ML18247A186
ML18247A186 | |
Person / Time | |
---|---|
Site: | NuScale |
Issue date: | 09/04/2018 |
From: | Rad Z NuScale |
To: | Document Control Desk, Office of New Reactors |
References | |
LO-0918-61648 | |
Text
LO-0918-61648
September 4, 2018
Docket No. 52-048
U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report, Section 7.0, Instrumentation and Controls - Introduction and Overview, and Section 7.1, Fundamental Design Principles
REFERENCE:
Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, Revision 1, dated March 15, 2018 (ML18086A090)
During the ACRS NuScale Subcommittee meeting held on August 23, 2018, NuScale Power, LLC (NuScale) discussed potential updates to Final Safety Analysis Report (FSAR) sections related to isolation of distributed control systems. After this meeting, NuScale also discussed a separate potential FSAR update with the NRC staff related to a clarification of plant impacts associated with postulated failures of RCS flow sensors. As a result of these discussions, NuScale changed the relevant parts of FSAR Section 7.0 and Section 7.1. The Enclosure to this letter provides a mark-up of the FSAR pages incorporating revisions to these sections in redline/strikeout format. NuScale will include this change as part of a future revision to the NuScale Design Certification Application.
This letter makes no regulatory commitments or revisions to any existing regulatory commitments.
If you have any questions, please feel free to contact Paul Infanger at 541-452-7351 or at pinfanger@nuscalepower.com.
Sincerely,
Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC
Distribution:
Samuel Lee, NRC, OWFN-8G9A
Gregory Cranston, NRC, OWFN-8G9A
Omid Tabatabai, NRC, OWFN-8G9A
Enclosure:
Changes to NuScale Final Safety Analysis Report Sections 7.0, Instrumentation and Controls - Introduction and Overview, and 7.1, Fundamental Design Principles
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
NuScale Final Safety Analysis Report, Instrumentation and Controls - Introduction and Overview
including chemical, utility, and support process systems to the NPM. The MCS is part of the nonsafety-related network and includes the associated network equipment and appurtenances necessary for network communication.
The MCS provides component-level control and monitoring of safety-related components that are specific to an NPM. The monitoring of the safety-related components is achieved by receiving one-way communications from the MPS to the MCS through isolated one-way communication ports on the MIB communication module. The controls of the ESF components by the MCS are manual component-level manipulations used for maintenance, testing, or aligning the components following refueling or actuation and not for safety-related purposes. The control signal from the MCS is hard-wired and sent through a qualified isolation device through the HWM to the EIM in the MPS, which contains priority logic that requires a safety-related enable signal prior to allowing control of the device from the MCS.
Figure 7.0-17 represents the MCS internal functions and external interfaces.
The boundary of the MCS is at the terminations on the MCS hardware. The MCS supplies nonsafety-related inputs to the HSIs for nonsafety displays in the MCR, the remote shutdown station, and other locations where MCS HSIs are necessary. There are two boundaries between MCS and MPS, the fiber-optic isolated portion and the HWM boundary. The MCS has a direct, bi-directional interface with the PCS. The network interface devices for the MCS domain controller/historian provide the interface between the human machine interface (HMI) network layer and the control network layer. A ~~uni-directional, firewalled connection~~ one-way deterministic isolation device between the connection from the MCS to the plant network is provided.
The MCS uses logic processing in the cases where redundant input/output channels are used. Some logic supports the redundant-channel architecture used by the MPS, while other logic directly supports the process systems. The logic processing of multiple channels can include two, three, or four input signals.
RAI 01-61 COL Item 7.0-1: A COL applicant that references the NuScale Power Plant design certification is responsible for demonstrating the stability of the NuScale Power Module during normal and power maneuvering operations for closed-loop module control system subsystems that use reactor power as a control input.
The NuScale power plant normal operation and power maneuvering control functions are provided by the following MCS functions for each NPM:
- turbine trip, throttle and governor valve control
- turbine bypass valve control
- feedwater pump speed control
- feedwater regulating valve control
- pressurizer pressure control
Tier 2 7.0-16 Draft Revision 2
The boundary of the PCS is at the terminations on the PCS hardware. The PCS supplies nonsafety inputs to the HSIs for nonsafety displays in the MCR, the remote shutdown station, and other locations where PCS HSIs are necessary. The boundary between the PPS and PCS is at the output connection of the optical isolators in the PPS. The PCS has a direct, bi-directional interface with the MCS. The network interface devices for the PCS domain controller/historian provide the interface between the HMI network layer and the control network layer. A ~~uni-directional, firewalled connection~~ one-way deterministic isolation device between the connection from the PCS to the plant network is provided.
The PCS uses logic processing in the cases where redundant input/output channels are used. Some logic supports the redundant-channel architecture used by the PCS, while other logic directly supports the process systems. The logic processing of multiple channels can include two, three, or four input signals.
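The interface directions described above for the MPS, MCS, PCS and plant network can be written down as a directed allow-list and checked against captured packet records. The following is an added example, not part of the NuScale submittal: the subnets, zone labels, record format and function names are all constructed for illustration, and a one-way interface is modelled strictly, so that any packet in the reverse direction is reported.

```python
import ipaddress

# Constructed addressing plan: the page names the systems but gives no addresses.
ZONES = {
    "MPS": ipaddress.ip_network("10.10.0.0/24"),
    "MCS": ipaddress.ip_network("10.20.0.0/24"),
    "PCS": ipaddress.ip_network("10.30.0.0/24"),
    "PLANT": ipaddress.ip_network("10.90.0.0/24"),
}

# Directed (source, destination) pairs the text describes as carrying data.
# MCS -> MPS is absent on purpose: the text describes that control path as
# hard-wired through an isolation device, not as network traffic.
ALLOWED = {
    ("MPS", "MCS"),    # one-way ports on the MIB communication module
    ("MCS", "PCS"),    # direct, bi-directional interface
    ("PCS", "MCS"),
    ("MCS", "PLANT"),  # one-way isolation device
    ("PCS", "PLANT"),  # one-way isolation device
}


def zone_of(addr):
    """Map an address to its zone name, or None if it is in no known zone."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flows(lines):
    """Return (line_no, src_zone, dst_zone, reason) for each violating record."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            src, dst = zone_of(fields[0]), zone_of(fields[1])
        except (IndexError, ValueError):
            findings.append((n, None, None, "malformed"))
            continue
        if src is None or dst is None:
            findings.append((n, src, dst, "unknown-zone"))
        elif src == dst or (src, dst) in ALLOWED:
            continue
        elif (dst, src) in ALLOWED:
            # One-way is modelled strictly: even a reply packet counts.
            findings.append((n, src, dst, "reverse-of-one-way"))
        else:
            findings.append((n, src, dst, "no-interface"))
    return findings


# Constructed sample records: source address, destination address, protocol, port.
SAMPLE = """\
# src dst proto dport
10.10.0.5 10.20.0.8 udp 5000
10.20.0.8 10.30.0.4 tcp 4840
10.30.0.4 10.20.0.8 tcp 4840
10.20.0.9 10.90.0.2 udp 6000
10.90.0.2 10.20.0.9 tcp 6000
10.20.0.8 10.10.0.5 udp 5000
10.10.0.5 10.90.0.2 udp 5000
192.0.2.7 10.30.0.4 tcp 22
""".splitlines()

if __name__ == "__main__":
    for finding in check_flows(SAMPLE):
        print(finding)
```

A rule set that admits return traffic for an established session would pass the record on line 6 of the sample; the strict model reports it.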
7.0.4.6.1 Plant Control System Segmentation
Segmentation is used in the PCS control architecture to provide functional independence between major control functions. The segmentation is a key defensive preventive measure against a failure in one controller group from causing an undesirable condition in another controller group. Preventive and limiting measures are determined by a susceptibility analysis that considers malfunctions and spurious actuations, as set forth in NRC DI&C-ISG-04, Section 3.1, staff position 5. The purpose of the susceptibility analysis is to identify control groups that may lead to the following effects:
- reactivity addition
- primary coolant pressure increase or decrease
- primary coolant temperature increase or decrease
- primary coolant level increase or decrease
- radioactive material release to the environment
The PCS control architecture is separated into multiple control segments based on their functions. The major PCS control segment subject to a coping analysis is described below. This segment has a direct impact on the effects listed above and serves functions relating to protection of plant assets, human habitability, and radioactivity control as follows:
- EHVS, EMVS, and ELVS Segment
The EHVS, medium voltage AC electrical distribution system (EMVS), and ELVS use the same segment of the PCS for automatic and remote control functions. For the EHVS, the PCS controls each breaker except for the breaker that connects the turbine generator to the off-site customer loads.
7.0.4.6.2 Postulated digital-based Common Cause Failure Evaluation of the Plant Control System
Evaluation of Digital-Based CCFs of the EHVS, EMVS, and ELVS Segment of the PCS
Tier 2 7.0-26 Draft Revision 2
Figure 7.0-1: Overall Instrumentation and Controls System Architecture Diagram
Tier 2 7.0-41 Draft Revision 2
NuScale Final Safety Analysis Report, Fundamental Design Principles
The affected variables are pressurizer pressure and wide-range RCS pressure. A failed high signal affecting the four sensors for the affected variables can result in a spurious reactor trip, CNTS isolation, DHRS actuation, CVCS isolation, and pressurizer heater trip.
Failed high signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, CVCS isolation, and pressurizer heater trip, the MCS response to four incorrect sensor values has no further impact. The automatic MCS response to a rise in pressure is to use pressurizer spray; however, with the isolation of the CVCS, pressurizer spray is unavailable.
Failed As-Is
The affected variables are pressurizer pressure and wide-range RCS pressure. The failed as-is condition for the four sensors of each affected variable does not result in spurious actuations; however, it can prevent initiation of protective actions if a DBE were to occur. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
Digital-Based CCF of Flow Measurement Function Type
A digital-based CCF of flow measurement function type for Sensor Block I (Figure 7.1-13) causes
- spurious actuations from MPS
- incorrect information provided to SDIS
- incorrect information provided to MCS
Failed Low Signal
The affected variable is RCS flow. A failed low signal for the four channels results in a spurious demineralized water system (DWS) isolation and CVCS isolation. There is no further impact associated with a failed low signal.
Failed High Signal
The affected variable is RCS flow. A failed high signal for the four channels does not result in spurious actuations; however, the safety blocks would be unable to identify a low RCS flow condition and the operator would have incorrect information.
Failure to identify a low RCS flow condition failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
Failed As-Is
The affected variable is RCS flow. The failed as-is condition for the four channels does not result in spurious actuations; however, it can prevent initiation of protective actions if a DBE were to occur. The failed as-is condition can prevent initiation of protective actions based on low flow conditions; however, the RCS flow sensor is not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2 and Table 7.1-18. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
7.1.5.1.7 Guideline 7 - Use of Identical Hardware and Software Modules
The digital-based flow and pressure measuring system function type found in Sensor Block I and II are considered to be identical. The other blocks are considered to be independent such that a postulated digital-based CCF is limited to a block.
Diversity attributes within and between blocks are discussed in Section 7.1.5.1.2.
7.1.5.1.8 Guideline 8 - Effect of Other Blocks
The blocks are assumed to function correctly in response to inputs that are correct or incorrect.
7.1.5.1.9 Guideline 9 - Output Signals
Figure 7.1-14 identifies in general terms the direction of information or signals between blocks. The following sections describe how the I&C architecture prevents errors from propagating backwards into the output of a previous block.
Safety Blocks I and II
The information from Safety Block I and II to SDIS blocks are through optically isolated transmit-only communication ports as described in Section 7.0.4.1 and Section 7.1.2.3. Signals from the manual control blocks to safety blocks are physical switch contacts that cannot be automatically changed by a digital-based CCF in the safety blocks.
The communication between safety blocks is for
- data sent from Separation Group A and C to Division II MPS Gateway.
- data sent from Separation Group B and D to Division I MPS Gateway.
The four separation groups are independent and redundant; however, for the purposes of the D3 assessment, the separation groups were grouped into safety blocks according to the FPGA architecture used. Communications from the separation groups to both divisions of RTS and ESFAS are through optically isolated, transmit-only communication ports. Data sent from the separation groups to either division of the MPS gateway are through optically isolated, transmit-only
Tier 2 7.1-37 Draft Revision 2
- spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, ECCS actuation, demineralized water system isolation, and pressurizer heater trip
- spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation
- 4) Potential digital-based CCF of pressure measuring system function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):
  - spurious reactor trip, DHRS actuation, CVCS isolation, demineralized water system isolation, and pressurizer heater trip
  - spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, demineralized water system isolation, and pressurizer heater trip
  - Type 3 failure for the digital-based pressure measuring system function type sensors
- 5) Potential digital-based CCF of flow function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):
  - spurious reactor trip, demineralized water system isolation, and CVCS isolation
  - Type 3 failure of flow function type sensors (See Item 6 and 7 below)
- 6) Type 3 failures of digital sensors may lead to failure of MPS to initiate protective action(s) during AOOs and ~~PAs~~ postulated accidents. Table 7.1-18 identifies the digital sensors credited for AOOs and ~~PAs~~ postulated accidents that were addressed with a D3 coping analysis. A failure of two of the four MPS separation groups that leads to the spurious initiation of a protection action or combination of protective actions was evaluated by the D3 coping analysis using best-estimate methods. While there are a very large number of possible actuation combinations, the analysis of these events can be simplified without addressing each possible combination specifically.
The D3 coping analysis determined that the spurious actuation of containment system isolation due to a digital-based CCF is the bounding analysis with regard to the reactor coolant pressure boundary integrity. Concurrent actuations of any combination of RTS, DHRS or PZR heater trip have been evaluated to be less limiting due to the additional heatup effects on the delay of reactor trip, DHRS actuation valve opening or PZR heaters being tripped off.
CSI actuation includes CVCSI actuation which increases the heatup event slightly and negates any possible effects of DWSI actuation. The consequences of a digital-based CCF that leads to spurious initiation of any combination of MPS protective actions at normal operating pressure and temperature are bounded by the existing inadvertent DHRS analysis.
A postulated digital-based CCF affecting digital-based sensors that lead to a partial spurious initiation of protective actions at normal operating pressure and temperature is bounded by the existing plant safety analyses described in Chapter 15 or have no immediate impact and are non-limiting events.
Tier 2 7.1-42 Draft Revision 2
7.1.5.2.2 Results of Coping Analyses for Postulated Digital-Based Common Cause Failure Vulnerability
As identified in Section 7.1.5.2.1, several postulated digital-based CCF vulnerabilities were identified that required a coping analysis to verify the consequences for the digital-based CCF were acceptable. For the AOOs and ~~PAs~~ postulated accidents identified in Table 7.1-18, the events were analyzed with postulated digital-based CCFs of the identified sensors that are relied upon and credited for the event in question. The results of the coping analysis concluded the AOO and postulated accident acceptance criteria were met. For the postulated spurious actuations analyzed, none resulted in a plant response or consequence that created conditions which were not bounded by the plant safety analysis described in Chapter 15. As a result, no additional coping strategies have been identified for prevention or mitigation of the postulated spurious actuations analyzed.
The acceptance criteria for the coping analysis is to demonstrate a ~~SCCF~~ digital-based CCF of a credited signal and all sensors of the same type, concurrent with a DBE does not violate the integrity of the primary coolant pressure boundary, or result in radiation release exceeding 10 percent of 10 CFR 100 dose limits for AOOs and 100 percent of 10 CFR 100 dose limits for postulated accidents. The analysis summary is provided below for the flow and pressure safety-related digital-based sensors.
High Pressurizer Pressure
The plant safety analyses described in Chapter 15 credit high PZR pressure for detection and mitigation of heatup and reactivity excursion DBEs. The best-estimate transient analysis performed concluded that credit for the pressure mitigating effect of the PZR spray system would exclude the high pressure trip from being the primary credited signal. Even if the spray was insufficient to mitigate the pressure response, the result would be the lifting of a reactor safety valve.
There are two reactor safety valves each of which are sized to relieve the pressure generated by a total loss of secondary cooling without credit for a reactor trip. The D3 coping analysis concluded that a conservative postulated heatup event that did not trip on high pressure would not violate the RCS pressure boundary integrity due to the sizing of the reactor safety valves.
For the events described in Chapter 15 and listed in Table 7.1-18 that result in a high RCS pressure condition, the analyses conservatively do not take credit for normal pressurizer spray control. In the secondary plant events that result in the loss of main steam flow, the high main steam pressure signal is credited to generate reactor trip and DHRS actuations in addition to the high PZR pressure. In the case of the loss of feedwater and feedwater line break events, the high RCS hot temperature is a diverse signal. Therefore, sufficient signal diversity exists such that postulated digital-based CCFs of the high pressurizer pressure function are bounded by the plant safety analyses in Chapter 15. In most of these event scenarios, the best estimate analysis determined that the plant response would not
Tier 2 7.1-43 Draft Revision 2
Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences and Postulated Accidents (Continued)
Category 4 Events: For the design basis events listed below, while the deterministic plant safety analyses described in Chapter 15 credit the function provided by the digital-based sensors that are subject to a CCF; however, the evaluation of the plant response for these events using best-estimate analysis methods determined that the plant response does not progress to the point where the digital-based sensor is relied upon to provide required protection. In these events, other sensors that do not use digital-based technology and are not subject to a digital-based CCF provide the required safety function and the FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function (note 2).
Design Basis Event | Signals Credited in Plant Safety Analysis Described in Chapter 15 | Signals Credited in D3 Best-Estimate Coping Analysis | Comments |
---|---|---|---|
Control Rod Misoperation | high power range linear power; high RCS hot temperature; high PZR pressure (digital-based); high power range negative rate (control rod drop) | high power range linear power; high RCS hot temperature; high power range negative rate (control rod drop) | Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
Inadvertent Operation of Emergency Core Cooling System (ECCS) | high CNV pressure; low RPV water level (note 1) | high CNV pressure; low RPV water level (note 1) | Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
Failure of Small Lines Carrying Primary Coolant Outside Containment | low PZR level (see note 1); low PZR pressure (digital-based) | low PZR level (see note 1) | Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
Instability Events | high RCS hot temperature; low pressurizer level (note 1); low PZR pressure (digital-based) | high RCS hot temperature; low pressurizer level (note 1) | Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
Note 1: The digital-based level measurement function incorporates equipment diversity between sensor blocks I and II such that a postulated CCF of the digital-based level measurement function is limited to one sensor block only. Since the other sensor block remains functional, sufficient diversity exists for those functions that rely on the digital-based level measurement function, see Section 7.1.5.1.2.
Note 2: The design basis for the digital-based RCS flow sensors in the plant safety analysis described in Section 15.4.6 is to ensure minimum RCS flow rates exist during dilution events to ensure proper mixing within the RCS; therefore, the RCS flow sensors are not included in Table 7.1-18 as they are not relied upon for detection or mitigation of AOOs or ~~PAs~~ postulated accidents as described in Section 7.1.5.2. The plant safety analysis credits the high subcritical multiplication protective function for detection and mitigation of an uncontrolled RCS dilution. Best-estimate analysis of this event concludes the event is non-limiting and does not rely on the digital-based RCS flow sensor to function. The consequences of RCS flow stagnation or reversal during low power conditions are addressed in NuScale Power, LLC topical report, Non-Loss-of-Coolant Accident Analysis Methodology, TR-0516-49416. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.
Tier 2 7.1-91 Draft Revision 2