ML19073A331
| ML19073A331 | |
| Person / Time | |
|---|---|
| Site: | NuScale |
| Issue date: | 03/14/2019 |
| From: | Rad Z NuScale |
| To: | Document Control Desk, Office of New Reactors |
| References | |
| LO-0319-64751 | |
| Download: ML19073A331 (48) | |
Text
LO-0319-64751 March 14, 2019 Docket No.52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Submittal of Changes to Part 2, NuScale Final Safety Analysis Report, Part 4, Technical Specifications and Part 7, Exemptions
REFERENCES:
Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, Revision 2, dated October 30, 2018 (ML18311A006)
During a February 27, 2019 public teleconference with NRC staff, NuScale Power, LLC (NuScale) discussed RAI 9612 and the NuScale passive safety approach to meeting the remote shutdown requirements of General Design Criterion (GDC) 19. During that discussion NuScale clarified the role of the Remote Shutdown System and indicated Final Safety Analysis Report (FSAR), Chapter 7, Instrumentation and Controls would be updated to reflect the passive safety approach.
A subsequent call with Getachew Tesfaye of the NRC staff was held to explain that in addition to the Chapter 7 update, NuScale intended to update DCA Part 7, Exemptions, to include a request for exemption from GDC 19. GDC 19 will be replaced with a NuScale-specific principal design criterion (PDC) 19, based on the passive safety aspects of the NuScale design,that clarifies the required capability for remote safe shutdown. As documented in the exemption request, NuScale believes a requirement for safe shutdown with passive cooling fulfills the intent of the remote shutdown portion of GDC 19 and is consistent with NRC guidance.
The Enclosure to this letter provides a mark-up of the pages incorporating revisions to affected sections, in redline/strikeout format. NuScale will include this change as part of a future revision to the NuScale Design Certification Application.
This letter makes no regulatory commitments or revisions to any existing regulatory commitments.
If you have any questions, please feel free to contact Carrie Fosaaen, Licensing Project Manager at 541-542-7126 or cfosaaen@nuscalepower.com if you have any questions.
Sincerely, Zackary W. Rad Director, Regulatory Affairs NuScale Power, LLC Distribution: Samuel Lee, NRC, OWFN-8H12 Gregory Cranston, NRC, OWFN-8H12 Getachew Tesfaye, NRC, OWFN-8H12 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
LO-0319-64751 Page 2 of 2 03/14/2019
Enclosure:
Changes to Part 2, NuScale Final Safety Analysis Report, Part 4, Technical Specifications and Part 7, Exemptions:
Part 2 - Tier 2 - Section 1.2, General Plant Description Part 2 - Tier 2 - Section 1.9, Conformance with Regulatory Criteria Part 2 - Tier 2 - Section 3.1, Conformance with U.S. Nuclear Regulatory Commission General Design Criteria Part 2 - Tier 2 - Section 5.4, Reactor Coolant System Component and Subsystem Design Part 2 - Tier 2 - Section 6.4, Control Room Habitability Part 2 - Tier 2 - Section 7.0, Instrumentation and Controls - Introduction and Overview Part 2 - Tier 2 - Section 7.1, Fundamental Design Principles Part 2 - Tier 2 - Section 7.2, System Features Part 2 - Tier 2 - Section 9.4.1, Control Room Area Ventilation System Part 2 - Tier 2 - Section 9.5.1, Fire Protection Program Part 2 - Tier 2 - Section 9.5.2, Communication System Part 2 - Tier 2 - Section 11.5, Process and Effluent Radiation Monitoring Instrumentation and Sampling System Part 2 - Tier 2 - Section 12.3, Radiation Protection Design Features Part 2 - Tier 2 - Section 14.3, Certified Design Material and Inspections, Tests, Analyses, and Acceptance Criteria Part 4 - Technical Specifications - Section B3.3, Instrumentation Bases Part 4 - Technical Specifications - Section B3.4, Reactor Coolant System Bases Part 7 - Exemptions - Section 17, 10 CFR 50, Appendix A, Criterion 19, Control Room NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
LO-0319-64751
Enclosure:
Changes to Part 2, NuScale Final Safety Analysis Report, Part 4, Technical Specifications and Part 7, Exemptions:
Part 2 - Tier 2 - Section 1.2, General Plant Description Part 2 - Tier 2 - Section 1.9, Conformance with Regulatory Criteria Part 2 - Tier 2 - Section 3.1, Conformance with U.S. Nuclear Regulatory Commission General Design Criteria Part 2 - Tier 2 - Section 5.4, Reactor Coolant System Component and Subsystem Design Part 2 - Tier 2 - Section 6.4, Control Room Habitability Part 2 - Tier 2 - Section 7.0, Instrumentation and Controls - Introduction and Overview Part 2 - Tier 2 - Section 7.1, Fundamental Design Principles Part 2 - Tier 2 - Section 7.2, System Features Part 2 - Tier 2 - Section 9.4.1, Control Room Area Ventilation System Part 2 - Tier 2 - Section 9.5.1, Fire Protection Program Part 2 - Tier 2 - Section 9.5.2, Communication System Part 2 - Tier 2 - Section 11.5, Process and Effluent Radiation Monitoring Instrumentation and Sampling System Part 2 - Tier 2 - Section 12.3, Radiation Protection Design Features Part 2 - Tier 2 - Section 14.3, Certified Design Material and Inspections, Tests, Analyses, and Acceptance Criteria Part 4 - Technical Specifications - Section B3.3, Instrumentation Bases Part 4 - Technical Specifications - Section B3.4, Reactor Coolant System Bases Part 7 - Exemptions - Section 17, 10 CFR 50, Appendix A, Criterion 19, Control Room NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
NuScale Final Safety Analysis Report General Plant Description
- three offices
- two conference rooms
- data equipment room
- lavatories
- data maintenance room
- break room Additional equipment located in the CRB includes the control room HVAC system (CRVS) equipment, the chilled water system equipment supporting the CRVS, and an elevator machine room.
1.2.2.2.1 Main Control Room The MCR contains control panels for all installed NPMs. Each reactor operator monitors and controls multiple NPMs from a control room panel. Figure 18.7-1 provides the layout for the MCR.
Digital control systems are implemented in a manner that provides independence between safety-related protection systems and nonsafety-related control systems.
Each reactor control system display provides the monitoring for a specific reactor.
Additional display stations, including a separate display for shared plant systems, provide control room operators with access to a wide range of plant information for trending and diagnostics.
The reactor operators monitor the automated control system for each NPM. The MCR contains all alarms, displays, and controls for effective monitoring and control by the operators. The control room supervisor station provides an overview of all NPMs using multiple monitors. All monitor displays are designed using human factors analysis to enhance simplicity. The display layout and design uses graphical representations of plant systems and components.
The following monitoring and control activities are typical control room functions:
- initiate NPM startup
- initiate NPM shutdown
- set or correct selected set points that control the NPM or plant functions
- take corrective actions if an NPM or plant system does not operate as intended The MCR enhances supervisory control of the NPMs and plant systems by providing alarm annunciation on the plant group-view overview display monitor as part of the alarm management system. This system includes information from the individual NPMs via the MPS, the MCS, and the shared I&C systems common to all the NPMs. In the event that the MCR becomes uninhabitable, a remote shutdown station in the Reactor Building provides a secondary location for safe shutdown of the reactors.
Tier 2 1.2-15 Draft Revision 3
Table 1.9-3: Conformance with NUREG-0800, Standard Review Plan (SRP) and Design Specific Review Tier 2 NuScale Final Safety Analysis Report Standard (DSRS) (Continued)
SRP or DSRS Section, Rev: AC AC Title/Description Conformance Comments Section Title Status DSRS 5.4.2.2, Rev 0: Steam II.5 Steam Generator Tube Repair Conforms None. 5.4.1 Generator Program Methods DSRS 5.4.2.2, Rev 0: Steam II.6 Steam Generator Tube Preservice Conforms None. 5.4.1 Generator Program Inspection DSRS 5.4.2.2, Rev 0: Steam II.7 Periodic Tube Inspection and Testing Partially Conforms 5.4.1 Generator Program in Certified Design Technical Specifications DSRS 5.4.2.2, Rev 0: Steam II.8 Operational Programs Partially Conforms This acceptance criterion governs plant- 5.4.1 Generator Program specific programmatic activities that are the responsibility of the COL applicant referencing a certified design.
DSRS 5.4.2.2, Rev 0: Steam II.9 ITAAC Partially Conforms A portion of this acceptance criterion is 5.4.1 Generator Program applicable only to COL applicants.
SRP 5.4.6, Rev 4: Reactor Core All Various Not Applicable This SRP section and its acceptance criteria Not Applicable Isolation Cooling System (II.1 through II.10) apply only to BWRs.
1.9-85 (BWR)
DSRS 5.4.7, Rev 0: Decay Heat II.1 thru II.3 Various Conforms None. 5.4.3 Removal (DHR) System Responsibilities DSRS 5.4.7, Rev 0: Decay Heat II.4 GDC 5 Conforms None. 5.4.3 Removal (DHR) System Responsibilities DSRS 5.4.7, Rev 0: Decay Heat II.5 GDC 14 Not Applicable The DHRS is connected to the secondary Not Applicable Removal (DHR) System system and does not directly interface with Conformance with Regulatory Criteria Responsibilities the RCPB.
DSRS 5.4.7, Rev 0: Decay Heat II.6 GDC 19 ConformsDeparture None.The NuScale design supports an 5.4.3 Removal (DHR) System exemption from GDC 19. As described in Responsibilities Section 3.1.2, the design complies with a NuScale-specific principal design criterion (PDC) in lieu of this GDC.
DSRS 5.4.7, Rev 0: Decay Heat II.7 GDC 34 Departure The NuScale design supports an exemption 5.4.3 Draft Revision 3 Removal (DHR) System from the power provisions of GDC 34. As Responsibilities described in Section 3.1.4, the design complies with a NuScale-specific principal design criterion in lieu of this GDC.
Table 1.9-3: Conformance with NUREG-0800, Standard Review Plan (SRP) and Design Specific Review Tier 2 NuScale Final Safety Analysis Report Standard (DSRS) (Continued)
SRP or DSRS Section, Rev: AC AC Title/Description Conformance Comments Section Title Status DSRS 9.5.2, Rev 0: II.8 Compliance with GDC 2 Conforms None. 9.5.2 Communication Systems DSRS 9.5.2, Rev 0: II.9 Compliance with GDC 3 Conforms None. 9.5.2 Communication Systems DSRS 9.5.2, Rev 0: II.10 Compliance with GDC 4 Conforms None. 9.5.2 Communication Systems DSRS 9.5.2, Rev 0: II.11 Compliance with GDC 19 ConformsDeparture The NuScale design supports an exemption 9.5.2 Communication Systems from GDC 19. As described in Section 3.1.2, the design complies with a NuScale-specific principal design criterion (PDC) in lieu of this GDC. Design documents meet requirements of GPDC-19 for ensuring that communication equipment is provided at appropriate locations inside the control room with the capability to support all 1.9-129 normal and emergency operations, including intra-plant communications and plant to emergency facilities and off-site communication requirements even in the event of a single failure within a communication subsystem or the loss of the normal power source. The design addresses control room communications so that control room can maintain communications with site and offsite entities during normal Conformance with Regulatory Criteria and accident conditions.
DSRS 9.5.2, Rev 0: II.12 Compliance with Not Applicable This acceptance criterion is applicable only Not Applicable Communication Systems 10 CFR 73.45(e)(2)(iii), to licensees subject to 10 CFR 73.45 and the 10 CFR 73.45(g)(4)(i), and general performance requirements of 10 CFR 73.45(g)(4)(ii) 10 CFR 73.20. The NuScale design does not reprocess spent fuel or use or transport special nuclear material.
Draft Revision 3
Conformance with U.S. Nuclear Regulatory Commission General Design NuScale Final Safety Analysis Report Criteria Conformance or Exception The NuScale Power Plant design does not conform to GDC 18. The NuScale design supports an exemption from the criterion.
Relevant FSAR Chapters and Sections Chapter 8 Electric Power 3.1.2.10 Criterion 19-Control Room A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.
Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design approvals or certifications under part 52 of this chapter who apply on or after January 10, 1997, applicants for and holders of combined licenses or manufacturing licenses under part 52 of this chapter who do not reference a standard design approval or certification, or holders of operating licenses using an alternative source term under 50.67, shall meet the requirements of this except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent (TEDE) as defined in 50.2 for the duration of the accident.
