ML20065C936
| ML20065C936 | |
| Person / Time | |
|---|---|
| Site: | 05200004 |
| Issue date: | 03/31/1994 |
| From: | Leatherman J GENERAL ELECTRIC CO. |
| To: | Borchardt R NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation |
| References | |
| MFN-040-94, MFN-40-94, NUDOCS 9404060124 | |
| Download: ML20065C936 (100) | |
Text
{{#Wiki_filter:. _ . . _ _ GENuclear Energy GeneralElecine Company l 175 Curtner henue San Jcw CA 95125 l March 31,1994 MFN No. 040-94 Docket STN 52-004 l l Document Control Desk U. S. Nuclear Regulatory Commission Washington, DC 20555 l Attention: Richard W. Borchardt, Director Standardization Project Directorate l
Subject:
NRC Requests for Additional Infom1ation (RAls) on the Simplified Boiling Water Reactor (SBWR) Design
References:
- 1. Transmittal of Requests for Additional Infom1ation (RAls) for the SBWR Design, Letter from M. Malloy to P. W. Marriott dated January 5,1994
- 2. MFN No. 004-94, NRC Requests for Additional Information (RAls) on the Simplified Boiling Water Reactor (SBWR) Design Letter from J. E. Leatherman to R. W. Borchardt, dated January 17,1994
- 3. Transmittal of Requests for Additional Information (RAls) Regarding the SBWR Design, Letter from M. Malloy to P. W. Marriott dated March 8,1994 The Reference I letter requested additional information regarding the SBWR I & C design. In partial fulfillment of this request and in accordance with the Reference 2 schedule, GE is submitting Attachment 1 to this letter which contains responses to the following RAIs:
420.4 .5 420.41 .64 420.7 .8 420.66 420.12 420.71-420.14 .16 420.73 ,74 420.18 .22 420.85 .86 420.24 .33 420.90 420.35 .37 The Reference 3 letter requested SBWR core neutronics data on a short-turnaround basis of March 15,1994 to permit Brookhaven National Laboratory (BNL) to modify the RAMONA - 4B code for the staff's use. In partial fulfillment of this request and with NRC approval, GE has participated in frequent telephone dialog with BNL and submitted draft responses to these RAls prior to the deadline, and requested NRC teleconferences to receive comments before fm' al transmittal of these responses. Since Ramona - 4B and TRACG are somewhat different in their ; modeling, and GE does not use RAMONA-B, -' l l 4 9404060124 940 PDR 4 ADOCK 05200004 PDR b 1Q if t\
Nuclear Regulatory Commission March 31,1994 Page 2 MFN No. 040-94 we need to complete this telephone comment cycle with NRC to permit the BNL modeling activity to go forward. Please contact Mr. David Foreman at (408) 925-4722 to arrange for closure of the RAMONA-B dialog. Ji rely, '
!In // 5ffMdzo J. E. Leatherman, Manager SBWR Design Certification MC-781, (408)925-2023 , " Responses to NRC RAls" cc: M. Malloy, Project Manager (NRC) w/2 copies of Attachment 1)
F. W. Hasselberg, Project Manager (NRC) (w/l copy of Attachment 1) i l l l l 1 l i
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED IlOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.4 Provide a list of all actuation devices of the reactor protection system and engineered safety features actuation system that cannot be fully tested during reactor operation. How will these devices be periodically tested to ensure that they are capable of performing their safety functions, in compliance with the guidance of Regulatory Guide (RG) 1.22? GE Response: Reactor Protection Svstem (RPS) There are no safety related RPS actuation devices that cannot be tested during reactor operation. Only the backup scram solenoids, which are non-safety related, are not tested during reactor operation, since their energization necessitates a full scram. Encineered Safety Features Svstems Automatic Depressurization Subsystem (ADS) - has squib valve booster assemblics for depressurization valves (DPV) Il21-F004A,13, C, D and 1121-F005A and 13 which are periodically tested during refueling outages. Gravity-Driven Cooling System (GDCS) has squid booster assemblics for valves E50-F002A,11, C, D, E, F: E50-F006A, II, C and E50-F009A through I which are periodically tested during refueling outages. Passive Containment Cooling System - has no actuation devices that cannot be tested during reactor operation. Leak Detection and Isolation System - has no actuation devices that cannot ; be tested during reactor operation. Safety System Logic and Control- has no actuation' devices that cannot be l tested during reactor operation. Essential Multiplexing System - has no actuation devices that cannot be tested during reactor operation. Flammability Control System -is being changed to a passive system and has no actuation devices that cannot be tested during reactor operation. 1
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.4 (continued) The following updated SSAR Subsections and figures are attached:
- 1.2.2.14.1
- 1.2.2.14.7
- 1 A.2.13
- 3.1.4.12
- 6.2.5
- 7.3.6.3
- 7.3.6.5
- 7.3.8
- 9A Tables 9A.7-la and 9A.7-lb
- Chapter 16, Items 3.6 and B3.6
- 19G.2.12
- Figure 6.2-23
- Figures 6.2-24,6.2-25,21.7.3-7 and 21.7.3-8 are voided Thus within the RPS and ESF systems only the squib valves explosive charges for the ADS and GDCS are not fully tested during reactor operation.
However, during reactor operation periodic continuity checks are performed on the explosion initiator electrical circuits of squib valves via SSLC self-test logic. In addition, during each refueling outage, random samples of explosive charges of the squib valves are tested in a laboratory environment. Explosive charges of the squib valves are also replaced with new ones, based on their established qualified life. This type of testing is in accordance with and meets RG 1.22, Regulatory Position D.4 l i l 1 2 l l
REF. RA7 420,4-25A5113 R1v. A SRWR standard sanrry Analysis neport The design value for a maximum steam bypass leakage between the dowell and the suppression chamber through the diaphragm floor including any leakage through the suppression chamber-to-drywell vacuum breaken is limited. Satisfying this limit is confirmed by initial preoperational tests as well as by periodic tests conducted during refueling outages. These tests are conducted at differential pressure conditions between the drywell and suppression chamber that do not clear the drywell-tosuppression chamber horizontal vents. Equipment is provided to obtain a water tight barrier between the open reactor and the drywell during refueling. This enables the reactor well to be flooded prior to removal of the reactor steam separator, dryer assembly and to facilitate underwater fuel handling operations. Piping, cooling air ducts and return air vent openings in the reactor well platform must be removed, vents closed and sealed watertight before filling the reactor well with water. The refueling bellows assembly is provided to accommodate the movement of the vessel caused by operating temperature variations and seismic activity. Containment isolation is accomplished with inboard and outboard isolation valves on each piping penetration which are signaled to close on predefined plant parameters. Systems performing a post LOCA function are capable of having their isolation valves reopened as needed. Dgwell coolers are provided to remove heat released into the drywell atmosphere during normal reactor operations. The Flammability Control System provides recombiners ignitore located throughout both the dqwell and suppression chamber to prevent any high-energy-release recombinant reactions potentially developing within the containment following a LOCA. 1.2.2.14.2 Containment Vessel The containment vessel is a reinforced stepped cylindrical concrete vessel (RCCV). The RCCV supports the upper pools whose waM re integrated into the top slab of the containment to provide structural capability for LOCA and testing pressures. 1.2.2.14.3 Containment Intemal Structures The containment system's principalinternal structure consists of the structural barrier separating the drywell from the suppression chamber. This barrier is comprised of the suppression chamber ceiling (diaphragm floor) and the inboard wall (vertical vent wall) separating the drywell from the suppression chamber. Both of these structural l components are designed as steel structures filled with insulating concrete to minimize j long-term heat transfer from drywell to wetwell. The vertical vent wall also prosides a j durable attachment point for the RPV horizontal stabilizers. I General Plant Description - Amendment 1 DRAFT 1.2-87 Vf&%f
26A5113 Rov, A ;
.SBWR smadadsennyAnerr sisseren ;
F consequent temperature rise in the discharge stream or loss of flow actuates an alarm l in the MCR. i
. Each upper drywell FCU has a cooling capacity of 50% of the upper drywell design ,
cooling load under normal plant operating conditions. Likewise, each lower drywell . FCU has a cooling capacity of 50% of the lower drywell design cooling load. All FCUs normally operate. Each FCU is composed of a cooling coil and two fans downstream of the coil. One FCU is supplied by RCCWS loop A and the other by RCCWS loop B. One
' of the fans operates while the other is on standby status and will automatically start upon loss of the lead fan. During normal operation, if both fans of an FCU are out of commission, or the unit is not in service for some other reason, then both fans on the other unit in the area (upper or lower drywell) operate and the cooling supply transfen .
to the CWS. I i Cooled air / nitrogen leaving the FCUs enter a common plenum and is distributed to the
. various zones in the drywell through distribution ducts. Return ducts are not provided; the FCUs draw air / nitrogen directly from the upper or lower drywell.
A condensate collection pan is provided with each FCU.The condensate collected from all FCUs in the upper and the lower drywell is piped to an LD#cIS flow meter to measure the condensation rate of unidentified leakages. l 1.2.2.14.7 Flammability Control System The Flammability Control System (FCS) is designed to limit the concentration of oxygen in a potentially hydrogen-rich post-accident containment atmosphere by j controllably recombining hurring hydrogen at low levels of oxygen inside the l containment. - The FCS consists of passive autocatalvtic recombiners (PARS) Si!cnfj =:! ped !ce pcr;;r cen u=pden igniter r:=b!!:: strategically intermixed throughout the - containment including the upper and lower drywell cavities, and wetwell air space. and-pc= ::d bypr IE di!cna! pc;;::.
%: F5 i ente!!:d 9c= 6: MC". Prior to the postulated design basis LOCA, the -
con tainmen t is maintained inert at $ 4% oxygen volumetric concentration by the CACS. , H F5 :::c=: !=!!y inid t: 24 heur ^er receip: da L^CA :!p ! fer 6: l eent c!!:d !piden of hyd cger -i&'cr/ger. Once inid:::d;ipit= .i" conenue :c
=i operde un!:= = m=1?y::cpp-d by 6e cpe= cr. Manu ! FCS inid: den is !:0pecib!:
frc = M M 4G R, During normal plant operation, the CACS provides containment atmosphere oxygen level monitoring. During FCS operation, post-accident oxygen level monitoring is provided by the Coatainment Atmospheric Monitoring System (CAMS). 1.2-92 General Plant Description - Amendment 1 DRAFT N1SN i < i l' . -
25AS113 Rev. A SBWR stand:nt s:rety Anxtysis a:pire l l l . I 1 A.2.10 Relief and Safety Valve Position Indication [lI.D.3] NRC Position ' l l Reactor coolant system relief and safety valves shall be provided with a positive , l indication in the control room derived from a reliable valve-position detection device l or a reliable indication of flow in the discharge pipe. j
- Response l SRV position is indicated in the control room in full compliance with this requirement.
1A.2.11 Systems Reliability [ll.E.3.2] This TMI action plan item is superseded by USI A45, which is addressed in l Appendix 19H. 1 A.2.12 Coordinated Study of Shutdown Heat Removal Requirements [lI.E.3.3] l This TMI action plan item is superseded by USI A45, which is addressed in Appendix 19H. 1A.2.13 Containment Design-Dedicated Penetration [lI.E.4.1] t NRC Position i For plant designs with external hydrogen recombiners, provide redundant dedicated l containment penetrations so that, assuming a single failure, the recombiner systems can i be connected to the containment atmosphere. i
Response
The Flammability Control System (FCS) does not use external hydrogen recombiners that require redundant dedicated penetrations. Therefore, this TMI requirement is not applicable to the SBWR Standard Plant design. The SBWR FCS design utilizes inerting and passive autocatahtic recombiners hydrogen ign:ter for the purpose of preventing l 1hc nitigating the pctential buildup of combustible gases generated from the radiolytic decomposition of water and from 100% metal-water reaction of the active fuel cladding during a LOCA. 1A.2.14 Containment Design Isolation Dependability [ll.E.4.2] NRC Position a Containment isolation system designs shall comply with the recommendations of
~
Standard Review Plan Subsection 6.2.4 (i.e., that there be diversity in the parameters sensed for the initiation of containment isolation). m All plant personnel shall give careful consideration to the definition of essential and non-essential systems, identify each system determined to be non-essential, describe 1A.12 Response to TMI Related Matters - Amendment 1 DRAFT
%22.St
25A5113 Rev. A SBWR stasdant safety Analysis neport The design of the testing of containment heat removal sptem meets the requirements of Criterion 40. For further discussion, see the following sections; Chapter / Section Title 6.2.2 Passive Containment Cooling System 1 7.3.2 Passive Containment Cooling System 3.1.4.12 Criterion 41 -Containment Atmosphere Cleanup l Criterion 41 Statement Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessai7 to reduce, I consistent with other associated systems, the concentration and quantity of fission products released to the environment following postulated accidents, and to control the
]:
concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for on-site electric power system operation (asstuning off-site poweris notavailable) and for off-site electric power system operation (assuming on-site power is not available) its safety function can be accomplished, assuming a single failure. Evaluation Against Criterion 41 Fission products, hydrogen, oxygen, and other substances released from the reactor are contained within the low-leakage containment. Except for bypass leakage, leakage from the containment after an accident enters the safety envelope, which is isolated on an accident signal and which contains, dilutes, and holds up leakage from the containment such that the dose guidelines of 10CFR100 are not exceeded. Containment leakage that bypasses the safety envelope enters the reactor building. The containment is inerted with nitrogen during normal operation. A Flammability Control System controls post-accident hydrogen and oxygen levels with passive autocatahtic recombiners e ctde cf to prevent deflagration or detonation of hydrogen and oxygen, thus assuring that containment integrity is maintained. ! These systems have sufficient redundancy to withstand a single failure, =d are eperaNe4ren either OE site er en -ite pcever cources. Criterion 41 is satisfied. 3.1 46 Conformance with NRC Genern! Design Criteria - Amendment 1 DRAfr M 2/94 l l . ,
i 25A5113 Rev. A SBWR standant safety Analysis Report l l 6.2.5 Flammability Control System l 6.2.5.1 Design Bases ! i The Flammability Control System (FCS) is designed to mitigate, without loss of l contain ment structural integrity, the potential buildup of combustible gases generated l from the radiolytic decomposition of water and un to 100% frem !^^% metal-water l reaction of the active fuel cladding dtuing a LOCA. l 1 The FCS is designed with suitable redundancy to ensure that no single ac-ove l component failurerincluding pc ver supply fa!!ures,will prevent functioning of the system. The FCS is a safety-related system, and is designed for long-term continuous j operation for the duration of post-accident oxygen generation. FCS i ::iatica !: i l automatic, requ: ring no cpe :cr : tie- for 72 hen.~ fc!!cw:ng an acciden:. After 72 huun, opera:c= re required ic pe.dem Only cimp!: ac4ien :0 assure cy::er fansdena!!rj. l All required FCS components are designed and qualified to withstand adverse environmental conditions resulting from a design basis event (LOCA) for a duration of 100 days, and are designated Seismic Category I. Prior to the design basis LOCA, the containment is maintained inert at 4% oxygen Dr kn volumetric concentration by the Containment Atmospheric Control System (CACS) (See 9.4.8 for CACS description). 6.2.5.2 System Description 1 The FCS is an Engineered Safety Feature (ESF) system whose function is to mitigate ; oxygen buildup inside containment by controlled reaction igniden of hydrogen with oxygen. The FCS is designed to recombine twa hydrogen at low oxygen volumetric concentrations as they-(oxygen and hydrogen} are generated, thereby maintaining oxygen levels below the hydrogen detonatable limit and preventing containment ) overpressure. j The FCS consists of oassive autocatalvtic recombiners (PARS) 14 ipiter r: mb!!e: strategically located throughout the containment, including the upper and lower drywell cavit:es, and inside the suppression chamber air space.He !pite= re g cuped j in:c d di"!:!cn . r:ch dhi:!cn !: pcrered frc= = dedicated C!=: IE b ::e.j phpica!!y and e!ect:ica!!y :ndepender: from ie c6er dhi icne. 6.2.5.2.1 Major Component Description (New) 1 The PARS consist of catalyst cartridges fastened within a stainless steel box frame enclosure. The enclosure also cuides flow through the PAR device. The soaces between the cartridees serve as ventilation channels. with easses containine hydrogen and oxveen being sucked in at the bottom. recombination occurring throughout the heicht. 6.2..s4 Containment Sptoms - Amendment 1 DRAFT 322i94 - 1 J
2SA5113 Rov. A l SSWR standant sarety Analysis soport and heated cases containine combined hvdrocen and oxveen in the form ofwater vapor-leaving the too. A chimnev funnels the exit flow through an outlet that has the same area of the flow channels. Testine showed that the chimnev imoroves the efficiency and i forced ventilation canability of the PAR device. The chimney can be eliminated for installation in tight soaces where mixing is not cmcial. The chimnev also can have different shanes to adapt to soecial locations. Some spaces such as in crowded compartments or the free space at the uoper oortion of tanks. may not accommodate or need a standard fd-PAR. de. ice .cr mu!d 6ey : d a fu'! de. ice to ce=c! ' cc-b=db! g: :: For this eventuality. a series of smaller size units would be desiened. all utilizine the standard cartridges.
- k. . , A.., m -
7- "O***'O**"' k :. . f,1^. , mt..,.\ I,,eh W "" r ' O I ** " ' " * ' * * * " " '
.-m ,1*-n:dmn A. 4,
'O*"~"'"""*
.k o . .Am
* -4 * *.* A' ' k.* "1,
.1.,.4.,,.....mA..,,,..:..em.,.
. . -m .. .
- ,, . .b.. 1. - .m..--..In, gv. .:m \ e . . A , ., m.m.: n.
yf - . . ... . 1 7.-----......
.. m. mmu.. y . . .. . . nO vv s
- '."o vt' rg 1. *.*/\nor. f . '.t"h. . t.,. . . ., .
y u. m.
. y.g...
- m. . 7 - . . . . .
. . n: ,1. .m m. ..,, , . .
.- . - . w o m .m. . k.. .. .. .. . : m o.v . m.r
.k..,..mm.A.*..OO-'""'*'""""I'"'
...v ..
- e. 14 . . m t. 1 m. . -" m **m" -"o'""""'*"'
n . , e :m"n", "Th. ' 44 * * ~m: . . ~ . ....,1m.. m1..,,,,
"O'"*""*'O'"r""O"'
,w m m. . m. m m.,1. -. . - . . .-A .: . . A.:.. ,... I. . g, : n. ,. . .
* ~., : .
T. h. . k,3.m.-m.. '. . . ., m. . m . m . A t m vv. . - - . .e. m. .g....--.
- m. k l.y . v.. m , k. ,.....g--
. . . : .. . .. . k. ,m, m 1. ,
.j k. ..m y.: -gg, I mt. m, ... .7. mt. . ,. \
3f-
* - , om-,..,.,.. A at..,:nto,, 1, . .m l e A , mn e , t n , , em n er tWrpO6thC %...k..m.,:n.O~""*"""'""""-"""*""''""*"~""**"'**'***g4 py mA , m..m. ..m k. i ..m1..,,..m
- k : ~m t . , r,~m 10A17,,em 10 tb , .n ,1 kt m ,1, (m. )
O'"""*O"""""""**""" ' I
,mm..n..
w r.i.m
--v. . v.m r : n.m... . . 41 ... J..4. .., ,..g, , m. A .e t. .t ..-.k. ,,, ~, - .: , .. A . 1.. .--.
,. . : ,,1 .. A .4 m. . g,. . , ,,3.. . . : .. A ...m m. . e...t, .
r kl. ,\ 1, A : m..ht.,.,r.. ~. .:m.. ,1.. %... . - k.. m .,: .g~ ,....m. ; ; - . g. . . mn.g . -- I ,, en.
---an. .-. -, - . .
en . . A ., . * . h. . .,. ,.y. m , .,, , k. . :. . 1.
. .~
A. . . b. : , k
. . ~ .
.k . mi.m , m1. . . ,. e : m em m.m.. -~1n,. ..A ,,.., A g .u m..A., . . m .-. - . 7 O " r ' .
O " * ' " ' " " " q' ' f' 'm' 'a" " :-* .:m
.,mm,,....
"r"*"r'""*"*"""
"',r "m .",". . '/* ,",1, k..:m..y vj m..m.y m ,
- m. .. mv .r ., n... ,, y j. v-.,--.3m..e...' .-..1 eimm m
- u. .. A c, ,14 . . .. ..~7.,..
- . . , . - m . m,. J. A A m.m.
.k.
_,i._~... .,_:... ~.m....:
. . . , . . . . . .. 7 --..y..
,~:
_ . , - . . ..... o A. w m. .-.--y.. m. . . : _ -,. A ,r u. w..._,___..
- v
.m_ ,: . . . .
sprays, 6.2.5.2.2 EA3 Ignitee Location Criteria Hydrogen and oxygen can be released to the containment atmosphere by radiolysis and metal-water reaction, through the safety / relief valves, depressurization valves, or pipe breaks inside the drywell. Eventually, most non-condensables end up in the suppression - chamber air space. Therefore, PAR igniter assemblies are located in.a-eg above the i suppression pool, as well as at other strategic locations throughout the containment. F l The location, distribution and number of PARS jtare based on potential oxygen release location, regions where non-condensables will accumulate apprcpria::: pacing i : cpe-
.m,,- - , . .A...A., ~.~..,. A yv mm.
. ...:,i. - . .ru. .b""'*"""""'**""'""*
- k. : ,.k ., i ~ ,i ~ ~ - .., a _ : - ~ i ~ a . _: ~, ,
- - - . . , . . 7 ' ' * " ' ' ' ' ~ ' ' ' *
- M *"'
u ,.., :.i.,., mv .r .. k.. r.n .,. ,. : . . .: ,
. k. ..--.m.. 4. , .. . - ,A... . : k A
. . . . . - - , k,, i. m.
i ~. A, , . ,,-- .. .a. . k. :. m. .h.,._.,:m..,,., - :.- : ~., :
, r .-v . m...,. ..v .w..-.. . . . . .., . . , m r .i. :.3. . . p i m
. . . . . v.
- w. o. , .r,~..,.,,.h.
.y . . . . . .
11 , .m , , . k , . - m .1 A k .. . k: .,. . . A A.:.
- a. : m.,. ,\ - . . ~~
e. aA.A.m . . . . . . .m m,...- r""'*--'"'"""-*'""--"--'"'r--'-'"'*ir* m~, y .1.,m. .,.:m. ..- g, . .,
, ~.~A.
Containment Systems - Amendment 1 DRAFT 6.2 ,15 M234 ' l i
_ m ._ _ _ . - 25AS113 Rev. A - SBWR standant Safety Analysis Report
, . r.s . m .m ., ,,.,. : . k e .g. m ' . : :. ,,,o----"-----p..,.mi.. . .. ti A et.. ..a.k.k m. k ..
v.
"r'-------'-- > O'- -- ' i -- ' - - " - ' -
t .!.
. . .4. , . ,m n.-, - . -
- e. ,
.m. . .eA.. m ... .. m.
- . . ., A
- . :. , , , n. , .. m e n,
. ,.. , f *ln m..
v .(*. \ , . . , k.. e k. .e. .. - .m. . .e.,1, n. . . m. v., nr1.Q f .
. ~
- s. g. ,w b. . *....s us. a. m mm e, bl. Im
- m. .m....,.. Ig Kn., .re .f
\ A:, .e .n.,o m s-.,- ~
o 7, . - v , .g..... ! . . ,, t .r. a .n. . A. .
. . 4,: m m. ..,.1. ynm..
,.v
- v. . .,. ..
,m...-
-v o . .m , o.n .e...
. . ., :1.., ht. ,..
g :.m 1 mem n - m:1: n a,. om , , . nm, .m . . .: , ,
- f. 3 - m .. -. ,t u, - . e.v . m-mA ., ,. t. o. , , ,- , . m.s. m ,. --. k t .s . ,. -vu, m m. y s ..- mm. .. .. _n-O""'""'""""
-,%.,a.im,.9.m.,. . .
-v..
e k . . . ..s m, f mm. . m. m .,.- i. n. c , I.n n. o. b. . .e.ms m. .km. ,:-en,,m e y----... i. me., . . e. A, ^vue u , t.mA mvn r. ek. , yn vmv. mt, ,... 11 3 ---
...yy.,.-- v. . . .
29fMT g , t...m. J , , . m A..: -. -. .~ .. A. . . .,, , . k. , ,. 4- A, ,. . . e . . - -. .. .- ,. . :,. . : ., . , : .s Atm .k..-, T3. . : . . m.- . .
. ..j 3 -- m ...."O'""*""""~~"'"**"""'
m v. r ., ., m. 7,...--.--
. t m . . A k. . :. ,.h. .
3
. . 37 1 : .s. .- - -- ,.rm k , m ,1,
- v. ...k."-k.
1, ko.r .. k ,..sk, ,,:. :, 1_ --, -- v . s. v.-- -. . . - . - .~..m.n.. k..m..m k.< ~ ~ . . A.. ,. . . n a. e s , . . A .
.. . ., m m t ~ ee A :- k:mb . e m ,.-
g im : .. 0"*"""'""'""" "O**"""'""'"'""\"'"'"""
.me, f.kee -. 1 A ! . # .. . 4.k om . . : m m mg
" " " " ' """ ' '1 " ' r " " '
- e. , . : . 4. 1. , A . 4 ., - . - -.. \ a ,- .A -..,.ml..m msm-emA a := .
- m. . , t .a. .. . n. e .n. , . m,
- v. m
. . k. .o ., . . . . s.
m.
--. . 3 v u ."O '"I "~'1'-"'"1r"""'"'""O""'*"*
mk
- ,,,1 A , .. O""*O'*""' :.m.
em eko : m. 'n:.., em eh m m. .. . - - 1 y . ..j-.,.. --. m m,
'" ' * * ' . . . m ,1, : - -
""J'*', "*~~*Or'*""*
g T . . :.. .. -.-
.g I. m. e m- e A . .--.. , .k. . h. .e. e. .n. . .e. u : en,m .n e-.n. ,. m -.=. =
A . . . ., . 114 a. . r .. -- . . -, -n--e. e t. 4. *:- , m. , , n. km v e,
--.h. t. ..-- .. A . J. e b. . m..o t. A.. : m. . ...j-. ,. . 1 +. . e ., A ,. ,- A.:., . :v m a. . . .y-m....v . -
, I m. . . , , ,
.e.. .v.. --.me,,,,,,ht..,
~ - - - . .
j
.o.. ,. h. .t.. .. k1.
v m /.4 g -Y . A.D,.A f\ . j.-. . f. e. A.:, . : b., . . . : m .:.
- h. . . . . : n. r. t ,.m . ,. . cv. -4 0 9 , n. .A A_ . O- O. A. . o . A.
.. . , ._.kv- . 1. , -..f k.~ol m. .v... . r..,..
A. . O. 0. 9., , k. . m . .... . 1.~-,
- e : m--.. m., .r . k.s. :m :.. :- e k . , m - .. :
. . r!- ... A O O A :, , ..
..O'*""''***""'--"**""*"O"'""*'O**'"
,,. L. m
--. . . . - , , , * : , ,e - . . "A mk . : ,,1. .- m . ! m - nrek . t A:.J. m - t: :. T :. .A :- ,. A,,"t*
--- A :. 2. ,
-. , . . m, m. 1..an*
r'*/'"""',r"*'"'*"*""'*"","*"'*"""O"""'""O'""'"""'"'O"""""" e,.
- -- -. . . A:.J :n.n. O , d t'* , A.. 4. : me. - -.. - . .v. 9.,, ... -A.una -e,. A..:. " . : . A. .
, .-. m,,,
A thPM- A. 7.-. ___t . _
- ._ o.r Y a*-
- A- *
- -- .A- -- - D _ _- 3---
.g n
-.j...... n. u.. - - , .
,i..s .,- 4
- g. Y h m. ,
77 . n-~.j.. .,. 11. t'.,1.:.n. j A-.. .g
- g. Y %,mo.
v y . n -.,. .. .. . .i.t. .i o. .m. . 1. . . - - - g 4 f_. , . , . . _ . n_ ._ . , .. ...n.
. . t_s . .a.. ,.
g 4 c...,~..v.. y y.
,: m.,
ru. .. , b., 4 :, y D
,,,,e .... m _ n _ s _ .. ... .. ,,.... y.--..
m ., vc:. n. ._- m ru rr'c : , . .. .m , .:,.,t h. :m :..:, , r. . . s.A
.v...--..; ._ ..
- .A O A k m. v
.. -... ._ _. : .m. .,.. m.e v .,. f._ n, r,. A. , m v.. ., A : ,: v.,
4 ... m~v..s. . , : .. n. .m. . ., .... :,. : .,: .:, t h, : .m.
