ML20046B144

From kanterella
Jump to navigation Jump to search
Nonproprietary Rev 0 to WCAP-13634, AP600 I&C Defense-In-Depth & Diversity Rept.
ML20046B144
Person / Time
Site: 05200003
Issue date: 06/30/1993
From:
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML19310D544 List:
References
WCAP-13634, WCAP-13634-R, WCAP-13634-R00, NUDOCS 9308030165
Download: ML20046B144 (122)


Text

)/ WW kit'. E 7,'. % g q. ll ,j;. . ;. . . 3, .. . . , . , . . . . , . ,, , . , , . , .

? 6 y - . ., . . - .

.j

" .f[..*y.f.g$j' $- -c$.m:v;.:. bgJ:s "~~a,- s3..f.k.-

1

-. f. Mf . b".*~

..l, " ' r C .. ;..i4,

' . . - ,. <: *. / '..' a = 1 '. n ; . N:. hp' y. ,

g*h "

6yu, m - - -

h

'l h .f '.". .' _(

.h .;. .; ,} ' '^

fu y  % 1x k.v,  ::r . ' 7 .u ,: y. * , . < . ...v. . n. : - . . ,()l a. y

)4.s**, l>f. ..Y. &,f-4:k.. .. : ;. f:,, g (hl';<  :

...,.'g.', h., 4,.- ',D:hl~.<.lYi.'s: - '$ l .o ,, . m; . . .? .

. . h. '. ' .. . , . i.,. -, ..- .'.?;.: :.d.. %.' m.,..n

_c. . . 4 j . .g .. c.

. .; 2

- '. W

. .. .  : ' . , c . 'i 6 !.

pg,  ; & t- e, . 4  ; J .' 2" U !

3, . , ..N..

f.

y- y . , . .

.9s yy.J .v:3;7-,, "h; -%,y.c 1; y ,; . .. ;; s ,.

.~g w..$t- '.

, ,' ' 9;m ..&4x; .

c ,s . . .

3 .

. . ff, t y 4 sc.. .s .. n. .; o.e. '..<.'y.r....v... ::..a.

y. .v; .. . .3.. a -.. ; . . a....

n y . * .;L* . ..,5%*.f-..8.%:p. )

.., s s..

..;c&n A< . -. .ev .. . . y g. ~: .  :'; m e

, wr,. v,; s aq z, @. . :1.7. v ? . ..,', .. a . A. .b. ,y ' .:. C , . a . . . '

6 S c,  ? .,..>1,j;ft? .-

. ;'-'?
w;.%. :.v%a .#......',.,,.'' ..

'.m,.,.;h..'.'.'- ~ ...

2 . . . '. '. n;- - e .

.'.s.

.:'  ;  :,~ . .. . ?re .  :.

WQ 'h. &gp'N l, W ,;.. b ;;b. . w
. l'. 'r , . ' . ? .C e ' ~ s  : c *:

C' t d ,.s .r~,h :nu'* -% . i

~ 4 ,

di '

.w~. ' ' .":V,"8 0. < ',~ . q .. ".h...'.3"'a i . .

,c,

,r>',...-;

Q

y. + Ap..

1

,7,

- t e j; ty <s.y.7. .sg.

).: , . a . , .: T

.m= _^:  : . . a .u 6-x

..y

- .,; 's .:. x ,

... 'e., s . ;' ' . e I;

kN d,,' .D.7 'r. p f. [f;e.,.,'.) .... ;j , } (l '. },' .,5,l , [ ,,,I

+,7 , n[4)W ;W M. x - . AT,,l. "n' -b, ;n...? , m,L,J'. .'s*3 .:e4, +..'.J.~.' .Y.sM. <. . :. .e,,Q:h

- .: .a ..

..' . '., ,..;.*.~ - s pg ?M k4sA4 y%

" ~- ^~"

.py, ~.c.

a.. .,'.4,; ' . " . ','. :a "l Y ' ,' i.'  % k.

hk .. t Q,I Y '%lfsb kJ:? ? A # '. S; ,' f'l*

'.?

[ .fI .

I .,h . . , ' ^d n .,

  • . k.f G %y4W. 3- $$% ,- -] 1. ' ' * . - 6 ". U ". o y,, q .t. % p -3 v%:D..m j a..' : ;* - . .;.'...e-' '. . .. :%..{

4 .o; .p; -

<g yq.'

h[. R*,';q;r ;M5 W.

( ,4 p.;a. W,h'.gS_~![, a 3: s-i ?t  ;;y '..-' i ". . .' n s 4i:

  • ~ ' .*-. '.- %

% '. 4, 6

m,.ll ...'/ vfi.*}( >, h k. - - ..

/  ; . ,

. >Q v @i9.hV  !- F y.

-. .',n....

h. .' s.%.l a ' W ;;.%.>' +.,9A s.. y g: ?lM .,; %l. . '%. gf :< . c .f; .M..e. .. && . ' .9% c ' :: . - . : .:. . - 6 3 . ::.. :: r,
.. q%;h::

ghh.b-+ u'W.ig\;D Q,y.s :.. 3l.%'%..:s; % ' .Q!:% .Q

. .' 6.? ';; . .1

. .. , ? ,

,: .: W:.X*.l: .Wh%, .

.y  ; .; ."a..'[i;f. 8 .

'. . .. ~** . ' i ,

fy. ]:MW;kQ. *h f.)9,! y 5 l.'.h.'.l&.f. m

.a f* .i .Y..

l , , ' . ;.. .r,. .. .)' . '

. !?, ,

p.., ;n . . '.  :. -

%~ ):  ;;f Q. ;

.c f

'. g : '. .

I '* *;n ;'~

y

.d('g.K(' f t.{}l

.y .;f V :; ;,_ :. ':;; '

g:p %.,. ;t, g:&w,7.,s'la, s . :fly" 8, ..  ;~*

. . ..... ~.,

Y ' ~

b.s. . : . ;% W s* 'n m..- .'

.8 ,

w $.$p.f.

, o ... n .

?.w

.n .:'

.- s * ; . s

,u.

> < my ;... y'yl .% 4. . . ,  : - ;.... '- ':- : .' . '

rsQ:W. ';-mv .Q n m ,f I - : :*'"

j;, , l3.wmy :):y 9 m;',. .- . .,

L,Q:;;4ls. .q,.

, y..gi .f.. W .'?' C..',

. .n . ; . . .:,g: ..,c.._.'.,., .

Y

' ,u: %.Q [:n.&f :.Q'[n:%'n. !['):if;Qi:,,. ik # [i f;,. fik 1, i

?.. I aO - E$ . ., a

.p 7 .. ;- v - n'

' . . ' .p.-.;-. -'Qa s .I c:m, Qlh ?;W: w gNk.Q ;.  :, .;m y

,9 k, g4;.4 e, 0 -: {y , _ .gg&py  ;,n. q , 'q;%d;:.gerg.

. y w .;  ::.L; , . ..f';':,: c;:?

.:'..-..<..'.:  : .. - - ^' .

3 ;T :. . - ' '. ',.

~'~

m: >*. .-. . .. . - ,'

%;,apQ.7:nhLQl g% ?:.efs , a .,:: 1 :. ! t '.. ." . . .' '. :: - .. O w . . .. , ~G**'-

.u . . .

. w '- .

Q ' W:a y&y g..$h. ";i%;0, d.M ' ..: \.*:. %~ qb.;%.?. ::%:.% e W y.'SV:,3

.> 4 ~'-b -

l;j. G . - Og 'f.Qh:jt::# . ' . - : :'G.: ' = . ' ' l ^ " ... ' . %. .' ': ' ' : : ,3:

' . .f .* * ; ' " .. '];

1 y.g ; .. %
%;l'.e.  % :<.% y. - '.'-. ...* '.g : : :- ' - , .~-

9: h '",, $. ;% ;;. *;W;z W'%G. '.,.y .;.yJ.:gg: .:  ; .y ~  : D,'!.y . .\

'_. a  :,

? .< Y . u- 0% 0 ' . ' . :. '" h !.a . s A. .: -

. .j c-D.&:

?

%.% n.F y: .e-:w4. . . . .'a .Y.....

. ' %d,l' ' &a r*n .' Y.C. . e ':..- . . -

5 M ':. 8.M.. .n.,.: .v "s; : *rr. r.,v.v: ... ' sl" .*. '. ' . --.c - m . :. !..

% ...'..d ..

n.'.:..;'b ' . . .~

.'. .' .. c. ......:..%> ' . : ' . ' . ~ . -  ;'

s,

- y

> b $. it,r. m L. 'U. m.Q,ca.'.%. Mni

. e h '.* :.[5.";r c - .- - '..:::: - ~; '. .. . - :..- :' .*'..e:u r

.e ,. . . . ' ~;.s. .: .' 4 u. . \ ' l.: <' .' .

nW.,;Q:\,.@m%w ' n'Y L ..g. Mfg C,:;m: .h.' * . -': ;.:.+X.. 7 r. *.' '?' i,%. , k.,%s.:.:

.u. .:

.e?,

.: - ..'?

M [~k":&.g .g ' y:s: ' 4 ' ,,

];.f3 ,,

.. 3 ' . . , . . . .,

] ^. (,] ,'; ' g. ! .1 ' ;. ]' ,..' . 't.8.

1.p g  ; . . -'f, 17 i .,. . X  :

e F. '. ,,; . . ::- :

. 3 :: m c.,: m:'

? , ., g,- c5  : b .r - u. , '

.- .s

.'... . ...,,~;*' ~'

..i. -

's ':* Q.Q:p %y)Wl(g.g. . . . ,s .; a.'g. e .- .

q . 3 :. Y . ':f . '. ,n' *

=,.: - d'.

.:: OF P &j.. n . .

  • Y Y..: O , . ..

d 1 M  :'% M;. . . i . w:  ::. . . ' T . }. = A N'.a r.9 :9 .

q  : ' 'i ..s  :!J:..' '. : \ N.  :.!: . . .

'Y.. k: )h.Y::::Y":f.: *. . \ 0.k:'.i;Y b. A ' , i 'Y . ^. . : 'l " .I . .' Y. ' ',. $ ! .h:x Q

}y.;hkhl"

{.fl%.Yj%j&c,[;bh. N$::? m%%;.k'i:"* :k h;T.  ?* 7 #:;L.

t d .Y :6 ". g' :...: ? ..' ;l.;W T--O '..^.

.:. O ' .S :i d" ' ". ' S L

'^

^ n I' " :. . '-~ '. '.' . "... ' f f:.?.^;* *

,%.;. $' f . . v: .Q .

.i9' C' .'.
  • 8s,W,N. '

':, ?' -' '

h:W: . Vc: .  ? .t ':'. 3. U \ 1  ; * '[ ' L . .  :, .  ; '. ' ' . '.. .'  :  ; ', .'[ .,: 1.;

' . lc;. ;' . 0" h!$ '2 $U .D ' ' '- ' -

hs W. &Ra .. . ' ' . . i '  :' ..

  • I '* ' ' *:- '-  ::'  ? ' ' .  :" .. ~

lQ, Q:v?& $@x: $.&.  ;;r .. ..%.

.',;,'..n ll.'. ..: . :!- ::. ^ ';....:. :~ -. :. :.v .. - . . L'-' : .- - '.; J Y'I ' .  :-( ~ .. . l '  ::. k./ "

".l

..+n ( 2:-:4 y.:r =;..?  ;- ; ..: -- . ' -

.._;,. . : .z:,..,

. - .;-. .' " . . : '.:>,<c..

b 3 , c . L. 1

. *h ^: . . '>

y_,y.. . .

.,..:.".~,..,.,'.', '

lL. '. f't l~a .[%.g. . , . ,. .:.  ; j -.c . . .. ' Wl ::: m.~:.. -- . .. . ,,. : R \ . ,.. . ;;. ,.' . . . . : ." ,., ,3. .*: .,. -: .... 2., ".

.f ,' t: y - .,  ; } ., ,  ?'... ~  ;  ::,: .

~,

<: ' ~-.:. . . u j?,'....,'. ,>h.:..... _. * - .; . ~, , . _

^

. . . .. , ' : - e .

/ ': ; . :.: ' T

. . Y.y!"6 lt;.. ,'O  :. e., . , . .. ... .. .. .

! ,t, ,'.1 *
f.

< J o : ~. :s ':b;Q,.,g... .b:.. /. ;. ..:l

..f . . .  : .i,.

.. 'j ,

) y.].p). '. _pi  ;;.: .g .. .;.y - ;1. ;. . . . . _ _ ' . U , ' .'**  ;*. -. *. *. ' . _ . . s. 7e. . ..; _ "*:. ... .-- .;

f..[M. , t

.g z . s .m

  • L. ::...a, r,

9; *.7 .it.n.o cc u .~ .:.,. .p

f $ d ." .. %,.' . *~

c.4:, : . . - ..

d

.n.... . . . . .- .:

'e a . ;. * *.

.'-.~

2u,').. .->......isE.'........:

'p:

,_.' :[ .:<: ; :~:." >... :: .. _ '.. : .

. +;: . :i <:=.. ; . . ;;n. q.,. ...r. 49.: :: h, %. ... 3 . ;. n. .; :. ~.

.a . s .

e .s ..;... . ...

e , :xMc.v...g.m  ;

.1 4 m. v:.e?i : :.

, .. z _. s . .  ;

3 y..

a

. ., ., y . , . , . . -. . f. .:.

,, w' W.qh'. l.

.. ti y ,, , .. '. Q.,p,p , , . ;e .,.; 3 . ,",,,j.e,...:.-

,.,,.. .s.,. .;,< , g ja. ..- . . .*. b. , :' . :. ,5'  ;, , , . " ',. , :s

^

Qk : : 5. . !d '

. ;* 3 * ' ll T..' I$ ^ ' ' : . ' !Y -

.. . . . . . l'\',. . . ' ' '~ '

h'.;. .Y ';  ?..$. h:g . $ E D.c* 3  ;.;W  !..: ... '.,;i; ' . : , ' . . .'#,

. ;.,[ g.,W.O.

\, h ,.f.

g . k. 3 . ' . '.'. ,

C.. [ ,)

. :,. . ' . : . . '[ (7.,:.:. '....*  % .' ;. t...k.t '. '...>. ' . . - c .5.}.,
s. . }. . . , MV 7 1., , ' ' ' . Oc '

,::c ' . ..;.h

--  : -: ~ , .:,...,.y, ,. . ...

+rn, - ',; . . .: . . .

9, :..

_.o. 1 % , m. ;.,. pw ,.q .. , 9: :

';'f....:..:,.,....,.

.;:.n,_ . g# ,,.,.>,I.-

,Q, _,@ . :..M;'.; 7. '.:(

. ,*-.: .,. .~y. .. ~ z. [ ' ;

- !{*: "1'.. L. .e.,..

Q . y ;n ! '), [ **.g '_...

h. .. .. . ,l:. . ; y. y,_ ,. ., , . . .a4'

.w.. ... . .

.g;q.y.l. , :,_ llk . :,.. ;  : . - .: . , .I. . . . . ' _ '; ,

[.' , ,l % . ; ' .:.; . _j

~ ,, .'_;' :4::c ',  ; g}. f .4. r.nv,

-; ... . ; g;n  :. ; ..? . . < '.  % _' . ' . ... . . .- .  ; - ,.* .\

.L.;

.. ; _ .- _i.

  • ......)_

? :n. fn: ..@;V % g u.::p. . .e.;y * . - . :'. ::. . . o%' - .' '. *

.: y ~.g;:

.ai .:1.< .. , : ,

_._..v.  ? .-..  : s_, _ . ;; .,,e ,', %. ..1: . 4 'y. .'. '

_. '.; ,: . . : z .:

,_'.); . ) . i .:: i'. l,  :.

. ,f 0. : ,, .-" r ': ?. ' E A.' ..:,l \ - l . ': < ':;;).^ . ' '
  • i *'. . , : :.' ' '
  • _ . . .' . C_

r..F7j,;yg.'.;s..;. y '. "; W ).> ..f.c ... f* q:. ,.1.q v. s .";>. %i .'. g. .. .".,  : S.

as. c M  ;~9

. , . . .
: .. . * .
  • e - . .

-.'.,..~,

.- .. ~r.,  !  : y- ,, .. . , ; .- - .. .
. .. . ^ , ,:

...' ' :. 1. ' ; . i- l...-

' ^

. f @ .?, '; ;f ',,.~g .a O. . ,'k .f.; ,

.%.,' .. , ;. ': : [ ; . ".", Q:.] f.. ;r. .* ' ..i ' %;;'S ;, . ; '.,.. .

' M

, . . . _A . '.;. .: ,,x.. h,. ; *. .;:., . ,. .. _. .. -, -

_c

.*'.[,...:m,.' . . . . ., . ': . :;._ .p_ , - _. . .

' i.' 3
2 ;;i. -l/ .yi.',,._..[.j,.[ .e. ..'~ , ' '. ;' .:. : N . .;l,,. . . .- . * .

s,., .

t

^

.M .n ' .. .' '*; ; . .' j ' ,' . ., . \ " ' : N. .',* c.. l. ,

7: Q_ ' .. ,) ?

\: ."'n,.

sr 1 -

. + . . . " . 9 mL*'.,. . 34., m,.._.;".3......

- .3. /s.%.. .cy:.!g.. (5. W c . .. '. .l  ;. ..~.: ... ., ; g

.. ,#,,.#.< . , Jq . ,

f.

f. 3 . ' - }; _ . ,., . . .. .

.q. . ,.. _ , . -~ ': ..  : . ..,..; . .. ',_.

.; .).;.',..; .gf .p ., ', s .- .q .a,; . . -'%.,..\. ......_{c v.

o .

,..,:._ ; _a;.

r

,.,. s

Q.

b k .

.T 4 . .'s. k. M K' t .g. -_ .4:ll 4 .p , [ Q  ; , ..?);&,l: . - .;..  : _  :

' - .:. . , 'I. , ; ; , '. [ , . , . [_ n _ ': ..

. . ' .s.' j' . h. ]

W.r;.q.;Q.

.. c k  : , , , . ~ -

R. ;- . ' .. .j ft..*;,M . . .. . - q w.f. ',, :.f l'. ' ..::. ,.: .: '..s. .p .- . .

..,',,,' r.,....

? a . .

f' ..ql. .r . : . . ., :y fd. ;).7.;,'; , u.

,;.. ,'. ..f . ' e..  : q:;, ,;.G', .&);!. .;,9 _. x , .3_. . , . ' . i' f a

. :. .- .'".fv-

  • ' f;n.,p  :

,. : , . ,. ' .,; y '_ _ _ . _

c .- - yu u t...';. . _ f. : .-

'[.ff,f fl:[ .. l, j [ ,.le.. (. hq;% , ,1 [.:,

'h.)$ h^fl$.f $f l:\N.".f:_

.n. ; ; >;s  : kv h,sh  ;. x.  :

i: " 7%v ~.  : f:. nc-;>e- -

h ;. j ' ,f .-;. .. h"; .l , f.'. ~.; ' ' . u '

?. ;:

.n'.

t

' ; - L 'L'.'

[?a l

v. ; . . x r ,w  ; ;..,._ .w. ~. 3.' ..u w%. ...% 3.v'".'W.3 ',
. .
; + .x y + .

u:./J o.. 'w

.- . ...r-

-*3,'..4  : - ,.- .

