ML18241A142
| ML18241A142 | |
| Person / Time | |
|---|---|
| Issue date: | 08/23/2018 |
| From: | Christina Antonescu Advisory Committee on Reactor Safeguards |
| To: | |
| Antonescu C | |
| References | |
| NRC-3861 | |
| Download: ML18241A142 (242) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
ACRS NuScale Committee Open Session Docket Number: N/A Location: Rockville, Maryland Date: August 23, 2018 Work Order No.: NRC-3861 Pages 1-242 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005 (202) 234-4433
1 1
2 3
4 DISCLAIMER 5
6 7 UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9
10 11 The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.
16 17 This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.
20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
1 1 UNITED STATES OF AMERICA 2 NUCLEAR REGULATORY COMMISSION 3 + + + + +
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 5 (ACRS) 6 + + + + +
7 NuSCALE SUBCOMMITTEE 8 + + + + +
9 OPEN SESSION 10 + + + + +
11 THURSDAY 12 AUGUST 23, 2018 13 + + + + +
14 ROCKVILLE, MARYLAND 15 + + + + +
16 The Subcommittee met at the Nuclear 17 Regulatory Commission, Two White Flint North, Room 18 T2B1, 11545 Rockville Pike, at 8:30 a.m., Michael 19 Corradini, Chairman, presiding.
20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
2 1 COMMITTEE MEMBERS:
2 MICHAEL L. CORRADINI, Chairman 3 RONALD G. BALLINGER, Member 4 DENNIS C. BLEY, Member 5 CHARLES H. BROWN, JR. Member 6 WALTER L. KIRCHNER, Member 7 JOSE MARCH-LEUBA, Member 8 JOY L. REMPE, Member 9 GORDON R. SKILLMAN, Member 10 MATTHEW SUNSERI, Member 11 12 ACRS CONSULTANT:
13 MYRON HECHT 14 15 DESIGNATED FEDERAL OFFICIAL:
16 CHRISTINA ANTONESCU 17 18 *Present via telephone 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
3 1 CONTENTS 2
3 Meeting Start . . . . . . . . . . . . . . . . . . 4 4 Opening Remarks by Chairman . . . . . . . . . . . 4 5 Opening Remarks by Robert Caldwell . . . . . . . 6 6 Overview of Chapter 7 . . . . . . . . . . . . . . 10 7 Opportunity for Public Comment . . . . . . . . 185 8
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
4 1 P R O C E E D I N G S 2 (8:31 a.m.)
3 CHAIRMAN CORRADINI: Okay, the meeting 4 will come to order. This is a meeting of the NuScale 5 Subcommittee. My name is Mike Corradini, Chair of 6 this subcommittee meeting. ACRS members in attendance 7 are Ron Ballinger, Dennis Bley, Dick Skillman, Matt 8 Sunseri, Joy Rempe, Jose March-Leuba, Charlie Brown, 9 soon to be Walt Kirchner, and our consultant, Myron 10 Hecht. Christina Antonescu is the ACRS staff -- of 11 the ACRS staff is the designated Federal official for 12 this meeting.
13 The purpose of this meeting is for NuScale 14 to give an overview to the subcommittee on the NuScale 15 Design Certification Application Chapter 7, 16 Instrumentation and Control, and for the staff to give 17 a presentation to the subcommittee on their Safety 18 Evaluation Report on Chapter 7 with open items.
19 The ACRS was established by statute and is 20 governed by the Federal Advisory Committee Act, or 21 FACA. That means that the committee can only speak 22 through its published letter reports. We hold 23 meetings to gather information to support our 24 deliberations. Interested parties who wish to provide 25 comments can contact our offices requesting time.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
5 1 After the meeting, the Federal Register Notice is 2 published. That said, we set aside about 15 minutes 3 for extemporaneous comments from members of the public 4 attending or listening. Written comments are also 5 welcome.
6 The ACRS section of the U.S. NRC's public 7 website provides our charter, bylaws, letter reports, 8 and full transcripts of all our full and subcommittee 9 meetings, including all slides presented at the 10 meetings. We will hear a presentation from NuScale 11 and the NRC staff today. The subcommittee will gather 12 information, analyze relevant issues and facts, and 13 formulate proposed positions and actions as 14 appropriate for deliberation by our full committee.
15 The rules for participation at today's 16 meeting have been announced as part of the notice of 17 the meeting published in the Federal Register, and we 18 have received no written comment or request for time 19 to make oral statements as a member of the public in 20 today's meeting. As always, we have one bridge line 21 established for interested members of the public to 22 listen in in the open session.
23 Also, the bridge line will be open after 24 the open meeting session to see if anyone would be 25 listening to make additional comments. A transcript NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
6 1 of the meeting is being kept and will be made 2 available as stated in the Federal Register notice.
3 Therefore, we request that participants in this 4 meeting use the microphones located throughout the 5 meeting room when addressing the subcommittee.
6 Participants should identify themselves, speak with 7 sufficient clarity and volume so they may be readily 8 heard.
9 Please also silence all your cell phone, 10 pagers, iPhones, etcetera, so we do not have any 11 buzzes or noises through the meeting. We will now 12 proceed with the meeting. One extemporaneous point is 13 this is the second of our meetings look at the DCD.
14 We talked about Chapter 8 back in June. We are now 15 going to discuss Chapter 7. Our intent is most likely 16 to combine our comments and suggestions on seven and 17 eight when we talk at the full committee in September.
18 So I think I am going to be calling upon 19 Robert Caldwell of NRO to start us off with some 20 introductory remarks. Mr. Caldwell?
21 MR. CALDWELL: Yes, hello. My name is Bob 22 Caldwell. I am the Deputy Division Director for the 23 Division of Engineering and Infrastructure in the 24 Office of New Reactors, and I would like to thank you 25 all for giving us the opportunity to present our NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
7 1 findings on Chapter 7 of the DCD.
2 Right now, before we present our -- do our 3 presentation, before we get started, I would like to 4 point out that NuScale recently informed us that there 5 was a delta between Chapter 5 and 7 of the DCD which 6 they are looking at. These discrepancies involve a 7 remove shut-down station. During our presentation, we 8 will be providing you our findings based on the DCD 9 details that we have done the evaluation on.
10 So while NuScale is resolving these 11 discrepancies that they find, there is the need for a 12 change in Chapter 7. We will take a look at it and 13 see if we need to change the SE. If there is a need 14 for the change for the SE, we will come back to the 15 subcommittee as appropriate.
16 CHAIRMAN CORRADINI: Charlie?
17 MEMBER BROWN: Just to make clear, so we 18 understand this, what you mean is they want to delete 19 the remote shutdown station? Is that my 20 understanding?
21 MR. CALDWELL: No, I do not know exactly 22 what their path forward is at the moment. We hope to 23 find out. This is --
24 MEMBER BROWN: But you do not know those 25 details? It is kind of -- the information passed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
8 1 around, it was not real clear, and I just wanted to 2 make sure it was clear to the other members.
3 CHAIRMAN CORRADINI: But the only thing we 4 know for sure is what you reviewed is not necessarily 5 what is the current design thoughts.
6 MEMBER BROWN: With respect to the remote 7 shutdown. With respect to Chapter 7.
8 MR. CALDWELL: Yes, with respect to the 9 remote shutdown stations.
10 CHAIRMAN CORRADINI: Shutdown stations.
11 MEMBER BROWN: Chapter 7 uses the RSS, 12 calls it out in many places.
13 MR. CALDWELL: Right.
14 CHAIRMAN CORRADINI: Okay. So we have to 15 be aware of that.
16 MR. CALDWELL: Yes, just be aware of that.
17 That is the only ones we cross. Thank you.
18 CHAIRMAN CORRADINI: Thank you. So, we 19 should turn to Paul. Are you going to lead us off?
20 MR. INFANGER: Yes, I am Paul Infanger.
21 I am the Licensing Project Manager for Chapter 7. I 22 appreciate the opportunity to present our technical 23 details in support of the staff's SCR. I appreciated 24 working with the staff on Chapter 7. We have received 25 the SCR with no open items related to Chapter 7. The NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
9 1 only open items are related to turning back to some 2 open items in Chapter 8 and expected open items in 3 Chapter 15. But there are not Chapter 7-related open 4 items.
5 We will relay, the issue on the remote 6 shutdown panel will be addressed during our 7 presentation. Just want to say a little bit about my 8 background. I have been with NuScale for about three 9 and a half years. Prior to that, I was working on the 10 Korean reactor for Barakah, and also prior to that, at 11 UniStar for the Calvert Cliffs COLAs, and prior to 12 that, 25 years as Licensing Manager at various 13 operating sites.
14 MEMBER BLEY: Mr. Paul, you mentioned 15 Chapter 8. When we went through Chapter 8 with you, 16 there were a few issues that came up that you deferred 17 to Chapter 7. Are you going to talk about those in 18 particular?
19 MR. INFANGER: Yeah, there were several 20 timers that we discussed in Chapter 8 that were really 21 I&C issues, so we are prepared and have information in 22 our presentation on those.
23 MEMBER BROWN: Those are the 24-hour 24 timers you are talking about?
25 MR. INFANGER: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
10 1 MEMBER BROWN: Okay. And how they 2 interface with the DC?
3 MR. INFANGER: Right.
4 MEMBER BROWN: Okay, thank you.
5 MR. INFANGER: So with that, I would like 6 to introduce the lead speaker will be Brian Arnholt.
7 MR. ARNHOLT: Good morning. I am Brian 8 Arnholt. Thanks for the opportunity to present to the 9 subcommittee this morning. I am the I&C Supervisor 10 with NuScale Power.
11 I have been with NuScale three and a half 12 years. I am responsible for the design and licensing 13 of the instrumentation and control systems for the 14 NuScale plant design. Prior to that, I was with B&W 15 on the mPower project in a very similar role, and then 16 prior to that, was with GE Energy. I performed 17 detailed design of the non-safety plant control system 18 for the ESBWR and other global power generation 19 projects that GE had at the time.
20 Started my career at Exelon Corporation as 21 a Reactor Engineer at the Byron Nuclear Power Station, 22 and transitioned into roles in real-time process 23 systems and plant operations. And I received my 24 degree in Nuclear Engineering from the University of 25 Michigan, so please excuse my counterpart who is an NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
11 1 OSU grad.
2 MR. INFANGER: Yeah. Ohio State. Sorry.
3 MR. ARNHOLT: You might have to separate 4 us two. With me today is Rufino Ayala. He is an I&C 5 engineer on our team. Do you want to quickly 6 introduce yourself?
7 MR. AYALA: Good morning. My name is 8 Rufino Ayala. As Brian mentioned, I have been a part 9 of the I&C Engineering Group. I have been supporting 10 the project now for about a little over six years.
11 Prior to NuScale, I was with Bechtel working at Watts 12 Bar Unit 2 mainly focused on the refurbishment of 13 their safety-related protection systems there. Prior 14 to that, I graduated from the University of Houston.
15 Got my Bachelor's in Science and Electrical 16 Engineering.
17 MR. ARNHOLT: Okay, the purpose of today, 18 we are going to provide an overview of the 19 instrumentation and control design as it is presented 20 in the Chapter 7 of the NuScale Final Safety Analysis 21 Report. I have an abbreviation slide here for you.
22 We use a lot of abbreviations and acronyms throughout 23 the presentation, so this is a good point of reference 24 for you to refer back to if you do not recognize any 25 of the abbreviations we use.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
12 1 The NuScale Design Certification for 2 Chapter 7 follows the structure of the design-specific 3 review standard for the NuScale design. I think the 4 subcommittee has seen that over the years. So this is 5 the first application for a Chapter 7 submittals that 6 follows this new DSRS framework. So we structured the 7 presentation to kind of correspond with the DSRS 8 framework.
9 So there is Section 7.0 that goes into the 10 architecture and system overview. Section 7.1 goes 11 through the fundamental design principals. And then 12 Section 7.2, discussing system features as they relate 13 to conformance to IEEE 603 and IEEE 7-4.3.2.
14 I am going to start off with the Section 15 7.0, and we are going to start at a high level and 16 kind of work down into the details. So the I&C system 17 design basis, we leverage the NuScale passive safety 18 and passive safety design and the simplicity of the 19 design in our safety-related I&C platform. It is a 20 digital I&C system based on field programmable data 21 arrays.
22 We get a couple of benefits from the use 23 of FPDAs. We leverage their capability for inherent 24 diversity to address common-cause failure issues with 25 digital I&C systems, and also, we leverage the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
13 1 simplicity that an FPDA-based system affords you in 2 the design. And that follows along with the theme of 3 the NuScale plant design and its simplicity.
4 So what that means is the safety function 5 is the removal of power. It is as simple as that.
6 There is no safety-related electrical power either AC 7 or DC that is required for the I&C systems to perform 8 their required safety functions. So we de-energize 9 electricity to field components and valves and things 10 of that nature.
11 They will fail to their as-designed or 12 safe position. We remove power to reactor trip 13 breakers to shut down the reactor. We have no safety-14 related components that require active control. And 15 so again, just the removal of power is the safety 16 function in its simplest form.
17 The figure on the left is not all-18 encompassed, but to give you a visual depiction of the 19 systems that are related to the safety-related I&C 20 system protective functions.
21 So this slide, and I see folks have the 22 detailed figure that came out of the FSAR figure 7.0-23 1. I can talk to that if there are questions, but 24 this is more of a high-level picture overview of the 25 entire I&C architecture. It is not to convey the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
14 1 building blocks that comprise the I&C systems.
2 So starting at the lower left, we have our 3 safety-related module protection system, and there are 4 -- there is one independent module protection system 5 for each NuScale power module. We do not share 6 safety-related functions between any of the modules.
7 They are completely independent.
8 On the lower right, we have our non-9 safety-related module control system that performs 10 non-safety-related balance of plant power generation 11 control functions, asset protection, things of that 12 nature.
13 Moving up to the plant level, we have a 14 plant-protection system that performs common plant-15 protective functions. For example, control room 16 habitability, system actuation, radiation monitoring 17 are two of the primary functions that that performs at 18 the common plant level.
19 And then we have a non-safety-related 20 plant control system that performs common plant 21 functions such as site service water cooling control, 22 electrical distribution control for common plant 23 systems, things of that nature.
24 MEMBER BROWN: What that means, for those 25 who have not been steeped in this, is the plant NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
15 1 control system, if you have got 12 modules, it applies 2 to all -- those systems, it applies to all 12 modules.
3 MR. ARNHOLT: Yes, that is correct.
4 MEMBER BROWN: Okay. And the plant 5 protection system, if I read my notes, that is also 6 applicable to all 12 modules? Those units?
7 MR. ARNHOLT: That is right.
8 MEMBER BROWN: Those functions apply to 9 all, but it is common across all of them?
10 MR. ARNHOLT: That is correct. The next 11 slide I will show, the next two slides, I will show a 12 little bit more in detail what these systems do and 13 their classifications and give a little bit more 14 detailed discussion on that.
15 MEMBER BROWN: Okay. So the only two that 16 are plant-specific are the module protection system 17 and the module control system -- yeah, the module 18 control system?
19 MR. ARNHOLT: That is correct. But we 20 have some other systems, like our Incore 21 instrumentation system that provides our Incore 22 instrumentation assemblies that are module-specific, 23 but I have got a little bit more detail in the next 24 few slides.
25 MEMBER BROWN: Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
16 1 MR. ARNHOLT: The box on the upper-left 2 shows the interaction with the operator that is 3 supplied in the main control room. Where the operator 4 spends the majority of his time is at either a plant 5 control system or a module control system workstation.
6 And that is where he performs his normal 7 control systems startup, shutdown, refueling, 8 maintenance activities are performed from those 9 workstations. We do provide both module-specific and 10 plant-level safety display and indication systems, and 11 that provides the operator with long-term post-12 accident monitoring indication for those types of 13 plant conditions.
14 CHAIRMAN CORRADINI: So, I am just 15 listening. This is -- every time I listen to I&C, I 16 re-learn it, and then I forget it. Remind me one more 17 time what is the difference between the plant control 18 system and the module control system?
19 MR. ARNHOLT: The plant control system 20 controls and interfaces with systems that are common 21 all 12 modules.
22 CHAIRMAN CORRADINI: Okay, fine. Thank 23 you.
24 MR. ARNHOLT: Like a site cooling water 25 system is a common plant system.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
17 1 CHAIRMAN CORRADINI: Okay, thank you.
2 MR. ARNHOLT: And module control system 3 would be turbine generator control.
4 CHAIRMAN CORRADINI: Okay. Thank you.
5 MEMBER BROWN: And the plant protection 6 system is the protection function for those common --
7 separate from the plant control system itself?
8 MR. ARNHOLT: Yes, that is correct. The 9 plant protection system, if you will bear with me just 10 a minute.
11 MEMBER BROWN: Have at it.
12 MR. ARNHOLT: I will talk to a little bit 13 more detail in the next slide or two. But I did miss 14 one. We also show that we have a remote shutdown 15 area. And I will make a few remarks about the comment 16 before the meeting. So the remote shutdown system is 17 provided as an alternate location for the operators to 18 monitor the plant during shutdown conditions in events 19 where they would need to evacuate the main control 20 room.
21 So a typical scenario where the operators 22 would need to evacuate the main control room, they 23 would perform three things before they evacuate. They 24 would manually trip all 12 reactors, they would 25 manually initiate containment isolation for all 12 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
18 1 modules. At that point in time, the reactors are shut 2 down, are being passively cooled by DK heat removal, 3 and they're in safe shutdown.
4 They would then evacuate the main control 5 room, staff the remove shutdown station, and at that 6 point in time, there are no additional operator 7 actions to perform. It is a monitoring-only mode.
8 And that is, again, leveraging that passively-safe 9 design that we built into the NuScale plant.
10 So those reactors, all 12 modules can stay 11 in safe shutdown for an indefinite period of time 12 without any operator action. So that is the scenario.
13 And there is some language in Chapter 7 that suggests 14 that -- and I need to back up. There are controls 15 available.
16 We have a complement of module control 17 system and plant control system workstations that 18 provide the operator the capability for non-safety 19 control should he or she need that. But it is not 20 required nor necessary.
21 MEMBER SUNSERI: By indefinite period of 22 time, you mean however long the water in the pool 23 lasts?
24 MR. ARNHOLT: Exactly. That is correct.
25 So the important terms are safe shutdown and passive NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
19 1 cooling, and the modules can sit like that in the 2 reactor pool indefinitely.
3 MEMBER BLEY: And for your design, the 4 words safe shutdown have no temperature connotation?
5 MR. ARNHOLT: We have a defined tech spec 6 mode of safe shutdown that is less than -- reactor 7 coolant system temperature less than 420 degrees.
8 MEMBER BLEY: Okay. So the minute the 9 shut them down, you are not there yet, so it takes a 10 little while.
11 MR. ARNHOLT: Right. So you have mode one 12 power operations. Mode two is what we call hot 13 shutdown, and that is where a reactor coolant system 14 temperature is above 420 degrees Fahrenheit. And then 15 they passively cool and transition to safe shutdown 16 where RCS temperature is less than 420 degrees 17 Fahrenheit.
18 MEMBER BLEY: Okay. And that takes how 19 long, roughly?
20 MR. ARNHOLT: I do not want to misquote 21 numbers as far as timelines. I would imagine there 22 are figures maybe in Chapter 15.
23 CHAIRMAN CORRADINI: We could take it up 24 later if that is desired.
25 MEMBER BLEY: Hour is not a long time.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
20 1 CHAIRMAN CORRADINI: Because I remember in 2 our previous meeting, that was given to us. I just do 3 not remember what it is, either.
4 MEMBER BLEY: Yeah, I do not either. It 5 was just that Brian kind of said. They will shut down 6 all of it and then they will leave, and it will be on 7 safe shutdown. But not quite yet.
8 MR. ARNHOLT: Yeah.
9 MEMBER BLEY: It's headed that way.
10 MR. ARNHOLT: Yeah. So what they do is 11 they -- but there are no additional actions to take.
12 But we do provide the capability of isolating, but we 13 do have hardwired switches in our main control room 14 for these manual actuation functions. So similar to 15 existing plant designs.
16 We provide the capability to electrically 17 isolate those switches with a series of switches in 18 the remote shutdown. That mitigates potential 19 spurious actuations due to fire concerns in the main 20 control room. But we do provide that capability in 21 the remote shutdown station.
22 MEMBER BLEY: I have a question about 23 indications. An early question.
24 MR. ARNHOLT: Sure.
25 MEMBER BLEY: You will get to this later.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
21 1 We were out there to visit four or five years ago. I 2 do not remember how long ago.
3 CHAIRMAN CORRADINI: Sounds right.
4 MEMBER BLEY: And watched a lot of 5 exercises in the simulator, and at that time, we 6 looked at lot at the displays, and I personally found 7 the approaches that had been taken and tested with a 8 bunch of operators to be fairly convincing on how you 9 could diagnose things from the large panel.
10 And I think I have gotten hints that that 11 has changed over time. Is that set in concrete at 12 this point in time? The kind of displays for all 12 13 modules that show up in the main control room? And 14 are you going to talk about that?
15 MR. ARNHOLT: I will not talk about it in 16 detail. I am happy to answer questions. The displays 17 that we have for our module control system, plant 18 control systems where the operator spends most of 19 their time are based on our human system interface 20 style guide that has been submitted for review.
21 And then the design of our safety display 22 and information system regarding post-accident 23 monitoring. So we have defined, and it is available 24 in Chapter 7, what variables the operators will 25 monitor for post-accident monitoring conditions. So NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
22 1 that is fixed as part of the design.
2 MEMBER BLEY: There were a number of 3 color-coding schemes and transitions as plants moved 4 -- as modules moved through toward safe shutdown.
5 MR. ARNHOLT: Those are --
6 MEMBER BLEY: Are those fixed, or are 7 those not fixed in the design?
8 MR. ARNHOLT: I think right now we have 9 concepts that are described in our human system 10 interface guide through now we have just completed our 11 integrated system validation of those concepts, and 12 what changes result from that, I do not know the 13 specifics of that.
14 MEMBER BLEY: We will get to that either 15 in the human engineering or in the conduct of 16 operations?
17 MR. ARNHOLT: And that would be, yeah, a 18 topic that certainly would be best to discuss in a 19 Chapter 18 discussion.
20 MEMBER BLEY: That is fine.
21 MR. ARNHOLT: So just a couple of 22 concluding remarks. So there is some language in 23 Chapter 7 that might lead the reader to conclude that 24 there are controls that are necessary, and that is not 25 the case, and I want to make that clear to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
23 1 committee. There are no controls necessary for the 2 operator to manipulate at the remote shutdown station, 3 because the modules are in passive cooling and remain 4 and stay in a safe shutdown condition.
5 Through some internal reviews in the past 6 couple of weeks, we identified some discrepancies in 7 Chapter 5 related to the design of the DK heat removal 8 system. We have identified those as part of our 9 corrective action program, and we are going to make 10 those necessary changes.
11 MEMBER BLEY: There is nothing there that 12 is necessary if everything was done right before you 13 left the control room.
14 MR. ARNHOLT: Exactly.
15 MEMBER BLEY: IF things somehow were not 16 exactly done right and you cannot get back in the main 17 control room, do you have the capability to carry out 18 those three basic actions you described from the 19 remote shutdown system?
20 MR. ARNHOLT: Not from the remote shutdown 21 system, but using available plan operating procedures, 22 you can make in-plant evolutions to manually --
23 MEMBER BLEY: --- specific breakers, that 24 sort of thing, okay.
25 MR. ARNHOLT: Similar to existing plants NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
24 1 where if the reactors did not trip from the main 2 control room, you would dispatch a local operator to 3 open -- try to manually open the reactor trip breakers 4 locally.
5 MEMBER BLEY: Not after similarity, after 6 what you got.
7 MR. ARNHOLT: Right. All right, moving 8 on.
9 MEMBER BROWN: Yeah, go backwards. The 10 box labeled manually-enabled hardwired signal for 11 each, what does that apply to? It is just a box 12 hanging in there between all the other stuff. Lower 13 right-hand corner.
14 MR. ARNHOLT: We do have the capability --
15 I will talk about this in more detail, but I can 16 address it now. We do have the ability to manually 17 control, take manual control of safety-related 18 components from our non-safety-related module control 19 system. So to back up a little bit.
20 MEMBER BROWN: This is enable non-safety-21 related, enable -- disable, whatever that --
22 MR. ARNHOLT: It is enable non-safety 23 control switch. It is a hardwired switch. Acts 24 almost like a permissive or an interlock.
25 MEMBER BROWN: You are going to talk about NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
25 1 that later, are you not?
2 MR. ARNHOLT: I will talk a little bit 3 about that later.
4 MEMBER BROWN: Okay. While you are on 5 this picture, just one more question. And you will 6 have to correct me if I am wrong, because I am 7 referring back to the HIPS subcommittee meeting. When 8 we talked about these little boxes, circles called 9 iso, which are isolated communications, one-way 10 communications, we did not have the rest of this 11 picture on there.
12 Those were described -- this is where you 13 may need to correct me -- as communication devices 14 where the receive and or, depending on which end you 15 are on, they are fiber optic. They are serial data 16 links. But they consist of gateway-style, I guess I 17 would call it, to make it receive only. You would 18 clip -- you do not even connect the transmit fabric.
19 Is that -- am I correct?
20 MR. ARNHOLT: You are exactly correct.
21 MEMBER BROWN: Okay. Still on the right 22 page here. When we get over to the module control 23 system and the plant control system connections to the 24 plant network, you show those as the same little iso 25 type things. However, on your major diagram, even NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
26 1 though it is not talked about in the written word of 2 Chapter 7, those are referred to as unidirectional 3 data diodes. That is different.
4 If you go look at all the literature I 5 have ever been able to find, those are different from 6 the bidirectional -- the gateway style unidirectional.
7 In other words, they are hardware-based, and that is 8 -- although it does not say hardware anywhere in the 9 text, either. It just says data diode.
10 And I am just trying to calibrate myself 11 in terms of the difference between the two. Is my 12 statement correct? The ones from the module control 13 system and PCS down to the plant network are data 14 diodes and they are hardware-based?
15 MR. ARNHOLT: So I can just point out 16 there are two parts to this. There is communication.
17 If we take the module protection system as an example, 18 there is communication isolation that is performed by 19 a monitoring and indicating bus communication module 20 that was described in the HIPS Topical Report. That 21 isolates communication one way from the module 22 protection system to the module control system. Once 23 you get into -- so that is isolated communication --
24 MEMBER BROWN: That is the little iso on 25 the MPS blocks?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
27 1 MR. ARNHOLT: That is what is shown on 2 this box.
3 MEMBER BROWN: And that is a gateway?
4 That is a --
5 MR. ARNHOLT: That is through a 6 communication module.
7 MEMBER BROWN: I understand that, but it 8 has got to have an outflow. And is the transmitting, 9 is that literally one of the fabrics that transmit, in 10 that case that receives or cutoff?
11 MR. ARNHOLT: Yes.
12 MEMBER BROWN: That is different than I am 13 talking about. I understand that. We went through 14 that in terms of the MIBs.
15 MR. ARNHOLT: I will talk to the second 16 one that you are referring to. So once you are at the 17 level of the module control system 18 MEMBER BROWN: Or the PCS.
19 MR. ARNHOLT: Or the PCS, we show on our 20 overview, our protection overview, architectural 21 overview, a unidirectional data diode. That is for 22 communication from the MCS up to a plant-level --
23 MEMBER BROWN: And I understand that.
24 MR. ARNHOLT: -- and things of that 25 nature.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
28 1 MEMBER BROWN: I got that.
