ML18087A108

Enclosure 13 - APR1400-Z-J-NR-14012-NP, Rev. 2, Control System CCF Analysis

Site: 05200046
Issue date: 01/31/2018
From: Korea Hydro & Nuclear Power Co, Ltd
To: Office of New Reactors
Shared Package: ML18087A118
References: MKD/NW-18-0039L; APR1400-Z-J-NR-14012-NP, Rev. 2

Non-Proprietary
Control System CCF Analysis
APR1400-Z-J-NR-14012-NP, Rev. 2
Revision 2, January 2018

Copyright 2018 Korea Electric Power Corporation & Korea Hydro & Nuclear Power Co., Ltd. All Rights Reserved
KEPCO & KHNP

REVISION HISTORY

Revision 0, November 2014
  All pages: First Issue

Revision 1, February 2017
Revised based on RAI response or editorial correction. Each entry gives the page(s), the description with the affected section(s) in parentheses, and the RAI number.
  2: Description for screening process added (2.0) (RAI 8633-20)
  3: Description for reference added (3.2)
  4 and 5: Description for screening process added (4.1) (RAI 8633-20)
  5: Supplemental description for Figure 4.2-1 added (4.2) (RAI 7892-5)
  8 and 9: Description for DCS fail-over and fault detection features added, and acronyms applied for DCN-I (4.4.2, 4.4.3 and 4.4.4) (RAI 7892-4)
  10 and 11: Description for environmental qualification of IFPD modified (4.4.4.1) (RAI 7892-8)
  11 and 12: Description for design features to prevent and cope with broadcast storms modified (4.4.5 and 4.4.6) (RAI 7892-6)
  13: Figure 4.1-1 modified to reflect the revised I&C System Overview Architecture (Figure 4.1-1) (RAI 8281-17)
  14: Figure 4.1-2 modified to add acronyms (Figure 4.1-2) (RAI 7892-5)
  16: Figure 4.2-1 added for PCS and other non-safety I&C system internal network (Figure 4.2-1) (RAI 7892-5)
  22: Supplemental description added and Figure 4.5-5 modified for component segmentation 1 (4.5.4) (RAI 7881-17)
  23: Supplemental description added and Figure 4.5-6 modified for component segmentation 1 (4.5.4) (RAI 7881-15)
  26: Supplemental description added for the assignment of control groups (4.5.6) (RAI 7881-17)
  27: Table 4.5-2 modified to add BOP components (Table 4.5-2) (RAI 8633-20)
  28 and 29: Table 4.5-3 added to reflect results of screening process for all control systems (Table 4.5-3) (RAI 8633-20)
  30: Supplemental description added for redundant control loop (4.6) (RAI 7881-16)
  30: Supplemental description added for Interlock/Permissive functions (4.7) (RAI 7881-15)
  33 thru 37: Description modified, Figures 4.9-1 through 4.9-4 modified and changed, Figures 4.9-5 through 4.9-7 added, and Table 4.9-1 modified to make a complete list and summary of control signals from the P-CCS to the ESF-CCS and provide safety evaluation (4.9) (RAI 7892-8)
  43: PCS and NPCS design information added about embedded devices (4.10) (RAI 7881-8)
  43 and 44: Description added and Table 4.10-1 added to provide design information about embedded digital devices (4.10) (RAI 8633-18)
  48, 50 thru 56: Description for availability of CSV with PRV function added, and Table 5.1-2 thru Table 5.1-18 combined into one table with sheet number for Table 5.1-2 added (5.1.1, 5.1.4, 5.1.4.1 thru 5.1.4.17) (RAI 7881-7)
  53: Clarification of failure effects of TLI signal on FWCS and SBCS (5.1.4.7 and 5.1.4.8) (RAI 7892-7)
  57: Description for assumption about EMI/RFI added (5.2.2) (RAI 7881-10)
  58: Supplemental description added for SBCS main control group (5.2.4.1) (RAI 7881-15)
  60: Editorial correction (closing → throttling back) (5.2.4.6) (RAI 8456-9)
  56: Description for safety evaluation of CVCS modified (5.2.4.7) (RAI 7892-8)
  62 and 63: Description for multiple failures of RRS/RPCS control group modified (5.2.4.8) (RAI 8456-11)
  65 and 66: Editorial correction (Feedwater HP → HP Feedwater) (5.2.4.11 thru 5.2.4.13) (RAI 8633-20)
  67 and 68: Description for multiple failures of condenser vacuum control group added and modified (5.2.4.16) (RAI 8633-20)
  68: Description for multiple failures of miscellaneous BOP control group added and modified (5.2.4.18) (RAI 8633-20)
  69: Description for assumptions about Seismic and EMI/RFI added (5.3.2) (RAI 7881-10)
  69 and 70: Description for assumptions on the basis for selection of the initial parameters added (5.3.2) (RAI 8456-15)
  70: Description for multiple failures causing RCS cooldown added and editorial correction (FW HP → HP FW) (5.3.2) (RAI 8633-20)
  70: Acceptance criteria for Failure Type 3 events modified according to Table 4.1-1 and DCD Chapter 15, Section 15.0.0.1.2 PA acceptance criteria (5.3.4)
  71: Description for multiple failures about CEA withdrawal added (5.3.5.1) (RAI 8456-16)
  71: Results for Failure Type 3 including BOP components modified (5.3.5.1) (RAI 8633-20)
  73 and 74: Clarification for the physical plant components (Table 5.1-1) (RAI 7881-7)
  75 thru 92: Combination of similar information into a single table and sheet number for Table 5.1-2 added (Table 5.1-2) (RAI 7881-7)
  82 and 83: Clarification of failure effects of TLI signal at low power level (Table 5.1-2) (RAI 7892-7)
  93: Description added and modified for turbine bypass control (Table 5.2-1) (RAI 7881-15)
  93 and 94: Description added and modified for turbine bypass control, control rod control and HP feedwater heater (Table 5.2-1) (RAI 7881-9)
  94: Description added and modified for control rod control and HP feedwater heater (Table 5.2-1) (RAI 7892-2)
  94: Editorial correction (Feedwater HP → HP Feedwater) (Table 5.2-1) (RAI 8633-20)
  95: Description for multiple failures of condenser vacuum and miscellaneous BOP control group added and modified (Table 5.2-1) (RAI 8633-20)
  95: Description of miscellaneous BOP control modified (Table 5.2-1) (RAI 7881-4)
  96 thru 113: Editorial correction (group → Group) (Table 5.2-1 thru 5.2-18)
  101: Description modified, and editorial correction (12.7 kg/sec → 11.3 kg/sec) (Table 5.2-7) (RAI 8456-9)
  103: Clarification of failure effects of TLI signal at low power level (Table 5.2-9) (RAI 7892-7)
  104: Description for multiple failures of RRS/RPCS control group modified, and editorial correction (AMP → AWP) (Table 5.2-9) (RAI 8456-10, 8456-11)
  111: Description for multiple failures of condenser vacuum control group added and modified (Table 5.2-16) (RAI 8633-20)
  113: Description for multiple failures of miscellaneous BOP control group added and modified (Table 5.2-18) (RAI 8633-20)
  114: Description for multiple failures of condenser vacuum and miscellaneous BOP control group added and modified (Table 5.3-1) (RAI 8633-20)
  117: Sequence of Events for Event 1 modified to reflect recalculated results including BOP components (Table 5.3-4) (RAI 8633-20)
  119: Description for multiple failures of condenser vacuum and miscellaneous BOP control group added (Table 5.4-1) (RAI 8633-20)
  120: Description for HP FW heater control group added (Table 5.4-2) (RAI 7881-15)
  121 thru 125: Dynamic behaviors for Event 1 modified (Figure 5.3-1 thru Figure 5.3-5) (RAI 8633-20)
  131: Reference added (7) (RAI 7892-8)
  vii, 2, 4, 47 thru 55, 56 thru 61, 64 thru 71, 130: Deletion or changes of TS scope in the following sections and figures (ABSTRACT, 2, 4.1, 5.1, 5.1.1 thru 5.1.4, 5.1.4.1 thru 5.1.4.17, 5.2.1 thru 5.2.4, 5.2.4.1 thru 5.2.4.18, 5.2.5, 5.3.1 thru 5.3.5, 5.3.5.1 thru 5.3.5.2, 5.3.6, 5.4, 6, 7, Figure 4.1-1). Revision bars are omitted because there are no technical changes.

Revision 2, January 2018
Revised based on RAI response or editorial correction.
  12: Editorial correction (HIS → HSI) (4.4.6)
  43: Diversity evaluation for ultrasonic level transmitters moved to the Diversity and Defense-in-Depth TeR, APR1400-Z-J-NR-14002-P (4.10) (RAI 8633-18)
  131: Reference added, and reference publication date modified (7) (RAI 8633-18)

This document was prepared for the design certification application to the U.S. Nuclear Regulatory Commission and contains technological information that constitutes intellectual property of Korea Hydro & Nuclear Power Co., Ltd.

Copying, using, or distributing the information in this document in whole or in part is permitted only to the U.S. Nuclear Regulatory Commission and its contractors for the purpose of reviewing design certification application materials. Other uses are strictly prohibited without the written permission of Korea Electric Power Corporation and Korea Hydro & Nuclear Power Co., Ltd.

ABSTRACT

This technical report (TeR) provides the results of the evaluation of postulated non-safety control system common-cause failures (CCFs) for the APR1400.

The pertinent features of the control systems credited in this evaluation, including the architecture of the distributed control system (DCS), are described in this report.

One key feature of the DCS that ensures the failure of a single non-safety control group does not cause plant conditions more severe than those described in the analysis of anticipated operational occurrences (AOOs) in DCD Chapter 15 is that major control functions, such as pressurizer level control and feedwater control, are distributed to separate control groups. Each control group consists of at least one separate controller and includes at least one control system.

The following Failure Types due to a shared signal failure and control system CCFs (CSCCFs) are evaluated to confirm that the DCD Chapter 15 analysis acceptance criteria are met.

  • Failure Type 1: multiple function failures due to a single failure of a shared signal
  • Failure Type 2: multiple failures of a single control group due to a CSCCF
  • Failure Type 3: multiple failures of more than one control group due to a CSCCF
  • Failure Type 4: multiple failures of Information Flat Panel Display (IFPD) control commands due to a CSCCF

For all Failure Types above, the failure effect on multiple control functions and multiple plant components is considered.

For Failure Types 1 and 2, qualitative evaluations are performed. This report concludes that the consequences of the transients caused by a shared signal failure and the postulated CCFs are bounded by the acceptance criteria for AOOs presented in DCD Chapter 15.

For Failure Types 3 and 4, the worst combinations of multiple failures with respect to fuel cladding integrity and primary system integrity are quantitatively evaluated using the RELAP5 code. This report concludes that the consequences of the events caused by the postulated CSCCFs are bounded by the acceptance criteria for postulated accidents (PAs) in DCD Chapter 15.

TABLE OF CONTENTS

1. PURPOSE ... 1
2. SCOPE ... 2
3. APPLICABLE CODES AND REGULATIONS ... 3
3.1. 10 CFR 50.55a(h), Protection and Safety Systems ... 3
3.2. IEEE Standard 603 ... 3
4. CONTROL SYSTEM DESIGN FEATURES TO PREVENT CCF ... 4
4.1. Credible Failure Boundary ... 4
4.2. Control System Overview ... 5
4.3. Credible Failure Types of Control System CCF ... 5
4.4. Control System Design Features ... 6
4.4.1. Segmentation of Major Functions ... 7
4.4.2. Redundancy ... 7
4.4.3. Diagnostic and Alarming Functions ... 9
4.4.4. Design Features of the Information Flat Panel Display ... 9
4.4.5. Design Features to Prevent CCF Due to Broadcast Storms on the DCN-I Network ... 11
4.4.6. Design Features to Cope with Broadcast Storms on the IFPD/ESCM Ethernet Networks ... 12
4.5. Segmentation ... 18
4.5.1. Functional Grouping ... 18
4.5.2. Component Grouping ... 20
4.5.3. Functional Segmentation ... 21
4.5.4. Component Segmentation 1 ... 22
4.5.5. Component Segmentation 2 ... 25
4.5.6. Control Group ... 26
4.6. Redundant Controller for Availability Enhancement ... 30
4.7. Interlock/Permissive Functions by Separate Control Group or Safety System ... 30
4.8. Control Signal Validation ... 31
4.9. Non-safety Control Signals Sent to ESF-CCS ... 33
4.9.1. Evaluation of the Non-safety Control Signal for CVCS ... 33
4.9.2. Evaluation of the Non-safety Control Signal for Class 1E 4.16kV System ... 36
4.9.3. Evaluation of Other Non-safety Control Signals ... 38
4.10. CCF Analysis of Embedded Devices in Field Equipment ... 43
4.10.1. Evaluation for the CCF of Non-safety Field Instruments ... 43
4.10.2. Evaluation for the CCF of Non-safety Field Actuators ... 44
4.10.3. Evaluation for the Effect on Field Instruments due to Controller Failures ... 44
4.10.4. Evaluation for the Effect on Field Actuators due to Controller Failures ... 45
5. EVALUATION METHOD AND RESULTS ... 46
5.1. Failure Type 1: Multiple Failure due to a Single Failure of Shared Signal ... 47
5.1.1. Assumptions Used in the Evaluation ... 47
5.1.2. Initial Conditions ... 48
5.1.3. Acceptance Criteria ... 48
5.1.4. Evaluation Results ... 48
5.2. Failure Type 2: Multiple Failure due to Single Control Group ... 56
5.2.1. Selection of Initiating Events ... 56
5.2.2. Assumptions Used in the Evaluation ... 56
5.2.3. Acceptance Criteria ... 57
5.2.4. Evaluation Results ... 57
5.2.5. Conclusion ... 67
5.3. Failure Type 3: Multiple Failures of More than One Control Group ... 68
5.3.1. Selection of Initiating Events ... 68
5.3.2. Assumptions Used in the Evaluation ... 68
5.3.3. Initial Conditions ... 69
5.3.4. Acceptance Criteria ... 69
5.3.5. Evaluation Results ... 70
5.3.6. Conclusion ... 71
5.4. Failure Type 4: Multiple Failures of IFPD Control Commands ... 71
6. CONCLUSIONS ... 130
7. REFERENCES ... 131
8. DEFINITIONS ... 132

LIST OF TABLES

Table 4.1-1 Credible Failure Types ... 5
Table 4.5-1 Segregation of Power Source ... 19
Table 4.5-2 Control Group ... 27
Table 4.5-3 Results of Screening Process for All Control Systems in the APR1400 Plant ... 28
Table 4.7-1 Control Limit and Interlocks on Digital Rod Control System ... 31
Table 4.9-1 Non-safety Control Signals Sent from P-CCS to ESF-CCS ... 40
Table 4.10-1 Embedded Digital Device Types Used in Non-safety Systems ... 43
Table 5.1-1 Shared Signals ... 72
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals ... 74
Table 5.2-1 Control Group Segmentation ... 92
Table 5.2-2 Multiple Failures of Single Control Group (SBCS Main) ... 95
Table 5.2-3 Multiple Failures of Single Control Group (SBCS Permissive) ... 96
Table 5.2-4 Multiple Failures of Single Control Group (FWCS1) ... 97
Table 5.2-5 Multiple Failures of Single Control Group (FWCS2) ... 98
Table 5.2-6 Multiple Failures of Single Control Group (PPCS) ... 99
Table 5.2-7 Multiple Failures of Single Control Group (PLCS) ... 100
Table 5.2-8 Multiple Failures of Single Control Group (CVCS) ... 101
Table 5.2-9 Multiple Failures of Single Control Group (RRS/RPCS) ... 102
Table 5.2-10 Multiple Failures of Single Control Group (DRCS) ... 104
Table 5.2-11 Multiple Failures of Single Control Group (RCP) ... 105
Table 5.2-12 Multiple Failures of Single Control Group (HP FW Heater) ... 106
Table 5.2-13 Multiple Failures of Single Control Group (HP FW Heater Bypass Line) ... 107
Table 5.2-14 Multiple Failures of Single Control Group (FW Pump On/Off) ... 108
Table 5.2-15 Multiple Failures of Single Control Group (Non-1E AC Power - 13.8kV) ... 109
Table 5.2-16 Multiple Failures of Single Control Group (Condenser Vacuum Control) ... 110
Table 5.2-17 Multiple Failures of Single Control Group (Turbine Control System) ... 111
Table 5.2-18 Multiple Failures of Single Control Group (Miscellaneous BOP Control) ... 112
Table 5.3-1 Assumptions for Event 1 ... 113
Table 5.3-2 Assumptions for Event 2 ... 114
Table 5.3-3 Initialization of RELAP5 for Nominal Initial Condition ... 115
Table 5.3-4 Sequence of Major Events for Event 1 ... 116
Table 5.3-5 Sequence of Major Events for Event 2 ... 117
Table 5.4-1 Multiple Failures of IFPD Control Commands - Fuel Cladding Integrity ... 118
Table 5.4-2 Multiple Failures of IFPD Control Commands - Primary System Integrity ... 119

LIST OF FIGURES

Figure 4.1-1 Credible Failure Boundary of Control System CCF ... 13
Figure 4.1-2 Control System Overview ... 14
Figure 4.1-3 Overview of 4 Credible Failure Types ... 15
Figure 4.2-1 Internal Network of PCS and Other Non-safety I&C Systems ... 16
Figure 4.4-1 Data Communication between the IFPD and DCS Controller ... 17
Figure 4.5-1 Critical Functions and Success Paths (Example) ... 19
Figure 4.5-2 Independent Configuration (Example) ... 20
Figure 4.5-3 Serial Configuration (Example) ... 20
Figure 4.5-4 Parallel Configuration (Example) ... 21
Figure 4.5-5 Component Segmentation 1 for SBCS Turbine Bypass Control ... 22
Figure 4.5-6 Component Segmentation 1 for High Pressure FW Heater ... 23
Figure 4.5-7 SBCS Main Functional Block Diagram ... 24
Figure 4.5-8 SBCS Permissive Functional Block Diagram ... 24
Figure 4.5-9 HP FW Heater Functional Block Diagram ... 25
Figure 4.8-1 Control Signal Validation ... 32
Figure 4.9-1 Non-safety Control Signals Sent from P-CCS to ESF-CCS for ESF Valves (Typical) ... 34
Figure 4.9-2 ESF-CCS Control Logic against Non-safety Signal Failure ... 34
Figure 4.9-3 Non-safety Control Signals Sent from P-CCS to ESF-CCS for Reactor Coolant Makeup ... 35
Figure 4.9-4 Configuration of Class 1E 4.16kV Bus ... 37
Figure 4.9-5 Simplified Signal Flow for UAT-PCB and SAT-PCB ... 37
Figure 4.9-6 Simplified ESF-CCS Control Logic for Case A ... 38
Figure 4.9-7 Simplified ESF-CCS Control Logic for Case B ... 39
Figure 5.3-1 Core Power (Event 1) ... 120
Figure 5.3-2 Pressurizer Pressure (Event 1) ... 121
Figure 5.3-3 Safety Injection Flow (Event 1) ... 122
Figure 5.3-4 SG Pressure (Event 1) ... 123
Figure 5.3-5 DNBR (Event 1) ... 124
Figure 5.3-6 Core Power (Event 2) ... 125
Figure 5.3-7 RCP Discharge Pressure - Short Term (Event 2) ... 126
Figure 5.3-8 RCP Discharge Pressure - Long Term (Event 2) ... 127
Figure 5.3-9 POSRV Flow (Event 2) ... 128
Figure 5.3-10 SG Pressure (Event 2) ... 129

ACRONYMS AND ABBREVIATIONS

AMI: automatic motion inhibit
AOO: anticipated operational occurrence
APR1400: Advanced Power Reactor 1400
AWP: automatic withdrawal prohibit
BAST: boric acid storage tank
BOP: balance of plant
CCF: common cause failure
CCS: component control system
CCW: component cooling water
CDP: condensate pump
CEA: control element assembly
CEAC: control element assembly calculator
Ch.: 1) Chapter, 2) channel
CIAS: containment isolation actuation signal
CPCS: core protection calculator system
CPC: core protection calculator
CSCCF: control system common cause failure
CVCS: chemical and volume control system
CWP: 1) CEA withdrawal prohibit, 2) circulating water pump
DCD: design control document
DCN-I: data communication network-information
DCS: distributed control system
DBE: design basis event
DNBR: departure from nucleate boiling ratio
DRCS: digital rod control system
DV: downcomer valve
ESCM: ESF-CCS soft control module
ESFAS: engineered safety features actuation system
ESF-CCS: engineered safety features - component control system
EV: economizer valve
FW: feedwater
FWCS: feedwater control system
HART: highway addressable remote transducer
HPPT: high pressurizer pressure trip
HSI: human-system interface
HTR: heater
HVAC: heating, ventilation, and air conditioning
I&C: instrumentation and control
I/O: input/output
IFPD: information flat panel display
IPS: information processing system
KHNP: Korea Hydro & Nuclear Power Co. Ltd.
LCO: limiting conditions for operation
LEL: lower electrical limit
LOCV: loss of condenser vacuum
LOF: loss of flow
LONF: loss of normal feedwater
LPD: local power density
MCR: main control room
MFIV: main feedwater isolation valve
MFWP: main feedwater pump
Mod.: modulation
MSIV: main steam isolation valve
MSIS: main steam isolation signal
MSSV: main steam safety valve
MTC: moderator temperature coefficient
NFO: not fully open
NIMS: NSSS integrity monitoring system
NPP: nuclear power plant
NPCS: NSSS process control system
NRC: Nuclear Regulatory Commission
NSSS: nuclear steam supply system
PA: postulated accident
Perm.: permissive
P&ID: piping and instrumentation diagram
PAMI: post accident monitoring instrumentation
P-CCS: process-component control system
PCS: power control system
PLCS: pressurizer level control system
POSRV: pilot operated safety and relief valve
PPCS: pressurizer pressure control system
PRV: process representative value
PZR: pressurizer
RCP: reactor coolant pump
RCS: reactor coolant system
RDT: reactor drain tank
RMS: radiation monitoring system
RPCS: reactor power cutback system
RRS: reactor regulating system
RSPT: reed switch position transmitter
RSR: remote shutdown room
SBCS: steam bypass control system
SFADL: specified acceptable fuel design limit
SIAS: safety injection actuation signal
Tavg: average temperature
TBV: turbine bypass valve
TBN: turbine
Tcold: cold leg temperature
TCS: turbine control system
Tref: reference temperature
VOPT: variable over power trip
UEL: upper electrical limit
UGS: upper group stop


1. PURPOSE

The purpose of this technical report (TeR) is to determine the effects of the postulated common cause failures (CCFs) on the non-safety control system, describe the methodology for evaluating those function/component effects on the plant, and document the evaluation results for the Advanced Power Reactor 1400 (APR1400) design.

2. SCOPE This TeR provides the evaluation methods and results of the evaluation for the postulated control system CCF (CSCCF).

The non-safety control systems of primary and secondary systems are considered for the evaluation as described in Section 4.1. All control systems of the primary and secondary systems described in the design control document (DCD) Chapter 7.7 and Chapter 15 are included in the evaluation for the TS postulated CSCCF, TS Therefore, CCFs within the non-safety control system are considered. The results of screening process for all control systems in the APR1400 plant are presented in Section 4.1 and Table 4.5-3.

TS The expected failures due to a shared signal failure and CSCCF are divided into four parts as follows.

  • Failure Type 1 : multiple function failures due to a single failure of a shared signal
  • Failure Type 2 : multiple failures of a single control group due to CSCCF
  • Failure Type 3 : multiple failures of more than one control group due to CSCCF
  • Failure Type 4 : multiple failures of Information Flat Panel Display (IFPD) control commands due to CSCCF

TS Failure Types 1 and 2 are evaluated against the AOO acceptance criteria of DCD Chapter 15. Refer to Sections 5.1 and 5.2 for the evaluation method and results.

Failure Types 3 and 4 are evaluated against the PA acceptance criteria of DCD Chapter 15. Refer to Sections 5.3 and 5.4 for the evaluation method and results.



3. APPLICABLE CODES AND REGULATIONS
The following subsections list the applicable codes and regulations.

3.1. 10 CFR 50.55a(h), Protection and Safety Systems
10 CFR 50.55a(h) endorses IEEE Std. 603.

3.2. IEEE Standard 603
Compliance with Clause 4.8 of IEEE Std. 603-1991 (Reference 3) is described in this TeR.

The non-safety control system is designed to comply with Clauses 4.8 and 5.6.3 of IEEE Std. 603-1991.

IEEE Std. 603-1991, Clause 5.6.3 states, in part, that the safety system design shall be such that credible failures in and consequential actions by other systems, as documented in 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.

To demonstrate compliance with Clauses 4.8 and 5.6.3 of IEEE Std. 603-1991, the evaluation methods and results for the postulated CSCCF are described in this TeR.



4. CONTROL SYSTEM DESIGN FEATURES TO PREVENT CCF
This section describes the design features of the non-safety control systems and safety systems that (1) prevent failures that could otherwise lead to a CCF, (2) reduce the adverse effects of CCFs, or (3) allow coping with CCFs.

4.1. Credible Failure Boundary
The primary and secondary control systems are evaluated for the postulated CCFs. Table 5.2-1 shows the control groups of the primary and secondary systems evaluated for the postulated CCFs. Each control group consists of at least one separate controller and includes at least one control system. For the major control systems of the primary and secondary systems, refer to Figure 4.1-2.

The control systems listed in Table 5.2-1 and described in DCD Chapter 7.7 and Chapter 15 are TS considered for the evaluation of the postulated CSCCF, TS A system is identified as capable of affecting critical safety functions if it can affect the reactivity, RCS pressure, RCS temperature, RCS flow, or RCS inventory of the primary system, because its failure can then challenge fuel cladding integrity or primary system integrity and ultimately the critical safety functions. The following challenges to critical safety functions, which can challenge the analysis acceptance criteria presented in DCD Tier 2, Section 15.0, are considered in determining the limiting initiating events for the control system CCF analysis.

  • Challenge to primary system integrity
  • Challenge to offsite dose limit
  • Challenge to containment integrity

Most of the control systems are implemented on a DCS-based common platform that has been proven by operating experience in the nuclear and other industries.

The DCS performs the functions of operator interface, component-level control, automatic process control, high-level group control, and data processing for normal operation. The DCS is designed with a redundant and fault-tolerant architecture for high reliability and to prevent the failure of a single component from causing a spurious plant trip.

Some instrumentation and control (I&C) systems are implemented by self-standing systems.

Because the non-safety control systems are software-based and therefore susceptible to software defects, design features and an evaluation are necessary to prevent CSCCF.

TS

TS

4.2. Control System Overview
The non-safety control systems consist of the power control system (PCS) and the process-component control system (P-CCS).

The PCS includes the reactor regulating system (RRS), the digital rod control system (DRCS), and the reactor power cutback system (RPCS).

The P-CCS includes the NSSS process control system (NPCS) and balance of plant (BOP) control systems. The NPCS consists of the feedwater control system (FWCS), steam bypass control system (SBCS), pressurizer pressure control system (PPCS), pressurizer level control system (PLCS), and other miscellaneous nuclear steam supply system (NSSS) control functions.

The BOP control systems provide discrete and continuous control of normally used non-safety BOP processes, including the radwaste control system.

Major control systems of NSSS are PCS and NPCS which include RRS, RPCS, DRCS, PPCS, PLCS, SBCS, and FWCS. Refer to Figure 4.1-2.

The internal network of PCS and other non-safety I&C systems is shown in Figure 4.2-1.

4.3. Credible Failure Types of Control System CCF
Credible failures of the CSCCF are initiating events, caused by control system failure, that can affect critical safety functions.

Because each major control function is assigned to a separate control group consisting of at least one controller, the following four Failure Types are assumed to be credible. Refer to Table 4.1-1.

  • Failure Type 1 : multiple function failures due to a single failure of a shared signal
  • Failure Type 2 : multiple failures of a single control group due to CSCCF
  • Failure Type 3 : multiple failures of more than one control group due to CSCCF
  • Failure Type 4 : multiple failures of IFPD control commands due to CSCCF

Table 4.1-1 Credible Failure Types

Failure Type                                                                   Evaluation Criteria
Failure Type 1 : Multiple function failures due to a single failure of a       To be bounded by DCD Chapter 15 AOO acceptance criteria
                 shared signal
Failure Type 2 : Multiple failures of a single control group due to CSCCF      To be bounded by DCD Chapter 15 AOO acceptance criteria
Failure Type 3 : Multiple failures of more than one control group due to       To be bounded by DCD Chapter 15 PA acceptance criteria
                 CSCCF
Failure Type 4 : Multiple failures of IFPD control commands due to CSCCF       To be bounded by DCD Chapter 15 PA acceptance criteria

Refer to Figure 4.1-3 for an overview of the four Failure Types. The evaluation results for the four Failure Types are described in Section 5.

4.4. Control System Design Features
To reduce the likelihood of CSCCF, the control system is designed with the following design features:

  • Each control function in DCD Chapter 7.7 is assigned to a separate control group that consists of at least one separate controller, to limit a failure to that control group (segmentation) [1]. Refer to Section 4.5.
  • A redundant controller for increased availability
  • Interlock/permissive functions by a separate control group or safety system to limit the failure effects (e.g., control element assembly (CEA) withdrawal interlock signals, turbine bypass valve (TBV) permissive signals) [2]
  • Control signal validation to limit a single input failure of redundant channel inputs (i.e., large deviation of redundant inputs)
  • Redundant analog input modules with an auto signal selection algorithm to limit the failure effect of a single module (i.e., out of range) [3]
  • Hardwired signal interface of shared signals between the control groups within the PCS and NPCS
  • Diagnostic and alarming functions
  • Design features of the IFPD to defend against a design basis event (DBE) due to a single random hardware failure (e.g., broadcast storm) [1]

[1] Control group segmentation and the design features against broadcast storms are credited in the evaluation of Failure Types 1 and 2. For the broadcast storm design features, refer to Section 4.4.5.

[2] Permissive functions of SBCS permissive control group are credited in the evaluation of Failure Types 1 and 2.

[3] Refer to Figure 4.1-3 and Table 5.1-1.

Each design feature listed above is described in the following sections.


4.4.1. Segmentation of Major Functions
Segmentation is a process that separates and groups components, including instrument and control functionality, in a non-safety DCS controller.

Functional allocation is performed to minimize the effects of single failures in the nuclear power plant (NPP). Maintaining the dependent and independent relationships established by the plant functional design is achieved by allocating specific functions (e.g., monitoring, control) to specific processors and by allocating specific inputs and outputs to specific input/output (I/O) modules (e.g., boards, personality/base modules).

Segmentation is credited to limit the effects of a single failure within a controller to the functions controlled by that controller. However, even with segmentation, erroneous signals that may result from a single failure, and that propagate to other controllers, are evaluated in this analysis for their effect on the functions controlled by those other controllers.

Segmentation can also be credited to limit the effect of a software defect to a single controller, regardless of that defect existing in multiple controllers. This can be done by demonstrating that each controller has different inputs and application programs. Therefore, the same defect is unlikely to be triggered in multiple controllers concurrently.

Due to the continuous operation of most control systems, triggered failures are self-announcing because they cause component repositioning. Therefore, when the defect is announced, it can be corrected in all controllers, before it causes a CCF of multiple controllers.

The detailed requirements of segmentation are described in Section 4.5. Although the segmentation of control functions makes the concurrent failure of multiple control functions highly unlikely, multiple concurrent failures of more than one control group due to a CCF are considered a credible failure and are evaluated in Section 5.3 as a beyond design basis event.

4.4.2. Redundancy
The control system is provided with the following redundancies in the platform design:

  • Digital processors
  • Input/output modules
  • Communication networks
  • Power supply

Non-safety system cabinets include redundant power supplies with auctioneered outputs to power the digital processors, I/O modules, and other system peripherals. No loss of function occurs when either power supply is turned off or on while the other supply is powered.

The non-safety system incorporates network communication configurations that have dual or redundant communication paths.

The non-safety system incorporates digital processors in configurations that have redundant processing.

A failure that results in shutdown of the primary processor will automatically hand off system functionality to a backup processor. The non-safety system incorporates redundancy with selected inputs or outputs.


There are different approaches available to incorporate this redundancy. Depending on the approach taken, component and instrument segmentation are considered to the extent needed to preserve the fault tolerance assumed in the safety analysis.

Failure of the primary controller would result in fail-over to the standby controller and an alarm. Failure of the standby controller would only result in an alarm as the primary controller is already controlling.

TS Redundancy enhances system availability against many component failures. However, redundancy cannot prevent the adverse effects of a failure that results in erroneous or spurious signals.

Therefore, redundancy is not credited in the Failure Type 1, 2, 3 or 4 analyses.


4.4.3. Diagnostic and Alarming Functions
For all applications the non-safety DCS controller is provided in a redundant-pair configuration for fault tolerance. The non-safety DCS controller is fully redundant, with a backup controller designed to operate in a masterless scheme. Each controller in the redundant pair executes the same application, with the primary controlling the outputs while the secondary tracks the primary. Fail-over detection and the switch of control to the backup process controller are performed automatically and smoothly.

The non-safety DCS controller utilizes multiple control areas to support multitasking and preemptive task scheduling. The controller has high-capacity control capability. The functions executed within one controller are typically limited only by the amount of memory or flash disk available, to execute simple or complex modulating and sequential control and by the throughput performance required for the application.

TS Diagnostic and alarming functions are not credited in the Failure Type 1, 2, 3 or 4 analyses.

4.4.4. Design Features of the Information Flat Panel Display

4.4.4.1. Design Features to Prevent Spurious Control Commands
TS

TS

TS

4.4.5. Design Features to Prevent CCF Due to Broadcast Storms on the DCN-I Network
TS

TS

4.4.6. Design Features to Cope with Broadcast Storms on the IFPD/ESCM Ethernet Networks
TS

Figure 4.1-1 Credible Failure Boundary of Control System CCF (Rev.1)
[Figure not reproduced in the extracted text; only its legend, note and acronym key are recoverable.]

Legend: Common platform for Safety I&C; Common platform for Non-Safety I&C; Diverse platform for DAS; Dedicated equipment for the System; Display or Soft control device; Safety System Data Network (SDN(AF100)); Data Communication Network-I (DCN-I); Serial Data Link (SDL(HSL)); Ethernet; Hardwired connection.

Note: Signal paths important to safety are shown only.

Acronyms used in Figure 4.1-1:
APC-S: Auxiliary Process Cabinet - Safety
CCG: Control Channel Gateway
CIM: Component Interface Module
CPCS: Core Protection Calculator System
CPM: Control Panel Multiplexer
DAS: Diverse Actuation System
DCN-I: Data Communication Network-Information
DIS: Diverse Indication System
DMA: Diverse Manual ESF
DPS: Diverse Protection System
ENFMS: Ex-core Neutron Flux Monitoring System
EOF: Emergency Operation Facility
ERDS: Emergency Response Data System
ESCM: ESF-CCS Soft Control Module
ESF-CCS: Engineered Safety Features - Component Control System
FIDAS: Fixed In-core Detector Amplifier System
G: Gateway
GC: Group Controller
I: Isolator
IFPD: Information Flat Panel Display
IPS: Information Processing System
ITP: Interface and Test Processor
LC: Loop Controller
LDP: Large Display Panel
MCR: Main Control Room
MI: Minimum Inventory
MSIS: Main Steam Isolation System
MTP: Maintenance and Test Panel
NPCS: NSSS Process Control System
OM: Operator Module
P-CCS: Process-Component Control System
PCS: Power Control System
PPS: Plant Protection System
QIAS-P/N: Qualified Indication & Alarm System - P / Non-safety
RCC: Remote Control Center
RSR: Remote Shutdown Room
RTSS: Reactor Trip Switchgear System
Rx: Reactor
SC: Safety Console
SODP: Shutdown Overview Display Panel
T/GCS: Turbine/Generator Control System
TSC: Technical Support Center
Txs: Transmitter

TS
Figure 4.1-2 Control System Overview

TS
Figure 4.1-3 Overview of 4 Credible Failure Types

TS
Figure 4.2-1 Internal Network of PCS and Other Non-safety I&C Systems

TS
Figure 4.4-1 Data Communication between the IFPD and DCS Controller

4.5. Segmentation
A majority of the plant components do not possess a unique functional identity, in that they are not individually important to the plant but are collectively important as part of a subsystem or group. Viewed simplistically, the valves in a fluid flow path are of little importance without the pump that drives the fluid, unless a major pressure difference exists. Conversely, the pump is of no value if the valves in the fluid flow path cannot be opened. This fundamental observation is the basis for the system configuration of the non-safety control system.

The grouping is performed on the non-safety control system design based on observing two levels of functional based grouping. This task is performed using the following methodology and definitions.

  • Functional grouping - The first level of grouping establishes a set of groupings that are consistent with the functional boundaries of the physical systems and system definitions, based on an overview of the grouping of systems and functions (e.g., primary systems, secondary systems, and support systems).
  • Component groupings - The second level of groupings follow a very simplistic perspective to further group components defined by functional grouping consistent with functional plant processes.

The functional grouping and component grouping are not credited in the Failure Type 1, 2, 3 or 4 analyses.

After functional grouping and component grouping, functional segmentation and component segmentation are applied for CSCCF to reduce the likelihood of potential credible failures and to mitigate their effects. Functional segmentation and component segmentation 1 and 2 are described in Sections 4.5.3, 4.5.4 and 4.5.5.

The functional segmentation and component segmentation are credited in Failure Type 1 and 2 analyses.

4.5.1. Functional Grouping
TS

TS
Figure 4.5-1 Critical Functions and Success Paths (Example)

4.5.1.1. Power Source Segregation
Plant components and the associated instrument loops are divided into the following power divisions:

Table 4.5-1 Segregation of Power Source

Power Division    Channel Designation
Non-Safety A      AB (N1)
Non-Safety B      BB (N2)

Components belonging to each division are grouped and assigned to controllers. Each division, AB and BB, has the number of groups required to satisfy the design philosophy.

All controllers are redundant and are powered from two separate power supplies within the same electrical division. Therefore, a credible failure of a power source has no adverse effect on any control functions.


4.5.2. Component Grouping
TS
Figure 4.5-2 Independent Configuration (Example)

Figure 4.5-3 Serial Configuration (Example)


TS
Figure 4.5-4 Parallel Configuration (Example)

4.5.3. Functional Segmentation
TS

4.5.4. Component Segmentation 1
TS
Figure 4.5-5 Component Segmentation 1 for SBCS Turbine Bypass Control

TS
Figure 4.5-6 Component Segmentation 1 for High Pressure FW Heater
TS

TS
Figure 4.5-7 SBCS Main Functional Block Diagram
TS
Figure 4.5-8 SBCS Permissive Functional Block Diagram

TS
Figure 4.5-9 HP FW Heater Functional Block Diagram

4.5.5. Component Segmentation 2
TS

4.5.6. Control Group
Control groups are assigned in accordance with the functional segmentation and component segmentation 1 and 2.

Refer to Table 4.5-2 for the control groups of the non-safety control systems and the segmentation methodology applied to each.
TS

Table 4.5-2 Control Group
TS

Table 4.5-3 Results of Screening Process for All Control Systems in the APR1400 Plant (Sh. 1 of 2)
TS

Table 4.5-3 Results of Screening Process for All Control Systems in the APR1400 Plant (Sh. 2 of 2)
TS

4.6. Redundant Controller for Availability Enhancement
Each DCS controller of the PCS and P-CCS is provided with redundant processors, power supplies, and data communication networks.

For NSSS control functions, PCS and NPCS use redundant control loop and control signal validation design as identified in Sections 4.8 and 5.1.1, Table 5.1-1, and Figure 4.1-3.

For RCP and BOP control functions, the following equipment control logic circuits are designed as completely redundant control loops. Each redundant control loop is provided with redundant controllers, each with its own I/O modules, and the two control circuits perform their functions completely separately from each other. The redundant controllers and I/O modules access the field data simultaneously; if one controller or I/O module fails, the other automatically takes over the control or data acquisition/signal initiation function without a bump.

  • Control logic for RCPs
  • Control logic for non-Class 1E 13.8 kV switchgear power circuit breakers
  • Control logic for non-Class 1E 4.16 kV switchgear power circuit breakers

Any single failure is annunciated in the MCR and RSR.

4.7. Interlock/Permissive Functions by Separate Control Group or Safety System
TS

Table 4.7-1 Control Limit and Interlocks on Digital Rod Control System

Conditions of Interlocks                                   Functions                                                     Signal Path
Upper electrical limit (UEL) and lower electrical limit    Interlock: Blocks control rod withdrawal or insertion in      RSPT -> DRCS (UEL, LEL)
(LEL) signals from the reed switch position transmitter    automatic, manual group and manual individual DRCS
(RSPT).                                                    control modes.
Automatic withdrawal prohibit (AWP) signals from RRS       Interlock: Blocks control rod withdrawal in automatic         RRS -> DRCS (AWP)
and SBCS when Tavg is much higher than Tref, Tcold is      DRCS control mode.                                            SBCS -> DRCS (AWP)
high, or any TBV opening demand is generated because
of excess energy in the NSSS.
Upper group stop (UGS) and lower group stop (LGS)          Control Limit: Blocks control rod withdrawal or insertion     DRCS (UGS, LGS)
function in the DRCS.                                      in automatic and manual group DRCS control modes.
CEA withdrawal prohibit (CWP) signal from PPS.             Interlock: Blocks control rod withdrawal in automatic,        PPS -> DRCS (CWP)
                                                           manual group and manual individual DRCS control modes.
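The interlock table above can be read as a small permissive policy: a rod-motion demand is passed to the drives only if no applicable interlock is asserted, and the interlocks that matter for the CSCCF argument are the ones that originate outside the rod-control group (RSPT limits, the AWP from RRS/SBCS, and the CWP from the PPS). The following is an added example, not code from the APR1400 DRCS or from KHNP, that encodes the rules of Table 4.7-1 and evaluates a demand against them. Representing each interlock as a boolean "active" flag, the function names, and the reading that UEL blocks withdrawal while LEL blocks insertion, are assumptions made for illustration.

```python
"""Rod-motion interlock evaluation modelled on Table 4.7-1 of this report.

Added example; not code from the APR1400 DRCS or from KHNP. Signal and mode
names follow the table. Modelling each interlock as a boolean flag, and taking
UEL to block withdrawal and LEL to block insertion, are assumptions.
"""

AUTOMATIC = "automatic"
MANUAL_GROUP = "manual group"
MANUAL_INDIVIDUAL = "manual individual"
ALL_MODES = frozenset({AUTOMATIC, MANUAL_GROUP, MANUAL_INDIVIDUAL})

WITHDRAW = "withdraw"
INSERT = "insert"

# One rule per row of Table 4.7-1:
# (signal, originating system, motions it blocks, DRCS modes in which it applies)
INTERLOCK_RULES = (
    ("UEL", "RSPT", frozenset({WITHDRAW}), ALL_MODES),
    ("LEL", "RSPT", frozenset({INSERT}), ALL_MODES),
    ("AWP", "RRS/SBCS", frozenset({WITHDRAW}), frozenset({AUTOMATIC})),
    ("UGS", "DRCS", frozenset({WITHDRAW}), frozenset({AUTOMATIC, MANUAL_GROUP})),
    ("LGS", "DRCS", frozenset({INSERT}), frozenset({AUTOMATIC, MANUAL_GROUP})),
    ("CWP", "PPS", frozenset({WITHDRAW}), ALL_MODES),
)


def blocking_interlocks(mode, motion, active_signals):
    """Return the (signal, source) pairs that block `motion` in `mode`.

    `active_signals` is the set of interlock signal names currently asserted.
    An empty result means the demand may pass to the rod drives.
    """
    if mode not in ALL_MODES:
        raise ValueError(f"unknown DRCS control mode: {mode!r}")
    if motion not in (WITHDRAW, INSERT):
        raise ValueError(f"unknown rod motion: {motion!r}")
    return [
        (signal, source)
        for signal, source, blocked, modes in INTERLOCK_RULES
        if signal in active_signals and motion in blocked and mode in modes
    ]


def motion_permitted(mode, motion, active_signals):
    return not blocking_interlocks(mode, motion, active_signals)


def blocked_only_by_external_interlocks(mode, motion, active_signals):
    """True when the demand is blocked solely by signals from outside the DRCS.

    This is the situation the report credits: a failure inside the rod-control
    group (its own UGS/LGS limit not asserting) is still caught by an interlock
    from a separate control group or safety system (RSPT, RRS/SBCS AWP, PPS CWP).
    """
    blockers = blocking_interlocks(mode, motion, active_signals)
    return bool(blockers) and all(source != "DRCS" for _, source in blockers)


if __name__ == "__main__":
    # Constructed scenario: a spurious automatic withdrawal demand while the
    # DRCS group-stop limit is not asserted, but the PPS has raised CWP.
    print(blocking_interlocks(AUTOMATIC, WITHDRAW, {"CWP"}))
```

The mode dependence matters for the analysis: an AWP from the RRS or SBCS blocks withdrawal only in automatic mode, so it offers no defence against a manual-group withdrawal, whereas the CWP from the PPS blocks withdrawal in every mode.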

4.8. Control Signal Validation
Where at least three identical process parameter inputs are available, including those of the control and safety systems, a valid process representative value (PRV) calculated in the information processing system (IPS) is used, where necessary, to select a valid control signal.

The control system acts on a sensor signal that is selected with reference to the PRV; the PRV itself is used only as a reference value for channel selection. In accordance with the control signal validation algorithm, the control signal is Channel 1, Channel 2, or the average of the two.

If the deviation between the input channels exceeds an acceptable level, the input channel with the smaller deviation from the PRV is used as the control signal.

Therefore, there are fewer challenges to plant safety due to control system errors, since failed sensors are detected and eliminated before they adversely impact control system performance.


An IPS failure would affect the control function only if there is an additional failure of an input channel. Refer to Subsection 7.7.1.1 of the DCD.
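The selection logic of Section 4.8, as an added example that is not code from the APR1400 DCS/IPS or from KHNP. It implements the rule stated above (average when the two control channels agree; otherwise the channel closer to the PRV) and exercises the cases the text makes claims about: a single channel failing low, an IPS failure alone, and an IPS failure combined with a channel failure. The report does not specify how the PRV is computed, what the acceptable deviation is, or what happens when no valid selection exists; here those are assumptions (median of at least three like-parameter inputs, a fixed deviation band supplied by the caller, and holding the last good value with an alarm).

```python
"""Control signal validation with two redundant control channels and a PRV.

Added example modelled on Section 4.8; not code from the APR1400 DCS/IPS or
from KHNP. Assumptions: PRV = median of >= 3 like-parameter inputs; the
deviation limit is a fixed engineering-unit band; when channels disagree and
no PRV is available, the last good value is held and an alarm is raised.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, Optional


@dataclass(frozen=True)
class Selection:
    value: Optional[float]  # control signal passed to the controller (None: nothing valid)
    source: str             # "average", "channel1", "channel2" or "hold"
    alarm: bool             # True when a channel was rejected or no selection was possible


def process_representative_value(inputs: Iterable[float]) -> Optional[float]:
    """Assumed PRV computation in the IPS: median of at least three inputs.

    Returns None with fewer than three inputs, which models an IPS/PRV failure.
    The median ensures a single failed input cannot drag the PRV with it.
    """
    values = list(inputs)
    if len(values) < 3:
        return None
    return median(values)


def validate_control_signal(channel1: float, channel2: float, prv: Optional[float],
                            deviation_limit: float,
                            last_good: Optional[float] = None) -> Selection:
    """Select the control signal from two redundant channels; the PRV is only a tiebreaker."""
    if abs(channel1 - channel2) <= deviation_limit:
        # Channels agree: use their average. The PRV is not consulted at all,
        # which is why an IPS failure on its own has no effect on control.
        return Selection((channel1 + channel2) / 2.0, "average", False)
    if prv is None:
        # Channels disagree AND no PRV: the IPS failure plus a channel failure
        # is the only combination in which IPS loss affects the control function.
        return Selection(last_good, "hold", True)
    # Channels disagree: keep the one with the smaller deviation from the PRV.
    if abs(channel1 - prv) <= abs(channel2 - prv):
        return Selection(channel1, "channel1", True)
    return Selection(channel2, "channel2", True)


# Constructed PZR pressure inputs (psia): two control channels plus three
# safety channels. Illustrative values only; not taken from the report.
SAFETY_CHANNELS = (2249.0, 2251.0, 2250.5)
DEVIATION_LIMIT = 10.0


def demo_normal() -> Selection:
    prv = process_representative_value((2250.0, 2252.0) + SAFETY_CHANNELS)
    return validate_control_signal(2250.0, 2252.0, prv, DEVIATION_LIMIT)


def demo_channel2_fails_low() -> Selection:
    prv = process_representative_value((2250.0, 0.0) + SAFETY_CHANNELS)
    return validate_control_signal(2250.0, 0.0, prv, DEVIATION_LIMIT)


def demo_ips_failed_channels_agree() -> Selection:
    return validate_control_signal(2250.0, 2252.0, None, DEVIATION_LIMIT)


def demo_ips_failed_and_channel_fails() -> Selection:
    return validate_control_signal(2250.0, 0.0, None, DEVIATION_LIMIT, last_good=2251.0)


if __name__ == "__main__":
    for demo in (demo_normal, demo_channel2_fails_low,
                 demo_ips_failed_channels_agree, demo_ips_failed_and_channel_fails):
        print(demo.__name__, demo())
```

Note that the failed channel in the second scenario is also one of the PRV inputs; the median still lands on a healthy value, which is the property that lets the PRV serve as a reference even when one of its own inputs is the failed one.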

TS
Figure 4.8-1 Control Signal Validation

4.9. Non-safety Control Signals Sent to ESF-CCS
TS

4.9.1. Evaluation of the Non-safety Control Signal for CVCS
TS

TS
Figure 4.9-1 Non-safety Control Signals Sent from P-CCS to ESF-CCS for ESF Valves (Typical)

TS
Figure 4.9-2 ESF-CCS Control Logic against Non-Safety Signal Failure

TS
Figure 4.9-3 Non-safety Control Signals Sent from P-CCS to ESF-CCS for Reactor Coolant Makeup

4.9.2. Evaluation of the Non-safety Control Signal for Class 1E 4.16kV System
TS

TS
Figure 4.9-4 Configuration of Class 1E 4.16kV Bus
TS
Figure 4.9-5 Simplified Signal Flow for UAT-PCB and SAT-PCB

4.9.3. Evaluation of Other Non-safety Control Signals
TS

4.9.3.1. Evaluation of the Non-safety Control Signal for Case A
Figure 4.9-6 Simplified ESF-CCS Control Logic for Case A

4.9.3.2. Evaluation of the Non-safety Control Signal for Case B
TS
Figure 4.9-7 Simplified ESF-CCS Control Logic for Case B

Table 4.9-1 Non-safety Control Signals sent from P-CCS to ESF-CCS (Sh. 1 of 3)
TS

Table 4.9-1 Non-safety Control Signals sent from P-CCS to ESF-CCS (Sh. 2 of 3)
TS

Table 4.9-1 Non-safety Control Signals sent from P-CCS to ESF-CCS (Sh. 3 of 3)
TS

4.10. CCF Analysis of Embedded Devices in Field Equipment
TS
Table 4.10-1 Embedded Digital Device Types used in Non-safety Systems

4.10.1. Evaluation for the CCF of Non-safety Field Instruments
TS

TS

4.10.2. Evaluation for the CCF of Non-safety Field Actuators
TS

4.10.3. Evaluation for the Effect on Field Instruments due to Controller Failures

4.10.4. Evaluation for the Effect on Field Actuators due to Controller Failures
TS


5. EVALUATION METHOD AND RESULTS
This section describes the evaluation methods and results for the postulated CSCCF. For each Failure Type, the limiting initiating events caused by CSCCF are selected and qualitative evaluations are performed to verify that the consequences of those initiating events are bounded by the acceptance criteria of the design basis accidents presented in DCD Chapter 15. Where necessary for some events, quantitative evaluations are performed to confirm that the analysis acceptance criteria are met.

The expected failures due to a shared signal failure and CSCCF are divided into four types as follows.

  • Failure Type 1 : multiple function failures due to a single failure of a shared signal
  • Failure Type 2 : multiple failures of a single control group due to CSCCF
  • Failure Type 3 : multiple failures of more than one control group due to CSCCF
  • Failure Type 4 : multiple failures of IFPD control commands due to CSCCF

Initiating events are those events that upset plant stability and challenge critical safety functions during shutdown as well as power operation. The following challenges to critical safety functions, which can challenge the analysis acceptance criteria, are considered in determining the limiting initiating events for Failure Types 1, 2, 3 and 4.
  • Challenge to primary system integrity
  • Challenge to offsite dose limit
  • Challenge to containment integrity

However, a challenge to containment integrity is not of concern, because a control system failure of any type, including a CCF, cannot cause a pipe break inside containment.


5.1. Failure Type 1: Multiple Failures due to a Single Failure of a Shared Signal
As shown in Table 5.1-1, the shared signals of the APR1400 primary and secondary systems are reactor power, PZR pressure, RCS average temperature, turbine load index, PZR level, SG steam flow, steam header pressure and non-Class 1E 13.8 kV Lo-Lo. Table 5.1-1 addresses all shared signals whose failure causes multiple function failures in two or more control groups.

As shown in Table 5.1-1 and Figure 4.1-3, a shared signal is connected to one or more control groups. The signal is shared by multiple functions within that control group and by other TS functions in the other control groups.

The cases for the failed shared signal are presented in Table 5.1-1 and are evaluated as Failure Type 1 in Section 5.1.

TS

5.1.1. Assumptions Used in the Evaluation
The following assumptions are used in the evaluation.

TS

TS

5.1.2. Initial Conditions
The initial conditions of the Failure Type 1 events are the same as those of the DCD Chapter 15 events.

5.1.3. Acceptance Criteria
The acceptance criteria for Failure Type 1 events are the same as those for the DCD Chapter 15 AOOs.

  • Maximum RCS pressure: less than 110% of design value
  • Maximum SG pressure: less than 110% of design value
  • Fuel failure: transient departure from nucleate boiling ratio (DNBR) does not violate the specified acceptable fuel design limit (SAFDL)

5.1.4. Evaluation Results
When a single failure of a shared signal occurs, multiple failures in two or more control groups can occur. The following shared signals are evaluated for both the fail-high and the fail-low condition.
  • Reactor power
  • PZR pressure
  • RCS average temperature
  • Turbine load index
  • PZR level
  • SG steam flow


  • Steam header pressure
  • Non-Class 1E 13.8 kV Lo-Lo

The evaluation results are shown in Table 5.1-2.
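The screening rule of this section (only a shared signal that reaches two or more control groups is carried into Table 5.1-1, and each such signal is evaluated fails-high and fails-low) together with the three acceptance criteria of Subsection 5.1.3 can be stated as a short program. The following Python is an added example and is not part of this report or of the APR1400 design documentation: the wiring of shared signals to control groups is a constructed assumption standing in for the proprietary Table 5.1-1 (only the signal names and the control group names of Subsection 5.2.4 are taken from the report), and the design values in the demo are placeholders, not plant data.

```python
"""Failure Type 1 screening and the AOO acceptance check (Section 5.1).

Added example, not part of APR1400-Z-J-NR-14012-NP. The wiring of shared
signals to control groups below is a CONSTRUCTED assumption standing in for
the proprietary Table 5.1-1; only the signal names and group names are taken
from the report. The design values used in the demo are placeholders too.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed wiring (assumption): control groups that consume each shared
# signal. A signal feeding only one group cannot produce a Type 1 event.
SHARED_SIGNALS: Dict[str, List[str]] = {
    "reactor power": ["SBCS main", "FWCS 1", "FWCS 2", "RRS/RPCS"],
    "PZR pressure": ["PPCS", "RRS/RPCS"],
    "RCS average temperature": ["RRS/RPCS", "SBCS main"],
    "turbine load index": ["RRS/RPCS", "SBCS main", "FWCS 1", "FWCS 2"],
    "PZR level": ["PLCS", "CVCS"],
    "SG 1 steam flow": ["FWCS 1"],
    "steam header pressure": ["SBCS main", "TCS"],
    "non-Class 1E 13.8 kV Lo-Lo": ["RCP", "feedwater pumps on/off"],
}

FAIL_MODES = ("high", "low")  # each shared signal is evaluated fails-high and fails-low


@dataclass(frozen=True)
class SignalFailureCase:
    signal: str
    mode: str
    affected_groups: Tuple[str, ...]


def screen_shared_signals(wiring: Dict[str, List[str]] = SHARED_SIGNALS,
                          min_groups: int = 2) -> List[SignalFailureCase]:
    """Keep every (signal, mode) whose single failure reaches at least
    `min_groups` control groups; these are the Failure Type 1 cases."""
    cases: List[SignalFailureCase] = []
    for signal, groups in wiring.items():
        affected = tuple(sorted(set(groups)))
        if len(affected) < min_groups:
            continue  # single-group failure: handled as Failure Type 2, not here
        for mode in FAIL_MODES:
            cases.append(SignalFailureCase(signal, mode, affected))
    return cases


@dataclass(frozen=True)
class TransientResult:
    peak_rcs_pressure: float  # same unit as the design value it is compared to
    peak_sg_pressure: float
    min_dnbr: float


@dataclass(frozen=True)
class Limits:
    rcs_design_pressure: float
    sg_design_pressure: float
    dnbr_safdl: float


def violated_criteria(result: TransientResult, limits: Limits) -> List[str]:
    """Subsection 5.1.3 criteria: peak RCS and SG pressure below 110 % of the
    design value, and the transient DNBR never below the SAFDL. Returns the
    names of the criteria the result violates (empty list = acceptable)."""
    failed: List[str] = []
    if result.peak_rcs_pressure >= 1.10 * limits.rcs_design_pressure:
        failed.append("RCS pressure")
    if result.peak_sg_pressure >= 1.10 * limits.sg_design_pressure:
        failed.append("SG pressure")
    if result.min_dnbr < limits.dnbr_safdl:
        failed.append("DNBR/SAFDL")
    return failed


def meets_aoo_criteria(result: TransientResult, limits: Limits) -> bool:
    """True when none of the three AOO acceptance criteria is violated."""
    return not violated_criteria(result, limits)


if __name__ == "__main__":
    for case in screen_shared_signals():
        print(f"{case.signal} fails {case.mode}: affects {', '.join(case.affected_groups)}")
    # Placeholder design values (assumption, not APR1400 data).
    demo_limits = Limits(rcs_design_pressure=17.0, sg_design_pressure=8.0, dnbr_safdl=1.30)
    demo = TransientResult(peak_rcs_pressure=18.5, peak_sg_pressure=8.5, min_dnbr=1.35)
    print("acceptable" if meets_aoo_criteria(demo, demo_limits)
          else violated_criteria(demo, demo_limits))
```

With the constructed wiring the screen keeps fourteen cases (seven signals that reach two or more groups, each fails-high and fails-low) and drops the SG 1 steam flow signal, which feeds one group only; the peak values fed to the criteria check would come from the transient analysis summarised in Table 5.1-2.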

5.1.4.1. Reactor power signal fails low

TS This evaluation is summarized in Table 5.1-2 (Sh. 1 of 18).

Therefore, this failure is bounded by DCD Chapter 15.2.3 (Loss of condenser vacuum, LOCV).

TS

5.1.4.2. Reactor power signal fails high

TS This evaluation is summarized in Table 5.1-2 (Sh. 2 of 18).

This failure is bounded by DCD Chapter 15.1.2 (Increase in feedwater flow).

TS

5.1.4.3. PZR pressure fails low

TS This evaluation is summarized in Table 5.1-2 (Sh. 3 of 18). TS This failure is bounded by DCD Chapter 15.2.3 (Loss of condenser vacuum).

5.1.4.4. PZR pressure fails high

TS This evaluation is summarized in Table 5.1-2 (Sh. 4 and 5 of 18).

The CPCS is designed on the basis of the pressurizer spray malfunction event results so that fuel failure is prevented. No fuel failure occurs because the CPCS generates the low DNBR trip signal before the transient DNBR reaches the SAFDL.

5.1.4.5. RCS temperature fails low

TS

TS This evaluation is summarized in Table 5.1-2 (Sh. 6 of 18).

Therefore, this failure is bounded by DCD Chapter 15.4.2 (Uncontrolled Control Element Assembly Withdrawal at Power).

TS

5.1.4.6. RCS temperature fails high

TS This evaluation is summarized in Table 5.1-2 (Sh. 7 of 18). TS This failure is bounded by DCD Chapter 15.4.3 (Control Element Assembly Misoperation).

TS

5.1.4.7. TLI fails low

TS This evaluation is summarized in Table 5.1-2 (Sh. 8 of 18).

This failure is bounded by DCD Chapter 15.4.3 (Control Element Assembly Misoperation). This failure is not more severe than the dropped CEA event of DCD Chapter 15.4.3 in terms of the CEA insertion time.

5.1.4.8. TLI fails high

TS This evaluation is summarized in Table 5.1-2 (Sh. 9 of 18). TS This failure is bounded by DCD Chapters 15.4.1 and 15.4.2 (uncontrolled CEA withdrawal at low power and at power).

5.1.4.9. PZR level fails low

TS This evaluation is summarized in Table 5.1-2 (Sh. 10 of 18).

This failure is bounded by DCD Chapter 15.5.2 (CVCS malfunction that increases the reactor coolant inventory).

5.1.4.10. PZR level fails high

TS

TS This evaluation is summarized in Table 5.1-2 (Sh. 11 of 18).

Therefore, this failure is bounded by DCD Chapter 15.6.2 (Failure of small lines carrying primary coolant outside the containment).

5.1.4.11. SG 1 steam flow fails low

TS Therefore, a reactor trip does not occur during this failure and normal operation is maintained. The evaluation result is shown in Table 5.1-2 (Sh. 12 of 18).

5.1.4.12. SG 2 steam flow fails low

TS This evaluation is summarized in Table 5.1-2 (Sh. 13 of 18).

Therefore, reactor trip does not occur during this failure and normal operation is maintained continuously.

5.1.4.13. SG 1 steam flow fails high

TS This evaluation result is shown in Table 5.1-2 (Sh. 14 of 18).

This failure is bounded by DCD Chapter 15.1.4 (Inadvertent opening of a steam generator relief or safety valve).

TS

5.1.4.14. SG 2 steam flow fails high

TS The evaluation result is shown in Table 5.1-2 (Sh. 15 of 18).

Therefore, reactor trip does not occur during the failure and normal operation is maintained continuously.

5.1.4.15. Steam header pressure fails low

TS The evaluation result is shown in Table 5.1-2 (Sh. 16 of 18).

Therefore, this failure is bounded by DCD Chapter 15.2.3 (Loss of condenser vacuum).

5.1.4.16. Steam header pressure fails high

TS This evaluation result is shown in Table 5.1-2 (Sh. 17 of 18).

This failure is bounded by DCD Chapter 15.1.2 (Increase in feedwater flow).

5.1.4.17. Non-Class 1E 13.8 kV Lo-Lo

TS

TS Therefore, this failure is bounded by DCD Chapter 15.2.6 (Loss of Nonemergency AC Power).

Therefore, this failure is bounded by DCD Chapter 15.2.6 (Loss of Nonemergency AC Power).

The failure is bounded by DCD Chapter 15.2.6 (Loss of nonemergency AC power).

This evaluation result is shown in Table 5.1-2 (Sh. 18 of 18).


5.2. Failure Type 2: Multiple Failures due to a Single Control Group

5.2.1. Selection of Initiating Events

An input failure or a CSCCF of a control group causes the spurious outputs of that control group to fail high, fail low or fail as-is. Multiple failures of a single control group are assumed as initiating events with respect to fuel cladding integrity and primary system integrity. Two worst combinations of multiple failures are selected separately, one for fuel cladding integrity and one for primary system integrity.

The control group segmentation is presented in Table 5.2-1, and the eighteen cases of spurious component actuation due to a single control group failure are evaluated as shown in Tables 5.2-2 through 5.2-18.

5.2.2. Assumptions Used in the Evaluation

The following assumptions are used in the evaluation. TS

5.2.3. Acceptance Criteria

TS

5.2.4. Evaluation Results

5.2.4.1. Turbine Bypass Control (SBCS Main)

TS Based on the above evaluation, it is concluded that multiple failures of the SBCS main control group have no effect on the plant and do not cause plant conditions more severe than the analysis of the DCD Chapter 15 AOOs. The evaluation result is shown in Table 5.2-2.

5.2.4.2. Turbine Bypass Control (SBCS Permissive)

This failure is the same as multiple failures of SBCS main control group described in Subsection 5.2.4.1.

Therefore, it is concluded that multiple failures of the SBCS permissive control group have no effect on the plant and do not cause plant conditions more severe than the analysis of the DCD Chapter 15 AOOs. The evaluation result is shown in Table 5.2-3.

5.2.4.3. SG #1 Feedwater Control (FWCS 1)

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the FWCS 1 control group are bounded by DCD Chapters 15.1.2 and 15.2.7. The evaluation result is shown in Table 5.2-4.

5.2.4.4. SG #2 Feedwater Control (FWCS 2)

The failure of the FWCS 2 control group results in the same erroneous control outputs for SG #2 and causes the same plant transients as the failure of the FWCS 1 control group described in Subsection 5.2.4.3.

Therefore, the event consequences for multiple failures of the FWCS 2 control group are bounded by DCD Chapters 15.1.2 and 15.2.7 events. The evaluation result is shown in Table 5.2-5.

5.2.4.5. Pressurizer Pressure Control (PPCS)

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the PPCS control group meet the AOO acceptance criteria with respect to fuel integrity and primary pressure integrity, because the RPS and CPCS are designed to ensure primary pressure and fuel integrity. The evaluation result is shown in Table 5.2-6.


5.2.4.6. Pressurizer Level Control (PLCS)

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the PLCS control group are bounded by DCD Chapters 15.5.2 and 15.6.2. The evaluation result is shown in Table 5.2-7.

5.2.4.7. Reactor Makeup Control (CVCS)

TS

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the CVCS control group are bounded by the DCD Chapter 15.4.6 and 15.5.2 events. This evaluation result is shown in Table 5.2-8.

TS

5.2.4.8. Control Rod Control (RRS/RPCS)

TS

TS

TS

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the RRS/RPCS control group are bounded by the events presented in DCD Chapters 15.4.1 and 15.4.2 and meet the fuel and system pressure design limits. This evaluation result is shown in Table 5.2-9 (Sh. 2 of 2).

5.2.4.9. Control Rod Control (DRCS)

TS

5.2.4.10. Reactor Coolant Pump Control

TS Therefore, it is concluded that the event consequences for multiple failures of the RCP control group are bounded by the event presented in DCD Chapter 15.3.1. This evaluation result is shown in Table 5.2-11.

5.2.4.11. HP Feedwater Heater Train A

TS

TS Therefore, it is concluded that the event consequences for multiple failures of the HP feedwater heater train A control group are bounded by the events presented in DCD Chapters 15.1.1 and 15.2.7 with respect to fuel cladding integrity and primary system integrity. This evaluation result is shown in Table 5.2-12.

5.2.4.12. HP Feedwater Heater Train B

This failure causes the same effect as multiple failures of the HP feedwater heater train A control group described in Subsection 5.2.4.11. Therefore, the event consequences for multiple failures of the HP feedwater heater train B control group are bounded by the events presented in DCD Chapters 15.1.1 and 15.2.7 with respect to fuel cladding integrity and primary system integrity. This evaluation result is shown in Table 5.2-12.

5.2.4.13. HP Feedwater Heater Bypass Line

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the HP feedwater heater bypass line control group are bounded by the event presented in DCD Chapter 15.1.2 with respect to fuel cladding integrity. This evaluation result is shown in Table 5.2-13.

5.2.4.14. Feedwater Pumps On/Off

TS Based on the above evaluation, it is concluded that the event consequences for multiple failures of the feedwater pumps on/off control group are bounded by the events presented in DCD Chapters 15.1.2 and 15.2.7. This evaluation result is shown in Table 5.2-14.

5.2.4.15. Non-1E AC Power to the Station Auxiliaries (13.8 kV Non-Class 1E System)

TS The loss of flow (LOF) event discussed in DCD Chapter 15.3.1 gives the most conservative prediction for fuel cladding integrity. Therefore, the event consequences for multiple failures of the non-Class 1E AC power to the station auxiliaries (13.8 kV) control group are bounded by the event presented in DCD Chapter 15.3.1. This evaluation result is shown in Table 5.2-15.

5.2.4.16. Condenser Vacuum and LP Feedwater Heater Control

TS

TS Therefore, it is concluded that the event consequences for the failure of the condenser vacuum and LP heater control group are bounded by the events presented in DCD Chapters 15.1.1, 15.2.3 and 15.2.7 with respect to fuel cladding integrity and primary system integrity. This evaluation result is shown in Table 5.2-16.

5.2.4.17. Turbine Control System (TCS)

TS Therefore, it is concluded that the event consequences for multiple failures of the turbine control group are bounded by the DCD Chapter 15.2.2 event. This evaluation result is shown in Table 5.2-17.

5.2.4.18. Miscellaneous BOP Control

TS Therefore, it is concluded that the event consequences for the failure of the miscellaneous BOP control group are bounded by the events presented in DCD Chapters 15.1.1, 15.2.3 and 15.2.7 with respect to fuel cladding integrity and primary system integrity. This evaluation result is shown in Table 5.2-18.

5.2.5. Conclusion

For Failure Type 2, qualitative evaluations are performed to verify and demonstrate that the results of initiating events caused by all possible multiple failures of a single control group are bounded by the acceptance criteria of the AOOs presented in DCD Chapter 15.


5.3. Failure Type 3: Multiple Failures of More than One Control Group

5.3.1. Selection of Initiating Events

Multiple failures of more than one control group due to a software design defect or a CSCCF cause spurious output signals from the affected control groups, as high, low or as-is. Multiple failures of more than one control group are assumed as initiating events with respect to fuel cladding integrity and primary system integrity. Two worst combinations of multiple failures are selected separately, one for fuel cladding integrity and one for primary system integrity. A combination keeps a control group in normal operation where normal operation of that group produces the more severe result.
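The selection rule of Subsection 5.2.1 and of this subsection is an exhaustive search: every element (each output of one control group for Failure Type 2, each whole control group for Failure Type 3) takes one of the spurious states, the resulting combinations are ranked separately for fuel cladding integrity and for primary system integrity, and for Type 3 a group may also stay in normal operation when that is worse. The following Python is an added example and not the report's method of ranking the combinations: the control group names come from Subsection 5.2.4, while the severity weights are constructed placeholders standing in for the transient analysis and carry no plant information.

```python
"""Worst-combination selection for Failure Types 2 and 3 (Sections 5.2.1, 5.3.1).

Added example, not part of APR1400-Z-J-NR-14012-NP. The control group names
come from Subsection 5.2.4; the severity weights are CONSTRUCTED placeholders
standing in for the transient analysis and carry no plant information.
"""
from itertools import product
from typing import Callable, Dict, Sequence, Tuple

Combination = Dict[str, str]
Objective = Callable[[Combination], float]

# Spurious output states a CSCCF can drive an element to (Subsection 5.2.1),
# plus "normal": Subsection 5.3.1 keeps a group in normal operation when
# that makes the combination worse.
TYPE2_MODES = ("high", "low", "as-is")
TYPE3_MODES = TYPE2_MODES + ("normal",)

# Constructed additive severity weights (assumption), one table per figure of
# merit; larger means more challenging to the named limit. Pairs not listed
# contribute nothing.
FUEL_CLADDING_WEIGHTS: Dict[Tuple[str, str], float] = {
    ("RRS/RPCS", "high"): 3.0, ("FWCS 1", "low"): 2.0, ("PPCS", "low"): 1.5,
    ("SBCS main", "high"): 1.0, ("PLCS", "normal"): 0.5,
}
PRIMARY_PRESSURE_WEIGHTS: Dict[Tuple[str, str], float] = {
    ("PPCS", "low"): 2.5, ("FWCS 1", "low"): 2.0, ("SBCS main", "low"): 1.5,
    ("PLCS", "high"): 1.0, ("RRS/RPCS", "high"): 0.5,
}


def additive_objective(weights: Dict[Tuple[str, str], float]) -> Objective:
    """Severity of a combination as the sum of its per-element weights."""
    return lambda combo: sum(weights.get(item, 0.0) for item in combo.items())


def worst_combinations(elements: Sequence[str], modes: Sequence[str],
                       objectives: Dict[str, Objective]) -> Dict[str, Tuple[Combination, float]]:
    """Exhaustively assign one mode to every element (the outputs of one group
    for Type 2, or whole groups for Type 3) and return, for each objective
    separately, the highest-scoring assignment. Ties keep the first found."""
    worst: Dict[str, Tuple[Combination, float]] = {}
    for assignment in product(modes, repeat=len(elements)):
        combo = dict(zip(elements, assignment))
        for name, score in objectives.items():
            value = score(combo)
            if name not in worst or value > worst[name][1]:
                worst[name] = (combo, value)
    return worst


GROUPS = ("RRS/RPCS", "FWCS 1", "PPCS", "SBCS main", "PLCS")
OBJECTIVES = {
    "fuel cladding integrity": additive_objective(FUEL_CLADDING_WEIGHTS),
    "primary system integrity": additive_objective(PRIMARY_PRESSURE_WEIGHTS),
}

if __name__ == "__main__":
    for name, (combo, value) in worst_combinations(GROUPS, TYPE3_MODES, OBJECTIVES).items():
        print(f"{name}: score {value} with {combo}")
```

Running the search with TYPE3_MODES picks a different combination for each of the two objectives, and with the constructed weights the fuel cladding case is worse when PLCS is left in normal operation, which is exactly the situation the "include normal operation" rule of this subsection is there to capture; with TYPE2_MODES that option is unavailable and the score drops. In the report the scoring is the RELAP5 transient analysis rather than a weight table, but the enumeration and the separate selection per figure of merit are the same.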

5.3.2. Assumptions Used in the Evaluation

TS

TS

5.3.3. Initial Conditions

TS

5.3.4. Acceptance Criteria

TS

5.3.5. Evaluation Results

5.3.5.1. Fuel cladding integrity (Event 1)

TS

5.3.5.2. Primary system integrity (Event 2)

TS

TS

5.3.6. Conclusion

The worst combinations of multiple control group failures with respect to fuel cladding integrity and primary system integrity are evaluated.

TS In conclusion, the worst-case scenarios in terms of fuel cladding and primary system integrity have been verified by quantitative analysis to be bounded by the consequences of the DCD Chapter 15 PAs.

5.4. Failure Type 4: Multiple Failures of IFPD Control Commands

Multiple failures of IFPD control commands due to a software design defect are assumed as initiating events with respect to fuel cladding integrity and primary system integrity. TS

, it is concluded that the worst case scenarios for the multiple failures of IFPD commands are bounded by the consequences of DCD Chapter 15 PA. Refer to Tables 5.4-1 and 5.4-2.


Table 5.1-1 Shared Signals (Sh. 1 of 2) TS
Table 5.1-1 Shared Signals (Sh. 2 of 2) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 1 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 2 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 3 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 4 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 5 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 6 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 7 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 8 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 9 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 10 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 11 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 12 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 13 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 14 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 15 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 16 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 17 of 18) TS
Table 5.1-2 Multiple Failure due to a Single Failure of Shared Signals (Sh. 18 of 18) TS
Table 5.2-1 Control Group Segmentation (Sh. 1 of 3) TS
Table 5.2-1 Control Group Segmentation (Sh. 2 of 3) TS
Table 5.2-1 Control Group Segmentation (Sh. 3 of 3) TS
Table 5.2-2 Multiple Failures of Single Control Group (SBCS Main) TS
Table 5.2-3 Multiple Failures of Single Control Group (SBCS Permissive) TS
Table 5.2-4 Multiple Failures of Single Control Group (FWCS1) TS
Table 5.2-5 Multiple Failures of Single Control Group (FWCS2) TS
Table 5.2-6 Multiple Failures of Single Control Group (PPCS) TS
Table 5.2-7 Multiple Failures of Single Control Group (PLCS) TS
Table 5.2-8 Multiple Failures of Single Control Group (CVCS) TS
Table 5.2-9 Multiple Failures of Single Control Group (RRS/RPCS) (Sh. 1 of 2) TS
Table 5.2-9 Multiple Failures of Single Control Group (RRS/RPCS) (Sh. 2 of 2) TS
Table 5.2-10 Multiple Failures of Single Control Group (DRCS) TS
Table 5.2-11 Multiple Failures of Single Control Group (RCP) TS
Table 5.2-12 Multiple Failures of Single Control Group (HP FW Heater) TS
Table 5.2-13 Multiple Failures of Single Control Group (HP FW Heater Bypass Line) TS
Table 5.2-14 Multiple Failures of Single Control Group (FW Pump On/Off) TS
Table 5.2-15 Multiple Failures of Single Control Group (Non-1E AC Power to the Station Auxiliaries - 13.8 kV) TS
Table 5.2-16 Multiple Failures of Single Control Group (Condenser Vacuum Control) TS
Table 5.2-17 Multiple Failures of Single Control Group (Turbine Control System) TS
Table 5.2-18 Multiple Failures of Single Control Group (Miscellaneous BOP Control) TS
Table 5.3-1 Assumptions for Event 1 TS
Table 5.3-2 Assumptions for Event 2 TS
Table 5.3-3 Initialization of RELAP5 for Nominal Initial Condition TS
Table 5.3-4 Sequence of Major Events for Event 1 TS
Table 5.3-5 Sequence of Major Events for Event 2 TS
Table 5.4-1 Multiple Failures of IFPD Control Commands - Fuel Cladding Integrity TS
Table 5.4-2 Multiple Failures of IFPD Control Commands - Primary System Integrity TS

Figure 5.3-1 Core Power (Event 1) TS
Figure 5.3-2 Pressurizer Pressure (Event 1) TS
Figure 5.3-3 Safety Injection Flow (Event 1) TS
Figure 5.3-4 SG Pressure (Event 1) TS
Figure 5.3-5 DNBR (Event 1) TS
Figure 5.3-6 Core Power (Event 2) TS
Figure 5.3-7 RCP Discharge Pressure - Short Term (Event 2) TS
Figure 5.3-8 RCP Discharge Pressure - Long Term (Event 2) TS
Figure 5.3-9 POSRV Flow (Event 2) TS
Figure 5.3-10 SG Pressure (Event 2) TS


6. CONCLUSIONS

The following failure types, caused by a shared signal failure or a CSCCF, are evaluated to confirm that the DCD Chapter 15 event analyses remain bounding and that the analysis acceptance criteria are met.
  • Failure Type 1 : multiple function failures due to a single failure of a shared signal
  • Failure Type 2 : multiple failures of a single control group due to a CSCCF
  • Failure Type 3 : multiple failures of more than one control group due to a CSCCF
  • Failure Type 4 : multiple failures of IFPD control commands due to a CSCCF

For Failure Types 1 and 2, qualitative evaluations are performed to verify and demonstrate that the results of initiating events caused by all possible multiple failures are bounded by the acceptance criteria of the AOOs presented in DCD Chapter 15.

For Failure Types 3 and 4, the worst combinations of multiple failures of control groups with respect to fuel cladding integrity and primary system integrity are quantitatively evaluated using the RELAP5 code. The analysis results verify that the worst-case scenarios for fuel cladding and primary system integrity are bounded by the acceptance criteria of the PAs presented in DCD Chapter 15.

The evaluation concludes that none of the multiple failures caused by a shared signal failure or a CSCCF causes plant conditions that exceed the acceptance criteria of the DCD Chapter 15 AOOs and PAs.



7. REFERENCES
1. NUREG-0800, USNRC Standard Review Plan, Revision 3, 15.0 Introduction - Transient and Accident Analyses, March 2007.
2. DI&C-ISG-04, Highly Integrated Control Rooms - Communications Issues, Rev. 1, 2009
3. IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.
4. APR1400-Z-J-NR-14013-P, Response Time Analysis of Safety I&C System, January 2018.
5. APR1400-Z-J-NR-14002-P, Diversity and Defense-in-Depth, January 2018.



8. DEFINITIONS
1. Acceptance Criteria
Practical and reasonable objective pass/fail tests that identify approved requirements. A criterion may be qualitative or quantitative, and it defines sufficiency, not optimality.
2. Penalty factor
A multiplicative number necessary to ensure that the CPCS calculates DNBR and LPD (local power density) conservatively.