC for Plant Systems, for an active plant, the NRC staff concludes that the applicant adequately identified the general aspects to be verified through ITAAC in DCD Tier 2, Section 14.3.2.7, including the ITAAC to verify the top-level design features.

Design Descriptions and Figures

The NRC staff reviewed the APR1400 DCD design description and figures for the plant systems in Tier 1 using the guidance provided in SRP Section 14.3, including Appendix C, Detailed Review Guidance, Fluid Systems Review Checklist, and SRP Section 14.3.7.

Standard and System Specific ITAAC Entries

The NRC staff reviewed the APR1400 DCD Tier 1 ITAAC entries in Section 2.7, Plant Systems, using the guidance provided for standard and system specific ITAAC entries contained in SRP Sections 14.3 and 14.3.7.

Plant Systems Tier 1 Section 2.7

In performing the evaluation of the ITAAC items, the staff considered the safety function significance of each item with regard to its adequacy and consistent with DCD Tier 2, Section 14.2, Initial Plant Test Program.

In addition, the NRC staff used the SRP sections identified in SRP Section 14.3.7 that have a potential impact on the plant systems ITAAC sections. These included the following SRP sections that provide information related to SRP Section 14.3.7:

  • SRP Section 14.3 - general guidance information on ITAAC
  • SRP Section 14.3.2 - information regarding the ability of SSCs to withstand various natural phenomena
  • SRP Section 14.3.3 - information for piping design
  • SRP Section 14.3.5 - information for instrumentation and controls
  • SRP Section 14.3.6 - information for electrical systems and components

The staff assessed the plant systems ITAAC items for the following DCD Tier 2 sections related to HVAC systems in accordance with the applicable procedures and guidance provided in SRP Sections 14.3 and 14.3.7:

  • Section 9.4.1, Control Room HVAC System
  • Section 9.4.2, Fuel Handling Area HVAC System
  • Section 9.4.3, Auxiliary Building Clean Area HVAC System
  • Section 9.4.4, Turbine Generator Building HVAC System (No ITAAC for 9.4.4)
  • Section 9.4.5, Engineered Safety Features Ventilation System
  • Section 9.4.6, Reactor Containment Building HVAC System and Purge System

The staff's specific evaluation results of the above DCD Tier 2 sections relating to the adequacy of the ITAAC listed in Table 14.3.7-1 are presented in the individual technical evaluation of each of the above sections in this SER.

Interface Requirements

Interface requirements are defined for: (a) systems that are entirely outside the scope of the design and (b) the out-of-scope portions of those systems that are only partially within the scope of the standard design. Except for the Essential Service Water System and the Ultimate Heat Sink, the applicant has included the plant systems designs within the complete scope of the standard design. The staff's review of the interface requirements for these two systems is in Sections 14.3.1 and 9.2 of this SER.

Combined License Information Items

The DCD Tier 2 Section 14.3.2.7 contains one COL item pertaining to plant systems. The staff concluded that no additional COL items were needed. The staff agrees that it is the COL applicant's responsibility to provide ITAAC for the site-specific portions of these systems.

Therefore, the staff finds COL 14.3(1) acceptable.

Table 14.3.7-2 APR1400 Combined License Information Items

Item No. | Description
COL 14.3(1) | The COL applicant is to provide the ITAAC for the site-specific portion of the plant systems specified in DCD Tier 2, Subsection 14.3.3.

Conclusion

Based on the review in this SER Section, as well as those SER Sections discussed therein, NRC staff finds that if the ITAAC for the systems identified in Table 14.3.7-1 are performed and the acceptance criteria met, there is reasonable assurance the APR1400 standard design nuclear power plant will be built and operated in accordance with the design.

Radiation Protection - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

Standard Review Plan Section 14.3.8, Radiation Protection - Inspections, Tests, Analyses, and Acceptance Criteria, addresses the review of ITAAC for radiation protection for the APR1400.

The staff reviewed the proposed ITAAC to determine whether a plant that incorporates the design certification can be built and operated in accordance with the design certification and NRC regulations.

The scope of the radiation protection Tier 1 and ITAAC review includes:

  • Radiation shielding provided by structures and components
  • Radiation monitoring systems
  • Ventilation systems (as they relate to radiation protection design features)
  • Design features and processes for radiation protection

Tier 2, Chapter 11, Radioactive Waste Management, of the DCD provides information on effluent releases, public dose, the design of radioactive waste management systems, radioactive waste, and process and effluent monitors. Tier 2, Chapter 12, Radiation Protection, of the DCD provides information on the radiation protection design features of the APR1400, in-plant radiation sources, and information on occupational radiation exposure.

Details on compliance with radiation protection regulations (including 10 CFR Part 20, Standards for Protection Against Radiation, and applicable portions of 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, and 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants) are discussed in the Chapter 11 and 12 SER sections, which review those DCD Tier 2 chapters and will therefore not be discussed in detail in this section. The purpose of this SER Section is to document the staff's review of the radiation protection design features provided in Tier 1 of the DCD, including ITAAC, and to determine if the appropriate Tier 1 information and ITAAC are included in the DCD.

Summary of Application

DCD Tier 1: The applicant provided design descriptions for radiation protection in DCD Tier 1, Section 2.8, Radiation Protection. Other sections of Tier 1 that include information related to radiation protection include Section 2.4.7, Leakage Detection System; Section 2.7.3, HVAC Systems; Section 2.7.6.4, Process and Effluent Radiation Monitoring and Sampling System; and Section 2.7.6.5, Area Radiation Monitoring System.

DCD Tier 2: DCD Tier 2, Section 14.3, Inspection, Tests, Analyses, and Acceptance Criteria, provides a general description of the APR1400 ITAAC including its relationship to other DCD Tier 1 information, the selection criteria, and content. DCD Tier 2, Chapter 11, provides design information for the radioactive waste management systems and process and effluent monitors, as well as information on normal expected effluent releases to the public during normal operations. DCD Tier 2, Chapter 12, provides radiation protection design information, including design-related aspects supporting the APR1400 as low as is reasonably achievable (ALARA) and radiation protection programs, information related to in-plant radiation sources, and worker dose assessment. Chapter 12 also includes COL information items on the ALARA and radiation protection programs, which are to be addressed by the COL applicant. In accordance with SRP 14.3.8, Tier 1 includes significant Tier 2 radiation protection design information.

ITAAC: The staff reviewed the radiation protection ITAAC in Tier 1, Section 2.8, as well as ITAAC relevant to radiation protection in Tier 1, Sections 2.2.1, 2.4.7, 2.7.2.5, 2.7.3, 2.7.4.2, 2.7.4.3, 2.7.4.4, 2.7.6.1, 2.7.6.4, 2.7.6.5, 2.8, and 2.11.4. The specific ITAAC items reviewed in these sections are discussed in the SER below.

Technical Specifications (TS): There are no TS for this area of review.

Regulatory Basis

The relevant requirements of NRC regulations for this area of review, and the associated acceptance criteria, are specified in NUREG-0800, Standard Review Plan [SRP] for the Review of Safety Analysis Reports for Nuclear Power Plants, Sections 14.3.8 and 12.0, Radiation Protection, and are summarized below. Review interfaces with other SRP sections also can be found in NUREG-0800, Section 14.3.8.

The acceptance criteria are based on meeting the relevant requirements of the following NRC regulations:

1. Title 10 CFR Part 50, Appendix A, GDC 19, Control Room, as it relates to the requirement, in part, that adequate radiation protection be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 0.05 Sieverts (5 rem) whole body, or its equivalent to any part of the body, for the duration of the accident.
2. Title 10 CFR Part 50, Appendix A, GDC 61, Fuel Storage and Handling and Radioactivity Control, as it relates to the requirement that occupational radiation protection aspects of fuel storage, fuel handling, radioactive waste, and other systems that may contain radioactivity, be designed such that they ensure adequate safety during normal and postulated accident conditions, with suitable shielding and appropriate containment and filtering systems.
3. Title 10 CFR Part 50, Appendix A, GDC 63, Monitoring Fuel and Waste Storage, as it relates to the requirement, in part, that appropriate systems be provided for the fuel storage and radioactive waste systems and associated handling areas to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels.
4. Title 10 CFR Part 50, Appendix A, GDC 64, Monitoring Radioactivity Releases, as it relates to the requirement that the containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs be monitored for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.
5. Title 10 CFR 20.1101, Radiation protection programs, as it relates to the requirement that the licensee shall use, to the extent practical, procedures and engineering controls based upon sound radiation protection principles to achieve occupational doses and doses to members of the public that are ALARA.
6. Title 10 CFR 20.1201, Occupational dose limits for adults, as it relates to the requirement, in part, that, with the exception of planned special exposures, the annual dose limit for adults is equal to a total effective dose equivalent of 5 rems, or the sum of the deep-dose equivalent and the committed dose equivalent to any individual organ or tissue other than the lens of the eye being equal to 50 rems.
7. Title 10 CFR 20.1406, Minimization of contamination, Subpart B, as it relates to applicants for standard design approvals describing in the application how facility design will minimize, to the extent practicable, contamination of the facility and the environment, facilitate eventual decommissioning, and minimize, to the extent practicable, the generation of radioactive waste.
8. Title 10 CFR 20.1501, General, as it relates to the requirement, in part, that licensees make surveys that are reasonable under the circumstances to evaluate the magnitude and extent of radiation levels, the concentrations or quantities of radioactive material, and the potential radiological hazards.
9. Title 10 CFR 20.1701, Use of process or other engineering controls, as it relates to the requirement that the applicant shall use, to the extent practical, process or other engineering controls to control the concentration of radioactive material in air.
10. Title 10 CFR 50.34(f)(2)(xvii), Contents of applications; technical information, as it relates to the requirement, in part, that instrumentation be provided that can measure, record, and read out in the main control room containment radiation intensity (high level).
11. Title 10 CFR 50.48, Fire protection, as it relates to fire-induced radiological hazards to the public and radiation workers.
12. 10 CFR 52.47(b)(1), Contents of applications; technical information, as it relates to the requirement that the APR1400 application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification is built and will operate in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC regulations.

SRP Section 14.3.8 refers to SRP Section 14.3 for guidance on the content and format of ITAAC. Relevant portions of SRP 14.3 include:

1. SRP Section 14.3, Appendix A, Information on Prior Design Certification Reviews, IV.1.A, Definitions.
2. SRP Section 14.3, Appendix A, IV.2, General Provisions.
3. SRP Section 14.3, Appendix A, IV.3, Legend for Figures and Acronyms and Abbreviations.
4. SRP Section 14.3, Appendix A, IV.4.B, ITAAC, Defines three column format and explains ITAAC terminology.
5. SRP Section 14.3, Appendix C, Fluid Systems Review Checklist, II.C, Style Guidelines for ITAAC.
6. SRP Section 14.3, Appendix C, Instrumentation and Control Systems Review Checklist, III, Reviewer Check Lists.
7. SRP Section 14.3, Appendix D, ITAAC Entries.

Technical Evaluation

The applicant provided design-basis information, including associated tables and figures, in accordance with the selection criteria and methodology for developing DCD Tier 1 information, as described in DCD Tier 2, Section 14.3. The applicant organized the DCD Tier 1 information in the systems, structures, and topical areas format shown in the DCD Tier 1, Table of Contents.

The staff reviewed the DCD Tier 1 information and ITAAC provided by the applicant in accordance with SRP Section 14.3.8.

Radiation Shielding

SRP Section 14.3.8 indicates that the criteria in Tier 1 should ensure that the radiation shielding design (as provided by the plant structures or by permanent or temporary shielding included in the design) is adequate so that the maximum radiation levels in plant areas are commensurate with the area's access requirements (and the requirements of 10 CFR Part 20). SRP Section 14.3.8 also specifies that the review should ensure that Tier 1 clearly describes the SSCs that provide a significant radiation protection function, including the key performance characteristics and safety functions of SSCs based on their safety significance. Therefore, the staff reviewed Tier 1 of the APR1400 DCD to ensure that important radiation shield barriers were included in Tier 1 of the DCD. Barriers relied upon to attenuate radiation from potential very high radiation areas and vital areas that may require access during accident conditions are considered by the staff to be examples of significant radiation barriers, which should be included in Tier 1. However, the initial application provided no ITAAC to verify the plant's shielding materials or thicknesses. Instead, the applicant provided a proposed ITAAC indicating that radiation levels specified for various plant areas will be met, based on a future report generated when the plant has been built (Tier 1, Table 2.8-2, item 1). This ITAAC was unverifiable because the radiation zones for specific rooms were not provided or referenced in Tier 1 or the ITAAC. In Tier 2, Section 12.3, the applicant already provides minimum shielding thicknesses based on an analysis of radiation sources in the plant. It is more appropriate if the radiation shielding ITAAC verified that the shielding material and thicknesses meet the criteria in Tier 2, Section 12.3. Therefore, Tier 1, Table 2.8-2, item 1, was unacceptable.
The staff issued RAI 116-8054, Question 14.03.08-1 (ML15208A511) requesting that the applicant modify Tier 1, Table 2.8-2, item 1, to provide an ITAAC to verify the shield barrier thickness. The staff also requested that this ITAAC verify that appropriate shielding material is used, that shielding thicknesses are verifiable in the ITAAC, and that any doors relied on for radiation attenuation are listed in the ITAAC.

In its response to RAI 116-8054, Question 14.03.08-1 (ML16036A078), the applicant proposed revising the acceptance criteria to Tier 1, Table 2.8-2, item 1; however, the revisions did not include any specific shielding information. In a clarification call with the applicant, the staff explained that they were expecting the applicant to provide specific radiation shielding information, including the composition of the shielding materials and the thicknesses, for important shields in Tier 1. The staff noted that Tier 1, Section 2.2, Table 2.2.1-1, already provided some structural thicknesses, but the applicant indicated that these thicknesses were not provided for the purposes of radiation protection. Therefore, the applicant agreed to revise the response to Question 14.03.08-1, to provide shielding information for important radiation shields in Tier 1, and to provide the basis for the shields selected to be included in Tier 1.

In its response to RAI 116-8054, Question 14.03.08-1, the applicant also proposed adding a new ITAAC to Tier 1, Table 2.8-2. The purpose of the proposed ITAAC was to ensure that the Compound Building truck bay doors provide adequate radiation shielding during waste loading and unloading operations. It is necessary to ensure appropriate shielding for the doors in order to ensure that doses to the public will be kept ALARA and to ensure that the requirements of 10 CFR 20.1301 (particularly 10 CFR 20.1301(e)) are met. In its response to RAI 14-7858, Question 12.03-4 (ML15201A377), the applicant previously indicated that the COL applicant will provide the material composition and shielding properties of these doors (COL 12.3(1)). It is not appropriate for a DCD applicant to provide an ITAAC for a site specific design feature which is to be provided by the COL applicant. Therefore, in the clarification call, the applicant indicated that they would revise the response to Question 14.03.08-1 to remove the proposed ITAAC for the truck bay doors from Table 2.8-2 and would instead modify COL Item 12.3(1) to indicate that the COL applicant is to provide an ITAAC for these doors (see the discussion related to Revision 2 below).

In Revision 1 of its response to RAI 116-8054, Question 14.03.08-1 (ML17006A392), the applicant proposed to update DCD Tier 1 Table 2.2.1-1a, to provide additional information about significant radiation shields such as several missing important radiation shield walls and a large number of floor thicknesses for the Auxiliary Building. In addition, the applicant proposed to add Table 2.2.1-1a to Tier 1 to provide the minimum required shielding thicknesses for significant radiation shield walls in the Compound Building and outdoor tanks containing radioactive material (i.e., the boric acid storage tank and holdup tank). The shielding thicknesses added included most of the significant radiation shielding barriers in the plant. However, some of the aspects of radiation shielding were still under review as part of the Chapter 12 radiation protection review, and some of the shielding barriers had been revised and a few barriers had been added to Chapter 12. Therefore, some of the Tier 1 information regarding radiation shielding thicknesses in Revision 1 was inadequate.

In Revision 2 of its response to RAI 116-8054, Question 14.03.08-1 (ML17248A371), the applicant removed ITAAC item 4 in Tier 1 Table 2.8-2, related to the shielding design of the Compound Building truck bay door, because the design of the truck bay door is to be provided by the COL applicant, as specified in Tier 2, Section 12.3, COL 12.3(3). As part of the response, the applicant also revised COL 12.3(3) to specify that the COL applicant is to provide an ITAAC for the radiation shielding for the shield doors that are to be provided by the COL applicant, including the truck bay door. The staff finds these revisions to be acceptable.

In Revision 2 of its response, the applicant also proposed to update the shielding thicknesses in Tier 1 Table 2.2.1-1a, because many of the minimum shield thicknesses for the Compound Building had been revised in Chapter 12 RAI responses. This response makes the Tier 1 information consistent with Tier 2, which is acceptable.

However, as part of the proposed Tier 1 update to Section 2.8.2, the applicant specified that Table 2.2.1-1 and Table 2.2.1-1a provide radiation shielding thicknesses for the Auxiliary Building and Compound Building, but the text added to Section 2.8.2 did not mention the Reactor Containment Building shielding, which was also provided in Table 2.2.1-1. Finally, some of the important shielding thicknesses necessary to ensure appropriate radiation shielding for vital area access routes, provided in the applicant's response to RAI 544-8756, Question 12.03-55, Revision 1 (ML17248A233), were not included in Tier 1 in this response.

In Revision 3 of its response to RAI 116-8054, Question 14.03.08-1 (ML17257A546), the applicant proposed to update Tier 1, Section 2.8.2 to clarify that Table 2.2.1-1 provides radiation shielding wall and floor thicknesses for the Reactor Containment Building and Auxiliary Building and that Table 2.2.1-1a provides radiation shielding wall and floor minimum thicknesses for the Compound Building. In its response, the applicant also included important shielding thicknesses, including shield barriers associated with vital area access routes, which had previously been missing from Tier 1, Table 2.2.1-1. However, in Revision 3 of its response, the applicant also revised several shield barrier thicknesses and parameters in Tier 1, Table 2.2.1-1. In reviewing these changes, staff identified that the revised shielding thicknesses provided for walls associated with Rooms 068-A10A and 068-A07A and floor slabs for Rooms 100-A13A and 100A-13B were less than the minimum required thicknesses specified for these rooms in DCD Tier 2, Table 12.3-4.

In Revision 4 of its response to RAI 116-8054, Question 14.03.08-1 (ML17268A038), the applicant proposed to correct the thicknesses for Rooms 068-A10A, 100-A13A, and 100-A13B, to make the thicknesses the same as, or greater than, the minimum thicknesses in Tier 2, which had previously been evaluated by the staff and found to be acceptable. For Room 068-07A, the applicant added new information to Tier 2, Table 12.3-4, to provide separate shielding information for the labyrinth wall and the west wall within column line from AA to AD and between column lines 25 to 26. The applicant specified that the appropriate shielding thicknesses for the labyrinth design were considered in the radiation zoning analysis. The staff also found that the zoning was appropriate with the west wall thickness specified. Therefore, these thicknesses are acceptable. The Tier 1 information was found to be consistent with the Tier 2 information. As a result, the staff found the response to be acceptable. RAI 116-8054, Question 14.03.08-1, is being tracked as a confirmatory item pending the incorporation of the proposed DCD changes.

In addition, the applicant provided Tier 1, Table 2.8-2, item 3 to verify that the shielding design is adequate to ensure that operators can take actions to mitigate and recover from design basis accidents and that doses will not exceed the 5 rem limit provided in GDC 19, during design basis accidents. The staff found this shielding ITAAC acceptable to verify that the post-accident dose to operators meets the applicable regulations.

Radiation Protection Features Associated with Fuel Handling and Storage

The majority of occupational radiation exposure typically occurs during refueling outages, with exposure to plant personnel from the movement of irradiated fuel and in-core components being a potentially significant contributor to this dose. Furthermore, the plant should be designed with appropriate radiation protection design features during potential accident conditions, in accordance with 10 CFR Part 50, Appendix A, GDC 61. Therefore, the staff reviewed Tier 1 information and ITAAC related to spent fuel handling and storage, to ensure that significant radiation protection design features were included in Tier 1 of the DCD. The design includes the refueling machine, spent fuel handling machine, and spent fuel transfer machine to handle spent fuel. However, it was unclear to the staff if the control element assembly change platform and elevator could be used to transfer spent fuel assemblies, and the staff could find no information in the DCD (including Tier 1) clearly specifying what equipment would be used to handle fuel. The staff issued RAI 23-7929, Question 12.02-6 (ML15174A324), requesting that the applicant describe all areas where fuel will be handled or stored and update Tier 1 to clarify where fuel will be handled and stored, so that the staff can adequately review fuel storage and handling areas in both Tier 1 and Tier 2. In its response to RAI 23-7929, Question 12.02-6 (ML15223B087), the applicant updated Tier 1, Table 2.7.4.4-1 to specify that the only equipment or locations used to handle or store fuel (other than the new fuel racks, spent fuel racks, reactor core, and upender (for transferring between the spent fuel pool (SFP) and the core)) are the refueling machine, spent fuel handling machine, new fuel elevator, and fuel handling hoist of overhead crane, and that no other equipment, locations, or areas will be used to do so at APR1400 plants.
New fuel is not a significant radiological concern prior to activation, and transferring fuel on the upender occurs at the bottom of the refueling pool and refueling canal and inside the fuel transfer tube, so there would be sufficient water shielding in these areas during transfer. For these reasons, no specific ITAAC for radiation protection purposes is needed for this equipment, other than ITAAC for the structural shielding barriers for the fuel transfer tube, which is provided in DCD Tier 1, Table 2.2.1-1. The staff's evaluation of RAI 23-7929, Question 12.02-6, can be found in Section 12.2 of this SER.

However, spent fuel assemblies and other in-core components being transferred by the refueling machine and spent fuel machine could be a significant source of radiation exposure to plant personnel. In reviewing ITAAC associated with fuel handling features, the staff could not find an ITAAC to verify that there would be interlocks provided on the refueling machine or spent fuel machine to ensure that it cannot be raised to a height that would result in operators being exposed to a dose rate exceeding 2.5 mrem/hour during fuel movement, in accordance with ANSI/ANS-57.1-1992, Design Requirements for Light Water Reactor Fuel Handling Systems, which is referenced by the applicant. In addition, RG 8.38, Control of Access to High and Very High Radiation Areas in Nuclear Power Plants, specifies that control measures should be implemented to ensure that activated materials are not raised above or brought near the surface of the pool. The staff issued RAI 116-8054, Question 14.03.08-3 (ML15208A511), requesting the applicant to provide this information.

In its response to RAI 116-8054, Question 14.03.08-3 (ML15244B378), the applicant indicated that ITAAC item 8 of Table 2.7.4.4-2 specifies that the refueling machine and spent fuel handling machine are provided with mechanical stops that restrict the withdrawal of the fuel assemblies. However, this ITAAC does not specify an acceptable lift height or dose rate to an operator from a raised fuel assembly. The ITAAC should ensure that the dose to an operator from raised fuel assemblies and control elements will not exceed 2.5 mrem/hour in accordance with ANSI/ANS-57.1-1992. Therefore, RAI 116-8054, Question 14.03.08-3, was closed and the staff issued RAI 310-8355, Question 14.03.08-12 (ML15320A348), requesting that the applicant provide this information.