2 MR. ARNHOLT: Two separate devices, two 3 separate types of --
4 MEMBER BROWN: And I am trying to 5 articulate the difference between the gateway style 6 and the data diode. All the literature I have read 7 relative to remote access, preventing it, is air gap 8 with a data diode if you really want the most secure.
9 And that is typically a hardware base, yet there is 10 nothing in the pictures -- there is nothing in the 11 words. It just says it is a unidirectional 12 communication device off to the plant network.
13 MEMBER BLEY: Which could be a software 14 control.
15 MEMBER BROWN: It could be a software.
16 Yeah, it could. And that is my real question.
17 MEMBER BLEY: That is his real question.
18 MR. ARNHOLT: We will specify that in our 19 application, if it is digital or hardware or software 20 based. We monitor the attributes of how that device 21 works.
22 MEMBER BROWN: Well, we will be having 23 some other discussions on that issue. Every other new 24 plant that we have looked at has incorporated those 25 remote access items in being hardware based, not --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
29 1 with no software control at all.
2 MEMBER BLEY: Brian, I did not quite 3 understand what you said. You said at some point, 4 that will be specified? In what kind of document?
5 MR. ARNHOLT: When you get into like a 6 detailed design, equipment requirement specification 7 for that device. What we have laid out in the 8 application are the design attributes that those 9 devices have to be designed to.
10 MEMBER BLEY: I guess what you are 11 hearing, and there is more than one of us who lean 12 this way, is that is the sort of thing that would be 13 really good to spell out.
14 MR. ARNHOLT: Now.
15 MEMBER BLEY: Now, and not wait to see 16 what somebody puts in the detailed design document 17 that is not going through the kind of review at a 18 higher level that the design is going through.
19 MEMBER BROWN: The concern here is to not 20 be sure that no communications off to the plant 21 network are software configurable and have no software 22 associated with them.
23 MR. ARNHOLT: Certainly take that away.
24 MEMBER BROWN: Be a straight hardware 25 based data diode. So I mean, the simplest of all of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
30 1 the gateways is like an RS-232 where you click one or 2 the other.
3 MR. ARNHOLT: You have a transmit only 4 connection.
5 MEMBER BROWN: Exactly.
6 MR. ARNHOLT: All right.
7 MEMBER BROWN: You will probably hear more 8 on that as we talk today, if you had not figured that 9 out by now.
10 MR. ARNHOLT: All right. Well, moving on.
11 So here, just the next couple of slides, I have 12 divided these next two slides into more detail on the 13 module-specific systems. And there was a question 14 about are there other module-specific systems. And we 15 have got the MPS listed here, and that is a digital 16 FPDA-based system that I talked about.
17 We have a Neutron Monitoring System.
18 There are three subsystems related to Neutron 19 Monitoring System. There is the safety-related 20 Neutron Monitoring X4 System that does your X4 21 detecting for nuclear power monitoring source, 22 intermediate and power range, and that provides 23 signals to the MPS to perform protective functions 24 based on a logic determination of those inputs.
25 And then we have our module control NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
31 1 system, and that is a digital distributed control 2 system, and I will talk to that in just a second of 3 what that is. And then we have our Incore 4 instrumentation system which provides Incore neutron 5 flux detectors, Incore inlet and Incore exit 6 thermocouples for post-accident monitoring conditions.
7 Just a couple of notes on this slide. We 8 have mentioned the safety classifications. So the 9 module protection system and the NMS excore system are 10 A1 safety classification in this classification, A1.
11 The remaining systems are B2. There are no other A2 12 or B1 systems at the module-specific level.
13 So when I mentioned that the module 14 control system is a distributed control system, there 15 were some questions about what is a distributed 16 control system.
17 MEMBER BROWN: Also the PCS is a 18 distributed control system.
19 MR. ARNHOLT: Right.
20 MEMBER BROWN: So they are both -- I mean, 21 you do not list that in here.
22 MR. ARNHOLT: It is on the next slide.
23 MEMBER BROWN: Okay. I have not gotten 24 there yet.
25 MR. ARNHOLT: But this discussion will NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
32 1 apply to both. But a distributed control system is 2 one where you can functionally allocate and 3 geographically distribute control processors and input 4 output equipment throughout your plant. And you can 5 distribute control functions based on the particular 6 plant functions that that system is designed to 7 control.
8 So, for example, if I have a, for a 9 NuScale power plant, I might have a control processor 10 and input output set for controlling the main turbine, 11 and that would be distributed either locally or 12 geographically separate from other parts of the 13 system. And then I might have a control processor at 14 input output set to control my -- control that drive 15 system. And those are where we physically allocate 16 and physically separate control functions to different 17 control processors.
18 There are many reasons why you do that, 19 and on the NuScale design, we take that and leverage 20 it from a common cause failure standpoint. We perform 21 a segmentation. So we did an analysis, and I have got 22 a slide later on, but I will talk to it now.
23 MEMBER BROWN: Let me back that up a 24 little bit. And I do not know -- I may have the wrong 25 perceptions. So you can correct me. If I look at the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
33 1 existing plans today, and I look what were the two 2 examples you used? You used what, the turbine 3 generator --
4 MR. ARNHOLT: Turbine generator and 5 control rod drive system.
6 MEMBER BROWN: Control rod drives. IF you 7 go out and look at them, there is a set of equipment 8 dedicated to that with some switches somewhere else 9 that can make it do this, turn on, turn off, go up and 10 down, whatever you have to do. In the distributed 11 control system, you do not have those. They are all 12 lumped in to a central processing unit where you --
13 when you talk about segmentation, you say there is a 14 bunch of memory allocated to these four process 15 functions.
16 There is another memory segment, memory 17 set of -- memory units that are identified through 18 this one, so on and so forth. And you identified, I 19 do not know, four or five. You identified the major 20 ones in the Chapter 7. There were three or four of 21 them, I think, you identified.
22 And if the way I read the document, is 23 that now all of the -- all the controls are lumped 24 into a giant package of software that has its specific 25 software identifier segmented into little parts of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
34 1 memory, and there is no -- there is not a separate 2 voltage regulator other than the final thing which 3 runs the field current up and down or whatever you 4 want to call it. Is my perception correct or 5 incorrect?
6 MR. ARNHOLT: Forgive me if I say it is 7 incorrect.
8 MEMBER BROWN: That is fine. That is why 9 I asked.
10 MR. ARNHOLT: Yeah, you had mentioned that 11 it is lumped into a single, I will call it a control 12 processing unit, and that is not --
13 MEMBER BROWN: That is the way it reads.
14 MR. ARNHOLT: Okay.
15 MEMBER BLEY: But go ahead.
16 MR. ARNHOLT: When we mention 17 segmentation, we use physically separate control 18 processors. And think of a control processor as a 19 computer for lack of -- for simplicity's sake. And 20 you allocate and only program into that control 21 processing unit the software, the memory, the inputs 22 and outputs to control that particular control 23 function.
24 So in this case, let us pick control rod 25 drive system. So the control processing unit for NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
35 1 control rod drive system only controls the control rod 2 drive system. Only has input and output and memory 3 allocated to it for the control rod drive system.
4 When we move to the designing the controls 5 for the turbine generator set, you have a physically 6 separate and independent control processing unit with 7 its own set of input output, its own set of memory, 8 and its own set of software that resides within the 9 control -- physically separate control processor for 10 the turbine generator set. It is just an example 11 using those two systems.
12 MEMBER BROWN: So if I went out and I 13 looked, I would see two boxes?
14 MR. ARNHOLT: You could.
15 MEMBER BROWN: Or boards or whatever.
16 MR. ARNHOLT: You could. Depending on how 17 it was physically laid out.
18 MEMBER BROWN: It might be a big box, but 19 they would be physically and electrically separated or 20 whatever.
21 MR. ARNHOLT: In a distributed control 22 system, the technology is there. When we bring that 23 information into a network, into a control network, 24 and we present that to an operator on a human system 25 interface network where they are networked together NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
36 1 using conventional networking technologies. But at 2 the control and input output levels, they are on 3 physically separate control processors and physically 4 separate input output modules.
5 MEMBER BROWN: Okay, so there is, just as 6 an example, use the TG -- use the control rod drives 7 as an example. I have a processor dedicated to the 8 control rod drive actuation function. In other words, 9 it drives a variable power supply of some kind that 10 latches the rods up and down when you demand it.
11 And the only part, the input to that that 12 says go up or go down, or unlatch and drop, whatever 13 that is, that command exists in another processor 14 somewhere in this network where the operators control 15 multiple of these boxes, even though they may be in 16 the same cabinet. I will put that aside. Is that 17 then the way I would perceive this?
18 MR. ARNHOLT: Right. And those --
19 MEMBER BROWN: But what segment -- my 20 memory -- I am not a programmer, okay, if that is not 21 obvious. My memory of segmenting is allocating memory 22 to segment, to hunks of stuff you want to do.
23 MR. ARNHOLT: And that is the advantage 24 that the distributed control system gives you. You 25 segment not only the software and the memory, but you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
37 1 also segment --
2 MEMBER BROWN: Hold it. You said you have 3 got it in another box.
4 MR. ARNHOLT: And you also segment the 5 hardware. Physically different segments in the 6 hardware. So let us use the term --
7 MEMBER BROWN: Okay, let me back up again.
8 These extra boxes have all the memory in them. They 9 are -- the memory box, the memory for the control rod 10 drive mechanism does not have any other functionality 11 or processes associated with it stored in that memory.
12 MR. ARNHOLT: For functions beyond its 13 sole purpose of --
14 MEMBER BROWN: Other than the control rod 15 drive mechanisms. It is physically addressably 16 different --
17 MR. ARNHOLT: Yes, it is.
18 MEMBER BROWN: -- from every one of the 19 rest of them, okay.
20 MR. ARNHOLT: That is right.
21 MEMBER BROWN: And I guess my view of 22 segmentation was multiple of -- software being 23 allocated to memory segments where you might have four 24 -- it is like partitioning in a way.
25 MR. ARNHOLT: That is right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
38 1 MEMBER BROWN: Where it is all lumped in 2 to one big thing, but when you call it, you do not 3 have to go rooting around through all the other memory 4 to actuate a particular function. That is the way to 5 go read all this stuff. That is what -- that is long 6 term memory ago.
7 MR. ARNHOLT: And this is typical 8 engineering practice in process control industries, 9 and you can --
10 MEMBER BROWN: Which part is typical here?
11 What I just said, or what you said earlier?
12 MR. ARNHOLT: My view, where you segment 13 both your -- and you separate both your software and 14 your hardware into physically separate cabinets, 15 control processors, input output cabinets, things of 16 that nature.
17 MEMBER BROWN: Okay. Now, in Chapter 7, 18 you identify in these major segments, there were like, 19 three or four process functions that you had 20 identified in a segment.
21 MR. ARNHOLT: Correct.
22 MEMBER BROWN: That again seems to go 23 counter to the -- like the control rod drive 24 mechanisms. There was a control -- the CDCS system.
25 There was a containment -- I do not know whether it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
39 1 was CM something, I do not know, I have forgotten the 2 names of them. Containment isolation and --
3 MR. ARNHOLT: Maybe a containment 4 evacuation system?
5 MEMBER BROWN: Maybe it is flooding or 6 what have you. The flooding was separate. That was 7 something else. But those were all in one segment.
8 Does that mean their software is part of the control 9 rod drive mechanism control software?
10 MR. ARNHOLT: Yes. And --
11 MEMBER BROWN: So I am right then? That 12 is -- so I have got four functions of processes 13 stuffed into one computer where you call upon any one 14 of them whereas their memory may be segmented within 15 that processor, but you have got four processes and 16 one process controller?
17 MR. ARNHOLT: So I can give you a 18 practical example of how we apply that to our design.
19 And we performed what we call the segmentation 20 analysis, and it is described in the FSAR. And we 21 looked at all the major module controls system 22 functions that have the ability to impact reactivity, 23 coolant inventory, pressure. I have got a slide on 24 this a little bit later, but I will talk to it now.
25 And we evaluated those from a postulated NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
40 1 common cause failure scenario. Maybe you lose a power 2 supply. Maybe you have a network fault. Whatever the 3 postulated failure is. And we evaluated the results 4 of that failure and whether or not it was bounded by 5 our Chapter 15 safety analysis. And if it was, then 6 we could, with reasonable assurance, place those 7 control function in the same control segment and 8 postulate an entire failure in that segment and still 9 be bounded by our Chapter 15 plant safety analysis.
10 So there is one example where we actually 11 had to make a design change as a result of this 12 analysis. And the two functions were the CV, the 13 chemical volume and control system makeup, and 14 chemical volume of control system letdown functions.
15 Originally, we had those on the same 16 control segment because they were associated with the 17 CVCS system. But we looked at that, and we had -- if 18 we postulated a failure, we could also, we could 19 impact coolant inventory adversely, and at the same 20 time, core reactivity. And that was not bounded by 21 our Chapter 15 safety analysis.
22 So we made a design change early in the 23 process and separated those two segments. So now you 24 can postulate a failure of the segment, the controls, 25 the makeup to the reactor through the CVCS separately NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
41 1 from a failure of the letdown function of the CVCS.
2 So that is an example where the analysis 3 actually resulted in a particular segmentation of two 4 functions. And that was an example that we did 5 describe in the Chapter 7. I do not know if you 6 remember reviewing that.
7 MEMBER BROWN: I read it. I will not say 8 that I understood you.
9 MR. ARNHOLT: So now those are on two 10 separate segments, physically and software separated.
11 So if you have a power supply failure, you would only 12 postulate a power supply failure maybe on a CVCS 13 letdown cycle and evaluate the potential effects of 14 how that system would fail separately from a similar 15 type of failure on the CVCS makeup segment.
16 And that is where the segmentation affords 17 you the advantages to ensure that postulated failures 18 of the non-safety systems conform to and are bounded 19 by the analysis for the plant, safety analysis for the 20 plant.
21 MEMBER BROWN: Okay. But it still boils 22 down to where you have four process functions in one 23 unit. If that processor just fails totally, whatever 24 it is, you have lost four functions.
25 MR. ARNHOLT: That is correct.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
42 1 MEMBER BROWN: And you have evaluated --
2 you made the argument -- and I am not plant savvy 3 enough to know whether it is okay or not.
4 MR. ARNHOLT: Well, we did do --
5 MEMBER BROWN: Because they are all non-6 safety-related, the argument is, we do not need any of 7 those, and if they all fail, we do not care.
8 MR. ARNHOLT: Right. And it is bounded by 9 the plant safety analysis. Now, there is operational 10 considerations, obviously, but from a pure effect on 11 the plant safety analysis, we have evaluated that and 12 determined that the failures that would result from 13 that scenario are bounded by a Chapter 15 safety 14 analysis.
15 MEMBER BROWN: Okay. Now back up to the 16 previous slide again.
17 MEMBER SUNSERI: While you are doing that, 18 let me interject here. Dr. Corradini had to step away 19 for an obligation with one of the commissioners. He 20 asked me to preside over the meeting until he returns, 21 and heedfully that will be soon. So go ahead.
22 MEMBER BROWN: All right, I guess when you 23 talk about -- you have got two distributor control 24 systems. This is -- I am segueing back to the 25 isolation from the plant network, which is the sole NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
43 1 external nexus to the outside world.
2 That is kind of a critical location, and 3 why the emphasis I made earlier on the hardware nature 4 of the data diodes, because once you get into either 5 one of these, through its isolated connection, if 6 somebody hacked it, you now have a bidirectional 7 connection between the PCS and the MCS which would 8 allow whoever got in to get into the other and take 9 control of everything.
10 MR. ARNHOLT: On your non-safety control 11 systems.
12 MEMBER BROWN: Yeah, all the non-safety 13 control systems, which is whether they are non-safety 14 or safety is -- it is really not a good idea to take 15 -- have those get compromised. So that, it is a 16 single point of vulnerability, and it applies to all 17 your plant control, which applies to all the -- what, 18 ten, 12, whatever the number of modules, NuScale power 19 modules are, as well as the individual modules.
20 So that is why I was struggling to make 21 sure I understood what you meant by segmenting and how 22 they are all kind of interconnected and what is 23 important about these two inputs from the external 24 world and how important that isolation is to be non-25 software-based under any circumstances, and why the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
44 1 emphasis we have placed on other designs to make that 2 a hardware -- specifically and explicitly hardware 3 based in their DCDs. So anyway, I think I have some 4 -- are there any other questions on the distributed 5 control system?
6 MR. HECHT: Yes, I have one.
7 MEMBER BROWN: Go ahead.
8 MR. HECHT: I thought I was clear until --
9 MEMBER BROWN: This is Myron. Give us 10 your name, Myron. Oh, you got his name tag, I am 11 sorry. Go ahead.
12 MR. HECHT: So before I understood that 13 segment was composed of processors, but as a result of 14 this discussion, I am not sure if segments are 15 distributed within processors or there is a 16 composition relationship where processors belong to 17 segments.
18 MEMBER BLEY: What is what happened to me 19 halfway through this discussion. I thought I followed 20 it, and then I got lost.
21 MR. ARNHOLT: Processors are assigned to 22 a segment. So you could have a segment, and again, it 23 gets into the detailed design of your plant control 24 system, but the processors within a segment are 25 independent from the processors within another NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
45 1 segment.
2 MR. HECHT: Okay, so the composition is 3 the distributed control system segments, the segments 4 consist of processors.
5 MR. ARNHOLT: Correct.
6 MR. HECHT: Okay, thank you.
7 MEMBER BROWN: And I think you said in 8 your earlier discussion within that processor, if you 9 have got four processors or five, whatever they are, 10 is there -- is their software segmented within those?
11 Did you say that earlier? Or is it just jumbled 12 around?
13 MR. ARNHOLT: Depends on how you architect 14 the actual software.
15 MEMBER BROWN: I am not trying to design.
16 I am just trying to understand.
17 MR. ARNHOLT: Right.
18 MEMBER BROWN: In terms of memory 19 allocation and stuff. You have not specified to that.
20 You are fundamentally segmenting by processors and 21 processes within a processor that compacts the 22 segment.
23 MR. ARNHOLT: I will give you a simple, 24 everyday example. Everyone drives a car. You have 25 your engine control module, and you think of that as NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
46 1 a segment, and then you have your infotainment module 2 that handles your radio.
3 MEMBER BROWN: Not me.
4 MR. ARNHOLT: That is a separate segment.
5 So if your infotainment module fails, or otherwise 6 becomes inoperable, you still have your engine control 7 module, and you can continue to drive down the road.
8 That is a very simple everyday example of 9 segmentation.
10 MEMBER BLEY: And there are some real good 11 examples of people who have hacked through the 12 entertainment module into the other modules.
13 MEMBER BROWN: Into the other module, 14 yeah. Yeah. But I am glad I still have a distributor 15 and a carburetor. They are so old.
16 MR. ARNHOLT: That is a simple, practical 17 example of a segmentation.
18 MR. HECHT: To continue to onto Charlie's 19 point, within an individual processor, I assume you 20 have a real-time operating system?
21 MR. ARNHOLT: Typically, distributed, most 22 of your modern commercially available distributor 23 control systems are based on real-time operating 24 systems.
25 MR. HECHT: But you do not specify that in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
47 1 the Chapter 7?
2 MR. ARNHOLT: Or the MCS or the PCS, we 3 did not get into that.
4 MR. HECHT: Okay. Well, I would assume, 5 and I guess maybe does this turn into some kind of 6 ASAI? But I would assume that these distributed 7 operating systems keep all their tasks, each task 8 related to some control function. Separate memory 9 spaces. And that they are given their own time slice 10 and given their own resource allocation after which 11 they get done executing that they -- that it moves on 12 and they are turned off until the --
13 MR. ARNHOLT: So I can answer that with a 14 little bit of foreshadowing into the content that I 15 have in section 7.1. We have our fundamental design 16 principles. And largely, we discussed in our 17 application how we applied the fundamental design 18 principles to the design of the safety-related 19 systems.
20 But we also did carry those design 21 principles over to the non-safety systems. And to 22 your point, we have a predictability and repeatability 23 fundamental design principal that was parlayed into 24 and put forth and carried into the design of your --
25 MR. HECHT: Well, that is a principal. I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
48 1 am talking about the implementation now, and just to 2 clarify to Charlie's point, that I would -- okay. It 3 would seem to me that most conventional designs keep 4 tasks that are associated with control functions and 5 separate memory spaces, and if that's not clear in the 6 application at this point, should it not be?
7 MR. ARNHOLT: It is not in the 8 application, and it was not part of the framework of 9 the DSRS when we put the application together for the 10 non-safety systems. Those implementing details are --
11 just were not part of the application for the non-12 safety system.
13 MEMBER BROWN: If I am not mistaken, the 14 point of this, I think, what I was hanging up on that 15 was one of my -- thank you for leaping into this --
16 when you turn a switch and tell something to stop, 17 start, increase, or decrease, you would like it to 18 happen before you blink your eye.
19 MR. ARNHOLT: Exactly.
20 MEMBER BROWN: So that is a real-time 21 operation. If it is like my computer here, and I ask 22 it to do something, and I said, nothing is happening, 23 takes five, ten, 15 seconds before something starts, 24 that is not a good idea if I am not mistaken. So I 25 guess how -- I would -- I am trying to connect the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
49 1 repeatable and predictable to not being a real-time 2 process. If you got repeatability and predictability 3 and you applied that design principle to the MCS and 4 PCS.
5 MR. ARNHOLT: I can offer this. I am not 6 aware of a commercially-available distributed control 7 system that does not function in a repeatable and 8 predictable manner with a highly designed real-time 9 operating system.
10 MEMBER BROWN: But if there was nothing, 11 there was nothing in the Chapter 7 that talked about 12 response time of the module control system and plant 13 control system --
14 MR. ARNHOLT: That level of detail --
15 MEMBER BROWN: -- so all you do is say it 16 needs to be repeatable and predictable, but it could 17 be ten seconds or a minute, and that is repeatable and 18 predictable.
19 MR. ARNHOLT: But we also do provide, you 20 know, for balance plan and asset protection. So you 21 know, you have a highly -- high-cost asset such as a 22 turbine generator set. Those are design principles 23 that you would want to apply to how you control and 24 operate your turbine generator set from an asset 25 protection standpoint.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
50 1 MEMBER BROWN: Take an example. Is the 2 overspeed protection system for the turbine generator 3 set embedded in the module control system, or in the 4 boxes mounted that come with the turbine generator 5 set?
6 MR. ARNHOLT: Most likely that would be --
7 MEMBER BROWN: I went and looked at 8 Chapter 8, and I went and looked at -- I think it was 9 something else. I could not find it.
10 MR. ARNHOLT: The turbine generator 11 designers and suppers that I am familiar with all have 12 their own package control system that comes along with 13 the turbine generator set itself.
14 MEMBER BROWN: So your distributed control 15 system, through your process and your segmenting, will 16 tell it, provides the commands to do the other things, 17 and the inherent protection features are built into 18 the unit that comes with it.
19 MR. ARNHOLT: And I can tell you, based on 20 my experience, those are designed in a highly real-21 time system. For example, you have a fixed cycle at 22 which a control processor works through all its 23 functions. It might allocate ten percent to read all 24 the inputs, 40 percent to perform all the logic, and 25 then 50 percent to process all the outputs.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
51 1 And that is a fixed sequence of events 2 every single frame cycle of that control processor 3 function. That is the typical way that most real-time 4 distributed control systems function. But that level 5 of detail was not in -- we did not put that into 6 Chapter 7 for the non-safety systems.
7 MEMBER BROWN: Do you have anything else, 8 Dennis?
9 MEMBER SUNSERI: I guess maybe I have a 10 question, Charlie.
11 MEMBER BROWN: Have at it.
12 MEMBER SUNSERI: For Charlie and Myron.
13 I guess it would help me to understand the context of 14 this conversation of what is the so what. Are you 15 expressing a concern or seeking to understand?
16 MEMBER BROWN: Just trying to understand, 17 okay? This is a -- I mean, it is a -- they have been 18 defined as non-safety systems, so --
19 MEMBER BLEY: And understanding implies 20 you can think of the insults that might cause a 21 problem.
22 MEMBER BROWN: Exactly. And that is --
23 MEMBER BLEY: That is the reason for 24 digging into it.
25 MEMBER BROWN: I dug into this because I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
52 1 wanted to understand the relationship between the 2 possible external access, the ability to get into 3 them, how interwoven are these interior to the -- you 4 know, within the designs of these two systems.
5 MEMBER SUNSERI: I was not challenging.
6 I was just trying to seek to understand myself.
7 MEMBER BROWN: No, this was strictly an 8 understanding to make sure we understand, because we 9 are not -- we are obviously not trying to design the 10 non-safety systems. I mean, but we -- we do want to 11 make sure that they are not susceptible to causing a 12 problem in some other manner based on the way they are 13 put together or accessed.
14 MR. ARNHOLT: And the takeaway I would 15 like to leave you with is we have done that analysis 16 and the results of that analysis and how we designed, 17 at least from an architecture level, is reflected in 18 the design that you see here today.
19 MEMBER BROWN: And now for -- go ahead, 20 Dennis.
21 MEMBER BLEY: That is kind of comforting.
22 If one drives the non-safety systems into places you 23 do not ever expect them to be, they can create 24 challenges for the safety systems that might be beyond 25 your design capabilities.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
53 1 MR. ARNHOLT: That is true. And there is 2 --
3 MEMBER BLEY: So they are not non-safety 4 in that sense. They can drive you into difficult 5 situations.
6 MR. ARNHOLT: True. And the fact that we 7 call them non-safety does not mean they are not 8 important to the overall operation of the plant. We 9 design them as such, to be highly reliable and work 10 when called upon. And so we did describe, in Chapter 11 7, there is some language, and we call them 12 preventative and limiting measures.
13 So there are things that you can do in 14 design space. Segmentation is one. Error checking on 15 your signal inputs, having redundant sensor inputs --
16 and this is non-safety I am talking about. So there 17 are a whole series of preventative and limiting 18 measures you can do and apply to your design that 19 ensure the reliable operation of these systems.
20 And then we described some of those in the 21 application, how we apply those. And that ensures 22 that as the operators interface with the system, as 23 the system operates, it operates as designed, in a 24 reliable fashion.
25 MEMBER BROWN: Okay, let me ask, it does NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
54 1 not show up on this diagram. But on the other 2 diagram.
3 MR. ARNHOLT: And I do have, in this 4 presentation, if you want, at the very end, I can 5 throw the more difficult --
6 MEMBER BROWN: Yeah, okay. Go ahead and 7 put it up there. I do not know if anybody can read 8 it. Now you cannot read that. Okay.
9 MR. ARNHOLT: I am happy to --
10 MEMBER BROWN: Now I guess my question is, 11 if I look at this and if you will put it back up. No, 12 go on back to the last thing just so if somebody wants 13 to see it, they can.
14 MEMBER MARCH-LEUBA: Brian, you have the 15 mouse. You can point.
16 MEMBER BROWN: Here.
17 MEMBER MARCH-LEUBA: So we can see what 18 you --
19 MEMBER BROWN: Go up to the box. Go up to 20 the right. Right hand. Now go over a little bit to 21 the -- there are two boxes between the legend and the 22 main control room. Right there.
23 MR. ARNHOLT: Right here?
24 MEMBER BROWN: Now down, go down one more.
25 No, the next little box below it. It is labeled NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
55 1 technical support center.
2 MR. ARNHOLT: Okay. All right.
3 MEMBER BROWN: Let me see. It is up, up, 4 right there.
5 MR. ARNHOLT: Right there. Okay.
6 MEMBER BROWN: That has a line down into 7 plant control system, but yet when I try to define it 8 -- and it has got some words like PCS power operations 9 network. From reading the chapter -- and I could not 10 figure it out -- it implied to me that the technical 11 support center had some ability to control or operate 12 the plant control system as opposed to just a 13 monitoring function. I could not define it.