Implementation in the NuScale Power Plant Design The NuScale design supports an exemption from the provisions of GDC 19. The following PDC has been adopted:
A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents.
Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent (TEDE) as defined in 10 CFR 50.2 for the duration of the accident.
Tier 2 3.1-14 Draft Revision 3
Conformance with U.S. Nuclear Regulatory Commission General Design NuScale Final Safety Analysis Report Criteria Equipment at appropriate locations outside the control room shall be provided with a design capability for safe shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe shutdown condition.
The NuScale Power main control room contains the instrumentation and controls necessary to operate the NPMs safely under normal conditions and to maintain them in a safe condition under accident conditions, including a LOCA. Adequate protection is provided to permit access and occupancy of the control room so that personnel do not receive a whole body dose greater than 5 rem.
Heating, ventilation, and air conditioning are normally provided to the main control room by the control room ventilation system. Redundant toxic gas detectors, smoke detectors, and radiation detectors are provided in the outside air duct, upstream of both the control room ventilation system filter units and the bubble tight outdoor air isolation dampers. Upon detection of a high radiation level in the outside air intake, the system is realigned so that 100 percent of the outside air passes through the control room ventilation system filter unit. When power is unavailable, or if high levels of radiation are detected downstream of the charcoal filtration unit, the control room ventilation system filter unit is stopped, the outside air intake is automatically isolated, and the bubble-tight isolation dampers are closed. Once the control room envelope dampers are closed, the control room envelope is maintained for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> by the control room habitability system.
The NuScale main control room (MCR) is designed with the ability to place the reactors in safe shutdown in the event of an MCR evacuation event, and for safe shutdown to be maintained without operator action thereafter. Prior to evacuating the MCR, operators trip the reactors, initiate decay heat removal and initiate containment isolation. These actions result in passive cooling that achieves safe shutdown of the reactors. Operators can also achieve safe shutdown of the reactors from outside the MCR in the MPS equipment rooms within the reactor building. Following shutdown and initiation of passive cooling from either the MCR or the MPS equipment rooms, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain safe shutdown condition. The design includes a remote shutdown station (RSS) for monitoring of the plant if the MCR is evacuated. There are no displays, alarms, or controls in the RSS credited to meet the requirements of principal design criterion (PDC) 19 as there is no manual control of safety-related equipment allowed from the RSS.The NuScale Power Plant design includes a remote shutdown station which has the necessary instrumentation and controls to maintain the NPM in a safe condition during hot shutdown and to bring the NPM to safe shutdown.
Conformance or Exception The NuScale Power Plant design departs from GDC 19 and supports an exemption from the criterion. The NuScale Power Plant design conforms to GPDC 19.
Relevant FSAR Chapters and Sections Section 5.4.3 Decay Heat Removal System Section 6.4 Control Room Habitability Tier 2 3.1-15 Draft Revision 3
NuScale Final Safety Analysis Report Reactor Coolant System Component and Subsystem Design The DHRS heat removal function does not rely on actuating ECCS. Any ECCS actuation after a DHRS actuation allows continued residual heat removal by both systems from the reactor core as described in Section 6.3.
Applicable 10 CFR 50 Appendix A, General Design Criteria and Other Design Requirements RAI 05.02.01.01-7 GDC 1, 2, and 4 - The DHRS is classified Quality Group B and is designed, fabricated, constructed, tested and inspected as Class 2 in accordance with Section III of the ASME BPVC and is designed, fabricated, and tested to the highest quality standards in accordance with Quality Assurance Program described in Chapter 17. The DHRS is designed to withstand the effects of natural phenomena without loss of capability to perform its safety function. The DHRS is designed to accommodate the effects of, and be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. The design of the Reactor Building structure, NPM operating bays, and location of the NPM within the operating bays provides protection from possible sources of external or internal generated missiles.
The DHRS is protected from pipe whip as described in Section 3.6.
GDC 5 - The DHRS does not share any active or passive components between individual NPMs necessary for performance of the DHRS safety functions. The NPMs share the reactor pool as the ultimate heat sink for removal of decay heat from the DHRS passive condensers. The shared Reactor Building and other structures are described in Chapters 1 and 3 and the reactor pool is described in Section 9.2.5. DHRS active components fail-safe on a loss of power. Therefore, shared power supplies between NPMs do not impact the capability of performing the DHRS safety functions.
GDC 14 - The DHRS is connected to the secondary system and does not directly interface with the RCPB. The SGs are described in Section 5.4.1 and the containment system piping coupling the DHRS to the SGs is described in Section 6.2.4. There are no other interfaces or shared components between the DHRS and the RCPB.
RAI 09.03.06-2S1 GPDC 19 - The DHRS is initiatedoperated from the control room, and is capable of prompt hotsafe shutdown of the reactor. The DHRS can also be initiated from outside the MCR in the MPS equipment rooms within the reactor building., including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown conditions. The DHRS is also actuated and monitored from an alternate shutdown location outside the control room. Once the reactor reaches safe shutdown conditions, non-safety systems are used to lower RCS temperature and pressure to the point the containment can be flooded with reactor pool water allowing the NPM to reach transition conditions using convection and conduction heat transfer.
RAI 09.03.06-2S1 PDC 34 (refer to Section 3.1 for the definition of PDC 34)- The DHRS is a passive design that utilizes natural circulation flow from the SGs to dissipate residual and decay core heat to the reactor pool. The DHRS consists of two independent trains each capable of performing the system safety function in the event of a single failure. The DHRS Tier 2 5.4-17 Draft Revision 3
NuScale Final Safety Analysis Report Control Room Habitability GDC 5 was considered in the design of the CRHS. The CRHS services the control room that contains the controls of up to 12 NuScale Power Modules and is designed such that a failure of one portion of the system does not significantly impair the ability to perform its regulatory required functions including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining unit(s).
The CRHS complies with GPDC 19, as it relates to maintaining the control room in a safe condition under accident conditions and providing adequate radiation protection.
In conjunction with the CRVS, the design of the CRHS satisfies CFR 50.34(f)(2)(xxviii), in that it provides assurance that, in the event of an accident, radiation doses to operators will not exceed acceptable limits and, consequently, will not prevent operators from performing control functions.
6.4.2 System Design 6.4.2.1 Definition of Control Room Envelope The control room envelope (CRE) includes the main control room (MCR), reference room, shift manager's office, shift turnover room, office space, and other areas to support MCR operation. All of these areas are either frequently or continuously occupied. The CRE includes air locks for ingress and egress.
6.4.2.2 Ventilation System Design Normal heating ventilation and air conditioning service to the CRE is provided by the CRVS as described in Section 9.4.1. The CRVS includes redundant isolation dampers that close to isolate the CRE. The CRHS provides emergency air to the CRE from a bottled air supply. The CRHS is designed to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. Design capacity of the air bottles is defined in Section 6.4.2.3. The supply of breathing air limits the concentration of carbon dioxide in the CRE to less than 5000 ppm for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the CRE is isolated.
The CRHS is designed to Seismic Category I standards, except for the compressor and associated equipment and piping up to the isolation valve between the compressor and the air bottles which are Seismic Category III. The compressor is not located in the same area as the bottles, so it does not need be designed to Seismic Category II.
A simplified diagram of the CRHS is shown in Figure 6.4-1. System design parameters are presented in Table 6.4-1. The major components of the CRHS include:
- high pressure air compressor
- high pressure air storage bottles
- air bottle racks
- eductor
- silencers
- piping, valves, and instrumentation Tier 2 6.4-2 Draft Revision 3
NuScale Final Safety Analysis Report Control Room Habitability A loss of DC power from EDSS-C to either division of the Plant Protection System (PPS) results in a CRHS actuation.
Operation of the CRHS can also be initiated by manual actuation, for example in response to a hazardous chemical spill.
After the CRHS isolation valves are opened, the air supply pressure is regulated by the self-contained regulating valves. These valves maintain a constant downstream pressure despite upstream pressure changes as the bottled air inventory is supplied to the CRE. A constant air flow rate is maintained by the orifice downstream of the pressure regulating valves.
In the event of insufficient or excessive flow in the main delivery line, the main delivery line is isolated and the alternate delivery line is manually actuated. The alternate delivery line contains the same components as the main delivery line with the exception of the remotely operated isolation valves, and thus is capable of supplying compressed air to the CRE pressure boundary at the required air flow rate.
The regulated breathing air flow rate from the CRHS air bottles is sufficient to maintain the CRE pressure boundary at one-eighth inch water column positive differential pressure with respect to the surroundings.
Differential pressure between the CRE and the surrounding area is monitored to ensure that a positive pressure is maintained in the control room with respect to its surroundings. The wall separating the MCR area from the vestibule contains two pressure relief lines with balancing valves which discharge air from the CRE general area into the CRE vestibule. This air movement maintains the vestibule at a higher pressure than the CRB corridor pressure, reducing the potential for radioactive material being transported into the CRE when operators enter. Two vestibule discharge openings provide a purge flow path from the vestibule to the corridor.
6.4.4 Design Evaluation As noted in Section 15.0.0, no operator actions are required or credited to mitigate the consequences of design basis events. As such, the operators perform no safety-related functions, consistent with the definition in 10 CFR 50.2. Therefore, although a habitable control room is provided for the operators, consistent with GPDC 19, to perform other important non-safety- related functions, the control room envelope and supporting habitability systems and components, including the CRHS, are not safety-related.
GDC 2 was considered in the design of the CRHS. Natural phenomena, including earthquakes, do not prevent regulatory required components of the CRHS from performing their intended function. The CRHS is designed and constructed to Seismic Category I specifications except for the compressor and the piping up to the first isolation valve between the compressor and the air bottles. The compressor is not located in the same space as the air bottles. The CRHS is located within the CRB, a Seismic Category I concrete building protecting its contents from the effects of severe weather.
GDC 4 was considered in the design of the CRHS. CRHS components are not subject to pipe whipping or fluids discharging from nearby systems that could degrade their performance.
Tier 2 6.4-6 Draft Revision 3
NuScale Final Safety Analysis Report Control Room Habitability CRHS materials are compatible with the expected environmental conditions encountered during all phases of plant operation.
Although the CRHS is a shared system for 12 NPMs, its use during an accident on one unit does not affect the ability to safely shutdown and cooldown the remaining units, as it provides air to the control room common to all units. Thus, in compliance with GDC 5, the CRHS design does not create conditions that would cause an accident in one unit to propagate to other units.
The CRHS, in conjunction with the CRVS, provides compliance with GPDC 19, as it relates to maintaining the control room in a safe condition under accident conditions and providing adequate radiation protection. The CRVS has radiation monitors, toxic gas monitors, and smoke detectors located in the outside air intake as described in Section 9.4.1. Upon detection of smoke or toxic gas in the outside air duct, the outside air isolation dampers are closed to isolate the CRB from the environment. The CRB will not be pressurized under these conditions.
RAI 01-1 Upon a detection of a high radiation level in the outside air intake, the normal outside air flow path is isolated with isolation dampers and 100 percent of the outside air is routed through the CRVS air filtration unit, which includes charcoal and HEPA filters. If high levels of radiation are detected downstream of the air filtration unit or if normal AC power is not available to the CRVS air handlers or the EDSS-C battery chargers, the CRVS provides isolation of the CRE from the surrounding areas and outside environment via the CRE isolation dampers. A loss of DC power from EDSS-C to the PPS also results in a CRHS actuation. The CRHS is then relied upon to maintain a habitable environment in the CRE.
The CRHS air bottles have sufficient capacity to pressurize the CRE for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The thermal mass of the CRB provides passive cooling, maintaining CRE temperatures suitable for equipment and personnel for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
After 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the CRVS, if available, will be used to provide air conditioning and building pressurization. The CRHS also includes an external air supply connection so that the air bottles can be replenished from an offsite source if needed.
The TSC is not served by the CRHS and therefore does not receive pressurization air in the event the CRVS is unavailable. If the CRVS is not able to provide air of acceptable quality for pressurization of the TSC, the TSC is determined to be uninhabitable and is evacuated. The TSC function is then transferred to another location in accordance with the emergency plan.