In its response to RAI 310-8355, Question 14.03.08-12 (ML16285A531), the applicant proposed providing information in Tier 1 Section 2.7.4.4 and ITAAC in Tier 1 Table 2.7.4.4-2. The information specified that the refueling machine, spent fuel handling machine, and control element assembly change platform include mechanical stops that restrict withdrawal of the spent fuel assemblies or control element assemblies above a minimum safe water cover depth of nine feet (2.7 meters). The applicant indicated that nine feet of water shielding ensures that an operator on the refueling platform is exposed to less than 2.5 mrem/hour, when at the lower limit of the normal operating water level, in accordance with ANSI/ANS-57.1-1992. The applicant proposed that the ITAAC acceptance criteria would be that the equipment provides at least nine feet of water cover depth. In the staff's view, the proposed Tier 1 information and ITAAC wording would be acceptable if nine feet of water was all that was necessary to meet the 2.5 mrem/hour dose criteria. However, in its response to RAI 396-8463, Question 12.03-50 (ML16083A547), the applicant indicated that in addition to the nine feet of water, additional shielding from the fuel handling equipment was also needed to reduce the dose to operators to less than 2.5 mrem/hour. In Revision 1 of RAI 396-8463, Question 12.03-50 (ML16232A504), the applicant provided information demonstrating that the 2.5 mrem/hour dose criteria would be met if the shielding properties provided by the refueling machine, grapple, mast, and hoist box were considered. In its revised response to RAI 396-8463, Question 14.03.08-12 (ML16285A531), the applicant proposed to update the information in Tier 1 Section 2.7.4.4, to specify that the minimum nine feet of water coverage, plus the shielding provided by the refueling equipment, ensures that an operator on the refueling platform is not exposed to the radiation dose limit of 2.5 mrem/hour when the pool is at the lower limit of the normal operating water level. This is consistent with ANSI/ANS-57.1-1992 and is therefore acceptable. The staff verified that the proposed changes have been incorporated into Revision 1 of the DCD.

Revision 1 of the DCD also updated ITAAC item 8 in Table 2.7.4.4-2 to be consistent with the information in the text of Tier 1, Section 2.7.4.4, which is appropriate and acceptable.

Therefore, RAI 396-8463, Question 14.03.08-12, is resolved and closed. More information on the review of the response to RAI 396-8463, Question 12.03-50, can be found in Chapter 12 of this SER.

Also, the staff could find no information in Tier 1 to verify that there will be no piping penetrations in the SFP lower than 10 feet (3.1 meters) above the top of fuel assemblies seated in the pool or to ensure that the failure of the gates connecting the SFP to the transfer canal and spent fuel cask loading pit will not result in the coolant inventory being drained to levels lower than 10 feet (3.1 meters) above the tops of fuel assemblies in accordance with RG 1.13, Spent Fuel Storage Facility Design Basis. In addition, the staff could not identify any information in Tier 2 demonstrating that a failure of a single gate would not result in draining the pool below 10 feet above the top of the assemblies. Therefore, the staff could not verify that the APR1400 application contained the appropriate Tier 1 information to verify compliance with GDC 61. As a result, the staff issued RAI 116-8054, Question 14.03.08-2 (ML15208A511), requesting the applicant to provide this information.

In its response to RAI 116-8054, Question 14.03.08-2 (ML15303A426), the applicant indicated that the information requested was already provided in its responses to RAI 98-8051, Question 09.01.02-8 (ML15299A481) and RAI 79-7990, Question 09.01.02-7 (ML15301A236).

The applicant's response to RAI 98-8051, Question 09.01.02-8, provided a detailed analysis of the SFP water level in the event of a failure of the gates to the cask loading pit and fuel transfer canal. The staff reviewed this response, which calculated the water level in the SFP after a failure where water had transferred to the fuel transfer canal and cask loading pit individually.

The response showed that the water level in the SFP remained well above 10 feet above the top of the fuel assemblies stored in the pool. RG 1.13 specifies that the water level should remain more than 10 feet above the top of the fuel assemblies during such an event. The 10 feet of water provides sufficient water coverage for shielding purposes during an accident and is therefore acceptable, from a radiation protection perspective. However, while acceptable from a radiation protection perspective, additional review is performed in Chapter 9, Auxiliary Systems, of this SER to determine the acceptability of the design for safety-system operation and maintaining appropriate SFP cooling.

In its response to RAI 79-7990, Question 09.01.02-7 (ML15301A236), the applicant provided Tier 1 information for a failure of a gate and Tier 1 information for the locations of piping penetrations. Specifically, in the applicant's response to RAI 79-7990, Question 09.01.02-7, the applicant proposed modifying the design description in Tier 1, Section 2.7.4.2, to indicate that the SFP has no openings, gates, drains, or connections below the top of the stored fuel; that the gates were Seismic Category I and designed to minimize leakage; and that the water level in the SFP remains 3 meters (10 feet) above the top of the fuel assemblies in the event of a single gate failure. The design description of Tier 1, Section 2.7.4.2, also specifies that all piping penetrations are located approximately 3 meters above the top of the irradiated fuel assemblies seated in the storage racks, and all piping extending down into the SFP will have siphon breaker holes installed on the piping inside the SFP at or above the 10 foot (3 meter) level. While the information on siphon breaks not allowing leakage below the lowest piping penetrations is consistent with RG 1.13 and is acceptable, RG 1.13 specifies that there should be no piping penetrations below the minimum water level of 3 meters.

Therefore, RAI 116-8054, Question 14.03.08-2, was closed and the staff issued RAI 449-8533, Question 14.03.08-15 (ML16082A354), requesting that the applicant specify that all piping penetrations are located at least 10 feet (3 meters) above the top of the fuel assemblies, instead of approximately 10 feet (3 meters) above the fuel assemblies. In its response to RAI 449-8533, Question 14.03.08-15 (ML16183A362), the applicant made the suggested changes to Tier 1, Section 2.7.4.2, indicating that all piping penetrations in the SFP will be at least 10 feet (3 meters) or more above the top of the stored fuel assemblies.

Tier 1, Table 2.7.4.2-1, ITAAC item 1, covers all of the information in the design description section of Tier 1, Section 2.7.4.2. Since there is Tier 1 information and an ITAAC to ensure that all piping penetrations in the SFP will be at least 10 feet (3 meters) or more above the top of the stored fuel assemblies, the staff determined that the proposed Tier 1 design description and ITAAC for penetrations in the SFP and potential drain down events from a gate failure are acceptable from a radiation protection perspective. Chapter 9 of this SER discusses the acceptability of these issues as they relate to adequate cooling of the SFP and appropriate safety system operation. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 449-8533, Question 14.03.08-15. Therefore, RAI 449-8533, Question 14.03.08-15, is resolved and closed.

Radiation Monitoring

The staff reviewed ITAAC Table 2.7.6.4-1 associated with process and effluent radiation monitors in Tier 1, Section 2.7.6.4, and ITAAC Table 2.7.6.5-1 associated with the area radiation monitors identified in Tier 1, Section 2.7.6.5. The main purpose of reviewing the process and effluent monitors as part of this section is to review the appropriateness of the ITAAC for the main control room monitors. Therefore, while some aspects of the process and effluent monitor Tier 1 information, including ITAAC, are discussed in this section of the SER, other aspects of the process and effluent monitor Tier 1 information, including ITAAC, are reviewed in more detail in Chapter 11, Radioactive Waste Management, of this SER.

All area, process, and effluent radiation monitors provided in Tier 1 provide local displays and alarms, as well as displays and alarms in the MCR.

The staff noted that Tier 1, Section 2.4.7-1 discusses relying on a containment airborne particulate monitor to detect reactor coolant leakage in containment. Table 2.4.7-1, ITAAC item 1.e, contains an ITAAC associated with this. However, it is unclear from reviewing the ITAAC which monitor is being relied on to detect reactor coolant system leakage. The staff issued RAI 116-8054, Question 14.03.08-8 (ML15208A511) requesting this information.

In its response to RAI 116-8054, Question 14.03.08-8 (ML15303A426), the applicant proposed adding Table 2.4.7-2 to Tier 1 of the DCD, which identifies the equipment being relied on for reactor coolant system leakage detection, including radiation monitors PR-RE-039A and PR-RE-040B. The applicant also proposed referencing this Table in Tier 1 Section 2.4.7 and ITAAC Table 2.4.7-1. The radiation monitors identified are consistent with the monitors described in Tier 2, Chapter 11 and are therefore acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 116-8054, Question 14.03.08-8. Therefore, RAI 116-8054, Question 14.03.08-8, is resolved and closed.

As a result of other issues with the radiation monitoring ITAAC and Tier 1 information identified by the staff, the staff issued RAI 116-8054 (ML15208A511), Question 14.03.08-4, associated with area radiation monitoring, and Question 14.03.08-5, associated with process and effluent monitors. Both Question 14.03.08-4 and Question 14.03.08-5 contain several subparts, with different topics (the specific questions asked can be found in ML15208A511).

The next several pages discuss the RAI responses and staff evaluation of the most significant aspects of Questions 14.03.08-4 and 14.03.08-5, in sequential order. The evaluations of Questions 14.03.08-4 and 14.03.08-5 resulted in follow-up RAI 368-8470, Question 14.03.08-14 (ML16019A273), which also contains several subparts. The responses and evaluation of Question 14.03.08-14 make up the remainder of this section and are discussed following the evaluation of the Question 14.03.08-4 and Question 14.03.08-5 responses.

In its response to RAI 116-8054, Question 14.03.08-4 (ML15303A426), the applicant made numerous changes to the plant area radiation monitoring system in both Tier 1 and Tier 2. The changes to Tier 2 included mostly editorial changes, except for deleting proposed monitors for a potential interim radwaste storage facility, which will not be included as part of the DCD (COL item 11.4(7)), deleting the instrument calibration facility radiation monitor, and clarifying that there are two Truck Bay Area monitors (C-RE-288 and C-RE-289). The evaluation of these changes is found in the following three paragraphs.

Regarding the proposed removal of radiation monitors for a potential interim radwaste storage facility, it would be inappropriate for the application to contain information and ITAAC for radiation monitors that are not within the scope of the DCD. Therefore, the removal of the interim radwaste storage facility monitors from the design is acceptable.

Regarding the proposed deletion of the instrument calibration facility, the instrument calibration facility is a potential very high radiation area, when the instrument calibrator is unshielded. In addition, the instrument calibration facility was an area where changes in plant conditions can cause significant increases in personnel exposure rate, which according to ANSI/ANS-HPSSC-6.8.1-1981, Location and Design Criteria for Area Radiation Monitoring Systems for Light Water Nuclear Reactors, as referenced in the staff's SRP and Section 12.3-12.4 of the DCD, should have a radiation monitor and alarm both inside and outside of the instrument calibration room.

Therefore, the staff issued Part 1 of RAI 368-8470, Question 14.03.08-14 (ML16019A273), requesting that the applicant justify the removal of this monitor.

Regarding the proposed clarification that there are two truck bay monitors, it is acceptable to clarify that there are two area monitors in the truck bay area because this provides additional radiation dose rate information for an additional area of the truck bay. However, the DCD Section 11.5, Process and Effluent Radiation Monitoring and Sampling Systems, figures, which show the locations of radiation monitors throughout the plant, still show only one truck bay monitor. Therefore, the staff issued Part 2 of RAI 368-8470, Question 14.03.08-14 (ML16019A273), requesting that the applicant identify the location of the other truck bay radiation monitor.

The staff had also identified several inconsistencies between the Tier 1 and Tier 2 radiation monitor information and asked the applicant, in Question 14.03.08-4, to clarify or revise the DCD, as appropriate. For example, there were monitors with inconsistent tag numbers and monitors that were labeled as safety related in Tier 2 and non-safety related in Tier 1. There was also information missing for some monitors listed in Tier 1. In its response to RAI 116-8054, Question 14.03.08-4 (ML15303A426), the applicant changed Tier 1 information, including correcting monitor tag numbers, correcting the classification of monitors, and making other corrections.

In addition, there was no ITAAC or information in Tier 1 to ensure that the containment upper operating area monitors will be positioned to view a large fraction of the containment free air volume, as discussed in NUREG-0737, Clarification of TMI Action Plan Requirements. In Question 14.03.08-4, the staff therefore asked the applicant to provide this information. In the response to Question 14.03.08-4, the applicant proposed to add an ITAAC to Tier 1, Table 2.7.6.5-3, to ensure that the containment upper operating area monitors are located in an unimpeded location. However, the proposed ITAAC on the location of the upper operating area monitors did not provide enough information to ensure that the monitors will actually be able to view a large fraction of the containment volume, consistent with NUREG-0737. Therefore, the staff issued Part 3 of RAI 368-8470, Question 14.03.08-14 (ML16019A273), requesting that the applicant provide more information in this area.

In addition, the containment operating area monitors (including the two lower operating area monitors and two upper operating monitors), SFP area monitors, and main control room air intake monitors provide engineered safety features (ESF). The ESF functions initiated by these monitors are initiating containment purge isolation, fuel handling area emergency ventilation, and main control room emergency ventilation. While there are ITAAC to confirm that these monitors send initiation signals to the ESF group control cabinet, there did not appear to be an ITAAC to confirm that the ESF function will actually initiate when high radiation is detected. It was also unclear if sufficient overlap testing is being included in the ITAAC consistent with IEEE 338-1987, Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, which is referenced in RG 1.118, Periodic Testing of Electric Power and Protection Systems. In its response to Part 4 of RAI 116-8054, Question 14.03.08-4 (ML15303A426), the applicant pointed to several different ITAAC which they indicated provided overlap testing of the ESF function of the safety-related monitors. While IEEE 338-1987 specifies that testing from sensor (monitor) to actuation (specified ESF function) is the preferred method of testing, it is also acceptable to perform individual overlap tests when whole scale testing is not practicable. However, the ITAAC that the applicant referenced only appeared to be testing individual pieces of the circuitry between the radiation monitors and actuation of the components. There did not appear to be sufficient overlap testing. In addition, ITAAC items 4 and 5 in Table 2.7.6.4-3 and ITAAC items 3 and 6 in Table 2.7.6.5-3 specified that the radiation monitors would be tested with an integral activated check source. It was unclear to the staff what this term means. During a pre-application audit, the applicant indicated that the monitors would be tested with a radiation calibration check source. Therefore, the staff issued Part 4 of RAI 368-8470, Question 14.03.08-14 (ML16019A273), requesting that the applicant address these issues.

In its response to RAI 116-8054, Question 14.03.08-5 (ML15303A426), the applicant proposed updating Tier 1, Table 2.7.6.4-1, to include the safety-class information and range for the process and effluent radiation monitors and sampling system components. The information provided was consistent with the information in Tier 2 of the application, except for a few minor errors, which were later corrected in the response to RAI 368-8470, Question 14.03.08-14. Therefore, the changes with those additional corrections provided in the applicant's response to RAI 368-8470, Question 14.03.08-14, are acceptable.

In its response to RAI 116-8054, Question 14.03.08-5 (ML15303A426), the applicant also provided information justifying why it is acceptable for the main control room air intake monitors to only monitor for noble gases when many other designs also include particulate and iodine monitors in the main control room intakes. The main control room air intake monitors initiate main control room emergency filtration and close the air intake damper with the higher radiation level (the higher of the two intakes), when radiation levels above the pre-determined set point are detected. This is necessary to ensure that the dose to control room operators does not exceed 5 rem during an accident in accordance with GDC 19. Specifically, the applicant provided the results of an analysis that showed that noble gas releases during all design basis accidents would be significant. Moreover, in many accidents, it was the only significant type of radioactive material released. Therefore, it is acceptable to use noble gas monitors alone for the main control room intake monitors.

Finally, in Part 4 of RAI 116-8054, Question 14.03.08-5, the staff had requested that the applicant demonstrate how the main control room air intake monitors were tested with sufficient overlap testing, as was similarly asked in RAI 116-8054, Question 14.03.08-4, for the area radiation monitors. In its response to Part 4 of RAI 116-8054, Question 14.03.08-5 (ML15303A426), the applicant duplicated the information provided in its response to RAI 116-8054, Question 14.03.08-4, claiming that sufficient overlap testing was provided. As discussed above, the staff found this response to be unacceptable. Therefore, in Part 6a of RAI 368-8470, Question 14.03.08-14 (ML16019A273), the staff requested that the applicant provide additional information on the testing and functioning of the main control room intake monitors and emergency ventilation system. The staff issued Part 6b of Question 14.03.08-14 requesting the applicant to provide additional information on ITAAC 9 in Table 2.7.3.1-3, which indicated that the air intake damper with the higher radiation level would close while the intake with the lower radiation level would remain open, in order to provide the cleanest air possible to the control room. Specifically, the staff asked the applicant to explain what would prevent the dampers from continually swapping between open and closed, because as a damper closes, the airborne radiation levels in the intakes would likely decrease significantly because there is no longer a suction drawing air into the intake. If this were to occur, the dose rates in the control room could be significantly higher than if the higher intake remained closed, because the intake with higher radiation levels could be open for a large portion of an accident.

For the reasons described above, the responses to RAI 116-8054, Questions 14.03.08-4 and 14.03.08-5 were unacceptable and closed and the staff issued RAI 368-8470, Question 14.03.08-14 (ML16019A273) as a follow-up RAI. Question 14.03.08-14 included Parts 6a and 6b discussed above. The topic of each question is repeated below, as well as the applicant's response to each item, in sequential order. The applicant submitted an original response (ML16113A303) and three revisions to the response to Question 14.03.08-14 (Revision 1 at ML17191B027, Revision 2 at ML17242A326, and Revision 3 at ML17257A542). All items resolved in earlier revisions were carried forward through Revision 3.

Part 1 of Question 14.03.08-14

Part 1 of RAI 368-8470, Question 14.03.08-14 requested that the applicant provide additional information regarding why the instrument calibration facility radiation monitor was being removed from the design in the response to Question 14.03.08-4.

Response and Evaluation to Part 1 of Question 14.03.08-14

In the original response to Part 1 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant indicated that they would retain the monitor in the instrument calibration facility and associated information in both Tier 1 and Tier 2.

However, in Revision 1 of the response to Question 14.03.08-14 (ML17191B027), the applicant revised the response to Part 1 and again removed the instrument calibration facility from the design.

This is because the applicant deleted information from the DCD specifying that high activity instrument calibration will be conducted at the plant site. Instead, in the response to RAI 235-8275, Question 12.03-34 (ML17102B266) and RAI 376-8496, Question 12.03-49 (ML17095B053), the applicant specified that the use of the room will be determined by the COL applicant. The COL applicant is also to provide all necessary access controls and any other design features or operational procedures for the room to meet all applicable requirements.

This is satisfactory because it is acceptable for these types of calibration activities (using high activity sources that meet the 10 CFR Part 36 definition of an irradiator) to be performed offsite by a separate licensee. As a result, it is acceptable to remove the instrument calibration facility monitor from the design. Therefore, the response to Part 1 of RAI 368-8470, Question 14.03.08-14 is acceptable. Please see the SER discussion of Questions 12.03-34 and 12.03-49 for more information on this topic.

Part 2 of Question 14.03.08-14

Part 2 of RAI 368-8470, Question 14.03.08-14 requested that the applicant update DCD Figure 11.5-2T to show truck bay monitor RE-288 or justify why it did not need to be shown in the figure.

Response and Evaluation to Part 2 of Question 14.03.08-14

In the original response to Part 2 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant included the missing truck bay area radiation monitor (RE-288) on DCD Tier 2, Figure 11.5-2T. The monitor is located in the opposite truck bay of monitor RE-289. This location would provide the radiation levels in the other truck bay and is therefore in accordance with ANSI/ANS-HPSSC-6.8.1-1981 and was found to be acceptable. Therefore, the response to Part 2 of RAI 368-8470, Question 14.03.08-14 was found to be acceptable.

Part 3 of Question 14.03.08-14

Part 3 of RAI 368-8470, Question 14.03.08-14 requested that the applicant provide additional information on the locations of containment high range radiation monitors and requested that the applicant provide additional information on how it will be ensured that the monitors will meet 10 CFR 50.34(f)(xvii) and the guidance of NUREG-0737.

Response and Evaluation to Part 3 of Question 14.03.08-14

In the original response to Part 3 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant provided additional information on the locations of the containment operating area monitors. The response indicates that the two upper operating area radiation monitors (RE-233A and RE-234B) were located on opposite sides of containment just below the containment polar crane support girder (near El. 230). However, in response to RAI 376-8496, Question 12.03-49 (see ML16123A127 for Revision 0 and ML16211A098 for Revision 1 of the response), the applicant proposed updating DCD, Tier 2, Figure 11.5-2A, which shows monitor RE-233A at elevation 200. Therefore, the responses were inconsistent and the staff requested that the applicant correct the discrepancy. In addition, if monitor RE-233A is at the 200 elevation, then it would appear that the pressurizer compartment wall, which extends up to elevation 200, could block part of the view of containment for monitor RE-233A. Therefore, it was unclear why the location of the monitor at 200 elevation is acceptable.

In the revised response to Question 14.03.08-14 (ML17191B027), the applicant provided additional information related to the response to Part 3. The applicant specified that the two upper containment radiation monitors are 180 degrees apart from each other. Monitor RE-234B is located just below the containment polar crane rail support girder near elevation 230 and has an unobstructed view of containment. Monitor RE-233A was initially located at elevation 228 at the reference plant, but was moved for ease and safety when the monitor needed to be accessed. The new location is the pressurizer compartment concrete wall at elevation 200.

While a portion of the monitor's view is blocked by the pressurizer compartment, it still provides observation of a large fraction of the containment free air volume. Staff reviewed the locations of the monitors on the associated figures and found the description to be accurate. Therefore, the placement of the monitors is consistent with the requirements of 10 CFR 50.34(f)(xvii) and is acceptable. The applicant also proposed to include an ITAAC in Tier 1, Table 2.7.6.5-3 to ensure the monitors are placed to meet this criteria. The staff reviewed this proposed ITAAC and found it to be acceptable. Therefore, the response to Part 3 of RAI 368-8470, Question 14.03.08-14 is acceptable.

Part 4 of Question 14.03.08-14

Part 4 of RAI 368-8470, Question 14.03.08-14 requested that the applicant provide additional information on ITAAC testing for radiation monitors with ESF functions.

Response and Evaluation to Part 4 of Question 14.03.08-14

In the original response to Part 4 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant revised various ITAAC to ensure that the entire loop of the radiation monitor channels from radiation detector to actuation of the ESF function is tested. However, there did not appear to be complete testing of the monitor indications in the main control room. In addition, the applicant indicated that they would not include testing the functionality of the radiation monitors with a physical radiation calibration source as part of the ITAAC because of the high levels of radioactivity required to reach the setpoints on some of the monitors. Staff agrees that testing the monitors with high activity sources could be an unnecessary radiation hazard and could be inconsistent with ALARA, as required by 10 CFR 20.1101(b). However, the lower end of each radiation monitor's range could be tested with a radiation check source, without resulting in a radiological hazard to workers. In addition, most radiation monitors have a built-in radiation check source. Therefore, at least the lower end of the radiation monitor's range should be tested with an actual radiation check source to ensure radiation monitor functionality. As a result, the original response to Part 4 of RAI 368-8470, Question 14.03.08-14 was unacceptable.

In the revised response to Question 14.03.08-14 (ML17191B027), the applicant provided additional information regarding the response to Part 4. In the revised response, the applicant included new and revised ITAAC in Tier 1, Table 2.7.6.4-3, for the process and effluent radiation monitors and Table 2.7.6.5-1 for area monitors. The new ITAAC were to ensure that each monitor channel of the process, effluent, and radiation monitors is tested using a radiation check source (as opposed to a simulated signal), to ensure that the channel responds to radiation. However, some of the new and revised ITAAC lacked clarity. In Revision 2 of the response to RAI 368-8470, Question 14.03.08-14 (ML17242A326), the applicant revised some of the ITAAC wording for radiation monitors to add clarity regarding the intent of the ITAAC.