14 MR. ARNHOLT: No, that is not correct. The 15 PCS workstations and the technical support center are 16 for monitoring the plant level the operation of the 17 plant. So each module control system's information --
18 MEMBER BROWN: I understand the 19 workstation. I am talking about the other little box 20 to the right where it says power operations, HSI 21 network.
22 MR. ARNHOLT: Right. And that -- we have 23 a network where all the human system interfaces 24 connect to, and that is where that workstation is 25 connected to. So you have an IO network, the way this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
56 1 drawing is set up. You have an IO network that 2 interfaces with the control network and so those are 3 those IO modules that I mentioned.
4 The control processor's function on the 5 control network level. And then you aggregate that up 6 to you HSI operations network. And that is the 7 network where the human system interfaces reside for 8 the operator interfaces. And that is where this 9 display would interface to.
10 MEMBER BROWN: Without any notes, I guess 11 I would have interpreted that line to be a 12 bidirectional line although based on what you just 13 said, it ought to be a unidirectional. I do not care 14 whether it is a gateway or whatever, but --
15 MR. ARNHOLT: It did not provide that 16 level of detail in this drawing of that, but when you 17 configure your -- and again, this is getting into the 18 design details of how you --
19 MEMBER BROWN: I am not interested in 20 getting -- I just want to make sure that people from 21 the TSC cannot go initiate some action from the 22 technical server --
23 MR. ARNHOLT: But there are user roles 24 that you would assign for somebody to be able to 25 access that. And these are on cyber security NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
57 1 principles of how you design systems that you have 2 operator roles, engineer roles, technician roles.
3 MEMBER BROWN: But you are talking about 4 they have to ask for information.
5 MR. ARNHOLT: Right.
6 MEMBER BROWN: From the plant control 7 system.
8 MR. ARNHOLT: Right. And so it --
9 MEMBER BROWN: And that is why it is 10 bidirectional.
11 MR. ARNHOLT: If you log in with a 12 technical support center role, you would not have 13 control capability. You would have monitor only 14 capability, as an example.
15 MEMBER BROWN: Okay. You can go on back 16 to your other slide now.
17 MEMBER MARCH-LEUBA: Going back to what --
18 that line is bidirectional.
19 MEMBER BROWN: Did you find it?
20 MEMBER MARCH-LEUBA: The line between the 21 technical support center and the plant control, the 22 PCS, is bidirectional.
23 MR. ARNHOLT: Yeah, we did not show it as 24 a unidirectional line, but that is a typical --
25 MEMBER BROWN: Because it did not say NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
58 1 anything, I assumed it was a bidirectional line. Just 2 based on the rest of the approach that you did with 3 the rest of the figure. And why does it have to be 4 bidirectional? I thought if you just sent all the 5 information to technical support center, they do not 6 have to ask for anything. It is always there.
7 MR. ARNHOLT: Yes. You can. I am sorry, 8 did you have a question?
9 MEMBER KIRCHNER: I thought the protocol 10 would be the control would remain with the operator, 11 not the technical support center.
12 MEMBER BROWN: Well, he just said that.
13 MEMBER KIRCHNER: Okay.
14 MEMBER BROWN: If I am not mistaken.
15 MR. ARNHOLT: When I say bidirectional, I 16 mean typical ethernet networking technologies.
17 TCP/IP. We do not use any special --
18 MEMBER MARCH-LEUBA: What someone is 19 reading there is "hackable."
20 MEMBER BROWN: Yes.
21 MR. ARNHOLT: And the way this 22 architecture is laid out is, is we have a defensive 23 architecture with multiple layers of security, so your 24 innermost layers are where your safety systems reside.
25 There is no physical possibility to even remotely NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
59 1 access the systems.
2 Once you get out, we have the 3 unidirectional data diode that we talked about 4 earlier, and once you get out to that, up to the plant 5 network, you have firewalls. So we do have multiple 6 defensive levels that are going to -- designed within 7 this architecture from a --
8 MEMBER BROWN: Well, your firewalls from 9 the plant network on out to the world is a 10 bidirectional firewall, so that is useless. I will 11 not phrase it in the way I normally phrase it.
12 MR. ARNHOLT: And I will add, I have got 13 a slide on this, too, but we -- part of our 14 application, we did not submit a cybersecurity plan.
15 We have a --
16 MEMBER BROWN: I am not working on 17 cybersecurity. I am only looking at remote access, 18 okay? And that -- it is the data diodes from the 19 plant control or machinery and module control system.
20 If you have a bidirectional firewall, whatever it is 21 that you want to screw around with and try to make it 22 smart all the time, that is your business.
23 I just want to make sure the penetration 24 of that firewall to the plant network cannot allow any 25 communication at all under any circumstances to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
60 1 other two.
2 MR. ARNHOLT: I certainly understand the 3 line of the questions.
4 MEMBER BROWN: To SNMCS, because if you 5 are open to total vulnerability to the entire plant 6 whether you call it non-safety or whatever, from that 7 standpoint.
8 MR. HECHT: This is Myron Hecht again. Can I 9 ask a question about that connection that you were 10 just talking about? You said it was a TCP/IP-type 11 connection. And then, you said that, basically, the 12 role-based log-in would prevent an operator or a 13 person in the TCS, or TSC -- excuse me -- Technical 14 Support Center from controlling the network. Yet, 15 TCP/IP is inherently a bidirectional connection. So, 16 that means that the prevention of control or 17 inhibition of control from the TSC is based on 18 software-based, on the log-in function and the 19 software which basically says a person with a TSC role 20 cannot control the plant. Just to make that clear.
21 MEMBER BROWN: Yes, that's what I 22 understood.
23 MR. HECHT: Okay.
24 MEMBER BROWN: I don't particularly care 25 for that, but that's beyond us right now.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
61 1 MR. ARNHOLT: Yes, and I would say that 2 the details of those designs were in progress in that 3 detail design phase, but you won't find that level of 4 detail in the application that's currently used right 5 now.
6 MEMBER BROWN: Okay.
7 MR. HECHT: But, on a hardware level, it 8 is bidirectional. It's only on the software level 9 that we inhibit the --
10 MEMBER BROWN: Yes.
11 MR. ARNHOLT: And there are multiple 12 technologies and engineering attributes you can apply 13 to the design of these systems to make them robust 14 from an interaction and communication standpoint.
15 MR. HECHT: Thank you.
16 MEMBER MARCH-LEUBA: Where is the 17 Technical Support Center located physically? Inside 18 the plant or outside the plant?
19 MR. ARNHOLT: I don't know the answer to 20 that question without having to --
21 MEMBER BLEY: Usually inside.
22 MEMBER MARCH-LEUBA: Yes, but if it was 23 located 10 miles away --
24 MEMBER BROWN: No, no, I agree with 25 Dennis; the ones we've seen before is just a building NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
62 1 outside --
2 MEMBER MARCH-LEUBA: If it's inside the 3 fence --
4 MR. BERGMAN: This is Tom Bergman.
5 It's inside the control building.
6 MEMBER BROWN: It's inside the control 7 building?
8 MR. BERGMAN: Yes.
9 MEMBER BROWN: Okay.
10 MEMBER MARCH-LEUBA: Then, it doesn't 11 matter.
12 MEMBER BROWN: Right.
13 MR. ARNHOLT: And there's other security-14 level controls. There's, obviously, physical security 15 controls that afford you the most protection, being 16 able to physically secure your digital I&C equipment.
17 I mean, the most bang for your buck is in how you 18 apply physical security.
19 MEMBER MARCH-LEUBA: If it's a copper 20 line, with TCP/IP, I can go there with a little needle 21 and put any TCP/IP package I want to in there. But, 22 if it's in the secured area, then I cannot do that.
23 I might as well go to the blue PCS --
24 MEMBER BLEY: They usually have 25 connections to the company network in that area, too.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
63 1 MEMBER BROWN: Well, in this case, they're 2 not showing that.
3 MEMBER MARCH-LEUBA: Not in that way.
4 MEMBER BROWN: It has to go through the 5 plant control system, which it's a unit. That's a 6 good way to do it.
7 MR. ARNHOLT: Any other remaining 8 questions here?
9 MEMBER BROWN: Okay. Yes, you can go on 10 back to your other one.
11 MEMBER BROWN: I'm just trying to make 12 sure we understand what we're looking at.
13 MR. ARNHOLT: All right. So, I've covered 14 this slide, and I just have a similar slide that 15 discusses the plant-level systems. I've talked about 16 most of these.
17 I do want to make a couple of points 18 regarding the design of the plant protection system 19 and the safety display and information system. While 20 these are non-safety, non-risk-significant systems, 21 this doesn't mean we don't design them with a high 22 level of design quality. We've applied augmented 23 design requirements for these.
24 For example, the plant protection system 25 -- and you may have read this in the application -- is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
64 1 actually based off of the same platform technology as 2 our module protection system. So, we leverage all the 3 design attributes that make that a safe and reliable 4 system and apply that to the plant protection system.
5 In turn, the plant protection system does 6 perform very important functions. It will actually 7 control inhabitability under a certain set of 8 conditions for protection of the operators in the main 9 control room, and it also has some important 10 radiation-monitoring functions that made us supply 11 these augmented design requirements to it.
12 MEMBER BLEY: Brian?
13 MR. ARNHOLT: Yes?
14 MEMBER BLEY: When you say non-safety-15 related, I understand. When you say non-risk-16 significant, is that from the I&C designer's point of 17 view or is that from the point of view of the PRA that 18 tried to find ways to make this system create risk-19 important scenarios?
20 MR. ARNHOLT: That risk determination was 21 performed as part of our design reliability assurance 22 program. So, throughout the design of --
23 MEMBER BLEY: Which isn't connected to the 24 PRA?
25 MR. ARNHOLT: The PRA informs this, but NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
65 1 the process for performing DRAP evaluations that's 2 described in Chapter 17 explains how we came up with 3 the risk determination for these systems.
4 MEMBER BLEY: Which chapter?
5 MR. ARNHOLT: Chapter 17.
6 MEMBER BLEY: Seventeen.
7 MR. ARNHOLT: Describes our design 8 reliability assurance program.
9 MEMBER BLEY: I will look at that. Also, 10 we haven't reviewed the PRA in detail yet. I want to 11 make sure they look for ways that, in fact, this could 12 become a significant --
13 MR. ARNHOLT: For many years, we had an 14 active -- and still do have an active -- DRAP expert 15 panel, and we apply the principles that we've 16 described in our DRAP program to the design of all the 17 NuScale --
18 MEMBER BLEY: In Chapter 17.
19 MR. ARNHOLT: Yes.
20 MEMBER BLEY: Okay.
21 MR. ARNHOLT: But that's where the risk 22 determination comes from in this context.
23 The safety display and information system, 24 it's actually a unique display system. It's non-25 safety-related, but we do apply FPGA-based technology NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
66 1 to this. And as I mentioned earlier, there are some 2 benefits in simplicity and diversity that we carry 3 through, even into our safety display and information 4 systems, and those are the primary systems that 5 provide the display of post-accident monitoring 6 information to the plant operators.
7 MEMBER BROWN: My memory tells me that's 8 redundant pluses. There's a safety design. There's 9 a division 1 SDI and a division 2 SDI?
10 MR. ARNHOLT: There's actually 26 physical 11 displays, two divisions for each module or module-12 specific information. And then, we have a 13 redundant --
14 MEMBER BROWN: I've read the number. My 15 point is, all the information from all the plants goes 16 through just -- and it's not shown on your other -- if 17 you go back to figure 8, it's not shown on figure 8.
18 No, it was back earlier. That one. The next one.
19 MR. ARNHOLT: We don't show that level of 20 detail here, but --
21 MEMBER BROWN: Yes, you show it, but it's 22 shown on the figure as, and the implication is, the 23 monitors, you've got a lot of those.
24 MR. ARNHOLT: We do.
25 MEMBER BROWN: But it only shows a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
67 1 division 1 and 2. And the way I read that was there 2 is an SDI for each and every NPM.
3 MR. ARNHOLT: That's correct.
4 MEMBER BROWN: Is that?
5 MR. ARNHOLT: Yes.
6 MEMBER BROWN: Okay. All right. So, they 7 are segregated by NuScale Power Modules?
8 MR. ARNHOLT: Yes.
9 MEMBER BROWN: Okay. That was my 10 question. Thank you.
11 MR. ARNHOLT: I mentioned most of these, 12 and I'd just mention the last set of systems is a 13 radiation-monitoring system. This largely is a series 14 of plant-level radiation monitors throughout the 15 plant, fixed-area radiation monitors. We do have a 16 set of module-specific radiation monitors. So, this 17 kind of crosses both paths, but we apply both analog 18 and digital technology to the design of the system.
19 So, dropping down into a lower level of 20 detail, looking at the module protection system, the 21 module protection system is the NuScale specific 22 implementation of the highly-integrated protection 23 system platform that the ACRS Subcommittee has 24 previously reviewed. The NRC has approved our Topical 25 Report for that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
68 1 An important takeaway of that, we have 2 taken no deviations from what was presented as part of 3 the HIPS platform in the design of the NuScale 4 specific module protection system. So, we conform to 5 the same regulations and take no exceptions to 6 IEEE 603, IEEE 7-4.3.2, or the Staff Requirements 7 Memorandum for SECY-93-087 that explains the diversity 8 attributes of your I&C systems.
9 The major components of the MPS. We have 10 four separation groups of sensor inputs and 11 electronics and trip determination. You may remember 12 this from the review of the HIPS platform. We have 13 Class 1E DC-to-DC power converters, and that provides 14 isolation between the non-safety related, non-Class 1E 15 DC power system provided by the highly-reliable DC 16 system to the safety-related module protection system.
17 So, that is our isolation point for the power feeds to 18 MPS.
19 We have reactor trip and pressurizer 20 heater breakers, two divisions of reactor trip and 21 ESFAS divisional voting and outputs to field actuation 22 components. We also provide two divisions of 23 hardwired manual actuation switches. If you recall 24 the NuScale design, there are no required operator 25 actions to perform the safety-related functions. So, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
69 1 the MPS performs all of its required safety functions 2 automatically without any input from the operator.
3 However, we do provide the capability for backup 4 manual action by the operator if the case would arise.
5 We have non-safety-related 24-hour timers, 6 and I'll talk to this just shortly in the next slide.
7 These are the 24-hour timers that came out of the 8 Chapter 8 discussion. I'll talk a little bit more 9 about how those function and how the I&C systems 10 respond to that.
11 And then, we have some non-safety-related 12 maintenance workstations that allow us to perform 13 calibration and maintenance of the module protection 14 system.
15 Also, part of the MPS, we had the 16 discussion previously about the remote shutdown 17 station. We do provide isolation switches that 18 isolate those hardwired actuation and enable non-19 safety switches in the main control room. We provide 20 the capability to isolate those electrically from the 21 main control room and the remote shutdown stations.
22 That helps mitigate any potential issues, if there 23 were a fire in the main control or if those switches 24 to become compromised.
25 MEMBER BLEY: At least somewhere in here NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
70 1 I'm assuming, but I might be wrong, that the manually-2 enabled hardwired signal for each component that we 3 talked about on the overall architecture drawing is 4 described. Is that one switch that sets up the 5 hardware control for everything or is there a separate 6 switch for each item?
7 MR. ARNHOLT: It's an excellent question, 8 and I can clarify a little bit. We have system-level 9 manual actuation switches. When I say "system-level,"
10 I mean we actuate the reactor trip function. We 11 actuate the containment isolation function at the 12 system level. There is one switch per each division.
13 And we do have a pair of --
14 MEMBER BLEY: And that's hardwired --
15 MR. ARNHOLT: Hardwired, copper wires to 16 a hardwired module inside the module protection 17 system.
18 MEMBER BLEY: Everything else continues to 19 work automatically when you engage that switch?
20 MR. ARNHOLT: Yes.
21 MEMBER BLEY: It just adds one more 22 signal?
23 MR. ARNHOLT: The inputs for these manual 24 switches are hardwired, and they actually input -- and 25 I've got a slide that at the end I can make sure I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
71 1 point out.
2 MEMBER BLEY: Okay.
3 MR. ARNHOLT: But it inputs, actually, 4 downstream of any digital or software-based component.
5 MEMBER BLEY: Okay.
6 MR. ARNHOLT: So, it bypasses all the 7 software and actually inputs at the very end to drive 8 the actuation command.
9 MEMBER BLEY: But does that switch 10 actually send a signal or that just enables? Then, 11 you have another push button or something?
12 MR. ARNHOLT: What it does is it tells, it 13 interfaces with our actuation part of the logic and 14 tells our equipment interface module to remove power 15 from the --
16 MEMBER BLEY: Okay. So, it actually 17 creates a function?
18 MR. ARNHOLT: Exactly.
19 MEMBER BLEY: Okay.
20 MEMBER BROWN: So, it's not totally 21 downstream? It still interfaces with the actuation 22 priority logic --
23 MR. ARNHOLT: Priority logic.
24 MEMBER BROWN: -- which is in the EI --
25 MR. ARNHOLT: Exactly.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
72 1 MEMBER BROWN: -- in the equipment --
2 MR. ARNHOLT: Equipment interface module.
3 MEMBER BROWN: -- interface module.
4 MR. ARNHOLT: But downstream of any 5 digitally-based component.
6 MEMBER BROWN: All the digital stuff?
7 MR. ARNHOLT: Right.
8 MR. HECHT: In an answer to one of the 9 questions that the staff had raised, you made the 10 point that this hardware switch is a non-safety 11 function and that, in the APLs modules, the 12 application priority logic modules, that if there was 13 an indication of an RTS or an ESF condition, that the 14 manual signal would basically be ignored. Is that 15 correct?
16 MR. ARNHOLT: Yes.
17 MR. HECHT: So, is that the only condition 18 under which the manual switch is ignored?
19 MR. ARNHOLT: If there were an active 20 manual or automatic signal, and you attempt to 21 manipulate the switch -- it's a momentary contact 22 switch -- that signal would be ignored. If you had 23 normal conditions and you wanted to take control of 24 safety-related equipment using this switch, and so, 25 say you enabled the switch, and you were in the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
73 1 process of performing control of safety-related 2 components, if during that time you were to receive a 3 valid automatic or manual actuation signal, that 4 switch input would drop out and the automatic and 5 manual signal would be automatically processed at the 6 highest priority. That's another condition.
7 And then, if the operator wanted to re-8 enable control from the non-safety systems, he would 9 have to physically manipulate that switch yet again.
10 So, anytime an automatic or manual signal occurs, the 11 design of the APL completely ignores any input from 12 that switch and you have to work through the sequence 13 of events to re-enable that control again. The 14 keyword is it "takes deliberate operator actuation" to 15 re-enable the capability for that non-safety-related 16 control.
17 MEMBER BROWN: The APL is all just logic, 18 solid-state --
19 MR. ARNHOLT: Logic components.
20 MEMBER BROWN: Transistor logic, whatever 21 you want to call it. In the old days, it was TGL or 22 something like that.
23 MR. ARNHOLT: For those of the Committee 24 members -- I don't know if you've been to see our 25 prototype in Corvallis, where we have an actual card NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
74 1 of the APL. But I can't show a picture of it in an 2 open --
3 MEMBER BROWN: I'm just remembering the 4 figure and the discussion from the HIPS thing. And my 5 memory was that it was all just hardwired -- the way 6 we made computers in the 1960s.
7 MR. ARNHOLT: Exactly. Ironically, quite 8 complicated in design space to do, but we did it.
9 MEMBER BROWN: I hate to say I remember 10 that.
11 (Laughter.)
12 MEMBER SUNSERI: They were made out of 13 wood, weren't they?
14 (Laughter.)
15 MEMBER BROWN: And hammers and non-16 magnetic nails.
17 One other question on this. You talked 18 about you could actuate back through the module 19 control system. And you haven't gotten to this enable 20 safety switch. Is that another pathway into actuating 21 the module protection system, with the enable safety 22 control switch? It's not listed here as an input.
23 MR. ARNHOLT: It is, and it's an excellent 24 question. For the operator to be able to take 25 component-level control from the non-safety-related NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
75 1 module control system, we have to enable the non-2 safety -- you have to have no active protective signal 3 enabled. You have to manipulate this, enable the non-4 safety switch. And then, the operator has to take 5 control functions from his MCS workstation.
6 Those outputs are actually via hardwired, 7 non- -- there's no digital communication. They're 8 actually hardwired outputs from the non-safety system 9 into our hardwired module to drive the logic-level 10 commands to control safety-related components. So, 11 that input, yes, that is an isolated input into the 12 MPS, but through a hardwired non-digitally-13 communicated interface.
14 MEMBER BROWN: Okay. And somewhere I read 15 that -- and I'm just looking at my notes now; I can't 16 remember if it was in the CSR or the Chapter 7 -- that 17 this enable safety control switch, whatever you call 18 it, is a momentary switch.
19 MR. ARNHOLT: That's correct.
20 MEMBER BROWN: Does that mean you have to 21 hold it in place while you do something else?
22 MR. ARNHOLT: No. It --
23 MEMBER BROWN: You say you have to enable 24 that and, then, go do something else?
25 MR. ARNHOLT: You do not have to maintain NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
76 1 it. It's a swaying-return-to-center switch, and it 2 creates a logic-level signal that allows --
3 MEMBER BROWN: But that locks in?
4 MR. ARNHOLT: It locks in.
5 MEMBER BROWN: It locks in the logic-level 6 signal. So, then, you can go operate the control?
7 MR. ARNHOLT: If you were to get a --
8 MEMBER BROWN: Okay, I've got the picture 9 now.
10 MR. ARNHOLT: Okay. Then, that would 11 automatically go away if you got a valid protective 12 signal.
13 MEMBER BROWN: Yes, I've got it.
14 MR. ARNHOLT: You've got to re-enable it 15 to restart that scenario.
16 MEMBER BROWN: Okay. Thank you.
17 MR. AYALA: One thing I just want to add 18 to that is, so it is two divisions of those switches.
19 Let's say you wanted to do component-level control of 20 a safety-related component. Your division 1 switch, 21 you control on that valve. You would disable the 22 division 1 control. Then, you move on to division 2 23 and use that switch. So, you would have to -- it's 24 not a single switch capable of allowing you to control 25 two divisions of safety-related components.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
77 1 MR. ARNHOLT: All right.
2 MEMBER BROWN: Thank you for the 3 clarification, by the way.
4 MR. ARNHOLT: All right. There was some 5 discussion during the Chapter 8 ACRS Subcommittee 6 meeting on loss of AC power scenario and the design 7 function of these 24-hour timers that we talked about.
8 I'm going to walk through that here.
9 To set the stage, you just want to 10 remember your frame of mind is the safety-related I&C 11 systems require no safety-related or Class 1E 12 electrical AC or DC power to perform their safety 13 function. Remember, the removal of power is the 14 safety function.
15 However, we do want to provide the 16 capability for long-term post-accident monitoring.
17 For that, you do need electrical power. So, what I've 18 shown here is kind of a diagram of the flow of both AC 19 and DC electrical power, and I've got a sequence of 20 events there on the bottom. But, to do that, we take 21 advantage of our highly-reliable DC power system 22 that's, again, non-safety-related. And that's 23 arranged into four power channels, power channels 24 alpha, bravo, charlie, and delta. Power channels 25 alpha and delta have batteries that provide up to 24 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
78 1 hours1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of power supply to its required loads, and power 2 channels bravo and charlie provide up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for 3 long-term post-accident monitoring.
4 So, in order to ensure power is available 5 for long-term post-accident monitoring, we monitor for 6 and detect a loss of AC power to the input of the EDSS 7 battery chargers. So, on a detection -- you can kind 8 of follow along there at the bottom -- on a detection 9 of a loss of AC power, and we have volted sensors that 10 monitor the AC power input to the batteries, upon a 11 loss of AC power, the module protection system 12 automatically initiates a reactor trip, containment 13 isolation, and decay heat removal actuation. And what 14 that does is that removes non-essential loads related 15 to what's required to be powered for this scenario, 16 and it starts these 24-hour timers. The 24-hour 17 timers, remember, are non-safety-related functions, 18 and their sole purpose is to ensure that we are 19 capable of supplying power to meet our long-term post-20 accident monitoring requirements.
21 So, we call this mode an ECCS hold mode.
22 The important part is here we want to reduce the loads 23 on the batteries to just those related to, for the 24 first 24 hours, just related to post-accident 25 monitoring, and we want to continue to maintain power NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
79 1 to the ECCS valves to make sure that they remain 2 closed. We do not inhibit the ability for either an 3 automatic or a manual operator-initiated ECCS 4 actuation. So, there is no way that they can inhibit 5 a valid ECCS actuation demand that one were to call 6 for. They're simply there to keep power supplied to 7 the ECCS valves to prevent an unnecessary or spurious 8 ECCS actuation for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
9 We chose 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. It's a reasonable 10 amount of time to make restoration of AC power and 11 also keep power applied to the ECCS valves and ensure 12 they're closed.
13 At the end of the 24-hour period, if AC 14 power is not restored, we would remove power from the 15 reactor trip system and the engineered safeguards 16 features chassis. And so, that removal of power 17 would, in turn, remove power from the ECCS valves, and 18 they would open on that loss of power.
19 And then, we would transition to what we 20 call -- and you may have read it in the application --
21 is a PAM-only mode, post-accident monitoring only 22 mode. So, the only loads powered at that time are 23 those loads related to sensor electronics or sensor 24 loop power and the power to the safety display and 25 indication system. And we would sit there and provide NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
80 1 that power for the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for long-term monitoring.
2 MEMBER SKILLMAN: So, the 24-hour hold is 3 intended to enable repowering whatever it is that 4 caused the casualty, so that you could go back to 5 power? The flip side is you prevent going on ECCS, so 6 you don't have to go through an ECCS reset? Is that 7 what you're doing?
8 MR. ARNHOLT: That's correct.
9 MEMBER SKILLMAN: I understand. Thank 10 you.
11 MR. HECHT: To confirm on Gordon's 12 question, the ECCS hold really means ECCS inhibit, 13 right?
14 MR. ARNHOLT: No.
15 MR. HECHT: No?
16 MR. ARNHOLT: We do not -- and I mentioned 17 previously -- we do not inhibit the capability to 18 automatically actuate ECCS. If an ECCS condition is 19 warranted, ECCS will actuate either automatically or 20 manually via the operator. This scenario is assuming 21 there is not a demand for an ECCS actuation.
22 MR. HECHT: Okay. Thank you.
23 MR. ARNHOLT: That's the important 24 distinction. If, during that 24-hour period, the 25 operators were to notice conditions that would warrant NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
81 1 an ECCS actuation, they would have the capability to 2 manually initiate an ECCS actuation.
3 MEMBER BLEY: But, at the end of the 24 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, you actuate, which means we get there, if 5 everything's working right, before the batteries start 6 to decay?
7 MR. ARNHOLT: Right. And it's important 8 to note, the DC-to-DC power converters, those are a 9 Class 1E isolation device. And that's where we 10 provide our protection from any under-voltage 11 conditions, power surge transients from the AC power 12 system, things of that nature. That's what those 13 devices are intended to do, protect the downstream 14 safety-related equipment within the MPS.
15 MEMBER SKILLMAN: What is the -- let me 16 ask this question very carefully because I don't wish 17 to be pejorative -- what is the advantage that the 18 designers envisioned, other than draining the 19 batteries? How often might the designers of the 20 NuScale facility think this event might occur?
21 MR. ARNHOLT: How often?
22 MEMBER SKILLMAN: Yes.
23 MR. ARNHOLT: I don't know what the 24 postulated frequency of a loss of AC power event is.
25 Do you know what Chapter 15 assumes?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
82 1 MR. INFANGER: No. We don't have a 2 specific -- it's in the PRA. Chapter 19 has a loss of 3 outside power frequency. Typically, in the industry 4 it's about once every 20 years.