.;A d> v. s v ., " .',:..' .' l. .- . . . ,. sp s..,_

f,y .f,g . ' .<.  : ..., ., ..;;.".,,,s,,

,;.- ;:' ":-':-7-:

c. ..-

r s . .... . -;

q _ . ,".,.),.xW:.q;lj}.}%,rg;iiy*t,m,;

,,.a','**g

.. ;; , ,". y ,g'.'.g'z y.

..gs l. ..... . ; .. . . . , .

Wd* j 's.4 f. . c.w i. - ,,pj @ly:)j@v

, " o is

.4 j,.Q,- {i.

l ' ' ' -,. N

.+ ; en v. % gj. cn(.,f,a . w.,mg e ,g,.. ,f,f .p .Q( . , 'x,. .

, ...f/,,'-,.en, ,l yf,,' f. id,(',  ; -'. ..j. .n/[...n. ,. ,;";. , -_.;.N

- .i..L. .II- .. '~;., . d,_., .,;._:. ,

.l,.,. .. C .. .E.,- , . , , , . -

d 2-dC . L' i. ' U ' ' I . . . . . '.-

9308030165 930726 . _U ' ' ;E ! ~ J. E . ? i :'  :

PDR ADOCK 05200003 G@[D, . -

  • b . % '. . l ' ..T L
    . - '~ "

"" /

A %j Y.i:: .l .&.. ' ' ? ' ." - s~' .'.J'~-

PDR L O. . . . C'L.'W: 7 L 9 .. .. .,

I'

~n m '

% g;

\  ;

, %hk<,"fg y >

xs x i

+

1

  • fe ,W 3

. > bQ e

r h'l3

)

,.Gis,w Wo.;,@.% ,

t WJ,t

~.a 4 EMM g ,

y  ?- m >

< y ,

, , -p

.c e ,

n. s .

d

- w-,mwn

se >r " > s a, + Q w a w ,

v -

. 3a

.V' .>.. '9. ) ; ;A

,r , ,

d t 4 'A' s 1 , , i . (

. .)

h' j} *

,,h

.my

. o y ~*

w'. . ,c '

B j

. h1 1 '

g '. \

i , ,, -si

.-i>- ,*4

.s,

. h', 'k gh :4.s k'$$ t. S &h >h~kgr&'- ( h & j '.- &'i .

, , ,  %, .xm -q vus wc

' w ,v 3

.h r

'd '.-J s

^ '~ -

-:s ,

- - - &. 3 -

9.. N

  • ' , ' ,. V

'i g .

C -

,g.

.+

_1.

A &.f g- .f

  • w rg ,'A ? l j f.m .1, _m 4

u-f t =

u+

a j.. ,

Q

% + b, _ ' ..JL y,_ m
Jgj i

,w,-

$n st

.p s ,

y .. ,

= p./ ) .. $f .,.

,ow g&g,iOl .

g gi n ifs ?\

~

I*"T

. .i-~ ,

a

~.-

I

,, , ,, ;m g x:mM1., 4 4e 4

, m:

g yhj i /N

' : '-- =

y

^

r f-

'g-S 4 db

,] ' T M" IM',

[/ , fMQ p ' Q~ki.f y? '

'Qm. m a ,

1

%q / Wc if dk > '%; g ?ca. i

, a f. g $;l6g 5 C

e y tg <

Qe {wm9nm T "mr"- n"v m ,

e

, g~ ,  % c 4 +. , ,~ .Amg: ,gf,>;.g'y

-.h,J c

[,Il y ' N V Jf! h$ {p k entp$ [.,h'p

- x ..- , 4.o 4 y p

s y

~

p.h 3

m's ,% , , s . , ,

gm m.

, yy, +

.. , g q' y, ,,;gfc~yDygggn y q ., ~

y- -

. . ;;. > +

7 d[yQR j ;gy yy

-a q y g, ?." - -

y3 y y %k [, . g .py yll <

, y m

~ D <

, g"i ,%M 'WW %gy$ t f..l mx. . ,%

m. -. .

4-&g r,

.yw w r7c,.x O

-p wgl . n 4

y W,

%<wM$ygr 3 x g.m36 y

g i

,,7 a --

+

.%. . . . .;.y -

,  :. ~. r , ~ ~

m e,

g &Y.d ' " 'l r s ,j > r Q: - - , ' pqtf ,']. ' - f: ;* ^  ;

g 3R , ~ , W;-  %. %(, '

L&, < - p;no.ypp f 2 L_ '" vn: ' WN.cA.

.- " '.a , 1. Mc m

, ,omx- -. -

. h, e W}yL ,

.e A,m>s g a,fy ;,.-

- y.

un n ~g y u v-a.u n.m. p;c.. m

,r, c' m y r..F'f

-Q. ,.y > f r. 2 h g

$yJ

.ty d,.*,.y,) vyM, 4cs t

<y(' '

, ' '

  • Q.

'~

,QU [;&.D V W

__ E F j. ,3 [ .7, 1; 1 * '>?' j g..r .

':h h a> _ N-t {f. - ;} .M '

. Jg ,

, .a

, h. . f ygp gn'k h 2[h. .

e . h;') ..m , .h-), # N ;b

.L I' [~ , +, ., [

~y

,,,n- .a s 3 t

f,,

s lgfww w ay %ll gy s..

ff mfpegf JM ~

_ mam oww ,,,

1g jl

.m ,

s l  :

m1 a

, -y . .

s

. -5 ,

s gpMy g.

a .n n Q"i V w&;l.; ,llf *

" }'y i F'I@y}u Q Q , v. ,j gw 8

4 <

l wp.'.

x

, m

+L ,4

, y ' g,- Q F.T. qM. Q. pw m )

u~ c , , . .:/ .. ,

gJ '

m % $QN - R i") -

"?

y. Nf; 'i @&f Qp$!

h j % $ ] $}Q:.$'9 gg we m _

yj a w%%p, hh "

][{

,d ww& .

JH

.w P;q-M ,}e+

e d&yW; W;W>

, t S Q@.g?fp Qhq  ; %r?g UQ:

+ , . >

e2 Ww2%e q a-%e 3,'

s' 30 h,'- n}

c. '

y&m,w k M..& x y;y,}f' l%; , v.Y : tffi ;f..

y,Y ". , , .

7 7 M q.r n

r yy; 3.

w. ,

s

gy .gy e gy mm s y ,,9
g .a K,g %y ,

Q -

, , , b Qh

' ~"

t w y_ hg[yn w ~:e nM $ r."@ p%f h ,g ]

Wy.

s

. y, me ev y

n'.,

y

?

mN w a%e g 'gs :su n e wW.

v JW- a- Q

~

m -

g:;pe g,  ;; g - : y

- 4 ;;a w :, L e ~ ;Qg%(p g:; g;fsy y &y 9 I

&&, 4:g s ,

9300030165 930726 PDR ADOCK 05200003 kpg %f VI doe. i y v

A PDR  % .s

- __m . _ __ , . . d

\

WESTINGHOUSE CLASS 3 WCAP-13634 Westinghouse Proprietary Class 2 Version Exists as l WCAP-13633 i AP600 Instrumentation and Control Defense-in-Depth and Diversity Report ,

I P

E (C) WESTINGHOUSE ELECTRIC CORPORATION 19_9,3 A heense is reserved to the U.S. Govemment under cxmtract DE4C03-90SF18495.  ;

O WESTINGHOUSE PROPRIETARY CLASS 2 l This document contains informabon propnetary to Westmghouse Electne Corporabon: it is submitted in confidence and is to be used solely for the purpose for which it is fumished and retumed upon request his document and such informabon is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part uthout authorizaban of Wesbnghouse Electne Corporabon Energy Systems Busmess Unit, subrect to the legends j contained hereof.

GOVERNMENT LIMITED RIGHTS:  !

(A) These data are submitted with hmited nghts under Govemment Contract No. DE-AC03-90$F18495. These data may be reprodJced and used by the Govemment uth ths express limitatson that they mil not, ethout wntion permiseen of the Contractor, be used for purposes of manufacturer nor esclosed outside the Govemment; except that the Govemment may deciose these data outards the Govemment for the following purposes, if any, provided that the Govemment makes such declosure subject to prohitHtion 89amst fl.rrther use and dadosure:

(!) This 'propnetary data' may be disclosed for evaluabon purposes under the restnchons above. '

l (11) The 'propnetary data

  • may be dscioned to the Electne Power Researth Insutute (EPRI), onectne utitty representabves and their droct consultants, excludng droct commertzal compettors, and the DOE National Laboratones under the prohibibons and restnetions above. J (B) This notice shall be marked on any reproduchon of these data, in whole or m part. -l

@ WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

EPRI CONFIDENTIAUOBLIGATION NOTICES: i NOTICE: 1E 20 3 04 Os O CATEGORY: A EB DC ODDE OF O O DOE CONTRACT DELIVERABLES (DELIVERED DATA)

Subject to specified exceptons, disclosure of this data is restncted until September 30,1995 or Desegn Certrheaten under DOE contract DE-AC03-90SF18495, whichever is later.

Westinghouse Electric Corporation i Energy Systems Business Unit Nuclear And Advanced Technology Division P.O. Box 355 Pittsburgh, Pennsylvania 15230

@ 1993 Westinghouse Electric Corporation

' All Rights Reserved i

i

p WESTINGHOUSE PROPRIETARY CLASS 3 l t

AP600 Instrumentation and-Control  !

Defense-in-Depth and Diversity Report j t

i l

ACKNOWLEDGEMENTS i The author wishes to expmss his appreciation to the many people who helped in the preparation  !

of this repon, but especially to Stan Kihm for preparing the numerous figures that are included l in this document and to Andma Sterdis for her help in the final editing of this document. l I

i i

i I

r I

i

[

t k

i a

I s

. Revision: 0 GW-J1R-004_ i June 30,1993 -l i -l I

1 5

1 WESTINGHOUSE PROPRIETARY CLASS 3 l AP600 Instrumentation and Control '

Defense in-Depth and Diversity Report Table of Contents: l:

r 1.0 1 l

1.1- Scope 1 i 1.2 Preface 1  !

1.3 Summary and Conclusions .2 j 1.4 List of Acronyms 3 l 2.0 AP600 Instrumentation and Control Architecture / Systems Description - 5-

2.1 Architecture Description - 5 -- -l l 2.2 Pmtection and Safety Monitoring System Overview . 6 l l 2.3 Plant Control System Overview 7 l 2.4 . Diverse Actuation System Overview 7 I 2.5 Data Display and Monitoring System Overview . '8 l 2.6 Conformance to the NUREG-0493 Echelon'of Defense Stmettre and to the NUREG-0493 Block Stmeture 8, 3.0 Definitions 24  !

l 3.1 Defense in Depth 24 j l 3.2 Echelons of Defense 24 l 3.3 Channel 26  !

3.4 Instmmentation System 26 i l

3.5 Diversity 26  !

3.5.1 Signal Diversity 27 i 3.5.2. Equipment Diversity 27 j 3.6 Common-Mode Failure - 27 3.7 Anticipated Operational Occurrences -27 l

4.0 Defense-indepth features of the AP600 instmmentation and control architec- [

ture. 29 l

' 4.1 Introduction "29.  !

4.2 Definition of Common-Mode Failures-- 29 -l 4.3 Overall Instrumentation and Control Fault Tolerant Design Features. 30 -

i i

Revision: 0 - GW-J1R-004  !

June 30,1993-ii

]

i t- I i

r W'. 'j

WESTINGHOUSE PROPRIETARY CIASS 3 AP600 Instrumentation and Control Defense-b-Depth and Diversity Report 5.r Discussion of Compliance of the Instrumentation and Control Architecture to l Oction 2 of NUREG-0193, " Technical Discussion" 33 5.1 Introduction 33 5.2 Compliance w.:th section 2.1, " General Principles" 33 5.3 Compliance with section 2.2, " Problem of Multiple Failures" 35 5.4 Compliance with section 2.3, " Separation and Diversity ofInstmmentation Systems" 35 5.5 Compliance with section 2.4, " Alternative Approaches". 36 5.6 Compliance with section 2.6, " Block Concept". 37 6.0 Discussion of Compliance of the Instrumentation and Control Architectum to Section 3.3 of NUREG-0493 38 6.1 Introduction 38 l 6.2 Guideline 1 - General Requiiements (3.3.1 of NUREG-0493) 38 l 6.3 Guideline 2 - Me6ad of Evaluation (3 3.2 ef NUREG-0493) 39 l 6.4 Guideline 3 - Postulated Cc,mnon-Mode Failure of Blocks (3.3.3 of i NUREG-0493) 39

! 6.5 Guideline 4 - Use ofIdentical Hardware and Software Modules (3.3.4 of NUREG-0493) 40 6.6 Guideline 5 - E"ect of Other Blocks (3.3.5 of NUREG4)493) 40 6.7 Guideline 6 - Output Signals (3.3.6 of NUREG-0493) 41 l

6.8 Guideline 7 - Diversity for Anticipated Operational Occurrences 41 <

6.9.1 Control / Scram (3.3.8.1 of NUREG-0493) 42 6.9.2 Control /ESF (3.3.8.2 of NUREG-0493) 42 6.9.3 Scram /ESF (3.3.8.3 of NUREG-0493) 43 6.10 Guideline 9 - Plant Monitoring (3.3.9 of NUREG-0493) 43 i

7.0 Evaluation of diversity within the AP600 Instrumentation and Control Architec-i ture 45 i 7.1 Introduction 45 7.2 Diversity Overview of the AP600 Instrumentation and Control Architec-ture 45 7.3 Reactor Shutdown 46 7.4 Reactor Coolant System Inventory Control 47 7.5 Core Decay Heat Removal 50 7.7 Containment Isolation 52 Revision: 0 GW-J1R-004 June 30,1993 iii

i WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control  ;

Defense-in-Depth and Diversity Report 7.8 Event Scenarios 52 80 References 55 Appendix A - Diverse Actuation System Description A-1 ,

A.1 Automatic Actuation Functions of the Diverse Actuation System A-1 A.2 Manual Actuation Functions of the Diverse Actuation System A-2 A.4 Isolation of the Diverse Actuation System A-3 .

Appendix B - Defense-in-depth, Diversity Block Diagrams B-1 i

i  !

l 1

l  !

l i

t I i l

4 4

i Revision: 0 GW-J1R-004 l

June 30,1993 I

iv l-

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report Figures:

11 Figure 2.1 - AP600 Instrumentation and Control Systems Interactions 12 Figure 2.2 - AP600 Instmmentation and Control Architecture Figure 2.3 - AP600 Instrumentation and Contml Echelons of Defense 13 Figure 2.4 - NUREG-0493 Block Structum - Safety-Related level of Scram (Reactor Trip) Echelon 16 Figum 2.5 - Cabinet Locations - Safety-Related Level of Scram (Reactor Trip)

Echelon 17 Figure 2.6 - NUREG-0493 Block Stmeture - Safety-Related level of ESF Actuation Echelon 18 Figure 2.7 - Cabinet locations - Safety-Related Ievel of ESF Actuation Echelon 19 Figure 2.8 - NUREG-0493 Block Structure - Nonsafety-Related Level of Plant Control Echelon 20 Figure 2.9 - Cabinet Imcations - Nonsafety-Related level of Plant Control Echelon 21 Figure 2.10 - NUREG-0493 Block Stmetum - Diverse Actuation System level of Scram (Reactor Trip) and ESF Actuation Echelons 22 Figure 2.11 - Cabinet Locations - Diverse Actuation System level of Scram (Reac-tor Trip) and ESF Actuation Echelons 23 Figure 7.1 - AP600 Instrumentation and Control Systems Diversity Architecture 53 Figure 7.2 - AP600 Diverse Instmmentation and Control Stmetum 54 Tables:

I Table 2.1 - Assignment ofInstmmentation and Control Equipment to Defense-in-Depth Echelons 14 Revision: 0 GW-JlR-004 -

June 30,1993 v

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 1.0 Introduction 1.1 Scope This report describes the diversity and defense-in-depth features of the AP600 instrumentation and control architecture, following the guidelines outlined in NUREG-0493.

1.2 Preface Since January 1979 when NUREG-0493 (Ref.1) was issued, the instrumentation and control architecture for Westinghouse Pressurized Water Reactors has undergone refinement in both the systems architecture aspects of the overall design, and the detailed design of the instrumentation and control cabinets. Experience gained fmm upgrading the instrumentation and control of domestic plants, providing instrumentation and control systems for overseas plants, and pmviding instrumentation and control for non-nuclear applications has been incorporated into the AP600 instmmentation and contml design. The ALWR Utility Requirements Document has provided valuable industry guidance which has also been incorporated into the design. Also, modem statistical tools have been applied to analyv.e the instrumentation and control design within the context of overall plant risk assessment, and these results have provided insight into design performance considerations. As a result of these factors, the AP600 Instrumentation and Control Design has evolved beyond the RESAR-414 design which was evaluated for NUREG-0493.

Changes beyond the RESAR-414 design have been incorporated into the AP600 Instrumentation and Control Architecture that must be considered in the diversity assessment:

1) PRA methods are used to consider the role of both safety-related equipment and nonsafety-related equipment in the prevention and mitigation of transients and faults. For the AP600, this consideration has been reflected in the overall design of the AP600's plant systems.
2) The nonsafety-related Diverse Actuation System provides a reactor trip and engineered safeguards features actuations diverse from the protection and safety monitoring system.

This system is included to support the aggressive AP600 risk goals by reducing the probability of a severe accident which potentially results from the unlikely coincidence of postulated transients and postulated common-mode failure in the pmtection and control Revision: 0 GW-J1R-004 June 30,1993 1

4- e- - er

i WESTINGHOUSE PROPRIETARY CLASS 3 l

AP600 Instrumentation and Control j Defense-in-Depth and Diversity Report I

systems.

The protection and safety monitoring system is a safety-related instmmentation and control system that is included in the AP600 instmmentation and control architecture to address the design basis events outlined and described in Chapter 15 of the AP600 SSAR. The protection and safety monitoring system is designed to meet plant licensing requimments by including design features such as: redundancy, functional diversity, fail-safe design, continuous self-diagnostics, an integrated automatic tester, circuit isolation, and a design, verification, and validation process. The fault tolerant features of the protection and safety monitoring system 1 are described in section 4.3. The diverse actuation system is a nonsafety-related instrumentation i l and control system that is an expanded version of the AMSAC in present generation  ;

l Westinghouse nuclear power plants. The diverse actuation system is included to enable the l AP600 instmmentation and control architecture to meet reliability goals in the AP600 j Probabilistic Risk Assessment for analyzed events, where the protection and safety monitoring l system is assumed to fail as a result of causes beyond design basis, such as common-mode j failure. l The diversity assessment in this report concentrates on system diversity and plant response on l the strategic level to transients and faults.

1 i

1.3 Summary and Conclusions i 1.3.1 The AP600 Instmmentation and control architecture complies with l NUREG-0493, in particular, Section 2, " Technical Discussion", and Section 3.3 l

  • Guidelines", which contain guidelines, requirements, and recommendations.  ;

1.3.2 The analysis to protect against common-mode failure in the AP600 instrumenta-tion and control architecture was done as part of the Probabilistic Risk Assess-ment (PRA). In the PRA, failures of the instmmentation and control architecture,  !

including common cause failures, were analyzed. This analysis of the AP600 instmmentation and control systems is described in the PRA in Appendix C20,

" Protection and Safety Monitoring System, Plant Control System",- Appendix Cl2, " Diverse Actuation System", and Appendix E.3.4.6, " Evaluation of Common Cause Failure forInstmmentation and Control." The conclusion is that the AP600 instmmentation and control architecture is, by PRA analysis, sufficient to meet probabilistic safety goals.