The design of the CRHS satisfies CFR 50.34(f)(2)(xxviii) in that it provides assurance that, in the event of an accident, radiation doses to operators will not exceed acceptable limits and consequently will not prevent operators from performing required functions. The CRHS does not interface with other systems that would provide a potential pathway for radioactive materials. The CRHS consists of pressurized air bottles that are charged with breathing quality air. There is an external air connection point that will allow the connection of a post 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> air supply from off-site air bottles to supply air and pressurization to the CRE for extended accident conditions if needed.
Tier 2 6.4-7 Draft Revision 3
NuScale Final Safety Analysis Report Control Room Habitability Radiological Protection In the presence of significant airborne radiation downstream of the CRVS air filtration unit, the CRVS radiation monitors generate a signal that results in isolation of the CRE, securing CRVS operation, and initiating CRHS operation. The integrated design of the CRE, the CRVS, and the CRHS prevents radioactive materials from entering the CRE that would result in an operator dose exceeding the GPDC 19 limit.
The CRHS provides bottled air to the CRE for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following CRE isolation and maintains the CRE at a higher pressure than its surroundings. After 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the CRHS bottled air supply is depleted and the CRVS, if available, (Section 9.4.1) is returned to operation, providing the CRE and the rest of the CRB with filtered air.
With the CRHS in operation, the CRE is maintained at a positive pressure of one-eighth inch water column with respect to its surroundings. The only source of unfiltered leakage into the CRE is due to ingress and egress; up to 5 cfm is considered for this type of inleakage.
The dose analysis conservatively includes an additional 10 cfm of inleakage. Before the isolation dampers have closed in response to the high radiation signal, a certain amount of radioactive material will have entered the CRE. This material is gradually diluted over the duration of the accident as air enters and an equal amount of air leaves the CRE. Finally, control room operators will receive a small amount of radiation dose due to airborne radiation outside the CRE (sky shine and direct shine) and from the filters in the CRVS (filter shine).
For the purposes of radiation dose, accident duration is considered to be 30 days in accordance with RG 1.183. Analysis shows that the sum of radiation doses to control room personnel from all sources is less than 5 rem for the duration of any postulated accident.
These design features provide compliance with 10 CFR 50.34(f)(2)(xxviii). Radiological dose to control room operators is further addressed in Section 15.0.3.
Toxic Gas Protection COL Item 6.4-1: A COL applicant that references the NuScale Power Plant design certification will comply with Regulatory Guide 1.78 Revision 1, "Evaluating the Habitability of a Nuclear Power Plant Control Room During a Postulated Hazardous Chemical Release."
RAI 06.04-1 COL Item 6.4-2: Not used.
Other Habitability Considerations When normal air conditioning from the CRVS is not available, the thermal mass of the CRB and its contents limit the temperature increase as shown in Table 6.4-3 for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The peak temperature at three hours is the result of a conservative assumption in the analysis, that control room equipment powered by the normal DC power system remains powered for three hours. After 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the CRVS, if available, (Section 9.4.1) provides cooling to the CRE.
Tier 2 6.4-8 Draft Revision 3
Tier 2 NuScale Final Safety Analysis Report RAI 07.0.DSRS-1, RAI 07.0.DSRS-2, 07.0.DSRS-2S1, RAI 07.0.DSRS-3, RAI 07.0.DSRS-4, RAI 07.0.DSRS-5, RAI 07.0.DSRS-6 Table 7.0-1: NuScale Instrumentation and Controls Design and Applicable Regulatory Requirements Matrix Regulatory Applicable DCD Sections Requirements 7.1- Fundamental Design 7.2 - System Characteristics and Guidance Principles 7.1.1 7.1.2 7.1.3 7.1.4 7.1.5 7.2.1 7.2.2 7.2.3 7.2.4 7.2.5 7.2.6 7.2.7 7.2.8 7.2.9 7.2.10 7.2.11 7.2.12 7.2.13 7.2.14 7.2.15 10 CFR 50.34(b)(2)(i) x 50.34(f)(2)(iv) x 50.34(f)(2)(v) x x 50.34(f)(2)(xi) x 50.34(f)(2)(xvii) x 50.34(f)(2)(xviii) x 50.34(f)(2)(xiv) x 50.34(f)(2)(xix) x 50.36(c)(l)(ii)(A) x 7.0-30 50.36(c)(3) x x 50.49 x 50.54(jj) x Instrumentation and Controls - Introduction and Overview 50.55(i) x 50.55a(h) x x x x x x x x x x x x x x x x x x x x 50.62 (ATWS) x 52.47(a)(2) x GDC 1 x GDC2 x GDC4 x GDC 5 x GDC 10 x GDC 13 x x x x x GDC 15 x Draft Revision 3 GDC 16 x GPDC 19 x x GDC20 x x GDC21 x x x x GDC22 x x
NuScale Final Safety Analysis Report Fundamental Design Principles Consistent with GDC 16, the MPS initiates containment isolation and safety-related functions to ensure the containment design conditions are not exceeded for the duration of a postulated accident.
Consistent with GPDC 19, the I&C systems are designed to ensure the ability to control each NPM during normal and accident conditions. The NuScale main control room (MCR) is designed with the ability to place the reactors in safe shutdown in the event of an MCR evacuation event, and for safe shutdown to be maintained without operator action thereafter. Prior to evacuating the MCR, operators trip the reactors, initiate decay heat removal and initiate containment isolation. These actions result in passive cooling that achieves safe shutdown of the reactors. Operators can also achieve safe shutdown of the reactors from outside the MCR in the MPS equipment rooms within the reactor building. Following shutdown and initiation of passive cooling from either the MCR or the MPS equipment rooms, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain safe shutdown condition. There are no displays, alarms, or controls in the RSS credited to meet the requirements of principal design criterion (PDC) 19 as there is no manual control of safety-related equipment allowed from the RSS. The equipment within the remote shutdown station (RSS) provides the controls necessary to place the NPM in a hot shutdown condition, maintain the NPM in a safe condition during hot shutdown, and to bring the NPM to cold shutdown.
Consistent with GDC 20, the MPS, with inputs from the NMS, senses when specified parameters are exceeded and initiates reactor trips and ESF actuations to ensure that specified fuel design limits are not exceeded as a result of AOOs.
Consistent with GDC 21, MPS and NMS have sufficient redundancy and independence to ensure that no single failure results in the loss of the protection function. Individual SSC of the MPS and NMS may be removed from service for testing without loss of protection functions.
Consistent with GDC 22, the MPS and NMS have sufficient functional diversity and component diversity to prevent the loss of a protection function during operations, maintenance, testing, and postulated accidents, and to withstand the effects of natural phenomena.
Consistent with GDC 23, the MPS fails into a safe state upon loss of electrical power or if adverse environmental conditions are experienced.
Consistent with GDC 24, the MPS has physical, electrical, communication, and functional independence within the system and from associated nonsafety-related systems and components.
Consistent with GDC 25, the MPS initiates reactor trip functions to ensure that specified fuel design limits are not exceeded for any single malfunction of the reactivity control system. Compliance with GDC 25 is discussed in Section 4.6.2 Consistent with GDC 28, the MPS initiates reactor trip functions to limit the potential amount and rate of reactivity increase and to ensure sufficient protection from reactivity accidents. Compliance with GDC 28 is discussed in Section 4.6.2.
Tier 2 7.1-3 Draft Revision 3
NuScale Final Safety Analysis Report Fundamental Design Principles Despite these considerations, events for the RSS design and licensing basis include smoke due to fire in the MCR and loss of the Control Building as part of a loss of a large area.
At the onset of an MCR evacuation, the operators trip the reactors and initiate decay heat removal and containment isolation for each reactor prior to leaving the MCR. Following evacuation of the MCR, the ability to isolate the MPS manual switches to prevent spurious actuations is provided in the RSS as described in Section 7.2.12. An alarm is annunciated in the MCR when the MCR hard-wired switches are isolated using the MCR isolation switches in the RSS, see Figure 7.1-1j.
The MPS manual isolation switches are mounted in a Seismic Class I enclosure to allow them to remain functional following an earthquake. Controls are available outside the MCR in the associated MPS equipment rooms that provide the capability to trip the reactors, initiate DHRS and initiate containment isolation, which will initiate passive cooling and places and maintains the NPMs in safe shutdown.The MCS equipment in the RSS provides an independent alternative shutdown capability that is physically and electrically separate from the controls in the MCR. The MCS equipment in the RSS provides nonsafety-related human-system interface (HSI) and direct readings of the process variables necessary to monitor safe shutdown of each NPM. Figure 1.2-14 shows the location of the RSS equipment.
The alternative shutdown capability is independent of specific fire areas and accommodates post-fire conditions when offsite power is available and when offsite power is not available for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, dependent on the conditions described in the fire hazards analysis as described in Section 9A.
The controls necessary for the operator to monitor the plant status of an immediate hot shutdown of the reactor, maintain the unit in a safe condition during hot shutdown, and perform subsequent cold shutdown of the unit are provided in the RSS.
Access to the RSS is under administrative controls.
7.1.1.2.4 Safety Display and Indication System The safety display and indication system (SDIS) as described in Section 7.0.4.4, provides HSI for the MPS and PPS to monitor and display PAM variables, and provides the capability for control inputs and status information. The SDIS is a nonsafety-related, nonrisk-significant system; however, because it supports the PAM function, the SDIS meets augmented quality and regulatory requirements as described in Table 3.2-1.
7.1.1.2.5 Plant Protection System The PPS as described in Section 7.0.4.3 provides monitoring and control of plant systems that are common to multiple NPMs. The PPS is nonsafety-related; however, because it supports the PAM function, the PPS is designed to meet augmented Tier 2 7.1-12 Draft Revision 3
NuScale Final Safety Analysis Report Fundamental Design Principles General Design Criterion 16 The MPS initiates containment isolation and safety-related functions. In addition, MPS removes power to the secondary main steam isolation valves (MSIVs) and the main feedwater regulating valve upon DHRS actuation, providing a backup containment isolation function. See Section 7.1.1.
GeneralPrincipal Design Criterion 19 The I&C systems ensure the ability to control each NPM during normal and accident conditions. The NuScale MCR is designed with the ability to place the reactors in safe shutdown in the event of an MCR evacuation event, and for safe shutdown to be maintained without operator action thereafter. Prior to evacuating the MCR, operators trip the reactors, initiate decay heat removal and initiate containment isolation. These actions result in passive cooling that achieves safe shutdown of the reactors. Operators can also achieve safe shutdown of the reactors from outside the MCR in the MPS equipment rooms within the reactor building. Following shutdown and initiation of passive cooling from either the MCR or the MPS equipment rooms, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain safe shutdown condition. The design includes an RSS for monitoring of the plant if the MCR is evacuated.
There are no displays, alarms or controls in the RSS credited to meet the requirements of principal design criterion (PDC) 19 as there is no manual control of safety-related equipment allowed from the RSS.In addition, the MCS and PCS provide monitoring and controls to the RSS. The RSS has the necessary I&Cs to maintain the NPM in a safe condition during hot shutdown and to bring the NPM to cold shutdown when the MCR is evacuated.
See Section 7.1.1 and Section 7.2.13.
General Design Criterion 20 The MPS, with inputs from the NMS, senses when specified parameters are exceeded and initiates reactor trips and ESF actuations to ensure that specified fuel design limits are not exceeded as a result of AOOs, and to sense accident conditions to initiate the operation of appropriate systems and components. See Section 7.1.1 and Section 7.2.7.
General Design Criterion 21 The MPS and NMS have sufficient redundancy and independence to ensure that no single failure results in the loss of the protection function. The MPS and NMS components may be removed from service to permit periodic testing during operation, including the capability to test channels independently to determine failures and losses of redundancy that may have occurred. See Section 7.1.2, Section 7.1.3, Section 7.1.4, and Section 7.2.15.
General Design Criterion 22 The MPS and NMS have sufficient functional diversity to prevent the loss of a protection function. See Section 7.1.2 and Section 7.1.5.
General Design Criterion 23 Tier 2 7.1-48 Draft Revision 3
NuScale Final Safety Analysis Report System Features The NMS-excore contains sensors and analog signal processing equipment and is not a digital computer system; therefore, the requirements of IEEE Std 7-4.3.2-2003 do not apply.