. . ..--..j . , is.n, . w m n,s.O s.. , .m. A m . A..:.-m.i..a.:.,,
j . . . . v: . .k.m . t.m.,. . :;-.3........,v...m
, , : t . ,. , ., . , m . . . , .
6.2 46 Containment Systems - Amendment 1 DRAFT M2M4
25AS113 Rev. A l SBWR Standard Safety Analysis Repon i cf O2, We.e can be -'c high energy ccmb=deseacdce before i-i !:tien. Once
': dated,igni:e= rd '! cendnue :c cpe ::e t.n!=r mar.. "f ::cpped by 6 Ope =:cr
.' !anua! FCS ini inder E abc perible 'rc-- 6e n !-' cc - re! reca l
I > e. .o.
. e. _o .,a n .. .. .. .c. .. .. _. ,_ , ..,.
T4:e !! ign::er =:er61!e are pcwered Ec- ! dhisiona! C!=: IE DC b:::e-in (11 per 6;tien). Each dhbienal pcrer b brough t :c != r=pec:ive di tional dk::ibu:ica panel 3., a : . . ., , .: - . , u m.
.._ f .. . . m. . ._.. . : 2_. . n. _ ., ._, : ., . . . . . .n. .: ., n. . :..
- .,. _. _.a. c_
....... .. .... i. o_ _r v. a_ , .
.. 3. o_ n. v. .,.,. ,
6en penet=:= cen*2ir= rt-here pcrer is dkuibuted ic indi-idua! ipiter tramfc= = fer veh:ge reducten :c 12"AC. Each of de -1 divi-!cn ! b ::e i= resemed- j
- c preide cendnuc= ipiter Ope = tic- for 72 Scun vi6 cut rech=g:ng. Each didien conde of S circuit vii each circuh h: ing a m=inun ef 2 ip:::=. Erh circuh ic prctected by One circe:: brecher =d a f=e :n ce-in for protecdon of e!:cuical p ne:r: den and :c prec!ude r'uldple ipher fai!ur= if a der: circu:: &ve!cp: in One m r. . n. : . . a.._. v. a_ :. 2. a.. . , , , _ . . .: ., n.. :.. 7..._
- . . . . . . . . . . .... .,...... ., _. .: a m_a. .:. .,. _. ., , n. :. _.,. : . . r_ , _ a , ,. r. .:._ . o. ,. . ~. .o, 9 pre.ide h,9cg= ignher pcwer supp!y chemad=.
6.2.5.3 Safety Evaluation 1 A calculation was performed to determine hydrogen and oxygen generation (by 1 radiolysis and metal-water reaction) under post LOCA events inside containment with no recovery or mitigation actions.This calculation is based on the methodology , presented in SRP 6.2.5. In the SBWR there are no design basis events that result in core l uncovery or core heatup sufficient to cause metal-water reaction. Per Reg. Guide 1.7, l the design basis metal-water reaction is that equivalent to the reaction of the active clad l to a depth of 0.00023 inches. SBWR will be operated with an inert atmosphere which precludes short: term combustibility due to metal-water reactions. Therefore, the FCS function is for long-term combustible gas control due to slow buildup of oxygen from . radiolysis. Hydrogen is also generated due to radiolysis, but due to pre-inerted , 1 containment, combustibility is precluded by limiting oxygen buildup regardless of hydrogen concentration. In the analysis the containment is initially inerted to 47o oxygen.The hy&cgen =d cnygen concent= den prcE!e fer : D"A even: k det-'. in p:._ .. e . o_ . o e n ,. a .n. . ,,i .. .i.,. . :._. ..._.
. . . .. ._. , .n. : _ : . ~. . . .: n.. u_. . . , . ._: , .; o_ i. n...m. . ~
2 l fc!!cn ng de acc!&r:.The PAR system will be desismed to prevent the oxygen volumetric concentration from exceeding 55 Evaluation Against liegulatory Requirements Compliance to the regulatory requirements referenced in the Standard Review Plan 6.2.5 are discussed. General Design Criterion 41 -The FCS is designed to mitigate buildup gene = den of oxygen following an accident by recombining :!cv;!y bu n:ng hydrogen at low levels of oxygen to preclude combustible gases from reaching detonable limits that could Containment Systems - Amendment 1 DRAFT 6.2 47
.W2iS4
,- __ .-. ... ~. - - - . . - - -. .- . ~ . . . . . .-- , . . .. ~ . . . . . -
k 4 a 2SASI13 Rev. A . 1 _ SBWR sunderd sakty Analysis neport , i 4 4 J ( 1' 4 j damage containment integrity. The system is designed with sufficient reliability, { redundancy (1 dFicic=) and physical independence (separation) such that no single j. failure ^ ene channe! : s ed f-c : rice could result in a loss of FCS safety
; function.
4
- General Design Criterion 42-The FCS components are != : 4calcc m pc en .A are i . .
3 designed to permit periodic visual inspection. , j' 4 General Design Criterion 43- The FCS design permits full operability testing during
,. a refuehng outage.1.:..:. A c.. ,.:ona. . ..:.,mi ._ . .. .:.. ,im . . .- .. -
-m
. ~ y _. . :_u_,.. A. . .. .J y,. i.., . . . ., m
,. _..,m... y... J. 1 j- Regulatory Guide 1.7 -The FCS design basis calculation of the post-accident generation of combustible gases is based on the methodology depicted in Reg. Gui d e 1. 7. . ". '. '_'. - .r^ ". . ^ d . . ~ -'. ^_".. .~.'. _ . . . " ^ .,- e d 4 g A., . .m _ .1 . I,' I tTC ) !... -A.. ,O, . m..m 1 4 j g .. .j .~ . A. ---- . g-f . . f t..o. /1. v-- AIM.P
+
9 e e . . A. _. .. T.__*.*_._,__._..Je_____Af._n..L__
.._v.........._
q I T. h. . . r t'C ! - .
~ ~ .
- 7. -
mm
. : m . .,11..; . ., . A e.m . . . . . . . .
7- . - . . j . - - . ~ . . . ... o m
-v .. . ... ..-. m....O"*"'*'"*"**"'"'
. ,. . r
- ,., m r ott ,.m . m t.
- .A;,..,.:m...,,
. - .. .e.1-. . . . , .. J .: . 3 .e m
. .,.1 l- : . . - m -s -m o . - .. m m. J A 1 ,. k . t :- . A . r, -
.D****" '""""r"~r"'''***O"""'""'""~"""
...k.,..........A,I-.-,-,.. Th . . . t ., ,1. . A ., . . , : : - - .. ,. h mr . k 3 -....---..O ""*" "~"'" **"****' * "' ""* ' ' * ' " " ' " 4*
4
'""'"O""'"O'""*"*****
A:.,J.:m .et. ., .. m .g
- .. .,.v.
t: ..:. ( m. .. . k. . m. . : .. ..
, m. ..m..
. 1. mm.m.
vv
. - . A . ... .J
, .r.. J.
j , . ,,. . k. .m .. s..11.g: . . .:. .. .. .,. e.m,: , . . A - .s . nm . . , . A, f. m. .s 1 7 .- .. . - ., -, .- -- . 7- . . ! . . (. . . - . : m g r.. .:m,
. . . . - , . . . . . . . . . 1 . .,. ..g,. m - r. r. t'c,
. ..s
,k A. .,, .,.,, e
,.o . : : m.. . . .. ,
..,e....J-.O~"'"*"*"*""O'***
m . A , m A - ,. k -
- j. .tm 11..m,... .. . g. .
g .,..f.u,.
...7 ,- .----v
-- . . . . . m.r m--- e e k. . . g,..: ., , .. , .. m .. . .-. . : f.j, .k. ...7 2. 2., m m .. .:.- ..g - ,
../
mv. .ok,m,,,.,.. ,. --. AO **0 t,. 10 U , e - . /1. g *."A.n.or.f i ..... .k. . - -- - 77 1. : A . e. . A E ..m,,1.....A-...A..m. n--.-...... - . . k,.. . ,,k. c: ,,..:.... -..f. j---. . - - -A:.g,
. k..: :....:
.0"'""'"'**""""'
.,k mtek A A1.J.: .
r . . . _ .. .: m ..--......-.-A.-m._i...
. . . . . . : . _ . . ., c_ . k. . r. i - _ _ u: i. : .,.,ca ..
. ... . . . . ... . . . - . . . . . - - . . ,......c._.....
- ec m... ., o J.h,, A, :. =. ,c, . .. .k., , , . : m, - ...
j , . . 6.2.6 Containment Leakage Testing This section describes the testing program for determining the containment integrated leakage rate (Type A tests), containment penetration leakage rates (Type B tests), and containment isolation valve leakage rates (Type C tests) that complies with AppendixJ and General Design Criteria 52. 53. and 54 of Appendix A to 10CFR50. Type A, B, and 6.248 Containment Syeroms - Amendment 1 ORAFT '
.W234
. _ , - _ - . - . __ _ . , . . _2 -._.c. . .- - _ .
. . - - - . . ~ - . . . - - - -- - ._ -
l l
- l lSAS113 Rev. A \
'J SBWR standard satery Analysis aeron 1
l i 7.3.6 ' Flammability Control System ; i
'l 7.3.6.1 Design Bases '
The Flammability Control System (FCS) design bases are discussed in Subsection 6.2.5. 7.3.6.2 System Description The FCS system description is discussed in Subsection 6.2.5. l 7.3.6.3 Safety Evaluation Table 7.1-1 identifies specific general design criteria, codes and standards, and regulatog requirements referenced in Section 7.3 of the Standard Review Plan for Engineered Safety Features Systems. The following paragraphs discuss compliance and any exceptions or clarifications. Subsection 6.2.5 also discusses FCS compliance with j other regulatog requirements, in accordance with Chapter 6 of the SRP. Specific Regulatory Requirements Conformance 10CFRE9.EEc (!'"279l _
'n.e : equiren en:: cf!EEE 279 re encelcped by F.C 1.153/IEEE S03.
General Design Criteria General Design Criterion 2 -The FCS ign+4er assemblies are installed inside the containment. Pc= ::npp!::, & -!buden panelsandjuncden bene: re!cented cu :!de
$e con >:!rT.cr: (in:!de 6: reat:cr b d!& g). The containment both structures h are .
Seismic Categog I and h are designed to withstand the effects of natural phenomena, including earthquakes, tornadoes, floods, hurricanes, etc. General Design Critedon 4-The FCS components including their supports, are designed to withstand, without loss offunction, the dynamic effects, including effects of missiles, pipe whips, etc. General Design Criterion 13 - The Containment Atmospheric Control System (CACS) provides FCS oxygen level monitoring during normal plant operation. The FCS post-accident oxygen level monitoring is provided by the Containment Atmospheric Monitoring System (CAMS). General Design Critedon 19- GDC 19 is a plant-wide requirement for provision of a control room. A main control room is provided in the SBWR plant design. The FCS has no eentrol functions inside the main control room. General Design Criterion 20 - The FCS legwas automatically resnonds to the presence
" dated upen re !p:cf LOC'.:!g :! '!ct mier!:;:!). I-::pted c 6!:!Ogic i:2 24 hour d-'. delay for energizing 6e ign:ter . of hydrogen and oxvgen by recombining them to form water vaDor.
Engineered Safety Features Systems - Amendment 1 DRAFT 7.3-37 171AM
1 1 l i 1 25AS113 Rev. A SBWR sandard sarery Analysis arport i General Design Criteria 21,22,24, and 41 - The FCS is designed to mitigate genemtion 1 of oxygen following an accident by h- ng recombining hydrogen at low levels of j oxygen. The FCS design pennits capability for periodic testing even refueling outage. The system is designed with sufficient reliability. redundancj (fen Ah". den:), and physicalindeoendance i-dependeaev such that no single failure er ene ch.r ne! remo.ed from ervice could result in loss of FCS safety-related function. NRCRegulatory Guides l Regulatory Guides 1.22 and 1.118 - Periodic ooerability testing of the FCS is accomph.s hed every refuehng outage.1 : _:._a. c..~._..:~.,.,,. .m..:.,,, a . . .J ., ,. _. ,1. _ i .. . ,
.. - - . . . . . - . ... r--
m . : m. , :, ,i.m _m o:.k. u...
.. - ~ 7 d:~':^ :r Regulatory Guide 1.47 -The FCS d :... r~~dd~ -^ *-^' -^^- ~'-- - A : _ . - - ' - -- - - - - - - ' ' - - -- -- - - - - - - - - - - -
j
.k..._...:.m...- - . m .r . . - .
J. , . m . : ., :.,_.......
... 7 -.. .. . ,... .....is a cassive svstem that is alwavs !
. . .c . . . . '
ouerative and reouires no control room alarmsc o__.u. .c_..o_ i...n.e i, .
- r. mee., ~7. . ..:,:m.,..
rv c.m. A .:. J. : m.,.,i. ., _.. m....
.m.. m .. . _ , . . _ . .k.,.
. y ____.j --_ . .. , . . .
. j ...
3........_,..
. . . , m, r e k. :. .., .., 1. , m
~ 3 .. ...j. ,g A..--.
D__.u..P..!J_ 1 c@ 'T'k. rt'C A mt, ln ,1..A ,m.k.J,fm (m. .n a . . 1
- I frmm
.I nn" ' " ~ ~ " ' " * " " * " "
- D - -- - - / --- " ' ' ' ' - * * ~ ''O*" Y""'""*"'"~"""-'"-
.1,
- m. . . e : . , m,.,.m. . m.1. .. .m. m m.
.rm, . e
--- .b. mm
.r k. . .
- (m.. .. . . . A. .
J.,,:.
- m R&r
- _ L : ,. ,1 n
.g._
_ _.u. _ ..j _ , c.___-
. .a _ i. .e. r r_.e..,. h.. .m.ree A ..
- . J. .m: m.. . . ,
y . .j .. -- ..t.j m
,A.
- u. .. : ~ 11.j.....-~y,..--...
- . - : A . _., A ... .
C
- o ok. . A.. J. : m m.. .....I.,,,.,.,_A.f.m.,.
m - y . . - . v. .n A . A :, . ,. A P1..,.m,,, 1. r , m, . ., , m -...,,.h.,m,... 7,. ..
..-.-- 1. ~,., w. . . Am.-
.m..--
- - ., m .4. . . A
.. . .y .--- - - - - -
. , m r. . k. . ..- .- ,- .. -m. - k.~. . :1. A.: .m.'T.*k.
. - . g,. .yv . . e m.v.. ., ,. .,.g
.y.......
e
. ., ., -. . A , m, .n. e..vm1. .f.v m.m.
- m. .e. ..
e.m..ml1.,,.m .. fmm .k mek r!. . . , m . .. m .m . .. Jm-. k m. .. kuo
. , k. . A . .J..,,
.. m a. .. - .; .,'r'--'--"-----------'---r----'---'e------'--'-- 1 A.c.
- m. A ...:.k.:
. - - . ..- . - .k.. - ~,.,... . ...: -. . .. . . u. . . 1. : 1. .. :g ., .: .. .. .i .c.~.,
- 7 g .. v _ h. : ,A-ys..--.
_ A . - . A.: . J. ,: .a. f
- . I.. mo_, . .A- -... J. . k. : . . e k. c. :r m. . m. :,m ! . . .. . .. : = e ,. . :. ..
mm . . A .C.. .w A . v 3.
.-- . . . , . w k ,.. ~.g
. - . .n. . 1.j, , - v.., v. . . ..m. .g.......--...w..,
,. :,.m .. . f. m., m k .A:.J,imm, ..:1 k1 .m a.mJ A .k. tl k:1: . ,m m .m1
-m.m..O"O**'"*"""'"~~""'""""'"*""'"'"""r"'*""*'*--"**"*"/""***'"""
vy .
- t. . ,. . : m .,
(*1 ., 1. r. :. .,. t.or m ..J. e k. /*1,,,1r ou - ,e AlmA:,. . .. m.m4A A..Jeb.
. .... . . . . . . . . -- o. m. ... ,.- . --....-..-.----...., .
7.v.. -- . .. ck. mm.:, A. y-, .,v.-m1 . ... --J.-. .
)
i l l D_ ,- _ L a - --- c_ ..! J _ 1. ____q ___ 1. A. .r M. . . r. e_e .c....j 11.. m. . . .., - .k... ...3m :.. m.. . . . . ...._ mt
- v. D. ,r*y 1. 1. A,, .K., .
- a 11, . . : . mn!, 1 f....m...-.. . . ,. . . -. ,...ys .- ., . . . . ..m.---. . 2. o n. .. . A . . A . ..n m..
.. k. m A mt. m "DI""'"*"'***"'"'"""''~~*"O"'r-*'r'
/s D. E .. ., . *F . G 1. ,\ .
n_ __ _ .u. __ . c_ .. u _ i. . i. .r e 3____.j ___ n. . . rc_e :., A m., t. 3. . _a. . ., ., -,,,. ~. . A , m. ., . . .a..k.
. , , . m. .k. . . m,3 : .. m. . . m. ._g o t' 1 1. .K 9,
.m .a.n. A f. r r r C,, A,,. O. .
Q) n .ro i.t_'e n o 1. m. . . .m ree,
. - . . . . .r. . i.t. .; ..
. ._ ._. . t, m . . :.._ ..,. . , .. . ... - . . c. n ro. t.e_en., o t.
.e .m. a o t',.~
4r47, i 1 7.3 38 Engineered Safety Featuree Systems - Amendment 1 DRAFT 322FM
.-. , - - 4
~ _ _
25A5113 Rev. A SBWR samtaurswyAurysis nepar g D_T. D c,_c o 40. %.3. ... :_,;mme.m_a. :
. . .. A. A.
. . . . . . :.. ._ A.
-.- ... .. . mw
- mm ;
gg.tm . ,,... .. m., - .-L.r. .11.. , e. m, . . A. / :g . . v . , .g . . t. e -v..
. .--....; ,m u
- m. . ..m.7,.e...m., ... -..
m-
..m. . . . .mA
. . .-f- \ A m d. . .gm .
- m ..:
.s.m
. .. m .o.t. . ,m. . ...m.-e m n am e e : n ,. 11. m.
v ym . - . v v.im . .. .. .m._ , e b.- .g.o. t e. ., - ,g L
. - ..n. .g.- A , .n. ... A . .mt. e m ,.m O' i gy ..-.
- n. e ,, ,. -.. _u_..., _. ... a_ .c.~,,...en.s. . _
- . . .. A.:.. . -:n_...:~..
. ~.n.a - A u .,:.. ,*:~,
r--------<-.-------- l
..tamment-Lm -_ . . . . _ ......_.:m_...,.. .f.. .~. eenmg.
u.~ .,1.~. e,. A. ~.. ..: A.
- L. _
-...-A ._i.._ _, .:.- ~ i. .i ~.., A,. .._ . ~. .m.
-- .. ,1. .-
7.3.6.4 Testing and inspection Requirements The FCS testing and inspection requirements are described in Subsection 6.2.5. l a 7.3.6.5 instrumentation Requirements None.
, . _ , . . _ . , e_ e_e_
y.. w..i ....w... , . _ _
%. .. . r. - t. c---. : ..t eto .-,
.m,m.:r. .nedr-.o. m.
- st . a,n.--. :. f. ..11.. . . . . m. m. ..e e t.., Y.Y. ym,.m. T. AD N. .A..m o.1. I,I.
. . . .. 1 1. ,\ , el..._ -C A.
n.- -m- -.. .. .:. _ . A..i. .j. --
. m,
. .- -e .
, . u n...... n. . u. e.: _. . ._ . . : _ _ ~, u.. . .s.
. . .. ,- , rce,. ..:.---
- n. :. e.. :,..-* .-:~.. :. _ 1. A :...n..- v.-- .
.Ae:me
-...- .+ - ,.e A b..m m e
.n.. . .A.-. - o. n ,.h. . e L.,
n
.g . . . e.om. tL. . ... . . . ny . mma vym .n .e: .g .~- . .y . a. e.. . . D.-e m
. . - . . . - - . . . - . .- ... L L a s.t a n.
m.m,.- m_ ,.mn -o n e m e:m.m. ... n e , . o h. :m e mn 1 -. . 1 %. I
- y. v .mmA. . 1. . _.,.. . mm.m- jgs. mm. .Ak...A.m,,O'**"'""""'""'""""**"'""""O""""""*"'
. j- '
rt'.C., . J11 o mm. e :..n. . . . e.m ~ m .s e,m . . m. e l l. .m. . ., m. . . 11. .... . m..i ..m--
. ~ . . ov. .. . y -. .. . . ... .j
. . m e .A k. , s k. . m m m m.e.~.. ..v j - . mys . . . f.~. .. e k. o. .m..
. 4
,ova.n. e .m1.
- , - . mm.m. j l
l
%. . .. r. n, e., m..
, . .. . .. .-. ..1.
.-: .., .. : e:. e. e. t ,m. . :., .e.l. m y~, ,,., . ..:k.,t...v c ~.m. . e n.. m..e: m.
, mn..e ..m1.
mv gg. u..m . . 1 re_c i j omn..e.m1 sv -v. w 00..,. A
. . ... me nr..(m . ...m..v.,n m.... .e
. . 1
-. ov. mn. e .m1.v .J. a. h. . m. gy-
.. . /m m . ,m. ...., m.e. ,L. A.:.
w . ..:. .,i.v mm.f .\ . r e ,L et* e -m m n. e.vm1. ..J. , b. ...:., . .,.,.-A. e. m : , a, e-
-.A e.m . m.:n..me.m ,
m,ysan..e, . e-v.
- mn. m.r e L.. imm.
- . .h. .
..3..,, - v
.g .t.e..m . . . . .
.- ynn. . .. :.. . .. . A.:. ...v J.., ,m. .
rPC ,e.11.... :n,, m n. t.m-- mr. my ~. .......~.
%..- , . . - . . . . o...m.m. a .j -.7 .. . -- e.n e L h., u.-. %. . . rec., my.
. - m.. e s tn., .. m....je . L,
..-.--v.
. e , .. A m n.l.., j- .
a re , gu .
,1. . e.: mn.L.,.,
.:. .m.. !... : n...v. e.6. . ... m e.mm. ..e n.- .... 1. e n. . e m1. v .J. a.,L. ..
.- . .. h. .. . r. PC 7
.j ... :..n..,....e.e..-A ot. o , . : ,~.1. A.:.m.m.e.m.
.,..,,..... . . .... . m .. ..
g... g . /f.r ni
~~f A:,m
.n ...A 1mm ,. 3. --.g.-- . IfT.M p '/ ~' ~ r a.. A ..A, A
- 41. 4..e, n .e.... A. 01. 4. e., i. n. . , mo,e:. 1..
in. . . r. 3-.m. im. . . - .
. m .7, ,. . . .j .
w . (mn. .~ .:
-...g m r. c, e.-.- c e_
- - -. .. -... :. A :~---.....
- .- e : ~.,.. - ,. ., a i _ . . ...~ : y. A. v_.A., :. _. . .
e u.~ ._ _ .: ., _ ..m.....v. "OOHH i a g
- AAT a n A
- Arr* .., e u.
- v. . --.- 1.:g,.h. .e , .
g
- A Y TTA TUID* gue- t .imb.
.g . e.
l
*Ir%. ,TT.T. E D m E .v . .O, T. A. ,f.tT. T A.T. ~~ --r n"
.- a t.,.
5 " Y A,m m,C C A,., r. D.- AI.M. _ E D. .* n 1 .. "4R u "D I TC T TA?nr D UA f T A t"' r * ,Jarin m, v . ,_ .... . , . , ~ . . . _ , . Engineered Safety Features Systems - Amendment 1 DRAFT 7.3-39
.V1M4 i i
i
2S45113 Rsv. A i SBWR sondantsawy Anatysis norert : a -Lu -tm.
-. nr c e..t.n. .r.re..ra ,1., n During FCS eperationr 4=ygen cencentr.;: ice :-dicat:c- !: pre.ided by We GAM &
7.3.7 COL License Information None. 7.3.8 References None. g g, . . . c. . mm : .s ...y-. .. .. ..u. m . t. ~.s. m t. m,,,, ,., T.h . , m. m,,y. .:,
. .-. , . .- t. t.>. mm .7-. . u. - -,r- n.,e
- - .9- i n u.n.
g g ry n.. n n,.c..e... A.. -,1 oi. e.,
. . . . . _ - . . .n.r..... ,c.. .,.._ . cmr.