Revision: 0 GW-J1R-004 ,

June 30,1993 j 2

l i

l WESTINGHOUSE PROPRIETARY CLASS 3 ,

i AP600 Instrumentation and Control Defense-in-De-pth and Diversity Report  !

i i

1.4 List of Acronyms -

ADS - Automade Depressurization System  ;

i AMSAC - ATWT Mitigation System Actuation Cabinet j ATWT- Anticipated Transient Without Trip j CMF - Common-mode Failure L CMT - Core Makeup Tank _

f CRDMS Control Rod Drive Mechanism l CVS -

Chemical and Volume Control System -

DAS - Diverse Actuation System i i i DDS - Data Display and Processing System l l

l EMI/RFI Electromagnetic Interference / Radio Frequency Interference  !

l l ESF Engineered Safety Features i

ESFAC Engineered Safety Features Actuation Cabinets r FWS - Startup Feedwater System L  ;

HVAC- Heating, Ventilation, and Air Conditioning -

l t i IEEE _ - Institute of Electrical and Electronic Engineers IRWST - Incontainment Refueling Water Storage Tank  !

MMI - Man-Machine Interface i

Revision: 0 GW-J1R-004 )

June 30,1993 .j 3 'l

)

=_- - .- - .-. - . - _-= - .. . - .

I WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report l l

I i

PLS -

Plant Control System j

! i l PMS -

Protection and Safety Monitoring System  !

l PRA - Probabilistic Risk Assessment l i  :

i PRHR HX Passive Residual Heat Removal Heat Exchanger  ;

l l  !.

PCS -

Passive Containment Cooling System  ;

I PXS -

Passive Cor: Cooling System l 1

RCS -

Reactor Coolant System .j I

RNS -

Normal Residual Heat Removal System i

SSAR - Standard Safety Analysis Report  !

i i

l i

i J

Revision: 0 GW-J1R-004

- June 30,1993 4

1 1

l l

I

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 2.0 AP600 Instmmentation and Control Architecture / Systems Description 2.1 Architecture Description The instrumentation and control systeme and functions have been stmetured into the architecture shown in figures 2.1 and 2.2. Figure 2.1 is a simplified representation of the AP600 instmmentation and control architecture that illustrates the interactions between the instmmenta-tion and control systems. Figure 2.2 shows the same instrumentation and control systems and their interfaces in greater detail. In this architecture, related functions are grouped into cabinets and then these cabinets are connected into systems by means of hard wird conductors, datalinks, and data highways. The cabinets also communicate plant data between systems thmugh a plant wide data highway termed the monitor bus.

The instrumentation and control architecture is arranged in a hierarchical manner. Above the monitor bus are the systems whose purpose is to facilitate the interaction between the plant operators and the instrumentation and control systems. These are the operations and control centers system and the data display and processing system. Below the monitor bus are the systems and functions that perform the protective, contml, and data monitoring functions. These are the protection and safety monitoring system, the plant control system, the incore instrument system, the special monitoring system, and the diverse actuation system.

The special monitoring system and incore instrumentation system do not pmvide any functions directly related to the control or protection of the plant and are therefore not discussed in this document.

The operations and contml centers system defines the arrangement of the main comi room, the remote shutdown area, the layout of the main control room workstations, we remote shutdown area, and contains the design process for the layout, and content of operating and safety displays, alanns, controls, and procedures for the preceding man-machine interfaces. The man-machine interface functions developed under the operations and control centers system are

covered in the appropriate instrumentation and control systems such as the protection and safety monitoring system, plant control system, diverse actuation system, and data display and j processing system.

Revision: 0 Gw.31R-004 i June 30,1993 1

5

1 f

i WESTINGHOUSE PROPRIETARY CLASS 3 i

l AP600 Instrumentation and Control Defense-in-Depth and Diversity Report l 2.2 Pmtection and Safety Monitoring System Overview 1

Located in the lower left of figure 2.2 is the safety-related protection and safety momtonng system. The protection and safety monitoring system provides actuating signals to the reactor trip breakers and to the engineered safety features equipment in the event of an accident. The protection and safety monitoring system also processes plant parameters and pmvides qualified plant displays for post accident monitoring.

The pmtection and safety monitoring system contains the:

Integrated protection cabinets that contain the reactor trip subsystem, the engineered i safety features actuation subsystem and communications subsystem. These cabinets,9eir l' related sensors and the reactor trip switchgear are four way redundant.

Engineered safety features actuation cabbets that perfonn system-level logic calculations for the initiation of engNeered safety features such as safety injection. They receive inputs from the integrated protection cabinets and the control room. These cabinets are four-way redundant.

Protection logic cabinets that provide the capability for on-off control of individual plant loads for the Class 1E applications such as the ESF functions. They receive inputs from i the engineered safety features actuation cabinets and from the control room via the main  ;

control room multiplexers. These cabinets are four-way redundant. '

Qualified display processing system cabinets that receive inputs from qualified input l signal cabinets and process accident monitoring data, including inadequate core cooling indication. This data is displayed in the Main Control Room and Remote Shutdown Room in qualified video display units. These cabinets and their related sensors are two-way redundant.