Fire Protection Considerations The MPS equipment and cabling are designed in accordance with the NuScale fire protection design guidelines described in Section 9.5.1. Separation Groups A, C, and Division I of the RTS and ESFAS and Separation Groups A and C NMS-excore signal processing equipment are located in one room and Separation Groups B, D, and Division II of the RTS, ESFAS and Separation Groups B and D NMS-excore equipment are located in a different room; the rooms are located in two different fire zones. MPS and NMS-excore cables are required to pass the flame test as required in IEEE Std 1202-2006 (Reference 7.2-28) as endorsed by RG 1.189.
The MPS equipment and cable routing is designed to meet the separation requirements of IEEE Std 384-1992 "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" (Reference 7.2-10) as endorsed by RG 1.75, Rev 3. These design attributes also provide separate rooms and cable runs to prevent a fire or explosion from affecting more than one division of MPS and NMS-excore equipment. See Section 9.5.1.2.
To reduce the MPS and NMS-excore susceptibility to smoke exposure as discussed in RG 1.209, fire protection methods are employed such as isolation and detection practices and minimization of combustible materials in the MPS rooms and cabinets.
Refer to Section 9.5.1 for more detail on the fire protection methods employed in the NuScale Power Plant design. The MPS and NMS-excore equipment do not use chassis fans, which can distribute smoke, soot, and dust on the electronic circuitry and can cause degradation of the equipment. There is no forced cooling of internal MPS or NMS-excore hardware equipment.
The MPS manual trip/actuate, operating bypass, and enable nonsafety control switches are located in the main control room (MCR).
The reactor trip breakers (RTBs) and the pressurizer heater trip breakers are located in the associated MPS division room.
In the event of a fire in the MCR the operators trip the reactors, initiate decay heat removal and initiate containment isolation prior to evacuating the MCR. These actions result in passive cooling that achieves and maintains the modules in a safe shutdown condition. Operators can also place the reactors in safe shutdown from outside the MCR in the MPS equipment rooms within the reactor building. The operators then relocate to the remote shutdown station (RSS) to monitor plant conditions. Following shutdown and initiation of passive cooling, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain a safe stable shutdown condition. There are two MCR isolation switches for each NuScale Power Module (NPM) in the RSS that when repositioned isolate the MPS manual actuation switches, override switches and enable nonsafety control switches for each NPM's MPS in the MCR to prevent spurious actuation of equipment due to fire damage.In the event of a fire in the MCR, the operators evacuate the MCR and relocate Tier 2 7.2-33 Draft Revision 3
NuScale Final Safety Analysis Report System Features to the remote shutdown station (RSS). There are two MCR isolation switches for each NuScale Power Module (NPM) in the RSS that when repositioned, isolate the MPS manual actuation switches, override switches, and the enable nonsafety control switches for each NPM's MPS in the MCR to prevent spurious actuation of equipment due to fire damage.
MPS and NMS Equipment EMI and RFI Qualification The MPS and NMS-excore equipment is designed and qualified in accordance with the guidance provided in RG 1.180 for compliance with NRC regulations regarding electromagnetic interference (EMI) and radio frequency interference (RFI) and power surges on safety-related I&C systems. Regulatory Guide 1.180 provides several acceptable methods for addressing electromagnetic compatibility consideration for qualifying safety-related I&C systems for the expected electromagnetic environment in nuclear power plants. The EMI and RFI, surge withstand capabilities, and operating envelopes are elements of the total package that is needed to ensure electromagnetic compatibility within a NuScale Power Plant.
For compliance to RG 1.204, Guidelines for Lightning Protection of Nuclear Power Plants, NuScale applies the guidance for EMI and RFI protection from IEEE Std 1050-1996 "IEEE Guide for Instrumentation Control Equipment Grounding in Generating Stations" (Reference 7.2-21) to the design of I&C systems.
IEEE Std 665-1995, "IEEE Guide for Generating Station Grounding" (Reference 7.2-12) and IEEE Std C62.23-1995 "IEEE Application Guide for Surge Protection of Electric Generating Plants" (Reference 7.2-6) provide guidance and do not contain specific mandatory design requirements.
Instrument Sensing Lines The safety-related sensors associated with the NuScale reactor design are described in NuScale Power, LLC, TR-0316-22048 "Nuclear Steam Supply Systems Advanced Sensor Technical Report," (Reference 7.2-26). The sensors that utilize instrument sensing lines are pressurizer pressure narrow range, reactor coolant system pressure wide range, main steam pressure, feedwater outlet pressure and DHRS outlet pressure. For these sensors, the instrument sensing lines are designed in accordance with ISA-67.02.01-1999 "Instrument Sensing Line Piping and Tubing Standards for Use in Nuclear Power Plants" (Reference 7.2-24), as endorsed by RG 1.151. More detailed information is provided in technical report TR-0316-22048 on sensor functions, sensor requirements, sensor design, sensor installation, sensor maintenance, and sensor qualification.
7.2.3 Reliability, Integrity, and Completion of Protective Action This section discusses the reliability and integrity of the NuScale I&C systems, and the ability to complete a protective action once initiated to accomplish the safety functions.
The design of the NuScale I&C systems meets the reliability, system integrity, and completion of protective action criteria contained in Sections 5.5 and 5.15 of IEEE Std 7-4.3.2-2003, and the requirements of Sections 5.2, 5.5, 5.15 and 7.3 of IEEE Std 603-1991.
RAI 07.0.DSRS-1, RAI 07.0.DSRS-2,RAI 07.0.DSRS-2S1, RAI 07.0.DSRS-3, RAI 07.0.DSRS-4, RAI 07.0.DSRS-5, RAI 07.0.DSRS-6 Tier 2 7.2-34 Draft Revision 3
NuScale Final Safety Analysis Report Air Conditioning, Heating, Cooling, and Ventilation Systems 9.4 Air Conditioning, Heating, Cooling, and Ventilation Systems 9.4.1 Control Room Area Ventilation System The normal control room HVAC system (CRVS) serves the entire Control Building (CRB) and the access tunnel between the CRB and Reactor Building. The CRVS boundary begins at the air intake on the outside of the CRB and extends to the point of discharge from the CRB.
Under certain postulated conditions the control room envelope (CRE) is isolated and air is provided by the control room habitability system (CRHS). The CRHS is described in Section 6.4.
9.4.1.1 Design Bases This section identifies the required or credited functions of the CRVS, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure that the functions are fulfilled. Together, this information represents the design bases, defined in 10 CFR 50.2, as required by 10 CFR 52.47(a) and (a)(3)(ii).
The CRVS serves no safety-related functions, is not credited for mitigation of design basis accidents, and has no safe-shutdown functions. General design criteria (GDC) 2, 3, 4, and 5 were considered in the design of the CRVS. Per GDC 2, the ability of the Seismic Category I CRVS structures, systems, and components (SSC) to withstand the effects of a safe shutdown earthquake is consistent with Section 3.2.1.1 and the guidance of Regulatory Guide (RG) 1.29. Components of the CRVS whose failure could adversely affect Seismic Category I SSC or could result in incapacitating injury to occupants of the control room during or following an SSE are designed as Seismic Category II. Consistent with GDC 3, the CRVS is designed to limit hydrogen concentration in battery rooms in accordance with Regulatory Position C.6.1.7 of RG 1.189, Revision 2 by using guidance in section 52.3.6 of NFPA 1.
Consistent with GDC 4, the CRVS is protected against dynamic effects and is designed to accommodate the effects of, and be compatible with, the environmental conditions of normal operation, maintenance, testing, and postulated accidents. Consistent with GDC 5, the CRVS is common for up to 12 NuScale Power Modules and is designed to operate during an accident in one unit without affecting the capability to conduct a safe and orderly shutdown and cooldown in the remaining units. See Section 9.4.1.3 for the CRVS safety evaluation.
The CRVS, in conjunction with the CRHS (Section 6.4), maintains the CRE within the temperature and humidity limits needed to support personnel and to maintain equipment during all modes of operation, including normal, abnormal, station blackout, and toxic gas conditions.
Consistent with GPDC 19, the control room remains functional such that actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain the plant in a safe condition under accident conditions, including loss-of-coolant accidents and hazardous chemical releases. In accordance with RG 1.78, Revision 1, the CRVS includes toxic gas monitors.
Tier 2 9.4-1 Draft Revision 3
NuScale Final Safety Analysis Report Air Conditioning, Heating, Cooling, and Ventilation Systems GDC 5 was considered in the design of CRVS. The CRVS serves the control room, which provides services for all NuScale Power Modules. However, the CRVS does not have a function relative to shutting down a NuScale Power Module or maintaining it in a safe shutdown condition. Operation of the CRVS does not interfere with the ability to operate or shut down a unit.
Upon detection of smoke or toxic gas in the outside air duct, the outside air isolation dampers are closed to isolate the CRB from the environment. The CRVS is then operated in recirculation mode to provide conditioned air to the occupied areas of the CRB, with no outside air being introduced into the building. The CRB is not pressurized in this mode.
When gaseous or particulate radioactivity in the outside air duct exceeds the high setpoint, the normal outside air flow path is isolated and 100 percent of the outside air is bypassed through the air filtration unit to remove iodine and particulates. If high levels of radiation are detected downstream of the air filtration unit, or if normal AC power is lost to both CRVS air handling units for 10 minutes, or if power is lost to all EDSS-C battery chargers, the CRE is isolated and breathable air is supplied by the CRHS.
An additional design feature allows the BDGS to provide power to components necessary for continued operation of the CRVS during a loss of normal AC power.
In normal operation, the CRVS maintains the MCR at a positive pressure relative to the outside environment. In off-normal conditions, the redundant CRE isolation dampers provide a barrier against the surrounding environment. These design features provide compliance with GPDC 19.
The CRVS maintains the CRB at a higher pressure than its surroundings, except when in recirculation mode, limiting the amount of contamination that could enter during normal operation. The CRVS includes radiation monitors in the intake ductwork. When a high radiation signal is generated, the normal outside air flow path is isolated and 100 percent of the outside air is bypassed through the CRVS air filtration unit. When high radiation is detected downstream of the AFU, a signal is generated to close the outside air isolation dampers, which prevents further contamination from entering the CRB through this pathway. Thus, the CRVS limits the spread of contamination in compliance with 10 CFR 20.1406(b).
In a station blackout event, the CRE isolation dampers close to form part of the CRE. The CRHS then provides bottled air to the CRE. Along with the CRHS, the CRE isolation dampers ensure that a suitable operating environment is maintained to support operators and equipment in the MCR.
9.4.1.4 Inspection and Testing Preoperational testing of the CRVS is performed as described in Section 14.2.
The CRVS is provided with adequate instrumentation, temperature, flow, and differential pressure indicating devices to facilitate testing and verification of proper equipment function. Additionally, the CRVS is designed to permit periodic inspection and testing of major components, such as fans, motors, dampers, coils, filters, and ducts to verify their integrity, operability, and capability. CRVS equipment and Tier 2 9.4-10 Draft Revision 3
NuScale Final Safety Analysis Report Other Auxiliary Systems 9.5.1.1 Design Basis This section identifies the FPP required or credited functions, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure that the functions are fulfilled. Together, this information represents the design bases, defined in 10 CFR 50.2, as required by 10 CFR 52.47(a) and (a)(3)(ii).
The hardware associated with the FPP is not safety related. Consistent with GDC 1, and as indicated in Section 3.2, the hardware does not have a Quality Classification and is Seismic Class III.
RAI 09.05.01-8 The hardware associated with the FPS is not safety-related. Consistent with GDC 2, however, the capability for manual fire fighting of safe shutdown equipment following a seismic event is provided in the reactor building via seismically analyzed hose standpipes. Fire Protection system components are seismically designed as described in Section 3.2.1.2 including the guidance of RG 1.29.
As required by 10 CFR 50.48(a)(1), a Fire Protection Program has been developed that conforms to GDC 3 in minimizing the probability and effect of fires and explosions.
Noncombustible and heat resistant materials are used to the extent practical. The reactor building (RXB), control building (CRB), and radioactive waste building (RWB) floors, walls and ceilings are constructed almost entirely of reinforced concrete. The FPS, through detection and suppression, minimizes adverse effects of fires on structures, systems, and components. Rupture or inadvertent operation of firefighting systems is considered in the design to assure it does not significantly impair the safety capability of structures, systems, and components.