. .,.. n.- ..i~
--r-- m g 1
i l 1 l l l l l 7.M0 Engineered Safety Features Systems - Amendment 1 DRAFT
.V1S'94 1
i
25A5113 R:v. A SBWR stadantsarnyAndysis noper i Table 9A.7-1a SBWR Safety-Related Equipment List (Continued) . 1 Elect Bldg Fire Area Penel/ I MPL Number Description Div Loc Designation Cabinet l T31-F015 AO GLOBE VALVE 4 S F18100 l l T31-F023 AO GLOBE VALVE 1 S F1A100 T31-F024 AO GLOBE VALVE 2 S F1A100 T31-F025 AO GLOBE VALVE 1 S F1A100 , l T31-PIN 012 PRESS INDICATION HVAC N S F1B100 l SUPPLY i T31-PIN 019 PRESS INDICATION HVAC N. S F18100 SUPPLY T31-PTN011 PRESS TRANSMITTER HVAC N S F18100 SUPPLY T31-PTN018 PRESS TRANSMITTER HVAC N S F18100 SUPPLY ! l l T31-TEN 008 TEMPERATURE ELEMENT 1 S F1A100 l 1 T31-TEN 015 TEMPERATURE ELEMENT 1 S F1A100 : l T31-TENO38 TEMP ELEMENT (Typ of 12) 1 P F1P100 l l ' T31-TEN 040 TEMP. ELEMENT (Typ of 6) 1 P F1P100 ; i 749 9M1 A HVDROGEN4GNITER 4 P F4P400 T49-80048 HYDROGEN !GN'TEP 2 P MP400 T49-8091C HVDROGEN !GN!TER 3 P F4P400 l T49 BM1D */DROGEN !GN'TER 4 P MP400 l l T49-8003A HYMOGEN !GN'TER 4 P 49400 i l l f T49-20028 */^ROGEN !GN'TER 3 P F4P400 T40-8002C m'OROGEN !GN'TEP 3 P F4P400 T40-8002D HVDROGEN4GNITER 4 P FTP400 T49-8003A HVDROGEN4GNITER 4 9 F4P400 T49-80038 MVDROGEN !GN!TER 2 P FTP400 T49 9M3C MVDROGEN !GN'TER 3 P FTP400 T49-8002D HVDROGEN !GNITER 4 P F19400 T' 9Mi ^ HYDROGEN !GN!TER 4 P FTP400 Ti9 99^'9 HYOROGEN !GN!TER 2 P F4P-400 l FHA Database - February 28,1993 9A.7-69 l l
25A5113 Rev. A SBWR saadant sakry Analysis aeron Table 9A.7-1a SBWR Safety-Related Equipment List (Continued) Elect Bldg Fire Area Panel / MPL Number Description Div Loc Designation Cabinet T'S 9^^4C RYDROGEN !GN!TER 3 P F4P400 T49-8004D HYO" OGEN !GNTER 4 P F4P400 T49-8006A MVDROGEN !GNTER 4 P F4P400 T49-80068 HYDROGEN !GNTER 2 P F4P400 T49 9C"C MVDROGEN4GNITER 3 P F4P400 T49-8006D MVOROGEN4GNITER 4 P MP400 T49-8006A WOROGEN !GNITER 4 P MM00 T49-80068 HVOROGEN4GNITER 2 P F4P400 T49-8006C MYOROGEN4GNITER 3 P F49400 T49-S006D MVDROGEM4GNITER 4 P F4P400 T49-B007A MVDROGEN4GNITER 4 P F4P400 T49 9007B WDROGEN !GNTER 3 P F4P400 1 1 T49 9007C MVDROGEN 'GNITER 3 P F4F400 1 i 90070 MVOROGEN !GN!TER 4 P F4P400 ) 1 vie 900S.^ VDROGEN !GNTER 4 P F4P400 l T49-B0008 HYDROGEN !GN!TER 3 P F4P400 T49-8000G MYOROGEN !GNTER 3 P F4P400 ) 1 vi9-9^^90 HYDROGEN !GN!TER 4 P F49400 T49 90".^ WDROGEN !GN'TER 4 P F4P400 T49-80008 MYOROGEN !GN!TER 2 P F4P400 T49-B000G HYDROGEN !GNTER 3 P F4P400 T49-8000D WDROGEN !GNTER 4 P F4P400 T49 9010^. HVOROGEN !GN!TER 4 P F4P400 T40-SO408 HYD" OGEN !GN!TER 2 P F4P400 T49-8040C HVOROGEN !GN!TER 3 P F4P400 T49-8010D MYDROGEN !GNTER 4 P F4P400 T49 -9011A HVOROGEN4GNITER 4 P F4P400 T49-80448 HVOROGEN !GNTER 2 P F4P400 9A.7-70 FHA Database -February 28,1993
26A5113 Rev. A SBWR senadard saktyAnalysis Report Table 9A.7-1a SBWR Safety-Related Equipment List (Continued) Elect Bldg Fire Area Panel / MPL Number Description Div Loc Designation Cabinet T'9 9011C HYDROGEN !GN'TER 3 P F4P-400 T'S 9011D HVDROGEN4GNITER 4 F F4F400 T'? *'SLm1A? AEMO75 P'^NUAL SM"TCH - 4 CR F5N400 IGNITERS T49-RMS00487 REMOTE P' ANUAL SY!'TCH 2 CR F5N400 4GNITERS T'9 PS^01C' REMOTE-MANUAL SW'TCH- 3 CR F6M400 IGNITERS T48-RMS00407 REMOTE 44ANUAL SM"TCH 4 CR N 100 4GNITERS j T53-LMU???A'? SPTMS LOCAL MULTIPLEXER 1 S F1A100 ) UNIT
)
T53-LMU7??B'? SDTMS LOCAL MULTIPLEXER 2 S F18100 ) UNIT I T53-LMU???C'? SPTMS LOCAL MULTIPLEXER 3 S F1C100 UNIT T53-LMU???D*? SPTMS LOCAL MULTIPLEXER 4 S F10100 UNIT l T53-TE001A TEMPERATURE ELEMENT 1 P F1P100 i T53-TE001B TEMPERATURE ELEMENT 2 P F1P100 l T53-TE001C TEMPERATURE ELEMENT 3 P F1P100 T53-TE001D TEMPERATURE ELEMENT 4 P F1P100 T53-TE002A TEMPERATURE ELEMENT 1 P F1P100 T53-TE002B TEMPERATURE ELEMENT 2 P F1P100 T53-TE002C TEMPERATURE ELEMENT 3 P F1P100 i T53-TE002D TEMPERATURE ELEMENT 4 P F1P100 T53-TE003A TEMPERATURE ELEMENT 1 P F1P100 T53-TE003B TEMPERATURE ELEMENT 2 P F1P100 T53-TE003C TEMPERATURE ELEMENT 3 P F1P100 T53-TE003D TEMPERATURE ELEMENT 4 P F1P100 T53-TE004A TEMPERATURE ELEMENT 1 P F1P100 T53-TE004B TEMPERATURE ELEMENT 2 P F1P100 FHA Databas<. - February 28,1993 9A.7-71 i
i
.t 25AS113 Ract. A SBWR saundedsannyAnarysus nores i
Table 9A-1b SBWR Safety-Related Equipment Ust (Continued) Elect Bldg ' Fire Ares. Penel/ l MPL Number Description Div Loc Designation Cabinet ; G31-RMC004A*? REP, TOTE MANUAL CONTROL 1 CR F5N100 (F004A) G31-RMC004B*? REMOTE MANUAL CONTROL - 2 CR- F5N100 (F0048) G31-RMS005A*? REMOTE MANUAL SWITCH 1. CR F5N100 (F005A) G31-RMS0058*? REMOTE MANUAL SWITCH 2 CR F5N100' (F005B) t G31-RMS006A*? REMOTE MANUAL SWITCH 1 CR F5N100 ! (F006A) G31-RMS006B*? REMOTE MANUAL SWITCH 2 CR- FSN100 (F006B) G31-RMS007A*? REMOTE MANUAL SWITCH 1 CR F5N100 (F007A) G31-RMS007B*? REMOTE MANUAL SWITCH - 2 CR F5N100 i (F007B) G31-RMS036A*? - REMOTE MANUAL SWITCH 1 CR. F5N100 (F036A) G31-RMS036B*? - REMOTE MANUAL SWITCH 2- CR F5N100-(F036B) G31-RMSPSS1A REMOTE MANUAL SWITCH 1 CR F5N100 i (PSS1) ' G31-RMSPSS1B REMOTE MANUAL SWITCH 2 CR F5N100 (PSS2) . H10-P601 CONTROL ROOM PANEL N CR F5N100 T49-AMS004A7 REMOT4i-MANUAL-SWITCH- 4 CR FEN 400 4GNITERS T49-RMS00487 REMOT544ANUAlrSM4TCN- 2 CR FEN 400 4GNITERS T49-RMS001C7 REMOTS44ANUAlWiM4TCH- 3 CR 56N400 4GNITERS T49-RMS00407 REMOT& MANUAL-SWITCM- 4 CR F6N400 4GNITERS G31-F035A SWING CHECK VALVE N S F7N100 G31-F035B SWING CHECK VALVE N S F7N100 G31-F036A MO GLOBE VALVE 1 S F7N100 G31-F036B MO GLOBE VALVE 2 S F7N100 ' FHA Databene -February 28,1993 9A.7137 -
. - . - . _ _ . - - _ . - , _ . . . . . _ , . , , - ., . .~,,-
25AS113 Rzv. A < 1 SBWR samtant saw Analysis neport 1
- Amendment 1 DRAFT
.V19M 3.6 Containment Systems 3.6.3.1 Containment Flammability Control T ("'A
_v-9(!91
.... .. gt :,.,:.: n n.,.,
,J.,,j,,n.:.
eo ,b. ._e t.t. h_m AD. ...r.D.A_D Y_r .
.A.DD.T
.. T.r' .A.D
-~ T.T I.T. V.7 u...nn.. r c 1. e n.
- .u A O.
I
.A.N. . AM.
v C
,v 1 1
I NWON "_r 4n ' ". " r "
.A.r'..'
- n, u. , Gown 1 j
j A, One di cini', : cNgntteerr. M P ::cre !: q w a h % l inoperabier di.i !On efignite= :0 { ADC.D_A_uf
- v. ~ r .,., .UGs uu , ..
b T'//c di'icion c[!yn.'eT: M P.e0 cre One incpeOb!e inope:nh!e. divi:!c : efignite= :c i A_ ... DC.D,.A_H T_U .,n .e.
.. .. . ._.. 4 g,
4 D.o,.. .. .: ..na.
.A.r .e.:n.n. .e. s.. A. Q,} - .. : .s. M... An Do -- r .9.. 10 k..m. cg 1
1 1 associated Cc:npletion- ! TI:ne nci : net. 1 SURVEILLANCE REQUIREMENTS I 1 1 SURVFJilANCE FREQUENCY SP. 3.6.3.1.1 Feiferrn 2 cy te.-' fnnc*ien21:e:: for each didien of REFUr' e-
- tteren T h. .PT.T_D. .t.T.A_T SR 3.6.3.1.2 Visually examine each recombiner igniter enclosure and REFUELING ensure there is no evidence of abnormal conditions.or. INTERVAL fouling.
SR 3.6.3.1.3 Test nerformance of PAR catalvtic element with H 3,_02- REFUELING mixture. Perfe- a re !:tance te grcnnd ::: for each. INTERVAL igniter, l TechnicalSpecifications 16.1 6-21
i l I l 2SA5113 ft3tt. A i l SBWR stantsent sanroy Anarysis separ Containment Flammability Control , B 3.8.3.1 i B 3.6 Containment Systems j B 3.6.3.1 Containment Flammability Control l i BASES l BACKGROUND The Flammability Control System (FCS) ensures containment integrity in post-accident environments by eliminating the potential breach of ! containment due to a hydrogen-oxygen reaction. The FCS is required to control combustible gas (oxygen) concentration l 2 in the containment following a loss-of-coolant accident (LOCA). The j containment FCS accomplishes this by using oassive autocatalytic ! recombiners (PARS) ignitors for recombining hydrogen and oxygen to form water vapor, which remains in the containment. i The FCS is an Engineered Safety Feature (ESF) system. It in cingle . i fai!ure proef and cencise of four 33% capaci"j eubrjetems.Ihf_FCS is designed to recombine km hydrogen at low oxygen volumetric 1 concentrations as they (oxygen and hydrogen) are generated, thereby maintaining oxygen levels below the hydrogen detonable limit and preventing containment overpressure. The PARS ig-ite= are designed to maintain the oxygen gas concentration within the containment below the flammability limit of 5.0 volume percent (v/o) following a postulated LOCA. FCS consists of PAR 44 igniter assemblies strategically located throughout the containment, including the upper and lower drywell cavities, and inside the wetwell air space. The ignite = are grouped - inte A did,iene dth each dhtien pervered frer a dedicated Cla~ IE hatte.j phy !ca!!y and e!ectdca!!y independent frc:n the ether divicien: E:e ig-iter (g!cv; plug) = a the:ra!!gniden device that v;her acth ated 5/ elecidc cunent creduc= I a rer.istance at the clement (er tip) and an !=re=e in tempen'ture of at !e= 927 C (1?^^ r). Ed: tip temp =ture is su"icient te cause cc=hu tion of the nuncunding gre at re!ntive!y !cv/ concent=tiene. T:e ign ! r-bucunted in un igniter a=e:rh!y er heuring Oth en!y the tip (g!e ;;4cg) enposed. E:e heucing i cenet:ucted cf stain!e= tee! nnd contain: a t= =fenner te step devin the vc!! age
!c eac!' igniter fic:r 125 Vac to 12 Vac, e ter!"inal h!rh far-wB.3SS2 TechnicalSpecifications
d
.Ii 1
\
25AS113 Rw. A SBWR smmsanyAwysisa ar m } Containment Flammability Control l B 3.6.3.1 1 om.. m. _ e :_ mf .: e._. ~ m.1. .-.3 mv .. . --- v. .. . . . a. 4 ,., . ,a e t t .L. .. m .. ma m e. A mi.
. -- . .-,-----m - - .
e .4.m,.m.1.
.,.,4. 4 . . L. et L n te m.
. .3 , 7. .. A e m. .m..... e t. .. . . - . .LL.y. f. .
~ .-. ~ . - . .
,e..im m. . 1. T. .L. m. .b*'"-
- m. .m . ehm m..m
-- .m. LL. .j lam.*.O"*"""*""r-"I"-"'-"""""'""'"""'**"'
m _ A ..J e h . -. . .L L.1 A . . .L * ,L _.,e m J . i m1 3.m... un e .7. . g 7,e.n 7.me.~.. m1.
.m m
~
-+ n.mm,
. g,
..u
- e. .m. - - - - . . . .-- .7 .. m .-m.
A.. ,...m .
- e. 7 - . m e . . .n m..,
-~
,m . . . A L A!
e m 7 .m. .7...,.,.+m.--~--- k.,m. ,, L meem,L.A
.m. 1
~. - ,..... _ L.,,.m._.m 7-.g~ ..m m.r ..._m n n v ----,---
. . .. . . .J.,.,.m*m.,
- L. o ~.~.L.,1. mm
,. m ,
e.m. e.l.. - ..e. 4.m.. mr
- L.
.~ ... .. - , .. ..
.,m. - .. ~ , , . . . . .. . .
j
. , _ : .. m e : m.. .... c ._ t,m.e: ,. m..mem 4.,.1 .._ ,a .. 1,..,e. m
,a.. L. A e m
-- ,. - g . -,. --- - - - . .
7.~ . . --
.L -. . mr *1. _ : . ,1 ~. .
... ... 1._.mt,eL.O--'"~~~""*'***~O**-~~'--'*"""-
i l A T. .k.m . . -1~.m
- - e t.m v.. , ,2L.4L..
- - - - - - .. - m_ , m .i. A m. ..-
. .m. .t.,.
.. -- m r .igmm. .t. e.m ,. :.~ L. ,o , - - - m.m. l mm .~. .m1 -- - 1 m. m .
e.. .m. .. .m. 1. m,,..,./O'-~**-~~""'--*'"'O-*-"'*'*'-*"-~
- m. .*m.. . . .L m .. mmu 7
,. m.u. ,3,---.L1. ., m .e.m,, m .m . m.4 m e mm - i m m .. - . . . m.
1.:L L.7 m.o
. . . - m.. . m. . . 1 m e.m , 77. m7. - .m ,,7 ,4. . m. 3
. ..n.
mmm m m , ,.. .
.,3...-.. . : m1 fm -~t me:- m i m .m.,.1.m.,
v7 . . .m. - -,
. - - - --. ~ 7 -- 7 e. m
.m A . . m. A m 7-m .-- - . .g . .n. . . J-
.mu m . . .
v....
. 3 m... . L. .m mt / f tY 4 O.f v'.c h - - - . . m. met,m1L.7 .- -.I. _im _A - m. . m.
. D..D U. Y . . 1 1.
L.O * -- \ " - " '"' " i 1 m OA m
,.3. . .-m ,h m1.... 7.~--. k. .. m.
- . -. . . : m. . m. -AL...
-7.m.-,,.,.2. f 11m , A 4 ~
O""'""O""~~~""""*" La.L m,.,t A me I
,, ,3 m
-...,mC'L ~ ~ e h. .~m me m . .. L.._. m.e.
.... . , . - .L L. e_: 1L.j. L. . +m,,' *.L. . .,
i
.7 m 4.m.. , -...m...
y j_g . u. ..~._- i...:. _ m e. .
, e.~Ae - m,., L _A. _ mk.,u. n _ :e. fm, ..
._.7 - . . -
- . 411 o m mmm.77. m.--.m..-~.y,. . L '. 40 L.. ,.. (b, .. , _ : : *t .. . A
- 1 . L, . . em
- . . . . ~ . .... _ . - "--- '"--~~- *"
.O-~~*" I mmm me.mv7+.----.-...m...~ . - . , .
L. m 1L
,mm_A 77-- n k.,,*L. - ~ y --. -. men 1L.i..m.
. .,m.1 L ml.m mm4 m,, m.. e.k._ ..., A.. ,,,.m,, . 1 L...... m.e :.m... - -- 7 ,. - .L1. - . . .f . . . . . .
l 1 l f _ _ A. ,a:.,2.: _ i. A, A:,. T. .L. . A. A. L. : . . . ., _ .m. .k.,u-~ m -.
~ .sm, 7, .,,.. ..m. .:. . , , . . -. ~ . ~ . . - . . . -
.,m.:
m 3...~.-. P1.m.. 1.- r- TP, -- km e.u. 4. . ...,g /1 1 7 mm
,2..L .-.
a.: ...\ ,. Um,,L.. _. ,. A.L. ,2 4.,. m1 me
-.. L m. . ,.1.. e. _eb,._ AL,2.!.m m. 1 A L 41d,. ..:m... m m m. m1.m. . .
*.m. L. ,, . A e t. .
.m
- -. ~ - - - - - - - . ,
- u. - n . .7 7-.
-,1
,m
-m n. e m .L. . .m. . . . +... .n. .L. .~:.. ,.1. ~ . L L.. . ,m . . - - .. ..
f.m,,.m. 1.--O K U, TP, e.m. 1.-vOn U, .A.D, - . e.L. . m.. mm me.mem. o m. . L. . . . .L . .. mm. . .- L A L* 4k[.e*A *m L. ,l t. A A . . 1
- ' ' ' - " " " - - * " " - - - ~ ' ~
r'-~~'"~'"*-~--------'"~~~~~r"..,*~:m"-6.," bm.
.g . t.e. . .m m..fm..
m.
.f,. . .,.m1. *..m.3 - . A- - - - - - - - 10., U. .A.P. Un L m,r el.m.
A. A. L.A.L. ~ ..- - - .. m1 L, e.e.m 4. . m- ~ ,., . A e m 7..,. m. 2..J..- -- -
,m . . . m. . . Omtem.
-- vv --
.O-" "-
mmm.m.v.. metm (m.. 40- k. . m.. . , .,.J.6.L.a. . .m, , L. ..a m v7 . -.. - - . . ,. .,A.g 3- . U_m,L.. ,31.,4 .. ~ 4.m..,m,,...,L..,.,_, . mf. R. ,4. m. J.e . .,. J. e k mm L. ,4. e. . : . m , , f C L.n t e _ Um,k m ,. . - - - - .
----..mL m.a .3 - ....m .A. m........
-.-.O-*-""~~~-
,4. m. :.. L A. L,. .. - ,d. m. .A +. k., m, o t ., A m. -..- - .f.. * - A.m. .Om.
~ m..me.mo
- g. , . . .
7
. . - - ... - . m m.,- L. .mr. 1. e A.-mt.m
...meL ,m m L.A 7.v. m . v - -
7-.~..---.--- Ae.m 7.--. - -- .m..1.+ .. . 7 m 61.m
- ~.,:e f,.:t . ... :f , L m
,a. m. :e. A. . 1mm.- ... : -..-. - m.r e l..._.,.. ~: ..m. ..:. .. .
.e... 7...
APPLICABLE The containment PARS i- .".= ensure containment integrity by SAFETYANALYSES providing the capability ofcontrolling the bulk oxygen concentration in . 4 primary containment to less than the lower flammable concentration of. 5.0 v/o following a Design Basis Accident (DBA). This control would prevent a containment wide hydrogen burn thus ensuring containment e Technical Specifications N B.3.6-53
25A5113 RDct. A SBWR senadentsauty Anarysis neport Containment Flammability Control B 3.6.3.1 integrity and minimizing damage to safety-related equipment located in containment. The limiting DBA relative to hydrogen generation is a LOCA. Ilydrogen and oxygen may accumulate in containment following a LOCA as a result of:
- a. a metal-steam reaction between the zirconium fuel rod cladding and the reactor coolant results in release of hydrogen;
- b. radiolytic decomposition of water in the Reactor Coolant System (RCS)results in release of hydrogen and oxygen; and
- c. hydrogen dissolved in the RCS is released.
To evaluate the potential for hydrogen and oxygen accumulation in containment following a LOCA, the hydrogen and oxygen generation is calculated as a function of time following the initiation of the accident. The assumptions recommended by Reference B 3.6.3.1-1 are used to maximize the amount of hydrogen and oxygen calculated. The FCS satisfies Criterion 3 of the NRC Interim Policy Statementyn. passive components PARS will be ooerable at all times. LCO r~~'".*..^:....-.'.'..3'-...'--,,'.,.'7.,....,...-.',,,,,,"m.D^."....?,,,d..
.vu. . . . . ...
-* -' ^ r .
m
.r,s
, . ,. ... :mAm
... Amm.
. .rm ..,. .1 m
3 .m.. m. m .. .r.rm m.
. . v.
g,...s....., -,o m.4.....A A ,,., g.m, ., , m.. .. . ..g .. . m,g.,s 1. :..m., . T..h .,.,,..., - . .,,.h..m .. . mg, mm. , . : m.s. m,,.r o . i m .s , .
- L. m o ~, ,s.
. ... -. ._. .. . . . . . . . e.:..m.. .m. m. . . :, ,:.m 3......
..L,....m.m...,,
.. : ,, . L. . ..,..m.. . .
... m. . m,r..,,.,.,.m.......
- s. _m,m ,.: , ,.1. - - . :. r., : 1. . . m . ..
m.j . . , ..3--.....
..,.m
^
m. 43s,m..m s ...: m . .o.. . .4. . h. . . I.m e. ,,. . *L.. . . .. m.s . .m.... ._, : m. m. . . . .t.3.....,.,..L.,,,j.....m.m.. . , . .
- m ..Y -~ A P, A. n,m. 7 3 ., ~,m,.... . m .: m.. ,. ,.,m. L. _.
- m. , .. e... .. h. . -e..
. . h. o .,s, m.
.s,.~...m .. . ,._ . . .. A r.,, m m .. ,. .L.n.e .. m.._ L:.1.:.. 1.:.m.:.... T ,L. .,.. ., l..e.t.,:.1. :. . . , m,, .r g .
At..m.3 ... . m.i .t .rm, - m. .. ........, : ..,s. o. m. .. : :.m. L,. 3......,..~ ,j . m. m. . ,
,.L . t.o.,. A . m. . h. m
. . s . ,m . .
- m. . :.3. . . . .
.m..m..m..... . . . m3r. m. /.L
.m r ., . . .. .m. . n, m m et:11.,.
ge ,,. . .m.m...
. m,, .m. . . . . :.m.m... .
.m.
s_..,.,.m ..-. . . . _ ~ ~ . . , 1.: .m.t.. .m. mms.A m .A.,\
. .. . h.e... ,. . m. 1. A... .m.,. .. .. .:. .. .L. . h. .. ,A_ .~,,3m. .. , . .
. r,st.i.m, %. . 3 1 m. .
7 . _,I nPm A. T. h. m. e m ,. - 1,m. . . m . . 1. A. , L..,. c 1..,. - .m. r.e ,. .. m. m,, . ,.h. . . m ime A .,s ,. h
. g. ..
3 .. .. .. . L..:.6 -
. ,.- ..:m.. , ,s. r ~. ,. . e. . m. m.,mm.
. m .m. .g.m.
.s.. , . . . m ., m.s m. . A. - . s . g , .
m......m. m, .. ,. . .. . . . m..,A.,.,.,,_e g 1. . , h., m,. e.. L. . ~s, m. . ,: m. m. . m.
. , . . .. .. . ,. s. ..m,.. ..,.o.._.,o m. m. . ._, : .s. m. ,. . .. . 1.m. e.t.,e.3
. ,. m.m.._m.
,..L.- , m m. . gm. m..e .. .. .. m. . ...m. A : ,,. . h. m ,,,,,.m.,,
r ., m. e,.m em .. .
. ,.m s,m.,.
m . .. . ...
.s.1.f . - . .
tw
.m.m.3 .m. . .
1.s . ,_. A m. . . : .. m m ,.m .1 A
- m. - - y .. 1^ " ' - - . im.m " ' 'm- A " :" ----
ms m e ,: , m m.s .' " - - ' " - - - - - - - ' ' " '--'- ,1, '-m"" "m' m. - - .-. - 168.3.6-54 Technical Specificatione
25A5123 %v. A SBWR staaentsanyAuryns nepar Containment Flammability Control B 3.6.3.1 APPLICABILITY Not Applicable
...L...
T .m.1 X.v.An, U
. . ~u C 1. m.m. A O, .h.m. rm. . ,.m
- - . . . .v.
m.- ......
,: . m. m ~ . m. . ,.m.
- 13. .t e.m-- -- j ,e_m .m. ~.o.
. 3 .m.~-A e.,, .m ..v. . m1 .-h.. mm . jg.mm . m.
e m, m e m m - - - - - .
. .n e m, .m. . ,n--e. k. .. g ,m,m m
- e
- -m. -. ~ ~ .m m m e.-
t n.o .m. ..m. ..m,k,:11 mn T AP A n . .. . m L ~ L_. 1.m mv . .e . .
.y 1.: .m.i. ..m.r K . A..f. .-/..,, .mn
.. rm11 m 4. m.O " " " '- *' -
- * ** * ~O m
.m,m...-v. ..m-~, m .:. ~1~ . fe:1 v.m.3.. ~..... -.,
%. ..:. ,. m.m ... .- - . - ,.m,.m.m.,m..,...
m - . . . .
. I m. . e..m 3
- 4. .. . o ., A
.y - . -
_ . no _tm u, m,...:m.,m. ,... .n....A ....m
- 7. . .~ -
.. An....nn e.n. .
.y . ~ 1.n m -- ~
A 3 - .7 . .
. . ~ . .-. . m..m 1m.m.. A . 4.. h. . t..m.
.vm .~ n . -v..-.m..
,,,.m Y.n. M.AnrQ-, .mb .,e : m m nem emA m L. 7. . . A .-m ~ m .,vy . . mm,
.mm m k.,ne.l.
. . v~~ v
. L--- v .,- . -A
/O*r*"'*"'"""**~~~~~'- ;
mA.., e.t. m m 1. L. .,. .Am,,n. m .,--
--- o ., ,- Am.my.mm.m. nn g, m
,---~~- - A ore.m. m- ~nT AP A. .mm n-- .1.A_ km.
1 ,,1, e.L.. .. . . n, D,.A. L
- -T A, , P A.. .A.1.. m , - ~ ~ - - - nr .L..
,n . . . m
.-. ..e.t.
1 - . . ..m... -- . 1.,, . m - -A .rm
,,: A m .
1:
- .m..t.e m A.....: m..m.L... e.k..:, M.-~~Anr,
. m . .
m e.L._ 7. mk.e.h:.11. -
. .j. m.r v o.m. .. _no.--...
.m m .t .4.m etm ,m m e , L - . m : . m ., t, Im . Thm fm.. .h.
.1"""O"-~"""""""'***O""'*"~-' - - - ' - " " ' ' "**
o -mm.e
-. - . . n :.m. .m. . .D""**"'""'-*"'-1'---'"***-"""'
1,m t e m , e.m . m. mA In unnr Q T..,.. . u.n_ nU,C, A. m A .K, *L..
~_ -. . -
6mkok:1: *,, e ., A ,m.m A. . ., a mr T AP A r-""--"---/---'----x-'---'------- e, m,.,e m m. 7.m. , i. . .. u m. .:. - . : ~.,~. :n t. m..
- i.m . A . . - - - ...
_ m . . . . ..
- 7. -.. -. - - . A. -, . .. - . , - . . .. e.s. _
, u..n,. n. r e. T.1. m.m.em.m, e.t.
. . . m. m.. , : m.._ .....~..e..._.m. _.
. -. ~..
- ,m :
.... .. .~. . .m,-- -~ .: m A ;
.u. -.nn, r e, . m :.,em
~ .. . ~ - . . m.m....
.. t..
.-~ m. m -. . e , L. . . . m .....-e....,.
I i I ACTIONS Not Applicable-AA. w:.t.. .. . .m.. . ~-- ,. . , : . .. ..: ._m.
. .:. m. A :.,.: .: m.,. :...vy,....,.~-.m,,7,
. . . . . 3 .~. -.
m.v
. mm ,nu e t m L .m ..~n u..
-, L., ..j.,e.m .m. m.--.hm, ....
.m, . m, m A e. m A, D. U D. A D.,T U e m + . . .,. A.. h. L. . Q, A,, A m. , Y. .,..
~
- .-, -- . s ~~-.-
. . - j.
e.k.~ .t--. .Pm.. A, : .L.,
.m m. . o L. .L.. 3 v .ADrD. A.D-.vT U Am.m,
~
e h. m.. . - m A ,. . . m.. m
.. .., ~ ~~~ .~
. A n..
~
-- 7 . .
m A L , A m mm ., ,,, . m1 f, . .s ,. L U m _. e.m..-m .#. .m . . e.h. . m. m m. .. .~m m 7 /O'--~~"-*/'**"O'-'-*'*"-----"-*'--""-' e.t.. m m,.mm..m. 1.1. . m, 1.: e k:1..: .,. . t ,. _ A . . , m A k,m o n . . . ,. n. L. 3.m t
.f.,11..
. .~ ~ L.. .h..m l .. .
. -. .j - .-- ,-- - - - ~ . . ~ ..---
ADrD
- v. A.D..T ~U A -.:.,A .*
. -.v m.m.~ o m, ~ 1. A.- .. ... . 1..
- m. .m A . . , mA. m-~m .,- j 3 .- . o .m. A.
...~m m ,. m.m. ,m. m, ...v .n- mi t . h., _m . A L. .j.A -.my . .ml. en.7..k.:.1 7: .. . T.1.Q A,, A .m..
j vv. P. m m. 7..m e.L.m. T. :.m. . m. . . ,. - - m.,. mr. o.Y A,., P, A. e.k. . e . . ..m .1 A.
.m e.h.. m..n imm m,,.m..m.,.m
- 7. m L m L:.11 . .j m. m.r .L.m. .. . . . . . - . ~ n o -,.
nem A L .A en7- mnL.L.. nr --- n n. .n m ., n nm ynom..---
.. - n,3
.-k n m, m,- .. . ,..~ n j3~..-.-.7- - . --om--
A k. 3 e h. . m. n.o m.m.mL.t.t.:.
. . - 5..y 1. ..m..t., .. #.L... . I.m ~e h. mr m. e m. : m. . m o..re.m. . .. . . ~ .L...,.-m.- . . . .L..o.*.
3- . mm n, m.m mAem . f m.m. 1 m,, t. , ,. 7~ . . m e.: mm. n---
- . . . - . .mm .1 A km . mmg . ..--
~~ -
m7 m.m.,.m .~ ~ . . e.h.~ .. t , l. i .m.:. .-m
.g
- m. ,.mmA.mA,.e.m.A. .L..