5 MEMBER BLEY: But it varies around the 6 country.
7 MR. INFANGER: Yes.
8 MR. ARNHOLT: But the takeaway is, AC 9 power or DC power is not required for performance of 10 a safety function.
11 MEMBER SKILLMAN: Yes. Thank you.
12 MR. ARNHOLT: Just a note about, we 13 mentioned earlier or heard a discussion earlier about 14 application specific action items, and this is just a 15 takeaway. The HIPS Topical Report provided 65 16 application specific action items. So, we did a 17 detailed cross-referencing in the NuScale Chapter 7 18 application that showed where we addressed within the 19 chapter all of the 65 action items. And we've got a 20 detailed table that provides that cross-referencing 21 for review. And then, that way, it gives you the 22 pointer to the content in the chapter where those 23 pieces of information were addressed.
24 I've got a little bit lower level of 25 detail of the module protection system top-level NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
83 1 architecture, and the color coding is important here.
2 The color coding is meant to convey this inherent 3 diversity attribute, but the Committee has seen this 4 figure before. So, for separation groups alpha and 5 charlie in ESFAS in reactor trip division 1, that's 6 based on one FPGA technology. And for separation 7 groups bravo and delta, and reactor trip in ESFAS 8 divisions 2, that's based on a different FPGA 9 technology. So, we apply the exact same diversity 10 attributes that we described in our HIPS Topical 11 Report to the NuScale plant design. That's what the 12 color coding was meant to convey.
13 The gray boxes down at the end indicate 14 that those prior-to-logic functions do not contain any 15 embedded digital technology.
16 MEMBER BROWN: Just if you don't remember 17 from the HIPS meeting what that means on the two 18 technologies, one of them is a one-time program or 19 flash FPGA operation; the other one is an SRAM or 20 static random access memory. The one-time programming 21 is, if my memory serves, that's a non-volatile set of 22 stuff.
23 MR. ARNHOLT: Correct.
24 MEMBER BROWN: The SRAM is a volatile set 25 of FPGAs which, when you lose power, everything goes NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
84 1 away. I mean, you don't have any memory. It has to 2 be reset.
3 MEMBER BLEY: But the common point is the 4 logic you've put in by either method.
5 MEMBER BROWN: That's right. In one case 6 the memory is retained, and the other one the memory 7 is not retained. But they're two different, they're 8 just two different approaches in terms of the FPGA 9 technologies.
10 MR. AYALA: Just a minor clarification, 11 though. They both still have some level of non-12 volatile memory.
13 MEMBER BROWN: Well, everything --
14 MR. AYALA: Yes.
15 MEMBER BROWN: -- has some level of non --
16 otherwise, you couldn't start it up.
17 MR. AYALA: Right. So, on the SRAM, when 18 it starts up, the SRAM loses its configuration.
19 MEMBER BROWN: Yes.
20 MR. AYALA: So, it has to look at the non-21 volatile memory and say, okay, how should I be 22 configured? And then, it configures itself.
23 MEMBER BROWN: But that's got programmable 24 read-only memory somewhere in there that the SRAM goes 25 and sucks stuff out to reprogram itself. It just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
85 1 takes time to do it; that's all.
2 MR. AYALA: Yes.
3 MEMBER BLEY: It's lacking a few switches.
4 Never mind.
5 (Laughter.)
6 MR. ARNHOLT: So, one of the last 7 takeaways here, and just so it's clear in everyone's 8 mind, we have four separation groups of signal inputs, 9 trip determination, and that feeds into two divisions 10 of voting logic and actuation commands to field 11 components. So, just as a point of clarification.
12 MEMBER BLEY: Just from your point of 13 view -- this is not a technical question -- how 14 helpful did it turn out to be for you to have done the 15 Topical earlier before you did the review of Chapter 16 7 with this there?
17 MR. ARNHOLT: I think the way that NuScale 18 did it was extremely advantageous to us. And 19 obviously, we took no exceptions to it. So, the staff 20 review that was performed for Chapter 7 leveraged a 21 lot of what was reviewed and approved in the HIPS 22 Topical Report. Very helpful.
23 MEMBER BROWN: I would actually echo that, 24 from our standpoint. If I had had to do both of these 25 coming up to the same meeting, my head would have NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
86 1 exploded, as if it didn't in the first place.
2 MR. ARNHOLT: And just remember, the way 3 we've designed the HIPS system and applied it to the 4 NuScale design for the module protection system, it's 5 a very simple system. And it affords us a lot of --
6 it's easy to review, and there's just a lot of benefit 7 to that.
8 Just a quick slide. We do have reactor 9 trip breakers. We have four reactor trip breakers, 10 two aligned to each reactor trip system division. And 11 we do provide the capability for manual trip of those 12 breakers. And we have a similar complement of 13 pressurizer heater trip breakers that are a safety-14 related function to remove power upon demand actuation 15 from the pressurizer heaters.
16 And just to note, these breakers do have 17 both a safety-related under-voltage coil, and to go 18 back to the removal of power is the safety function.
19 But we also do apply a non-safety-related diverse shut 20 trip circuitry capability, too, just from a breaker 21 operation --
22 MEMBER BLEY: Experience has shown that's 23 a really good idea because, depending on how well you 24 do the maintenance, the under-voltage --
25 MR. ARNHOLT: We've leveraged a lot of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
87 1 operating experience into the design of these 2 breakers.
3 We've talked about this in great detail.
4 I don't want to spend any more time on this. If we 5 need to, I can entertain additional questions. But 6 that list of five effects down at the bottom, that was 7 how we evaluated those systems from the segmentation.
8 And we looked at the system's ability to impact, as I 9 mentioned, reactivity, coolant pressure, temperature 10 level increases or decreases, or radioactive release 11 to the environment. So, that kind of formed the 12 framework by which we did our evaluation and allocated 13 segments to parts to the control system.
14 MEMBER SUNSERI: Brian, this looks like a 15 good place for a break.
16 MR. ARNHOLT: Absolutely. I was going to 17 say we're concluded with the Section 7.0 section.
18 MEMBER SUNSERI: All right. So, let's 19 pause here for 15 minutes. Return at 20 after on this 20 clock up here.
21 Thank you.
22 (Whereupon, the foregoing matter went off 23 the record at 10:03 a.m. and went back on the record 24 at 10:20 a.m.)
25 CHAIRMAN CORRADINI: Okay, why don't we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
88 1 get started?
2 I was asked to make a reminder that, 3 thanks to the diligence of the members, we get close 4 to proprietary, and we leave it to you to tell us to 5 back off, so that we can save those questions for the 6 afternoon closed session.
7 MR. ARNHOLT: Understood.
8 CHAIRMAN CORRADINI: Okay.
9 MR. ARNHOLT: I haven't got there yet this 10 morning, and I'm not have any prepared information for 11 a closed session, but if discussions need to go there, 12 we can --
13 CHAIRMAN CORRADINI: But you just warn us, 14 so we don't --
15 MR. ARNHOLT: Thank you.
16 CHAIRMAN CORRADINI: Keep on going.
17 MR. ARNHOLT: All right. Before I jump 18 into the Section 7.1 information, I just want to make 19 sure that people were clear on a discussion we had on 20 the previous section about our enable non-safety 21 control switch. And I can't remember if I misspoke, 22 but it is a momentary contact switch.
23 MEMBER BROWN: Yes, I asked you that 24 question.
25 MR. ARNHOLT: Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
89 1 MEMBER BROWN: And you answered it.
2 MR. ARNHOLT: Okay. Thank you.
3 MEMBER BROWN: And explained why it was 4 okay to be momentary.
5 MR. ARNHOLT: Okay. Good.
6 So, the Section 7.1 instruction on these 7 fundamental design principles of independence, 8 redundancy, predictability, and repeatability, 9 diversity and defense-in-depth, and simplicity. As I 10 wrap up the presentation, I'll talk a little bit more 11 about the simplicity attribute and how we applied 12 that.
13 Working on the independence principle, 14 this is a figure that those of you who were part of 15 the review of the HIPS Topical Report may have seen in 16 the past. The MPS and NMS are two safety-related 17 systems. They're designed with physical-electrical 18 communication and functional independence.
19 We've talked about this in previous 20 discussions, but just to reemphasize, we have one-way 21 communication from safety to non-safety systems 22 through isolated data paths. So, that's a 23 communication-independence attribute.
24 We separate safety and non-safety-related 25 communications on the separate communication buses.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
90 1 And I'll point to this figure and walk you through a 2 couple of examples.
3 If you look at the top of that figure, and 4 at safety function module No. 1, that safety function 5 module may perform a safety-related function, say, to 6 monitor pressurizer level and initiate a reactor trip 7 on a high or low pressurizer level function. And you 8 can see we've drawn some arrows between these three 9 safety data buses that are part of the safety data 10 communication path, and we also provide that data onto 11 a separate, completely separate and independent 12 communication bus that we call a monitoring 13 communication bus.
14 So, we have three safety, redundant safety 15 data buses here, and you can see those connections 16 from that safety function module. And we have an 17 isolated independent non-safety-related communication 18 bus that's our monitoring and indication bus. That's 19 that isolated data path that we talked about earlier 20 that provides information to MCS through these 21 communication modules.
22 If you look at safety function module --
23 MEMBER MARCH-LEUBA: That yellow box is 24 the isolation?
25 MR. ARNHOLT: That is where the electrical NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
91 1 and communication isolation occurs.
2 So, if we look at safety function module 3 No. 2, you will not see connections to the safety data 4 bus. And these are physical connections on the actual 5 FPGA circuitry. Physically, when we manufacture and 6 design and build the system, we physically do not make 7 those connections. And we only apply data to, and 8 connect data to, this monitoring and indication bus.
9 An example of that might be a sensor input 10 that's used for post-accident monitoring that has a 11 non-safety-related function, but we would still bring 12 it into the MPS because, then, we can leverage the 13 reliability of the MPS and take advantage of the 14 highly-reliable DC power system for that long-term 15 post-accident monitoring.
16 So, here's just a pictorial description of 17 how we've implemented at a practical level this 18 concept of independence in communication in the 19 system.
20 MEMBER MARCH-LEUBA: So, even though you 21 don't need it to be in the safety box, you put the 22 sensor in the safety --
23 MR. ARNHOLT: We do. And really, what 24 drove us to that decision was a simplicity standpoint.
25 We wanted to maintain the overall architecture as NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
92 1 simple as possible, and by doing it this way --
2 MEMBER MARCH-LEUBA: I was going to ask 3 the opposite, how come -- that's not simplicity.
4 That's complicated, the safety box, which is the one 5 you want to be simple. It's simplifying your life.
6 (Laughter.)
7 MR. ARNHOLT: And then, we talked about 8 this again, the control of safety-related components 9 of the hardwired isolated inputs for the module 10 control system. We mentioned earlier that that is 11 performed by hardware connections that communicate no 12 data.
13 Moving on to the next fundamental 14 principle, redundancy, we talked about this again, but 15 just how we've implemented it into the architecture 16 and design, four separation groups, two divisions of 17 module protection system. We have four channels of 18 safety-related neutron monitoring system that provide 19 inputs from the X4 detectors into the MPS to perform 20 protective functions on this inputs.
21 The NMS and the MPS are designed to meet 22 single failure criteria and through those redundancy 23 attributes. We also apply redundancy into our post-24 accident monitoring functions. We have no, NuScale 25 has no Type A post-accident monitoring variables that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
93 1 are associated with required safety-related operator 2 actions. We do have Type B and C variables. And for 3 those functions, we do meet the single failure 4 criterion, as required by IEEE 497.
5 And I had mentioned this earlier. We do 6 even carry these principles into the design of the 7 non-safety-related systems. And again, the end goal 8 there is a for a highly-reliable system for asset 9 protection and to reliably operate your plant.
10 Just a couple of notes and takeaways on 11 predictability and repeatability. There's a pretty 12 detailed discussion in the Highly Integrated 13 Protection System Topical Report. Some of that is of 14 a proprietary nature, and I won't discuss it here.
15 But we directly apply those principles into the design 16 of the FPGA-based MPS system.
17 And we do account for this fixed response 18 time. We describe how we calculate that response 19 time, and that is directly accounted for in the safety 20 analysis as part of the actuation delays that are 21 assumed in the Chapter 15 analysis.
22 Lastly, looking at the diversity and 23 defense-in-depth, I had mentioned earlier we leverage 24 the diversity between the two different types of FPGA 25 technologies, as I talked about, from an architecture NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
94 1 standpoint, how we do that with the platform 2 technology diversity. And that's where we get most of 3 our advantage and provide defense against digital-4 based common-cause failures.
5 Now the NuScale design does make use of 6 some first-of-a-kind sensors for safety-related 7 functions, but have digital technology in them. And 8 when I say "digital technology," based on the sensor 9 design, the sensor electronics and processing makes 10 use of digital processing technology. Now what the 11 actual inputs to MPS are, are actually analog inputs.
12 So, it's just the sensor processing that is performed 13 by a digital function, but we still would input that 14 as an analog input to the MPS, as I say, as a 4-to 15 milliamp signal or a 0-to-10-volt signal.
16 MEMBER MARCH-LEUBA: Is it planned to 17 build a complete system, a complete four-channel 18 protection system, plug it into a simulator, and run 19 it for three years before you go into the real system?
20 MR. ARNHOLT: I don't know that that's 21 part of our plan. We'll go through the normal digital 22 I&C development life cycle where you build. You'll do 23 component-level testing, integrated system testing, 24 factor acceptance testing, site acceptance testing.
25 But to do a long-term --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
95 1 MEMBER MARCH-LEUBA: Because it is one-of-2 a-kind, you are going to mess up somewhere.
3 MR. ARNHOLT: For most of our first-of-a-4 kind technology, we do have in-progress activities 5 that we're doing proof-of-concept and prototype 6 development. For example, we have a working prototype 7 of a single channel and single division of a module 8 protection system. That's been built and we've had 9 that in operation up in our Corvallis simulator for 10 the last 18 months or so.
11 MEMBER MARCH-LEUBA: How likely is it that 12 you will build the same system when you build the 13 plant? I mean, you'll probably use different 14 components.
15 MR. ARNHOLT: We could. But, you know, 16 there are certain design attributes that we applied, 17 just because it was a prototype. We maybe didn't use 18 rigor in the design of chassis or how the carbs are 19 physically assembled into the chassis, things of that 20 nature.
21 MEMBER MARCH-LEUBA: Yes, I mean, being 22 one of a kind, you will mess up. I will rather that 23 you test it on a computer instead of on the real 24 plant.
25 MR. ARNHOLT: Yes, and as part of our NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
96 1 first-of-a-kind development program, we do proof-of-2 concept. We have a whole qualification program that 3 is laid out as part of our design schedule.
4 Just for point of clarification, I had 5 mentioned our safety display and information system is 6 an FPGA-based system.
7 MEMBER MARCH-LEUBA: Uh-hum.
8 MR. ARNHOLT: We expect to have a 9 prototype fully tested and built by the end of this 10 year. So, in the next several months, we'll have a 11 working prototype. And that, the large benefit to 12 that is we had talked earlier about the human-system 13 interface and colors, and how do graphics interface 14 with the operator. So, we're able to validate that 15 because using FPGAs to perform display and monitoring, 16 it's a unique and novel concept, and we'll work out a 17 lot of those challenges with our prototype 18 development.
19 But, with these digital-based sensors, we 20 did want to address the digital-based common-cause 21 failure with those. And to do that, we addressed it 22 as part of a coping analysis. And so, there's an 23 extensive summary of this in the FSER Table 7.1-18, 24 where we walk through the digital-based sensors for 25 pressure, level, and flow, and looked at those NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
97 1 potential common-cause failure scenarios as they 2 relate to how the Chapter 15 analysis laid out.
3 Remember, a coping analysis uses best 4 estimate methods. So, the takeaway is we performed 5 our coping analysis using best estimate methods, and 6 we met all of our acceptance criteria. And that 7 largely was related to two different scenarios. Once 8 you apply best estimate methods, the particular 9 scenario that you evaluate for never gets to a point 10 where you have to challenge the safety system. So, it 11 just becomes a "no, never mind". And in other cases, 12 we would have had diverse non-digital-based sensors 13 that provide us the backup protective function. So, 14 the takeaway here is we perform an extensive coping 15 analysis to address these digital-based sensors and 16 postulated common-cause failures, and the results were 17 acceptable.
18 That concludes 7.1. Any remaining 19 questions related to the content in 7.1?
20 (No response.)
21 All right. Moving into Section 7.2, and 22 we've talked about this extensively this morning, but 23 I do want to have a brief discussion on the control of 24 access attributes.
25 The design of the module protection system NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
98 1 conforms to the control-of-access requirements in 2 IEEE 603 and Regulatory Guide 1.152. That sets the 3 regulatory basis for how we've evaluated and presented 4 that in Chapter 7.
5 I've mentioned the No. 1 security aspect 6 that we take advantage of is physical protection. We 7 lock our safety-related cabinets in physically-8 protected rooms.
9 The MPS design, physically, you cannot 10 perform any remote access to the FPGA-based logic, and 11 that's one of the other attributes that you get a 12 benefit from with FPGA-based systems. They're highly 13 secure, and once they're put into the runtime 14 configuration, there is physically no way to alter the 15 runtime application without actually removing a card 16 from service, physically removing it, and performing 17 whatever manipulations you need to change the logic on 18 that.
19 We do have a limited set of what we call 20 tunable parameters, things such as calibration 21 constants or setpoints that we use our maintenance 22 workstation for to update. And you can update that on 23 the system in a running configuration, but very 24 limited to just a few select number of parameters as 25 far as calibration of the system goes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
99 1 A quick note on automatic and manual 2 controls, and to reemphasize, there are no safety-3 related manual operator actions required for the 4 NuScale design. The MPS performs all of its RTS and 5 ESFAS functions automatically. However, we do provide 6 these series of -- and they're listed here -- of 7 manual actuation switches that backup. There's one 8 switch per division, and that is purely to give the 9 operator a backup to the automatic functions that the 10 MPS provides.
11 This next slide, I included this to 12 discuss the actuation prior to logic. And you may 13 have seen in the application we provide the logic 14 diagrams for all the MPS functions. So, this figure 15 is straight out, is representative straight out of the 16 FSER, and it's an attempt to show that your automatic 17 and manual protective functions have the highest 18 priority. And you can see, there on the left, they 19 input at the lowest point downstream to where the 20 voting logic occurs for command and actuation to the 21 final actuated component.
22 And we talked earlier about this enable 23 non-safety control switch. You can see where the 24 logic comes as you walk through this. The way the 25 logic represents -- and I talked about it before -- if NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
100 1 the operator had enabled non-safety-related control 2 using his procedures, and if an automatic or manual 3 actuation signal were to occur during that scenario, 4 this logic would drop out that input from the enable 5 non-safety-related control switch and remove any non-6 safety-related control commands until the operate took 7 deliberate action to reenable that.
8 And just a point to take away, to 9 remember, this is a non-digital-based component. It's 10 actually a separate circuit within our equipment 11 interface module. It is comprised of non-digital 12 discrete components. So, there is no software-based 13 or digital-based circuitry involved with that.
14 MEMBER BROWN: Non-digital --
15 MR. ARNHOLT: Non-digital.
16 MEMBER BROWN: -- that's digital. I mean, 17 it's digital logic. It's just hardware-implemented; 18 that's all.
19 MR. ARNHOLT: Yes, discrete components.
20 MEMBER BROWN: It's no software.
21 MR. ARNHOLT: Exactly. I just had a note 22 here --
23 MEMBER BROWN: Non-digital, though, it's 24 just no software.
25 MR. ARNHOLT: I'm going to back up one NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
101 1 slide, two slides. I just wanted to mention -- I 2 don't have it written up here -- but we do have a COL 3 action item I mentioned this morning to submit a 4 cybersecurity plan. So, this application does not 5 submit that as part of the NuScale DCA, but it is a 6 COL item to submit a cybersecurity plan.
7 So, to wrap up, in conclusion, I mentioned 8 the FSAR follows the Chapter 7 DSRS structure.
9 Overall, we thought it was a huge success to follow 10 that structure versus the old SRP. I thought it led 11 to efficient review. We had a lot of interactions 12 with the NRC staff, and really a lot of benefit with 13 that, the way that the DSRS worked out. I've been 14 involved with it for a number of years, and this is 15 the culmination of the result of that effort.
16 CHAIRMAN CORRADINI: Well, if you talk to 17 anybody above the staff you're talking to, to higher-18 ups within the Agency, that would be good to know.
19 MR. ARNHOLT: Okay.
20 CHAIRMAN CORRADINI: Because I think at 21 the higher levels they wanted to make sure that this 22 was a benefit.
23 MR. ARNHOLT: In my view, I think to speak 24 on behalf of NuScale, it was a very, very large 25 benefit to this.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
102 1 CHAIRMAN CORRADINI: Okay.
2 MEMBER BROWN: Well, the object of the --
3 and this is a personal opinion -- but the DSRSes were 4 to provide an overall framework within which we should 5 evaluate stuff, as well as more in one place 6 succinctly describe the things that you need to look 7 at underneath that overarching framework. That's why 8 I think it's been useful for us, or at least it has 9 been for me.
10 MR. ARNHOLT: It can achieve the desired 11 result.
12 The foundation of the regulatory 13 conformance, there we've taken no departure to the 14 regulations and the regulatory guidance that exists.
15 And that helps the review.
16 And just a couple of notes about the 17 simplicity. We tried to leverage the overall 18 passively-safe, simple design of the NuScale power 19 module. And you see that in the design of the I&C 20 systems. We don't have closed-loop control from a 21 safety-related standpoint. It's actuate-only, and the 22 actuation function is the removal of power. So, very 23 simple functions. Typically, your safety-related 24 protective signal conditioning and trip determination 25 functions are greater than and less than functions, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
103 1 simple comparators, simple functions to perform that, 2 and again, leverages the simplicity attributes that we 3 set forth.
4 And that concludes my presentation. I 5 don't know if there are any other remaining questions.
6 I'm happy to answer them.
7 CHAIRMAN CORRADINI: Take silence as a 8 success. Thank you.
9 We'll move on to the staff.
10 And for an I&C Subcommittee, we are almost 11 by uncertainty on time.
12 MEMBER BLEY: We are?
13 (Laughter.)
14 CHAIRMAN CORRADINI: Well, I mean, staff 15 was supposed to start at 10:15. So, this is pretty 16 close to on time.
17 (Laughter.)
18 It's in the same hour.
19 MEMBER BLEY: It may speak to having done 20 the Topical.
21 CHAIRMAN CORRADINI: Huh?
22 MEMBER BLEY: That may speak, also, to 23 having done the Topical earlier.
24 CHAIRMAN CORRADINI: Yes.
25 You know, the army is coming. Careful.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
104 1 (Laughter.)
2 Luis, are you going to start us off or is 3 Omid? You'll start us off? Okay.
4 This is now a testament to the complexity 5 of I&C or just the complexity of the staff? What is 6 it?
7 MEMBER BROWN: Both.
8 (Laughter.)
9 CHAIRMAN CORRADINI: Okay. Omid, you're 10 up.
11 MR. TABATABAI: Good morning, everyone.
12 Good morning, Chairman. Thanks very much for giving 13 us an opportunity to present to you the staff's 14 evaluation of NuScale's Chapter 7 instrumentation and 15 controls chapter for the design certification 16 application.
17 We have, as you said, a team of experts 18 here, but that is not all of us. As you can imagine, 19 there are a lot more branches and technical 20 disciplines involved in this review. And Luis will 21 touch on that.
22 Actually, before we get started, I would 23 like to remind members of the public who are listening 24 on the phone, we have a public version of the Safety 25 Evaluation Report available in ADAMS. If they need NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
105 1 the ML number, they can contact me or Greg Cranston.
2 CHAIRMAN CORRADINI: Or Christina.
3 MR. TABATABAI: Or Christina, to get the 4 ML number.
5 Dr. Bley, you also mentioned about Chapter 6 17. You had a question about the DRAP process and the 7 classification of risk significant systems. I just 8 want to tell you --
9 MEMBER BROWN: Not quite, but go ahead.
10 MR. TABATABAI: I'm sorry, it was Mr.
11 Skillman. I think you asked the question during 12 NuScale's presentation.
13 MEMBER BLEY: Well, I asked where their 14 evaluation of non-risk-significant came from.
15 MR. TABATABAI: Right.
16 MEMBER BLEY: And they pointed me to 17 Chapter 17, which I haven't seen.
18 MR. TABATABAI: Right. And I happen to be 19 the PM for Chapter 17 as well.
20 MEMBER BLEY: Oh, okay.
21 MR. TABATABAI: So, we finished the SER, 22 the safety evaluation for Chapter 17. I can provide 23 a copy of that to you ahead of time.
24 MEMBER BLEY: Okay, great.
25 MR. TABATABAI: So, that's all --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
106 1 MEMBER BLEY: Through Christina, yes.
2 MR. TABATABAI: Of course, yes.
3 Aside from that, I don't have any more 4 remarks. I would like to ask Luis Betancourt to start 5 the technical discussions.
6 CHAIRMAN CORRADINI: Thank you.
7 MR. BETANCOURT: Well, good morning. My 8 name is Luis Betancourt, and I am the Acting I&C 9 Branch Chief. With me here today we have -- front and 10 center are two main presenters for today, which is 11 Sergiu Basturescu as well as Dawnmathews 12 Kalathiveettil, and Dinesh Taneja, who is also the I&C 13 technical reviewer for the NuScale design. And at 14 least in the audience we've got, also, some of the 15 members that, in the case that we need to draw them, 16 we will also put them in the line of fire.
17 That being said, for today's agenda, what 18 we want to do, I will provide a high-level background 19 of the I&C staff review team, how we interface with 20 all the disciplines in the NRC as well as some of the 21 high-level milestones that we go through in the 22 review.
23 Following my presentation, Sergiu will 24 talk about the philosophy of the safety-focused review 25 that we employed in this review, followed by the high-NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
107 1 level overview of the I&C architecture. And he will 2 present three of the four fundamental design 3 principles.
4 Then, Dawnmathews will be talking about 5 the fundamental design physical of D3, as well as some 6 of the questions that we got in the morning on the no 7 cementation analyses as well as the assumption of 8 ATWS.
9 We also plan to have a slide to talk about 10 the comments that we got from Chapter 8, from the 11 Subcommittee members. So, we're going to cover the 12 story from the staff, and then, high-level 13 conclusions.
14 MEMBER BLEY: Luis, were you planning to 15 talk about or would you talk about how you folks saw 16 the utility of having done the Topical ahead of time?
17 MR. BETANCOURT: Yes, I will.
18 So, very quickly, this is the I&C review 19 team as well as the quality management team.
20 The purpose of this slide is to show that, 21 even though we're seeing today a Chapter 7 review, 22 this actually involved a lot of the disciplines that 23 you see on this slide. In the slide you will see the 24 different disciplines that are called out, and we 25 actually interacted with five Divisions across three NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
108 1 different offices.
2 One of the things, it was really helpful 3 in the DSRS that these interfaces were clearly 4 delineated. So, that really helped us to start with 5 the review, or who are all of these people that we 6 need to start to talking to in order to be able to 7 perform the review of Chapter 7.
8 To address your question, Dennis, one of 9 the things that we found out as part of the pre-10 application activities is that we actually had a lot 11 of interactions with the pre-applicant. And as part 12 of those pre-applications, we also had the HIPS 13 Topical Report at that time. And when they came in, 14 one of the things that they found out is in this area 15 of built-in diversity. That was the first time that 16 we saw that. We actually had a lot of questions with 17 them at that time. It actually helped us to 18 understand their diversity early in the game.
