ML20042E072

From kanterella
Forwards Response to 900314 Request for Addl Info Re Ssar for Advanced Bwr,Chapters 7 & 10 Covering Hardware/Software Constraints,Performance Constraints,Sys & Equipment Levels & Oxygen Sys Injection
Person / Time
Site: 05000605
Issue date: 04/16/1990
From: Marriott P
GENERAL ELECTRIC CO.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
EEN-9016, NUDOCS 9004200004


Text

GE Nuclear Energy
General Electric Company, 175 Curtner Avenue, San Jose, CA 95125

April 16, 1990
MFN No. 035-90
Docket No. STN 50-605
EEN-9016

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: Charles L. Miller, Director
Standardization and Non-Power Reactor Project Directorate

Subject: Submittal of Responses to Additional Information as Requested in NRC Letter from Dino C. Scaletti, Dated March 14, 1990

Reference:

Enclosed are thirty-four (34) copies of further responses to subject Request for Additional Information (RAI) on the Standard Safety Analysis Report (SSAR) for the Advanced Boiling Water Reactor (ABWR). These responses pertain to Chapters 7 and 10.

It is intended that GE will amend the SSAR with these responses in a future amendment.

Sincerely,

P. W. Marriott, Manager
Regulatory and Analysis Services
M/C 382, (408) 925-6948

cc: F. A. Ross (DOE)
    D. C. Scaletti (NRC)
    D. R. Wilkins (GE)
    J. F. Quirk (GE)


QUESTION 420.019 (7.1.2.1.6(4)) This section states that automatic self-test is performed sequentially on all four divisions, to minimize common mode effects, and that a complete self-test sequence through all four divisions takes no more than 30 minutes. The original response to question 19 revised this section. What hardware and software design features are provided to allow sequencing the testing of the four divisions without violating independence/isolation criteria? The revised section appears to allow a common centralized test driver. Illustrate with a block diagram.

RESPONSE 420.019 Please refer to the responses to questions 420.73 and 420.127, which are closely related. Figure 7.1-1 was revised in accordance with the design change which eliminated the on-line interconnecting concept for the self-test function. This provides the requested block diagram. The previous revision of subsection 7.1.2.1.6 was incomplete, but has now been completely revised consistent with this philosophy (see attached 7.1.2.1.6(6)).

The updated SSLC self-test program includes an on-line test and an off-line test. Both are independently conducted on each division. There are no common centralized test drivers. Details are described in the updated 7.1.2.1.6(6), and in 7A.2 responses (6) and (14).

QUESTION 420.069 (7) Are there any limitations on the ABWR design concerning the use of expert systems? Any limitations on the use of technology not specifically described? The original response does not describe an approach for determining what hardware or software developments (which may occur between design certification and plant operation) can be implemented without changes to the design certification and NRC review.

RESPONSE 420.069 NOTE: THE FOLLOWING IS THE ORIGINAL RESPONSE TO QUESTION 420.69. A SUPPLEMENT HAS BEEN ADDED AT THE END IN RESPONSE TO THE AMENDED PORTION OF THE QUESTION.

Advanced technology has been applied to RPS and overall safety system design for ABWR in order to produce a system that is more compact, more reliable, more accurate, and more responsive than analog/relay designs.

Previous experience with the Clinton Nuclear System Protection System (NSPS) proved that discrete, solid state logic gates could provide a simple and testable replacement for RPS relay logic. However, this implementation required the use of several hundred printed circuit boards in the four protection divisions. The large quantity of equipment affected system reliability and required a complex, external self-test system to ensure adequate availability (by fast detection and localization of circuit faults).

Investigations into the use of more advanced technology for ABWR RPS logic (part of Safety System Logic & Control) showed that significant cost savings and performance improvements were possible if locally digitized plant variables were multiplexed over fiber optic cables to the control room. The multiplexed data would be processed in microprocessor-based logic equipment controlled by software residing in non-volatile memory ("firmware"). Control signals would also be multiplexed from the control room to the actuators of driven equipment for many systems. This type of configuration would greatly reduce the amount of processing equipment and cabling by replacing hardware logic with a software-based design requiring fewer integrated circuits.

RPS and other safety systems for ABWR based on the above configuration remain independent of plant control or computer systems; digital processing of sensor data for possible trip action is contained within the safety grade boundaries of the protection divisions. Control systems or the process computer do not provide inputs to safety system logic.

In addition to multiplexing and microprocessor-based logic processing, application of advanced technology is limited to fault-locating self-diagnostics, auto-calibration, manual (semi-automatic) surveillance functions, graphical operator displays, and flat panel touch screens that replace most hardware switch functions. Plant automation features using expert systems or other computer controlled processes are not applied, since they are unnecessary for standby systems that ordinarily do not require any operator action (automatic trip and initiation conditions are well defined and do not change over time). Emergency operator action is provided by direct, hardwired switches external to software logic (for example, manual scram).

At the equipment level, the basic constraint on new technology application for safety systems is the need to provide advanced performance features while preserving long term reliability and availability of the basic trip functions (at least equal to that of the original designs). While almost any existing microprocessor or other VLSI technology can implement safety system functions, the following constraints on state-of-the-art technology were considered necessary to achieve a practical design:

1. HARDWARE/SOFTWARE CONSTRAINTS:

a. Proven technology must have failure rate history to support reliability goals. Advanced component designs, such as Reduced Instruction Set Computer (RISC) processors, Application Specific Integrated Circuits (ASICs), gate arrays or Programmable Logic Devices (PLDs) have a limited design history and unknown future support.

b. Not obsolescent - reasonably expected to be supported by vendors for several years with upgrading possible.

c. Second sources - affects availability of spare parts.

d. Components should be available in high reliability versions.

e. Maintainability - easily replaced modules, memory chips in sockets for expansion or upgrading.

f. Software support for hardware - appropriate development tools and compilers must be available for desired language and processor.

g. Programming language chosen should permit top-down, structured, modular design and should result in easily readable source code.

h. Testability - automatic testability must be provided for logic inaccessible to manual surveillance and test methods.

i. Heat dissipation - equipment should require lowest power for required speed, preferably lower than previous designs. Sufficient panel space is available such that the highest density electronic packaging is not required.

2. PERFORMANCE CONSTRAINTS:

a. Robust design (power-on initialization without transients, power-down reset to safe state, immunity to noise and common mode failures, operability in design basis thermal and seismic environments) is more important than the ability to support large memory arrays or perform complex calculations.

b. Speed should be minimum needed to support data throughput; faster speeds result in noise problems and require complex error detection and correction methods.

THE FOLLOWING RESPONSE SUPPLEMENTS THE ORIGINAL RESPONSE TO THIS QUESTION:

This response addresses the question of developing an approach for determining equipment changes that can be made after design certification without changes to the certification and without NRC review.

The basis for reliable design of safety system components will be conformance to Regulatory Guide 1.152, which endorses ANSI/IEEE-ANS-7-4.3.2-1982 (Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations). The methodology described in this standard establishes a program of independent verification and validation (V&V) for confirming correct implementation of integrated hardware and software. The V&V program will be used after design certification during the actual hardware and software implementation phases to verify and document all steps of the design and testing process. During final validation testing, acceptance criteria shall confirm correct operation of the completed system with regard to design specification requirements.

Design certification addresses system level design down to the hardware/software system specification level. A vendor may implement these functional requirements using different combinations of hardware and software. For example, because of hardware response time requirements, a certain function shown as originally being a software process in the system documents may be designed using discrete logic.

Many other changes will be made because of cost, component availability and prototype test results. The structured design process, including design reviews, the V&V program and the overall Quality Assurance program, will ensure adherence to the intent of the design specifications. This development process will include provisions for meeting independence, separation and defense in depth requirements no matter what technology is used. In addition, all safety-related components will be qualified to the appropriate standards.

In general, only system level changes that alter the inputs and outputs or modify basic parameters, such as trip levels and response times, should require changes to design certification or NRC review.


QUESTION 420.123 (15B4) SSAR 15B.4 describes the essential multiplexing system (EMS) in some detail. SSAR Figure 7A.2-1 states that the design is not limited to this configuration. It is our understanding that the EMS design is still in a preliminary design stage. Is SSAR 15B.4 still accurate and is the design limited to that configuration?

RESPONSE 420.123 SSAR 15B.4 is an accurate system-level description of EMS and reflects the components described in the EMS design specification and SSLC design specification, and is the chosen system configuration. The exact hardware implementation is not specified for design certification, since potential vendors could accomplish the multiplexing functions in several ways, given the restriction that qualification requirements must be met.

However, certain design details to be imposed on such vendors are discussed in the various responses given in SSAR 7A.2. Hardware and software ("firmware") requirements down to the module level of the equipment are described.

The EMS design is presently defined to the level of the type of processing components needed to perform the data transmission task. The design requires remote multiplexing units, control room multiplexing units and fiber optic interconnecting links. The bi-directional, dual redundant token ring topology is the chosen configuration for these components, and is the configuration shown in SSAR Figure 7A.2-1.

However, the multiplexing tasks shown in the figure could also be accomplished by the same components arranged in a star, bus, or point-to-point architecture (all still using a dual redundant configuration). This part of the design will be determined during the detailed design phase, depending upon the required system speed (data throughput), response time, the vendor's communications protocols, error detection/correction methods, and available hardware/software designs.

GE believes that specifying the exact EMS configuration at the design certification stage could skew competitive bidding for potential vendors of the equipment. The system requirements imposed on the multiplexed safety system design (e.g., single failure proof, signal isolation, 2-out-of-4 system logic, bypassing of failed components, self-test, easy repair, periodic surveillance, highly reliable materials, verification and validation of software, and integration testing) are sufficient to provide a qualified design.

QUESTION 420.124 (15B4) The FMEA submitted in SSAR 15B.4 is inadequate for a safety evaluation supporting the design certification. The FMEA appears to the staff to be oversimplified with one line item each for component failures and does not address potential software complications. The staff requests clarification of how this FMEA was developed given that the system design has not been finalized. The staff also believes that software failures need to be evaluated. The failure modes investigated should include, as a minimum, stall, runaway, lockup, interruption/restoration, clock and timing faults, counter overflow, missing/corrupt data, and effects of hardware faults on software.

RESPONSE 420.124 Definition of "level of detail" for design certification is presently undergoing review with the Staff. A full response to this question will be submitted following the results of that review. However, the specific failure modes of stall, interruption/restoration and timing faults were addressed in the responses to 420.53 and 420.54.

QUESTION 420.125 (7.4.1.4) This section provided additional clarification of the intended use of the remote shutdown system. The degree of independence and isolation from the Safety System Logic and Control (SSLC) and EMS are not clear. Is it intended in the SSAR to take credit for the RSS if there is a total loss of EMS?

RESPONSE 420.125 The remote shutdown system (RSS) is totally separate and independent from the SSLC and EMS in that it is "hard wired" and does not have any multiplexed signal interfaces.

The EMS consists of four independent and separate divisions. Therefore, a total loss of all four divisions of EMS is highly unlikely, and could only be attributed to common mode failure (see response to 420.127). The extensive V&V steps which will be performed in the EMS development should make the possibility of a common mode failure almost negligible. However, the RSS will provide an additional degree of protection from common mode failures by providing an independent means of actuating core cooling functions diverse from both the EMS and the plant main control room.

Reactor scram functions would most likely occur directly as a result of a postulated common mode EMS failure, because of the "failsafe" design of the reactor protection system (i.e., loss of signals coming from EMS would cause scram). However, the standby liquid control (SLC) system is also available to shut down the reactor because it, too, is "hard wired" and does not interface with the EMS. The SLC is discussed in Subsections 7.4.1.2 and 7.4.2.2.

Both the RSS and SLC are identified as diverse mitigating systems for such scenarios in 7A.7 [Items 7A.5(4) and 7A.6(4)].


QUESTION 420.126 (7A.7) Compared with GESSAR II, the ABWR has significantly reduced the number of input sensors by use of sharing sensors. Provide a basis as to why this does not increase potential vulnerability to common mode failures by reducing sensor diversity.

RESPONSE 420.126 Sensor diversity is not compromised by the reduction of instruments, because each of the diverse RPV parameters monitored for the GESSAR II design is still represented in the ABWR. Only the quantity of similar instruments monitoring a given parameter is reduced.

Generally, the reduction in sensors does not necessarily degrade reliability or availability. In fact, simpler systems are usually more reliable. When additional components are used redundantly in a system to improve reliability, a point is reached where the system reliability is dominated by common-cause failure, and additional redundancies add little, if any, improvement in system reliability. In the early stages of the ABWR design (before the instrument reduction program), the reliability of ECCS initiation was limited (in the analysis) by five common-cause interdivisional sensor miscalibration error probabilities. Following the instrument reduction program, there were only three groups of sensors subject to such probabilities. This reduction in common-cause miscalibration errors is because there are fewer sensors, and the sensors are shared.

Sharing of sensors does raise the possibility of common-cause sensor miscalibration error between safety functions. However, for the limiting risk case, where low RPV water level is the sole sensed initiation condition, reactor trip and ECCS initiation have different sets and types of sensors. ECCS is initiated by two sets of wide range water level sensors and RPS is initiated by a separate set of narrow range sensors. With proper maintenance procedures and special precautions, the possibility of common-cause miscalibration resulting in loss of automatic initiation of both safety functions is very remote.

There is sharing of drywell pressure sensors between functions, but the primary purpose of these sensors is to sense increased drywell pressure resulting from a loss-of-coolant accident, and LOCAs are a very small contributor to core damage frequency or risk. The RPS and ECCS have separate trip units.

The same reactor pressure sensors are used for RPS and low pressure ECCS permissive signals, but again, there are separate trip units that are calibrated separately. A common-cause failure of the RPV pressure sensing function would have very little effect on core damage frequency.

In the ABWR design, the 2-out-of-4 logic utilized in the GESSAR II RPS has been expanded to include all of the ESF systems as well. Thus, where ESF systems could tolerate any single instrument failure in the GESSAR II design, they can now tolerate any two instrument failures in the ABWR design. In other words, failure of 3 sensors is required to disable the signal in the ABWR, whereas failure of 2 sensors was sufficient in the GESSAR II design. Therefore, from a multiple-failure point of view, the ABWR has better protection compared to the GESSAR II design.


QUESTION 420.127 (7) In general, the applicant should provide a clear presentation of how the ABWR with common software modules for any functions (including SSLC logic self-test programs) conforms with IEEE 279-1971 and is at least as single failure proof as GESSAR II. The discussion of shared sensors in 7A.7 does not address potential common mode software failures which may be capable of defeating the diverse parameters. Additionally, the applicant should address why diversity of software should not be a requirement to maintain system diversity.

RESPONSE 420.127 The complete independence of the SSLC self-test program is discussed in the revised subsection 7.1.2.1.6(6) (see response 420.19).

Each of the four electrical divisions has its own independent hardware and software. Software modules might be construed as "common" only to the extent that each of the independent and redundant hardware modules are similarly programmed in firmware before shipment.

With regard to single failure, the SSLC trip logic has inter-divisional fiber optic links to facilitate the 2/4 coincident voting capability. However, such links are unidirectional and their only failure mechanism is an erroneous logic signal to the voting processor. The remaining channels would revert to 1/3 (unbypassed) or 2/3 voting depending on the state of the logical failure. This is the same effect as any other failure within a given channel and is consistent with the single failure criteria defined in IEEE Standards 279, 603 and 379. With the full 4-divisional, any-two-out-of-four logic configuration inherent for virtually all safety systems, the ABWR can actually withstand multiple failures in more postulated scenarios than could the GESSAR II design. Therefore, it is more "single failure proof".
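As an added illustration (constructed for this page, not GE's SSLC firmware) of the 2/4 voting and its reversion to 1/3 or 2/3 described in this response and in response 420.126, a coincidence voter in C; the division state names, the one-bypass-at-a-time rule and the helper function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example, not GE's SSLC code: a 2-out-of-4 coincidence voter
 * with the bypass and failure semantics the 420.126 and 420.127 responses
 * describe. State names, the one-bypass rule and helper names are assumed. */

#define NUM_DIVISIONS 4
#define COINCIDENCE   2   /* trip votes required: "2-out-of-4" */

/* A division's vote as seen by the voting processor (hypothetical states). */
typedef enum {
    DIV_NO_TRIP,         /* healthy channel, parameter within limits              */
    DIV_TRIP,            /* healthy channel, parameter beyond its setpoint        */
    DIV_BYPASSED,        /* removed from the vote under administrative control    */
    DIV_FAILED_TRIP,     /* failed link/processor read as a trip vote (fail-safe,
                            e.g. loss of signal on the fiber optic link)          */
    DIV_FAILED_NO_TRIP   /* failed link/processor read as a non-trip vote         */
} div_state_t;

/* Count trip votes across the four divisions. A failed link that presents
 * an erroneous trip signal counts like a real trip; a bypassed division
 * casts no vote at all. */
static int trip_votes(const div_state_t d[NUM_DIVISIONS])
{
    int n = 0;
    for (int i = 0; i < NUM_DIVISIONS; i++)
        if (d[i] == DIV_TRIP || d[i] == DIV_FAILED_TRIP)
            n++;
    return n;
}

static int count_state(const div_state_t d[NUM_DIVISIONS], div_state_t s)
{
    int n = 0;
    for (int i = 0; i < NUM_DIVISIONS; i++)
        if (d[i] == s)
            n++;
    return n;
}

/* Coincidence decision for one logic output. Assumption of this example:
 * only one division may be bypassed at a time; a second bypass is an
 * invalid configuration and the voter fails safe (trip). */
bool vote_2oo4(div_state_t d1, div_state_t d2, div_state_t d3, div_state_t d4)
{
    const div_state_t d[NUM_DIVISIONS] = { d1, d2, d3, d4 };
    if (count_state(d, DIV_BYPASSED) > 1)
        return true;
    return trip_votes(d) >= COINCIDENCE;
}

/* How many more healthy divisions must trip before the output trips.
 * With one division bypassed this is 2 (the other three vote 2-of-3);
 * with one unbypassed division failed in the trip direction it is 1
 * (the other three vote 1-of-3): the reversion the response describes. */
int trip_votes_still_needed(div_state_t d1, div_state_t d2, div_state_t d3, div_state_t d4)
{
    const div_state_t d[NUM_DIVISIONS] = { d1, d2, d3, d4 };
    int have = trip_votes(d);
    return have >= COINCIDENCE ? 0 : COINCIDENCE - have;
}

/* Healthy (unbypassed, unfailed) divisions still contributing a real vote. */
int healthy_divisions(div_state_t d1, div_state_t d2, div_state_t d3, div_state_t d4)
{
    const div_state_t d[NUM_DIVISIONS] = { d1, d2, d3, d4 };
    return count_state(d, DIV_NO_TRIP) + count_state(d, DIV_TRIP);
}

/* General k-out-of-n property behind the 420.126 statement that three
 * sensors must fail before the ABWR signal is disabled: n - k + 1 sensors
 * stuck in the non-trip direction are needed to block a k-of-n vote. */
int sensor_failures_to_disable(int n, int k)
{
    return n - k + 1;
}

int main(void)
{
    printf("all healthy, none tripped: trip=%d, need %d of %d\n",
           vote_2oo4(DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP),
           trip_votes_still_needed(DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP),
           healthy_divisions(DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP));
    printf("division 1 bypassed: need %d of %d\n",
           trip_votes_still_needed(DIV_BYPASSED, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP),
           healthy_divisions(DIV_BYPASSED, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP));
    printf("division 1 link failed (trip direction): need %d of %d\n",
           trip_votes_still_needed(DIV_FAILED_TRIP, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP),
           healthy_divisions(DIV_FAILED_TRIP, DIV_NO_TRIP, DIV_NO_TRIP, DIV_NO_TRIP));
    printf("2-of-4 is disabled only after %d sensors fail non-trip\n",
           sensor_failures_to_disable(NUM_DIVISIONS, COINCIDENCE));
    return 0;
}
```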

Regarding postulated common mode software failure, please review Appendix 7A.7, and the responses to questions 420.125 and 420.126, which are closely related to this question. These describe the increased reliability of the 2/4 logic over previous designs, the extensive V&V program to prevent common mode failure, and the diverse SLC and RSS systems to mitigate consequences of such failures. The reasons why software diversity is not necessary, and could even be detrimental, are summarized as follows:

(1) The software is developed and documented in accordance with the NRC approved Nuclear Energy Group Boiling Water Reactor Quality Assurance program. As described in Appendix 7A, the design methodology meets the requirements of Regulatory Guide 1.152, including all the necessary reviews, verification, testing, etc.

(2) The SSLC is actually governed by firmware that has been verified by the V&V program. This firmware can only be burned in at the factory prior to shipment. It is not possible to make program manipulations in the field which could result in a higher probability of common cause failures.

(3) The SSLC is made up of four independent divisions, each having its own individual and independent microprocessors. The software (firmware) is thus distributed among separated processing hardware. The system is not dependent on a common central processor.

(4) Each division is independently controlled by its own timing system which is not synchronized with other divisions. Therefore, unlikely common mode failures would be even less likely to occur at the same instant, thus initiating an inadvertent synchronized response.

(5) Each individual microprocessor module is sufficiently simple that it can be verified and validated with great confidence prior to shipment from the factory. Diverse programs would complicate verification and validation activities, making them much more costly and difficult to manage. For example, software diversity would require working the bugs out of up to four different system programs. Such cost increases could defeat the potential savings from applying software-based systems.

(6) System self-test runs as a background task in each SSLC logic processor. The operating system or executive program for each processor schedules self-test differently depending upon what other tasks are being processed. Thus, self-test is independent and unsynchronized in the four divisions. In addition, both hardware and software watchdog timers alert the operator to inoperative failures so mitigative action can be taken. Multi-divisional failures in SSLC or EMUX would cause scram directly because of the fail-safe (loss of signal = scram) design of the RPS.

(7) Manual diverse backup systems (SLC and RSS) are provided for critical functions of reactor shutdown and core cooling. Manual backup provides additional defense in depth despite the high reliability of qualified safety-related hardware/software equipment.

(8) Although the probability of common-cause failures of multiple divisions is reduced by utilizing diverse firmware, the probability of individual failures is increased due to the increased numbers of diverse paths over which postulated failures could occur. In addition, diverse firmware curtails the benefits of standardization in control and instrumentation equipment.

(9) As summarized in Appendix 7A, hardware diversity principles are incorporated at both the signal and system levels, similar to operating BWRs and GESSAR II. The ABWR fully meets the intent of NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System", May 1985.


QUESTION 420.128 (7A.7) Will software be used to isolate data? If so, what are the design and qualification criteria that are to be applied? Are there any systems which have non-Class 1E software such as keyboard or display control software that interface with the Class 1E systems? Are there any interfaces with the Class 1E systems which receive inputs from non-Class 1E systems or other channels of 1E systems?

RESPONSE 420.128 The following cases are presented to illustrate situations where software may be used to isolate data between Class 1E and non-Class 1E system interfaces:

1. SYSTEM LEVEL

a. NON-CLASS 1E TO CLASS 1E: In general, transfer of data from non-Class 1E systems to Class 1E systems is not permitted. All plant sensors and other inputs to safety systems, such as contact closures from relays and manual control switches, that are connected to the Essential Multiplexing System (EMS) or directly to safety system logic must be Class 1E.

A few situations require data from a non-safety-related system. In these cases, only qualified, Class 1E devices shall be used to acquire and transmit the data, using electrical and physical isolation as required (typical applications are Main Turbine and Control Rod Drive). An analysis must be performed to confirm that failure of the device or supporting structures will not affect the safety systems or EMS.

Electronic devices such as touch panels used for software based safety system controls must also be Class 1E.

b. CLASS 1E TO NON-CLASS 1E: Transfer of data from Class 1E systems to non-Class 1E systems is permitted with appropriate hardware and software isolation. Typical applications are safety system outputs to the Performance Monitoring and Control System (PMCS); i.e., output signals used for status displays, annunciator alarms, and computer logging. Other applications are the scram following outputs from the Reactor Protection System (RPS) to the Rod Control & Information System (RC&IS) and recirculation pump trip outputs from RPS to the Recirculation Flow Control System. These outputs will be transmitted over an isolating medium (in general, fiber optic data links) to PMCS or the other non-safety systems.

The safety system equipment shall broadcast its data to the non-safety systems with little or no control signal handshaking. No interrupts shall be used by the non-safety systems to request data from the safety systems. No hardware or software failure on the non-safety side shall affect the safety system side; i.e., safety critical functions shall not be inhibited. Non-safety related software shall not affect safety related software, causing it to fail into a non-safe state or causing an unwanted transient response.

Software for data transfer that resides in the safety system equipment shall be written and tested as safety related code. The code shall be verified and validated under the same V&V program as the other portions of software written for safety functions, thus conforming to Regulatory Guide 1.152.

c. CLASS 1E TO CLASS 1E: Data transfer between multiple channels of Class 1E systems or between different Class 1E systems is permitted, except that the essential multiplexing systems in multiple channels shall not directly communicate with each other.

All permitted communications shall be over fiber optic data links for signal isolation. A hardware or software failure in either channel shall not affect the other channel's normal software performance. All data transfer shall be under the control of error detection/correction software at both the transmitting and receiving ends. Communication protocols shall employ parity checking, checksum, CRC or some combination of these methods in addition to reasonableness, limits, and bounds checking of transferred data. An appropriate trip or warning alarm shall be generated on communication failure if automatic recovery within time limits is not possible. All safety related software shall be developed under the guidelines of Regulatory Guide 1.152.

2. EQUIPMENT LEVEL

a. KEYBOARD OR KEYPAD INPUTS: Individual logic processing instruments that implement microprocessor based, software controlled safety functions will allow technician access (by administrative control, using key access or passwords) to certain calibration and test functions. However, since safety equipment control programs are in read-only memory (ROM), the basic safety-critical functions cannot be changed even when calibration is performed.

Keypad input shall not affect any safety related signal path. However, some setpoints may be changeable in the field (under administrative control) because of varying plant conditions. Gaining access to setpoint, calibration or test functions shall automatically cause the equipment to go off-line and cause the affected system to be placed in a bypass condition or to go off-line in the appropriate tripped or untripped state, so that the system remains in a safe state.

b. FRONT PANEL DISPLAYS: Safety related data for local display shall be sent via isolated paths to separate display processors. There shall be no interaction between display software and safety-critical software. For example, failure of a handshaking control signal during data transfer shall not affect normal data flow in safety-critical software. No data shall be transferred from the display processor to the safety related portions of the hardware or software. The entire instrument, including both the safety function processor and the display processor and associated software, shall be qualified as Class 1E, nuclear safety-related.
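As an added illustration of the receive-side checks that item 1.c above requires of a Class 1E to Class 1E data link (CRC integrity check, limits and bounds checking of the transferred value, and a trip or alarm when communication failure persists without timely recovery), constructed for this page rather than taken from GE's EMS or SSLC design: the frame layout, the CRC-16/CCITT choice, the parameter limits and the recovery window are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not GE's EMS/SSLC code: receiving side of a Class 1E
 * to Class 1E fiber optic transfer as item 1.c requires: CRC integrity check,
 * limits/bounds check on the value, and a trip/alarm once communication
 * failure persists beyond a recovery window. Frame layout, CRC choice,
 * parameter limits and window size are assumptions of this example. */

#define FRAME_LEN       8   /* seq(1) param_id(1) value(4, big-endian) crc16(2) */
#define RECOVERY_WINDOW 3   /* assumed: bad frames tolerated before trip/alarm */

typedef struct { uint8_t seq, param_id; int32_t value; } message_t;   /* value x100 (assumed) */

/* Reasonableness limits per parameter id (constructed values, not plant data). */
typedef struct { uint8_t id; int32_t min, max; } limits_t;
static const limits_t LIMITS[] = {
    { 1, -50000,   50000 },   /* hypothetical: RPV water level, cm x 100 */
    { 2,      0, 1000000 },   /* hypothetical: RPV pressure, kPa x 100   */
};
typedef enum { RX_OK, RX_BAD_CRC, RX_UNKNOWN_PARAM, RX_OUT_OF_BOUNDS } rx_status_t;
/* Per-link receiver state; the safety side never waits on the sender. */
typedef struct { unsigned consecutive_failures; bool trip_alarm; } link_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bit-serial. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Transmitting channel: serialize the message and append its CRC. */
void frame_build(const message_t *m, uint8_t out[FRAME_LEN])
{
    uint32_t v = (uint32_t)m->value;
    out[0] = m->seq; out[1] = m->param_id;
    out[2] = (uint8_t)(v >> 24); out[3] = (uint8_t)(v >> 16);
    out[4] = (uint8_t)(v >> 8);  out[5] = (uint8_t)v;
    uint16_t crc = crc16_ccitt(out, 6);
    out[6] = (uint8_t)(crc >> 8); out[7] = (uint8_t)crc;
}

/* Receiving channel: accept a frame only if it is intact, names a known
 * parameter and lies within that parameter's limits. Failures are counted;
 * once they exceed the recovery window the link raises its trip/alarm flag. */
rx_status_t frame_receive(link_t *link, const uint8_t in[FRAME_LEN], message_t *out)
{
    rx_status_t st = RX_OK;
    const limits_t *l = NULL;
    uint16_t expect = (uint16_t)((in[6] << 8) | in[7]);
    uint32_t raw = ((uint32_t)in[2] << 24) | ((uint32_t)in[3] << 16) |
                   ((uint32_t)in[4] << 8) | in[5];
    message_t m = { in[0], in[1], (int32_t)raw };
    for (size_t i = 0; i < sizeof LIMITS / sizeof LIMITS[0]; i++)
        if (LIMITS[i].id == m.param_id)
            l = &LIMITS[i];
    if (crc16_ccitt(in, 6) != expect)              st = RX_BAD_CRC;
    else if (l == NULL)                             st = RX_UNKNOWN_PARAM;
    else if (m.value < l->min || m.value > l->max)  st = RX_OUT_OF_BOUNDS;
    else                                            *out = m;
    if (st == RX_OK)
        link->consecutive_failures = 0;
    else if (++link->consecutive_failures > RECOVERY_WINDOW)
        link->trip_alarm = true;
    return st;
}

/* One constructed frame through a fresh link, optionally with a single bit
 * error injected into the value field as could occur on the link. */
rx_status_t scenario(bool inject_bit_error, int32_t value)
{
    link_t link = { 0, false };
    message_t in = { 7, 1, value }, out;
    uint8_t frame[FRAME_LEN];
    frame_build(&in, frame);
    if (inject_bit_error) frame[4] ^= 0x01;
    return frame_receive(&link, frame, &out);
}

/* A link that stays corrupt: no trip within the window, trip just after it. */
bool persistent_failure_trips(void)
{
    link_t link = { 0, false };
    message_t in = { 1, 2, 100 }, out;
    uint8_t frame[FRAME_LEN];
    frame_build(&in, frame);
    frame[7] ^= 0xFF;                                /* CRC byte corrupted */
    for (int i = 0; i < RECOVERY_WINDOW; i++) frame_receive(&link, frame, &out);
    bool early = link.trip_alarm;
    frame_receive(&link, frame, &out);
    return !early && link.trip_alarm;
}
```

A single flipped bit on the link is rejected by the CRC before the value is ever compared against its limits, and a value that passes the CRC but falls outside the constructed limits is still refused; only a run of failures longer than the recovery window raises the trip/alarm flag.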

QUESTION 420.129 (7) List those systems or major components in the I&C design area for which the design is not complete to the "purchase specification" level.

RESPONSE 420.129 Definition of "purchase specification level" for design certification is presently undergoing review with the Staff. A response to this question will be submitted following the results of that review.

QUESTION 420.130 (Response 420.63) In this response a MTBF goal of 100,000 hours (11.4 years) is given for the essential multiplexing system. Is this goal for one channel or the complete system? If this goal is for the complete system it appears to the staff that the ABWR can expect to lose control at the control room of many of the safety systems (RPS, RHR, ADS) five or six times over the lifetime of the plant. How does this compare with the reliability/availability of multiple ESF systems in the BWR/5 & 6 design (or GESSAR II)?

RESPONSE

420.130 The MTBF goal for the essential multiplexing system (EMS) is 100,000 hours per channel.


QUESTION 420.131 (19.2.3.4) Are multiplexer and software failures included in these systems interactions and common cause failures?

RESPONSE

420.131 Multiplexer failures are explicitly modeled in the ECCS instrumentation fault trees, as is the multiplexer common cause failure between electrical divisions. Software is an integral part of the ESF logic, and such failures are included in the ESF logic failure rates.

QUESTION 420.132 (19.3.1.3.1(b)) (Response 420.47) Section 19.3.1.3.1(b) states that if core cooling is accomplished without the use of an RHR system and the suppression pool cooling begins overheating, the suppression pool cooling mode of the RHR will be initiated by the operator. Is any manual action required prior to 30 minutes?

RESPONSE

420.132 No. Suppression pool cooling is not required prior to 30 minutes for any Design Basis Event.

QUESTION 420.133 (19.3.1.3.1(c)(i)) This section describes the MSIV closure sequence with the most desirable outcome requiring operator action at 30 seconds to insert rods. If that fails the operator must inhibit ADS valves from opening and initiate SLCS within 10 minutes. These activities do not appear to be consistent with a stated design goal of no operator action for 30 minutes following a transient. Provide a description of how the MSIV closure sequence meets the 30 minute rule (6.3.1.1.1); same question for Loss of Offsite Power (LOOP).

RESPONSE

420.133 The reference design goal specified in 6.3.1.1.1 is applicable to Design Basis Accidents. The events considered in 19.3.1.3.1(2)(c)(i) and 19.3.1.3.1(2)(c)(iv) [MSIV Closure and LOOP, respectively] are multiple failure ATWS events which are beyond the design basis. Therefore, the 30 minute design goal is not applicable.

QUESTION 420.134 (19D.3.4) Equipment maintenance or test unavailabilities are taken from GESSAR PRA and are based upon BWR experience. In the past, I&C has been a large contributor to system downtime. How do these systems (RHR, RCIC) unavailability numbers take into account the new multiplexing and microprocessors?

RESPONSE

420.134 The system maintenance unavailabilities presented in Table 19D.3-2 do not address the new multiplexing and microprocessors.

Multiplexing and microprocessor logic are explicitly modeled in the ECCS actuation instrumentation system fault trees presented in Figure 19D.6-15. To assess the unavailabilities of systems such as RHR and RCIC, support system fault trees (electric power, instrumentation, service water, etc.) are first linked directly to the front line system trees, and then the composite trees evaluated to determine overall system unavailability. In this manner, unavailabilities attributable to the new multiplexing and microprocessors are directly taken into account.

QUESTION 420.135 (Table 19D.6-10) Provide the justification for a Mean Time to Repair (MTTR) of 4 hours for multiplexers and 20 minutes for ESF logic. Inverters and battery chargers have restoration time given (Table 19A.8) as 48-56 hours. Are the multiplexers designed with all test and maintenance equipment installed?

RESPONSE

420.135 The multiplexing network has been designed with an integral test feature which tests system performance on a thirty minute cycle and annunciates component failures. Therefore, on the average, the mean time to detect annunciated failures is 15 minutes. Failed components at the module or logic card level are automatically indicated to the operator or technician.

The mean time to repair of 30 minutes for ESF logic is based upon the assumption that ESF logic cards are located in the control room and that replacement cards are readily available. On this basis, 30 minutes is judged to be adequate for ESF logic card replacement.

A mean time to repair for multiplexers of four hours is based upon divisional multiplexer components being located external to the control room and requiring greater time to reach and replace. As in the case of ESF logic cards, replacement components are assumed to be readily available. On this basis, four hours is judged to be adequate for multiplexer repair. Time required to perform any related plant administrative procedures is not considered to be part of mean time to repair.
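The arithmetic behind responses 420.130, 420.131 and 420.135 (per-channel MTBF, detection plus repair time, 2-out-of-4 voting, and the multiplexer common-cause term) can be worked through in a few lines. This is an added illustration, not GE's PRA; the 100,000 hour MTBF, 4 hour MTTR and 15 minute mean detection time are from the responses above, while the 60 year plant life and the beta factor are assumptions.

```python
"""Reliability arithmetic for the EMS figures quoted in RAI 420.130/420.135.

Added example, not GE's analysis. The 60-year plant life and the common-cause
beta factor are assumptions; the other figures are quoted on the page.
"""
import math

HOURS_PER_YEAR = 8760.0

# Figures quoted in the RAI responses
EMS_MTBF_HOURS = 100_000.0      # per channel (response 420.130)
MUX_MTTR_HOURS = 4.0            # multiplexer repair (response 420.135)
MEAN_DETECT_HOURS = 0.25        # half of the 30-minute self-test cycle (response 420.135)

# Assumed values (not on the page)
PLANT_LIFE_YEARS = 60.0         # reproduces the staff's "five or six times" estimate
ASSUMED_BETA = 0.05             # fraction of channel failures taken as common-cause


def expected_failures(mtbf_hours: float, years: float, channels: int = 1) -> float:
    """Expected number of random failures over a service life (constant failure rate)."""
    return channels * years * HOURS_PER_YEAR / mtbf_hours


def channel_unavailability(mtbf_hours: float, downtime_hours: float) -> float:
    """Steady-state unavailability of one repairable channel.

    downtime_hours is the whole outage per failure: time to detect plus time to repair.
    """
    return downtime_hours / (mtbf_hours + downtime_hours)


def k_out_of_n_loss(q: float, k: int, n: int) -> float:
    """Probability that fewer than k of n independent channels are available,
    i.e. that a k-out-of-n voting function (such as 2/4 coincidence) is lost."""
    p = 1.0 - q
    return sum(math.comb(n, i) * p ** i * q ** (n - i) for i in range(k))


def k_out_of_n_loss_with_ccf(q: float, k: int, n: int, beta: float) -> float:
    """Beta-factor common-cause model: a fraction beta of each channel's unavailability
    is a simultaneous failure of all n channels, the kind of multiplexer CCF between
    divisions that response 420.131 says is modeled in the ECCS fault trees."""
    q_ind = q * (1.0 - beta)
    q_ccf = q * beta
    return q_ccf + (1.0 - q_ccf) * k_out_of_n_loss(q_ind, k, n)


def summary() -> dict:
    """Work the page's numbers through the functions above."""
    downtime = MEAN_DETECT_HOURS + MUX_MTTR_HOURS
    q = channel_unavailability(EMS_MTBF_HOURS, downtime)
    return {
        "failures_per_channel_over_life": expected_failures(EMS_MTBF_HOURS, PLANT_LIFE_YEARS),
        "failures_four_divisions_over_life": expected_failures(EMS_MTBF_HOURS, PLANT_LIFE_YEARS, 4),
        "channel_unavailability": q,
        "loss_of_2_of_4_independent": k_out_of_n_loss(q, 2, 4),
        "loss_of_2_of_4_with_ccf": k_out_of_n_loss_with_ccf(q, 2, 4, ASSUMED_BETA),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:40s} {value:.3e}")
```

With these inputs the independent 2-of-4 loss probability is of the order of 1e-13 while even a 5% common-cause fraction gives about 2e-6, which is why the common-cause term, not the per-channel MTBF, governs the answer to 420.131.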

QUESTION 420.136 (7A) The staff has reviewed the commitments in the SSAR and has reviewed the available documentation describing the verification and validation plans. To date, the information has been vague, general in nature and lacking in essential detail to demonstrate conformance with ANSI/IEEE 7-4.3.2. Does the applicant intend to enclose the V&V Plan as Appendix B of SSAR Chapter 7 or will the V&V details be left as an interface requirement? The staff required a formal, structured V&V plan to be in place and implemented early in the software design process.

RESPONSE

420.136 Definition of "level of detail" for design certification is presently undergoing review with the Staff. A response to this question will be submitted following the results of that review.


The sixth test is an integrated self-test provision built into the microprocessors within the safety system logic and control (SSLC). It consists of an on-line, continuously operating, self-diagnostic monitoring network; and an off-line semi-automatic (operator initiated, but automatic to completion), end-to-end surveillance program. Both on-line and off-line functions operate independently within each of the four divisions. There are no multi-divisional interconnections associated with self-testing.

The primary purpose of the self-test is to improve the availability of the SSLC by optimizing the time to detect and determine the location of a failure in the functional system. It is not intended that self-test eliminate the need for the other five manual tests. However, most faults are detected more quickly than with manual testing alone.

The self-test function is classified as safety associated. However, its hardware and software are an integral part of the SSLC and, as such, are qualified to Class 1E standards.

The hierarchy of test capability is provided to ensure maximum coverage of all EMS/SSLC functions, including logic functions and data communications links. Testing shall include:

(1) On-line Continuous Testing

A self-diagnostic program monitors each signal processing module from input to output. Testing is automatic and is performed periodically during normal operation. Tests will verify the basic integrity of each card or module on the microprocessor bus. All operations are part of normal data processing intervals and will not affect system response to incoming trip or initiation signals. Automatic initiation signals from plant sensors will override an automatic test sequence and perform the required safety function. Process or logic signals are not changed as a result of self-test functions.

Self-diagnosis includes monitoring of overall program flow, reasonableness of process variables, RAM and PROM condition, and verification of 2/4 coincidence logic and device interlock logic. Testing includes continuous error checking of all transmitted and received data on the serial data links of each SSLC controller; for example, error checking by parity check, checksum, or cyclic redundancy checking (CRC) techniques.

A fault is considered the discrepancy between an expected output of a permissive circuit and the existing present state.

Actuation of the trip function is not performed during this test. The self-test function is capable of detecting and logging intermittent failures without stopping system operation. Normal surveillance by plant personnel will identify these failures, via a diagnostic display, for preventive maintenance.

Self-test failures (except intermittent failures) are annunciated to the operator at the main control room console and logged by the process computer.

Faults are identified to the replacement board or module level and positively indicated at the failed unit.

c \wp\ssar/71216tns.wp


The continuous surveillance monitoring also includes power supply voltage levels, card-out-of-file interlocks, and battery voltage levels on battery-backed memory cards (if used). Out-of-tolerance conditions will result in an inoperative (out of service) condition for that particular system function.

Automatic system self-testing occurs during a portion of every periodic transmission period of the data communication network. Since exhaustive tests cannot be performed during any one transmission interval, the test software is written so that sufficient overlap coverage is provided to prove system performance during tests of portions of the circuitry, as allowed in IEEE 338.

The Essential Multiplexing System (EMS) is included in the continuous, automatic self-test function. Faults at the Remote Multiplexing Units (RMUs) are alarmed in the main control room. Since EMS is dual in each division, self-test supports automatic reconfiguration or bypass of portions of EMS after a detected fault, such that the least effect on system availability occurs.

(2) Off-line Semi-automatic End-to-End Testing

The more complete, manually initiated, internal self-test is available when a unit is off-line for surveillance or maintenance testing. This test exercises the trip outputs of the SSLC logic processors. The channel containing the processors will be bypassed during testing.

A fault is considered the inability to open or close any control circuit. Self-test failures are displayed on a front panel readout device or other diagnostic unit.

To reduce operator burden and decrease outage time, a Surveillance Test Controller (STC) is provided as a dedicated test instrument in each division of SSLC. The STC performs semi-automatic (operator initiated) testing of SSLC functional logic, including trip, initiation, and interlock logic. Test coverage includes verification of correct operation of the following capabilities, as defined in each system IBD:

a. Each 2/4 coincident logic function,
b. Serial and parallel I/O, including manual control switches, limit switches, and other contact closures,
c. The 1/N trip selection function,
d. Interlock logic for each valve or pump.

A separate test sequence for each safety system is operator selectable; testing will proceed automatically to conclusion after initiation by the operator.

Surveillance testing is performed in one division at a time.


The STC injects test patterns through the essential multiplexing system (EMS) communications links to the RMUs. It then tests the RMUs' ability to format and transmit sensor data through and across the EMS/SSLC interface, in the prescribed time, to the load drivers. Under the proper bypass conditions, or with the reactor shut down, the load drivers themselves may be actuated.

All testing features adhere to the single failure criterion, as follows: 1) No single failure in the test circuitry shall incapacitate an SSLC safety function. 2) No single failure in the test circuitry shall cause an inadvertent scram, MSIV isolation, or actuation of any safety systems served by the SSLC.


CHAPTER 10 QUESTIONS / RESPONSES


QUESTION 281.15

In a letter from Thomas E. Murley, NRR, to Ricardo Artigas, G.E. dated August 7, 1987, the staff provided the ABWR licensing review bases as well as the scope and content of the ABWR Standard Safety Analysis Report (SSAR). In Section 8.7, Water Chemistry Guidelines, of the referenced letter, it states that GE has committed to using BWR Owners Group water chemistry guidelines. These guidelines are necessary to maintain proper water chemistry in BWR cooling systems to prevent intergranular stress corrosion cracking of austenitic stainless steel piping and components and to minimize corrosion and erosion/corrosion induced piping wall thinning in single-phase and two-phase high energy carbon steel piping. Water chemistry is also important for the minimization of plant radiation levels due to activated corrosion products. Section 10.4.6.3 of the ABWR indicates that the condensate cleanup system complies with Regulatory Guide 1.56. Section 10.4 should indicate that the system meets the guidelines published in:

EPRI NP-4947-SR, BWR Hydrogen Water Chemistry Guidelines 1987 Revision, dated October 1988.

EPRI NP-5283-SR-A, Guidelines for Permanent BWR Hydrogen Water Chemistry 1987 Revision, dated September 1987.

The use of zinc injection as a means of controlling BWR radiation field buildup should be discussed.

RESPONSE 281.15

A new Subsection 9.3.9 will be added to describe the hydrogen addition system. Revised Subsection 5.2.3 indicates that the guidelines in EPRI NP-4947-SR, BWR Hydrogen Water Chemistry Guidelines 1987 Revision, October 1988 and EPRI NP-5283-SR-A, Guidelines for Permanent BWR Hydrogen Water Chemistry 1987 Revision, September 1987 will be met. This will also be indicated in new Subsection 9.3.9.

Subsection 9.3.11 has been added to describe the zinc addition system.

QUESTION 281.16

In Section 10.4.6.3, the ABWR SSAR indicates that the condensate cleanup system removes some radioactive material, activated corrosion products and fission products that are carried over from the reactor. More important functions involve removal of condensate system corrosion products, and possible impurities from condenser leakage to assure meeting BWR Hydrogen Water Chemistry Guidelines. This should be discussed.

RESPONSE 281.16

Subsection 5.2.3.2.2.3 has been modified to discuss the removal of condensate system corrosion products and possible impurities from condenser leakage.

F:jnfl04051:tjm

QUESTION 281.17

The condensate (Figure 10.4-4) and feedwater (Figure 10.4-7) system diagrams do not indicate the location of the oxygen injection into the condensate system and hydrogen and zinc oxide into the feedwater system. This information should be provided.

RESPONSE 281.17

The location of oxygen addition for the condensate system is in Subsection 9.3.10. The location of hydrogen addition to the feedwater system will be shown in Subsection 9.3.9. The location of zinc addition to the feedwater system is in Subsection 9.3.11.

QUESTION 281.18

Section 10.4 does not discuss design improvements involving material selection, water chemistry, system temperatures, piping design and hydrodynamic conditions that are necessary to control erosion/corrosion. The EPRI CHECMATE or other erosion/corrosion computer codes may be useful design tools to minimize wall thinning due to erosion/corrosion. The ABWR SSAR should discuss design considerations to minimize erosion/corrosion and procedures and administrative controls to assure that the structural integrity of single-phase and two-phase high energy carbon steel piping system is maintained.

RESPONSE 281.18

A discussion on the control of erosion corrosion of carbon steel has been added to Subsection 5.2.3.2.2.3.


9.3.10 Oxygen Injection System

9.3.10.1 Design Bases

The oxygen injection system is designed to add sufficient oxygen to the Condensate System to suppress corrosion and corrosion product release in the condensate and feedwater systems. Experience has shown that the preferred feedwater oxygen concentration is 20 to 50 ppb. During shutdown and startup operation the feedwater oxygen concentration is usually much above the 20 to 50 ppb range. However, during power operation, deaeration in the main condenser may reduce the condensate oxygen concentration below 20 ppb, thus requiring that some oxygen be added. The amount required is up to approximately 5 cubic feet per hour.

9.3.10.2 System Description

The oxygen supply consists of high pressure gas cylinders or a liquid tank. A condensate oxygen injection module is provided with pressure regulators and associated piping, valves, and controls to depressurize the gaseous oxygen and route it to the condensate oxygen injection modules. There are check valves and isolation valves between the condensate injection modules and the condensate lines upstream of the condensate filters.

The flow regulating valves in this system are operated from the main control room. The oxygen concentration in the condensate/feedwater system is monitored by analyzers in the sampling system (Subsection 9.3.2). An operator will make changes in the oxygen injection rate in response to changes in the condensate/feedwater oxygen concentration. An automatic control system is not required because instantaneous changes in oxygen injection rate are not required.

9.3.10.3 Safety Evaluation

The oxygen injection system is not required to assure any of the following conditions:

(1) integrity of the reactor coolant pressure boundary;
(2) capability to shut down the reactor and maintain it in a safe shutdown condition; or
(3) ability to prevent or mitigate the consequences of events which could result in potential offsite exposures.

Consequently, the injection system itself is not safety-related. The high pressure oxygen storage bottles are located in an area in which large amounts of burnable materials are not present. Usual safe practices for handling high pressure gases are followed.


9.3.10.4 Tests and Inspections

The oxygen injection system is proved operable by its use during normal operation. The system valves may be tested to ensure operability from the main control room.

9.3.10.4 Instrumentation Application

The oxygen gas storage bottles have pressure gages which will indicate to the operators when a new bottle is required. A flow element will indicate the oxygen gas flow rate at all times. The gas flow regulating valves will have position indication in the main control room.

The oxygen monitors are discussed in Subsection 9.3.2.

9.3.11 Zinc Injection System

9.3.11.1 Design Bases

The continuous presence of small amounts of dissolved zinc in the reactor water has been shown to reduce radiation levels on primary system surfaces. Zinc injection shall be initiated during the reactor startup tests when high temperature operation commences. The amount of dissolved zinc required in the reactor water is 10 to 15 ppb zinc during an initial conditioning period and 5 to 10 ppb over the fuel cycle.

A dilute zinc solution is prepared and injected into a bypass loop around the feedwater pumps.

9.3.11.3 Safety Evaluation

The injection system is not necessary to assure:

1) the integrity of the reactor coolant pressure boundary;
2) the capability to shut down the reactor; or
3) the capability to prevent or mitigate the consequences of events which could result in potential offsite exposures.

The zinc injection system will help keep radiation levels as low as possible, thus reducing personnel exposure, especially during outages.

9.3.11.4 Tests and Inspections

The zinc injection system is proved operable during initial operation of the plant. Zinc injection will not be performed when the plant is in cold shutdown. During these periods, the system can have maintenance or testing performed.


9.3.11.5 Instrumentation

The injection of zinc solution will be stopped automatically if feedwater flow stops. The zinc injection rate is manually adjusted based on zinc concentration data in the reactor water.


ABWR Standard Plant

... excessive oxidation, hydriding, or crud deposition may lead to a breach of the cladding wall.

Metallic impurities can result in neutron losses and associated economic penalties which increase in proportion to the amount being introduced into the reactor and deposited on the fuel. With respect to iron oxide type crud deposits, it can be concluded that operation within the BWR water chemistry guidelines (specifically the limits on feedwater iron levels) effectively precludes the buildup of significant deposits on fuel elements.

5.2.3.2.2.2 Radiation Field Buildup

The primary long term source of radiation fields in most BWRs is cobalt 60, which is formed by neutron activation of cobalt 59. Corrosion products are released from corroding and wearing surfaces as soluble, colloidal, and particulate species. The formation of cobalt 60 takes place after the corrosion products precipitate, adsorb, or deposit on the fuel rods. Subsequent reentrainment in the coolant and deposition on out-of-core stainless steel surfaces leads to buildup of the activated corrosion products (such as cobalt 60) on the out-of-core surfaces. The deposition may occur either in a loosely adherent layer created by particle deposition, or in a tightly adherent corrosion layer incorporating radioisotopes during corrosion and subsequent ion exchange. Water chemistry influences all of these transport processes. The key variables are the concentration of soluble cobalt 60 in the reactor water and the characteristics of surface oxides. Thus, any reduction in the soluble cobalt 60 concentration will have positive benefits.

As a means to reduce cobalt, GE has reduced cobalt content in alloys to be used in high fluence areas such as fuel assemblies and control rods. In addition, cobalt base alloys used for pins and rollers in control rods have been replaced with noncobalt alloys.

The reactor water cleanup system, which processes reactor water at a rate of 2% of rated feedwater flow, will remove both dissolved and undissolved impurities which can become radioactive deposits. Reduction of these radioactive deposits will reduce occupational radiation exposure during operation and maintenance of the plant components.

Water quality parameters can have an influence on radiation buildup rates. In laboratory tests, the water conductivity and pH were varied systematically from a high purity base case. In each case, impurities increased the rate of cobalt 60 uptake over that of the base case. The evidence suggests that these impurities change both the corrosion rate and the oxide film characteristics to adversely increase the cobalt 60 uptake. Thus, controlling water purity should be beneficial in reducing radiation buildup.

Prefilming of stainless steel in cobalt 60 free water, steam, or water/steam mixtures also appears to be a promising method to reduce initial radiation buildup rates. As an example, the radiation buildup rates are reduced significantly when samples are prefilmed in high temperature (288°C), oxygenated (200 ppb oxygen) water prior to exposure to cobalt 60 containing water. Mechanical polishing and electropolishing of piping internal faces should also be effective in reducing radiation buildup.

5.2.3.2.2.3 Sources of Impurities

Various pathways exist for impurity ingress into the primary system. The most common sources of impurities that result in increases in reactor water conductivity are condenser cooling water inleakage, improper operation of ion exchange units, air inleakage, and radwaste recycle. In addition to situations of relatively continuous ingress, such as from low level condenser cooling water inleakage, transient events can also be significant. The major sources of impurities during such events are resin intrusions, organic chemical intrusions, inorganic chemical intrusions, and improper rinse of resins. Chemistry transients resulting from introduction of organic substances into the radwaste system comprised a significant fraction of the transients which have occurred.

The following factors are measured for control or diagnostic purposes to maintain proper water chemistry in the ABWR.

Amendment 7


The condensate cleanup system has two stages of water treatment. The first stage, the hollow-fiber filters, is effective in removing insoluble solids, such as condensate system insoluble corrosion products. The second stage, the deep bed demineralizers, is effective in removing soluble solids, such as soluble corrosion products and impurities from possible condenser leakage.


... ation following HWC implementation.

(b) Quantitative assessment of water chemistry transients.

(c) Long term quantification of the success of the HWC program.

The major impurities in various parts of a BWR under certain operating conditions are listed in Table 5.2-5. The plant systems have been designed to achieve these limits at least 90% of the time. The plant operators are encouraged to achieve better water quality by using good operating practice.

Water quality specifications require that erosion corrosion resistant low alloy steels are to be used in susceptible steam extraction and drain lines. Stainless steels are considered for baffles, shields, or other areas of severe duty.

Provisions are made to add nitrogen gas to extraction steamlines, feedwater heater shells, heater drain tanks, and drain piping to minimize corrosion during layup. Alternatively, the system may be designed to drain while hot so that dry layup can be achieved.

Condenser tubes and tubesheet are required to be made of titanium alloys.

Amendment 3

Erosion-corrosion (E/C) of carbon steel components will be controlled as follows. The mechanism of E/C or, preferably, flow-assisted corrosion is complex and involves the electrochemical aspects of general corrosion plus the effects of mass transfer. Under single phase flow conditions, E/C is affected by water chemistry, temperature, flow path, material composition and geometry. For wet steam (two phase), the percent moisture has an additional effect on E/C.

The potential deterioration of ABWR carbon steel piping from flow-assisted corrosion due to high velocity single phase water flow and two phase steam water flow will be addressed by using the EPRI developed CHECMATE (Chexal-Horowitz Erosion Corrosion Methodology for Analyzing Two-phase Environments) computer code. CHECMATE will be used to predict corrosion rates and calculate the time remaining before reaching a defined acceptable wall thickness. Thus, this code will be used to identify areas where design improvements (piping design, materials selection, hydrodynamic conditions, oxygen content, temperature) are required to ensure adequate margin for extended piping performance in the ABWR design.