. _- . L.".m m mheh:16.mrreL.m. mrehm ADrD A DT U r-"','----'1"--'--'----'--'"-----~-'
_~.,e.n
- a. . ...., m..m
.. .m..... 3.....
. . . A...
-...... ~.. .
. ~ ~
D. mp .m m.. : m-A ,.A.r e.L.m a. . .A. 1. L. .._, E.,m m..,m,s.-.m.-A:M,.A ., . L.n M..me.m m .h.n . t. ,L. . . . o.. m ...-.k.m. .
~j - ,-m . .
mm a.L.,, mr T PA Q A A o m .,m. e m.,1: -~LL A.e m. . 1. m unne
' ' ' ' ' - ~ ' - -~'
' r r * - ' '- " - ' ' - ~ - " ' - - ' ' - * " " ~ ~
r r-"'--~--""-~~"..'A..m.,.
,m :,
,.h. .m .m.3. _. m i t m _ A n
. . -~n-
.. m.m. . sA:..a.: m... m.r.:3.m... m : :. ~ :.,mm ,LL TL :,.
l
. ~~ v
.'~r'~'----~
mu. m . ., . :,~
- r -.. "
m.m.:AmA n_ ,..~ mr. m ano im .. ._L,n:i:e, me .im r-"'-""--"- vi'---~"r-"'^-"---'l"*"- TechnicalSpecifications 168.3.6-55
25A5113 Rsv. A SBWR suandsaMyAnalydsRepen Containment Flammability Control B 3.6.3.1 m,, , . . m .m. ~- e
- m m.f .,. Y.,AP, A. e.h. .m. e. .,.,m m- . 1. A
-m .
- m. m.yj.-o . ---
m
..m AA. 1.j.-m . ,.my. m m.
vs-.... v
- y ..- m.
*.. .m..m.m,......- -y r e n.~~L1.m.n. m f. .. . .o - ,m m e mt A
- ~ - . .
m.3 .h..m (1m m...m mL:.11..,.1:~~..e., /O
~ . - -- ~.
r- ,i eh.m.- 1m,.,,.,. m
. - .rm
- - . -L . m mfshno A, , .D r~.-D- A D T._r A .:.,4 * ..m, .m.,, /9\ ehm
. 7 mk.o.k:1.:.+,.
- - - . mrv. e.L.._ v. -
. rvf ---
m osm. 1.m .y me k. . v.r +..1.m. . . i e re. m.. .m. 7 ,,.. 1.mem
.. --- -~ A T ( V,.'A. L.,o..rm.,em, m .,
~7,.m. m..e. .. m.m.~o. : m. . . .
.1 .,m. -. 1. A 1,m. m. .. ,.g. .m A e. m,., m .m.,m . m 7.m - . . . ~ , m m A
- m.g,. o h m- - - .ilm m. ..m.
s--.. -
..y..m -- ....1:m L:.11.m t.
f.,m. .m. . Lmt. ..gm , .. A A m,r. ma.tm. L. .. .A ,m,.m
. . -~ ,m _m ,..,., - . . .m mg Af /..A..\ +.
._ L.~am.., s.:1 m.L.,:.1..: *.m j .
7 . y .. m....,m..-.3 . ., e m . . ~ . ,
. 3 j.
M u, ,n. e.t.. . . .,..--. _ a m. e. . : m. . _. . m . . e. :.g,...
~ . . . . ~ . --
a : .,.: : : m .-.m...: . mmm m. 7~.-,.m,, hi _ m. ,.- .L,,,.
,j .
,. e m m
...-. . . e k,m ~ . m,,e m, . -
m A e.m., A,, D. .E. D A.D..Y. r ,
. ..- .,,J. e.h. .. *. . .., 4
. . - *m.+.. - A .m.. _.7,,, .. T. L. .
m1 1, L. e m A m... .. L. . 1.m, ,.,,m.7.mL., L.,i.t.:*,., m.r e L.- A..m,j. _.,
. (%,v .m. 7.me:
, . - m- . . T. .: m. m,. , --- ,.
. 7v .
mor...~..,~ Y A,., P. A. ..L..o.e.... .. ~m
- m-- ' m A m. .~o
~ ~ ~ - . . mf .m.
- v. . .m,, . 1 A 3 ~ .. . '.. L"I. .A ~ "D' " "" " - / C "
l 1 il,. ._ mL:1:e,, t- m.
- L. ~-.m...- - . - ,m mm.L1.m, mr ..,mm A m.y m e om o
- 7. - -. . . . - ~ ~ - . . .k.o mm,.,.3 l
i 1
- m.. : +. , e.h. . m.
1m m. r e.:..m. . m , r* .
-.m h ...m. m
- m. ,. *1 m.. .,,m.
~ . .y L. . . e..m. ~. . . . .
- L. . m .. mg .m.m e.m. . . v 1. A. l k.,m. m.* .-A e.m,.,m m.
... m. .m.,. i A 1 m
*.k. .m, ,m,.m...I : m L,112. . m.r ]
3-.m p . ~ .m -~~ . .g ... ,. t.1.,1..: m.#.. m.
. . --, J. . .-
7 i
.L... ~ te ,n A A .. 11 m.. no emm. l
.'"D--~""~""""/"'-r""O'*/"""~'
)
M l l l l mi 1 T.L. m y ..m, ... m....., Y P, n_ A A m m , u.,,*.
- m. .si..m ,. m A A. .K. A, , n_ r_ t. . . .L. .. L. . *.L.
7 -~ - ... .m. . . .. n. If L. . mm ...L.. m m,e.km m7g. t.,.
. - .m.mmm
. ny. _mL,1.m ,
mm.+,.m..m.. . . . ~m. 3 *. e. m..,.,,,,.m..m..
. - . ~-... v.
. .,.*. m . A e.m -m. ADrD. A_D T_~U .o e m,.. ...- . . . 4. L. - -- motme m ---.- m1
- ~
.~ A em, ~ m. 7.m a t m,.. T. .* m. . . m .
T. L. , 1, A m
. L..,m1. ,y moi. .g~.h. . . m1..,
l . m e.1._, ~.. . '-1.E.-- An., r 9 .,J, .e..h.:.m. . 1 0, 7 ... - -
- k. . m . ,- - . T. h.o. .~,11. ~. 1m, A 2. m .
. - ~- ~mm. . m17.-m-,e.t m .i.m. .. . .. m . .mr10k.m.m . .-.- - -.mm.mm.oL1.m. - -. --
etm. , k.m..m -A mm.
- . m.
mmm . m m .. mm . m , . . em .mm L 1LEAnr 9 f
'" " ' ' ' ' ' " ' - " ' ' ' ~ " ' " - " " * "
m.m f. 11 7~ ..-..b*r'""'**'-'8 " " " " mm,. 1.m 7v -- . .A:sim
, m
- - .., t .. ... . m. .
m, A. m, 1.. , . . m .,.... j . -...- m A. .J. .e.k. m.. +.. . h. ..m.1.1...g m ., A."m ,. O m1m . , . - 7 - ... 9 .e.m m. ~. SURVEILLANCE SR 3.63.L1 REQUIREMENTS Dm
. .cm __ m m. _~v.m c .. .j_.,. m m.......-.
_. c. . .. . : _ m.1. . m ,. .mc . _- m _1.. ~. _- ._. .m
. . . . . . . . . ., . - . :. m.
. .._. . m ..
I'enit- cube l/ete " ensuree that the $'*nitere e are OpED Ag[E and can mm m + e. n .t
. . m m. A . . . . : n. e.h. . m.
e.mm.7-........m..~.,....,,-. 7 . m,O.m,,.,...7
. -.. . v y . . m.. . A.
L: t 4 4*
.. .A m,,y,. m.. m--.,.m m. . . ..-m- e. .m .m. . T. m. m m...~ 1... , e h.t, CD. . . .m.
L. 7- . e.h. .e + e.h. . m, 7.. .w . . . - . . m.t. ... m.......
- 13. .t e.~m mm --. :
..m.7-ue..~.-.-m.-,
... .~
m.m. e n,, 5 - -0.,070P, /14. g A,,n,, or\
.f . . . -
1.K.m..*....,.., ... . J, e.k. . e. .. . .. ~ m . o.t..m. me..n t. m A,. m.e. mm me..
. - . . . . m, fm, .- me m L. o.s. e. l . 7..
. . - - . . . e.,
Im m . e. (m . , h. m. b.o.m.m.fe.m . m., e.mm ..L. .. -. Lm -e k.m m1.,:.1.:.* . mr
- L.. . o~ .g..
7 m.
~.
t.e m .
. m.
*n
.m m .mmm 1. Th o r ,m m . m ,.. . mr m. m .m DrriTT UTMP
- f. . m. . - e. i.m .. r ' 'r ' - / - - ' - - 'r - - '1 "- ' ' ' / - -- " --- - ' ~
168.3.6-56 TechnicalSpecifications
.. . ~ . . _- . - . . . ,- -- 25AS113 Rn. A l i SBWR standard seneryanserses neport l Containment Flammability Control B 3.6 3.1 \ 1 T Y. T. r..D.t'.tT. .rm.., . h. . .. .t C. .D. . ... .. ..A.- m. .ml. 7_A _ . .
- 1. .: .m. 3 .-...-...e._
. . . ..s . ., h. re , . m ..
. u. m..
. ,. mA a n -.... -. m
-. r.u. .. . ..:
,-.7 .m .. -.A
,m .,: s.. .,...,,. .,,. - - - - - .
j 1 1 SR 3.6.3.1.2 1 1 Even outage PARS will be inspected to determine any external dnmage. Anv debris that collects on the surface of the catalvtic elements will be
- removed bv vacuuming or other means. To ensure that the catalvtic elements have not been ouled r by foreien material that could reduce their efficiency selected catahtic elements will be tested for recombination effectiveness.
mt.....,.: i m.m,ti.. T. n. :.,,. C D. . m
.- . - .,. . ....... -... .L_~.. ,,..
..,.n...m.. - ,.m_ ,, . . u ,, tr_ , .- , , , . .
- .- -- .. 7 j. - 7
, ,mm m .t *k m,, ... . . .C ,m...-~.m t. . 1.. , - -- . . m, L. n ..~,- ! , 1 71.7 -- , . .. , L. ._7_. .
. t. . m.~.
t.3 ~7-. . 3 . . . - - . ..
- m. ...Lt
-y,.,..m,.,. ,
- 1. , e.m. .~... 1 : . . .,1 . .m ., k. . m .1, .,,.1 .O.m. : .1. . .. -.~. T. h.., m..1.. ,. J*L1.m
-m .
.j - . . .
..y----.
o m ..Am .. ...
.m.-,..
- r.
- 1. . . . . ,,1.. .
.. .~
1.~, . m, r.mm.~. mm 7 ,.,. . . _ ., . . L . . m O'**"'~'""" t .. :1.
" " " " ' " " " " ' ' ' ' - ~
;- n ,. .,
..7-,..,-~.
.A..".. . - -41.!. . ,7 - ~ ,.
, . ,,:m.. 1, ,. -. .31.,.I _ . e d A m. . -
1
-.---.v a k m . . . . .1. e m i~--- J .: .L ...
.- L. -~ ~ - - - - - -- .,. . . , k. . .r.m.:.1.. . . ,.- ,. T. L.. r.
. - - . 1 A e. a . . . . . m .
-~ .. m...., ,..7 - . . ,. 7.. , .r ._..
.j D_rr. i fr. Y TY. .P. Y.A. .M. D.17.A T-.m,, T
. . . L. . I . C. D. . . ~. _. . A.m. . . .1. m , A - m,,,
7 - . ..,,t.
-~. A - *
- m. g~
-,..ek re,.m .
--- - - - - . _ .L - ."00'"*""'""*7*r""'""'""*'-"""'""*
.,.~.J .. mr.L m,...t - . A -m ..! .- .
M.:6-@S6r
.CD. . Q
. r,, . .9. 1. . Q., .
i I T. h. .t ,. CD. 7- . 4.*m _ . m_.
. . . . . .. ..,:..m
- - . ~ , . -.,gm.. . - - . . -
J,.
. . . .. . m r. m- _,, , k. . :.O * ** * ' " "'
.. .m
. ..1,.....L.,...L..,.,3_.,..k.,1..,3.m.,._.J..,.. T. k. .t ,1,,
,~ --.- . .~...--...s...~.-
L.,..,.:.,...m m. . . ,3 cm
.me ,. m . . 71 .-.
--- .L. . A.. L.,. , . . t r. .: ,.
7 k.m ..-.73... ..--.....0"""*"'"*"*~~/ 1, :
. m . 1, 51. A,, , A,, A,, A, mk. ... . T. h.. . . r. mr . D. FUT T. -r T TV. , P-3.. . . . ~ . - .
m ., . . .3 . . ~ 7 ,,... ...j T.V. T. U D. .i.f.A T. .tm. . k.t , .C, D. ... . . _.--. . J -. 1.m.m, ,. _ J.. -_ , . . . .
. J . : ,. .. . , L. . .ca , e.m..--.m._
.t. . ..., . ,__..J .~ . . ... a,, r . n.. .
m . . : _ _ .7.......
,-. 3 ...... . - . . . . . . . . .
- _ . , ....-~.-.
REFERENCES B 3.6.3.1-1 Regulatory Guide 1.7, " Control of Combustible Gas Concentrations in Containment Following a Loss-of. Coolant Accident, U.S. Nuclear Regulatory Commission.' B 3.6.3.1 2 SBWR SSAR. Section 6.2.5. Technical Specofications - Amendment 1 DRAFT 168.3.6.S7 322s94'
2SA5113 Rsv. A SBWR Standard Safety Analysit Report Containment Oxygen Concentration l B 3.6.3.2 B 3.6 Containment Systems B 3.6.3.2 Containment Oxygen Concentration BASES BACKGROUND All nuclear reactors must be designed to withstand events that generate hydrogen either due to the zirconium metal-water reaction in the core or due to radiolysis. The primary method to control hydrogen is to inert the containment. With the containment inert, that is, oxygen concentration less than 4.0 volume percent (v/o), a combustible mixture cannot be present in the containment for any hydrogen concentration. The capability to inert the containment and maintain i oxygen below 4.0 v/o works together with the Flammability Control System (LCO 3.6.3.1) and the Containment Atmospheric Control System to provide redundant methods to mitigate events that produce hydrogen. For example, an event that rapidly generates hydrogen from zirconium metal-water reaction will result in excessive hydrogen in containment, but oxygen concentration will remain below 4.0 v/o and no combustion can occur. Long-term generation of both hydrogen and oxygen from radiolytic decomposition of water may eventually result in a combustible mixture in containment, except that the passive, autocatahtic recombinen recombindgetem (gic" p'ug ) burn hydrogen and oxygen gases faster than they can be produced from radiolysis and again no combustion can occur. This LCO is to er_,ure that oxygen concentration does not exceed 4.0 v/o during cperation in ' the applicable conditions. APPLICABLE The Reference B 3.6.3.2-1 calculations assume that the containment is l SAFETYANALYSES inerted where a Design Basis Accident (DBA) loss-of<oolant accident (LOCA) occurs. Thus, the hydrogen assumed to be released to the containment as a result of metal-water reaction in the reactor core will not produce combustible gas mixtures in the containment. Oxygen, which is subsequently generated by radiolytic decomposition ofwater, is recombined by the ignitem (LCO 3.6.3.1) more rapidly than it is produced. Containment oxygen concentration satisfies Criterion 2 of the NRC Interim Policy Statement. LCO The containment oxygen concentration is maintained below 4.0 v/o to ensure that an event that produces any amount of hydrogen and oxygen does not result in a combustible mixture inside containment. 168.3.6-58 Technical Specifications - Amendment 1 DRAFT 3N2iS4
j: ? I 25AS113 Rw. A SBWR seededsawyAndrsisnever Containment Oxwen Concentration B 3.6,3.2 l APPLICABILTIY The containment oxygen concentation must be within the specified limit when containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen.' , Inerting the containment is an operational problem because it prevents containment access without an appropriate breathing apparatus. ! Therefore, the containment is inerted as late.as possible in the plant j' startup and de-inerted as soon as possible in the plant shutdown. As long L as reactor power is below 15% RATED THERMAL POWER (RTP), the potential for an event that generates significant hydrogen is low and the con tainment need not be inert. Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup _ or within the last 24 hours before a shutdown is low enough that these
" windows," when the containment is not inerted, are alsojustified. The 24-hour time is a reasonable amount of time to allow plant personnel to l perform inerting or de-inerting. ,
ACTIONS M 4 l If oxygen concentration exceeds 4.0 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to below 4.0 v/o within 24 hours The 24-hour Completion Time is allowed when oxygen I concentration is above 4.0 v/o because of the availability of other hydrogen-mitigating systems (recombiners) (e.g., ignite =) and the low probability and long duration of an event that would generate - significant amounts of hydrogen occurring during this period. ; If equipment used to monitor oxygen concentration in containment is determined to be inoperable, the containment oxygen concentration is not considered to be within limits and Required Action A.1 applies to - restore such equipment to OPERABLE status. M If oxygen concentration cannot be restored to within limits in the associated Completion Time, the plant must be placed in a MODE in which the LCO does not apply. This is done by reducing power to s 15% RTP in 8 homs The 8-hour Completion Time is reasonable, based on operating experience related to the amount of time required to reduce reactor power from full power in an orderly manner and without challenging plant systems. TechnicalSpecifications 168.3.6-59 I
l l 25A5113 R>v. A l SBWR standardsafetyAnarr stsneport regime since the oxygen is diluted with added hydrogen. Further details of the CACS can be found in Subsection 9.4.8. The SBWR is also provided with hydrogen passive autocatahtic recombiners (PARS) pite assemblies (as part of the Flammability Control System [FCS]) which mitigate the buildup of oxygen in the containment, due to radiolysis, from creating a potentially . , flammable mixture. Radiolysis is the only potential source of oxygen in the SBWR - primary containment. Further details of the FCS can be found in Subsection 6.2.5. ! 19G.2.13 Long-Term Training Upgrade [ftem (2) (i)] j NRC Position Provide simulator capability that correctly models the control room and includes the capability to simulate small-break LOCAs. (Applicable to construction permit applicants only.) [1.A.4.2]
Response
This is a COL license information requirement (see Subsection 19G.3.1). 19G.2.14 Long-Term Program of Upgrading of Procedures [ item (2) (ii)] NRC Position Establish a program, to begin during construction and follow into operation, for. integrating and expanding current efforts to improve plant procedures. The scope of the program shall include emergency procedures, reliability analyses, human factors engineering, crisis management, operator training, and coordination with INPO and other industry efforts. (Applicable to construction permit applicants only.) [I.C 9]
Response
This is a COL license information requirement (see Subsection 19G.3.2). 19G.2.15 Control Room Design Reviews [ftem (2) (iii)] NRC Position l Provide, for Commission review, a control room design that reflects statsf-the-art
- human factor principles prior to committing to fabrication or revision of fabricated control room panels and layouts. [I.D 1]
I Response ! This item is addressed in Subsection 1A.2.2. l 19G.2.16 Plant Safety Parameter Display Console (SPDS) [ item (2) (iv)] i i NRC Position l Provide a plant safety parameter display console that will display to operators a !. minimum set of parameters defining the safety status of the plant, capable of displaying 19G-6 Response to CP/ML Rule -February 2% 1993 l
SSAS113 Re:1. A SBWR standad sarery Anarrsis sopors
- N 8 8 1
1 1
% J j
~ -
,,- ^ ~ ~
8 ' Figure 6.2-23 PAR My+cge.- !gd:- Distribution in the Containment Containment Systems - Amendment 1 DRAFT ' 6.2 135
%22A4
25A5113 Reu, A SBWR smahdsantyAnarsisaerort I i t I l i l I f i 1 i I 4 1 i l i l i l i j
)
i A c: . .. e..9_ oA,
- u. -.A .m.. _.- n
. .t.a.m
. .. --e.,_ . .. c
.. . .. . .L.. . _..4.:. __
d 6.2-136 Containment Systems - February 28, 1993
-&. y n .+-
25AS113 Rsv. A i SBWR standantsm Analysis sepan l { 1 4C k,! 4 l cl Cl l 1: O
'4i ilI W3 l :
4 > t i 1 ; O C>- t> dI D Wlt "Wl3 i B ll
.AI li O
L> 0: 3: Gl J 0) Wi 6 ai O
- a. l
\
- I ED U2 l
l l Containment Systems-February 2S 1993 6.2-137
4 . - . i -'g , 3 -
, i 4
- - ~
i p . s' l .. l , f nas
.-t.al 4
. x I
l
. l l
=
1 s l-1 I l l
-i l l l
Y > 'll 4I k 1! e$ c o en m . : o 1-t l l l M 4.
<m a>
l s I
.i.
O O W-
- l--
W. J % -LLI-O O I l 1 I I i 1 h LJ Q Q II (D 4
'l
- ,, , , ~ - . - . . - ._ . , . , . . . . _ . . . _ , . . . - .
- r g s ?6 m b A , _.
V E "_
^
RR A s 3s ", 11 5o ^, 0w 5e 2s . Y _ I, a 2 _ w 3 D E 4 T _ E L , E D - 3 6 _ 7 _ E D C = B A _
._g.-s o ad e w 4 + - -aa w- m - - - - - - - - - - - - - - - - - - - , - - - - - - - -
D
.f's $ 49 M.
ge J-it e 4 d lf e-a 3-1: I. gh 6. N 1 en er
'I f.
I
\[ I O
1 i O W
- F- ,
4 W- i 4 i ---en W ' O en f% W O Q Il g 4 i
oJM.r ._ .4 +-- e #wa a sa+d- w e a- -
- n m i
I E -- d> G ,4 i D I { tad k *6* 4 E( 4) M 1-N@ 45 M ,
.I d
M l
'a o
),
f Il ! lf
.a L,
N a> 1 i I- U u 6. ( ~N i i O W
, F-W J
- --e LLJ g
1
-j l
1 i l 4 1 l 1 1 b y c o Il (D 4 ____-__-- ------- < -- , _-. . .4--- -.-
i l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) L SIMPLIFIED BOILING WATER REACTOR
- SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l
RAI 420.5 l The last sentence on page 7.1-9 of the standard safety analysis report (SSAR) in the discussion of compliance with RG 1.47 states that those portions of the bypass indications that, when faulted, could reduce the independence between redundant safety-related systems are electrically isolated from the protection circuit. Identify which are the portions of the bypass indications that are referred to on SSAR page 7.1-9. GE Response: All bypass status indications of safety related systems are isolated using l isolation devices. See attached revised SSAR subsection 7.1.2.2, page 7.1-9. l l l 3 l
REF. IR AT. 4 20.5 _. 2SA5113 Rev. A 'SBWR standard sonrty Analysis neport l l 1 Conformance to Regulatory Guides The following compliance statements for Regulatory Guides apply to the I&C generally. Individual system application is addressed in Table 7.1-1, and possible clarificadons or , excepdons are discussed in the Safety Evaluanon subsections within Sections 7.2 I through 7.7. i Regulatory Guide 1.22 - Pedodic Testing of Protection System Actuation Functions - All safety-related systems have provision for periodic testing. Proper functioning of analog sensors can be verified by channel cross-ccmparison. Some actuators and digital sensors, because of their locations, cannot be fully tested during actual reactor , operation. Such equipment is identified and provisions for meeting the requirements ) of Paragraph D.4 (per BTP ICSB 22) are discussed in the Safety Evaluation subsections within Sections 7.2 through 7.7. Regsdatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems- Bypass indications are designed to satisfy the requirement of IEEE 279, Paragraph 4.13, Regulatog Guide 1.47, and BTP ICSB 21. The design of the bypass indications allows testing during normal operation and is used to supplement administrative procedures by providing indications of safety-related systems status. Bypass indications are designed A "" d isingisolation devices to in c r.anner whieh-precludes preclude the possibility of any adverse electrical effect that hvoass indication circuits could have on the plant safety-related system. Ecce pertion: er the-bypass 4adication: czhich, rhen fau'ted, ces!d reduce &e independence between-redundart cafety-related y: tem: are electric !!y i:clated fren' 6e prctection circuits, Regulatog Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems -The safety-related system designs conform to the single failure criterion. However, this guide is outdated in that it endorses an earlier version ofIEEE 379 than that applied to the SBWR (Table 1.9-21). The augmentations of this guide are therefore assumed to be equally applicable to the later Institute of Electsical and Electronic Engineers (IEEE) version, although the section references in the guide may not correlate. Regulatory Guide 1.62 - Manual Initiation of Protective Actions - Manual initiation of the protective action is provided at the system level for all safety-related systems. Regulatory Guide 1.75 - Physical Independence of Electric Systems -This guide is outdated in that it endorses an earlier version ofIEEE 384 than that applied to the SBWR (Table 1.9-21). The augmentations of this guide are therefore assumed to be i equally applicable to the later IEEE version, although the section references in the guide may not correlate. l l Introduction - Amendment 1 DRAFT 7.1-9 331)94
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED HOlllNG _ WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.7 The application of high technology semiconductor electronics components has resulted in high current densities in some portions of equipment used in non-nuclear application. Identify how these higher current densities, which can result in localized hot-spots that can damage the electronic components, will be considered in the design. Is there provision in the design for monitoring hot-spots and high localized temperature? When designing the electronic equipment, will thermal analysis be performed of-the electronic boards? What method of cooling is being considered in the design, forced or natural circulation? GE Response: Computing devices used for SllWR instrumentation are designed to utilize the lowest power components available for the task. Technologies such as CMOS and low power Schottky, including high speed and advanced h versions, will be the standard device types used for all functions, including the microprocessor. The emphasis is on low stress design; when these components are operated within their voltage and current ratings and at their specified clock frequency,-no unusual heat stresses will occur within the semiconductor materials. As much as possible, all components shall be of the high reliability type or adequately screened and burned-in to ensure high reliability. The only likely areas of high current density will be in the power semiconductors of solid-state load drivers. The effects of these localized hot spots will be mitigated by proper heat sinking and ventilation of the local area, following the component vendor's recommendations. High power devices will be physically separated as much as possible from low power circuitry. To ensure that adequate compensation for heat rise is incorporated into the design, a COL licensing information thermal analysis will be performed at the circuit board, instrument and panel design stages. The heat release by internal panel components shall not raise the internal temperature of a panel to great than 15 C above external ambient temperature of the equipment room for electronic components within a chassis or within any printed circui tfile structure. Convective cooling is assumed; cooling fans, particularly for safety-related equipment, are not recommended for mounting within instruments or panels. However,if fans are used to increase reliability of equipment located in high density panels or high temperature areas, no credit shall be taken for forced-air cooling in the thermal analyses, since it is intended that all computerized 4
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS i 4 RAI 420.7 (continued) instrumentation will be installed in the Main Control Room or in other areas with similar environmental conditions, adequate HVAC will generally be available for proper heat transfer. In case ofloss of HVAC, the instrumentation is designed for operation to an ambient temperature of 50'C. Emironmental qualification testing of safety-related equipment shall include adequate margin to ensure that this condition can be met under extreme conditions. The minimum margin shall be stated in IEEFe323,- Subsection 6.3.1.5. Additional margin will be determined by thermal l analysis of the installed equipment areas. J All I&C designs shall meet the environmental criteria stated in the following SBWR requirements documents. (1) General Electric Environmental Qualification Program, NEDE-24326- ; IP, Proprietary Document, January 1983. ] i At the component design level, the methods of MIIeHDilK-217E (or latest revision) shall be used to include environmental stress as part of overall reliability prediction. During the detailed design stage, the Part Stress Analysis Prediction method shall be applied to all parts, using an appropriate environmental factor such as Ground, Fixed (rack mounted, air-cooled, but uncontrolled emironment) or Ground, llenign (control room-type conditions). Thermal analysis is an important part of this method; all analyses shall follow the methods described in MII,HDIlK- j 251, " Reliability / Design: Thermal Applications". l 5
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.8 The SllWR design has active non-safety systems that perform important functions. These non-safety systems need to be operated reliably. To address the needed reliability, provide a discussion of the following:
- a. Overall design verification program for the non-safety equipment that are important to safety;
- b. Software development program, as described in Question 420.3;
- c. Self-test requirements and surveillance test requirements;
- d. Reliability / availability goals; and
- c. The applicable standards and RGs.