Further description of the protection and safety monitoring system is contained in Chapter 7 of the AP600 SSAR and in WCAP-13382, "AP600 Instmmentation and Control Hardware Description." (Ref 2) l Revision: 0 GW-J1R-004 June 30,1993 6

~~~

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation Defense-in-Depth and Diversity Report and -Control Plant Control System Overview i ht of the protection and safety monitoring 2.3 fh The nonsafety-related plant l ontrol system control system is the Theis toautomatic plant r g regulation o t e the system control se to load changes.

system in figure 2.2. The purpose lant'softransient the p antperformance.

c ides The plant control reactor and other key components h in respon ating limits. Thet eplant maximizes margins to plant safety limits and p control system prov l functions.

system maintains the plant t defense-in-depth conditions within oper automatic and manuafety-the instrumentation and control to supporThe plant contro The plant control system contains: f nctions to the integrated protection l

Integrated control cabinets that tion and control.

perform simiar u These t l include re cabinets for theSubsystems nonsafety-related that interact with instrumentacontr the integrated con and pressurizer heater controller.

i turbine steam bypass control. off cabinets are rod control of individual plantcontrol, rod Control logic cabinets that provide the capability for on-loads for the nonsafety-related plant control functions.(M Rod control cabinets and rod drive r motor-generator and power to move the control rods on the reacto . ition of the c Rod position indication cabinet that monitors the pos ower to Pmssurizer heater controller that regulates the ac p heater.

ts that are identical or similar to those The Plant Control System i uses equipment and componenS used for the Protection and Safety 0 SSARMonitor ng system is contained in Chapter 7 of the AP60 Diverse Actuation System Overview d to the right of the plant control system 2.4 i

stem is to provide alternative means of The nonsafety-related diverse actuation GW-J1R-004 system Revision: 0 June 30,1993 7

WESTINGHOUSE PROPRIETARY CLLSS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report initiating the mactor trip and some engi to the operator. The diverse actuation neered safety features, and providing plant infor mation dedicated sensors. Thereceives system diversesignals fmm sensors actuation in the plant controlsy tsyste plant control system s em and contains protection redundant and at signalm safety p oring system. rom the hardware and softwa The the diverse SSAR. actuation system is described funh 2.5 er in appendix A of this repon and Chapter 7 Data Display and Monitoring System w Overvie The data display and monitoring systemThe nonsaf n oring system is in the upper right of figure 2 2 workstations that pmvide man-machine interf ..

Display Generation ace functions includingng the followin Alanns Generation Computerized Plant Procedures Log keeping Historical data storage and retrieval Engineering analysis Data link server for off-site communication The functions of the data display and monit in the plant via the monitor bus. workstations thatng communicate 2.6 er and the otherinstrumentation ems and control sys 0493 Block StmetumConformance to the NUREG-04 e ense Stmeture and to the NUREG-defined in section 1.2.2 of NUREG-0493The 3.2 of NUREG-0493.

Figure 2.2and the theblock manner instmetum descr ure illustrates whi h h figure, the reactor trip and ESF c actuationinstrumentatio and r the NUREG-0493 echelons .

In this of defenset e i Revision: 0 echelons are divided into ng thethree levels con June 30,1993 GW-J1R-004 8

l \

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 2.3 Plant Control System Overview The nonsafety-related plant control system is to the right of the protection and safety monitoring system in figure 2.2. The purpose of the plant control system is the automatic regulation of the reactor and other key components in response to load changes. The plant control system ,

maximizes margins to plant safety limits and the plant's transient perfomiance. The plant control system maintains the plant conaitions within opemting limits. The plant control system provides the instmmentation and control to support defense-in-depth automatic and manual functions.

The plant control system also provides sensors for nonsafety-related plant monitoring functions.

The plant control system contains:

Integrated control cabinets that perform similar functions to the integrated protection

( cabinets for the nonsafety-related instrumentation and control. These include reactor  ;

control, pressurizer level control, pressurizer pressure control, feedwater control, and  ;

turbine steam bypass control. Subsystems that interact with the integrated control cabinets are rod control, rod position indication, and pressurizer heater controller.  ;

l Control logic cabinets that provide the capability for on-off control of individual plant  !

loads for the nonsafety-related plant control functions.

Rod control cabinets and rod drive motor-generator (M-G) sets that provide the control and power to move the control rods on the reactor.

! Rod position indication cabinet that monitors the position of the control rods.

Pressurizer heater controller that regulates the ac power to the variable pressurizer heater.

i The Plant Control System uses equipment and components that are identical or similar to those used for the Protection and Safety Monitoring System. Funher description of the palnt control system is contained in Chapter 7 of the AP600 SSAR 2.4 Diverse Actuation System Overview The nonsafety-related diverse actuation system is located to the right of the plant control system l in figure 2.2. The purpose of the diverse actuation system is to provide alternative means of i Revision: 0 GW-J1R-004 June 30,1993 7

l

r l

l WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control-Defense-in-Depth and Diversity Report

initiating the reactor trip and some engineered safety features, and pmviding plant information to the operator. The diverse actuation system receives signals from sensors in the plant control l

system and protection and safety monitoring system through isolation devices and dimctly from -

dedicated sensors. The diverse actuation system contains redundant signal processing units that use hardware and software that is different (diverse) from the hardware and software used in the plant control system and protection and safety monitoring system.

The diverse actuation system is described funher in appendix A of this mport and Chapter 7 of the SSAR.

2.5 Data Display and Monitoring System Overview The nonsafety-related data display and monitoring system is in the upper right of figum 2.2.

The data display and monitoring system contains the microprocessor-based engineering workstations that provide man-machine interface functions including the following:

Display Generation l Alarms Generation  !

Computerized Plant Procedures  !

Log keeping l Historical data storage and retrieval ,

Engineering analysis Data link server for off-site communication The functions of the data display and monitoring system are provided by means of engineering workstations that communicate with each other and the other instrumentation and control systems j

in the plant via the monitor bus.

2.6 Conformance to the NUREG-0493 Echelon of Defense Structure and to the NUREG- - ,

0493 Block Structure .

The AP600 instrumentation and control architecture conforms to the echelon of defense structum defined in section 1.2.2 of NUREG-0493 and the block' structure described in sections 2.5 and 3.2 of NUREG-0493. Figure 2.2 illustrates the manner in which the individual AP600 l l

instrumentation and control systems support the NUREG-0493 echelons of defense. In this figure, the reactor trip and ESF actuation echelons are divided into three levels containing the Revision: O GW-J1R-004 -

June 30,1993-8 L ,

i~

u

1 WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report nonsafety-related systems, safety-related systems, and nonsafety-related diverse systems that provide automatically and manually actuated functions to suppon these echelons. Since manual trips and actuations are also provided within each of the three echelons, plant monitoring functions for these three layers are shown in parallel with the three echelons.

The functions assigned to the instrumentation and control systems are implemented by microprocessor based subsystems, which are placed within a structure of cabinets. Table 2.1, illustrates the relationships between these subsystems and cabinets and the block structure described in NUREG-0493. In this table, the assignment of equipment to the blocks is shown for each level within the echelons of defense.

Due to the nature of the microprocessor implementation, the demarcation between measured variable blocks and derived variable blocks lies within the software stmeture of a channel or function, these blocks are combined into a single column for purposes of defining hardware assignments. Additionally, a fourth column was added to identify availability of manual actions with the echelon of defense stmeture.

Figures 2.3 through 2.10 funher illustrate this stmeture, using the block diagram format used in appendix B. Figures 2.3 and 2.4 show how the subsystems used within the safety-related level of the scram (reactor trip) echelon correspond to the NUREG-0493 block stmeture and show the cabinet location of these subsystems. Figures 2.5 and 2.6 show how the subsystems used within the safety-related level of the ESF actuation echelon correspond to the NUREG-0493 block structure and show the cabinet location of these subsystems. Figure 2.7 shows how the subsystems used within the nonsafety-related level of the instrumentation and control architecture to avoid scram (reactor trip) and ESF actuation by maintaining plant conditions within operating limits correspond to the NUREG-0493 block structure. Figure 2.8 shows the cabinet location of these subsystems. Figures 2.9 and 2.10 show how the components of the diverse actuation system used for the scram (reactor trip) and ESF actuation echelons correspond to the NUREG-0493 block structure and show the cabinet location of these components.

Indications to support manual actions to maintain the plant within operating limits, trip the reactor, and actuate ESF functions are provided within the three layers of the instmmentation and control architecture. Nonsafety-related operator displays and alarms are provided by the nonsafety-related data display and monitoring system. Plant data for the nonsafety-related displays and alarms is obtained from across the instrumentation ind control architecture by means of the monitor bus. Safety-related operator displays are provided by the qualified display Revision: 0 GW-J1R-004 June 30,1993 9

WESTINGHOUSE PROPRIETARY CLASS 3 i AP600 Instrumentation and Control Defense-in-Depth and Diversity Report pmcessing system within the safety-related protection and safety monitoring system. And, ,

nonsafety-related, diverse operator indications are provided by the diverse actuation system. The  !

integration of indication functions into the instmmentation and control architecture is shown on .

figure 7.2.

i i

l l

l h

Revision: 0 GW-J1R-004 June 30,1993 10 f

s

OPERATIONS AND DATA DISPLAY AND CONTROL CENTERS SYSTEM PROCESSING SYSTEM iOPERATORjiCOMPUT- i: PLANT  : iDISTRIB. !

OPERATOR INTERFACE iDISPLAY :iERIZED  !! ALARM 'IUTED  !

DESIGN [ SYSTEM j!PROCED. !! SYSTEM
! PLANT  !

,  ! ((URES l[  !! COMPUTER l i :iSYSTEM i. i iSYSTEM :

. 3. .

MONITOR BUS m m m m

PROTECTION PLANT DIVERSE SPECIAL INCORE AND SAFETY CONTROL ACTUATION MONITORING INSTRUMEN-MONITORING SYSTEM SYSTEM SYSTEM TATION SYSTEM SYSTEM DIVERSE REACTOR TRIP AUTOMATIC AND REACTOR TRIP DIAGNOSTICS REACTOR CORE ESF ACTUATION MANUAL PLANT ESF ACTUATION AND MONITOR- DATA ACQUISI-MONITORING CONTROL MONITORING ING TlON SAFETY-RELATED FIGURE 2.1 AP600 INSTRUMENTATION AND CONTROL SYSTEMS INTERACTIONS FILE: FIG _2_1.DRW JJB 07/07/93 II

FI G U R E 2.2 _A P._60_ _0_.I.N_S.m_TR. _U M E. _NT. _A.T_I_O_ _N_.&_ C.._O. .N_T_R_O. ._L. A_R_ _C H_ _I_T_ _EC. _TU l OCS .CPERATIONS AND CONTROL CENTERS SYSTEM DOS . DATA DISPLAY AND PROCESSING SYSTEM i 7_ i-

- - - - R O M RT M E D - - - - - - ,- . il8- - - i. l i

,_1....
p .

i I

l I

ll O i, "]l --> 5 EL

- --4, '_

I.

l

,no com i I

=~: . .g I,1 J. '4i g

7 7 a 4 ==

g, ca l

lll ll . ji - 7,

= -

t,

=-

q a_

u

_= .-
~

.I l

jl

>- __j. ; ,

- __g __- =_

_.s _. _ / s l

1 i =, i..il' i  !

t._ __ . ._. _. ~. . ._, . I._l.l. ___ , _ , _ _ , . _ __o._ .___ .--

i 1

(

r---- -- - - - - - - - - - - -- - - - - - -

trONITOR BUS

-- a :-'--~~~ i-~

~F

~~' ~

~ ~~ ~ -~ ~ T 1 l

on oo mm "m' j e

e e

e ooyy_) --

C - ,

'. - M=

'O l

l

. I I - -

a,-_- l 1

[-d, l g *

  • l.

m 3 g

. 1 ,

i i I t i

/4__co:. =%.4 7, I y ' L l , l l.

j _.e ,

e I, .

j  ; (

j

- c.,

-;c I l

. t . l

  1. p . ,
  • ~" . , ,
  • 4. .==== a $h l l g lg l

.e_=

,,,,,, _ y. , ._ . ./ . l l

. l-

. e i

[

i~.

f.>o I

. r .r

e. .i I .

l

  • * ' " dE U
l. N t OfGEP l

i I,

M .E-8I.

i m.

e

<-__L_ '

_ !ptsi.#li' 9_Ili-! "

El E I, "_ _"_ [

,i

_;* l  !

I;m O.. , ,

! [jie dj  ! .I o+*k I, =l.,i -e i" o! o ooo e oes, !U , I o -

e j

l l e OAS - DIWft9E y 1 49 l t

  • PMS PROTECTION AND
  • PLS - Pl. ANT I ICONTROL SYSTEM lactuamN 8YN
  • SMS . SPECIAL l MONITORING SYSTEM 'I"=;* *l
  • i I. SAFETY

.._.. . _ . MONITORING _ . _ . _ . _ . _SYSTEM . _ . _ . - . - . _ . ~ . _ ._.a.. _ . - . _ . _ . - . n.. _ . _ .s._. _ . _ . _ . _ . - ..a . _ , _ . _ . .J File: APGARCH.ORW JJO - 01/12/93 2

12

] -- _- . _.

- . .-. - . - -~ .

i i i i LAYER 1 LAYER 2 LAYER 3 l l NONSAFETY DIVERSE, i SAFETY RELATED NONSAFETY i RELATED SYSTEMS REATED j SYSTEMS SYSTEMS ,

NUREG-0493 PLANT CONTROL CONTROL ECHELON SYSTEM

. (PLS)

NOTES 1 & 2 PROTECTION DIVERSE l NUREG-0493 j AND SAFETY ACTUATION REACTOR MONITORING SYSTEM TRIP T SYSTEM (PMS) (DAS)

ECHELON l

- NOTE 2 NOTE 2 NUREG-0493 AND SAFETY ACTUATION  !

ESF SYSTEM MONITORING i ACTUATION f SYSTEM (PMS) (DAS) 5 ELON NOTE 2 NOTE 2 t

PLANT DATA PROTECTION DIVERSE i

MONITORING DISPLAY AND SAFETY ACTUATION i (TO SUPPORT AND MONITORING SYSTEM l MANUAL PROCESSING SYSTEM (PMS) - (DAS) l ACTIONS) SYSTEM (DDS) l  ;

i CLASS 1E  :

SYSTEMS  !

NOTES:

1) THE PLS FUNCTIONS TO ENABLE THE PLANT TO MAINTAIN CONDITIONS  !

WITHIN OPERATING LIMITS AND ALSO PROVIDES AUTOMATIC AND  !

MANUAL ACTUATIONS OF THE NONSAFETY-RELATED DEFENSE-IN-DEPTH' l SYSTEMS  !

i

2) AUTOMATIC AND MANUAL ACTIONS PROVIDED IN THE PLS, PMS, AND DAS f i

FIGURE 2.3 AP600 INSTRUMENTATION AND CONTROL i ECHELONS OF DEFENSE ne no_2_3.onw aas . ostasies l 13 -I 1

5

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report Table 2.1 - Assignment of instrumentation and Control Equipment to Defense-in-Depth Echelons Echelon AP600 Function Measured and Derived Variable Command Block Manual Actions Blocks Nonsafety-related Not Applicable Not Applicable Not Applicable Reactor Trip Safety-related Sensors, signal conditioning, reac- Global trip, trip enable subsys- 11ardwired reactor trip to t t trip subsystems tems and dynamic trip bus, reac- reactor trip breakers (Scram) tot trip switchgear Diverse Sensors, signal conditioning, Output driver, rod drive Hardwired reactor trip to rod diverse processors motor / generator set drive motor / generator set Nonsafety-related Not Applicable Not Applicable Not Applicable Engineered Safety Features safety-related Sensors, signal conditioning, esf ESFAC's, logic bus, protection System level to ESPAC's; t subsystems logic cabinets Component level Actuation Diverse Sensors, signal conditioning, di- Output driver liardwired component level verse processors Revision: O GW-J1R-004 June 30,1993 -

14

.~ - . . _ . - - - . . - - . - . .. . - . . - _ . - . - . - . - - . . ~ . _ . - - . . - - - . - . , . . _ _ _-

WESTINGIIOUSE PROPRIETARY CLASS 3 i <

AP600 Instrumentation and Controi Defense-in-Depth and Diversity Report Table 2.1 - Assignment of Instrumentation and Control Equipment to Defense-in-Depth Echelons Echelon AP600 Function Measured and Derived Variable Command Block Manual Actions Blocks Nonsafety-related Sensors, signal conditioning. Output signal conditioning, output Manual rod controls; System (communications subsystem in selector, process bus, integrated level to be determined by PMS)', signal selector, control control cabinets, control logic MMI design:

Plant Control group subsystems cabinets Component level Safety-related NONE NONE NONE __

Diverse NONE NONE NONE Nonsafety-related Sensors, signal conditioning, (com- Monitor bus, alarm processors. Not Applicable munications subsystem in PMS)' display processors Plant Monitoring Safety-related Sensors, signal conditioning, com- Qualified operator displays Not Applicable munications subsystem, signal processing subsystems Diverse Sensors, signal conditioning Diverse display devices Not Applicable l

1. Used for safety-related sensors that provide isolated information to nonsafety-related systems.

Revision: O GW-J1R-004 June 30,1993 .

15

- - . . . - . _ . . _ - - _ - _ _ . _ - . . _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ . _ ____--s_ _ _ _ . . _ _ - - . - . - . . . . . - - _. ~ . - . _ . , . , ~ , . . . . - . _ - . _ . _ . . , - . . . , _ - . - . . - _ _ . _ _ . - -_ _ _ ._ _ _ _ . - -

af FIGURE 2.4 IS PROPRIETARY i

FIGURE 2.4 NUREG-0493 BLOCK STRUCTURE SAFETY-RELATED LEVEL OF SCRAM (REACTOR TRIP)

ECHELON FILE: FIG 2_4N.DRW JJB - 03/09/93 16

.. .- - , - . . - ~ . ... - .. - . , - . _ . - . _ _ . .

a,c L

FIGURE 2.5 IS PROPRIETARY FIGURE 2.5 CABINET LOCATIONS i SAFETY-RELATED LEVEL OF SCRAM (REACTOR TRIP)

ECHELON rnanoun.onw aas own3 17

1 a,C FIGURE 2.6 IS PROPRIETARY i

e FIGURE 2.6 NUREG-0493 BLOCK STRUCTURE SAFETY-RELATED LEVEL OF ESF ACTUATION ECHELON FILE: FIG 2_6N.DRW JJB -03/09193 18

- as l

l FIGURE 2.7 IS PROPRIETARY FIGURE 2.7 CABINET LOCATIONS SAFETY-RELATED LEVEL OF ESF ACTUATION ECHELON FILE: FIG 2_7N.DRW JJB 03/09/93 19

as FIGURE 2.8 NUREG-0493 BLOCK STRUCTURE NONSAFETY-RELATED PLANT CONTROL ECHELON FIGURE 2.8 IS PROPRIETARY

_ FILE: FIG 2_8N.DRW JJB 03/09'9:

20

a.:c FIGURE 2.9 CABINET LOCATIONS NONSAFETY-RELATED PLANT CONTROL ECHELON FIGURE 2.9 IS PROPRIETARY FILE: FIG 2_9N.DRW JJB -03/09/9:

21

- as l

FIGURE 2.10 IS PROPRIETARY FIGURE 2.10 l NUREG-0493 BLOCK STRUCTURE DIVERSE ACTUATION SYSTEM LEVEL OF SCRAM (REACTOR TRIP)

AND ESF ACTUATION ECHELONS Fil.E: FIG 2_10N.DRW JJB - 03S9/93 22

a,C 1

FIGURE 2.11 IS PROPRIETARY 4

FIGURE 2.11 CABINET LOCATIONS DIVERSE ACTUATION SYSTEM LEVEL OF SCRAM (REACTOR TRIP) l.

AND ESF ACTUATION ECHELONS FILE: FIG 2_11N.DRW JJB - 03 @9/93 4

23

= . . .. _ __ __ m_-- --_~ w < _. _ _- -. - . . . - - -.svn -,- ,~-n,--,-c. ~,--cw , , - - - - - --- ,-- .,.m, ... _ _ . _ _ _ _--

a WESTINGHOUSE PROPRIETARY CLASS 3 ,

1 1 AP600 Instrumentation and Control  !

Defense-in-Depth and Diversity Report l l

l l t l 3.0 Defmitions ,

\

! This section contains clarifications of terms used in this report that are defined in NUREG-0493. l These definitions are provided to aid in understanding of the report text, instrumentation and i

control architecture, and conformance to guidelines. The definitions and clarifications may vary l l from corresponding dermi Sns in NUREG-0493 as a result of development and evolution of the  !

l AP600 instmmentation and control architecture. Definitions as stated in NUREG-0.#93 are in i italics. i 3.1 Defense in Depth l The defense-in-depth includes, as a generalprinciple, designfeatures providingforplant i andpublic safety by the use ofoverlapping and redundant echelons ofdefense. l l  !

l 3.2 Echelons of Defense i

i NUREG-0493 provides definitions of three echelons of defense. The definition of each level  ;

is mproduced in the following along with a brief description of the instmmentation and control systems that accomplish the task. i i

Scram System.  :

)

l "The scram system consists ofsensors, signalprocessors, logic, and actuation initiation l l devices necessary to efect reactor trip or scram,- including essential auxiliary systems. '

This echelon ofdefense performs a safetyfunction. The scram system is also knorm as  ;

the reactor trip system. "  ;

The automatic and manual reactor trip functions performed by the scram system echelon of  !

defense is included in the safety-related protection and safety monitoring system. The nonsafety- ,

related, diverse actuation system also provides automatic and manual reactor trip capabilities.

ESF Actuation System:

"The ESF actuation system consists ofsensors, signalprocessors, logic, and actuation initiation devices necessary to efect thefunctioning of engineered safetyfeatures (for Revision: 0 GW-JlR-004

- June 31,1993 L

24 l

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control )'

Defense-in-Depth and Diversity Report i

example, auxiliaryfeedwater, containment isolation, emergency core cooling, emergency power), including essential auxiliary systems. This echelon ofdefense performs a safety function.  ;

The automade and manual ESF actuation functions performed by the ESF actuation system j echelon of defense is included in the safety-related protection and safety monitoring system. The ,

nonsafety-mlated, diverse actuation system also provides automatic and manual actuation- {

capability for a subset of ESF component actuations. The actuation initiation devices in this  ;

definition DO NOT INCLUDE valves, motor control centers, pilot valves or devices not contained in the instmmentation cabinets. These devices are provided by other systems. ' The l engineered safety functions provided include:  !

I maintain reactor coolant system inventory,  !

maintain core decay heat removal,  !

initiate containment cooling, initiate containment isolation.

A note in NUREG-0493 for paragraph 1.2.2.2 states: "* The scram system plus the ESF actuation system, taken together, are the " Protection System" defned in IEEE-279 and the I General Design Criteria. " The scram system and the ESF actuation system, included in the j Protection and Safety Monitoring System, taken together, am the " Protection System" defined  !