19 So, when we received the application in 20 late 2016, we already knew what were these safety-21 focused areas that we want to do on the staff. So, 22 even though we had this pre-application between late 23 2016 to March 2017, when we were doing our acceptance 24 review, there were some of the major technical issues 25 that were addressed as far as the Topical Report. So, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
109 1 we were able to focus on other areas that were more 2 application-specific in the NuScale design.
3 Since then, I wanted to point out that, in 4 April 2017, we had the full Committee on the HIPS 5 Topical Report, that the members were briefed on the 6 platform. And around that time, between March 2017 to 7 December 2017, we were able to have five public 8 meetings. We were able to issue nine RAIs that 9 contained existing questions, and we had one audit 10 regarding the FMAA/SR analysis and the no cementation 11 technical basis.
12 MEMBER BLEY: So, you got way ahead, that 13 sounds --
14 MR. BETANCOURT: Yes.
15 MEMBER BLEY: That's good to know.
16 MR. BETANCOURT: Right. And then, by that 17 time, by 2017, we were able to close all of their 18 RAIs. So, when we submitted the SER, the Draft SER 19 with Open Items and Projects, at that time there were 20 no open items. So, all of the issues that we found 21 were resolved with the RAIs.
22 And in March 2018, they submitted the 23 application and Revision of the DCD, and it took us a 24 month to verify that all the confirmatory items were 25 incorporated in Revision 1. And since then, that's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
110 1 why we are here today.
2 One of the things that I want to commend 3 both the staff and NuScale is that, since 2014 all the 4 way to today, we have had a very open, collaborative 5 environment with the applicant that we were able to 6 actually express with very frank conversation. These 7 are the technical issues that we found in the 8 application. And we were able to have that dialog 9 that actually helped us to get where we are today.
10 As of today, we don't have any I&C 11 specific open items in the SER. You will see that 12 there are some more open items, but they're actually 13 from the interfaces that we have from other chapters; 14 for example, Chapter 8, Chapter 15, and Chapter 18.
15 But, as of today, we don't have any open items that 16 are specific to I&C.
17 Any more questions on this before I turn 18 it over to Sergiu?
19 (No response.)
20 Okay. Oh, Charlie, you had a question?
21 MEMBER BROWN: Yes. So, all open items 22 are closed?
24 MEMBER BROWN: For I&C?
25 MR. BETANCOURT: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
111 1 MEMBER BROWN: Okay. Good.
2 MR. BETANCOURT: So, we'll now turn it 3 over to Sergiu here, and he's going to take over.
4 Sergiu.
5 MR. BASTURESCU: Good morning. My name is 6 Sergiu Basturescu.
7 And go to slide 6. On this slide, we are 8 presenting the safety-focused review. The NRC 9 established the enhanced safety-focused review 10 approach, which lined up with the framework of the 11 DSRS, which was developed by the Instrumentation and 12 Control staff.
13 Use of risk insights to enhance the 14 safety-focused review of the NuScale SMR design is 15 consistent with the fundamental I&C safety design 16 principles of independence, redundancy, 17 predictability, and repeatability, diversity and 18 defense-in-depth, and simplicity. We will look at 19 these fundamental principles on the later slides.
20 MEMBER BLEY: Sergiu, a couple of years 21 ago or more, I guess, we were briefed on the safety-22 focused review approach and the kind of tracking 23 tables and things they had developed. Did you use 24 that kind of as we might have seen it a couple of 25 years ago or has it evolved a lot?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
112 1 MR. BETANCOURT: So, I was actually part 2 of that safety-focused review team as well as Joe 3 Ashcraft, who is in the audience. And, yes, we were 4 able to use that table at the beginning of the review 5 to be able to narrow down --
6 MEMBER BLEY: Was it helpful?
7 MR. BETANCOURT: It was.
8 MEMBER BLEY: Did it really focus things?
9 MR. BETANCOURT: Yes.
10 MEMBER BLEY: Okay.
11 MR. BETANCOURT: It really helped us to 12 focus on how the I&C system interfaced with the other 13 safety systems in the plan. So, it really helped us 14 to narrow down the technical issues.
15 MEMBER BLEY: It kind of "smelled" like it 16 should, but it's nice to hear that you had experience 17 with it.
18 MR. BETANCOURT: Yes.
19 MEMBER BLEY: Do you know if other parts 20 of the NuScale review are using that same approach?
21 MR. BETANCOURT: Oh, they will need to 22 answer that.
23 (Laughter.)
24 MR. TABATABAI: To the extent practicable 25 yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
113 1 MEMBER BLEY: Is it? Okay.
2 MR. TABATABAI: Yes. Yes, we are.
3 MEMBER BLEY: And it's helping in other 4 areas as well?
5 MR. TABATABAI: Yes, we are using that 6 approach.
7 MEMBER BLEY: Okay. Thank you.
8 MR. BETANCOURT: So, I think Chapter 14 is 9 actually using a safety-focused review as part of the 10 initial task plan. So, that's an area that they are 11 focusing the safety-focused review, as just one 12 example.
13 MR. BASTURESCU: Okay. So, moving on --
14 MR. HECHT: Can I ask a real trivial 15 question? What does the "A" stand for in the SFRA?
16 MR. BASTURESCU: Safety-focused review.
17 MR. TABATABAI: Oh, the "A", the approach.
18 (Laughter.)
19 MR. BETANCOURT: And I forgot to mention, 20 we have a lot of acronyms.
21 MEMBER BROWN: It was new.
22 MR. BETANCOURT: Yes. We have a lot of 23 acronyms in the slides. So, I'll point you to slides 24 20 and 21. It's a mapping of all of them. We will 25 try our best to clearly define the terms in each one NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
114 1 of the slides.
2 MR. BASTURESCU: Okay. On this slide, we 3 are presenting our Safety Evaluation Report, SER, on 4 the NuScale design, which is partly presented in Tier 5 2, Chapter 7.
6 In Tier 1, Sections 2.5 and 2.6, of the 7 DCD, in conjunction with Chapter 7, we evaluate --
8 MEMBER BROWN: Can I stop this for a 9 minute? I forgot something. If you don't mind? I 10 guess I go back to Luis.
11 MR. BETANCOURT: Okay.
12 MEMBER BROWN: You said there were no open 13 items. Yet, in --
14 MR. BETANCOURT: Specific to I&C, right.
15 MEMBER BROWN: I've got to go back and 16 find what I found a minute ago.
17 In 7.1.3.6, conclusions --
18 MR. BETANCOURT: 7 --
19 MEMBER BROWN: .1.3.6 of your SER, under 20 "redundant power sources within the module protection 21 system" --
22 MR. BETANCOURT: Yes.
23 MEMBER BROWN: -- you all commented that, 24 "Due to the open items in Section 7.1.5, 7.2.13, and 25 8.3, the NRC staff cannot reach a conclusion." That's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
115 1 in the version of the SER I have.
2 MR. BETANCOURT: Yes. And I actually 3 noted that before coming to the ACRS. That's cleanup 4 work that we have to do.
5 MEMBER BROWN: That's what?
6 MR. BETANCOURT: Cleanup work that we have 7 to do. That's an editorial --
8 MEMBER BLEY: It's editorial? It's not --
9 MR. BETANCOURT: Right. There's no open 10 items now in 715. So, that was something that --
11 MEMBER BROWN: Well, it says "7.2.13" 12 also.
13 MR. BETANCOURT: I can tell you right now 14 that's something that we need to fix internally in the 15 report.
16 Oh, we've got somebody over here.
17 MR. HALVERSON: Yes, Derek Halverson.
18 The 7.2.13 one just points to a Chapter 8 19 one as well. It's pointing out where --
20 MEMBER BROWN: And 7.8.3?
21 MR. HALVERSON: The 7.2.13 --
22 MEMBER BROWN: There's one in 8.3, Section 23 8.3 also, that statement. All I'm trying to do is 24 get --
25 MR. BETANCOURT: No, no, to answer your NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
116 1 question, Charlie, that was a missed oversight from 2 our part. That language should not be there. That's 3 the language that it was sent to Projects originally 4 back in January. So, that's something that we forgot 5 to clean up. And in reality, there should not be that 6 language in the --
7 MEMBER BLEY: So, it's editorial and not 8 technical?
9 MR. BETANCOURT: Right. Correct.
10 MR. TABATABAI: Right. I think at the 11 beginning Luis mentioned that between receiving 12 Revision 1, new revision -- they had finished their 13 SER based on Revision 0, and then, Revision 1 came in.
14 They confirmed all of the items were closed, but in 15 terms of updating the SE, we kind of fell behind, yes.
16 And we plan to clean that up for the full Committee in 17 September.
18 CHAIRMAN CORRADINI: Great, but the 19 sooner, the better. Otherwise, the old people that 20 are sometimes known as "members" will forget and ask 21 you the same thing all over again in September.
22 (Laughter.)
23 MR. BETANCOURT: Yes, understood. That's 24 something that we have to do.
25 MEMBER BROWN: Yes, another part of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
117 1 SER, I mean, like Section 3.1 also -- well, excuse me.
2 Under 7.2.3, it also identifies -- and it throws in 3 3.1 as well. So, there were some inconsistencies.
4 I'm not saying there's anything wrong. You're saying 5 they're all --
6 MR. BETANCOURT: It was because of the 7 timing when it was sent to Projects and when it went 8 to review. So, it's something that it was a missed 9 oversight on our part. We will clean it up before it 10 goes to the full Committee. That's an action that we 11 have to take.
12 MEMBER BROWN: Okay. Thank you.
13 MR. BASTURESCU: So, going back to in the 14 Tier 2 section, we validated the documents 15 incorporated by our IBRs, which were two Technical 16 Reports and one Topical Report. The Topical Report is 17 the Highly Integrated Protection System, the HIPS, 18 Platform, which is based on the fundamental design 19 principles, and included the 65 application specific 20 action items, ASAIs. All of these ASAIs were 21 addressed in Chapter 7 and evaluated by the staff 22 during our review of Chapter 7.
23 Besides Chapter 7, we also supported 24 evaluations in Chapters 9 and 14. Today we will be 25 focusing on Chapter 7, but we will be participating NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
118 1 during the review of those chapters.
2 In the exemption section --
3 MEMBER BLEY: Despite the wonderful list 4 of acronyms, I don't see "IRB" on your list.
5 MR. BASTURESCU: It's "incorporated by 6 reference".
7 MEMBER BROWN: Incorporated by reference.
8 MEMBER BLEY: Oh, okay. Thank you.
9 MR. BASTURESCU: We apologize for that.
10 So, yes, on the right side, we are showing 11 the exemptions, and those exemptions were the ones 12 that the staff looked at. The staff evaluated the 13 ATWS exemption, and the that you will find in Chapter 14 7 of the SER. And we will be discussing that in a 15 later slide. As for the three-mile exemption, that 16 one is documented in Chapter 8, SER.
17 Now moving on, unless there's any 18 questions?
19 (No response.)
20 Okay. So, this is the I&C architecture.
21 We saw this in the morning, and we are showing it as 22 an example, also, during the HIPS platform 23 presentation.
24 We have this figure. Also, we have it 25 loaded in Visio. So, we can zoom-in on any area NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
119 1 you're interested in looking at.
2 Besides the architecture, for NuScale, it 3 was the starting point of our review, and it was the 4 first thing we looked at and studied when we started 5 this project.
6 MEMBER BROWN: Okay. Before you leave 7 this --
8 MR. BASTURESCU: Yes?
9 MEMBER BROWN: And to echo back to the 10 discussions we had with NuScale, and if I can find 11 your page here fast enough, page 44 -- that's the 12 problem with not having paper in front of you. Here 13 we are. You made a statement in here where you said 14 that, "The unidirectional data diode," which you talk 15 about from the PCS and the MCS, you described it as a 16 unidirectional data diode "firewalled connection".
17 And I don't know why we're combining those two words.
18 "Firewalled" is a far more generic term, which would 19 imply that this can be -- that's not listed in Chapter 20 7. I couldn't find the word "firewalled" relative to 21 this anywhere in Chapter 7.
22 So, I'm just asking, do you know something 23 that we don't? Or that NuScale, that I didn't 24 communicate properly with them earlier relative to the 25 data diode characteristics of being hardware, not NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
120 1 software-configured? Not allowing the option to be 2 software-configured as part of the overall design?
3 That's listed in a couple of places, both for the 4 module control system and the plant control system, 5 data diodes. And the figure just says --
6 MEMBER BLEY: Charlie's earlier point was 7 we don't find anywhere in writing that requires that.
8 MEMBER BROWN: Yes, that it be hardware-9 based. But, in addition to that, you use the word 10 "firewalled" in the SER, which has a more generic 11 implication of being, sounding like something else 12 that would be software -- they can be software-13 controlled if you just talk about firewalls. I hate 14 to mouse-note this, but I don't want to leave any 15 contradiction in terms of where you think --
16 MR. BETANCOURT: No, no, I hear your 17 comment.
18 MEMBER BROWN: -- you stand relative to 19 the hardware-based --
20 MR. BETANCOURT: Right.
21 MEMBER BROWN: -- data diode approach as 22 opposed to any software-based.
23 MR. BETANCOURT: Right.
24 MEMBER BROWN: And I did do a data search 25 of the various vendors that make this stuff before I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
121 1 came here and found that there were units called "data 2 diodes," but, yet, had significant software in terms 3 of their configuration. There were other vendors that 4 had units that very specifically called out hardware-5 based and touted their hard-based design as opposed to 6 those that were software-based.
7 MR. BETANCOURT: Right. And I remember 8 the discussion that we had in the morning, that what 9 you heard in the morning is consistent --
10 MEMBER BROWN: We're still in the morning, 11 by the way.
12 MR. BETANCOURT: -- in the application.
13 (Laughter.)
14 Right. Well, yes.
15 MEMBER BROWN: I haven't gone to sleep 16 yet.
17 (Laughter.)
18 MR. BETANCOURT: Okay. Point taken.
19 To answer your question, yes, the 20 application does not specify whether this diode is 21 going to be software-configured or hardware-based, and 22 I can see why the confusion when you read the SER and 23 the word "firewall" attached to it. So, we need to 24 remove that because it's basically with what was 25 discussed in the morning. So, I can see what was the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
122 1 confusion that you had before.
2 MEMBER MARCH-LEUBA: I'm looking at the 3 SER, and it says, "unidirectional diode," comma --
4 MR. BETANCOURT: Yes.
5 MEMBER MARCH-LEUBA: -- "firewalled 6 connection".
7 MR. BETANCOURT: Yes, I have that over 8 here.
9 MEMBER MARCH-LEUBA: So, it implements a 10 firewall function with that hardware --
11 MR. BETANCOURT: Right, and I can see why 12 the confusion.
13 MEMBER BROWN: There's a comma in between 14 there, I'll agree with that. But, still, that just 15 means it just confuses it even more.
16 MEMBER MARCH-LEUBA: No, I mean, there is 17 a firewall function.
18 MEMBER BROWN: It's just "firewalled 19 connection".
20 CHAIRMAN CORRADINI: I think they get it.
21 MR. BETANCOURT: We got it. We will take 22 that comment.
23 MEMBER BROWN: Okay.
24 MEMBER BLEY: Are you going to correct it?
25 MR. BETANCOURT: Yes. Yes, by the full NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
123 1 Committee.
2 (Laughter.)
3 MEMBER BROWN: But you also ought to --
4 there's no definition of a data diode in Chapter 7.
5 There's no definition of a data diode as a hardware-6 based device in the SER.
7 MR. BETANCOURT: That's correct.
8 MEMBER BROWN: And I only suggest that 9 that appear. Whether Chapter 7 gets revised or not is 10 another issue, but I would suggest that that be very 11 explicit in any SER that you all issue, that that data 12 diode is a hardware-based data diode.
13 MR. BETANCOURT: I'll take that back since 14 right now the application does not contain that 15 wording. So, we need to do some discussion 16 internally.
17 MEMBER BROWN: We ought to have that 18 resolved.
19 MR. BETANCOURT: Right.
20 CHAIRMAN CORRADINI: So, that's one 21 member.
22 MEMBER BROWN: Oh, absolutely, I'm one 23 member.
24 CHAIRMAN CORRADINI: But I do think 25 there's a high probability event that, if it isn't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
124 1 clarified, you might see a letter report that --
2 MR. BETANCOURT: That has that comment.
3 I understand. I understand that.
4 CHAIRMAN CORRADINI: -- that says it 5 should be clarified.
6 MR. BETANCOURT: I understand that. Okay.
7 CHAIRMAN CORRADINI: Okay. Fine. Let's 8 move on.
9 MR. BASTURESCU: So, here we're going to 10 be looking at the safety classifications. The safety 11 classifications have been determined by NuScale and 12 reviewed by the staff for Chapters 15, 17, and 19, and 13 they are documented in Chapter 3.
14 We have had interactions with staff on 15 these chapters in order to validate these 16 classifications. With the incorporation of risk 17 insights, I&C systems may be classified as safety-18 related/risk-significant, which is A1; safety-19 related/non-risk-significant, which is A2; non-safety-20 related/risk-significant, B1, and non-safety-21 related/non-risk-significant, B2.
22 In keeping with the safety-focused review 23 project direction, the staff primarily focused on 24 evaluations of the A1 systems, that is, the module 25 protection system and the neutron-monitoring system, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
125 1 the MPS and the NMS. There were no I&C systems for 2 the A2 or B1 classifications.
3 The scope of our review for the B2 systems 4 was to verify --
5 MEMBER BLEY: And when you determined 6 that, did you base that, A2, did you base that 7 determination on the PRA or something else? And if 8 you didn't base it on the PRA, how do you know there 9 are no risk-important/not-safety-related systems?
10 MR. BETANCOURT: So, I guess this goes 11 back to the table that you were mentioning at the 12 beginning of the discussion. Before the presentation, 13 NuScale provided a high-level -- these are all the 14 functions that we planned to actually send to the 15 staff. So, we went through that at that time. When 16 we received the application --
17 MEMBER BLEY: Kind of based on looking at 18 their list and your judgment that it was reasonable?
19 MR. BETANCOURT: Correct. So, we actually 20 went back to the --
21 MEMBER BLEY: But no comparison to the 22 PRA, to safety? Did any of these things crop up as 23 risk --
24 MR. BETANCOURT: So, that's where our 25 interface with the PRA --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
126 1 MEMBER BLEY: I didn't hear.
2 MR. BETANCOURT: That's where our 3 interface with the PRA group actually came in. So, we 4 actually went and talked to the DRAP people.
5 MEMBER BLEY: Okay.
6 MR. BETANCOURT: We also went to the 7 Chapter 15 analysis to verify that there's no function 8 that will be classified under A2. So, what we 9 confirmed is that --
10 MEMBER BLEY: Should have picked up 11 anything in the PRA.
12 MR. BETANCOURT: Correct.
13 MR. ASHCRAFT: Yes, this is Joe Ashcraft 14 from the staff.
15 In Chapter 17, I think it's Table 17-4 16 that lists the conclusions based on NuScale's input 17 and the PRA.
18 MEMBER BLEY: We'll look for that. We 19 haven't seen that yet.
20 MR. ASHCRAFT: I understand.
21 MR. BETANCOURT: Oh, there is a question 22 here.
23 MR. HECHT: It's Myron Hecht.
24 On one of the RAIs, there was a mention of 25 an MHS, which is a module heating system. And I don't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
127 1 see it on this list, and I had not heard of it before.
2 It was pretty well-explained in the answer, but are 3 there other systems which don't appear on this list, 4 and why not?
5 MR. BETANCOURT: So, these are the only 6 I&C specific that appear in the architecture. The MHS 7 should appear in 17.4, for these are the only I&C 8 specific systems that were under review.
9 MR. HECHT: I see. So, the MHS is more 10 like an actuator system? So, it's not really an I&C 11 system?
12 MR. BETANCOURT: Yes. Yes.
13 MR. HECHT: Okay.
14 MEMBER BROWN: What does it heat?
15 MEMBER SKILLMAN: It is the module heating 16 system that is an auxiliary system that is used to 17 start the plant by injecting heat through the CVCS 18 from 0 to 15 percent power. So, it is basically a 19 thermal hydraulic bootstrap when there is no residual 20 decay heat being produced. It's in Chapter 9, but 21 it's very obscure. But it is buried down in Chapter 22 7, you're right. I went digging after this because I 23 said, what is that? But it's not an I&C system. It's 24 a plumbing system. It's an aux boiler system, one 25 each for six modules apiece, is what it is.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
128 1 MEMBER BROWN: Okay. Since I'm not this 2 plant understanding, it's a method to prevent the 3 plant from getting too cold or is it to allow you to 4 start up, to start up heating?
5 MEMBER SKILLMAN: It can be helpful on 6 shutdown.
7 MEMBER BROWN: But is it with power? I 8 mean, the reactor is critical or is this without --
9 this is independent boiler steam circulation?
10 MEMBER SKILLMAN: You can have a cold, 11 brand-new, fresh core, no decay heat.
12 MEMBER BROWN: Okay.
13 MEMBER SKILLMAN: And if you wish to start 14 the system, you use a module heating system with heat 15 from the auxiliary boilers.
16 MR. ARNHOLT: Brian Arnholt with NuScale.
17 I would just offer, because NuScale is a 18 natural circulation plant, you don't have heat input 19 from the active reactor coolant pumps when you start 20 the plant up. So, the module heating system provides 21 you that source of heat to initiate and maintain 22 natural circulation until you begin nuclear heating 23 and you start the reactor up.
24 I hope that helps.
25 MEMBER BROWN: Well, it does. Thank you.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
129 1 I think I even read that. I just forgot it.
2 (Laughter.)
3 MEMBER KIRCHNER: Just for clarity, the 4 CVCS system is part of the module control system?
5 MEMBER BROWN: The module heatup system, 6 you mean?
7 MEMBER SKILLMAN: It just delivers the hot 8 water.
9 MEMBER KIRCHNER: So, where does it 10 reside?
11 MR. TANEJA: CVCS is a plant system, 12 right? It's a plant system for that nuclear module.
13 The I&C systems are -- MCS, module control system, 14 controls CVCS functions.
15 MEMBER KIRCHNER: No, I understand all 16 that.
17 MR. TANEJA: Okay. Right. But it's a 18 plant system. So, here we are just focusing on what 19 the I&C architecture and the I&C systems are.
20 MR. HECHT: I guess the confusion is 21 because the second "C" in CVCS is "control" and the 22 second "C" in I&C, or the first "C" in I&C is 23 "control".
24 (Laughter.)
25 MR. TANEJA: I can see that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
130 1 MEMBER KIRCHNER: I'm not really confused.
2 The CVCS system is part of the module control system 3 or? Where is the actual instrumentation and control 4 reside?
5 MR. ARNHOLT: This is Brian Arnholt again.
6 CVCS, the control of CVCS is one of those 7 module-specific, non-safety-related control systems.
8 The module heating system is a common plant system, 9 but it interfaces through the CVCS heat exchange.
10 MEMBER KIRCHNER: That's the way you get 11 it into the vessel, yes. Thank you.
12 MR. BASTURESCU: So, back to B2 systems.
13 The scope of our review for the B2 systems was to 14 verify that it met the pertinent regulatory 15 requirements and to evaluate for any adverse impact to 16 safety functions or placing the plant in an unanalyzed 17 state.
18 Even though the plant protection system, 19 PPS, and safety display and indication system, SDIS, 20 are B2 systems, they both require an augmented level 21 of quality. The PPS provides monitoring and control 22 plant systems. They are common throughout the 12 23 nuclear NuScale power modules. Specifically, the PPS 24 provide automatic actuation functions for the control 25 and habitability system and the normal control in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
131 1 heating and ventilation and air conditioning system; 2 and also, for the spent fuel pool and reactor pool 3 level indication. The SDIS provides accurate, 4 complete, and timely information pertinent to the MPS 5 and PPS status and information displays.
6 So now, we're moving to the portion of our 7 presentation where we are going to focus on the I&C 8 safety design principles. The first safety design 9 principle is independence. And the four areas of 10 independence we reviewed was physical, electrical, 11 communications, and functional.
12 The physical independence. For physical 13 independence, the staff found that the equipment 14 associated with the module protection system, MPS, and 15 heat monitoring system are located in separate 16 seismically-qualified equipment rooms, and cabling is 17 routed in physical separate cable trays in risers.
18 For electrical independence, the staff 19 found that the electrical isolation between the 20 safety-related MPS and associated non-safety-related 21 systems is provided by galvanic isolation between the 22 non-safety-related sensor inputs to the MPS, transmit-23 only and receive-only fiber optic boards, DC-to-DC in 24 galvanic isolation at the hardwired modules, and 25 isolation device in the electrical power supply.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
132 1 MEMBER SKILLMAN: What do you mean by 2 "galvanic isolation"?
3 MEMBER BROWN: They're electrically 4 isolated by fiber optics. There's no electrical 5 connection. Galvanic.
6 MEMBER BLEY: I think, typically -- you 7 guys can correct me on this -- you want the ground 8 systems not to be common.
9 MEMBER BROWN: I think what they're 10 talking about galvanic, there's not an electrical 11 connection between an input and an output.
12 MR. BETANCOURT: It's what was called an 13 isolation amplifier.
14 MEMBER BROWN: Yes. So, you so isolate 15 it.
16 MR. BETANCOURT: But it is for the power 17 line. This is a power line.
18 MEMBER BLEY: This is power?
19 MR. BETANCOURT: This is power. And this 20 already followed the scope of the HIPS Topical Report.
21 All of these features were already addressed during 22 that review. So, the reason that we review over here, 23 how was that implemented throughout the whole 24 architecture?
25 MEMBER BROWN: It was kind of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
133 1 electrical independence between divisions -- or 2 between segments, I mean, excuse me, separation groups 3 and --
4 MR. BETANCOURT: And communications.
5 MEMBER BROWN: -- the communications to 6 other functions like the NIB and maintenance 7 workstation, and a few things like that, as well as 8 the MCS and PCS.
9 MR. TANEJA: Like the module control 10 system component-level controls are interfaced with 11 the module protection system using hardwired 12 connections, and they are isolated using these 13 isolation devices to provide electrical isolation 14 between the module control system and the protection 15 system. So, any faults that may occur on the non-16 safety side of it does not promulgate into the safety 17 side. And that's the isolation device that provides 18 that capability.
19 MEMBER BROWN: Thank you.
20 MR. BASTURESCU: The communications 21 independence. As part of our evaluation, the staff 22 found that, to the exception of divisional voting, 23 that the communications within the MPS separation 24 group is independent and does not rely on 25 communication from outside the respective separation NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
134 1 group or division to perform a safety function.
2 For voting purposes, the communication 3 uses a point-to-point fiber optics between the 4 scheduling and bypass modules and the scheduling and 5 voting modules. There are no digital communications 6 from the non-safety-related to the safety-related 7 side.
8 Independence of module control system 9 interfaces with the MPS for performing manual 10 component-level controls is achieved via Class 1E 11 isolation devices.
12 MEMBER BROWN: But that's, again, with 13 this enable switch.
14 MR. BETANCOURT: Right.
15 MR. BASTURESCU: Yes.
16 MEMBER BROWN: So, I mean, literally, 17 that's a hardwired -- bypassed into the APLs.
18 MR. BASTURESCU: Right. That's basically 19 it.
20 MR. HECHT: Can I ask a question with 21 respect to the communication independence? You have 22 three safety data buses, all of which are controlled 23 by communications modules which are called bus 24 masters. And the bus master is working based on a 25 construct, a logical construct, called a finite state NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
135 1 machine for communications. And we don't have any 2 information about how that is implemented and we don't 3 have any information about the different FPGA 4 technologies that would be used to implement it.