GE Response: (Note: complete responses to items a), b), c), and d) are provided herewith. Response to item e) may be supplemented as deemed necessary following l resolution of the Regulatory Treatment of the Non-Safety Systems Issue). l The non-safety systems control and instrumentation that perform important support functions, identified in the SSAR sections 7.7.2 through 7.7.9, are as follows: C11 - Rod Control & Infbrmation System (RC&IS) i C31 - Feed Water Control System (FWCS) I C82 - Automatic Power Regulator System (APRS)' C85 - Steam Bypass & Pressure Control System (SB&PCS) ! C91 - Performance Monitoring & Control subsystem (PMCS) of the ; I Process Computer System I l C91 - Power Generation Control Subsystem (PGCS) of the Process i l Computer l System C62 - Non-essential Multiplexing System (NEMS) C51 - Automated Fixed In-core Probe Subsystem (AFIP) of the Neutron Monitoring System l T31 - Containment Atmospheric Control System (CACS) except for the containment isolation function 6
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.8 (continued)
- a. Design Verification Program The design verification for the non-safety instrumentation and ,
controls, that are important to safety, uses the same basic process as that I applied to the design of the safety system instrumentation and controls. A structured, engineered approach to the development of both hardware and software is implemented to assure that the design proceeds along the lines of the requirement specifications and documentation. Verification and validation (V&V) includes the establishment of test and evaluation criteria, the development of the test and evaluation procedures, the testing of the integrated hardware and software, and the installation of the hardware and software in the field. In accordance with the step-by-step verification process, design reviews are performed at; a
- system functional and performance requirements level,
- specification / task analysis and allocation of functions level,
- hardware and software design level,
- test and evaluation criteria and procedures level,
- personnel requirements and operating / maintenance plan level.
Such reviews are conducted by knowledgeable and experienced system engineers, software engineers, hardware engineers, etc., who are not directly responsible for the design, but who may be from the same organization. An illustration of a typical structure utilized for the controls and instrumentation design can be found in the ABWR SSAR 23A6100, Appendix 7A, Figure 7A-2.
- b. Software Development Program '
A discussion on the overall software development program (including ; verification and validation) can be found in the response provided for RAI 420.03. :
- c. Self-test Requirements and Surveillance Test Requirements All support functions of the non-safety related systems which are taken j credit for in the transient analysis are covered by the surveillance test j requirements. These surveillance test requirements are provided in 1 Chapter 16 of the SSAR. In particular the following functions of these systems are to be surveillance tested: i l
7 l; I
l l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIMPLIFIED BOILING WATER REACTOR (SBWR) ! SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l i I l RAI 420.8 (continued) a) Pressure Isolation Valve functionality of the feedwater system, b) Low water level (level 8) trip instrumentation of the feedwater system, c) Turbine bypass valve functionality, d) Automated Thermal Limit Monitor functionality of the PMCS, e) Rod control and display functionality of the RC&IS, f) Containment isolation valve functionality of the CACS. The surveillance test requirements will be supplemented by the plant l operational reliability assurance activities (0-RAP) such as periodic surveillance inspections; monitoring of structures, systems and component performance; and/or periodic preventive maintenance. More discussion on O-RAP can be found in the SSAR Subsection 17.3.9.
- d. Reliability / availability goals These non-safety systems are designed and maintained with a high degree of reliability commensurate with the importance of the system's contribution to the overall plant reliability / availability. There are no specific quantitative reliability / availability goals for these systems. More discussion on the SBWR plant systems' reliability goals l can be found in the response to RAI 420.12.
- c. Applicable Standards and Regulatory Guides These non-safety systems are not required to meet the exclusive safety criteria and standards applicable to the design of those systems which perform safety-related functions. However, as listed in Tables 3.2-1 and 7.1-1, the 10CFR50.55 General Design Criteria 13 and 19, ISA S67.02 and Regulatory Guide 1.151 have been used as a basis for design procedures established for these non-safety systems.
(Note: More information on the applicable standards and Regulatory Guides can be provided later under the discussion and/or closure of Regulatory Treatment of the Non-Safety Systems). 8
. - ~. - , .-- - . _ . __ . . _ __ _-___ _ _
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIJS RAI 420.12 What are the reliability / availability goals for the reactor protection system and engineered safety features (ESFs) systems? In addition, what testing will be done to demonstrate reliability and what is the scope of each test? The discussion shou'd also include the method used in determining the system reliability / availability. GE Response: SI1WR System Reliability Each SBWR syst is designed to be as reliable as or more reliable than corresponding systems in currently operating BWRs. This is accomplished in the SBWR by having system design based on existing systems, in cases where current experience is acceptabic, or by incorporating design improvements that will enhance system reliability. Examples of the latter are the use of fault-tolerant digital controls with automatic self-checking capability in some systems and the use of two-out-of-four logic instead of.two-out-of-two or one-out-of-two twice logic in other systems, such as the instrumentation and control equipment. The SBWR is designed to meet top level availability and reliability requirements specified by the ALWR URD. These requirements include-a frequency of unplanned automatic scrams less than one per year, a core damage frequency (CDF) less than E-5, and an overall plant availability at least 87%. The SBWR Reliability, Availability and Maintainability (RAM) Program has the responsibility of allocating system contributions to plant unavailability so that total unavailability is no greater than 13%. Instrumentation and control systems are designed with reliabic components and configurations so that they will contribute positively to the systems to which they apply. By keeping mean time between failures (MTilFs) high and mean time to repair (MTTR) low, the designers are able to assure high system reliability. For most systems there is not a specific reliability goal, but the system reliability is evaluated by the system's contribution to the plant core damage frequency, and the plant availability (or unavailability). As long as the overall plant goals for CDF, scram frequency and unavailability are met, and no one system is a predominant contributor to these major goals, individual systems are judged to have acceptable reliability. 9
i l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORAIATION (RAI) SIhfPLIFIED BOILING WATER REACTOR (SBWR)
- SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS
\ RAI 420.12 (continued)- Some systems' reliabilities are calculated for specific events or sequences. For example, the Reactor Protection System (RPS) reliability is calculated by fault tree for some of the ATWS sequences and entered into the event trees at the appropriate step. As mentioned above, as long as the CDF is less j than its goal, and the RPS is not a conspicuous contributor to the CDF, the ! RPS reliability isjudged to be acceptahic. Calculated values for RPS l reliability can be seen in the PRA event trees in Figures 19AD-25a,-26a, 17a,-28a and -29a. In summary, as long as the overall plant goals are achieved and no one system is a dominant contributor to plant unreliability or unavailability, specific goals for individual systems are not specified. Testine The testing which will be used to demonstrate the RPS and ESF systems readiness / availability to perform the intended system function (s) is same as that discussed in AllWR SSAR Subsection 7.1.2.1.6 " Protection System Inservice Testability", starting on Page 7.1-7. i l The methodology which will be used in determining the system reliability / availability is based on ANSI /IEEE std. 352 and will comprise one or more of the following elements: a) FMEA for Essential Multiplexing System b) Probabilistic Risk Assessment (PRA) for Safety System c) Quantitative Analysis (assumed NUMAC-type instrumentation)
- Manual Calculation
- Computer Calculation (Markov Models for Essential Multiplexing System) 10
=--- - .. - - - RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.14 Provide a list of the reactor protection system supporting equipment, such as air conditioning systems. If these supporting equipment are non-Class-lE equipment, what are the reliability requirements of the supporting equipment, and explain how they are isolated from the RPS. Would the failure of any of the supporting equipment reduce the reliability of the RPS? (Reference SSAR Section 7.2.1.) GE Response: RPS Supnortine Eauinment
- Control Room Area Control room envelope HVAC Class IE 120 VAC for manual controls Essential multiplexing system
* . Reactor Building divisional " Clean Areas" (outside secondary containment)
Clean area ventilation system Class lE 125 VDC (4 divisions) for protection system logic Safety System Logic and Control (SSLC) cabinets Essential multiplexing system
- Reactor Building inside secondary containment Controlled area ventilation system Two divisions of class lE 120 V vital AC (UPS) for scram pilot valve solenoids Two divisions of class lE 125 VDC for the backup scram valve solenoids.
RPS has a high probability of performing its safety-related reactor trip function on demand because ofits redundant,4-division, logic arrangement; physical and electrical independence; functional separation; fail-safe trip design; and in-senice testability. As stated in SBWR SSAR Section 7.2.1.1(14): "The RPS will fail into a safe state if conditions such as disconnection of the system or portions of the system, loss of electrical power, or adverse environment are experienced." In addition, per Section 7.2.1.1(12): ".'..The RPS is capable of accomplishing its safety-related protection functions in the presence of any single failure within the RPS, all failures caused by the single failure, and all failures caused by any design basis event that requires RPS protective action." 11
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS i i l i I . .i RAI 420.I4 (continued) l All automatic safety functions of RPS are located within the reactor' i building safety envelope in four divisionally separated clean areas. These areas are cooled by the clean area ventilation system (CLAVS), which is a subsystem of the reactor building HVAC system. CLAVS is not safety- 1 related, but has redundant exhaust fans for normal use and redundant smoke exhaust fans that are used only when necessary (see SSAR Section - 9.4.6). CLAVS will maintain the areas where RPS equipment is located to within 29 C (85 F), However, RPS and its supporting SSLC logic do not depend upon HVAC for a safe-state response to abnormal conditions, since the equipment is operable in the long term to at least 50 C (122 F). Moreover, as discussed above, failure of multiple RPS channels results in a fail-safe trip output, de-energizing the scram pilot valve solenoids. Manual scram, which directly breaks the power source connections to the solenoids, is hardwired outside of the electronic trip logic. Manual actuation functions of RPS are located within the Scaled Emergency Operating Area (SEOA). These functions are:
- Manual scram Reactor mode switch (causes scram in shutdown mode)
- CRD header charging pressure trip bypass
- NMS coincident /non-coincident trip selection switch
- Auto-scram test
. The control room envelope HVAC (CREHVAC) system cools this area during normat operation. Although non-safety-related, CREHVAC has a redundant, qualified, safety-related function of automatically isolating the SEOA on detection of high airborne radioactivity, toxic gases, and smoke (see SSAR Sections 6.4 and 9.4.1). The habitability featurcs within the SEOA will permit operating personnel to perform manual safety-related actions as necessary. i The loss of supporting equipment does not reduce the reliability of RPS to perform its trip function on demand, but can bring the system closer to an inadvertent trip (which is, however, a safe-state resp: c). The most significant contributors to RPS reliability are the dual out-of-4 trip configuration (2-out-of-4 sensor channels for a trip decision and 2-out-of-4 trip systems for an output scram decision); continuous, on-line self-diagnostics; rapid, on-line, replacement capability for failed parts; and fail-- safe equipment design. 12 1 l
4 ! RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS
- s a
! RAI 420.14 (continued) i . Loss of single disisions of vital AC electrical power will at most cause a half-- scram (if Division II or Division III power is involved), but this would , require loss of the divisional inverters which provide Class lE DC support of vital AC. Loss of two or more divisions of power results in reactor scram. As discussed above, the equipment that performs RPS functions, including the essential multiplexing system, is qualified to at least 50 C for continuous operation. Nevertheless, assuming component failures at high temperatures, the result will generally be a safe-state trip response because of the fail-safe trip design, However, assume a worst-case loss of all HVAC . in the Reactor Building clean areas such that an undetected common-cause failure occurs on rising temperature that locks all four divisions of RPS in an untdpped state concurrent with a demand for automatic trip. Even this unlikely condition is mitigated by the availability of diverse reactor vessel water level and pressure sensors hardwired directly to the control room displays. These displays enhance the operator's ability to perform the manual scram function, which is implemented outside of the RPS electronics and simply breaks the power source connection (placing the reactor mode switch in shutdown position causes the same action). In addition, anticipated transient without scram (ATWS) features are available , (with diverse automatic and manual actuation), such as alternate rod l insertion (ARI) capability, standby liquid control system initiation, and ] feedwater runback. These functions are implemented in logic that is i diverse from RPS so that even if subjected to the same abnormal environment, will not fail conunon-mode at the same time. l i i l 13
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPIJFIED HOIIJNG WATER REACTOR (SHWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIS I l RAI 420.15 li Using a block diagram, describe the reactor protection system power ! distribution system. In addition, identify any non-Class-lE equipment l connected to the Class 1E power supply. If any non-1E equipment is connected to the RPS power distribution system, explain how this non-1E equipment is isolated from the 1E power system, and explain the reasons for connecting non-1E equipment to 1E power supply. In addition, explain how the SI1WR design complies with General Design Criteria 17 and 18, IEEE Standard 308-1974, and RG 1.32. (Reference SSAR Section 7.2.1.) GE Response: A bic ck diagram showing power distribution for the reactor protection system (RPS) is prosided in Figure 420.15-1. As shown in this diagram the 120 Vac divisional distribution panel is normally supplied from the plant normal preferred power source and is backed-up by four other sources, siz., plant alternate preferred, on-site standby diesel generator,125 Vdc (2 hour) batteries and on-site transportable diesel generator sources. With multiple power sources and four separate and independent divisions of power distribution, a loss of any single power source will not cause sufficient instrument channel trips or solenoids de-energized to result in full reactor scram or insertion of control rods of any of the four scram groups. This arrangement prosides a high degree of power supply availability and helps reduce the unplanned scrams. A simplified schematic diagram showing power distribution for the RPS actuators can be found in the SSAR Figure 7.2-1 and an SSLC system interface diagram including RPS functions can be found in the SSAR Figure 7.3-3 (this figure is a GE proprietary information).- The Class lE 120 Vac and 125 Vdc divisional power system shown on the block diagram 420.15-1 supplies power exclusively to safety loads and there are no non-Class lE loads connected to these power supplies. Discussion on compliance with the General Design Criteria 17 and 18 for the plant ac power supply systems including the RPS power distribution is - provided in the SSAR subsections 3.1.2.8, 3.1.2.9 & 8.3.1.2.1. As far as the Regulatory Guide 1.32 and its associated IEEE Std. 308 (SIlWR SSAR Table , 1.9-3 lists 308-80 as opposed to 308-74 indicated in the RAI) are concerned they have a much broader scope than the RPS power distribution system. As for the conformance with the requirements ofIEEE std 308-80 criteria 6.2.2 and 6.3.2, the Class 1E AC and DC start and operate all their required loads, each division of the distribution system is physically separate and 14
1 RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIS l l RAI 420.15 (continued) electrically independent from other divisional equipment with no l provision for automatic interconnection of redundant loads, and l distribution equipment auxiliary devices supplied from the related bus or ' bus section. For a conformance statement on the RG 1.32 refer to the SSAR subsections 8.1.5.2.3,8.1.6.3,8.2.2 and 8.3.2.2.9 , 1 l 4 l l l l 15 i
RA1 +20 . I 5 NOTES. 1.480 VAC DP BUS IS NORMALLY SUPPUED FROM THE PLANT'S TO 480 VAC POWER TO TRANSPORTABLE N $EOER ER S U C S. V Z P E Rf ATE CENTER 10B219 D!ESEL GENERATOR {$TE gN0BY D 5E iEE 3L E POWER SOURCE SOURCES. FOR UPPER LEVEL INTERCONNECTION OF THE 480 VAC POWER SUPPLY SOURCES, REFER TO SSAR FIGURE 21.8.3-1. 2.RPS SCRAM PILOT *A'SOLENO!DS ARE SUPPUED FROM RPS
) 480 VAC (Q) 120 VAC DIVISION 2. AND PILOT 'B' SOLENOIDS ARE SUPPUED DIST PNL 10B2191
) (NOTE 1) FROM DIVISION 3 D!STRIBUTION PANELS. A SIMPUFIED 0 : SCHEMATIC DIAGRAM SHOWlNG POWER DISTRIBUTION FOR THE RPS ACTUATORS CAN BE FOUND IN THE SSAR
) ) ) FIGURE 72-1.
- 3. BACKUP SCRAM (AIR HEADER DUMP) VALVE *A' SOLENOID SUPPLIED FROM 125 VDC, DMSION 2 AND VALVE *B" 181D101 SOLENOID SUPPUED FROM DIVISION 3.
125 VDC 1B1D102 1B2D102 BATT BATT 1 B2D101 BATT FM (O)- sm (2 HRS.) CHARGER CHARGER 125 VDC BATT 1BTR101 , (72 HRS.) DIV. 2 125 VDC ' BUS 1BD103 DIV. 2 125 VDC BUS 1BD104 h
~ "
208/120 VAC ) k ) kk ) ) DIST ANL (O) 1BY101 ( f f TO OTHER LOADS
') (REQUIRED FOR 2 HRS.)
TO OTHER SAFETY- BACKUP SSLC RELATED 18Y103 (O) SCRAM (RPS LOGIC) LOADS INVERTER VALVE (REF. FlG. 7.3-3)
& TRANSF (NOTE 3)
SWITCH TO OTHER h LOADS DIV.2 120 VAC';DIST PNL.18Y113 (REQUIRED FIGURE 420.15-1 FOR 72 HRS.) RPS Power Distribution Bk>ck Diagram (Shown for division 2, typic:.1 for divisions 1,3 and 4 TO OTHER SAFETY- RPS SCRAM with appropriate substitution of bus and equipment r,. m.s s., RELATED LOADS SOLENOIDS (NOTE 2) reference designations and notes.)
i RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) 2 SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS i i i j BAI 420.16
- The second sentence of the second paragraph of SSAR page 7.2-13 on bypass indication states that indicator lights indicate which part of a system is not operable. Clarify whether these indicator lights incficate the bypass or inoperability of portions of a system that performs a function important to safety. (Reference SSAR Section 7.2.1.2.1 and RG 1.47.)
GE Response: Bvpass Indicator Lichts The indicator lights do signify the bypassing of portions of systems important to safety, namely Reactor Protection System (RPS) and Engineered Safety Feature (ESF). The bypass ftmctions and their alarm status are clearly identified in SSAR section 7.2.1.5.2. Operational bypasses are essentially interlocks that permit or inhibit specific functions under stated conditions, while maintenance bypasses remove larger portions of RPS from senice for repair, calibration, or test. All bypass functions are safety-related and are incorporated into the divisional circuitry. Interlocking of bypass status among divisions to prevent multiple bypasses is performed over isolated signal paths. Automatic indication of each bypass or inoperable condition is implemented in conformance to RG 1.47. These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform a safety-rela'ted function. I 16
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIhD'LIFIED BOILING WATER REACTOR 'l SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l l RAI 420.18 ,
~
Identify any on-line test equipment or circuits that are not part of the safety-related system. Also describe the interface between the safety-related system and the on-line test equipment. Show that limits in the test equipment will not challenge the system or equipment being tested.
~
Explain how all four channels of reactor protection system are tested without violating independence / isolation criteria. Describe the process ; (configuration management) that will be incorporated at operating facilities when on-line diagnostics uncovers an error in the computer , system . (Reference SSAR Section 7,2.1.4.) ! GE Response: i On-line Test Eauioment for RPS All on-line test functions are safety-related. On-line testing of Reactor Protection System (RPS) is performed by.
- 1) Built-in self-test software and hardware contained in each microprocessor-based control unit,
- 2) Monitoring functions contained in non-microprocessor logic circuits, ,
- 3) Manual test switches, ;
- 4) Manual control switches, with portions of the logic channels bypassed and the remaining portions in a state of reduced, but safe, redundancy.
On-line testing never violates the independence and separation of the four )' RPS divisions because automatic cross-division tests are not performed. Instead, because of the digital multiplexed nature of RPS data communications, continuous diagnostics within the on-line self-test for each controller monitor each I/O communication path for operability and also monitor the logic for correct timing and general operability. However, the diagnostics do not insert trip signals or otherwise cause changes of state i in the trip signal path. Trip testing within a division of sensor channels is performed only when divisional system level bypasses are applied, thus blocking the final output to the actuators; or oft-line during a maintenance i outage, when simultaneous 4-division testing is possible. Conventional half-scram actuator testing is also performed as specified in the plant technical specifications. 17
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPI.IFIED BOII.ING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS d i RAI 420.18 (continued) On-line detection of errors in any safety-related controller results in an inoperable indication to the operator. The operator then, as appropriate, places the alTected disision of sensors in bypass at the input to the TLU or takes the division out of service after the output of the TLU. Even on a second failure of a given sensor channel, the operator can place an individual sensor channel within a division in a trip condition. Thus, l there is no need for automatic bypass because any single. failure within one division results in a safe-state condition (i.e., either a 2-out-of-3 or 1-out-of-3 condition for trip output, depending upon the failure state). As described in the ABWR Technical Specifications (ABWR SSAR Chapter ! 16, l.CO 3.3.3.1), the operator is given 6 hours to place the failed channel or division in uip or hypass, respectively. Repair of the failed equipment is facilitated by automatic identification of the failed equipment and its location to the lowest replaceable module level via the on-line diagnostic facilities. 18
1 RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED IlOILING WATER REACTOR l SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l i l RAI 420.19 l l Discuss the reactor protection system automatic testing features' l compliance with RG 1.22, RG 1.118, and IEEE Standard 338. (Reference
- SSAR Section 7.2.1.4.)
L GE Response: Reactor Protection System (RPS) Automatic Test Eauinment Compliance I with RG 1.22. RG 1.118. and IEEE Std 338 l l SBWR SSAR Section 7.2.L3 states RPS compliance with RG 1.22, RG 1.118, and IEEE Std 338. Automatic testing, in conjunction with the 2-outmf-4 sensor channel and trip channel arrangement, augments conventional manual methods and eliminates the need for lifted leads and'j umpers. The continuous self-diagnostics enhance the periodic testing requirements of RG 1.22 and RG 1.118 by quickly detecting logic and hardware failures. , The bypassable 2-out-of-4 voting logic configuration permits temporary j bypass of sensors or trip channels so that in-depth offline testing (without final actuator trip) can be performed with the o!T-line self-tests built-in to j the logic controllers or with the manual divisional trip controls, which [ permit half-scram testing of the scram pilot valve solenoids. In this way, l complete system testing by means of overlap testing (per IEEE Std 338) is possibic Intervals for these tests are specified in the plant technical specifications (SSAR Chapter 16). The types of tests performed are given in SSAR Section 7.2.1.4. During a maintenance outage, external automatic self-test controllers are connected in each division for rapid end-to-end testing of all four divisions simultaneously. l l r 1 !- l 19
t RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.20 Provide a single failure analysis of the reactor protection system as part of the failure modes and effects analysis (FMEA) in response to Question ' 420.1.c. (Reference SSAR Section 7.2.1.) GE Response: Sincie Failure Analvsis of Reactor Protection System (RPS) A single failure analysis is provided within the documents referenced in the response to RAI 420.l(c), namely the SBWR PRA in SSAR Chapter 19 and the LLNL Diversity and Defense-in-Depth Study. However, a concise description of the single failure capability of RPS is provided in SSAR section 7.2.1.4, which is quoted below:
"The RPS is designed to provide reliable single-failure-proof capability to automatically or manually initiate a reactor scram while maintaining protection against unnecessary scrams resulting from single failures. The RPS remains single-failure-proof even when one entire division of channel sensors is bypassed and/or when one of the four automatic RPS trip logic systems is out-of-service. This is accomplished through the 1 combination of fail-safe equipment design, the redundant two- i out-of-four sensor channel trip decision logic, and the redundant l two-out-of-four trip systems output scram logic arrangement ]
utilized in the SSLC/RPS design. All equipment within the RPS and within the RPS-related portions of the SSLC System is designed to fail into a trip l initiating state on loss of power, loss or disconnection of any ' input signal, or loss of any internal or external device-to-device connection signal. In conjunction with this fail-to-safe-state , design, the trip initiating logic signals to and within the RPS are l asserted low (i.e . "0" to scram) whereas trip bypass logic signals and trip bypass permissive logic signals are asserted high (i.e.,
"1" to bypass and "0" to release bypass)."
20
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR , SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l RAI 420.21 ; 4 RG 1.47 requires that manual capability exist in the control room to activate l l cach system-level indicator provided in accordance with Regulatory Position C l. This position states that administrative procedures should be supplemented by a system that automatically indicates at the system level the bypass or deliberately induced inoperability of the protection system l and the systems actuated or controlled by the protection system. Explain ! how SIMVR complies with this RG 1.47 position. -(Reference SSAR Section 7.2.1.5.3.) ! GE Response: The reactor protection system (RPS) instrumentation and control design-implements the Regulatog Guide 1.47. Individual indicator lights are provided to indicate divisional sensor and division out of senice bypasses and inoperabilities/out of service. The bypass capabilities are included within the safety system logic and control system and are provided by means of bypass switches for trip logic units and digital trip modules. More information on the RPS and ESF bypass capabilities is provided in response to RAI 420.43 and bypass status indication is provided in response to RAI 420.26. Automatic indicators once activated remain illuminated and cannot be cleared until the function is restored to the operable condition. This automatic activation is provided over and above the manual administrative controls. More discussion on the conformance to Regulatory Guide 1.47 can be found in SSAR subsection 7.2.1.3. Information on the manual actuation of system level bypass indications is also provided in response to , RAI 420.24. ) 1 l l l 21 l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIS RAI 420.22 Explain how the reactor protection system complies with RG 1.62, Regulatory Positions C.2 and C.S. (Regulatory Position C.2 of RG 1.62 on ' manualinitiation of protective actions requires that manualinitiation of a protective action at the system level perform all actions performed by automatic initiation. Regulatory Position C.3 states that the switch for manual initiation of protective action at the system level should be located in the control room and be casily accessible to the operator so that action can be taken in an expeditious manner.) In addition, explain how the RPS complies with Regulatory Position C.5 of RG 1.62, which states that manual-initiation of protective actions should depend on the operation of a minimum of equipment. (Reference SSAR Section 7.2.1.) GE Response:
- Compliance with RG 1.62. Position C.2:
Reactor scram in SilWR, like other llWRs, is accomplished by interruption of AC power to scram solenoids and supplying DC power to back-up scram solenoids. The scheme for controlling electrical power to scram and backup scram solenoids is graphically presented in Figure 7.2-1 of the SSAR. Load-drivers (contacts) designated by small letters are controlled by automatic scram logic of RPS; whereas, load-drivers designated by capital letters are controlled by ' manual scram logic of RPS. As can be seen, the end-result for either automatic or manual scram is interruption of divisional AC power to : scram solenoids and supply of divisional DC power to back-up scram ; solenoids. I l i
- Compliance with RG 1.62. Position C.3:
On Page 7.2-14, first paragraph, the location for manual scram push-buttons is determined to be on the principal control room console which is easily accessible to the operator.
- Compliance with RG 1.62. Position C.6:
As depicted in Figure 7.2.-l and Figure 21.7.2-2, sheets 47 and 48 of the SSAR, the manual scram equipment and devices are limited to manual scram push-buttons and relay logic associated with contacts designated by capital letters. In essence, this is the minimum equipment for implementation of manual scram. The details of manual scram logic is depicted on sheets 47,48, and sheets 53 through 56 of Figure 21.7.2-2 of the SSAR. 22
l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI)
. SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.24 l Do all system-level bypass indicators have the manual capability to be activated according to Regulatory Position C.4 of RG 1.47? List any bypass that does not have manual-activation capability and explain the reasons for not having it. (Reference SSAR Section 7.2.1.3.)
