ML18205A637

Korea Hydro & Nuclear Power Co., Ltd - Revised Response to RAI 356-7881 for the Question 07-18 (Rev.3)
ML18205A637
Person / Time
Site: 05200046
Issue date: 07/24/2018
From:
Korea Electric Power Corp, Korea Hydro & Nuclear Power Co, Ltd
To:
Office of New Reactors
Shared Package
ML18205A636 List:
References
MKD/NW-18-0113L


Text

07-18_Rev.3 - 1 / 3 KEPCO/KHNP

REVISED RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION

APR1400 Design Certification
Korea Electric Power Corporation / Korea Hydro & Nuclear Power Co., LTD
Docket No. 52-046

RAI No.: 356-7881
SRP Section: 07 - Instrumentation and Controls - Overview of Review Process
Application Section:

Date of RAI Issue: 01/04/2016

Question No. 07-18

Describe the mechanisms in place that would allow operators to determine whether the QIAS-N and IFPDs have undergone a failure.

10 CFR 50.55a(h)(3) requires compliance with IEEE Std 603-1991. IEEE Std. 603-1991, Clause 5.6.3, states, in part, that the safety system design shall be such that credible failure in and consequential actions by other systems, as documented in Clause 4.8 of the design basis section of this standard, shall not prevent the safety systems from meeting the requirements of this standard. The QIAS-N and IFPDs, located in the main control room (MCR), provide alarm, display and controls for operators. In Section 7.7.1.4 of APR1400 FSAR Tier 2, regarding the IFPDs, the applicant states that, "If a data communication error occurs, an appropriate message is generated." For information displays, the applicant does not appear to state in the licensing documentation how an operator can determine whether a failure such as a common cause failure has occurred such that the displays are frozen up or affected by some other means. Therefore, it is not apparent that an appropriate error message could be generated to alert the operator(s) to a random or common cause failure, for non-safety or safety displays. Failures of the IFPDs are addressed in Technical Report APR1400-Z-J-NR-14012-P, Rev.0, Control System CCF Analysis. However, this document does not address how operators would make the initial determination that IFPDs have experienced a failure of some type.

Describe the mechanisms, procedures, or processes in place for the APR1400 design that would allow operators to be alerted to a failure of either the QIAS-N or the IFPDs (e.g. frozen displays or controls).

Response - (Rev.3)

The applicant's response to RAI 323-8281 07.03-19 provides the mechanisms that will alert operators when the information flat panel display (IFPD) is malfunctioning.

The QIAS-N processor receives safety system signals via the ITP. The QIAS-N MTP receives non-safety system signals via the multi-channel gateway. Isolation devices are used between the ITP and QIAS-N processor, and between the multi-channel gateway and QIAS-N MTP.

The QIAS-N processor performs applicable calculations based on the data received from the safety systems and non-safety systems. The QIAS-N MTP provides maintenance and testing means of the QIAS-N, and a gateway function with the multi-channel gateway to provide communication from the non-safety P-CCS. The QIAS-N server contains the process database, updates the values and status of the database records, executes the alarm processing function, and functions as a gateway between the QIAS-N network and QIAS-N display network.

The data from the QIAS-N processor (safety system signals) and the data from the QIAS-N MTP (non-safety system signals) are broadcast on the QIAS-N network. The QIAS-N server captures the data from the QIAS-N network and updates the QIAS-N process database. The QIAS-N server then broadcasts the data on the QIAS-N display network for indication on the QIAS-N displays (QIAS-N FPDs, mini-LDPs, and SODPs).

To inform the operator of a QIAS-N failure, the QIAS-N server provides system diagnostic functions as follows:

a. Monitor the QIAS-N MTP, QIAS-N processor, QIAS-N network, QIAS-N display network.
b. Detect QIAS-N trouble and generate QIAS-N trouble status signals.
c. Transfer the QIAS-N trouble status to the non-safety IPS for alarm purpose.
d. Transfer the QIAS-N trouble status to the QIAS-N MTP via QIAS-N network for indication on the QIAS-N MTP displays.
e. Transfer the QIAS-N trouble status to the QIAS-N FPDs, mini-LDPs, and SODPs via QIAS-N display network.

QIAS-N is classified as a non-safety system since it has no safety function. However, the QIAS-N hardware is qualified as Class 1E and it is regarded as an associated circuit according to IEEE Std. 384. For power supply design, the QIAS-N is powered from the Class 1E vital bus power supply system (VBPSS) without isolation. A dedicated circuit breaker in VBPSS is provided for the feeder of QIAS-N.

The operator controls the plant utilizing four ESCMs, four IFPDs, and the associated mouse on the operator console. An operator console is considered inoperable when one of the following occurs: 1) Three IFPDs and each mouse are unavailable, 2) Three ESCMs are unavailable, or 3) The workstation disable switch is switched to disable mode.

The workstation disable switch (WDS) is used to disconnect the signal interface of the IFPD and peripheral devices (e.g., mouse, keyboard) from the node of the DCN-I network should these non-safety devices generate spurious signals.

The WDS is located on each operator console and is a hardwired two-position (enable/disable) type of cam switch. Therefore, there are five WDSs, one each for the RO, TO, EO, SS, and STA consoles. The keyboard, monitor, and mouse of the operator console are connected to the keyboard/video/mouse (KVM) extender. The KVM extender sends signals over an internal communication cable between the KVM extender and the network switch. When the WDS is switched to the disable mode, the switch disconnects 120 Vac power that comes from the power branch of the non-safety vital bus power supply system (VBPSS) to the KVM extender on the corresponding operator console. The configuration of the WDS will be shown in APR1400 DCD Tier 2, Figure 7.7-15.

The WDS does not have any software and, therefore, is not subject to a software CCF. The failure of a WDS does not impact any safety devices, including ESCMs at the operator console, because the WDS does not have any interfaces with safety devices. If a single failure of a WDS occurs, the operator can use the IFPD and peripheral devices at another operator console. A multiple failure of all five WDSs occurring concurrently is highly unlikely because the WDSs are hardwired devices and each WDS is separated, which enables an operator to perform the required operator actions on the safety console.

Impact on DCD

The changes that were proposed in previous revised responses (Rev.1 and Rev.2) to this RAI have been incorporated into Revision 2 of the DCD.

Impact on PRA

There is no impact on the PRA.

Impact on Technical Specifications

There is no impact on the Technical Specifications.

Impact on Technical/Topical/Environmental Reports

There is no impact on any Technical, Topical, or Environmental Report.