5 How are you sure that a bus master on one 6 of the safety buses which is connected to all of the 7 functional modules might not take them all down 8 because of some kind of jabbering? And I understand 9 there are three separate safety data buses, but one of 10 those safety data buses might start basically 11 launching a denial-of-service attack, not intentional, 12 but unintentional, whereby it takes down all of those 13 SFMs.
14 MR. TANEJA: So, Myron, what you're 15 looking at is one separation group. So, this is a 16 tripper module redundant architecture, the TMR 17 architecture. What this offers is added dependability 18 and reliability.
19 From the safety perspective, I can lose 20 this whole separation group A and still be able to 21 perform my safety function, because within the 22 separation group I have added redundancy offered to 23 provide additional, I guess reliability benefit and 24 operational benefit. So, I am not prone to -- it's a 25 more fault tolerant system, in other words.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
136 1 So, even though I think we looked at that 2 in detail when we looked at the Topical Report on how 3 these FPGAs were configured for these communication 4 protocols, but having three different buses, what it 5 allows me to do is I can lose communication to one of 6 the safety buses. I just need the other two to be 7 functional to still maintain my function. So, it just 8 gives me a lot more fault tolerant capabilities.
9 That's what it does, you know.
10 MR. HECHT: I guess my question really 11 isn't on the safety buses. It's what the safety buses 12 can do to the SFMs.
13 MR. TANEJA: That's okay. I mean, I could 14 lose this whole separation group, but it does not have 15 any adverse impact on the independent separation 16 groups that are running independent of this.
17 MR. HECHT: So, basically, you're relying 18 on the fact that you have replication of four 19 separation groups and you basically believe that there 20 is no circumstance in which there could be a common 21 failure across all those separation groups?
22 MR. TANEJA: Right, right.
23 MR. HECHT: Yet, you don't have any 24 details on the implementation of the bus masters?
25 MR. TANEJA: Like I said, during the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
137 1 Topical Report for the HIPS platform, we went into 2 that detail review --
3 MR. HECHT: Well, it didn't say anything 4 there, either, because that was supposed to be one of 5 those application-specific items, and it doesn't seem 6 to be occurring now. So, when would it be addressed?
7 MR. BETANCOURT: So, which ASAI are you 8 talking about?
9 MR. HECHT: I don't remember which one.
10 MR. BETANCOURT: Okay.
11 MR. HECHT: But the point is that --
12 MR. TANEJA: Let me understand the concern 13 here. Are we worried about having a failure due to 14 the bus master malfunction?
15 MR. HECHT: Some logical error --
16 MR. TANEJA: Right.
17 MR. HECHT: -- in the bus master which 18 could happen across multiple separation groups.
19 MR. TANEJA: We don't have any sharing 20 between multiple separation groups.
21 MR. HECHT: No, it's a common design, 22 right?
23 MR. TANEJA: No. We have diversity in the 24 technology also, right? We have two separation groups 25 using one FPGA technology, and the other two NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
138 1 separation groups using a different FPGA technology.
2 So, that right there is the level of diversity that 3 offers -- so, I could lose those two with the same 4 FPGA technology, those two separation groups. We have 5 a slide that will show you how the failures of 6 multiple separation groups can still offer us with the 7 success of achieving a safety function.
8 MR. HECHT: So, for example, one might be 9 using -- I forgot what they call it -- that flash 10 technology --
11 MR. TANEJA: Right.
12 MR. HECHT: -- and the other one might be 13 using some kind of fusing technology?
14 MR. TANEJA: Right.
15 MR. HECHT: But underlying both of those 16 is common VHDL, right?
17 MR. TANEJA: Well, it's different 18 toolsets.
19 MR. HECHT: But the VHDL itself could --
20 the error might have been manifested there. So, the 21 question that I would have is, I mean, there are ways 22 of dealing with that through QA and through whatever 23 design constraints you're putting on, but that's not 24 specified here in the application, as far as I can 25 tell, or in the report.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
139 1 MR. TANEJA: The software QA process is 2 laid out in the application. So, there is a very 3 rigorous development process that requires to be 4 followed in developing these platforms. So, there is 5 an Appendix B which dictates the overall quality 6 assurance program. And then, there's a specific 7 software QA assurance manual that dictates development 8 of the module protection system design. So, it's 9 essentially a controlled process in developing the 10 whole thing all the way down to site acceptance 11 testing. Not only just factory acceptance testing, it 12 takes it down to the site acceptance testing.
13 MR. HECHT: Testing will take you so far, 14 but --
15 MR. TANEJA: No, I'm just talking about, 16 it's a managed process that starts with your 17 conceptual design to intermediate design, to detailed 18 design, to integration, to module testing, you know, 19 the little software design module testing.
20 The only thing that I can offer is that, 21 when we were looking at the HIPS platform, we had the 22 opportunity to actually participate in the -- the 23 vendor built a prototype. We had an opportunity to 24 participate in the factory acceptance testing of the 25 prototype. Okay?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
140 1 Now that prototype did not, you know, it 2 was not built following this QA process that they are 3 required to follow for the NuScale design. But that 4 prototype, during the test, there were 17 --
5 MR. BETANCOURT: That may be proprietary.
6 MR. TANEJA: No, I don't think I'm saying 7 anything proprietary.
8 There was a number of multiple failures 9 that occurred before I lost the function within one 10 chassis. Okay? I'm not talking separation --
11 MEMBER BLEY: We have closed session 12 scheduled.
13 MR. TANEJA: Right, but I'm just -- this 14 is a generic statement. There were multiple failures 15 within a controller before I could lose that function 16 capability. So, it's just built in, level of 17 diversity that's built into it. And then, there is 18 this rigorous development life cycle activity that has 19 to occur for developing the actual platform.
20 MEMBER BLEY: I think everybody has that, 21 but it seemed to me Myron was suggesting a failure or 22 error mode that could create situations we haven't 23 thought about. Is that right?
24 MR. HECHT: Right. Well, where I was 25 hoping to get to is that there would be a formal NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
141 1 specification of those finite state machines or 2 communication engines, and that those would be proven 3 as part of the development process. And I didn't hear 4 that being stated here. I'm just wondering why.
5 MR. BETANCOURT: I would prefer to talk 6 about that in the closed session since --
7 MR. TANEJA: So, the state diagrams were 8 laid out in the HIPS Topical Report, right? So, those 9 state diagrams are there. Those are finite state 10 diagrams; they were there. Now, like I said, that was 11 the details on the platform.
12 Now the actual development that occurs for 13 the NuScale equipment development, it has to follow a 14 formal development process, meaning that you do do 15 intermediate verification and validation. And one of 16 the key parameters that goes into that QA program is 17 independent V&V that has to occur at the end of each 18 life cycle activity. Okay?
19 MR. HECHT: It all starts fundamentally 20 from having --
21 MR. TANEJA: Exactly.
22 MR. HECHT: -- a sound --
23 MR. TANEJA: Requirement spec. Right.
24 Yes.
25 MR. HECHT: So, I was trying to deal with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
142 1 it from that aspect again, but maybe I'm taking up too 2 much time of the Committee, unless there's other 3 interest.
4 MR. TANEJA: Maybe NuScale can offer some 5 more insight into that.
6 MEMBER BROWN: Let me back us out of that, 7 if you would, for a minute. Okay?
8 MR. TANEJA: Okay.
9 MEMBER BROWN: I remember having some of 10 this discussion back in the HIPS process. And I'm 11 going to be generic relative to this. I'm trying to 12 look at this relative to the thought process.
13 Within a separation group, the safety data 14 buses don't communicate between separation groups, No.
15 1.
16 MR. BETANCOURT: That's correct.
17 MEMBER BROWN: So, if you had a safety 18 data bus with a bus master controlling it, blowing up 19 one of the separation groups, that would not be a 20 problem. And the only place we have an interaction 21 between separation groups is right there, and that is 22 not a bus master. It's a digital --
23 MR. BETANCOURT: It's a point-to-point --
24 MEMBER BROWN: It's a point-to-point --
25 MR. BETANCOURT: Fiber optic --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
143 1 MEMBER BROWN: -- up/down, 1/0, whatever 2 you want to call it, to the voting unit processor 3 within the SVM.
4 MR. BETANCOURT: Correct.
5 MEMBER BROWN: So, I'm not trying to 6 hammer my consultant here. Okay?
7 (Laughter.)
8 I'm trying to get a better understanding 9 of why a specific problem with the state machine, or 10 whatever they're called, since I have no idea what 11 anybody is talking about when you do that, compromises 12 this when you have that much separation or that much 13 electrical -- that much independence between each 14 separation group and any connection between separation 15 groups is isolated to a 1/0-type, on/off signal, not 16 a serial data link which is connected to a safety data 17 bus.
18 MR. BETANCOURT: That's correct.
19 MR. HECHT: Do you want me to answer that?
20 MEMBER BROWN: You can try.
21 MR. HECHT: Okay.
22 MEMBER BROWN: As long as it's short.
23 CHAIRMAN CORRADINI: Yes, I was going to 24 say --
25 MEMBER BROWN: And as long as I understand NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
144 1 it.
2 CHAIRMAN CORRADINI: -- you guys are way 3 beyond stuff that I understand, but I do understand 4 time. I do want to make sure we get through their 5 presentation before lunch.
6 MEMBER BROWN: Myron?
7 MR. HECHT: All right. With the 8 Chairman's permission, it's similar argument that you 9 would make with software common-cause failures. And 10 you could argue that you have all this isolation 11 between separate processes on separate channels, and 12 there can be several problems that can occur in the 13 algorithms of those bus masters. I don't think 14 they're simple. I don't remember seeing state 15 machines that -- or that completely describe the bus 16 master performance. And given the fact that all 17 divisions are receiving the same signals in roughly 18 the same sequence, there's just --
19 MEMBER BROWN: All separation groups.
20 MR. HECHT: Yes.
21 MEMBER BROWN: But they're not.
22 MR. HECHT: What? All separation groups.
23 MEMBER BROWN: They're separate.
24 MR. HECHT: Yes.
25 MEMBER BROWN: That's why I'm having a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
145 1 hard time understanding.
2 MR. HECHT: Well, if you don't believe 3 that it's credible that the separation groups are 4 getting the same signals that could cause common 5 problems, then --
6 MEMBER BROWN: But they're not getting the 7 same signals. There's no connection of the safety 8 data buses between separation groups.
9 MR. HECHT: But from the plant.
10 MEMBER BROWN: The only place you've got 11 plant input is the detectors themselves. They've got 12 independent sensors going to each one of the SFMs.
13 MR. TANEJA: They're not sharing anything.
14 I mean, that's really the review, our review, on 15 independence, was focusing on just those things that 16 Charlie is highlighting. The independence is at the 17 input level. Independence is in the cross-18 communication between the separation groups.
19 Independence is at the EIM level, where it's really 20 controlling the component. So, really, we are not 21 doing any crosstalking other than the voting. That's 22 the only crosstalking that's happening.
23 MEMBER BROWN: And that's not a data bus 24 issue.
25 MR. TANEJA: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
146 1 MEMBER BROWN: That's the way I walked 2 away from the HIPS meeting at the high level.
3 MR. TANEJA: That's a correct 4 understanding that you have.
5 MR. HECHT: I think that that's true, but 6 I guess the point is that the SFMs could react the 7 same way to the plant inputs that they're getting.
8 MEMBER BLEY: Because of the logic inside 9 them.
10 MR. HECHT: Yes.
11 MR. AYALA: Not necessarily. Because each 12 SFM is different from each other. So, it's as if it 13 has its own function. They don't share the same 14 functions.
15 MR. TANEJA: So, I'll offer another 16 solution to this thing. Okay? We were convinced, 17 looking at the design, because of the divorced FPGA 18 technology, that the potential for a common-cause 19 failure of all four separation groups was reasonably 20 -- reasonably -- low. Okay?
21 Now there is that "What if?" Right? So, 22 we asked that question to ourselves, "What if the hell 23 breaks loose and all four of them go crazy?" So, we 24 have these manual system level actuations. Looking at 25 the physics of the NuScale modules, they're very, very NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
147 1 slow transients. And you've got basically system-2 level actuation. You can trip the plant; you can 3 initiate the DHRS; you can initiate the ECCS totally 4 independent of the digital logic. They come in at the 5 APL, and you can take care of that.
6 You know, you don't have to worry about 7 any of these things working. I mean, that's the 8 beauty of this whole plant that buys you that 9 additional confidence that, you know, hey, manual 10 actions are there as a defense-in-depth mechanism.
11 They are always there for me.
12 But, you know, just staying focused on 13 safety, we were okay with that.
14 MR. TABATABAI: I just want to clarify, 15 when he says "beauty of this plant," he means I&C 16 systems.
17 (Laughter.)
18 CHAIRMAN CORRADINI: I think we've got all 19 sides of the argument. Can we move on?
20 MEMBER BROWN: Yes, we can move on.
21 MEMBER BLEY: Well, almost. This is real 22 short. I want to take us back to the galvanic 23 isolation.
24 I'm remembering back to the sixties where 25 this first came up as an issue. And what it really NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
148 1 means -- I went back and double-checked a couple of 2 things -- is, as somebody said, no copper connection 3 between different electrical segments. We used to 4 think we had separation if we had the batteries all 5 separate, but, then, we had common grounds coming 6 back. And we got ground loops and we got all kind of 7 crap. So, it means no copper connections between 8 them. It can be any other kind of connection, 9 inductance, capacitance, light pipes, whatever, but no 10 copper anywhere.
11 MEMBER BROWN: That's the way I read the 12 ISO that we've got. They are electrically isolated 13 because it's converted to an optical signal that goes 14 from point A to point B.
15 MEMBER BLEY: And that problem was really 16 a ground problem once upon a time.
17 MEMBER BROWN: Yes. Well, you can -- I 18 hate to say this -- but if you have ground loops in 19 your power supplies, if you do that particularly with 20 auctioneered stuff, you can create huge problems.
21 MEMBER BLEY: Very interesting situations, 22 too.
23 MEMBER BROWN: I mean, still situations 24 you have to deal with in the design. Changing a wire 25 from No. 12 to No. 4 bus bar can remove your common-NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
149 1 cause, your common-mode failures relative to little 2 signals running along --
3 MEMBER BLEY: If you have copper 4 connections.
5 MEMBER BROWN: If you have copper 6 connections.
7 CHAIRMAN CORRADINI: We'll talk about this 8 over lunch. Let's go.
9 (Laughter.)
10 MR. BASTURESCU: So, the second design 11 principle we look at is redundancy.
12 MEMBER BROWN: We've got plenty of time.
13 (Laughter.)
14 We've got all day, Mike.
15 MR. BASTURESCU: This slide, this is the 16 review of redundancy, which is commonly used in safety 17 systems to achieve system reliability, goals, and 18 conformity with a single failure criterion.
19 The HIPS platform is based on a triple 20 module redundant architecture that provides for high 21 reliable and full design, such as use of three safety 22 buses, three voting modules, three bypass and schedule 23 modules within a separation group and a division.
24 Use of redundant equipment interface 25 modules for key safety application allows protection NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
150 1 against spurious actuations, fault tolerance, online 2 testability, and supports self-diagnostics. Also, the 3 PPS and the SDIS consist of two independent and 4 redundant divisions.
5 MEMBER BROWN: Go ahead.
6 MR. BASTURESCU: The predictability and 7 repeatability. This is the third I&C design principle 8 we'll look at. Predictable and repeatable system 9 behavior refers to a system that will produce the same 10 output for a given set of inputs, input signals, 11 within well-defined response time limits, to allow 12 timely completion of actions.
13 The staff found that the MPS is designed 14 to complete the reactor trip system and engineering 15 safety feature actuation system function in less than 16 or equal to one second, which satisfies the allocated 17 time in the safety analysis of one second for these 18 functions. And this is done in a predictable and a 19 repeatable manner.
20 And if there's no other questions, I will 21 turn it now over to Dawnmathews.
22 MR. KALATHIVEETTIL: Thank you, Sergiu.
23 Good morning, everyone. My name is 24 Dawnmathews Kalathiveettil, and I will be resuming our 25 presentation by diving straight into diversity and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
151 1 defense-in-depth, or D3, as we like to call it in the 2 I&C community.
3 So, the figure that you see in front of 4 you is basically the module protection system, or MPS, 5 design. As you can see, the MPS is made up of two 6 separation groups for each division, and in total, 7 there are four separation groups for the entire 8 design. Division 1 is the yellow color, while 9 division 2 is shown in red, so that it's easier to 10 understand.
11 Let's start off with the inputs to the 12 MPS. As you can see, on top, there's PTL, et cetera.
13 That's the pressure-temperature level sensors. As you 14 can see, these sensors come into the input submodule 15 versus the signal condition A, B, C, et cetera. And 16 they are additional sensors. They're analog sensors.
17 But, for the purpose of D3 assessment, our focus on 18 the sensors was mainly towards the digital-based 19 sensors, and the ones that actually have safety 20 functions related to it, and which could actually be 21 affected by additional base common-cause failure.
22 These were identified to be the digital-23 base level pressure and flow sensors. However, the 24 coping analysis demonstrated that, even if these 25 additional sensors did have additional common-cause NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
152 1 failure, the plant can cope up with it.
2 To discuss the actual MPS, the FPGA 3 portion of the safety function module, the 4 communication module, and the equipment interface 5 module are the only portions of the MPS that could be 6 affected by additional common-cause failure. Hence, 7 the MPS uses two diverse FPG architectures, like I 8 said, in order to achieve this equipment diversity.
9 So, if division 1 is made up of one type 10 of FPGAs, then division 2 would be made up of another 11 kind. And the whole idea is that the same digital 12 common-cause failure cannot simultaneously take out 13 both divisions, and at least one division would be 14 available to complete the required safety functions.
15 MEMBER BROWN: To be clear, the divisions 16 are the bottom line, and the separation groups are the 17 top line?
18 MR. KALATHIVEETTIL: Exactly. So, when it 19 comes to the division level, what you see is the ESFAS 20 and the RTS; whereas, in the separation group, you 21 actually see it come through A, B, C, and D.
22 So, in addition to the equipment diversity 23 that I just discussed, the diverse FPGA technologies 24 also result in an associated level of design 25 diversity, since FPGA vendors use different NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
153 1 development tools to provide the final configured 2 FPGAs. These tools have inherent diversity due to the 3 FPG architectures and the programming methods which 4 are used.
5 The MPS also provides functional diversity 6 for the use of protection logic on the safety function 7 module, which Luis was trying to mention earlier. So, 8 the way that they are, there are different functions 9 associated with different safety function modules.
10 So, the actual logic in that would be slightly 11 different, which adds to more functional diversity.
12 MEMBER SKILLMAN: Dawnmathews, may I ask 13 this question, please?
14 MR. KALATHIVEETTIL: Sure.
15 MEMBER SKILLMAN: How will a technician 16 know the difference between an FPGA of one 17 architecture versus an FPGA of a different 18 architecture?
19 MR. BETANCOURT: As part of the 20 identification requirement, they're supposed to be 21 labeled in that throughout the plant either by 22 markings or colors. So, that's how a technician will 23 know what FPGA technology will be present in whatever 24 division.
25 MEMBER SKILLMAN: That sounds great. So, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
154 1 I'm a technician, and I put two of them in my pocket 2 and I walk around for two afternoons. Then, I pull 3 them out of my pocket and I say, "Oh-oh, what do I do 4 with these?" How do I know which one goes where?
5 MR. BETANCOURT: We actually asked that 6 question regarding, let's say, for example, that you 7 have an SFM that pertains to separation group A, and 8 by mistake, you want to put that into separation group 9 B. So, the platform has these self-testing features 10 that will be identify whether or not you're putting 11 the wrong module to other cabinets. So, it will tell 12 the operator, in that case an alarm, that you're 13 putting the wrong SFM to whatever cabinet.
14 MEMBER SKILLMAN: Thank you. Thank you.
15 MEMBER BLEY: It will fit? Physically, it 16 will fit? It's just you need the test --
17 MR. BETANCOURT: Correct.
18 MR. TANEJA: Also, physically, there are 19 some modules that are designed to a -- there's a 20 special key that won't let you plug them in.
21 MEMBER BLEY: That's really convincing if 22 we --
23 MR. TANEJA: Yes.
24 MR. ARNHOLT: Brian Arnholt with NuScale 25 Power.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
155 1 What Luis said is correct, but, also, if 2 you get to Corvallis and you look at the prototype, we 3 can actually demonstrate it. But the cards, each card 4 is physically keyed so that you cannot physically 5 insert the one card in the wrong slot.
6 MEMBER SKILLMAN: Thank you.
7 MR. KALATHIVEETTIL: All right. So, the 8 table here tries to explain the effects of additional 9 base common-cause failure on the MPSes in diversity.
10 There are three events which are shown in the table.
11 A green tic basically implies that the particular 12 module is available to do its function, while the 13 cross just says that it's not available.
14 All right. So, let's look at event one, 15 where the scenario is that you have a transient or a 16 design basis event happening, but there is no common-17 cause failure. In that situation, you have the 18 modules of all four separation groups available to 19 perform their function. Event two is a situation 20 where you have a transient or design basis event 21 concurrent with an additional base common-cause 22 failure.
23 And what is happening here is we are 24 assuming that there is functional diversity of the SFM 25 in addition to the equipment diversity. So, this is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
156 1 only affecting the SFM in separation group A and C.
2 As you can see, the communication module and the 3 equipment interface modules of A and C, along with 4 both B and D, are available to do their function.
5 And the final scenario is one where, once 6 again, you have the common-cause failure, but in this 7 case, for whatever reason, the entire separation group 8 A and C modules are gone. So, the reason is that we 9 are only considering equipment diversity, no more 10 functional diversity. The particular kind of FPGA 11 which is available in division 1 has been taken out, 12 but you still have all the modules and the different 13 type of FPGA in division 2 available to do the safety 14 functions.
15 And just to add, in addition to this, like 16 Dinesh mentioned earlier, you have the diverse system-17 level manual actuations which actually bypass the MPS 18 logic. And so, if needed, that adds an additional 19 level of diversity and defense-in-depth.
20 Next slide.
21 All right. So, simplicity has been a 22 focus of NuScale design, and NuScale has been able to 23 incorporate the fundamental design principles into its 24 I&C architecture and the systems while adhering to 25 simplicity.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
157 1 This is very evident since the design uses 2 simple reactor trip systems and ESFAS functions.
3 There are no closed or open loops, and all safety-4 related functions are de-energized to actuate. In 5 other words, the safety-related functions happen by 6 the removal of electrical power.
7 MEMBER BLEY: I really liked this part.
8 We wanted this to be one of the principles, but in 9 many applications it's just not feasible, given the 10 kind of systems people are buying. This is an 11 excellent characteristic of this system.
12 MEMBER BROWN: It's a very subjective one, 13 but it's also important.
14 MEMBER BLEY: It's subjective, but, boy, 15 when you look at problems that crop up, you eliminate 16 -- and the ability to review and understand and test 17 -- you eliminate a lot of potential situations by 18 having simplicity.
19 MR. KALATHIVEETTIL: All right. So, until 20 now, we've talked quite a bit about the safety side of 21 the NuScale design. On the non-safety side, the 22 module control system and the plant control system are 23 segmented to ensure that a failure of these non-safety 24 systems does not adversely affect the MPS.
25 MEMBER BROWN: Okay. You can stop right NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
158 1 there, please.
2 MR. KALATHIVEETTIL: Okay.
3 MEMBER BROWN: I have a hard time 4 understanding this. Since the MPS is separate, not 5 communicated with, why does segmentation of the MPS 6 and/or PCS affect the operation of the MPS if it's not 7 segmented? I mean, that's a unidirectional -- if you 8 look at your diagram, it's unidirectional and there's 9 no feedback. The only feedback you ever get to is 10 when you operate the enable safety control switch, 11 where you can take manual control, which applies only 12 getting into the APL or the actuation and priority 13 logic.
14 MR. TANEJA: So, let me try to answer 15 that, Charlie.
16 MEMBER BROWN: You're going to have to try 17 real hard.
18 (Laughter.)
19 MR. TANEJA: I'll give you a good example.
20 See, when the safety analyses are performed in Chapter 21 15, there are certain failures assumed. Loss of 22 feedwater, for example, would be one failure, right, 23 or turbine trip or turbine bypass values. So, those 24 are the different design basis events that are 25 postulated to see if the plant transient can deal with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
159 1 that, right?
2 So, with the module control system, what 3 we were looking for was could you have multiple 4 failures or spurious failures on the module, you know, 5 on the balance-of-plant side that can challenge safety 6 from the thermal hydraulic point of view, not the 7 electrical interfaces or not actuating equipment, but 8 the impact on the thermal hydraulic of the plant. And 9 that is really the concern here.
10 And I think, like NuScale presented this 11 morning, that there were these five goals that they 12 were trying to achieve from the segmentation, which 13 was essentially looking at an impact to the 14 reactivity, release of radiation. So, these were 15 safety of the plant. So, they had to basically assign 16 function to different segments, so they don't have a 17 common-cause failure that they cut multiple functions 18 and result in one of those unsafe conditions.
19 MEMBER BROWN: Yes, but that's a plant 20 safety issue, not a response of the module protection 21 system issue.
22 MR. TANEJA: It is a module protection 23 system issue if you don't do it right. If you put 24 controls on the same controller, multiple, you know, 25 if you put like -- this morning I think Brian gave a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
160 1 very good example of two functions being on the same 2 controller would have resulted in unsafe plant 3 conditions.
4 MR. ARNHOLT: Brian Arnholt with NuScale.
5 I might be able to maybe clarify what Charlie is 6 asking.
7 I think he's saying that there is no --
8 since we've isolated the MPS from the MCS, there's no 9 possible maybe adverse feedback the other way. Is 10 that your point?
11 MEMBER BROWN: Yes, it's you can't -- the 12 MPS will respond to the input it gets. And you're not 13 going to change that, regardless whether you have or 14 don't have segmentation. Whether you have multiple 15 plant systems failures that result in some analyzed 16 transient that you haven't analyzed under your 17 accident condition that the module protection system, 18 even though it responds, doesn't result in adequate 19 protection, you know, protecting the plant, that's not 20 the MPS's failure. It's not a matter of compromising 21 it. That's what I was trying to understand, but the 22 segmentation does not --
23 MEMBER BLEY: Let me try to parrot what he 24 said because it's something I brought up earlier.
25 He's talking about the module control system. So, can NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
161 1 you drive the plant itself, the physical plant, from 2 problems there into conditions that challenge the 3 protection system, that get the plant in a situation 4 that's beyond what's been analyzed?
5 MEMBER BROWN: But that's different from 6 adversely affecting the MPS functions. It functions, 7 but they may have missed a transient --
8 MEMBER BLEY: Well, it's different from 9 adversely affecting operations within the MPS. It can 10 affect the MPS function because you don't get what you 11 expected to get other than --
12 MEMBER BROWN: Yes, I would --
13 MEMBER BLEY: But the problem seems a real 14 one.
15 MEMBER BROWN: I understand your point, 16 and I understand --
17 MEMBER BLEY: Are you arguing words or are 18 you saying the problem is not a real one? I'm sorry 19 to get us going.
20 You guys can just sit back and relax for 21 a minute.
22 MEMBER BROWN: Well, no, no, that's right, 23 we're having fun.
24 (Laughter.)
25 We're going to get there, Mike, don't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
162 1 worry.
2 CHAIRMAN CORRADINI: But I want to make 3 sure -- I don't hear it as substantive. I hear about 4 you don't like how they word this, but --
5 MEMBER BROWN: No, I don't like the 6 implication --
7 CHAIRMAN CORRADINI: Right.
8 MEMBER BROWN: -- that there is some 9 failure in the MCS, whatever that is, that now can 10 adversely affect the ability of the MPS to respond to 11 its sensor inputs. That's all I'm saying. That is 12 wrong.