GE Response: Manual Actuation of System 1.crel 11vnass Indicators per RG 1.47 Reactor Protection System (RPS) cannot be bypassed on an overall system , level (which would inhibit automatic scram), but because ofits 4-division, -
- 2-out-of-4 trip configuration, up to an entire division of trip logic can be l
bypassed. No provided bypass can render the system inoperable; likewise, no single failure can render the system inoperable. However, each type of divisional bypass (division-of-sensors or division out-of-service), although manually induced, is automatically indicated in the main control room. j All operational and maintenance bypasses, along with their automatic and manual activation capability, are described in SBWR SSAR Section ; 7.2.1.5.2. Note that automatic operational by3 asses are actually normal l responses to changes in p'lant operating motes and do not cause system ! inoperability, so do not need to conform to the manual bypass indicator ! activation requirement. All manual operational and maintenance bypasses have indication. This includes logic controllers being placed in an off-line condition or circuit cards being removed from their connectors (cardeut-of-file indicator). i 1 l i 23 l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS , RAI 420.25 Describe the built-in interlocks that will prevent a simultaneous bypass of more than one channel. Proside a list of bypasses that do not have this interlock capability and prosidejustifications for not having it. (Reference SSAR Section 7.2.1.3.) GE Response: Bypass Interlocks The division-of-sensors and division-out-of-service (trip logic unit bypass) bypasses can be applied independently because each reduces the system redundancy at its point of application to no worse than a 2-out-of-3 condition. However, each type of bypass is interlocked divisionally among its redundant channels such that a second bypass of that type cannot be activated if a previous bypass has not been removed. The interlock arrangement is illustrated in Figures 420.43-1 and 420.43-2, which are attached to the response for RAI 420.43. These figures are similar to those appearing in the ABWR SSLC Hardware / Software System Specification, 23A6915, Rev. O, but have been revised to apply to the SBWR configuration. Bypass status transmitted across divisional boundaries is electrically and physically isolated among divisions. l All other bypasses are applied to specific operational functions, as indicated in SSAR Section 7.2.1.5.2, and are required to be applied in four divisional channels. Thus, interlocks are not required for these bypasses. I 1 I-24
1 l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER RFACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l RAI 420.26 l Does all equipment have a bypass status indication local to the equipment to provide information to maintenance personnel. (Reference SSAR Secdon i 7.2.1.3.) l GE Response: t I Local lhvass Status Indication Bypass status indication is displayed on each Safety System Logic and Control (SSLC) panel located in each reactor building divisional clean zone. These panels contain all Reactor Protection System (RPS) logic processing equipment. The local multiplexing unit (LMU) cabinets in each clean zone, which acquire sensor data for RPS, also indicate bypass status. I l l i l l i I l l 25
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.27 Describe how the bypass indicators are grouped in the control room. (Reference SSAR Section 7.2.1.3.) GE Response: Individual indicator lights are arranged together in the control room to indicate which function of the system is out of senice, or otherwise inoperable. Two types of channel bypasses are prosi ' !, division -of-3ensors hypass and division-out-of-service (or division %tenance) bypass. All bypasses are alarmed (per division) in the n control room. At the operator display bypass indications are grouped at the sensor trip alarms. More discussion on the RPS and ESF trip logic . jpass arrangement and processing is provided in response to RAI 420.43. A general discussion on the control room fixed-position alarms is provided in the SSAR Subsection 18.4.2.12 and discussion on alarm processing logic is provided in Subsection 18.4.2.13. A discussion on system level (conceptual) grouping philosophy for the RPS bypass indications can be found in Subsection 7.2.13. 1 I l l 1 I l l 26
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7,INSTRUAIENTATION AND CONTROLS RAI 420.28 Identify the reports that will be provided to support any aspects of the neutron monitoring system design that are different relative to designs previously reviewed by the stafT. (Reference SSAR Section 7.2.2.) GE Response: The report that supports the Automated Fixed In-Core Probe (AFIP) subsystem (addressed in Section 7.7.8) of the neutron monitoring system is included in the S11WR SSAR, Appendix 7A. "A Fixed In-Core Calibration System for the Neutron Monitoring System". L j l I r 27
)
c
.- . . =. - ..
1 RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) I SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l i RAI 420.29 Using block diagrams, describe the operation of the reactor protection and safety monitoring system for a average power range monitor upscale trip. The description should trace the transmission of the initiating signals from the sensors through the integrated protection cabinets, the engineered safety features actuation cabinets, and the monitoring and controls at the control room work station to the actuated devices. The diagram should also l include all the major components, such as the sensors, the signal l conditioners, the isolation devices, the multiplexers, the data buses, the indicators, the protection cabinets, and control rod drive system. The diagram should show all channels and components and interfaces. (Reference SSAR Section 7.2.1.) GE Response: See attached Figure 420.29-1 of NMS hlock diagrams. Figure 420.29-1 shows l the initiating signals from the sensors, through the signal conditioner, to the reactor protection system. Figure 7.3.21) of the SilWR SSAR shows the signals from the SSLC/RPS to the actuation devices. The neutron monitoring system i safety related trip signals use a dedicated data transmission path to the safety i system logic control (SSLC) and reactor protection system (RPS) and do not go through the essential multiplexing system (EMS). Other NMS signals going to the plant monitoring & control system (PMCS) and automated power regulation system (APRS) go through the non-essential multiplexing system (NEMS) first. This is illustrated in Figure 420.29-1. The NMS also has a dedicated data transmission pathway to the rod control & information system (RC&lS) and its subsystem, the automated thermal limit monitor (ATLM). 28
I [ REACT O PRIMARY l REACTO BLElDING SAFETY ENWELOPE COfGROL RM raEsSuRE l l VESSEL j Co,nA=,n: : _ ,m
. l m
. I N,.wass s,,cm I . ,RNM $1GNAL COND,TIONER (DN O trau . tram Aru -4 7 ,
neoa 'e m .ocArum m
. = ~
stNsoRs l ~
*==5"==
c I ' ' onr.a _, A,,,, co ca. [ I :oa ' = j _ 1 mt C = Arus ew .aus)
~
oreas M 'McS (m .ea6)
* * *
- y g C teve l .N .
q,,, amie h 10 Egg
, .i -
l w , d .cri i l ,
> Ann
_ _ _ _. _ l _ _ _ _ _ 1, _ _ _ _ _ c_ao_, _ _E r. .,
-4 l r ,
l m_ , A,gm
~
*= _
a 07.ea -- a6 era.ATeu t ' . - g EDet#EAIDs ' I , = I yo, l L g ' u
==
1 _ 70 Arit5(m.Es6)
-i --
.I .
l mm w 3 .
= ,_ ,
,, , , -- -= *
-{g- : : m t x .m i l 4 .
TO ATL). ____4,_____4______________ 5 MNM SIGNAL CONDITIONEll (DtV II) _______ ___________~_______________
; : ,, m -+ ,_ _
ReCTEN Pgl.1
,: ~
l- { - m DdDCATM
' " *5 " ""
ff7
*acaro. ,
l <. -
' l
' i - .
g , e=
-. I j
2K ov.es m l.
= to ms s=.casi l .ssr K4J
-= -
10 8.stS (m .EME)
. w l t
'l gits w-
__ .o ntas g
. i __ _ :
- T1
- l - .oAnm
_ _ _ _ I _ _ _ _ ______________ p: _PitPO4 SIGNAL COdDITOBER _fDrV __ _ _ __ __ . _ _ _ _NI _ _ , . __________________________
. l l t A ==
__g. . r , s
.u.r=
.- p
- I ss.a.s== - ---
. .m
.o .e.c.A.r.a <4 ,
< .l .
g 1 3 D c 474 car., t
.o.,
- 1
-- g mC.
mm l .m
=
o" w b
. =A,...,
.h l
- = -
- l. =aci n. 3 N
, i 3. , -.
- ==s o,
~ ' -
i c I 1 .<m a .
; A,t p
I I um 4-I : : sus.o DATA CGtesetATO RJ5 NOTE . Fon 5m su Taas6. esso.s unto 15tCesr5 410 ACT 2 CacWoen edt eaI A CDeeu.sCAfs) 0F TATTD4 PARTh.UAYm AWEAAED AMee 5ENat teo.CEVEIS EACMChn et AEFEe TO f C F 3 ?.S OF f>E 53.s.e l5AA. __ E' N IMI 3 son ttimaJo ctScartiu s tatat a.e sacu pasat 9ENCA70RS HEFES TO.eeS ta tsE 21.F Z 39 AND SD(8C 21.F 24L DISCMTE ess Fleure 420.29-1 Block Diauram Neutron Monitorine System APRM Trio To SSLC g 1...
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.30 Describe a startup range neutron monitor (SRNM) signal and the connections between a SRNM detector and preamplifier in the reactor building. Explain how the SRNM detector signals transmitted to preamplifiers are protected from the noises and interferences in their environment. (Reference SSAR Section 7.2.2.2.) r GE Response: The SRNM detector is a regenerative uranium coated fission chamber that upon receiving a neutron in the detector will generate a negative pulse (voltage signal) out of the detector. The SRNM detector is housed in a dry tube assembly, with the sensor located near the mid plane of the active fuel region in the core. The SRNM signal is transmitted via a triaxial cable from the bottom of the RPV, through the RPV pedestal, to a preamplifier located on the immediate outside of the primary containment boundary. The number of pulses generated is proportional to the neutron flux level and thus the reactor power level. The SRNM combines the function of both the source range monitor (SRM) and the intermediate range monitor (IRM) of conventional , BWRs. The SRM uses the pulse counting method which covers from 0.1 counts per second (CPS) to about 1000,000 CPS. The IRM uses the mean square voltage (MSV) method when the counting pulses per second is greater than 100,000 CPS and the pulses can no longer be differentiated from each other. . The SRNM thus cover the range from 0.1 CPS to about 1.5 x 1013 ny, which is approximately 15% of rated power and higher. The preamplifier can process both counting pulses and MSV signals, with adjustable gain and pulse i shaping capability. One SRNM detector is connected to one preamplifier, with a triaxial cable (with the signal conductor insulated and shielded) in between. In order to reduce noise, the length of the triaxial cabic is kept to a minimum, corresponding to the shortest distance from the RPV under vessel to the outside wall of the primary containment. The SRNM triaxial cable is l Class lE and environmentally qualified to operate under both normal l operating conditions and design basis accident conditions. The preamplifier l is housed in a metal case to shield from outside electromagnetic interference. As a result, noises are minimized through the triaxial cable design, the proper grounding method performed between the detector ground, cable ground and the preamplifier ground, as well as through the metal protection case of the preamplifier. More detailed description of the SRNM can be found in the licensing topical report, NEDO-31439-A, submitted to the NRC in Oct.1990. 29
i l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhiATION (RAI) SIhiPLIFIED BOILING WAT2R REACTOR (SBWR) SSAR CHAPTER 7,INSTRUh!CNTATION AND CONTROLS l RAI 420.31 f Provide a discussion of how the neutron monitoring system (NMS) instruments are tested. The discussion should also include the requirements with which NMS instruments must comply. (Reference SSAR Section 7.2.2.4.) CE Response: l-l The neutron monitoring system testing is performed routinely as part of the ! surveillance test, after the instrument is' installed and has successfully passed I the validation test including the preoperational test and the startup test. The NMS instrument surveillance tests include the following test items:
- 1. Channel Check: This is a qualitative assessment by observation of channel behavior during operation. It includes comparison of the channel indication to other indications derived from independent instrument channels measuring the same parameter.
- 2. Division Function Test: The injection of simulated or actual signals into a !
division as close to the sensors as practicable to verify operability of the sensor channel in that division.
- 3. Comprehensive Function Test: This is a set of tests that exercise RPS/ESF
- actuation functions, etc., by simulating accident events that exercise the ' ,
- inputs and outputs of the SSI.C, NMS, RPS actuation logic, etc. It also
]
simulates power failures, measures CPU and network performance, runs microprocessor-specific and application-specific diagnostics. i l 4. Sensor Channel Calibration: This is the adjustment of the sensor channel j such that it responds within the specified range and accuracy to specified i values of the parameter that the sensor channel monitors. l
- 5. Self Test: For micro-processor based system the self test function is -
performed automatically within the instrument at a predefined time interval. This includes all critical failure tests of the instrument firmware ; including inoperative failure, etc. Most self tests are performed at a time l interval similar to the computer data processing and calculation interval, l l c.g.100 milli-seconds. 30
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI) SIh1PLIFIED BOILING WATER REACTOR i SSAR CHAPTER 7,INSTRUh1ENTATION AND CONTROLS l l l RAI 420.31 (continued) SRNhi: l l In Startup mode, the SRNhi perfonnance including the neutron flux upscale trip and the short period trip functions shall be tested for 1) Channel Check (every 12 hr),2) Divisional functional Test (every 7 days),3) verifying the SRNhi and the APRh1 channels overlap within at least half decade (when first changing mode between the Startup mode and the Run mode),4) Channel Calibration (18 months),5) Comprehensive functional test (18 months), The SRNhi inoperative trip shall be tested as well in this mode using divisional functional test. In Refueling hiode, the SRNh1 performance including the neutron flux upscale trip shall be tested for 1) Channel Check (every 12 hr),2) Divisional functional Test (every 30 days),3) Channel Calibration (18 months),4) Comprehensive functional test (18 months). The SRNhi inoperative trip shall , be tested as well in this mode using divisional and comprehensive functional
- test.
In both the Run and Startup modes, the SRNh1 ATWS Permissive function shall be tested using divisional and comprehensive functional test. I APRht: In Run mode, the APRh1 performance including the neutron flux upscale trip l and the simulated thermal power trip functions shall be tested for 1) Channel l Check (crery 12 hr),2) verifying the APRhi is consistent with the calculated j reactor power (every 7 days),3) Division functional test (90 days),4) calibrate i the local power range monitor (LPRhi)-(every 1000 hiWD/T core exposure),
- 5) comprehensive functional test (18 months),6) verifying trip response time every refueling interval.
In Startup mode, the APRhi performance including the neutron flux upscale trip ftmction shall be tested for 1) Channel Check (crery 12 hr),2) divisional functional test (crery 7 days),3) calibrate the local power range monitor (LPRhi) (every 1000 htWD/T core exposure),4) verifying the SRNhi and the APRhi channels overlap within at least half decade (7 days). t In both the Run and Startup modes, the APRhi ATWS Permissive function shall be tested using divisional and comprehensive functional test. In both modes, the APRh1 inoperative trip shall be tested using divisional and comprehensive functional test. 31 l^ l
i l I RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) , .. SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS i 4 RAI 420.31 (continued) The above test requirements are summarized in the following table. The "SR" refers to the surveillance requirements which are same as those identified in ABWR SSAR 23A6100, Chapter 16, SR 3.3.1.1, Rev. 3. Detailed definition of the above test items and test interval, condition, and bases of the above items,is
- docu ated in the SBWR Technical Specification, Chapter 16 of the SBWR SSAR. The current version of the SBWR SSAR Chapter 16 is being revised to reflect the above requirements on the NMS portion which are similar to that of the latest ABWR Tech Spec. (Rev 33).
l 32
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIMPLIFIED llOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l RAI 420.31 (continued) Table 1 (420.31) NMS Instrumentation Surveillance Test Applicable Surveillance Applicable Surveillance Function Mode Reauiremen.ni Function Mctic Reauirements I SRNM APEM l SRNM Startup SR 3.3.1.1.1 APRM Startup SR 3.3.1.1.1 Upscale SR 3.3.1.1.3 Upscale SR 3.3.1.1.3 SR 3.3.1.1.8 SR 3.3.1.1.7 SR 3.3.1.1.9 SR 3.3.1.1.8 SR 3.3.1.1.10 l Refueling SR 3.3.1.1.1 TPM Run SR 3.3.1.1.1 SR 3.3.1.1.4 Upscale SR 3.3.1.1.2 l SR 3.3.1.1.9 SR 3.3.1.1.5 l SR 3.3.1.1.10 SR 3.3.1.1.7 SR 3.3.1.1.9 l SRNM Startup SR 3.3.1.1.1 SR 3.3.1.1.12 l Short SR 3.3.1.1.3 : l Period SR 3.3.1.1.8 APRM Run SR 3.3.1.1.1 Upscale SR 3.3.1.1.2 Refueling SR 3.3.1.1.1 SR 3.3.1.1.5 SR 3.3.1.1.4 SR 3.3.1.1.7 SR 3.3.1.1.9 SR 3.3.1.1.9 SR 3.3.1.1.10 SR 3.3.1.1.12 SRNM Run/Startup SR 3.3.1.1.5 APRM Run/Stanup SR 3.3.1.1.5 ATWS SR 3.3.1.1.9 ATWS SR 3.3.1.1.9 Permissive Permissive l SRNM Run/Startup SR 3.3.1.1.3 APRM Run/Startup SR 3.3.1.1.5 Inop Inop SR 3.3.1.1.9 l Refueling SR 3.3.1.1.4 SR 3.3.1.1.9 l t i i l 33
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l RAI 420.32 l l Provide a description of how all four NMS channels are tested without i violating independence / isolation criteria. (Reference SSAR Section 7.2.2.4.) GE Response: (Refer to Figure 420.29-1) As shown in Figure 420.29-1, all four PRNM - channels are independent and isolated from one another except the inter-divisional communication through the fiber optics pathways. The fiber optics pathways serve as isolation devices. As a result, the isolation criteria between difTerent divisiou is satisfied. Testing of each NMS PRNM channel will not violate the isolation criteria. The Average Power Range Monitor (APRM) channel is tested for channel check, for divisional functional test, for L.PRM calibration, for APRM reading calibration, and for comprehensive functional test. For divisional functional test, the APRM tests the various trip functions and the associated trip setpoints. Such trip' functions will be verified by the output of the APRM signal conditioner and the input to the Safety System Logic and Control / Reactor Protection System (SSLC/RPS). The APRM is tested one channel at a time. This test can be performed both with this channel bypassed through the APRM Bypass Switch and with this channel not bypassed. With this channel bypassed, the local trip indication light can be verified for proper trip output. With this channel not bypassed, the trip output at the SSLC/RPS cabinet can be verified for proper trip output. However, only one channel can be tested at any time. Whether this APRM channel is bypassed or not the test is not interfering with the cross channel (division) communication through the fiber optics pathway between divisions. The bypassing of any one APRM channel will not interfere with the data communication through the cross ; channel (division) communication pathway. The test is performed without violating any independence criteria. For Local Power Range Monitor (LPRM) calibration, the LPRM sensor being calibrated is first bypassed. This , LPRM data will be temporarily excluded from the APRM averaging process. The LPRM count circuit will also reduce the LPRM number by one. This is only one LPRM bypassed out of a total of 84 LPRMs. As a result, the channel partial APRM and the total APRM reading is not affected noticeably. Consequently, the LPRM calibration test will not violate the independence criteria. 34
i 4 RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI) SIMPLIFIED BOILING WATER REACTOR i SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.32 (continued) For APRM reading calibration, the calibration procedure is first for each channel to calculate a partial APRM which is the sum & average of all the primary LPRMs in this channel (primary LPRMs refer to the LPRMs sent to this channel through coaxial cables from the I.PRM sensors). The four partial APRMs are then sent to all four channels such that each channel will perform an identical calculation to obtain a total APRM which is the sum & average of the four partial APRMs. Finally, this total sum & average APRM will replace the partial APRM in each channel and become the new partial' APRM of this channel, and at the same time this sum & average APRM will be multiplied by a gain adjustment f actor such that the resulting value will be equal to the process computer-calculated reactor power (percent of rated). This resulting value is the final APRM value. The update of the partial APRM for each channel is performed one channel at a time with this channel bypassed. After the calibration, the updated partial APRMs from all four channels are all identical. To summarize the procedure:
- 1) 13ypass Division I APRM.
- 2) In division I APRM, verify the latest calculated ibur partial APRMs from the four divisions, three of them through the liber optics pathways. Obtain the rum / average value of the four partial APRMs. This is the unadjusted-adjusted APRM. This v;due is to be used for the calibration of all four channels. That is, this value is locked for the use of all four channels during this calibration process.
- 3) Update the partial APRM in this channel by this unadjusted-adjusted APRM using a partial gain factor applied to the original partial APRM.
- 4) Calculate an APRM Gain Adjustment Factor which is the ratio of the process computer- calculated rated power value to the unadjusted-adjusted APRM, Multiply the unadjusted-adjusted APRM by this Gain Adjustment Factor. The resulted value is the final calibrated APRM.
- 5) Un-bypass Division 1 APRM.
- 6) Ilypass Division II APRM. Repeat steps 2) to 5) for Division II APRM calibration, using the same unadjusted APRM obtained from 2) as the Division II unadjusted APRM.
- 7) Repeat 6) for Division III and Division IV APRMs.
The above APRM calibration test is thus performed without affecting the independence criteria. 35
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l RAI 420.32 (continued) i l For the comprehensive functional test, there is no additional concern of independence and isolation criteria compliance other than those di cussed ! above for the neutron monitoring system test. ! l The SBWR SRNM subsystem design is similar to the ABWR NMS SRNM design, except with the slight reduction of the number of SRNM detectors in the core (from ten to eight). There is no cross division communication in the SRNM. The isolation and independence criteria are satisfied similar to the ; ABWR SRNM design. i l i l I t I l l l
?>6 r
i
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR j SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS $ RAI 420.33 j Describe the methods and design criteria used to reduce the common mode failure vulnerabilities in the hardware and software of the NMS. (Reference SSAR Section 7.2.2.3.) j GE Response:
- The issue of design consideration to reduce the common mode failure i vulnerabilities in the SBWR Neutron Monitoring System (NMS) design can
[: be addressed in the following categories:
- 1) General NMS System Design Consideration:
'. The SBWR NMS design generally follows the same design philosophy and general system structure as the AllWR and i GESSAR design. The NMS includes safety related subsystems such
- as the Startup Range Neutron Monitor (SRNM) and the Power
. Range Neutron Monitoring (PRNM), each subsystem consisting of , sensors, cables, signal conditioning electronics and monitoring equipment, etc. As part of the BWR proven design with many operating years of experiences, and as a result of rigorous quality , control (QC) and quality assurance (QA) practices, the SBWR NMS
- has inherited a very good record of extremely low occurrence of any common mode failures. As shown by BWR operating
- experiences, any common failures of equipment are more or less on a random basis. The SBWR NMS design follows the similar strict j reliability and availability requirements as well as QC and QA l requirements similar to previous BWR NMS designs, and 4
requirements specified in various regulatory guides and industry
- standards including RG 1.53,1.152, IEEE 279,379,603, etc.
Compliance to such requirements clrectively reduces the common mode failure vulnerabilities from a system design perspective, i especially from a system hardware component point of view. Also, _ i safety subsystems of the NMS are designed as single failure proof. Design criteria are established ihr any failures that should not disable the safety fimction of each subsystem. For example, the following failures shall not disable the safety function of any
, subsystem:
- a. A detectable failure from one failed component or circuit fault.
- b. Multiple detectable failures resulting from a single cause. This
. single cause is either external or internal to the system. 37
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR). SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS I l l
~
RAI 420.33 (continued)
- c. A failure that results from the accumulation of failures that are not i detectable by periodic testing. (Such failures can be detected as either dependent or independent failures.)
I In addition, a FMEA analysis was performed to evaluate and confirm that for the SBWR PRNM any component failure of the PRNM would not - disable the system safety functions. In summary, the key factors to reduce common mode failure vulnerabilities from system design level are the 13WR NMS proven design with good operating records, strict reliability requirements, strict QC/QA requirements, failure detectability criteria, all tied with a step by step systematic design approach of the whole NMS system from the component level and up.
- 2) NMS Electronics Hardware & Software Design Consideration:
The SilWR NMS utilizes microprocessor based electronics equipment. As a result, additional design requirements are included to assure the reliability of both the hardware and software aspects of the design. In addition to the system level design requirements mentioned above, some hardware and software requirements must be implemented. These include: emironmental requirements, reliability requirements, general hardware and software design requirements including component unit self test requirements. A list ofimportant self test requirements are included in the NMS hardward/ software specifrication 23A6301, Rev. 0.. Such self test functions can effectively reduce the common mode failure vulnerabilities.
- 3) NMS Software Verification & Validation:
Verification and Validation (V&V) is performed on all software contained in the NMS safety related equipment. The V&V procedure basically follows RG 1.152 requirements, which include design review, independent design verification, coding verification, validation test in the laboratory, and field startup test. The V&V can also effectively detect any potential common mode failure scenarios and reduce the common mode failure vulnerabilities. A NMS V&V Criteria Design Specification 23A6761, Rev. 0 (FMF K6/7) document is applicable to S13WR NMS. 38
~ - .
i RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) 4 SIMPLIFIED BOILING WATER REACTOR l SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l l l 1 RAI 420.33 (continued ! i l 4) NMS Surveillance Test: i) Channel Check Requirement l This is a Tech Spec. required surveillance test item that involves qualitative assessment by visual observation of channel behavior during operation. It includes comparison of the channel indication to other indications derived from independent instrument channels measuring the same parameter. It is typically performed every 12 hours during plant normal operation. This check can effectively detect any common mode fitilure which causes instrument indication to be at fault condition. ii) Electronics Self Test Requirements The SBWR NMS uses microprocessor-based electronics units, which have the capabilities of performing automated self testing of routine hardware and software functions including some critical failures detection. For example, the instrument is designed to test itself automatically and continuously during operation to see that its hardware and software are functioning properly. Any faults detected will be traced to the replaceable module level and enunciated as well as displayed. A list of self test requirements is included in Specification 23A6301. The instrument self test will detect " critical" fault and issue inoperative trip. Critical fault includes such items as voltage supply abnormal, high voltage power supply output abnonnal, module installation abnormal, microprocessor memory abnormal, etc. These periodical continuous self tests can effectively detect hardware and software failures and reduce the vulnerabilities of common mode fitilures of the instrument. ,
- 5) Safety Protection System Common Mode Failure Assessment:
i) NMS as One of many Inputs to SSLC/RPS l It is important to note that the NMS safety related trip output derived from the NMS safety related function is only one kind of many safety protection trip output signals sent to the SSLC/RPS. For common mode litilure assessment of safety protection system, i.e., SSLC/RPS, failure of NMS trip output will not disable the protection ftmction of the safety protection system. ii) Defense-In-Depth and Diversity Assessment of the SBWR Protection System 39
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) ' SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS , RAI 420.33 (continued) A defense in depth and diversity assessment of the SBWR Protection System including event analysis evaluation was performed which is similar to the NUREG-0493 analysis. This assessment was performed by Lawrence Livermore National Laboratory in Sept 1993. The objective of this assessment is to determine if postulated common mode failures could result in impairment of more than one cchelon of defense, and thus compromising defense-in-depth. Design basis accident and transient events were used as the bases for analysis. This study concluded that for SBWR there are no system wide common mode failure vulnerabilities and there is no specific event vulnerabilities caused by neutron monitoring system inputs to the SSLC/RPS. 40
[ Table 7.1-1 Regulatory Requirements Applicability Matrix (Continued) Reg. Guide li-D li-E li-F - ti-K g k BTP [ Applicable @g Criteria 1.22 1.47 1.52 1.s2 1.75 1.97 1.10s 1.11s 1.151 1.152 1.153 3 12 20 21 22 26 3 4.2 1 3 1.22 1 12 11s sie s.21 s.22 s.22 Reference (RG) 1.47 1.22 1.s7 Standard (IEEE) 279 27s 379 279 384 338 7 4.ita eos 279 27s 279 27s . . . . (ISA) se7.04 est.or Reactor X X X X X X X X X X X X Protection Sys. Neutron X X X X X X X X X X X Monitoring Sys. Supp. Pool X X X X X X X X X X X X Temp. Mon. Sys. Auto. Depress. X X X X X X X X X X X X X Subsys. Gravity-Driven X X X X X X X X X X X Cooling Sys.
-4 Leak Det. & fsol X X X X X X X X X X X X X $
Sys. Safety Sys. X X X X X X X X X X X . Logic and Cont. ; Essential X X X X X X X X X X h Multiplexing Sys. Flammabirrty X X X X X X X X X X Control Sys. SLC Sys. X X X X X X X X X Remote X X X X Shutdown Sys. Reactor Wtr. X X X X X X X X' X X X X g IT Cleanup / Cool g y isolation X X X X X X X X X X X il Condenser Sys. @ y Safety.Related X X X X X X X X X X X X X X X X k ) Display g g Cont. Atmos. X X X X X X X X -X X X X SL Monitoring Sys. f, g
,y Control Systems X ne p 3*
(Non-1E) g
'Not applicable to SBWR - see Subsection 7.1.2.2, "Conformance to TMI Action Plan Requirements" W
W 1
RM. RAT 42.0.03 25A5113 Rsv. A SBWR stukntsany Analysis uport a RG 1.75 - Physical Independence of Electric Systems a RG 1.97 -Instrumentation During and Following an Accident a RG 1.105 -Instrument Setpoints for Safety-Related Systems , a RG 1.118 - Periodic Testing of Electric Power and Protection Systems ; a - RG 1.152- Criteria for Programmable Digital Computer System Software in Safetv-Related Systems of Nuclear Power Plan 11 m RG 1.153 - Criteria for Powe , Instrumentation, and Control Portions of Safety Systems The NMS conforms with all the above listed RGs. Branch TechnicalPositions (BTPs): In accordance with the Standard Review Plan for Chapter 7, and with Table 7.1-1, only BTPs 21 and 22 are considered applicable for the NMS. They are addressed as follows: BTP ICSB 21 - Guidance for Application of Regulatory Guide 1.47 -The SBWR design ; is a single unit. Therefore, Item B-2 of the BTP is not applicable. Otherwise, the NMS is ; in full compliance with this BTP. ' BTP ICSB 22 - Guidance for Application of Regulatory Guide 1.22 - The NMS is continuously operating during reactor operation. The accuracy of the senson can be verified by cross-comparison of the various channels among the four redundant divisions. The bypass of any RPS division will cause the twooutof-four trip voting logic to revert to twoout-of-three. Therefore, the NMS fully meets this BTP. TMI Action Plan Requirements (TMI)-In accordance with the Standard Resiew Plan for Chapter 7, and with Table 7.1-1, there are no TMl action plan reqmrements ; applicable to the NMS. . l 7.2.2.4 Testing and Inspection Requirements I 7.2.2.4.1 General Requirements All NMS instruments (not including sensors) in the reactor building are designed such that they can be tested, inspected, and calibrated as required during plant operation without causing plant shutdown or scram, and with easy access to the senice personnel. NMS instrument modules, including SRNM and APRM, are designed with the capability of being tested for the normal performance, trip performance, and calibration function, either through automated process or through manual process. Routine Reactor Trip System 7.2-35
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.35 Describe the manualinitiation features of the engineered safety features actuation system. The description should include how the manual features comply with (1) IEEE Standard 279 and RG 1,62 and (2) SECY-93-087, . Position II.Q, " Defense Against Common-Mode Failures in Digital Instrumentation and Control Systems." (Reference SSAR Section 7.3.1.1.2.) GE Response: Manual Initiation Features of Encineered Safetv Features (ESF) Actuation Svstem Manual controls are provided for ESF as follows:
- Manual Automatic Depressurization System (ADS) actuation Four dual-action switches (one per disision), any two of which must be operated to cause an ADS trip (see SSAR Figure 21.7.3-1).