in IFER-279 and the General Design Criteria.

Control System  !

"The control system consists of allinstrumentation and control equipment not included in the scmm orESFactuation systems, including automatic and manualprocess controls, l presentations of information to the operator, plant monitoring system, and plant '

computer (s) that are notpart ofscram orESF actuation systems. This echelon ofdefense  ;

does not perform a safetyfunction, but is neverless imponant to the defense-in-depth .

principle. " l The function performed by the control system echelon of defense is included in the nonsafety-  !

related plant control system. The nonsafety-related plant control system normally functions to j l

maintain the plant within operating limits to avoid the need for a reactor trip or ESF actuation. ,

Revision: 0 GW-J1R-004 L June 31,1993 '

25 j

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report  !

Figure 2.2 maps these echelons of defense to the instmmentation and control systems of the instmmentation and control amhitecture. In this figure, a plant monitoring function to support manual actions is shown in parallel to the three echelons. The echelons are divided into a nonsafety-related layer, a safety-related layer, and a diverse layer to reflect the means provided by related systems to implement the functions of each echelon.

3.3 Channel "The channel is an arrangement of components and modules as required to generate a single protective action signal when required by a generating station condition. A channel loses its identig when single action signals are combined. "

In the instrumentation and contml architecture, the components and modules in the above i dermition can be hardware or software entities.

3.4 Instmmentation System "The reactor system instrumentation senses various reactor parameters and transmits appropriate signals to the control systems during normal operation and to the scram systems and the engineered safetyfeatures actuation system during normal, abnormal, and accident conditions. "

In this report, the instmmentation system includes the following systems in the instrumentation and control architectum:

Protection and Safety Monitoring System (PMS)

Plant Control System (PLS)

Data Display and Processing System (DDS)

Diverse Actuation System (DAS) 3.5 Diversity

" Diversity is the design approachfor achieving a reduced probability offunctionalfailure as a result ofpostulated common-mode failures, by providing di[ferent equipment as redundant backup. "

Revision: 0 GW-J1R-004 June 31,1993 26

i l

l WESTINGHOUSE PROPRIETARY CLASS 3 l AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report i 3.5.1 Signal Diversity

" Signal diversity is the use of diferent signals to initiate action, wherein either signal can independently sense the abnonnal condition to be protected against, even ifthe other signal fails in a common-mode failure (CMF). For example, overpower can be l independently measured by diverse signals such as neutron flux and reactor coolant l temperature rise. "

3.5.2 Equipment Diversity

" Equipment diversity is the use of diferent equipment to perform safety functions. i 1

"Diferent" means suficiently unlike as to decrease signifcantly the vulnerability to i common modefailures. "

t 3.6 Common-Mode Failure  :

" Common-modefailures are casually relatedfailures ofredundant orseparate equipment; i l

thus (1) CMF ofidentical redundant blocks in diferent channels or (2) CMF ofdiferent i subsystems or echelons of defense. In this report, CMF embraces all causal relation- ,

ships, including severe environments, design errors, calibration and maintenance errors, and consequentialfailures. "

For this report, a distinction is made between true common-mode failures and multiple failures.  ;

Common-mode failures are further discussed in Section 4.1 l 3.7 Anticipated Operational Occurrences ,

" Anticipated operational occurrences mean those conditions ofnormal operation which are expected to occur one or more times during the life of the nuclear power unit and

include... "

t Section 15.0.1 of the SSAR,

i l

Revision: 0 GW-J1R-004  ;

June 31,1993 t 27 f

, I l i l

t WESTINGHOUSE PROPRIETARY CLASS 3 ,

AP600 Instrumentation and Control ,

Defense-in-Depth and. Diversity Report  ;

3.8 Accidents ,

t f

t

" Accidents are defned as those conditions of abnonnal operation that result in limiting faults.... " l Section 15.0.1 of the SSAR, " Classification of Plant Conditions", provides the definition and discussion of Accidents.

i i

i i

l i

l i

i t

f I

I I

i 1

Revision: O GW-J1R-004 l June 31,1993 1

! 28  !

1 i i  !

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and _ Control  ;

Defense-in-Depth and Diversity Report  :

i i

t 4.0 Defense-in-depth features of the AP600 instmmentation and control architecture. 3 4.1 Introduction This section describes features of the instmmentation and control architecture that provide i I

redundant design, fail-safe design, and failure detection and repair. Design diversity is discussed as part of Section 7.0 of this document.  !

1 i

4.2 Definition of Common-Mode Failures {

i For the purpose of this report, common-mode failures are considered to be a set of identical or l related failures that occur within a limited time period, and ' fall outside of system design l capabilities for detection or mitigation of failures. The failures that meet this definition exhibit l l- the following characteristics: l

  • The failures occur in a sufficient number of places in the instrumentation and j contml architecture such that redundant design is ineffective in enabling the j j system to tolerate the failure,  ;

l

  • The failures are such that fail-safe design is ineffective in enabling the system to  !

tolerate the failure, i

  • The failures are undetectable, or they occur within a sufficiently short time period  !

that neither automatic nor manual responses are possible to enable the system to 'f tolerate the failures.

{

i I

l 1 i

Revision: 0 GW-J1R-004 June 31,1993 29 l

l  :

t

i WESTINGHOUSE PROPRIETARY CLASS 3  :,

AP600 Instrumentation and Control r Defense-in-Depth and Diversity Report Multiple failures are not necessarily the common-mode failures as defined in NUREG-0493, since an instrumentation and control system, or portion of a system, can be capable of tolerating '

sets of identical or related failures because:

1) Diverse design exists within the system.
2) Redundant design exists within the system  ;
3) Fail-safe design exists within the system i
4) The failure is detectable and sufficient time exists between instances of failure that  !

automatic or manual response to the failure occurs.

4.3 Overall Instmmentation and Control Fault Tolemnt Design Features.

l The instmmentation and control architecture contains design features whose primary intent is to l meet licensing requirements and to enhance plant reliability and availability. However, these l

features also provide a degree of protection against common-mode failures, and as a result 1 l decrease the probability that a common-mode failure will render a ponion of the AP600 l instmmentation and control architecture unable to respond to a transient or plant fault. Among these design features that protect against failures, including common-mode failure, are:

i The Design, Verification, and Validation Process - The design of the instmmentation and control systems hardware and software elements are controlled by a design, verification, and validation .

process that is described in WCAP-13383 (Ref. 3). This process is a formal, rigorous means to detect and correct design errors before they can result in common-mode errors in the plant.

l Use of a Distributed Processing Architecture - Instrumentation and control functions are divided among multiple microprocessor subsystems so that diverse functions are separated into different i microprocessor subsystems. This, in conjunction with other design features such as division independence, has the effect of localizing certain multiple failures to a single type of micropro-l cessor subsystem. For instances where functional diversity exists in the instmmentation and control architecture, complete system failure will not occur as a result of multiple failures.

i i

Revision: 0 GW-J1R-004 June 31,1993  ;

30 L

l l

l

i l l

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report j Redundancy - While red..ndant design of itself does not prevent common-mode failures, use of redundant subsystems can enable the plant to detect and respond to failures, including common-mode failures in tnose instances where sufficient time exists between occurrence of the individual l failures.

Modular Design - Modular design enhances the rapid isolation and repair of failures. . For r instances where failures, including common-mode failures, occur, but sufficient time between l failure instances exists for detection and mpair, modular design enables the redundant  :

subsystems to be available for response to events.  ;

1 Fail-Safe / Fault Tolemnt Design - Fail-safe design features in the instrumentation and control '

architecture, such as deenergizing to trip or actuate, provide the capability to, automatically or manually, put the plant into a safe condition following single failures and certain types of t multiple failures. Fault tolerant design features, such as functional diversity and redundancy, also  !

provide the capability to, automatically or manually, put the plant into a safe condition following .

single failures and certain types of multiple failures. -

Alarm system - The AP600 alarm system is capable of alerting the opemtor to failures, including multiple failures, in other parts of the instrumentation and control systems. The main AP600  !

alarm system is part of the data display and monitoring system, which uses different hardware and software from the protection and safety monitoring system and plant control system.

i Continuous Self-Diagnostics - In the AP600 instrumentation and contml Architecture, the microprocessor based subsystems continuously execute self-diagnostic software routines. Other self-diagnostic features, such as readbacks and watchdog timers continuously monitor operation of critical subsystems. These self-diagnostic features are designed to detect and report hardware ,

failures, enabling the operator to take action. l Integrated Automatic Tester -Integrated automatic testers rapidly and consistently verify system operation. The use of these integrated automatic testers enhances the timely detection of all failures, including common-mode failures. The integrated automatic testers also enhance the ability of plant personnel to quickly diagnose and repair failures detected by the continuous self-diagnostic features. 3 l

Circuit Isolation - Circuit isolation is used to electrically isolate segments of the instrumentation l and control architecture and to prevent propagation of electrical faults. This feature helps to Revision: 0 GW-J1R-004 June 31,1993 l 31 i

l

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report limit the propagation of faults caused by failures, including common-mode failures.

Control of Setpoint and Tuning Adjustments - The instrumentation and control architecture has physical and administrative controls and multiple levels of security for access to setpoint and tuning adjustments. This helps to prevent common-mode failure due to incorrect constants entered as a result of a maintenance error.

Use of Engineering Units for Setpoints and Tuning Constants - Setpoints and tuning constants in the instmmentation and control architecture are entered in engineering units rather than as scaled values. This eliminates a potential common-mode error by removing scaling calculations.

Signal Selector in the Plant Control System - The signal selector in the plant control system protects against failure, including common-mode failure, of sensor signals shared by the ,

protection and control systems. The signal selector alerts the operator to differences in output signals from redundant sensors. See WCAP-8899, " Westinghouse Model 414 Control Signal Selection Device." (Ref 5.)

Physical Separation - Physical separation is provided between the four redundant divisions of equipment for the safety-related protection and safety monitoring system, which in turn, is separated from nonsafety-related systems such as the plant contml system. Equivalent physical separation is also provided for supponing systems, such as electrical power. This physical separation pmvides pmtection from common-mode failures induced by physical phenomena.

Equipment Qualification - Equipment in the instrumentation and control architecture is qualified to environmental requirements, including tempenture, humidity, vibration / seismic, EMI/RFI, and surge withstand criteria commensurate with its safety classification and intended usage. The environmental qualification program provides assurance that physical phenomena will not introduce common-mode failures until design requirements are exceeded.

other Features - The instrumentation and control architecture also contains other design features, such as ac power line protection and filtering, EMI/RFI design, and surge withstand networks at signal conditioning board inputs, which will prevent failure from specific causes. Due to these features, the causes which would induce multiple failures must be in excess of design and qualification test limits.

Revision: 0 GW-J1R-004 June 31,1993 32

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 5.0 Discussion of Compliance of the Instrumentation and Control Architecture to Section 2 of NUREG-0493, " Technical Discussion" 5.1 Introduction This section contains a discussion of how the instmmentation and control amhitecture complies with and exceeds the design principles set forth in section 2, " Technical Discussion" of NUREG-0493. Since this section of NUREG-0493 is in a narrative form and contains examples, the corresponding discussion is this report is also in a narmtive form which parallels NUREG-0493.

5.2 Compliance with section 2.1, " General Principles" In this section, NUREG-0493 proposes three echelons of defense.

1. Designing, building, and operating the plant correctly, with the operating parameters maintained within their nonnal range.

While the discussion in NUREG-0493 extends to systems other than instmmentat9; and control systems, this document is limited, by its scope definition, to discuss instrumentation and control systems and their relationship to the other systems in the plant. The instmmentation and control system architecture conforms to the first pan of this guideline by implementing a man-machine interface design process as outlined in Chapter 10 of the ALWR Utility Requimments Document (Ref. 4) and described in Chapter 18 of the AP600 SSAR. The second pan of this guideline follows from the first, since proper design is a mquisite for proper operation. The instmmenta-tion and control systems that are provided to meet this guideline are the nonsafety-related plant control system (PLS) and data display and processing system (DDS).

2. Providing protection systems to place the plant in a safe shutdown condition when the limits are exceeded.

The safety-related protection and safety monitoring system (PMS) is provided to trip the mactor when plant operating limits are exceeded. This function provides for automatic response by using the reactor trip subsystems, trip enable subsystem, global trip subsystem, and dynamic trip bus in the integrated protection cabinets and the reactor trip switchgear. Manual trip capability is also provided. Operator information is provided by the integrated protection cabinets in conjunction with the safety-related qualified display processing system cabinets in the protection Revision: O GW-J1R-004 June 31,1993 33

l l

i WESTINGHOUSE PROPRIETARY CLASS 3  ;

l AP600 Instrumentation and Control l

! Defense-in-Depth and Diversity Report l l and safety monitoring system and by the nonsafety-related data display and monitoring system.

l i The non-safety related diverse actuation system also provides the capability of tripping the  !

reactor when plant operating limits are exceeded. This diverse function provides for automatic l response by tripping the rod control motor / generator set. Manual diverse trip capability is also  ;

! provided. The diverse actuation system also provides operator information on diverse display  !

l devices.  ;

3. Pronding engineered safetyfeatures to maintain essentialfunctions, like decay heat removal and containment isolation, under abnonnal conditions.

l The safety-related pmtection and safety monitoring system (PMS) also includes functions to  ;

automatically and manually actuate engineered safety features. This function is automatically actuated by the ESF subsystems in the integrated protection cabinets, the engineered safety features actuation cabinets, the protection logic cabinets, dedicated datalinks and data highways.

In addition, systems level manual actuations are provided which do not require the operation of the integrated protection cabinets, and component level manual actuations are provided which ,

use only the protection logic cabinets and' data highways. Operator information is provided by the integrated protection cabinets in conjunction with the safety-related qualified display processing system cabinets in the protection and safety monitoring system and by the nonsafety-related data display and monitoring system.

The nonsafety-related diverse actuatim system provides a separate and diverse means of -

l automatically and manually actuating s :lected engineered safety features. The diverse actuation system also provides operator informstion on diverse display devices. ,

Instmmentation and control to provide automatic and manual actuation of the nonsafety-related, defense-in depth plant systems that provide alternative means of performing ESF functions are - ,

provided by the nonsafety-related plant contml system. '

The issue of nonsafety-related system failures propagating back into the safety-related portions of the scram and ESF echelons is addressed by providing the signals that are transmitted from the protection and safety monitoring system to the nonsafety-related systems via isolation devices to prevent electrical failures in these nonsafety-related instrumentation and control systems from l pmpagating into the protection and safety monitoring system. This complies with the control / protection separation requirements ofIEEE 279.(Ref 10) Since the protection and safety Revision: 0 GW-J1R-004 June 31,1993

{

34 i i

i

\-

l WESTINGHOUSE PROPRIETARY CLASS 3

{

AP600 Instrumentation and Control Defense-in-Depth and Diversity Report l monitoring system does not use any data from nonsafety-related instmmentation and control  ;

systems to accomplish its tasks, data failures in the nonsafety-related instmmentation and control systems will not influence the operation of the protection and safety monitoring system. These ,

issues are discussed in section 7.1.4 of the SSAR. j The plant control system uses isolated sensor data provided by the protection and safety monitoring system to automatically control plant operation. A signal selection device, described in WCAP-8899 (Ref. 5), is provided to prevent a failure within the pmtection and safety monitoring system from initiating false operation in the plant control. system. This topic is funher discussed in section 7.1.4 of the SSAR.

5.3 Compliance with section 2.2, " Problem of Multiple Failures" The relationships among the three echelons of defense in the AP600 and their response to j i

multiple failures for various events is treated in section 7.0 and appendix B of this document.  :

For the purposes of this document, multiple failures are treated the same as common-mode ,

failures insofar as the resultant plant response is the same - failure of a layer within the echelons  ;

of defense as shown in figure 2.2. I i

5.4 Compliance with section 2.3, " Separation and Diversity ofInstrumentation Systems" ,

r This section of NUREG-0493 is concerned with the issue of common-mode failures and identifies four forms of diversity to address this issue:

a. Signal Diversity Signal diversity for specific events is provided within the safety-related level of the reactor trip ,

and ESF actuation echelons. The signals used to produce reactor trips and engineered safety featurer actuations within the protection and safety monitoring system are divided between two l reactor trip subsystems and two ESF subsystems within the integrated protection cabinets. i Appendix B contains figures that illustate the signal diversity provided for specific events, as  ;

l shown in tables 7.2-5 and 7.2-6 of the SSAR. ,

i l b. Equipment Diversity _

For the diverse actuation system, the hardware and software used to provide the automatic  !

i Revision: 0 GW-J1R-004  !

l June 31,1993 35

{

I l 1

l WESTINGHOUSE PROPRIETARY CLASS 3 l AP600-Instrumentation and Control Defense-in-Depth and Diversity Report j l

actions and pammeter monitoring will be diverse from the equipment used for elated functions .

l in the pmtection and safety monitoring system and plant control system. In addition, the reactor trip provided by the diverse actuation system will be accomplished by tripping the nonsafety-related rod drive motor-generator sets in the plant control system. This means is diverse from  !

the reactor trip switchgear used in the pmtection and safety monitoring system for reactor trip. l

c. Aspect Diversity In the diverse actuation system, energize to trip or actuate logic is used. In the protection and safety monitoring system, deenergize to trip or actuate logic is used, except where energize to -

trip is necessary to meet plant system design requirements.

d. People Diversity The Design, Verification, and Validation program for instmmentation and control systems, as ,

described in WCAP-13383 (Ref. 3), requims and specifies the use of independent review. It is i a requirement of the diverse actuation system that different people will be responsible for its design and fabrication, including verification and validation.