The staff found these changes to be acceptable. Therefore, the staff finds the response to RAI 368-8470, Question 14.03.08-14, Part 4 to be acceptable.

Part 5 of Question 14.03.08-14

Part 5 of RAI 368-8470, Question 14.03.08-14 requested the applicant to make several editorial corrections and minor clarifications.

Response and Evaluation to Part 5 of Question 14.03.08-14

In the original response to Part 5 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant made various minor corrections and edits to Tier 1 information, which are acceptable.

Part 6 of Question 14.03.08-14

Part 6 of RAI 368-8470, Question 14.03.08-14 requested that the applicant a) provide additional information on the overlap testing for the main control room air intake monitors; and b) provide additional information regarding the operation of the main control room intake dampers and associated ITAAC.

Response and Evaluation to Part 6 of Question 14.03.08-14

In the original response to Part 6 of RAI 368-8470, Question 14.03.08-14 (ML16113A303), the applicant indicated that upon detection of high radiation in either one (or both) of the outside air intakes, the outside air intake isolation dampers in the outside air intake with the largest radiation level close automatically. Then, after a preset time, the closed dampers will re-open and the radiation level in both intakes will be analyzed again, with the intake with the higher radiation level again closing. This process will repeat for the duration of the accident. The applicant proposed revising ITAAC in DCD Tier 1, Section 2.7.3.1-3, to adequately test this function (see the revised item 9 in Table 2.7.3.1-3). Specifically, the acceptance criteria of 9.b states that the as-built outside air intake isolation dampers are automatically reset and reopened at an interval after they are initially closed upon receipt of a simulated high radiation signal. The applicant also proposed adding COL 9.4(2) to specify that the COL applicant is to provide the interval of reopening the closed outside air intake isolation dampers by considering the durability of the isolation dampers and the site-specific meteorological data.

It was unclear to staff if the occasional re-opening of the main control room dampers was appropriately considered in the Chapter 15 and Section 6.4 main control room dose analysis and in the main control room filter loading source term provided in the response to RAI 207-8247, Question 12.02-16 (ML15343A410), proposed DCD Table 12.2-24, Sheets 13 and 14.

In Revision 1 (ML17191B027) and Revision 2 (ML17242A326) of the response to RAI 368-8470, Question 14.03.08-14, the applicant provided additional information regarding the response to Part 6. In these revisions, the applicant provided additional information regarding the main control room intake dampers and the adequacy of the calculations for MCR dose and filter loading. The applicant indicated that the Chapter 15 analysis modeling of the MCR ventilation system accounts for the additional outside air intake for the intermittent periods when both dampers are open. Specifically, the applicant indicated that the total time to open the closed damper, detect the radiation level, process the signal, and re-close the intake damper would take approximately 45 seconds and that the interval between re-assessment would be 1 hour. Assuming the opening time would be 60 seconds (instead of 45 seconds) would increase the intake by approximately 8.3%. However, RG 1.194 allows for a reduction factor of 10 for intakes with an auto-select function. KHNP used a reduction factor of 8 in their calculations. This 20% conservatism more than accounts for the 8.3% increase during the period when both dampers are open.

The applicant also proposed to update DCD Tier 2 Chapter 15 to provide information on re-opening the closed intake dampers, including specifying that the interval time of 1 hour is assumed between re-opening the closed intake dampers. In addition, the applicant also proposed to provide COL information items stating that the COL applicant will provide the interval of re-opening the closed dampers based on site-specific meteorology and other information (see COLs 9.4(5), 15.0(2), and 15.0(3), in the response). Specifically, the COL applicant has to re-evaluate the radiological consequence analyses for the main control room if: 1) the interval time for reopening the intake dampers exceeds the 1 hour time assumed; 2) the time period for re-opening and closing the dampers exceeds 60 seconds; or 3) there are any other aspects of the design of the dampers that are non-conservative compared to what is described in DCD Section 15.0.3.5.

Finally, in the response, the applicant proposed to update Tier 1, Table 2.7.3.1-3, ITAAC 9.b, to clarify that the ITAAC will test that the closed outside air intake dampers are automatically opened after an interval and then the intake dampers with the higher radiation level are closed.

The staff finds this ITAAC to be acceptable because using the intake with the lower radiation level is expected to decrease the dose to operators within the MCR and helps to ensure that doses are maintained in accordance with GDC 19.

In summary, the staff finds the justification and the proposed DCD revisions consistent with the intent of RG 1.194. In addition, the proposed COL items 9.4(5), 15.0(2), and 15.0(3) assure that the COL applicant will be required to address any non-conservatisms in the site-specific damper design, based on site meteorology, etc. The staff finds the COL items to be acceptable.

In Revision 3 of the response to RAI 368-8470, Question 14.03.08-14 (ML17257A542), the applicant proposed to revise DCD Section 15.0.3.5 to revise the reference of COL 9.4(5) to COL 9.4(2). This is an editorial correction because the COL numbers in Section 9.4 of the DCD had been revised by the applicant. COL 9.4(2) is the correct number. Therefore, this change was acceptable. Therefore, the staff finds the response to RAI 368-8470, Question 14.03.08-14, Part 6 to be acceptable, regarding the control room dampers and potential impacts on MCR dose and filter loading.

Additional information on the MCR air intake radiation monitors and dampers is also found in Chapters 12 and 15 of this SER.

Based on the above, RAI 368-8470 Question 14.03.08-14 is being tracked as a confirmatory item, pending the incorporation of the proposed DCD revisions.

Ventilation Systems

The staff reviewed the radiation protection aspects of the APR1400 ventilation system ITAAC, as they apply to this section. Item 2 in Tier 1, Table 2.8-2, is provided to verify that airflow within radiological controlled areas is from areas of low airborne contamination to areas of higher airborne contamination. The staff finds this ITAAC acceptable to confirm that airborne contamination in the plant is minimized to the extent practicable. However, the wording of this ITAAC was unclear. The staff issued RAI 116-8054, Question 14.03.08-11 (ML15208A511), requesting the applicant to clarify.

In its response to RAI 116-8054, Question 14.03.08-11 (ML16034A204), the applicant modified item 2 in Tier 1, Table 2.8-2, to revise and clarify the acceptance criteria for the ITAAC. The wording is now clear that the acceptance criteria are met if airflow is from areas of lower potential airborne contamination to areas of higher potential airborne contamination. This is consistent with the design described in Section 12.3 of the DCD and also consistent with the criteria in SRP 12.3-12.4, and is therefore acceptable. The applicant also stipulated in the ITAAC that the concentrations of airborne radionuclides shall not exceed the concentrations provided in 10 CFR Part 20, Appendix B. This proposed ITAAC and acceptance criteria are acceptable. The staff confirmed that the DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 116-8054, Question 14.03.08-11. Therefore, RAI 116-8054, Question 14.03.08-11, is resolved and closed.

In addition, the staff reviewed other Tier 1 information associated with ITAAC for ventilation systems in Tier 1 Section 2.7.3, and in these sections the staff reviewed filter configurations and layout in ventilation systems to ensure that these systems properly filter and control the release of radioactive material, from a radiation protection perspective. The staff finds the information acceptable, except that the applicant did not appear to provide an ITAAC assuring that the total leakage rate from ducting in the ESF systems is less than the value assumed in the post-accident dose consequence design basis, as described in RG 1.52, "Design, Inspection, and Testing Criteria for Air Filtration and Adsorption Units of Post-Accident Engineered-Safety-Feature Atmosphere Cleanup Systems in Light-Water-Cooled Nuclear Power Plants." The staff issued RAI 116-8054, Question 14.03.08-6 (ML15208A511), requesting this information.

In its response to RAI 116-8054, Question 14.03.08-6 (ML15280A260), the applicant specified that, in accordance with RGs 1.52 and 1.140, "Design, Inspection, and Testing Criteria for Air Filtration and Adsorption Units of Normal Atmosphere Cleanup Systems in Light-Water-Cooled Nuclear Plants," the air cleaning unit (ACU) housing and ductwork are tested to provide reasonable assurance that the leakage rate from ductwork and ACU housing is less than the allowable leakage rate as defined in Sections HA-4500 and SA-4500 of ASME AG-1-2009, with addenda, "Code on Nuclear Air and Gas Treatment." In addition, the applicant specified that ductwork and ACU housing leak tests are performed in accordance with Section TA-4300 of ASME AG-1-2009 with addenda. Finally, the applicant proposed adding ductwork and ACU housing leak testing to DCD Tier 2 for the containment purge system, fuel handling area heating, ventilation, and air conditioning (HVAC) system, compound building HVAC system, and the auxiliary building controlled area HVAC system.

However, while the applicant's response indicated that the ductwork and ACU housing leak testing will occur in accordance with TA-4300 of ASME AG-1-2009 with addenda, the proposed DCD updates do not specify which version of ASME AG-1 is being referenced. Therefore, the staff closed RAI 116-8054, Question 14.03.08-6 and issued RAI 329-8424, Question 14.03.08-13 (ML15343A330), requesting that the applicant specify which version of ASME AG-1 is being referenced in the DCD. In addition, DCD Chapter 15 specifies that unfiltered in-leakage to the MCR and technical support center from the ventilation systems during design basis accidents is assumed to be 8.50 cubic meters (300.2 cubic feet) per minute. If leakage exceeds this value, it is outside the accident dose analysis performed in Chapter 15. If this occurred, it is unclear if the dose limit of 5 rem for control room operators in GDC 19 would be met. In Question 14.03.08-13, the staff also requested that the applicant include an ITAAC to ensure that the in-leakage to the MCR and technical support center does not exceed 8.50 cubic meters per minute.

In its response to RAI 329-8424, Question 14.03.08-13 (ML18170A057), the applicant proposed updating the DCD additions to specify that the 2009 version of ASME AG-1-2009, with Addenda, is being referenced. This is consistent with RG 1.52 and is, therefore, acceptable. In addition, the applicant proposed updating DCD Tier 2, Section 14.2.12.1.95 to specify that one of the acceptance criteria for the control room HVAC system is that the total unfiltered inleakage rate is less than 170 cubic meters per hour (100 cfm) in the emergency mode. This is consistent with the information in Chapter 15 and is, therefore, acceptable. Finally, in the response, the applicant also indicated that DCD Tier 1 Subsection 2.7.3.1.1, item 11, already provides the ITAAC for control room envelope leakage. While Subsection 2.7.3.1.1, item 11, is just the design description that states that unfiltered leakage is within performance value limits, the staff verified that ITAAC Table 2.7.3.1-3, item 11 provided an ITAAC to verify that the main control room unfiltered inleakage is less than the specified value. Therefore, no new ITAAC was needed and the applicant's response is acceptable. Based on the above, RAI 329-8424, Question 14.03.08-13 is being tracked as a confirmatory item, pending the incorporation of the proposed DCD revisions.

Other aspects of the ventilation system ITAAC review, including other system design related ITAAC are discussed in Section 9.4 of this SER.

Minimization of Contamination

The staff could not identify any design features associated with minimizing contamination in the Tier 1 ITAAC. The staff issued RAI 116-8054, Question 14.03.08-7 (ML15208A511), requesting the applicant to provide this information. In its response to RAI 116-8054, Question 14.03.08-7 (ML16093A011), the applicant proposed providing ITAAC in the DCD for significant 10 CFR 20.1406 related design features, including an ITAAC to ensure that the steam generator blowdown radiation monitor alarms in the MCR on high radioactive contamination and isolates the blowdown valves (ITAAC Table 2.7.6.4-3, item 8); an ITAAC for the leak detection design and alarms for the holdup tank, boric acid storage tank, and reactor makeup water tank, which are outside tanks potentially containing radioactive material (ITAAC Table 2.7.2.5-4, item 9); ITAAC for the leak detection design for the floor drain tanks, equipment waste tanks, and monitor tanks (ITAAC Table 2.7.6.1-2, items 7, 8, and 9); and an ITAAC for SFP liner leaks (ITAAC Table 2.7.4.3-4, item 13). In its revised response to RAI 116-8054, Question 14.03.08-7 (ML16211A413), the applicant modified these proposed ITAAC to make the acceptance criteria clearer and more easily verifiable. For example, the ITAAC for the leak detection design now includes acceptance criteria to verify that an alarm functions in the MCR, as the result of a signal test, to notify operators of leakage from the tanks and, for indoor radwaste tanks, to ensure an alarm also functions in the radwaste control room. The staff finds that the proposed ITAAC for 10 CFR 20.1406 related design features are acceptable, because they adequately test some of the more significant 10 CFR 20.1406 related design features in the plant. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 116-8054, Question 14.03.08-7. Therefore, RAI 116-8054, Question 14.03.08-7, is resolved and closed.

Radiation Protection Equipment Qualification ITAAC

Tier 1 provides ITAAC ensuring that certain equipment that is located in environmentally harsh conditions is capable of withstanding the conditions in which it is located. However, the staff identified that even though several containment radiation monitors are safety-related and located within an environmentally harsh environment (including radiological harsh environment), as identified in DCD Tier 2, Section 3.11, these monitors did not have an ITAAC ensuring that they can withstand the environment in which they are located. The staff issued RAI 116-8054, Question 14.03.08-9 (ML15208A511), requesting that the applicant provide justification for why certain equipment included an ITAAC associated with the environmentally harsh condition in which it is located and others did not.

In its response to RAI 116-8054, Question 14.03.08-9 (ML16050A536), the applicant acknowledged that some of the equipment located in a harsh environment did not have an associated ITAAC. The applicant included an example of the type of ITAAC that will be added for the missing equipment. In the example, the applicant showed a proposed update to Tier 1, Section 2.7.6.5, on area radiation monitoring, which would include Tier 1 information to ensure that the containment operating area and upper operating area radiation monitors were identified as being Class 1E equipment, located in a harsh environment. In addition, the applicant proposed adding an ITAAC to Tier 1, Table 2.7.6.5-3, to ensure, in part, that these monitors are capable of withstanding the environmental conditions that would exist before, during, and following a design basis accident without loss of safety function. The staff finds this proposed ITAAC to be acceptable because it ensures that the safety-related area radiation monitors will be qualified for the harsh environmental conditions in which they are located. However, while the response provided an acceptable example of how Tier 1 and ITAAC would be updated, the response did not provide any updates for the equipment located in a harsh environment that was missing from Tier 1. The applicant indicated in the response that this additional information would be included in a future revision to the response.

In its revised response to RAI 116-8054, Question 14.03.08-9 (ML16211A397), the applicant indicated that it completed its review of other systems which contained equipment located in a harsh environment, for which ITAAC were not included in the DCD, Revision 0. The applicant indicated that the other systems and components missing ITAAC were relevant components in the Containment Hydrogen Control System and the Fuel Handling Area HVAC System. Therefore, the applicant proposed including similar ITAAC to those provided in Section 2.7.6.5 for applicable components in these systems, in ITAAC Tables 2.7.6.5-3 and 2.11.4-3. Therefore, these proposed ITAAC are acceptable. The staff did not identify any other systems or components identified as being located in a harsh environment in Tier 2, which did not include an ITAAC in Tier 1. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 116-8054, Question 14.03.08-9. Therefore, RAI 116-8054, Question 14.03.08-9, is resolved and closed.

Other Design Features

The APR1400 design credits a decontamination factor of 100 for the pre-holdup ion exchanger for the removal of Cesium and Rubidium. This decontamination factor far exceeds the value of 2 specified in NUREG-0017 and ANSI/ANS 18.1-1999, which are referenced in Chapter 12 of the SRP. This large decontamination factor is relied on to lower the activity in the holdup tank and boric acid storage tank, which are located outdoors. Therefore, having an ion exchanger that can achieve this decontamination factor for the life of the facility is an important design feature to limit the doses from these tanks and to ensure doses to members of the public remain within limits. In a June 15, 2016 meeting, the applicant agreed to include information in Tier 1, specifying that the decontamination factor of 100 will be maintained for the pre-holdup ion exchanger for the life of the facility. The staff issued RAI 308-8339, Question 12.02-19 (ML16272A470), which, in part, requested the applicant to address this issue. In the response to RAI 308-8339, Question 12.02-19 (ML16272A470), the applicant proposed to update DCD Tier 1, Section 2.4.6 to specify that the pre-holdup ion exchanger is used to limit radionuclide inventories stored in the holdup tank and that the pre-holdup ion exchanger has a minimum cesium decontamination factor of 100. Staff finds that this response is acceptable and adequately addresses the issue. The staff confirmed that this was incorporated into Revision 1 of the DCD. Therefore, RAI 308-8339, Question 12.02-19, is resolved and closed. The full evaluation of RAI 308-8339, Question 12.02-19 is provided in Chapter 12 of the SER.

Combined License Information Items

There are no COL items associated with Section 14.3.2.8 of the APR1400 DCD. The proposed COL 9.4(2) and COL 12.3(1) are related to this section. COL 9.4(2) and COL 12.3(1) are discussed in Chapters 12 and 9 of this SER, as appropriate.

Conclusions

The applicant provided DCD Tier 1 and ITAAC for radiation protection SSCs, which it credited for demonstrating that a plant incorporating the APR1400 design certification will be built and operated in accordance with 10 CFR Part 20, 10 CFR Part 50, and 10 CFR Part 52. As discussed above, RAI 116-8054, Question 14.03.08-1, RAI 368-8470, Question 14.03.08-14, and RAI 329-8424 Question 14.03.08-13 are being tracked as confirmatory items. Upon incorporation of these confirmatory items into a subsequent DCD revision, the staff concludes, as explained above, that the radiation protection Tier 1 information and ITAAC discussed in this SER section meet the applicable acceptance criteria in SRP Section 14.3.8, the requirements of 10 CFR 52.47(b)(1), and applicable radiation protection regulations in 10 CFR Part 20, 10 CFR Part 50, and 10 CFR Part 52. In addition, if the inspections, tests, and analyses are performed and the acceptance criteria met, then a facility referencing the APR1400 certified design has been constructed, and will be operated, in compliance with the design certification, the Atomic Energy Act of 1954, as amended, and applicable NRC regulations.

Human Factors Engineering - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

This SER section addresses inspections, tests, analyses, and acceptance criteria (ITAAC) related to the human factors aspects of the nuclear power plant design for the main control room (MCR), the remote shutdown facility, the local control stations, the technical support center, and the emergency operations facility.

Summary of Application

DCD Tier 1: The applicant has provided commitments for human factors engineering (HFE) in Tier 1 Section 2.9, "Human Factors Engineering." Tier 1 Section 1, "Introduction," provided definitions, general provisions, and a legend for figures, acronyms, and abbreviations.

DCD Tier 2: Tier 2 Section 14.3, "Inspections, Tests, Analysis, and Acceptance Criteria," provides a general description of the APR1400 ITAAC, including its relationship to other Tier 1 information, and the selection criteria and processes used to develop the Tier 1 content.

ITAAC: The applicant has provided ITAAC for HFE in Tier 1 Section 2.9, Table 2.9-1, "Human Factor Engineering ITAAC."

Technical Specifications (TS): There are no TS for this area of review.

Regulatory Basis

Title 10 of the Code of Federal Regulations (10 CFR) Section 52.47(b)(1) requires that a design certification application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a facility that incorporates the design certification has been constructed and will be operated in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended (AEA), and the NRC's rules and regulations.

Technical Evaluation

ITAAC and Tier 1 Design Description

The NRC staff and industry conducted a series of public meetings as part of an effort to develop a set of standardized ITAAC that will be incorporated into regulatory guidance and will be applied as a basis for future applications under 10 CFR Part 52. The public meeting summary dated February 6, 2015 (ML15036A211) states:

This was the 7th meeting in a series of public meetings between NRC staff and stakeholders held with regard to improvements and standardization of inspections, tests, analyses, and acceptance criteria (ITAAC). The goal of this effort is to develop a set of standardized ITAAC that will be incorporated into regulatory guidance, and will be applied as a basis for future applications under Part 52. The first subject area discussed was Human Factors Engineering. Both industry and staff agreed that the proposed standardized ITAAC were acceptable. These ITAAC will be incorporated into the list of standardized ITAAC.

An attachment to the meeting summary (ML15015A226) lists two standardized ITAAC for HFE.

The applicant proposed two HFE ITAAC based on these draft standardized ITAAC. Because NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (SRP) has not been updated to reflect these ITAAC, the applicant's use of standardized ITAAC in this application is being reviewed as an alternative method.

The staff reviewed DCD Tier 1, Section 2.9, "Human Factors Engineering," and Table 2.9-1, "Human Factor Engineering ITAAC." Table 2.9-1 lists two ITAAC for HFE. The applicant's HFE ITAAC are generally consistent with the format and content of the standardized HFE ITAAC; however, the staff found that the acceptance criteria stated for Item 1 in Table 2.9-1 was not consistent with the standardized HFE ITAAC. To resolve the inconsistency, the staff issued RAI 349-8440, Question 14.03.09-1 (ML16039A351), asking the applicant to either revise the acceptance criteria to make it consistent with the standardized ITAAC acceptance criteria or provide the basis for the acceptance criteria provided in the DCD. In its response to RAI 349-8440, Question 14.03.09-1 (ML16081A305), the applicant confirmed that it would revise the acceptance criteria wording for Item 1 of the DCD Tier 1, Table 2.9-1. In its response, the applicant also provided a proposed markup of the revised Item 1 in Table 2.9-1.

The staff reviewed the applicant's response to RAI 349-8440, Question 14.03.09-1 and found it acceptable because the revised acceptance criteria for Item 1 in DCD Tier 1, Table 2.9-1 is consistent with the standardized ITAAC acceptance criteria. The changes proposed in the RAI response were incorporated in Revision 1 of the DCD. Therefore, RAI 349-8440, Question 14.03.09-1 is resolved and closed.

When the staff determined the standardized HFE ITAAC were acceptable, the staff assumed the HFE implementation plans (IPs) submitted by a design certification applicant with an application containing the standardized ITAAC would be designated as Tier 2*. A discussion of how conclusions on the acceptability of Tier 1 and ITAAC are related to the staff's review of an applicant's HFE program, and why the staff's conclusions on the acceptability of the standard ITAAC relied in part on the NRC being able to review and approve changes to information in the approved HFE implementation plans prior to those changes being made, is found below in the subsection titled, "Background Information on the HFE Review and Tier 2*." Based on the assumption that the HFE implementation plans would be designated as Tier 2*, and based on the review of the applicable sections of the DCD in conjunction with the applicant's responses to RAI 349-8440 Question 14.03.09-1, the NRC staff determined that:

1. The ITAAC table includes Item 1 describing completion of the integrated system validation (ISV) test that demonstrates the control room design incorporates HFE principles that minimize the potential for operator error. As discussed in SER Section 18, "Human Factors Engineering," the staff has reviewed, and found acceptable, the applicant's design process for the control room human-system interfaces. The ISV test is a performance-based assessment of the design based on the realistic operation of a sample of the control room human-system interfaces within a simulator-driven MCR. Pass/fail criteria for the ISV test are identified in Technical Report APR1400-E-I-NR-14008, "Human Factors Verification and Validation Implementation Plan" (V&V IP), and Technical Report APR1400-E-I-NR-14010, "Human Factors Verification and Validation Scenarios," which were provided with the design certification application. These criteria provide for a clear, measurable set of acceptance criteria for the ISV test.
2. The ITAAC table includes Item 2 describing an inspection that verifies the as-built plant is built and operates in conformance to the certified HFE program and the standard design certification. The inspection to be performed will verify the as-built control room human-system interfaces conform to the validated design.
3. Tier 1 HFE-related information is consistent with Tier 2, Chapter 18 information. The HFE design elements addressed in Chapter 18 were appropriately summarized in Tier 1 so there is a clear statement of the objectives accomplished by each element.