Manual Depressurization Valve (DPV) actuation Two key-locked switches, both of which must be operated to cause the timed sequential actuation of all DPVs (see SSAR Figure 19AE.14-ll). Manual Safety / Relief Valve (SRV) initiation Two switches for each SRV, either of which will open the valve (see SSAR Figure 19AE.14-14).
- Manual Gravity-Driven Cooling System (GDCS) initiation Two key-locked switches, both of which must be operated to cause the timed sequential actuation of all GDCS squib valves (see SSAR Figure 19AE.14-ll).
Manual Leak Detection and Isolation System (LD&lS) initiation (see SSAR Figure 21.7.3-4) Manual Main Steam Isolation Valve (MSIV) open/close function provided by four indisidual valve controls. . Manual MSIV test close function provided by four individual valve , controls. ' Manual main steam line (MSL) isolation function provided by four dual-action pushbutton switches, any two of which must be operated to close all four MSlVs. ! l 1 l 41 l l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.35 (continued) Containment isolation provided by two divisional control switches. The Division I switch activates the outboard isolation valves, while the Division 11 switch activates the inboard isolation valves (these valves are shown on sheet 1 of SSAR Figure 21.7.3-4). Two control switches provide actuation of the Reactor Water Cleanup / Shutdown Cooling'(RWCU/SDC ) A and B loop inboard and outboard isolation valves, respectively. These manual features are implemented outside of the software-based microprocessor equipment in simple discrete logic circuitry (except for the DPV portion of manual ADS, which is software-based, but diverse to the discrete-logic circuitry of SRV) and are also divisionally redundant. Thus, - these features comply with IEEE 279, Section 4.17, in that they (a) are implemented with a minimum of equipment and (b) provide single failure protection, both from the standpoint of being a backup to the automatic isolati on function and from having multiple actuation paths. Compliance with RG 1.62 is implemented by (a) prosiding system level manual initiation, (b) providing all system level functions including interlocks on the discrete logic cards, (c) having the system level switches in the main control room, (d) using a minimum of equipment common to the automatic and manual functions [ generally, only tl- final actuation devices are common, where the manual and automatic signals are combined to give the final trip output; in the case of manual DPV, GDCS, and SRV actuation, the manual and automatic signals use completely independent actuation paths and devices out to the final actuators], (c) providing single failure protection via multiple channels and 2-out-of-4 configuration of output actuation devices, (f) using a minimum of equipment consistent with the preceding items, and (g) requiring that all ! protective actions at the system level go to completion after initiation [all final trips are scaled-in and must be manually reset]. The requirements of SECY-93 087, Position II.Q, are met by prociding the manual functions in diverse, non-software-based logic as a backup to the automatic software-based trip logic. In addition, the required study to < support implementation of these features has been performed [ Lawrence Livermore National Laboratory (LLNL) SBWR Diversity and Defense-in-Depth Study (draft version 1.0, June 30,1993)]. 42
l ' I RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CIIAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.36 Unlike previous boiling water reactor ADS actuation sequencing, the L SBWR ADS actuation sequencing initiates only on water level. Explain the l change. Would this reduce the system reliability? (Reference SSAR l Section 7.3.L1.2.) GE Response: The Automatic Depressurization subsystem (ADS) is required to l depressurize the RPV in sufficient time to allow the Gravity Driven l Cooling system (GDCS) injection flow to replenish core coolant to l maintain core temperature below design limits in the event of a loss-of-coolant accident. The ADS is required to initiate upon receipt of a Level I water level signal. This requirement is not dependent upon whether the l Reactor Coolant pressure boundary break is inside or outside the containment. f Per SSAR Section 6.3.3.2: The ADS automatically actuates on a reactor low-low level (Level 1) signal that persists for at icast 10 seconds. A two-outef-four Level 1 logic is used to acthate the SRVs and DPVs. The 10 second persistence , requirement for the Level 1 signal ensures that momentary system l perturbations will not actuate the ADS when it is not required. The two-out-of-four logic assures that a single failure will not cause a spurious system actuation while also assuring that a single failure cannot prevent initiation. l 1 i l
.l l
I 43
i l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.37 Provide a discussion of how ADS channel integrity is maintained. This should include (1) the reliability of ADS and (2) environmental qualification of ADS. (Reference SSAR Section 7.3.1.1.2.) GE Response: Per SSAR Sections 7.3.1.1.2 & 7.3.1.1.4: The ADS instrumentation and logic power is obtained from the Safety System Logic and Control divisions 1,2,3, and 4,125 Vdc buses. The control power is from the divisions 1,2,3 and 4,125 Vdc battery buses. The motive power for the electrically operated gas pilot solenoid valves on the Safety Relief Valves (SRVs) is from local accumulators supplied by the High Pressure Nitrogen Supply system. The ADS trip logic units are self-tested continually every 30 minutes. The continuity of the SRV pilot solenoids and the bridge wires within the DPV squib valve actuating circuitry are tested continuously by a low amperage current, causing an alarm if the circuit is interrupted. System status during normal plant operation and ADS performance monitoring during an accident is based on the Main Control room indications specified in SSAR Section 7.3.1.1.5. Per SSAR Section 7.3.1.1.5: ADS clectrical equipment (including instrumentation and controls) located in the drywell is designed and qualified to operate in an erwironment resulting from a loss-of-coolant accident. Safety-related electrical equipment located outside the containment is designed and qualified for the environment in which they perform their safety function. l l I 44 l l r
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS I RAI 420.4I The leak detection and isolation system (LD&lS) isolates the sources of leaks from the containment. Are all LD&IS isolations backed up by manual actuation in the control room? If not, explain why. (Reference SSAR Section 7.3.3.1.) GE Response: Manual llackuo of1.D&lS Isolations Allisolations are backed up by manual actuation in the control room (see the response to RAI 420.35). I
)
l 45 l
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) 1 SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS I l i i RAI 420.42 1 Using block diagram (s), describe the arrangement of the fiber-optic data links for inter-cabinet communications. Identify all the components (including power supply arrangements) to be used for inter-cabinet communications. List all the data links between the integrated protection cabinets, and explain how the data links in a cabinet are protected from faults in other cabinets. In addition,' explain how the integrated protection cabinets communicate with other cabinets. (Reference SSAR Section 7.3A.2.) GE Response: Inter-Cabinet Communications for Intecrated Protection Svstem One Safety System Logic and Control (SSLC) cabinet resides in each of the four instrumentation divisions. The only inter-cabinet communication performed is the transfer of trip status data from the digital trip modules (DTMs) or analog trip modules (ATMs) in each division to the trip logic units (TLUs) or discrete logic units (DLUs) in the other divisions for 2-out-of-4 coincidence voting. Signal transmission is via liber optic data links in one direction only. The optical isolation provides electrical independence, since power sources are not connected among divisions. Thus, electrical faults cannot propagate among divisions. A single failure of a component in a given division, therefore, only affects transmission or reception of channel trip signals, but cannot damage components in other divisions. Divisional redtmdancy of safety systems and fault tolerance resulting from the use of coincident voting to initiate safety-related actions preclude any single failure from inhibiting a safety function. Data processing and signal transmission are asynchronous among divisions; i.e., no common timing signals are transmitted and the failure l of a clock signal within a division cannot affect timing or signal transmission in other divisions. A standard, non-proprietary communications protocol is used (RS485 or equivalent at 10 Mbps). The inter-cabinet data links are shown in SSAR Figures 7.3-2a and 7.S2b. They are shown as trip outputs from the DTMs or ATMs to the TLUs or DLUs. Data is transferred only from a trip module to the associated logic units corresponding to the system data being processed. l i 46 i
1 l RESPONSES TO NRC REQUEST FOR ADDITIONALINFORMATION (RAI) SIMPLIFIED BOIIJNG WATER REACTOR i SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS i RAI 420.42 (continued) The SSLC cabinets also transmit data to other system cabinets, either for control or alarm and display purposes. Safety-related data can only be transmitted to the non-safety-related side and not vice versa. Fiber optic data links are also used for this purpose. Signals for the main control room displays or process computer are transmitted to a network gateway device for routing to the high speed data network that connects the main control room console and process computer equipment to other plant equipment (see SSAR Figure 21.7.3-6). l l I l l 47 i l
i RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.43 Describe the channel bypass provision in the reactor trip logic. This should include a detailed description of the design of hardware and software for reverting the 2-out-of-4 logic to a 2-out-of-3 logic,2-out-of-4 logic to automatic trip, other logic reverting, alarm provision, and the basis for permitting indefinite time bypass of one channel for testing or maintenance. Is the
" channel bypass" limited to the same function (e.g., high containment pressure) or can it be applied to different functions (e.g., one high containment pressure and one low water level)? Describe the relationship between channel bypass and the trip design. Describe the method of the bypass indication at the work station in the main control room. (Reference SSAR Section 7.3.4.2.)
GE Response: Channel Ikoass Provisions for Reactor Trin I ocic The attached Figures 420.43-1 and 420.43-2' illustrate the Reactor Protection System (RPS) and Engineered Safety Feature (ESF) bypass circuitry,
- respectively. These figures have been revised from similar ones appearing in ABWR Safety System Logic and Control (SSLC) Hardware / Software System Specification 23A6915, Rev. O. As described in SBWR SSAR Section 7.3.4.2, two types of channel bypass exist, division-of-sensors bypass and division-out-of-senice (or division maintenance) bypass. For division- ,
of-sensors bypass, all sensors in one division are bypassed simultaneously for both RPS and ESF channels; individual sensor channel bypass is not part of the SSLC design. However, individual channels can be placed in a trip condition by applying a simulated trip signal to the Trip Logic Unit (TLU) input for a given failed sensor channel.' As shown in the figures, the four divisional bypass units are interlocked so that only one division-of-sensors bypass can be applied at a time. When a dhision-of-sensors bypass is applied, all divisions revert to 2-out-of-3 for trip, since the bypass state in the bypassed division is transmitted to the remaining divisions and applied to those divisions' bypass inputs. The bypass units are implemented in simple hardware logic and use hardware switches. Bypass status and interlocking signal transmission between divisions is by means ofisolated fiber optic data links. The bypass functions are fully integrated with the channel trips and are qualified with the trip functions as safety-related. 48
! RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR
- SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.43 (continued)
The bypass state ahvays goes high to bypass. For fail-safe RPS and Main
- Steam Isolation Valve (MSIV) logic, the trip state goes low to trip. Applying the bypass puts a permanent no-trip signal into each 2-out-of-4 voter, thus requiring two more inputs from any redundant set of sensor channels to go low to produce a trip output for that division. For fail-as-is ESF actuation logic, the trip state goes high to trip. Applying the bypass inhibits a tripped state from activating the 2-out-of-4 voter, thus requiring two more trip states to go high before a trip is produced in a particular ESF channel.
All bypasses are alarmed (per disision) in the main control room, including the condition of sensors being in a tripped state in the bypassed division (see SSAR Figure 21.7.2-2 for RPS). At the operator display, bypass indications are grouped near the sensor trip alarms. The other type of bypass, division-out-of-senice (or division maintenance) bypass is applied at the output logic units of the divisional trip channels, after the trip logic unit. This bypass arrangement is similar to the division-of-sensors bypass, but is applied at the trip output to the load drivers, which are connected in a 2-out-of-4 configuration. In this way, all equipment in a bypassed division can be tested, calibrated, or seniced while the remaining divisions are operating in a 2-out-of-3 mode. As before, the bypass signal goes high to bypass. For RPS, the bypass signal effectively energizes that division's load drivers permanently, thus requiring two of the remaining three divisions to trip in order to cause a reactor trip. For ESF, the trip state goes high to trip. Applying the bypass inhibits the trip signal from reachmg and energizing the load drivers, thus requiring two more high trip signals from other divisions before actuators are energized. Note that unlike division-of-sensors bypass, division-out-of-service bypass can he applied individually to the logic channels of the affected system. ; 1 Division-out-of-senice bypass and division-of-sensors bypass are independent and can be applied together in any combination of dmsions. i Sensor voting logic and output trip voting logic are never reduced below 2-out-of-3. Manual divisional RPS trip, manual scram, manual Main Steam Linc (MSL) isolation, manual containment isolation, and manual Depressurization Valve (DPV), Safety Relief Valve (SRV), and Gravity Driven Cooling System (GDCS) actuations are not bypassable. 1 49 l l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WNTER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.43 (continued) Although indefinite time bypass of one division for testing or maintenance is feasible, GE does not take credit for this condition, since the SBWR PRA considers the protection system as having four operational divisions. This matter was resolved with the NRC staffin developing the ABWR technical specifications (SSAR Chapter 16), where a similar
~
concern was raised. The ABWR Chapter 16 LCO completion times indicate the NRC/GE agreements Ihr all combinations of bypass conditions. The SBWR completion times will he developed in a similar manner. 50
...___ .- m . . . _ . _ . _ _ ..___._.m. ..-.m.-__...____m_m..._m.._m-.-~
= _ _.m...__.,_~....~.m._m.. . . , _ . ..m._ . . - _ . - _ . . .. . . . - . . _
Massal Masami DMatos DMdan leolstles < Isolution MSIV I l MSIV TO Ms:V Pa.OT TO MSiv PILOT 7 p'p : VALVE SOLENOID LOAD DRIVERS VALVE SOLENotD - LOAD DRIVERS mgy h '""" ppg pps um < ttu etv ILO =e-trem # T E
-.am
- b -
TLU .
- f I, free
- v$tvg E N
" : I prus "
-;p_g gg,y,,
- p I ~h -
ars LOAD DRIVERS ,gp i D NN kOfn N N j :n - si m1 4 4-- _q _.q J - 43 " lR % , u_
-ERHKos 2
i
-) j kos =
li!!Ls. ,
-~
** T'"
]
id gOf ___q i".
;3EEffW. =-
, .y
" -1 _5 w =-ELY@.$sx -
I h-1 1
~ "
ra lm ei h
= d' "
'! S ~*=
Div. IV a mm w mme m w. - -- m Div. I m-a -
~
BYPASS UNIT gjy, (({ Div. H BYPASS UNIT
- _.=-
- =._
h'._1 1 l_
;._ -5g_[ q I" L_ S
'__ a mam 7-" E
_. h" b --T "O nw"~k u .thw 4 = 3 I- j l m "pb w .thw 3
-. .= _ g,f,2
_ t-__ ,2 4 g-i d >J. L. m d id id i p g- I - 2 "E ' d
*q un M IE
_ = _ i
==-
_ _ E_ I M, uan M* a DMa Lf E 31
'@ '~
g Trty gg % EMS ===@ - uni , ,y _ TLo g TO RPS PILOT
* - i 3
"~
j m ,sda. DTMs gq hl 4> h} ,
.m' P -
D V LVE LOAD DRIMS h_( ;_ ,,m, P g [(y,
,,__g d_ *
+
DTMs gg,,,,
- i k > "-
-C _
- TO MSfV Pa OT av (tu
=
RPS N RPS TO MSIV PtLOT M, r VALVE SOLENOID LOAD DRIVERS
- VALVE SOLENotD -
WAD DRIVERS M L. ._ " " " ' * * "
- MSIV M:
D*
, 8,,,
Dww MSIV 4 Iselstise 1
% h SSLC BYPASS SCHEME- RPS / MSiV Figure 420.43-1
n TYPICAL FOR TYPICAL FOR ICS, DPV, SRV, GDCS, ATWS, ICS, DPV, SRV, GDCS, ATWS, LD&lS (EXCEPT MSIV) LD&lS (EXCEPT MSIV) e T 2 } TO SMGLE CHANNEL TO SMGLE CHANNEL ,- { li sn,,, w
* -.-g. -
LOAD DRIVERS
~
LOAD DRIVERS : g h ig w
$j 3
*' E 4 "'ru
-5 3 _gM r TO M LOAD DRIVERS TO M LDAD DRfVERS - g 5- Q
#'m*
gy j _ _ tr fro m M DN'
~
Tt 1 INTERDfVISONAL COMMUNICATIONS FOR T1 M @hOm EMS BYPASS STATUS AND BYPASS NTERLOCK5 EMS BYPASS UNIT .L BYPASS UNIT
-Y g ,,_5
- i. _-
p_ -, ta _q _q J -5J gp., gp- e_, _
,e<OSgfll_ -{ g3f<;;E g
I s.- jEMiiE"" EN_ j?~' -
""~dj S
""EEMkx
-n i ri s h 1 1rw Diw W S "~ d 'b ~ ~'*-
Div. I w-a : n, -
- -. annaw : vaaw - - w= -
Div. H BYPASS UNIT
, i _,.
BYPASS UNIT Div. HI
#_ii 7 0 m_y q _T--_i:i 6-.-
pnaw =-
}_ -- _
q
- = -ap .._
=~
n u--rm (
.rerm RET Tggi OSigi (i- --? igi;;af ~ER_, . .: Tm i ti td i 2 2 h :l' - - -
b- diil J. arma '"
"!$ g-'! D "' uan in h
y frOm e j frOm
$--EMS
"' ow c,m TLu , gyrw i EMS ==@ ; Irm i ,y _ ow i,w ,
~
t-g- ~*"
$- % --m-J ..[
-#t - TO M LOAD DRfYERS x
- TO M LOAD DMVERS 7 'IE-
'*- +a= }
DN8 * *5 % ---m- > -- = TOSMcLEcHanNEL TOSmotEewinnEt : I, t.e_- (g * *I#W' i gg -ey - LOAD DRl VERS LOAD DMVERS -. { e --- b'- [4 TYPICAL FOR l TYPICAL FOR ICS, DPV, SRV, GDCS, ATWS, ICS, DPV, SRV, GDCS, ATWS, LDalS (EXCEPT MSIV) h p LD&ls (EXCEPT MSIV)
- o SSLC BYPASS SCHEME-ESF/ICS Figure 420.43-2
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.44 Provide a list of manual actuation controls that are not independent of safety system logic and control or the essential multiplexing system. Provide a list of manual system-level and component-level actuation controls that are independent of the SSLC and EMS. (Reference SSAR Section 7.3.4.3.) GE Response: Independence of Manual Controls
- Manual actuation controls that are independent of the essential multiplexing system (EMS)
All manual actuation controls are independent of EMS. Multiplexing is used only for input data from plant sensors. Manual actuation controls that are independent of Safety System Logic and Control (SSLC) Manual Scram Manual actuation controls that are not independent of SSLC All other manual controls are within SSLC. However, if this question refers to whether the controls are within the software-based portion of SSLC or the hardware-based portion of SSLC, then the answer is as follows: See the response to RAI 420.35 for the Engineerd Safety Feature (ESF) manual controls. All these controls are outside of the software-based portion of SSLC except the manual Automatic Depressurization System (ADS) control that actuates the DPVs. Manual divisional trip fbr Reactor Protection System (RPS) is outside of the software-based portion of SSLC. Isolation Condenser System (ICS) controls are within the software-based portion of SSLC. However, a diverse Reactor Pressure Vessel (RPV) level 2 actuation ofICS is performed in the hardware-based portion of SSLC. Note that ICS is not part of FSF. l I 51
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.45 The second sentence of paragraph 2 on page 7.3-27 states that the testing shall not cause actuation of the i!ven equipment. Describe how this will be accomplished. _ (Reference SSAR Section 7.3.4.4.) GE Response: Testine See the response to RAI 420.18. On-line self-test does not change the trip state of any logic; it checks fbr data errors in the communication path and monitors timing and program flow, status of registers, etc., in addition to checking power supply levels and circuit continuity. Off-line self-test, available when channels are bypassed, does change trip states, but because of the bypass, will not cause actuation of driven equipment. l 52 .
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIMPLIFIED BOILING WATER REACTOR ; SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l RAI 420.46
- Describe the qualification of suneillance test equipment and diagnostic equipment. In addition, describe the interfaces between the test equipment and the safety equipment. Could the test equipment (1) compromise the separation between channels or (2) potentially degrade the safety-related l equipment or system that they are testing? (Reference SSAR Section 1
7.3.4.4.) , GE Response: j Oualification Interfaces of Surveillance Test Erminment The interfaces between the surveillance test equipment and Safety System Logic and Control / Essential Multiplex System (SSLC/ EMS) are shown for l one protection system disision in attached Figure 420A6-1. - l l On-line self-diagnostics and conventional manual test methods are the ! main periodic test functions used for SSLC and EMS. Surveillance test l equipment is only used for off-line testing and so cannot degrade the ! operational safety channels. The equipment is not connected to SSLC or l EMS when the protection system is on-line. Connectors are provided on ! the protection system controllers for test equipment connection so normal system cabling is not disturbed. Portions of the protection system that are bypassed on-line can be surveillan;e tested without causing output trip. Since automatic on-line testing is suflicient to check most logic and communication functions (including inter-divisional communications) without causing actuator trip, simultaneous four-division testing is only j performed during a maintenance outage. Thus, channel separation is l never degraded by test equipment charing protection system operation. Because of the 2-out-of-4 voting configuration at both the sensor input and divisional trip output sides of the protection system, simulated sensor signals must be injected simultaneously into the redundant sensor channels. In this way all trip logic can be tested up to and including the actuators. Some driven equipment may have to be disconnected if actuation is not desired.
- Since the surveillance test equipment is not an on-line interface to the safety systems, it is not qualified as Class IE safety-related, but is, of course, calibrated to industrial standards for the appropnate accuracy reqmred.
I
- 53 l
f rd.NMJJ. DfV. U DIV m i DIV. I 120 V VITAL AC 120 V VITAL AC l Hardwired Output TRP Ef.wh EANU" (not multiplexed) y spe sena;c se m e TRIPS TO TRIPS FROM 'g '( Div. u nity Ttus Div. n ut ry DTue s + UNIT l [a g b SENSORS 4 non-pP c d N /
L LD %.
LMU CMU DTM TLU gd
' b
+.r.--++
+ r r-gp RPS : 3/4 L l2/ 4l lg a e v i i t
1 le TO GNUP A SCRAM PILOT BO MWP B KCRAM PfLOT v nvE vAtvE i , , e e SOLENOIDS f SOLENODS
' i i /
' ' /
l
' l DIVIS1040F-SENSOR $ l DlVtSION-OUT4F SERVICE l SENSORS l' 'l t BYPASS CONTROL l SYPASS CONTROL l
/
[, ,hI G LMU +!! - .
/ w"**.dM,'"_d;
,p +.-_ 1 \ intmwption a manad 1 Lo i MP
> L ----
- j iJ w 9.n.e6 s. 1 ni r ted signal infection
.ooo
=9.5. '\ f f
tarechen Calibradon Unit SurVelllance Test C W kr Y.#_*'d - i
\f- w namdry. pen; tese rim,s TRtps To 1 (not shown) riU injeet ment Dlv n tu ssitue \ throup il), bue nor throup squib
$$$ \ ==
DTM
.-e. TLU ,,DPV \,=w ai g
= i
~
= U DPV 214 to"onc' &l Q, k
(, , ',
~
,,o,,l""
, ---9. Mn3 ' '
lll Hardwired Output , REACTOR BUILDING CLEAN AREA (not multiplexed) .
. - . . _ . . - . - . - _ .. . .- e Tnips FRou av nmivom. .
N I MAIN CON'iOOL ROOM g
- l ""
*"" " " " ~
=-J,=
3 I i l '
.' h y-w& W e
( ) I : :: >g I ____ , a ...
..o . . . _ . - . . - -
... ..o l ...,,.. . ... . . . . . . . - - . .
l ...
..o \
Control Room g . Test and Monitor Unit . . . g'.. 4
- 4e
. y- g l ,
t _ _ _ _ _ __.-_ _ _._ _l = 1 p b l2/4l Figure 420.46-1 SAFETY SYSTEM LOGIC & CONTROL TEST SCHEME (npictd end.to-end connection for RPS andpart of ESF in one offouer divisiom)
l i l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.47 Describe how protection systems are tested end to end. If some portions of r the systems are not tested, explain why. In addition, explain (1) how failures in on-line testing systems will not prevent the safety circuits from performing their safety functions and (2) how the test configuration does not siolate the separation requirements. (Reference SSAR Section 7.3.4.4.) GE Response: End-to-End Testinc of the Pmtection Svstem See the responses to RAI 420.17,420.18, RAI 420.19, and RAI 420.46. Overall testing is performed through a series of overlapping ftmctional tests, as permitted by lEEE Std. 338. As described in SBWR SSAR Section 7.2.1.4 for Reactor Protection System (RPS), these tests include the following:
- Channel Checks: Cross comparison of values of analog scram .
variables, permitting verincation of operational availability of sensor ' instrument channel.
- Detector Actuation Tests: Simulated signals input to the individual detectors or sensor channels for all RPS-related instrumentation channels which are capable ofinitiating a reactor scram, permitting the trip channels to be tested or calibrated and setpoints to be verined.
Trip System Logic Tests and Trip Actuator Tests: Simulated scram signals, permitting trip system logic to be tested. System outputs toggle, permitting operation of the trip actuators to be tested. l l
- Paired-Control-Rods Scram Tests: Switches are installed in the main
! control room to permit testing of the fitst scram operation of the l I individual pairs of control rods and to conGrm, when necessary, that the individual control rods have scrammed.
- Coincident Logic Tests: Testing of coincident two-out-of-four (or one-out-of-four, twice) trip logic will verify each combination of trip conditions for each set ofinput scram variables in an RPS trip channel.
Testing will also verify each output logic combination of trip conditions in the four RPS trip systems. This testing will be performed in accordance , with the Technical Specifications. i l 54 i I
l i RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l
)
, I I i l l RAI 420.47 (continued) Similar tests are performed for Engineered Safety Feature (ESP) functions (see SSAR Section 7.3.4.4, covering Safety System Logic and Control (SSLC) logic processors). l All portions of the protection system are testable on-line, but not all portions can be tested automatically For RPS and Main Steam Isolation Valve (MSIV), the final output logic and load drivers are tested periodically with the divisional trip switches, resulting in a half-scram or half-isolation, respectively. For ESF, similar tests are possible for the 2-out-of-4-configured systems; for single-train-per-division systems such as LD&lS and ICS, with i , motor-operated or air-operated valves, on-line load driver actuation is not possible without actuating the driven equipment. Suitable test intervals for performing in-senice tests of the RPS and ESF t sensor instrument channels and the RPS and ESF trip actuators (i.e., load drivers, relays, and motor control centers) are provided in the Technical Specifications (Chapter 16). l On-line diagnostics are monitoring functions that do not insert signals into the trip path or cause trips to change state. These diagnostics are qualified l along with the safety-function software as part of the final software verification and validation (V&V) program. Within the real-time operating system, diagnostics are performed only during time intervals not used for safety function processing. In addition, since on-line diagnostics are confined to individual controllers, a random failure in one division will result only in a divisional failure that can be bypassed. l l i
)
l l l ! 55 l I - ,
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.48 Describe any design or testing requirements that deviate from Section 3.6.1,
" Testability Requirements," of Chapter 10 of EPRI Advanced Light Water Reactor Utility Requirements I)ocument, Volume III, Passive Plant.