GDC 5 was considered in the design of the FPS. The modules are located in the RXB which is serviced by a common, shared fire protection system. Redundant divisions of safe shutdown equipment for the modules are located in separate fire areas where practicable so that fires or a spurious discharge or a failure of the FPS can only affect one division of safe shutdown equipment per module. There are fire areas in the RXB where one fire could affect multiple modules although only one division per module would be affected leaving an alternative division intact. With one success path of safe shutdown equipment available for each module, safe shutdown functions can still be performed for all modules and therefore the effectiveness of the FPS is not compromised by the sharing.
Consistent with GPDC 19 the FPS provides control room fire protection with manual suppression and automatic detection. The FPS protects the control building which houses the control room; therefore, isolating the control room from fire. By protecting the building, the FPS protects the cables, switching and transmitting type equipment, and display components from fire damage allowing the control room to function. In the reactor building, the FPS protects sensing, switching and transmitting type equipment, and cabling which contributes to the functionality of the control room in the case of fire in the reactor building. The design also incorporates a remote shutdown Tier 2 9.5-2 Draft Revision 3
NuScale Final Safety Analysis Report Other Auxiliary Systems station that permits control and monitoring of systems related to safe- shutdown when the MCR has been abandoned due to fire.
Consistent with GDC 23, functional requirements have been imposed on the design of the Module Protection System (MPS) that addresses safe failure states when exposed to the effects of fire and water.
10 CFR 52.47(b)(1) information pertaining to the methodology for the development of ITAAC is presented in Section 14.3.
9.5.1.2 System Description In accordance with RG 1.189, Revision 2, fire protection for nuclear power plants uses the concept of defense-in-depth to achieve the required degree of reactor safety by using administrative controls, fire protection systems and features, and safe shutdown capability.
These defense-in-depth principles achieve the following objectives:
- To prevent fires from starting;
- To rapidly detect, control, and extinguish promptly those fires that do occur; and
- To provide protection for structures, systems, and components important to safety so that a fire that is not promptly extinguished by the fire suppression activities does not prevent the safe shutdown of the plant.
The FPS is principally related to the second bullet above and is designed to perform the following functions:
- Detect fires and provide indication of the location
- Provide the capability to extinguish fires in plant areas, protect site personnel, limit the impact of fires and protect safe shutdown capabilities
- Provide a suppression water volume sufficient to meet the largest hydraulic demand of the automatic sprinkler or spray system with an additional 500 gpm for fire hose use, for a minimum of two hours
- Maintain 100 percent fire pump design capability assuming a failure of the largest fire pump or a loss of offsite power.
- Provide water to hose stations for firefighting activities in areas containing safe shutdown equipment, following a safe shutdown earthquake (SSE) as specified in the FHA.
- Provide automatic fire suppression in plant areas where the FHA or fire safe shutdown analysis of Appendix 9A has determined a single fire area could prevent the plant from achieving and maintaining a safe shutdown condition. Appendix 9A addresses special cases involving the containment and the fire areas enclosed by the bioshields of each NPM.
- Plant areas protected by an automatic fire suppression system are also provided with manual fire suppression capability, based on the fire hazard analysis.
Tier 2 9.5-3 Draft Revision 3
NuScale Final Safety Analysis Report Other Auxiliary Systems Consistent with GPDC 19, COMS equipment at locations outside the main control room (MCR) is provided with the capability to support onsite and offsite communications during all normal and emergency operating conditions.
Consistent with Appendix E to 10 CFR Part 50, Part IV.E(9), provisions for communications are made for emergency facilities and equipment, including one onsite and one offsite communications system; each system having a backup power source.
The COMS telephone private branch exchange system provides onsite communication with an offsite interface to the public switched telephone network for offsite communications. The COMS receives AC electrical power from the EDNS power system which has a battery-backed uninterruptible power supply. Security related COMS systems are powered by the security power system as discussed in the physical security technical report (Reference 9.5.2-2). In addition, fixed and portable satellite communications are provided to meet the 10 CFR 50 Appendix E requirement. Portable satellite communications devices, batteries, and battery chargers are designated for this purpose.
COL Item 9.5-1: A COL applicant that references the NuScale Power Plant design certification will provide a description of the offsite communication system, how that system interfaces with the onsite communications system, as well as how continuous communications capability is maintained to ensure effective command and control with onsite and offsite resources during both normal and emergency situations.
The requirements of 10 CFR 50.34(f)(2)(xxv), regarding Three Mile Island Action Plan Item III A.1.2 requires that details of the onsite technical support center (TSC), and onsite operational support center (OSC) be provided. Design details pertaining to the TSC are provided in Section 13.3. Details of the design pertaining to the OSC are site-specific, as stated in Section 13.3.
Consistent with the requirements of 10 CFR 50.47(b)(6) and 10 CFR 50.47(b)(8) adequate provisions for communications are provided and maintained in the emergency facilities and control room to support the emergency response, including the ability to provide prompt communication among principal response organizations, emergency personnel and to the public.
Consistent with the requirements of 10 CFR 50.55a, SSC related to the COMS are designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
Consistent with the requirements of 10 CFR 73.45(e)(2)(iii),10 CFR 73.45(g)(4)(i), and 10 CFR 73.45(g)(4)(ii) as related to the COMS, provisions for communications systems and procedures are made and described that support site physical protection including the ability to transmit rapid and accurate security information among onsite forces for routine security operations, assessment of a contingency, response to a contingency, and detection and assessment information to offsite assistance forces.
Consistent with the requirements of 10 CFR 73.46(f), as related to the COMS, communications systems exist whereby each security officer, watchman, or armed Tier 2 9.5-101 Draft Revision 3
NuScale Final Safety Analysis Report Other Auxiliary Systems keeping with the required safety function. The COMS is classified as a non-Class 1E system which serves no safety-related function.
Consistent with GDC 2, portions of the COMS whose structural failure could adversely affect the function of Seismic Category I SSC are designed to Seismic Category II requirements in accordance with Section 3.2.1.2.
Consistent with GDC 3, the COMS systems are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Section 9.5.1 evaluates the fire protection features. Table 3.2-1 classifies the COMS as nonsafety-related. The COMS provides two-way voice communications to support safe shutdown and emergency response in the event of fire. The plant radio system complies with Regulatory Guide 1.189, Regulatory Position 4.1.7, in that the communications system design provides effective communications between plant personnel in all vital areas during fire conditions under maximum potential noise levels.
Consistent with GDC 4, the COMS is not required to function during or after events that result in the generation of missiles, pipe whipping, or discharging fluids. The COMS is a nonsafety-related and nonrisk-significant system and does not interface with any safety-related or risk-significant SSC.
The three COMS subsystems (public address and general alarm system, private branch exchange, and plant radio systems) are physically independent. These systems serve as a backup to one another in the event of system failure as a result of natural phenomena, environmental or dynamic effects, and fires. The three independent voice communications systems are designed and installed to provide assurance that any single event does not cause a complete loss of intra-plant communication.
GDC 5 was considered in the design of the COMS. The COMS is designed to provide effective communications between plant personnel in vital areas during normal operations as well as during the full spectrum of accident or incident conditions under maximum potential noise levels. A failure in a COMS subsystem will not significantly impair the ability of the other COMS subsystems to perform, including in the event of an accident in one NuScale Power Module and an orderly shutdown and cooldown of the remaining NuScale Power Modules.
GPDC 19 requires that an MCR be provided from which actions can be taken to operate the plant safely under normal conditions and to maintain it in a safe condition under accident conditions. GPDC 19 is not directly applicable to the communications systems.
The NuScale Power Plant design allows for safe shutdown without operator action.
Therefore, the communications systems need not be credited in evaluating compliance with GPDC 19. However the various independent and diverse communications systems located in the MCR significantly increase the overall command and control the reactor operators have over the plant by providing the ability to communicate and direct activities with operations, maintenance, health physics, firefighters, security, and rescue teams. The NuScale Power Plant has an independent plant radio system for security purposes. Other communications systems such as the public address and general alarm system and private branch exchange are available as alternate means, if necessary.
Tier 2 9.5-107 Draft Revision 3
NuScale Final Safety Analysis Report Other Auxiliary Systems Consistent with the requirements of 10 CFR Part 50, Appendix E, IV.E(9), provisions are made for emergency facilities and equipment, which includes at least one onsite and one offsite communications system, with a backup power source. The public address and general alarm system, private branch exchange, sound-powered telephone system, and the plant radio system provide onsite communications capability. The private branch exchange and plant radio system are capable of providing offsite communications. These systems are powered by diverse nonsafety-related EDNS power supplies.
The failure of any communications system does not adversely affect safe -shutdown capability. It is not necessary for plant personnel in safety-related areas of the plant to communicate with the MCR in order to achieve safe shutdown of the plant. There are four independent voice communications systems for support onsite and the failure of any or all of their components do not affect any safety-related equipment. There are two COMS systems that provide offsite communications. Since there are at least one onsite and offsite communications systems with backup power sources the COMS design complies with the requirements of 10 CFR Part 50 Appendix E.IV.E(9).
Consistent with the requirements of 10 CFR 50.34(f)(2)(xxv), regarding Three Mile Island Action Plan Item III A.1.2, and the requirements of 10 CFR 50.47(b)(6) and 10 CFR 50.47(b)(8) adequate provisions for communications are provided and maintained in the emergency facilities and control room to support the emergency response, including prompt communication among principal response organizations to emergency personnel and to the public. As stated in Section 13.3, the design of the TSC is compliant with the requirements of NUREG-0696 "Functional Criteria for Emergency Response Facilities." The central alarm station and secondary alarm station maintain the ability to provide continuous communications with onsite and offsite resources. The TSC and OSC are equipped with voice communications such as private branch exchange, public address and general alarm system, plant radio, and sound-powered telephone systems, which provide communications between the TSC and OSC and plant, local, and offsite emergency response facilities, the Nuclear Regulatory Commission, and local and state operations centers. Details of the OSC design are site-specific, as stated in Section 13.3.
10 CFR 73.45(e)(2)(iii) requires that communications systems and procedures provide for notification of an attempted unauthorized or unconfirmed removal of strategic special nuclear material. The design of the COMS employs a completely independent plant radio system for security communications purposes. Other communications systems such as the public address and general alarm system, private branch exchange, and plant radio are available as alternate means, if necessary. The application of these communications systems for security purposes is described in the physical security technical report under conformance to 10 CFR 73.55.
10 CFR 73.45(g)(4)(i) requires rapid and accurate transmission of security information among onsite forces for routine security operation, assessment of a contingency, and response to a contingency. Communications networks are provided to transmit rapid and accurate security information among onsite forces for routine security operation, assessment of a contingency, and response to a contingency. The design of the COMS employs a completely independent plant radio system for security communications purposes. The public address and general alarm system, private branch exchange, and Tier 2 9.5-108 Draft Revision 3
Process and Effluent Radiation Monitoring Instrumentation and NuScale Final Safety Analysis Report Sampling System
- Provide for data collection of liquid and gaseous effluents to unrestricted areas (10 CFR 50.36a).
- Provide design features to reduce the potential contamination of the facility and the environment, as well as reducing radioactive waste generation (10 CFR 20.1406).
- For the control room ventilation system, perform protective functions while withstanding the effects of natural phenomena without loss of function (GDC 2).
- Provide initiation signals for automated system functions to maintain control room habitability of the control room under accident conditions (GPDC 19).
- Control the release of liquid and gaseous effluents from plant systems (GDC 60).
- Provide monitoring and sampling of fuel storage and handling areas, and radioactive waste management systems to detect excessive radiation levels, and initiate the appropriate automated system functions (GDC 61 and GDC 63).
- Provide monitoring of the effluent discharge paths, and the plant environs for radioactivity that may be released during normal operations, AOOs, and under post-accident conditions (GDC 64).
- Provide monitoring and sampling instrumentation for measuring and recording radiological data of noble gases at release points with continuous monitoring and sampling of radioactive iodine and particulates in gaseous effluents from accident release points in accordance with the requirements of 10 CFR 50.34(f)(2)(xvii).
11.5.2 System Description The effluent and process radiation monitoring and sampling provisions are described on a per system basis within Section 11.5.2.1 and Section 11.5.2.2. The following system descriptions apply to the systems on a generic basis. Information that is unique to a specific effluent or process monitor including automated system actuations is provided within the individual system descriptions.
The radiation monitors provide a continuous indication and an archiving function to the main control room. When a specified setpoint is exceeded, the effluent and process radiation monitors provide a visual and audible alarm in the main control room, and where specified, locally and in the waste management control room. Alarms are designed such that they do not reset without operator action. The radiation monitors remain operable when the alarm setpoint is exceeded. The process and effluent radiation monitoring instrumentation provides self-monitoring to the extent that power failure or equipment failure causes an alarm in the main control room.