However, during the review, the staff received new information indicating that the applicant did not intend to use Tier 2*. As a result of this new information, the staff re-evaluated the acceptability of the standard HFE ITAAC for the application. The results of the reevaluation are discussed below in the subsection titled, "Reevaluation of the Applicant's ITAAC and Resolution."

Background Information on the HFE Review and Tier 2*

SER Section 18.0, "Overview," explains that the staff uses the guidance in NUREG-0711, "Human Factors Engineering Program Review Model," to determine whether the applicant has met the requirement of 10 CFR 50.34(f)(2)(iii) to provide, for Commission review, a control room design that reflects state-of-the-art human factors principles. Figure 1-1, "Elements of the HFE program's review model," of NUREG-0711 illustrates the HFE design process, which consists of 12 HFE program elements. The 12 HFE program elements are organized into the following phases: planning and analysis, design, verification and validation, and implementation and operation.

As discussed in SER Section 18.0, Overview, the applicant addressed the 12 HFE program elements by providing three COL items and nine IPs in lieu of a control room design for review and approval. The COL items address the HFE elements established by operational programs.

SER Section 18.8, Procedure Development, and Section 13.5; SER Section 18.9, Training Program Development, and Section 13.2; and SER Section 18.12, Human Performance Monitoring, document the staff's evaluation of the three COL items and the staff's conclusions that they are acceptable because these elements are addressed by operational programs that are established and implemented by a COL holder. Operational programs are subject to NRC inspection prior to operation of the facility.

The HFE IPs are technical reports that contain the procedures and describe the methods for completing a particular HFE program element, and they are incorporated by reference in DCD Tier 2 as shown in Table 1.6-2, List of Technical Reports. The applicant's IPs describe the means by which nine of the HFE program elements will be completed. As shown in Figure 4-2, APR1400 HFE Program Milestones, of the Human Factors Engineering Program Plan (HFE PP), which is one of the nine IPs, the IPs have been provided with the design certification application. Figure 4-2 also shows that the COL holder is to complete the activities in the implementation plans and document the results in results summary reports.

The applicant's HFE IPs contain design acceptance criteria (DAC) because they contain the procedures for completing the control room design that reflects state-of-the-art human factors principles, and the staff has relied, in part, on the information in the implementation plans to make a safety determination for the design certification. SECY-92-053, Use of Design Acceptance Criteria During 10 CFR Part 52 Design Certification Reviews, describes DAC and states:

The DAC are a set of prescribed limits, parameters, procedures, and attributes upon which the NRC relies, in a limited number of technical areas, in making a final safety determination to support a design certification. The DAC are to be objective (measurable, testable, or subject to analysis using pre-approved methods), and must be verified as a part of the ITAAC performed to demonstrate that the as-built facility conforms to the certified design. That is, the acceptance criteria for DAC become the acceptance criteria for ITAAC, which are part of the design certification.

The ITAAC in DCD Tier 1, Table 2.9-1 for the ISV verifies satisfactory completion of the DAC.

The ISV employs a sampling strategy such that a sample of the control room human-system interfaces are tested during the ISV. If the activities are performed in accordance with each of the approved HFE IPs, then the staff has reasonable assurance that the control room design incorporates human factors principles. The ITAAC for the ISV test that samples that design is sufficient to verify the design has incorporated HFE principles and thus minimizes the potential for operator error because the human system interfaces (HSIs) sampled during the test are from the design that has been developed in accordance with an acceptable human factors design process.

As documented in the Conclusions sections of SER Section 18, the staff has reviewed the implementation plans using the relevant review criteria in NUREG-0711, Revision 3; concluded the IPs conform to these review criteria; and thus found the applicant's HFE program complies with HFE-related requirements. Therefore, the staff has reasonable assurance that the ISV test that samples the design resulting from the applicant's HFE program, if implemented in accordance with the design certification, is sufficient to verify the design has incorporated HFE principles and minimizes the potential for operator error.

Consistent with SRP Section 14.3, Appendix A, IPs previously approved by the staff have been designated as Tier 2* because they contained the DAC the staff used to make its safety finding during the design certification. The staff's rationale for designating the IPs as Tier 2* was that the staff made its conclusions to support a finding based on the information in the IPs, and thus the NRC's approval prior to making changes to the IPs is necessary to ensure proposed changes made after design certification do not invalidate the safety finding made during design certification.

As discussed in SRP Section 14.3, Tier 2 information can be changed by a combined license (COL) applicant or licensee under a 50.59-like process, provided the change does not impact Tier 1. The entire change process is set forth in the design certification rules (Appendices A - D to 10 CFR Part 52). The staff has not relied on the 50.59-like process for Tier 2 information to adequately control changes to the implementation plans submitted by previous design certification applicants because the 50.59-like process uses criteria that do not apply to the HFE IPs.

Reevaluation of the Applicant's ITAAC and Resolution

The applicant designated the HFE implementation plans as Tier 2 documents, and the staff had planned to designate them as Tier 2* consistent with the guidance in SRP Section 14.3, Appendix A. However, shortly after the ACRS subcommittee meeting on June 21, 2017, SECY-17-0075, Planned Improvements in Design Certification Tiered Information Designations, dated July 24, 2017 (ML16196A321), was issued. SECY-17-0075 explains that Tier 2* information must be demonstrated to have the same safety significance as Tier 1, and Tier 2* should be applied only when the subject matter reflects a demonstrated need for the additional flexibility provided by the Tier 2* change control process.

The applicant has not designated any portion of the application as Tier 2*. Given the IPs would not be Tier 2* and were designated as Tier 2 in the application, the staff could not rely on the 50.59-like process to ensure the staff would be able to review and approve changes to the HFE IPs to ensure that no changes would invalidate the safety finding for the applicant's HFE program made during design certification. The staff considered whether the IPs had the same safety significance as Tier 1. Because the IPs contain the procedures and attributes the staff has relied on during design certification to make a finding on the applicant's HFE program, they contain DAC. SECY-92-053 says the DAC are to be objective (measurable, testable, or subject to analysis using pre-approved methods) and must be verified as a part of the ITAAC performed to demonstrate that the as-built facility conforms to the certified design. ITAAC are part of Tier 1.

The staff considered whether the ITAAC in the application were sufficient to verify whether the activities described in the IPs were completed in accordance with the approved IPs (i.e., whether they were sufficient to verify the DAC). Because the ISV test is a performance-based test, it is an effective means of verifying the control room design incorporates HFE principles that minimize the potential for operator error (i.e., the design commitment in the ITAAC Item 1).

However, the ISV employs a sampling strategy such that a sample of the control room human-system interfaces are tested during ISV. As discussed in SER Section 18, the staff has reviewed the applicant's HFE program (i.e., the three COL items together with the nine IPs) and found it conforms to the review criteria in NUREG-0711. If the activities are performed in accordance with each of the approved IPs, then the staff has reasonable assurance that control room design incorporates human factors principles. The ITAAC for the ISV test that samples that design is sufficient to verify the design has incorporated HFE principles and minimizes the potential for operator error because the human system interfaces (HSIs) sampled during the test are from the design that has been developed in accordance with an acceptable human factors design process. Additionally, the applicant's IPs contain criteria for documenting in the results summary reports (ReSRs) the results of completing the activities in each of the IPs. The ReSRs would be available for the staff to audit if it was determined necessary to do so.

An ITAAC to verify the ISV test would be sufficient to verify the design commitment if there is assurance that the sampled HSIs are representative of the control room design as a whole. To provide this assurance, the IPs need to be subject to appropriate regulatory controls, but a 50.59-like process does not provide such controls for the IPs. Thus, the staff initially determined it was necessary for additional ITAAC to be added to verify the completion of each of the IPs, similar to the ITAAC that were provided for other applications (e.g., AP1000 and Economic Simplified Boiling Water Reactor). The staff thought adding additional ITAAC in Tier 1 for verification of each IP would provide a basis for designating the information in the IPs as Tier 1 because the IPs would contain the DAC that would be the acceptance criteria for the ITAAC.

Additionally, the staff observed that technical report Human Factors Verification and Validation Scenarios (the Scenarios Document) was not incorporated by reference in Tier 2, in Table 1.6-2. The staff relied on the information in the Scenarios Document to make conclusions to support the safety finding. Therefore, the staff thought portions of the Scenarios Document should be identified as Tier 1 information because those portions contain the specific set of scenarios used to perform the ISV test and the acceptance criteria for each of the events in the scenarios. As such, it contains the DAC for the ITAAC provided to verify the acceptance criteria for the scenarios is satisfied. Therefore the staff issued RAI 553-9084, Question 18-134 (ML17249A979) requesting the applicant provide an ITAAC to verify the completion of each IP.

Additionally, the staff provided a list of the specific sections of the IPs and the Scenarios Document that needed to be designated as Tier 1 because those sections contain information the staff relied on to make the safety finding during the design certification (i.e., the DAC), and that information would be verified by the additional ITAAC that the staff requested be added as well as the standardized HFE ITAAC for the ISV.

On October 16, 2017, the staff conducted a public meeting with the applicant to discuss RAI 553-9084, Question 18-134 (ML17277B794). At the meeting, the applicant stated that the staff already determined that the standardized ITAAC for HFE were sufficient and acceptable for HFE, therefore the applicant did not think it was necessary to provide additional ITAAC. The applicant also stated that sufficient regulatory processes and controls existed for the IPs, such as the 50.59-like process. The staff explained its concern that the 50.59-like criteria could not be relied on to provide adequate control of changes to the implementation plans following design certification.

Given these concerns, the applicant and the staff discussed whether other options existed to sufficiently control the information in the implementation plans. Specifically, Regulatory Guide (RG) 1.206, Section C.IV.3.3.2, Tier 2 Information, states: An applicant or licensee may depart from Tier 2 information, without prior NRC approval, if the proposed departure does not involve a change to, or departure from, Tier 1. Similar statements are included in the design certification rules in the appendices to Part 52 (e.g., Appendix D to Part 52, Design Certification Rule for the AP1000, Section VIII.B.5(a), which states: An applicant or licensee who references this appendix may depart from Tier 2 information, without prior NRC approval, unless the proposed departure involves a change to or departure from Tier 1 information).

The applicant and the staff discussed the scope and type of information that could be added to DCD Tier 1 to constrain changes to the Tier 2 IPs and Scenarios Document such that the staff could review significant changes to ensure they would not invalidate the safety findings in the SER. The staff explained that at a minimum, DCD Tier 1 needed to include additional text to specify that the implementation plans conform to the review criteria in NUREG-0711, Revision 3, which is the criteria the staff used to determine the applicant's HFE program is acceptable as documented in SER Section 18.

In its response to RAI 553-9084, Question 18-134 (ML17317A397), the applicant provided a proposed revision to DCD Tier 1, Section 2.9, which stated the following:

The HSI system is designed in accordance with the HFE program to provide reasonable assurance that the HFE design is properly developed and effectively implemented to conform to NUREG-0711, Rev. 3. The HFE program objectives for the design are that the design is human-centered, it incorporates HFE principals and methods, and is developed according to a systematic top-down integrated approach in accordance with applicable requirements and performance of the HFE program element implementation plans and results summary reports to support ITAAC closure.

Design ITAAC is applied to the human factors verification and validation (HF V&V) for the APR1400. The HFE program is in effect at least from the start of the design cycle through completion of initial plant startup test program to conform to NUREG-0711, Rev. 3. The COL applicant is to provide a design ITAAC closure schedule for implementing the V&V design ITAAC. Design ITAAC will be closed in accordance with applicable regulatory guidance. Any changes and departures will be governed by applicable regulatory guidance and that included with the design certification rulemaking.

The staff reviewed the applicant's response and considered whether the additional text in DCD Tier 1 would provide sufficient controls to constrain changes to the implementation plans that would affect the conclusions in the SER. The staff determined that the proposed revision was not sufficient because it did not clearly state that the implementation plans were complete and conformed to the review criteria in NUREG-0711, Revision 3. If DCD Tier 1 contained a statement that the IPs are complete and conform to the review criteria in NUREG-0711, Revision 3, then any changes made to the IPs would not need to be reviewed and approved by the staff prior to being implemented as long as the IPs continued to conform to those review criteria.

At a public meeting held on March 14, 2018 (ML18073A255), the staff discussed this with the applicant. Additionally, the staff discussed the following items as additional changes that would need to be made to DCD Tier 1, Section 2.9.

  • Not all of the review criteria in NUREG-0711 are applicable to the IPs submitted with this design certification application. Some review criteria are identified in NUREG-0711 as being applicable only to boiling water reactors, and thus these review criteria are not applicable to this design because the APR1400 is a pressurized water reactor. Other review criteria are identified as being applicable to reviews of modifications to control rooms at operating plants, and thus these review criteria are not applicable to this application for the development of a new control room design. The appendices of the HFE IPs include a list of the review criteria in NUREG-0711 and the sections of the IPs that conform to those criteria.

The staff reviewed these appendices and found they identify the review criteria for boiling water reactors and modifications as not being applicable in all cases except for one instance in the HFE PP. The HFE PP appendix lists one of the modification criteria as being applicable. The staff stated that the applicant should evaluate why this one review criteria is treated differently than the other review criteria for plant modifications and remove it from the HFE PP, if necessary. The staff explained that the HFE IPs should be consistent with NUREG-0711 such that if a COL questions which review criteria in NUREG-0711 are applicable when evaluating changes to the HFE IPs, the information in the application is consistent with the guidance in NUREG-0711.

  • Additionally, the staff reviewed all of the applicable review criteria in NUREG-0711 to determine whether they were prescriptive enough to constrain changes to the IPs. The staff found that the majority of the review criteria are sufficiently prescriptive. For example, Review Criterion 5.4(1) in NUREG-0711 provides a list of tasks that should be included in an applicant's task analysis. In order to conform to this review criterion as required by the statement in DCD Tier 1, the tasks included in the scope of the task analysis, which is discussed in APR1400-E-I-NR-14004, Task Analysis Implementation Plan, need to contain, at a minimum, the tasks listed in this criterion. Therefore, changes to the scope of task analysis described in the HFE IP can be made as long as the change does not result in the IP no longer conforming to the review criterion.

However, the staff determined some of the review criteria related to ISV testing are not prescriptive enough to adequately control changes to the implementation plans. For example, Review Criterion 11.4.3.5.1(5) states: The applicant should identify the workload measures obtained for each scenario. In this case, the V&V IP, Section 4.5.5.1, Types of Performance Measures Used, identifies the method for measuring workload. As discussed in SER Section 18.10.4.3, Integrated System Validation, for the staff's evaluation of Review Criterion 11.4.3.5.1(5), the staff has reviewed the method for measuring workload during ISV testing and found it is acceptable. However, if another tool for measuring workload is selected instead of the measure in the approved IP, then it is possible that the measure might not be acceptable because it might not be valid, reliable and sensitive. In this case, the IP would continue to conform to the review criterion because the wording in the criterion says the workload measure(s) should be identified and does not prescribe what they should be.

Therefore the staff provided a list of the specific information in the V&V IP that the staff used to make its conclusions, and for which the review criteria are not sufficiently prescriptive, that should be added either in DCD Tier 1 Section 2.9 or in the ITAAC for the ISV test. The applicant stated that all of the information could be added to DCD Tier 1, Section 2.9; however, the applicant stated that the means for measuring workload and situation awareness were proprietary and that it was not desirable to include this information in Tier 1. The staff stated that the applicant could instead state that measures of workload and situation awareness will be valid, reliable, and sensitive. Therefore the specific methods for measuring workload and situation awareness can be changed so long as those methods are valid, reliable and sensitive.

  • The Scenarios Document was included with the design certification application, and is an extension of the V&V IP. The staff has made some findings on the information in the document. However, unlike all of the other HFE technical reports, it was not incorporated by reference in the DCD. The staff stated it should be incorporated by reference as part of DCD Tier 2 because it is an extension of the V&V IP, and it contains information the staff has relied on to make conclusions to support the safety finding. The staff said the Scenarios Document did not need to be Tier 1 as originally requested in RAI 553-9084, Question 18-134, because the addition of a statement in DCD Tier 1, Section 2.9 that the IPs conform to the review criteria of NUREG-0711, Revision 3, would be sufficient to constrain changes to the scenarios. Specifically, changes to the scenarios in the Scenarios Document will not require prior staff review and approval so long as the scenarios continue to conform to the review criteria in NUREG-0711, Revision 3. The staff's experience conducting inspection of the Westinghouse AP1000 ISV shows that flexibility with the number of scenarios and scenario events is desirable when DAC has been used because the scenarios may need to be changed as more detailed plant information becomes available. The applicant stated it would include the V&V Scenarios Document in Table 1.6-2.
  • The staff also identified some editorial changes that could be made for clarity (e.g., changing HFE principals to HFE principles).

The staff reviewed the applicant's revised response to RAI 553-9084, Question 18-134 (ML18115A330), and determined it was acceptable because the applicant revised the application to address each of the topics discussed at the public meeting on March 14, 2018.

Specifically, the applicant proposed the following revisions:

  • Addition of a statement in DCD Tier 1, Section 2.9 that the IPs are complete and conform to the review criteria of NUREG-0711, Revision 3.
  • Deletion of the review criterion applicable to plant modifications in the appendix of the HFE PP.
  • Addition of information from the V&V IP the staff requested to be added because the review criteria in NUREG-0711 are not prescriptive enough to control changes to these sections of the IP. The information continues to be included in the V&V IP, which is Tier 2; however, any changes to the information in the V&V IP that is also included in DCD Tier 1, Section 2.9, requires the NRC's approval prior to implementing changes.
  • Addition to DCD Tier 2, Table 1.6-2, of the Scenarios Document.

The staff finds the proposed revisions to DCD Tier 1, Section 2.9 are sufficient to control changes to the IPs such that any changes are comparable to what would have otherwise been afforded by using Tier 2*. They impose a constraint on the IPs because changes cannot occur that would cause the IP to no longer conform to the NUREG-0711 review criteria or would change the ISV test information in Tier 1, and any changes to Tier 1 require the NRC's approval prior to changing. The Tier 1 information also states that the design will be developed in accordance with requirements and performance of the IPs and the ReSRs to support ITAAC closure.

Therefore, RAI 553-9084, Question 18-134, is being tracked as a Confirmatory Item pending the incorporation of the response into a subsequent revision of the DCD.

ITAAC Closure and COL Information Items

In reviewing DCD Section 14.3.2.9, ITAAC for Human Factors Engineering, the staff noted a statement in this section that the ITAAC applied to HFE will be closed in accordance with Section 8.3.1 of NEI 08-01, Industry Guidelines for the ITAAC Closure Process Under 10 CFR 52, Revision 4 (Reference 32). Upon further review, the staff found that the cited Section 8.3.1 did not exist in NEI 08-01 and also that the DCD did not reflect the current revision of this Nuclear Energy Institute (NEI) document that has been approved for use by the staff, as documented in RG 1.215, Rev. 2. The staff also found that the description of COL Item 14.3(4) provided in DCD Section 14.3.6, Combined License Information, and that described in DCD Section 14.3.2.9, ITAAC for Human Factors Engineering, were not consistent. Specifically, DCD Section 14.3.2.9 said, The COL applicant is to provide a design ITAAC closure schedule for implementing the V&V design ITAAC (COL 14.3(4)), but COL Item COL 14.3(4) only said, The COL applicant is to provide a design ITAAC. The ITAAC had already been provided in DCD Tier 1, Table 2.9-1. To resolve these two issues, the staff issued RAI 512-8665, Questions 14.03.09-2, and 14.03.09-3 (ML16217A494), respectively.

In its response to RAI 512-8665, Question 14.03.09-2 (ML16314E535), the applicant provided proposed revisions to DCD Section 14.3.2.9. The staff reviewed the proposed changes and concluded that the applicant adequately addressed RAI 512-8665, Question 14.03.09-2 because the applicant proposed to revise DCD Section 14.3.2.9 to refer to Section 10.1, Design Acceptance Criteria, of NEI 08-01, Revision 5 - Corrected and change Reference 32 to NEI 08-01, Revision 5 - Corrected. The changes proposed in the RAI response were incorporated in Revision 1 of the DCD. Therefore, RAI 512-8665, Question 14.03.09-2 is resolved and closed.

In its response to RAI 512-8665, Question 14.03.09-3 (ML16314E535), the applicant provided a proposed revision to DCD Section 14.3.6, COL Item 14.3(4), which now states, The COL applicant is to provide a design ITAAC closure schedule for implementing the V&V design ITAAC as addressed in Subsection 14.3.2.9. The staff reviewed the proposed change and concluded that the applicant adequately addressed RAI 512-8665, Question 14.03.09-3 because the applicant proposed to revise the description of COL Item 14.3(4) to align with the information in DCD Section 14.3.2.9. The COL information item is acceptable because providing an ITAAC closure schedule for implementing the V&V ITAAC is consistent with guidance in RG 1.206, Section C.III.5.1, Detailed Design Information and the Combined License Application, which explains the staff's need for a schedule as follows:

The COL applicant should identify those design areas where detailed information cannot be provided and should supply the NRC with a schedule for completion of detailed engineering, procurement, fabrication, installation, and testing information. The applicant should similarly do this in a manner to support timely NRC inspection of DAC information. The path to successfully satisfying the DAC and completing the associated ITAAC may include review of information or procedures that occur early in the construction, fabrication, or development processes that may necessitate early involvement by NRC inspectors and staff.

The applicant also provided conforming changes to DCD Tier 2 Table 1.8-2, Combined License Information Items. The changes proposed in the RAI response were incorporated in Revision 1 of the DCD. The staff also observed that the applicant changed the numbering of the COL items listed in DCD Section 14.3.6 and Table 1.8-2 such that COL Item 14.3(4) in Revision 0 of the DCD is COL Item 14.3(2) in Revision 1 of the DCD. Therefore, RAI 512-8665, Question 14.03.09-3 is resolved and closed.

At a public meeting held on March 14, 2018 (ML18073A255), the staff discussed clarifying the V&V IP to reflect activities needing to be performed before ITAAC closure. The HFE PP includes Figure 4-2, APR1400 HFE Program Milestones, and the applicant's response to RAI 553-9084, Question 18-134 (ML17317A397), includes the same figure. The figure shows that the IPs were submitted with the design certification application, and the COL holder needs to complete the ReSRs as discussed in the IPs. The figure shows that the results of completing the HFE activities, as described in the IPs, are inputs to the design, and the ISV test validates the design. Because an ITAAC has been provided for the ISV, but the activities in other HFE IPs need to be completed before the ISV test occurs as shown in the figure, the staff stated that the applicant should consider adding the figure to the V&V IP to help clarify the meaning of the statement the applicant proposed to be added to DCD Tier 1, Section 2.9, which states: The HFE program objectives for the design are that the design ... is developed in accordance with applicable requirements and performance of the HFE program element implementation plans and results summary reports to support ITAAC closure. The staff thought this would be helpful to a COL holder because the figure shows the HFE activities that need to occur before the ISV test and thus before ITAAC closure.