t 5.5 Compliance with section 2.4, " Alternative Approaches". l For the instrumentation and control architecture, guidance for addressing the issue of i

common-mode failure is obtained from the PRA which includes various common-mode failures in the numerical analysis, and addresses the issues involved in quantifying common-mode failure. ,

in the instmmentation and contml architecture, diverse equipment, in the form of the diverse actuation system, is provided to protect against common-mode failures within the protection and  ;

safety monitoring system and plant control system. Common-mode failure is treated as the complete failure of the protection and safety monitoring system and plant control system to -

protect against an event. In addition to the automatic actions provided by the diverse actuation l system, the manual reactor trips and ESF actuations pmvided by the protection and safety  !

monitoring system and diverse actuation system will be available. The diverse actuation system also provides diverse monitoring and indication functions for selected plant parameters in order to provide opemtor guidance in initiating any manual actions necessary to bring the plant to a j safe shutdown condition. t Revision: 0 GW-J1R-004 June 31,1993 36

?

I j WESTINGHOUSE PROPRIETARY CLASS 3 l AP600 Instrumentation and Control  !

l Defense-in-Depth and Diversity Report l i

Because the diverse actuation system is nonsafety-related, the supponing plant systems, such as  !

electrical power and HVAC, am different from the corresponding safety-related suppon systems  ;

used for the safety-related protection and safety monitoring system. This provides protection  ;

from a common-mode failure affecting both the diverse actuation system and the protection and safety monitoring system.

}

5.6 Compliance with section 2.6, " Block Concept".  !

The instmmentation and control functions have been designed using modular hardware and software " building blocks". Table 2.1 and figures 2.3 through 2.8 in section 2.9 show the l' correlation between the blocks defined in NUREG-0493 and the cabinets and microprocessor subsystems used for the protection and safety monitoring system and plant control system. Due ,

to the use of these microprocessor subsystems, there is no distinction in hardware between the  ;

MEASURED VARIABLE BLOCK and DERIVED VARIABLE BLOCK of NUREG-0493 -the boundary between these blocks is within the implementing software.

For the diverse actuation system, separate building blocks exist for the diverse actuation system j functions of automatic actuation and monitoring. The diverse actuation system automatic l actuation and monitor functions each conform to the MEASURED VARIABLE BLOCK,  ;

l DERIVED VARIABLE BLOCK, and CONTROL BLOCK structure of NUREG-0493. Table  !

l 2.1 and figures 2.9 and 2.10 in section 2.9 show the correlation between the blocks defm' ed in  !

NUREG-0493 and the diverse actuation system.  ;

i l

l l

l l

Revision: GW-J1R-004 June 31, w93 37

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 6.0 Discussion of Compliance of the Instrumentation and Control Architecture to Section 3.3 .

of NUREG-0493 l

6.1 Introduction i Section 3.3 of NUREG-0493 contains a series of guidelines for the design of instrumentation  ;

and control for a nuclear power plant and guidelines for the evaluation of this instrumentation i and control design. The following section restates these guidelines and discusses how the instrumentation and control design, and the evaluations performed in this report conform to -

these guidelines. Text copiedfmm NUREG-N93 is in italics.

6.2 Guideline 1 - General Requirements (3.3.1 of NUREG-W93) l t

The instrumentation system should provide three echelons of defense in depth: contml, scram, and ESF. ,

The instrumentation and contml architecture i.c divided into three echelons of defense, as l dermed in NUREG-0493. The control echelon is provided by the nonsafety-related plant  ;

control system, with certain inputs provided frorn the safety-related integrated protection l cabinets by means of isolated data links.

The scram echelon is provided by the protection and safety monitoring system and the  !

diverse actuation system. The reactor trip subsystems, trip enable subsystem, global trip  :

subsystem, and dynamic trip bus within the integrated protection cabinets and the reactor trip '

switchgear provide the scram function in the safety-related protection and safety monitoring _ i system. The nonsafety-related diverse actuation system and rod drive motor-generator set  ;

provide a diverse reactor trip function. In addition, the plant control system will enable the i plant to avoid the need to trip for certain events by maintaining the plant within acceptable  !

limits. -

i The ESF echelon is provided by the protection and safety monitoring system and the diverse actuation system. The ESF subsystems within the integrated protection cabinets, the engi-neered safety features actuation cabinets, the protection logic cabinets, dedicated datalinks, and data highways provide the ESF function in the protection and safety monitoring system.

The diverse actuation system provides diverse means to actuate some ESF functions. In addition, the plant control system actuates defense-in-depth plant systems to enable the plant Revision: 0 GW-31R-004 June 31,1993 38

WESTINGHOUSE PROPRIETARY CLASS 3  ;

l AP600 Instrumentation and Control  ;

Defense-in-Depth and Diversity Report to avoid the need for actuating the safety-related passive systems. l t

6.3 Guideline 2 - Method ofEvaluation (3.3.2 ofNUREG-0493) }

l The instrumentation system should be subdivided into redundant channels and each  ;

channel should be analyzed as consisting of blocks as depned in Section 3.2 and-  ;

Figure 2, and discussed in Section 2.5.

The safety related instrumentation that provides the protective functions is divided into four .

redundant divisions. Table 2.1 shows how the cabinets and subsystems within each division s can be mapped into the blocks shown in figure 2 and discussed in Secdon 2.5 of NUREG- .

0493. l The nonsafety-related plant control system uses redundant sensors and redundant micropro- f cessor subsystems to provide defense-in-depth functions. The nonsafety-related diverse l actuation system uses redundant sensors and redundant micropmcessor subsystems to provide  !

diverse actuation functions. Table 2.1 shows how these systems can also be mapped into the l' blocks shown in figure 2 and discussed in Section 2.5 of NUREG-0493.

In this evaluation, however, common-mode failures are postulated to cause complete failure l of similar or identical equipment. This failure mode is assumed to cause the complete loss ,

of function of the plant control system and the protection and safety monitoring system, but  !

not loss of function of the diverse actuation system due to the diversity of the implementa-  :

tions. i t

6.4 Guideline 3 - Postulated Common-Mode Failure ofBlocks (3.3.3 ofNUREG-0493) i i

Analysis of defense in depth should be performed by postulating concurrentfailures of ,

the same block or blocks in all redundant channels.

1 i l The common-mode failure of micropmcessor subsystems postulated for this document is a l failure that occurs in all similar micropmcessor subsystems. This postulated failure can be  !

caused by failure of a common hardware element, or failure of a common software element.

This failure mode is assumed to cause the complete loss of function of the plant control  :

system and the protection and safety monitoring system, but not loss of function of the  ;

diverse actuation system due to the diversity of the implementations. The result of this l t

Revision: O GW-J1R-004 ,

June 31,1993 39 1

I t

WESTINGnOUSE PROPRIETARY CLASS 3 l l

l AP600 Instrumentation and Control l

, Defense-in-Depth and Diversity Report  !

failure is that the entire system or systems fail to produce any protective actions. The ,

evaluation of the instrumentation and control architectum based on this failure is contained in i Section 7.0 of this document.

l 6.5 Guideline 4 - Use ofIdentical Hardware and Softare Modules (3.3.4 ofNUREG-0493) 1 To limit the postulated CMF to a single block in all redundant channels, the likelihood of CMF among the diferent blocks in the same channel should be shown to be acceptably low.

The Probabilistic Risk Assessment (PRA) postulated CMF within the instnamentation and control architecture, in conjunction with random failures. The PRA evaluated the contribution to com damage due to instrumentation and control common-mode failure to be acceptably low. It is conservatively assumed in the PRA that all software modules or hardware modules of a type will fail simultaneously. The diversity between the protection and safety monitor-ing system and diverse actuation system assures that the joint common-mode failure probabil-ity is acceptably low. ,

l 6.6 Guideline 5 - Efect of Other Blocks (3.3.5 ofNUREG-0493)

The analysis should include propagation of the postulated CMF in the single block in each channel da its output signals to all other blocks influenced by these signals, directly or indirectly.

In the AP600 instmmentation and control architecture, input signals are shared between subsystems although independent signal conditioning and loop power is provided. It is conservatively assumed that all subsystems within either the plant control system or diverse  ;

actuation system, but not both, sharing an input signal will fail. l For common-mode failure within the protection and safety monitoring system, the system is 1 conservatively assumed to not produce any protective actions needed during an event as the l failure mode.

I Revision: 0 GW-J1R-004 l June 31,1993 40 i

l I

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control  !

Defense-in-Depth and Diversity Report  ;

i 6.7 Guideline 6 - Output Signals (3.3.6 ofNUREG-0493)  :

Each block should be designed so that it cannot be sigmpcantly inpuenced by any l credible change orfailure of equipment to which its output signal or signals are connected. l l '

l Optical or resistive isolation is provided between microprocessor subsystems to prevent -

propagation of electrical failures in either direction. Physical separation is provided between  !

the four divisions of the protection and safety monitoring system. Since sensors are consid-ered to be contained in a measured variable block for the purposes of the analyses in this repon, failure of signal conditioning equipment influencing sensor performance is not +

considered. (It should be noted that the instmmentation and control hardware contains features to minimize the occurmace of this failure mode.)

6.8 Guideline 7 - Diversityfor Anticipated Operational Occurrences  ;

Supicient diversity should be provided in the design so that,for each anticipated operational occurrence in the design basis, occurring in conjunction with each single CMFpostulated in accordance with Guidelines 3 through 6, the plant response i l calculated using conservative analyses should not result in a nan-coolable geometry of the core or violation of the integrity of the primary coolant pressure boundary or ,

violation of the integrity of the containment.  ;

The frequency of a postulated accident occuring in conjunction with common-mode failures  :

of the protection and monitoring system (PMS) and failures of the Diverse Actuation System l (DAS) is calculated in the AP600 Probabilistic Risk Assessment (PRA). Appendix C20 of ,

the PRA report discusses the protection and safety monitoring system modeling and Appen-dix C12 presents the modeling of the diverse actuation system. Section 7.0 of this document i provides a strategic evaluation of the ability of the instmmentation and control architecture to  ;

produce required protective actions to support the safety goals of:  !

  • reactor shutdown, l

e initiate and maintain core decay heat removal, ,

e initiate and maintain containment cooling, '

  • and initiate containment isolation. l Revision: 0 GW-J1R-004 l June 31,1993  !

41 ,

_. .c

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control ,

Defense-in-Depth and Diversity Report It should be noted that the primary coolant system can be depressurized in a contmlled i j fashion to mitigate certain events. l l

6.9 Guideline 8 - Diversity Among Echelons ofDefense (3.3.8 ofNUREG-0493)  ;

6.9.1 Control / Scram (3.3.8.1 of NUREG-0493)

When a CMFpostulated in accordance with Guidelines 3 through 6, can result in a  ;

plant response that requires scram and can also impair the scramfunction, diverse means, which are not subject to orfailed by the postulated CMF, should be provided  :

to efect the scramfunction and to ensure that the plant response calculated using j conservative analyses should not result in a non-coolable geometry of the core or violation of the integrity of the primary coolant pressure boundary or violation of the integrity of the containment.

For the low probability circumstance where an event that requires a scram occurs coincident with a postulated common-mode failure in the plant control system and the protection and ,

i safety monitoring system, the diverse actuation system initiates the reactor trip in a diverse fashion. The specific fimetions p rformed by the diverse actuation system are selected based on the PRA evaluation. The diverse actuation system functional requirements are based on an assessment of the protection system instrumentation common-mode failure probabilities combined with the event probability.

Additionally, both the protection and safety monitoring system and diverse actuation system provide manual means of tripping the reactor. To support manual reactor trip, both the protection and safety monitoring system and the diverse actuation system provide plant  !

information to the operator. The protection and safety monitoring system provides the safety-related qualified data processing system indications, while the diverse action system provides nonsafety-related diverse indications.

6.9.2 Control /ESF (3.3.8.2 ofNUREG-0493)

When a CMFpostulated in accordance with Guide:ines 3 through 6, can result in a plant response that requires ESF and can also impair the ESFfunction, diverse means, which are not subject to orfailed by the postulated CMF, should be provided to efect the ESFfunction and to ensure that the plant response calculated using l Revision: 0 GW-JIR-004 I L June 31,1993 l 42

! 1 I

l l l WESTINGHOUSE PROPRIETARY CLASS 3 1 i

AP600 Instrumentation and Control i Defense-in-Depth and Diversity Report l

conservative analyses should not result in a non-coolable geometry of the core or violation of the integrity of the primary coolant pressure boundary or violation of the  ;

integrity of the containment.  ;

( For the low probability circumstance where an event that requires one or more ESF i actuations occurs, coincident with a postulated common-mode failure in the plant control system and the protection and safety monitoring system, the diverse actuation system ,

initiates selected ESF actuations in a diverse fashion. The specific functions performed by the diverse actuation system are selected based on the PRA evaluation. The DAS funcdonal requirements are based on an assessment of the protection system instrumentation common-mode failure probabilities combined with the event probability. .j Additionally, the protection and safety monitoring system provides both system level and f component level manual means of actuating ESF functions, and diverse actuation system  :

provides manual means of actuating selected ESF functions. To support manual ESF .

actuation, both the protection and safety monitoring system and the diverse actuation system provide plant information to the operator. The protection and safety monitoring system ,

provides the safety-related qualified data processing system indications, while the diverse l' actuation system provides nonsafety-related diverse indications.

i 6.9.3 Scram /ESF (3.3.8.3 ofNUREG-0493) l l  ;

l Interconnections between scram and ESF (for interlocks providingfor scram initiation i if cenain ESF are initiated, or ESF initiation when a scram occurs, or operating bypassfunctions) are permitted provided timt all guidelines are satisped, with speciai attention being given to Guidelines 5 and 6.

Isolated, independent interconnections exist between the reactor trip and ESF actuation func-tions. Failum of the reactor trip function will not prevent the ESF actuation function from  !

responding to other inputs, nor will failure of the ESF actuation function prevent the reactor l trip function from responding to other inputs. l 6.10 Guideline 9 - Plant Monitoring (3.3.9 ofNUREG-0493) l Signals may be transmittedfrom the scram and ESF actuation systems to the control j systemfor plant monitoring purposes, provided that all guidelines are satisped, uith . '

Revision: 0 GW-J1R-004 June 31,1993 l

j 43 I I

I L

i

i.  ;

- _ , , .__._.u_

l WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control

! Defense-in-Depth and Diversity Report ,

special attention being given to Guidelines 5 and 6. The design should be such diat thefailure of the plant monitonng system does not influence thefunctioning of the ,

scram or ESF actuation systems. The design should also address the possibility that -

failure or misopemtion of the plant monitoring system might cause the operating staf to make adjustments in the scram and/or ESF actuation systems, or in-plant operating parameters, that could cause or allow plant operation to be outside the safety limits 1

or to be in violation of the limiting conditionsfor operation.

l ,

Signals are transmitted from the protection and safety monitoring system to the plant control l system and the data display and processing system. The datalinks that connect the protection l and safety monitoring system to the plant control system and data display and processing l system contain isolation devices to prevent failures in the plant control system or data display l and processing system from affecting operation of the protection and safety monitoring system. The signal conditioning and data acquisition functions associated with these signals are performed by an independent subsystem in the integrated protection cabinets, not l

associated with the reactor trip or ESF actuation functions. once signals leave the protection and safety monitoring system through the isolation devices, they are no longer classed as l safety-related, and are not used to provide any safety-related functions.

l l Alteration of parameters in the instrumentation cabinets associated with reactor trip and ESF actuation is under administrative control and is not normally available to plant operators.

The parameters in the reactor trip and ESF actuation subsystems are stored in read only memory. In order to make adjustments to these parameters, access to the front panel, access to a key for the keyswitch, and possession of the password are required. These items are under strict administrative control.

l .

1 l Revision: 0 GW-JIR-004 June 31,1993 44 l

  • l

WESTINGHOUSE PROPRIETARY CLASS 3  ;

I AP600 Instrumentation and Control Defense-in-Depth and Diversity Report 7.0 Evaluation of diversity within the AP600 Instrumentation and Control Architecture 7.1 Introduction l

The AP600 fluid systems are designed with multiple levels of defense for a wide range of events. Both the safety-related rnd the nonsafety-related systems am used to support this multiple level design philosophy. The AP600 instmmentation and control systems architec-ture reflects this multiple level of defense approach by including safety-related and nonsafety-related instmmentation systems, that provide safety-related and nonsafety-related means of initiating protective functions.

This section of the document discusses the functions provided to protect the core and limit the spread of radioactivity during an event by initiating:

  • Reactor Shutdown

!

  • Containment Cooling e Containment Isolation.

7.2 Diversity Overview of the AP600 Instrumentation and Control Architecture For the purposes of discussing instrumentation and control diversity, the AP600 instmmenta-tion and control systems can be organized into three layers. The first layer contains the nonsafety-related plant control system (PLS) and the data display and processing system (DDS). The plant control system provides the monitoring, and the automatic and manual actuation of nonsafety-related functions. The plant control system contains sensors, the integrated control cabinets, the rod contml cabinets, the process bus, control logic cabinets, the rod drive motor / generator set, the pressurizer heater controller, the rod position indica-tion system, control multiplexers, and operator controls. The data display and monitoring system pmvides operator displays and alarms in the main control room and remote shutdown area. Display processing and alarm processing are performed by dedicated functional processors. The information from the other plant instrumentation and control systems is acquired by the display and alarm processors by means of the monitor bus, which is also part of the data display and processing system.

Revision: 0 GW-J1R-004 June 31,1993 45

i WESTINGHOUSE PROPRIETARY CLASS 3 1 i

AP600 Instrumentation and Control j Defense-in-Depth and Diversity Report  !

t The second layer contains the safety-related protection and safety monitoring system (PMS). l

! T1.e protection and safety monitoring system provides the safety-related reactor trip function, l l engineered safeguards features actuation functions, and qualified plant monitoring function.  !

! In the protection and safety monitoring system,' both automatic and manual means are 1 l pmvided to trip the reactor and actuate the engineered safety features. The protection and ,

safety monitoring system contains sensors, integrated protection cabinets, engineered safety l features actuation cabinets, logic buses, protection logic cabinets, reactor trip switchgear,-  !