Mitigating actions for abnormal events where a potentially contaminated system is leaking into a normally non-radiologically contaminated system are specified in site procedures. If required, operators have the ability to manually isolate and sample the potentially contaminated system using isolation valves operated from the main control room or locally in the plant. The alarm setpoints, control room monitoring capability, system sampling capability, and operator response in accordance with site procedures conform with GDC 60 and RG 4.21 and ensure that the objectives of 10 CFR 20.1406 are met.
Tier 2 11.5-2 Draft Revision 3
Process and Effluent Radiation Monitoring Instrumentation and NuScale Final Safety Analysis Report Sampling System significant release point as characterized in RG 1.21 and to verify the effluent monitor readings for the utility water system. The system is sampled for radioactive material content on a periodic basis to verify the effluent monitor readings for the UWS. The frequency is determined by the offsite dose calculation manual (ODCM) described in Section 11.5.2.6. Samples of the CWS are taken periodically from the sample points located in the cooling tower basins where turbulent flow ensures a representative sample. Provisions for CWS sampling are described in Table 11.5-3.
The CWS is described in Section 10.4.5.
11.5.2.2 Process Radiation Monitoring For each plant system that is potentially radiologically contaminated within its process liquid or gas, a description of its radiation monitoring and sampling equipment is provided. The applicable regulatory requirements for each system are considered, and a description of how these requirements are met is provided for each system.
11.5.2.2.1 Normal Control Room HVAC System The normal control room HVAC system (CRVS) protects personnel from exposure to radiation during abnormal and accident conditions initially by removing radioactive contamination from outside air via charcoal filtration. If conditions degrade and radiation levels are detected that exceed the capability of the charcoal filtration units or if power is not available, the environment within the control room boundary is isolated and pressurized with a bottled air supply from the control room habitability system (CRHS).
Three in-line radiation monitors are located upstream of the CRVS filter unit and the outdoor air isolation dampers that are in parallel with the CRVS filter unit. Upon detection of a high radiation level in the outside air intake, the system is realigned so that 100 percent of the outside air passes through the CRVS filter unit, containing high-efficiency particulate air and charcoal filters to process outside air and minimize radiation exposure to personnel within the control room boundary.
If air conditions are further degraded as sensed by two off-line radiation monitors downstream of the CRVS filter unit or if power is not available, the CRVS filter unit is stopped, the outside air intake is automatically isolated, the operating supply air handling unit is stopped, the general exhaust fan is stopped, the CRB battery room exhaust fan is stopped, and the CRHS system is initiated to facilitate continued control room habitability consistent with GPDC 19. Section 6.4.3.2 provides a complete discussion of the CRHS system initiation.
The radiation monitors that initiate the isolation for operation of the CRHS have augmented quality assurance requirements. The augmented quality requirements are specified in Table 3.2-1.
The CRVS radiation monitors provide continuous display and alarm capability to the MCR and provide the signal for the CRVS and CRHS automated functions. To ensure accurate and representative indication, these in-line and off-line monitors are designed to meet the guidance of ANSI/HPS N13.1-2011 (Reference 11.5-2).
Tier 2 11.5-10 Draft Revision 3
NuScale Final Safety Analysis Report Radiation Protection Design Features protect plant personnel, members of the public, and susceptible equipment subject to environmental qualification requirements.
Shielding performance is in accordance with the following criteria:
- exposure limits of 10 CFR 20
- dose limits of 10 CFR 50, GPDC 19 In addition, plant layout and shielding are used to limit equipment radiation doses to levels that are consistent with the assumptions used to demonstrate environmental qualification.
12.3.2.2 Design Considerations Shielding is provided for radioactive systems and components to reduce radiation levels commensurate with area personnel access requirements and ALARA principles.
The radiation zone maps described in Section 12.3.1 indicate the radiation levels for plant areas.
As described in Section 12.3.1, shielding design features include permanent shielding and separation of components that constitute substantial radiation sources, the use of shielded cubicles, labyrinths, and shielded entrances to minimize dose. The selection of shielding materials considers the ambient environment and potential degradation mechanisms. Temporary shielding is considered where it is impractical to provide permanent shielding for substantial radiation sources.
Consistent with RG 8.8, streaming of radiation into accessible areas through penetrations for pipes, ducts, and other shield discontinuities is reduced by using layouts that prevent alignment with the radiation source, placing penetrations above head height to reduce personnel exposures, and using shadow shields to attenuate radiation streaming.
Consistent with RG 8.8, shielding analysis employs accurate modeling techniques and conservative approaches in the determination of shielding thickness. Source terms, geometries, and field intensities are analyzed conservatively. In addition to normal conditions, source terms include transient conditions such as resin transfers.
RAI 12.03-58 The material used for a significant portion of plant shielding is concrete. For most applications, concrete shielding is designed in accordance with ANSI/ANS 6.4-2006 (Reference 12.3-1). Table 12.3-6 and Table 12.3-7 show the shielding thicknesses assumed in the shielding analyses in plant buildings. In addition to concrete, other types of materials such as steel, water, tungsten, and polymer composites are considered for both permanent and temporary shielding. The use of lead is minimized.
For shield walls that contain a door, the door provides an equivalent radiation attenuation as the shield wall that contains the door. A listing of radiation shield doors is provided in Table 12.3-8 for the RXB and Table 12.3-9 for the RWB.
Tier 2 12.3-9 Draft Revision 3
NuScale Final Safety Analysis Report Radiation Protection Design Features Radiation zones are selected to facilitate personnel access for operation and maintenance.
12.3.2.4 Major Component Shielding Design Description 12.3.2.4.1 NuScale Power Module An NPM is a self-contained nuclear steam supply system composed of a reactor core, a pressurizer, two steam generators integrated within the reactor pressure vessel, CRDMs and valves, and is housed in a compact steel containment vessel.
The containment vessel is partially immersed in the reactor pool as shown in Figure 1.2-5.
Biological shielding is provided above each NPM to allow personnel access above the 126' elevation in the RXB. The bioshield design is described in Section 3.7.3.
The containment vessel, pool water, and pool wall provide shielding and attenuation. The pool wall thickness is used for attenuating radiation from the radiation sources associated with the NPM.
RAI 12.03-55S1 COL Item 12.3-8: A COL applicant that references the NuScale Power Plant design certification will describe the radiation shielding design measures used to compensate for the main steam and main feedwater piping penetrations through the Reactor Building pool wall between the NuScale Power Module bays and the Reactor Building steam galleries near the 100 ft elevation (Shown on Figure 3.6-16 and Figure 3.6-17).
12.3.2.4.2 Main Control Room The dose rate in the main control room during normal operations is negligible. The Control Building (CRB) room locations and elevations are shown in figures provided in Section 1.2. The CRB walls are designed to attenuate radiation from the RXB. As indicated by Table 15.0-12, the GPDC 19 dose acceptance criteria for the control room are met for postulated accidents.
12.3.2.4.3 Reactor Building In general, the calculated dose rates in open areas and corridors of the RXB are less than five mrem/hr during normal operation as shown in the radiation zone maps (Figure 12.3-1a through Figure 12.3-1i).
The RXB includes systems that contain radioactive components. The major radiation sources in the RXB are associated with the NPM (see Section 12.3.2.4.1),
chemical volume and control system, PCUS, and spent fuel storage. The shielding designs for these systems are described below.
Chemical and Volume Control System Tier 2 12.3-11 Draft Revision 3
NuScale Final Safety Analysis Report Radiation Protection Design Features 12.3.3.1 Design Objectives Design objectives for the plant heating ventilation and air conditioning systems include the following:
- During normal plant operations, the airborne radioactivity levels to which plant personnel are exposed in radiation controlled areas are maintained ALARA and within the limits specified in 10 CFR 20. The airborne radioactivity released during normal plant operations are also maintained ALARA and within the limits of 10 CFR 20, Appendix B, Table II.
RAI 02.03.01-2, RAI 02.03.05-1
- During normal plant operations, the dose from airborne radioactive material exposure in unrestricted areas is maintained ALARA and within the limits specified in 10 CFR 20.1301 and 10 CFR 50, Appendix I.
- The dose to the control room personnel does not exceed the limits specified in 10 CFR 50, Appendix A, GPDC 19 following the design basis accidents described in Chapter 15.
12.3.3.2 Design Features to Minimize Personnel Exposure from Heating Ventilation and Air Conditioning Equipment The building ventilation systems are designed to maintain a negative pressure with respect to the outside environs and create air flow inside the building from areas of low airborne potential to areas of higher airborne potential.
Other design features that are incorporated to minimize radiation exposures to personnel are listed below.
- The design of the plant ventilation systems incorporates the guidance of RG 8.8.
- Ventilation fans and filters are provided with adequate access space to permit servicing with minimum personnel radiation exposure. The heating ventilation and air conditioning system is designed to allow rapid replacement of components.
Filter-adsorber unit conformance complies with the recommendations of RG 1.140.
- Ventilation ducts are designed to minimize the buildup of radioactive contamination within the ducts.
- Access to ventilation systems in potentially radioactive areas can result in personnel exposure during maintenance, inspection, and testing. Equipment is located in low dose areas as much as practicable, with most equipment being located outside of rooms that contain significant radiation sources. The outside air supply units and building exhaust system components have adequate work space provided around each unit for anticipated maintenance, testing, and inspection.
12.3.3.3 Reactor Building Heating Ventilation and Air Conditioning System During normal operation, the RBVS services the areas inside the RXB by providing conditioned and filtered outside air. The exhaust from the RXB is normally filtered by a high-efficiency particulate air (HEPA) filter. If the spent fuel pool exhaust radiation monitors detect radioactivity above their setpoints, the exhaust flow from the spent Tier 2 12.3-15 Draft Revision 3
NuScale Final Safety Analysis Report Radiation Protection Design Features fuel pool area is diverted to go through HEPA filters and charcoal adsorbers. See Section 9.4.2 for additional details.
The dry dock area is provided with exhaust flow to entrain airborne contamination that may result from NPM components being exposed to air during maintenance activities.
Heating ventilation and air conditioning equipment drains are routed to the RWDS.
In response to a high-radiation signal from the spent fuel exhaust ductwork, the RBVS will change into its high-radiological mode. In this mode, the spent fuel pool exhaust flow is diverted through both the HEPA filters and charcoal adsorbers. The general exhaust fans will reduce capacity and maintain the design exhaust airflows for the RWB and Annex Building. The RBVS supply will also reduce its capacity to provide ventilation air while maintaining a negative pressure in the RXB.
Adequate space for temporary shielding is provided to minimize personnel exposures during maintenance of ventilation equipment, including filters, inspection, and testing.
In addition, the filter units are designed with features that minimize the time required for filter changes.
12.3.3.4 Radioactive Waste Building Heating Ventilation and Air Conditioning System The RWBVS serves the RWB as a once-through system. Outside air is introduced by the main supply air handling unit and is exhausted through the RBVS exhaust system. The main supply air handling unit contains both low and high efficiency outside air filters, a heating coil, and a chilled water cooling coil. Supply air from the main RWBVS is distributed throughout the RWB. Exhaust air is collected and conveyed to the RBVS general exhaust filter units and exhausted through the main stack. The RWBVS maintains airflow from areas of lesser potential contamination to areas of greater potential contamination. The RWBVS also maintains the RWB atmosphere at a slight negative pressure with respect to the outside. See Section 9.4.3 for additional details.
12.3.3.5 Normal Control Room Heating Ventilation and Air Conditioning System During normal operations, the normal control room HVAC system (CRVS) supplies conditioned air to the CRB, including the control room envelope (CRE), the technical support center, and the other areas, of the CRB with outside air that has been filtered (low and high efficiency) to maintain a suitable environment for personnel and equipment. The CRVS is designed to maintain a positive pressure inside the main control room (MCR) with respect to adjacent spaces. See Section 9.4.1 for additional details.
If a high radiation indication is received from an outside air intake radiation monitor, the supply air is routed through the CRVS filter unit which provides additional HEPA and charcoal filtration. Areas served by the CRVS (MCR and technical support center) are designed to maintain operator doses within GPDC 19 limits.
