ML19105B292

LLC - Submittal of Changes to Final Safety Analysis Report Related to the Decay Heat Removal System and Emergency Core Cooling System Actuation Logic
ML19105B292
Person / Time
Site: NuScale
Issue date: 04/15/2019
From: Rad Z
NuScale
To:
Document Control Desk, Office of New Reactors
References
LO-0419-65170


Text

LO-0419-65170

NuScale Power, LLC
1100 NE Circle Blvd., Suite 200
Corvallis, Oregon 97330
Office 541.360-0500 Fax 541.207.3928
www.nuscalepower.com

April 15, 2019
Docket No. 52-048

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report Related to the Decay Heat Removal System and Emergency Core Cooling System Actuation Logic

REFERENCES:

Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, Revision 2, dated October 30, 2018 (ML18311A006)

During a public teleconference with members of the NRC staff on February 19, 2019, NuScale Power, LLC (NuScale) discussed updates to Final Safety Analysis Report (FSAR) related to the decay heat removal system and emergency core cooling system actuation logic. The changes affect FSAR Tier 1 Section 2.5 Module Protection System and Safety Display and Indication System, Tier 2 Chapter 7, Instrumentation and Controls, Chapter 10, Steam and Power Conversion System, Chapter 16, Technical Specifications, and Tier 2 Part 4 Technical Specifications. The Enclosure to this letter provides a markup of the FSAR pages incorporating revisions to these chapters, in redline/strikeout format. NuScale will include this change as part of a future revision to the NuScale Design Certification Application.

This letter makes no regulatory commitments or revisions to any existing regulatory commitments.

If you have any questions, please feel free to contact Carrie Fosaaen at 541-452-7126 or at cfosaaen@nuscalepower.com.

Sincerely,

Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Samuel Lee, NRC, OWFN-8H12
Gregory Cranston, NRC, OWFN-8H12
Omid Tabatabai, NRC, OWFN-8H12
Getachew Tesfaye, NRC, OWFN-8H12
Cayetano Santos, NRC, OWFN-8H12

Enclosure:

Changes to NuScale Final Safety Analysis Report Tier 1 Section 2.5, Module Protection System and Safety Display and Indication System, Tier 2 Chapter 7, Instrumentation and Controls, Chapter 10, Steam and Power Conversion System, Chapter 16, Technical Specifications, and Tier 2 Part 4, Technical Specifications


NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-2 Draft Revision 3

feedwater CIVs

The MPS supports the CNTS by removing electrical power to the trip solenoids of the following valves on a secondary system isolation actuation signal:

main steam CIVs

main steam bypass valves

feedwater CIVs

The MPS supports the ECCS by removing electrical power to the trip solenoids of the following valves on an ECCS actuation signal:

reactor vent valves

reactor recirculation valves

The MPS supports the CNTS by removing electrical power to the trip solenoids of the following CIVs on a chemical and volume control isolation actuation signal:

RCS injection CIVs

RCS discharge CIVs

Pressurizer spray CIVs

RPV high point degasification CIVs

The MPS supports the chemical and volume control system (CVCS) by removing electrical power to the trip solenoids of the demineralized water system supply isolation valves on a demineralized water system isolation actuation signal.

The MPS supports the ECCS by removing electrical power to the trip solenoids of the reactor vent valves on a low temperature overpressure protection actuation signal.

The MPS supports the low voltage AC electrical distribution system (ELVS) by removing electrical power to the pressurizer heaters on a pressurizer heater trip actuation signal.

The MPS supports the normal DC power system by removing electrical power to the control rod drive system for a reactor trip.

The MPS supports the following systems by providing power to sensors for reactor trip and ESFAS actuation:

CNTS

RCS

DHRS (main steam system pressure sensors)

The MPS performs the following nonsafety-related system function that is verified by ITAAC.

The MPS supports the following systems by providing power to sensors for post-accident monitoring (PAM) Type B and Type C variables:

CNTS

RCS

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-6 Draft Revision 3 Table 2.5-1: Module Protection System Automatic Reactor Trip Functions Parameter Input Variable Interlock/Permissive High source range count rate Source range count rate N-1 permissive High source range log power rate Source range log power N-1 permissive High intermediate range log power rate Intermediate range log power N-2L interlock High-1 power range linear power Power range linear power N-2L permissive High-2 power range linear power Power range linear power None High power range positive rate Power range rate (calculated from power range power)

N-2H interlock High power range negative rate Power range rate (calculated from power range power)

N-2H interlock High narrow range containment pressure Narrow range containment pressure None High narrow range RCS hot temperature Narrow range RCS hot temperature (NR RCS Thot)

L-1None High pressurizer level Pressurizer level None High pressurizer pressure Pressurizer pressure None High main steam pressure Steam Generator (SG) 1 Main steam pressure (DHRS inlet pressure)

None High main steam pressure SG 2 Main steam pressure (DHRS inlet pressure)

None High main steam superheat SG 1 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

None High steam superheat SG 2 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

None Low AC Vvoltage to battery chargers ELVS voltage None Low low RCS flow RCS flow None Low pressurizer level Pressurizer level None Low pressurizer pressure Pressurizer pressure T-4 interlock Low low pressurizer pressure Pressurizer pressure None Low main steam pressure SG 1 Main steam pressure (DHRS inlet pressure)

N-2H interlock Low main steam pressure SG 2 Main steam pressure (DHRS inlet pressure)

N-2H Low low main steam pressure SG 1 Main steam pressure (DHRS inlet pressure)

None Low low main steam pressure SG 2 Main steam pressure (DHRS inlet pressure)

None Low main steam superheat SG 1 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

NoneV-1 interlock N-2H interlock Low steam superheat SG 2 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

None High under-the-bioshield temperature Under-the-bioshield temperature None

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-7 Draft Revision 3 Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions Engineered Safety Feature Function Protective Input Variable Interlock/Permissive ESFAS - ECCS actuation High containment water level Containment water level T-3 interlock L-2 interlock Low RPV riser level RPV riser level None Low ELVS voltage 24-hour timer ELVS voltage None ESFAS - DHRS actuation High narrow range containment pressure Narrow range containment pressure T-3 L-1 High narrow range RCS hot temperature Narrow range RCS hot temperature (NR RCS Thot)

L-1None High pressurizer pressure Pressurizer pressure L-1None High main steam pressure SG 1

Main steam pressure (DHRS inlet pressure)

L-1None High main steam pressure SG 2

Main steam pressure (DHRS inlet pressure)

L-1 High steam superheat SG 1 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

L-1 High steam superheat SG 2 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

L-1 Low AC Vvoltage to battery chargers ELVS voltage None Low low pressurizer level Pressurizer level T-2 L-1 Low pressurizer pressure Pressurizer pressure T-4 L-1 Low low pressurizer pressure Pressurizer pressure T-3 L-1 Low main steam pressure SG 1

Main steam pressure (DHRS inlet pressure)

N-2H Low main steam pressure SG 2

Main steam pressure (DHRS inlet pressure)

N-2H Low low main steam pressure SG 1 Main steam pressure (DHRS inlet pressure)

L-1 Low low main steam pressure SG 2 Main steam pressure (DHRS inlet pressure)

L-1 Low steam superheat SG 1 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

L-1 Low steam superheat SG 2 Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

L-1 High under-the-bioshield temperature Under-the-bioshield temperature None

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-8 Draft Revision 3 ESFAS - Secondary System Isolation High pressurizer pressure Pressurizer pressure None High narrow range RCS hot temperature Narrow range RCS hot temperature (NR RCS Thot)

None Low main steam pressure Main steam pressure N-2H interlock Low low main steam pressure Main steam pressure L-1 interlock High main steam pressure Main steam pressure None Low main steam superheat Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

L-1 interlock V-1 interlock N-2H interlock High main steam superheat Main steam pressure (DHRS inlet pressure)

Main steam temperature (DHRS inlet temperature)

None High narrow range containment pressure Narrow range containment pressure T-3 interlock L-1 interlock Low low pressurizer pressure Pressurizer pressure T-5 interlock RT-1 interlock Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock Low AC voltage to battery chargers ELVS voltage None High under-the-bioshield temperature Under-the-bioshield temperature None ESFAS - containment system isolation High narrow range containment pressure Narrow range containment pressure T-3 interlock Low AC voltage toELVS 480VAC to EDSS battery chargers ELVS bus voltage None Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock High under-the-bioshield temperature Under-the-bioshield temperature None ESFAS - demineralized water system isolation High subcritical multiplication Source range count rate N-1 interlock Low RCS flow RCS flow None Automatic reactor trip N/A N/AT-5 interlock RT-1 interlock Manual reactor trip N/A N/A Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions (Continued)

Engineered Safety Feature Function Protective Input Variable Interlock/Permissive

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-9 Draft Revision 3 ESFAS - chemical and volume control system isolation High narrow range containment pressure Narrow range containment pressure T-3 interlock High pressurizer level Pressurizer level None Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock Low pressurizer pressure Pressurizer pressure T-4 Low low pressurizer pressure Pressurizer pressure T-3T-5 interlock RT-1 interlock Low low RCS flow RCS flow F-1 interlock RT-1 interlock Low AC voltage to battery chargers ELVS voltage None High under-the-bioshield temperature Under-the-bioshield temperature None ESFAS - pressurizer heater trip Low pressurizer level Pressurizer level None High pressurizer pressure Pressurizer pressure None High narrow range RCS hot temperature Narrow range RCS hot temperature (NR RCS Thot)

None Low AC voltage to battery chargers ELVS voltage None Automatic DHRS actuationHigh main steam pressure N/AMain steam pressure (DHRS inlet pressure)

N/ANone Manual DHRS actuation N/A N/A Automatic containment isolation N/A N/A Manual containment isolation N/A N/A Low temperature overpressure protection actuation Low temperature interlock with high pressure Wide range RCS cold temperature (WR RCS Tcold)

Wide range RCS pressure T-1 interlock Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions (Continued)

Engineered Safety Feature Function Protective Input Variable Interlock/Permissive

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-10 Draft Revision 3 Table 2.5-3: Module Protection System Manual Switches Reactor trip Neutron flux trip bypassOperating bypass ECCSEmergency core cooling system actuation Containment system isolation actuation DHRSDecay heat removal system actuation Secondary system isolation actuation CVCSChemical and volume control system isolation actuation Demineralized water system isolation actuation Pressurizer heater breaker trip Low temperature overpressure protection actuation ESFAS actuation isolationMain control room isolation CNTS isolation oOverride Enable nonsafety control

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-11 Draft Revision 3

Table 2.5-4: Module Protection System Interlocks/Permissives/Overrides

Interlock/Permissive/Override

F-1 RCS flow interlock
L-1 Containment water level interlock
L-2 Pressurizer level interlock
N-1 Intermediate range log power interlock/permissive
N-2H Power range linear power interlock
N-2L Power range linear power interlock/permissive
O-1 CNTS isolation override
RT-1 Reactor tripped interlock
T-1 Wide range RCS cold temperature interlock
T-2 Wide range RCS hot temperature interlock
T-3 Wide range RCS hot temperature interlock
T-4 Narrow range RCS hot temperature interlock
T-5 Wide range RCS hot temperature interlock
V-1 Feedwater isolation valve closed interlock

NuScale Tier 1 Module Protection System and Safety Display and Indication System Tier 1 2.5-16 Draft Revision 3

xi. An analysis will be performed of the output documentation of the Software Implementation Phase.

xi. The output documentation of the MPS Software Implementation Phase satisfies the requirements of the Software Implementation Phase.

xii. An analysis will be performed of the output documentation of the Software Configuration Phase.

xii. The output documentation of the MPS Software Configuration Phase satisfies the requirements of the Software Configuration Phase.

xiii. An analysis will be performed of the output documentation of the System Testing Phase.

xiii. The output documentation of the MPS Testing Phase satisfies the requirements of the System Testing Phase.

xiv. An analysis will be performed of the output documentation of the System Installation Phase.

xiv. The output documentation of the MPS Installation Phase satisfies the requirements of the System Installation Phase.

2. Protective measures are provided to restrict modifications to the MPS tunable parametersNot used.

A test will be performed on the access control features associated with MPS tunable parametersNot used.

Protective measures restrict modification to the MPS tunable parameters without proper configuration and authorizationNot used.

3. Physical separation exists between the redundant separation groups and divisions of the MPS Class 1E instrumentation and control current-carrying circuits, and between Class 1E instrumentation and control current-carrying circuits and non-Class 1E instrumentation and control current-carrying circuits.

An inspection will be performed of the MPS Class 1E as-built instrumentation and control current-carrying circuits.

i. Physical separation between redundant separation groups and divisions of MPS Class 1E instrumentation and control current-carrying circuits is provided by a minimum separation distance, or by barriers (where the minimum separation distances cannot be maintained), or by a combination of separation distance and barriers.

ii. Physical separation between MPS Class 1E instrumentation and control current-carrying circuits and non-Class 1E instrumentation and control current-carrying circuits is provided by a minimum separation distance, or by barriers (where the minimum separation distances cannot be maintained), or by a combination of separation distance and barriers.

4. Electrical isolation exists between the redundant separation groups and divisions of the MPS Class 1E instrumentation and control circuits, and between Class 1E instrumentation and control circuits and non-Class 1E instrumentation and control circuits to prevent the propagation of credible electrical faults.

An inspection will be performed of the MPS Class 1E as-built instrumentation and control circuits.

i. Class 1E electrical isolation devices are installed between redundant separation groups and divisions of MPS Class 1E instrumentation and control circuits.

ii. Class 1E electrical isolation devices are installed between MPS Class 1E instrumentation and control circuits and non-Class 1E instrumentation and control circuits.

Table 2.5-7: Module Protection System and Safety Display and Indication System Inspections, Tests, Analyses, and Acceptance Criteria (Continued)

No.

Design Commitment Inspections, Tests, Analyses Acceptance Criteria

NuScale Final Safety Analysis Report Introduction Tier 2 1.1-16 Draft Revision 3

Table 1.1-1: Acronyms and Abbreviations (Continued)

Acronym or Abbreviation Description

SG separation group
SG steam generator
SG strain gauge
SGI safeguards information
SGS steam generator system
SGTF steam generator tube failure
SICS safety information and control system
SIL software integrity level
SLB steam line break
SLP site layout plan
SM single module
SMA seismic margin assessment
SMACNA Sheet Metal and Air Conditioning Contractors' National Association
SME subject matter expert
SMR small modular reactor
SMS seismic monitoring system
SNL Sandia National Laboratories
SNM special nuclear material
SOCA security owner controlled area
SOV solenoid-operated valve
SPAR standardized plant analysis risk
SPND self-powered neutron detector
SPS security power system
SQDP seismic qualification data package
SQRF seismic qualification record form
SQUG Seismic Qualification Utility Group
SR surveillance requirement
SREC standard radiological effluent control
SRI Stanford Research Institute
SRM staff requirements memorandum
SRP Standard Review Plan
SRSS square root of the sum of the squares
SRST spent resin storage tank
SRV sump recirculation valve
SRWS solid radioactive waste system
SSA safe shutdown analysis
SSC structures, systems, and components
SSCIV secondary system containment isolation valve
SSE safe shutdown earthquake
SSI soil-structure interaction or secondary system isolation
SSS secondary sampling system
SSSI structure-soil-structure interaction
SST station service transformer
STPA System-Theoretic Process Analysis
SUNSI sensitive unclassified non-safeguards information
SVM schedule and voting module
SWIS service water intake structure
SWMS solid waste management system
SWV shear wave velocity
SWYD switchyard system

NuScale Final Safety Analysis Report Instrumentation and Controls - Introduction and Overview Tier 2 7.0-17 Draft Revision 3

The NuScale power plant normal operation and power maneuvering control functions are provided by the following MCS functions for each NPM:

turbine trip, throttle and governor valve control

turbine bypass valve control

feedwater pump speed control

feedwater regulating valve control

RCSReactor coolant system boron concentration (chemical shim) control

control rod drive system control

pressurizer pressure control

pressurizer level control

The control inputs and functions for each during normal power operation are described below.

Turbine Trip, Throttle and Governor Valve Control

The turbine trip, throttle, and governor controls rely on the following control inputs:

main turbine control system (MTCS) package sensors (case temperatures, drain valve position, eccentricity, speed sensing, shaft axial position, journal bearing displacement, journal bearing temperature and other sensors)

demand power level (main turbine generator load or reactor power) from MCS and MTCS

main steam line flow

turbine inlet steam pressure

secondary system calorimetric input

target reactor power and change rate via the MCR operator workstation

turbine generation limit and load change rate via the MCR operator workstation

During normal power operations, the turbine governor control maintains steam header pressure as a function of reactor power demand. During load following, operator input via the MCR human-system interface establishes the turbine generation limit. The turbine bypass valves divert excess steam energy to the main condenser to limit turbine generation to the power generation target. While normal turbine generator power changes are limited to a fixed rate, the turbine generator is capable of loading/unloading by diverting steam flow to and from the turbine bypass valves.

Turbine Bypass Valve Control

The turbine bypass valve control relies on the following control inputs:

turbine trip

reactor trip

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-33 Draft Revision 3

modules within a safety block would result in a complete spurious actuation in the opposite safety block due to the 2-out-of-4 voting performed by each safety block.

Partial spurious actuation is credible for digital-based CCF postulated in the EIMs of a safety block. To identify the extent of partial spurious actuations due to digital based CCF, the EIMs are evaluated and grouped by the protective action(s) configured on the EIM. The EIMs that only perform decay heat removal actuation are considered to be unaffected by a digital-based CCF that affects EIMs that perform decay heat removal and containment isolation. Based on this approach, seveneight possible partial spurious actuation scenarios are identified in Table 7.1-11. For scenarios 1 and 2, a D3 coping analysis was performed to demonstrate that the spurious actuations result in conditions that are bounded by the plant safety analyses, as discussed in Section 7.1.5.2.2.

Each Division of RTS has two RTBs. A partial spurious actuation of RTS within a Division does not result in a reactor trip and, thus, is not evaluated further. This is summarized in Table 7.1-12.

By crediting the diversity attributes between the two Safety Blocks, scenarios 3 and 4 do not prevent the unaffected Safety Block from initiating protective actions when plant conditions require them. While Scenario 4 would result in conflicting information in the MCR, there are other blocks available to resolve conflicting information.

Figure 7.1-8 identifies the blocks (with green outline) relied upon to automatically initiate safety-related functions when one of the safety blocks has a digital-based CCF (shown in red). Figure 7.1-9 identifies in green outline the available blocks used to resolve information discrepancy and to automatically initiate safety-related functions if a safety block had a CCF (shown in red).

Non-Class 1E Monitoring and Indication Block

Non-Class 1E Monitoring and Indication block includes controls for safety and nonsafety equipment. Because non-Class 1E Monitoring and Indication is used for normal day-to-day operations, any spurious actuation of a major control function (e.g., rod control, feedwater control) by a digital-based CCF within non-Class 1E Monitoring and Indication block is immediately identifiable and, if it exceeds operating limits, is mitigated by Safety Blocks I or II. Figure 7.1-10 identifies the assumed digital-based CCF in red and shows in green outline the available blocks and signals used to resolve information discrepancy.

The actuation priority logic can be used to allow control of safety-related components using non-Class 1E controls; however, this can only be enabled by the operator using a safety-related switch. Without this feature being enabled, the non-Class 1E signals to the actuation priority logic are ignored. Because of the limited period in time in which safety-related components are controlled by non-Class 1E controls, it is not considered credible for a digital based CCF to occur while the enable nonsafety control input is active. The limitations on when the enable nonsafety control switch can be positioned to allow control of safety-related components from nonsafety-related controls are controlled by the plant operating procedures described in Section 13.5.2. As a result, no digital-based

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-35 Draft Revision 3

Failed Low Signal

The affected variables are pressurizer level, RPV water level, and containment water level. Because protective actions are actuated when at least two-out-of-four separation groups demand a reactor trip or ESF actuation, a failed low signal results in a spurious reactor trip, containment system isolation, decay heat removal system (DHRS) actuation, chemical and volume control system (CVCS) isolation, emergency core cooling system (ECCS) actuation, and pressurizer heater trip, and secondary system isolation.

Failed low signals received by Safety Block I are transmitted to MCS, displayed in the MCR, and used for nonsafety control functions. With the spurious actuation of a reactor trip, CNTScontainment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to two correct and two incorrect sensor values has no further impact. Out of the failed low signals, pressurizer level is the only signal used for nonsafety-related controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.

Failed High Signal

The affected variables are pressurizer level, RPV water level, and containment water level. Because protective actions are actuated when at least two-out-of-four separation groups demand a reactor trip or ESF actuation, a failed high signal results in a spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation.

Failed high signals received by Safety Block I are transmitted to MCS, displayed in the MCR, and used for nonsafety control functions. With the spurious actuation of a reactor trip, and CVCS isolation, the MCS response to two correct and two incorrect sensor values has a no further impact. Out of the failed high signals, pressurizer level is the only signal used for nonsafety controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.

With Sensor Block II still capable of actuating on low-level signals (e.g., containment isolation on low-low pressurizer level), capability to initiate other ESFs is not lost.

Failed As-Is

The affected variables are pressurizer level, RPV water level, and containment water level. The failed as-is condition for two of the four sensors for each affected variable does not prevent the initiation of a reactor trip or ESF actuation. Sensor Block II is still capable of identifying plant conditions requiring protective actions.

Failed as-is signals do not lead to spurious initiation of protective actions. Failed as-is signals may go unnoticed until the valid signals significantly deviate from the failed signals.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-36 Draft Revision 3

Digital-Based CCF of Pressure Measuring System Function Type

A digital-based CCF of pressure measuring system function type for Sensor Block I (Figure 7.1-12) causes

spurious actuations from MPS

incorrect information provided to SDIS

incorrect information provided to MCS

Failed Low Signal

The affected variables are pressurizer pressure and wide-range RCS pressure. Failed low signals in the four sensors for each affected variable can result in a spurious reactor trip, demineralized water system isolation,DHRS actuation, CVCS isolation, and pressurizer heater tripsecondary system isolation.

Failed low signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, DHRS actuationdemineralized water system isolation, and CVCS isolation, the MCS response to four incorrect sensor values has no further impact.

The automatic MCS response to a drop in pressure is to turn on the pressurizer heaters;, which is bounded by the spectrum of heatup event analyses described in Chapter 15.however, with the pressurizer heater trip, pressurizer heaters are unavailable.

Failed High Signal

The affected variables are pressurizer pressure and wide-range RCS pressure. A failed high signal affecting the four sensors for the affected variables can result in a spurious reactor trip, CNTS isolation, DHRS actuation, CVCS isolationdemineralized water system isolation, and pressurizer heater trip, and secondary system isolation.

Failed high signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, CVCS isolationcontainment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to four incorrect sensor values has a no further impact. The automatic MCS response to a rise in pressure is to use pressurizer spray; however, with the isolation of the CVCSclosure of the containment isolation valves, pressurizer spray is unavailable.

Failed As-Is

The affected variables are pressurizer pressure and wide-range RCS pressure. The failed as-is condition for the four sensors of each affected variable does not result in spurious actuations; however, it can prevent initiation of protective actions if a DBE were to occur. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-37 Draft Revision 3

Digital-Based CCF of Flow Measurement Function Type

A digital-based CCF of flow measurement function type for Sensor Block I (Figure 7.1-13) causes

spurious actuations from MPS

incorrect information provided to SDIS

incorrect information provided to MCS

Failed Low Signal

The affected variable is RCS flow. A failed low signal for the four channels results in a spurious reactor trip, demineralized water system (DWS) isolation and CVCS isolation. There is no further impact associated with a failed low signal.

Failed High Signal

The affected variable is RCS flow. A failed high signal for the four channels does not result in spurious actuations; however, the safety blocks would be unable to identify a low RCS flow condition and the operator would have incorrect information.

Failure to identify a low RCS flow condition failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.

Failed As-Is

The affected variable is RCS flow. The failed as-is condition for the four channels does not result in spurious actuations. The failed as-is condition can prevent initiation of protective actions based on low flow conditions; however, the RCS flow sensor is not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2 and Table 7.1-18. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
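The failed low, failed high and failed as-is reasoning above, run through 2-out-of-4 voting, as an added example that is not part of the NuScale submittal. Trip setpoints, instrument span and the normal and upset values are constructed percent-of-span numbers, not plant values; the number of channels hit by the CCF follows the text (two of four for the level function type, four for pressure and flow).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed values in percent of instrument span (assumptions, not plant data).
SPAN_LO, SPAN_HI = 0.0, 100.0
NORMAL = 50.0      # process value during normal operation
UPSET_LOW = 10.0   # process value during an event that needs the low trip


@dataclass(frozen=True)
class Variable:
    name: str
    low_trip: Optional[float]    # bistable trips at or below this value
    high_trip: Optional[float]   # bistable trips at or above this value
    failed_channels: int         # channels affected by the postulated CCF


# Two of four level channels fail (one sensor block); all four pressure
# and flow channels fail, as described in the text above.
LEVEL = Variable("pressurizer level", low_trip=30.0, high_trip=80.0, failed_channels=2)
PRESSURE = Variable("pressurizer pressure", low_trip=30.0, high_trip=85.0, failed_channels=4)
FLOW = Variable("RCS flow", low_trip=20.0, high_trip=None, failed_channels=4)


def vote_2oo4(demands: List[bool]) -> bool:
    """Actuate when at least two of the four separation groups demand it."""
    if len(demands) != 4:
        raise ValueError("expected one demand per separation group")
    return sum(demands) >= 2


def protective_action(var: Variable, readings: List[float]) -> bool:
    """Vote the low and high bistables separately, then OR the results."""
    low = var.low_trip is not None and vote_2oo4([r <= var.low_trip for r in readings])
    high = var.high_trip is not None and vote_2oo4([r >= var.high_trip for r in readings])
    return low or high


def readings_with_ccf(var: Variable, mode: str, true_value: float) -> List[float]:
    """Channel readings when the CCF pins the affected channels.

    'low' and 'high' pin them to the span limits; 'as_is' freezes them at
    the value they held during normal operation.
    """
    failed_value = {"low": SPAN_LO, "high": SPAN_HI, "as_is": NORMAL}[mode]
    n = var.failed_channels
    return [failed_value] * n + [true_value] * (4 - n)


def assess(var: Variable, mode: str) -> dict:
    """Classify one failure mode for one variable.

    spurious: a protective action is voted while the plant is normal.
    masked:   the plant needs the low trip but no protective action is voted.
    """
    spurious = protective_action(var, readings_with_ccf(var, mode, NORMAL))
    demanded = protective_action(var, [UPSET_LOW] * 4)
    actuated = protective_action(var, readings_with_ccf(var, mode, UPSET_LOW))
    return {"spurious": spurious, "masked": demanded and not actuated}


if __name__ == "__main__":
    for var in (LEVEL, PRESSURE, FLOW):
        for mode in ("low", "high", "as_is"):
            result = assess(var, mode)
            print(f"{var.name:22s} failed {mode:6s} "
                  f"spurious={result['spurious']!s:5s} masked={result['masked']}")
```

A spurious result is an availability problem that the plant safety analyses must bound; a masked result is the silent case the text classifies as a Type 3 failure, and it is the one that periodic channel checks and diverse indication have to catch.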

7.1.5.1.7 Guideline 7 - Use of Identical Hardware and Software Modules

The digital-based flow and pressure measuring system function type found in Sensor Block I and II are considered to be identical. The other blocks are considered to be independent such that a postulated digital-based CCF is limited to a block.

Diversity attributes within and between blocks are discussed in Section 7.1.5.1.2.

7.1.5.1.8 Guideline 8 - Effect of Other Blocks

The blocks are assumed to function correctly in response to inputs that are correct or incorrect.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-42 Draft Revision 3

7.1.5.2 Results and Conclusions

7.1.5.2.1 Vulnerabilities to Spurious Actuations resulting from Digital-Based Common Cause Failures

After applying the guidelines of NUREG/CR-6303, the following potential vulnerabilities have been identified:

1) Potential digital-based CCF within a safety block may lead to spurious initiation of a protective action, as described in Section 7.1.5.1.6:

  • reactor trip
  • DHRSdecay heat removal system actuation
  • ECCSemergency core cooling system actuation
  • containment system isolation
  • CVCSchemical and control volume system isolation
  • pressurizer heater trip
  • DWSdemineralized water system isolation
  • low temperature overpressure protection (LTOP)
  • secondary system isolation

2) Potential digital-based CCF within a safety block may lead to spurious partial initiation of protective actions (Section 7.1.5.1.6). The identified consequencesscenarios are provided in Table 7.1-11.
3) Potential digital-based CCF of level function type within Sensor Block I or II may result in one of the following (Section 7.1.5.1.6):

  • spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, ECCS actuation, demineralized water system isolation, and pressurizer heater trip, and secondary system isolation
  • spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation

4) Potential digital-based CCF of pressure measuring system function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):

  • spurious reactor trip, DHRS actuation, CVCS isolation, demineralized water system isolation, and secondary system isolationpressurizer heater trip
  • spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, demineralized water system isolation, and secondary system isolationpressurizer heater trip
  • Type 3 failure for the digital-based pressure measuring system function type sensors

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-66 Draft Revision 3

Table 7.1-3: Reactor Trip Functions

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Power Range Linear Power | High-1 = 25% RTP; High-2 = 120% RTP | 4 | 2/4 |
| High Intermediate Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Power Range Positive and Negative Rate | +/- 15% RTP/minute | 4 | 2/4 |
| High Source Range Count Rate | 5x10^5 cps | 4 | 2/4 |
| High Source Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR RCS Thot) | 610°F | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| High Pressurizer Pressure | 2000 psia | 4 | 2/4 |
| Low Pressurizer Pressure | 1720 psia | 4 | 2/4 |
| Low Low Pressurizer Pressure | 1600 psia | 4 | 2/4 |
| High Pressurizer Level | 80% | 4 | 2/4 |
| Low Pressurizer Level | 35% | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low Main Steam Pressure | 300 psia | 4 | 2/4 |
| Low Low Main Steam Pressure | 10020 psia | 4 | 2/4 |
| High Main Steam Superheat (MS Temperature and Pressure) | 150°F | 4 | 2/4 |
| Low Main Steam Superheat (MS Temperature and Pressure) | 0.0°F | 4 | 2/4 |
| Low Low RCS Flow | 0.0 ft^3/s | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 1) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

Note 1: Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system. The Analytical Limit is based on loss of AC power to plant busses (0 volts); the actual bus voltage used is based upon the voltage ride-thru characteristics of the EDSS battery chargers.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-67 Draft Revision 3

Table 7.1-4: Engineered Safety Feature Actuation System Functions

ESF Function: Emergency Core Cooling System (ECCS)

System Automated Function: Removes Electrical Power to the trip solenoids of the reactor vent valves. Removes electrical power to the trip solenoids of the reactor recirculation valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Containment Water Level | 260 - 220264" - 300" (elevation) (Note 3) | 4 | 2/4 |
| Low RPV Riser Level | 390- 350 (elevation) (Note 3) | 4 | 2/4 |
| Low ELVS voltage 24-hour Timer | 24 hours | 3 | 2/3 |

ESF Function: Decay Heat Removal System (DHRS)

System Automated Function: Removes electrical power to the trip solenoids of the decay heat removal valves. Removes electrical power to the trip solenoids of the following valves in the containment, main steam, and feedwater systems:

  • feedwater regulating valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Pressurizer Pressure | 2000 psia | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR RCS Thot) | 610°F | 4 | 2/4 |
| Low Main Steam Pressure | 300 psia (> 15% RTP) | 4 | 2/4 |
| Low Low Main Steam Pressure | 100 psia ( 15% RTP) | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low Steam Superheat (MS Temperature and Pressure) | 0.0°F | 4 | 2/4 |
| High Steam Superheat (MS Temperature and Pressure) | 150°F | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| Low Pressurizer Pressure | 1720 psia (Note 1) | 4 | 2/4 |
| Low Low Pressurizer Pressure | 1600 psia (Note 2) | 4 | 2/4 |
| Low Low Pressurizer Level | 20% | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-68 Draft Revision 3

Table 7.1-4: Engineered Safety Feature Actuation System Functions (Continued)

ESF Function: Secondary System Isolation

System Automated Function: Removes electrical power to the trip solenoids of the following valves in the containment, main steam, and feedwater systems:

  • feedwater regulating valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Pressurizer Pressure | 2000 psia | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR Thot) | 610°F | 4 | 2/4 |
| Low Main Steam Pressure | 300 psia (15% RTP) | 4 | 2/4 |
| Low Low Main Steam Pressure | 20 psia | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low Main Steam Superheat (MS Temperature and Pressure) | 0.0°F | 4 | 2/4 |
| High Main Steam Superheat (MS Temperature and Pressure) | 150°F | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| Low Low Pressurizer Pressure | 1600 psia (Note 2) | 4 | 2/4 |
| Low Low Pressurizer Level | 20% | 4 | 2/4 |
| Low ELVS 480VAC to EDSS Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-69 Draft Revision 3

Table 7.1-4: Engineered Safety Feature Actuation System Functions (Continued)

ESF Function: Containment System Isolation (CSI) Signal

System Automated Function: Removes electrical power to the trip solenoids of the following valves:

  • RCS injection valves
  • RCS discharge valves
  • PZR spray valves
  • RPV high point degasification line valves
  • containment evacuation system valves
  • reactor component cooling water system supply and return valves
  • containment flooding and drain system valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| Low Low Pressurizer Level | 20% | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

ESF Function: Demineralized Water System Isolation (DWSI)

System Automated Function: Removes electrical power to the trip solenoids of the demineralized water supply valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Power Range Linear Power | High-1 = 25% RTP; High-2 = 120% RTP | 4 | 2/4 |
| High Intermediate Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Power Range Positive and Negative Rate | +/- 15% RTP/minute | 4 | 2/4 |
| High Source Range Count Rate | 5x10^5 cps | 4 | 2/4 |
| High Source Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR RCS Thot) | 610°F | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| High Pressurizer Pressure | 2000 psia | 4 | 2/4 |
| Low Pressurizer Pressure | 1720 psia (Note 1) | 4 | 2/4 |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-70 Draft Revision 3

Table 7.1-4: Engineered Safety Feature Actuation System Functions (Continued)

ESF Function: Demineralized Water System Isolation (DWSI) (continued)

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| Low Low Pressurizer Pressure | 1600 psia (Note 2) | 4 | 2/4 |
| High Pressurizer Level | 80% | 4 | 2/4 |
| Low Pressurizer Level | 35% | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low Main Steam Pressure | 300 psia (> 15% RTP) | 4 | 2/4 |
| Low Low Main Steam Pressure | 10020 psia ( 15% RTP) | 4 | 2/4 |
| High Main Steam Superheat (MS Temperature and Pressure) | 150°F | 4 | 2/4 |
| Low Main Steam Superheat (MS Temperature and Pressure) | 0.0°F | 4 | 2/4 |
| Low RCS Flow | 1.7 ft^3/s | 4 | 2/4 |
| Low Low RCS Flow | 0.0 ft^3/s | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |
| High Subcritical Multiplication (SCM) | 3.2 | 4 | 2/4 |

ESF Function: Chemical and Volume Control System Isolation (CVCSI)

System Automated Function: Removes electrical power to the trip solenoids of the following valves:

  • RCS injection valves
  • RCS discharge valves
  • PZR spray valves
  • RCS high point degasification valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Pressurizer Level | 80% | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| Low Pressurizer Pressure | 1720 psia (Note 1) | 4 | 2/4 |
| Low Low Pressurizer Pressure | 1600 psia (Note 2) | 4 | 2/4 |
| Low Low Pressurizer Level | 20% | 4 | 2/4 |
| Low Low RCS Flow | 0.0 ft^3/s | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-71 Draft Revision 3

Table 7.1-4: Engineered Safety Feature Actuation System Functions (Continued)

ESF Function: Pressurizer Heater Trip

System Automated Function: Removes electrical power to the PZR heaters

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| Low Pressurizer Level | 35% | 4 | 2/4 |
| Any DHRS Actuation - See DHRS Actuation VariablesHigh Pressurizer Pressure | See DHRS Actuation Analytical Limits2000 psia | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR RCS Thot) | 610°F | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) | 4 | 2/4 |

ESF Function: Low Temperature Overpressure Protection (LTOP)

System Automated Function: Removes electrical power to the trip solenoids of the reactor vent valves

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| Low Temperature Interlock with High Pressure (WR RCS cold temperature and WR RCS Pressure) | Variable based on WR RCS cold temperature and WR RCS Pressure as listed in Table 5.2-10 | 4 | 2/4 |

Note 1: If RCS hot temperature is above 600°F.

Note 2: If RCS hot temperature is <below 600°F.

Note 3: RPV riser level and CNVContainment vessel water level are presented in terms of elevation where reference zero is the bottom of the reactor pool. The ranges allow +/-1820" from the nominal ECCS level setpoint of 282370" and 240", respectively.

Note 4: Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system. The Analytical Limit is based on loss of AC power to plant busses (0 volts); the actual bus voltage used is based upon the voltage ride-thru characteristics of the EDSS battery chargers.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-73 Draft Revision 3

Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)

Interlock/Permissive/Override | Condition for Interlock/Permissive/Override | Function

N-2H Interlock

Power Range Linear Power Interlock: Interlock established when at least 3 of 4 Power Range Linear Power Channels < 15% RTP

Automatically establishes an operating bypass of the following:

  • Demineralized Water System Isolation actuation on High Power Range Positive Rate
  • Demineralized Water System Isolation actuation on High Power Range Negative Rate
  • DHRSSecondary system isolation (SSI) actuation on Low Main Steam Pressure
  • Demineralized water system isolation actuation on Low Main Steam Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

V-1 Interlock

FWIV Closed Interlock: Interlock established when one FWIV indicates closed.

Automatically establishes an operating bypass of the following when N-2H is active (below 15% RTP):

  • Secondary system isolation on Low Main Superheat.

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

RT-1 Interlock

Reactor Tripped Interlock: Interlock is established when both divisional reactor trip (RT) breakers indicate open

The RT-1 Interlock is used in conjunction with the F-1, T-2 and L-1 interlocks, and the override function O-1.

T-1 Interlock

Wide Range RCS Cold Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Cold Temperature channels > 325° F

Automatically establishes an operating bypass of the following:

  • Low Temperature Overpressure Protection actuation on High WR RCS Pressure

Operating bypass is automatically removed when interlock condition is no longer satisfied.

T-2 Interlock

Wide Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Hot Temperature channels < 200° F, AND the RT-1 interlock is active.

Automatically establishes an operating bypass of the following:

  • DHRSSecondary system isolation actuation on Low Low Pressurizer Level
  • CVCSChemical and volume control system isolation actuation on Low Low Pressurizer Level
  • Containment system isolation actuation on Low Low Pressurizer Level

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-74 Draft Revision 3

Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)

Interlock/Permissive/Override | Condition for Interlock/Permissive/Override | Function

T-3 Interlock

Wide Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Hot Temperature channels < 350° F

Automatically establishes an operating bypass of the following:

  • ECCS actuation on High Containment Water Level
  • DHRS Secondary system isolation actuation on High Narrow Range Containment Pressure
  • Containment system isolation actuation on High Narrow Range Containment Pressure
  • CVCSChemical and volume control system isolation actuation on High Narrow Range Containment Pressure trip
  • DHRS actuation on Low Low Pressurizer Pressure
  • CVCS Isolation actuation on Low Low Pressurizer Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

T-4 Interlock

Narrow Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 RCS Narrow Range RCS Hot Temperature channels <600° F

Automatically establishes an operating bypass of the following:

  • CVCS Isolation actuation on Low Pressurizer Pressure
  • DHRS actuation on Low Pressurizer Pressure
  • Demineralized water system isolation of Low Pressurizer Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

T-5 Interlock

Wide Range RCS Hot Temperature T-5 interlock: Interlock established when at least 3 of 4 Wide Range RCS Hot Temperature channels are less than 420°F AND RT-1 is active.

Automatically establishes an operating bypass of the following:

  • Secondary system isolation actuation on Low Low Pressurizer Pressure
  • Chemical and volume control system isolation actuation on Low Low Pressurizer Pressure.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-75 Draft Revision 3

Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)

Interlock/Permissive/Override | Condition for Interlock/Permissive/Override | Function

L-1 Interlock

Containment Water Level Interlock: Interlock established when at least 3 of 4 Containment Level Channels > 45 AND RT-1 is active

Automatically establishes operating bypass of the following trip signals for DHRS actuation:

  • High Pressurizer Pressure
  • Low Low Pressurizer Pressure
  • Secondary system isolation actuation on Low Low Pressurizer Level
  • High Narrow Range RCS Hot Temperature
  • Secondary system isolation actuation on Low Low Main Steam Pressure
  • Secondary system isolation actuation on Low Main Steam Superheat
  • High Steam Superheat
  • Secondary system isolation actuation on High Narrow Range Containment Pressure
  • Containment system isolation actuation on Low Low Pressurizer Level
  • Chemical and volume control system isolation actuation on Low Low Pressurizer Level

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

L-2 Interlock

Pressurizer Level Interlock, L2: Interlock established when 3 of 4 Pressurizer Level channels are greater than 20% AND T-3 interlock is active.

Automatically establishes operating bypass of the ECCS actuation on high containment water level.

F-1 Interlock

RCS Flow Interlock: Interlock established after a set time delay when at least 3 of 4 RCS Flow Channels 0.0 ft^3/sec and RT-1 has been established

Automatically establishes operating bypass of CVCS isolation on Low Low RCS Flow.

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

O-1 Override

Containment System Isolation Override Function: Override established when manual override switch is active and RT-1 permissive is established

Override allows manual control of the CFDS, RCS injection, and pressurizer spray containment isolation valves if an automatic containment system isolation or a CVCS isolation actuation signal is present with the exception of the High Pressurizer Level CVCS isolation actuation signal.

The Override switch must be manually taken out of Override when the Override, O-1, is no longer needed.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-76 Draft Revision 3

Table 7.1-6: Design Basis Event Actuation Delays Assumed in the Plant Safety Analysis

| Signal | Sensor | Actuation Delay |
|---|---|---|
| High Power Range Linear Power | Power Range Neutron Flux | 2.0s |
| SR and IR Log Power Rate | SR & IR Neutron Flux | Variable |
| High Power Range Rate | Power Range Neutron Flux | 2.0s |
| High Source Range Count Rate | Source Range Neutron Flux | 3.0s |
| High Subcritical Multiplication | Source Range Neutron Flux | 150.0s |
| High Narrow Range RCS Hot Temperature | Riser Outlet Temperature | 8.0s |
| High Narrow Containment Pressure | Containment Pressure | 2.0s |
| High Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| High Pressurizer Level | Pressurizer Level | 3.0s |
| Low Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| Low Low Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| Low Pressurizer Level | Pressurizer Level | 3.0s |
| Low Low Pressurizer Level | Pressurizer Level | 3.0s |
| Low Main Steam Pressure | Main Steam Pressure | 2.0s |
| Low Low Main Steam Pressure | Main Steam Pressure | 2.0s |
| High Main Steam Pressure | Main Steam Pressure | 2.0s |
| Low Main Steam Superheat | Main Steam Pressure & Temperature | 8.0s |
| High Main Steam Superheat | Main Steam Pressure & Temperature | 8.0s |
| Low RCS Flow | RCS Flow | 6.0s |
| Low Low RCS Flow | RCS Flow | 6.0s |
| Low RPV Riser Level | RCS Level | 3.0s |
| High Containment Water Level | Containment Level | 3.0s |
| Low AC Voltage to the Battery Chargers | AC Voltage | 60.0s |
| High Under-the-Bioshield Temperature | Under-the-Bioshield Temperature | 8.0s |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-80 Draft Revision 3

Table 7.1-9: Sensor Inputs to Module Protection System

| Process Variable | Sensor Type | Output Signal | Safety-Related? | Type A, B, or C PAM Variable? | Sensor Block I (SG A, SG C, DIV. I) / Sensor Block II (SG B, SG D, DIV. II) |
|---|---|---|---|---|---|
| Pressurizer level (Note 1) | Digital | Analog | Y | N | X X X X |
| RPV riser level (Note 1) | Digital | Analog | YN | Y | X-X X X- |
| PZR pressure (Note 1) | Digital | Analog | Y | N | X X X X |
| Wide-range reactor coolant system (RCS) pressure (Note 1) | Digital | Analog | Y | Y | X X X X |
| Containment water level (Note 1) | Digital | Analog | Y | Y | X X X X |
| Narrow-range containment pressure | Analog | Analog | Y | Y | X X X X |
| Wide-range containment pressure | Digital | Analog | N | Y | X X |
| Containment isolation valve positions (except FWIV Valve Position) | Discrete (Analog) | Discrete (Analog) | N | Y | X X |
| Secondary MSIV position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| Secondary MSIV bypass isolation valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| Feedwater regulation valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| ECCS valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| Narrow-range RCS hot temperature | Analog | Analog | Y | N | X X X X |
| Wide-range RCS hot temperature | Analog | Analog | Y | Y | X X X X |
| Wide-range RCS cold temperature | Analog | Analog | Y | N | X X X X |
| Core exit temperature | Analog | Analog | N | Y | X X |
| Core inlet temperature | Analog | Analog | N | Y | X X |
| RCS flow (Note 1) | Digital | Analog | Y | N | X X X X |
| Main steam pressure (decay heat removal inlet pressure) | Analog | Analog | Y | N | X X X X |
| Main steam temperature (decay heat removal inlet temperature) | Analog | Analog | Y | N | X X X X |
| Power range linear power | Analog | Analog | Y | Y | X X X X |
| Intermediate range log power | Analog | Analog | Y | Y | X X X X |
| Source range count rate | Analog | Analog | Y | Y | X X X X |
| Source/intermediate range fault | Discrete (Analog) | Discrete (Analog) | Y | N | X X X X |
| Power range fault | Discrete (Analog) | Discrete (Analog) | Y | N | X X X X |
| NMS Supply Fault | Discrete (Analog) | Discrete (Analog) | Y | N | X X X X |
| Inside bioshield area radiation monitor | Digital | Analog | N | Y | X X |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-81 Draft Revision 3

Table 7.1-9: Sensor Inputs to Module Protection System (Continued)

| Process Variable | Sensor Type | Output Signal | Safety-Related? | Type A, B, or C PAM Variable? | Sensor Block I (SG A, SG C, DIV. I) / Sensor Block II (SG B, SG D, DIV. II) |
|---|---|---|---|---|---|
| FWIV positions | Discrete (Analog) | Discrete (Analog) | Y | Y | X X |
| Reactor trip breaker position feedback | Discrete (Analog) | Discrete (Analog) | Y | N | X X |
| Pressurizer heater breaker status | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| DHRS valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| DHRS outlet temperature | Analog | Analog | N | N | X X |
| DHRS outlet pressure | Analog | Analog | N | N | X X X |
| Demineralized water system isolation valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| Reactor pool temperature | Analog | Analog | N | N | X X |
| EDS voltage | Analog | Analog | N | N | X X |
| ELVS voltage | Analog | Analog | Y | N | X X X X |
| Reactor safety valve position | Discrete (Analog) | Discrete (Analog) | N | N | X X |
| Under-the-bioshield temperature | Analog | Analog | Y | N | X X X X |
| NMS-Flood | Analog | Analog | N | Y | X X |
| NMS-Flood Faults | Discrete (Analog) | Discrete (Analog) | N | Y | X X |
| Containment evacuation vacuum pump suction pressure | Analog | Analog | N | N | X X |

Note 1: These sensors are digital-based and perform safety-related functions.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-83 Draft Revision 3

Table 7.1-11: Partial Spurious Actuation Scenarios for Engineered Safety Features Actuation System within Safety Block I

| Scenario | Protective Action(s) on EIM | Components Actuated |
|---|---|---|
| 1 | Containment isolation, DHRS, and Secondary System Isolation and DHRS | DHRS actuation valves; MSIVs; MS isolation bypass valves; Feedwater isolation valves; Secondary MSIVs; Secondary MSIV bypass valves; Feedwater regulating valves |
| 2 | ECCS | ECCS reactor recirculation valve (Note 1) |
| 3 | ECCS and LTOP | ECCS reactor vent valves (Note 1) |
| 4 | Containment isolation | Containment evacuation CIV; Containment flood & drain CIV; Reactor component cooling water CIVs |
| 5 | CVCS isolation and containment isolation | CVCS containment isolation valves |
| 6 | DWS isolation and loss of AC power | DWS isolation valve |
| 7 | PZR heater trip | PZR heater breakers |
| 8 | DHRS | DHRS Actuation Valves |

Note 1: The ECCS valves include an inadvertent actuation block (IAB) described in Section 7.2.5.2 that is designed to prevent the spurious opening of the ECCS valves at normal operating pressures. The spurious opening of the ECCS valves below the IAB setpoint is bounded by the plant safety analysis described in Chapter 15.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-85 Draft Revision 3

Table 7.1-13: Effects of Digital-Based Common Cause Failure of Level Function Type on Sensor Block I

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | Digital-based CCF | OK |
| | RPV water level | Digital-based CCF | OK |
| | Containment water level | Digital-based CCF | OK |
| Digital-based pressure measurement | PZR pressure | OK | OK |
| | Wide-range RCS pressure | OK | OK |
| Digital-based flow measurement | RCS flow | OK | OK |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-86 Draft Revision 3

Table 7.1-14: Effects of Digital-Based Common Cause Failure of Digital-Based Pressure Measuring System Function Type on Sensor Block I and II

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | OK | OK |
| | RPV water level | OK | OK |
| | Containment water level | OK | OK |
| Digital-based pressure measurement | PZR pressure | Digital-based CCF | Digital-based CCF |
| | Wide-range RCS pressure | Digital-based CCF | Digital-based CCF |
| Digital-based flow measurement | RCS flow | OK | OK |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-87 Draft Revision 3

Table 7.1-15: Effects of Digital-Based Common Cause Failure of Digital-Based Flow Function Type on Sensor Block I and II

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | OK | OK |
| | RPV water level | OK | OK |
| | Containment water level | OK | OK |
| Digital-based pressure measurement | PZR pressure | OK | OK |
| | Wide-range RCS pressure | OK | OK |
| Digital-based flow measurement | RCS flow | Digital-based CCF | Digital-based CCF |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-88 Draft Revision 3

Table 7.1-16: Safety-Related Digital Sensors Used by Safety Block I and II

| Input Signal | Sensor Technology | Function |
|---|---|---|
| Containment water level | Digital-based level | Accident monitoring; initiate protective action(s) |
| RPV water / PZR water level | Digital-based level | Accident monitoring; initiate protective action(s) |
| Wide-range RCS pressure | Digital-based pressure | Accident monitoring; initiate protective action(s) |
| PZR pressure | Digital-based pressure | Initiate protective action(s) |
| RCS flow | Digital-based flow | Initiate protective action(s) |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-93 Draft Revision 3

Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences and Postulated Accidents (Continued)

Category 3 Events

For the events listed in this section, the digital-based sensor subject to a CCF is credited in both the deterministic analyses described in Chapter 15 and the best-estimate D3 coping analyses; however, multiple, diverse sensors that do not use digital-based technology provide the required protection; therefore, sufficient sensor diversity exists to provide the required safety function. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.

| Design Basis Event | Signals Credited in Plant Safety Analysis Described in Chapter 15 | Signals Credited in D3 Best-Estimate Coping Analysis | Comments |
|---|---|---|---|
| Loss of Condenser Vacuum | high main steam pressure; high main steam superheat; high PZR pressure (digital-based) | high main steam pressure; high steam superheat; high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss of Nonemergency AC Power to the Station Auxiliaries | high main steam pressure; high main steam superheat; high PZR pressure (digital-based) | high main steam pressure; high steam superheat; high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss of Normal Feedwater Flow | high PZR pressure (digital-based); high RCS hot temperature; high main steam superheat | high PZR pressure (digital-based); high RCS hot temperature; high steam superheat | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| System Malfunction that Increases Reactor Coolant Inventory | high PZR level (note 1); high PZR pressure (digital-based) | high PZR level (note 1); high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Feedwater System Pipe Breaks Outside of Containment | high PZR pressure (digital-based); high RCS hot temperature; high main steam superheat | high PZR pressure (digital-based); high RCS hot temperature; high steam superheat | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Steam Generator Tube Failure | low PZR level (digital-based, see note 1); low PZR pressure (digital-based) | low PZR level (digital-based, see note 1); low PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss-of-Coolant Accidents from a Spectrum of Postulated Piping Breaks inside CNV | high CNV pressure; low RPV water level (see note 1) | high CNV pressure; low RPV water level (see note 1) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-94 Draft Revision 3 Category 4 Events For the design basis events listed below, while the deterministic plant safety analyses described in Chapter 15 credit the function provided by the digital-based sensors that are subject to a CCF; however, the evaluation of the plant response for these events using best-estimate analysis methods determined that the plant response does not progress to the point where the digital-based sensor is relied upon to provide required protection. In these events, other sensors that do not use digital-based technology and are not subject to a digital-based CCF provide the required safety function and the FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function (note 2).

Control Rod Misoperation high power range linear power high RCS hot temperature high PZR pressure (digital-based) high power range negative rate (control rod drop) high power range linear power high RCS hot temperature high power range negative rate (control rod drop)

Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional.

Inadvertent Operation of Emergency Core Cooling System (ECCS) high CNV pressure low RPV water level (note 1) high CNV pressure low RPV water level (note 1)

Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional.

Failure of Small Lines Carrying Primary Coolant Outside Containment low PZR level (see note 1) low PZR pressure (digital-based) low PZR level (see note 1)

Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional.

Instability Events high RCS hot temperature low pressurizer level (note 1) low PZR pressure (digital-based) high RCS hot temperature low pressurizer level (note 1)

Diverse sensors not subject to a digital-based CCF provide required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional.

Note 1: The digital-based level measurement function incorporates equipment diversity between sensor blocks I and II such that a postulated CCF of the digital-based level measurement function is limited to one sensor block only. Since the other sensor block remains functional, sufficient diversity exists for those functions that rely on the digital-based level measurement function (see Section 7.1.5.1.2).

Note 2: The design basis for the digital-based RCS flow sensors in the plant safety analysis described in Section 15.4.6 is to ensure minimum RCS flow rates exist during dilution events to ensure proper mixing within the RCS; therefore, the RCS flow sensors are not included in Table 7.1-18 as they are not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2. The plant safety analysis credits the high subcritical multiplication protective function for detection and mitigation of an uncontrolled RCS dilution. Best-estimate analysis of this event concludes the event is non-limiting and does not rely on the digital-based RCS flow sensor to function. The consequences of RCS flow stagnation or reversal during low power conditions are addressed in NuScale Power, LLC topical report, Non-Loss-of-Coolant Accident Analysis Methodology, TR-0516-49416. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.


Figure 7.1-1c: Power Range High-2 Power Trip and N-2 Interlocks, Low and Low Low RCS Flow Trips

[Logic diagram. Panels: HIGH-2 POWER RANGE LINEAR POWER; POWER RANGE LINEAR POWER N-2L PERMISSIVE/INTERLOCK; POWER RANGE LINEAR POWER N-2H INTERLOCK; LOW RCS FLOW; LOW LOW RCS FLOW. Actuations shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION.]

RTS/ESFAS N-2L PR LINEAR POWER N-2L PERMISSIVE/INTERLOCK STATUS. ACTIVE: 3oo4 PR INPUTS > N-2L SETPOINT. NOT ACTIVE: 2oo4 PR INPUTS N-2L SETPOINT.

RTS/ESFAS N-2H PR LINEAR POWER N-2H INTERLOCK STATUS. ACTIVE: 3oo4 PR INPUTS < N-2H SETPOINT. NOT ACTIVE: 2oo4 PR INPUTS N-2H SETPOINT.

ESFAS F-1 LOW LOW RCS FLOW CVCSI ACTUATION INTERLOCK STATUS. ACTIVE: 3oo4 RCS FLOW INPUTS < LOW LOW SETPOINT FOR MORE THAN TD, AND RT-1 ACTIVE. NOT ACTIVE: 2oo4 RCS FLOW INPUTS > LOW LOW SETPOINT FOR MORE THAN TD, OR 3oo4 RCS FLOW INPUTS < LOW LOW SETPOINT FOR LESS THAN TD, OR RT-1 NOT ACTIVE.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1d: Power Range and Intermediate Range Rate Trips

[Logic diagram. Panels: HIGH POWER RANGE POSITIVE RATE; HIGH POWER RANGE NEGATIVE RATE; HIGH INTERMEDIATE RANGE LOG POWER RATE; HIGH SUBCRITICAL MULTIPLICATION. Interlocks referenced: N-1, N-2L, N-2H. Actuations shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1e: Pressurizer Pressure and Level Trips

[Logic diagram. Panels: HIGH PRESSURIZER PRESSURE; LOW PRESSURIZER PRESSURE; LOW LOW PRESSURIZER PRESSURE; LOW PRESSURIZER LEVEL; HIGH PRESSURIZER LEVEL. Interlocks referenced: T-4, T-5, RT-1. Actuations shown: REACTOR TRIP; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; DECAY HEAT REMOVAL SYSTEM ACTUATION; PRESSURIZER HEATER TRIP; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1f: Reactor Coolant System Hot Temperature Trip, Temperature Interlocks

[Logic diagram. Panels: HIGH NARROW RANGE RCS HOT TEMPERATURE; T-2 WR RCS HOT TEMPERATURE INTERLOCK; T-3 WR RCS HOT TEMPERATURE INTERLOCK; T-4 NR RCS HOT TEMPERATURE INTERLOCK; T-5 WR RCS HOT TEMPERATURE INTERLOCK; HIGH UNDER-THE-BIOSHIELD TEMPERATURE; TYPICAL RCS THOT AVERAGE CALCULATION. Actuations shown: REACTOR TRIP; DECAY HEAT REMOVAL SYSTEM ACTUATION; CONTAINMENT SYSTEM ISOLATION ACTUATION; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION; PRESSURIZER HEATER TRIP; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION.]

ESFAS T-2 WR RCS HOT TEMPERATURE INTERLOCK STATUS. ACTIVE: 3oo4 THOT INPUTS < T-2 SETPOINT AND REACTOR TRIPPED. NOT ACTIVE: 2oo4 THOT INPUTS T-2 SETPOINT OR REACTOR NOT TRIPPED.

ESFAS T-3 WR RCS HOT TEMPERATURE INTERLOCK STATUS. ACTIVE: 3oo4 THOT INPUTS < T-3 SETPOINT. NOT ACTIVE: 2oo4 THOT INPUTS T-3 SETPOINT.

ESFAS T-4 NR RCS HOT TEMPERATURE INTERLOCK STATUS. ACTIVE: 3oo4 THOT INPUTS < T-4 SETPOINT. NOT ACTIVE: 2oo4 THOT INPUTS T-4 SETPOINT.

ESFAS T-5 WR RCS HOT TEMPERATURE INTERLOCK STATUS. ACTIVE: 3oo4 THOT INPUTS < T-5 SETPOINT. NOT ACTIVE: 2oo4 THOT INPUTS T-5 SETPOINT.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1g: Reactor Coolant System Low RPV Riser LevelPressurizer Level Interlock and Trip, High Containment Pressure, and High Containment Level Trips

[Logic diagram. Panels: HIGH NARROW RANGE CONTAINMENT PRESSURE; HIGH CONTAINMENT WATER LEVEL; LOW LOW PRESSURIZER LEVEL; L-1 CONTAINMENT WATER LEVEL INTERLOCK; L-2 PRESSURIZER LEVEL INTERLOCK. Interlocks referenced: L-1, L-2, T-2, T-3, RT-1. Actuations shown: REACTOR TRIP; EMERGENCY CORE COOLING SYSTEM ACTUATION; CONTAINMENT SYSTEM ISOLATION ACTUATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION.]

RTS L-1 AND ESFAS L-1 CONTAINMENT WATER LEVEL INTERLOCK STATUS. ACTIVE: 3oo4 LEVEL INPUTS > L-1 SETPOINT AND REACTOR TRIPPED. NOT ACTIVE: 2oo4 THOT INPUTS L-1 SETPOINT OR REACTOR NOT TRIPPED.

ESFAS L-2 PRESSURIZER LEVEL INTERLOCK STATUS. ACTIVE: 3oo4 LEVEL INPUTS > L-2 SETPOINT. NOT ACTIVE: 2oo4 THOT INPUTS L-2 SETPOINT.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1h: Steam Generator Low and Low Low Main Steam Pressure Trips

[Logic diagram. Panels: LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW MAIN STEAM PRESSURE STEAM GENERATOR 2; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 2. Interlocks referenced: N-2H, L-1. Actuations shown: REACTOR TRIP; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1i: High Main Steam Pressure and Steam Generator Low and High Steam Superheat Trips

[Logic diagram. Panels: HIGH MAIN STEAM PRESSURE STEAM GENERATOR 1; HIGH MAIN STEAM PRESSURE STEAM GENERATOR 2; LOW MAIN STEAM SUPERHEAT STEAM GENERATOR 1; LOW MAIN STEAM SUPERHEAT STEAM GENERATOR 2; HIGH MAIN STEAM SUPERHEAT STEAM GENERATOR 1; HIGH MAIN STEAM SUPERHEAT STEAM GENERATOR 2; TYPICAL STEAM SUPER HEAT CALCULATION. Interlocks referenced: L-1, V-1, N-2H. Actuations shown: REACTOR TRIP; SECONDARY SYSTEM ISOLATION; DECAY HEAT REMOVAL SYSTEM ACTUATION; DEMINERALIZED WATER SYSTEM ISOLATION; PRESSURIZER HEATER TRIP.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1j: Reactor Trip and Reactor Tripped Interlock RT-1

[Logic diagram. Panels: REACTOR TRIP BREAKER ARRANGEMENT; MANUAL REACTOR TRIP; AUTOMATIC REACTOR TRIP; REACTOR TRIPPED RT-1 INTERLOCK; MAIN CONTROL ROOM; REMOTE SHUTDOWN STATION.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO MOMENTARY REDUNDANT SWITCHES, ONE PER RTS DIVISION.

NOTE 3: TWO MANUAL ACTUATION ISOLATION REDUNDANT SWITCHES LOCATED IN THE REMOTE SHUTDOWN STATION, ONE PER RTS AND ESFAS DIVISION.

RAI 16-18S1

Figure 7.1-1k: ESFAS - Containment System Isolation, Chemical and Volume Control System Interlocks

[Logic diagram. Panels: CONTAINMENT SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; SECONDARY SYSTEM ISOLATION; OVERRIDE O-1.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATION INITIATES CONTAINMENT SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: MANUAL ACTUATION INITIATES CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 5: OVERRIDE TO ALLOW OPERATORS TO ADD WATER VIA CFDS OR CVCS.

NOTE 6: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1l: ESFAS - Decay Heat Removal System and Secondary System Isolation Actuation, FWIV Interlock

[Logic diagram. Panels: DECAY HEAT REMOVAL SYSTEM ACTUATION; SECONDARY SYSTEM ISOLATION ACTUATION; FWIV INTERLOCK V-1.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATE INITIATES ACTUATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: DECAY HEAT REMOVAL SYSTEM ACTUATION IS DEFINED AS THE SIMULTANEOUS CLOSURE OF THE FWIV, FWRV, MSIV, SECONDARY MSIV AND THE OPENING OF THE DHRS ACTUATION VALVES FOR A GIVEN TRAIN OF DHRS.

NOTE 5: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1m: ESFAS - Demineralized Water System Isolation, Pressurizer Heater Trip

[Logic diagram. Panels: DEMINERALIZED WATER SYSTEM ISOLATION; PRESSURIZER HEATER BREAKER TRIP; PRESSURIZER HEATER BREAKER ARRANGEMENT.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATION INITIATES DEMINERALIZED WATER SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: MANUAL ACTUATION INITIATES PRESSURIZER HEATER BREAKER TRIP AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 5: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1n: ESFAS Emergency Core Cooling System Actuation, Low Temperature Overpressure Protection Actuation

[Logic diagram. Panels: EMERGENCY CORE COOLING SYSTEM ACTUATION; LTOP ACTUATION; TYPICAL LTOP SETPOINT CALCULATION; T-1 WR RCS COLD TEMPERATURE INTERLOCK.]

ESFAS T-1 WR RCS COLD TEMPERATURE INTERLOCK STATUS. ACTIVE: 3oo4 TCOLD INPUTS > T-1 SETPOINT. NOT ACTIVE: 2oo4 TCOLD INPUTS T-1 SETPOINT.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATE INITIATES LTOP ACTUATION AND EMERGENCY CORE COOLING SYSTEM ACTUATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: LTOP SETPOINT (SP) IS CALCULATED BASED ON WR RCS COLD TEMPERATURE. LTOP ACTUATION OCCURS WHEN 2/4 WR RCS PRESSURE INPUTS INCREASE ABOVE THE LTOP SP.

NOTE 5: LOW TEMPERATURE INTERLOCK T-1: AUTOMATIC BLOCK ABOVE T-1; AUTOMATIC LTOP ENABLE BELOW T-1.

NOTE 6: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1o: Decay Heat Removal System Valve Actuation

[Logic diagram. Panels: DHRS ACTUATION VALVE ACTUATION AND PRIORITY LOGIC (APL), ESFAS DIVISION I and ESFAS DIVISION II; NONSAFETY INPUT DECODE LOGIC; SOLENOID VALVES.]

NOTE 1: SOLENOIDS ARE ENERGIZED BY REDUNDANT EIMS TO CLOSE VALVE; SOLENOIDS ARE DE-ENERGIZED TO OPEN VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 6: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-125 Draft Revision 3

Figure 7.1-1p: Main Steam Isolation Valve Actuation

[Logic diagram not reproduced. Labels recovered from the figure: main steam isolation valve; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-126 Draft Revision 3

Figure 7.1-1q: Main Steam Isolation Bypass Valve Actuation

[Logic diagram not reproduced. Labels recovered from the figure: MS isolation bypass valve; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-127 Draft Revision 3

Figure 7.1-1r: Secondary Main Steam Isolation Valve Actuation

[Logic diagram not reproduced. Labels recovered from the figure: secondary main steam isolation valve; safety / nonsafety boundary; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-128 Draft Revision 3

Figure 7.1-1s: Secondary MSIV Bypass Valve Actuation

[Logic diagram not reproduced. Labels recovered from the figure: secondary MSIV bypass valve; safety / nonsafety boundary; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-129 Draft Revision 3

Figure 7.1-1t: Feedwater Isolation Valve Actuation

[Logic diagram not reproduced. Labels recovered from the figure: feedwater isolation valve; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-130 Draft Revision 3

Figure 7.1-1u: Feedwater Regulating Valve Isolation

[Logic diagram not reproduced. Labels recovered from the figure: feedwater regulating valve; safety / nonsafety boundary; ESFAS Division I and Division II actuation and priority logic (APL); safety inputs manual containment isolation (M), automatic DHRS or SSI actuation (A), manual SSI actuation (M) and manual DHRS actuation (M); nonsafety control Division I and Division II with NS enable / NS disable; MCS open/close commands through nonsafety input decode logic; valve fully opened / fully closed position feedback; EIM outputs to the Division I and Division II solenoid valves.]

NOTE 1:

SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO ALLOW NONSAFETY CONTROL OF VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2:

ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3:

THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4:

THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5:

VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS. ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6:

LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7:

NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.

NuScale Final Safety Analysis Report Fundamental Design Principles Tier 2 7.1-143 Draft Revision 3

Figure 7.1-1ah: Loss of AC Power to ELVS Battery Chargers

[Logic diagram not reproduced. Labels recovered from the figure: low AC voltage to B battery chargers and low AC voltage to C battery chargers, each sensed by VS channels A, B, C and D with 2/4 coincidence and time delays (TD); RTS Division I and ESFAS Division I; start/stop 24-hour timer. Actuations shown: reactor trip, decay heat removal system actuation, demineralized water system isolation, secondary system isolation, containment system isolation actuation, chemical and volume control system isolation, pressurizer heater trip breakers.]

NOTE 1:

LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2:

THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

NOTE 3:

THE TIME DELAY (TD) IS ADDED TO DELAY THE START OF THE TIMING SEQUENCE TO PREVENT ACTUATION OF TRIP LOGIC ON MOMENTARY AC BUS VOLTAGE TRANSIENTS. THE TIME DELAY ALSO DELAYS THE RESET OF THE TIMING SEQUENCE TO PREVENT PREMATURE RESET OF TRIP LOGIC ON MOMENTARY AC BUS VOLTAGE TRANSIENTS.

NuScale Final Safety Analysis Report System Features Tier 2 7.2-57 Draft Revision 3

placed on the backplane. These signals are provided to the associated EIM actuation priority logic circuits downstream of the FPGA logic components that generate automatic signals.

A Division I and Division II manual actuation switch is provided in the MCR for each of the following protective actions. Each manual actuation switch actuates the respective protective function within its associated division. Actuation of either divisional switch is sufficient to complete the safety function. The manual actuation switches are shown in the MPS functional logic diagrams, Figure 7.1-1j through Figure 7.1-1n:

- reactor trip
- ECCS actuation
- decay heat removal actuation
- containment isolation
- demineralized water system isolation
- chemical and volume control system isolation
- pressurizer heater trip
- secondary system isolation
- low temperature over pressure protection

Because the hard-wired manual actuation switch input is downstream of digital components within the MPS, failure of the MPS automatic function does not prevent the manual initiation of the required protective action.

RAI 16-18S1

If enabled by the operator using the safety-related enable nonsafety control switch, manual component-level control of ESF equipment is possible using nonsafety discrete hard-wired inputs from the MCS to the HWM. These signals are then input to the actuation priority logic circuit on the EIM. Any automatic or manual safety-related signal overrides the nonsafety signal and is prioritized within the actuation priority logic. For beyond DBEs and for a limited number of actuated equipment, a safety-related override switch can be used to prioritize a nonsafety signal over certain automatic signals. Override switches are provided for the containment system isolation override function as shown below.

- Override - two switches / one per division

RAI 16-18S1

The manual override switches allow for manual control of the CFDS, RCS injection, and pressurizer spray containment isolation valves if an automatic containment system isolation actuation signal or a CVCS isolation actuation signal is present, with the exception of the High Pressurizer Level CVCS isolation actuation signal.

The manual override switches will generate an alarm when activated.

See the MPS functional logic diagrams (Figure 7.1-1j through Figure 7.1-1ao). The manual controls are controlled administratively through approved plant procedures.
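The priority rules stated above and in the notes to Figures 7.1-1p through 7.1-1u (a safety signal outranks a nonsafety command, seal-in until position feedback, de-energize to actuate, redundant EIMs, one solenoid per division) can be exercised in a small simulation. This is an added example, not NuScale's logic or code; the class names, the three-tick valve stroke, and the rule that an output holds its last state when no command is accepted are assumptions.

```python
"""Toy model of the valve actuation and priority logic (APL) in the figure notes.

Constructed for illustration only: class names, the tick-based valve stroke and
the hold-last-state rule are assumptions, not the MPS design.
"""
from dataclasses import dataclass, field


@dataclass
class Eim:
    """One EIM actuation priority logic (APL) output for one valve."""
    in_service: bool = True   # Note 3: a single EIM may be removed for maintenance
    energized: bool = True    # True drives the solenoid (valve held open)
    sealed_in: bool = False   # Note 4: protective action latched until complete

    def step(self, safety_demand, ns_enabled, ns_cmd, fully_closed):
        if not self.in_service:
            return False                       # a removed module drives nothing
        if safety_demand:                      # automatic or manual safety signal
            self.sealed_in = True
        elif self.sealed_in and fully_closed:  # feedback: demanded position reached
            self.sealed_in = False
        if self.sealed_in:
            self.energized = False             # de-energize to actuate (fail-safe)
        elif ns_enabled and ns_cmd == "OPEN":  # nonsafety input, lowest priority
            self.energized = True
        elif ns_enabled and ns_cmd == "CLOSE":
            self.energized = False
        # Assumption: with no accepted command the output holds its last state.
        return self.energized


@dataclass
class Division:
    """One ESFAS division: two redundant EIMs feeding one solenoid."""
    eims: list = field(default_factory=lambda: [Eim(), Eim()])
    ns_enabled: bool = False  # Note 2: enable-nonsafety-control switch, per division

    def solenoid(self, safety_demand, ns_cmd, fully_closed):
        outs = [e.step(safety_demand, self.ns_enabled, ns_cmd, fully_closed)
                for e in self.eims]
        return any(outs)      # Note 1: de-energized only when both outputs are


@dataclass
class Valve:
    """Valve with one solenoid per division and a constructed 3-tick stroke."""
    stroke: int = 3
    position: int = 3         # stroke = fully opened, 0 = fully closed

    @property
    def fully_closed(self):
        return self.position == 0

    def step(self, sol_div1, sol_div2):
        if sol_div1 and sol_div2:   # Note 5: opens only when both are energized
            self.position = min(self.stroke, self.position + 1)
        else:                       # Note 5: closes when either is de-energized
            self.position = max(0, self.position - 1)


def simulate(ticks, div1, div2):
    """Run (demand_div1, demand_div2, mcs_cmd) tuples; return position per tick."""
    valve, trace = Valve(), []
    for demand1, demand2, mcs_cmd in ticks:
        feedback = valve.fully_closed   # position feedback sampled before the step
        valve.step(div1.solenoid(demand1, mcs_cmd, feedback),
                   div2.solenoid(demand2, mcs_cmd, feedback))
        trace.append(valve.position)
    return trace


def momentary_demand_with_competing_open():
    """One-tick Division I demand while the MCS keeps commanding OPEN."""
    ticks = [(True, False, "OPEN"), (False, False, "OPEN"),
             (False, False, "OPEN"), (False, False, None)]
    return simulate(ticks, Division(ns_enabled=True), Division(ns_enabled=True))


def demand_with_one_eim_removed():
    """Division I runs on a single EIM; the protective action still completes."""
    div1 = Division()
    div1.eims[0].in_service = False
    ticks = [(False, False, None), (True, False, None),
             (False, False, None), (False, False, None)]
    return simulate(ticks, div1, Division())


def mcs_close_without_enable():
    """With the enable switch off in both divisions, MCS commands are ignored."""
    return simulate([(False, False, "CLOSE")] * 2, Division(), Division())


if __name__ == "__main__":
    print(momentary_demand_with_competing_open())
    print(demand_with_one_eim_removed())
    print(mcs_close_without_enable())
```

The first scenario is the one to study: the demand lasts a single tick and the MCS keeps commanding OPEN, yet the seal-in holds the Division I output de-energized until the valve reports fully closed. The beyond-DBE override switches are not modelled.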

NuScale Final Safety Analysis Report Summary Description Tier 2 10.1-7 Draft Revision 3

RAI 10.04.07-1

Figure 10.1-1: Power Conversion System Block Flow Diagram

[Block flow diagram not reproduced (NuScale Power Cycle Block Flow Diagram). Legend: Steam Generator & Aux Boiler, Containment System, Main Steam System, Turbine Generator System, Condensate & Feedwater System, Condenser Air Removal System. Labels recovered from the figure: steam generators; main steam isolation valves; secondary main steam isolation valves; removable spool pieces; MSSVs; aux steam header; turbine stop valve; turbine bypass valve; turbine generator; desuperheater; condenser; condenser air removal packages; gland steam condenser; gland steam exhauster packages; condensate pumps; condensate polisher skids; LP, IP and HP heaters; feedwater pumps (VFD); feedwater regulating valves; feedwater isolation valves; SR/NS safety and Seismic I/III boundaries; seismic anchors located at the entrance to and exit from the RXB.]

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-1 Draft Revision 3

10.3 Main Steam System

The primary function of the main steam system (MSS) is to transport steam from the steam generators to the turbine generator system. Each NuScale Power Module (NPM) is supplied with a separate MSS.

The containment-penetrating steam supply is divided into three portions: internal to containment discussed in Section 5.4, the containment and safety-related main steam isolation valves (MSIVs) discussed in Section 6.2, and the nonsafety-related portion discussed in this section.

The MSS extends from the flange immediately downstream of the MSIVs to the inlet of the turbine generator vendor package. The extraction points from the turbine to the feedwater heaters are also considered part of the MSS although there is no direct connection to the other MSS piping.

10.3.1 Design Bases

This section identifies the MSS required or credited functions, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure that the functions are fulfilled. Together, this information represents the design bases defined in 10 CFR 50.2 for the MSS, as required by 10 CFR 52.47(a) and 10 CFR 52.47(a)(3)(ii).

The MSS is nonsafety-related. One nonsafety-related secondary MSIV is located downstream of each containment system MSIV as backup for the performance of the containment system MSIV design bases functions as outlined in Section 6.2.4.

General Design Criteria (GDC) 2, 4, and 5 were considered in the design of the MSS. No safety-related structures, systems, and components (SSC) are affected by the effects of natural phenomena such as earthquakes. The design of the MSS provides protection of safety-related SSC from the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. There are no safety-related components in the MSS that are shared among NPMs; therefore, the loss of components in one MSS does not impair the ability of other NPMs to perform their safety functions.

The NPM decay and residual heat removal safety function is performed by the decay heat removal system (DHRS) flowpath requiring containment isolation. Consistent with PDC 34, the secondary MSIVs provide a nonsafety-related backup to the containment MSIVs, and provide additional assurance that the blowdown of a second steam generator (SG) is limited if a steamline were to break upstream of the MSIV. Secondary system isolation (SSI) is provided to protect the steam generator inventory without an unnecessary cooldown.

Conformance with PDC 34 is further discussed in Section 5.4 and Section 10.3.3.

Consistent with 10 CFR 50.63, the nonsafety-related portion of the MSS is not relied upon to operate in response to a station blackout (SBO). Rather, the DHRS operates in conjunction with the ultimate heat sink to fulfill the core cooling function in the event of an SBO.

Conformance with 10 CFR 50.63 and the guidelines of Regulatory Guide 1.155 is discussed in Section 8.4.2 and Section 10.3.3.

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-3 Draft Revision 3

Outside of the RXB, sampling points are provided on each main steam line. The MSS piping is protected from overpressure by MSSVs ((outside the TGB wall)) upstream of the sampling and auxiliary steam connections.

Branch piping inside the TGB for each MSS provides for turbine bypass to the main condenser, secondary sampling system, low point drains, feedwater heater steam, and backup auxiliary steam. The MSS provides gland steam through the auxiliary boiler system header. Connections allowing sampling are provided in appropriate locations in the secondary side piping. The secondary sampling system is described in Section 9.3.2.

As discussed in Section 10.3.1, the portion of each MSS up to and including the secondary MSIVs provides nonsafety-related backup to the MSIVs for safety-related isolation functions, and for the safety-related decay and residual heat removal safety function in PDC 34.

RAI 10.03-5 Design considerations of the MSS are reflected in the failure modes and effects analyses summarized in Section 5.4 (specific to providing backup to DHRS operation) and Table 10.3-2 (specific to providing backup toof containment and secondary system steam line isolation functions of the MSS). Failure modes and effects analysis for MSIV and MSIV bypass valves can be found in Table 6.2-6.

The MSS is designed to permit appropriate functional testing of system components as described further in Section 10.3.2.2 and Section 10.3.4.

The MSS piping upstream of the secondary MSIVs is designed to not exceed its service limits during a design basis event. Administrative procedures preclude filling the SG and MSS piping water-solid during normal operation, as well as during DHRS operation.

The MSS has leak detection capabilities. An MSS steam line break is detected as low steam line pressure by pressure sensors in the steam plenums (Section 5.3). This causes an isolation signal to the MSIVs, and closure signals to the turbine bypass valve, turbine stop valve, and drain line isolation valves to limit blowdown of the system.

Section 5.4.1 provides a description of SG design features to minimize fluid flow water hammer. The design and layout of the MSS include provisions to minimize the potential for water hammer and other flow instabilities (Section 3.6.3).

10.3.2.2 Component Description

The major components of the MSS include the piping, secondary MSIVs, secondary main steam isolation bypass valves, MSSVs, drains, and associated supports and appurtenances. The design and operational characteristics of these components are described below. Design parameters and associated values are provided in Table 10.3-1.

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-4 Draft Revision 3

The portion of the MSS from the outlets of the MSIVs to the first piping restraint downstream of the MSIVs is nonsafety-related, Seismic Category I, and quality group D.

The remainder of the MSS is classified as nonsafety-related, non-seismic, and quality group D. Consistent with Regulatory Guide 1.26, these portions are designed in accordance with the provisions of ASME Power Piping Code Section B31.1. Additional detail of the safety, quality, and seismic classification of the MSS components is provided in Section 3.2.

Main Steam Piping

Figure 10.1-1 depicts the MSS boundaries, including interconnections with other systems.

The two steam lines combine to mix and equalize the output of the two SG coils.

Flanges immediately downstream of the MSIVs are provided to enable disconnection of the piping from the NPM in preparation for moving the module for refueling or maintenance. Immediately downstream of the flanges, the MSS lines pass through the secondary MSIV and secondary MSIBVs. Ball-joint type flanges are used downstream of the secondary MSIVs to reduce containment vessel nozzle stress.

The steam lines from six NPMs are then routed inside the RXB toward the center of the building and then exit the building above ground. They are supported on a pipe rack between the RXB and the TGB.

In the TGB, the MSS lines are each routed to their separate turbine generator set.

Secondary Main Steam Isolation Valves

Design parameters and associated values for the secondary MSIVs are provided in Table 10.3-1.

RAI 06.02.04-6S1, RAI 15.06.03-2 Each secondary MSIV is provided with two independent actuator control systems to ensure successful performance of the secondary MSIV function, assuming a single failure. In response to a main steam isolation signalDHRS actuation signal and SSI signal, the secondary MSIVs automatically close. The secondary MSIVs are capable of closing in steam conditions.

RAI 15-17S1 The nonsafety-related secondary MSIVs are used for event mitigation as backup protection for the safety-related MSIVs as described in Section 15.0.0.6.6. The secondary MSIV is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in steam systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve can reliably close within the required time specified in Table 10.3-1 at full power steam flow and pressure conditions.

RAI 15-17S1

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-8 Draft Revision 3

General Design Criterion 5 was considered in the design of the MSS. There are no safety-related components in the MSS shared among NPMs, and therefore the MSS does not impair the ability of other NPMs to perform their safety functions.

Principal Design Criterion 34 was considered in the design of the MSS. The decay and residual heat removal safety function per PDC 34 is performed by the DHRS flowpath, and containment isolation function of the containment system performed by the MSIVs and the feedwater isolation valves. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown. Consistent with PDC 34, the nonsafety-related secondary MSIVs downstream of the MSIVs are credited as backup isolation components in the event that an MSIV fails to close. Although not safety-related, the secondary MSIVs are designed to close under postulated worst-case conditions and are included in technical specification surveillance requirements to ensure their reliability and operability. Thus, consistent with the position established in NUREG-0138, Issue Number 1, the secondary MSIVs ensure that the blowdown is limited if a steamline were to break upstream of the MSIV. Conformance with PDC 34 is further discussed in Section 5.4.

The requirements of 10 CFR 20.1101(b) were considered in the design of the MSS. The MSS is not normally a radiation hazard in a pressurized water reactor. Radiological considerations do not affect access to system components during normal conditions.

Therefore, no radiation shielding is provided for the MSS and associated components. It is only in the unlikely event of a primary-to-secondary system leak or SG tube failure that the steam could become contaminated. If a SG tube failure is detected, the secondary coolant is sampled and a radiation survey completed before performing maintenance or modification work on the system. Access to the areas containing the system is restricted, if required, based on the survey results. The requirements of 10 CFR 20.1406 were considered in the design of the MSS. Consistent with 10 CFR 52.47(a)(6), the MSS is designed to meet the requirements of 10 CFR 20.1406 as it relates to minimizing contamination of the facility.

Further discussion of the facility design features to protect against contamination is provided in Section 12.3.

The requirements of 10 CFR 50.63 were considered in the design of the MSS. The nonsafety-related portion of the MSS is not relied upon to operate in response to an SBO to satisfy 10 CFR 50.63. Rather, the DHRS operates in conjunction with the ultimate heat sink to fulfill the core cooling function in the event of an SBO. Successful operation of the DHRS relies on the safety-related MSIVs, which form part of the DHRS flowpath and pressure boundary. The secondary MSIVs provide backup to the MSIVs, thus are also required to fail closed during an SBO. This functionality is ensured with or without the availability of electrical power. Conformance with 10 CFR 50.63 and the guidelines of Regulatory Guide 1.155 are discussed in Section 8.4.2.

10.3.4 Inspections and Tests

The MSS components are inspected and tested as part of preoperational and startup tests, and are within the scope of the initial test program described in Section 14.2.

Nonsafety-related MSS piping and components are inspected and tested in accordance with the requirements of ASME B31.1.

The proposed Inspections, Tests, Analyses, and Acceptance Criteria required by 10 CFR 52.47(b)(1) and 10 CFR 52.80(a) are discussed in Section 14.3.

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-13 Draft Revision 3

Table 10.3-5 provides a list of power conversion system piping which is within the scope of the flow-accelerated corrosion monitoring program.

RAI 10.03.06-5 In addition to design and layout provisions, flow-accelerated corrosion is minimized by the implementation of a secondary water chemistry control program as described in Section 10.3.5.

RAI 10.03.06-1, RAI 10.03.06-5 COL Item 10.3-2:

A COL Applicant that references the NuScale Power Plant design certification will provide a description of the flow-accelerated corrosion monitoring program for the steam and power conversion systems based on Generic Letter 89-08 and the latest revision of the Electric Power Research Institute NSAC-202L at the time of the COL application.

10.3.7 Instrumentation

The main steam temperature, pressure, radiation, and flow instrumentation is designed to permit automatic plant operation, remote control, and continuous indication of system parameters. The remote instrumentation readouts required for monitoring the system are provided in the main control room. The ability to manually initiate MSS control actions is available in the main control room.

Table 10.3-4 shows the MSS instrumentation. A list of the instrumentation associated with SSI actuation and DHRS actuation and operation (including MSIV and secondary MSIV closure) is provided in Section 7.1.

The instrumentation and controls associated with turbine bypass are described in Section 10.4.4.

10.3.8 References

10.3-1 Electric Power Research Institute, "Recommendations for an Effective Flow-Accelerated Corrosion Program (NSAC-202L-R3) Non-Proprietary Version," EPRI #1015425, Final Report, Palo Alto, CA, 2007.

10.3-2 Electric Power Research Institute, "Pressurized Water Reactor Secondary Water Chemistry Guidelines," EPRI #1016555 Rev. 7, February 17, 2009, Palo Alto, CA.

10.3-3 Nuclear Energy Institute, "Steam Generator Program Guidelines," NEI 97-06, Rev 3, Washington, DC, January 2011.

NuScale Final Safety Analysis Report Main Steam System Tier 2 10.3-24 Draft Revision 3

Table 10.3-4: Main Steam System Instrumentation (Continued)

Equipment Name | Monitored Parameter | Local Display | Signal To MCS
Steam trap drain valve limit switches | Valve fully open | No | Yes
Steam trap drain valve limit switches | Valve fully closed | No | Yes
FWS differential pressure transmitters | SG inventory | No | Yes

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System Tier 2 10.4-29 Draft Revision 3

10.4.7.1 Design Bases

This section identifies the CFWS required or credited functions, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure the functions are fulfilled. Together, this information represents the design bases, as defined in 10 CFR 50.2, as required by 10 CFR 52.47(a) and (a)(3)(ii).

Specific feedwater components provide a nonsafety-related, not risk-significant backup to plant safety features. One feedwater regulating valve (FWRV) is located upstream of each CNTS feedwater isolation valve (FWIV), as a means of backup isolation to the containment system FWIV as outlined in Section 6.2.4. Likewise, the feedwater check valve is used as a backup to the FWIV integral check valve to prevent SG backflow. Use of these valves as backup to plant safety features is discussed in Section 15.0.0.

General Design Criteria 2, 4, and 5 were considered in the design of the CFWS. No safety-related SSC are affected by the effects of natural phenomena such as earthquakes. The design of the CFWS provides protection of safety-related SSC from the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. There are no safety-related components in the CFWS shared among NPMs, therefore failure of the CFWS does not impair the ability of other NPMs to perform their safety functions. See Section 10.4.7.3 for the CFWS safety evaluation.

The NPM decay and residual heat removal safety function is performed by the decay heat removal system (DHRS) flowpath requiring containment isolation. Consistent with PDC 34, the FWRVs provide a nonsafety-related backup to the FWIVs and provide additional assurance that the blowdown of a second steam generator (SG) is limited if a feedwater line were to break upstream of the FWIV. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown.

Conformance with PDC 34 is further discussed in Section 5.4 and Section 10.4.7.3.

Consistent with GDC 60, the design of the CFWS ensures the capability to control releases of radioactive materials to the environment. Consistent with 10 CFR 20.1101(b), the CFWS design supports keeping radiation exposures as low as reasonably achievable (ALARA). The CFWS is designed to meet the requirements of 10 CFR 20.1406 as it relates to minimization of contamination of the facility.

10.4.7.2 System Description

10.4.7.2.1 General Description

The containment penetrating systems are divided into three portions: internal to containment, the containment and safety-related isolation valve(s), and the nonsafety-related portion external to the NPM. The three portions of the system are shown on Figure 10.1-1. The CFWS provides the upstream nonsafety-related portion.

The CFWS includes the following equipment and components:

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System Tier 2 10.4-33 Draft Revision 3

Normal control of the FWRVs is through the MCS. In off-normal conditions the MPS overrides normal control of the valves and can force closure. Each FWRV is designed to fail closed on loss of power or control signal of DHRS actuation and secondary system isolation (SSI), regardless of the operating mode, and performs a feedwater isolation function as a backup to the FWIV. As such, the FWRVs meet the same flow requirements as the FWIVs.

RAI 15-17S1 The nonsafety-related FWRVs are used for event mitigation as backup protection for the safety-related FWIVs as described in Section 15.0.0.6.6. The FWRV is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in feedwater systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve actuates as expected at operating conditions.

RAI 15-17S1 Each secondary FWRV is periodically tested in accordance with the Augmented Valve Testing Program described in FSAR Section 3.9.6.5. Valve functions and periodic testing requirements are specified in FSAR Table 3.9-17.

Feedwater Check Valves

Two check valves are installed in each feedwater line. Both feedwater check valves prevent reverse flow from the steam generators whenever the feedwater system is not in operation and are designed to withstand the forces of closing after a CFWS line rupture.

The first check valve is upstream of and integral with the FWIV, providing backflow prevention. The second is downstream of the FWRV and is provided for secondary backflow prevention.

RAI 15-17S1 The nonsafety-related secondary FW check valves are used for event mitigation as backup protection for the safety-related FW check valves as described in Section 15.0.0.6.6. The secondary FW check valve is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in water systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve actuates as expected at operating conditions.

RAI 15-17S1 Each secondary FW check valve is periodically tested in accordance with the Augmented Valve Testing Program described in FSAR Section 3.9.6.5. Valve functions and periodic testing requirements are specified in FSAR Table 3.9-17.

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System Tier 2 10.4-37 Draft Revision 3

Inadvertent DHRS actuation and SSI causes closure of the MSIV and MFIV on the affected side of the secondary system. This increases the secondary side pressure on the affected SG. The RCS pressure and temperature increases at a lower rate. The unaffected SG train steam production is lower than the turbine steam demand. The reactor trips on high steam pressure, high PZR pressure, or high PZR level. See Section 15.6.1 for the inadvertent opening of a reactor safety valve.

A steam line break event refers to a main steam line break ranging from a small break to a double-ended rupture of a main steam line. Initially, the steam flow is increased before the affected steam line is isolated and depressurizes. After a short time of overcooling, the RCS temperature and pressure increase. If the steam line break is inside the containment, the reactor trips on high containment pressure. If the steam line break is outside the containment, the reactor trips on low steam pressure or low PZR level or pressure. For breaks outside containment, the break flow is terminated by closure of the MSIV on the affected SG or after CFWS is isolated and the SG boils dry. For breaks inside the containment, the break flow is terminated after feedwater flow is isolated and the SG dries out. A steam line break is discussed in Section 15.1.5.

The SGTF is defined as a double-ended rupture of a single SG tube. Primary coolant from the RCS enters the secondary system, driven by the pressure difference between the RCS and the secondary side of the SG. As a result, the inventory, pressure, and activity in the affected SG increase. The break flow depressurizes the RCS and decreases the PZR level. On the secondary side, the FWIVs and FWRVs isolate on a low-low PZR level containment isolation signal to prevent excessive loss of RCS inventory. The reactor trips on high steam pressure, low PZR pressure, or low PZR level. An SGTF is discussed in Section 15.6.3.

The sudden loss of CFWS flow at power causes the SG heat removal rates to decrease, which causes the reactor coolant temperature to increase. The RCS fluid expands, flows into the PZR, thereby increasing the pressure. The SG liquid levels decrease following the termination of feedwater flow. The reactor trips on high PZR level and pressure, or low feedwater flow. This event results in the closure of the MSIVs and the actuation of the DHRS. The DHRS initiates and establishes decay heat removal and control RCS pressure and temperature within required limits. A loss of feedwater flow is discussed in Section 15.2.7.

10.4.7.3 Safety Evaluation

The portion of the feedwater piping from the SG feedwater nozzles to the outermost FWIV flange is classified as safety-related Quality Group B. This portion of the system is designed to ensure feedwater system isolation in accident situations, such as a feedwater line break, and containment isolation in cases in which the feedwater system could potentially become a containment bypass pathway (e.g., SGTF) and is included in the containment system described in Section 6.2. One FWRV is located upstream of each containment system FWIV as back up for the performance of the FWIV design bases functions. Likewise, the feedwater check valve is used as a back up to the FWIV integral check valve to prevent SG backflow. Both valves are nonsafety-related and not risk significant.

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System Tier 2 10.4-39 Draft Revision 3

therefore, failure of the CFWS does not impair the ability of other NPMs to perform their safety functions.

The condensate and feedwater system is designed to avoid FAC:

- feedwater piping and components are constructed using material resistant to FAC
- flow velocity and changes in flow direction are limited consistent with the guidance of NSAC-202L (Reference 10.4-4)
- feedwater chemistry is continuously monitored and controlled

The CFWS and supporting systems monitor and control secondary water chemistry to maintain water quality specifications during normal operation and AOOs. Flow-accelerated corrosion is discussed further in Section 10.3.6.

RAI 10.04.07-1 The CFWS system is nonsafety-related. Each FWRV is designed to provide backup to the FWIV safety function. Both valves are designed to fail closed on loss of motive force or loss of control signal.

Principal Design Criterion 34 was considered in the design of the MSS. The decay and residual heat removal safety function per PDC 34 is performed by the DHRS flowpath, and containment isolation function of the containment system, along with the secondary system isolation function, are performed by the MSIVs and the feedwater isolation valves. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown. Consistent with PDC 34, the nonsafety-related secondary MSIVs downstream of the MSIVs are credited as backup isolation components in the event that an MSIV fails to close.

General Design Criterion 60 was considered in the design of the condensate and feedwater system. Consistent with GDC 60, the CFWS design controls radioactive material releases to the environment. Consistent with 10 CFR 20.1101(b), the CFWS design supports keeping radiation exposures ALARA. To maintain the radiation exposure to operating and maintenance personnel ALARA, the CFWS is designed to facilitate maintenance, inspection, and testing in accordance with the guidance in RG 8.8. The CFWS design satisfies the requirements of 10 CFR 20.1406 in that it supports minimization of contamination of the facility and the environment. Primary-to-secondary leakage from an SGTF has the potential to introduce radioactive material into the CFWS. Main steam and condensate monitoring with MSS and CFWS isolation capabilities minimize the contamination and release to the environment. The CFWS drains to the BPDS, which discharges to the radioactive waste drain system should the CFWS become contaminated.

Detected radioactive material in the condenser is managed by the CARS (Section 10.4.2). Radiation monitors are also provided on the exhaust from the gland seal condenser (Section 10.4.3).

RAI 10.03-5 The results of the CFWS failure modes and effects analysis are presented in Table 10.4-18.

Failure modes and effects analysis for FWIV valves can be found in Table 6.2-6.

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System Tier 2 10.4-90 Draft Revision 3

Table 10.4-19: Condensate and Feedwater System Instrumentation (Continued)

Equipment Name | Monitored Parameter (NPMs) | Local Display | Signal To MCS
Feedwater header flow meter indicating transmitter (duplicate) | Feedwater flow rate (gpm) | Yes | Yes
Feedwater regulating valve A/B position indicating transmitter | Flow control valve position (%) | No | Yes
Feedwater regulating valve A/B position switch open indicators | Valve not fully open | No | Note 1
Feedwater regulating valve A/B position switch closed indicators | Valve not fully closed | No | Note 2
Condensate header emergency rejection level control valve position indicating transmitter | Level control valve position (%) | No | Yes
Condensate header normal rejection level control valve position indicating transmitter | Level control valve position (%) | No | Yes
Condensate storage tank level indicating transmitter | Vessel level (inches of H2O) | Yes | Yes
Condensate makeup conductivity analyzer | Condensate conductivity [microsiemens per centimeter @ 25°C (µS/cm)] | Yes | Yes
Condensate storage tank makeup level control valve position indicating transmitter | Level control valve position (%) | No | Yes
Condensate pump inlet manual valve position switch open | Valve not fully open | No | Yes
Long cycle cleanup air operated valve position switch open | Valve not fully open | No | Yes
Long cycle cleanup air operated valve position switch closed | Valve not fully closed | No | Yes
Condensate pump redundant minimum flow protection valve position switch open | Valve not fully open | No | Yes
Condensate pump redundant minimum flow protection valve position switch closed | Valve not fully closed | No | Yes
Long cycle recirculation flow element | Flow rate (lb/hr) | No | Yes
Long cycle recirculation flow indicating transmitter | Flow rate (lb/hr) | Yes | Yes
FWS differential pressure transmitters | SG inventory | No | Yes

Notes:

(1) Signal to MPS for valve timing technical specification.

(2) Signal to Safety Display & Indication (SDI, system E014), via MPS to indicate that the FWRV is fully closed.

NuScale Final Safety Analysis Report Technical Specifications Tier 2 16.1-9 Draft Revision 3

Table 16.1-1: Surveillance Frequency Control Program Base Frequencies (Continued)

Surveillance Requirement | Base Frequency | Basis
3.4.8.1 | 14 days | The 14 day Frequency is adequate to trend changes in the noble gas specific activity level and based on the low probability of an accident occurring during this time period.
3.4.8.2 | 14 days | The 14 day Frequency is adequate to trend changes in the iodine activity level and based on the low probability of an accident occurring during this time period.
3.4.10.1 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
3.4.10 3 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
3.5.1.1 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
3.5.1.3 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
3.5.2.1 | 12 hours | The Frequency of 12 hours is based on the similarity of the test to a CHANNEL CHECK as performed throughout existing large plant designs. The test verifies the accumulator pressure and thereby assures the OPERABILITY of the valves, as well as the status of the automatically monitored pressure alarms.
3.5.2.2 | 24 hours | The 24 hour Frequency is based on the expected low rate of gas accumulation and the availability of control room indication and alarm of decay heat removal system (DHRS) level in the control room.
3.5.2.3 | 12 hours | The SR to verify SG level is within limits every 12 hours takes into account indications and alarms that are continuously available to the operator in the control room and is consistent with other routine Surveillances which are typically performed once per shift. In addition, operators are trained to be sensitive to SG level and will ensure that the level is appropriately established and controlled.
3.5 2.43 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment.
3.5.3.1 | 24 hours | Since the ultimate heat sink (UHS) level is normally maintained at a stable level, and is monitored by main control indication and alarm, a 24 hour Frequency is appropriate. This Frequency also takes into consideration the high ratio of UHS volume change to UHS level change due to the UHS geometry.
3.5.3.2 | 24 hours | The Frequency of 24 hours is sufficient to identify a temperature change that would approach either the upper or lower limit of UHS bulk average temperature assumed in the safety analyses. Since the UHS bulk average temperature is normally stable, and is monitored by main control indication and alarm, a 24 hour Frequency is appropriate. This Frequency also takes into consideration the large heat capacity of the UHS in comparison to the magnitude of possible heat addition or removal mechanisms.

MPS Instrumentation 3.3.1 NuScale 3.3.1-4 Draft Revision 3.0 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME I.

As required by Required Action C.1 and referenced in Table 3.3.1-1.

I.1 Be in MODE 2.

AND I.2 Be in MODE 3 and PASSIVELY COOLED.

6 hours 36 hours

J. As required by Required Action C.1 and referenced in Table 3.3.1-1.

J.1 Open two reactor vent valves.

1 hour

K. As required by Required Action C.1 and referenced in Table 3.3.1-1.

K.1 Be in MODE 2.

AND K.2 Be in MODE 3.

6 hours 36 hours

LK. As required by Required Action C.1 and referenced in Table 3.3.1-1.

LK.1 Be in MODE 2.

AND LK.2 Be in MODE 3 with RCS temperature below the T-2 interlock.

6 hours 48 hours

ML.

As required by Required Action C.1 and referenced in Table 3.3.1-1.

ML.1 Be in MODE 2.

AND ML.2 Be in MODE 3 and PASSIVELY COOLED.

AND ML.3 Be in MODE 3 with RCS temperature below the T-2 interlock.

AND 72 hours 96 hours 96 hours

MPS Instrumentation 3.3.1 NuScale 3.3.1-5 Draft Revision 3.0 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME ML.

(continued)

ML.4 Isolate dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve. Isolate demineralized water flow to the reactor coolant system.

AND ML.5 Open pressurizer heater breakers.

96 hours 96 hours N. As required by Required Action C.1 and referenced in Table 3.3.1-1.

N.1 Be in MODE 2.

AND N.2.1 Be in MODE 3 with RCS temperature below the T-2 interlock.

OR N.2.2 Be in MODE 3 with Containment Water Level above the L-1 interlock.

6 hours 48 hours 48 hours

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.1.1 Perform CHANNEL CHECK on each required channel listed in Table 3.3.1-1.

In accordance with the Surveillance Frequency Control Program

MPS Instrumentation 3.3.1 NuScale 3.3.1-9 Draft Revision 3.0 Table 3.3.1-1 (page 2 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

7. High Pressurizer Pressure
a. RTS 1, 2(a), 3(a) 4 D
b. DHRS 1, 2, 3(e) 4 I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
d. DWSI 1, 2(a), 3(a) 4 H
e. SSI 1, 2, 3(e) 4 I
8. Low Pressurizer Pressure
a. RTS 1(g) 4 D
b. DHRS 1(g) 4 D
c. CVCSI 1(g) 4 F
d. Pressurizer Heater Trip 1(g) 4 G

eb. DWSI 1(g) 4 H

9. Low Low Pressurizer Pressure
a. RTS 1, 2(a) 4 D
b. DHRS 1, 2 4 I
cb. CVCSI 1, 2 4 F
d. Pressurizer Heater Trip 1, 2 4 G
ec. DWSI 1, 2(a) 4 H
d. SSI 1 4 I

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(g) With narrow range RCS hot temperature above the T-4 interlock.

MPS Instrumentation 3.3.1 NuScale 3.3.1-10 Draft Revision 3.0 Table 3.3.1-1 (page 3 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

10. High Pressurizer Level
a. RTS 1, 2(a), 3(a) 4 D
b. CVCSI 1, 2, 3 4 F

c. DWSI 1, 2(a), 3(a) 4 H
11. Low Pressurizer Level
a. RTS 1, 2(a), 3(a) 4 D
b. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
c. DWSI 1, 2(a), 3(a) 4 H
12. Low Low Pressurizer Level
a. DHRS 1, 2, 3(h) 4 N
ba. CIS 1, 2, 3(h) 4 KL
cb. CVCSI 1, 2, 3(h) 4 F
d. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
c. SSI 1, 2, 3(h) 4 I
13. High Narrow Range RCS Hot Temperature
a. RTS 1 4 D
b. DHRS 1, 2, 3(e) 4 I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
d. DWSI 1 4 H
e. SSI 1, 2, 3(e) 4 I

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(h) With RCS temperature above the T-2 interlock and containment water level below the L-1 interlock.

MPS Instrumentation 3.3.1 NuScale 3.3.1-11 Draft Revision 3.0 Table 3.3.1-1 (page 4 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

14. Low RCS Flow
a. DWSI 1, 2, 3 4 H
15. Low Low RCS Flow
a. RTS 1, 2(a), 3(a) 4 D
b. CVCSI 1, 2, 3 4 F
c. DWSI 1, 2(a), 3(a) 4 H
16. Low RPV Riser Level
a. ECCS 1, 2, 3 4 I
167. High Main Steam Pressure
a. RTS 1, 2(a) 4 per SG D
b. DHRS 1, 2, 3(e) 4 per SG I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 per SG G
d. DWSI 1, 2(a) 4 per SG H
e. SSI 1, 2, 3(e) 4 per SG I
178. Low Main Steam Pressure
a. RTS 1(b) 4 per SG E
b. DHRS 1(b) 4 per SG E
c. Pressurizer Heater Trip 1(b) 4 per SG E
db. DWSI 1(b) 4 per SG H
c. SSI 1(b) 4 per SG E

(a) When capable of CRA withdrawal.

(b) With power above the N-2H interlock.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

MPS Instrumentation 3.3.1 NuScale 3.3.1-12 Draft Revision 3.0 Table 3.3.1-1 (page 5 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

189. Low Low Main Steam Pressure
a. RTS 1, 2(a) 4 per SG D
b. DHRS 1, 2 4 per SG K
c. Pressurizer Heater Trip 1, 2(f) 4 per SG G
db. DWSI 1, 2(a) 4 per SG H
c. SSI 1, 2(a) 4 per SG I
2019. High Steam Superheat
a. RTS 1 4 per SG D
b. DHRS 1 4 per SG D
c. Pressurizer Heater Trip 1 4 per SG G
db. DWSI 1 4 per SG H
c. SSI 1 4 per SG I
201. Low Steam Superheat
a. RTS 1(b) 4 per SG D
b. DHRS 1 4 per SG D
c. Pressurizer Heater Trip 1 4 per SG G
db. DWSI 1(b) 4 per SG H
c. SSI 1(b) 4 per SG I

(a) When capable of CRA withdrawal.

(b) With power above the N-2H interlock or no V-1 interlock (FWIV closed.)

(f) With pressurizer heater trip breakers closed.

MPS Instrumentation 3.3.1 NuScale 3.3.1-13 Draft Revision 3.0 Table 3.3.1-1 (page 6 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

212. High Narrow Range Containment Pressure
a. RTS 1, 2(a), 3(a) 4 D
b. DHRS 1, 2, 3(e) 4 I
cb. CIS 1, 2, 3(i) 4 LK
dc. CVCSI 1, 2, 3(i) 4 F
e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
fd. DWSI 1, 2(a), 3(a) 4 H
e. SSI 1, 2, 3(e) 4 I
223. High Containment Water Level
a. ECCS 1, 2, 3(je) 4 I
234. High RCS Pressure - Low Temperature Overpressure Protection
a. LTOP 3(k) 4 J

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(i) With RCS temperature above the T-3 interlock.

(j) With RCS temperature above the T-3 interlock or containment water level below the L-2 interlock.

(k) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

MPS Instrumentation 3.3.1 NuScale 3.3.1-14 Draft Revision 3.0 Table 3.3.1-1 (page 7 of 7)

Module Protection System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS

245. Low AC Voltage to ELVS Battery Chargers
a. RTS 1, 2(a), 3(a) 4 per bus ML
b. DHRS 1, 2, 3(e) 4 per bus ML
c. CIS 1, 2, 3 4 per bus ML
d. CVCSI 1, 2, 3(i) 4 per bus F
de. DWSI 1, 2(a), 3(a) 4 per bus ML
ef. Pressurizer Heater Trip 1, 2(f) 4 per bus ML
g. SSI 1, 2, 3(e) 4 per bus L
256. High Under-the-Bioshield Temperature
a. RTS 1, 2(a), 3(a) 4 LM
b. DHRS 1, 2, 3 4 M
cb. CIS 1, 2, 3 4 LM
c. CVCSI 1, 2, 3(e) 4 F
d. DWSI 1, 2(a), 3(a) 4 LM
e. SSI 1, 2, 3(e) 4 L
e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 M

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(i) With RCS temperature above the T-3 interlock.

ESFAS Logic and Actuation 3.3.3 NuScale 3.3.3-6 Draft Revision 3.0 Table 3.3.3-1 (page 1 of 1)

ESFAS Logic and Actuation Functions ACTUATION FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED DIVISIONS CONDITIONS

1. Emergency Core Cooling System (ECCS) 1, 2, 3(a) 2 C
2. Decay Heat Removal System (DHRS) 1, 2, 3(a) 2 C
3. Containment Isolation System (CIS) 1, 2, 3(b) 2 D
4. Demineralized Water Supply Isolation (DWSI) 1, 2, 3 2 E
5. CVCS Isolation (CVCSI) 1, 2, 3 2 F

6. Pressurizer Heater Trip 1, 2(c), 3(c) 2 G
7. Low Temperature Overpressure Protection (LTOP) 3(d) 2 A
8. Secondary System Isolation (SSI) 1, 2, 3(b) 2 D

(a) Not PASSIVELY COOLED.

(b) With any RCS temperature above the T-2 interlock.

(c) Not required when Pressurizer Heater trip breakers are open and deactivated. With pressurizer heater breakers closed.

(d) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

Manual Actuation Functions 3.3.4 NuScale 3.3.4-4 Draft Revision 3.0 Table 3.3.4-1 (page 1 of 1)

Manual Actuation Functions MANUALLY ACTUATED FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED DIVISIONS CONDITIONS

1. Reactor Trip System 1, 2(a), 3(a) 2 C
2. Emergency Core Cooling System 1, 2, 3(b) 2 D
3. Decay Heat Removal System 1, 2, 3(b) 2 D
4. Containment Isolation System 1, 2, 3(c) 2 I
5. Demineralized Water Supply Isolation 1, 2, 3 2 E
6. CVCS Isolation System 1, 2, 3 2 F

7. Pressurizer Heater Trip 1, 2(d), 3(d) 2 G
8. Low Temperature Overpressure Protection 3(e) 2 H
9. Secondary System Isolation (SSI) 1, 2, 3(c) 2 I

(a) When capable of CRA withdrawal.

(b) When not PASSIVELY COOLED.

(c) With any RCS temperature above the T-2 interlock.

(d) Not required when pressurizer heater trip breakers are open and deactivated. With pressurizer heater breakers closed.

(e) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

DHRS 3.5.2 NuScale 3.5.2-1 Draft Revision 3.0 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS) 3.5.2 Decay Heat Removal System (DHRS)

LCO 3.5.2 Two DHRS loopstrains shall be OPERABLE.

APPLICABILITY:

MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One DHRS looptrain inoperable.

A.1 Restore DHRS looptrain to OPERABLE status.

72 hours B. Required Action and associated Completion Time not met.

OR Both DHRS loopstrains inoperable.

B.1 Be in MODE 2.

AND B.2 Be in MODE 3 and PASSIVELY COOLED.

6 hours 36 hours

DHRS 3.5.2 NuScale 3.5.2-2 Draft Revision 3.0 SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.5.2.1 Verify required valves accumulator pressures are within limits.

In accordance with the Surveillance Frequency Control Program

SR 3.5.2.2 Verify DHRS heat exchangersloops are filled.

In accordance with the Surveillance Frequency Control Program

SR 3.5.2.3

NOTE--------------------------------

Not required to be performed for DHRS loop with associated FWIV open.

Verify SG level is > [5]% and [65]%

In accordance with the Surveillance Frequency Control Program

SR 3.5.2.43 Verify that each DHRS actuation valve actuates to the open position on an actual or simulated actuation signal.

In accordance with the Surveillance Frequency Control Program

SR 3.5.2.54 Verify the open actuation time of each DHRS actuation valve is within limits.

In accordance with the INSERVICE TESTING PROGRAM

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-3 Draft Revision 3.0 BASES BACKGROUND (continued)

affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

The critical heat flux ratio (CHFR) shall be maintained above the SL value to prevent critical heat flux (CHF);

Fuel centerline melting shall not occur; and

Pressurizer pressure SL of 2285 psia shall not be exceeded.

Maintaining the variables within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 50.34 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 50.34100 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The MPS includes devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Reactor Trip System (RTS) actuation;
2. Emergency Core Cooling System (ECCS) actuation;
3. Decay Heat Removal System (DHRS) actuation;
4. Containment Isolation System (CIS) actuation;

5. Secondary System Isolation (SSI);
56. Chemical and Volume Control System Isolation (CVCSI) actuation;
67. Demineralized Water Supply Isolation (DWSI) actuation;

78. Pressurizer Heater Trip (PHT) actuation; and
89. Low Temperature Overpressure Protection (LTOP) actuation.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-15 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Feedwater Isolation Valve (FWIV) Closed Interlock, V-1

The FWIV Closed interlock, V-1 is active when one or both FWIV indicate closed.

1. When the V-1 interlock AND the N-2H interlock are active, an automatic operating bypass is established for the Low Main Steam Superheat reactor trip.
2. When the V-1 interlock AND the N-2H interlock are active, OR the containment level interlock, L-1, is active, an automatic operating bypass is established for the Low Main Steam Superheat Secondary System Isolation actuation.
3. When the V-1 interlock OR the N-2H interlock are not active, AND L-1 is not active, the operating bypass is automatically removed for the Low Main Steam Superheat Secondary System Isolation actuation.
4. When the V-1 interlock OR the N-2H interlock are not active, the operating bypass is automatically removed for the Low Main Steam Superheat reactor trip.
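The establish and remove conditions in items 1 through 4 above can be checked for gaps or overlaps by enumerating every interlock state. The following is an added illustration, not NuScale's logic implementation or part of the submittal; the function names are hypothetical, and it assumes that "V-1 OR N-2H are not active" means at least one of the two is not active.

```python
from itertools import product

# Added illustration only. Each interlock is modeled as a boolean "active" flag.
# Function names are hypothetical and do not come from the FSAR.


def trip_bypass_established(v1: bool, n2h: bool) -> bool:
    """Item 1: V-1 AND N-2H active -> Low Main Steam Superheat reactor trip bypassed."""
    return v1 and n2h


def trip_bypass_removed(v1: bool, n2h: bool) -> bool:
    """Item 4: V-1 OR N-2H not active -> reactor trip bypass removed."""
    return (not v1) or (not n2h)


def ssi_bypass_established(v1: bool, n2h: bool, l1: bool) -> bool:
    """Item 2: (V-1 AND N-2H) active, OR L-1 active -> SSI actuation bypassed."""
    return (v1 and n2h) or l1


def ssi_bypass_removed(v1: bool, n2h: bool, l1: bool) -> bool:
    """Item 3: (V-1 OR N-2H not active) AND L-1 not active -> SSI bypass removed."""
    return ((not v1) or (not n2h)) and (not l1)


def inconsistent_states():
    """List every state where a bypass is both established and removed, or neither.

    An empty list means the four rules partition the input space exactly:
    no state leaves the bypass status undefined or contradictory.
    """
    bad = []
    for v1, n2h, l1 in product((False, True), repeat=3):
        if trip_bypass_established(v1, n2h) == trip_bypass_removed(v1, n2h):
            bad.append(("reactor trip", v1, n2h, l1))
        if ssi_bypass_established(v1, n2h, l1) == ssi_bypass_removed(v1, n2h, l1):
            bad.append(("SSI", v1, n2h, l1))
    return bad


def ssi_only_bypass_states():
    """States (V-1, N-2H, L-1) where SSI is bypassed but the reactor trip is not."""
    return [
        (v1, n2h, l1)
        for v1, n2h, l1 in product((False, True), repeat=3)
        if ssi_bypass_established(v1, n2h, l1)
        and not trip_bypass_established(v1, n2h)
    ]


if __name__ == "__main__":
    print("V-1   N-2H  L-1   trip bypassed  SSI bypassed")
    for v1, n2h, l1 in product((False, True), repeat=3):
        print(
            f"{v1!s:5} {n2h!s:5} {l1!s:5} "
            f"{trip_bypass_established(v1, n2h)!s:14} "
            f"{ssi_bypass_established(v1, n2h, l1)}"
        )
    print("inconsistent states:", inconsistent_states())
    print("SSI-only bypass states:", ssi_only_bypass_states())
```

Under that reading the two pairs of rules are exact complements, and the two functions differ only where L-1 is active without both V-1 and N-2H.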

Wide Range RCS Cold Temperature Interlock, T-1

The Wide Range RCS Cold Temperature Interlock, T-1, is established when Wide Range RCS Cold Temperature is greater than approximately 325°F.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-18 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. When L-1 is active, an automatic operating bypass is established for the:

Low Low Main Steam Pressure Secondary System Isolation actuation, Low Main Steam Superheat Secondary System Isolation actuation, High Narrow Range Containment Pressure Secondary System Isolation actuation, Low Low Pressurizer Level Secondary System Isolation actuation, and Low Low Pressurizer Level Containment System Isolation actuation.

2. When the L-1 interlock is not active, the operating bypass is automatically removed for the:

Low Low Main Steam Pressure Secondary System Isolation actuation, Low Main Steam Superheat Secondary System Isolation actuation, and High Narrow Range Containment Pressure Secondary System Isolation actuation.

3. When the L-1 interlock and the WR RCS Thot interlock, T-2, are not active, the operating bypass is automatically removed for the:

Low Low Pressurizer Level Secondary System Isolation actuation, Low Low Pressurizer Level CVCS isolation, and Low Low Pressurizer Level Containment System Isolation actuation.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-19 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Level Interlock, L-2

The L-2 interlock is active when pressurizer level is greater than 20%.

1. When L-2 AND the WR RCS Thot Interlock, T-3, are active, an automatic operating bypass is established for the High Containment Level ECCS actuation.
2. When L-2 OR the WR RCS Thot Interlock, T-3, are not active, the operating bypass is automatically removed for the High Containment Level ECCS actuation.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-20 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. On increasing containment water level the L-1 interlock automatically bypasses the following trip signals for DHR actuation:

High Pressurizer Pressure; High Narrow Range RCS Hot Temperature; Low Low Main Steam Pressure; High Main Steam Pressure; Low Steam Superheat; High Steam Superheat; High Narrow Range Containment Pressure; Low Low Pressurizer Pressure; and Low Low Pressurizer Level.

2. On decreasing containment water level or not RT-1 (Reactor Trip Permissive not established), the L-1 interlock automatically enables the following trip signals for DHR actuation:

High Pressurizer Pressure; High Narrow Range RCS Hot Temperature; Low Low Main Steam Pressure; High Main Steam Pressure; Low Steam Superheat; High Steam Superheat; High Narrow Range Containment Pressure; Low Low Pressurizer Pressure; and Low Low Pressurizer Level.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-28 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

2. Pressurizer Pressure

Pressurizer pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel.

The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 1500 to 2200 psia.

a. High Pressurizer Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, and Secondary System Isolation

The High Pressurizer Pressure trip is designed to protect against exceeding RPV pressure limits for reactivity and heatup events.

The trip provides protection for the following events:

Loss of external load; Turbine trip; Loss of condenser vacuum; Closure of a main steam isolation valve (MSIV);

Loss of nonemergency AC power to station auxiliaries; Loss of normal feedwater flow; Pressurizer heater malfunction; Inadvertent operation of DHRS; Uncontrolled CRA withdrawal at power; System malfunctions that increases reactor coolant inventory; and Feedwater system pipe breaks inside and outside the containment vessel.

Four High Pressurizer Pressure Reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.

Four High Pressurizer Pressure DHRS and four SSI channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. When PASSIVE COOLING is established sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Pressurizer Pressure DHRS and Pressurizer Heater Trip determination logic is automatically bypassed when containment water level is above the L-1 interlock and automatically enabled when containment water level is below the L-1 interlock.

b. Low Pressurizer Pressure - Reactor Trip, and Demineralized Water System Isolation, Decay Heat Removal System Actuation, CVCS Isolation, and Pressurizer Heater Breaker Trip

The Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment, CRA drop, and protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Pressurizer Pressure setpoint is approximately 1720 psia. Actual setpoints are established in accordance with the Setpoint Control Program. Four Low Pressurizer Pressure reactor trip and ESFAS channels are required to be OPERABLE when operating in MODE 1 with RCS hot temperature above the T-4 interlock. In MODE 1 with RCS hot temperature below the T-4 interlock and in MODES 2, 3, 4, and 5 the RCS temperatures are well below T-4 and with the reactor subcritical the heat input will be insufficient to reach T-4. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The Reactor Trip and ESFAS actuation of the DHRS, DWSI, CVCS isolation, and pressurizer heater breaker trip by the Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-4 interlock, and is automatically enabled when RCS temperature is above the T-4 interlock.

c. Low Low Pressurizer Pressure - Reactor Trip, Demineralized Water System Isolation, Decay Heat Removal System Actuation, CVCS Isolation and Secondary System Isolation, Pressurizer Heater Breaker Trip

The Low Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment and protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Low Pressurizer Pressure setpoint is approximately 1600 psia. Actual setpoints are established in accordance with the Setpoint Program. Four Low Low Pressurizer Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the function is fulfilled because the CRAs are inserted. Four Low Low Pressurizer Pressure DHRS, CVCSI and Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODES 1 and 2. In MODES 3, 4, and 5 the reactor is subcritical.

Four Low Low Pressurizer Pressure Secondary System Isolation signals are required when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-31 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS actuation of the SSI, DWSI, and CVCS Isolation DHRS and pressurizer heater breaker trip by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-53 interlock or and the reactor trip breakers are open (RT-1) containment water level is above the L-1 interlock, and is automatically enabled when RCS temperature is above the T-53 interlock and or when the reactor trip breakers are not open. containment water level is below the L-1 interlock.

The ESFAS actuation of the CVCS Isolation by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-3 interlock, and is automatically enabled when RCS temperature is above the T-3 interlock.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-33 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four Low Pressurizer Level Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Pressurizer Level - Decay Heat Removal System Actuation, Containment Isolation, Secondary System Isolation, and CVCS Isolation, and Pressurizer Heater Trip

The Low Low Pressurizer Level trip provides protection for:

Steam system piping failures inside and outside containment; Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel; Loss-of-coolant accidents outside the containment vessel; and Steam generator tube failure.

Four Low Low Pressurizer Level Containment Isolation, SSI, and CVCSI trip channels are required to be OPERABLE when operating in MODES 1, and 2, and MODE 3 when RCS temperature is above the T-2 interlock and CNV level is less than L-1. In MODE 3 with RCS temperature below the T-2 interlock, and in MODES 4 and 5, the reactor will remain subcritical.

The Low Low Pressurizer Level Containment Isolation and CVCSI trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock. The Low Low Pressurizer Level Containment Isolation and CVCSI trip channels are automatically enabled when RCS temperature is above the T-2 interlock.

Four Low Low Pressurizer Level DHRS trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock. In MODE 3 with RCS temperature below the T-2 interlock or containment water level above the L-1 interlock with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

The Low Low Pressurizer Level DHRSCIS, SSI, and CVCS Isolation trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock or containment water level is above the L-1 interlock. The Low Low Pressurizer Level DHRSCIS, SSI, and CVCS Isolation trip channels are automatically enabled when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock.

d. Low RPV Riser Level Emergency Core Cooling System Actuation

The Low RPV Riser Level trip signal provides protection for low water level above the core in LOCA events.

Four Low RPV Riser Level trip channels are required to be OPERABLE when operating in MODES 1, 2 and 3. In MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

4. RCS Hot Temperature

Narrow Range RCS Hot Temperature is measured by three resistance temperature detectors (RTDs) per separation group (a total of 12 RTDs), located in the RCS flow near the top of the reactor vessel downcomer.

a. High Narrow Range RCS Hot Temperature - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, Secondary System Isolation

The High RCS Hot Temperature trip provides protection for:

Instability events; Control rod misoperation; and Uncontrolled CRA withdrawal at power.

The High RCS Hot Temperature trip causes a reactor trip, DWSI, DHRS actuation, SSI and a pressurizer heater trip. The DHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock and automatically enabled when containment water level is below the L-1 interlock.

Four High Narrow Range RCS Hot Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four High Narrow Range RCS Hot Temperature DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-37 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

6. Main Steam Pressure

Main Steam pressure is measured by eight pressure sensors (two per separation group, one on each steam line) located on the main steam lines upstream of the MSIVs near the connection to the DHRS lines.

Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips.

a. High Main Steam Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Secondary System Isolation, and Demineralized Water System Isolation

The High Main Steam Pressure trip provides protection for:

Loss of external load; Turbine trip; Loss of condenser vacuum; Loss of nonemergency AC power to the station auxiliaries; Closure of a MSIV; and Inadvertent operation of the DHRS.

The High Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, SSI, DWSI, and Pressurizer Heater Trip to actuate.

Four High Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the reactor will remain subcritical.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-38 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four Main Steam Pressure DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

The High Main Steam Pressure DHRS and Pressurizer Heater Trip channels are automatically bypassed when containment water level is above the L-1 interlock and the RTBs are open. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Trip

The Low Main Steam Pressure trip provides protection for:

Increase in steam flow; Inadvertent opening of the turbine bypass system; Loss of feedwater flow; Steam system piping failures inside and outside the containment vessel; and Feedwater system pipe breaks inside and outside the containment vessel.

Module Protection System Instrumentation B 3.3.1 NuScale B 3.3.1-39 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Low Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSIPressurizer Heater Trip to actuate.

Four Low Main Steam Pressure reactor trip, DWSI, DHRS, and Pressurizer Heaterand SSI Trip channels measuring pressure on each steam line are required to be OPERABLE when operating in MODES 1 with power range linear power above N-2H. In MODE 1 below N-2H and in MODE 2 the unit is protected by the Low Low Main Steam Pressure function. In MODES 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Breaker Trip The Low Low Main Steam Pressure trip provides protection for:

Increase in steam flow; Inadvertent opening of the turbine bypass system; Loss of feedwater flow; Steam system piping failures inside and outside the containment vessel; and Feedwater system pipe breaks inside and outside the containment vessel.

The Low Low Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSI Pressurizer Heater Breaker Trip to actuate.

Four Low Low Main Steam Pressure reactor trip, and DWSI, and SSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA and in MODES 3, 4, and 5 the reactor is subcritical.

Four Low Low Main Steam Pressure DHRS SSI Trip channels are required to be OPERABLE when operating in MODES 1 and 2.

Protection from low main steam pressure is not required in MODES 3, 4, and 5.

Four Low Low Main Steam Pressure Pressurizer Heater Breaker Trip channels are required to be OPERABLE in MODE 1 and MODE 2 when pressurizer heater breakers are closed. In MODE 2 with pressurizer heater breakers open and in MODES 3, 4, and 5 the function is fulfilled.

The Low Low Main Steam Pressure SSIDHRS channels are automatically bypassed when water level is above the L-1 interlock and the RTBs are open. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

7. Steam Superheat

Steam Superheat is determined by MPS SFM processing of main steam temperature and pressure data. Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips. Four steam temperature sensors are located on each steam pipe upstream of the MSIVs. Each channel of superheat receives two steam generator pressure inputs and two steam temperature inputs (one pressure and one temperature signal from each steam line). The degree of superheat is found by determining the saturation temperature (TSAT) at the measured main steam pressure (PSTM), and subtracting this value from the measured main steam temperature (TSTM). The main steam saturation temperature is found via a simple steam table lookup function using the measured steam pressure value.

TSH = TSTM - TSAT(PSTM)

a. High Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Trip The High Steam Superheat trip provides protection for steam generator (SG) boil-off.

The High Steam Superheat trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSIPressurizer Heater Trip to actuate.

Four High Steam Superheat reactor trip, DWSI, DHRS, and SSIPressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Steam Superheat DHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock.

b. Low Steam Superheat - Reactor Trip, Demineralized Water System Isolation, Decay Heat Removal System Actuation, and Secondary System IsolationPressurizer Heater Trip The Low Steam Superheat trip provides mitigation of SG overfilling.

The Low Steam Superheat trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSIPressurizer Heater Trip to actuate. Steam Superheat is determined by MPS processing of temperature and pressure data.

Four Low Steam Superheat reactor trip, DWSI, DHRS, and SSIPressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The Low Steam Superheat SSIDHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock or 1 FWIV is closed with power less than the N-2H setpoint.

8. Containment Pressure Narrow Range

Containment pressure is measured by four sensors (one per separation group) located near the top of the containment vessel.

a. High Narrow Range Containment Pressure - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Secondary System Isolation,Decay Heat Removal System Actuation, Pressurizer Heater Trip, and CVCS Isolation The High Containment Pressure trip provides protection for:

System malfunctions that increase the RCS inventory; Inadvertent operation of the ECCS; Loss of containment vacuum; Steam system piping failures inside and outside the containment vessel; Feedwater system pipe breaks inside and outside the containment vessel; and Loss-of-coolant accidents from a spectrum of postulated piping breaks inside the containment vessel.

The High Narrow Range Containment Pressure trip causes the reactor trip breakers to open, the containment to be isolated, the DHRS and Pressurizer Heater TripSSI to be actuated, and the DWS and CVCS to be isolated.

Four High Narrow Range Containment Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal.

Four High Narrow Range Containment Pressure SSIDHRS channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

Four High Containment Pressure CVCSI and CIS channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock. In MODE 3 with RCS temperature below the T-3 interlock, and in MODES 4 and 5, the containment pressure is allowed and expected to exceed this setpoint, so isolation is not required.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Containment Pressure Containment Isolation, SSI, DHRS, Pressurizer Heater Trip, and CVCSI actuations are automatically bypassed when RCS temperature is below the T-3 interlock. The High Containment Pressure DHRS and Pressurizer Heater Trip actuationSSI is also automatically bypassed when containment water level is above the L-1 interlock.

9. Containment Water Level

The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS hot temperature above T-3 or PZR level below L-2. In MODE 3 with RCS hot temperature below T-3 and PZR level above L-2, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and PZR level is above L-2, and automatically enabled when RCS temperature is above the T-3 interlock or PZR level is below L-2. Containment Water Level is measured by 4 sensors (one per separation group) located in the containment vessel. The level is measured by a radar instrument which will run the entire distance of the measurement, from the containment head to an elevation below 45 ft.

a. High Containment Water Level Emergency Core Cooling System Actuation

The High Containment Water Level trip provides protection for LOCA events.

The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and the RTBs open, and automatically enabled when RCS temperature is above the T-3 interlock.

11. Low AC Voltage to ELVS Battery Chargers

The Low AC Voltage function ensures the EDSS batteries supply power for their full mission time; 24 hours for A and D power channels, and 72 hours for B and C power channels. Power channels B and C provide power to the accident monitoring equipment. It also keeps ECCS from actuating for 24 hours to allow operators time to restore AC power. An ECCS actuation will occur if required by unit conditions. The 24 hours after the loss of normal AC is called ECCS Hold.

a. Low ELVS Voltage - ECCS Hold

Low ELVS Voltage is determined by measuring two ELVS 480 VAC buses that provide power to the EDSS battery chargers with two sensors per separation group. If both 480 VAC bus voltages are below the setpoint, the following occurs:

Reactor Trip; DHRS Actuation; Pressurizer Heater Trip Actuation; Containment Isolation Actuation; Chemical and Volume Control System Isolation; Secondary System Isolation; Demineralized Water System Isolation; and 24 hour timers started.

If AC voltage is not restored to at least EDSS battery charger B OR C within 24 hours the following will occur:

RTS chassis is de-energized; ESFAS chassis is de-energized; and MWS is de-energized.

This will generate an ECCS actuation.

Eight (4/bus) Low ELVS Voltage DWSI and reactor trip channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Eight (4/bus) Low ELVS Voltage Containment Isolation channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the functions are fulfilled.

Eight (4/bus) Low ELVS Voltage DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Eight (4/bus) Low ELVS Voltage Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater trip breakers closed. In MODE 2 with the pressurizer heater trip breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels per bus are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

12. Under-the-Bioshield Temperature

Temperature under the bioshield is measured by 4 sensors (one per separation group) mounted on the pool wall outside containment.

a. High Under-the-Bioshield Temperature - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Chemical and Volume Control System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Trip An undetected small main steam line break under the bioshield would expose the equipment to sustained elevated temperatures challenging the safety-related functions of the MSIVs and DHR valves. The High Temperature Under-the-Bioshield trip provides protection for the safety-related equipment that would be exposed

Four High Under-the-Bioshield Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Four High Under-the-Bioshield Temperature DHRS and Containment Isolation channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 these functions are fulfilled.

Four High Under-the-Bioshield Temperature SSI and CVCSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical, passively cooled, and the MSIVs would be in their credited safety position.

Four High Under-the-Bioshield Temperature Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater trip breakers closed. In MODE 2 with the pressurizer heater trip breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

ACTIONS

The most common causes of channel inoperability are outright failure of a sensor or MPS SFM module sufficient to exceed the tolerance allowed by the unit-specific setpoint analysis as specified by the SP. Typically, sensor drift is found to be small and results in a delay of actuation rather than a total loss of capability to actuate within the allowed tolerance around the NTSP. This determination of the channel's actual trip setting is generally made during the performance of a CHANNEL CALIBRATION when the process sensor output signal is measured and verified to be within specification. If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE status.

K.1 and K.2

Condition K is entered when Condition C applies to Functions that result in actuation of the DHRS on Low Low Main Steam Pressure as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions K.1 and K.2. K.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable DHRS automatic channel. K.2 places the unit in MODE 3 within 36 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

LK.1 and LK.2 Condition LK is entered when Condition C applies to Functions that result in actuation of the Containment Isolation system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions LK.1 and LK.2. LK.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. LK.2 places the unit in MODE 3 with RCS hot temperature < 200°F within 48 hours of entering the condition. This condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

ML.1, ML.2, and ML.3, L.4, and L.5 Condition LM is entered when Condition C applies to Functions that result in a reactor trip, CIS actuation, DHR actuation, DWSI, SSI, and Pressurizer Heater Trip due to the Low ELVS Voltage or High Under-the-Bioshield Temperature as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions ML.1, ML.2, ML.3, ML.4, and ML.5.

ML.1 places the unit in MODE 2 within 672 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel. ML.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 396 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the DHRS OPERABILITY is no longer required.

ML.3 places the unit in MODE 3 with RCS temperature below the T-2 interlock within 396 hours of entering the condition. This condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.

ML.4 isolates the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valvedemineralized water flowpath to the RCS within 396 hours. This completes the function of the DWSI.

ML.5 opens the power supply breakers to the pressurizer heaters within 396 hours.

Completion Times are established considering the likelihood of a design basis event that would require automatic actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

N.1 and N.2

Condition N is entered when Condition C applies to Functions that result in the actuation of DHRS on Low Low Pressurizer Level as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions N.1 and N.2. N.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable DHRS automatic channel. N.2 places the unit in MODE 3 with RCS temperature below the T-2 interlock or in MODE 3 with Containment Water Level above the L-1 interlock within 48 hours of entering the condition. This condition assures the RCS is in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require DHRS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken.

This determination includes, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same process variable. This determination is made using computer software or may be performed manually.

It is based on the assumption that instrument channels monitoring the same process variable should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between CHANNEL CALIBRATIONS.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment is operating outside its limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

ESFAS Logic and Actuation B 3.3.3 NuScale B 3.3.3-1 Draft Revision 3.0

B 3.3 INSTRUMENTATION

B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation

BASES

BACKGROUND

The ESFAS portion of the Module Protection System (MPS) protects against violating the core fuel design limits, ensures reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents, and ensures acceptable consequences during accidents by initiating necessary safety systems.

Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.

Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups is received by each division of the ESFAS SVMs.

LCO 3.3.3 addresses only the logic and actuation portions of the MPS that perform the ESFAS functions. The scope of this LCO begins at the inputs to the SVMs and extends through the actuating contacts on the actuated components. This LCO also includes the pressurizer heater trip breakers. Component OPERABILITY and surveillance requirements are provided in the system LCOs and by programmatic requirements identified in Chapter 5, Administrative Controls.

LCO 3.3.1, Module Protection System (MPS) Instrumentation, and LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.

The ESFAS logic and actuation consists of:

1. Emergency Core Cooling System (ECCS) actuation;
2. Decay Heat Removal System (DHRS) actuation;
3. Containment Isolation System (CIS) actuation;
4. Demineralized Water Supply Isolation (DWSI) actuation;
5. Chemical and Volume Control System Isolation (CVCSI) actuation;
6. Pressurizer Heater Trip (PHT);
7. Low Temperature Overpressure Protection (LTOP) actuation; and
8. Secondary System Isolation (SSI) actuation.

Logic for Actuation Initiation

The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.

The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division - independent and redundant EIMs for each division of ESFAS.

The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
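
The two-stage vote described above (2-out-of-4 separation groups in each SVM, then 2-out-of-3 SVMs at the EIM), as an added Python model that is not NuScale's code and not part of the FSAR. It checks the Bases statement that four channels permit one channel in trip or bypass with no single random failure disabling the Function; the channel state names, the treatment of a bypassed channel as an input that never votes to actuate, and the "silent" failure mode of an SVM are assumptions made for the illustration.

```python
"""Model of the ESFAS actuation vote: 2-out-of-4 separation groups in each
scheduling and voting module (SVM), then 2-out-of-3 SVMs at the equipment
interface module (EIM). Illustrative only; all state names are assumptions."""

# Assumed channel states for one separation group's SFM output:
#   ok            - follows the real process demand
#   trip          - channel administratively placed in trip (always votes to actuate)
#   bypass        - channel administratively bypassed (never votes to actuate)
#   stuck_no_trip - failed channel that cannot vote to actuate
#   stuck_trip    - failed channel that always votes to actuate
VOTES_TRUE = {"trip", "stuck_trip"}
VOTES_FALSE = {"bypass", "stuck_no_trip"}


def channel_vote(state, demand):
    """Return the trip determination one separation group sends to the SVMs."""
    if state == "ok":
        return bool(demand)
    if state in VOTES_TRUE:
        return True
    if state in VOTES_FALSE:
        return False
    raise ValueError(f"unknown channel state: {state!r}")


def svm_vote(channel_states, demand, healthy=True):
    """2-out-of-4 vote inside one SVM.

    Assumption: a failed SVM is modelled as silent (never requests actuation),
    the worst case when checking for loss of the safety function.
    """
    if len(channel_states) != 4:
        raise ValueError("expected one state per separation group (4)")
    if not healthy:
        return False
    return sum(channel_vote(s, demand) for s in channel_states) >= 2


def eim_vote(svm_signals):
    """2-out-of-3 vote at the EIM across the three redundant SVMs."""
    if len(svm_signals) != 3:
        raise ValueError("expected three SVM signals")
    return sum(bool(s) for s in svm_signals) >= 2


def division_actuates(channel_states, demand, svm_health=(True, True, True)):
    """Run both voting stages for one ESFAS division."""
    return eim_vote([svm_vote(channel_states, demand, h) for h in svm_health])


def single_failure_gaps(maintenance_state):
    """With one channel held in `maintenance_state` ("trip" or "bypass"),
    try every single additional failure and list those that would block
    actuation on a real demand. An empty list means none does."""
    gaps = []
    for held in range(4):
        base = ["ok"] * 4
        base[held] = maintenance_state
        for failed in range(4):           # one other channel fails to trip
            if failed == held:
                continue
            states = list(base)
            states[failed] = "stuck_no_trip"
            if not division_actuates(states, demand=True):
                gaps.append(("channel", held, failed))
        for silent in range(3):           # or one SVM goes silent
            health = [i != silent for i in range(3)]
            if not division_actuates(base, demand=True, svm_health=health):
                gaps.append(("svm", held, silent))
    return gaps


if __name__ == "__main__":
    for state in ("bypass", "trip"):
        print(f"one channel in {state}: blocking single failures =",
              single_failure_gaps(state))
    # Two bypassed channels plus one failed channel leaves a single vote.
    print("two bypassed + one failed, real demand ->",
          division_actuates(["bypass", "bypass", "stuck_no_trip", "ok"], True))
    # A channel in trip turns the vote into 1-out-of-3: one spurious trip actuates.
    print("one in trip + one spurious, no demand ->",
          division_actuates(["trip", "stuck_trip", "ok", "ok"], False))
```

Under these assumptions the margin covers exactly one channel out of service: a second bypassed channel plus one failure leaves a single vote, and a channel held in trip lets one spurious trip from another group complete the 2-out-of-4 vote.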

ESFAS Actuation

Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.

Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV, per steam line (two total), and either Division I or II actuation will close it.

Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.

Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unit is shut down. FSAR, Chapter 7 (Ref. 1), describes MPS testing in more detail.

ESFAS Logic and Actuation B 3.3.3 NuScale B 3.3.3-5 Draft Revision 3.0 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

8. Secondary System Isolation

The Secondary System Isolation is designed to isolate the steam generators from the feedwater and main steam systems. The system limits releases of radioactive materials via these flowpaths. It also provides boundaries to preserve the inventory of the DHRS ensuring that capability to transfer decay heat to the UHS remains available.

Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when the RCS temperature is above the T-2 interlock.

The ESFAS logic and actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Operability requirements for manual ESFAS actuation are described in LCO 3.3.4.

ESFAS Logic and Actuation B 3.3.3 NuScale B 3.3.3-7 Draft Revision 3.0 BASES ACTIONS (continued)

C.1 and C.2

If Required Action B.1 directs entry into Condition C as specified in Table 3.3.3-1, or if both divisions of ECCS or DHRS are inoperable the unit is outside its design basis ability to automatically mitigate a postulated event.

With one division of actuation logic inoperable the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the ECCS or DHRS if required.

C.1 requires the unit to be in MODE 2 within 6. This action limits the time the unit may continue to operate with limited or inoperable automatic actuation logic.

C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. This condition assures adequate passive decay heat transfer to the UHS and results in the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.

D.1 and D.2

If Required Action B.1 directs entry into Condition D as specified in Table 3.3.3-1, or if both divisions of the containment isolation or secondary system isolation actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the CIS if required.

D.1 requires the unit to be in MODE 2 within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable CIS automatic actuation logic.

D.2 requires the unit to be placed in MODE 3 with RCS temperature below the T-2 interlock within 48 hours of entering the Condition. This

ECCS B 3.5.1 NuScale B 3.5.1-1 Draft Revision 3.0 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.1 Emergency Core Cooling System (ECCS) - Operating

BASES BACKGROUND The ECCS provides decay heat removal for a postulated steam generator tube failure event or Loss of Coolant Accident (LOCA) event that exceeds the makeup capacity of the Chemical and Volume Control System (CVCS). The ECCS is designed to bring the reactor coolant system (RCS) to a low temperature and low pressure safe shutdown condition.

The ECCS consists of three reactor vent valves (RVVs) located on the reactor head, two RRVs located above the reactor flange, and associated controls and instrumentation. The RVVs are connected to the vapor space of the pressurizer region of the reactor vessel. The reactor recirculation valves (RRVs) penetrate the reactor vessel above the top of the reactor core and open into the downcomer region of the reactor vessel. The ECCS valves form a portion of the reactor coolant pressure boundary.

ECCS actuation occurs when the Module Protection System (MPS) de-energizes solenoid trip valves in the hydraulic controls of the RVVs and RRVs. MPS is designed to actuate the ECCS on low RCS water level, or high containment water level. In addition to the solenoid trip valve actuation, the ECCS valves are hydraulically interlocked in the closed position until the differential pressure between the RCS and containment vessel is reduced by flow from a postulated break. Even with an open signal present the valves do not actuate open until the differential pressure has fallen to the differential pressure setpoint. The differential pressure interlock will not prevent the ECCS system from performing its design function; it just reduces the likelihood of inadvertent actuation during power operations.

ECCS actuation and function, including the differential pressure interlock, do not require electrical power. The solenoid trip valves are designed to actuate upon loss of electrical power. The differential pressure interlock is mechanical and does not require external power, depending only on the pressure sources of the reactor vessel and of the containment environment to function. No operator action is required to establish and maintain long term core cooling when the system is actuated. Note that in certain loss of power events, the ECCS actuation solenoid trip valves are supplied battery power to prevent inadvertent actuation. After 24 hours on battery power, ECCS is actuated, removing this battery load and preserving battery power capability for other instrument functions. The battery power timer design basis and description is provided in Technical Specifications 3.3.1, MPS Instrumentation, and 3.3.3, ESFAS Logic and Actuation.

RCS vapor is vented from the pressurizer space through the RVVs into the containment vessel when the RVVs are opened. This steam condenses on the inner walls of the containment vessel and flows to the bottom of the vessel where it accumulates with any other leakage that is in the containment vessel from a postulated break. The RRVs open simultaneously with the RVVs to provide a flow path for this condensate from the containment vessel to flow back into the reactor vessel. The design of the reactor and containment vessel geometries and the total RCS liquid volume is such that upon ECCS actuation, liquid levels in both the reactor and containment vessel will stabilize above the top of the core. The containment water level will be higher than the RCS level providing the driving force for natural circulation flow of cooler RCS water in containment back into the reactor vessel.

This natural circulation flow will maintain core submersion and cooling.

Heat is transferred to the containment by steam condensation on the containment interior, and then removed from containment by condensate heat conduction through the containment vessel wall. In addition to mass transfer, heat is removed by conduction through the reactor vessel walls during ECCS operation because the lower portions of the reactor vessel walls are submerged and wetted by coolant on both sides. Heat is removed from the containment wall through contact with the reactor pool which acts as the ultimate heat sink (UHS).

The ECCS valves are sized to ensure that sufficient pressure equalization exists to support core cooling when at least two RVVs and at least one RRV have opened.

In MODES 1, 2 and MODE 3 when not PASSIVELY COOLED the RCS hot temperature is greater than the T-3 interlock (approximately 350°F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%), the ECCS is actuated on high level in the containment vessel or low level in the reactor vessel. The high containment level actuation set point of the ECCS was chosen to ensure that sufficient level exists within the containment vessel prior to actuation of the ECCS to ensure the core remains covered as a result of ECCS actuation. Similarly, the low reactor vessel level was selected to ensure that ECCS actuation occurs with sufficient coolant inventory available, which results in water levels above the reactor core during operation.

Specification 3.3.1 describes the instrumentation and actuation logic for ECCS actuation. In applicable design basis accident scenarios, this actuation setpoint is sufficient to ensure the core remains cooled and covered.

In MODE 3 the RVVs provide Low Temperature Over-Pressure (LTOP) protection for the RCS as described in LCO 3.4.10.

In MODE 3 in PASSIVE COOLING, the ECCS is either performing its design function to support the transfer of decay heat from the reactor core to the containment vessel so the system or alternative means of removing decay heat have been established and the system is no longer required to be OPERABLE.

In MODE 4 the ECCS is not required whenbecause the ECCS valves are open and de-energized, andor the unit is being PASSIVELY COOLEDpassively cooled ensuringwhich ensures decay heat removal is being accomplished. Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de-energized and opened RRVs are open between the UHS water inside the containment and the RCS. In MODE 5, core cooling is accomplished by conduction through the RPV wall to the ultimate heat sink until the upper containment and upper RPV are separated from the lower RPV and the reactor core.Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de energized and opened RRVs provide direct communication between the UHS water inside the containment and the RCS. During this period, and while in MODE 5, core cooling is accomplished by conduction through the reactor pressure vessel wall to the ultimate heat sink. Once the RPV is separated at the flange during disassembly the lower RPV internals and reactor core are RCS is in direct contact with the UHSreactor pool thereby ensuring adequate cooling by direct contact with the ultimate heat sink. Therefore the ECCS is not required to be OPERABLE in MODE 5.

The ECCS valves are OPERABLE when they are closed and capable of opening upon receipt of an actuation signal, or are open performing their intended function. FSAR Section 6.3 describes the ECCS design (Ref. 1).

APPLICABLE SAFETY ANALYSES The ECCS is designed to provide core cooling following postulated Loss of Coolant Accident design basis events as described in the FSAR, Chapter 15 (Ref. 2), including:

- Loss of Coolant Accident
- Steam Generator Tube Failure

The system establishes a path for heat transfer to the UHS via conduction and convection of condensed coolant in the containment vessel and by the condensation of steam vapor on the upper portions of the containment vessel. The design ensures that in the event of a loss of primary coolant to the containment vessel, sufficient coolant will be returned to the reactor vessel to ensure that the core remains cooled and covered at all times. Actuation of the system ensures that pressure differences between the containment vessel and the reactor pressure vessel are minimized sufficiently to allow hydraulic head of the fluid in containment to establish flow to the reactor vessel via an open RRV.

The ECCS system includes an inadvertent actuation block (IAB) feature. The IAB safety function is to permit the RVVs and RRVs to open only when appropriate conditions exist as described in the safety analysis.

ECCS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO establishes the minimum conditions necessary to ensure that ECCS valves will be available to meet the initial conditions assumed in the safety analyses. Two RVVs and one RRV provide the safety function of the safety analyses for LOCA and SGTF events.

Loss of any system component eliminates the redundancy provided to meet its safety function.

APPLICABILITY The ECCS is relied upon to provide a passive response to loss of coolant accidents in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED the RCS hot temperature is greater than the T-3 interlock (approximately 350°F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%). Additionally, the valves are ensured to open when power is removed when the module is disconnected at the operating position as part of the refueling process.

In MODE 4 and 5 core cooling is provided by passive conduction through the

DHRS B 3.5.2 NuScale B 3.5.2-1 Draft Revision 3.0 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.2 Decay Heat Removal System (DHRS)

BASES BACKGROUND The Decay Heat Removal System (DHRS) is a passive heat removal system that is used whenever the normal unit feedwater and steam systems are unavailable due to failure or loss of normal AC power.

The system is comprised of two loops; one connected to each of the two steam generators.

Each loop of decay heat removal includes a steam generator submersed in the reactor coolant system fluid, and a heat exchanger that is attached to the outside of the containment vessel and submerged in the reactor pool. The heat exchanger is located above midline of the steam generator. The top inlet of the DHRS heat exchanger is attached to the main steam line upstream of the main steam isolation valve of the associated steam generator. The bottom of the heat exchanger is attached to the feedwater line downstream of the feedwater isolation valve to the associated steam generator. Each DHR heat exchanger is normally isolated from the main steam lines by two valves, the DHRS Actuation valves, in parallel on the line between the top of the heat exchanger and the main steam line from the associated steam generator.

During normal operation the DHR heat exchanger is filled and maintained pressurized by the feedwater system. When decay heat removal is required to perform its design function the feedwater and main steam isolation valves are closed, and the DHRS Actuation valves open. The closed feedwater and main steam isolation valves form part of the DHRS pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1). This allows the water stored in the heat exchanger and piping to enter the steam generator via gravity as steam flows into the heat exchanger from the main steam line. Steam condenses on the inside of the tubes and continues to drain back to the steam generator in a closed loop. The inventory of the decay heat removal system, associated SG, and piping is sufficient to support the operation of the system.

Only one loop of DHRS is required to meet the decay heat removal requirements of the power module, and only one DHRS Actuation valve is required to open to ensure operation of a decay heat removal train. As a result there is no single active failure that will prevent a single loop of the DHRS from performing its design function.

The closed feedwater and main steam isolation valves form part of the DHRS loop pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1) and FSAR Section 10.3 (Ref. 2).

APPLICABLE SAFETY ANALYSIS The DHRS is designed to ensure that adequate decay heat removal is provided to ensure core integrity. The system function is bounded by loss of normal AC power event, as described in FSAR, Chapter 15 (Ref. 3). A loss of normal AC power will result in a loss of feedwater and a loss of condenser vacuum. Both of these anticipated operational occurrences (AOOs) require actuation of the DHRS.

DHRS is actuated by MPS upon receipt of any of the following:

a. High Pressurizer Pressure
b. High RCS Hot Temperature
c. High Containment Pressure
d. Low Pressurizer Pressure
e. Low Low Pressurizer Level
f. Low AC Voltage
g. Low Steam Pressure
h. Low Low Steam Pressure
i. High Steam Pressure
j. High Steam Superheat
k. Low Steam Superheat
l. High Under The Bioshield Temperature

These actuations cover the range of events that indicate inadequatewould prevent the normal feedwater and steam systems from providing heat removal fromto the Reactor Coolant System.

DHRS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO ensures that sufficient DHRS equipment is OPERABLE to meet the initial conditions assumed in the safety analyses. One loop of DHRS is required to function to meet the safety function of the system. Loss of any system component impacts the redundancy needed to ensure that the system is capable of meeting its safety function if a single failure occurs. Each loop of DHRS includes one SG, one heat exchanger, and redundant valves that actuate for the system to meet its safety function. Inoperability of individual redundant valves does not affect the overall redundancy of the DHRS. However, both redundant valves are needed to ensure that the DHRS loop is capable of meeting its safety function if a single active failure occurs.

APPLICABILITY The DHRS is relied upon to provide a passive means of decay heat removal in MODES 1 and 2. The DHRS must remain OPERABLE in MODE 3 until PASSIVE COOLING. In MODE 4, DHRS is not required because conductive shutdown cooling through the containment vessel to the ultimate heat sink (UHS) has been established. When being disassembled in MODE 4 and in MODE 5 when one or more reactor vessel flange bolts are less than fully tensioned, but before the upper module and lower reactor vessel are separated, the containment lower shell has been removed and the reactor vessel and RCS are cooled by direct contact with the UHS. In MODE 5 decay heat removal is by direct transfer to the refueling pool water which is in contact with the reactor fuel.

ACTIONS A.1 To meet the DHR safety function at least one loop must function.

If a single loop of DHR is inoperable it eliminates the redundancy of this safety system. The system must be restored to OPERABLE.

A completion time of 72 hours is reasonable based on the probability of the DHR system being needed during this period, the reliability of the other loop of DHR including redundant actuation and isolation valves, and the ability of the unit to cope with this conditionevent using the ECCS.

B.1 and B.2 If the Required Actions cannot be completed within the associated Completion Time, or if both loops of DHRS are declared inoperable the unit must be placed in a mode that does not rely on the DHRS. This is accomplished by Required Actions B.1 and B.2.

Required Action B.1 places the unit in MODE 2 within 6 hours.

Required Action B.2 places the unit in MODE 3 and PASSIVELY COOLED within 36 hours.

Completion Times are established considering the likelihood of an event that would require DHRS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.5.2.1 This SR verifies adequate pressure in the accumulators required for DHRS actuation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 Verification that the DHRS including the heat exchanger is filled ensures that there is sufficient inventory in the loop to fulfill its design function, and that non-condensable gases have not accumulated in the system. Each loop of the DHRS has four level sensors - two located on the DHRS piping below each of the two actuation valves that would indicate a reduced water level in the DHRS heat exchanger legloop. Any level switch indicating a reduced water level is sufficient to determine the DHRS heat exchanger legloop is not filled. The DHRS is filled with feedwater during startup, and during normal operation it is maintained filled by feedwater pressure. Feedwater flow through the DHRS loop does not occur because the DHRS actuation valves are closed.

Dissolved gas concentrations are maintained very low in feedwater during startup and operations by secondary water chemistry requirements. Therefore, significant levels of noncondensable gases are not expected to accumulate in the DHRS piping. However, maintaining the required DHRS inventory using the level sensors protects against buildup of noncondensable gases which could adversely affect DHRS operation. Monitoring the level switches ensures the system remains filled and non-condensable gas accumulation has not occurred.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.3 Verification that the level in a steam generator (SG) is > [5]% and [65]% when its associated feedwater isolation valve is closed assures that the SG contains inventory adequate to support actuation and OPERABILITY of the associated decay heat removal system loop if it is required.

A Note is provided indicating that the surveillance is not required to be performed when the associated FWIV is open. In those conditions, the normal feedwater system controls ensure that the SG will support DHRS OPERABILITY if it is required.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4 Verification that the DHRS actuation valves are OPERABLE by stroking the valves open ensures that each loop of DHRS will function as designed when these valves are actuated. The DHRS actuation valves' safety function is to open as described in the safety analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5 Verifying that the open actuation time of each DHRS actuation valve is within limits is required to demonstrate OPERABILITY. The open actuation time test ensures that the valve will open in a time period less than or equal to that assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. Each loop of DHRS contains two actuation valves, one actuated from each division of the MPS ESFAS actuation logic.

Actuation time is measured from output of the module protection system equipment interface module until the valves are open.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES

1. FSAR Section 5.4, "Reactor Coolant System Component and Subsystem Design."
2. FSAR Section 10.3, "Main Steam System."
3. FSAR Chapter 15, "Transient and Accident Analysis."

MSIVs B 3.7.1 NuScale B 3.7.1-2 Draft Revision 3.0 BASES BACKGROUND (continued)

The four valves are arranged so that each MSIV is provided with a bypass line that includes a MSIV bypass valve, one safety related and one non-safety related, arranged in parallel with the corresponding MSIVs.

The safety-related MSIVs and non-safety related secondary MSIVs, as well as the normally-closed MSIV bypass valves, will receive and close upon receipt of a Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or Containment Isolation System actuation as described in Specification 3.3.1. Each of the MSIV and MSIV Bypass Valves is designed to close upon loss of power.

Closing the MSIVs and MSIV bypass valves isolates the Turbine Bypass System and other steam flows from the SG to the balance of plant. The MSIVs isolate steam flow from the secondary side of the associated SG following a high-energy line break and preserve the reactor coolant system (RCS) inventory in the event of a steam generator tube failure (SGTF). The MSIVs and MSIV bypass valves also form part of the boundary of the safety-related, closed-loop, DHRS described in FSAR Section 5.4 (Ref. 3).

APPLICABLE SAFETY ANALYSES The MSIVs and MSIV Bypass Isolation Valves close to isolate the SGs from the power conversion system. Isolation limits postulated releases of radioactive material from the SGs in the event of a SG tube failure (Ref. 4) and terminates flow from SGs for postulated steam line breaks outside containment (Ref. 5). This minimizes radiological contamination of the secondary plant systems and components, and minimizes associated potential for activity releases to the environment, and preserves RCS inventory in the event of a SGTF.

The isolation of steam lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of an unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss-of-coolant accident (non-LOCA) design basis events when normal secondary-side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions.

The safety-related and nonsafety-related MSIV and MSIV bypass valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS (continued)

B.1 With a steam line that cannot be manually or automatically isolated the supported safety functions can no longer be met. This condition applies when two or more inoperable isolation valves prevent automatic or manual isolation of steam flow from the steam generator. This condition exists when a flow path through the safety related MSIV and MSIV bypass valve exists, and a flow path through the non-safety related secondary MSIV and MSIV bypass valve exists, that cannot be manually or automatically isolated.

For example, one MSIV bypass valve inoperable and open, and one non-safety related secondary MSIV inoperable and open could prevent isolation of the steam flow from the associated steam generator. In this condition a steam line flow could exist through the MSIV bypass valve and the secondary MSIV that could not be isolated.

Action B.1 requires isolation of the main steam line by closure of valves so that the safety function of the steam line isolation is accomplished.

Some repairs may be accomplished within the 8 hour period. The 8 hour completion time is reasonable because the inoperable isolation valve only affects the capability of one of the two redundant DHRS trains to function.

The time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require isolation of the steam line.

If the main steam line can be isolated within 8 hours then its safety function is being performed. An inoperable MSIV or bypass valve may be utilized to isolate the steam line only if its leak tightness has not been compromised.

Feedwater Isolation B 3.7.2 NuScale B 3.7.2-1 Draft Revision 3.0 B 3.7 PLANT SYSTEMS

B 3.7.2 Feedwater Isolation

BASES BACKGROUND Each Feedwater line has one safety-related feedwater isolation valve (FWIV) to isolate feedwater flow when required to support decay heat removal system (DHRS) operation or the containment system (CNTS).

The safety-related FWIVs are located outside of and close to containment. Each feedwater line includes a non-safety related feedwater regulating valve (FWRV) located upstream of the removable pipe spool between the module and the balance of the feedwater system. A description of the safety-related FWIVs is found in FSAR Section 6.2 (Ref. 1). A description of the non-safety related FWRVs is found in FSAR Section 10.4 (Ref. 2).

The safety related FWIVs and non-safety related FWRV are closed on Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or and Containment Isolation System actuations as described in Specification 3.3.1. Each FWIV and FWRV closes on loss of power.

Closing of the FWIVs and FWRVs isolates each Steam Generator (SG) from the other SG and isolates the feedwater flows to the SGs from the balance of plant.

The FWIV and FWRV isolate the feedwater flow from the secondary side of the associated SG following a high energy line break and preserve RCS inventory in the event of a steam generator tube failure (SGTF). The FWIVs and FWRVs form part of the boundary of the safety-related DHRS closed loop, as described in FSAR Section 5.4 (Ref. 3) and applicable requirements in Specification 3.5.2.

APPLICABLE SAFETY ANALYSES The FWIVs and FWRVs close to isolate the SGs from the balance of plant feedwater system. Isolation limits postulated releases of radioactive material from the SG in the event of a SG tube failure and terminates flow to the SGs in postulated feedwater line breaks inside and outside containment (Ref. 4). This minimizes radiological contamination of the secondary plant systems and components, and minimizes any associated potential for activity releases to the environment and preserves safety RCS inventory levels.

The isolation of the feedwater lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of the unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss of coolant accident (non-LOCA) design basis events when normal secondary side cooling is unavailable or otherwise not utilized. The DHRS