protection multiplexers, operator controls, qualified display processing system cabinets, and l l qualified displays. j The third layer contains the nonsafety-related diverse actuation system. The diverse i actuation system provides nonsafety-related, diverse reactor trip functions, actuation of engineered safeguards features, and operator displays. In the diverse actuation system, both automatic and manual means are provided to trip the reactor and actuate selected engineered l safeguards features. The diverse actuation system also provides diverse monitoring of plant l l parameters required to ascertain the state of the plant and provide guidance for manual l l actions by the operator. The diverse actuation system is implemented in hardware and l software that is diverse from the protection and safety monitoring system and plant control ctem.

I Figure 7.1, shows, on an overview basis, the relationships between components of the plant control system, diverse actuation system, and protection and safety monitoring system, and illustrates the means provided to accomplish the automatic and manual actions. This figure l illustrates the sources of signals for automatic trips and actuations, and operator displays. It also shows the manual contmis and operator displays that facilitate operator actions.

i Figure 7.2 shows how diverse sensors, cabinets, and operator controls are integrated into the  !

instmmentation and control architecture.

l l

7.3 Reactor Shutdown i

Reactor shutdown is the process of bringing the reactor to a suberitical state in a timely manner and maintaining an adequate shutdown margin. This function is normally prrvided by inserting the control rods into the core either in a controlled manner (stepping) ox by -_

d opping them.

Revision: 0 GW-J1R-004' June 31,1993 46 l

l E

L _ .

, . - _ . _ _ . . _ -__ _ . - . _ _ ui

i i

WESTINGHOUSE PROPRIETARY CLASS 3 l AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report 7.3.1 The control rods can be automatically or manually stepped into the com. The nonsafety-related plant control system (PLS) provides automatic insenion of the control rods using signals from various sensors in the plant control system and protection and safety monitoring system. The plant control system also provides controls for manual insertiva of the control rods. The final actuation devices for l reactor shutdown via the plant control system are the control rod drive mecha-nisms (CRDMs).

7.3.2 Automatic reactor shutdown capability is pmvided by the safety-related protection and safety monitoring system by dropping the rods using the integrated protection cabinets and the reactor trip switchgear. When the reactor trip switchgear opens, the control rod drive mechanisms are deenergized and the rods are permitted to l drop into the core. The safety-related protection and safety monitoring system also l provides a manual reactor shutdown by means of controls that directly open the reactor trip switchgear.

7.3.3 The nonsafety-related diverse actuation system provides the capability for automat-ic reactor shutdown by deenergizing the field of the rod drive motor / generator set which supplies power to the control rod drive mechanisms (CRDMS) . This is a diverse means of deenergizing the control rod drive mechanisms and has the same effect as opening the reactor trip switchgear. The nonsafety-related Diverse Actuation System also provides the capability for manual reactor shutdown by deenergizing the field of the rod drive motor / generator set.

7.4 Reactor Coolant System Inventory Control l Reactor coolant system inventory control is the process of maintaining sufficient Nrated i water in the reactor coolant system (RCS) to maintain the heat removal capability.

7.4.1 During normal plant operation, the pressurizer level control function of the nonsafety-related plant control system automatically controls the operation of the

! nonsafety-related ehemical and volume control system (CVS) to maintain reactor coolant system inventory. In the event of a small reactor coolant system leak, the CVS makeup pumps automatically start on a low pressurizer level signal. The makeup pumps also start automatically on a safety-related core makeup tank (CMT) actuation signal.

Revision: 0 GW-J1R-004 June 31,1993 47

i r

WESTINGHOUSE PROPRIETARY CLASS 3  !

i AP600 Instrumentation and Control  !

Defense-in-Depth and Diversity Report  !

s 7.4.2 ' Die safety-related passive com cooling system (PXS) pmvides emergency core i decay heat removal, reactor coolant system emergency makeup and boration, and safety injection. The PXS includes four sources of passive injection for RCS l inventory contml. These injection sources provide injection in a sequenced  :

manner, based upon RCS pressure. The CMTs are normally the first injection  !

source, pmviding makeup at any reactor coolant system pressure. CMT injection ,

is automatically initiated by the safety-related protection and safety monitoring j system using the integrated pmtection cabinets, the engineemd safety features  !

actuation cabinets, the logic bus, and the protection logic cabinets. )

The pmtection and safety monitoring system also provides the capability for l safety-related manual actuation of the CMTs using control devices, multiplexers, I the logic buses, and the protection logic cabinets.

7.4.3 The diverse actuation system provides the capability for nonsafety-nlated automat-

! ically actuation of the CMT injection. The DAS also provides the capability for j nonsafety-related manual actuation of CMT injection using dedicated, hard-wired l controls.

l 7.4.4 The other three PXS injection sources provide makeup once the RCS is de-pressurized. The automatic depressurization system (ADS) uses four valve stages to provide a controlled depressurization of the reactor coolant system. Each ADS

stage is automatically initiated by the protection and safety monitoring system i

using the integrated protection cabinets, the engineered safety features actuation L cabinets, the logic bus, and the pmtection logic cabinets.

The protection and safety monitoring system pmvides the capability for safety-related manual actuation of the ADS using contml devices, multiplexers, the logic

buses, and the protection logic cabinets.

! 7.4.5 The diverse actuation system also pmvides the capability for nonsafety-related manual actuation of the ADS using dedicated, hard-wired controls for the valves  !

in each stage.

l 7.4.6 The second PXS injection source is the accumulator tanks. Injection from the accumulators is initiated once reactor coolant system pressure is below the static -

l Revision: 0 GW-J1R-004 .

June 31,1993 l 48  !

l WESTINGHO'USE PROPRIETARY CLASS 3 l

AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report pressure in the accumulators. The protection and safety monitoring system is used to opente the accumulator discharge isolation valves which are normally open with actuation powered removed during plant power operation.

7.4.7 The nonsafety-related normal residual heat removal system (RNS) can be manually l

actuated to provide reactor coolant system injection once reactor coolant system l

pressure is reduced to within the capability of the RNS.

l 7.4.8 The third PXS makeup source is the in-contamment refueling water storage tank (IRWST). During plant power operation, IRWST injection is automatically initiated once reactor coolant system pressure is within the injection head capabil-ity of the IRWST. The protection and safety monitoring system is used to operate the IRWST discharge isolation valves which are normally open with actuation powered removed during plant operation.

7.4.9 During shutdown operations, the IRWST discharge isolation valves are normally shut with actuation power available. These valves can be manually opened using the safety-related protection and safety monitoring system to initiate IRWST hjec-tion through the reactor coolant system to fill the refueling cr.vity. The nonsafety- '

i related diverse actuation system automatically opens these valves to initiate reactor coolant system injection based on reactor coolant system hot leg level indication.

The diverse actuation system also provides the capability for nonsafety-related manual actuation of the IRWST discharge isolation valves.

7.4.10 The fourth PXS makeup source is the containment recirculation volume of reactor coolant and makeup water that collects in the recirculation screen areas in contain-ment following an event. Contamment recirculation is automatically initiated once reactor coolant system pressure is within the injection head capability of the floodup inventory in containment. The protection and safety monitoring system is also used to automatically open the containment recirculation valves, which provide an altemate recirculation flowpath. The protection and safety monitoring system also provides the capability for safety-related manual actuation of the containment recirculation valves.

l l

1 Revision: 0 GW-J1R-0(M June 31,1993 l 49

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report l

l 7.5 Core Decay Heat Removal Core decay heat removal is the process of maintaining a heat sink that is capable of cooling i the reactor core after a reactor shutdown. Core decay heat removal can be provided by a number of different systems. The system and components to be used for core heat removal will depend upon the plant operating mode. During some plant conditions, core decay heat removal is provided by the same systems and components that maintain the reactor coolant system inventory.

l 7.5.1 The nonsafety-related startup feedwater subsystem of the main and startup feed-water system (FWS) supplies feedwater to the steam generators during non-power operation to provide core decay heat removal. The nonsafety-related plant control system (PLS) automatically actuates the two nonsafety-related high pressure FWS pumps and automatically controls FWS feedwater flow to the steam generators.

l The stanup feedwater pumps automatically stan on either a low steam generator water level or low main feedwater flow signal. Startup feedwater flow control is based on the steam generator water level. l

\ l 7.5.2 The PXS provides a safety-related core cooling process using the passive residual l heat removal heat exchangers (PRHR HXs). The PRHR HXs are automatically actuated by the protection and safety monitoring system using the integrated pmtection cabinets, the engineered safety features actuation cabinets, the logic bus, and the protection logic cabinets.

The protection and safety monitoring system also provides the capability for safety-related manual actuation of the PRHR HXs using control devices,  !

multiplexers, the logic buses, and the protection logic cabinets.

7.5.3 The diverse actuation system provides the capability for nonsafety-related automat-ic actuation of the PRHR HXs. The diverse actuation system also provides the capability for nonsafety-related manual actuation of the PRHR HXs using dedi-  !

cated, hard-wired controls.

l l

7.5.4 In addition to the FWS and the PRHR HXs, core decay heat removal can also be automatically initiated by the safety-related PXS CMTs, accumulators, and IRWST, and manually initiated by the nonsafety-related RNS, once reactor coolant Revision: 0 GW-J1 R-004 June 31,1993 50

l l

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report system pressure has been reduced to within the capability of the RNS. Actuation of the components in these two systems is discussed in Section 7.4.

7.5.5 During plant shutdown conditions prior to opening the reactor coolant system, core cooling is provided as discussed previously, although some PXS components may not automatically actuate, but can be manually actuated, depending upon spe-cific plant conditions. During these conditions, the RNS is normally operating and will automatically restart when power is restored following a loss of power to the RNS pumps.

l 7.5.6 During plant conditions when the reactor coolant system is not intact or with reduced reactor coolant system inventory (such as mid-loop operation), the RNS is normally operating and will automatically restart when power is restored following a loss of power to the RNS pumps. Various PXS components including the CMTs, accumulators, and PRHR HXs are not available. The safety-related IRWST will automatically actuate if core cooling is lost and the IRWST can also be manually actuated.

7.6 Containment Cooling l

Containment cooling is the process of removing heat fmm the containment.

7.6.1 Containment cooling is normally provided by nonsafety-related fan coolers during '

power operation. The nonsafety-related plant control system (PLS) is used to contml the opemtion of the fan coolers.

7.6.2 If the fan coolers are unavailable or have insufficient capacity for the containment heat loads, the safety-related passive containment cooling system (PCS) actuates to provide safety-related containment cooling. The PCS is automatically actuated by the protection and safety monitoring system using the integrated protection cabinets, the engineered safety features actuation cabinets, the logic bus, and the protection logic cabinets.

The protection and safety monitoring system also provides the capability for safety-related manual control of the PCS using control devices, multiplexers, the logic buses, and the protection logic cabinets.

Revision: 0 GW-J1R-004 June 31,1993  ;

51 ,

l

1

+

WESTINGHOUSE PROPRIETARY CLASS 3  ;

AP600 Instrumentation and Control Defense-in-Depth and Diversity Report j i

7.6.3 The diverse actuation system provides the capability for nonsafety-related automat- j ic actuation of the PCS. The diverse actuation system also provides the capability  :

for nonsafety-related manual actuation of the PCS using dedicated, hard-wired  ;

controls.  !

7.7 Containment Isolation Containment isolation is the process of closing safety-related valves in fluid lines which  !

penetrate the containment to minimize the release of radioactivity from containment following l

an event.

I 7.7.1 Containment isolation is pmvided by the safety-related protection and safety monitoring system which automatically actuates the containment isolation valves on a safeguards actuation signal using the integrated pmtection cabinets, the l engineered safety features actuation cabinets, the logic bus, and the protection logic cabinets.  !

The protection and safety monitoring system also provides the capability for i safety-related manual actuation of containment isolation valves using control devices, multiplexers, the logic buses, and the protection logic cabinets.

l 7.7.2 The diverse actuation system provides the capability for nonsafety-related automat-ic actuation of the containment isolation valves using the containment temperature sensors. The diverse actuation system also provides the capability for nonsafety-related automatic manual containment isolation capability using dedicated, harti-  :

wired controls. ]

7.8 Event Scenarios WCAP-13792, "AP600 System / Event Matrix" (Ref 11) contains a series of flowcharts and tables that illustrate these levels of defense from an operational point of view for a selected number of full power and shutdown events.

Revision: 0 GW-J1R-004 )I June 31,1993 52

RMA , . . ALARM DISPLAYS ) - .

/ DISPLAY PROCESSORS Mm Pts PLANT l___l

! ONTROL C g CONTROL

  • '] COMPONENTS I

NONSAFETY

    • ,  ! j RELATED .

PLANT ERSE DAs SENSORS l

f, - "' DISPLAYS MAN DRIVE (f)

_ . . l_ . . __. g _ . ._ . . _ . . _. .i u/G SET -)

i DAS . . _ . . _ . . . . _ . . _ . . _ . . TRIP m LEGEND AUTOMATIC

! ._ .. ACTUATION _ . . . _ . . _ . . . . . . . . . _ . . . . _ . . . . . .

  • DAS - DIVERSE ACTUATION
SYSTEM l

~'d -"~"9 MAN O PLS - PLANT CONTROL I I SYSTEM RE+CTOR l-O o ESF ACTUATIONS Trie - PMS - PROTECTION AND SAFETY MONITORING S7.GR SAFETY _

2 SYSTEM RELATED INTEGRATED C ISOLATION PLANT PROTECTION 4 '* ~ - - - -" - - - -- - * -

  • E b DEVICE SENSORS CABINETS r

--*C - . _ . > gy MANUAL p

I OLS ttyt ACTUATION AND j

-*3 r--- a MAN SAFETY DAS AUTOMATIC l RELATED ACTUATIONLOGlc ESF l NONSAFETY-RELATED O PMs COMPONENT SIGNALS MAN LOGIC MAN l COMPONENTS l SAFETY-RELATED

- - - .I "

SIGNALS PMS DAS 4,t,,,sw%. . . _ . _ . .. . _ . . . . . . _ _ . _ . . _ _ DivEnSe PLA plGURE 7.1

( / SIGNALS N/

AP600 INSTRUMENTATION AND CONIHOL SYSTEMS DIVERSITY ARCHITECTURE FILE: FIG _,7_1.DRW JJB/SK 06/29/93 53

Figure 7.2. AP600 DIVERSE INSTRUMENTATION AND CONTROL STRUCTURE Diverse I RSR MUX'D MCR MUX'D MCR H/W s MCR MUX'D H/W SW DAS ! ControlSW Control SW Control SW l Control SW Sensors g

_-- Sensort _____ ' _---- ' _____ Sensors i _____

EEEEE Oi EEEEE #L _ EEEEE cL _ EEEE OO l i

OO l  :::=

a m

PLS - -._ PMS- s i Sensors Sensors i

, l @ l

[l]'o^5 l

_]l o4s g

_..__p____ .__________ __ ________ ____ ______ _

_..____q___ __ _____..______ _ __ _______.

ESF MUX DAS  ! MUX .__ _ . - - - -

IPC 4----- ICC RPI

- MUX AC i e

i i l- i i i n l  !

l ._ . j

^

", ( Loaic Bus ) l ( . Process Bus , [> g b

l' 8 l l l l*

DAS l

, PRZR - Rod O.

i ILC i HTR Drive RCC ILC1 -

lLCn

CONT M/G Set l "

l D]  ! l 1

l

I I
1 I I i I i i @
Engineered l Control 8 D.iverse . sarety Reactor Trip l Reactor Control Actuations E Features Actuation :

System Protection and Safety Monitoring System ' Plant Control System FILE: FIG _7_2.DRW SK - 05/18/93 54

I WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control  ;

Defense-in-Depth and Diversity Report l

i i

8.0 References i

1) "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," NUREG-0493, hiarch 1979  ;

i

2) Birsa, J. J. "AP600 Instmmentation and Control Hardware Description," WCAP- {

13382 (Pmprietary), WCAP-13391 (Non-proprietary), Afay 1992 }

3) Birsa, J. J., "AP600 Instmmentation and Control Hardware and Software Design, j Verification, and Validation Process Report," WCAP-13383 (Proprietary), j WCAP-13392 (Non-proprietary), Afay 1992.

1

- 4) " Advanced Light Water Reactor Utility Requirements Document, Volume III, l Chapter 10," Revision 3,5/92 i

5) Cook, B. hi. " Westinghouse biodel 414 Control System Signal Selection Device,"  !

WCAP-8899 (Proprietary), August 1978 i

6) Cook, B. hi., Rawlins, D. H., Bypass Logic for the Westinghouse Integrated i Protection System," WCAP-8897 (Proprietary), April 1977 _

l i

7) Cook. B. A1., et. al., " Summary ofIntegrated Protection System Validation and j Verification Program," WCAP-9739 (Pmprietary), July 1980.  :

I

8) Donnelly, J. A., et. al., "414 Integrated Protection System Prototype. Verification f Pmgram," WCAP-9153 (Pmprietary), August 1977.  :

i i 9) Gallagher, J. hi., " Emergency Response Facilities Design and Verification and l

! Validation Pmcess," WCAP-10170, April 1982.

i

10) " Criteria for Protection Systems for Nuclear Power Generating Stations," TREE ,

Standard 279-1971 l t

11) Schulz, T. L., "AP600 System / Event Operation hiatrix," WCAP-13792 (Propri-etary), July 1993 (scheduled)  ;

1 P

Revision: O GW-J1R-004  !

June 31,1993-  !

55 j

i a

_ m ---._ _ - - - - we v b __ -

__-_--9 --__ --_ _ _ _ _ _ _ _ _m+ _ _ _ _____--_---- www-_ _ _ .- _ -- -

. eas.d M A, so. 2 J eJ4-- - - - --4.-.E4*LA4+ pd- e 4.EL.-e ma*-e4.s F *- 4i ._ .h A.W - s. ..m*-. rain.a e+g-e.aawa--- -..m.g n_,, aces.,a_,ma ej.m_. _ -._,. .a .

I t f

p i

t f

h i

I i

f i

i t

.1 i,

h 9

5 t

I,

-i

'l i

t l

I l

i, f

b l

I 4

I 6

1 J

, .I e

l a

t i

1 1

i i

i l

, ,. . , . . . -. .- - -... _- , .s. . - , . .. . _ . . . _ , ,- ..- . _ _ ....,_ , . , .;.____ . _ _ . , c.-..._. ,

f i

i WESTINGHOUSE PROPRIETAR CLASS 3 l

! AP600 Instrumentation and Control Defense-in-Depth and Diversity Report Appendix A - Diverse Actuation System Description The Diverse Actuation System (DAS) is a nonsafety-related system that provides a diverse backup to the Protection and Safety Monitoring System. This backup is included to support the aggressive AP600 risk goals by reducing the probability of a severe accident which potentially results from the unlikely coincidence of postulated transients and postulated common-mode failure in the pmtection and control systems.

l l The protection and safety monitoring system is designed to prevent common-mode failures.

! However, in the low probability case where a common-mode failure does occur, the diverse actuation system provides diverse protection. The specific functions performed by the diverse actuation system are selected based on the PRA evaluad n. The DAS functional l requirements are based on an assessment of the protection systun instmmentation common-mode failure probabilities combined with the event probability.

The diverse actuation system provides automatic actuation signals, manual actuation signals, and indications for the plant operators.

A.1 Automatic Actuation Functions of the Diverse Actuation System -

The automatic actuation signals provided by the Diverse Actuation System are generated in a functionally diverse manner from the protection system actuation signals. The common-mode failure of sensors of a similar design is also considered in the selection of these functions.

Diversity is achieved by the use of a different architecture, different hardware implementa-tions and different softwam from that of the Protection and Safety Monitoring System.[

p.o Revision: 0 GW-J1R-004 June 31,1993  !

A-1  ;

l I

1 i

WESTINGHOUSE PROPRIETARY CLASS 3 ,

AP600 Instrumentation and Control l Defense-in-Depth and Diversity Report l The diverse automatic actuations are:  !

  • Trip rods via the mt+or generator set,
  • Trip the turbine,
  • Actuate the core makeup tanks,  ;
  • Initiate in-containment refueling water storage tank injection,
  • Stan passive contamment cooling water flow,

jca.o l l

The setpoints and time responses are selected so that the automatic functions do not actuate  ;

unless the Protection and Safety Monitoring System has failed to actuate and to control plant  !'

conditions. Capability is provided for testing and calibrating the channels of the diverse actuation system.  !

A.2 Manual Actuation Functions of the Diverse Actuation System i The manual actuation functions of the diverse actuation system are implemented by wiring  ;

the control board mounted switches dimetly to the fm' al loads [

i

}(a,c) i Revision: 0- GW-J1R-004 June 31,1993 ,

A-2 r

l l WESTINGHOUSE PROPRIETARY CLASS 3 l

l AP600 Instrumentation and Control Defense-in-Depth and Diversity Report a

The diverse manual functions are:

  • Core makeup tank actuation