If power is not available, or if a high radiation indication is received from the radiation monitors downstream of the CRVS filter unit, the control room envelope (CRE) isolation dampers close and the control room habitability system is initiated.
Tier 2 12.3-16 Draft Revision 3
Table 14.3-2: Shared/Common Structures, Systems, and Components and Non-Structures, Systems, and components Based Tier 2 NuScale Final Safety Analysis Report Design Features and Inspections, Tests, Analyses, and Acceptance Criteria Cross Reference(1) (Continued)
ITAAC No. System Discussion DBA Internal/External Radiological PRA & Severe FP Hazard Accident 03.11.04 RXB Section 12.3, Radiation Protection Design Features, provides the X design bases for radiation shielding, including type, form and material properties utilized in specific locations. Radiation shielding is provided to meet the radiation zone and access requirements for normal operation and post-accident conditions, and to demonstrate compliance with 10 CFR 50.49, GDC 4, and GPDC 19. Compartment walls, ceilings, and floors, or other barriers provide shielding.
An ITAAC inspection is performed to verify that the thickness of RXB radiation barriers is greater than or equal to the required thicknesses.
The required thicknesses are specified in Tier 1 Table 3.11-1.
03.11.05 RXB Section 12.3.2.2, Design Considerations, provides the design bases X for radiation shielding. Radiation shielding is provided to meet the radiation zone requirements for normal operation and control room access requirements for post-accident conditions. Radiation 14.3-78 attenuating doors must meet or exceed the radiation attenuation capability of the wall within which they are installed.
Certified Design Material and Inspections, Tests, Analyses, and An ITAAC inspection is performed to verify that the RXB radiation attenuating doors are installed in their design location and have a radiation attenuation capability that meets or exceeds that of the wall within which they are installed in accordance with the approved door schedule design.
Acceptance Criteria Draft Revision 3
RSS B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Remote Shutdown Station (RSS)
BASES BACKGROUND Instrumentation located in the RSS provides the control room operator with sufficient displays to ensure the unit reaches a safe shutdown condition atfrom a location other than the control room. The RSS also ensures that control room signals are isolated preventing unintended signals from impacting indication of the unit conditions. This capability is necessary to protect against the possibility that the control room becomes inaccessible (Ref. 1). The passive core cooling systems provided by the Decay Heat Removal System, Emergency Core Cooling System, or an appropriate water level in the containment can be used to remove core decay heat. The use of PASSIVE COOLING systems allows extended operation with no operator action required in MODE 3 once initiated.
If the control room becomes inaccessible, the operators can monitor and maintain the unit in MODE 3 using the displays that are in the RSS. The unit can be maintained in MODE 3 when PASSIVELY COOLED for an extended period of time.
The RSS has several video display units which can be used to monitor unit conditions. The video display units are comparable to those provided in the control room and the operator can display information on the video display units in a manner which is comparable to the way the information is displayed in the control room. The operator normally selects an appropriate set of displays based on the particular operational goals being monitored by the operator at the time.
The OPERABILITY of the remote shutdown display functions ensures there is sufficient information available on selected variables to reach and monitor the passive safety system performance, verify that the unit transitions to MODE 3 and PASSIVELY COOLINGED, and remains stable once this condition is reached should the control room become inaccessible. Activation of the RSS also ensures that control room signals are isolated when control room evacuation is required.
APPLICABLE The RSS is required to provide equipment at appropriate locations SAFETY outside the control room to monitor the safe shutdown condition of the ANALYSES unit, defined as MODE 3 with PASSIVE COOLING established. This is accomplished by providing instrumentation that displays unit conditions.
Passive core cooling systems actuated if the control room is evacuated can establish and maintain safe shutdown conditions for the unit.
NuScale B 3.3.5-1 Draft Revision 3.0
RSS B 3.3.5 BASES APPLICABLE SAFETY ANALYSES (continued)
The criteria governing the design and the specific system requirements for achieving safe shutdown conditions are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 2), which NuScale implements as principal design criterion 19 described in FSAR section 3.1 (Ref. 3). However nNo additional operator actions are required after actuation of passive cooling and therefore the RSS only provides indication to monitor unit conditions.
The remote shutdown station satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO The RSS LCO provides the OPERABILITY requirements of the displays necessary to monitor the passive cooling system performance, verify that the unit transitions to and remains stable once MODE 3 and PASSIVE COOLING is reached, while monitoring from a location other than the control room.
The appropriate instrumentation in the RSS is OPERABLE if the display instrument functions needed to support the required monitoring capability are OPERABLE.
The instrumentation located in the RSS covered by this LCO does not need to be energized or configured to perform its design function, to be considered OPERABLE. During normal operation, the RSS is in standby with the workstations powered and connected to the human machine interface network, but the displays not activated. This LCO is intended to ensure the instrumentation located in the RSS will be OPERABLE if unit conditions require that the RSS be placed in operation.
APPLICABILITY The instrumentation located in the RSS LCO is applicable in MODES 1, 2, and MODE 3 when not PASSIVELY COOLED. This is required so that the unit can be monitored to ensure the unit transitions to MODE 3 and PASSIVELY COOLED, and remains stable in MODE 3 and PASSIVELY COOLED for an extended period of time from a location other than the control room.
This LCO is not applicable in MODE 3 and PASSIVELY COOLED, 4, or
- 5. In these MODES, the unit is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument functions if control room instruments or other actions are required.
NuScale B 3.3.5-2 Draft Revision 3.0
RSS B 3.3.5 BASES ACTIONS A.1 Condition A addresses the situation where the instrumentation in the RSS is inoperable. The Required Action is to restore the instrumentation in the RSS to OPERABLE status within 30 days. The Completion Time is based on the system design for maintainability and the low probability of an event that would require evacuation of the control room.
B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 verifies that the transfer protocol can be performed and that it performs the required functions. This ensures that if the control room becomes inaccessible, from the RSSthe passive cooling system performance can be monitored and evaluated to verify that the unit is transitioning to MODE 3 and PASSIVELY COOLINGED, and remains stable once MODE 3 and PASSIVELY COOLED condition is reached from the RSS.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.5.2 This Surveillance verifies that the workstations in the RSS receive indications from the Module Control System (MCS) and Plant Control System (PCS). The communication is accomplished by use of the MCS and PCS networks.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale B 3.3.5-3 Draft Revision 3.0
RSS B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.5.3 SR 3.3.5.3 verifies the OPERABILITY of the RSS hardware and software by performing diagnostics to show that operator displays are capable of being called up and displayed to an operator at the RSS. The instrumentation in the RSS has several video display units which can be used by the operator.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR Chapter 7, "Instrumentation and Controls."
- 3. FSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."
NuScale B 3.3.5-4 Draft Revision 3.0
SG Tube Integrity B 3.4.9 BASES APPLICABLE The steam generator tube failure (SGTF) accident is the limiting design SAFETY basis event for SG tubes and avoiding an SGTF is the basis for this ANALYSES Specification. The analysis of a SGTF event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.5, RCS Operational LEAKAGE, plus the leakage rate associated with a double-ended failure of a single tube. The accident analysis for a SGTF assumes the contaminated secondary fluid is only briefly released to the atmosphere via safety valves and the majority is discharged to the main condenser.
The analysis for design basis accidents and transients other than a SGTF assume the SG tubes retain their structural integrity (i.e., they are assumed not to fail.) In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs. or is assumed to increase as a result of accident induced conditions. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.8, RCS Specific Activity, limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2) which NuScale implements as principal design criterion 19 described in FSAR section 3.1 (Ref. 3), 10 CFR 50.34 (Ref. 43) or the NRC approved licensing basis (e.g., a small fraction of these limits).
Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging criteria be plugged in accordance with the Steam Generator Program.
During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.
If a tube was determined to satisfy the plugging criteria but was not plugged, the tube may still have tube integrity.
In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall, between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet.
The tube-to-tubesheet weld is not considered part of the tube.
A SG tube has tube integrity when it satisfies the SG performance criteria.
The SG performance criteria are defined in Specification 5.5.4, Steam Generator Program, and describe acceptable SG tube performance.
The Steam Generator Program also provides the evaluation process for NuScale B 3.4.9-2 Draft Revision 3.0
SG Tube Integrity B 3.4.9 BASES LCO (continued)
There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. Failure to meet any one of these criteria is considered failure to meet the LCO.
The structural integrity performance criterion provides a margin of safety against tube failure or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube failure is defined as, The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation. Tube collapse is defined as, For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero. The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term significant is defined as An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting failure/collapse condition to be established. For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis.
The division between primary and secondary classifications will be based on detailed analysis and/or testing.
Structural integrity and the accident induced leakage performance criteria ensures that calculated stress intensity in a SG tube not exceed ASME Code,Section III (Ref. 54) limits for Design and all Service Level A, B, C and D Conditions included in the design specification. SG tube Service Level D represents limiting accident loading conditions. Additionally, NEI 97-06 Tube Structural Integrity Performance Criterion establishes safety factors for tubes with characteristic defects (axial and longitudinal cracks and wear defects), including normal operating pressure differential and accident pressure differential, in addition to other associated accident loads consistent with guidance in Draft Regulatory Guide 1.121 (Ref. 65).
Therefore in addition to meeting the structural integrity criteria, no additional accident induced primary-to-secondary LEAKAGE is assumed to occur as the result of a postulated design basis accident other than a SGTF.
NuScale B 3.4.9-3 Draft Revision 3.0
SG Tube Integrity B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued) as found condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.
The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.
Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.
The Steam Generator Program defines the Frequency of SR 3.4.9.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 76). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.4 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.
If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected unit SGs is restricted by Specification 5.5.4 until subsequent inspections support extending the inspection interval.
SR 3.4.9.2 During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.
The tube plugging criteria delineated in Specification 5.5.4 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.
NuScale B 3.4.9-6 Draft Revision 3.0
SG Tube Integrity B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency of prior to entering MODE 3 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.
REFERENCES 1. NEI 97-06, Rev. [3], Steam Generator Program Guidelines.
- 3. FSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."
- 43. 10 CFR 50.34.
- 54. ASME Boiler and Pressure Vessel Code,Section III, Subsection NB.
- 65. Draft Regulatory Guide 1.121, Basis for Plugging Degraded Steam Generator Tubes, August 1976.
- 76. EPRI, Pressurized Water Reactor Steam Generator Examination Guidelines, Rev. [4].
NuScale B 3.4.9-7 Draft Revision 3.0
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room
- 17. 10 CFR 50, Appendix A, Criterion 19, Control Room 17.1 Introduction and Request 17.1.1 Summary NuScale Power, LLC, (NuScale) requests an exemption from General Design Criterion (GDC) 19 to depart from the portion of the rule requiring equipment outside the control room with a potential capability for subsequent cold shutdown of the reactor when the control room is evacuated.
The underlying intent of the remote shutdown portion of GDC 19 is to provide means for operators to place and maintain the reactor in a safe condition in the event of a control room evacuation. NuScale is requesting an exemption to clarify the GDC requirements as they apply to the NuScale design and substitute the term "safe shutdown" for "cold shutdown." Cold shutdown (i.e., the reactor coolant system at atmospheric pressure and <
200°F following a reactor cooldown) is not necessary to ensure a long-term safe condition following control room evacuation for NuScale's passive advanced light water reactor design. Cold shutdown is not a defined Mode under NuScale's Technical Specification definitions.
In the event of a main control room (MCR) evacuation, all reactors are tripped and decay heat removal and containment isolation are initiated prior to operators evacuating the MCR. These actions result in passive cooling that achieves and maintains safe shutdown (i.e., Mode 3 where keff < 0.99 and all NPM reactor coolant temperatures are < 420°F).
Operators can also place the reactors in safe shutdown from outside the MCR in the module protection system (MPS) equipment rooms within the reactor building.
Following shutdown and initiation of passive cooling, the NuScale design does not rely on operator action outside of the MCR to maintain a safe stable shutdown condition, and control room signals are isolated preventing unintended signals from impacting unit conditions. In addition, no instrumentation or controls are necessary outside the MCR to maintain the NuScale Power Modules (NPMs) in a safe shutdown condition.
The design includes a remote shutdown station (RSS) to monitor plant conditions; however, there are no displays, alarms, or controls in the RSS necessary to achieve or maintain safe shutdown of the NPMs. If the MCR is evacuated, the RSS serves as a central location for the operators to monitor the modules in a safe shutdown condition with DHRS in service for each module. Additionally, the RSS provides defense-in-depth capability to monitor the plant remotely from the MCR and control balance of plant equipment to support asset protection and long-term plant recovery in events where the MCR becomes uninhabitable.