13 MR. TANEJA: No, that is not what we are 14 saying.
15 MEMBER BROWN: I totally understand that 16 you can have compounding things in the MCS that could 17 result in a plant response when the MPS does not have 18 the proper inputs --
19 MR. TANEJA: Correct.
20 MEMBER BROWN: -- to respond. That's a 21 different issue. That does not adversely affect the 22 MPS functions. That's all. It's a little bit broad.
23 This sends a message in your SER. They don't say that 24 in Chapter 7, by the way. NuScale doesn't say that, 25 but it is --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
163 1 MR. TANEJA: No, it's a broad statement 2 that we made. It is that the MPS functionality, 3 whether it's not getting the correct input at the 4 given situation -- so, the inputs are part of the MPS 5 structure, you know. So, what we were saying was 6 that, a transient on the balance of plant does not 7 give me what I need to create a turbine trip, I mean 8 a reactor trip or an ESFAS function, because the input 9 conditions did not come in at the right time --
10 MEMBER BROWN: I understand that.
11 MR. TANEJA: Yes. Right.
12 MEMBER BROWN: I understand that. But, 13 right now, we've got pressure-temperature level, 14 neutron, whatever else would come in there. If you 15 need another function to get generated because of some 16 other combination of things, it won't be there because 17 of the MCS failure. You're saying if you -- the way 18 they physically -- if we had combined all these things 19 in what I would have called "memory segmentation" 20 only, with all the control functions tied up in a big 21 pile of software, but they physically, at least what 22 they said, they physically separated them out by 23 processors --
24 MR. TANEJA: Right.
25 MEMBER BROWN: -- with their own NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
164 1 individual software. And that's a physical separation 2 of the data.
3 MR. TANEJA: Right.
4 MEMBER BROWN: But even that doesn't give 5 you a big -- it looks very difficult to have four of 6 those things that you can control from the MCS with a 7 common command set or software set. You've still got 8 four different response systems downstream from what 9 you can control. So, I just think we're working 10 overtime on this.
11 CHAIRMAN CORRADINI: But I just want to 12 make sure what we're arguing about. The way they 13 state this here is what you're objecting to, not what 14 they meant to say?
15 MEMBER BROWN: I don't like the message 16 that somehow there's something that impacts the MPS 17 and it doesn't. We may not have covered it from a 18 protection standpoint, from a plant transient in terms 19 of failures in the plant standpoint. We didn't 20 provide enough input to the MPS. We didn't provide a 21 proper --
22 MEMBER BLEY: It's not screwing with the 23 MPS internally.
24 MEMBER BROWN: That's right. That's what 25 this --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
165 1 MEMBER BLEY: It's feeding it unexpected 2 information.
3 MEMBER BROWN: And to me, this implies 4 that an MCS failure can adversely affect it. And 5 that's why we segment. That's not --
6 CHAIRMAN CORRADINI: Okay. Do you guys 7 get it?
8 MEMBER BROWN: That's not why they're 9 doing it.
10 CHAIRMAN CORRADINI: So, do you guys get 11 it?
12 MR. TANEJA: Right.
13 CHAIRMAN CORRADINI: And you agree with 14 it?
15 MEMBER BROWN: I understand what they did.
16 (Laughter.)
17 MR. ASHCRAFT: This is Joe Ashcraft. I 18 just want to make a quick comment.
19 And so, maybe this slide is misleading.
20 I think the overall, what they are trying --
21 MEMBER BROWN: Well, it's in the SER also.
22 MR. ASHCRAFT: I think what we're trying 23 to say is that the MCS/PCS does not affect the MPS.
24 MR. KALATHIVEETTIL: It doesn't 25 unnecessarily challenge it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
166 1 MR. ASHCRAFT: In other reviews that we've 2 had that was a big issue. So, maybe it's not worded 3 correctly here or maybe it's confusing, but that was 4 the goal, to just ensure that the non-safety side does 5 not impact the safety.
6 MR. BETANCOURT: This is it. I'm looking 7 at Mike and the clock.
8 MEMBER BROWN: You don't want an MCS 9 failure affecting three or four items that result in 10 data not getting to the MPS that it needs to show 11 protection for that set of failures. That's 12 fundamentally what you're --
13 MR. BETANCOURT: I think we understand the 14 comment. We're going to go back to the SE and find a 15 better way to say it.
16 CHAIRMAN CORRADINI: That's probably the 17 way to deal with it.
18 Okay. Let's move on.
19 MEMBER BROWN: What's next?
20 MR. KALATHIVEETTIL: All right. So, this 21 is the 10 CFR 5062 exemption or the anticipated 22 transient without scram exemption. The evaluation of 23 this exemption was documented in Chapter 7 with 24 assistance from Reactor Systems and the PRA Branches.
25 To give a brief history, NuScale requested NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
167 1 an exemption from the portion of the ATWS rule 2 requiring diverse equipment to initiate a turbine trip 3 under conditions indicative of an ATWS. They also 4 stated that, since the design does not include an 5 auxiliary or emergency feedwater system, the portion 6 of the ATWS rule requiring diverse automatic auxiliary 7 feedwater system initiation is not applicable to them.
8 Since the underlying purpose of the 9 10 CFR 5062 rule is to reduce the risks associated 10 with ATWS events, staff evaluated three major aspects 11 for this request.
12 First, staff evaluated how the design 13 reduces the risk of an ATWS event through redundancy, 14 diversity, and independence within the NuScale MPS.
15 The built-in diversity of the MPS design reduces the 16 probability of a failure to scram.
17 Secondly, the staff evaluated how the 18 NuScale design responds to an ATWS event and found 19 that the response is bounded by the design basis 20 accident analysis.
21 Finally, staff's evaluation also showed 22 that the MPS design results in an ATWS contribution to 23 core damage frequency which is lower than the safety 24 goal which is identified in the 10 CFR 5062 rulemaking 25 documents.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
168 1 Hence, staff concluded that the underlying 2 purpose of the ATWS rule was met by the NuScale 3 design.
4 MEMBER MARCH-LEUBA: Did NuScale submit a 5 reference ATWS calculation? Because the SER mentions 6 some numbers from Chapter 19 here and there, but I 7 haven't seen a plot of what the ATWS response is.
8 With respect to your bullet No. 2, how do you decide 9 that an ATWS is better than anything in Chapter 15?
10 MR. KALATHIVEETTIL: We actually have Jim 11 Gilmer here from Reactor Systems. He's the one who 12 evaluated this portion of it.
13 CHAIRMAN CORRADINI: But we're going to 14 see this, I guess --
15 MEMBER MARCH-LEUBA: Are we going to see 16 it?
17 CHAIRMAN CORRADINI: Yes, we're going to 18 see it.
19 MEMBER MARCH-LEUBA: That's the question.
20 Are we?
21 MR. GILMER: Yes, Jim Gilmer, Reactor 22 Systems.
23 NuScale has not submitted on the docket 24 the calculation. However, during Chapter 19 audit as 25 well as Chapter 15 audit, we reviewed all of their in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
169 1 RELAP calculations and any supporting ANSYS stress 2 analysis.
3 MEMBER MARCH-LEUBA: So, basically, we'll 4 get to see that, Chapter 15 and Chapter 19 --
5 CHAIRMAN CORRADINI: If not, we're going 6 to ask for it.
7 MEMBER MARCH-LEUBA: I'm not happy that 8 there is no submitted on-the-record calculation for 9 ATWS. It should be part of this.
10 MR. GILMER: I understand. We would like 11 to see it, also, on the docket.
12 But the two particular ATWS acceptance 13 criteria that were challenged in this design are the 14 reactor coolant pressure, RCS pressure, and 15 containment.
16 MEMBER MARCH-LEUBA: Yes.
17 MR. GILMER: And there were --
18 MEMBER MARCH-LEUBA: I'm willing to table 19 it until Chapter 15 or 19.
20 CHAIRMAN CORRADINI: Okay. All right.
21 MR. KALATHIVEETTIL: Next slide.
22 All right. So, as the heading of this 23 slide states, the purpose here is to address some of 24 the ACRS comments from a NuScale Chapter 8 25 Subcommittee meeting.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
170 1 First, there was a concern as to how the 2 24-hour timers were powered. The 24-hour timers are 3 part of the MPS boundary. And so, they are powered 4 the same source as the MPS is. The whole purpose of 5 the 24-hour timers is simply to provide an ECCS hold 6 mode and, also, any load-shedding which could, in 7 turn, help with achieving their 72-hour capacity for 8 the post-accident monitoring, or PAM-only mode.
9 Another concern was as to what happens if 10 there are degraded voltage conditions. The MPS is 11 capable of sensing any kind of degraded voltage 12 condition, and if such a condition exists, then the 13 MPS basically performs its safety function.
14 Next slide.
15 MEMBER MARCH-LEUBA: So, are you saying 16 that MPS has an under-voltage sensor and a scram based 17 on it?
18 MR. KALATHIVEETTIL: Yes, it actually had 19 a predetermined value that it looks for. And the 20 moment that it is hit, it actually goes ahead and does 21 the RTS --
22 MEMBER MARCH-LEUBA: One of the scrams is 23 local just to MPS?
24 MR. KALATHIVEETTIL: Yes. Yes, you are 25 correct.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
171 1 MEMBER BROWN: Okay. Is that separate 2 from the timers?
3 MR. TANEJA: The degraded condition is not 4 part of the timers. That is how the MPS is --
5 MEMBER BROWN: So, is there an under-6 voltage sensor that's fed into the MPS?
7 MR. ARNHOLT: Brian Arnholt with NuScale 8 Power.
9 Yes, we monitor the AC voltage input to 10 the EDSS battery chargers, and if we detect a low-11 voltage condition, there's logic within the MPS that 12 will initiate a reactor trip, containment isolation, 13 and decay heat removal system.
14 MEMBER BLEY: In fact, it's an ESFAS?
15 MEMBER MARCH-LEUBA: Is it --
16 CHAIRMAN CORRADINI: One at a time.
17 MR. ARNHOLT: Yes, both a reactor trip and 18 an ESFAS function.
19 MEMBER BLEY: Back in the Chapter 8 20 meeting, we were concerned that what if the batteries 21 didn't hold up as long as they're supposed to. Could 22 we get individual valves drifting shut and weird 23 stuff? And now, they're saying, well, you shouldn't 24 because we have one more backup on the battery, and 25 that's to initiate one of the safety functions.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
172 1 MEMBER MARCH-LEUBA: But he said they're 2 detecting the AC power coming from outside --
3 MEMBER BLEY: Which won't be there if 4 we're running on batteries. So, it doesn't help us if 5 we're on batteries.
6 MR. ARNHOLT: Now there's two parts to 7 that. There's the AC voltage monitoring we perform, 8 but also, if you remember, I mentioned we had those 9 DC-to-DC power converters, those Class 1E isolation 10 devices. Those monitor for any type of under-voltage 11 or voltage-changing condition for the power feed into 12 MPS. And just like they isolate --
13 MEMBER MARCH-LEUBA: So, if there's a drop 14 in voltage, you also operate for that --
15 MR. ARNHOLT: A circuit breaker, for 16 example, and then, they would remove power and isolate 17 that power feed into the MPS as well.
18 MEMBER BLEY: And the setpoints on those 19 are higher than the point at which, by testing, we 20 know any of the valves would start to drift?
21 MR. ARNHOLT: Correct.
22 MEMBER BLEY: Is that true?
23 MR. ARNHOLT: That's true.
24 MEMBER BLEY: Where is the test reports?
25 MR. ARNHOLT: Oh, we haven't those -- we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
173 1 haven't gotten that far yet. That's not --
2 MEMBER BLEY: You're going to test that?
3 We'll be interested in seeing the test results.
4 MEMBER BROWN: I also did not read -- is 5 there something in Chapter 7 or in, I guess Chapter 7, 6 that talks about the sensor inputs, one of the under-7 voltage -- that's input to the MPS system?
8 MR. BETANCOURT: Yes. So, if you look 9 under the DCD, there's a Table 7.1-4 that shows, and 10 then, Table 7.1-3 that shows all of the inputs and the 11 parameters for the ESFAS and RTS. So, Table 7.1-3 --
12 MEMBER BROWN: This is in the Chapter 7?
13 MR. BETANCOURT: Right. Reactor trip 14 functions, and Table 7.1-4, Engineered Safety 15 Features, Actuation System Functions. So, you will 16 see those parameters to be on both of them.
17 MEMBER BROWN: Okay. I just missed that 18 when I went through it. Okay. Thank you.
19 MR. KALATHIVEETTIL: This was the first 20 time that staff used the design specific review 21 standard, Chapter 7, to review an application. The 22 approach of DSRS Chapter 7 resulted in a simple I&C 23 architecture and HIPS design, while incorporating the 24 fundamental design principles. The approach also 25 resulted in the completion of the Safety Evaluation in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
174 1 an efficient and effective safety-focused manner.
2 In conclusion, the staff finds that the 3 I&C design is safe and that it complies with all the 4 applicable NRC regulatory requirements.
5 MEMBER BROWN: And I have another 6 question. Actually, I have two questions. Sorry, 7 Mike. We've got a lot of time, three minutes.
8 Multi-unit stations, you all concluded 9 that the setup and the controls, and everything, that 10 multi-unit station setup is okay?
11 MR. KALATHIVEETTIL: Yes.
12 MEMBER BROWN: My question is, when do we 13 see an evaluation of how people actually control the 14 plant using this? Is that going to be in Chapter 18, 15 HNI, or whatever it is?
16 MR. BETANCOURT: So, we reviewed the 17 Chapter 21 input and RFCR in Chapter 7, but I think 18 that will be for Chapter 18 and Chapter 15 it could be 19 addressed.
20 MEMBER BROWN: But I didn't get much out 21 of the multi-unit station discussion.
22 MR. BETANCOURT: Right.
23 MEMBER BROWN: It just says the I&C 24 systems and the distributed control systems, et 25 cetera, et cetera, provide the ability to control all NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
175 1 these things. It didn't say how am I going to control 2 12 modules with one DC system.
3 MR. BETANCOURT: Right.
4 MEMBER BROWN: How many operators do I 5 need to do --
6 MR. BETANCOURT: So, that's a Chapter 18 7 topic.
8 MEMBER BLEY: And I understand, I've heard 9 that the way they're doing that has evolved from what 10 we saw several years ago when we were out there, which 11 was three people in the control room, one guy running 12 all the plants and, then, dropping them off. And it 13 was pretty interesting. It worked very well. But 14 we're really interested in seeing that whenever it 15 comes up.
16 MEMBER BROWN: So, it's really Chapter 18?
17 MR. BETANCOURT: Yes.
18 MEMBER BROWN: Okay. All right. That's 19 question one.
20 CHAIRMAN CORRADINI: Wait a minute. Now 21 you brought it up, so it's your fault.
22 (Laughter.)
23 So, has the staffing regimen for the 24 multi-units been settled or is it still an issue 25 that's a policy issue to the Commission? I'm trying NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
176 1 to understand how many people are watching how many 2 modules. It kind of interacts with the questions you 3 were asking.
4 MEMBER BROWN: No, that's part of it, yes.
5 CHAIRMAN CORRADINI: Has that been settled 6 and it's in the DCD, settled for review?
7 MR. TABATABAI: I cannot answer that 8 question. Actually, I'm not the PM for Chapter 18.
9 So, I don't want to provide --
10 MR. BERGMAN: Tom Bergman, NuScale.
11 That's still an active part of the review.
12 CHAIRMAN CORRADINI: Fine.
13 MR. BERGMAN: The staff has just recently 14 observed some of our operator training. They have 15 another audit coming out to see more of the testing.
16 So, we haven't heard any concerns specifically raised, 17 but it is still under review by the staff.
18 MEMBER BLEY: Tom, is it spelled out in 19 the DCD now or is it --
20 MR. BERGMAN: Is what spelled out?
21 MEMBER BLEY: How they're going to operate 22 or how you expect them to operate.
23 MR. BERGMAN: I don't know that the number 24 of operators is specifically in the DCD. It will be 25 in the appendix that certifies the design, Part 52.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
177 1 So, the regulatory approaches are appendix and Part 2 52, which say COLs that incorporate this design by 3 reference follow this approach in lieu of that in 4 5054(m). And that will say our approach is six 5 operators will be in front, plus a senior reactor 6 operator, STA, and supervisor. But, just like you saw 7 when you were there, they are still the three people 8 at the desks.
9 MEMBER BLEY: Okay. Thanks.
10 CHAIRMAN CORRADINI: Charlie, I'm sorry.
11 You had one more question, Charlie?
12 MEMBER BROWN: Yes, but I've got to find 13 it here.
14 Yes, it's you all had a comment or a 15 paragraph where you talked about the MPS is an FPGA-16 based system. Traditional watchdog timers do not 17 provide the same protections for FPGA systems as they 18 do in microprocessor-based systems. The MPS addresses 19 the need for "alabness," although I couldn't find that 20 word anywhere, via the self-testing features of the 21 MPS modules, EGVF-FM. In other words, it's under the 22 built-in self-test features.
23 But, when I went and looked at that, all 24 I could find was that throughout the testing you have 25 individual -- at least the way I read it, each NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
178 1 individual piece has some type of an identification of 2 its alabness or --
3 MR. BETANCOURT: Correct.
4 MEMBER BROWN: But there's no beginning-5 to-end check that anything ever finishes a complete 6 cycle anywhere.
7 MR. BETANCOURT: Right.
8 MEMBER BROWN: In other words, from start 9 to finish. I'm not talking about repeatability. Just 10 the things actually get to the end.
11 MR. BETANCOURT: The feedback.
12 MEMBER BROWN: That's right. As you get 13 with the watchdog timer. In other words, you're 14 stepping through -- I mean, FPGA still has to go 15 through and process data, result into a vote, and 16 something has to happen.
17 MR. BETANCOURT: Right.
18 MEMBER BROWN: But there's nothing that 19 says that that actually gets completed, other than 20 individual pieces along the way.
21 MR. BETANCOURT: So, you're correct. Like 22 the way that they are designed, it's like a piecemeal 23 way.
24 MEMBER BROWN: Very piecemeal.
25 MR. BETANCOURT: Right. But, then, you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
179 1 will still get that feedback at the control room that 2 the actuation, or whatever function you're trying to 3 activate --
4 MEMBER BROWN: If you actuate, but you 5 don't actuate the protection.
6 MR. BETANCOURT: Right.
7 MEMBER BROWN: You don't actuate the trip 8 systems.
9 MR. BETANCOURT: Right.
10 MEMBER BROWN: So, you don't ever know 11 whether the thing is being voted and a signal is being 12 out to the EIM.
13 MR. BETANCOURT: And that's where the 14 piecemeal comes into play. It's like each one of the 15 modules will actually do like a cross-check against 16 each other. So, in other words, the EIM may be 17 expecting a signal from one of the separation groups, 18 and if it doesn't come in in the allotted time, it 19 will send out an alarm, hey, I was expecting --
20 MEMBER BROWN: Where are those alarms 21 identified?
22 MR. BETANCOURT: The specific alarms?
23 MEMBER BROWN: Chapter 7?
24 MR. BETANCOURT: Like you're talking about 25 the failure?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
180 1 MEMBER BROWN: Yes, I'm trying to figure 2 out, if I don't say that I complete data processing 3 from data input in whatever the sample size, you know, 4 whatever the sample period is from beginning to end, 5 and I either get a signal that either doesn't arrive 6 or does arrive at an EIM -- I don't know what the 7 endpoint is. Obviously, you don't want to actuate 8 anything.
9 MR. BETANCOURT: I believe we had an 10 RAI --
11 MEMBER BROWN: Or outputs from the voting 12 unit that says, I'm finished; nothing's there; I don't 13 have to trip. Something ought to be telling you that 14 I have finished it somewhere.
15 MR. BETANCOURT: I believe there was an 16 RAI and an ASAI, but it was clearly delineated, that 17 concern, what is a safe state of a failure, whatever 18 module. And I know that we had that on the SER. And 19 there's a table that shows what is the safe state that 20 is expected for each one of the modules.
21 MEMBER BROWN: I understand the safe 22 state, but how do I know that it doesn't get to safe 23 state? Is there an alarm triggered and where is the 24 alarm specified?
25 MR. ARNHOLT: I might be able to help.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
181 1 Brian Arnholt from NuScale Power.
2 I've got to be careful with what I say 3 here because a lot of this detail is proprietary of 4 how it works. But if --
5 MEMBER BROWN: I don't want to know how it 6 works. I just want to know whether an alarm goes off 7 if it doesn't complete a processing cycle --
8 MR. ARNHOLT: Yes, it does.
9 MEMBER BROWN: -- in 50 millicycles.
10 MR. ARNHOLT: The answer to your question 11 is yes.
12 MEMBER BROWN: And where is that stated?
13 That's not proprietary. That just means --
14 MR. ARNHOLT: That's a part of our self-15 testing and diagnostics that described in the HIPS 16 Topical Report.
17 CHAIRMAN CORRADINI: And if you want more 18 detail, let's do it after lunch in the closed session.
19 MEMBER BROWN: I guess I'll want more 20 detail.
21 CHAIRMAN CORRADINI: I figured you did.
22 MEMBER BROWN: We can talk about it after 23 lunch.
24 (Laughter.)
25 CHAIRMAN CORRADINI: Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
182 1 MEMBER BROWN: Because I don't remember --
2 I remember the BIST for each individual piece, but I 3 never saw a start; I don't remember and could not 4 find. I went and took a quick look at Rev 1 of HIPS, 5 and I'm not going to talk about that anymore right 6 now, but I couldn't find anything.
7 CHAIRMAN CORRADINI: Okay.
8 MEMBER SKILLMAN: Mike --
9 CHAIRMAN CORRADINI: No, no, I want to 10 make sure I had the members --
11 MEMBER BROWN: That's my last --
12 MEMBER SKILLMAN: I have a question, sir, 13 Mr. Chairman.
14 You have not introduced slide 23. Please 15 do it. On this slide. You had to have been there to 16 understand why this change in regulation came in 1980-17 1981. I recognize this is not a full P and it's not 18 a full B. This is a hybrid in shutdown because this 19 is a PWR with a very, very low pressure.
20 But I will tell you, from having been 21 there in the control room, if you do not know what 22 your pressurized level is, you do not know the 23 condition of your core. And so, I don't know why 24 staff finds pressurizer level not necessary. I 25 understand you might say it's not necessary to achieve NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
183 1 cooling, but it's vital to understand the status of 2 the core.
3 MR. BETANCOURT: And what I believe, that 4 the intent of how NuScale is set to address this is 5 that they're not relying on pressurizer level 6 indication to get that function. They're relying on 7 the RCS flow instead of the pressurizer level 8 indication to be able to meet the intent of that 9 regulation. So, they're saying that we still meet the 10 intent, not using the pressurizer level indication.
11 We're using the RCS flow indication to be able to 12 verify there's natural circulation throughout the 13 core.
14 CHAIRMAN CORRADINI: But I think what Dick 15 is saying is, whether I'm a B or a P, in the P I find 16 pressurized level, and if it's a B, I have a level 17 indication in the reactor. What I think he is 18 bothered by is I have neither.
19 MEMBER SKILLMAN: Bingo.
20 MR. TANEJA: Yes, the regulation, for 21 regulation's sake, they don't need that information.
22 But it is a post-accident monitoring variable that is 23 available. The pressurizer level I believe is one of 24 the variables that is displayed on the safety 25 indication and display panel. So, it is one of the --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
184 1 MR. ARNHOLT: One point of clarification.
2 Brian Arnholt, NuScale Power.
3 The post-accident monitoring variable for 4 this function is RPD riser level. And that's what we 5 use to monitor inventory within the reactor vessel.
6 CHAIRMAN CORRADINI: The riser level is 7 what -- where is that measured? That's within the 8 downcomer after the steam generators?
9 MR. ARNHOLT: The riser is the central 10 column of water coming out of the core.
11 CHAIRMAN CORRADINI: Oh, I'm sorry, just 12 the opposite. What I call the shroud in the BWR.
13 Okay. Fine. Okay. So, it's within that, which is 14 physically below where the pressurizer control is?
15 MR. ARNHOLT: Correct. But that's our 16 direct measurement for whether we --
17 MEMBER SKILLMAN: And would one put on the 18 record that that is an adequate and accurate 19 representation of the hydraulic level above the core?
20 That's a yes or no.
21 MR. ARNHOLT: Could you repeat the 22 question, please?
23 MEMBER SKILLMAN: Yes. Would one 24 communicate that that riser level is an adequate and 25 accurate indication of the hydraulic level above the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
185 1 core?
2 MR. ARNHOLT: Yes.
3 MEMBER SKILLMAN: Thank you.
4 CHAIRMAN CORRADINI: Other comments by the 5 members?
6 (No response.)
7 Okay. I think at this point I'd like 8 to --
9 MR. BETANCOURT: Can I break up all of the 10 actions that we have to do? Sorry. Or you want to do 11 that after --
12 CHAIRMAN CORRADINI: Well, I think I want 13 to go to public comments.
14 MR. BETANCOURT: Okay.
15 CHAIRMAN CORRADINI: We can do that, 16 because we're going to have a closed session, and 17 we'll have a full more, I'm sure.
18 Okay. So, I'd like to get the phone line 19 open, if we could, please.
20 OPERATOR: The bridge is open.
21 CHAIRMAN CORRADINI: Thank you.
22 So, are there any members of the public 23 out there who would like to make a comment at the end 24 of our open session?
25 (No response.)
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
186 1 Okay. Hearing none, could you close the 2 outside line?
3 And I want to ask, anybody in the audience 4 that would like to make a comment?
5 (No response.)
6 Okay. Hearing none, we will break for 7 lunch, and we'll come back at 1:15. I think that's 8 okay if we give ourselves an additional five minutes, 9 ten minutes. Okay? We'll see you back here at 1:15, 10 and it will be in closed session.
11 (Whereupon, the foregoing matter went off 12 the record for lunch at 12:09 p.m. and went back on 13 the record in closed session at 1:16 p.m.)