In the applicant's revised response to RAI 553-9084, Question 18-134 (ML18082A926), the applicant revised the V&V IP by adding Figure 3-1, ITAAC Closure Schedule, which shows the activities that precede the ISV and ITAAC closure, and that the results of those activities are inputs to the design that is validated by the ISV test. The staff finds this acceptable.

RAI 553-9084, Question 18-134 is being tracked as a confirmatory item pending incorporation of the response into a subsequent revision of the DCD.

During the APR1400 Subcommittee Meeting of the Advisory Committee on Reactor Safeguards (ACRS) held on June 21, 2017, to discuss Chapter 18 of the DCD, the ACRS questioned why there are no COL items for the HFE elements that have an associated IP. Specifically, the ACRS questioned how the COL applicant will know that it is the COL applicant's responsibility to complete the activities described in the HFE IPs. Following the ACRS meeting, the staff considered this question and reevaluated the application.

As stated above, the applicant included nine IPs and three COL items in the design certification application to address the 12 HFE program elements. The applicant's IPs describe the means by which nine of the HFE program elements will be completed. The results of completing the activities in the IPs are inputs to the design that is validated during the ISV test. The ISV test must be completed before the ITAAC for the ISV can be closed; however, the activities described in the IPs are not required to be complete prior to issuance of a COL. Therefore, COL items are not necessary for the HFE program elements for which the design certification applicant has provided an implementation plan. Additionally, because Figure 4-2, APR1400 HFE Program Milestones, of the HFE PP shows that the IPs are completed as part of design certification and that the ReSRs need to be completed following design certification and prior to conducting the ISV test and closing the ITAAC, the staff finds the application sufficiently describes what a COL applicant needs to do.

14.3.9.5 Combined License Information Items

The DCD Tier 2 Section 14.3.2.9 contains one COL item pertaining to human factors engineering.

The staff concluded that no additional COL items were needed. The staff's review of this item is discussed in Section 14.3.9.4 of this report.

Table 14.3.9-1 APR1400 Combined License Information Items

Item No.       Description
COL 14.3(2)    The COL applicant is to provide a design ITAAC closure schedule for implementing the V&V design ITAAC as addressed in DCD Tier 2, Subsection 14.3.2.9.

14.3.9.6 Conclusions

Upon incorporation of the confirmatory item above into a subsequent DCD revision, the staff concludes that DCD Tier 1 Section 2.9 satisfactorily summarizes the top-level design process objectives that will be used to develop the HFE design and is consistent with DCD Tier 2, Chapter 18 Human Factors Engineering. Therefore the Tier 1 information associated with DCD Section 14.3.9 Human Factors Engineering - Inspections, Tests, Analyses, and Acceptance Criteria is acceptable.

Furthermore, upon incorporation of the confirmatory item above into a subsequent DCD revision, the staff concludes that the ITAAC in Tier 1 Section 2.9 adequately verify the DCD Tier 1 HFE design. Therefore, within the review scope of this section, the staff concludes that the APR1400 ITAAC in Tier 1 Section 2.9, are necessary and sufficient to provide reasonable assurance that, if the Inspections, Tests, and Analyses are performed and the Acceptance Criteria are met, a facility that incorporates the certified APR1400 design has been constructed and will be operated in conformity with the applicable portions of the design certification, the AEA, and the NRC's rules and regulations.

Emergency Planning - Inspections, Tests, Analyses, and Acceptance Criteria

The staff's evaluation of the design-related Emergency Planning ITAAC contained in DCD Tier 1, Section 2.10, Table 2.10-1, Emergency Planning ITAAC, and Tier 2 Section 14.3.2.10, ITAAC for Emergency Planning, are evaluated in Section 13.3.4.9, ITAAC, of this SER.

Containment Systems - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

Design Control Document (DCD) Tier 2, Section 14.3, Inspections, Tests, Analysis, and Acceptance Criteria, (ITAAC) discusses the selection criteria and methods used to develop the DCD Tier 1 information and the ITAAC. DCD Tier 1 includes the portion of the design-related information that, if acceptable, would be approved, certified, and incorporated by reference into a new design certification rule for the APR1400 design. The design descriptions, interface requirements, and site parameters are derived from DCD Tier 2 information.

This Section 14.3.11 evaluation addresses ITAAC related to the containment and associated systems. The scope of containment systems encompasses containment design and associated issues, which include containment isolation provisions, containment leakage testing, hydrogen generation and control, containment heat removal, and subcompartment analysis.

The staff reviewed the ITAAC with respect to containment systems described in the DCD in accordance with NUREG-0800, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.11, Containment Systems - Inspections, Tests, Analyses, and Acceptance Criteria. The staff reviewed the proposed ITAAC to determine whether they are necessary and sufficient to provide reasonable assurance that, if the ITAAC are successfully completed, a facility that incorporates the design certification has been constructed and will be operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended (AEA), and the Commission's rules and regulations. In addition, the staff reviewed whether interface requirements are necessary for containment systems.

The scope of the review of the containment systems ITAAC includes the DCD Tier 1 sections given in Table 14.3.11-1, Cross References for the Staff's Evaluation of Containment Systems ITAAC, of this report, that are significantly related to normal operation, transients, and accidents. The evaluation of each containment systems ITAAC is documented in the section of this SER referenced below in Table 14.3.11-1.

Summary of Application

DCD Tier 1: The applicant provided design descriptions for containment systems in DCD Tier 1 Section 2.11, Containment Systems. DCD Tier 1, Chapter 1, Introduction, provides definitions, general provisions, and a legend for figures, acronyms, and abbreviations.

Table 14.3.11-1 Cross References for the Staff's Evaluation of Containment Systems ITAAC

DCD Tier 1 Section | Title | ITAAC Table | SER Section | SER Section for 52.47(b)(1) Finding
2.11.1 | Containment Structure | 2.11.1-2 | 6.2.1 | 6.2.1
2.11.2 | Containment Spray System | 2.11.2-4 | 6.2.2 | 6.2.2
2.11.3 | Containment Isolation System | 2.11.3-2 | 14.3.11.4.5 | 14.3.11.4.5
2.11.4 | Containment Hydrogen Control System | 2.11.4-3 | 14.3.11.4.6 | 14.3.11.4.6

System design descriptions include relevant information for the ITAAC, such as key design features; seismic and ASME code classifications used in design and construction; system operation; alarms, displays, and controls; logic for system actuation; interlocks; class 1E power sources and divisions; equipment to be qualified for harsh environment; interface requirements; and numeric performance values. The design description contains tables and figures that are referenced in the Design Commitment column of the ITAAC tables listed above.

The applicant organized its Tier 1 information in a manner similar to that used for the evolutionary designs as described in SRP Section 14.3 and RG 1.206 Section C.II.1. The ITAAC tabular format and content for the containment systems follows the NRC recommended format described and presented in RG 1.206, Table C.II.1-1, Sample ITAAC Format. The ITAAC are presented in a three-column table that includes the proposed commitment to be verified (column 1), the method by which the licensee will verify (column 2), and specific acceptance criteria for the inspections, tests, or analyses (column 3) that, if met, demonstrate the licensee has met the design commitment in column 1.

DCD Tier 2: The DCD Tier 2, Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, provides a general description of the APR1400 ITAAC including its relationship to other DCD Tier 1 information, and the bases, processes, and selection criteria used to develop Tier 1 information.

The applicant specified that the ITAAC for containment systems were prepared in accordance with the guidance in RG 1.206, Section C.II.1, Inspections, Tests, Analyses, and Acceptance Criteria; NUREG-0800 SRP Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria; and NUREG-0800 SRP Section 14.3.11, Containment Systems - Inspections, Tests, Analyses, and Acceptance Criteria.

ITAAC: The applicant provided ITAAC for containment systems in DCD Tier 1 sections as listed above in Table 14.3.11-1.

Technical Specifications: There are no technical specifications for this area of review.

Regulatory Basis

The relevant requirements of NRC regulations for this area of review, and the associated acceptance criteria, are given in NUREG-0800, Sections 14.3, Inspections, Tests, Analyses, and Acceptance Criteria, and 14.3.11, Containment Systems - Inspections, Tests, Analyses, and Acceptance Criteria. Review interfaces with other SRP sections are also identified in this SRP section.

Acceptance criteria are based on meeting the relevant requirements of the following NRC regulations:

  • 10 CFR 52.47(b)(1), Contents of applications; technical information, as it relates to the requirement that a design certification application contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, a plant that incorporates the design certification has been constructed and will be operated in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC rules and regulations.

Technical Evaluation

The staff performed its review of the system and non-system based ITAAC in accordance with the SRP Section 14.3 and SRP Section 14.3.11, particularly the applicable review procedures identified in each SRP Section III, as well as the guidance provided by RG 1.206, Section C.II.1, Inspections, Tests, Analyses, and Acceptance Criteria. The staff examined the ITAAC to ensure that they can be inspected by the organization holding the combined license and closed out by the staff. The review examined the phrasing and format of the ITAAC to determine if they were consistent (i.e., the Design Commitment; the Inspection, Test, or Analysis; and the Acceptance Criteria are parallel and in agreement). In addition, the staff determined that the DCD Tier 1 ITAAC items were derived from the DCD Tier 2 information.

ITAAC Development Criteria

RG 1.206 Section C.II.1.2.11, ITAAC for Containment Systems, describes the ITAAC development for containment systems and identifies the aspects to be verified through ITAAC.

These are related to the containment design and associated issues, such as containment isolation provisions, containment leakage testing, hydrogen generation and control, containment heat removal, and sub-compartment analysis.

Since the features for ITAAC development criteria listed in DCD Tier 2 Section 14.3.2.11 are identical to those listed in RG 1.206 Section C.II.1.2.11 for an active plant, the NRC staff concludes that the applicant adequately identified the general aspects to be verified through ITAAC in DCD Tier 2 Section 14.3.2.11, including the ITAAC to verify the top-level design features.

Containment Systems Tier 1 Section 2.11

In performing the evaluation of the ITAAC items, and determining whether the ITAAC appropriately verify the top-level design features, the staff considered the safety function significance of each item in light of the results of the containment safety analyses, such as loss-of-coolant-accident, main-steam-line-break, main-feed-line-break, and subcompartment analyses. Specifically, DCD Tier 2, Table 14.3.4-1, Design Basis Accident Analysis Key Design Features, DCD Tier 2, Table 14.3.4-2, PRA and Severe Accident Analysis Key Design Features, and DCD Tier 2, Table 14.3.4-6, Radiological Analysis Key Design Features, were reviewed to confirm that the table entries are complete with respect to the safety analyses in DCD Tier 2, Chapter 6, Engineered Safety Features, and DCD Tier 2, Chapter 15, Transient and Accident Analyses, and consistent with DCD Tier 2, Section 14.2, Initial Plant Test Program.

In addition, the staff used the SRP sections identified in SRP Section 14.3.11 that have a potential impact on the containment systems ITAAC sections. These included the following SRP sections that provide information related to SRP Section 14.3.11: SRP Section 14.3 (general guidance on ITAAC), SRP Section 14.3.2 (structures, systems, and components (SSCs) ability to withstand various natural phenomena), SRP Section 14.3.3 (piping design), SRP Section 14.3.5 (instrumentation and controls), SRP Section 14.3.6 (electrical systems and components), and SRP Chapter 19 (SSCs design features and functions that should be addressed based on severe accident, PRA, and shutdown safety evaluations).

The staff assessed the containment systems ITAAC items for the following DCD Tier 2 sections in accordance with the applicable procedures and guidance provided in SRP Sections 14.3 and 14.3.11:

  • Section 6.2.1, Containment Functional Design
  • Section 6.2.2, Containment Heat Removal System
  • Section 6.2.4, Containment Isolation System
  • Section 6.2.5, Containment Hydrogen Control System

The staff's specific evaluation of the above sections relating to the adequacy of their ITAAC items is presented in the sections of this report identified above in Table 14.3.11-2. Pending the resolution of confirmatory items related to ITAAC in these sections, the staff considers the ITAAC to be adequately addressed and acceptable.

Containment Function Design ITAAC, Table 2.11.1-2

The primary functions of the RCB are to protect the safety-related SSCs located within it and to prevent the release of radiation and contamination during normal plant operations and accidents. The containment encloses the reactor system and is the final barrier against the release of significant amounts of radioactive fission products in the event of an accident. Containment structure must also maintain functional integrity in the long term following a postulated accident. The design and sizing of containment systems are largely based on the pressure and temperature conditions that result from release of the reactor coolant in the event of LOCA.

The information associated with this evaluation is provided in DCD Tier 2, Section 6.2.1.1, Containment Structure, and DCD Tier 1, Section 2.11.1, Containment Structure.

The ITAAC associated with the evaluation of DCD Tier 2, Section 6.2.1 are provided in DCD Tier 1, Table 2.11.1-2, Containment Structure ITAAC. The NRC staff's detailed review of Containment Function Design Tier 1 information is contained in Section 6.2.1 of this SER.

Containment Heat Removal System ITAAC, Table 2.11.2-4

The containment heat removal system credited in the APR1400 DCD is the containment spray system (CSS). The CSS is a safety-related system which acts to reduce containment pressure and temperature following a main steam line break or a loss-of-coolant accident (LOCA). The CSS consists of two divisions, each with a pump, heat exchanger, spray header and associated piping and valves capable of delivering 100 percent of the required flow.

The information associated with this evaluation is provided in DCD Tier 2, Section 6.2.2, Containment Heat Removal System, and DCD Tier 1, Section 2.11.2, Containment Spray System.

The ITAAC associated with the evaluation of DCD Tier 2, Section 6.2.2 are provided in DCD Tier 1, Table 2.11.2-4, Containment Spray System ITAAC. The NRC staff's detailed review of the CSS Tier 1 information is contained in Section 6.2.2 of this SER.

Containment Isolation System ITAAC, Table 2.11.3-2

The containment isolation system (CIS) is a safety-related system which allows the normal or emergency passage of fluids through the containment boundary while preserving the ability of the boundary to prevent or limit the escape of fission products from postulated accidents. The CIS includes the system and components (piping, valves, and actuation logic) that establish and preserve the containment boundary integrity.

The information associated with this evaluation is provided in DCD Tier 2, Section 6.2.4, Containment Isolation System, and DCD Tier 1, Section 2.11.3, Containment Isolation System.

The ITAAC associated with the evaluation of DCD Tier 2, Section 6.2.4 are provided in DCD Tier 1, Table 2.11.3-2, Containment Isolation System ITAAC. The NRC staff's detailed review of the CIS is contained in Section 6.2.4 of this SER, but the review of the ITAAC in Tier 1 Section 2.11.3 follows.

DCD Tier 1, Section 2.11.3, Containment Isolation System, describes the design, functional requirements, and location of all the components in the CIS and provides ITAAC confirming the design and location of all components. DCD Tier 1 Table 2.11.3-1, Containment Isolation System Components List, also provides the design and functional requirements of all components in the CIS with the configuration as shown in Figure 2.11.3-1, Containment Isolation Valves Functional Arrangement. The ITAAC associated with the design commitments are provided in DCD Tier 1 Table 2.11.3-2, Containment Isolation System ITAAC.

The staff has reviewed Table 2.11.3-1 and Table 2.11.3-2 regarding the design commitments and ITAAC. ITAAC Table 2.11.3-2, Item 1 verifies functional arrangement of the CIS components. Items 2, 3, and 4 verify ASME Section III requirements of ASME Code components and piping, pressure boundary welds and pressure boundary integrity at their design pressure. Item 5 verifies seismic Category I requirements of the CIS. Items 6 to 11 verify component environmental qualification, Class 1E power source, separation and electrical isolation, controls and indications, and valve closure times. After reviewing these ITAAC items, the staff determined, with one exception discussed below, that the ITAAC would be necessary and sufficient to verify that a facility incorporating the APR1400 design has been constructed and will be operated in accordance with the applicable portions of the certified design, the NRC's rules and regulations, and the AEA.

However, the staff's review of the Containment Isolation System ITAAC, Table 2.11.3-2 revealed that no ITAAC were provided to confirm that the as-built piping distances from containment to containment isolation valve outside containment will not exceed those listed in DCD Tier 2 Table 6.2.4.1, List of Containment Penetrations and System Isolation Positions.

The staff also indicated that the associated penetration numbers should be included in DCD Tier 1, Table 2.11.3-1, Containment Isolation System Component List. Therefore, the staff issued RAI 357-8344, Question 06.02.04-11 to address the issue (ML15006A045). In the response (ML16182A591), the applicant stated that General Design Criteria (GDCs) 55, 56, and 57 require that isolation valves located outside of containment should be located as close to containment as practical. The APR1400 design has incorporated this design concept into the location of the containment isolation valves, and acceptable containment isolation valve location is assured through the overall design and piping analysis program. According to the applicant, the length of pipe between containment and the isolation valve indicated in DCD Tier 2, Table 6.2.4-1 does not necessarily represent a bounding condition for each piping line listed. Therefore, the applicant stated that including verification of as-built piping distances as a prescriptive ITAAC item is neither meaningful nor practical for a subjective criterion such as locating isolation valves as close as practical to containment and the graded approach for piping analysis that has been implemented for the APR1400. In a revised response (ML17171A364), the length of pipe from containment to outer isolation valves in DCD Tier 2, Table 6.2.4-1 markups was included. The applicant provided an example from an operational plant as a reference which was subject to change during the detailed design phase. As discussed in Section 6.2.4 of this report, the staff finds these values of length in Table 6.2.4-1 acceptable for conformance with the requirements of GDCs 55, 56 and 57. But in the response to RAI 357-8344, Question 06.02.04-11, the applicant did not provide ITAAC to ensure that the outer isolation valves in the as-built structure are located as close to the containment as practical. In an email (ML18073A391), the NRC notified the applicant that an ITAAC needs to be provided to ensure the requirements of GDCs 55, 56, and 57 are met. In a revised response to RAI 357-8344 Question 06.02.04-11 (ML18089A578), the applicant proposed an additional ITAAC to be added to DCD Tier 1 Table 2.11.3-2. The staff's review found the proposed ITAAC sufficient to ensure that the isolation valves in the as-built structure are as close to the containment as practical, thereby meeting the requirements of GDCs 55, 56, and 57.

Containment penetration numbers were added to DCD Tier 1, Revision 1, Table 2.11.3-1 in the response to RAI 357-8344 Question 06.02.04-11, Revision 0. The applicant indicated that some incorrect information in DCD Tier 1, Table 2.11.3-1 regarding valves FW-V132, IA-V0020, PS-V0032, PS-V0258 and WI-V0015 will be corrected, and missing manual valves VQ-V2014, V016 and V2024 will be added as indicated in the attachment associated with this response.

The staff reviewed the proposed markup changes to DCD Tier 1, Table 2.11.3-1 and finds them acceptable.

The staff reviewed the applicant's response and proposed DCD markups and finds them acceptable. Therefore, RAI 357-8344, Question 06.02.04-11 is tracked as a confirmatory item.

The staff finds that, pending the incorporation of the confirmatory items discussed above, the proposed ITAAC in Table 2.11.3-2 of DCD Tier 1 satisfy 10 CFR 52.47(b)(1) because they are necessary and sufficient to provide reasonable assurance that, if met, the containment isolation system has been constructed and will be operated in conformity with the applicable portions of the certified design, the NRC's rules and regulations, and the AEA. The ITAAC ensure the containment isolation system conforms to the design as described in the DCD, Section 14.3.2.11 by verifying locations and classifications for components and the necessary controls and alarms for monitoring system operation. This conclusion is based on the inclusion of comprehensive inspections, tests, and analyses that verify the acceptability of the containment structure.

Containment Hydrogen Control System ITAAC, Table 2.11.4-3

The Containment Hydrogen Control System (CHCS) mitigates the consequences of postulated accidents by mixing, monitoring, preventing, or removing combustible gas concentrations that may be released into the containment atmosphere in the event of a significant beyond-design-basis accident.

The information associated with this evaluation is provided in DCD Tier 2, Section 6.2.5, Hydrogen Control System, and DCD Tier 1, Section 2.11.4, Containment Hydrogen Control System.

DCD Tier 1, Section 2.11.4, Containment Hydrogen Control System, describes the function and location of all the components in the CHCS and provides ITAAC confirming the existence and location of all components. The staff requested that additional design information for the Containment Hydrogen Monitoring System (CHMS) be added to the ITAAC in Section 2.11.4 as indicated in RAI 155-8167, Question 06.02.05-5, dated August 18, 2015. In its response to RAI 155-8167, Question 06.02.05-5, dated November 18, 2015, the applicant committed to adding to the ITAAC additional design information concerning the number and locations of the passive autocatalytic recombiners (PARs) and the hydrogen igniters (HIs), and range information for the hydrogen monitors (ML15322A028). The staff finds this response acceptable. The staff confirmed that APR1400, Revision 1 contains this update. RAI 155-8167, Question 06.02.05-5 is resolved and closed.

The staff also requested in RAI 155-8167, Question 06.02.05-4, dated August 18, 2015, the PAR and HI locations be provided in DCD Tier 1 and PAR recombination rates be added to DCD Tier 1 ITAAC Table 2.11.4-3, and Tier 2 (ML15235A001). In its response dated November 18, 2015, the applicant provided the recombination rates for the three sizes of PARs (ML15322A028). The staff has reviewed this response and found the recombination rates acceptable, as they form the basis of the combustible gas control in containment analysis.

However, staff needed this information to be provided in both DCD, Tier 1 and Tier 2 for completing its review. Therefore, the staff closed RAI 155-8167, Question 06.02.05-4 as unresolved and issued a follow-up RAI 541-8724, Question 06.02.05-12 requesting this information be added to the DCD.

In a response dated December 29, 2017, the applicant provided PAR and HI locations in the containment and markups for DCD Tier 1 Table 2.11.4-1 (ML17363A255). The staff reviewed this information and determined that it provided an adequate basis for locating PARs and HIs in the containment. The applicant provided PAR recombination rates and markups for DCD Tier 2 Table 6.2.5-3 giving this information. The applicant provided markups for DCD Tier 1 Table 2.11.4-3 providing an acceptance criterion for PAR and HI capacities that would verify that the hydrogen depletion rates for the installed PARs and HIs will maintain containment hydrogen concentration, both locally and globally, of less than or equal to 10 percent by volume, or that DDT or detonation is avoided in order to maintain containment integrity. For hydrogen igniters, the acceptance criterion requires that the surface temperature exceeds 1,700 °F.

Therefore, RAI 541-8724, Question 06.02.05-12 is tracked as a confirmatory item.

DCD Tier 1 Table 2.11.4-1 identifies PARs and HIs of the CHCS and the containment temperature element of the CHMS as seismic Category I, for which DCD Tier 1 ITAAC Table 2.11.4-3 lists a design commitment with an acceptance criterion to ensure that they are located in a seismic Category I structure. (The temperature measurement is for monitoring hydrogen concentration in the containment as described in DCD Tier 2 Section 6.2.5.2.2.) The staff finds this acceptable because this ITAAC would ensure that the CHCS and CHMS would function after a seismic event consistent with SRP Section 6.2.5 and RG 1.7.

DCD Tier 1 ITAAC Table 2.11.4-3 lists a design commitment requiring that electrical power to HIs be supplied from the Class 1E division. On loss of offsite power and failure of the emergency diesel generator to start or run, the HIs have the alternate power supply from the alternate alternating current (AAC) generator. Also, HIs are powered by battery back-up. Tests will be performed on the as-built HIs to confirm that they are powered from Class 1E division, the emergency diesel generator, the AAC generator, and DC battery. The staff finds this ITAAC acceptable because it ensures that HIs are powered from reliable, diverse power sources consistent with SRP Section 6.2.5 and RG 1.7.