  • Passive containment cooling actuation
  • Containment hydrogen ignitor actuation  !

o' IRWST actuation l

A.3 Indications in the Diverse Actuation System To support the diverse manual actuations, sensor outputs are displayed in the main control room by the Diverse Actuation System in a manner that is diverse from the Protection and l Safety Monitoring System display functions. . The indications that are provided are:

! 1 l

  • Hot leg tempenture, l
  • Hot leg level, )
  • Pressurizer level,
  • Containment temperature,. l
  • Containment hydmgen,  !
  • Steam genemtor high water level, l A.4 Isolation of the Diverse Actuation System The Diverse Actuation System shares certain sensor signals with the Protection and Safety Monitoring System and the Plant Cotdrol System. To prohibit failures in any of the three systems involved fmm propagating to the others through the shared sensors, signal isolation is provided. [

Revision: 0 GW-J1R-004 l June 31,1993 A-3 ,

i l

t

e i

WESTINGHOUSE PROPRIETARY CLASS 3 f

r AP600 Instrumentation and Control Defense-in-Depth and Diversity Report l

ja.o .

In the same way that sensors are shared, load actuation is shared. Load actuation is isolated  !

to prevent failures in the wiring and the interfaces to the loads from propagating into the ,

other systems. [  ;

ja.o t

i h

f f

?

i i

4 t

s i

i i

Revision: 0 GW-J1R-004  !

June 31,1993 1 A-4 ,

I i

-i n n v g--

WESTINGHOUSE PROPRIETARY CLASS 3  !

AP600 Instrumentation and Control Defense-in-Depth and Diversity Report  :

i Appendix B - Defense-in-depth, Diversity Block Diagrams l The diagrams in this appendix show, in a schematic fashion, the information in:

AP600 SSAR Table 7.2-5, Conditions for Reactor Trip AP600 SSAR Table 7.2-6, Conditions for RCCA Withdrawal Block and Engi- l neered Safeguards Actuation Dwg. 5D63525, Rev.1, AP600 Functional Diagrams, (AP600 SSAR Figure 7.2-  ;

1) {

AP600 Doc. PMS-J3J-001, Rev 3, Integrated Protection Cabinet Process Block  :

Diagrams (

These diagrams apply in the safety-related systems and diverse systems layers of the reactor  ;

trip and ESF actuation echelons shown in Figure 2.2. Diagrams are pmvided that illustrate [

the sensors and protection and safety monitoring system subsystems and cabinets that are involved in generating reactor trip and ESF actuation signals for the events listed in Table 7.2-5 and 7.2-6 of the AP600 SSAR. Diagrams that illustrate the sensors and redundant processors in the Diverse Actuation System that genente the diverse reactor trip and ESF actuations are also provided.

i

?

I i

e i

Revision: 0 GW-J1R-004 June 31,1993 B-1 l

l l

1 WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control

! Defense-in-Depth and Diversity Report Table of contents for Appendix B.  :

Figure B-1.0 Block Diagram Symbols B-5 Figure B-1.1 Feedwater Malfunction That Results in a Decrease

, in Feedwater Temperature B-6 Figure B-1.2 Feedwater Malfunction That Results in a Increase in Feedwater Flow B-7 Figure B-1.3 Excessive Increase in Secondary Steam Flow B-8 Figure B-1.4 Inadvenent Opening of a Steam Generator Relief or Safety Valve B-9 Figure B-1.5 Steam System Piping Failure B-10 Figure B-1.6 Inadvenent Operation of the PRHR B-11 Figure B-1.7 Imss of Electrical lead B-12 Figure B-1.8 Turbine Trip B-13 Figure B-1.9 Inadvenent Closure of Main Steam Isolation Valves B-14 Figure B-1.10 Loss of Condenser Vacuum and Other Events Resulting in Turbine Trip B-15 Figure B-1.11 Loss of Non Emergency AC Power to Plant Auxiliaries B-16 Figure B-1.12 Loss of Normal Feedwater B-17 Figure B-1.13 Feedwater System Pipe Break B-18 Figure B-1.14 Partial Loss of Forced Reactor Coolant Flow B-19 ,

Figure B-1.15 Complete loss of Forced Reactor Coolant Flow B-20 l Figum B-1.16 Reactor Coolant Pump Shaft Seizure B-21 Figum B-1.17 Reactor Coolant Pump Shaft Break B-22 Figure B-1.18 Uncontrolled Rod Control Cluster Assembly (RCCA) Bank Withdrawal fmm a Suberitical or Low Power Condition B-23 Figure B-1.19 Uncontrolled Rod Control Cluster Assembly Bank Withdrawal at Power B-24 Figure B-1.20 Rod Control Cluster Assembly Misalignment B-25 l Figure B-1.21 Startup of an Inactive Reactor Coolant Pump at an Incormet Tempera-tum B-26 Figure B-1.22 Chemical and Volume Control System Malfunction that Results in a Decrease in RCS Boron Concentration B-27 Figure B-1.23 Spectrum of Rod Cluster Control Assembly Ejection Accidents B-28  ;

i 1

Revision: 0 GW-J1R-004 j June 31,1993 B-2 l

1

SS 3 WESTINGHOUSE PROPRIETARY CLA AP600 Instrumentation Defense-in-Depth and Diversity and Report Control Core Cooling SystemB-29 During Inadvenent Operation of the Emergency

~

Figure B-1.24 t thatIncrease ReactorB-30 Power OperationChemical and Volume Control B-31 System Eve ADS Valve B-32 Figure B-1.25 Coolant Inventory

/ B-33 Inadvertent Opening of a Pressudzer or f Figure B-1.26 Steam Generator Tube Failure

/ Figure B-1.27 Ioss-of-coolant Accidents l Increase B-34

' Figure B-1.28 Figure B-2.1 Feedwater Malfunction that Results Relief B-35in an in Feedwater FlowInadvenent Opening ofB-36 a Steam Generat B-37 Figure B-2.2 or Safety Valve Steam System Piping Failure Plant B-38 Figure B-2.3 Figure B-2.4 Inadvenent Operation of the PRHRLoss of N B-39 B-40 Figure B-2.5 Auxiliaries B-41 Loss of Normal Feedwater Figure B-2.6 Feedwater System Pipe Break in B-42 Figure B-2.7 Figure B-2.8 Figure B-2.9 Rod Contrul Cluster Assembly Misa B-43 RCS Boror ConcentrationInadvenent y Operation of B-44 Figure B-2.10 B-45 Power Operation DS Valve Figure B-2.11 CVCS Malfunction that Inadvenent opening of a Pressurizer Increases or A RCS Inven B-46 B-47 Figure B-2.12 Steam Generator Tube Rupture Figure B-2.13 B-48 Loss-of-coolant Accidents Trip Figure B-2.14 Diverse Actuation System Turbine Diverse ReactorB-49 Figure B-3.1 Diverse Actuation System Diverse ESF -

Figure B-3.2 S t B-50 Trip Diverse Actuation System Diverse ESF - tar Figure B-3.3 Con- B-51 PRHR HX Diverse Actuation System Diverse ESF -

Figure B-3.4 tainmentIsolation GW-J1R-004 Revision: O B-3 June 31,1993

WESTINGHOUSE PROPRIETARY SS 3 CLA AP600 Instrumentation and Contr Defense-in-Depth and Diversity Rep ort Figure B-3.5 Figure B-3.6 Water StartDiverse Actuation System Diverse ESF

- PCCS Figure B-3.7 Diverse CMTS Actuation System Diverse ESF

- Actuate B-52 Figure B-3.8 Diverse Actuation System Diverse ESF RCPS

- Trip All B-53 Figure B-3.9 IRWSTIsolation ValvesDiverse

- Open Actuation B-54 System tional Manual ActuationsDiverse

- Addi- Actuation B-55 Syste B-56 Revision: 0 June 31,1993 B-4 GW-J1R-004

O - Sensor (*,"j - Dynamic Trip Bus

@ - Class 1E lsolation sm SEL

- Signal Selector lSCl - Signal Conditioning NT n - Control Group

- lNSC 1 - Nuclear Signal Conditioning

'* A - ESF Actuation Cabinet Subsystem A1

^77tn - Automatic Tester Subsystem

- Nuclear instrumentation Signal NISPAC1 Processing and Control ESFAC - ESF Actuation Cabinet Subsystem A2 Group 1 Subsystem A2

- Nuclear Instrumentation Signal 4

NISPAC2 Processing and Control O -Manual Actuations Group 2 Subsystem ot t PROC 1 - DAS Processor 1 TRIP - Global Trip Subsystem

,,,, PROC 2 - DAS Processor 2 caste -Trip Enable Subsystem

- L gical Function AND RT1 - Reactor Trip Group 1 Subsystem RT2 - Reactor Trip Group 2 Subsystem

) - Logical Function OR ESF1 - Engineered Safety Features Group 1 Subsystem -Time Delay

/  :

ESF2 - Engineered Satety Features Group 2 Subsystem COM - Communication Subsystem

- Figure B-1.0 Block Diagram Symbols FILE: DID-LEG.DRW SK - 06/28/93 B-5

a,c

, FIGURE B-1.1 IS PROPRIETARY Figure ,B-1.1 Feedwater Malfunction That Results in a Decrease in Feedwater Temperature Supporting Trips:

FILE: DIDE1-1.DRW JJB - 06/28/93 B-6

_ . _ _ _ _ _ _ . ~ . . _ , - _ , - . . . _ . - , __. _ . _ _.__.. ___ _ _._ ._,.. ..__,.-_..,___ ._._

WESTINGHOUSE PROPRIETARY CLASS 3 l t

! AP600 Instrumentation and Control l '

l Defense-in-Depth and Diversity Report i

j Figure B-1.24 Inadvenent Operation of the Emergency Core Cooling System Dunng l l Power Operation B-29 {

Figure B-1.25 Chemical and Volume Control System Events that Increase Reactor l' L Coolant Inventory B-30 Figure B-1.26 Inadvenent Opening of a Pressurizer or ADS Valve B-31 l j Figure B-1.27 Steam Generator Tube Failure B-32 l l Figure B-1.28 loss-of-coolant Accidents B-33 i l

Figure B-2.1 Feedwater Malfunction that Results in an Increase l in Feedwater Flow B-34 l Figure B-2.2- Inadvenent Opening of a Steam Generator Relief l

or Safety Valve B-35 Figure B-2.3 Steam System Piping Failure B-36 ,

Figure B-2.4 Inadvenent Operation of the PRHR B-37  !

! Figure B-2.5 Loss of Non Emergency AC to Power Plant  !

Auxiliaries B-38  !

Figure B-2.6 loss of Normal Feedwater B-39 l Figure B-2.7 Feedwater System Pipe Break B-40 l l Figure B-2.8 Rod Control Cluster Assembly Misalignment B-41  ;

i Figure B-2.9 CVCS Malfunction that Results in a Decrease in  !

l- RCS Boron Concentration B-42 Figure B-2.10 Inadvenent Operation of the Emergency Core Cooling System During i Power Operation B-43  !

Figure B-2.11 CVCS Malfunction that Increases RCS Inventory B-44 l Figure B-2.12 Inadvenent Opening of a Pressurizer or ADS Valve B-45 j Figure B-2.13 Steam Generator Tube Rupture B-46 i Figure B-2.14 Imss-of-coolant Accidents B-47  ;

Figure B-3.1 Diverse Actuation System Diverse Reactor Trip B-48 j Figure B-3.2 Diverse Actuation System Diverse ESF - Turbine l Trip B-49 i Figure B-3.3 Diverse Actuation System Diverse ESF - Start PRHR HX B-50 Figure B-3.4 Diverse Actuation System Diverse ESF - Con- j tainment Isolation B-51 i i

Revision: 0 GW-JlR-004  ;

June 31,1993  :

l B-3 l

- _ - - - ._ - .. . . . . . . - - . N

I u

)

WESTINGHOUSE PROPRIETARY CLASS 3 AP600 Instrumentation and Control Defense-in-Depth and Diversity Report  ;

Figure B-3.5 Diverse Actuation System Diverse ESF - PCCS Water Start B-52 Figure B-3.6 Diverse Actuation System Diverse ESF - Actuate  ;

CMTS B-53 i Figure B-3.7 Diverse Actuation System Diverse ESF - Trip All i RCPS. B-54 .

Figure B-3.8 Diverse Actuation System Diverse ESF - Open  !

IRWST Isolation Valves B-55 l Figure B-3.9 Diverse Actuation System Diverse ESF.- Addi- l tional Manual Actuations B-56 i b

i t

t i

l l,

i i

l i

i l

Revision: 0 GW-J1R-004 l June 31,1993  !

B-4  ;

l.

9

_f l

8 - Sensor y,*/e"$ - Dynamic Trip Bus b - Class 1E isolation slG sEL . Signal Selector lSCl - Signal Conditioning NT on - Control Group INSCl - Nuclear Signal Conditioning SFAC - ESF Actuation Cabinet Subsystem A1 "Ee$r's7 - Automatic Tester Subsystem

- Nuclear instrumentation Signal NISPAC1 Processing and Control ESFAC

- ESF Actuation Cabinet Subsystem A2 Group 1 Subsystem A2

- Nuclear Instrumentation Signal NISPAC2 Processing and Control O - Manual Actuations Group 2 Subsystem oweit PROC 1 - DAS Processor 1 TRIP - Global Trip Subsystem 1,,, PROC 2 - DAS Processor 2 tests - Trip Enable Subsystem

- L gical Function AND RT1 - Reactor Trip Group 1 Subsystem -

RT2 - Reactor Trip Group 2 Subsystem

) - Logical Function OR CSF1

- Engineered Safety Features Group 1 Subsystem - Time Delay

/

ESF2 - Engineered Safety Features Group 2 Subsystem COM - Communication Subsystem Figure B-1.0 Block Diagram Symbols FILE: DID-LEG.DRW SK - 06/28/93 B-5

t-a,c ._

1 FIGURE B-1.1 IS PROPRIETARY Figure *B-1.1 Event:

Feedwater Malfunction That Results in a Decrease in Feedwater Temperature Supporting Trips:

t FILE: DIDE1-1.DRW JJB - 06/28/93

__ ~

s B-6

._.~. -. . _- __ - . _ . - - _ _ . _ . - . _ , . _ , _ . . , . . . .--. - - __ _, ._. .. ._ ..__. . ... _ _ _._ _ .,.. _.. .. _ .-.___.- , _ _ _ . . . _ _ _ . . _ . _ _ . _ _ _ _ _ _ _ _

a,c FIGURE B-1.2 IS PROPRIETARY l

t Figure B-1.2 Event:

~Feedwater Malfunction That Results in an increase in Feedwater Flow Supporting Trips:

FILE: DiDE1-2.DRW SK - 06/29/93

' B-7

. . _ - - . . _ . . . _ _ _ . - - _ . _ . - - . _ . - , . - ~ . - _ _ . _ _ . _ . - - . _ , _ - . . . - . - . _ . . . - . . , - - - - . _ . - - - _ - - . . _ . - - - . - _ . _ _ . _ _ . - . _ . - _ - . _ _ . _ _ _ _ _ . . . _ - - - _ _ _ . . - - . _ -

- a,c ,

FIGURE B-1.3 IS PROPRIETARY

. . Figure B,-1.3 Excessive increase in Secondary Steam Flow Supporting Trips:

FILE: DIDE1-3.DRW SK - 06/29/93 B-8

a,c 1

E P

FIGURE B-1.4 IS PROPRIETARY Figure B-1.4 ,

inadvertent Ojaening of a Steam Generator '

Relief or Safety Valve Supporting Trips:

l FILE: DIDE14.DRW ' SK - 06/29/93 B-9

t a,c _

FIGURE B-1.5 IS PROPRIETARY ,

t Figure B-1.5 Event:

Steam System Piping Failure Supporting Trips:

FILE: DIDE1-5.DRW SK - 06/29/93 -

B-10

a,c, FIGURE B-1.6 IS PROPRIETARY Figure B-1.6 ,

inadvertent Operation of the PRHR ,

Supporting Trips:

FILE: DIDE1-6.DRW SK - 06/29/93 B-11

a,c FIGURE B-1.7 IS PROPRIETARY Figure B-1.7 Loss of Electrical Load

, Supporting Trips:

FILE: DIDE1-7,DRW SK - 06/29/93

~

B-12

L L

a,c l

FIGURE B-1.8 IS PROPRIETARY-

. Event:

Turbine Trip Supporting Trips:

.i FILE: DIDE1-8.DRW SK - 06/29/93

_ Wuums B-13

._.__.m__m_._.u__-_.___._-___._____.__-._._ _._m__.__.- _ . _ _ _ __,-1.__-.-..-_c.-

, _ _ _ _ ,., = -- a ,w.. w,- . . . - - . - .,-,m.. s<m.... .,.----,4.. . s,_w, . .... ...~.-....-.s4 .- .- _ _m. .

a,c t i

e l

FIGURE B-1.9 IS PROPRIETARY

i. -r Figure B-1.9 Event:

' Inadvertent Closure of Main Steam isolation Valves

' Supporting Trips:

FILE: DIDE1-9.DRW SK - 06/29/93 B-14

a,c FIGURE B-1.10 IS PROPRIETARY Figure B-1.10 Event:

Loss of Condenser Vacuum and Other Events Resulting in Turbine Trip Supporting Trips:

FILE: DIDE1-10.DRW SK - 06/29/93

.B-15

a,c FIGURE B-1.11 IS PROPRIETARY Figure B-1.11

^

Event:

Loss of Non Emergency AC Power to Plant Auxiliaries Supporting Trips:

FILE: DIDE1-11.DRW SK - 06/29/93

.B-16

_-. _ , - . _ . - - - _ - . . . ~ - - _ .

a,c FIGURE B-1.12 IS PROPRIETARY f

4 LFigure B-1.12 Loss of Normal Feedwater Supporting Trips:

FILE: DIDE1-12.DRW SK - 06/29/93 B-17

.- - ___m _ . _____-__ _ _ _ . .. ~ - ~. _-_-_ - ...-. --. .-.4 -- . . - - - . - -. - , - - . . -<n,..-.-s- . w. r e. -----,,--,-,-.m,--reet . n,m . . - + <---,e*e 4. -r ..v - r:w,,,.- ,_...-.....--+--...,o,-.- -r--.

a,c _

FIGURE B-1.13 IS PROPRIETARY Figure B-1.13 Feedwater System Pipe Break -

Supporting Trips:

FILE: DIDE1-13.DRW SK - 06/29/93 B-18

a,C FIGURE B-1.14 IS PROPRIETARY t

Figure B-1.14 Event:

Partial Loss of Forced Reactor Coolant Flow -

Supporting Trips:

i FILE: DIDE1-14.DRW SK - 06/29/93 B-19. I

a,c FIGURE B-1.15 IS PROPRIETARY Figure B-1.15 Event:

Complete Loss of Forced Reactor Coolant Flow Supporting Trips:

FILE; DIDE1-15.DRW SK - 06/29/93 B-20

a,c I

t FIGURE B-1.16 IS PROPRIETARY Figure B-1.16 '

Event.

Reactor Coolant Pump Shaft Seizure Supporting Trips:

FILE: DIDE1-16.DRW SK - 06/29/93 B-21

a,c _

FIGURE B-1.17 IS PROPRIETARY f

, , Figure,B-1.17

' Event:

Reactor Coolant Pump Shaft Break Supporting Trips:

FILE: DIDE1-17.DRW SK - 06/29/93

.B-22

a,c FIGURE B-1.18 IS-PROPRIETARY i

Figure B-1.18 Uncontrolled RCCA Bank Withdrawal from a Subcritical or Low Power Condition

-Supporting Trips:

FILE: DIDE1-18.DRW SK - 06/29/93 B-23

a,c  ;

t i

FIGURE B-1.19 IS PROPRIETARY Figure B-1.19 ,'

. Uncontrolled RCCA Bank Withdrawal at Power Supporting Trips:

FILE: DIDE1-19.DRW SK - 06/29/93 -

B-24

l' a,c -

_ t FIGURE B-1.20 IS PROPRIETARY Figure B-1.20 ,

RCCA misalignment St.pporting Trips:

FILE: DIDE1-20.DRW - SK - 06/29/93 4 B-25

_ _ _ . . . . . _ _ _ _ . . . _ . _ . _ . _ , _ . . . . _ ~ . . - . _ . - . _ . . _ _ . ~ ~ _ - - _ . _ . _ ---

a,c _ ,

FIGURE B-1.21 IS PROPRIETARY

,= ,

Figure B-1.21 Event:

Startup of an inactive Reactor Coolant Pump at an incorrect Temperature Supporting Trips:

FILE: DlDE1-21.DRW SK - 06/29/93 B-26 -

a,c l

s 1

l l

l 1

I l

FIGURE B-1.22 IS PROPRIETARY Figure B-1.22 Chemical and Volume Control System Malf that Results in a Dect in RCS Boron Conc Supporting Trips:

a,c_

FIGURE B-1.23 IS PROPRIETARY Figure B-1.23 Event:

Spec,trum of Rod Cluster Control Assembly EJ ection Accidents Supporting Trips:

i

""'" " - "U " _

n-28

a,c .

FIGURE B-1.24 IS PROPRIETA 'lY Figure B-1.24 ,

Event:

Inadvertent Operation of the Emergency Core Cooling Sys During Power Operation Supporting Trips:

FILE: DIDE1-24.DRW SK - 06/30/93 B-29

\

a,c FIGURE "-1.25 IS PROPRIETARY

, Figure B-1,25 Event:

Chemical & Volume Control System Events that increase Reactor Coolant inventory Supporting Trips:

3 39 FILE: DIDE1-25.DRW SK - 06/30/93

a,c FIGURE B-1.26 IS PROPRIETARY Figure B-1.26 ,

., inadvertent Opening of a Pressurizer or ADS Valve Supporting Trips:

FILE: DIDE1-26.DRW SK - 06/30/93 B-31

a,c-

}

[

FIGURE B-1.27 IS PROPRIETARY t

t 4 .

Figure B-1.27 ,

i Event:

Steam Generator Tube Failure Supporting Trips:

L FILE: DIDE1-27.DRW SK - 06/30/93 ,

B-32 -

- . - - - _ . . _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ .-_ .._.. .__. u _ _ ____._-_. _ _ _ _ _ _ _ __ ..._ _ _ .._... _ .,__ _ __ _._. - _ _ __. _ ._. _ _ __.._.._... _ _ . , ._ :

l a,c FIGURE B-1.28 IS PROPRIETARY

. Figure B-1.28 Loss-of-coolant accidents .

Supporting Trips:

FILE: DIDE1-28.DRW. SK - 06/30/93 B-33 -

a,c i

FIGURE B-2.1 IS PROPRIETARY 4

5 1

, Figure B-2.1 see Feedwater System Malfunction that results in an increase in Feedwater Flow Supporting Actuations:

FILE: DIDE2-1.DRW SK - 06/30/93 B-34

a,c FIGURE B-2.2 IS PROPRIETARY Figure B-2.2 Event:

Inadvertent 03ening of a Steam Generator Relief or Safe y Valve Supporting Actuations: i FILE: DIDE2-2.DRW SK - 06/30/93 o 3, _

a,c FIGURE B-2.3 IS PROPRIETARY

, Figure B-2.3 Event:

Steam System Piping Failure.

Supporting Actuations:

-- FILE: DIDE2-3.DRW SK - 06/30/93 B-36 -

a,c I

, FIGURE B-2.4 IS PROPRIETARY 1

Figure B-2.4 ,

Event:

Inadvertent Operation of the PRHR

Supporting Actuations:

FILE: DIDE2-4.DRW

_ SK - 06/30/9]

a,c 4

l FIGURE B-2.5 IS PROPRIETARY Fig,ure B-2.5 Loss of Non Emergency AC Power to Plant Auxiliaries

-Supporting Actuations:

p.

FILE: DIDE2-5.DRW SK - 06/30/93 B i'

a,C

~ -

e FIGURE B-2.6 IS PROPRIETARY Figure,B-2.6 Event:

Loss of Normal Feedwater Supporting Actuations:

- FILE: DIDE2-6.DRW SK - 06/30/93 B-39

_ . _ -_ _ _ _ _ _ . _ . _ _ _ . _ _ _ . . . _ _ _ . _ . _ . _ _ . _ . . . , _ _ . . . . _ _ _ - . . _ _ . ~ _ . . . . . . - . _ . _ , . . _ _ - . . . . _ , _ . , _ . -. .. . _ . . _ _ - . - . . . .

a,c t

FIGURE B-2.7 IS PROPRIETARY

' Figure B-2.7

  • Event:

Feedwater System Pipe Break Supporting Actuations:

+

FILE: DIDE2-7.DRW SK '- 06/30/93 B-40 i

. . - - . . _ . _ ., _ - - _ . - - _ _ . _ . _ . . _ . _ . _ _ . ~ . . . , . . . _ _ _ . - . _ . . . _ . _ . _ _ _ _ _ . _ . . _ - _ _ _ . . . _ _ _ . _ . _ . . _ . . . . - _ _ . . . _ _ _ . _ _ . . . . _ . - _ . _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ _

I I

a,c l.

r l-l.

i-t.

l FIGURE B-2.8 IS PROPRIETARY Figure B-2.8 ,

RCCA Misalignment Supporting Actuations:

FILE: DlDE2-8.DRW SK - 06/30/93 B-41 -

a,c FIGURE B-2.9 IS PROPRIETARY

, Figure B-2.9 Event: ,

CVCS Malfunction that Results in a Decrease in RCS Boron Concentration Supporting Actuations:

FILE: DIDE2-9.DRW SK - 06/30/93 B-42 -

a,c FIGURE B-2.10 IS PROPRIETARY Figure B-2.10 Inadvertent Operation of the Emergency Core Cooling System During Power Operation  !

Supporting Actuations:

FILE: DIDE2-10.DRW SK - 06/30/93

e i

FIGURE B-2.11 IS PROPRIETARY Figure B-2.11

. Event:

CVCS Malfunction that increases RCS Inventory Supporting Actuations:

FILE: DIDE2-11.DRW SK - 06/30/93

_ B-44

a,c __

1 f

FIGURE B-2.12 IS PROPRIETARY 4

I 4

+

Figure B-2.12

  • l Event:

Inadvertent Opening of a Pressurizer or ADS Valve Supporting Actuations:

_ o.,,

eemze a = = __

4

._._m.___ _ - _ _.m_..__ _._m_m____ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _____________,_____m .m_.~. - . . m._...-.e._mg _,.:_,..,..+.,....,..,.m..,+.... . - . . . _ , _ _ . . . . . _ _ . _ _ _ . _ , . . . . _ . _ _ _ _ _ . _-

.I i.

!- a,c t

FIGURE B-2.13 IS PROPRIETARY Figure B-2.13 ,

Event:

Steam Genarator Tube Rupture .

Supporting Actuations:

FILE: DIDE2-13.DRW SK - 06/30/93 B-46

.- - - _ . . _ - . - . - - . - - . .--_ ..-_._ _ . _ - . - . _ - _ _ _ , . ~ . _ . _ _ _ . . . . . _ . . . . , . - - . . - . . . . - . , - . _ . . . _ - . _ . . . - - - - -

a,c, FIGURE B-2.14 IS PROPRIETARY Figure B-2.14 Loss-Of-Coolant Accidents Supporting Actuations:

FILE: DIDE2-14.DRW SK - 06/30/93 B-47

L a,c FIGURE B-3.1 IS PROPRIETARY 4

( . . .

FIGURE B-3.1 DIVERSE ACTUATION SYSTEM DIVERSE REACTOR TRIP L

FILE: DIDE3-1.DRW JJB 06/30/93-B-48

~

e.

FIGURE B-3.2 IS PROPRIETARY FIGURE B-3.2 DIVERSE ACTUATION SYSTEM DIVERSE ESF - TURBINE TRIP JJB 06/30/93 FILE: DIDE3-2.DRW

?

FIGURE B-3.3 IS PROPRIETARY FIGURE B-3.3 DIVERSE ACTUATION SYSTEM DIVERSE ESF - START PRHR HX 1__

B-50 FILE: DIDE3-3.DR'N JJB 06/30/93

ll a,c i

FIGURE B-3.4 IS PROPRIETARY FIGURE B-3.4

' DIVERSE ACTUATION SYSTEM

, DIVERSE ESF - CONTAINMENT ISOLATION t

}

FILE: DIDE3-4.DRW JJB 06/30/93 '

B-51 1

-____u.u---u-.n___w___. .--u-----u--.-n-_.--- -.-___u-a- ---- - - _ - _ _ _ _ _ _ _ . _ _- -.n---s.L -....-ma . < w,-w,---w-, -- - .s -a,--,-- - ev.e... ,- . ~ < .. ,_---m-u_ u ,. .- ,_ ---_ _ . - ..

i a,c 2-i I

FIGURE B-3.5 IS PROPRIETARY FIGURE B-3.5 DIVERSE ACTUATION SYSTEM DIVERSE ESF - PCCS WATER START FILE: DIDE3-5.DRW JJB 06/30/93 B-52.

~ . , . _ .. . - . _ _ _ _ . . _ . _ - _ - . _ , _ _ - . - . . , _ . , , _ . _ ~ _ . . , _ . . . _ . . . . _ - - - _ , - _ . - . - _ . _ . - .- . - . _ - , - . . _ _ ,_ _ _ _ _ . - . . _ - _ _ _ _ .

a,c 5

FIGURE B-3.6 IS. PROPRIETARY.

FIGURE B-3.6 DIVERSE ACTUATION SYSTEM DIVERSE ESF - ACTUATE CMTS.

FILE: DIDE3-6.DRW JJB 06/30/93 B-53 c

a,c FIGURE B-3.7 IS PROPRIETARY FIGURE B-3.7-DIVERSE ACTUATION SYSTEM DIVERSE ESF-TRIP ALL RCPS FILE: DlDE3-7.DRW JJB 06/30/93 B-54 l-.._-... ~. . - - . _ _ . . - . _ _ . . _ _ - . . . . . - - . . _ . - . . , . _ . - - . . . . . - _ . . - . . . . - _ _ - - - , . _ _ _ . - - _ . . ~ _. ... _ _ _

a,c.

FIGURE B-3.8 IS PROPRIETARY

.F F!GURE B-3.8 2

DIVERSE ACTUATION SYSTEM DIVERSE ESF - OPEN IRWST ISOLATION VALVES FILE: DIDE3-8.DRW JJB 06/30/93 B-55

a,c 4

FIGURE B-3.9 IS PROPRIETARY e e 4 i

FIGURE B-3.9 DIVERSE ACTUATION SYSTEM DIVERSE ESF- ADDITIONAL MANUAL ACTUATIONS FILE: DIDE3-9.DRW JJB 06/30/93 -

B-56

_ . _ , , _ . . . . _ . . _ . _ . _ . _ _ _ . , - , . _ . - _ _ _ . _ . _ . , _ _ . . _ . . _ . _ _ _ _ . _ . _ . . . . _ . _ _ . . . _ _ _ . _ _ _ . . . _ _ _ _ _ . . _ _ _ . . _ . _ . _ _ _ _ _