ML19105B292

LLC - Submittal of Changes to Final Safety Analysis Report Related to the Decay Heat Removal System and Emergency Core Cooling System Actuation Logic
ML19105B292
Person / Time
Site: NuScale
Issue date: 04/15/2019
From: Rad Z
NuScale
To:
Document Control Desk, Office of New Reactors
References
LO-0419-65170

LO-0419-65170

April 15, 2019

Docket No. 52-048

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report Related to the Decay Heat Removal System and Emergency Core Cooling System Actuation Logic

REFERENCES:

Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, Revision 2, dated October 30, 2018 (ML18311A006)

During a public teleconference with members of the NRC staff on February 19, 2019, NuScale Power, LLC (NuScale) discussed updates to the Final Safety Analysis Report (FSAR) related to the decay heat removal system and emergency core cooling system actuation logic. The changes affect FSAR Tier 1 Section 2.5, Module Protection System and Safety Display and Indication System; Tier 2 Chapter 7, Instrumentation and Controls; Chapter 10, Steam and Power Conversion System; Chapter 16, Technical Specifications; and Tier 2 Part 4, Technical Specifications. The Enclosure to this letter provides a markup of the FSAR pages incorporating revisions to these chapters, in redline/strikeout format. NuScale will include this change as part of a future revision to the NuScale Design Certification Application.

This letter makes no regulatory commitments or revisions to any existing regulatory commitments.

If you have any questions, please feel free to contact Carrie Fosaaen at 541-452-7126 or at cfosaaen@nuscalepower.com.

Sincerely,

Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Samuel Lee, NRC, OWFN-8H12
Gregory Cranston, NRC, OWFN-8H12
Omid Tabatabai, NRC, OWFN-8H12
Getachew Tesfaye, NRC, OWFN-8H12
Cayetano Santos, NRC, OWFN-8H12

NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com


Enclosure:

Changes to NuScale Final Safety Analysis Report Tier 1 Section 2.5, Module Protection System and Safety Display and Indication System, Tier 2 Chapter 7, Instrumentation and Controls, Chapter 10, Steam and Power Conversion System, Chapter 16, Technical Specifications, and Tier 2 Part 4, Technical Specifications


NuScale Tier 1 Module Protection System and Safety Display and Indication System feedwater CIVs

  • The MPS supports the CNTS by removing electrical power to the trip solenoids of the following valves on a secondary system isolation actuation signal:
      • main steam CIVs
      • main steam bypass valves
      • feedwater CIVs
  • The MPS supports the ECCS by removing electrical power to the trip solenoids of the following valves on an ECCS actuation signal:
      • reactor vent valves
      • reactor recirculation valves
  • The MPS supports the CNTS by removing electrical power to the trip solenoids of the following CIVs on a chemical and volume control isolation actuation signal:
      • RCS injection CIVs
      • RCS discharge CIVs
      • Pressurizer spray CIVs
      • RPV high point degasification CIVs
  • The MPS supports the chemical and volume control system (CVCS) by removing electrical power to the trip solenoids of the demineralized water system supply isolation valves on a demineralized water system isolation actuation signal.
  • The MPS supports the ECCS by removing electrical power to the trip solenoids of the reactor vent valves on a low temperature overpressure protection actuation signal.
  • The MPS supports the low voltage AC electrical distribution system (ELVS) by removing electrical power to the pressurizer heaters on a pressurizer heater trip actuation signal.
  • The MPS supports the following systems by providing power to sensors for reactor trip and ESFAS actuation:
      • CNTS
      • RCS
      • DHRS (main steam system pressure sensors)

The MPS performs the following nonsafety-related system function that is verified by ITAAC.

  • The MPS supports the following systems by providing power to sensors for post-accident monitoring (PAM) Type B and Type C variables:
      • CNTS
      • RCS

Tier 1 2.5-2 Draft Revision 3

Table 2.5-1: Module Protection System Automatic Reactor Trip Functions

Parameter | Input Variable | Interlock/Permissive
High source range count rate | Source range count rate | N-1 permissive
High source range log power rate | Source range log power | N-1 permissive
High intermediate range log power rate | Intermediate range log power | N-2L interlock
High-1 power range linear power | Power range linear power | N-2L permissive
High-2 power range linear power | Power range linear power | None
High power range positive rate | Power range rate (calculated from power range power) | N-2H interlock
High power range negative rate | Power range rate (calculated from power range power) | N-2H interlock
High narrow range containment pressure | Narrow range containment pressure | None
High narrow range RCS hot temperature | Narrow range RCS hot temperature (NR RCS Thot) | L-1None
High pressurizer level | Pressurizer level | None
High pressurizer pressure | Pressurizer pressure | None
High main steam pressure Steam Generator (SG) 1 | Main steam pressure (DHRS inlet pressure) | None
High main steam pressure SG 2 | Main steam pressure (DHRS inlet pressure) | None
High main steam superheat SG 1 | Main steam pressure (DHRS inlet pressure); Main steam temperature (DHRS inlet temperature) | None
High steam superheat SG 2 | Main steam pressure (DHRS inlet pressure); Main steam temperature (DHRS inlet temperature) | None
Low AC voltage to battery chargers | ELVS voltage | None
Low low RCS flow | RCS flow | None
Low pressurizer level | Pressurizer level | None
Low pressurizer pressure | Pressurizer pressure | T-4 interlock
Low low pressurizer pressure | Pressurizer pressure | None
Low main steam pressure SG 1 | Main steam pressure (DHRS inlet pressure) | N-2H interlock
Low main steam pressure SG 2 | Main steam pressure (DHRS inlet pressure) | N-2H
Low low main steam pressure SG 1 | Main steam pressure (DHRS inlet pressure) | None
Low low main steam pressure SG 2 | Main steam pressure (DHRS inlet pressure) | None
Low main steam superheat SG 1 | Main steam pressure (DHRS inlet pressure); Main steam temperature (DHRS inlet temperature) | NoneV-1 interlock N-2H interlock
Low steam superheat SG 2 | Main steam pressure (DHRS inlet pressure); Main steam temperature (DHRS inlet temperature) | None
High under-the-bioshield temperature | Under-the-bioshield temperature | None

NuScale Tier 1 Module Protection System and Safety Display and Indication System Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions Engineered Safety Feature Protective Input Variable Interlock/Permissive Function ESFAS - ECCS actuation High containment water level Containment water level T-3 interlock L-2 interlock Low RPV riser level RPV riser level None Low ELVS voltage 24-hour ELVS voltage None timer ESFAS - DHRS actuation High narrow range Narrow range containment T-3 containment pressure pressure L-1 High narrow range RCS hot Narrow range RCS hot L-1None temperature temperature (NR RCS Thot)

High pressurizer pressure Pressurizer pressure L-1None High main steam pressure SG Main steam pressure (DHRS L-1None 1 inlet pressure)

High main steam pressure SG Main steam pressure (DHRS L-1 2 inlet pressure)

High steam superheat SG 1 Main steam pressure (DHRS L-1 inlet pressure)

Main steam temperature (DHRS inlet temperature)

High steam superheat SG 2 Main steam pressure (DHRS L-1 inlet pressure)

Main steam temperature (DHRS inlet temperature)

Low AC Vvoltage to battery ELVS voltage None chargers Low low pressurizer level Pressurizer level T-2 L-1 Low pressurizer pressure Pressurizer pressure T-4 L-1 Low low pressurizer pressure Pressurizer pressure T-3 L-1 Low main steam pressure SG Main steam pressure (DHRS N-2H 1 inlet pressure)

Low main steam pressure SG Main steam pressure (DHRS N-2H 2 inlet pressure)

Low low main steam pressure Main steam pressure (DHRS L-1 SG 1 inlet pressure)

Low low main steam pressure Main steam pressure (DHRS L-1 SG 2 inlet pressure)

Low steam superheat SG 1 Main steam pressure (DHRS L-1 inlet pressure)

Main steam temperature (DHRS inlet temperature)

Low steam superheat SG 2 Main steam pressure (DHRS L-1 inlet pressure)

Main steam temperature (DHRS inlet temperature)

High under-the-bioshield Under-the-bioshield None temperature temperature Tier 1 2.5-7 Draft Revision 3

NuScale Tier 1 Module Protection System and Safety Display and Indication System Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions (Continued)

Engineered Safety Feature Protective Input Variable Interlock/Permissive Function ESFAS - Secondary System High pressurizer pressure Pressurizer pressure None Isolation High narrow range RCS hot Narrow range RCS hot None temperature temperature (NR RCS Thot)

Low main steam pressure Main steam pressure N-2H interlock Low low main steam pressure Main steam pressure L-1 interlock High main steam pressure Main steam pressure None Low main steam superheat Main steam pressure (DHRS L-1 interlock inlet pressure) V-1 interlock Main steam temperature N-2H interlock (DHRS inlet temperature)

High main steam superheat Main steam pressure (DHRS None inlet pressure)

Main steam temperature (DHRS inlet temperature)

High narrow range Narrow range containment T-3 interlock containment pressure pressure L-1 interlock Low low pressurizer pressure Pressurizer pressure T-5 interlock RT-1 interlock Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock Low AC voltage to battery ELVS voltage None chargers High under-the-bioshield Under-the-bioshield None temperature temperature ESFAS - containment system High narrow range Narrow range containment T-3 interlock isolation containment pressure pressure Low AC voltage toELVS ELVS bus voltage None 480VAC to EDSS battery chargers Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock High under-the-bioshield Under-the-bioshield None temperature temperature ESFAS - demineralized water High subcritical Source range count rate N-1 interlock system isolation multiplication Low RCS flow RCS flow None Automatic reactor trip N/A N/AT-5 interlock RT-1 interlock Manual reactor trip N/A N/A Tier 1 2.5-8 Draft Revision 3

NuScale Tier 1 Module Protection System and Safety Display and Indication System Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions (Continued)

Engineered Safety Feature Protective Input Variable Interlock/Permissive Function ESFAS - chemical and volume High narrow range Narrow range containment T-3 interlock control system isolation containment pressure pressure High pressurizer level Pressurizer level None Low low pressurizer level Pressurizer level T-2 interlock L-1 interlock Low pressurizer pressure Pressurizer pressure T-4 Low low pressurizer pressure Pressurizer pressure T-3T-5 interlock RT-1 interlock Low low RCS flow RCS flow F-1 interlock RT-1 interlock Low AC voltage to battery ELVS voltage None chargers High under-the-bioshield Under-the-bioshield None temperature temperature ESFAS - pressurizer heater trip Low pressurizer level Pressurizer level None High pressurizer pressure Pressurizer pressure None High narrow range RCS hot Narrow range RCS hot None temperature temperature (NR RCS Thot)

Low AC voltage to battery ELVS voltage None chargers Automatic DHRS N/AMain steam pressure N/ANone actuationHigh main steam (DHRS inlet pressure) pressure Manual DHRS actuation N/A N/A Automatic containment N/A N/A isolation Manual containment isolation N/A N/A Low temperature overpressure Low temperature interlock Wide range RCS cold T-1 interlock protection actuation with high pressure temperature (WR RCS Tcold)

Wide range RCS pressure Tier 1 2.5-9 Draft Revision 3

NuScale Tier 1 Module Protection System and Safety Display and Indication System Table 2.5-3: Module Protection System Manual Switches Reactor trip Neutron flux trip bypassOperating bypass ECCSEmergency core cooling system actuation Containment system isolation actuation DHRSDecay heat removal system actuation Secondary system isolation actuation CVCSChemical and volume control system isolation actuation Demineralized water system isolation actuation Pressurizer heater breaker trip Low temperature overpressure protection actuation ESFAS actuation isolationMain control room isolation CNTS isolation oOverride Enable nonsafety control Tier 1 2.5-10 Draft Revision 3

Table 2.5-4: Module Protection System Interlocks/Permissives/Overrides

Interlock/Permissive/Override
F-1 | RCS flow interlock
L-1 | Containment water level interlock
L-2 | Pressurizer level interlock
N-1 | Intermediate range log power interlock/permissive
N-2H | Power range linear power interlock
N-2L | Power range linear power interlock/permissive
O-1 | CNTS isolation override
RT-1 | Reactor tripped interlock
T-1 | Wide range RCS cold temperature interlock
T-2 | Wide range RCS hot temperature interlock
T-3 | Wide range RCS hot temperature interlock
T-4 | Narrow range RCS hot temperature interlock
T-5 | Wide range RCS hot temperature interlock
V-1 | Feedwater isolation valve closed interlock

NuScale Tier 1 Module Protection System and Safety Display and Indication System Table 2.5-7: Module Protection System and Safety Display and Indication System Inspections, Tests, Analyses, and Acceptance Criteria (Continued)

No. Design Commitment Inspections, Tests, Analyses Acceptance Criteria xi. An analysis will be performed of xi. The output documentation of the the output documentation of the MPS Software Implementation Phase Software Implementation Phase. satisfies the requirements of the Software Implementation Phase.

xii. An analysis will be performed of xii. The output documentation of the the output documentation of the MPS Software Configuration Phase Software Configuration Phase. satisfies the requirements of the Software Configuration Phase.

xiii. An analysis will be performed of xiii. The output documentation of the the output documentation of the MPS Testing Phase satisfies the System Testing Phase. requirements of the System Testing Phase.

xiv. An analysis will be performed of xiv. The output documentation of the the output documentation of the MPS Installation Phase satisfies the System Installation Phase. requirements of the System Installation Phase.

2. Protective measures are provided to A test will be performed on the access Protective measures restrict modification restrict modifications to the MPS control features associated with MPS to the MPS tunable parameters without tunable parametersNot used. tunable parametersNot used. proper configuration and authorizationNot used.
3. Physical separation exists between An inspection will be performed of i. Physical separation between the redundant separation groups the MPS Class 1E as-built redundant separation groups and and divisions of the MPS Class 1E instrumentation and control current- divisions of MPS Class 1E instrumentation and control carrying circuits. instrumentation and control current-current-carrying circuits, and carrying circuits is provided by a between Class 1E instrumentation minimum separation distance, or by and control current-carrying circuits barriers (where the minimum and non-Class 1E instrumentation separation distances cannot be and control current-carrying circuits. maintained), or by a combination of separation distance and barriers.

ii. Physical separation between MPS Class 1E instrumentation and control current-carrying circuits and non-Class 1E instrumentation and control current-carrying circuits is provided by a minimum separation distance, or by barriers (where the minimum separation distances cannot be maintained), or by a combination of separation distance and barriers.

4. Electrical isolation exists between An inspection will be performed of i. Class 1E electrical isolation devices the redundant separation groups the MPS Class 1E as-built are installed between redundant and divisions of the MPS Class 1E instrumentation and control circuits. separation groups and divisions of instrumentation and control circuits, MPS Class 1E instrumentation and and between Class 1E control circuits.

instrumentation and control circuits ii. Class 1E electrical isolation devices and non-Class 1E instrumentation are installed between MPS Class 1E and control circuits to prevent the instrumentation and control circuits propagation of credible electrical and non-Class 1E instrumentation faults. and control circuits.


NuScale Final Safety Analysis Report Introduction Table 1.1-1: Acronyms and Abbreviations (Continued)

Acronym or Abbreviation | Description
SG | separation group
SG | steam generator
SG | strain gauge
SGI | safeguards information
SGS | steam generator system
SGTF | steam generator tube failure
SICS | safety information and control system
SIL | software integrity level
SLB | steam line break
SLP | site layout plan
SM | single module
SMA | seismic margin assessment
SMACNA | Sheet Metal and Air Conditioning Contractors' National Association
SME | subject matter expert
SMR | small modular reactor
SMS | seismic monitoring system
SNL | Sandia National Laboratories
SNM | special nuclear material
SOCA | security owner controlled area
SOV | solenoid-operated valve
SPAR | standardized plant analysis risk
SPND | self-powered neutron detector
SPS | security power system
SQDP | seismic qualification data package
SQRF | seismic qualification record form
SQUG | Seismic Qualification Utility Group
SR | surveillance requirement
SREC | standard radiological effluent control
SRI | Stanford Research Institute
SRM | staff requirements memorandum
SRP | Standard Review Plan
SRSS | square root of the sum of the squares
SRST | spent resin storage tank
SRV | sump recirculation valve
SRWS | solid radioactive waste system
SSA | safe shutdown analysis
SSC | structures, systems, and components
SSCIV | secondary system containment isolation valve
SSE | safe shutdown earthquake
SSI | soil-structure interaction or secondary system isolation
SSS | secondary sampling system
SSSI | structure-soil-structure interaction
SST | station service transformer
STPA | System-Theoretic Process Analysis
SUNSI | sensitive unclassified non-safeguards information
SVM | schedule and voting module
SWIS | service water intake structure
SWMS | solid waste management system
SWV | shear wave velocity
SWYD | switchyard system

NuScale Final Safety Analysis Report Instrumentation and Controls - Introduction and Overview

The NuScale power plant normal operation and power maneuvering control functions are provided by the following MCS functions for each NPM:

  • pressurizer pressure control
  • pressurizer level control

The control inputs and functions for each during normal power operation are described below.

Turbine Trip, Throttle and Governor Valve Control

The turbine trip, throttle, and governor controls rely on the following control inputs:

  • main turbine control system (MTCS) package sensors (case temperatures, drain valve position, eccentricity, speed sensing, shaft axial position, journal bearing displacement, journal bearing temperature and other sensors)
  • demand power level (main turbine generator load or reactor power) from MCS and MTCS
  • turbine inlet steam pressure
  • secondary system calorimetric input
  • target reactor power and change rate via the MCR operator workstation
  • turbine generation limit and load change rate via the MCR operator workstation

During normal power operations, the turbine governor control maintains steam header pressure as a function of reactor power demand. During load following, operator input via the MCR human-system interface establishes the turbine generation limit. The turbine bypass valves divert excess steam energy to the main condenser to limit turbine generation to the power generation target. While normal turbine generator power changes are limited to a fixed rate, the turbine generator is capable of loading/unloading by diverting steam flow to and from the turbine bypass valves.

Turbine Bypass Valve Control

The turbine bypass valve control relies on the following control inputs:

NuScale Final Safety Analysis Report Fundamental Design Principles

modules within a safety block would result in a complete spurious actuation in the opposite safety block due to the 2-out-of-4 voting performed by each safety block.

Partial spurious actuation is credible for digital-based CCF postulated in the EIMs of a safety block. To identify the extent of partial spurious actuations due to digital based CCF, the EIMs are evaluated and grouped by the protective action(s) configured on the EIM. The EIMs that only perform decay heat removal actuation are considered to be unaffected by a digital-based CCF that affects EIMs that perform decay heat removal and containment isolation. Based on this approach, seveneight possible partial spurious actuation scenarios are identified in Table 7.1-11. For scenarios 1 and 2, a D3 coping analysis was performed to demonstrate that the spurious actuations result in conditions that are bounded by the plant safety analyses, as discussed in Section 7.1.5.2.2.

Each Division of RTS has two RTBs. A partial spurious actuation of RTS within a Division does not result in a reactor trip and, thus, is not evaluated further. This is summarized in Table 7.1-12.

By crediting the diversity attributes between the two Safety Blocks, scenarios 3 and 4 do not prevent the unaffected Safety Block from initiating protective actions when plant conditions require them. While Scenario 4 would result in conflicting information in the MCR, there are other blocks available to resolve conflicting information.

Figure 7.1-8 identifies the blocks (with green outline) relied upon to automatically initiate safety-related functions when one of the safety blocks has a digital-based CCF (shown in red). Figure 7.1-9 identifies in green outline the available blocks used to resolve information discrepancy and to automatically initiate safety-related functions if a safety block had a CCF (shown in red).

Non-Class 1E Monitoring and Indication Block

Non-Class 1E Monitoring and Indication block includes controls for safety and nonsafety equipment. Because non-Class 1E Monitoring and Indication is used for normal day-to-day operations, any spurious actuation of a major control function (e.g., rod control, feedwater control) by a digital-based CCF within non-Class 1E Monitoring and Indication block is immediately identifiable and, if it exceeds operating limits, is mitigated by Safety Blocks I or II. Figure 7.1-10 identifies the assumed digital-based CCF in red and shows in green outline the available blocks and signals used to resolve information discrepancy.

The actuation priority logic can be used to allow control of safety-related components using non-Class 1E controls; however, this can only be enabled by the operator using a safety-related switch. Without this feature being enabled, the non-Class 1E signals to the actuation priority logic are ignored. Because of the limited period of time in which safety-related components are controlled by non-Class 1E controls, it is not considered credible for a digital-based CCF to occur while the enable nonsafety control input is active. The limitations on when the enable nonsafety control switch can be positioned to allow control of safety-related components from nonsafety-related controls are controlled by the plant operating procedures described in Section 13.5.2. As a result, no digital-based

Failed Low Signal

The affected variables are pressurizer level, RPV water level, and containment water level. Because protective actions are actuated when at least two-out-of-four separation groups demand a reactor trip or ESF actuation, a failed low signal results in a spurious reactor trip, containment system isolation, decay heat removal system (DHRS) actuation, chemical and volume control system (CVCS) isolation, emergency core cooling system (ECCS) actuation, and pressurizer heater trip, and secondary system isolation.

Failed low signals received by Safety Block I are transmitted to MCS, displayed in the MCR, and used for nonsafety control functions. With the spurious actuation of a reactor trip, CNTScontainment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to two correct and two incorrect sensor values has no further impact. Out of the failed low signals, pressurizer level is the only signal used for nonsafety-related controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.

Failed High Signal

The affected variables are pressurizer level, RPV water level, and containment water level. Because protective actions are actuated when at least two-out-of-four separation groups demand a reactor trip or ESF actuation, a failed high signal results in a spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation.

Failed high signals received by Safety Block I are transmitted to MCS, displayed in the MCR, and used for nonsafety control functions. With the spurious actuation of a reactor trip, and CVCS isolation, the MCS response to two correct and two incorrect sensor values has no further impact. Out of the failed high signals, pressurizer level is the only signal used for nonsafety controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.

With Sensor Block II still capable of actuating on low-level signals (e.g., containment isolation on low-low pressurizer level), capability to initiate other ESFs is not lost.

Failed As-Is

The affected variables are pressurizer level, RPV water level, and containment water level. The failed as-is condition for two of the four sensors for each affected variable does not prevent the initiation of a reactor trip or ESF actuation. Sensor Block II is still capable of identifying plant conditions requiring protective actions.

Failed as-is signals do not lead to spurious initiation of protective actions. Failed as-is signals may go unnoticed until the valid signals significantly deviate from the failed signals.


Digital-Based CCF of Pressure Measuring System Function Type

A digital-based CCF of pressure measuring system function type for Sensor Block I (Figure 7.1-12) causes

  • spurious actuations from MPS
  • incorrect information provided to SDIS
  • incorrect information provided to MCS

Failed Low Signal

The affected variables are pressurizer pressure and wide-range RCS pressure. Failed low signals in the four sensors for each affected variable can result in a spurious reactor trip, demineralized water system isolation,DHRS actuation, CVCS isolation, and pressurizer heater tripsecondary system isolation.

Failed low signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, DHRS actuationdemineralized water system isolation, and CVCS isolation, the MCS response to four incorrect sensor values has no further impact.

The automatic MCS response to a drop in pressure is to turn on the pressurizer heaters;, which is bounded by the spectrum of heatup event analyses described in Chapter 15.however, with the pressurizer heater trip, pressurizer heaters are unavailable.

Failed High Signal

The affected variables are pressurizer pressure and wide-range RCS pressure. A failed high signal affecting the four sensors for the affected variables can result in a spurious reactor trip, CNTS isolation, DHRS actuation, CVCS isolationdemineralized water system isolation, and pressurizer heater trip, and secondary system isolation.

Failed high signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, CVCS isolationcontainment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to four incorrect sensor values has no further impact. The automatic MCS response to a rise in pressure is to use pressurizer spray; however, with the isolation of the CVCSclosure of the containment isolation valves, pressurizer spray is unavailable.

Failed As-Is

The affected variables are pressurizer pressure and wide-range RCS pressure. The failed as-is condition for the four sensors of each affected variable does not result in spurious actuations; however, it can prevent initiation of protective actions if a DBE were to occur. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
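The contrast drawn above between a failure in two of four sensors (level function type) and a failure in all four sensors (pressure measuring function type) can be worked through with a small model of 2-out-of-4 coincidence voting. This is an added example, not part of the FSAR markup; the setpoints, the 0-100 percent span, the process values, and the assignment of channels 0 and 1 to the affected sensor block are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

SPAN_LOW, SPAN_HIGH = 0.0, 100.0  # constructed instrument span, percent of range

SPURIOUS = "spurious actuation"
BLOCKED = "failure to actuate on demand"
UNAFFECTED = "actuation unaffected"


class Fault(Enum):
    NONE = "healthy"
    LOW = "failed low"
    HIGH = "failed high"
    AS_IS = "failed as-is"


@dataclass(frozen=True)
class TripFunction:
    name: str
    setpoint: float   # constructed value, percent of span
    trips_high: bool  # True: demand at or above setpoint; False: at or below

    def demand(self, reading: float) -> bool:
        if self.trips_high:
            return reading >= self.setpoint
        return reading <= self.setpoint


def channel_reading(true_value: float, frozen_value: float, fault: Fault) -> float:
    """Value one separation group reports for a given fault mode."""
    if fault is Fault.LOW:
        return SPAN_LOW
    if fault is Fault.HIGH:
        return SPAN_HIGH
    if fault is Fault.AS_IS:
        return frozen_value  # stuck at the last value seen before the failure
    return true_value


def vote_2oo4(demands: list) -> bool:
    """Actuate when at least two of the four separation groups demand it."""
    if len(demands) != 4:
        raise ValueError("2-out-of-4 voting needs exactly four channels")
    return sum(bool(d) for d in demands) >= 2


def actuates(fn: TripFunction, true_value: float, frozen_value: float, faults: list) -> bool:
    readings = [channel_reading(true_value, frozen_value, f) for f in faults]
    return vote_2oo4([fn.demand(r) for r in readings])


def classify(fn: TripFunction, faults: list, normal: float, accident: float) -> str:
    """Check the voter at a normal process value, then at a value that needs a trip."""
    if actuates(fn, normal, normal, faults):
        return SPURIOUS
    if not actuates(fn, accident, normal, faults):
        return BLOCKED
    return UNAFFECTED


def ccf(fault: Fault, channels: tuple) -> list:
    """Apply one common cause fault mode to the listed channel indexes."""
    return [fault if i in channels else Fault.NONE for i in range(4)]


# Assumption: the level CCF reaches two separation groups (one sensor block);
# the pressure CCF reaches all four because both blocks use the identical function type.
ONE_BLOCK = (0, 1)
BOTH_BLOCKS = (0, 1, 2, 3)

LOW_PZR_LEVEL = TripFunction("low pressurizer level", setpoint=35.0, trips_high=False)
HIGH_PZR_PRESSURE = TripFunction("high pressurizer pressure", setpoint=80.0, trips_high=True)


def run_cases() -> dict:
    return {
        "level, 2 of 4 failed low": classify(
            LOW_PZR_LEVEL, ccf(Fault.LOW, ONE_BLOCK), normal=60.0, accident=20.0),
        "level, 2 of 4 failed as-is": classify(
            LOW_PZR_LEVEL, ccf(Fault.AS_IS, ONE_BLOCK), normal=60.0, accident=20.0),
        "pressure, 4 of 4 failed high": classify(
            HIGH_PZR_PRESSURE, ccf(Fault.HIGH, BOTH_BLOCKS), normal=50.0, accident=90.0),
        "pressure, 4 of 4 failed as-is": classify(
            HIGH_PZR_PRESSURE, ccf(Fault.AS_IS, BOTH_BLOCKS), normal=50.0, accident=90.0),
    }


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

With two healthy channels left, the voter still reaches its count of two on a real demand; with all four frozen, no channel can cross the setpoint, which is the failure-to-actuate case the text treats as a Type 3 failure.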


Digital-Based CCF of Flow Measurement Function Type

A digital-based CCF of flow measurement function type for Sensor Block I (Figure 7.1-13) causes

  • spurious actuations from MPS
  • incorrect information provided to SDIS
  • incorrect information provided to MCS

Failed Low Signal

The affected variable is RCS flow. A failed low signal for the four channels results in a spurious reactor trip, demineralized water system (DWS) isolation and CVCS isolation. There is no further impact associated with a failed low signal.

Failed High Signal

The affected variable is RCS flow. A failed high signal for the four channels does not result in spurious actuations; however, the safety blocks would be unable to identify a low RCS flow condition and the operator would have incorrect information.

Failure to identify a low RCS flow condition failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.

Failed As-Is

The affected variable is RCS flow. The failed as-is condition for the four channels does not result in spurious actuations. The failed as-is condition can prevent initiation of protective actions based on low flow conditions; however, the RCS flow sensor is not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2 and Table 7.1-18. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.

7.1.5.1.7 Guideline 7 - Use of Identical Hardware and Software Modules

The digital-based flow and pressure measuring system function type found in Sensor Block I and II are considered to be identical. The other blocks are considered to be independent such that a postulated digital-based CCF is limited to a block.

Diversity attributes within and between blocks are discussed in Section 7.1.5.1.2.

7.1.5.1.8 Guideline 8 - Effect of Other Blocks

The blocks are assumed to function correctly in response to inputs that are correct or incorrect.


7.1.5.2 Results and Conclusions

7.1.5.2.1 Vulnerabilities to Spurious Actuations resulting from Digital-Based Common Cause Failures

After applying the guidelines of NUREG/CR-6303, the following potential vulnerabilities have been identified:

1) Potential digital-based CCF within a safety block may lead to spurious initiation of a protective action, as described in Section 7.1.5.1.6:
  • containment system isolation
  • chemical and volume control system isolation
  • pressurizer heater trip
  • demineralized water system isolation
  • low temperature overpressure protection (LTOP)
  • secondary system isolation
2) Potential digital-based CCF within a safety block may lead to spurious partial initiation of protective actions (Section 7.1.5.1.6). The identified scenarios are provided in Table 7.1-11.
3) Potential digital-based CCF of level function type within Sensor Block I or II may result in one of the following (Section 7.1.5.1.6):
  • spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, ECCS actuation, demineralized water system isolation, pressurizer heater trip, and secondary system isolation
4) Potential digital-based CCF of pressure measuring system function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):
  • spurious reactor trip, DHRS actuation, CVCS isolation, demineralized water system isolation, and secondary system isolationpressurizer heater trip
  • spurious reactor trip, containment isolation, DHRS actuation, CVCS isolation, demineralized water system isolation, and secondary system isolationpressurizer heater trip
  • Type 3 failure for the digital-based pressure measuring system function type sensors

Table 7.1-3: Reactor Trip Functions

| Process Variable | Analytical Limit | Number of Channels | Logic |
|---|---|---|---|
| High Power Range Linear Power | High-1 = 25% RTP; High-2 = 120% RTP | 4 | 2/4 |
| High Intermediate Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Power Range Positive and Negative Rate | +/- 15% RTP/minute | 4 | 2/4 |
| High Source Range Count Rate | 5x10^5 cps | 4 | 2/4 |
| High Source Range Log Power Rate | 3 dpm | 4 | 2/4 |
| High Narrow Range RCS Hot Temperature (NR RCS Thot) | 610°F | 4 | 2/4 |
| High Narrow Range Containment Pressure | 9.5 psia | 4 | 2/4 |
| High Pressurizer Pressure | 2000 psia | 4 | 2/4 |
| Low Pressurizer Pressure | 1720 psia | 4 | 2/4 |
| Low Low Pressurizer Pressure | 1600 psia | 4 | 2/4 |
| High Pressurizer Level | 80% | 4 | 2/4 |
| Low Pressurizer Level | 35% | 4 | 2/4 |
| High Main Steam Pressure | 800 psia | 4 | 2/4 |
| Low Main Steam Pressure | 300 psia | 4 | 2/4 |
| Low Low Main Steam Pressure | 10020 psia | 4 | 2/4 |
| High Main Steam Superheat (MS Temperature and Pressure) | 150°F | 4 | 2/4 |
| Low Main Steam Superheat (MS Temperature and Pressure) | 0.0°F | 4 | 2/4 |
| Low Low RCS Flow | 0.0 ft3/s | 4 | 2/4 |
| Low AC Voltage to Battery Chargers | 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 1) | 4 | 2/4 |
| High Under-the-Bioshield Temperature | 250°F | 4 | 2/4 |

Note 1: Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system. The Analytical Limit is based on loss of AC power to plant busses (0 volts); the actual bus voltage used is based upon the voltage ride-thru characteristics of the EDSS battery chargers.

Table 7.1-4: Engineered Safety Feature Actuation System Functions

Columns: ESF Function; Process Variable; Analytical Limit; Number of Channels; Logic; System Automated Function

Emergency Core Cooling System (ECCS) High Containment Water Level 260 - 220264" - 300" (elevation) (Note 3) 4 2/4 Removes Electrical Power to the trip solenoids of the reactor vent valves.

Low RPV Riser Level 390- 350 (elevation) (Note 3) 4 2/4

Low ELVS voltage 24-hour Timer 24 hours 3 2/3 Removes electrical power to the trip solenoids of the reactor recirculation valves

Decay Heat Removal System (DHRS) High Pressurizer Pressure 2000 psia 4 2/4 Removes electrical power to the trip solenoids of the decay heat removal valves

High Narrow Range RCS Hot Temperature (NR RCS Thot) 610°F 4 2/4

Low Main Steam Pressure 300 psia (> 15% RTP) 4 2/4 Removes electrical power to the trip Low Low Main Steam Pressure 100 psia ( 15% RTP) 4 2/4 solenoids of the of the following valves in High Main Steam Pressure 800 psia 4 2/4 the containment, main steam, and Low Steam Superheat (MS 0.0°F 4 2/4 feedwater systems:

Temperature and Pressure)

  • main steam isolation bypass valves Temperature and Pressure)
  • feedwater isolation valves Low Low Pressurizer Pressure 1600 psia (Note 2) 4 2/4
  • feedwater regulating valves Low Low Pressurizer Level 20% 4 2/4 Low AC Voltage to Battery 80% of normal ELVS voltage 4 2/4 Chargers Actuation Delay of 60 seconds (Note 4)

High Under-the-Bioshield Temperature 250°F 4 2/4


Secondary System Isolation High Pressurizer Pressure 2000 psia 4 2/4 Removes electrical power to the trip solenoids of the following valves in the containment, main steam, and feedwater systems:

High Narrow Range RCS Hot Temperature (NR Thot) 610°F 4 2/4

Low Main Steam Pressure 300 psia (15% RTP) 4 2/4

  • feedwater isolation valves Temperature and Pressure)
  • feedwater regulating valves

High Narrow Range Containment Pressure 9.5 psia 4 2/4

Low Low Pressurizer Pressure 1600 psia (Note 2) 4 2/4

Low Low Pressurizer Level 20% 4 2/4

Low ELVS 480VAC to EDSS Battery Chargers 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) 4 2/4

High Under-the-Bioshield Temperature 250°F 4 2/4


Containment System Isolation (CSI) Signal High Narrow Range Containment Pressure 9.5 psia 4 2/4 Removes electrical power to the trip solenoids of the following valves:

  • RCS injection valves
  • RCS discharge valves
  • PZR spray valves
  • RPV high point degasification line valves
  • containment evacuation system valves
  • reactor component cooling water system supply and return valves
  • containment flooding and drain system valves

Low Low Pressurizer Level 20% 4 2/4

Low AC Voltage to Battery Chargers 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) 4 2/4

High Under-the-Bioshield 250°F 4 2/4

Demineralized Water System Isolation (DWSI) High Power Range Linear Power High-1 = 25% RTP; High-2 = 120% RTP 4 2/4 Removes electrical power to the trip solenoids of the demineralized water supply valves

High Intermediate Range Log Power Rate 3 dpm 4 2/4

High Power Range Positive and Negative Rate +/- 15% RTP/minute 4 2/4

High Source Range Count Rate 5x10^5 cps 4 2/4

High Source Range Log Power Rate 3 dpm 4 2/4

High Narrow Range RCS Hot Temperature (NR RCS Thot) 610°F 4 2/4

High Narrow Range Containment Pressure 9.5 psia 4 2/4

High Pressurizer Pressure 2000 psia 4 2/4

Low Pressurizer Pressure 1720 psia (Note 1) 4 2/4


Demineralized Water System Isolation (DWSI) (continued) Low Low Pressurizer Pressure 1600 psia (Note 2) 4 2/4

High Pressurizer Level 80% 4 2/4

Low Pressurizer Level 35% 4 2/4

High Main Steam Pressure 800 psia 4 2/4

Low Main Steam Pressure 300 psia (> 15% RTP) 4 2/4

Low Low Main Steam Pressure 10020 psia ( 15% RTP) 4 2/4

High Main Steam Superheat (MS Temperature and Pressure) 150°F 4 2/4

Low Main Steam Superheat (MS Temperature and Pressure) 0.0°F 4 2/4

Low RCS Flow 1.7 ft3/s 4 2/4

Low Low RCS Flow 0.0 ft3/s 4 2/4

Low AC Voltage to Battery Chargers 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) 4 2/4

High Under-the-Bioshield Temperature 250°F 4 2/4

High Subcritical Multiplication (SCM) 3.2 4 2/4

Chemical and Volume Control System Isolation (CVCSI) High Pressurizer Level 80% 4 2/4 Removes electrical power to the trip solenoids of the following valves:

  • RCS injection valves
  • RCS discharge valves
  • PZR spray valves
  • RCS high point degasification valves

High Narrow Range Containment Pressure 9.5 psia 4 2/4

Low Pressurizer Pressure 1720 psia (Note 1) 4 2/4

Low Low Pressurizer Pressure 1600 psia (Note 2) 4 2/4

Low Low Pressurizer Level 20% 4 2/4

Low Low RCS Flow 0.0 ft3/s 4 2/4

Low AC Voltage to Battery Chargers 80% of normal ELVS voltage; Actuation Delay of 60 seconds (Note 4) 4 2/4

High Under-the-Bioshield Temperature 250°F 4 2/4


Pressurizer Heater Trip Low Pressurizer Level 35% 4 2/4 Removes electrical power to the PZR heaters

Any DHRS Actuation - See DHRS Actuation VariablesHigh Pressurizer Pressure See DHRS Actuation Analytical Limits2000 psia 4 2/4

High Narrow Range RCS Hot Temperature (NR RCS Thot) 610°F 4 2/4

High Main Steam Pressure 800 psia 4 2/4 Low AC Voltage to Battery 80% of normal ELVS voltage 4 2/4 Chargers Actuation Delay of 60 seconds (Note 4)

Low Temperature Overpressure Low Temperature Interlock with Variable based on WR RCS cold 4 2/4 Removes electrical power to the trip Protection (LTOP) High Pressure (WR RCS cold temperature and WR RCS solenoids of the reactor vent valves temperature and WR RCS Pressure as listed in Table 5.2-10 Pressure)

Note 1: If RCS hot temperature is above 600°F.

Note 2: If RCS hot temperature is below 600°F.

Note 3: RPV riser level and containment vessel water level are presented in terms of elevation where reference zero is the bottom of the reactor pool. The ranges allow +/-1820" from the nominal ECCS level setpoint of 282370" and 240", respectively.

Note 4: Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system. The Analytical Limit is based on loss of AC power to plant busses (0 volts); the actual bus voltage used is based upon the voltage ride-thru characteristics of the EDSS battery chargers.


Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)

N-2H Interlock

Condition for Interlock/Permissive/Override: Power Range Linear Power Interlock: Interlock established when at least 3 of 4 Power Range Linear Power Channels < 15% RTP

Function: Automatically establishes an operating bypass of the following:

  • Reactor Trip on High Power Range Positive Rate
  • Reactor Trip on High Power Range Negative Rate
  • Demineralized Water System Isolation actuation on High Power Range Positive Rate
  • Demineralized Water System Isolation actuation on High Power Range Negative Rate
  • DHRSSecondary system isolation (SSI) actuation on Low Main Steam Pressure
  • Demineralized water system isolation actuation on Low Main Steam Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

V-1 Interlock

Condition for Interlock/Permissive/Override: FWIV Closed Interlock: Interlock established when one FWIV indicates closed.

Function: Automatically establishes an operating bypass of the following when N-2H is active (below 15% RTP):

  • Secondary system isolation on Low Main Superheat.

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

RT-1 Interlock

Condition for Interlock/Permissive/Override: Reactor Tripped Interlock: Interlock is established when both divisional reactor trip (RT) breakers indicate open

Function: The RT-1 Interlock is used in conjunction with the F-1, T-2 and L-1 interlocks, and the override function O-1.

T-1 Interlock

Condition for Interlock/Permissive/Override: Wide Range RCS Cold Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Cold Temperature channels > 325° F

Function: Automatically establishes an operating bypass of the following:

  • Low Temperature Overpressure Protection actuation on High WR RCS Pressure

Operating bypass is automatically removed when interlock condition is no longer satisfied.

T-2 Interlock

Condition for Interlock/Permissive/Override: Wide Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Hot Temperature channels < 200° F, AND the RT-1 interlock is active.

Function: Automatically establishes an operating bypass of the following:

  • DHRSSecondary system isolation actuation on Low Low Pressurizer Level
  • Chemical and volume control system isolation actuation on Low Low Pressurizer Level
  • Containment system isolation actuation on Low Low Pressurizer Level

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

T-3 Interlock

Condition for Interlock/Permissive/Override: Wide Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 Wide Range RCS Hot Temperature channels < 350° F

Function: Automatically establishes an operating bypass of the following:

  • ECCS actuation on High Containment Water Level
  • DHRS Secondary system isolation actuation on High Narrow Range Containment Pressure
  • Containment system isolation actuation on High Narrow Range Containment Pressure
  • Chemical and volume control system isolation actuation on High Narrow Range Containment Pressure trip
  • DHRS actuation on Low Low Pressurizer Pressure
  • CVCS Isolation actuation on Low Low Pressurizer Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

T-4 Interlock

Condition for Interlock/Permissive/Override: Narrow Range RCS Hot Temperature Interlock: Interlock established when at least 3 of 4 RCS Narrow Range RCS Hot Temperature channels <600° F

Function: Automatically establishes an operating bypass of the following:

  • CVCS Isolation actuation on Low Pressurizer Pressure
  • DHRS actuation on Low Pressurizer Pressure
  • Demineralized water system isolation of Low Pressurizer Pressure

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

T-5 Interlock

Condition for Interlock/Permissive/Override: Wide Range RCS Hot Temperature T-5 interlock: Interlock established when at least 3 of 4 channels are less than 420°F AND RT-1 is active.

Function: Automatically establishes an operating bypass of the following:

  • Secondary system isolation actuation on Low Low Pressurizer Pressure
  • Chemical and volume control system isolation actuation on Low Low Pressurizer Pressure.

L-1 Interlock

Condition for Interlock/Permissive/Override: Containment Water Level Interlock: Interlock established when at least 3 of 4 Containment Level Channels > 45 AND RT-1 is active

Function: Automatically establishes operating bypass of the following trip signals for DHRS actuation:

  • High Pressurizer Pressure
  • Low Low Pressurizer Pressure
  • Secondary system isolation actuation on Low Low Pressurizer Level
  • High Narrow Range RCS Hot Temperature
  • Secondary system isolation actuation on Low Low Main Steam Pressure
  • Secondary system isolation actuation on Low Main Steam Superheat
  • High Steam Superheat
  • Secondary system isolation actuation on High Narrow Range Containment Pressure
  • Containment system isolation actuation on Low Low Pressurizer Level
  • Chemical and volume control system isolation actuation on Low Low Pressurizer Level

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

L-2 Interlock

Condition for Interlock/Permissive/Override: Pressurizer Level Interlock, L2: Interlock established when 3 of 4 Pressurizer Level channels are greater than 20% AND T-3 interlock is active.

Function: Automatically establishes operating bypass of the ECCS actuation on high containment water level.

F-1 Interlock

Condition for Interlock/Permissive/Override: RCS Flow Interlock: Interlock established after a set time delay when at least 3 of 4 RCS Flow Channels 0.0 ft3/sec and RT-1 has been established

Function: Automatically establishes operating bypass of CVCS isolation on Low Low RCS Flow.

Operating bypasses are automatically removed when interlock condition is no longer satisfied.

O-1 Override

Condition for Interlock/Permissive/Override: Containment System Isolation Override Function: Override established when manual override switch is active and RT-1 permissive is established

Function: Override allows manual control of the CFDS, RCS injection, and pressurizer spray containment isolation valves if an automatic containment system isolation or a CVCS isolation actuation signal is present with the exception of the High Pressurizer Level CVCS isolation actuation signal.

The Override switch must be manually taken out of Override when the Override, O-1, is no longer needed.

Table 7.1-6: Design Basis Event Actuation Delays Assumed in the Plant Safety Analysis

| Signal | Sensor | Actuation Delay |
|---|---|---|
| High Power Range Linear Power | Power Range Neutron Flux | 2.0s |
| SR and IR Log Power Rate | SR & IR Neutron Flux | Variable |
| High Power Range Rate | Power Range Neutron Flux | 2.0s |
| High Source Range Count Rate | Source Range Neutron Flux | 3.0s |
| High Subcritical Multiplication | Source Range Neutron Flux | 150.0s |
| High Narrow Range RCS Hot Temperature | Riser Outlet Temperature | 8.0s |
| High Narrow Containment Pressure | Containment Pressure | 2.0s |
| High Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| High Pressurizer Level | Pressurizer Level | 3.0s |
| Low Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| Low Low Pressurizer Pressure | Pressurizer Pressure | 2.0s |
| Low Pressurizer Level | Pressurizer Level | 3.0s |
| Low Low Pressurizer Level | Pressurizer Level | 3.0s |
| Low Main Steam Pressure | Main Steam Pressure | 2.0s |
| Low Low Main Steam Pressure | Main Steam Pressure | 2.0s |
| High Main Steam Pressure | Main Steam Pressure | 2.0s |
| Low Main Steam Superheat | Main Steam Pressure & Temperature | 8.0s |
| High Main Steam Superheat | Main Steam Pressure & Temperature | 8.0s |
| Low RCS Flow | RCS Flow | 6.0s |
| Low Low RCS Flow | RCS Flow | 6.0s |
| Low RPV Riser Level | RCS Level | 3.0s |
| High Containment Water Level | Containment Level | 3.0s |
| Low AC Voltage to the Battery Chargers | AC Voltage | 60.0s |
| High Under-the-Bioshield Temperature | Under-the-Bioshield Temperature | 8.0s |

Table 7.1-9: Sensor Inputs to Module Protection System

Sensor Block I comprises columns SG A, SG C and DIV. I; Sensor Block II comprises columns SG B, SG D and DIV. II.

| Process Variable | Sensor Type | Output Signal | Safety-Related? | Type A, B, or C PAM Variable? | SG A | SG C | DIV. I | SG B | SG D | DIV. II |
|---|---|---|---|---|---|---|---|---|---|---|
| Pressurizer level (Note 1) | Digital | Analog | Y | N | X | X | - | X | X | - |
| RPV riser level (Note 1) | Digital | Analog | YN | Y | X- | X | - | X | X- | - |
| PZR pressure (Note 1) | Digital | Analog | Y | N | X | X | - | X | X | - |
| Wide-range reactor coolant system (RCS) pressure (Note 1) | Digital | Analog | Y | Y | X | X | - | X | X | - |
| Containment water level (Note 1) | Digital | Analog | Y | Y | X | X | - | X | X | - |
| Narrow-range containment pressure | Analog | Analog | Y | Y | X | X | - | X | X | - |
| Wide-range containment pressure | Digital | Analog | N | Y | - | X | - | X | - | - |
| Containment isolation valve positions (except FWIV Valve Position) | Discrete (Analog) | Discrete (Analog) | N | Y | - | - | X | - | - | X |
| Secondary MSIV position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| Secondary MSIV bypass isolation valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| Feedwater regulation valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| ECCS valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| Narrow-range RCS hot temperature | Analog | Analog | Y | N | X | X | - | X | X | - |
| Wide-range RCS hot temperature | Analog | Analog | Y | Y | X | X | - | X | X | - |
| Wide-range RCS cold temperature | Analog | Analog | Y | N | X | X | - | X | X | - |
| Core exit temperature | Analog | Analog | N | Y | - | X | - | X | - | - |
| Core inlet temperature | Analog | Analog | N | Y | - | X | - | X | - | - |
| RCS flow (Note 1) | Digital | Analog | Y | N | X | X | - | X | X | - |
| Main steam pressure (decay heat removal inlet pressure) | Analog | Analog | Y | N | X | X | - | X | X | - |
| Main steam temperature (decay heat removal inlet temperature) | Analog | Analog | Y | N | X | X | - | X | X | - |
| Power range linear power | Analog | Analog | Y | Y | X | X | - | X | X | - |
| Intermediate range log power | Analog | Analog | Y | Y | X | X | - | X | X | - |
| Source range count rate | Analog | Analog | Y | Y | X | X | - | X | X | - |
| Source/intermediate range fault | Discrete (Analog) | Discrete (Analog) | Y | N | X | X | - | X | X | - |
| Power range fault | Discrete (Analog) | Discrete (Analog) | Y | N | X | X | - | X | X | - |
| NMS Supply Fault | Discrete (Analog) | Discrete (Analog) | Y | N | X | X | - | X | X | - |
| Inside bioshield area radiation monitor | Digital | Analog | N | Y | - | X | - | X | - | - |
| FWIV positions | Discrete (Analog) | Discrete (Analog) | Y | Y | - | - | X | - | - | X |
| Reactor trip breaker position feedback | Discrete (Analog) | Discrete (Analog) | Y | N | - | - | X | - | - | X |
| Pressurizer heater breaker status | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| DHRS valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| DHRS outlet temperature | Analog | Analog | N | N | - | X | - | X | - | - |
| DHRS outlet pressure | Analog | Analog | N | N | X | X | - | X | - | - |
| Demineralized water system isolation valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | - | X | - | - | X |
| Reactor pool temperature | Analog | Analog | N | N | - | X | - | X | - | - |
| EDS voltage | Analog | Analog | N | N | - | X | - | X | - | - |
| ELVS voltage | Analog | Analog | Y | N | X | X | - | X | X | - |
| Reactor safety valve position | Discrete (Analog) | Discrete (Analog) | N | N | - | X | - | X | - | - |
| Under-the-bioshield temperature | Analog | Analog | Y | N | X | X | - | X | X | - |
| NMS-Flood | Analog | Analog | N | Y | - | X | - | X | - | - |
| NMS-Flood Faults | Discrete (Analog) | Discrete (Analog) | N | Y | - | X | - | X | - | - |
| Containment evacuation vacuum pump suction pressure | Analog | Analog | N | N | X | - | - | - | X | - |

Note 1: These sensors are digital-based and perform safety-related functions.

Table 7.1-11: Partial Spurious Actuation Scenarios for Engineered Safety Features Actuation System within Safety Block I

| Scenario | Protective Action(s) on EIM | Components Actuated |
|---|---|---|
| 1 | Containment isolation, DHRS, and Secondary System Isolation and DHRS | DHRS actuation valves; MSIVs; MS isolation bypass valves; Feedwater isolation valves; Secondary MSIVs; Secondary MSIV bypass valves; Feedwater regulating valves |
| 2 | ECCS | ECCS reactor recirculation valve (Note 1) |
| 3 | ECCS and LTOP | ECCS reactor vent valves (Note 1) |
| 4 | Containment isolation | Containment evacuation CIV; Containment flood & drain CIV; Reactor component cooling water CIVs |
| 5 | CVCS isolation and containment isolation | CVCS containment isolation valves |
| 6 | DWS isolation and loss of AC power | DWS isolation valve |
| 7 | PZR heater trip | PZR heater breakers |
| 8 | DHRS | DHRS Actuation Valves |

Note 1: The ECCS valves include an inadvertent actuation block (IAB) described in Section 7.2.5.2 that is designed to prevent the spurious opening of the ECCS valves at normal operating pressures. The spurious opening of the ECCS valves below the IAB setpoint is bounded by the plant safety analysis described in Chapter 15.

Table 7.1-13: Effects of Digital-Based Common Cause Failure of Level Function Type on Sensor Block I

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | Digital-based CCF | OK |
| Digital-based level measurement | RPV water level | Digital-based CCF | OK |
| Digital-based level measurement | Containment water level | Digital-based CCF | OK |
| Digital-based pressure measurement | PZR pressure | OK | OK |
| Digital-based pressure measurement | Wide-range RCS pressure | OK | OK |
| Digital-based flow measurement | RCS flow | OK | OK |

Table 7.1-14: Effects of Digital-Based Common Cause Failure of Digital-Based Pressure Measuring System Function Type on Sensor Block I and II

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | OK | OK |
| Digital-based level measurement | RPV water level | OK | OK |
| Digital-based level measurement | Containment water level | OK | OK |
| Digital-based pressure measurement | PZR pressure | Digital-based CCF | Digital-based CCF |
| Digital-based pressure measurement | Wide-range RCS pressure | Digital-based CCF | Digital-based CCF |
| Digital-based flow measurement | RCS flow | OK | OK |

Table 7.1-15: Effects of Digital-Based Common Cause Failure of Digital-Based Flow Function Type on Sensor Block I and II

| Function Type | Process Variable | Sensor Block I | Sensor Block II |
|---|---|---|---|
| Digital-based level measurement | PZR level | OK | OK |
| Digital-based level measurement | RPV water level | OK | OK |
| Digital-based level measurement | Containment water level | OK | OK |
| Digital-based pressure measurement | PZR pressure | OK | OK |
| Digital-based pressure measurement | Wide-range RCS pressure | OK | OK |
| Digital-based flow measurement | RCS flow | Digital-based CCF | Digital-based CCF |

Table 7.1-16: Safety-Related Digital Sensors Used by Safety Block I and II

| Input Signal | Sensor Technology | Function |
|---|---|---|
| Containment water level | Digital-based level | Accident monitoring; initiate protective action(s) |
| RPV water / PZR water level | Digital-based level | Accident monitoring; initiate protective action(s) |
| Wide-range RCS pressure | Digital-based pressure | Accident monitoring; initiate protective action(s) |
| PZR pressure | Digital-based pressure | Initiate protective action(s) |
| RCS flow | Digital-based flow | Initiate protective action(s) |

Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences and Postulated Accidents (Continued)

Category 3 Events

For the events listed in this section, the digital-based sensor subject to a CCF is credited in both the deterministic analyses described in Chapter 15 and the best-estimate D3 coping analyses; however, multiple, diverse sensors that do not use digital-based technology provide the required protection; therefore, sufficient sensor diversity exists to provide the required safety function. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.

| Design Basis Event | Signals Credited in Plant Safety Analysis Described in Chapter 15 | Signals Credited in D3 Best-Estimate Coping Analysis | Comments |
|---|---|---|---|
| Loss of Condenser Vacuum | high main steam pressure; high main steam superheat; high PZR pressure (digital-based) | high main steam pressure; high steam superheat; high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss of Nonemergency AC Power to the Station Auxiliaries | high main steam pressure; high main steam superheat; high PZR pressure (digital-based) | high main steam pressure; high steam superheat; high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss of Normal Feedwater Flow | high PZR pressure (digital-based); high RCS hot temperature; high main steam superheat | high PZR pressure (digital-based); high RCS hot temperature; high steam superheat | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| System Malfunction that Increases Reactor Coolant Inventory | high PZR level (note 1); high PZR pressure (digital-based) | high PZR level (note 1); high PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Feedwater System Pipe Breaks Outside of Containment | high PZR pressure (digital-based); high RCS hot temperature; high main steam superheat | high PZR pressure (digital-based); high RCS hot temperature; high steam superheat | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Steam Generator Tube Failure | low PZR level (digital-based, see note 1); low PZR pressure (digital-based) | low PZR level (digital-based, see note 1); low PZR pressure (digital-based) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |
| Loss-of-Coolant Accidents from a Spectrum of Postulated Piping Breaks inside CNV | high CNV pressure; low RPV water level (see note 1) | high CNV pressure; low RPV water level (see note 1) | Sensor diversity ensures performance of required safety function is satisfied. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional. |

Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences Tier 2 NuScale Final Safety Analysis Report and Postulated Accidents (Continued)

Design Basis Event Signals Credited in Plant Safety Signals Credited in D3 Best- Comments Analysis Described in Chapter 15 Estimate Coping Analysis Category 4 Events For the design basis events listed below, while the deterministic plant safety analyses described in Chapter 15 credit the function provided by the digital-based sensors that are subject to a CCF; however, the evaluation of the plant response for these events using best-estimate analysis methods determined that the plant response does not progress to the point where the digital-based sensor is relied upon to provide required protection. In these events, other sensors that do not use digital-based technology and are not subject to a digital-based CCF provide the required safety function and the FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function (note 2).

Control Rod Misoperation high power range linear power high high power range linear power high Diverse sensors not subject to a digital-based CCF provide RCS hot temperature RCS hot temperature required protection. FPGA technology diversity within the MPS high PZR pressure (digital-based) high power range negative rate limits digital-based CCF impact to one of two divisions - the (control rod drop) other division remains fully functional.

high power range negative rate (control rod drop)

Inadvertent Operation of high CNV pressure high CNV pressure Diverse sensors not subject to a digital-based CCF provide Emergency Core Cooling System low RPV water level (note 1) low RPV water level (note 1) required protection. FPGA technology diversity within the MPS (ECCS) limits digital-based CCF impact to one of two divisions - the 7.1-94 other division remains fully functional.

Failure of Small Lines Carrying low PZR level (see note 1) low PZR level (see note 1) Diverse sensors not subject to a digital-based CCF provide Primary Coolant Outside low PZR pressure (digital-based) required protection. FPGA technology diversity within the MPS Containment limits digital-based CCF impact to one of two divisions - the other division remains fully functional.

Instability Events high RCS hot temperature high RCS hot temperature Diverse sensors not subject to a digital-based CCF provide low pressurizer level (note 1) low pressurizer level (note 1) required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the low PZR pressure (digital-based) other division remains fully functional.

Note 1: The digital-based level measurement function incorporates equipment diversity between sensor blocks I and II such that a postulated CCF of the digital-based level measurement function is limited to one sensor block only. Since the other sensor block remains functional, sufficient diversity exists for those functions that rely on the digital-based level measurement function, see Section 7.1.5.1.2.

Note 2: The design basis for the digital-based RCS flow sensors in the plant safety analysis described in Section 15.4.6 is to ensure minimum RCS flow rates exist during dilution events to ensure proper mixing within the RCS; therefore, the RCS flow sensors are not included in Table 7.1-18 as they are not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2. The plant safety analysis credits the high subcritical multiplication protective function for detection and mitigation of an uncontrolled RCS dilution. Best-estimate analysis of this event concludes the event is non-limiting and does not rely on the digital-based RCS flow sensor to function. The consequences of RCS flow stagnation or reversal during low power conditions are addressed in NuScale Power, LLC topical report, Non-Loss-of-Coolant Accident Analysis Methodology, TR-0516-49416. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.

NuScale Final Safety Analysis Report Fundamental Design Principles

Figure 7.1-1c: Power Range High-2 Power Trip and N-2 Interlocks, Low and Low Low RCS Flow Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: LOW LOW RCS FLOW; HIGH-2 POWER RANGE LINEAR POWER; POWER RANGE LINEAR POWER N-2H INTERLOCK; POWER RANGE LINEAR POWER N-2L PERMISSIVE/INTERLOCK; LOW RCS FLOW.

Outputs shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; RTS N-2H INTERLOCK; ESFAS N-2H INTERLOCK; RTS N-2L PERMISSIVE/INTERLOCK; ESFAS N-2L PERMISSIVE/INTERLOCK.

Interlock inputs shown: ESFAS REACTOR TRIPPED INTERLOCK RT-1; ESFAS F-1.

RTS/ESFAS PR LINEAR POWER N-2H INTERLOCK STATUS
ACTIVE: 3oo4 PR INPUTS < N-2H SETPOINT
NOT ACTIVE: 2oo4 PR INPUTS N-2H SETPOINT

RTS/ESFAS PR LINEAR POWER N-2L PERMISSIVE/INTERLOCK STATUS
ACTIVE: 3oo4 PR INPUTS > N-2L SETPOINT
NOT ACTIVE: 2oo4 PR INPUTS N-2L SETPOINT

ESFAS F-1 CHEMICAL & VOLUME CONTROL SYSTEM ISOLATION
< F-1: AUTOMATIC BYPASS
F-1: AUTOMATICALLY ENABLED

ESFAS F-1 LOW LOW RCS FLOW CVCSI ACTUATION INTERLOCK STATUS
ACTIVE: 3oo4 RCS FLOW INPUTS < LOW LOW SETPOINT FOR MORE THAN TD, AND RT-1 ACTIVE
NOT ACTIVE: 2oo4 RCS FLOW INPUTS > LOW LOW SETPOINT FOR MORE THAN TD, OR 3oo4 RCS FLOW INPUTS < LOW LOW SETPOINT FOR LESS THAN TD, OR RT-1 NOT ACTIVE

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Tier 2 7.1-112 Draft Revision 3

Figure 7.1-1d: Power Range and Intermediate Range Rate Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: HIGH POWER RANGE POSITIVE RATE; HIGH POWER RANGE NEGATIVE RATE; HIGH INTERMEDIATE RANGE LOG POWER RATE; HIGH SUBCRITICAL MULTIPLICATION.

Inputs and calculations shown: POWER RANGE NEUTRON FLUX RATE (TYPICAL NEUTRON FLUX RATE CALCULATION, positive and negative); SOURCE RANGE COUNT RATE MULTIPLICATION RATE (TYPICAL NEUTRON MULTIPLICATION RATE CALCULATION).

Outputs shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION.

Interlocks shown: RTS N-2H; ESFAS N-2H; RTS N-2L; ESFAS N-2L; ESFAS N-1.

RTS/ESFAS HIGH PR POSITIVE RATE TRIP STATUS (N-2H)
N-2H SETPOINT: AUTOMATICALLY ENABLED
< N-2H SETPOINT: AUTOMATIC BYPASS

RTS/ESFAS HIGH PR NEGATIVE RATE TRIP STATUS (N-2H)
N-2H SETPOINT: AUTOMATICALLY ENABLED
< N-2H SETPOINT: AUTOMATIC BYPASS

RTS/ESFAS HIGH IR LOG POWER RATE TRIP STATUS (N-2L)
> N-2L SETPOINT: AUTOMATIC BYPASS
N-2L SETPOINT: AUTOMATICALLY ENABLED

ESFAS HIGH SUBCRITICAL MULTIPLICATION TRIP STATUS (N-1)
> N-1 SETPOINT: AUTOMATIC BYPASS
N-1 SETPOINT: AUTOMATICALLY ENABLED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1e: Pressurizer Pressure and Level Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: HIGH PRESSURIZER PRESSURE; LOW LOW PRESSURIZER PRESSURE; LOW PRESSURIZER PRESSURE; HIGH PRESSURIZER LEVEL; LOW PRESSURIZER LEVEL.

Outputs shown: REACTOR TRIP; DECAY HEAT REMOVAL SYSTEM ACTUATION; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; PRESSURIZER HEATER TRIP.

Interlocks shown: ESFAS T-5; RT-1; RTS T-4; ESFAS T-4.

ESFAS LOW LOW PRESSURIZER PRESSURE CVCSI AND SSI TRIP STATUS (T-5 AND RT-1)
< T-5 AND RT-1: AUTOMATIC BYPASS
T-5 OR NO RT-1: AUTOMATICALLY ENABLED

RTS/ESFAS LOW PRESSURIZER PRESSURE TRIP STATUS (T-4)
< T-4 SETPOINT: AUTOMATIC BYPASS
T-4 SETPOINT: AUTOMATICALLY ENABLED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1f: Reactor Coolant System Hot Temperature Trip, Temperature Interlocks

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: HIGH NARROW RANGE RCS HOT TEMPERATURE; T-2 (WR RCS HOT TEMPERATURE); T-3 (WR RCS HOT TEMPERATURE); T-4 (NR RCS HOT TEMPERATURE); T-5 (WR RCS HOT TEMPERATURE); HIGH UNDER-THE-BIOSHIELD TEMPERATURE.

Inputs and calculations shown: RCS THOT 1, RCS THOT 2, RCS THOT 3 TEMPERATURE; TYPICAL RCS THOT AVERAGE CALCULATION (AVG, Thavg); ESFAS REACTOR TRIPPED INTERLOCK RT-1.

Outputs shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION; CONTAINMENT SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; SECONDARY SYSTEM ISOLATION; DECAY HEAT REMOVAL SYSTEM ACTUATION; PRESSURIZER HEATER TRIP; ESFAS T-2 INTERLOCK; ESFAS T-3 INTERLOCK; RTS T-4 INTERLOCK; ESFAS T-4 INTERLOCK; ESFAS T-5 INTERLOCK.

ESFAS WR RCS HOT TEMPERATURE T-2 INTERLOCK STATUS
ACTIVE: 3oo4 THOT INPUTS < T-2 SETPOINT
NOT ACTIVE: 2oo4 THOT INPUTS T-2 SETPOINT

ESFAS WR RCS HOT TEMPERATURE T-3 INTERLOCK STATUS
ACTIVE: 3oo4 THOT INPUTS < T-3 SETPOINT
NOT ACTIVE: 2oo4 THOT INPUTS T-3 SETPOINT

ESFAS NR RCS HOT TEMPERATURE T-4 INTERLOCK STATUS
ACTIVE: 3oo4 THOT INPUTS < T-4 SETPOINT
NOT ACTIVE: 2oo4 THOT INPUTS T-4 SETPOINT

ESFAS WR RCS HOT TEMPERATURE T-5 INTERLOCK STATUS
ACTIVE: 3oo4 THOT INPUTS < T-5 SETPOINT AND REACTOR TRIPPED
NOT ACTIVE: 2oo4 THOT INPUTS T-5 SETPOINT OR REACTOR NOT TRIPPED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1g: Reactor Coolant System Low RPV Riser LevelPressurizer Level Interlock and Trip, High Containment Pressure, and High Containment Level Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: L-1 CONTAINMENT WATER LEVEL INTERLOCK; L-2 PRESSURIZER LEVEL INTERLOCK; LOW LOW PRESSURIZER LEVEL; HIGH NARROW RANGE CONTAINMENT PRESSURE; HIGH CONTAINMENT WATER LEVEL.

Outputs shown: REACTOR TRIP; EMERGENCY CORE COOLING SYSTEM ACTUATION; CONTAINMENT SYSTEM ISOLATION; CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION; RTS L-1 PERMISSIVE/INTERLOCK; L-1 INTERLOCK; L-2 INTERLOCK.

Interlock inputs shown: ESFAS L-1; ESFAS L-2; ESFAS T-2; ESFAS T-3; ESFAS RT-1 (REACTOR TRIPPED INTERLOCK RT-1).

Status legends shown: ESFAS LOW LOW PRESSURIZER LEVEL TRIP STATUS; ESFAS HIGH CONTAINMENT PRESSURE TRIP STATUS; HIGH CONTAINMENT WATER LEVEL TRIP STATUS; RTS L-1 AND ESFAS L-1 CONTAINMENT WATER LEVEL INTERLOCK STATUS; ESFAS L-2 PRESSURIZER LEVEL INTERLOCK STATUS.

Legend entries, in the order extracted: > L-1 SETPOINT AUTOMATIC BYPASS; L-1 SETPOINT AUTOMATICALLY ENABLED; < T-3 AND > L-2 AUTOMATIC BYPASS; T-3 OR L-2 AUTOMATICALLY ENABLED; ACTIVE 3oo4 LEVEL INPUTS > L-1 SETPOINT AND REACTOR TRIPPED; NOT ACTIVE 2oo4 THOT INPUTS L-1 SETPOINT OR REACTOR NOT TRIPPED; ACTIVE 3oo4 LEVEL INPUTS > L-2 SETPOINT; NOT ACTIVE 2oo4 THOT INPUTS L-2 SETPOINT; < T-2 SETPOINT AUTOMATIC BYPASS; T-2 SETPOINT AUTOMATICALLY ENABLED; < T-3 SETPOINT AUTOMATIC BYPASS; T-3 SETPOINT AUTOMATICALLY ENABLED.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1h: Steam Generator Low and Low Low Main Steam Pressure Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW MAIN STEAM PRESSURE STEAM GENERATOR 2; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 2.

Outputs shown: REACTOR TRIP; SECONDARY SYSTEM ISOLATION; DEMINERALIZED WATER SYSTEM ISOLATION.

Interlocks shown: RTS N-2H; ESFAS N-2H; ESFAS L-1.

RTS/ESFAS LOW MAIN STEAM PRESSURE SG 1 TRIP STATUS (N-2H)
N-2H SETPOINT: AUTOMATICALLY ENABLED
< N-2H SETPOINT: AUTOMATIC BYPASS

RTS/ESFAS LOW MAIN STEAM PRESSURE SG 2 TRIP STATUS (N-2H)
N-2H SETPOINT: AUTOMATICALLY ENABLED
< N-2H SETPOINT: AUTOMATIC BYPASS

ESFAS LOW LOW MAIN STEAM PRESSURE SG 1 TRIP STATUS (L-1)
> L-1 SETPOINT: AUTOMATIC BYPASS
L-1 SETPOINT: AUTOMATICALLY ENABLED

ESFAS LOW LOW MAIN STEAM PRESSURE SG 2 TRIP STATUS (L-1)
> L-1 SETPOINT: AUTOMATIC BYPASS
L-1 SETPOINT: AUTOMATICALLY ENABLED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1i: High Main Steam Pressure and Steam Generator Low and High Steam Superheat Trips

[Logic diagram: channels A-D per function, 2/4 coincidence, RTS and ESFAS Division I outputs.]

Functions shown: HIGH MAIN STEAM PRESSURE STEAM GENERATOR 1; HIGH MAIN STEAM PRESSURE STEAM GENERATOR 2; LOW MAIN STEAM SUPERHEAT STEAM GENERATOR 1; LOW MAIN STEAM SUPERHEAT STEAM GENERATOR 2; HIGH MAIN STEAM SUPERHEAT STEAM GENERATOR 1; HIGH MAIN STEAM SUPERHEAT STEAM GENERATOR 2.

Inputs and calculations shown: MAIN STEAM TEMPERATURE; MAIN STEAM PRESSURE; TYPICAL STEAM SUPER HEAT CALCULATION (f(x), TSAT, TSH).

Outputs shown: REACTOR TRIP; DEMINERALIZED WATER SYSTEM ISOLATION; SECONDARY SYSTEM ISOLATION; DECAY HEAT REMOVAL SYSTEM ACTUATION; PRESSURIZER HEATER TRIP.

Interlocks shown: ESFAS L-1; V-1; RTS N-2H; ESFAS N-2H; RTS L-1.

ESFAS LOW STEAM SUPERHEAT SG 1 TRIP STATUS (L-1)
> L-1 SETPOINT: AUTOMATIC BYPASS
L-1 SETPOINT: AUTOMATICALLY ENABLED

V-1 AND RTS N-2H AND ESFAS N-2H REACTOR TRIP AND SECONDARY SYSTEM ISOLATION INTERLOCK
1 OR 2 FWIV CLOSED AND < N-2H SETPOINT: AUTOMATIC BYPASS
NO FWIV CLOSED OR N-2H SETPOINT: AUTOMATICALLY ENABLED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

Figure 7.1-1j: Reactor Trip and Reactor Tripped Interlock RT-1

[Logic diagram: automatic and manual reactor trip inputs, RTS Division I output, RT-1 interlock generation, reactor trip breaker arrangement.]

Input signals listed: HIGH SOURCE RANGE COUNT RATE; HIGH SOURCE RANGE LOG POWER RATE; HIGH-1 POWER RANGE LINEAR POWER; HIGH-2 POWER RANGE LINEAR POWER; HIGH POWER RANGE POSITIVE RATE; HIGH POWER RANGE NEGATIVE RATE; HIGH INTERMEDIATE RANGE LOG POWER RATE; LOW PRESSURIZER PRESSURE; LOW LOW PRESSURIZER PRESSURE; HIGH PRESSURIZER PRESSURE; LOW PRESSURIZER LEVEL; HIGH PRESSURIZER LEVEL; HIGH NARROW RANGE RCS HOT TEMPERATURE; HIGH UNDER-THE-BIOSHIELD TEMPERATURE; LOW LOW RCS FLOW; HIGH NARROW RANGE CONTAINMENT PRESSURE; LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW MAIN STEAM PRESSURE STEAM GENERATOR 2; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 1; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 2; HIGH MAIN STEAM PRESSURE STEAM GENERATOR 1; HIGH MAIN STEAM PRESSURE STEAM GENERATOR 2; HIGH STEAM SUPERHEAT STEAM GENERATOR 1; HIGH STEAM SUPERHEAT STEAM GENERATOR 2; LOW STEAM SUPERHEAT STEAM GENERATOR 1; LOW STEAM SUPERHEAT STEAM GENERATOR 2; LOW AC VOLTAGE TO BATTERY CHARGERS.

Other elements shown: AUTOMATIC REACTOR TRIP; MANUAL REACTOR TRIP (NOTE 2), MAIN CONTROL ROOM; DIVISION I MCR ISOLATION SWITCH and DIVISION II MCR ISOLATION SWITCH (NOTE 3), REMOTE SHUTDOWN STATION; DIVISION I BREAKER OPENED; REACTOR TRIPPED; RTS RT-1 INTERLOCK; ESFAS RT-1 INTERLOCK; REACTOR TRIP BREAKER ARRANGEMENT (DIVISION I, DIVISION II, ROD DRIVE, ROD CONTROL POWER SUPPLY).

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO MOMENTARY REDUNDANT SWITCHES, ONE PER RTS DIVISION.

NOTE 3: TWO MANUAL ACTUATION ISOLATION REDUNDANT SWITCHES LOCATED IN THE REMOTE SHUTDOWN STATION, ONE PER RTS AND ESFAS DIVISION.

RAI 16-18S1

Figure 7.1-1k: ESFAS - Containment System Isolation, Chemical and Volume Control System Interlocks

[Logic diagram: automatic (A) and manual (M) actuation paths to the isolation functions, ESFAS Division I.]

Input signals listed: LOW AC VOLTAGE TO BATTERY CHARGERS; HIGH UNDER-THE-BIOSHIELD TEMPERATURE; LOW LOW PRESSURIZER LEVEL; HIGH CONTAINMENT PRESSURE; ESFAS REACTOR TRIPPED RT-1 INTERLOCK; LOW LOW PRESSURIZER PRESSURE; LOW LOW RCS FLOW; HIGH PRESSURIZER LEVEL.

Manual and override elements shown: CONTAINMENT SYSTEM ISOLATION ACTUATE HS (NOTE 2); CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION ACTUATE HS (NOTE 2); OVERRIDE O-1 HS (NOTE 5); MCR ISOLATION (NOTE 6); MANUAL CONTAINMENT SYSTEM ISOLATION (M) (NOTE 3); MANUAL ACTUATION (M) (NOTE 4).

Isolation outputs shown: CONTAINMENT EVACUATION; CONTAINMENT FLOODING AND DRAIN; REACTOR COMPONENT COOLING WATER; SECONDARY SYSTEM; PRESSURIZER SPRAY; RCS INJECTION; RCS DISCHARGE; RPV HIGH POINT DEGASIFICATION LINE.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATION INITIATES CONTAINMENT SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: MANUAL ACTUATION INITIATES CHEMICAL AND VOLUME CONTROL SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 5: OVERRIDE TO ALLOW OPERATORS TO ADD WATER VIA CFDS OR CVCS.

NOTE 6: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1l: ESFAS - Decay Heat Removal System and Secondary System Isolation Actuation, FWIV Interlock

[Logic diagram: automatic (A) and manual (M) actuation paths for DHRS actuation and secondary system isolation, ESFAS Division I.]

Input labels appearing in the figure: HIGH MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; LOW MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; HIGH STEAM SUPERHEAT STEAM GENERATOR 1 and 2; LOW STEAM SUPERHEAT STEAM GENERATOR 1 and 2; LOW AC VOLTAGE TO BATTERY CHARGERS; LOW LOW PRESSURIZER PRESSURE; LOW LOW PRESSURIZER LEVEL; HIGH PRESSURIZER PRESSURE; HIGH RCS HOT TEMPERATURE; HIGH UNDER-THE-BIOSHIELD TEMPERATURE; HIGH CONTAINMENT PRESSURE; AUTOMATIC CONTAINMENT SYSTEM ISOLATION; FEEDWATER ISOLATION VALVE 1 and VALVE 2 (OPEN, CLOSED); MANUAL CONTAINMENT SYSTEM ISOLATION; V-1 INTERLOCK.

Manual elements shown: DECAY HEAT REMOVAL SYSTEM ACTUATION ACTUATE HS (NOTE 2); SECONDARY SYSTEM ISOLATION ACTUATION ACTUATE HS (NOTE 2); MCR ISOLATION (NOTE 5); MANUAL CONTAINMENT SYSTEM ISOLATION (M) (NOTE 3); MANUAL DHRS ACTUATION (M) (NOTE 3); SECONDARY SYSTEM ISOLATION ACTUATION (M) (NOTE 3).

Automatic elements shown: AUTOMATIC DHRS ACTUATION (A); AUTOMATIC SSI ACTUATION (A).

Actuated equipment shown: FEEDWATER ISOLATION VALVES; FEEDWATER REGULATING VALVES; MAIN STEAM ISOLATION VALVES; MAIN STEAM ISOLATION BYPASS VALVES; SECONDARY MAIN STEAM ISOLATION VALVES; SECONDARY MSIV BYPASS VALVES; DHRS ACTUATION VALVES (NOTE 4); PRESSURIZER HEATER TRIP; FWIV INTERLOCK V-1.

V-1 FWIV INTERLOCK STATUS
ACTIVE: 1 OR 2 FWIV CLOSED
NOT ACTIVE: NO FWIV CLOSED

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATE INITIATES ACTUATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: DECAY HEAT REMOVAL SYSTEM ACTUATION IS DEFINED AS THE SIMULTANEOUS CLOSURE OF THE FWIV, FWRV, MSIV, SECONDARY MSIV AND THE OPENING OF THE DHRS ACTUATION VALVES FOR A GIVEN TRAIN OF DHRS.

NOTE 5: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1m: ESFAS - Demineralized Water System Isolation, Pressurizer Heater Trip

[Logic diagram: automatic (A) and manual (M) paths to demineralized water system isolation and pressurizer heater breaker trip, ESFAS Division I; pressurizer heater breaker arrangement.]

Input labels appearing in the figure: SOURCE RANGE COUNT RATE HIGH SUBCRITICAL MULTIPLICATION RATE; HIGH SOURCE RANGE COUNT RATE; HIGH SOURCE RANGE LOG POWER RATE; HIGH-1 POWER RANGE LINEAR POWER; HIGH-2 POWER RANGE LINEAR POWER; HIGH POWER RANGE POSITIVE RATE; HIGH POWER RANGE NEGATIVE RATE; HIGH INTERMEDIATE RANGE LOG POWER RATE; LOW PRESSURIZER PRESSURE; LOW LOW PRESSURIZER PRESSURE; HIGH PRESSURIZER PRESSURE; LOW PRESSURIZER LEVEL; HIGH PRESSURIZER LEVEL; HIGH NARROW RANGE RCS HOT TEMPERATURE; HIGH UNDER-THE-BIOSHIELD TEMPERATURE; HIGH NARROW RANGE CONTAINMENT PRESSURE; LOW MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; LOW LOW MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; HIGH MAIN STEAM PRESSURE STEAM GENERATOR 1 and 2; HIGH STEAM SUPERHEAT STEAM GENERATOR 1 and 2; LOW STEAM SUPERHEAT STEAM GENERATOR 1 and 2; LOW AC VOLTAGE TO BATTERY CHARGERS; LOW-LOW RCS FLOW; LOW RCS FLOW; ESFAS REACTOR TRIPPED RT-1 INTERLOCK; ESFAS T-5 INTERLOCK; AUTOMATIC DHRS ACTUATION.

Manual elements shown: DEMINERALIZED WATER SYSTEM ISOLATION ACTUATE HS (NOTE 2) (NOTE 3); PRESSURIZER HEATER BREAKER TRIP ACTUATE HS (NOTE 2) (NOTE 4); MCR ISOLATION (NOTE 5).

Outputs shown: DEMINERALIZED WATER SYSTEM ISOLATION, AUTOMATIC ACTUATION (A) and MANUAL ACTUATION (M); PRESSURIZER HEATER BREAKER TRIP, AUTOMATIC TRIP (A) and MANUAL TRIP (M).

PRESSURIZER HEATER BREAKER ARRANGEMENT: ESFAS DIVISION I; ESFAS DIVISION II; ELVS POWER; PRESSURIZER HEATER A CONTROLLERS; PRESSURIZER HEATER B CONTROLLERS.

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATION INITIATES DEMINERALIZED WATER SYSTEM ISOLATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: MANUAL ACTUATION INITIATES PRESSURIZER HEATER BREAKER TRIP AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 5: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1n: ESFAS Emergency Core Cooling System Actuation, Low Temperature Overpressure Protection Actuation

[Logic diagram: channels A-D, 2/4 coincidence, automatic (A) and manual (M) actuation paths, ESFAS Division I.]

Inputs and calculations shown: WR RCS COLD TEMPERATURE (NOTE 5); TYPICAL LTOP SETPOINT CALCULATION, f(x), LTOP SP; WR RCS PRESSURE; HIGH CONTAINMENT WATER LEVEL; T-1 (NOTE 4); MCR ISOLATION (NOTE 6).

Manual elements shown: EMERGENCY CORE COOLING SYSTEM ACTUATION ACTUATE HS (NOTE 2); LTOP ACTUATION ACTUATE HS (NOTE 2); LTOP MANUAL ACTUATION (M) (NOTE 3); ECCS MANUAL ACTUATION (M) (NOTE 3).

Automatic elements shown: LTOP AUTOMATIC ACTUATION (A); ECCS AUTOMATIC ACTUATION (A).

Actuated equipment shown: OPEN ECCS REACTOR VENT VALVE; OPEN ECCS REACTOR RECIRCULATION VALVE.

ESFAS WR RCS COLD TEMPERATURE T-1 INTERLOCK STATUS
ACTIVE: 3oo4 TCOLD INPUTS > T-1 SETPOINT
NOT ACTIVE: 2oo4 TCOLD INPUTS T-1 SETPOINT

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: TWO SWITCHES, ONE PER ESFAS DIVISION.

NOTE 3: MANUAL ACTUATE INITIATES LTOP ACTUATION AND EMERGENCY CORE COOLING SYSTEM ACTUATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.

NOTE 4: LOW TEMPERATURE INTERLOCK T-1: AUTOMATIC BLOCK ABOVE T-1; AUTOMATIC LTOP ENABLE BELOW T-1.

NOTE 5: LTOP SETPOINT (SP) IS CALCULATED BASED ON WR RCS COLD TEMPERATURE. LTOP ACTUATION OCCURS WHEN 2/4 WR RCS PRESSURE INPUTS INCREASE ABOVE THE LTOP SP.

NOTE 6: TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.

Figure 7.1-1o: Decay Heat Removal System Valve Actuation

[Logic diagram: actuation and priority logic for four DHRS actuation valves, two in ESFAS Division I and two in ESFAS Division II.]

Inputs shown per valve: AUTOMATIC DHRS ACTUATION (A); MANUAL DHRS ACTUATION (M); ENABLE NONSAFETY CONTROL HS, enable (E) and disable (D) (NOTE 2); MCS NONSAFETY OPEN and CLOSE (NOTE 6); DIVISION I MCR ISOLATION and DIVISION II MCR ISOLATION; VALVE FULLY OPENED and VALVE FULLY CLOSED position feedback (NOTE 4).

Logic blocks shown per valve: NONSAFETY INPUT DECODE LOGIC (OPEN, CLOSE, NS ENABLE, NS DISABLE, MANUAL, AUTO); DHRS ACTUATION VALVE ACTUATION AND PRIORITY LOGIC (APL) (NOTE 3); EIM OUT (NOTE 3).

Actuated equipment shown: SOLENOID VALVES, DIVISION I and DIVISION II (NOTE 1).

NOTE 1: SOLENOIDS ARE ENERGIZED BY REDUNDANT EIMS TO CLOSE VALVE; SOLENOIDS ARE DE-ENERGIZED TO OPEN VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 6: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.
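The seal-in, de-energize-to-actuate and redundant-EIM behaviour stated in Notes 1, 3 and 4 of Figure 7.1-1o can be exercised with a small simulation. This is an added example, not NuScale code and not part of the FSAR; the class and field names, the tick-based valve stroke, and the rule that nonsafety commands act only when no protective demand or seal-in is present are assumptions of the sketch.

```python
"""Sketch of the EIM actuation and priority logic (APL) notes of Figure 7.1-1o.

Added illustration, not NuScale code. Names, the tick-based valve stroke and
the nonsafety-command handling are assumptions of this sketch.
"""
from dataclasses import dataclass


@dataclass
class Inputs:
    auto: bool = False       # automatic DHRS actuation (A)
    manual: bool = False     # manual DHRS actuation (M)
    ns_enable: bool = False  # enable nonsafety control switch (Note 2)
    ns_open: bool = False    # nonsafety open command
    ns_close: bool = False   # nonsafety close command


class EimApl:
    """APL of one EIM. Output True = solenoid energized = valve held closed."""

    def __init__(self, use_seal_in=True):
        self.use_seal_in = use_seal_in  # False = weak variant, for contrast
        self.in_service = True          # False = EIM removed for maintenance
        self.seal_in = False
        self.energized = True           # standby: valve held closed

    def step(self, inp, valve_fully_open):
        if not self.in_service:
            return False                # a removed module energizes nothing
        if inp.auto or inp.manual:
            self.seal_in = True         # latch the protective action
        if self.seal_in:
            self.energized = False      # de-energize to actuate (Note 4)
            if valve_fully_open or not self.use_seal_in:
                self.seal_in = False    # released by position feedback
        elif inp.ns_enable:             # assumed: nonsafety acts only when
            if inp.ns_close:            # no demand or seal-in is present
                self.energized = True
            elif inp.ns_open:
                self.energized = False
        return self.energized


class Valve:
    """DHRS actuation valve: opens while its solenoid is de-energized."""

    def __init__(self, stroke_ticks=3):
        self.stroke = stroke_ticks
        self.pos = 0                    # 0 = fully closed, stroke = fully open

    @property
    def fully_open(self):
        return self.pos == self.stroke

    def step(self, solenoid_energized):
        delta = -1 if solenoid_energized else 1
        self.pos = min(self.stroke, max(0, self.pos + delta))


def run(script, eims):
    """Apply one Inputs per tick to both EIMs; return valve position per tick."""
    valve, trace = Valve(), []
    for inp in script:
        outs = [e.step(inp, valve.fully_open) for e in eims]
        valve.step(any(outs))  # Note 1: opens only when both EIM outputs drop
        trace.append(valve.pos)
    return trace


NS_CLOSE = Inputs(ns_enable=True, ns_close=True)


def momentary_demand(use_seal_in):
    """One-tick automatic demand, then the nonsafety side tries to close."""
    script = [Inputs(auto=True)] + [NS_CLOSE] * 3 + [Inputs()] + [NS_CLOSE] * 2
    return run(script, [EimApl(use_seal_in), EimApl(use_seal_in)])


def one_eim_removed():
    """Standby for two ticks, then a manual demand with one EIM pulled."""
    eims = [EimApl(), EimApl()]
    eims[1].in_service = False
    return run([Inputs()] * 2 + [Inputs(manual=True)] + [Inputs()] * 3, eims)


def both_eims_dead():
    """Loss of both EIM outputs with no demand at all: valve fails open."""
    eims = [EimApl(), EimApl()]
    for e in eims:
        e.in_service = False
    return run([Inputs()] * 3, eims)


if __name__ == "__main__":
    print("seal-in:   ", momentary_demand(True))
    print("no seal-in:", momentary_demand(False))
    print("one EIM:   ", one_eim_removed())
    print("no EIMs:   ", both_eims_dead())
```

With the seal-in, the valve reaches full open despite the competing nonsafety close command and can be reclosed only afterwards; in the contrast variant without it, the same input sequence recloses the valve after one tick.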

NuScale Final Safety Analysis Report, Fundamental Design Principles

Figure 7.1-1p: Main Steam Isolation Valve Actuation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; Division I and Division II solenoid valves (Note 1) on each main steam isolation valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1q: Main Steam Isolation Bypass Valve Actuation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; Division I and Division II solenoid valves (Note 1) on each MS isolation bypass valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1r: Secondary Main Steam Isolation Valve Actuation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; SAFETY / NONSAFETY boundary markers; Division I and Division II solenoid valves (Note 1) on each secondary main steam isolation valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1s: Secondary MSIV Bypass Valve Actuation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; SAFETY / NONSAFETY boundary markers; Division I and Division II solenoid valves (Note 1) on each secondary MSIV bypass valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1t: Feedwater Isolation Valve Actuation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; Division I and Division II solenoid valves (Note 1) on each feedwater isolation valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO OPEN VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1u: Feedwater Regulating Valve Isolation

[Logic diagram not reproduced. Recoverable labels, repeated for Division I and Division II: automatic DHRS or SSI actuation (A); manual SSI actuation, manual DHRS actuation and manual containment isolation (M); nonsafety control (Note 2) with NS ENABLE / NS DISABLE; OPEN / CLOSE nonsafety inputs from the MCS (Note 7) into nonsafety input decode logic; valve fully closed / valve fully opened feedback (Note 4); actuation and priority logic (APL) and EIM outputs (Note 3) for ESFAS Division I and Division II; SAFETY / NONSAFETY boundary markers; Division I and Division II solenoid valves (Note 1) on each feedwater regulating valve (Note 5).]

NOTE 1: SOLENOID IS ENERGIZED BY REDUNDANT EIMS TO ALLOW NONSAFETY CONTROL OF VALVE; SOLENOID IS DE-ENERGIZED TO CLOSE VALVE WHEN BOTH EIM OUTPUTS ARE DE-ENERGIZED.

NOTE 2: ONE ENABLE NONSAFETY CONTROL SWITCH PER DIVISION. THE SINGLE SWITCH ENABLES NONSAFETY CONTROL TO ALL ESF COMPONENTS.

NOTE 3: THE LOGIC SHOWN IS IMPLEMENTED IN REDUNDANT EIM ACTUATION PRIORITY LOGIC (APL) MODULES. A SINGLE EIM CAN BE REMOVED FOR MAINTENANCE, AND THE VALVE LOGIC WILL REMAIN FUNCTIONAL WITH THE EIM THAT REMAINS IN SERVICE.

NOTE 4: THE EIM APL LOGIC INCLUDES A SEAL-IN TO ENSURE COMPLETION OF THE PROTECTIVE ACTION. THE SEAL-IN REMAINS IN PLACE UNTIL POSITION FEEDBACK INDICATES THAT THE VALVE HAS REACHED THE POSITION DEMANDED BY THE PROTECTIVE ACTION. THE PROTECTIVE ACTION IS FAIL-SAFE, OR DE-ENERGIZE TO ACTUATE.

NOTE 5: VALVE IS CONTROLLED BY TWO REDUNDANT SOLENOIDS, ONE FROM EACH DIVISION. THE VALVE CLOSES WHEN EITHER THE DIVISION I OR DIVISION II SOLENOID IS DE-ENERGIZED. THE VALVE OPENS ONLY WHEN BOTH THE DIVISION I AND DIVISION II SOLENOIDS ARE ENERGIZED.

NOTE 6: LOGIC IS SHOWN FOR DIVISION I AND II. BOTH DIVISIONS ARE SHOWN TO INDICATE UNIQUE ACTUATED EQUIPMENT NUMBERS ASSOCIATED WITH EACH REDUNDANT DIVISION.

NOTE 7: NONSAFETY CONTROL INPUTS CONSIST OF 14 INDIVIDUAL HARDWIRED SIGNALS.


Figure 7.1-1ah: Loss of AC Power to ELVS Battery Chargers

[Logic diagram not reproduced. Recoverable labels: LOW AC VOLTAGE TO B BATTERY CHARGERS and LOW AC VOLTAGE TO C BATTERY CHARGERS, each with channels A, B, C and D; a VS block (Note 2) and a time delay TD (Note 3) per channel; 2/4 coincidence; RTS Division I and ESFAS Division I (Note 1); output blocks for reactor trip, containment system isolation, chemical and volume control system isolation, pressurizer heater trip breakers, decay heat removal system actuation, demineralized water system isolation, secondary system isolation and start/stop 24-hour timer.]

NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.

NOTE 2: THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.

NOTE 3: THE TIME DELAY (TD) IS ADDED TO DELAY THE START OF THE TIMING SEQUENCE TO PREVENT ACTUATION OF TRIP LOGIC ON MOMENTARY AC BUS VOLTAGE TRANSIENTS. THE TIME DELAY ALSO DELAYS THE RESET OF THE TIMING SEQUENCE TO PREVENT PREMATURE RESET OF TRIP LOGIC ON MOMENTARY AC BUS VOLTAGE TRANSIENTS.
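The delay that Note 3 places on both the start and the reset of the timing sequence, ahead of the 2/4 coincidence shown on the figure, behaves as in the following added sketch. It is not taken from the FSAR or from NuScale; the three-scan delay, the TRIP/BYPASS switch meanings and every name in the code are assumptions.

```python
TD_SCANS = 3  # assumed delay length, counted in logic scans


class DelayedChannel:
    """One low-voltage channel whose output changes only after the raw input
    has held the new value for TD_SCANS consecutive scans, on both edges."""

    def __init__(self, mode="NORMAL"):
        self.mode = mode   # "NORMAL", "TRIP" or "BYPASS" (assumed switch positions)
        self.out = False   # delayed low-voltage state
        self.count = 0     # consecutive scans the raw input has differed from out

    def scan(self, low_voltage):
        if low_voltage != self.out:
            self.count += 1
            if self.count >= TD_SCANS:
                self.out, self.count = low_voltage, 0
        else:
            self.count = 0            # transient ended before the delay expired
        if self.mode == "TRIP":
            return True               # assumed: channel votes tripped
        if self.mode == "BYPASS":
            return False              # assumed: channel does not vote
        return self.out


def vote_2_of_4(samples, modes=("NORMAL",) * 4):
    """samples: per-scan 4-tuples of raw low-voltage flags for channels A to D.
    Returns the 2-out-of-4 result for each scan."""
    channels = [DelayedChannel(m) for m in modes]
    return [sum(ch.scan(raw) for ch, raw in zip(channels, scan)) >= 2
            for scan in samples]


LOW, OK = (True,) * 4, (False,) * 4   # constructed inputs: all channels low / normal


def momentary_dip():
    """Two-scan voltage dip: shorter than the delay, so nothing starts."""
    return vote_2_of_4([LOW] * 2 + [OK] * 3)


def sustained_loss_with_blip():
    """Real loss of voltage, a two-scan recovery blip, then a real recovery."""
    return vote_2_of_4([LOW] * 5 + [OK] * 2 + [LOW] + [OK] * 3)


if __name__ == "__main__":
    print("momentary dip:      ", momentary_dip())
    print("sustained with blip:", sustained_loss_with_blip())
```

The blip in the second scenario does not reset the voted signal, which is the premature-reset case the note describes.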


NuScale Final Safety Analysis Report, System Features

placed on the backplane. These signals are provided to the associated EIM actuation priority logic circuits downstream of the FPGA logic components that generate automatic signals.

A Division I and Division II manual actuation switch is provided in the MCR for each of the following protective actions. Each manual actuation switch actuates the respective protective function within its associated division. Actuation of either divisional switch is sufficient to complete the safety function. The manual actuation switches are shown in the MPS functional logic diagrams, Figure 7.1-1j through Figure 7.1-1n:

  • containment isolation
  • demineralized water system isolation
  • chemical and volume control system isolation
  • pressurizer heater trip
  • secondary system isolation
  • low temperature over pressure protection

Because the hard-wired manual actuation switch input is downstream of digital components within the MPS, failure of the MPS automatic function does not prevent the manual initiation of the required protective action.

RAI 16-18S1

If enabled by the operator using the safety-related enable nonsafety control switch, manual component level control of ESF equipment is possible using nonsafety discrete hard-wired inputs from the MCS to the HWM. These signals are then input to the actuation priority logic circuit on the EIM. Any automatic or manual safety-related signal will override the nonsafety signal and is prioritized within the actuation priority logic. For beyond DBEs and for a limited number of actuated equipment, a safety-related override switch can be used to prioritize a nonsafety signal over certain automatic signals. Override switches are provided for the containment system isolation override function as shown below.

Override - two switches / one per division

RAI 16-18S1

  • The manual override switches allow for manual control of the CFDS, RCS injection, and pressurizer spray containment isolation valves if an automatic containment system isolation actuation signal or a CVCS isolation actuation signal is present, with the exception of the High Pressurizer Level CVCS isolation actuation signal.
  • The manual override switches will generate an alarm when activated.

See the MPS functional logic diagrams (Figure 7.1-1j through Figure 7.1-1ao). The manual controls are controlled administratively through approved plant procedures.
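The priority rule stated above (a safety-related signal overrides the nonsafety signal) and Notes 1, 3, 4 and 5 of the valve actuation figures can be exercised together in a small simulation. This is an added illustration, not NuScale logic or code; the scan-based timing, the three-scan stroke, the hold-last-output behaviour and all class and function names are assumptions of the model.

```python
from dataclasses import dataclass

STROKE = 3  # assumed: logic scans needed for a full valve stroke


@dataclass(frozen=True)
class Inputs:
    auto: bool = False       # automatic protective actuation (A)
    manual: bool = False     # manual protective actuation (M)
    ns_enable: bool = False  # enable nonsafety control switch (Note 2)
    ns_cmd: str = ""         # nonsafety demand from the MCS: "OPEN", "CLOSE" or ""


class Apl:
    """Priority logic of one EIM. scan() returns True to energize the solenoid."""

    def __init__(self):
        self.seal_in = False
        self.energize = True  # assumed starting state: valve held open

    def scan(self, inp, fully_closed):
        if inp.auto or inp.manual:
            self.seal_in = True       # protective demand latches
        elif self.seal_in and fully_closed:
            self.seal_in = False      # released only by position feedback (Note 4)
        if self.seal_in:
            self.energize = False     # safety demand outranks any nonsafety demand
        elif inp.ns_enable and inp.ns_cmd in ("OPEN", "CLOSE"):
            self.energize = inp.ns_cmd == "OPEN"
        # with no demand the output holds its last state (assumption of this model)
        return self.energize


class Division:
    """Two redundant EIMs feed one solenoid (Notes 1 and 3)."""

    def __init__(self, in_service=(True, True), powered=True):
        self.eims = [Apl(), Apl()]
        self.in_service = in_service  # False = EIM removed for maintenance
        self.powered = powered

    def solenoid(self, inp, fully_closed):
        if not self.powered:
            return False              # de-energize to actuate: power loss closes the valve
        outs = [apl.scan(inp, fully_closed)
                for apl, ok in zip(self.eims, self.in_service) if ok]
        return any(outs)              # de-energized only when every EIM output is


def simulate(scans, div1=None, div2=None):
    """scans: list of (Division I Inputs, Division II Inputs), one pair per scan.
    Returns (solenoid I, solenoid II, position) per scan; position 0 = fully closed."""
    div1, div2 = div1 or Division(), div2 or Division()
    pos, trace = STROKE, []
    for in1, in2 in scans:
        closed = pos == 0
        s1, s2 = div1.solenoid(in1, closed), div2.solenoid(in2, closed)
        # Note 5: opens only with both solenoids energized, closes when either is not
        pos = min(STROKE, pos + 1) if (s1 and s2) else max(0, pos - 1)
        trace.append((s1, s2, pos))
    return trace


IDLE = Inputs()
NS_OPEN = Inputs(ns_enable=True, ns_cmd="OPEN")


def priority_and_seal_in():
    """Constructed scenario: a one-scan manual demand in Division I arrives while
    the MCS keeps demanding OPEN; the operator reopens the valve afterwards."""
    pulse = Inputs(manual=True, ns_enable=True, ns_cmd="OPEN")
    scans = ([(NS_OPEN, NS_OPEN), (pulse, NS_OPEN)] + [(NS_OPEN, NS_OPEN)] * 2
             + [(IDLE, IDLE)] * 2 + [(NS_OPEN, NS_OPEN)] * 3)
    return simulate(scans)


if __name__ == "__main__":
    for n, (s1, s2, pos) in enumerate(priority_and_seal_in()):
        print(f"scan {n}: solenoid I={s1!s:5} solenoid II={s2!s:5} position={pos}")
```

In the scenario the one-scan demand in a single division still drives the valve fully closed, and the standing nonsafety OPEN demand has no effect until position feedback releases the seal-in.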


NuScale Final Safety Analysis Report, Summary Description

RAI 10.04.07-1

Figure 10.1-1: Power Conversion System Block Flow Diagram

[Block flow diagram not reproduced. Drawing title: NuScale Power Cycle Block Flow Diagram. Legend entries: Containment System, Main Steam System, Turbine Generator System, Condensate & Feedwater System, Condenser Air Removal System. Components named on the drawing include the steam generators, main steam isolation valves, secondary main steam isolation valves, MSSVs, turbine stop valve, turbine bypass valve, desuperheater, turbine generator, condenser, condensate pumps, condensate polisher, LP, IP and HP heaters, feedwater pumps, feedwater regulating valves, feedwater isolation valves, condenser air removal packages, aux steam header, removable spool pieces, and the seismic anchors at the exit from and entrance to the RXB.]

NuScale Final Safety Analysis Report, Main Steam System

10.3 Main Steam System

The primary function of the main steam system (MSS) is to transport steam from the steam generators to the turbine generator system. Each NuScale Power Module (NPM) is supplied with a separate MSS.

The containment-penetrating steam supply is divided into three portions: internal to containment discussed in Section 5.4, the containment and safety-related main steam isolation valves (MSIVs) discussed in Section 6.2, and the nonsafety-related portion discussed in this section.

The MSS extends from the flange immediately downstream of the MSIVs to the inlet of the turbine generator vendor package. The extraction points from the turbine to the feedwater heaters are also considered part of the MSS although there is no direct connection to the other MSS piping.

10.3.1 Design Bases

This section identifies the MSS required or credited functions, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure that the functions are fulfilled. Together, this information represents the design bases defined in 10 CFR 50.2 for the MSS, as required by 10 CFR 52.47(a) and 10 CFR 52.47(a)(3)(ii).

The MSS is nonsafety-related. One nonsafety-related secondary MSIV is located downstream of each containment system MSIV as backup for the performance of the containment system MSIV design bases functions as outlined in Section 6.2.4.

General Design Criteria (GDC) 2, 4, and 5 were considered in the design of the MSS. No safety-related structures, systems, and components (SSC) are affected by the effects of natural phenomena such as earthquakes. The design of the MSS provides protection of safety-related SSC from the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. There are no safety-related components in the MSS that are shared among NPMs; therefore, the loss of components in one MSS does not impair the ability of other NPMs to perform their safety functions.

The NPM decay and residual heat removal safety function is performed by the decay heat removal system (DHRS) flowpath requiring containment isolation. Consistent with PDC 34, the secondary MSIVs provide a nonsafety-related backup to the containment MSIVs, and provide additional assurance that the blowdown of a second steam generator (SG) is limited if a steamline were to break upstream of the MSIV. Secondary system isolation (SSI) is provided to protect the steam generator inventory without an unnecessary cooldown.

Conformance with PDC 34 is further discussed in Section 5.4 and Section 10.3.3.

Consistent with 10 CFR 50.63, the nonsafety-related portion of the MSS is not relied upon to operate in response to a station blackout (SBO). Rather, the DHRS operates in conjunction with the ultimate heat sink to fulfill the core cooling function in the event of an SBO.

Conformance with 10 CFR 50.63 and the guidelines of Regulatory Guide 1.155 are discussed in Section 8.4.2 and Section 10.3.3.


Outside of the RXB, sampling points are provided on each main steam line. The MSS piping is protected from overpressure by MSSVs (outside the TGB wall) upstream of the sampling and auxiliary steam connections.

Branch piping inside the TGB for each MSS provides for turbine bypass to the main condenser, secondary sampling system, low point drains, feedwater heater steam, and backup auxiliary steam. The MSS provides gland steam through the auxiliary boiler system header. Connections allowing sampling are provided in appropriate locations in the secondary side piping. The secondary sampling system is described in Section 9.3.2.

As discussed in Section 10.3.1, the portion of each MSS up to and including the secondary MSIVs provides nonsafety-related backup to the MSIVs for safety-related isolation functions, and for the safety-related decay and residual heat removal safety function in PDC 34.

RAI 10.03-5

Design considerations of the MSS are reflected in the failure modes and effects analyses summarized in Section 5.4 (specific to providing backup to DHRS operation) and Table 10.3-2 (specific to providing backup to containment and secondary system steam line isolation functions of the MSS). Failure modes and effects analysis for MSIV and MSIV bypass valves can be found in Table 6.2-6.

The MSS is designed to permit appropriate functional testing of system components as described further in Section 10.3.2.2 and Section 10.3.4.

The MSS piping upstream of the secondary MSIVs is designed to not exceed its service limits during a design basis event. Administrative procedures preclude filling the SG and MSS piping water-solid during normal operation, as well as during DHRS operation.

The MSS has leak detection capabilities. An MSS steam line break is detected as low steam line pressure by pressure sensors in the steam plenums (Section 5.3). This causes an isolation signal to the MSIVs, and closure signals to the turbine bypass valve, turbine stop valve, and drain line isolation valves to limit blowdown of the system.

Section 5.4.1 provides a description of SG design features to minimize fluid flow water hammer. The design and layout of the MSS include provisions to minimize the potential for water hammer and other flow instabilities (Section 3.6.3).

10.3.2.2 Component Description

The major components of the MSS include the piping, secondary MSIVs, secondary main steam isolation bypass valves, MSSVs, drains, and associated supports and appurtenances. The design and operational characteristics of these components are described below. Design parameters and associated values are provided in Table 10.3-1.

Tier 2 10.3-3 Draft Revision 3

The portion of the MSS from the outlets of the MSIVs to the first piping restraint downstream of the MSIVs is nonsafety-related, Seismic Category I, and quality group D.

The remainder of the MSS is classified as nonsafety-related, non-seismic, and quality group D. Consistent with Regulatory Guide 1.26, these portions are designed in accordance with the provisions of ASME Power Piping Code Section B31.1. Additional detail of the safety, quality, and seismic classification of the MSS components is provided in Section 3.2.

Main Steam Piping

Figure 10.1-1 depicts the MSS boundaries, including interconnections with other systems.

The two steam lines combine to mix and equalize the output of the two SG coils.

Flanges immediately downstream of the MSIVs are provided to enable disconnection of the piping from the NPM in preparation for moving the module for refueling or maintenance. Immediately downstream of the flanges, the MSS lines pass through the secondary MSIV and secondary MSIBVs. Ball-joint type flanges are used downstream of the secondary MSIVs to reduce containment vessel nozzle stress.

The steam lines from six NPMs are then routed inside the RXB toward the center of the building and then exit the building above ground. They are supported on a pipe rack between the RXB and the TGB.

In the TGB, the MSS lines are each routed to their separate turbine generator set.

Secondary Main Steam Isolation Valves

Design parameters and associated values for the secondary MSIVs are provided in Table 10.3-1.

RAI 06.02.04-6S1, RAI 15.06.03-2 Each secondary MSIV is provided with two independent actuator control systems to ensure successful performance of the secondary MSIV function, assuming a single failure. In response to a main steam isolation signalDHRS actuation signal and SSI signal, the secondary MSIVs automatically close. The secondary MSIVs are capable of closing in steam conditions.

RAI 15-17S1 The nonsafety-related secondary MSIVs are used for event mitigation as backup protection for the safety-related MSIVs as described in Section 15.0.0.6.6. The secondary MSIV is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in steam systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve can reliably close within the required time specified in Table 10.3-1 at full power steam flow and pressure conditions.

RAI 15-17S1 Tier 2 10.3-4 Draft Revision 3

General Design Criterion 5 was considered in the design of the MSS. There are no safety-related components in the MSS shared among NPMs, and therefore the MSS does not impair the ability of other NPMs to perform their safety functions.

Principal Design Criterion 34 was considered in the design of the MSS. The decay and residual heat removal safety function per PDC 34 is performed by the DHRS flowpath, and containment isolation function of the containment system performed by the MSIVs and the feedwater isolation valves. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown. Consistent with PDC 34, the nonsafety-related secondary MSIVs downstream of the MSIVs are credited as backup isolation components in the event that an MSIV fails to close. Although not safety-related, the secondary MSIVs are designed to close under postulated worst-case conditions and are included in technical specification surveillance requirements to ensure their reliability and operability. Thus, consistent with the position established in NUREG-0138, Issue Number 1, the secondary MSIVs ensure that the blowdown is limited if a steamline were to break upstream of the MSIV. Conformance with PDC 34 is further discussed in Section 5.4.

The requirements of 10 CFR 20.1101(b) were considered in the design of the MSS. The MSS is not normally a radiation hazard in a pressurized water reactor. Radiological considerations do not affect access to system components during normal conditions.

Therefore, no radiation shielding is provided for the MSS and associated components. It is only in the unlikely event of a primary-to-secondary system leak or SG tube failure that the steam could become contaminated. If a SG tube failure is detected, the secondary coolant is sampled and a radiation survey completed before performing maintenance or modification work on the system. Access to the areas containing the system is restricted, if required, based on the survey results. The requirements of 10 CFR 20.1406 were considered in the design of the MSS. Consistent with 10 CFR 52.47(a)(6), the MSS is designed to meet the requirements of 10 CFR 20.1406 as it relates to minimizing contamination of the facility.

Further discussion of the facility design features to protect against contamination is provided in Section 12.3.

The requirements of 10 CFR 50.63 were considered in the design of the MSS. The nonsafety-related portion of the MSS is not relied upon to operate in response to an SBO to satisfy 10 CFR 50.63. Rather, the DHRS operates in conjunction with the ultimate heat sink to fulfill the core cooling function in the event of an SBO. Successful operation of the DHRS relies on the safety-related MSIVs, which form part of the DHRS flowpath and pressure boundary. The secondary MSIVs provide backup to the MSIVs, thus are also required to fail closed during an SBO. This functionality is ensured with or without the availability of electrical power. Conformance with 10 CFR 50.63 and the guidelines of Regulatory Guide 1.155 are discussed in Section 8.4.2.

10.3.4 Inspections and Tests

The MSS components are inspected and tested as part of preoperational and startup tests, and are within the scope of the initial test program described in Section 14.2.

Nonsafety-related MSS piping and components are inspected and tested in accordance with the requirements of ASME B31.1.

The proposed Inspections, Tests, Analyses, and Acceptance Criteria required by 10 CFR 52.47(b)(1) and 10 CFR 52.80(a) are discussed in Section 14.3.

Tier 2 10.3-8 Draft Revision 3

Table 10.3-5 provides a list of power conversion system piping which is within the scope of the flow-accelerated corrosion monitoring program.

RAI 10.03.06-5 In addition to design and layout provisions, flow-accelerated corrosion is minimized by the implementation of a secondary water chemistry control program as described in Section 10.3.5.

RAI 10.03.06-1, RAI 10.03.06-5 COL Item 10.3-2: A COL Applicant that references the NuScale Power Plant design certification will provide a description of the flow-accelerated corrosion monitoring program for the steam and power conversion systems based on Generic Letter 89-08 and the latest revision of the Electric Power Research Institute NSAC-202L at the time of the COL application.

10.3.7 Instrumentation

The main steam temperature, pressure, radiation, and flow instrumentation is designed to permit automatic plant operation, remote control, and continuous indication of system parameters. The remote instrumentation readouts required for monitoring the system are provided in the main control room. The ability to manually initiate MSS control actions is available in the main control room.

Table 10.3-4 shows the MSS instrumentation. A list of the instrumentation associated with SSI actuation and DHRS actuation and operation (including MSIV and secondary MSIV closure) is provided in Section 7.1.

The instrumentation and controls associated with turbine bypass are described in Section 10.4.4.

10.3.8 References

10.3-1 Electric Power Research Institute, "Recommendations for an Effective Flow-Accelerated Corrosion Program (NSAC-202L-R3) Non-Proprietary Version," EPRI #1015425, Final Report, Palo Alto, CA, 2007.

10.3-2 Electric Power Research Institute, "Pressurized Water Reactor Secondary Water Chemistry Guidelines," EPRI #1016555 Rev. 7, February 17, 2009, Palo Alto, CA.

10.3-3 Nuclear Energy Institute, "Steam Generator Program Guidelines," NEI 97-06, Rev 3, Washington, DC, January 2011.

Tier 2 10.3-13 Draft Revision 3

Table 10.3-4: Main Steam System Instrumentation (Continued)

| Equipment Name | Monitored Parameter | Local Display | Signal To MCS |
|---|---|---|---|
| Steam trap drain valve limit switches | Valve fully open | No | Yes |
| Steam trap drain valve limit switches | Valve fully closed | No | Yes |
| FWS differential pressure transmitters | SG inventory | No | Yes |

Tier 2 10.3-24 Draft Revision 3

NuScale Final Safety Analysis Report Other Features of Steam and Power Conversion System

10.4.7.1 Design Bases

This section identifies the CFWS required or credited functions, the regulatory requirements that govern the performance of those functions, and the controlling parameters and associated values that ensure the functions are fulfilled. Together, this information represents the design bases, as defined in 10 CFR 50.2, as required by 10 CFR 52.47(a) and (a)(3)(ii).

Specific feedwater components provide a nonsafety-related, not risk-significant backup to plant safety features. One feedwater regulating valve (FWRV) is located upstream of each CNTS feedwater isolation valve (FWIV), as a means of backup isolation to the containment system FWIV as outlined in Section 6.2.4. Likewise, the feedwater check valve is used as a backup to the FWIV integral check valve to prevent SG backflow. Use of these valves as backup to plant safety features is discussed in Section 15.0.0.

General Design Criteria 2, 4, and 5 were considered in the design of the CFWS. No safety-related SSC are affected by the effects of natural phenomena such as earthquakes. The design of the CFWS provides protection of safety-related SSC from the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. There are no safety-related components in the CFWS shared among NPMs, therefore failure of the CFWS does not impair the ability of other NPMs to perform their safety functions. See Section 10.4.7.3 for the CFWS safety evaluation.

The NPM decay and residual heat removal safety function is performed by the decay heat removal system (DHRS) flowpath requiring containment isolation. Consistent with PDC 34, the FWRVs provide a nonsafety-related backup to the FWIVs and provide additional assurance that the blowdown of a second steam generator (SG) is limited if a feedwater line were to break upstream of the FWIV. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown.

Conformance with PDC 34 is further discussed in Section 5.4 and Section 10.4.7.3.

Consistent with GDC 60, the design of the CFWS ensures the capability to control releases of radioactive materials to the environment. Consistent with 10 CFR 20.1101(b), the CFWS design supports keeping radiation exposures as low as reasonably achievable (ALARA). The CFWS is designed to meet the requirements of 10 CFR 20.1406 as it relates to minimization of contamination of the facility.

10.4.7.2 System Description

10.4.7.2.1 General Description

The containment penetrating systems are divided into three portions: internal to containment, the containment and safety-related isolation valve(s), and the nonsafety-related portion external to the NPM. The three portions of the system are shown on Figure 10.1-1. The CFWS provides the upstream nonsafety-related portion.

The CFWS includes the following equipment and components:

Tier 2 10.4-29 Draft Revision 3

Normal control of the FWRVs is through the MCS. In off-normal conditions the MPS overrides normal control of the valves and can force closure. Each FWRV is designed to fail closed on loss of power or control signal of DHRS actuation and secondary system isolation (SSI), regardless of the operating mode, and performs a feedwater isolation function as a backup to the FWIV. As such, the FWRVs meet the same flow requirements as the FWIVs.

RAI 15-17S1 The nonsafety-related FWRVs are used for event mitigation as backup protection for the safety-related FWIVs as described in Section 15.0.0.6.6. The FWRV is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in feedwater systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve actuates as expected at operating conditions.

RAI 15-17S1 Each secondary FWRV is periodically tested in accordance with the Augmented Valve Testing Program described in FSAR Section 3.9.6.5. Valve functions and periodic testing requirements are specified in FSAR Table 3.9-17.

Feedwater Check Valves

Two check valves are installed in each feedwater line. Both feedwater check valves prevent reverse flow from the steam generators whenever the feedwater system is not in operation and are designed to withstand the forces of closing after a CFWS line rupture.

The first check valve is upstream of and integral with the FWIV, providing backflow prevention. The second is downstream of the FWRV and is provided for secondary backflow prevention.

RAI 15-17S1 The nonsafety-related secondary FW check valves are used for event mitigation as backup protection for the safety-related FW check valves as described in Section 15.0.0.6.6. The secondary FW check valve is a commercially available valve that utilizes a proven design and demonstrates reliable operation based on operating experience in water systems. A design with no previous operating experience may be proven through testing to demonstrate that the valve actuates as expected at operating conditions.

RAI 15-17S1 Each secondary FW check valve is periodically tested in accordance with the Augmented Valve Testing Program described in FSAR Section 3.9.6.5. Valve functions and periodic testing requirements are specified in FSAR Table 3.9-17.

Tier 2 10.4-33 Draft Revision 3

Inadvertent DHRS actuation and SSI causes closure of the MSIV and MFIV on the affected side of the secondary system. This increases the secondary side pressure on the affected SG. The RCS pressure and temperature increases at a lower rate. The unaffected SG train steam production is lower than the turbine steam demand. The reactor trips on high steam pressure, high PZR pressure, or high PZR level. See Section 15.6.1 for the inadvertent opening of a reactor safety valve.

A steam line break event refers to a main steam line break ranging from a small break to a double-ended rupture of a main steam line. Initially, the steam flow is increased before the affected steam line is isolated and depressurizes. After a short time of overcooling, the RCS temperature and pressure increase. If the steam line break is inside the containment, the reactor trips on high containment pressure. If the steam line break is outside the containment, the reactor trips on low steam pressure or low PZR level or pressure. For breaks outside containment, the break flow is terminated by closure of the MSIV on the affected SG or after CFWS is isolated and the SG boils dry. For breaks inside the containment, the break flow is terminated after feedwater flow is isolated and the SG dries out. A steam line break is discussed in Section 15.1.5.

The SGTF is defined as a double-ended rupture of a single SG tube. Primary coolant from the RCS enters the secondary system, driven by the pressure difference between the RCS and the secondary side of the SG. As a result, the inventory, pressure, and activity in the affected SG increase. The break flow depressurizes the RCS and decreases the PZR level. On the secondary side, the FWIVs and FWRVs isolate on a low-low PZR level containment isolation signal to prevent excessive loss of RCS inventory. The reactor trips on high steam pressure, low PZR pressure, or low PZR level. An SGTF is discussed in Section 15.6.3.

The sudden loss of CFWS flow at power causes the SG heat removal rates to decrease, which causes the reactor coolant temperature to increase. The RCS fluid expands, flows into the PZR, thereby increasing the pressure. The SG liquid levels decrease following the termination of feedwater flow. The reactor trips on high PZR level and pressure, or low feedwater flow. This event results in the closure of the MSIVs and the actuation of the DHRS. The DHRS initiates and establishes decay heat removal and control RCS pressure and temperature within required limits. A loss of feedwater flow is discussed in Section 15.2.7.

10.4.7.3 Safety Evaluation

The portion of the feedwater piping from the SG feedwater nozzles to the outermost FWIV flange is classified as safety-related Quality Group B. This portion of the system is designed to ensure feedwater system isolation in accident situations, such as a feedwater line break, and containment isolation in cases in which the feedwater system could potentially become a containment bypass pathway (e.g., SGTF) and is included in the containment system described in Section 6.2. One FWRV is located upstream of each containment system FWIV as back up for the performance of the FWIV design bases functions. Likewise, the feedwater check valve is used as a back up to the FWIV integral check valve to prevent SG backflow. Both valves are nonsafety-related and not risk significant.

Tier 2 10.4-37 Draft Revision 3

therefore, failure of the CFWS does not impair the ability of other NPMs to perform their safety functions.

The condensate and feedwater system is designed to avoid FAC:

  • feedwater piping and components are constructed using material resistant to FAC
  • flow velocity and changes in flow direction are limited consistent with the guidance of NSAC-202L (Reference 10.4-4)
  • feedwater chemistry is continuously monitored and controlled

The CFWS and supporting systems monitor and control secondary water chemistry to maintain water quality specifications during normal operation and AOOs. Flow-accelerated corrosion is discussed further in Section 10.3.6.

RAI 10.04.07-1 The CFWS system is nonsafety-related. Each FWRV is designed to provide backup to the FWIV safety function. Both valves are designed to fail closed on loss of motive force or loss of control signal. Principal Design Criterion 34 was considered in the design of the MSS. The decay and residual heat removal safety function per PDC 34 is performed by the DHRS flowpath, and containment isolation function of the containment system, along with the secondary system isolation function, are performed by the MSIVs and the feedwater isolation valves. Secondary system isolation is provided to protect the steam generator inventory without an unnecessary cooldown. Consistent with PDC 34, the nonsafety-related secondary MSIVs downstream of the MSIVs are credited as backup isolation components in the event that an MSIV fails to close.

General Design Criterion 60 was considered in the design of the condensate and feedwater system. Consistent with GDC 60, the CFWS design controls radioactive material releases to the environment. Consistent with 10 CFR 20.1101(b), the CFWS design supports keeping radiation exposures ALARA. To maintain the radiation exposure to operating and maintenance personnel ALARA, the CFWS is designed to facilitate maintenance, inspection, and testing in accordance with the guidance in RG 8.8. The CFWS design satisfies the requirements of 10 CFR 20.1406 in that it supports minimization of contamination of the facility and the environment. Primary-to-secondary leakage from an SGTF has the potential to introduce radioactive material into the CFWS. Main steam and condensate monitoring with MSS and CFWS isolation capabilities minimize the contamination and release to the environment. The CFWS drains to the BPDS, which discharges to the radioactive waste drain system should the CFWS become contaminated.

Detected radioactive material in the condenser is managed by the CARS (Section 10.4.2). Radiation monitors are also provided on the exhaust from the gland seal condenser (Section 10.4.3).

RAI 10.03-5 The results of the CFWS failure modes and effects analysis are presented in Table 10.4-18.

Failure modes and effects analysis for FWIV valves can be found in Table 6.2-6.

Tier 2 10.4-39 Draft Revision 3

Table 10.4-19: Condensate and Feedwater System Instrumentation (Continued)

| Equipment Name | Monitored Parameter (NPMs) | Local Display | Signal To MCS |
|---|---|---|---|
| Feedwater header flow meter indicating transmitter (duplicate) | Feedwater flow rate (gpm) | Yes | Yes |
| Feedwater regulating valve A/B position indicating transmitter | Flow control valve position (%) | No | Yes |
| Feedwater regulating valve A/B position switch open indicators | Valve not fully open | No | Note 1 |
| Feedwater regulating valve A/B position switch closed indicators | Valve not fully closed | No | Note 2 |
| Condensate header emergency rejection level control valve position indicating transmitter | Level control valve position (%) | No | Yes |
| Condensate header normal rejection level control valve position indicating transmitter | Level control valve position (%) | No | Yes |
| Condensate storage tank level indicating transmitter | Vessel level (inches of H2O) | Yes | Yes |
| Condensate makeup conductivity analyzer | Condensate conductivity [microsiemens per centimeter @ 25°C (µS/cm)] | Yes | Yes |
| Condensate storage tank makeup level control valve position indicating transmitter | Level control valve position (%) | No | Yes |
| Condensate pump inlet manual valve position switch open | Valve not fully open | No | Yes |
| Long cycle cleanup air operated valve position switch open | Valve not fully open | No | Yes |
| Long cycle cleanup air operated valve position switch closed | Valve not fully closed | No | Yes |
| Condensate pump redundant minimum flow protection valve position switch open | Valve not fully open | No | Yes |
| Condensate pump redundant minimum flow protection valve position switch closed | Valve not fully closed | No | Yes |
| Long cycle recirculation flow element | Flow rate (lb/hr) | No | Yes |
| Long cycle recirculation flow indicating transmitter | Flow rate (lb/hr) | Yes | Yes |
| FWS differential pressure transmitters | SG inventory | No | Yes |

Notes:

(1) Signal to MPS for valve timing technical specification.

(2) Signal to Safety Display & Indication (SDI, system E014), via MPS to indicate that the FWRV is fully closed.

Tier 2 10.4-90 Draft Revision 3

NuScale Final Safety Analysis Report Technical Specifications

Table 16.1-1: Surveillance Frequency Control Program Base Frequencies (Continued)

| Surveillance Requirement | Base Frequency | Basis |
|---|---|---|
| 3.4.8.1 | 14 days | The 14 day Frequency is adequate to trend changes in the noble gas specific activity level and based on the low probability of an accident occurring during this time period. |
| 3.4.8.2 | 14 days | The 14 day Frequency is adequate to trend changes in the iodine activity level and based on the low probability of an accident occurring during this time period. |
| 3.4.10.1 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment. |
| 3.4.10 3 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment. |
| 3.5.1.1 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment. |
| 3.5.1.3 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment. |
| 3.5.2.1 | 12 hours | The Frequency of 12 hours is based on the similarity of the test to a CHANNEL CHECK as performed throughout existing large plant designs. The test verifies the accumulator pressure and thereby assures the OPERABILITY of the valves, as well as the status of the automatically monitored pressure alarms. |
| 3.5.2.2 | 24 hours | The 24 hour Frequency is based on the expected low rate of gas accumulation and the availability of control room indication and alarm of decay heat removal system (DHRS) level in the control room. |
| 3.5.2.3 | 12 hours | The SR to verify SG level is within limits every 12 hours takes into account indications and alarms that are continuously available to the operator in the control room and is consistent with other routine Surveillances which are typically performed once per shift. In addition, operators are trained to be sensitive to SG level and will ensure that the level is appropriately established and controlled. |
| 3.5 2.43 | 24 months | The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a unit outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability of the equipment. |
| 3.5.3.1 | 24 hours | Since the ultimate heat sink (UHS) level is normally maintained at a stable level, and is monitored by main control indication and alarm, a 24 hour Frequency is appropriate. This Frequency also takes into consideration the high ratio of UHS volume change to UHS level change due to the UHS geometry. |
| 3.5.3.2 | 24 hours | The Frequency of 24 hours is sufficient to identify a temperature change that would approach either the upper or lower limit of UHS bulk average temperature assumed in the safety analyses. Since the UHS bulk average temperature is normally stable, and is monitored by main control indication and alarm, a 24 hour Frequency is appropriate. This Frequency also takes into consideration the large heat capacity of the UHS in comparison to the magnitude of possible heat addition or removal mechanisms. |

Tier 2 16.1-9 Draft Revision 3

MPS Instrumentation 3.3.1 ACTIONS (continued)

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| I. As required by Required Action C.1 and referenced in Table 3.3.1-1. | I.1 Be in MODE 2. | 6 hours |
| | AND | |
| | I.2 Be in MODE 3 and PASSIVELY COOLED. | 36 hours |
| J. As required by Required Action C.1 and referenced in Table 3.3.1-1. | J.1 Open two reactor vent valves. | 1 hour |
| K. As required by Required Action C.1 and referenced in Table 3.3.1-1. | K.1 Be in MODE 2. | 6 hours |
| | AND | |
| | K.2 Be in MODE 3. | 36 hours |
| LK. As required by Required Action C.1 and referenced in Table 3.3.1-1. | LK.1 Be in MODE 2. | 6 hours |
| | AND | |
| | LK.2 Be in MODE 3 with RCS temperature below the T-2 interlock. | 48 hours |
| ML. As required by Required Action C.1 and referenced in Table 3.3.1-1. | ML.1 Be in MODE 2. | 72 hours |
| | AND | |
| | ML.2 Be in MODE 3 and PASSIVELY COOLED. | 96 hours |
| | AND | |
| | ML.3 Be in MODE 3 with RCS temperature below the T-2 interlock. | 96 hours |
| | AND | |

NuScale 3.3.1-4 Draft Revision 3.0

MPS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME ML. (continued) ML.4 Isolate dilution source flow 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve.Isolate demineralized water flow to the reactor coolant system.

AND ML.5 Open pressurizer heater 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> breakers.

N. As required by Required N.1 Be in MODE 2. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Action C.1 and referenced in AND Table 3.3.1 1.

N.2.1 Be in MODE 3 with RCS 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> temperature below the T 2 interlock.

OR N.2.2 Be in MODE 3 with 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Containment Water Level above the L 1 interlock.

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.1.1 Perform CHANNEL CHECK on each required channel listed in Table 3.3.1-1. In accordance with the Surveillance Frequency Control Program

NuScale 3.3.1-5 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 2 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

7. High Pressurizer Pressure
a. RTS 1, 2(a), 3(a) 4 D
b. DHRS 1, 2, 3(e) 4 I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
d. DWSI 1, 2(a), 3(a) 4 H
e. SSI 1, 2, 3(e) 4 I
8. Low Pressurizer Pressure
a. RTS 1(g) 4 D
b. DHRS 1(g) 4 D
c. CVCSI 1(g) 4 F
d. Pressurizer Heater Trip 1(g) 4 G
eb. DWSI 1(g) 4 H
9. Low Low Pressurizer Pressure
a. RTS 1, 2(a) 4 D
b. DHRS 1, 2 4 I
cb. CVCSI 1, 2 4 F
d. Pressurizer Heater Trip 1, 2 4 G
ec. DWSI 1, 2(a) 4 H
d. SSI 1 4 I

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(g) With narrow range RCS hot temperature above the T-4 interlock.

NuScale 3.3.1-9 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 3 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

10. High Pressurizer Level
a. RTS 1, 2(a), 3(a) 4 D
b. CVCSI 1, 2, 3 4 F
c. DWSI 1, 2(a), 3(a) 4 H
11. Low Pressurizer Level
a. RTS 1, 2(a), 3(a) 4 D
b. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
c. DWSI 1, 2(a), 3(a) 4 H
12. Low Low Pressurizer Level
a. DHRS 1, 2, 3(h) 4 N
ba. CIS 1, 2, 3(h) 4 KL
cb. CVCSI 1, 2, 3(h) 4 F
d. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
c. SSI 1, 2, 3(h) 4 I
13. High Narrow Range RCS Hot Temperature
a. RTS 1 4 D
b. DHRS 1, 2, 3(e) 4 I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
d. DWSI 1 4 H
e. SSI 1, 2, 3(e) 4 I

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(h) With RCS temperature above the T-2 interlock and containment water level below the L-1 interlock.

NuScale 3.3.1-10 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 4 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

14. Low RCS Flow
a. DWSI 1, 2, 3 4 H
15. Low Low RCS Flow
a. RTS 1, 2(a), 3(a) 4 D
b. CVCSI 1, 2, 3 4 F
c. DWSI 1, 2(a), 3(a) 4 H
16. Low RPV Riser Level
a. ECCS 1, 2, 3 4 I
167. High Main Steam Pressure
a. RTS 1, 2(a) 4 per SG D
b. DHRS 1, 2, 3(e) 4 per SG I
c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 per SG G
d. DWSI 1, 2(a) 4 per SG H
e. SSI 1, 2, 3(e) 4 per SG I
178. Low Main Steam Pressure
a. RTS 1(b) 4 per SG E
b. DHRS 1(b) 4 per SG E
c. Pressurizer Heater Trip 1(b) 4 per SG E
db. DWSI 1(b) 4 per SG H
c. SSI 1(b) 4 per SG E

(a) When capable of CRA withdrawal.

(b) With power above the N-2H interlock.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

NuScale 3.3.1-11 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 5 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

189. Low Low Main Steam Pressure
a. RTS 1, 2(a) 4 per SG D
b. DHRS 1, 2 4 per SG K
c. Pressurizer Heater Trip 1, 2(f) 4 per SG G
db. DWSI 1, 2(a) 4 per SG H
c. SSI 1, 2(a) 4 per SG I
2019. High Steam Superheat
a. RTS 1 4 per SG D
b. DHRS 1 4 per SG D
c. Pressurizer Heater Trip 1 4 per SG G
db. DWSI 1 4 per SG H
c. SSI 1 4 per SG I
201. Low Steam Superheat
a. RTS 1(b) 4 per SG D
b. DHRS 1 4 per SG D
c. Pressurizer Heater Trip 1 4 per SG G
db. DWSI 1(b) 4 per SG H
c. SSI 1(b) 4 per SG I

(a) When capable of CRA withdrawal.

(b) With power above the N-2H interlock or no V-1 interlock (FWIV closed.)

(f) With pressurizer heater trip breakers closed.

NuScale 3.3.1-12 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 6 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

212. High Narrow Range Containment Pressure
a. RTS 1, 2(a), 3(a) 4 D
b. DHRS 1, 2, 3(e) 4 I
cb. CIS 1, 2, 3(i) 4 LK
dc. CVCSI 1, 2, 3(i) 4 F
e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G
fd. DWSI 1, 2(a), 3(a) 4 H
e. SSI 1, 2, 3(e) 4 I
223. High Containment Water Level
a. ECCS 1, 2, 3(je) 4 I
234. High RCS Pressure - Low Temperature Overpressure Protection
a. LTOP 3(k) 4 J

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(i) With RCS temperature above the T-3 interlock.

(j) With RCS temperature above the T-3 interlock or containment water level below the L-2 interlock.

(k) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

NuScale 3.3.1-13 Draft Revision 3.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 7 of 7)

Module Protection System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS

245. Low AC Voltage to ELVS Battery Chargers
a. RTS 1, 2(a), 3(a) 4 per bus ML
b. DHRS 1, 2, 3(e) 4 per bus ML
c. CIS 1, 2, 3 4 per bus ML
d. CVCSI 1, 2, 3(i) 4 per bus F
de. DWSI 1, 2(a), 3(a) 4 per bus ML
ef. Pressurizer Heater Trip 1, 2(f) 4 per bus ML
g. SSI 1, 2, 3(e) 4 per bus L
256. High Under-the-Bioshield Temperature
a. RTS 1, 2(a), 3(a) 4 LM
b. DHRS 1, 2, 3 4 M
cb. CIS 1, 2, 3 4 LM
c. CVCSI 1, 2, 3(e) 4 F
d. DWSI 1, 2(a), 3(a) 4 LM
e. SSI 1, 2, 3(e) 4 L
e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 M

(a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(i) With RCS temperature above the T-3 interlock.

NuScale 3.3.1-14 Draft Revision 3.0

ESFAS Logic and Actuation 3.3.3 Table 3.3.3-1 (page 1 of 1)

ESFAS Logic and Actuation Functions

ACTUATION FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED DIVISIONS | CONDITIONS

1. Emergency Core Cooling System (ECCS) 1, 2, 3(a) 2 C
2. Decay Heat Removal System (DHRS) 1, 2, 3(a) 2 C
3. Containment Isolation System (CIS) 1, 2, 3(b) 2 D
4. Demineralized Water Supply Isolation (DWSI) 1, 2, 3 2 E
5. CVCS Isolation (CVCSI) 1, 2, 3 2 F
6. Pressurizer Heater Trip 1, 2(c), 3(c) 2 G
7. Low Temperature Overpressure Protection (LTOP) 3(d) 2 A
8. Secondary System Isolation (SSI) 1, 2, 3(b) 2 D

(a) Not PASSIVELY COOLED.

(b) With any RCS temperature above the T-2 interlock.

(c) Not required when Pressurizer Heater trip breakers are open and deactivated. With pressurizer heater breakers closed.

(d) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

NuScale 3.3.3-6 Draft Revision 3.0

Manual Actuation Functions 3.3.4 Table 3.3.4-1 (page 1 of 1)

Manual Actuation Functions

MANUALLY ACTUATED FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED DIVISIONS | CONDITIONS

1. Reactor Trip System 1, 2(a), 3(a) 2 C
2. Emergency Core Cooling System 1, 2, 3(b) 2 D
3. Decay Heat Removal System 1, 2, 3(b) 2 D
4. Containment Isolation System 1, 2, 3(c) 2 I
5. Demineralized Water Supply Isolation 1, 2, 3 2 E
6. CVCS Isolation System 1, 2, 3 2 F
7. Pressurizer Heater Trip 1, 2(d), 3(d) 2 G
8. Low Temperature Overpressure Protection 3(e) 2 H
9. Secondary System Isolation (SSI) 1, 2, 3(c) 2 I

(a) When capable of CRA withdrawal.

(b) When not PASSIVELY COOLED.

(c) With any RCS temperature above the T-2 interlock.

(d) Not required when pressurizer heater trip breakers are open and deactivated. With pressurizer heater breakers closed.

(e) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.

NuScale 3.3.4-4 Draft Revision 3.0

DHRS 3.5.2

3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

3.5.2 Decay Heat Removal System (DHRS)

LCO 3.5.2 Two DHRS loops trains shall be OPERABLE.

APPLICABILITY: MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.

ACTIONS

CONDITION REQUIRED ACTION COMPLETION TIME

A. One DHRS loop train inoperable.

A.1 Restore DHRS loop train to OPERABLE status. 72 hours

B. Required Action and associated Completion Time not met.

OR

Both DHRS loops trains inoperable.

B.1 Be in MODE 2. 6 hours

AND

B.2 Be in MODE 3 and PASSIVELY COOLED. 36 hours

NuScale 3.5.2-1 Draft Revision 3.0

DHRS 3.5.2 SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.5.2.1 Verify required valves accumulator pressures are within limits. In accordance with the Surveillance Frequency Control Program

SR 3.5.2.2 Verify DHRS heat exchangers loops are filled. In accordance with the Surveillance Frequency Control Program

SR 3.5.2.3

-------------------------------NOTE--------------------------------

Not required to be performed for DHRS loop with associated FWIV open.

Verify SG level is > [5]% and [65]% In accordance with the Surveillance Frequency Control Program

SR 3.5.2.43 Verify that each DHRS actuation valve actuates to the open position on an actual or simulated actuation signal. In accordance with the Surveillance Frequency Control Program

SR 3.5.2.54 Verify the open actuation time of each DHRS actuation valve is within limits. In accordance with the INSERVICE TESTING PROGRAM

NuScale 3.5.2-2 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES BACKGROUND (continued)

affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The critical heat flux ratio (CHFR) shall be maintained above the SL value to prevent critical heat flux (CHF);
  • Fuel centerline melting shall not occur; and
  • Pressurizer pressure SL of 2285 psia shall not be exceeded.

Maintaining the variables within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 50.34 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 50.34100 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The MPS includes devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Reactor Trip System (RTS) actuation;
2. Emergency Core Cooling System (ECCS) actuation;
3. Decay Heat Removal System (DHRS) actuation;
4. Containment Isolation System (CIS) actuation;
5. Secondary System Isolation (SSI);
56. Chemical and Volume Control System Isolation (CVCSI) actuation;
67. Demineralized Water Supply Isolation (DWSI) actuation;
78. Pressurizer Heater Trip (PHT) actuation; and
89. Low Temperature Overpressure Protection (LTOP) actuation.

NuScale B 3.3.1-4 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Feedwater Isolation Valve (FWIV) Closed Interlock, V-1

The FWIV Closed interlock, V-1, is active when one or both FWIVs indicate closed.

1. When the V-1 interlock AND the N-2H interlock are active, an automatic operating bypass is established for the Low Main Steam Superheat reactor trip.
2. When the V-1 interlock AND the N-2H interlock are active, OR the containment level interlock, L-1, is active, an automatic operating bypass is established for the Low Main Steam Superheat Secondary System Isolation actuation.
3. When the V-1 interlock OR the N-2H interlock are not active, AND L-1 is not active, the operating bypass is automatically removed for the Low Main Steam Superheat Secondary System Isolation actuation.
4. When the V-1 interlock OR the N-2H interlock are not active, the operating bypass is automatically removed for the Low Main Steam Superheat reactor trip.
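The four bypass rules above can be checked for gaps and contradictions by enumerating every interlock state. The following is an added example, not part of the NuScale submittal or of any MPS code; the function names, and the reading of "V-1 OR N-2H are not active" as "at least one of the two is not active", are assumptions.

```python
"""Added example (not NuScale or MPS code): the Low Main Steam Superheat
operating-bypass rules for interlocks V-1, N-2H and L-1, encoded as
boolean functions and checked over every input combination."""
from itertools import product

# Each argument is True when that interlock is "active" in the sense the
# text uses. Reading "V-1 OR N-2H are not active" as "at least one of the
# two is not active" is an assumption of this example.


def trip_bypass_established(v1: bool, n2h: bool) -> bool:
    """Item 1: operating bypass of the reactor trip is established."""
    return v1 and n2h


def trip_bypass_removed(v1: bool, n2h: bool) -> bool:
    """Item 4: operating bypass of the reactor trip is removed."""
    return (not v1) or (not n2h)


def ssi_bypass_established(v1: bool, n2h: bool, l1: bool) -> bool:
    """Item 2: operating bypass of the SSI actuation is established."""
    return (v1 and n2h) or l1


def ssi_bypass_removed(v1: bool, n2h: bool, l1: bool) -> bool:
    """Item 3: operating bypass of the SSI actuation is removed."""
    return ((not v1) or (not n2h)) and (not l1)


def rule_gaps_and_conflicts():
    """Return every input state in which a bypass is both established and
    removed (conflict) or neither (gap). An empty list means the four
    written rules define the bypass state unambiguously."""
    problems = []
    for v1, n2h, l1 in product((False, True), repeat=3):
        pairs = {
            "reactor trip": (trip_bypass_established(v1, n2h),
                             trip_bypass_removed(v1, n2h)),
            "SSI": (ssi_bypass_established(v1, n2h, l1),
                    ssi_bypass_removed(v1, n2h, l1)),
        }
        for function, (established, removed) in pairs.items():
            if established == removed:
                kind = "conflict" if established else "gap"
                problems.append((function, kind, v1, n2h, l1))
    return problems


def ssi_bypassed_while_trip_enabled():
    """States (V-1, N-2H, L-1) in which the SSI actuation is bypassed while
    the reactor trip on the same variable is not, i.e. the bypass rests on
    L-1 alone."""
    return [
        (v1, n2h, l1)
        for v1, n2h, l1 in product((False, True), repeat=3)
        if ssi_bypass_established(v1, n2h, l1)
        and not trip_bypass_established(v1, n2h)
    ]


if __name__ == "__main__":
    print("gaps/conflicts:", rule_gaps_and_conflicts())
    for v1, n2h, l1 in ssi_bypassed_while_trip_enabled():
        print(f"SSI bypassed, trip enabled: V-1={v1} N-2H={n2h} L-1={l1}")
```

Under that reading the "established" and "removed" conditions are exact complements for both functions, and the SSI bypass differs from the reactor trip bypass only in states where L-1 is active.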

Wide Range RCS Cold Temperature Interlock, T-1

The Wide Range RCS Cold Temperature Interlock, T-1, is established when Wide Range RCS Cold Temperature is greater than approximately 325°F.

NuScale B 3.3.1-15 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. When L-1 is active, an automatic operating bypass is established for the:
  • Low Low Main Steam Pressure Secondary System Isolation actuation,
  • Low Main Steam Superheat Secondary System Isolation actuation,
  • High Narrow Range Containment Pressure Secondary System Isolation actuation,
  • Low Low Pressurizer Level Secondary System Isolation actuation, and
  • Low Low Pressurizer Level Containment System Isolation actuation.
2. When the L-1 interlock is not active, the operating bypass is automatically removed for the:
  • Low Low Main Steam Pressure Secondary System Isolation actuation,
  • Low Main Steam Superheat Secondary System Isolation actuation, and
  • High Narrow Range Containment Pressure Secondary System Isolation actuation.
3. When the L-1 interlock and the WR RCS Thot interlock, T-2, are not active, the operating bypass is automatically removed for the:
  • Low Low Pressurizer Level Secondary System Isolation actuation,
  • Low Low Pressurizer Level CVCS isolation, and
  • Low Low Pressurizer Level Containment System Isolation actuation.

NuScale B 3.3.1-18 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Level Interlock, L-2

The L-2 interlock is active when pressurizer level is greater than 20%.

1. When L-2 AND the WR RCS Thot Interlock, T-3, are active, an automatic operating bypass is established for the High Containment Level ECCS actuation.
2. When L-2 OR the WR RCS Thot Interlock, T-3, are not active, the operating bypass is automatically removed for the High Containment Level ECCS actuation.

NuScale B 3.3.1-19 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. On increasing containment water level the L-1 interlock automatically bypasses the following trip signals for DHR actuation:
  • High Pressurizer Pressure;
  • High Narrow Range RCS Hot Temperature;
  • Low Low Main Steam Pressure;
  • Low Steam Superheat;
  • High Steam Superheat;
  • High Narrow Range Containment Pressure;
  • Low Low Pressurizer Pressure; and
  • Low Low Pressurizer Level.
2. On decreasing containment water level or not RT-1 (Reactor Trip Permissive not established), the L-1 interlock automatically enables the following trip signals for DHR actuation:
  • High Pressurizer Pressure;
  • High Narrow Range RCS Hot Temperature;
  • Low Steam Superheat;
  • High Steam Superheat;
  • High Narrow Range Containment Pressure;
  • Low Low Pressurizer Pressure; and
  • Low Low Pressurizer Level.

NuScale B 3.3.1-20 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

2. Pressurizer Pressure

Pressurizer pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel.

The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 1500 to 2200 psia.

a. High Pressurizer Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, and Secondary System Isolation

The High Pressurizer Pressure trip is designed to protect against exceeding RPV pressure limits for reactivity and heatup events.

The trip provides protection for the following events:

  • Loss of external load;
  • Loss of nonemergency AC power to station auxiliaries;
  • Pressurizer heater malfunction;
  • Inadvertent operation of DHRS;
  • Uncontrolled CRA withdrawal at power;
  • Feedwater system pipe breaks inside and outside the containment vessel.

Four High Pressurizer Pressure Reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.

Four High Pressurizer Pressure DHRS and four SSI channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. When PASSIVE COOLING is established sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Pressurizer Pressure DHRS and Pressurizer Heater Trip determination logic is automatically bypassed when containment water level is above the L-1 interlock and automatically enabled when containment water level is below the L-1 interlock.

b. Low Pressurizer Pressure - Reactor Trip, and Demineralized Water System Isolation, Decay Heat Removal System Actuation, CVCS Isolation, and Pressurizer Heater Breaker Trip

The Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment, CRA drop, and protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Pressurizer Pressure setpoint is approximately 1720 psia. Actual setpoints are established in accordance with the Setpoint Control Program. Four Low Pressurizer Pressure reactor trip and ESFAS channels are required to be OPERABLE when operating in MODE 1 with RCS hot temperature above the T-4 interlock. In MODE 1 with RCS hot temperature below the T-4 interlock and in MODES 2, 3, 4, and 5 the RCS temperatures are well below T-4 and with the reactor subcritical the heat input will be insufficient to reach T-4. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The Reactor Trip and ESFAS actuation of the DHRS, DWSI, CVCS isolation, and pressurizer heater breaker trip by the Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-4 interlock, and is automatically enabled when RCS temperature is above the T-4 interlock.

c. Low Low Pressurizer Pressure - Reactor Trip, Demineralized Water System Isolation, Decay Heat Removal System Actuation, CVCS Isolation and Secondary System Isolation, Pressurizer Heater Breaker Trip

The Low Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment and protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Low Pressurizer Pressure setpoint is approximately 1600 psia. Actual setpoints are established in accordance with the Setpoint Program. Four Low Low Pressurizer Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the function is fulfilled because the CRAs are inserted. Four Low Low Pressurizer Pressure DHRS, CVCSI and Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODES 1 and 2. In MODES 3, 4, and 5 the reactor is subcritical.

Four Low Low Pressurizer Pressure Secondary System Isolation signals are required when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

NuScale B 3.3.1-30 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS actuation of the SSI, DWSI, and CVCS Isolation DHRS and pressurizer heater breaker trip by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-53 interlock or and the reactor trip breakers are open (RT-1) containment water level is above the L-1 interlock, and is automatically enabled when RCS temperature is above the T-53 interlock and or when the reactor trip breakers are not open. containment water level is below the L-1 interlock.

The ESFAS actuation of the CVCS Isolation by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-3 interlock, and is automatically enabled when RCS temperature is above the T-3 interlock.

NuScale B 3.3.1-31 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four Low Pressurizer Level Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Pressurizer Level - Decay Heat Removal System Actuation, Containment Isolation, Secondary System Isolation, and CVCS Isolation, and Pressurizer Heater Trip

The Low Low Pressurizer Level trip provides protection for:
  • Steam system piping failures inside and outside containment;
  • Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel;
  • Loss-of-coolant accidents outside the containment vessel; and

Four Low Low Pressurizer Level Containment Isolation, SSI, and CVCSI trip channels are required to be OPERABLE when operating in MODES 1, and 2, and MODE 3 when RCS temperature is above the T-2 interlock and CNV level is less than L-1. In MODE 3 with RCS temperature below the T-2 interlock, and in MODES 4 and 5, the reactor will remain subcritical.

The Low Low Pressurizer Level Containment Isolation and CVCSI trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock. The Low Low Pressurizer Level Containment Isolation and CVCSI trip channels are automatically enabled when RCS temperature is above the T-2 interlock.

Four Low Low Pressurizer Level DHRS trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock. In MODE 3 with RCS temperature below the T-2 interlock or containment water level above the L-1 interlock with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

The Low Low Pressurizer Level DHRS CIS, SSI, and CVCS Isolation trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock or containment water level is above the L-1 interlock. The Low Low Pressurizer Level DHRS CIS, SSI, and CVCS Isolation trip channels are automatically enabled when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock.

d. Low RPV Riser Level Emergency Core Cooling System Actuation

The Low RPV Riser Level trip signal provides protection for low water level above the core in LOCA events.

Four Low RPV Riser Level trip channels are required to be OPERABLE when operating in MODES 1, 2 and 3. In MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

4. RCS Hot Temperature

Narrow Range RCS Hot Temperature is measured by three resistance temperature detectors (RTDs) per separation group (a total of 12 RTDs), located in the RCS flow near the top of the reactor vessel downcomer.

a. High Narrow Range RCS Hot Temperature - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, Secondary System Isolation

NuScale B 3.3.1-34 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The High RCS Hot Temperature trip provides protection for:

  • Instability events;
  • Uncontrolled CRA withdrawal at power.

The High RCS Hot Temperature trip causes a reactor trip, DWSI, DHRS actuation, SSI and a pressurizer heater trip. The DHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock and automatically enabled when containment water level is below the L-1 interlock.

Four High Narrow Range RCS Hot Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four High Narrow Range RCS Hot Temperature DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

NuScale B 3.3.1-35 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

6. Main Steam Pressure

Main Steam pressure is measured by eight pressure sensors (two per separation group, one on each steam line) located on the main steam lines upstream of the MSIVs near the connection to the DHRS lines.

Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips.

a. High Main Steam Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Secondary System Isolation, and Demineralized Water System Isolation

The High Main Steam Pressure trip provides protection for:
  • Loss of external load;
  • Loss of nonemergency AC power to the station auxiliaries;
  • Closure of a MSIV; and
  • Inadvertent operation of the DHRS.

The High Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, SSI, DWSI, and Pressurizer Heater Trip to actuate.

Four High Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the reactor will remain subcritical.

NuScale B 3.3.1-37 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four Main Steam Pressure DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

The High Main Steam Pressure DHRS and Pressurizer Heater Trip channels are automatically bypassed when containment water level is above the L-1 interlock and the RTBs are open. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation Decay Heat Removal System Actuation, and Pressurizer Heater Trip

The Low Main Steam Pressure trip provides protection for:
  • Increase in steam flow;
  • Inadvertent opening of the turbine bypass system;
  • Steam system piping failures inside and outside the containment vessel; and
  • Feedwater system pipe breaks inside and outside the containment vessel.

NuScale B 3.3.1-38 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Low Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSI Pressurizer Heater Trip to actuate.

Four Low Main Steam Pressure reactor trip, DWSI, DHRS, and Pressurizer Heater and SSI Trip channels measuring pressure on each steam line are required to be OPERABLE when operating in MODES 1 with power range linear power above N-2H. In MODE 1 below N-2H and in MODE 2 the unit is protected by the Low Low Main Steam Pressure function. In MODES 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation Decay Heat Removal System Actuation, and Pressurizer Heater Breaker Trip

The Low Low Main Steam Pressure trip provides protection for:
  • Increase in steam flow;
  • Inadvertent opening of the turbine bypass system;
  • Steam system piping failures inside and outside the containment vessel; and
  • Feedwater system pipe breaks inside and outside the containment vessel.

The Low Low Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSI Pressurizer Heater Breaker Trip to actuate.

NuScale B 3.3.1-39 Draft Revision 3.0

Module Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four Low Low Main Steam Pressure reactor trip, and DWSI, and SSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA and in MODES 3, 4, and 5 the reactor is subcritical.

Four Low Low Main Steam Pressure DHRS SSI Trip channels are required to be OPERABLE when operating in MODES 1 and 2.

Protection from low main steam pressure is not required in MODES 3, 4, and 5.

Four Low Low Main Steam Pressure Pressurizer Heater Breaker Trip channels are required to be OPERABLE in MODE 1 and MODE 2 when pressurizer heater breakers are closed. In MODE 2 with pressurizer heater breakers open and in MODES 3, 4, and 5 the function is fulfilled.

The Low Low Main Steam Pressure SSIDHRS channels are automatically bypassed when water level is above the L-1 interlock and the RTBs are open. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

7. Steam Superheat Steam Superheat is determined by MPS SFM processing of main steam temperature and pressure data. Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips. Four steam temperature sensors are located on each steam pipe upstream of the MSIVs. Each channel of superheat receives two steam generator pressure inputs and two steam temperature inputs (one pressure and one temperature signal from each steam line). The degree of superheat is found by determining the saturation temperature ($T_{SAT}$) at the measured main steam pressure ($P_{STM}$), and subtracting this value from the measured main steam temperature ($T_{STM}$). The main steam saturation temperature is found via a simple steam table lookup function using the measured steam pressure value.

$$T_{SH} = T_{STM} - T_{SAT}(P_{STM})$$


a. High Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Trip The High Steam Superheat trip provides protection for steam generator (SG) boil-off.

The High Steam Superheat trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSIPressurizer Heater Trip to actuate.

Four High Steam Superheat reactor trip, DWSI, DHRS, and SSIPressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Steam Superheat DHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock.

b. Low Steam Superheat - Reactor Trip, Demineralized Water System Isolation, Decay Heat Removal System Actuation, and Secondary System IsolationPressurizer Heater Trip The Low Steam Superheat trip provides mitigation of SG overfilling.

The Low Steam Superheat trip causes the reactor trip breakers to open and the DHRS, DWSI, and SSIPressurizer Heater Trip to actuate. Steam Superheat is determined by MPS processing of temperature and pressure data.

Four Low Steam Superheat reactor trip, DWSI, DHRS, and SSIPressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.


Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The Low Steam Superheat SSIDHRS and Pressurizer Heater Trip actuation is automatically bypassed when containment water level is above the L-1 interlock or 1 FWIV is closed with power less than the N-2H setpoint.

8. Containment Pressure Narrow Range Containment pressure is measured by four sensors (one per separation group) located near the top of the containment vessel.
a. High Narrow Range Containment Pressure - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Secondary System Isolation,Decay Heat Removal System Actuation, Pressurizer Heater Trip, and CVCS Isolation The High Containment Pressure trip provides protection for:
  • System malfunctions that increase the RCS inventory;
  • Inadvertent operation of the ECCS;
  • Loss of containment vacuum;
  • Steam system piping failures inside and outside the containment vessel;
  • Feedwater system pipe breaks inside and outside the containment vessel; and
  • Loss-of-coolant accidents from a spectrum of postulated piping breaks inside the containment vessel.


The High Narrow Range Containment Pressure trip causes the reactor trip breakers to open, the containment to be isolated, the DHRS and Pressurizer Heater TripSSI to be actuated, and the DWS and CVCS to be isolated.

Four High Narrow Range Containment Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal.

Four High Narrow Range Containment Pressure SSIDHRS channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

Four High Containment Pressure CVCSI and CIS channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock. In MODE 3 with RCS temperature below the T-3 interlock, and in MODES 4 and 5, the containment pressure is allowed, and expected, to exceed this setpoint; isolation is not required.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Containment Pressure Containment Isolation, SSI, DHRS, Pressurizer Heater Trip, and CVCSI actuations are automatically bypassed when RCS temperature is below the T-3 interlock. The High Containment Pressure DHRS and Pressurizer Heater Trip actuationSSI is also automatically bypassed when containment water level is above the L-1 interlock.


9. Containment Water Level The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS hot temperature above T-3 or PZR level below L-2. In MODE 3 with RCS hot temperature below T-3 and PZR level above L-2, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and PZR level is above L-2, and automatically enabled when RCS temperature is above the T-3 interlock or PZR level is below L-2.Containment Water Level is measured by 4 sensors (one per separation group) located in the containment vessel. The level is measured by a radar instrument which will run the entire distance of the measurement, from the containment head to an elevation below 45 ft.
a. High Containment Water Level Emergency Core Cooling System Actuation The High Containment Water Level trip provides protection for LOCA events.

The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and the RTBs open, and automatically enabled when RCS temperature is above the T-3 interlock.


11. Low AC Voltage to ELVS Battery Chargers The Low AC Voltage function ensures the EDSS batteries supply power for their full mission time; 24 hours for A and D power channels, and 72 hours for B and C power channels. Power channels B and C provide power to the accident monitoring equipment. It also keeps ECCS from actuating for 24 hours to allow operators time to restore AC power. An ECCS actuation will occur if required by unit conditions. The 24 hours after the loss of normal AC is called ECCS Hold.
a. Low ELVS Voltage - ECCS Hold Low ELVS Voltage is determined by measuring two ELVS 480 VAC buses that provide power to the EDSS battery chargers with two sensors per separation group. If both 480 VAC bus voltages are below the setpoint, the following occurs:
  • DHRS Actuation;
  • Pressurizer Heater Trip Actuation;
  • Containment Isolation Actuation;
  • Chemical and Volume Control System Isolation;
  • Secondary System Isolation;
  • Demineralized Water System Isolation; and
  • 24 hour timers started.

If AC voltage is not restored to at least EDSS battery charger B OR C within 24 hours the following will occur:

  • RTS chassis is de-energized;
  • ESFAS chassis is de-energized; and
  • MWS is de-energized.


This will generate an ECCS actuation.

Eight (4/bus) Low ELVS Voltage DWSI and reactor trip channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Eight (4/bus) Low ELVS Voltage Containment Isolation channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the functions are fulfilled.

Eight (4/bus) Low ELVS Voltage DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Eight (4/bus) Low ELVS Voltage Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater trip breakers closed. In MODE 2 with the pressurizer heater trip breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels per bus are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

12. Under-the-Bioshield Temperature Temperature under the bioshield is measured by 4 sensors (one per separation group) mounted on the pool wall outside containment.
a. High Under-the-Bioshield Temperature - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Chemical and Volume Control System Isolation, and Secondary System IsolationDecay Heat Removal System Actuation, and Pressurizer Heater Trip An undetected small main steam line break under the bioshield would expose the equipment to sustained elevated temperatures challenging the safety-related functions of the MSIVs and DHR valves. The High Temperature Under-the-Bioshield trip provides protection for the safety-related equipment that would be exposed

Four High Under-the-Bioshield Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Four High Under-the-Bioshield Temperature DHRS and Containment Isolation channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 these functions are fulfilled.

Four High Under-the-Bioshield Temperature SSI and CVCSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical, passively cooled, and the MSIVs would be in their credited safety position.

Four High Under-the-Bioshield Temperature Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater trip breakers closed. In MODE 2 with the pressurizer heater trip breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

ACTIONS

The most common causes of channel inoperability are outright failure of a sensor or MPS SFM module sufficient to exceed the tolerance allowed by the unit-specific setpoint analysis as specified by the SP. Typically, sensor drift is found to be small and results in a delay of actuation rather than a total loss of capability to actuate within the allowed tolerance around the NTSP. This determination of the channel's actual trip setting is generally made during the performance of a CHANNEL CALIBRATION when the process sensor output signal is measured and verified to be within specification. If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE status.


Module Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

K.1 and K.2 Condition K is entered when Condition C applies to Functions that result in actuation of the DHRS on Low Low Main Steam Pressure as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions K.1 and K.2. K.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable DHRS automatic channel. K.2 places the unit in MODE 3 within 36 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

LK.1 and LK.2 Condition LK is entered when Condition C applies to Functions that result in actuation of the Containment Isolation system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions LK.1 and LK.2. LK.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. LK.2 places the unit in MODE 3 with RCS hot temperature < 200°F within 48 hours of entering the condition. This condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

ML.1, ML.2, and ML.3, L.4, and L.5 Condition LM is entered when Condition C applies to Functions that result in a reactor trip, CIS actuation, DHR actuation, DWSI, SSI, and Pressurizer Heater Trip due to the Low ELVS Voltage or High Under-the-Bioshield Temperature as listed in Table 3.3.1-1.


If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions ML.1, ML.2, ML.3, ML.4, and ML.5.

ML.1 places the unit in MODE 2 within 672 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel. ML.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 396 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the DHRS OPERABILITY is no longer required.

ML.3 places the unit in MODE 3 with RCS temperature below the T-2 interlock within 396 hours of entering the condition. This condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.

ML.4 isolates the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valvedemineralized water flowpath to the RCS within 396 hours. This completes the function of the DWSI.

ML.5 opens the power supply breakers to the pressurizer heaters within 396 hours.

Completion Times are established considering the likelihood of a design basis event that would require automatic actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

N.1 and N.2 Condition N is entered when Condition C applies to Functions that result in the actuation of DHRS on Low Low Pressurizer Level as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions N.1 and N.2. N.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable DHRS automatic channel. N.2 places the unit in MODE 3 with RCS temperature below the T-2 interlock or in MODE 3 with Containment Water Level above the L-1 interlock within 48 hours of entering the condition. This condition assures the RCS is in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require DHRS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

SURVEILLANCE REQUIREMENTS

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken.

This determination includes, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same process variable. This determination is made using computer software or may be performed manually.

It is based on the assumption that instrument channels monitoring the same process variable should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between CHANNEL CALIBRATIONS.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment is operating outside its limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.


ESFAS Logic and Actuation B 3.3.3

B 3.3 INSTRUMENTATION

B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation

BASES

BACKGROUND

The ESFAS portion of the Module Protection System (MPS) protects against violating the core fuel design limits, ensures reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents, and ensures acceptable consequences during accidents by initiating necessary safety systems.

Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.

Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups is received by each division of the ESFAS SVMs.

LCO 3.3.3 addresses only the logic and actuation portions of the MPS that perform the ESFAS functions. The scope of this LCO begins at the inputs to the SVMs and extends through the actuating contacts on the actuated components. This LCO also includes the pressurizer heater trip breakers. Component OPERABILITY and surveillance requirements are provided in the system LCOs and by programmatic requirements identified in Chapter 5, Administrative Controls.

LCO 3.3.1, Module Protection System (MPS) Instrumentation, and LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.

The ESFAS logic and actuation consists of:

1. Emergency Core Cooling System (ECCS) actuation;
2. Decay Heat Removal System (DHRS) actuation;
3. Containment Isolation System (CIS) actuation;
4. Demineralized Water Supply Isolation (DWSI) actuation;
5. Chemical and Volume Control System Isolation (CVCSI) actuation;
6. Pressurizer Heater Trip (PHT); and
7. Low Temperature Overpressure Protection (LTOP) actuation; and.
8. Secondary System Isolation (SSI) actuation.

Logic for Actuation Initiation The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.

The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division -

independent and redundant EIMs for each division of ESFAS.

The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
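The two-stage vote described above, and the repeated statement that four channels permit one channel in trip or bypass while no single random failure disables the Function, can be checked by enumeration. The following is an added example, not NuScale code and not part of the submittal. It assumes that a bypassed channel is a forced "no trip" vote, that a channel placed in trip is a forced "trip" vote, and that a failed SVM is stuck at "no actuation"; all names are illustrative.

```python
from enum import Enum

GROUPS = 4  # separation groups (SFMs) feeding each SVM
SVMS = 3    # redundant SVMs per ESFAS division


class Mode(Enum):
    NORMAL = "normal"  # channel reports its own trip determination
    BYPASS = "bypass"  # assumption: forced "no trip" vote
    TRIP = "trip"      # assumption: forced "trip" vote


def group_vote(demand, mode=Mode.NORMAL, stuck=None):
    """Vote one separation group sends to the SVMs.

    demand: True when the process variable really requires actuation.
    stuck:  None for a healthy channel, or the value a failed channel
            is stuck at (False hides a demand, True is a spurious trip).
    """
    if mode is Mode.TRIP:
        return True
    if mode is Mode.BYPASS:
        return False
    return demand if stuck is None else stuck


def svm_vote(votes):
    """SVM stage: actuate when two or more of the four groups vote trip."""
    return sum(votes) >= 2


def eim_vote(svm_outputs):
    """EIM stage: actuate when two of the three SVM signals agree."""
    return sum(svm_outputs) >= 2


def division_actuates(votes, dead_svm=None):
    """One division: three SVMs vote 2-of-4, the EIM votes 2-of-3."""
    outputs = [False if i == dead_svm else svm_vote(votes) for i in range(SVMS)]
    return eim_vote(outputs)


def survives_any_single_failure(modes):
    """True if a real demand actuates under every single random failure."""
    # Case 1: one in-service channel fails in the non-conservative direction.
    for failed, mode in enumerate(modes):
        if mode is not Mode.NORMAL:
            continue
        votes = [group_vote(True, m, False if g == failed else None)
                 for g, m in enumerate(modes)]
        if not division_actuates(votes):
            return False
    # Case 2: one SVM is lost with all in-service channels healthy.
    votes = [group_vote(True, m) for m in modes]
    return all(division_actuates(votes, dead_svm=s) for s in range(SVMS))


def spurious_on_single_fault(modes):
    """True if one channel failing high, with no demand, actuates the division."""
    for failed, mode in enumerate(modes):
        if mode is not Mode.NORMAL:
            continue
        votes = [group_vote(False, m, True if g == failed else None)
                 for g, m in enumerate(modes)]
        if division_actuates(votes):
            return True
    return False


N, B, T = Mode.NORMAL, Mode.BYPASS, Mode.TRIP
ONE_BYPASSED = [B, N, N, N]   # effective logic becomes 2-of-3
ONE_TRIPPED = [T, N, N, N]    # effective logic becomes 1-of-3
TWO_BYPASSED = [B, B, N, N]   # effective logic becomes 2-of-2

if __name__ == "__main__":
    for label, modes in [("one bypassed", ONE_BYPASSED),
                         ("one tripped", ONE_TRIPPED),
                         ("two bypassed", TWO_BYPASSED)]:
        print(label,
              "| tolerates single failure:", survives_any_single_failure(modes),
              "| single fault causes spurious actuation:",
              spurious_on_single_fault(modes))
```

Under these assumptions the enumeration shows the trade-off behind the two maintenance states: a bypassed channel keeps protection against spurious actuation, while a channel placed in trip lets one further spurious vote actuate the division.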

ESFAS Actuation Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.

Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV, per steam line (two total), and either Division I or II actuation will close it.

Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.

Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unit is shutdown. FSAR, Chapter 7 (Ref. 1), describes MPS testing in more detail.


ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

8. Secondary System Isolation The Secondary System Isolation is designed to isolate the steam generators from the feedwater and main steam systems. The system limits releases of radioactive materials via these flowpaths. It also provides boundaries to preserve the inventory of the DHRS ensuring that capability to transfer decay heat to the UHS remains available.

Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when the RCS temperature is above the T-2 interlock.

The ESFAS logic and actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Operability requirements for manual ESFAS actuation are described in LCO 3.3.4.


ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)

C.1 and C.2 If Required Action B.1 directs entry into Condition C as specified in Table 3.3.3-1, or if both divisions of ECCS or DHRS are inoperable the unit is outside its design basis ability to automatically mitigate a postulated event.

With one division of actuation logic inoperable the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the ECCS or DHRS if required.

C.1 requires the unit to be in MODE 2 within 6. This action limits the time the unit may continue to operate with limited or inoperable automatic actuation logic.

C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. This condition assures adequate passive decay heat transfer to the UHS and results in the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.

D.1 and D.2 If Required Action B.1 directs entry into Condition D as specified in Table 3.3.3-1, or if both divisions of the containment isolation or secondary system isolation actuation fFunction are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the CIS if required.

D.1 requires the unit to be in MODE 2 within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable CIS automatic actuation logic.

D.2 requires the unit to be placed in MODE 3 with RCS temperature below the T-2 interlock within 48 hours of entering the Condition. This

ECCS B 3.5.1

B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.1 Emergency Core Cooling System (ECCS) - Operating

BASES

BACKGROUND

The ECCS provides decay heat removal for a postulated steam generator tube failure event or Loss of Coolant Accident (LOCA) event that exceeds the makeup capacity of the Chemical and Volume Control System (CVCS). The ECCS is designed to bring the reactor coolant system (RCS) to a low temperature and low pressure safe shutdown condition.

The ECCS consists of three reactor vent valves (RVVs) located on the reactor head, two RRVs located above the reactor flange, and associated controls and instrumentation. The RVVs are connected to the vapor space of the pressurizer region of the reactor vessel. The reactor recirculation valves (RRVs) penetrate the reactor vessel above the top of the reactor core and open into the downcomer region of the reactor vessel. The ECCS valves form a portion of the reactor coolant pressure boundary.

ECCS actuation occurs when the Module Protection System (MPS) de-energizes solenoid trip valves in the hydraulic controls of the RVVs and RRVs. MPS is designed to actuate the ECCS on low RCS water level, or high containment water level. In addition to the solenoid trip valve actuation, the ECCS valves are hydraulically interlocked in the closed position until the differential pressure between the RCS and containment vessel is reduced by flow from a postulated break. Even with an open signal present the valves do not actuate open until the differential pressure has fallen to the differential pressure setpoint. The differential pressure interlock will not prevent the ECCS system from performing its design function, it just reduces the likelihood of inadvertent actuation during power operations.

ECCS actuation and function, including the differential pressure interlock, do not require electrical power. The solenoid trip valves are designed to actuate upon loss of electrical power. The differential pressure interlock is mechanical and does not require external power, depending only on the pressure sources of the reactor vessel and of the containment environment to function. No operator action is required to establish and maintain long term core cooling when the system is actuated. Note that in certain loss of power events, the ECCS actuation solenoid trip valves are supplied battery power to prevent inadvertent actuation. After 24 hours on battery power, ECCS is actuated, removing this battery load and preserving battery power capability for other instrument functions. The battery power timer design basis and description is provided in Technical Specifications 3.3.1, MPS Instrumentation, and 3.3.3, ESFAS Logic and Actuation.

RCS vapor is vented from the pressurizer space through the RVVs into the containment vessel when the RVVs are opened. This steam condenses on the inner walls of the containment vessel and flows to the bottom of the vessel where it accumulates with any other leakage that is in the containment vessel from a postulated break. The RRVs open simultaneously with the RVVs to provide a flow path for this condensate from the containment vessel to flow back into the reactor vessel. The design of the reactor and containment vessel geometries and the total RCS liquid volume is such that upon ECCS actuation, liquid levels in both the reactor and containment vessel will stabilize above the top of the core. The containment water level will be higher than the RCS level providing the driving force for natural circulation flow of cooler RCS water in containment back into the reactor vessel.

This natural circulation flow will maintain core submersion and cooling.

Heat is transferred to the containment by steam condensation on the containment interior, and then removed from containment by condensate heat conduction through the containment vessel wall. In addition to mass transfer, heat is removed by conduction through the reactor vessel walls during ECCS operation because the lower portions of the reactor vessel walls are submerged and wetted by coolant on both sides. Heat is removed from the containment wall through contact with the reactor pool which acts as the ultimate heat sink (UHS).

The ECCS valves are sized to ensure that sufficient pressure equalization exists to support core cooling when at least two RVVs and at least one RRV have opened.

In MODES 1, 2 and MODE 3 when not PASSIVELY COOLED the RCS hot temperature is greater than the T-3 interlock (approximately 350°F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%), the ECCS is actuated on high level in the containment vessel or low level in the reactor vessel. The high containment level actuation set point of the ECCS was chosen to ensure that sufficient level exists within the containment vessel prior to actuation of the ECCS to ensure the core remains covered as a result of ECCS actuation. Similarly, the low reactor vessel level was selected to ensure that ECCS actuation occurs with sufficient coolant inventory available, which results in water levels above the reactor core during operation.

Specification 3.3.1 describes the instrumentation and actuation logic for ECCS actuation. In applicable design basis accident scenarios, this actuation setpoint is sufficient to ensure the core remains cooled and covered.

In MODE 3 the RVVs provide Low Temperature Over-Pressure (LTOP) protection for the RCS as described in LCO 3.4.10.

In MODE 3 in PASSIVE COOLING, the ECCS is either performing its design function to support the transfer of decay heat from the reactor core to the containment vessel so the system or alternative means of removing decay heat have been established and the system is no longer required to be OPERABLE.

In MODE 4 the ECCS is not required whenbecause the ECCS valves are open and de-energized, andor the unit is being PASSIVELY COOLEDpassively cooled ensuringwhich ensures decay heat removal is being accomplished. Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de-energized and opened RRVs are open between the UHS water inside the containment and the RCS. In MODE 5, core cooling is accomplished by conduction through the RPV wall to the ultimate heat sink until the upper containment and upper RPV are separated from the lower RPV and the reactor core.Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de energized and opened RRVs provide direct communication between the UHS water inside the containment and the RCS. During this period, and while in MODE 5, core cooling is accomplished by conduction through the reactor pressure vessel wall to the ultimate heat sink. Once the RPV is separated at the flange during disassembly the lower RPV internals and reactor core are RCS is in direct contact with the UHSreactor pool thereby ensuring adequate cooling by direct contact with the ultimate heat sink. Therefore the ECCS is not required to be OPERABLE in MODE 5.

The ECCS valves are OPERABLE when they are closed and capable of opening upon receipt of an actuation signal, or are open performing their intended function. FSAR Section 6.3 describes the ECCS design (Ref. 1).

APPLICABLE SAFETY ANALYSES The ECCS is designed to provide core cooling following postulated Loss of Coolant Accident design basis events as described in the FSAR, Chapter 15 (Ref 2)., including:

  • Loss of Coolant Accident
  • Steam Generator Tube Failure

The system establishes a path for heat transfer to the UHS via conduction and convection of condensed coolant in the containment vessel and by the condensation of steam vapor on the upper portions of the containment vessel. The design ensures that in the event of a loss of primary coolant to the containment vessel, sufficient coolant will be returned to the reactor vessel to ensure that the core remains cooled and covered at all times. Actuation of the system ensures that pressure differences between the containment vessel and the reactor pressure vessel are minimized sufficiently to allow hydraulic head of the fluid in containment to establish flow to the reactor vessel via an open RRV.

The ECCS system includes an inadvertent actuation block (IAB) feature. The IAB safety function is to permit the RVVs and RRVs to open only when appropriate conditions exist as described in the safety analysis.

ECCS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO establishes the minimum conditions necessary to ensure that ECCS valves will be available to meet the initial conditions assumed in the safety analyses. Two RVVs and one RRV provide the safety function of the safety analyses for LOCA and SGTF events.

Loss of any system component eliminates the redundancy provided to meet its safety function.

APPLICABILITY The ECCS is relied upon to provide a passive response to loss of coolant accidents in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED the RCS hot temperature is greater than the T-3 interlock (approximately 350°F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%). Additionally, the valves are ensured to open when power is removed when the module is disconnected at the operating position as part of the refueling process.

In MODE 4 and 5 core cooling is provided by passive conduction through the NuScale B 3.5.1-4 Draft Revision 3.0

DHRS B 3.5.2 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.2 Decay Heat Removal System (DHRS)

BASES BACKGROUND The Decay Heat Removal System (DHRS) is a passive heat removal system that is used whenever the normal unit feedwater and steam systems are unavailable due to failure or loss of normal AC power.

The system is comprised of two trainsloops; one connected to each of the two steam generators.

Each looptrain of decay heat removal includes a steam generator submersed in the reactor coolant system fluid, and a heat exchanger that is attached to the outside of the containment vessel and submerged in the reactor pool. The heat exchanger is located above midline of the steam generator. The top inlet of the DHRS heat exchanger is attached to the main steam line upstream of the main steam isolation valve of the associated steam generator. The bottom of the heat exchanger is attached to the feedwater line downstream of the feedwater isolation valve to the associated steam generator. Each DHR heat exchanger is normally isolated from the main steam lines by two valves, the DHRS Actuation valves, in parallel on the line between the top of the heat exchanger and the main steam line from the associated steam generator.

During normal operation the DHR heat exchanger is filled and maintained pressurized by the feedwater system. When decay heat removal is required to perform its design function the feedwater and main steam isolation valves are closed, and the DHRS Actuation valves open. The closed feedwater and main steam isolation valves form part of the DHRS pressure boundary; these valves are described in FSAR Section 5.4 (Ref. 1). This allows the water stored in the heat exchanger and piping to enter the steam generator via gravity as steam flows into the heat exchanger from the main steam line. Steam condenses on the inside of the tubes and continues to drain back to the steam generator in a closed loop. The inventory of the decay heat removal system, associated SG, and piping is sufficient to support the operation of the system.

Only one looptrain of DHRS is required to meet the decay heat removal requirements of the power module, and only one DHRS Actuation valve is required to open to ensure operation of a decay heat removal train. As a result there is no single active failure that will prevent a single loop ofthe DHRS from performing its design function.

The closed feedwater and main steam isolation valves form part of the DHRS loop pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1) and FSAR Section 10.3 (Ref. 2).

APPLICABLE SAFETY ANALYSIS The DHRS is designed to ensure that adequate decay heat removal is provided to ensure core integrity. The system function is bounded by loss of normal AC power event, as described in FSAR, Chapter 15 (Ref. 32). A loss of normal AC power will result in a loss of feedwater and a loss of condenser vacuum. Both of these anticipated operational occurrences (AOOs) require actuation of the DHRS.

DHRS is actuated by MPS upon receipt of any of the following:

a. High Pressurizer Pressure
b. High RCS Hot Temperature
c. High Containment Pressure
d. Low Pressurizer Pressure
e. Low Low Pressurizer Level
cf. Low AC Voltage
g. Low Steam Pressure
h. Low Low Steam Pressure
di. High Steam Pressure
j. High Steam Superheat
k. Low Steam Superheat
l. High Under The Bioshield Temperature

These actuations cover the range of events that indicate inadequatewould prevent the normal feedwater and steam systems from providing heat removal fromto the Reactor Coolant System.

DHRS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO ensures that sufficient DHRS equipment is OPERABLE to meet the initial conditions assumed in the safety analyses. One looptrain of DHRS is required to function to meet the safety function of the system. Loss of any system component impacts the redundancy needed to ensure that the system is capable of meeting its safety function if a single failure occurs. Each loop of DHRS includes one SG, one heat exchanger, and redundant valves that actuate for the system to meet its safety function. Inoperability of individual redundant valves does not affect the overall redundancy of the DHRS. However, both redundant valves are needed to ensure that the DHRS loop is capable of meeting its safety function if a single active failure occurs.

APPLICABILITY The DHRS is relied upon to provide a passive means of decay heat removal in MODES 1 and 2. The DHRS must remain OPERABLE in MODE 3 until PASSIVE COOLING. In MODE 4, DHRS is not required because conductive shutdown cooling through the containment vessel to the ultimate heat sink (UHS) has been established. When being disassembled in MODE 4 and in MODE 5 when one or more reactor vessel flange bolts are less than fully tensioned, but before the upper module and lower reactor vessel are separated, the containment lower shell has been removed and the reactor vessel and RCS are cooled by direct contact with the UHS. In MODE 5 decay heat removal is by direct transfer to the refueling pool water which is in contact with the reactor fuel.

ACTIONS A.1 To meet the DHR safety function at least one looptrain must function.

If a single looptrain of DHR is inoperable it eliminates the redundancy of this safety system. The system must be restored to OPERABLE.

A completion time of 72 hours is reasonable based on the probability of the DHR system being needed during this period, the reliability of the other looptrain of DHR including redundant actuation and isolation valves, and the ability of the unit to cope with this conditionevent using the ECCS.

B.1 and B.2 If the Required Actions cannot be completed within the associated Completion Time, or if both loopstrains of DHRS are declared inoperable the unit must be placed in a mode that does not rely on the DHRS. This is accomplished by Required Actions B.1 and B.2.

Required Action B.1 places the unit in MODE 2 within 6 hours.

Required Action B.2 places the unit in MODE 3 and passively cooledPASSIVELY COOLED within 36 hours.

Completion Times are established considering the likelihood of an event that would require DHRS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.5.2.1 This SR verifies adequate pressure in the accumulators required for DHRS actuation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 Verification that the DHRS including the heat exchanger is filled ensures that there is sufficient inventory in the loop to fulfill its design function, and that non-condensable gases have not accumulated in the system. Each looptrain of the DHRS has four level sensors - two located on the DHRS piping below each of the two actuation valves that would indicate a reduced water level in the DHRS heat exchanger legloop. Any level switch indicating a reduced water level is sufficient to determine the DHRS heat exchanger legloop is not filled. The DHRS is filled with feedwater during startup, and during normal operation it is maintained filled by feedwater pressure. Feedwater flow through the DHRS loop does not occur because the DHRS actuation valves are closed.

Dissolved gas concentrations are maintained very low in feedwater during startup and operations by secondary water chemistry requirements. Therefore, significant levels of noncondensable gases are not expected to accumulate in the DHRS piping. However, maintaining the required DHRS inventory using the level sensors protects against buildup of noncondensable gases which could adversely affect DHRS operation. Monitoring the level switches ensures the system remains filled and non-condensable gas accumulation has not occurred.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.3 Verification that the level in a steam generator (SG) is > [5]% and [65]% when its associated feedwater isolation valve is closed assures that the SG contains inventory adequate to support actuation and OPERABILITY of the associated decay heat removal system loop if it is required.

A Note is provided indicating that the surveillance is not required to be performed when the associated FWIV is open. In those conditions, the normal feedwater system controls ensure that the SG will support DHRS OPERABILITY if it is required.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.43 Verification that the DHRS actuation valves are OPERABLE by stroking the valves open ensures that each looptrain of DHRS will function as designed when these valves are actuated. The DHRS actuation valves safety function is to open as described in the safety analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.54 Verifying that the open actuation time of each DHRS actuation valve is within limits is required to demonstrate OPERABILITY. The open actuation time test ensures that the valve will open in a time period less than or equal to that assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. Each looptrain of DHRS contains two actuation valves, one actuated from each division of the MPS ESFAS actuation logic.

Actuation time is measured from output of the module protection system equipment interface module until the valves are open.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR Section 5.4, "Reactor Coolant System Component and Subsystem Design."

2. FSAR Section 10.3, "Main Steam System."
23. FSAR Chapter 15, Transient and Accident Analysis.

MSIVs B 3.7.1 BASES BACKGROUND (continued)

The four valves are arranged so that each MSIV is provided with a bypass line that includes a MSIV bypass valve, one safety related and one non-safety related, arranged in parallel with the corresponding MSIVs.

The safety-related MSIVs and non-safety related secondary MSIVs, as well as the normally-closed MSIV bypass valves, will receive and close upon receipt of a Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or Containment Isolation System actuation as described in Specification 3.3.1. Each of the MSIV and MSIV Bypass Valves is designed to close upon loss of power.

Closing the MSIVs and MSIV bypass valves isolates the Turbine Bypass System and other steam flows from the SG to the balance of plant. The MSIVs isolate steam flow from the secondary side of the associated SG following a high-energy line break and preserve the reactor coolant system (RCS) inventory in the event of a steam generator tube failure (SGTF). The MSIVs and MSIV bypass valves also form part of the boundary of the safety-related, closed-loop, DHRS described in FSAR Section 5.4 (Ref. 3).

APPLICABLE SAFETY ANALYSES The MSIVs and MSIV Bypass Isolation Valves close to isolate the SGs from the power conversion system. Isolation limits postulated releases of radioactive material from the SGs in the event of a SG tube failure (Ref. 4) and terminates flow from SGs for postulated steam line breaks outside containment (Ref. 5). This minimizes radiological contamination of the secondary plant systems and components, and minimizes associated potential for activity releases to the environment, and preserves RCS inventory in the event of a SGTF.

The isolation of steam lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of an unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss-of-coolant accident (non-LOCA) design basis events when normal secondary-side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions.

The safety-related and nonsafety-related MSIV and MSIV bypass valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

MSIVs B 3.7.1 BASES ACTIONS (continued)

B.1 With a steam line that cannot be manually or automatically isolated the supported safety functions can no longer be met. This condition applies when two or more inoperable isolation valves prevent automatic or manual isolation of steam flow from the steam generator. This condition exists when a flow path through the safety related MSIV and MSIV bypass valve exists, and a flow path through the non-safety related secondary MSIV and MSIV bypass valve exists, that cannot be manually or automatically isolated.

For example, one MSIV bypass valve inoperable and open, and one non-safety related secondary MSIV inoperable and open could prevent isolation of the steam flow from the associated steam generator. In this condition a steam line flow could exist through the MSIV bypass valve and the secondary MSIV that could not be isolated.

Action B.1 requires isolation of the main steam line by closure of valves so that the safety function of the steam line isolation is accomplished.

Some repairs may be accomplished within the 8 hour period. The 8 hour completion time is reasonable because the inoperable isolation valve only affect the capability of one of the two redundant DHRS trains to function.

The time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require isolation of the steam line.

If the main steam line can be isolated within 8 hours then its safety function is being performed. An inoperable MSIV or bypass valve may be utilized to isolate the steam line only if its leak tightness has not been compromised.

Feedwater Isolation B 3.7.2 B 3.7 PLANT SYSTEMS

B 3.7.2 Feedwater Isolation

BASES BACKGROUND Each Feedwater line has one safety-related feedwater isolation valve (FWIV) to isolate feedwater flow when required to support decay heat removal system (DHRS) operation or the containment system (CNTS).

The safety-related FWIVs are located outside of and close to containment. Each feedwater line includes a non-safety related feedwater regulating valve (FWRV) located upstream of the removable pipe spool between the module and the balance of the feedwater system. A description of the safety-related FWIVs is found in FSAR Section 6.2 (Ref. 1). A description of the non-safety related FWRVs is found in FSAR Section 10.4 (Ref. 2).

The safety related FWIVs and non-safety related FWRV are closed on Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or and Containment Isolation System actuations as described in Specification 3.3.1. Each FWIV and FWRV closes on loss of power.

Closing of the FWIVs and FWRVs isolates each Steam Generator (SG) from the other SG and isolates the feedwater flows to the SGs from the balance of plant.

The FWIV and FWRV isolate the feedwater flow from the secondary side of the associated SG following a high energy line break and preserve RCS inventory in the event of a steam generator tube failure (SGTF). The FWIVs and FWRVs form part of the boundary of the safety-related DHRS closed loop, as described in FSAR Section 5.4 (Ref. 3) and applicable requirements in Specification 3.5.2.

APPLICABLE SAFETY ANALYSES The FWIVs and FWRVs close to isolate the SGs from the balance of plant feedwater system. Isolation limits postulated releases of radioactive material from the SG in the event of a SG tube failure and terminates flow to the SGs in postulated feedwater line breaks inside and outside containment (Ref. 4). This minimizes radiological contamination of the secondary plant systems and components, and minimizes any associated potential for activity releases to the environment and preserves safety RCS inventory levels.

The isolation of the feedwater lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of the unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss of coolant accident (non-LOCA) design basis events when normal secondary side cooling is unavailable or otherwise not utilized. The DHRS NuScale B 3.7.2-1 Draft Revision 3.0