14 15 16 17 18 19 20 21 22 23 24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
NuScale Nonproprietary ACRS Presentation:
NuScale Instrumentation and Controls Design Overview Brian Arnholt Supervisor, I&C Engineering Rufino Ayala I&C Engineer Paul Infanger Licensing Project Manager August 23, 2018 1
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Purpose
- Provide an overview of the NuScale Instrumentation and Control (I&C) systems and highlights of the I&C systems design described in NuScale Final Safety Analysis Report (FSAR) Chapter 7 2
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Abbreviations APL - actuation and priority logic IEEE - Institute for Electrical and Electronics Engineers ASAI - application specific action item ISM - input sub-module CCF - common cause failure MCS - module control system CFDS - containment flood and drain system MIB - monitoring and indication bus CIS - containment isolation signal MIB-CM - MIB communication module CNT - containment system MPS - module protection system CVCS - chemical and volume control system NPM - NuScale Power Module D3 - diversity and defense-in-depth NMS - neutron monitoring system DI&C - digital instrumentation and control PAM - post-accident monitoring DHRS - decay heat removal system PCS - plant control system ECCS - emergency core cooling system PPS - plant protection system EDSS - highly reliable DC power system RMS - radiation monitoring system EDNS - normal DC power system RTB - reactor trip breaker EIM - equipment interface module RTS - reactor trip system ELVS - low AC voltage power system SBM - scheduling and bypass module ESFAS - engineered safety features actuation system SDB - safety data bus FPGA - field programmable gate array SDIS - safety display and indication system HIPS - highly integrated protection system SFM - safety function module HWM - hard-wired module SVM - scheduling and voting module I&C - instrumentation and controls UTB - under the bioshield ICIS - in-core instrumentation system 3
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
NuScale DCA Chapter 7 Structure
- NuScale Chapter 7 Design Certification Application Follows Design Specific Review Standard Framework
- Section 7.0: Instrumentation and Controls - Introduction and Overview
- System Architecture and Overview
- Key System Descriptions
- Section 7.1 Fundamental Design Principles
- Independence
- Redundancy
- Predictability and Repeatability
- Diversity and Defense-in-Depth
- Simplicity
- Hazards Analysis
- Section 7.2 System Features
- Design and system characteristics in accordance with IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations and IEEE Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers and Safety Systems of Nuclear Power Generating Stations 4
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Section 7.0: Instrumentation and Controls -
Introduction and Overview 5
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
I&C System Design Basis main steam isolation valves main feedwater isolation valves Safety I&C Platform
- Digital I&C system
- Use of FPGAs allows for diversification decay heat removal actuation valves within the safety I&C platform containment vessel
- Passive safety features result in a control rod drives reactor pool simpler safety I&C platform reactor vent valves safety relief valves
- A simpler and more diversified design reactor pressure vessel pressurizer results in a more reliable safety I&C steam header upper plenum platform decay heat removal passive condenser
- No safety-related pumps or fans to steam generators control feedwater header
- Provide reactor trip breaker and control rods hot leg riser pressurizer heater breaker trip signals reactor recirculation
- Provide trip signals to solenoid operated valves downcomer reactor core valves lower plenum
- On loss of power solenoids de-energize and associated valves fail in NOT TO SCALE the safe position and reactor trip and pressurizer heater breakers open 6
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
I&C Architecture Overview ISO ISO ISO ISO ISO ISO ISO 7
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Module-Specific I&C Systems Module The MPS is a digital, FPGA-based system that monitors process variables and provides Digital Protection automatic initiating signals in response to out-of-normal conditions, providing protection FPGA-based System against unsafe NPM operation during steady state and transient power operation. Each NPM A1 has a single dedicated MPS (MPS)
The neutron monitoring system (NMS) is an analog system comprised of three sub-systems:
Neutron A1
- NMS-excore subsystem provides neutron flux data to the MPS for reactor trips Analog Monitoring
- NMS-flood subsystem provides information to the MPS for post-accident monitoring during B2 System conditions when CNV is flooded
- NMS-refuel subsystem provides neutron flux signals to the PCS during refueling operations B2 (NMS) (plant-level)
Module Digital-Control The MCS is a distributed control system which provides the Human System distributed Interface and controls for monitoring and control of NPM specific plant B2 control system System components that are associated with the NPM balance-of-plant control functions.
(MCS)
Incore The ICIS monitors the neutron flux distribution within the reactor core and provides core Instrument inlet and exit temperature information to the MPS for monitoring core cooling during post- B2 System accident conditions (ICIS)
A1 - Safety-related, risk-significant B2 - Nonsafety-related, not risk-significant 8
PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Plant-Level I&C Systems Plant The PPS is an FPGA-based system that monitors process variables at the plant level Digital Protection primarily related to control room habitability and radiation monitoring and executes actuations FPGA-based System in response to normal and off-normal conditions. The PPS monitors and controls systems common to up to 12 NPMs.
(PPS)
Augmented design requirements Safety The SDIS is an FPGA-based display and monitoring system that provides module Display and and plant data to the operators to ensure that the plant is operating within the limits Digital defined by safety analyses, notifies operators when the ESFAS, RTS, and PPS FPGA-based Indication System setpoints are reached, and provides information pertinent to the MPS and PPS status and information displays to support post-accident monitoring.
Nonsafety- (SDIS) related, Augmented design requirements nonrisk-significant Digital Plant The PCS is a distributed control system which allows monitoring and control of distributed Control non-NPM-specific plant components. The PCS includes manual controls and control system System HSIs necessary for the plant operator in the Main Control Room for all 12 modules.
(PCS)
Radiation The RMS is comprised of fixed area radiation monitors and continuous air monitors Analog and throughout the plant that continuously monitor in-plant radiation and airborne radioactivity as Monitoring digital appropriate for routine and accident conditions and alerts control room operators of changing microprocessor System plant radiation levels (contains both module-specific and plant-level monitors)
(RMS) 9 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Module Protection System
- The NuScale safety-related MPS design is based on topical report TR-1015-18653-P-A, Design of the Highly Integrated Protection System Platform (HIPS TR).
- The safety-related I&C systems design basis conforms to the following without deviation or exceptions:
- IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations
- IEEE Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers and Safety Systems of Nuclear Power Generating Stations
- Staff Requirements Memorandum to SECY 93-087, "Policy, Technical and Licensing Issues Pertaining to Evolutionary and Advanced Light-water Reactor Designs"
- Major components:
- Four separation groups of sensor inputs, electronics and trip determination
- Class 1E DC-DC power converters/isolation devices
- Reactor trip and pressurizer heater trip breakers
- Two divisions of RTS and ESFAS voting and actuation components
- Two divisions of hard-wired manual actuation switches
- Nonsafety-related 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> timers
- Nonsafety-related maintenance workstations
- MCR isolation switches provided in Remote Shutdown Station.
10 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Loss of AC Power
- NuScale I&C Architecture Low AC ELVS bus voltage monitoring ELVS provides for nonsafety-related voltage sensors V
480 Vac I&C logic AC Power post-accident monitoring (PAM) DC Power functions.
- Performed by MPS, PPS and SDIS and MCS for Type B, C and D, and other systems for Type E EDNS 208 Vac EDSS 125 Vdc EDSS 125 Vdc
- Sensors that support long-term PAM functions remain energized for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. RTS ESFAS Actuation Actuation
- Battery Mission Times
- EDSS-MS Channel A & D - 24 CRDS Plant Sensors ESF Solenoids hours (ECCS Hold Mode)
- EDSS-MS Channel B & C - 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (PAM Support)
Time = 60 seconds Time = 0 seconds
- EDSS-C Division I & II - 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Low ELVS bus Reactor trip DHRS actuation Time = 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> ECCS Actuation (PAM Support) voltage detected CNT isolation ECCS Hold Mode PAM Only Mode 11 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
HIPS TR Application Specific Action Items
12 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
MPS Top-Level Architecture 13 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
MPS Breaker Configuration
- Four reactor trip breakers, two per division
- Four pressurizer heater trip breakers, two per division Each breaker opens upon loss of power to the under voltage coil.
A shunt trip coil is provided as a nonsafety-related diverse means to open the breakers 14 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Nonsafety System Segmentation
- Segmentation is used as a defensive and preventative measure in the MCS architecture. Segmentation provides functional independence between major control functions preventing against a failure in one controller group from causing an undesirable condition in another controller group.
- Preventive and limiting measures are determined by a susceptibility analysis that considered malfunctions and spurious actuations, as set forth in NRC DI&C-ISG-04, Section 3.1, staff position 5.
- Control groups were evaluated for effect on:
- reactivity addition to the reactor coolant system
- primary coolant pressure increase or decrease
- primary coolant temperature increase or decrease
- primary coolant level increase or decrease
- radioactive material release to the environment 15 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Section 7.1 Fundamental Design Principles 16 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Fundamental Design Principles
- Independence
- Redundancy
- Predictability and Repeatability
- Diversity and Defense-in-Depth
- Simplicity 17 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Independence Separation Group A
- The MPS and NMS are 4-20mA input 4-20mA input 4-20mA input Chassis (ISMs) (ISMs) (ISMs) designed with physical, Isolation Isolation Isolation electrical, communication and SFM #1 SFM #2 SFM #n functional independence. Monitoring & Indication Bus Safety Data Bus 3
- One-way communication from Safety Data Bus 2 Safety Data Bus 1 safety to nonsafety systems through isolated data paths. Monitoring &
SBM1 SBM2 SBM3 MIB-CM Indication
- Separation of safety and non- Isolation Isolation Isolation safety communications on From SG B SBM1 From SG B SBM2 From SG B SBM3 different communication From SG C SBM1 From SG D SBM1 From SG C SBM2 From SG D SBM2 From SG C SBM3 From SG D SBM3 busses.
Isolation Isolation Isolation
- MCS control of safety-related SVM1 SVM2 SVM3 MIB-CM Monitoring &
Indication components via hard-wired isolated inputs from MCS Monitoring & Indication Bus (no digital signals) Safety Data Bus 3 Safety Data Bus 2 Safety Data Bus 1 Safety Data Paths (1, 2, 3)
Safety Data Path 1 Safety Data Path 2 EIM #1 EIM #2 EIM #n Safety Data Path 3 Reactor Trip System Monitoring and Indication Path Division I Chassis 18 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Redundancy
- FSAR Section 7.1.3
- Four separation groups, two divisions of MPS
- Four channels of safety-related NMS
- MPS and NMS meet single failure criterion
- Post-accident monitoring channels
- No PAM Type A variables
- PAM Type B and C variables meet single failure criterion
- Nonsafety I&C Systems incorporate redundancy principles for high reliability, asset protection 19 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Predictability and Repeatability
- FSAR Section 7.1.4
- The MPS applies the deterministic features of the HIPS platform.
- The MPS response time is accounted for in the plant safety analysis actuation delays.
20 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Diversity and Defense-in-Depth
- FSAR Section 7.1.5
- D3 strategy relies on platform/technology diversity for defense against common-cause failures
- diversity for the platform technology is achieved through different FPGA chip technologies and their associated development tool sets
- Approach simplifies the D3 Diversity Assessment and narrows scope of coping analysis required for digital-based sensors.
21 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Sensor Diversity
- Coping Analysis performed (summarized in FSAR Table 7.1-18) to address potential digital-based CCF vulnerabilities associated with digital-based sensors for pressure, level and flow measurements.
- Coping analysis included a full evaluation of all design basis events analyzed using best-estimate methods to analyze a postulated digital-based sensor CCF.
- In some cases, the event never progressed to a trip condition using best-estimate analytical methods.
- In other cases, diverse, non-digital sensors initiated the trip condition.
Result D3 coping analysis acceptance criteria met 22 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Section 7.2 - System Features 23 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Control of Access
- MPS design conforms to IEEE 603-1991, Section 5.9, Control of Access and Secure Development and Operational Environment requirements of Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Revision 3.
- Physical protection: locked cabinets/rooms.
- MPS design does not provide for remote access capability.
- Physical and logical controls prevent modification of MPS FPGA Logic while in service.
- Limited set of MPS tunable parameters (i.e., setpoints) can be modified when SFM is bypassed and special equipment is used.
24 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Automatic and Manual Controls
- All MPS RTS/ESFAS functions occur automatically.
- MPS provides for manual actuation via hard-wired switches in main control room as backup to automatic functions:
- ECCS actuation
- decay heat removal actuation
- containment isolation
- demineralized water system isolation
- chemical and volume control system isolation
- pressurizer heater trip
- low temperature over pressure protection 25 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Actuation Priority Logic
- APL circuit provides for prioritization of safety-related signals
- Automatic/Manual RTS/ESFAS actuation commands have highest priority.
- Enable control of safety-related components from nonsafety-related MCS via Enable Nonsafety Control Switch MCS hard-wired interfaces Non-digital (no software) circuit -- comprised of discrete components 26 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Conclusion
- NuScale FSAR follows the new Chapter 7 DSRS structure
- Overall resulted in more streamlined, efficient review.
- The NuScale I&C design meets regulatory requirements contained in IEEE 603-1991, IEEE 7-4.3.2-2003 and SRM to SECY-93-087.
- The I&C architecture and systems incorporate the fundamental design principles with an overall focus on simplicity.
- NuScale passively safe design results in a simple I&C design solution - no complicated functions
- Simple RTS/ESFAS functions (simple comparators, simple functions)
- No closed/open loop control - all safety-related functions are de-energize to actuate
- Safety function is accomplished by the removal of electrical power (e.g., reactor trip breakers open on loss of power) 27 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Appendix:
FSAR Figure 7.0-1, I&C Architecture Diagram 28 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
NuScale I&C Architecture FSAR Figure 7.0-1 29 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Portland Office Richland Office 6650 SW Redwood Lane, 1933 Jadwin Ave., Suite 130 Suite 210 Richland, WA 99354 Portland, OR 97224 541.360.0500 971.371.1592 Arlington Office Corvallis Office 2300 Clarendon Blvd., Suite 1110 1100 NE Circle Blvd., Suite 200 Arlington, VA 22201 Corvallis, OR 97330 541.360.0500 London Office 1st Floor Portland House Rockville Office Bressenden Place 11333 Woodglen Ave., Suite 205 London SW1E 5BH Rockville, MD 20852 United Kingdom 301.770.0472 +44 (0) 2079 321700 Charlotte Office 2815 Coliseum Centre Drive, Suite 230 Charlotte, NC 28217 980.349.4804 http://www.nuscalepower.com Twitter: @NuScale_Power 30 PM-0618-60212 Revision: 0 Copyright 2018 by NuScale Power, LLC.
emplate #: 0000 Template 21727 F01 R4 0000-21727-F01
Safety Evaluation with Open Items:
Chapter 7, Instrumentation and Controls NuScale Design Certification Application Review ACRS Subcommittee Meeting August 23, 2018
Agenda
- Background
- NRC Staff Review Team
- NRC Staff Interfaces
- Timeline
- Safety Evaluation
- Safety-Focused Review
- Instrumentation and Controls Overview
- Fundamental Design Principles
- Non-safety-related Systems Segmentations
- Exemption Request to 10 CFR 50.62(c)(1)
- ACRS Comments on Chapter 8 Subcommittee Meeting
- Conclusions August 23, 2018 Chapter 7 - Instrumentation and Controls 2
NRC Staff Review Team
- Technical Staff
- Sergiu Basturescu, NRO
- Dawnmathews Kalathiveettil, NRO
- Dinesh Taneja, NRO
- Yaguang Yang, RES
- Project Manager
- Gregory Cranston, Lead Project Manager
- Omid Tabatabai, Chapter Project Manager August 23, 2018 Chapter 7 - Instrumentation and Controls 3
NRC Staff Interfaces PAMS NRO/DICP NRO/DLSE NRO/DSRA EQ & TMI-ATWS Action Item Exemption Exemption NRO/DSRA NRR/DE Chap.
Coping COMS 7 Analysis &
ATWS NSIR/EP Exemption NRO/DSRA Software QA Setpoints &
& ITP Tech Specs NRO/DCIP NRR/DSS August 23, 2018 Chapter 7 - Instrumentation and Controls 4
Timeline Date Activity 2014 - 2016 Pre-application Activities September 2016 Readiness Review March 2017 Accepted Revision 0 of the DCD for Review April 2017 ACRS Full Committee Meeting on HIPS Platform Topical Report March 2017 -
Held 5 Public Meetings / Issued 9 RAIs / Completed 1 Audit December 2017 January 2018 Draft SE with Open Items Completed March 2018 Applicant Submitted Revision 1 of the DCD April 2018 All Confirmatory Items Incorporated into Revision 1 of the DCD August 2018 ACRS Subcommittee Meeting September 2018 ACRS Full Committee Meeting August 23, 2018 Chapter 7 - Instrumentation and Controls 5
Safety-Focused Review FUNDAMENTAL DESIGN PRINCIPLES Predictability &
Independence ESFRA Repeatability Diversity and Redundancy Defense-in-Depth Simplicity August 23, 2018 Chapter 7 - Instrumentation and Controls 6
NuScale DCD Evaluation TIER 1 TIER 2 Exemptions IBR Documents 9.5.2 ATWS 2.5 (COMS)
(MPS/SDIS) (50.62)
Sensors TeR (Tier 2- 7.2.6) 2.6 TR-1015-A TMI Action (NMS) 18653 S Item A
Chapter 7 50.34(f)(2)(xx)
HIPS I Platform Setpoints TeR (Tier 2 - 7.2.7) 14.3.5 (ITAAC)
August 23, 2018 Chapter 7 - Instrumentation and Controls 7
NuScale I&C Architecture August 23, 2018 Chapter 7 - Instrumentation and Controls 8
Safety Classification August 23, 2018 Chapter 7 - Instrumentation and Controls 9
Independence Physical Electrical Communications Functional August 23, 2018 Chapter 7 - Instrumentation and Controls 10
Redundancy
- MPS Redundancy
- Four separation groups and two divisions of RTS/ESFAS
- Internal Platform Redundancy
- NMS Redundancy
- Four separation groups
- Post-Accident Monitoring
- Two divisions of SDIS August 23, 2018 Chapter 7 - Instrumentation and Controls 11
Predictability and Repeatability MPS Platform (1 sec response time)
Input Sub-Module SFM SBM SVM EIM EIM Field Field Sensors Components August 23, 2018 Chapter 7 - Instrumentation and Controls 12
Diversity and Defense-in-Depth August 23, 2018 Chapter 7 - Instrumentation and Controls 13
Diversity and Defense-in-Depth (Cont.)
August 23, 2018 Chapter 7 - Instrumentation and Controls 14
Simplicity
- The I&C architecture and systems incorporate the fundamental design principles with an overall focus on simplicity
- Simple RTS/ESFAS functions
- No closed/open loop control
- All safety-related functions are de-energize to actuate August 23, 2018 Chapter 7 - Instrumentation and Controls 15
Non-Safety-Related Systems Segmentations
- Segmentation of the MCS and PCS ensures that a failure of these systems does not adversely affect the MPS functions
- This segmentation prevents any multiple failures resulting in spurious actuations or situations which put the plant in an unanalyzed condition
- Staff audited the technical basis of the segmentation analyses for both the MCS and the PCS August 23, 2018 Chapter 7 - Instrumentation and Controls 16
Exemption Three aspects to acceptance of exemption
- Built-in Diversity of the MPS
- ATWS Response Bounded by Plant Design and Chapter 15 analysis
- ATWS contribution to CDF is well below the target CDF 1x10-5/reactor year August 23, 2018 Chapter 7 - Instrumentation and Controls 17
ACRS Comments from NuScale Chapter 8 SC Meeting 24-hour timers
- 24-hour timers are part of the MPS boundary
- Powered by the non-safety-related EDSS MPS Undervoltage Design Feature
- Upon voltage degradation conditions, the MPS fails into a safe state Source: DCD Tier 2, Figure 7.1-1ai: Loss of AC Power to ELVS 24 Hour Timers Division I August 23, 2018 Chapter 7 - Instrumentation and Controls 18
Conclusion
- The approach of DSRS Chapter 7 resulted in:
- A simple I&C architecture and the HIPS design, which are based on the fundamental design principles
- A completion of safety evaluation in an efficient and effective manner (safety-focused)
- The staff finds the I&C design to be safe and that it complies with applicable regulatory requirements August 23, 2018 Chapter 7 - Instrumentation and Controls 19
- ACRS: Advisory Committee on Reactor
- EDSS: highly reliable direct current Safeguards power system
- ASAI: application-specific action item
- EIM: equipment interface module
- ATWS: anticipated transient without
- ESFAS: engineered safety features
- CCF: common-cause failure actuation system
- CDF: core damage frequency
- ESFRA: enhanced safety-focused
- CM: communications module review
- COMS: communication systems
- EQ: environmental qualification
- D3: diversity and defense-in-depth
- HIPS: highly integrated protection
- DBC: digital-based CCF system
- DCD: design control document
- I&C: instrumentation and control
- DCIP: Division of Construction Inspection and Operational Programs
- ICIS: in-core instrumentation system
- DLSE: Division of Licensing, Siting and
- ITAAC: Inspections, Tests, Analyses, Environmental Analysis and Acceptance Criteria
- DSRA: Division of Safety Systems and
- MCS: module control system Risk Assessment
- MPS: module protection system
- DSRS: design-specific review standard
- NRC: U.S. Nuclear Regulatory
- DSS: division of safety systems Commission August 23, 2018 Chapter 7 - Instrumentation and Controls 20
- NMS: neutron monitoring system
- SDIS: safety display and indication
- NRO: Office of New Reactors system
- NRR: Office of Nuclear Regulation
- SER: safety evaluation report
- NSIR: Office of Nuclear Security and
- SVM: scheduling and voting module Incident Response
- TeR: technical report
- NuScale: NuScale Power, LLC
- TMI: Three Mile Island
- PAMS: postaccident monitoring system
- PCS: plant control system
- PPS: plant protection system
- QA: quality assurance
- RAI: request for additional information
- RES: Office of Nuclear Regulatory Research
- RTS: reactor trip system
- RM: fixed area radiation monitoring
- SBM: scheduling and bypass module
- SC: subcommittee
- SFM: safety function module August 23, 2018 Chapter 7 - Instrumentation and Controls 21
Backup Slide August 23, 2018 Chapter 7 - Instrumentation and Controls 22
Exemption
- 10 CFR 50.34(f)(2)(xx) specifies power provisions for pressurizer relief valves, block valves, and level indicators
- Staff finds pressurizer level instrumentation is not necessary to maintain natural circulation cooling August 23, 2018 Chapter 7 - Instrumentation and Controls 23
Notes:
Note 1: MPS, SDIS, and PPS will provide separated, optically isolated, unidirectional data to MCS and PCS (read-only data).
NuScale Nonproprietary Note 2: Refueling neutron monitors will have normal connection to PCS during specific refueling operations. Other module instruments for refueling, which would have normal connections to MCS or PCS, are to be determined.
Note 3: Includes individual component operation originating from MCS to MPS or PCS to PPS through enable nonsafety control switch.
Note 4: MPS and PPS DIV II internals are the same as DIV I internals.
Note 5: Temporary MPS and PPS Maintenance Workstation communications are one-way, receive only and manually initiated to one Main Control Room (MCR) channel at a time while at power.
Note 6: Individual HWMs used for each separation group and division to maintain signal separation. All inputs to the HWMs are isolated.
Remote Shutdown Station (RSS) MCR Safety MCR Module MCR Common MCR Reactor Note 7: Separation Groups A & C are physically separated from B & D. Only Separation Group A is shown connected.
Display and Control System Systems Panel Operator Radioactive Waste Building Control Room (RWBCR) Note 8: MPS MWS DIV II is associated with Separation Groups B & D. MWS & Gateway Server are nonsafety-related.
Remote Shutdown Indication Operator Workstation Workstation (3)
MCS Note 9: Isolation switches to isolate MCR manual reactor trip, ESFAS actuation, overrides, and the enable nonsafety control switches Station (RSS) Monitors (13) Workstation (12)
Liquid/Solid/ for all modules.
PCS PCS MCS Gaseous Radwaste Note 10: Safety-related manual switches in the MCR include RTS and ESFAS actuation, operational bypasses and overrides, and the Power DIV I PCS PCS PCS Power HSI MCS PCS Safety Monitoring enable nonsafety control switches.
Operations SDI MCS Operations Network PCS Note 11: All MIB-CM and CTB-CM outputs and inputs are isolated (isolation not shown).
HSI Network MCS MCS HSI HSI Network DIV II Network PCS Radwaste Note 12: Each divisional MPS Gateway (nonsafety-related) also has inputs from the other 3 separation groups and RTS II and ESFAS II.
Safety Handling Note 13: The backplane (not explicitly shown) supports bi-directional communication between SFMs and SBMs and between SFMs and SDI MCS MCS HSI MIB CM.
Shift Technical Advisor PCS Network Note 14: PPS EIM only receives information and does not transmit information on the safety data bus.
PCS Workstation Safety PCS PCS PCS Note 15: Bidirectional communication exists in the backplane between SFMs and SBMs, between SFMs and MIB CM, and between Power PCS Manual Safety SBMs and MIB CM.
Operations Power Isolation Manual PCS PCS Note 16: MPS EIM only receives information from the SVM and does not transmit information on the safety data bus. Bidirectional Nonsafety PCS PCS PCS HSI Network Operations Technical Support Center Switches Switches communication exists in the backplane between EIMs and MIB CM and between SVMs and MIB CM.
Manual HSI Network (Note 9) (Note 10)
` TSC Engr. Plant Domain To Corporate/Business Workstation Plant Online Monitoring / Controller / Historian Network PCS Emergency Response Data Server MCR Control Room Power MCS/PCS Supervisor (CRS) Operations MCR Shift Manager Workstation HSI Network Workstation PCS PCS Bidirectional Firewall PCS PCS PCS PCS Power PCS PCS PCS PCS Power Operations Operations Plant Network HSI Network HSI Network SDI HUB Plant Control (Note 1) System (PCS)
PCS Meteorological & Radwaste Power PCS Unidirectional (Note 11) Safety Systems Nonsafety Systems Environmental Handling Operations Data Diode Accident Monitoring HSI HSI Network Module Protection System (MPS) Plant Protection System (PPS) PCS Domain Controller Monitoring Network (MCR & RSS)
(Note 9) and Historian Instrumentation DIV II (Note 4) Seismic (MCR & RSS)
SDI HUB DIV I DIV I DIV II Monitoring MPS GATEWAY DIV II CTB Separation Group A, Separation Group B & D MCS C, & DIV I MWS TO CTB CM Neutron Separation Group A & C (Note 7)
CTB MCR DIV II (Note 4) (Note 11)
Monitoring Plant Control System (PCS) Control Network (Note 13) MWS System DIV I MIB CM (Note 11) SFM TO Plant Video Fire Safety Related SC/TD DIV II RTS SDB3 SVM (Notes 5 & 8) (Note 1) MCR PCS Local PCS I/O SC/TD SFM SBM SD3 Monitoring Protection Instrumentation DIV II ESFAS SDB3 SVM I/O Network SBM SD2 System System (Note 4)
SBM SD1 DIV II RTS SDB2 SVM MIB CM SDI HUB Hard-wired Modules DIV II ESFAS SDB2 SVM MPS GATEWAY DIV I (HWM) (Note 15) DIV I Shared Plant Nonsafety (Note 12) SDI HUB DIV II RTS SDB1 SVM Components Trip/Bypass DIV II ESFAS SDB1 SVM DIV II Accident (Note 6) NMS-refuel (Note 2)
Monitoring DIV II Instruments Instrumentation DIV I Hard-wired B CD B CD B CD DIV I RTS B CD B CD B C D DIV I ESFAS Hard-wired Modules (HWM) Modules (HWM) (Note 14) Bidirectional nonsafety OP Bypass OP Bypass SBM3 SBM2 SBM1 control communications Manual Trip SDB1 SDB2 SDB3 SDB1 SDB2 SDB3 Manual Actuation EIM DIV II (Note 4)
Enable NS SVM SVM SVM SVM SVM SVM Enable NS DIV I (Notes 3 & 6)
Priority ISO (Notes 3 & 6) Logic Manual Hard-wired (APL) Modules (HWM) Control Module Control (Note 16) (Note 16) Trip/Bypass (PCS)
(Note 3)
Enable NS MCS Domain Network (Notes 3 & 6) (MCR & RSS) Controller and MPS Chassis Manual Historian (MCR & RSS) MCS Backplane RTS I EIM RTS I - MIB CM ESFAS I EIM ESFAS I - MIB CM Actuation Unidirectional connections Priority Priority (Note 11) (Note 11) Data Diode Logic (APL) Logic (APL)
Typical (12)
Reactor Trip MPS ESFAS MPS SPARE SPARE GATEWAY Components GATEWAY Breakers DIV II DIV II DIV II Module Control System (MCS) Control Network DIV I (Note 1)
CRH/CRV MCS I/O Process Monitoring Accident Monitoring Network Components MCS Instrumentation Instrumentation Local MCS (Note 9) I/O I/O Module Specific Nonsafety Components For protection system interconnecting lines Solid lines indicate continuous connections, dashed lines indicate temporary Accident connections. Network line arrows indicate one way communication direction. Monitoring Internal data (Safety Data Bus) Instrumentation Internal diagnostic and parameter data (Monitoring and Indication Bus)
Internal discrete signal External unidirectional data External discrete or data NuScale Nonproprietary