ML20063C337

Forwards Response to Request for Addl Info on Simplified BWR Design
Person / Time
Site: 05200004
Issue date: 01/31/1994
From: Leatherman J, GENERAL ELECTRIC CO.
To: NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References: MFN-009-94, MFN-9-94, NUDOCS 9402040195


Text


GE Nuclear Energy

January 31, 1994
MFN No. 009-94
Docket STN 52-004

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington DC 20555

Attention: Richard W. Borchardt, Director
Standardization Project Directorate

Subject: NRC Requests for Additional Information (RAIs) on the Simplified Boiling Water Reactor (SBWR) Design

References:

1. Transmittal of Requests for Additional Information (RAIs) for the SBWR Design, Letter from M. Malloy to P. W. Marriott dated January 5, 1994
2. MFN No. 004-94, NRC Requests for Additional Information (RAIs) on the Simplified Boiling Water Reactor (SBWR) Design, Letter from J. E. Leatherman to R. W. Borchardt, dated January 17, 1994

The Reference 1 letter requested additional information regarding the SBWR I&C design. In partial fulfillment of this request and in accordance with the Reference 2 schedule, GE is submitting Attachment 1 to this letter which contains responses to the following RAIs:

420.1-.3, 420.6, 420.9-.11, 420.13, 420.17, 420.34, 420.38-.40, 420.65, 420.67, 420.69-.70, 420.76-.84, 420.87-.89, 420.91-.98

Sincerely,

J. E. Leatherman
SBWR Certification Manager
MC-781, (408) 925-2023

Attachment 1, "Responses to NRC RAIs"

cc: M. Malloy, Project Manager (NRC) (w/2 copies of Attachment 1)
F. W. Hasselberg, Project Manager (NRC) (w/1 copy of Attachment 1)

9402040195 940131
PDR ADOCK 05200004
A PDR


RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI)
SIMPLIFIED BOILING WATER REACTOR (SBWR)
SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS

RAI 420.1

Identify the reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff.

Subjects addressed in these reports could include, but not necessarily be limited to, the following:

a. Overall block diagram(s) and descriptions of the reactor protection system (RPS) and engineered safety features actuation system (ESFAS), showing the architecture of the system, the allocation of functions to modules, and the communication channels among modules. Digital and analog modules should be identified. Methods for assuring required independence should be clearly identified, as well as power supply dependencies, division boundaries, and non-safety system interfaces. A description of the scope of on-line and diagnostic testing features for the proposed systems should be provided with regard to the diagram(s) to illustrate compliance with testability requirements.

b. The applicant's overall design verification program, covering development of the functional requirements, criteria, specifications, design, manufacture, test, and qualification methods and procedures. This should include a plan for software design verification and validation (V&V).
c. Failure modes and effects analysis for the I&C system.
d. A defense-in-depth analysis, demonstrating the diversity in the system that provides for defense against potential common-mode failures.
e. System (and significant component) reliability goals, assumptions, methodology, model, analysis, and evaluation.
f. Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design-basis electromagnetic interference (EMI) and radio frequency interference (RFI) environment.
g. Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design basis thermal environment established by localized heat transfer within these electronic equipment, including non-accident environments. This should also address the requirements for humidity controls to preclude damage from (1) electrostatic discharges and (2) moisture in the air.
h. Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design-basis surge withstand capability.


j. Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design-basis radiation environment, including environments normally considered "mild" for insulation materials.
k. Task analysis for the man-machine interface to the system.

Response

The types of I&C components used for SBWR I&C design are the same as those used for the ABWR; namely, software-based controllers using microprocessors and other programmable logic devices, discrete logic cards without software, and traditional analog-type or relay devices. These components may be arranged in various types of redundant or other fault-tolerant configurations. Most equipment is located in the control room area or environmentally-controlled ('clean') areas within the reactor building safety envelope. Thus, issues of design verification, electromagnetic compatibility, environmental qualification, and human-system interface (HSI) design are the same in terms of methodology and acceptance criteria as those for ABWR.

The following documentation will be provided to support SBWR I&C design (Design Aspect: Supporting Documentation):

a. Block diagram and description of RPS and ESF: Lawrence Livermore National Laboratory (LLNL) SBWR Diversity and Defense-in-Depth Study (draft version 1.0, June 30, 1993, has been reviewed by GE and returned to NRC).
b. Overall design verification program: SBWR Tier 1 Certified Design Material (CDM) 25A5354, Rev. A and supporting reference material in SSAR (same program as in ABWR).
c. FMEA: Equivalent analysis included in SBWR Probabilistic Risk Assessment (PRA) SSAR Chapter 19 and LLNL Diversity and Defense-in-Depth Study.
d. Defense-in-Depth analysis: LLNL Diversity and Defense-in-Depth Study for SBWR.
e. Reliability goals and methodology: PRA; Reliability, Availability, and Maintainability (RAM) Plan GENE, NEDG-31835, May 1990.
f. EMI/RFI protection methodology and acceptance criteria: CDM and SSAR 25A5113, Rev. A; same as ABWR criteria.
g. Thermal environment qualification methodology and acceptance criteria, including protection from ESD and moisture in the air: CDM 25A5354, Rev. A and SSAR; same as ABWR criteria.
h. Surge-withstand capability: CDM and SSAR; same as ABWR criteria.
j. Radiation environment qualification, including environments normally considered "mild" for insulation materials: CDM and SSAR; same as ABWR criteria.
k. Task analysis for MMI to the system: Part of main control room Human-System Interface (HSI) design (see Chapter 18 of SBWR SSAR, Section 18E, "HSI Design Implementation Process"); same as ABWR criteria.

RAI 420.2

Electromagnetic interference and radio frequency interference, including surge and electrostatic discharge, could reduce the reliability of the safety-related digital system. Provide a list of standards with which the SBWR design will comply to minimize and withstand EMI/RFI in the SBWR's environment.

Response

The ANSI/IEEE Standards and MIL Standards with which the SBWR design will comply to minimize and withstand EMI/RFI for the safety-related digital system are as follows:

ANSI/IEEE-C63.12, "American National Standard for Electromagnetic Compatibility Limits-Recommended Practice".

ANSI/IEEE-C37.90.2, "IEEE Trial-Use Standard, Withstand Capability of Relay Systems to Radiated Electromagnetic Interference from Transceivers".

ANSI/IEEE-C62.41, Guide for Surge Voltages in Low-Voltage AC Power Circuits.

ANSI/IEEE-C62.45, Guide on Surge Testing for Equipment Connected to Low-Voltage AC Power Circuits.

MIL-STD-461C, Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference.

MIL-STD-462, Measurement of Electromagnetic Interference Characteristics.

These standards are the same as those applied to the ABWR design [Reference ABWR SSAR, Appendix 7A.2(4)].

RAI 420.3

Provide a discussion of SBWR's overall software development program. This should include development of the functional requirements, criteria, specifications, design, manufacture, test, and qualification methods and procedures. The discussion should also include a list of standards with which the SBWR software development program will comply (consider ANSI/IEEE/ANS-7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," for guidance).

Response

Advanced technology has been applied to RPS and overall safety system design for SBWR in order to produce a system that is more compact, more reliable, more accurate, and more responsive than analog/relay designs. Previous experience with the Clinton Nuclear System Protection System (NSPS) proved that discrete, solid state, logic gates could provide a simple and testable replacement for RPS relay logic. However, this implementation required the use of several hundred printed circuit boards in the four protection divisions. The large quantity of equipment affected system reliability and required a complex, external, self-test system to ensure adequate availability (by fast detection and localization of circuit faults). Investigations into the use of more advanced technology for ABWR and SBWR RPS logic (part of Safety System Logic & Control) showed that significant cost savings and performance improvements were possible if locally digitized plant variables were multiplexed over fiber optic cables to the control room. The multiplexed data would be processed in microprocessor-based logic equipment controlled by software residing in non-volatile memory ("Firmware"). Control signals would also be multiplexed from the control room to the actuators of driven equipment for many systems. This type of configuration would greatly reduce the amount of processing equipment and cabling by replacing hardware logic with a software-based design requiring fewer integrated circuits.

Criteria and guidelines stated in ANSI/IEEE/ANS-7-4.3.2, as endorsed by Regulatory Guide 1.152, have been used as a basis for design procedures established for programmable digital equipment.

All programmable digital equipment utilized for safety-related functions is qualified in accordance with safety criteria and with the safety system design basis with which it interfaces.

Self-test or self-diagnostic features of this equipment, whether implemented in hardware or software, are considered an integral part of the design, and, as such, are qualified to Class 1E standards.


A structured, engineered approach to the development of both hardware and software is implemented to assure that the design proceeds along the lines of the requirement specifications and has traceable documentation.

Verification and validation (V&V) includes the establishment of test and evaluation criteria, the development of test and evaluation procedures, the testing of the integrated hardware and software, and the installation of the hardware and software in the field.

In accordance with the step-by-step verification process, design reviews are performed at the system functional and performance requirements specification/task analysis and allocation of functions level, the hardware design and the software design level, and the test operating/maintenance plan level. Such reviews are conducted by knowledgeable and experienced system engineers, software engineers, hardware engineers, etc., who are not directly responsible for the design, but who may be from the same organization.

The software development program is further discussed in the response to RAI 420.10 and SBWR Tier 1 Document 25A5354, Rev. A, Draft Amendment 1. The software development criteria comply with ANSI/IEEE/ANS-7-4.3.2-1993.

RAI 420.6

Are there any limitations on the SBWR design concerning the use of expert systems? Are there any limitations on the use of technology not specifically described? Provide the requirements for using such systems and technology.

Response

Plant automation features using expert systems or other computer-controlled processes are not applied, since they are unnecessary for standby systems that ordinarily do not require any operator action (automatic trip and initiation conditions are well-defined and do not change over time). Emergency operator action is provided by direct, hardwired switches external to software logic (for example, manual scram).

At the equipment level, the basic constraint on new technology application for safety systems is the need to provide advanced performance features while preserving long term reliability and availability of the basic trip functions (at least equal to that of the original designs). While almost any existing microprocessor or other Very Large Scale Integration (VLSI) technology can implement safety system functions, the following constraints on state-of-the-art technology were considered necessary to achieve a practical design:

HARDWARE/SOFTWARE CONSTRAINTS:

a. Proven technology - must have failure rate history to support reliability goals. Advanced component designs, such as Reduced Instruction Set Computer (RISC) processors, Application Specific Integrated Circuits (ASICs), gate arrays or Programmable Logic Devices (PLDs) have a limited design history and unknown future support.
b. Not obsolescent - reasonably expected to be supported by vendors for several years, with upgrading possible.
c. Second sources - affects availability of spare parts.
d. Components should be available in high reliability versions.
e. Maintainability - easily replaced modules, memory chips in sockets for expansion or upgrading.
f. Software support for hardware - appropriate development tools and compilers must be available for desired language and processor.
g. Programming language chosen should permit top down, structured, modular design and should result in easily readable source code.
h. Testability - automatic testability must be provided for logic inaccessible to manual surveillance and test methods.
i. Heat dissipation - equipment should require lowest power for required speed, preferably lower than previous designs. Sufficient panel space is available such that the highest density electronic packaging is not required.

RAI 420.9

Using a block diagram, describe the operation of the essential multiplexing system (EMS). The description should explain how the EMS transmits serial, time-pulsed data streams representing the status of plant variables, from local sensors to the logic processor. It should also explain how the EMS transmits alarm and trip status data to the safety system logic and control (SSLC) and display controllers in the main control room. (Reference SSAR Section 7.s. k4.)

Response

Refer to SSAR Figure 21.7.3-6 for a block diagram of EMS. The microprocessor-based controllers of SBWR EMS are similar in design and configuration to those applied in ABWR EMS and use the same data communications protocols. However, because of the location of the Safety System Logic and Control (SSLC) panels in the reactor building safety envelope, EMS is configured for direct data link operation for data required by SSLC. A dual, token ring, fiber optic, FDDI network (ANSI ASC X3T9.5, 100 Mbits/sec or equivalent deterministic protocol), which is independent in each division, provides safety system data to the flat touch panel display processors in the main control room (see SSAR Section 7.3.5.2). In addition, manual operator requests for safety action are transmitted by EMS to SSLC (some manual actions are hardwired and bypass EMS). In the control room, the EMS devices that provide interfaces to the safety-related displays and control switches are designated as control room multiplexing units (CMUs). In the ABWR, CMUs provide the same type of data transfer functions, but the data are monitored process parameters leading to SSLC trip action. Thus, the SBWR design has a simpler, more direct interface into SSLC for safety-related trip signals. Note that a process sensor can be connected to inputs of two local multiplexing units (LMUs), to achieve redundancy into SSLC.

The LMUs, so called because they are close to the SSLC cabinets in the reactor building clean areas, contain the Fiber Distributed Data Interface (FDDI) hardware and software plus a data acquisition front end, all communicating on a common bus. The LMUs condition and digitize the incoming process data and send the data on serial communications links to SSLC for trip determination. The data links also use the FDDI protocol. Although separate from the EMS ring, additional data links send trip status, alarm data, and diagnostic outputs from SSLC to the process computer and main control complex display processors via a gateway device. Isolation is provided from the safety-related SSLC to the non-safety-related control data network by: (1) the fiber optic transmission medium, (2) the gateway protocol translator, and (3) the specified one-way data transmission from the safety side to the non-safety side. The communications protocol for these links will be RS485 optical (10 Mbits/sec) or equivalent.

Note that LMUs do not provide output signals to driven equipment; ESF control outputs are not multiplexed as they are in ABWR due to the proximity of SSLC to the actuators, the reduced quantity of actuators, and the mainly squib-type or solenoid-type actuators that are used instead of motor-operated valves requiring several control signals per valve. EMS is powered in each division from the divisional Class 1E 125 VDC power source.

RAI 420.10

Describe the data transmission process between safety-related systems and non-safety-related systems, including the interface criteria. This should also describe the data bus used (protocols and error detection). Describe what happens when a single card on a data bus fails. Identify the design features that prevent errors from propagating into the safety systems. (Reference SSAR Section 7.1.1.)

Response

The response to RAI 420.9 addresses the basic techniques for safety-related to non-safety-related data transmission. The basic criterion employed is that no failure of hardware or software on the non-safety-related side shall propagate back into the safety-related side and affect safety-critical logic. The methods used are addressed in ANSI/IEEE Std. ANS-7-4.3.2 (1993). In general, data is broadcast continuously to the non-safety system by a protocol not requiring handshaking signals for control of transmission. This prevents data transmission lock-up and possible software hang-up on the safety-related side. Error detection is provided by the FDDI station management protocol and controller self-test software on both the safety and non-safety sides. Fiber Distributed Data Interface (FDDI) networks are automatically reconfigurable on failure of a single card or cable. All controller self-test functions have the features described in SSAR Section 7.3.4.4 for the Safety System Logic and Control (SSLC) logic processors. Note that data are continuously refreshed on each scan cycle so transient errors are self-correcting.

RAI 420.11

Provide a discussion of the error tolerance of the bus and multiplexer. Explain how errors are detected and how the systems are tolerant to the errors.

Response

Error tolerance of the bus and multiplexer will be addressed during detailed hardware/software design. This subject cannot be fully considered until the actual equipment is selected, which, in any case, must meet the accuracy requirements of each supported system. Error detection is addressed in the responses to RAIs 420.9, 420.10, and 420.17.

RAI 420.13

Provide a discussion of the availability of the reactor protection system monitoring systems. The discussion should include the conditions and functions that are being monitored to inform the operator of the status of both the long-term and short-term availability of the RPS. (Reference SSAR Section 7.2.1.2.)

Response

The SBWR reactor protection system (RPS) is essentially the same design as that for the ABWR. Furthermore, the availability has been somewhat increased for the SBWR design by putting the Main Steam Isolation Valve logic in a separate, independent logic channel in each division. Otherwise, the 2-out-of-4 voting configuration of both the sensor inputs and divisional trip outputs makes RPS highly available, since a by-passable failure at both the input and output side of the same or different divisions (making the trip logic 2-out-of-3 at both ends) plus an additional failure in another division at either the input or output sides will not inadvertently trip or prevent a required trip (full scram) of RPS. This arrangement also prevents half scrams and permits on-line maintenance without reactor trip.

The operator is kept informed of the status of RPS by the self-test functions of Essential Multiplexing System and Safety System Logic and Control, which include control room indication, plus indicators for the trip status of each monitored trip parameter, bypass status, and scram pilot valve solenoid circuit continuity (white status lights). Long term availability is assured by periodic on-line surveillance testing that exercises the trip logic in bypassed channels and exercises the output load drivers and pilot valve solenoids (half-scram condition). Off-line surveillance testing during maintenance outages fully exercises all logic and solenoids simultaneously.
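The availability argument above can be checked mechanically. The following is an added model (not GE's logic or code) of 2-out-of-4 voting on the sensor inputs and again on the divisional trip outputs, where a bypassed channel turns that side into 2-out-of-3; it then replays the stated case of one input bypass, one output bypass and one further failure in another division. Division names and the fault model (a channel stuck tripped or stuck clear) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DIVISIONS = ("I", "II", "III", "IV")   # constructed names for the four RPS divisions


@dataclass
class Division:
    sensor_trip: bool = False            # what a healthy sensor in this division sees
    sensor_fault: Optional[str] = None   # "stuck_trip", "stuck_clear" or None
    input_bypassed: bool = False         # sensor channel removed from the input vote
    output_fault: Optional[str] = None   # "stuck_trip", "stuck_clear" or None
    output_bypassed: bool = False        # trip output removed from the output vote


def _apply_fault(healthy: bool, fault: Optional[str]) -> bool:
    if fault == "stuck_trip":
        return True
    if fault == "stuck_clear":
        return False
    return healthy


def vote(states: List[bool], bypassed: List[bool], needed: int = 2) -> bool:
    """m-out-of-n vote; a bypassed channel leaves n, so 2oo4 becomes 2oo3."""
    active = [s for s, b in zip(states, bypassed) if not b]
    return sum(active) >= needed


def input_vote(divs: List[Division]) -> bool:
    """Each division votes 2oo4 over the four divisional sensor channels."""
    sensors = [_apply_fault(d.sensor_trip, d.sensor_fault) for d in divs]
    return vote(sensors, [d.input_bypassed for d in divs])


def full_scram(divs: List[Division]) -> bool:
    """Divisional trip outputs are voted 2oo4 again at the scram solenoid circuits."""
    tripped = input_vote(divs)
    outputs = [_apply_fault(tripped, d.output_fault) for d in divs]
    return vote(outputs, [d.output_bypassed for d in divs])


def rps_scrams(event: bool, faults: Optional[Dict[str, dict]] = None) -> bool:
    """Build four divisions that all see the same process condition, overlay the
    per-division faults/bypasses given, and report whether RPS produces a full scram."""
    divs = []
    for name in DIVISIONS:
        d = Division(sensor_trip=event)
        for attr, value in (faults or {}).get(name, {}).items():
            setattr(d, attr, value)
        divs.append(d)
    return full_scram(divs)


# The RAI 420.13 case: one bypass on the input side and one on the output side
# (here in different divisions), plus one more failure in a third division.
MAINTENANCE = {"I": {"input_bypassed": True}, "II": {"output_bypassed": True}}


def with_extra_fault(side: str, fault: str) -> Dict[str, dict]:
    """MAINTENANCE plus a 'sensor' or 'output' fault in division III."""
    combined = {k: dict(v) for k, v in MAINTENANCE.items()}
    combined["III"] = {f"{side}_fault": fault}
    return combined
```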

RAI 420.17

Describe the self-diagnostic features of the computer-based safety system. (Reference SSAR Section 7.2.1.4.)

Response

The self-diagnostic features of the computer-based safety system comprise those features found in the essential multiplexing system (EMS) and safety system logic and control (SSLC). EMS, which includes both data acquisition and multiplexing functions, contains diagnostics that are part of the signal conditioning modules and also contains diagnostics that are part of the communications hardware and associated embedded software. The station management functions in ROM that are part of the Fiber Distributed Data Interface (FDDI) protocol permit automatic reconfiguration (fault isolation) and continued operation of EMS on failure of one redundant communication channel.

Other self-diagnostic features, which are the same as those provided for the ABWR safety systems' microprocessor-based controllers, are summarized below (also see SSAR Section 7.3.4.4, covering SSLC logic processors):

Error Detection

Diagnostic capability is focused on trapping errors in the critical data path in order to prevent false outputs to the equipment actuators.

Continuous, on-line, self-diagnostics within each microprocessor-based controller provide error detection of lost or corrupted data or broken cables throughout the safety system channels. Detected errors are annunciated in the control room. The self-diagnostics locate and identify the failed part to the lowest replaceable module level.

Error detection capability includes data I/O checks (plausibility, boundary, and rate limit checking), RAM and ROM checks, and program flow checks. Basic system 'health' is monitored by both software and hardware watchdog timers. In the data path, parity bits are appended to each data message and a cyclic redundancy check (CRC) is calculated. The data messages are then checked throughout the data channel for correct transmission and reception. System hardware is also monitored for shorted, open, and oscillating inputs and outputs, and high or low power supply voltages.

After a trip state is determined from the incoming data, dynamic trip encoding is used to prevent "stuck-at-1" or "stuck-at-0" failures from inadvertently causing or preventing a trip. The safe state is represented by a 4 or 8 bit pattern, while the "armed" state has another unique bit pattern. The patterns are chosen such that accidental changes in one or two bits will not be recognized as a change of state. Trip conditions are always validated before a trip output is permitted.
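The dynamic trip encoding described above, as an added example that is not the SBWR implementation: two 8-bit patterns are chosen so that flipping one or two bits of either never produces the other, a bus stuck at all-zeros or all-ones is neither a valid state nor close to one, and the armed pattern must be confirmed on consecutive scans before the trip output is permitted. The patterns 0x5A/0xA5 and the two-scan validation count are constructed for the example.

```python
from itertools import combinations
from typing import Dict, Iterator, List

WORD_BITS = 8
SAFE = 0x5A    # 0101_1010, constructed "safe" pattern
ARMED = 0xA5   # 1010_0101, constructed "armed" pattern: every bit differs from SAFE
VALID_STATES: Dict[int, str] = {SAFE: "safe", ARMED: "armed"}
STUCK_AT = (0x00, 0xFF)   # what a bus stuck at 0 or stuck at 1 delivers


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def corruptions(word: int, max_bits: int = 2) -> Iterator[int]:
    """Every word reachable from `word` by flipping 1..max_bits bits."""
    for k in range(1, max_bits + 1):
        for bits in combinations(range(WORD_BITS), k):
            yield word ^ sum(1 << b for b in bits)


def decode_state(word: int) -> str:
    """Only an exact pattern is a state; anything else is a detected error."""
    return VALID_STATES.get(word & 0xFF, "invalid")


def pattern_design_ok(max_bits: int = 2) -> bool:
    """Exhaustive design check: no 1..max_bits-bit corruption of a valid pattern is
    itself a valid pattern, and a stuck-at bus value is neither a pattern nor within
    max_bits of one (so it cannot pass as a slightly corrupted state)."""
    for word in VALID_STATES:
        if any(c in VALID_STATES for c in corruptions(word, max_bits)):
            return False
    for stuck in STUCK_AT:
        if any(hamming_distance(stuck, w) <= max_bits for w in VALID_STATES):
            return False
    return True


class TripValidator:
    """Permits the trip output only after the armed pattern is seen on
    `scans_required` consecutive scans; any invalid word resets the count and is
    counted as an error to annunciate."""

    def __init__(self, scans_required: int = 2):
        self.scans_required = scans_required
        self.armed_scans = 0
        self.errors = 0

    def update(self, word: int) -> bool:
        state = decode_state(word)
        if state == "armed":
            self.armed_scans += 1
        else:
            self.armed_scans = 0
            if state == "invalid":
                self.errors += 1
        return self.armed_scans >= self.scans_required


def trip_outputs(words: List[int], scans_required: int = 2):
    """Feed a sequence of received words through a validator; return the per-scan
    trip output and the number of invalid words seen."""
    v = TripValidator(scans_required)
    outputs = [v.update(w) for w in words]
    return outputs, v.errors
```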

Error Correction

Basic error correction uses Hamming coding techniques that correct 1 or 2 bit errors. In general, though, since each scan cycle results in new data refreshing old data, transient errors are recoverable and do not affect performance.
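As an added illustration of Hamming coding (not taken from the SBWR design), the standard extended Hamming(8,4) code on a 4-bit value: three Hamming parity bits plus an overall parity bit, so a single-bit error is corrected and a double-bit error is detected and flagged rather than silently miscorrected, leaving the scan-cycle refresh to recover it. The bit layout is the textbook one and an assumption of the example.

```python
from itertools import combinations
from typing import Tuple

# Textbook extended Hamming(8,4): positions 1..7 form Hamming(7,4) with parity bits
# at positions 1, 2, 4 and data bits at 3, 5, 6, 7; position 0 holds an overall
# parity bit. This layout is an assumption of the example, not the SBWR design.
DATA_POS = (3, 5, 6, 7)
PARITY_GROUPS = {1: (3, 5, 7), 2: (3, 6, 7), 4: (5, 6, 7)}


def _xor(bits, positions):
    acc = 0
    for p in positions:
        acc ^= bits[p]
    return acc


def encode(nibble: int) -> int:
    bits = [0] * 8
    for i, p in enumerate(DATA_POS):
        bits[p] = (nibble >> i) & 1
    for p, group in PARITY_GROUPS.items():
        bits[p] = _xor(bits, group)
    bits[0] = _xor(bits, range(1, 8))        # overall parity makes the 8-bit word even
    return sum(b << i for i, b in enumerate(bits))


def decode(codeword: int) -> Tuple[int, str]:
    """Return (nibble, status); status is "ok", "corrected" (1-bit error fixed) or
    "uncorrectable" (2-bit error detected; the nibble returned is untrustworthy)."""
    bits = [(codeword >> i) & 1 for i in range(8)]
    syndrome = 0
    for p, group in PARITY_GROUPS.items():
        if _xor(bits, (p,) + group):
            syndrome |= p                    # the syndrome equals the erroneous position
    overall = _xor(bits, range(8))           # 1 if an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        bits[syndrome] ^= 1                  # single error (position 0 if syndrome is 0)
        status = "corrected"
    else:
        status = "uncorrectable"             # even number of flips: detect, do not fix
    nibble = sum(bits[p] << i for i, p in enumerate(DATA_POS))
    return nibble, status


def flip(codeword: int, positions) -> int:
    """Inject a constructed fault by flipping the given bit positions."""
    for p in positions:
        codeword ^= 1 << p
    return codeword


def exhaustive_check() -> bool:
    """Every nibble survives any single-bit error, and every double-bit error is
    flagged rather than silently miscorrected."""
    for n in range(16):
        cw = encode(n)
        if decode(cw) != (n, "ok"):
            return False
        if any(decode(flip(cw, [p])) != (n, "corrected") for p in range(8)):
            return False
        if any(decode(flip(cw, pair))[1] != "uncorrectable"
               for pair in combinations(range(8), 2)):
            return False
    return True
```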

RAI 420.34

Explain how the SBWR complies with anticipated transient without scram (ATWS) mitigation requirements. In addition, describe the manual actuation system of the automatic depressurization system (ADS). (Reference SSAR Section 7.3.1.1.)

Response

ATWS Requirements and Implementation

ATWS mitigation requirements are discussed in SBWR SSAR Section 15.8.1, to wit:

"SRP 15.8 requires an automatic recirculation pump trip (RPT) and emergency procedures for ATWS. This SRP has been superseded by the issuance of 10CFR50.62, which requires the BWR to have automatic RPT, an alternate rod insertion (ARI) system and an automatic standby liquid control system (SLCS) with a minimum flow capacity and boron content equivalent to 5.42 x 10-3 m3/sec (86 gpm) of 13 weight percent sodium pentaborate solution."

SBWR complies with these requirements for ATWS prevention/mitigation by providing the following (from SSAR Section 15.8.2):

- An ARI system that utilizes sensors and logic which are diverse and independent of the RPS,
- Electrical insertion of Fine Motion Control Rod Drives (FMCRDs) that also utilize sensors and logic which are diverse and independent of the RPS,
- Automatic feedwater runback under conditions indicative of an ATWS, and
- Automatic initiation of SLCS under conditions indicative of an ATWS.

The ATWS rule of 10CFR50.62 was written as hardware-specific, rather than functionally, because it clearly reflected the BWR use of forced core flow circulation. Since the SBWR uses natural circulation, there are no recirculation pumps to be tripped. Hence, no Recirculation Pump Trip (RPT) logic is implemented in the SBWR. However, an ATWS automatic feedwater runback feature is implemented. This feature prevents reactor vessel overpressure and possible short-term fuel damage for the most limiting postulated ATWS events.

The SLCS is required by 10CFR50 Appendix A and is described in Chapter 9. However, because the new drive design eliminates the previous common-mode failure potential and because of the very low probability of simultaneous common mode failure of a large number of FMCRDs, a failure to achieve shutdown is deemed incredible. Nevertheless, automatic initiation of SLCS under conditions indicative of an ATWS is also incorporated in order to meet the rule specified in 10CFR50.62(c)(4).


As stated in SSAR Section 7.7.2.2.8, the two channels of Rod Control and Information System (RC&IS), during an ATWS event, each receive ARI signals from the four divisions of SSLC. The RC&IS logic, after two-out-of-four voting on the ATWS input signals from SSLC, controls the fine motion control rod drive motors such that all control rods are driven to their full-in position.

The operator at the RC&IS operator interface can take action to initiate the ARI function. Two manual actions are required to manually initiate the ARI. The ARI signals (manual) are sent to four divisions of SSLC, which are then sent back to RC&IS from SSLC. The logic of RC&IS is designed such that a single failure can only result in insertion failure of no more than one operable control rod, when the ARI function is activated.

ATWS mitigation logic is presented in SSAR Figure 7.3-4a&b and Subsections 7.7.2 and 7.3.4. The mitigation of ATWS events is accomplished by the features discussed above plus ADS inhibit. Section 15.8.3.4 lists the ATWS initiation signals and setpoints.

Manual Actuation of ADS

Manual actuation of ADS by means of safety system logic [Depressurization Valve (DPV) and Safety Relief Valve (SRV) channels] requires the operator to actuate two (out of four) dual action switches. This ensures that the manual initiation of ADS is a deliberate act. In addition, the DPVs and SRVs can be manually initiated independently by their own switches outside of safety system logic. Manual arming and manual actuation of ADS are alarmed in the main control room.

Manual actuation through the safety system logic is independent of automatic initiation and does not depend upon the ADS timer. Manual initiation immediately starts the DPV and SRV timing sequences, which then go to completion. Manual switches that are independent of safety system logic are routed through separate diverse logic to load drivers or contactors that are separate and diverse from those used for automatic actuation. Two (out of two) keylocked switches must be operated simultaneously for the dual timing sequences to result in all DPVs opening at the correct intervals. In contrast, each SRV has two keylocked switches either of which opens the valve. There are eight sets of switches for individual control of all SRVs. (See SSAR Figures 19AE.8-2 and 19.AE.8-3)


RAI 420.38

Describe how the gravity-driven cooling system pool water level is monitored. Is the level constantly monitored in the control room? (Reference SSAR Section 7.3.1.2.2.)

Response

The Gravity-Driven Cooling System pool water level is continuously monitored by safety-related level transmitters, two for each pool. The signals from the level transmitters are multiplexed and then continuously fed into level indicator switches to indicate water level as well as activate a low water level alarm in the main control room.


RAI 420.39

The last sentence of the first paragraph on page 7.3-9 states that the deluge valves actuate immediately upon sensing extreme lower drywell base mat temperature. This sentence, however, is not consistent with the second sentence of the last paragraph on page 6.3-5 (SSAR Section 6.3.2.2) which states that the deluge line flow is initiated by thermocouples which sense high lower drywell region base mat temperature indicative of molten fuel on the lower drywell floor. This needs to be clarified. (Reference SSAR Section 7.3.1.2.2.)

Response

The second sentence of the last paragraph on page 6.3-5 (SSAR Section 6.3.2.2) will be revised to read as follows:

"Deluge line flow is initiated by thermocouples which sense high lower drywell temperature indicative of molten fuel in the lower drywell."

The last sentence of the first paragraph on page 7.3-9 (SSAR Section 7.3.1.2.2) will be revised to read as follows:

"The deluge valves actuate upon receiving a high lower drywell temperature sensed by thermocouples located in the lower drywell."


RAI 420.40

The third sentence of the second paragraph of page 7.3-9 states that any division sending an input signal will generate a divisional output logic signal which is then sealed in for 30 minutes. Is this 30-minute seal-in different from the 30-minute delay for the suppression pool equalizing line valves? Also, explain what would happen if the input signal goes away. (Reference SSAR Section 7.3.1.2.2.)

Response

The 30-minute seal-in time for the output logic signal is totally different from the 30-minute delay for actuating the suppression pool equalizing line squib valves.

A Gravity-Driven Cooling System (GDCS) logic division, on receiving a confirmed Level 1 signal from the Safety System Logic and Control (SSLC) system, will generate a GDCS divisional signal which will be sealed in for 30 minutes in this GDCS logic. The sealed-in signal will stay in GDCS logic for this time even if the input signal received from the SSLC system goes away during this time.
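As an added illustration (not GE's design or code) of two behaviours described in these responses, the two-out-of-four voting of divisional signals in the ATWS response above and the 30-minute seal-in described here, the Python below simulates one GDCS logic division on a constructed minute-by-minute input. Whether an input that is still present when the seal-in window expires starts a fresh seal-in is not stated in the response and is an assumption of this model.

```python
"""Added example (not GE or SBWR code): simulates two-out-of-four (2oo4)
voting of divisional trip signals and the 30-minute seal-in of a GDCS
divisional output, using a simple minute-by-minute model."""

from dataclasses import dataclass
from typing import List, Sequence

SEAL_IN_MINUTES = 30  # seal-in duration given in the response to RAI 420.40


def vote_2oo4(division_trips: Sequence[bool]) -> bool:
    """Return True when at least two of four divisional inputs are tripped.

    A single tripped division (one failed or spurious channel) does not
    confirm the signal; any two do, so one failed-high channel cannot
    actuate and one failed-low channel cannot block actuation.
    """
    if len(division_trips) != 4:
        raise ValueError("2oo4 voting needs exactly four divisional inputs")
    return sum(1 for tripped in division_trips if tripped) >= 2


@dataclass
class GdcsDivisionLogic:
    """One GDCS logic division.

    On a confirmed Level 1 input the divisional output is asserted and
    sealed in for SEAL_IN_MINUTES; it stays asserted for the whole window
    even if the input clears. Assumption (not stated in the response): an
    input still present when the window expires starts a fresh seal-in.
    """
    sealed_until: int = -1  # simulated minute at which the seal-in expires

    def step(self, now_min: int, level1_confirmed: bool) -> bool:
        sealed = now_min < self.sealed_until
        if level1_confirmed and not sealed:
            self.sealed_until = now_min + SEAL_IN_MINUTES
            sealed = True
        return sealed


def run_scenario(channel_states: Sequence[Sequence[bool]]) -> List[bool]:
    """Feed per-minute sensor-channel states (4 booleans each) through 2oo4
    voting and one GDCS division; return the divisional output per minute."""
    division = GdcsDivisionLogic()
    return [division.step(minute, vote_2oo4(channels))
            for minute, channels in enumerate(channel_states)]


def build_scenario() -> List[List[bool]]:
    """Constructed 40-minute input: one spurious channel at minute 0, then a
    two-channel (confirmed) Level 1 signal lasting only minutes 1 and 2."""
    minutes = [[False, False, False, False] for _ in range(40)]
    minutes[0] = [True, False, False, False]   # single channel: not confirmed
    minutes[1] = [True, True, False, False]    # two channels: confirmed
    minutes[2] = [True, True, False, False]
    return minutes


def asserted_window(outputs: Sequence[bool]):
    """Return (first_minute, last_minute) the output was asserted, or None."""
    on = [i for i, out in enumerate(outputs) if out]
    return (on[0], on[-1]) if on else None


if __name__ == "__main__":
    outs = run_scenario(build_scenario())
    first, last = asserted_window(outs)
    print(f"output asserted from minute {first} to {last} "
          f"({last - first + 1} minutes) although the input cleared at minute 3")
```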


RAI 420.65

Describe the standby liquid control system's (SLCS's) manual initiation system. Is the manual system independent from the automatic initiation system? In addition, describe the interface between SLCS and the safety system logic and control (essential multiplexing system). (Reference SSAR Section 7.4.1.)

Response

Detailed information on manual initiation of SLCS is provided in SSAR Section 9.3.5.2, page 9.3-14, paragraphs 2 and 3.

The manual initiation controls and signals are separate and independent from those for the automatic initiation. The revised SSAR Figure 7.3-4a (attached) depicts the ATWS/SSLC (Anticipated Transients Without Scram / Safety System Logic and Control) Logic Interface. As shown in this figure, the interface between the SLCS initiation (manual and automatic) signals, NMS inputs and SLCS output, and the SSLC is achieved through the Essential Multiplexing System (EMS) via fiber optic links. For a detailed discussion of the EMS design features refer to SSAR Section 7.3.5.2, page 7.3-31, paragraphs 7 and 12.

Discussion of SLCS automatic initiation under ATWS conditions is also provided in response to RAI 420.34.


[Revised Figure 7.3-4a, ATWS/SSLC Logic Interfaces (discrete section): the logic diagram is not reproduced in text. Legible block labels include RC&IS, RPS, Scram Follow, FMCRD, 2/4 logic, SSLC CRDS, ATWS Discrete Logic Card, ARI/SLCS Initiation A and B, NBS SSLC, SSLC SRV DLU, ATM Inhibit ADS, SRV Actuation Logic, SSLC ICS DLU, Reactor Mode Switch, Return Bypass Valves F006A(B,C), MCR SLCS Manual Reset of ATWS Auto Inhibit of ADS Initiation, RPS Reset, NMS (hard-wired to SSLC), Boron Inject, FW Pumps ASDs, and Runback.]

RAI 420.67

Explain which standby liquid control system parameters are monitored and displayed in the control room. (Is SLCS flow monitored?) (Reference SSAR Section 7.4.1.)

Response

The SLCS process parameters monitored and displayed in the control room are: sodium pentaborate tank level, accumulator tank pressure and nitrogen temperature. These are listed in the SSAR Chapter 19, Table 19AE.6-1 and are shown on Figure 19AE.6-1. The SLCS flow is not monitored because the duration of the SLCS flow is relatively short and the pentaborate solution injection is evidenced by the drop in the tank level and accumulator pressure. Discussion of SLCS instrumentation is also provided in the SSAR Section 9.3.5.5.


25A5113 Rev. A SBWR Standard Safety Analysis Report

...parallel squib-type valves, only one of which is required for the safety-related function of SLCS. The SLCS instrumentation required to assure operability of the system is also redundant in order to avoid unknown out-of-service conditions.

Regulatory Guide 1.75 -The SLCS complies with RG 1.75.

Regulatory Guide 1.118 - The SLCS complies with RG 1.118.

Regulatory Guide 1.153 - Consistent with the discussion of other regulatory guides and the General Design Criteria, the SLCS complies with this regulatory guide.

Branch Technical Positions

ICSB 21 - The SLCS complies with BTP ICSB 21.

ICSB 22 - The approach to compliance with RG 1.22 is discussed above.

7.4.1.4 Testing and Inspection Requirements

An initial SLCS performance verification test will be performed as a part of the start-up test program. This test is intended to demonstrate that the SLCS performance is in accordance with the data provided in the process flow diagram.

After the plant has become operational, a full test of this system will no longer be possible. There are, however, no active components in this system other than the two squib valves, only one of which is required. If one of these valves is actuated and the system is in its normal operating configuration and within its normal range for critical system parameters (accumulator level and pressure), injection will occur as specified in the process flow diagram.

Normal surveillances as specified in the Technical Specifications will assure operability with an acceptably low probability of demand failure.

7.4.1.5 Instrumentation Requirements

Status lights indicating full-open or full-closed valve positions are provided for F006 and F002. An open indication for valves F006 and F002 is required to assure SLCS operability.

Accumulator pressure and solution level alarms and indication are provided in the control room to:

• assure operability of the system;
• warn of an out-of-tolerance condition on level or pressure; and
• provide verification of proper system operation after initiation.

These measurements are redundant to minimize vulnerability to instrument or indicator failure. The level instrumentation is triply redundant in order to provide the two-out-of-three initiation signal for closure of the shutoff valve, F002. The pressure indication and alarm is dually redundant, but only one channel is used for makeup control of accumulator pressure. These instruments also provide local indication.

Local indication and control room alarm are provided for the nitrogen gas and poison solution makeup. The low level alarms are set to provide adequate time for makeup by the manually operated nitrogen and sodium pentaborate solution supply systems.

7.4.2 Remote Shutdown System (C61)

7.4.2.1 Design Bases

The Remote Shutdown System (RSS) shall provide the means to safely shut down the reactor from outside the main control room. The RSS shall provide remote manual control of the systems necessary to: (1) achieve prompt hot shutdown of the reactor after a scram, (2) achieve subsequent cold shutdown of the reactor, and (3) maintain safe conditions during shutdown.

The RSS is classified as a nonsafety-related system. The RSS does not include control interfaces with nuclear safety-related equipment. The specific regulatory requirements applicable to the RSS are listed in Table 7.1-1.

7.4.2.2 System Description

General

To achieve a safe and orderly plant shutdown from outside the main control room, controls and indicators necessary for operation of the following systems and equipment are provided on the remote shutdown panel.

• Reactor Water Clean-up/Shutdown Cooling (RWCU/SDC) System
• Control Rod Drive (CRD) System (make-up function)
• Reactor Component Cooling Water (RCCW) System
• Plant Service Water (PSW) System
• Electrical Power Distribution System
• Nuclear Boiler System (NBS) instrumentation
• Reactor Building HVAC (struck out in the revision)

...steel line designed for 17.24 MPa (2500 psig) internal pressure with corresponding ratings for the valves.

• Redundant level instrumentation to assure adequate solution inventory and to initiate closure of the injection line on completion of solution injection.

• A poison solution line used for initial charging and any necessary periodic make up to the accumulator.

In addition to these safety-related system components, the SLCS also includes the following subsystem which is not safety-related:

• a nitrogen charging system operating from a liquid nitrogen tank, vaporizer, and compressor/high pressure pump for initial accumulator charging and makeup for the normal, but very small, system losses during normal plant operations.

The SLCS also requires support from the following safety-related systems:

• power from the Class 1E 125 VDC power system;
• initiation signals to trigger automatic initiation;
• a sparger system consisting of a reactor vessel penetration, an internal injection line, a distribution manifold, and four injection spargers located in the external core bypass volume to assure uniform solution injection; and
• instrumentation and alarms to assure conformance to equipment environmental qualification constraints.

In addition, support is required from the following non-safety-related function:

• control of the equipment compartment temperature and humidity conditions to assure proper equipment operation and avoidance of solute precipitation in the accumulator or injection line.

The bulk of the safety-related SLCS equipment is located within one room of the reactor building safety envelope except for a portion of the injection line containing a manual shut off valve and a check valve located in the drywell and an upstream check valve located outside the drywell. The nonsafety-related nitrogen/poison solution charging and make-up equipment is located outside the safety envelope.

The sparger system is located within the reactor vessel, and those portions of the SLCS injection line downstream of the squib valve contain only stagnant reactor grade water.

Process Auxiliaries - Amendment 1 DRAFT 9.3-13

Closure of the injection shutoff valve is automatically initiated by the accumulator level instrumentation using 2-out-of-3 logic. Closure, or override of the automatic closure initiation, may also be initiated manually from the control room. Operation of the accumulator vent system is manual from the control room. Operation of the accumulator nitrogen charging and makeup system to accommodate small losses is manual. Control room alarms are provided for high, low, and low-low conditions of accumulator pressure and low and low-low conditions of accumulator solution level. At low level conditions, the nitrogen and poison solution makeup systems are manually started. Instrumentation consisting of accumulator temperature, solution level, and accumulator pressure is provided locally inside the accumulator room. Figure 21.9.3-3 contains process data for the various anticipated operating conditions for the SLCS including those beyond the safety design basis for the plant.

The status of all valves vital to the operation of the system is provided in the main control room.

A further discussion of the SLCS instrumentation may be found in Section 7.4.

9.3.6 Instrument Air System

9.3.6.1 Design Bases

Safety Design Bases

The Instrument Air System (IAS) is a nonsafety-related system and has no safety design basis.

Power Generation Design Bases

• The Instrument Air System (IAS) is provided with redundant active components.
• The IAS is designed with sufficient capacity to operate during normal plant operation, transients, plant startup, and plant shutdown.

9.3.6.2 System Description

The IAS provides filtered, dry and oil-free compressed air for plant instrumentation, control systems and pneumatic valve/damper actuators located outside of the containment during normal operation. During refueling operations, the IAS supplies compressed air to the nitrogen gas users located inside the containment by way of the High Pressure Nitrogen Supply System (HPNSS) piping. The IAS is shown in Figure 21.9.3-4.

Design of the system ensures that failure of the IAS does not compromise any safety-related system or component nor does it prevent a safe shutdown. Pneumatic-operated

Table 19AE.6-1 Control Room Instrumentation and Alarms

Variable Monitored                    Indication        Alarm
Sodium Pentaborate Level              Below Set Point   Yes
Accumulator Tank Pressure             Below Set Point   Yes
Motor Operated Valve F014 Position    Open/Closed       No
Motor Operated Valve F002 Position    Open/Closed       No
Nitrogen Temperature                  Above Setpoint    Yes

(Other rows on the scanned page, including a squib valve position row, a nitrogen supply pressure row and additional set point rows, are struck through or illegible and are not reproduced.)

Table 19AE.6-2 System Dependency Matrix

                         DC Power 125 Vdc
SLCS Component           Div.1   Div.2   Div.3   Div.4
All MO Valves            X       X       X       X
Div.1 Instrumentation    X
Div.2 Instrumentation            X
Div.3 Instrumentation                    X
Div.4 Instrumentation                            X

Table 19AE.6-3 Component Tests

(All components of the SLCS are tested at refueling outages except instrumentation, valve F010, and orifice D002 which are tested at 90 day intervals.)

Standby Liquid Control System (SLCS) - February 28, 1993 19AE.6-5

[Figure 19AE.6-1 Simplified Diagram of SLCS: the diagram is not reproduced in text. Legible labels include keylock switches, 125 VDC, RMS, vent, drywell, containment, reactor building safety envelope, reactor vessel, core bypass, nitrogen vaporizer, valves F001, F002, F005, F006, F014 and F027, ATWS signal, and poison solution makeup.]

RAI 420.69

Provide a list of systems that interface with the remote shutdown system (RSS) and provide a description of the interface between the RSS and other systems. In addition, describe the RSS's defense against failures in the interfaces and interconnections. Could failures in the RSS prevent the I&C systems from performing their functions? (Reference SSAR Section 7.4.2.)

Response

A list of systems that interface with the Remote Shutdown System (RSS) is provided in the SSAR section 7.4.2.2 and Table 7.4-1. The Reactor Building HVAC system, however, has been deleted from section 7.4.2.2 and is not listed in Table 7.4-1. The components for each system that interface with the RSS are listed in Table 7.4-1. The interface to each component is made by hardwire connections.

The defense against failures in the interfaces and interconnections is discussed in the SSAR section 7.4.2.2 fourth paragraph stated as follows:

"The RSS provides sufficient redundancy in the control and monitoring capability to accommodate a single failure within the interfacing systems and the RSS controls.. ".

This is accomplished by the use of dual trains of controls and sensors for all RSS interface systems. The simplified logic diagram for the RSS is provided in Figure 21.7.4-3. The RSS is not connected to the interface systems until the Remote Shutdown Transfer Switches are positioned to transfer control of the signals from their normal control configuration to the RSS. Failures in the RSS will not prevent the I&C systems from performing their functions since the "RSS is designed such that it does not degrade the capability of the interfacing systems" (Ref. SSAR section 7.4.2.2 fourth paragraph).

RAI 420.70

Provide a discussion of the remote shutdown system's environmental qualification criteria and reliability goals. (Reference SSAR Section 7.4.2.)

Response

Environmental Qualification - The SSAR Table 7.1-1 identifies the codes and standards that apply to plant systems including RSS. Environmental qualification is governed by General Design Criterion 4, Environmental and Dynamic Effects Design Bases. (Reference SBWR SSAR section 3.1.1.4 for a discussion of GDC 4.) As indicated in section 7.4.2.3, GDC 4 is not applicable to the RSS because the system is classified as non-safety-related. Although there are no Class 1E equipment qualification requirements applicable to the system, the equipment will be qualified for its installed location in accordance with SBWR Environmental Equipment Specification 25A5901.

Reliability Goals - A discussion of overall reliability and availability for plant systems, structures and components is found in GE design bases document Reliability, Availability and Maintainability (RAM) Criteria 23A6899. For more discussion on the individual system reliability/availability criteria, refer to the response provided for RAI 420.08.

RAI 420.76

Provide a discussion of the independence between alternate rod insertion (ARI) and the reactor protection system (RPS). Explain how the ARI design complies with 10 CFR 50.62. (Reference SSAR Section 7.4.5.)

Response

For a pictorial description of independence between ARI and RPS refer to Figures 7.3-2b, 7.3-4a, and 7.3-4b of the SSAR. Figure 7.3-2b depicts sensor allocation to RPS and Anticipated Transients Without Scram (ATWS) logic cards. Figures 7.3-4a and 7.3-4b provide the details of ATWS logic cards and the independent-from-normal-scram actuated shut-down devices [i.e., ARI valves, Fine Motion Control Rod Drive (FMCRD) run-in, and SLCS (boron injection)]. Figures 19AE.14-1 and 19AE.14-2 of chapter 19 also provide more detailed information as to the independence between ATWS/ARI and RPS equipment. A discussion of SBWR ATWS design compliance with 10CFR50.62 is provided in SSAR Section 15.8.2 of chapter 15.

RAI 420.77

Describe the interface between alternate rod insertion and other systems. In addition, describe the ARI's defenses against common-mode failures. (Reference SSAR Section 7.4.5.)

Response

Figure 7.3-4a provides the interface information of Safety System Logic and Control (SSLC) Anticipated Transients Without Scram (ATWS) function with other systems. For defense against common-mode failure, the SSLC ATWS logic design, as depicted in Figure 7.3-4a, implements the use of sensors diverse from Reactor Protection System (RPS); hard-wired signals (vs multiplexed for RPS) from sensors to ATMs (Analog Trip Modules); ATM-based trip logic vs microprocessor-based trip logic of RPS; and discrete logic hardware for other ATWS logic functions vs microprocessor-based logic of RPS. In addition, within SSLC/ATWS logic, yet another level of diversity is provided by implementing Depressurization Valve (DPV) actuation logic in microprocessor-based logic (see Figure 7.3-4b) to make it diverse from Safety Relief Valve (SRV) actuation logic (see Figure 7.3-4a). Furthermore, the sensors used for DPV actuation logic are also diverse from those used for SRV actuation logic.

RAI 420.78

Describe how the required data is processed and displayed to comply with RG 1.97. (Reference SSAR Section 7.5.)

Response

The discussion regarding Post Accident Monitoring (PAM) and ways and means of displaying PAM data to the plant operator is provided in Section 18.4.2.8 (see updated Chapter 18 submittal of 12-14-93; MFN No. 187-93). Table 18F-2 provides a listing of plant parameters, identified by "*", that must be monitored and displayed to meet RG 1.97 requirements. Section 18.4.2.1 of the SSAR provides a listing of SBWR control room design features. Items (3), (9), (10) and (11) of the listing provide information as to the independence of the process computer and fixed-position displays, which display PAM and Safety Parameter Display System (SPDS) variables, from the plant process computer system that drives other plant non-safety controls and displays.

RAI 420.79

Explain how the SBWR design complies with NUREG-0737, Item I.D.2, which requires each applicant to install a safety parameter display system that will display a minimum set of parameters for operating personnel to determine the safety status of the plant. (Reference SSAR Section 7.5.)

Response

Item (14) of SSAR Section 18.4.2.1 (see updated Chapter 18 submittal of 12-14-93; MFN No. 187-93) addresses the incorporation of the Safety Parameter Display System (SPDS) function via fixed-position displays. Section 18.4.2.11 provides detailed information as to the methodology implemented to arrive at the list of SPDS variables and how the methodology complies with NUREG-0737 requirements. Table 18F-2 provides a listing of plant parameters, both for PAM and SPDS, that are continuously displayed on fixed position displays in the main control room.

RAI 420.80

Provide a list of the primary variables for the considered events listed in SSAR Tables 7.5-5 through 7.5-7 that are associated with called-for manual action. (Reference SSAR Section 7.5.1.3.)

Response

As mentioned in the second paragraph of the SSAR Section 7.5.1.3, the results of analyses performed to identify Type A variables are reflected in Table 7.5-3. Only a single Type A variable is identified for SBWR, which is Isolation Condenser/Passive Containment Cooling (IC/PCC) water level. The analyses which were performed on the events listed in Tables 7.5-5 through 7.5-7 did not identify any other Type A variable.

RAI 420.81

Provide a discussion of the equipment classification of containment atmospheric monitoring system (CAMS). The discussion should include how CAMS achieves its required reliability (i.e., single failure criteria, defense against failures, etc.). In addition, describe what would happen if the hydrogen concentration measured by one of the two channels is different from that measured by the other channel. (Reference SSAR Section 7.5.2.3.)

Response

Information pertaining to the equipment classification of CAMS is provided in the SSAR Sections 7.5.1.3.(2)(f), 7.5.1.3.(2)(k) and 7.5.2. A description of what happens when the hydrogen concentration readings between two channels differ is provided in subsection 7.5.1.3.(2)(k) of the SSAR.

As identified in the SSAR Table 7.1-1, RG 1.97 requirements are applicable to the CAMS and, as discussed in Table 7.5-1, category 1 requirements including redundancy (single failure criteria) apply to the CAMS components and circuit design.

RAI 420.82

Explain how the SBWR design complies with NUREG-0737, Item II.F.1. This item requires provisions for (1) instrumentation to measure, record, and readout in the control room: containment pressure, water level, hydrogen concentration, radiation intensity (high level), and noble gas effluent at all potential accident release points, (2) continuous sampling of radioactive iodine and particulates in gaseous effluent from all potential accident release points, and (3) onsite capability to analyze and measure samples. (Reference SSAR Section 7.5.2.3.)

Response

The SBWR design includes provision for monitoring, displaying and recording containment pressure, reactor water level, noble gas effluents, containment high-range gamma radiation, sampling and analysis of plant effluent radioiodines and particulates, and the containment hydrogen levels as specified in NUREG-0737 II.F.1. See SSAR Sections 6.2.1.7, 7.5.1.3.(2), 7.5.2.5, 7.5.3, 11.5, 12.3.4 and Table 7.5-2 for additional information pertaining to the monitoring of these parameters.

RAI 420.83

Provide a discussion of equipment classification of process radiation monitoring system (PRMS). In addition, provide a discussion of how the PRMS achieves its required reliability (i.e., single failure criteria, defense against failures, etc.). Provide a description of the design and operation of the PRMS. (Reference SSAR Section 7.5.3.)

Response

Information pertaining to equipment classification, reliability, and design and operation of the PRMS is contained in the SSAR Sections 3.2, 11.5 and Table 7.5-1. For a general discussion on system reliability, refer to the response provided for RAI 420.08.

RAI 420.84

Provide a discussion of the test requirements of the process radiation monitoring system. (Reference SSAR Section 7.5.3.)

Response

Information pertaining to the test requirements for the Process Radiation Monitoring System is contained in the SSAR Section 11.5.6 and Table 7.5-1, item 10.

RAI 420.87

Explain the differences between the ABWR and SBWR rod control and information system (RC&IS) designs. This should include any ABWR RC&IS requirements that are not met by the SBWR RC&IS and an explanation of the differences. (Reference SSAR Section 7.7.2.1.)

Response

The basic design of ABWR and SBWR RC&IS is the same. The differences arise from applying the basic design to the specifics of SBWR. Such specifics include (1) 177 control rods for SBWR vs 205 for ABWR and the consequential assignment of control rods to gangs and (2) shorter control rod travel distance due to the shorter SBWR core. The general requirements for ABWR and SBWR RC&IS design are the same.

RAI 420.88

Section 7.7.2.1 states that the rod control and information system is highly reliable. Explain how this is achieved. The explanation should include defenses against common-mode failures. (Reference SSAR Section 7.7.2.1.)

Response

High reliability of the Rod Control and Information System (RC&IS) is achieved through redundancy and built-in self-test capabilities.

As explained in SSAR Section 7.7.2.2, RC&IS has a dual redundant architecture.

For normal RC&IS operation, involving processing and reporting of control rod position data and executing control rod movement commands, both channels must be in agreement. For protective rod block functions of RC&IS, however, it only takes a single channel of RC&IS to cause a rod block. High availability of RC&IS is also assured through bypass capabilities provided in the design for different RC&IS devices, modules, and subsystems. For additional information on RC&IS reliability refer to the paragraph titled "RC&IS Reliability", Section 7.7.2.2.9, page 7.7-28, and Section 7.7.2.4 for self-test.

Although RC&IS is not a safety-related system, there are built-in measures for defense against common-mode failures. For example, software development for the Automated Thermal Limit Monitor (ATLM) and Rod Worth Minimizer (RWM), because of their protective rod block function, will be subjected to the same QA plan applicable to safety-related software. Other RC&IS software will be developed in the same manner with minor differences. On the hardware side, the use of high quality components will be emphasized. Self-test capabilities of RC&IS, rigorous integration testing and pre-operational and start-up testing will also be helpful in identifying common-mode failures of RC&IS.


RAI 420.89

Describe the power supplies for the fine motion driver cabinets and rod brake controller cabinets. (Reference SSAR Section 7.7.2.2.6.)

Response

The Rod Control and Information System Fine Motion Driver Cabinets (FMDC) and Rod Brake Controller Cabinets (RBCC) are fed from Plant Investment Protection (PIP) buses (480 volt AC). The PIP buses are backed up by the diesel generators and the reserve transformer. The distribution of power to the FMDCs and RBCCs is configured such that no single failure in the power distribution devices will result in a loss of power to more than 1/3 of the control rods (insertion of only 2/3 of the control rods is required to bring the plant to a hot shutdown condition).
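The single-failure criterion stated above (no single power distribution device failure may unpower more than one third of the 177 rods) can be checked mechanically once the feed tree is known. The following is an added example, not GE's design or code: the three PIP bus names, the two cabinets per bus and the rod assignment are constructed for illustration. It builds two hypothetical feed trees and evaluates the worst single failure in each. The second tree shows why the rod-to-cabinet assignment has to be balanced per bus rather than per cabinet: a naive round-robin over the six cabinets leaves one bus carrying 60 rods, which violates the limit.

```python
"""Single-failure check on a control rod power feed tree.

Constructed example, not GE's design: the feed tree below is hypothetical.
It checks the criterion stated in the response to RAI 420.89: no single
failure of a power distribution device may remove power from more than
one third of the control rods.
"""
from collections import defaultdict

TOTAL_RODS = 177                        # SBWR rod count (RAI 420.87)
BUSES = ("PIP-A", "PIP-B", "PIP-C")     # hypothetical PIP bus names


def rod_names(total=TOTAL_RODS):
    return [f"rod-{i:03d}" for i in range(1, total + 1)]


def build_feed_tree_by_bus(total=TOTAL_RODS, buses=BUSES, cabinets_per_bus=2):
    """Assign rods round-robin across buses first, then across the cabinets
    on each bus, so every bus carries an equal share of rods (59 each)."""
    tree = defaultdict(list)
    rods = rod_names(total)
    for b, bus in enumerate(buses):
        cabinets = [f"{bus}/FMDC-{c + 1}" for c in range(cabinets_per_bus)]
        tree[bus] = cabinets
        for i, rod in enumerate(rods[b::len(buses)]):
            tree[cabinets[i % cabinets_per_bus]].append(rod)
    return dict(tree)


def build_feed_tree_by_cabinet(total=TOTAL_RODS, buses=BUSES, cabinets_per_bus=2):
    """Naive alternative: round-robin across the flat list of cabinets.
    With 177 rods and 6 cabinets the first bus ends up feeding 60 rods."""
    tree = defaultdict(list)
    cabinets = [f"{bus}/FMDC-{c + 1}" for bus in buses for c in range(cabinets_per_bus)]
    for bus in buses:
        tree[bus] = [cab for cab in cabinets if cab.startswith(bus + "/")]
    for i, rod in enumerate(rod_names(total)):
        tree[cabinets[i % len(cabinets)]].append(rod)
    return dict(tree)


def rods_lost(tree, device):
    """Rods that lose power if `device` fails: every rod reachable below it."""
    lost, stack = set(), [device]
    while stack:
        node = stack.pop()
        if node.startswith("rod-"):
            lost.add(node)
        else:
            stack.extend(tree.get(node, []))
    return lost


def worst_single_failure(tree):
    """(device, rods lost) for the single device failure with the largest impact."""
    return max(((dev, len(rods_lost(tree, dev))) for dev in tree), key=lambda t: t[1])


def meets_criterion(tree, total=TOTAL_RODS):
    """True if no single failure unpowers more than one third of the rods,
    i.e. at least two thirds stay powered, which is what hot shutdown needs."""
    _, lost = worst_single_failure(tree)
    return 3 * lost <= total


if __name__ == "__main__":
    for name, build in (("by bus", build_feed_tree_by_bus),
                        ("by cabinet", build_feed_tree_by_cabinet)):
        tree = build()
        dev, lost = worst_single_failure(tree)
        verdict = "OK" if meets_criterion(tree) else "VIOLATES 1/3 limit"
        print(f"{name:>10}: worst single failure {dev} loses {lost} rods -> {verdict}")
```

The check walks the tree below every device, not just the buses, so a feeder or cabinet that happens to carry more rods than its bus share would be caught as well.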


RAI 420.91

Provide a description of the rod control and information system interface with other systems. In addition, describe the communication between the RC&IS and other systems. (Reference SSAR Section 7.7.2.2.8.)

Response

The RC&IS interfaces with other plant systems are described in SSAR Chapter 7, Section 7.7.2.2.8. SSAR Section 7.7.2.5 provides information on the RC&IS interface with the Fine Motion Control Rod Drives (FMCRDs), which are part of the Control Rod Drive (CRD) system. SSAR Figure 21.7.7-1 (RC&IS IED) provides pictorial information regarding the RC&IS interfaces with other plant systems and how the communication is performed (i.e., hard-wired or through the plant multiplexing system).


RAI 420.92

Are control rod blocks, bypasses, or any detected rod movement errors displayed in the control room? (Reference SSAR Section 7.3.4.5.)

Response

Yes. Status indications of rod blocks, bypasses, and rod movement errors are displayed in the control room. Listings of the Rod Control and Information System (RC&IS) required status indications on the RC&IS Dedicated Operator Interface (DOI) and related displays are provided in SSAR Chapter 7, pages 7.7-26 through 7.7-28.


RAI 420.93

SSAR Section 7.7.2.1 states that the rod control and information system, a dual-channel system, is designed to be single failure proof. Explain how this can be achieved when placing one of the two RC&IS channels in bypass. The discussion should include defenses against common-mode failures. (Reference SSAR Section 7.7.2.2.9.)

Response

The bypass capabilities of the RC&IS cover a wide range: from individual control rod devices (e.g., a synchro or a rod server processing channel) to RC&IS subsystems (such as the Automated Thermal Limit Monitor and Rod Worth Minimizer), and all the way up to bypassing a complete channel of the RC&IS. Thus it is the locality of a given failure, and the consequent bypass, that determines the extent of the loss of single-failure-proofness. For example, if one of the two rod server processing channels of a control rod fails and is placed in bypass, the loss of single-failure-proof capability is limited to that control rod; whereas, when there is a failure in the Rod Action and Position Information (RAPI) subsystem of the RC&IS, bypassing the failed RAPI subsystem will result in the loss of a complete channel of the RC&IS. Given the above, the issue of RC&IS failures and bypasses has been treated with special consideration in Chapter 16 (Technical Specifications) of the SSAR.

As to the defense against common-mode failures, refer to the response provided to RAI 420.88.


RAI 420.94

Describe the RC&IS self-test and on-line diagnostic test features that identify failures of the instrumentation and control electronics. (Reference SSAR Section 7.7.2.4.)

Response

The typical self-tests and on-line diagnostics that identify failures of the RC&IS instrumentation and control electronics include:

(1) signal validation (plausibility, range, boundary, and rate limit checks)
(2) error handling (transient fault rejection)
(3) self-diagnostics (locating and alarming failed modules, card out-of-file)
(4) self-check of processor, modules, and memory at power-up
(5) periodic memory and data bus checks
(6) program-flow check
(7) program execution timing check via watchdog timers
(8) parity checks
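Items (1), (2), (6) and (7) of the list are the ones a practitioner usually has to reason about together, because the point of transient fault rejection is that a single implausible sample must not be acted on yet must not by itself declare the channel failed. The following is an added illustration, not GE's RC&IS code: the rod position signal (percent of stroke, 0 to 100), its rate limit, the three-sample rejection count, the checkpoint sequence, the watchdog deadline and the sample stream are all constructed for the example. A rejected sample is ignored and the last good value is held; only a run of rejections latches the channel as failed. The program-flow check compares the checkpoints a cycle actually passed with the expected order, and the watchdog is fed an explicit clock so its behaviour is deterministic.

```python
"""Signal validation, transient fault rejection, program-flow and watchdog checks.

Added illustration of items (1), (2), (6) and (7) in the list above; it is not
GE's RC&IS code. The rod position signal, its limits, the cycle deadline and
the sample values are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    low: float             # range check: lowest plausible value
    high: float            # range check: highest plausible value
    max_rate: float        # rate-limit check: largest change allowed per sample
    reject_count: int = 3  # consecutive bad samples before the channel is declared failed


@dataclass
class ValidatedSignal:
    """One input channel with hold-last-good behaviour through transient faults."""
    limits: Limits
    last_good: Optional[float] = None
    bad_streak: int = 0
    failed: bool = False   # latched until an explicit reset

    def check(self, value: float) -> Optional[str]:
        """Reason the sample is rejected, or None if it passes every check."""
        if value != value:                                   # NaN: not a plausible reading
            return "not a number"
        if not self.limits.low <= value <= self.limits.high:
            return "out of range"
        if self.last_good is not None and abs(value - self.last_good) > self.limits.max_rate:
            return "rate limit exceeded"
        return None

    def update(self, value: float) -> Tuple[Optional[float], bool, Optional[str]]:
        """Feed one sample. Returns (value to use, failed flag, rejection reason).
        A rejected sample is ignored and the last good value held; only
        `reject_count` consecutive rejections declare the channel failed."""
        reason = self.check(value)
        if reason is None:
            self.last_good, self.bad_streak = value, 0
        else:
            self.bad_streak += 1
            if self.bad_streak >= self.limits.reject_count:
                self.failed = True
        return self.last_good, self.failed, reason


@dataclass
class FlowCheck:
    """Program-flow check: each cycle must pass its checkpoints in the expected order."""
    expected: Tuple[str, ...] = ("read", "validate", "compute", "output")
    trace: List[str] = field(default_factory=list)

    def checkpoint(self, name: str) -> None:
        self.trace.append(name)

    def end_cycle(self) -> bool:
        ok = tuple(self.trace) == self.expected
        self.trace = []
        return ok


@dataclass
class Watchdog:
    """Execution timing check: the loop must kick the timer within `deadline`
    time units; the clock is passed in so the check is deterministic."""
    deadline: float
    last_kick: float = 0.0

    def kick(self, now: float) -> None:
        self.last_kick = now

    def tripped(self, now: float) -> bool:
        return now - self.last_kick > self.deadline


def process_samples(samples, limits=Limits(low=0.0, high=100.0, max_rate=2.0)):
    """Run the validation over a sample stream; returns the per-sample results."""
    sig = ValidatedSignal(limits)
    return [sig.update(v) for v in samples]


# Constructed sample stream: rod position in percent of full stroke.
# One wild sample (75.0) is rejected as a transient; the run of three
# out-of-range samples (200.0) latches the channel as failed.
SAMPLES = [10.0, 11.5, 13.0, 75.0, 14.5, 15.0, 200.0, 200.0, 200.0, 16.0]

if __name__ == "__main__":
    for v, (used, failed, why) in zip(SAMPLES, process_samples(SAMPLES)):
        print(f"sample {v:6.1f} -> use {used} failed={failed} {why or ''}")
```

In a dual-channel arrangement like the RC&IS, a channel that latches `failed` is what would be placed in bypass; the hold-last-good value is what keeps one bad scan from producing a spurious rod block or a spurious movement command.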


RAI 420.95

Explain the design of the fault-tolerant digital controller of the feedwater control system (FWCS). In addition, describe the operation of the field voter and lock-up voter. (Reference SSAR Section 7.7.3.2.)

Response

Fault-Tolerant Digital Controller:

The Fault-Tolerant Digital Controller (FTDC) is designed such that no single active component failure within the Feedwater Control System (FWCS) process sensing, control, or communication equipment shall result in a loss of a continuous validated demand signal to the FWCS actuators or critical operator displays. The FTDC includes three identical processing channels, each of which contains the hardware and firmware necessary to perform the system control calculations in parallel, and three identical interface units, which provide the interface with the triplicated non-essential multiplexing system network and other dedicated data links. Inter-processor communication links are provided to exchange data between the FTDC processor channels to prevent divergence of outputs. The FTDC channels are powered by redundant power supplies.

Field and Lock-Up Voters:

Three speed demand signals, one from each channel of the FTDC, are sent to the remote fault-tolerant field voter for each reactor feedpump (RFP), which performs mid-value voting on the continuous output signals and sends a single speed demand signal to the RFP. The voting scheme assures that any credible failure in the controller will not impact the process. The output of the field voter is returned to each channel of the FTDC ("ringback") and is compared with the speed demand output of that channel. If an FTDC channel detects a discrepancy between the field voter output and its own output, a "lock-up" signal is sent to the lock-up voter for the affected feedpump and an annunciator is activated in the control room.

Three lock-up signals, one from each channel of the FTDC, are sent to the remote fault-tolerant lock-up voter, which performs 2-of-3 voting on the discrete output signals from the FTDC and sends a single discrete signal to the RFP. If the lock-up voter receives a majority of lock-up signals, this indicates a failed field voter. The lock-up signal to the RFP with the failed field voter results in the speed demand for that RFP being held constant until the lock-up condition is resolved. The lock-up voter output is also returned to the FTDC ("ringback") so that a lock-up voter failure can be identified and annunciated in the control room.

See also ABWR issue 1.u, which discusses the FTDC and the operation of the field and lock-up voters and is applicable to the SBWR design.
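The discrimination the two voters provide is easiest to see with numbers. The following is an added example illustrating the response above, not GE's FTDC code: the speed demand values, the 0.5 percent ringback tolerance, the pump state and the injected voter failures are constructed for the example. One channel that drifts away from the other two is outvoted by the mid-value select and raises only its own lock-up signal, so the pump keeps following the voted demand and the operator is annunciated; a field voter whose output is stuck causes two or more channels to see a ringback discrepancy, the 2-of-3 lock-up voter trips, and the speed demand to the pump is held at its last value. The final scenario in the test injects a failed lock-up voter to show what the lock-up ringback catches.

```python
"""Mid-value field voter, ringback and 2-of-3 lock-up voter for one feedpump.

Added example illustrating the response to RAI 420.95; it is not GE's FTDC
code. The speed demand values, the ringback tolerance and the simulated
voter failures are constructed for the example.
"""
from dataclasses import dataclass

RINGBACK_TOLERANCE = 0.5  # assumed: largest demand/voted-output difference a channel accepts (percent speed)


def mid_value(a, b, c):
    """Mid-value select on three continuous signals: the median. A single
    channel driving high or low cannot move the output outside the other two."""
    return sorted((a, b, c))[1]


def two_of_three(a, b, c):
    """Majority vote on three discrete signals."""
    return (a + b + c) >= 2


@dataclass
class PumpState:
    speed: float          # speed demand currently delivered to the RFP
    locked: bool = False  # True while the lock-up voter holds the demand constant


def control_cycle(state, demands, field_voter_fault=None, lockup_voter_fault=None,
                  tol=RINGBACK_TOLERANCE):
    """One cycle for a single reactor feedpump.

    demands:            speed demands from FTDC channels A, B, C (percent)
    field_voter_fault:  None for a healthy field voter, else its stuck output
    lockup_voter_fault: None for a healthy lock-up voter, else its forced output
    Returns (speed sent to the RFP, lock-up in effect, control room annunciations).
    """
    alarms = []

    # Field voter: mid-value of the three demands, or the stuck value if it has failed.
    voted = mid_value(*demands) if field_voter_fault is None else field_voter_fault

    # Ringback: each channel compares the voted output with its own demand and
    # raises its lock-up signal (and an annunciator) on a discrepancy.
    lockup_signals = [abs(voted - d) > tol for d in demands]
    for name, sig in zip("ABC", lockup_signals):
        if sig:
            alarms.append(f"channel {name}: field voter ringback discrepancy")

    # Lock-up voter: 2-of-3 on the discrete lock-up signals. One disagreeing
    # channel is outvoted; two or more indicate the field voter itself has failed.
    expected = two_of_three(*lockup_signals)
    lockup = expected if lockup_voter_fault is None else lockup_voter_fault
    if lockup != expected:                 # lock-up voter ringback check
        alarms.append("lock-up voter ringback discrepancy")

    if lockup:
        if not state.locked:
            alarms.append("feedpump lock-up: speed demand held (field voter failed)")
        state.locked = True                # demand to the RFP is held at its last value
    else:
        state.locked = False
        state.speed = voted
    return state.speed, state.locked, alarms


if __name__ == "__main__":
    pump = PumpState(speed=50.0)
    print(control_cycle(pump, (60.0, 60.2, 59.9)))                            # normal: tracks 60.0
    print(control_cycle(pump, (60.0, 60.2, 75.0)))                            # channel C wild: outvoted, alarmed
    print(control_cycle(pump, (61.0, 61.1, 60.9), field_voter_fault=40.0))    # voter stuck: lock-up, hold 60.2
```

Note that the 2-of-3 threshold is what separates a single channel fault from a voter fault: with a healthy field voter the channel supplying the median value can never see a discrepancy, so at most two channels can disagree with it, and a lone disagreeing channel is the expected signature of that channel having diverged.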


RAI 420.96

Provide a discussion of the feedwater control system's defenses against common-mode failures. In addition, explain how the FWCS controls are qualified for their environment. (Reference SSAR Section 7.7.3.5.)

Response

Common-Mode Failures:

The SBWR design incorporates many provisions to protect against common-mode failure, such as equipment diagnostics, high reliability components, and a comprehensive verification and validation program. In addition, the Fault-Tolerant Digital Controller of the Feedwater Control System is a continuously operating system. It is expected that any anomalies will be quickly identified by the operator during normal operation and surveillances.

Environmental Qualification:

Since the Feedwater Control System (FWCS) is not a safety-related system, no Class 1E equipment qualification is required. The FWCS is located in the control room, which has a mild environment. The design implementation will consider the applicable environmental conditions.


RAI 420.97

The second sentence on page 7.7-37 states that the automatic power regulator system (APRS) is designed such that the functionality of safety-related systems in the plant is not affected by the APRS, a non-safety-related system. Explain how this is achieved. (Reference SSAR Section 7.7.4.3.)

Response

SBWR SSAR Table 7.7.1 (Automatic Power Regulator Interfaces) identifies the systems that interface with the APRS. Of these systems, only the Neutron Monitoring System (NMS) is identified as a safety system. The interface between the APRS and the NMS is performed by the Non-Essential Multiplexing System (C62). This system provides the necessary isolation so that an APRS failure will not impact NMS functionality. This is accomplished by providing one-way transmission between the APRS and the NMS by means of the fiber optic data transmission feature of the non-essential multiplexing system.


RAI 420.98

Describe the qualification of surveillance test equipment and diagnostic equipment for non-safety-related systems that perform important functions. In addition, describe the interfaces between this test equipment and the systems being tested. Could this test equipment (1) compromise the separation between channels or (2) degrade the equipment or system that it is testing? (Reference SSAR Section 7.7.4.4.)

Response

The Automatic Power Regulator System (APRS), Steam Bypass and Pressure Control (SB&PC) system, and Feedwater Control System functional logic and process control functions are performed by triplicated microprocessor-based fault-tolerant digital controllers. Because of the triple redundancy, it is possible to lose one complete processing channel without impacting the system function. This also facilitates taking one channel out of service for test, maintenance, or repair while the system is on-line.

One-way transmission between the interfacing systems by means of the fiber optic data transmission feature of the non-essential multiplexing system precludes any degradation or compromise of the systems by the test equipment. Surveillance and diagnostic test equipment will be calibrated to appropriate industrial criteria, such as standards of the National Institute of Standards and Technology (NIST).