DCD Tier 1 ITAAC Table 2.11.4-3, provides a design commitment requiring that the Containment Temperature Element, CM-TE-031A, be qualified for a harsh environment so that it is capable of withstanding the environmental conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. The ITAAC verifies this design commitment through type tests, analyses or a combination of type tests and analyses of the SSC, with an inspection to verify that the as-built SSC is bounded by the tested or analyzed conditions. As stated in DCD Tier 2 Section 6.2.5.2.2, Containment Hydrogen Monitoring System, the temperature measurement from the Containment Temperature Element is used to calculate containment hydrogen concentration. The staff informed the applicant that the containment and IRWST hydrogen concentration instruments should be included in the list of equipment to be verified by ITAAC that they are qualified for a harsh environment. In response to RAI 558-9456 Question 14.03.01-1 (ML18137A480) the applicant proposed to add the instruments identified in Table 2.11.4-2 to the design commitment and acceptance criteria of ITAAC 6 in Table 2.11.4-3.

Since Table 2.11.4-2 identifies the containment and IRWST hydrogen concentration instruments, the staff finds this response acceptable. Therefore RAI 558-9456 Question 14.03.01-1 is tracked as a confirmatory item. The staff finds that the design commitment and ITAAC provided are consistent with SRP Section 6.2.5 and RG 1, and therefore, are acceptable.

DCD Tier 2 Section 6.2.5.2.1 states the following: Because the PAR is self-actuated and does not need a power supply, operator action for the PAR is not needed. The HIs are actuated by manual actuation in the MCR or RSR on indication that the hydrogen concentration exceeds a predetermined setpoint of volume percent or an indication of the beyond DBA. Consistent with this, DCD Tier 1 ITAAC Table 2.11.4-3 lists design commitments for controls, displays, and alarms existing in the MCR and RSR, for which inspections will be performed to confirm. The staff finds these ITAAC acceptable because they ensure the availability of controls, displays, and alarms for monitoring hydrogen concentration in the containment from the MCR and RSR consistent with SRP Section 6.2.5 and RG 1.7.

In a response to RAI 546-8782, Question 14.03.03-6, on incorporation of standardized ITAAC guidance regarding equipment qualification for nonmetallic parts in safety-related mechanical equipment, the applicant added item 7 to DCD Tier 1 ITAAC Table 2.11.4-3 (ML17227A608).

DCD changes in response to this RAI are reviewed and found acceptable in Section 14.3.3.4.3 of this report.

The staff review found that the applicant's proposed ITAAC for the CHCS in Table 2.11.4-3 in Tier 1 of the DCD are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria met, the CHCS has been constructed and will be operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and the Commission's rules and regulations.

Therefore, the staff finds that the APR1400 CHCS meets the requirements of 10 CFR 52.47(b)(1).

Interface Requirements

Interface requirements are defined for: (a) systems that are entirely outside the scope of the design, and (b) the out-of-scope portions of those systems that are only partially within the scope of the standard design. The applicant has included the containment systems designs within the complete scope of the standard design, thus precluding the necessity of having interface requirements for these systems. The staff has accepted that interface requirements are not needed for containment systems.

Combined License Information Items

There are no COL Information Items associated with the APR1400 Containment Systems ITAAC.

Conclusions

In general, the NRC staff concludes that the applicant has adequately identified the containment systems which need to have ITAAC requirements. The review of the ITAAC in Tier 1 Tables 2.11.1-2 (Containment Functional Design) and 2.11.2-4 (Containment Heat Removal System) is in Sections 6.2.1 and 6.2.2 of this report, respectively. The review completed in this section of the SER supports the 10 CFR 52.47(b)(1) findings made in those sections of the SER. For the review of the ITAAC in Tier 1 Table 2.11.3-2 (Containment Isolation System) and Table 2.11.4-3 (Containment Hydrogen Control System), the staff finds, based on the above review and upon incorporation of the confirmatory item above into a subsequent DCD revision, that these ITAAC satisfy 10 CFR 52.47(b)(1).

Physical Security Hardware - Inspections, Tests, Analyses, and Acceptance Criteria

Introduction

In APR1400 DCD Tier 2, Chapter 14, Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria [ITAAC], the applicant described the methods for verifying design commitments for physical security incorporated into the KHNP APR1400 standard design. The DCD Tier 2 describes the engineered physical security systems (PSS), hardware, and features within the scope of the APR1400 standard Design Certification (DC) to establish a design standard for multiple security functions. That standard will provide, in part, the detection, assessment, communication, delay, and response functions of the design of a physical protection system that implement a physical security program that will protect against potential acts of radiological sabotage and theft of special nuclear material (SNM).

Specifically, the applicant provided the design descriptions for engineered PSS and credited design features (e.g., structural walls, floors, and ceilings, configurations of nuclear island and structures), descriptions of intended security functions and performance requirements, assumptions for detailed design, and supporting technical bases that a COL applicant will incorporate by reference as part of the design and licensing bases. The APR1400 standard design, along with site-specific design of a physical protection system, physical protection programs, and a security organization that are described by a COL applicant, demonstrates how a COL applicant will meet the performance and prescriptive requirements of 10 CFR Part 73, Physical Protection of Plants and Materials.

The design bases, analyses, and assumptions for the design of PSS, including plant layout and building configurations of the APR1400 design, are described in KHNP TeR APR1400 E-A-NR-14002-P-SGI, Security Design Features. The technical report describes evaluations and identifies vital equipment and areas for the APR1400 standard design. The scope of the PSS described in the APR1400 standard design is limited to those related to the nuclear islands and structures within the standard design. DCD Tier 2, Section 13.6, Physical Security, identifies COL information items and requires the COL applicant to provide descriptions addressing the design of PSS that are outside the scope of the APR1400 standard design and provide descriptions of the COL applicant's physical protection programs, respectively.

The APR1400 DCD Tier 1, Section 2.13, Physical Security Hardware, describes the generic standard physical security ITAAC for the verification of design commitments for vital equipment, vital areas, and PSS. The COL applicant that references the APR1400 standard design addresses the PSS that are not within the scope of the certified design, that is, those beyond the nuclear island and structures. The COL Information Items COL 14.3(1) and COL 14.3(3) establish actions by which the COL applicant will provide the ITAAC for the site-specific portion of the plant systems and describe the ITAAC for the facility's physical security hardware for site-specific PSS credited for performing security functions, based on the COL applicant's final design of a physical protection system and security programs.

Summary of Application

The following portions of the APR1400 DCD, Tier 1 and Tier 2, and referenced TeRs contain the applicant's design descriptions and physical security ITAAC information related to PSS that meet regulatory requirements:

DCD Tier 1: DCD Tier 1, Section 2.12.1, Design Description, describes key elements of a physical protection system for the APR1400 standard design that provide detection, delay, and response to protect against the design-basis threat (DBT) for radiological sabotage.

Table 2.12-1, Physical Security Hardware ITAAC [4 sheets], provides the general design commitments, inspections, tests, and analyses (ITA), and acceptance criteria of PSS included in the scope of the APR1400 standard design. In addition, Section 2.6.9, Communication Systems, describes plant and plant-to-offsite communications for security-related events and plant security communication systems. Table 2.6.9-1, Communication Systems ITAAC, includes design commitments for communication systems meeting security functions.

Section 2.6.8, Lighting Systems, describes normal and emergency lighting systems for illuminations inside buildings and plant areas. Table 2.6.8-1, Plant Lighting Systems Inspections, Tests, Analyses, and Acceptance Criteria, includes verification of design commitments for plant lighting systems.

DCD Tier 2: DCD Tier 2, Section 1.2, General Plant Description, through Section 1.2.14, Plant Arrangement Summary, provides descriptions of what is within the scope of the APR1400 standard design. Section 1.8.1, COL Information Items, identifies COL 1.8(1) and COL 1.8(2) for the COL applicant to address how site-specific interface requirements will be met and how each COL information item is addressed. Tables 1.8-1, Index of System, Structure, or Component Interface Requirements for APR1400, and 1.8.2, Combined License Information Items, describe protection systems interfaces, related PSS, and associated ITAAC.

COL 14.3(4) specifies that the COL applicant is to provide ITAAC for the facility's physical security hardware addressed in Section 14.3.2.12, ITAAC for Physical Security Hardware, which describes the PSS that are site specific (i.e., not within the scope of the APR1400 standard design) and how they will meet applicable regulatory requirements of 10 CFR 73.55, Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage, for design, configuration, or installation of PSS.

The applicant described conformance with the U.S. Nuclear Regulatory Commission (NRC) regulatory guides (RGs) in Section 1.9, Conformance with Regulatory Criteria. Table 1.9-1 identifies conformance to RGs. The applicant's conformance with Division 5, Materials and Plant Protection, RGs is described in DCD Tier 2, Section 1.9.1, Conformance with Regulatory Guides. Table 1.9-2, APR1400 Conformance with the Standard Review Plan, provides specifics for applicability of standard review plans (i.e., NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, various dates and revisions) and their conformance. Table 1.9-1, APR1400 Conformance with Regulatory Guides, identifies guidance, such as RG 5.7, Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas; RG 5.65, Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls; and RG 5.79, Protection of Safeguards Information, for elements of the site-specific physical security program that is addressed by the COL applicant and not applicable for design certification.

Table 1.9-2 identifies SRP Section 13.6, Physical Security, and SRP Section 13.6.2, Physical Security - Design Certification, Revision 1, issued October 2010. The applicant also identified SRP Section 14.3.12, Physical Security Hardware - ITAAC, Revision 0, issued March 2007, instead of subsequent Revision 1, issued May 2010. The staff issued RAI 197-8176, Question 14.3.12-9 (ML15247A004), requesting that the applicant indicate Revision 1 to SRP Section 14.3.12, which the APR1400 conforms to in preparing the DCD for certification. In its response to RAI 197-8176, Question 14.3.12-9 (ML15315A042), the applicant addressed this issue. The staff finds the applicant's response to indicate the latest revision of SRP 14.3.12 in the revision to the DCD acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-9. Therefore, RAI 197-8176, Question 14.3.12-9, is resolved and closed.

The DCD Tier 2, Section 13.6.2, Physical Security - Design Certification, states:

[t]his section provides noncategorized, high level, details on the systems, structures and components (SSCs) that make up the Physical Security system.

Additional details are provided in the technical report Physical Security Design Features (Reference 3) which includes details on the systems, structures, and components (SSCs) that require protection as vital equipment, as defined in 10 CFR 73.2 (Reference 4), as well as details on the installed security features required for physical protection. This report is to be incorporated by reference.

Reference 3 is categorized as security safeguards information (SGI) and is withheld from public disclosure pursuant to 10 CFR 73.21 (Reference 6).

The applicant describes PSS incorporated as part of the APR1400 physical standard design. In addition, in Section 13.6.7, Combined License Information, COL Information Item Nos. COL 13.6(1), COL 13.6(2), and COL 13.6(3) identify commitments on the physical security program, access authorization program, and cyber security program, under which the COL applicant will develop the site-specific programs, including site-specific ITAAC as applicable, to provide a physical protection system and programmatic requirements that are beyond the scope of the APR1400 standard design. The COL applicant would describe the elements of a physical protection program, such as the organization structure, training, operational programs, plant procedures, target sets, performance assessments, response requirements, design features for physical protection, and Fitness-for-Duty Program, along with an implementation schedule.

The DCD Tier 2, Chapter 14, Verification Programs, describes the physical security ITAAC for design commitments that will be verified to satisfy the acceptance criteria through inspections, tests, and/or analyses. The following sections discuss the verification of ITAAC within the scope of the APR1400 standard design: Section 14.2, Initial Plant Test Program; Section 14.3, Inspections, Tests, Analyses, and Acceptance Criteria; and Section 14.3.2.12, ITAAC for Physical Security Hardware. Section 14.2 describes the ITAAC abstracts for preparing test procedures for verifying the ITAAC for the APR1400 standard design. In Section 14.3.6, Combined License Information, the applicant identified COL 14.3(3), which requires the COL applicant referencing the APR1400 DC to provide site-specific ITAAC for the facility's PSS not addressed in the APR1400 standard design.

Technical Reports: The applicant submitted TeR APR1400-E-A-NR-14002-P-SGI, Physical Security Design Features, and TeR APR1400-E-A-NR-14001-P-SGI, Physical Security Design Response, which describe the security considerations in the APR1400 standard design. TeR APR1400-E-A-NR-14002-P-SGI is incorporated by reference in DCD Tier 2, Operations, Section 13.6, Physical Security. The applicant did not incorporate by reference TeR APR1400-E-A-NR-14001-P-SGI, and it therefore does not provide the technical bases for the staff's review and findings for the requested APR1400 standard DC. The information contained in the TeR(s) is Safeguards Information and/or security-related or proprietary information; therefore, it is protected in accordance with 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements, and 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding, respectively.

Combined License Information Items: COL 14.3(3) requires the COL applicant referencing the APR1400 standard design to provide ITAAC for the facility's physical security hardware addressed in Section 14.3.2.12, in accordance with RG 1.206, Combined License Applications for Nuclear Power Plants, as appropriate, and provide a test abstract describing the specific inspections, tests, and analyses for the physical security ITAAC not addressed in the DCD.

COL 14.2(5) inadequately identified an action to defer the development of detailed descriptions addressing system testing requirements for the APR1400's physical security ITAAC to the COL applicant. The staff issued RAI 197-8176, Question 14.3.12-5 (ML15247A004), requesting the applicant to delete COL 14.2(5). In its response to RAI 197-8176, Question 14.3.12-5 (ML15315A042), the applicant addressed this issue. The staff finds the applicant's response to delete COL Item 14.2(5) from the DCD acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-5. Therefore, RAI 197-8176, Question 14.3.12-5, is resolved and closed. In addition, Revision 1 to DCD Tier 2 Section 14.3 added COL 14.3(4), under which the COL applicant is to provide the proposed ITAAC for the facility's physical security hardware not addressed in the DCD in accordance with RG 1.206.

COL 13.6(1) requires the COL applicant that references the APR1400 standard design to develop a physical security, training and qualification plan, and safeguards contingency plan. The COL applicant is to address site-specific information related to the physical security, contingency, and guard training and qualification plans. The COL applicant is to address site-specific physical security ITAAC as applicable. The security plans prepared by the COL applicant are required to describe how the performance and prescriptive requirements of 10 CFR 73.55(b) are met in a security program established for an operating license.

Additionally, COL 13.6(2) and COL 13.6(3) are identified specifically for describing elements of a physical protection program beyond the scope of the DC. The COL applicant is to revise the nonstandard plant vital areas and vital equipment information in the reference TeR, APR1400-E-A-NR-14002-P-SGI, and address any site-specific designs or conditions. The information from COL information items identified in Tier 2, Section 13.6, is relied on to identify key design commitments and acceptance requirements that must be verified through ITAAC for site-specific PSS constructed and installed to perform security functions as designed and relied on to implement the security programs.

Regulatory Basis

Regulations in 10 CFR 52.47, Contents of Applications; Technical Information, require that information submitted for a DC must include performance requirements and design information sufficiently detailed to permit the preparation of acceptance and inspection requirements by the NRC, as well as procurement specifications and construction and installation specifications by an applicant. The provisions in 10 CFR 52.47(b)(1) require the APR1400 application to contain the proposed ITAAC that are necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria are met, a facility that incorporates the design certification has been constructed and will be operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and the Commission's rules and regulations.

The NRC security regulations, 10 CFR Part 73, Physical Protection of Plants and Materials, include performance and prescriptive requirements that, when adequately met and implemented, provide protection against acts of radiological sabotage, prevent the theft or diversion of SNM, and protect Safeguards Information.

In accordance with requirements of 10 CFR 73.55(b), the COL applicant must establish and maintain a physical protection system and security organization whose objective will be to provide high assurance that activities involving SNM are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety. A physical protection system (i.e., detection, assessment, communication, and response), with capabilities to detect, assess, interdict, and neutralize, shall be designed to protect against the DBT of radiological sabotage.

Regulations in 10 CFR 73.55(b)(2) establish the performance requirements to protect a nuclear power plant against the DBT for radiological sabotage as described in 10 CFR 73.1(a)(1), Radiological Sabotage. The COL applicant must describe how it will meet regulatory requirements, including achieving the high assurance objective for the protection against the DBT of radiological sabotage. The provisions within 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks; 10 CFR 73.55, Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors against Radiological Sabotage; 10 CFR 73.56, Personnel Access Authorization Requirements for Nuclear Power Plants; 10 CFR 73.58, Safety/Security Interface Requirements for Nuclear Power Reactors; Appendix B, General Criteria for Security Personnel; and Appendix C, Nuclear Power Plant Safeguards Contingency Plans, establish performance and prescriptive requirements that are applicable to designs of PSS, operational security requirements, management processes, and programs.

The requirements in 10 CFR Part 52, regarding certification of design, limit the application of regulatory requirements that are specific to PSS within the scope of the APR1400 standard design. According to 10 CFR Part 52, Subpart C, Combined Licenses, the operational or administrative controls, programs, and processes (e.g., management systems or controls) are addressed by the COL applicant and are not in the scope for certification of the APR1400 standard design.

An applicant may apply the latest revision of the following regulatory guidance documents, and accepted industry codes, standards, or guidance, to meet regulatory requirements on ITAAC:

(1) RG 1.68, Initial Test Programs for Water-Cooled Nuclear Power Plants, Revision 3, issued 2007.

(2) RG 1.206, Combined License Applications for Nuclear Power Plants (Light-Water Reactor (LWR) Edition), Revision 0, issued 2007.

(3) NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, issued March 2007.

(4) NUREG-0800, Standard Review Plan, Section 14.3.12, Physical Security Hardware - Inspections, Tests, Analyses, and Acceptance Criteria (PS-ITAAC), Revision 1, issued May 2010.

The NRC guidance, approaches, and examples described above and in other guidance for methods of compliance are not regulatory requirements and are not intended to be the only methods for meeting regulatory requirements. The applicant may use methods or approaches for implementing NRC regulations other than those discussed in agency guidance, provided that such measures satisfy the relevant and applicable NRC regulatory requirements.

Technical Evaluation

The staff's technical review consists of determining whether the applicant adequately described physical security ITAAC that provides reasonable assurance that, if the ITA are performed and the acceptance criteria are met, a facility that incorporates the design certification has been constructed and operated in conformity with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and the Commission's rules and regulations. The staff's review determined whether the applicant adequately identified physical security ITAAC and described appropriate ITA needed for verification and the appropriate acceptance criteria capturing the intended security functions, reliability and availability, or performance of selected PSS for ITAAC verification and closure, in accordance with 10 CFR 52.47(b)(1).

The PSS described in the APR1400 standard design (and those specific to a COL application) must be reliable and available to ensure performance and to meet intended security functions. The PSS are required to meet applicable performance and prescriptive requirements of 10 CFR Part 73. Within this context, the applicant addresses PSS that are within the scope of the APR1400 DC. The design and technical bases for PSS within the scope of the APR1400 DCD are described in DCD Tier 2, Section 13.6, and TeR APR1400 E-A-NR-14002-P-SGI. These documents provide the systems designs and performance requirements supporting the identified ITAAC design commitments for verification.

The staff's review also included the following applicant responses submitted to address the RAIs and resulting revisions to the DCD Tier 1, Tier 2, and referenced technical reports:


Design Commitments, Inspections, Tests, Analyses, and Acceptance Criteria

In DCD Tier 1, Chapter 2.0, Design Description and ITAAC, Section 2.12, Physical Security Hardware, the applicant described the specific design commitments for PSS that are within the scope of the APR1400 DC. In DCD Tier 1, Section 1.2.2, Implementation of ITAAC, the applicant described the arrangement of ITAAC tables applicable to PSS. Consistent with safety-related ITAAC, the first column proposes design requirements or commitments extracted from the design description that must be verified. The second and third columns identify proposed methods of verifications and acceptance criteria that demonstrate that design requirements or commitments are met, respectively.

In DCD Tier 1, Section 2.6.8, Lighting Systems, the applicant provided design descriptions for the plant's normal and emergency lighting. Table 2.6.8-1, Lighting System Inspections, Tests, Analyses, and Acceptance Criteria [2 sheets], includes normal and emergency [alternating current (ac) and direct current (dc)] lighting systems. DCD Tier 1, Section 2.6.9, Communication Systems, and Table 2.6.9-1, Communication Systems ITAAC, include independent plant communication systems. Section 2.6.9 provides design descriptions and the inspections and tests for the plant's communication systems for intra-plant and plant-to-offsite communications during normal, transient, fire, accidents, off-normal phenomena (e.g., loss-of-offsite power), and security-related events.

The DCD Tier 1, Section 2.12, Physical Security Hardware, provides design descriptions for PSS that are within the scope of the APR1400 standard design to detect, assess, and delay intrusion, communicate, and assist response to protect against the design-basis threat for radiological sabotage. The design descriptions include the following:

  • Vital equipment and central alarm station (CAS) and secondary alarm station (SAS) locations.
  • Bullet-resistant constructions for main control room and CAS and SAS.
  • Lock, intrusion detection, and alarm of vital areas and access points.
  • Vehicle barrier system is installed and located at safe standoff distance.
  • Alarm annunciation and video assessment capabilities.
  • Secondary security power supply systems.
  • Supervision, tamper, and trouble indications for security alarms.
  • Intrusion detection system capabilities and recording of functions.
  • Communications capabilities from CAS to various locations.

The DCD Tier 1, Section 2.12, also provides specifics on engineered PSS that are not within the scope of the APR1400 standard design, which will not be certified and are addressed by the COL applicant. Section 2.12.1 Items 2.a, 2.b, 2.c, 3.a, 3.b, 3.c, 4.a, 4.c, 8.a, 8.b, and 9 are structures, systems, or components of a physical protection system that are located outside of the nuclear power block, within the plant protected area and owner control area, or engineered systems implementing elements of the physical security program that may be addressed by the COL applicant (i.e., outside of the scope of a standard design).

The staff issued RAI 197-8176 (ML15247A004) Questions 14.3.12-1a, 12.c, and 12.d, requesting that the applicant provide additional design descriptions sufficient to describe the PSS within and outside of the scope of the APR1400 standard design for the physical security ITAAC, conforming to guidance in Revision 1 of SRP 14.3.12. In its response to RAI 197-8176 (ML15315A042) Question 14.3.12-1a, the applicant included proposed revisions to the design descriptions for engineered PSS, conforming to SRP 14.3.12. In response to RAI 197-8176, Question 14.3.12-1.c, the applicant proposed to revise DCD Tier 1 Section 2.12.1 so that the design descriptions state that "[t]he alarm system will not allow the status of a detection point, locking mechanism or access control device to be changed without the knowledge and concurrence of the alarm station operator in the other alarm station." In response to RAI 197-8176, Question 14.3.12-1d, the applicant committed to update DCD Tier 1, Section 2.12.1, to establish item 11.c and provide a design description that states "[e]quipment will record onsite security alarm annunciation, including the location of alarm, false alarm, alarm check, and tamper indication; and the type of alarm, location, alarm circuit, date, and time," and renumber a subsequent item as 11.d. The additional design descriptions for the intrusion detection and assessment system in Section 2.12.1 conform to SRP Section 14.3.12, and the staff finds the applicant's response acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Questions 14.3.12-1a, 14.3.12-1c and 14.3.12-1d. Therefore, RAI 197-8176, Questions 14.3.12-1a, 14.3.12-1c and 14.3.12-1d are resolved and closed.