Therefore, NuScale requests an exemption from GDC 19 to implement a design-specific Principal Design Criterion (PDC) 19 that meets the underlying purpose of GDC 19's requirement for means to maintain the reactor in a safe condition in the event of a control room evacuation. Additional changes to PDC 19 are incorporated to improve clarity of the design criterion. As a result of this exemption, the NuScale Power Plant design conforms to Part 7 17-1 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room a principal design criterion for safe shutdown capability in the event of MCR evacuation rather than a requirement for cold shutdown.
17.1.2 Regulatory Requirements 10 CFR 52.47(a) states, in part:
The [design certification] application must contain a final safety analysis report (FSAR) that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole, and must include the following information:
(3) The design of the facility including:
(i) The principal design criteria for the facility. Appendix A to 10 CFR part 50, general design criteria (GDC), establishes minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have previously been issued by the Commission and provides guidance to applicants in establishing principal design criteria for other types of nuclear power units; (ii) The design bases and the relation of the design bases to the principal design criteria. . .
The introduction to 10 CFR 50, Appendix A states, in part:
[T]here may be water-cooled nuclear power units for which fulfillment of some of the General Design Criteria may not be necessary or appropriate. For plants such as these, departures from the General Design Criteria must be identified and justified.
10 CFR 50, Appendix A, GDC 19 states:
Criterion 19 - Control room. A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.
Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design approvals or certifications under part 52 of this chapter who apply on or after January 10, 1997, Part 7 17-2 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room applicants for and holders of combined licenses or manufacturing licenses under part 52 of this chapter who do not reference a standard design approval or certification, or holders of operating licenses using an alternative source term under § 50.67, shall meet the requirements of this criterion, except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent (TEDE) as defined in § 50.2 for the duration of the accident.
17.1.3 Exemption Sought Pursuant to 10 CFR 52.7, NuScale requests an exemption from GDC 19, which requires equipment outside the control room providing a potential capability for cold shutdown of the reactor through the use of suitable procedures.
17.1.4 Effect on NuScale Regulatory Conformance As a result of this exemption, the NuScale Power Plant design, as reflected in the Final Safety Analysis Report (FSAR), conforms to a Principal Design Criterion (PDC) requiring the design capability for safe shutdown from equipment outside the control room, in lieu of the requirements for "design capability for prompt hot shutdown" and "potential capability for subsequent cold shutdown as specified in GDC 19. PDC 19 also clarifies the requirements for control room radiation protection consistent with the current rule.
NuScale's Principal Design Criterion is stated in FSAR Section 3.1, and reflected below:
Criterion 19 - Control room.
A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents.
Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent (TEDE) as defined in 10 CFR 50.2 for the duration of the accident.
Equipment at appropriate locations outside the control room shall be provided with a design capability for safe shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe shutdown condition.
17.2 Justification for Exemption The principal requirement of GDC 19 is to provide a control room from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents, while providing adequate radiation protection for personnel. A secondary requirement is that facilities have equipment at appropriate locations outside the control room " (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.
Part 7 17-3 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room The underlying intent of the remote shutdown portion of GDC 19 is to provide means for operators to maintain the reactor in a safe condition in the event of a control room evacuation.
Proposed GDC 11, later finalized as GDC 19, would have required it to "be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other cause" (32 Federal Register 10216, emphasis added). During the public comment period, industry was concerned that the requirements of GDC 11 could be interpreted to require a second control room (SECY-R 143, Jan. 28, 1971). In response, NRC clarified the requirements in final GDC 19 to spell out separately the "design capability" for prompt hot shutdown and "potential capability for subsequent cold shutdown" in the longer term. There is no indication in the rulemaking record that the NRC intended to alter the intent of proposed GDC 11 with respect to maintaining a "safe condition." NRC guidance is consistent with the interpretation that the "cold shutdown" language was not directed at reactor coolant system temperature, but rather a safe stable shutdown condition. For example, in summarizing the remote shutdown capability requirements in Information Notice 91-53, NRC stated that conditions that could preclude control room accessibility "warrant the use of a remote shutdown system to achieve safe shutdown of the plant."
Therefore, NuScale concludes that the cold shutdown provision was not intended to be stricter than the originally proposed "safe condition," but rather to allow facilities to rely on "potential capabilities" outside the control room for operators to establish a long term safe condition.
Accordingly, the ability to maintain the reactor in a safe shutdown condition in the event of control room evacuation satisfies the underlying purpose of GDC 19. As discussed below, NuScale's proposed PDC 19, replacing "cold shutdown" with "safe shutdown" of the reactor, meets the underlying purpose of the design criterion for NuScale's passive advanced light water reactor design.
17.2.1 Technical Basis The underlying intent of the remote shutdown portion of GDC 19 is to provide means for operators to maintain the reactor in a safe condition in the event of a control room evacuation. For NuScale's passive advanced light water reactor design, the establishment of PDC 19 to require remote "safe shutdown" capability instead of "cold shutdown" is supported and consistent with NRC guidance, such as SECY-94-084, Policy and Technical issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs, which applies to passive residual heat removal systems and RG 1.189, Fire Protection for Nuclear Power Plants regarding fire in the main control room.
As stated in Design-Specific Review Standard for NuScale SMR Design (DSRS) Section 7.0, DSRS Chapter 7 Acceptance Criteria and Review Process Item 3, "Level of Review Applied to I&C Systems":
iii. Safe shutdown systems function to achieve and maintain a safe shutdown condition of the plant. The safe shutdown systems include I&C systems used to maintain the reactor core in a subcritical condition and provide adequate core cooling to achieve and maintain both hot and cold shutdown conditions, as defined in SECY 95-132 "Policy and Technical Issues Associated with the Regulatory Treatment of Nonsafety Systems in Passive Plant Designs (SECY 94-084)."
The term safe shutdown is footnoted with:
Part 7 17-4 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room The NRC considers a "safe stable shutdown condition" for advanced passive LWRs to be a condition by which all plant conditions are stable and within regulatory limits and the reactor coolant system pressure is stabilized and reactor coolant temperature is less than or equal to 215 degrees Celsius (C) (420 degrees Fahrenheit (F)).
As stated in NuScale Power DCA Part 4, Generic Technical Specifications, passive core cooling provided by the Decay Heat Removal System, Emergency Core Cooling System, or an appropriate water level in the containment can be used to remove core decay heat. The use of PASSIVE COOLING systems allows extended operation with no operator action required in MODE 3 once initiated. (i.e., Safe Shutdown where keff < 0.99 and all NPM reactor coolant temperatures are < 420°F).
The NuScale design addresses GDC 19's intent with respect to control room evacuation in two ways. First, the NuScale main control room (MCR) is designed specifically with the ability to place and maintain the reactors in safe shutdown in the event of an MCR evacuation event. Prior to evacuation of the MCR, operators trip the reactors, initiate decay heat removal and initiate containment isolation. These actions result in passive cooling that achieves safe shutdown of the reactors. Operators can also achieve safe shutdown of the reactors from outside the MCR in the module protection system (MPS) equipment rooms within the reactor building. Following shutdown and initiation of passive cooling, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain safe shutdown, and control room signals are isolated preventing unintended signals from impacting unit conditions. The design includes a remote shutdown station (RSS) to monitor conditions; however, there are no displays, alarms, or controls in the RSS necessary to achieve or maintain safe shutdown of the reactors, as there is no manual control of safety-related equipment allowed from the RSS.
In the MCR, each NuScale Power Module (NPM) is provided two redundant, safety-related, hard-wired switches in separate and independent divisions in order to trip the reactor and establish the conditions required to passively achieve safe shutdown. NuScale credits operation of these switches consistent with the guidance in RG 1.189, Section 5.4.4, Control Room Fires. Additionally, the operation of the MCR switches described above is verified by ITAAC 02.05.01 and ITAAC 02.05.13. In accordance with GDC 26 and NuScale PDC 27, the NPM control rods, alone, can hold the reactor subcritical to a conservative minimum reactor coolant system temperature.
Alternate means outside of the MCR are provided to shut down each reactor and establish the conditions required to passively achieve safe shutdown. For each NPM, two separate MPS equipment rooms are provided. Within each MPS equipment room, safety-related components can be physically manipulated to trip its respective reactor and passively achieve safe shutdown.
Following shutdown from the MCR shutdown switches or MPS equipment rooms, the RSS only provides indication to monitor unit conditions; control room signals are isolated preventing unintended signals from impacting the unit conditions. There is no manual control of safety-related equipment allowed from the RSS. The module control system (MCS) equipment located in the RSS is similar to the MCS equipment located in the MCR, but configured in a way that allows monitoring of plant systems. Although no subsequent operator actions are required, the RSS has several video display units which can be used to Part 7 17-5 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room monitor plant conditions. The video display units are comparable to those provided in the control room and the operator can display information on the video display units in a manner which is comparable to the way the information is displayed in the control room.
The operator normally selects an appropriate set of displays based on the particular operational goals being monitored by the operator at the time. The operability of the remote shutdown display functions provides sufficient information to monitor the passive safety system performance, and verify that the unit transitions to MODE 3, is passively cooled, and remains stable. Under normal operating conditions where the MCR is intact and fully functional, the RSS is secured and equipment therein is in a standby state.
17.3 Regulatory Basis 17.3.1 Criteria of 10 CFR 50.12, Specific Exemptions Pursuant to 10 CFR 52.7, "consideration of requests for exemptions from requirements of the regulations of other parts in this chapter, which are applicable by virtue of this part, shall be governed by the exemption requirements of those parts." The exemption requirements for 10 CFR Part 50 regulations are found in 10 CFR 50.12, and are addressed as follows:
The requested exemption is authorized by law (10 CFR 50.12(a)(1)). This exemption is not inconsistent with the Atomic Energy Act of 1954, as amended. The NRC has authority under 10 CFR 52.7 and 10 CFR 50.12 to grant exemptions from the requirements of this regulation. Therefore, the proposed exemption is authorized by law.
The requested exemption will not present an undue risk to the public health and safety (10 CFR 50.12(a)(1)). This exemption does not affect the performance or reliability of power operations, does not impact the consequences of any design basis event, and does not create new accident precursors. Therefore, the exemption will not present an undue risk to the public health and safety.
The requested exemption is consistent with the common defense and security (10 CFR 50.12(a)(1)). The exemption does not affect the design, function, or operation of structures or plant equipment that is necessary to maintain the secure status of the plant.
The proposed exemption has no impact on plant security or safeguards procedures.
Therefore, the requested exemption is consistent with the common defense and security.
Special circumstances are present (10 CFR 50.12(a)(2)(ii)) in that application of the regulation in the particular circumstances would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule. The underlying intent of the remote shutdown portion of GDC 19 is to provide means for operators to place and maintain the reactor in a safe condition in the event of a control room evacuation. NRC guidance recognizes that for passive plant designs, "safe shutdown" is a long-term safe stable shutdown condition. Thus, as a result of this exemption, NuScale's design basis will satisfy the underlying intent of GDC 19.
Special circumstances are present (10 CFR 50.12(a)(2)(iv)) in that the exemption would result in benefit to the public health and safety that compensates for any decrease in safety that may result from the grant of the exemption. Application of the remote cold shutdown provision of GDC 19, as originally prescribed for active plants, would require NuScale to Part 7 17-6 Draft Revision 3
Exemptions 10 CFR 50, Appendix A, Criterion 19, Control Room incorporate additional features increasing complexity of the I&C and shutdown systems.
The NRC's Policy Statement on the Regulation of Advanced Reactors recognizes simplified, passive safety features, including highly reliable and less complex shutdown and decay heat removal systems, as a benefit to the public health and safety. Because safe shutdown is a long term, safe, stable shutdown condition, there is no identified decrease in safety as a result of this exemption.
17.4 Conclusion On the basis of the information presented, NuScale requests that the NRC grant an exemption for the NuScale design certification from the portion of GDC 19 pertaining to potential capability to achieve cold shutdown from equipment outside the control room. PDC 19 maintains the required control room and remote shutdown capabilities, but clarifies that safe shutdown is the necessary reactor condition to achieve and maintain from outside the control room.
Part 7 17-7 Draft Revision 3