DCD Tier 1, Table 2.12-1, Physical Security Hardware ITAAC [4 sheets], provides the ITAAC for the PSS that are within the scope for the APR1400 standard design. The design commitments include those related to vital equipment locations, physical barriers, physical controls and security measures for vital areas, intrusion detection, assessment, CAS and SAS, secondary power supply, access controls of vital areas, and communications meeting requirements of 10 CFR Part 73, Physical Protection of Plants and Materials. The applicant indicated that the descriptions of site-specific physical protection systems design and related ITAAC are to be addressed by the COL applicant that references the APR1400 DC.

RAI 197-8176, Question 14.3.12-1b, requested the applicant to provide additional design descriptions in sufficient detail in Section 2.12.1 to fully address the requirements in 10 CFR 73.55, conforming to SRP Section 14.3.12, and identify whether they are within the scope of the APR1400 standard design or will be addressed by the COL applicant. In its response to RAI 197-8176, Question 14.3.12-1b, the applicant revised the design descriptions for PSS, conforming to SRP 14.3.12. The staff therefore finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-1b. Therefore, RAI 197-8176, Question 14.3.12-1b, is resolved and closed. Revision 1 to Tier 1 DCD Table 2.12-1, Physical Security Hardware ITAAC [7 sheets], incorporates changes to indicate the design commitments for physical security hardware ITAAC that are within the scope of the APR1400 standard design and those that will be addressed by the COL applicant. The revised design commitments (and as applicable ITA and acceptance criteria within the scope of the DC) conform to SRP Section 14.3.12.

In DCD Tier 1, Table 2.12-1, the applicant identified intrusion detection and assessment systems as those reserved for a COL applicant (i.e., site-specific PSS and ITAAC). The reserved ITAAC addressing these requirements are to be addressed as site-specific information provided by a COL applicant referencing the APR1400 standard design (i.e., COL 14.3(3)).

COL 14.3(3) states that "[t]he COL applicant is to provide the proposed ITAAC for the facility's physical security hardware addressed in Section 14.3.2.12," which requires a COL applicant that references the APR1400 DC to provide ITAAC and test abstracts that are not addressed in the DCD. The staff issued RAI 197-8176, Question 14.3.12-8 (ML15247A004), requesting the applicant to correct COL 14.3(3) to indicate that the COL applicant will only address those physical security ITAAC not addressed in the DCD, instead of all physical security ITAAC. In its response to RAI 197-8176, Question 14.3.12-8 (ML15315A042), the applicant revised COL 14.3(3). The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-8. Therefore, RAI 197-8176, Question 14.3.12-8, is resolved and closed. Revision 1 of DCD Tier 2 Section 14.3.6 included changes resulting in renumbering of COL items, to establish COL Item No. COL 14.3(4) to indicate that "[t]he COL applicant is to provide the proposed ITAAC for the facility's physical security hardware not addressed in the DCD in accordance with RG 1.206." In addition, DCD Tier 2 Section 14.3.2.12, ITAAC for Physical Security Hardware, also indicates the same COL commitment and references the COL Item No. COL 14.3(4).

The applicant stated in DCD Tier 2, Section 14.3.2.12, that "[t]he standard plant physical security ITAAC are consistent with the guidance provided in SRP Section 14.3 (Reference 2) and the applicable generic ITAAC in SRP Section 14.3.12 (Reference 14)." The verification of APR1400 standard design includes the PSS described in DCD Tier 1, Section 2.12.

The staff finds the following:

  • The applicant has adequately identified and described attributes for a physical protection system meeting design bases and security functions of detection, assessment, communications, delays, and responses as ITAAC for verification.

The APR1400 DCD Tier 1 identified general design commitments and ITAAC that conform with those described in SRP 14.3.12, that address vital areas and vital area access controls, illumination, bullet-resistant barriers, vehicle barrier systems stand-off distance, alarm stations, secondary power supply, interior intrusion detection and assessment systems signal display and recording transmission line supervision and monitoring, emergency exits controls, and security communications.

  • The applicant has adequately identified other PSS, such as protected area barriers; isolation zones, protected area (PA) intrusion detection; personnel, vehicles, material access control, and personnel identification systems that are outside the scope of the APR1400 standard design and will be addressed by the COL applicant. COL 14.3(1) requires a COL applicant that references the APR1400 standard design to provide ITAAC for the site-specific portions of the plant systems specified in Section 14.3.3, Interface Requirements.
  • The staff concludes that the identified PSS ITAAC selected for verification, in parts within the scope of the DC, are adequate to verify and demonstrate that the construction, installation, or configurations of PSS will operate and meet intended security functions in accordance with the design bases of the APR1400 standard design. The applicant adequately identified PSS ITAAC in the DCD Tier 1 for meeting the regulatory requirement of 10 CFR 52.47(b)(1).

Verification Program and Processes

The applicant, in DCD Tier 2, Section 14.2, Initial Plant Test Program, described the initial test program (ITP) that is performed during initial startup of the APR1400 plant. The ITP includes test activities commencing with the completion of construction and installation and ending with the completion of reactor power ascension testing.

The verification program included preoperational tests that provide reasonable assurance that systems and equipment perform in accordance with the safety analysis report. Test results are analyzed to verify that systems and components are performing satisfactorily and if not, to provide a basis for recommended corrective action. Table 14.2-1, Preoperational Tests, lists the preoperational tests, which included Sections 14.2.12.136 through 14.2.12.146, addressing PSS or features identified as ITAAC in the DCD Tier 1. The preoperational tests also included normal and emergency lighting systems that are relied on for safety and security functions.

The applicant indicated that the organization and staffing for performing the APR1400 initial test program are the responsibility of the COL applicant. The organization and staff are responsible for planning, executing, and documenting the plant initial testing and related activities, and developing site-specific organization and staffing level appropriate for its facility. The COL applicant also develops the management systems and processes, developing site-specific procedures and guidelines for conducting tests; submitting detailed test procedures for NRC review; preparing and planning conduct of test program; reviewing, evaluating, and approving test results; and maintaining records of tests. The testing program for establishing schedules and plans for operational testing for plant startup, with review and inspection of procedures prior to testing sequences for tests are described in Section 14.2.12, Test Descriptions. The applicant described the procedure test abstracts for developing detailed test procedures for the test program.

Section 14.2.13, Combined License Information, COL 14.2(1) through COL 14.2(7) established that the COL applicant will develop the details for the management systems (processes and procedures) and organization and staffing necessary for planning and implementing an initial test program.

The applicant described the management controls and processes for the test program that included the following:

  • Test specifications that included test objectives, prerequisites, test method, data required, acceptance criteria, and special considerations, along with a process for preparation and approval procedures.
  • Review, approval, closure, and documentation of test activities that verify ITAAC and managing unresolved test deficiencies, test closure and records.
  • Organization and personnel for implementing verification program.

In DCD Tier 2, Section 14.3.5.1, Design ITAAC Closure Process, the applicant described options for design ITAAC closure through an amendment of the DC rule, closure through the COL application review process, or closure after COL issuance.

The staff finds the following:

  • The applicant identified COL information items for establishing the test organization and the management controls and processes for the initial test program. The applicant has established that a COL applicant that references the APR1400 standard design will address management systems and processes needed to implement verifications of ITAAC, including procedurally controlling and documenting the preparations, reviews, approvals, closeouts, and records.
  • The system test process, as described in Tier 2 Sections 14.2 and 14.3, which the COL applicant must establish, if adequately implemented, will demonstrate through testing that engineered physical security structures, systems, or components perform their intended security functions as designed.
  • The staff concludes that the applicant has established, in the APR1400 DCD, the requirements that a COL applicant referencing the APR1400 standard design would establish the management systems, processes, and organization that will verify the installation, construction, and performance that are identified for ITAAC under the verification program.

Test Abstracts for Physical Security Systems ITAAC

The applicant described procedure test abstracts (also referred to as test abstracts) in DCD Tier 2, Section 14.2.12.1, Preoperational Tests, to support ITA for verifying the identified physical security ITAAC in Tier 1 of the DCD. The physical security ITAAC procedure test abstracts are provided in the same format used for safety-related and other plant system preoperational tests described in the DCD Tier 2, Chapter 14. The test abstracts provided the framework for the development of detailed test procedures for the conducting of inspections, tests, and analyses that will be performed and the verification of acceptance criteria that, if met, will demonstrate that the plant incorporated the DC and the identified PSS built will operate in accordance with the DC.

The applicant described test abstracts consisting of objectives, prerequisites, methods (inspections, tests, and/or analyses), data required, and acceptance criteria for the verification of the following:

  • Locations of vital equipment.
  • Access to vital equipment.
  • Equipment to permit observation of abnormal presence or activity of persons or vehicles.
  • Vehicle barrier system to protect against the design basis threat vehicle bombs.
  • Vital area with active intrusion detection systems.
  • Security alarm annunciation and video assessment information.
  • Location and equipment of the central and secondary alarm stations.
  • Secondary security power supply system.
  • Intrusion detection and assessment systems.
  • Equipment and emergency exits.
  • Security communication systems.

The staff issued RAI 197-8176, Question 14.3.12-6 (ML15247A004) requesting the applicant to provide descriptions of construction activities, preoperational testing, and test procedures for verifying PSS constructions and installations within the scope of the APR1400 standard design.

In its response to RAI 197-8176, Question 14.3.12-6 (ML15315A042), the applicant included procedure test abstracts for physical security ITAAC within the APR1400 standard design. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-6. Therefore, RAI 197-8176, Question 14.3.12-6, is resolved and closed.

Revision 1 to the DCD Tier 2 Section 14.2.12 describes the procedure test abstracts for physical security ITAAC in Sections 14.2.12.1.142 through 14.2.12.1.153. The revisions include two additional procedure test abstracts, Section 14.2.12.1.145 and Section 14.2.12.152, Equipment to permit observation of abnormal presence or activity of persons or vehicles, and Bullet-Resisting barriers, respectively. The applicant provides adequate and reasonable descriptions of the test objectives, prerequisites, test methods, and acceptance criteria in the additional procedure test abstracts for verifying PSS.

The staff finds that the applicant's descriptions for elements of the procedure test for PSS (i.e., objectives, prerequisites, test methods, data required, and acceptance criteria) are adequate.

The procedure test abstracts consist of the descriptions for the verification of identified physical security ITAAC and support the DCD Tier 1 descriptions of ITAAC for meeting 10 CFR 52.47(b)(1). The staff concludes that the test abstracts for PSS conform to guidance provided in NUREG-0800, and are adequate and reasonable for describing the framework for developing specific ITA for the verification of PSS identified as ITAAC within the scope of the APR1400 standard design.

14.3.12.4.3.1 Inspections, Tests, and Analyses for Vital Equipment and Vital Areas

The applicant, in DCD Tier 2, Section 14.2.12.1.136, Location of vital equipment, describes the procedure test abstract for physical security ITAAC 1.a, and addressed the ITA protocol for verifying design commitments for meeting regulatory requirements and design specific requirements for the vital area. The applicant indicated that the objective is to demonstrate that vital equipment is located within the vital areas protected in accordance with regulatory requirements. The verification method included inspections of the installed location of vital equipment listed in the applicant's TeR APR1400-E-A-NR-14002-P-SGI, Physical Security Design Features. The acceptance criterion is that the vital equipment listed is located within a vital area.

DCD Tier 2, Section 14.2.12.1.137, Access to vital areas, describes the test abstract for physical security ITAAC 1.b for the design requirement that access to vital equipment requires passage through the vital area barrier. The objective is demonstrating that the access to vital equipment requires passage through at least two physical barriers. The methods included inspections that locate each component of vital equipment and verification that access to each component met the objective stated. The list of vital equipment in the applicant's TeR APR1400 E-A-NR-14002-P-SGI, is identified as information needed for verification of physical security ITAAC 1.b. The acceptance criterion is that access to each component of vital equipment requires passage through at least two physical barriers, one of which can be the protected area barrier (and the other is the vital area barrier).

DCD Tier 2, Section 14.2.12.1.140, Vital area with active intrusion detection system, describes the test abstract for physical security ITAAC 10 for locked and alarmed access into vital areas.

The test objective is to determine that vital areas have locked and alarmed personnel access barriers and that unauthorized access is detected and alarmed at the central and secondary alarm stations upon intrusion into a vital area. The test methods included testing unauthorized opening of each vital area access door to verify that an intrusion alarm is generated; verifying that the alarm is detected by alarm annunciator computers and displays in the CAS and SAS; verifying that alarm information; and verifying authorized access and recording of access information. The test and inspection verifications apply to all vital areas, which are locked with activated intrusion detection systems, and demonstrate that activated intrusion detection systems annunciate in the CAS in the event of an unauthorized and attempted access of an unoccupied vital area.

DCD Tier 2, Section 14.2.12.1.145, Equipment and emergency exits, describes the test abstract for physical security ITAAC 15.a for vital area emergency exits. The test abstract identified that the objective is to verify that each of the emergency exits from the vital areas has installed locking devices which will allow emergency egress and installed alarms that will notify the alarm station operator that the door has been opened. The test methods included inspections and tests of alarm initiation and indication and the tests of locking devices. The tests operate the emergency egress locking mechanism in the vital area, verify that an alarm is generated when the door is opened, and verify that the alarm information is displayed at the CAS and SAS.

The prerequisites identified in the test abstracts included the completion of construction for physical barriers, protection of penetrations, installation of locking devices, intrusion detection and alarm systems, completion of CAS, etc., before verification by selected test methods. The acceptance criteria identified for the ITAAC related to the vital areas are the successful inspections and tests that verify locking, intrusion detection, and alarms in accordance with requirements of 10 CFR 73.55(e)(9)(i) through (iii) and 10 CFR 73.55(e)(8)(iii).

The staff finds that the applicant has provided adequate and reasonable descriptions of the test objectives, prerequisites, test methods, and acceptance criteria that support the identified ITAAC related to the vital equipment and vital areas and emergency exit controls for the vital areas in DCD Tier 2, Tier 1, Section 2.12.1, Design Description, and Table 2.12-1, Physical Security Hardware Inspections, Tests, Analyses, and Acceptance Criteria. The test abstract supports the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

14.3.12.4.3.2 Inspections, Tests, and Analyses for Alarms, System Supervision, Assessment, and Records

DCD Tier 2, Section 14.2.12.1.141, Security alarm annunciation and video assessment information, describes the test abstract for physical security ITAAC 11.a for security alarm annunciation and video assessment. The test abstract identified that the objective is to verify that the intrusion alarm system at the protected area perimeter generates the appropriate alarms and that the video assessment equipment captures the necessary images to perform assessment of the alarms. The test methods include testing of intrusion detection systems, security alarm annunciation, and video assessment capabilities in the CAS and SAS. This abstract addresses additional intrusion alarms and assessment at the vital areas that are verified under physical security ITAAC 10, where an alarm is generated when the door is opened and the door information is displayed at the CAS and SAS for assessment. The test methods included testing of intrusion detection systems, security alarm annunciation, and video assessment capabilities in the CAS and SAS, and include observations of video images from alarm zones to assess the cause of the alarm. The tests and inspections verify that video images are captured in varying lighting situations to determine that assessment capability is available under all expected lighting circumstances. The acceptance criteria identified for the ITAAC related to the CAS and SAS are the successful inspections and tests that verify alarm indications and video assessment capabilities in accordance with prescriptive requirements of 10 CFR 73.55(i)(2).

DCD Tier 2, Section 14.2.12.1.142, Location of equipment of the central and secondary alarm stations, describes the test abstract for physical security ITAAC 11.b for CAS and SAS. The applicant indicated that the objective is to verify the locations of CAS and SAS meet the regulatory requirements and that the equipment located in each alarm station is equivalent and redundant. The test methods included determining the locations of CAS and SAS are in vital areas, not visible from outside the protected area, have equipment for alarm annunciation and assessment, and have all the required communication equipment. The acceptance criteria identified for the ITAAC related to the CAS and SAS design and configurations of equipment for performing alarm station functions at the CAS and SAS are in accordance with 10 CFR 73.55(i)(4)(ii)(A) and 10 CFR 73.55(i)(4)(iii).

In addition to the verifications described in Section 14.2.12.1.142, for location and equipment of CAS and SAS, the staff identified that the test abstract did not address the verification of locations of and analyses for a single act identified in physical security ITAAC 11.c. The staff issued RAI 465-8565 (ML16110A100), Question 14.3.12-10.c requesting the applicant to address ITAAC 11.c in the test abstract, which may be described in either Section 14.2.12.1.142 or Section 14.2.12.1.139, which will verify that the vehicle barrier system is installed at a minimum safe-standoff distance that protects the CAS and SAS. In its response to RAI 465-8565 (ML16183A350), Question 14.3.12-10.c, the applicant committed that test abstract 14.2.12.1.142 will be revised to include in the objective and acceptance criteria verification of locations of the CAS and SAS to satisfy the no single act exposure criteria. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 465-8565, Question 14.3.12-10.c. Therefore, RAI 465-8565, Question 14.3.12-10.c is resolved and closed. Revision 1 to the DCD Section 14.2.12 included an additional procedure test abstract in Section 14.2.12.1.144, Vehicle barrier system to protect against the design basis threat vehicle bombs. The addition establishes the objective to verify that a vehicle barrier is installed and located at the minimum safe-standoff distance to protect against the design basis vehicle bombs. The procedure test abstract, consisting of the objective, pre-requisites, test method, data required, acceptance criteria, and special precautions, is sufficiently described for developing detailed procedures and tests for the ITA of the required vehicle barrier system.

DCD Tier 2, Section 14.2.12.1.144, Intrusion detection and assessment systems, describes the test abstract for ITAAC 13.b and 14 for intrusion and assessment systems and alarm recording equipment. The objective is to demonstrate that intrusion detection systems and video assessment are capable of detecting and assessing and recording onsite security alarm annunciation and disposition of each alarm. The prerequisites identified include complete installation of security alarms, complete construction of alarm station and installation of equipment in ITAAC 11.a and 11.b. The test method includes test and verification of intrusion detection system to perform detection of attempted penetration of the PA physical barriers. The test abstract established acceptance criteria that the intrusion detection system for each zone is capable of detecting penetration or attempted penetration of the protected area barrier and the video assessment equipment are capable of recording and playing back video images to allow assessment for physical security ITAAC 14 and the security alarm indicates the types of alarms and their locations with visual and audible indications in accordance with requirements of 10 CFR 73.55(i)(3)(i) through 10 CFR 73.55(i)(3)(v). The test abstract includes a test method for alarm recording equipment performance for recording the types of alarms and their dispositions.

The acceptance criteria include verifying recording of types of alarms, locations of alarms, alarm circuit, dates, and time and status alarm, in accordance with 10 CFR 73.55(i)(4)(ii)(H).

The applicant did not describe the test abstract for physical security ITAAC 13.a, for security alarms tamper indication and system supervision of security alarm devices and transmission lines. The objectives to demonstrate that security alarm devices including transmission lines to annunciators are tamper indicating and self-checking, the test methods that will be applied are tests to verify tamper indication from security alarm devices and alarm system circuit self-checking functions, and the acceptance criteria, such as the security alarm devices including transmission lines to annunciators are tamper indicating and self-checking to meet the requirements of 10 CFR 73.55(i)(3)(iv) and 10 CFR 73.55(i)(3)(iv), have not been established for reasonable assurance that the procedure developed will adequately verify ITAAC 13.a.

RAI 465-8565, Question 14.3.12-10.d was issued to the applicant to provide a procedure test abstract (consisting of objectives, prerequisites, test method, data required, acceptance criteria, and special precautions) for physical security ITAAC 13.a in DCD Tier 1, Table 2.12-1. In its response to RAI 465-8565 (ML16183A350), Question 14.3.12-10.d, the applicant committed that a new test abstract 14.2.12.1.148 will be added to Section 14.2.12.1 to cover ITAAC Item 13.a in Table 2.12-1 on physical security hardware (e.g., alarm, devices and transmission lines). The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 465-8565, Question 14.3.12-10.d. Therefore, RAI 465-8565, Question 14.3.12-10.d is resolved and closed. Revision 1 to DCD Tier 2 Section 14.2.12.1.153, incorporates procedure test abstract for verifying security alarm devices and transmission lines to the alarm annunciation system are tamper indicating and self-checking and verifying that the alarm annunciation at the CAS and SAS indicates type of alarm. The procedure test abstract, consisting of the objective, pre-requisites, test method, data required, acceptance criteria, and special precautions, is sufficiently described for developing detailed procedures and tests for the ITA for physical security ITAAC 13.a.

The staff finds that the applicant has provided adequate and reasonable descriptions of the test objectives, prerequisites, test methods, and acceptance criteria that support the identified ITAAC related to security alarms, assessment, and intrusion detection system recording in DCD Tier 1, Section 2.12.1, Design Description, and Table 2.12-1, Physical Security Hardware Inspections, Tests, Analyses, and Acceptance Criteria. The test abstracts support the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

14.3.12.4.3.3 Inspections, Tests, and Analyses for Security Communications

In DCD Tier 2, Section 14.2.12.146, Security communication systems, the applicant described the test abstract for physical security ITAAC 16.a, 16.b, and 16.c for security communications that the objective is to verify the regulatory required capabilities of the installed communication system to support security requirements. The prerequisites include the complete installation of plant communication systems and components for the public address system, plant telephone system, and wireless communication system and complete installations of operational communications equipment in the CAS, SAS, and Main Control Room (MCR).

The test methods include a performance test of communications systems to verify availability of public address system, plant telephone system, voice communications with offsite local law enforcement authorities, wireless communications system (radios), and non-portable security communication system. The tests are performed to verify communications between CAS, SAS, and MCR, test the portable radio system and backup plant system between CAS and SAS and security personnel and defensive positions, and verify continuity of communications capabilities on secondary power supply (i.e., loss of normal power). The test method includes the verification of systems capabilities for open and cleared communications that can be heard where plant personnel are located. The identified tests include use of the local law enforcement remote radio system provided to the CAS and SAS to communicate with the local law enforcement agency. The applicant indicated that security communication system and plant communication systems are independent of each other. The verification of Table 2.12-1, Items 16.a, 16.b, and 16.c, are performed independently from those of the plant communication systems, which are addressed in DCD Tier 2, Section 9.5, Other Auxiliary Systems.

The staff issued RAI 197-8176, Question 14.3.12-4 (ML15247A004), requesting the applicant to provide additional design descriptions for the security and plant communication systems captured in the DCD and provide a procedure test abstract for verifying security communication systems in Table 2.12-1 and Table 2.6.9-1 for PSS within the scope of the APR1400 standard design. In its response to RAI 197-8176, Question 14.3.12-4 (ML15322A217), the applicant included additional design descriptions and procedures test abstracts for security and plant communications systems within the APR1400 standard design. The applicant committed to revise the DCD to provide descriptions of the security communication system from DCD Tier 2, Sections 9.5.2.2.1.5 and 9.5.2.2.1.8 to separate Sections 9.5.2.2.3 and 9.5.2.2.3.1 through 9.5.2.2.3.3. In addition, the revision would include Section 14.2.13 and Table Nos. 14.2-7 (11 of 18) and 1.8-2 (25 of 29) to indicate independence of the security communication systems and revise DCD Tier 2, Table 14.2-1, Preoperational Tests, to identify Section 14.2.12.1.146. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-4. Therefore, RAI 197-8176, Question 14.3.12-4 is resolved and closed.

Revision 1 to DCD Tier 2 Section 9.5.2.1.e, indicates that security communications measures are provided as required by 10 CFR 73.55(j) to support capabilities for onsite and offsite, alarm stations, on-duty security force personnel, and uninterruptable power supply for security operations. DCD Tier 2 Section 9.5.2.2, System Description, for communication system included communications for the security alarm stations and security building. DCD Tier 2 Section 9.5.2.2.3, Security Communication System, addresses the design requirements for independent plant telephone and wireless communication subsystems and power supply.

In Revision 1 to DCD Tier 2 Section 9.5.2.2.3.2, the applicant indicated that: [t]he COL applicant is to provide the security radio system which consists of a base unit, mobile units, and portable units (COL 9.5(10)). The description of this COL information item was removed from Section 9.5.2.2.1.8, Wireless Communication System. COL 9.5(1) is provided to include the items identified in Section 9.5.10, Combined License Information, which are to be addressed by a COL applicant that references the APR1400 Certified Design. Individual Test on Table 14.2-7, Conformance Matrix for RG 1.68 Appendix A versus Individual Test Description, identifies an exception for Individual Test, which states that [t]he COL applicant will prepare the site-specific preoperational and start-up test specification and test procedures and/or guidance for plant and offsite plant communication systems (COL 14.2(17)). Revision 1 to DCD Tier 1 Table 1.8-2, Combined License Information Items, incorporated COL 14.2(17) as previously described.

The acceptance criteria identified include: (a) communications between the CAS, SAS, and the MCR can be accomplished and remain operable in the event of loss of normal power; (b) the public address system can be used to broadcast security alerts and instructions to plant areas; (c) the plant telephone system can communicate with local law enforcement agency to call for assistance; (d) the wireless communication system provides continuous communication with the security force members and remains operable from the secondary power supply; (e) secondary power supply to non-portable wireless communication system components is located in a vital area; and (f) the local law enforcement remote radio equipment in CAS and SAS can be used to contact local law enforcement agencies during an emergency, in accordance with requirements of 10 CFR 73.55(j)(4)(i) through (4)(ii), 10 CFR 73.55(j)(3), 10 CFR 73.55(e)(9)(vi), and 10 CFR 73.55(e)(9)(vi)(B).

The staff finds that the applicant has provided an adequate and reasonable description of the test objectives, prerequisites, test methods, and acceptance criteria that support the identified physical security ITAAC related to security communications in DCD Tier 1, Section 2.12.1, Design Description, and Table 2.12-1, Physical Security Hardware Inspections, Tests, Analyses, and Acceptance Criteria. The test abstracts support the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

14.3.12.4.3.4 Inspections, Tests, and Analyses for Security Secondary Power Systems

In DCD Tier 2, Section 14.2.12.1.143, Secondary security power supply system, the applicant described the test abstract for physical security ITAAC 12 for the secondary security power supply system. The applicant stated that the objectives are to verify that the secondary security power supply system is located in a vital area and is switched on [i.e., transferred to secondary power supply] when the normal power is lost. The inspection includes locations of the secondary power supply equipment and verifies that it is within a vital area and tests to switch off the normal power to security alarm annunciation equipment and verifies that secondary power supply system can be switched on to repower the alarm annunciation equipment, in accordance with requirements of 10 CFR 73.55(e)(9)(vi) and 10 CFR 73.55(e)(9)(iv)(A). DCD Tier 2, Section 14.2.12.1.146, describes the test abstract for security communication for verification of secondary power supply for security communication systems in accordance with the requirement of 10 CFR 73.55(e)(9)(vi)(B).

The staff finds that the applicant has provided adequate and reasonable descriptions of the test objectives, prerequisites, test methods, and acceptance criteria that support the verification of identified ITAAC related to security secondary power systems in DCD Tier 1, Section 2.12.1, Design Description, and Table 2.12-1, Physical Security Hardware Inspections, Tests, Analyses, and Acceptance Criteria. The test abstracts support the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

14.3.12.4.3.5 Inspections, Tests, and Analyses for Security Lighting Systems

DCD Tier 1, Section 2.6.8, Lighting Systems, and Table 2.6.8-1, Lighting Systems ITAAC, describe the design commitments for the plant lighting systems, which include normal and emergency lighting systems. DCD Tier 1, Section 2.12.1, Design Description, includes a design commitment for the security lighting system to provide illumination of the exterior area of the PA and the isolation zone. Table 2.12-1, Physical Security Hardware ITAAC, identified ITAAC 5, for security lighting providing illumination for security functions.

DCD Tier 1, Table 2.1.2-1, Physical Security Hardware ITAAC, included ITAAC 5, which verifies the design commitment that isolation zones and exterior area within the protected areas are provided with illumination to permit observation of abnormal presences or activity of persons or vehicles. DCD Tier 2, Section 14.2.12.1.138, Equipment to permit observation of abnormal presence or activity of persons or vehicles, describes test abstract objective to verify that CCTV equipment is in place to observe the isolation zones and areas at the PA for abnormal presence or activity of persons and/or vehicles. The test methods included inspection of monitors to allow observation of a subject individual on the CCTV monitors in the isolation zone and the PA, determination of the clarity and visual range of CCTV cameras, and testing of camera capability to zoom and pan to assess plant areas. The acceptance criteria include assurance that the camera and systems provide fields of observations of persons, vehicles, and activities in the isolation zone and areas of the PA barriers. Although the applicant addresses verification of camera system(s) for observation, along with test abstracts in Section 14.2.12.1.144, the test abstract described does not verify that equipment is provided and adequate exterior illuminations at the isolation zone and the PA permits observations of abnormal presence or activity of person or vehicle. RAI 465-8565 (ML16110A100), Question 14.3.12-10.a, was issued for the applicant to address the verification of system and equipment that will provide illumination, along with CCTV, to permit observation and assessment of the isolation zone and the PA in DCD Tier 2, Section 14.2.12.1.138. In its response to RAI 465-8565 (ML16183A350), Question 14.3.12-10.a, the applicant committed to revise Test Abstract 14.2.12.1.138 to address the illumination equipment discussed in ITAAC Item 5 in Table 2.12-1. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 465-8565, Question 14.3.12-10.a. Therefore, RAI 465-8565, Question 14.3.12-10.a is resolved and closed. Revision 1 to DCD Tier 2, Section 14.2.12.1.143, Equipment to permit observation of abnormal presence or activity of person or vehicles, incorporates and provides adequate descriptions for the verification of systems and equipment that will provide illumination levels that are sufficient to allow observation of persons and/or vehicles in the exterior area of the protected area.

DCD Tier 2, Sections 14.2.12.1.80, Normal Lighting System Test, and 14.2.12.1.81, Emergency Lighting System Test, describe the test abstracts for verifying the normal and emergency lighting systems provide illuminations of plant areas within the nuclear island or structures. In addition, DCD Tier 2, Sections 14.2.12.1.86 through 14.2.12.1.88, include verification of the continuity of power sources for plant lighting systems, to ensure that portions of the plant systems, including building interior lighting, remain available during accident scenarios and power failures. The ITAAC for plant normal and emergency lighting systems are established in DCD Tier 1, Table 2.6.8-1, Lighting Systems ITAAC. The lighting systems are credited by safety and security programs for illumination necessary to perform required response in the event of a safety or security event. The staff's findings for descriptions of test abstract for verifying design commitments for normal and emergency plant lighting are addressed under review of DCD Tier 2, Section 14.3.2.6, ITAAC for Electrical Systems, and are not included in this portion of the staff security review and finding for verification of dedicated PSS.

Title 10 CFR 73.55(i)(6)(i) requires that the licensee shall ensure that all areas of the facility are provided with illumination necessary to satisfy the design requirements of 10 CFR 73.55(b) and implement the protective strategy. Section 73.55(i)(6)(ii) requires a minimum illumination level of 0.2 foot-candles in the isolation zones and appropriate exterior areas within the protected areas. The applicant described design and performance requirements of security lighting within the facilities in Tier 1, which provides design descriptions for the plant normal and emergency lighting that satisfy these requirements. Tier 2, Sections 14.2.12.1.80; 14.2.12.1.81; 14.2.12.1.86, Emergency Diesel Generator Mechanical System Test; Section 14.2.12.87, Emergency Diesel Generator Electrical System Test; and Section 14.2.12.1.88, Emergency Diesel Generator Auxiliary Systems Test; address the verification of interior plant lighting systems and subsystems relied on to perform safety and security (e.g., implementing security functions and the protective strategy). In these sections, the applicant provided information that adequately and reasonably described the ITA that specifically addressed the verification of plant lighting for meeting the requirements of 10 CFR 73.55(i)(6)(i).

The staff issued RAI 197-8176, Question 14.3.12-3.a (ML15247A004), requesting the applicant to discuss whether the plant emergency DC lighting subsystem, described in Section 2.6.8.1, Item No. 4.b, is relied on for illumination for performing security functions. In its response to RAI 197-8176, Question 14.3.12-3.a (ML15322A217), the applicant stated:

In the APR1400 lighting system, the isolation zones and exterior areas within the protected area are provided with the illumination, a minimum of 0.2 foot-candle, by the dedicated security lighting system as described in DCD Tier 2, Subsection 9.5.3.2 (paragraph c). The interior areas for internal security response, as well as the plant operation areas, are provided with the illumination by the plant lighting systems such as the normal, emergency AC, and DC lighting system as described in DCD Tier 2, Subsection 9.5.3.2 (paragraphs a and b). In the event of a loss of plant normal lighting, the emergency AC and DC lighting systems provide sufficient illumination to perform security functions with the illumination levels as described in DCD Tier 2, Subsection 9.5.3.2 (paragraph b).

For the security alarm stations, the lighting equipment is supplied from the security power system, which is backed up by a dedicated uninterruptible power supply (UPS) for the security power system. The minimum illumination level in the security alarm stations is included in the response to Question d. The ITAAC for the plant lighting system and the security lighting system for the isolation zones and exterior areas are included in DCD Tier 1, Table 2.6.8-1 and Table 2.12-1, respectively. The ITAAC for the lighting equipment in the security alarm stations will be included in DCD Tier 1, Subsection 2.12.1 and Table 2.12-1.

The staff finds the applicant's response to be acceptable. Therefore, RAI 197-8176, Question 14.3.12-3.a is resolved and closed.

The staff issued RAI 197-8176, Question 14.3.12-3.d (ML15247A004), requesting the applicant to specify the minimum illumination level that will be provided by design of a plant emergency lighting system (or a dedicated security lighting system) for illumination in security alarm stations or other security locations. In its response to RAI 197-8176, Question 14.3.12-3.d (ML15322A217), the applicant committed to revise DCD Tier 2, Section 9.5.3.2, to indicate that [t]he self-contained battery lighting provides not less than an average of 1 foot-candle and at least 0.1 foot-candle at the floor level for 8 hours for access and egress, and [t]he lighting for the security alarm station is powered from the security power system and backed up by an UPS for the security power system. The normal and minimum emergency illumination level for security alarm stations are 75 foot-candle and 10 foot-candles, respectively. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-3.d. Therefore, RAI 197-8176, Question 14.3.12-3.d, is resolved and closed.

The staff issued RAI 197-8176, Question 14.3.12-3.b (ML15247A004) for the applicant to provide the design descriptions for the dedicated security lighting system, with the appropriate descriptions of interface between plant and security specific systems, if the plant emergency lighting is not relied on to enable performing security functions during loss of normal plant lighting, as implied in Tier 2, Section 9.5.3, Light Systems. In its response to RAI 197-8176, Question 14.3.12-3.b (ML15322A217), the applicant committed to revise DCD Tier 2, Section 2.12.1 and Table 2.12-1, to include a (item 5.a) design description and ITAAC for the illumination of at least 10 foot-candle for alarm stations to perform security functions. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-3.b. Therefore, RAI 197-8176, Question 14.3.12-3.b, is resolved and closed.

The staff issued RAI 197-8176, Question 14.3.12-3.c (ML15247A004) requesting the applicant to verify that the minimum illumination design requirement (i.e., 0.1 foot-candle/square feet at the floor level) also includes a criterion for system performance of minimum illumination of not less than an average of 1 foot-candle (10.8 lux) for Section 2.6.8, Item No. 4.b and corresponding lighting system ITAAC No. 4.b. In its response to RAI 197-8176, Question 14.3.12-3.c (ML15322A217), the applicant committed to revise DCD Tier 2, Section 2.6.8.1, Item 4.b and Table 2.6.8-1 (2 of 2) to indicate [t]he emergency illumination level is not less than an average of 1 foot-candle and at least 0.1 foot-candle at the floor level for 8 hours for access and egress route. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-3.c. Therefore, RAI 197-8176, Question 14.3.12-3.c, is resolved and closed.

The staff finds the following:

  • The applicant has provided descriptions of the test objectives, prerequisites, test methods, required data, and acceptance criteria for plant emergency and normal lighting that may be credited to support security functions. The adequacy and reasonable findings for the test abstracts described in Section 14.2.12.1.80, Section 14.2.12.1.81, and Sections 14.2.12.1.86 through 14.2.12.1.88 for verification of the plant normal and emergency lighting systems ITAAC as established in Table 2.6.8-1, Lighting Systems ITAAC, is documented by the staff's evaluation of Section 14.3.2.6, ITAAC for Electrical Systems.
  • The ITA described in the test abstract provided for security lighting that is within the scope of the DC addressed the requirement of 10 CFR 73.55(i)(6)(i). The applicant described the design and performance requirements of security lighting within the facilities in DCD Tier 1, Section 2.6.8, Lighting Systems, which provides design descriptions for the plant normal and emergency lighting. DCD Tier 1, Table 2.6.8-1, Lighting System Inspections, Tests, Analyses, and Acceptance Criteria [2 sheets], includes security lighting systems and DCD Tier 2, Sections 14.2.12.1.80 and 14.2.12.1.81, address the verification of interior plant lighting systems relied on to perform security functions and implement the protective strategy.
  • The staff concludes that the selected physical security system ITAAC addresses verification of the requirements of 10 CFR 73.55(i)(6)(ii) and conforms to the staff's guidance provided in SRP 14.3.12. The verification of PSS performance meeting the requirement of 10 CFR 73.55(i)(6)(i), which includes areas within the interior of the facility, is not specifically necessary to conform to SRP 14.3.12 for physical security ITAAC, and is addressed by ITAAC identified in Table 2.6.6-1 and supporting test abstracts. The test abstracts support the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

14.3.12.4.3.6 Inspections, Tests, and Analyses for Verifying Physical Barriers and Vehicle Barrier Systems

Bullet Resisting Barriers: The applicant's test abstract for physical security ITAAC 6 for bullet-resisting barriers for the MCR, CAS, and SAS is not described in the sections of 14.2. RAI 465-8565 (ML16110A100), Question 14.3.12-10.b, was issued for the applicant to provide a procedure test abstract for physical security hardware ITAAC No. 6 in Table 2.12-1. In its response to RAI 465-8565 (ML16183A350), Question 14.3.12-10.b, the applicant committed to revise DCD Tier 1 Table 2.12-1, Item 6 to incorporate the requirement of design and verification of physical barriers for bullet-resisting. The staff finds the applicant's response to be acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 465-8565, Question 14.3.12-10.b. Therefore, RAI 465-8565, Question 14.3.12-10.b is resolved and closed. Revision 1 to DCD Tier 2, Section 14.2.12.1.152, Bullet-Resisting Barriers, provides the test abstract that adequately described the test objective, prerequisite, test method, data required, acceptance criteria, and specification for the ITA of ITAAC Item 6.

Vehicle Barrier System: DCD Tier 2, Section 14.2.12.1.139, Vehicle barrier system to protect against the design basis threat vehicle bombs, describes the test abstracts for verifying the vehicle barrier system protects against the design basis threat vehicle bombs. The applicant stated that the objective is to demonstrate that the vehicle barrier system (VBS) is installed and located at the necessary stand-off distance to protect against the DBT vehicle bombs. The verification method is inspection to validate that the VBS is installed at the minimum stand-off distance (MSSD) or a distance greater than the MSSD to determine that the system and components are installed in accordance with manufacturer's specifications. The applicant also described prerequisites, data required, and acceptance criteria. The acceptance criterion that must be met is that the distance measured exceeds the minimum safe stand-off distances required in the applicant's TeR APR1400-E-A-NR-14002-P-SGI, Physical Security Design Features, that is incorporated by reference.

The staff finds that the applicant has provided an adequate and reasonable description of the test objectives, prerequisites, test methods, required data, and acceptance criteria in Tier 2, Section 14.2, that support the identified physical security ITAAC related to bullet-resisting barriers in DCD Tier 1, Chapter 2, Section 2.12, Physical Security Hardware, and DCD Tier 1, Table 2.12-1, Physical Security Hardware Inspections, Tests, Analyses, and Acceptance Criteria, for verification of the design features that will be incorporated for physical protection in the APR1400 standard design. The test abstracts support the verification of PSS ITAAC identified in DCD Tier 1 to meet the regulatory requirement of 10 CFR 52.47(b)(1).

Combined License Information Items

The staff reviewed the applicant's descriptions and commitments for COL information items for physical security ITAAC that must be addressed by a COL applicant if the design is certified.

DCD Tier 2, Section 14.3.6 states that COL 14.3(3) requires the COL applicant to provide proposed ITAAC for the facility's physical security hardware not addressed in the DCD in accordance with RG 1.206. Revision 1 of DCD Tier 2, Section 14.3.6 identifies COL 14.3(4) to indicate that [t]he COL applicant is to provide the proposed ITAAC for the facility's physical security hardware not addressed in the DCD in accordance with RG 1.206. In addition, DCD Tier 2 Section 14.3.2.12, ITAAC for Physical Security Hardware, indicates the same commitment and references COL 14.3(4).

The applicant initially identified COL 14.2(11), which established that the COL applicant is to develop the test procedure of the communication system. The staff issued RAI 197-8176, Question 14.3.12-7 (ML15247A004), requesting the applicant to remove COL 14.2(11), which defers the development of the test procedure of the communication system described in Tier 1 and Tier 2 of the APR1400 DC, and to provide test descriptions and individual pre-operational tests addressing general system testing requirements for the plant communication systems described in Tier 1, Section 2.6.9 and the Communication System ITAAC identified in Table 2.6.9-1. The staff also requested the applicant to provide, in Section 14.2.12.1, test descriptions and individual pre-operational tests addressing general system testing requirements for the security communication systems, including plant systems credited for security communications. In response to RAI 197-8176, Question 14.3.12-7 (ML15315A042), the applicant committed to delete COL 14.2(11) and to add a new test abstract to Section 14.2.12.1 to address the testing of security communication systems. The staff finds the applicant's response acceptable. The staff confirmed that DCD Tier 2, Revision 1, dated March 10, 2017, was revised as committed in the response to RAI 197-8176, Question 14.3.12-7. Therefore, RAI 197-8176, Question 14.3.12-7 is resolved and closed. Revision 1 to DCD Tier 2, Section 14.2.13, deleted the previously identified COL information for the COL applicant to develop the test procedure for communication systems. The revised (and renumbered) COL 14.2(11) establishes a commitment for the COL applicant to provide a schedule for the development of plant procedures.

DCD Tier 1, Chapter 2, Table 2.12-1 identified (i.e., reserved) physical security hardware ITAAC that a COL applicant will provide. The reserved ITAAC that will be provided by a COL applicant are the PSS or hardware as follows:

  • ITAAC 2.a, 2.b, and 2.c, Protected Area Barriers.
  • ITAAC 4.a and 4.c, Protected Area Perimeter Intrusion Detection System.
  • ITAAC 8.a and 8.b, Access Control Points.
  • ITAAC 9, Picture Badge Identification System.

The staff finds the following:

  • The applicant has adequately described the ITAAC outside the scope of the APR1400 DC and established clearly the ITAAC that must be addressed by a COL applicant that references the APR1400 certified design. The combined ITAAC described within the scope of the APR1400 DC and those described for fulfilling COL 14.3(4) conform to the NRC staff guidance, SRP 14.3.12.
  • The staff finds that the applicant has provided an adequate and reasonable description of test abstracts supporting physical security ITAAC within the scope of the DC, and established COL 14.3(4) for a COL applicant referencing the APR1400 standard design to describe specific ITAAC and abstracts for PSS outside the scope of the APR1400 DC.

The DCD Tier 2 Section 14.3.2.12 contains two COL items pertaining to physical security hardware. The staff finds that the applicant has provided an adequate and reasonable description of requirements (i.e., COL 14.3(1) and COL 14.3(4)) for a COL applicant referencing the APR1400 standard design to describe the ITAAC for PSS that are outside the scope of the APR1400 DC.

Item No.       Description
COL 14.3(1)    The COL applicant is to provide the ITAAC for the site-specific portion of the plant systems specified in DCD Tier 2, Subsection 14.3.3.
COL 14.3(4)    The COL applicant is to provide the proposed ITAAC for the site specific facility's physical security hardware not addressed in the DCD in accordance with RG 1.206.

Conclusion

The staff finds the following:

  • The applicant has proposed and adequately identified and described attributes for physical security ITAAC for verification to meet the regulatory requirement of 10 CFR 52.47(b)(1).
  • The applicant has identified an appropriate and reasonable set of design commitments, test methods (inspections, tests, or analyses), and acceptance criteria for certification of the APR1400 standard design.
  • The applicant has appropriately established in the DC the requirement that a COL holder (i.e., licensee) that references the APR1400 certified design establishes a process that will identify requirements, construction verifications that review the as-built systems and conditions, and compliance determination for PSS performance and acceptance tests not specifically identified as ITAAC.

  • The applicant has provided adequate descriptions of elements of the test abstracts (or protocols) for PSS (i.e., objectives, prerequisites, test methods, data required, and acceptance criteria) that support Tier 1 descriptions of physical security ITAAC to meet the regulatory requirement of 10 CFR 52.47(b)(1).
  • The applicant has identified appropriate and reasonable descriptions of test abstracts that establish the framework for developing the detailed test procedures for conducting ITA that will be performed and, if met, will demonstrate that the plant incorporated the certified standard design, and the identified PSS built or installed and will operate in accordance with the DC, the provisions of the Atomic Energy Act of 1954, as amended, and Commission's rules and regulations.
  • The applicant has provided an adequate and reasonable description of requirements (i.e., COL 14.3(1) and COL 14.3(4)) for a COL applicant referencing the APR1400 standard design to describe the ITAAC for PSS that are outside the scope of the APR1400 DC.

The staff concludes that the applicant has met 10 CFR Part 52, Subpart B, Section 52.47, which requires information submitted for a DC to include performance requirements and design information sufficiently detailed to permit the preparation of acceptance and inspection requirements by the NRC, and procurement specifications and construction and installation specifications by an applicant. The applicant has met 10 CFR 52.47(b)(1), which requires the APR1400 DC application to contain the proposed ITAAC necessary and sufficient to provide reasonable assurance that, if the inspections, tests, and analyses are performed and the acceptance criteria are met, a plant that incorporates the design certification is built and will operate in accordance with the design certification, the provisions of the Atomic Energy Act of 1954, as amended, and NRC regulations.

Design Reliability Assurance Program - Inspections, Tests, Analyses, and Acceptance Criteria

The design reliability assurance program ITAAC contained in DCD Tier 1, Section 2.13, Table 2.13-1, Design Reliability Assurance Program ITAAC, and Tier 2 Section 14.3.2.13, ITAAC for the Design Reliability Assurance Program, are evaluated in Section 17.4 of this SER.