(Reference SSAR Section 7.3.4.4.) GE Response: Deviations of Testine from EPRI URD. Chapter 10. Section 3.6.1 As described in the responses to RAI 420.17,420.18, RAI 420.19, RAI 420.46, and RAI 420.47, all testing requirements of Section 3.6 are met by the SilWR protection system design. l l 56 l i
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.49 Provide a discussion of the use of commercial dedication software in safety systems. The discussion should also include the criteria for selecting commercial software, the accuracy of tools, and the process by which the developer notifies the end user of changes. (Reference SSAR Section 7.3.4.5.) GE Response: Use of Dedicated Commercial Software in Safety Systems The use of commercial software in safety systems is covered in the SBWR Certified Design Material (CDM), Section 3.4(B) and the accompanying Inspection, Test, Analyses, and Acceptance Criteria (ITAAC) table and is endorsed in the SSAR through conformance to ANSI /IEEE ANS-7-4.3.2 i (1993). The issue of commercial dedication of software in safety systems is resolved in the ABWR SSAR in Appendix 7B (the Tier 2 material l developed to support the I&C CDM) by a commitment to ANSI /IEEE ANS-l 7-4.3.2 (1993), " Standard Criteria for Digital Computers Used in Safety Systems of Nuclear Power Generation Stations". This standard includes commercial dedication of third-party software and the use of commercial software tools for safety-related applications.' Appendix 7B and AMSO/IEEE ANS-7-1.3.2 (1993) both apply directly to SBWR, along with the following discussion. l As stated in the standard, the dedication process requires the inclusion of ; the requirements that the commercial software shall meet in the ! verification and validation (V&V) and configuration management plans. l The requirements shall address the similarity of the nuclear and non-l nuclear applications. Additionally, the requirements shall describe the l aspects of the commercial software which demonstrated that the software has the high quality required. Both complete software designs and partial designs (operating systems) are covered by the dedication process. 1 Also as stated in the standard, commercial software development tools l become part of the software configuration management process, and are controlled by, but are not formally certified through, the V&V program. These tools can include, but are not limited to, compilers, debuggers, software documentation programs, and testing tools. The software tools are l not required to be verified and validated as safety software. A tool will be indirectly verified, first hy prior knowledge ofits extensive usage in 57 l
l l l l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORhfATION (RAI)
- SIhiPLIFIED BOILING WATER REACTOR (SBW.R)
SSAR CHAPTER 7, INSTRUh1ENTATION AND CONTROLS RAI 420.49 (continued) operational industrial applications, and, second, through the formal ! verification process, where the results of code generation are checked by an independent team of reviewers against design requirements and performance specifications at each stage of software development. Eventually, testing of the integrated software and hardware combination is performed as part of the final validation process. The section of the standard covering tools reads as follows:
"5.3.4 Software Tools A software tool is software which is used in the development of safety software but which is not installed and relied upon to l perform a function. These tools can include, but are not limited i to, compilers, debuggers, software documentation programs, and testing tools. The use of these tools is important to the development of quality software and therefore the tools are l required to be identified in the V&V and configuration management plans. The software tools are not required to be j verified and. validated as safety software."
l i l l I 58
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) , SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.50 Although there are some differences in the systems aspects of the advanced boiling water reactor (ABWR) and the SBWR design, the electronic components and modules used for the SBWR I&C are very similar to those of the ABWR. Therefore, the requirements met by the SBWR design also should be very similar to the ABWR requirements. Provide a list of the standards and RGs with which the ABWR design ' complies, but the SBWR design does not. Also provide a list of standards and RGs which are unique to the SBWR design. In addition, provide a justification for each difference. (Reference SSAR Section 7.3.4.5.) GE Response: Differences in Desien Standards for ABWR and SBWR There are no kno vn reasons for standards to be different between the ABWR and SBWR I&C designs. While the system design and configuration differ between the two,in the areas of electronic components, software development, communications technology, operating emironment, and setpoint methodology the same standards apply to both designs. t 59 l:
I RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION_ (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIS RAI 420.51 Describe the methods used to program fi mware. The discussion should address the programming process that is implemented to improve the reliability of the firmware. (Reference SSAR Section 7.3.4.3.) , GE Response: Methods Used to Procram Firmware Firmware programming is controlled under the hardware and software development process described in Section 3.4, " Instrumentation and Control", of the SBWR Certified Design Material,25A5354, Rev. A. This process establishes an overall software development plan, which includes a Software Management Plan, Configuration Management Plan (CMP), and Verification and Validation Plan (V&VP). The CMP defines methods to produce software design documentation, correct errors found in software design, and maintain the status of the developed software design. The V&VP ensures that validation is performed through controlled and documented testing of the developed software as installed in the target hardware (in the form of firmware) and that such testing demonstrates compliance of the software with the software requirements specifications and compliance of the devices under test with the system design specifications. , Actual programming methods for producing finnware are a design and manufacturing detail that will be established at the time of software coding to meet the requirements of the software development plan. 60
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.52 Identify the reports that will be provided to support any aspects of the software development requirements that are different relative to software development requirements previously reviewed by the staff. (Reference SSAR Section 7.3.4.5.) GE Response: ! DifTerentes in Software Development Reauirements between SBWR and l nreviousiv reviewed desiens
' Software development requirements are identical for the SilWR and ABWR instrumentation and control equipment.
t i 1 t i i 61
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.53 , Describe how software errors are tracked during software development. (Reference SSAR Section 7.3.4.5.) GE Response:
. Methods for Trackinc Software Errors A commitment is made in Section 3.4, " Instrumentation and Control", of the SBWR Certified Design Material,25A5354, Rev. A, to establish methods under the Configuration Management Plan for tracking software errors. The use of software metrics is mentioned as a method for consideration; however, under the Design Acceptance Criteria (DAC) process, the COL applicant will be able to evaluate and select the best methods at the time of software development.
l l l l l 1 1 62
I RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR. ; SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l RAI 420.54 Paragraph 3 on page 7.3-27 states that the use ofinterrupts for processing safety-related functions is discouraged. What are the requirements for i using interrupts when they jur, used? (Reference SSAR Section 7.3.4.5,) i GE Response: Use of Interrunts for Processine Safetv-Related Functions The use ofinterrupts in the microprocessor-based logic processors of Safety - System Logic and Control (SSLC) is discouraged in order to ensure that i safety-related processes go to completion in the required time period . without interference from competing tasks. In general, this applies to external interrupts, where, for example, the acquisition of data from a sensor that may be indicating a safety-related tripped state should not be
- interrupted to read other sensor data or perform other tasks that are not as critical. However, in real-time systems, the CPU's operating system may safely use interrupts when a high-priority task must interrupt a lower-l priority task.
l In the SBWR protection system design, each CPU-uses a minimal operating system (kernel) optimized for the necessary functions. This 1 provides more predictable performance than a full operating system for the few required safety system logic functions. The control program is structured in a modular, block fashion. The operating system controls the - resource allocation to the various tasks which run under its control. The tasks call independent modules as needed and link them to perform their function. Safety-critical tasks have the highest priority and self-test has the
- lowest priority, running only when spare CPU time is available.
l All real-time programs, including kernels, have " critical code" sections that must run to completion without being interrupted. At a " pre-emption point" in-between these sections, the kernel can safely interrupt its processing and turn its attention to other matters. Some kernels are fully pre-emptable at virtually any point. ; If multitasking is used to minimize time delays, then the operating system periodically disables all interrupts and shuts itself off from the outside world to catch up on bookkeeping. 1 l l 63
i RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7,INSTRUhfENTATION AND CONTROLS l RAI 420.55 Describe the local area networks and communication systems and provide a list of standards with which the SilWR will comply, In addition, provide ! the installation requirements for fiber optic lines. (Reference SSAR Section ! 7.3.5.2.) GE Response: Standards for Local Area Networks and Communication Systems I
- 1
{ Since the stated reference in this RAI is to the SSAR system description . 1 l section for the essential multiplexing system (EhtS), the response will be limited to EhtS. A discussion of EhtS has been provided in the response to RAI 420.9, with reference to the EhiS LED in SSAR Figure 21.7.3-6, which shows the l relationship of EhtS to other plant data networks. In each division, EhfS is a l- bi-directional, dual-redundant, reconfigurable Fiber Distributed Data l Interface .(FDDI) network, complying with the FDDI communications ; l st;mdard ANSI ASC X3T9.5 or equivalent. For compatibility in interfacing
- with other plant networks, microprocessor hardware and software for use i
in the EhiS will be compatible with communication protocols developed j under the International Standards Organization (ISO) open systems interconnect (OSI) specification, ISO 7498, as stated in SSAR Section 7.3.5.2. Additional information can be found in ABWR SSAR, 23A6100, Rev. 2, in Appendix 7A, Section 7A.2, Response 10. Installation Requirements for Fiber Optic Lines in SBWR Optical fiber cables are generally smaller and lighter than equivalent metallic conductor cables. However, they can be manufactured with sufficient ruggedness to permit installing these cables in cable trays and conduit along with metallic cables. Typically, the optical fibers are surrounded by support and fill materials, such as steel wire and . clastomers, within the overall cable. This assembly may be wrapped with a non-metallic material such as Kevlar" to improve tensile strength. In addition, the cable assembly may then be enclosed within an aluminum-or copper tube and covered with an outer insulatingjacket. This type of cable bundling allows optical cables to be handled like electrical coaxial cable when pulled through conduit. For SBWR use, the outerjacket would be fire resistant to meet the requirements ofIEEE-383. ! 61 l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l RAI 420.55 (continued) Standard industrial grade fiber optic cable with insulation specified to meet local environmental conditions will be used for the EMS. After installation, all fibers used for the EMS will be checked for optical power loss in accordance with the manufacturer's data sheets. Any fiber not meeting the optical power loss criteria will be stripped away from the termination points so as not to be usable in the future. The experience of the telecommunications industry has shown that it is possible to package optical fibers using combinations of the above techniques so that optical fiber cibles can operate reliably even in hostile environments such as direct earth burial or under the ocean. It is intended that optical communications for SBWR will be performed within the main control room (between protection divisions and to the operator control console or process computer) and between the main control room and local Safety System Logic and Control (SSLC) cabinets and local multiplexing units, which are located outside of the secondary containment in clean areas of the Reactor Building. These clean areas will have HVAC that will maintain a control room environment. Optical fiber cables will not be routed through high radiation areas. The quantity of cable will be minimized by using serial multiplexed data transmission as the main communication technique. Although optical cables can be physically protected as described above,it should be noted that these cables do not need special protection from EMI/RFI sources (relays, switchgear, motors) and are not susceptible to - crosstalk from adjacent metallic cables, including power cables, or other optical fiber cables. Some skill and special care are required to install and align connectors on optical fiber cables so that the continuity of the light path is maintained from the transmitter to receiver with low losses. However, improved connectors and termination techniques are continually being developed , by the industry. Since most cable breaks occur near the connectors, cables ! must also be properly supported to relieve strain on the terminations. ) 1 65 I
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CON'I'ROLS l RAI 420.56 i The fiber optic line protects signals from the noises in the environment; however, the fiber optic line driver and receiver are susceptible to the noises in their environment. What are the environmental qualification criteria for these drivers and receivers? (Reference SSAR Section 7.3.5.2.) GE Response: Response to ABWR Question 420.84 (presented in the ABWR SSAR Section 20.3.8, page 20.3.8-16) and information presented in the ABWR l Appendix 7A, Responses 7A.2(4),7A.2(15),7A.3(6) and 7A.3(8) provide j detailed discussion on the criteria and standards that will be applied to the fiber optic equipment design and testing. These criteria and standards are also used for the SBWR design. l l l l 1 l f 60 l
. . - - ~ - .. . .- _ - -
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIhfPIlFIED BOILING WATER REACTOR SSAR CHAPTER 7,INSTRUhiENTATION AND CONTROLS l ' I I l RAI 420.57 i Show how the independence criteria in accordance with IEEE Standard 603 and IEEE Standard 379 are satisfied with the proposed configuration of fiber optic links. (Reference SSAR Section 7.3.5.2) GE Response: Conformance of Fiber Ontic Link Arrancement to Independence Criteria Confonnance to Section 5.6.1 ofIIEE 603-1991: Each of the four disisions of protection system equipment has a separate and independent essential muhiplexing system (EhtS) located within the reactor building safety envelope in the divisional clean areas. The liber optic links of each EMS are connected only within each Eh1S division, either to the protection system equipment in that division or to the main control room displays and controls. No communications are performed j between divisions of EhtS (trip data is exchanged between divisions by ! fiber optic links of Safety System L.ogic and Control (SSLC) that are independent of EhtS). l l Conformance to Section 5.6.2 ofIEEE 603-1991: l All protection system equipment, including Eh1S and SSLC,' conforms to IEEE Std 603-1991 and is qualified as safety-related, Class IE and Seismic Category I. Conformance to Section 5.6.3 ofIEEE 603-1991: As stated in SilWR SSAR Section 7.2.1.3, RPS, which includes the fiber optic links of EhtS and SSLC, complies with the criteria set forth in IEEE 603, Paragraph 5.6, and RG L75, which endorses IEEE 384. The fiber optic links themselves proside isolation, a physical barrier, and separation distance, but total protection of the four safety-related equipment divisions is afforded by the separation of the reactor building clean areas within the safety envelope. When software is involved in data transfer, software isolation is implemented through one-way broadcast of data without handshaking control and a prohibition on interrupt-driven requests for l data from the non-safety side to the safety side. Further details on isolation ! of data transfer invohing fiber optic links is given in AllWR SSAR l ' Chapter 20, Response to RAI 420.128. This discussion also applies to i SilW R. i 67
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) ; SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.57 (continued) Conformance to Section 5.1 ofIEEE 379-1977: Based on the above discussion of the independence of fiber optic links of EMS and SSLC, it can be seen that no single failure of a link or its associated signal processing equipment will interfere with the proper operation of redundant channels An entire division of EMS can be removed from senice by means of the division-of-sensors bypass provision without afTecting protection system operation other than to place it in a 2-out-of-3 condition. Likewise, a single failure of an inter-divisional link can be resolved either by (1) placing the division from which the link is transmitting in division-of-sensors bypass, which will remove all of that division's signals from service in all other divisions; or (2) by placing the division to which the link is transmitting in Trip Logic Unit (TLU)-output-logic bypass, which removes that division from service and places the remaining divisions in a 2-out-of-3 condition. I i i
.. - .1
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CIMPTER 7, INSTRUMENTATION AND CONTROlli L RAI 420.58 Describe the data highway system for the essential multiplexing system. This description should include error handling and error recovery of the system. Does the SBWR have sufficient error handling capability so that the discovery of an error would not cause a data highway trafficjam? In l addition, describe the data handling capability of the EMS. Explain whether data traflic would increase during abnormal plant conditions?
-(Reference SSAR Section 7.3.5.2.)
GE Response: Data Hichwav System for Essential Multiplexine System (EMS) EMS is not a general purpose " data highway", but is a dedicated,- deterministic network for providing safety-critical sensor signals'to the digital protection system for possible trip action. The network must be deterministic because sensor signals must have guaranteed access to the network to ensure accurate, on-time trip determination. Sensor signals - may be sent to the process computer, main control room complex, or other systems through isolated buffer devices (gateways), but no random communication is permitted. Error handling is provided, as discussed in SBWR SSAR Section 7.3.5.2, by error detection software and hardware that monitor data I/O and internal
- processes of each EMS controller. If a fault is permanent and potentially i unsafe, the system recovers (or fails) to a safe state and the operator is alerted on the interface unit in the main control room. The redundant multiplexing channels are repairable on-line if one channel fails. All
! processor memory not used for or by the operational program is initialized to a pattern that causes the system to revert to a safe state if executed. Errors will not cause a trafficjam on the network because the station management software of the network's Fiber Distributed Data Interface
- l. (FDDI) protocol handles error recovery and ensures automatic
! reconfiguration of the network on severe failures. A more detailed i discussion of error handling and error recovery is found in the ABWR , SSAR,23A6100, Rev. 2, in Appendix 7A, Section 7A.2, Response 14. The ABWR EMS uses the same basic multiplexmg equipment and i communications protocols as SBWR EMS. EMS operates at a constant data rate and with a constant number of sensors. All sensor data is periodically scanned at defined intervals; there are no interrupt-driven inouts. Thus, abnormal plant conditions will not affect the j- quantity or type o' 'ata on the network,just the data levels. 1 I
l RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l RAI 420.59 Provide a safety and hazard ;malysis, sneak circuit analysis, and timing analysis for the protection systems. (Reference SSAR Section 7.3.5.2.)
' GE Response:
Safety Anahses for the Protection System Commitments for. safety and hazard analyses, sneak circuit analyses, and timing analyses are COL action items since technology in these areas will change over time and must be specified by the final software vendor at the time of software design. A commitment to special analyses for safety-critical software is made under the software quality assurance program described in the SilWR Certified Design Material,25A5354, Rev. A, j Section 3.4(II), I l l l i I l t 70
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS l l l i l RAI 420.60 Provide an explicit discussion of how the systems conform to IEEE Standard 279, paragraph 4.5 on channel integrity, as supplemented by RG 1.75 and ' IEEE Standard 384. (Reference SSAR Section 7.3.5.3.) l GE Response: l The reference SSAR Subsection 7.3.5.3 provides a summary of safety evaluation for the Essential Multiplexing System (EMS) IEE Standard 297-71, paragraph 4.5 specifies the channel integrity criterion as follows: l "4.5 ' Channel Integrity. All protection system ' channels shall be designed l 10 maintain necessary functional capability under extremes of conditions (as applicable) relating to environment, energy supply, malfunctions, and ' I acciden ts. " ! IEEE Standard 384-81, paragraph 7.2.1: specifies
" 7. 2 Instmmentation and Control Circuits 7.2.1 General. Electrical isolation methods shall be used as required in ,
instmmentation and control circuits to maintain the independence of l redundant circuits and equipment such that safety functions required during and following any design basis event can be accomplished. This i electrical isolation of instntmentation and control circuits shall be achieved through the use of Class IE isolation devices applied to l interconnections of (a) Class IE and non-Class 1E circuits, (b) associated ; circuits and non-Class 1E circuits, or (c) Class IE logic circuits of I redundant divisions as shown in Fig. 8. Shielding and wiring techniques may also be necessary to achieve and maintain the independence of redundant circuits and equipment." Regulatory Guide 175 has no discussion on these criteria. I Layout of EMS configuration is depicted on Figure 7.3-2a and an interface block diagram for Safety System Logic and Control (SSLC) system l including EMS is shown on Figure 7.3-3. The S13WR design includes considerations for the safety system channel divisionality and integrity such that necessary functional capability of protection system channels, within the EMS components, is . maintained under the extremes of conditions relating to the emironment, power supply, malfunctions (failure or misoperation of the mechanical or structural components) and accidents. 71 l \
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPIJFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.60 (continued) As shown on the above referenced guides, the EhtS equipment is located in the reactor building clean area and thus not exposed to high level radiation hazard. Since the power supply provided for the EhtS equipment operation is of the regulated (constant voltage, constant frequency) quality, there is no adverse effect of the power supply on the proper operation of the EMS equipment. The EMS equipment is protected, either by barrier of by distance, from effects of failure or misoperation of mechanical and structural components in the vicinity of such equipment. As discussed in the SSAR Subsection 3.11.1, the safety related equipment (including EMS components) shall be designed to perform its proper safety function in their localized environment during normal, abnormal, test, design basis accident and post accident conditions as applicabic. As further discussed in Subsection 3.11.3, the 10CFR50.49(b) electrical equipment that is located in a harsh environment is qualified by test or other methods as described in IEEE 323 and permitted by 10CFR50.49(0 Also as stated in Subsection 3.11.3, the procedures and results of qualification by tests, analyses or other methods for the safety-related equipment will be documented, maintained and reported as mentioned in , the General Electric Environmental Qualification Program, NEDE-24326 P, Proprietary Document, January 1983. 1 I 72
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.61 Confirm whether system-level failures of any multiplexer system detected by automatic diagnostic systems are indicated to the operators consistent with the requirements ofIEEE Standard 279 and IEEE Standard 603 regarding safety system status indication. (Reference SSAR Section 7.3.5.4.) GE Response: The Essential Multiplexing System (EMS) for the safety-related functions contains on-line self-diagnostics impbnented in software and hardware that will continuously monitor system performance. Within each control station, the following typical parameters are monitored: (1) status of the CPU, (2) parity checks, (3) data plausibility checks, (4) watchdog timer status, (5) voltage levels in control unit circuitry, (6) memory (RAM and ROM) checks, and (7) data range and bounds checks. Self-test will indicate faults to the module board replacement level. Each multiplexing system has dual channels for fault tolerance and is provided with automatic reconfiguration and restart capability. A detected fault is automatically enunciated to the operator at both the system and individual control station level. If one transmission loop ' is completely out I of senice, that will also be enunciated. Total shutdown of a multiplexing system is indicated by a separate alarm. ; After repair, the system automatically re-initiates to normal status when power is restored to any unit and automatically resets any alarms. Power less to any control station is separately monitored and enunciated to aid in troubleshooting and to alert the ol ierator when power is deliberately removed from a unit when being seniced. 1 The above discussion indicates conformance to the requirements criterion 4.20, Information Read-Out, of1EEE Std. 279-71 and criterion 5.8.2, System - Status Indication, ofIEEE Std. 603.80. 73
i \ RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) i SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS 1 l RAI 420.62 - l Describe how the essential multiplexing system interfaces with non-safety-l related equipment. (Reference SSAR Section 7.3.5.2.) l l-GE Response: The interconnection of Class lE multiplexers to non-class lE devices is done using fiber optic cable. The fiber optic cable will provide the l necessary isolation. ,
- i l The plant process computer is connected to a buffer module (memory storage module). Information is stored in this module by the Essential Multiplexing System (EMS) (Class IE) units for access by the process computer, thus preventing any interruption by the Non-Class IE process computer on the EMS (Class 1E) units.
l l 74
l I' RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) l SIMPLIFIED BOILING WATER REACTOR l SSAR CHAPTER 7, INSTRUh1ENTATION AND CONTROLS l RAI 420.63 Describe the equipment that are tested by the on-line testing and automatic testing, and describe how the essential multiplexing system is tested end to end. (Reference SSAR Section 7.3.4.5.) GE Response: Test Coverace for Essential hiultinlexine System (EhtS) ! Since EhfS transmits plant sensor data to Safety System Logic and Control (SSLC), coverage of the on-line and automatic tcsting features of EhtS is included in previous RAI responses as part of the discussion of Reactor Protection System (RPS), Engineered Safety Feature (ESF), and SSLC testing. Please refer to the following RAls:
- 420.10
- 420.19
- 420.13
- 420.45 l
- 420.17
- 420.46-l
- 420.18
- 420.47 i
EhiS is necessarily tested as part of SSI.C testing or specific safety-related system testing (RPS or ESF) whenever sensor channel tests are performed l from multiplexer input to trip channel output. i The automatic, on-line test features of Eh1S are summarized below: I As in SSLC controllers, Ehis multiplexing controllers (i.e., LhfUs and j
- CNIUs) contain similar on-line self-diagnostics in firmware for the data acquisition portion of the equipment.
Error detection capability includes data 1/O checks (plausibility, boundary, and rate limit checking), rah! and ROhi checks, and program flow checks. Basic system ' health' is monitored by both software and hardware watchdog timers. In the data path, parity bits are appended to each data message and a cyclic redundancy check (CRC) is calculated. The data messages are then checked throughout the data channel for correct , transmission and reception. System hardware is also monitored for shorted, open, and j oscillating inputs and outputs, and high or low power supply voltages. l l 75 l
s RESPONSES TO NRC REQUEST FOR ADDFFIONAL INFORMATION (RAI) SIhfPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.63 continued
- Special multiplexing diagnostics in separate firmware Fiber Distributed Data Interface (FDDI) station management ROhls) monitor network i activity and perform automatic reconfiguration of the usable portion of ;
the network after failures are detected. Since EhtS is dual redundant in each division, a single cable break or loss of a multiplexing device does not result in loss of all data.
- Additional details of EhtS self-test can be found in Appendix 7A of the ABWR SSAR (Section 7A.2, Response 6).
For specialized pre-operational testing and specific testing for electromagnetic compatibility, see Responses 3 and 4, respectively, of Appendix 7A of the ABWR SSAR. These tests are directly applicable to SBWR. End-to-end testing of EhlS is essentially performed as part of sensor channel testing of SSLC, as mentioned above, since EhtS serves primarily to digitize and transmit sensor data to RPS and ESF (manual actuation functions on EhiS can readily be tested by toggling these functions). For the interfaces in the off-line mode between the surveillance test equipment and SSLC/EhtS in one protection system division, see Figure 420.46-1 which is attached to the response for RAI 420.46. True end-to-end testing of EhtS alone is performed off-line using techniques described in Appendix 7A of the ABWR SSAR (Section 7A.3, Response 1). First, where practical, the condition of the fiber optic cables is checked with an optical power meter and light source. For long cable runs, optical time domain reficctometry is used to measure and display optical loss along any continuous optical liber path. Secondly, transmission ; characteristics of EhtS are tested by bit generation. A bit error rate tester generates random bit streams into the LhiU end of the multiplexing system and verifies correct receipt of these streams at the receiving end (input to SSLC or output of control room Ch1Us).- , 1 i 76
. ... -- - - - - . = . . . . - - .
f RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR 1 SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS o RAI 420.64 ] Unlike the AllWR design, the SBWR design has numerous non-safety i systems that perform important functions. Provide a discussion of any precaution included in the SBWR design to prevent or minimize the madvertent initiation of non-safety systems. l (Note: This RAI was further clarified by the NRC via telephone j conversation with GE on January 12,1994 as follows: l The question is asking for a discussion of the reliability measures taken in , the design of the important plant operating systems (feedwater, steam bypass & pressure control, automatic power regulator) such that these systems will not challenge the safety-related systems during plant disturbancews or equipment failure. For example,- discuss triplicated, fault-tolerant digital control and its e))ect son single point failure so that feedwater control will always operate reliably and not cause a low water c level scram. i GE Response: The controls for non safety-related systems, that perform important plant , operation / power generation functions, are designed such that the functional capabilities of the safety-related systems are not obviated. Such , non safety-related systems include Feedwater Control System (FWCS), Automatic Power Regulator System (APRS) and Steam Bypass and Pressure Control System (SBPC). Control and instrumentation for these systems are described in the SSAR sections 7.7.3, 7.7.4 and 7.7.5. Controls for FWCS consist of three-element fauh tolerant digital controller and incorporates many provisions to protect against common-mode failure. More discussion on the FWCS can be found in the SSAR subsection 7.7.3.5, response to RAI 420.95 and RAI 420.96. Controls for APRS and SBPC consist of redundant, triplicated master controllers and provide defense against common mode failures. More discussion on the APRS can be found in the SSAR subsection 7.7.4.5 and response to RAI 420.97. More discussion on the SBPC can be found in the SSAR subsection 7.7.5.5, and the response to RAI 420.98. 1 i 77
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED IlOILING WATER REACTOR (SIlWR) l SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS 1 l RAI 420.66 ; Explain how the SilWR design complies with 10 CFR 50.62 (requirements i for reduction of risk from ATWS events for light-water-cooled nuclear ! power plants). (Reference SSAR Section 7.4.1.) l GE Response: The SilWR design incorporates the following specific features for Anticipated Transient Without Scram (ATWS) prevention / mitigation:
- an Alternate Rod Insertion (ARl) system that utilizes sensors and logic which are diverse and independent of the Reactor Protection System (RPS),
- electrical insertion of Fine Motion Control Rod Drives that utilizes sensors and logic which are diverse and independent of the RPS, automatic feedwater runback under conditions indicative of an ATWS event, and
- automatic initiation of Standby Liquid Control System under conditions indicative of an ATWS event.
Detailed discussion on each of these features and conformance with the ATWS rule of 10CFR50.62 is provided in the SSAR Section 15.8. Discussion on compliance with 10CFR50.62 and independence between ARI and RPS is also provided in response to SinVR RAI 420.76. A block diagram depiction ofinput sensors, logic interface and output interface to FMCRD, ARI, and SLCS equipment for ATWS is shown in the SSAP figures 7.3-la and 7.3-1b. ( These figures are GE proprietary information and are furnished un~ der separate cover). I 78
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS 1 RAI 420.71 l . Explain how standby liquid control system or leak detection and isolation system actuation signals prevent the containment' isolation valves from opening, or close them when they are open. : In addition, proside a discussion of how reactor water cleanup (RWCU)/ shutdown cooling (SDC) system actuation signals are isolated from SLCS and LD&lS actuation signals. (Reference SSAR Section 7.4.3.)' GE Response: The Reactor Water Clean-Up/ Shutdown Cooling (RWCU/SDC) system-functions are non safety-related except for the containment isolation by. signals from the Leak Detection & Isolation System (LD & IS) and for the i reactor vessel isolation by signals from the Standby Liquirl Control System (SLCS). The SSAR Subsection 6.2.4.3.2.2 provides discussio <,n the - RWCU/SDC system containment penetration lines isolation function and Table 6.2-26 shows the pertinent data for~ the RWCU/SDC system isolation valves G31-F005A/ll, F006A/11 and F007A/13. The SSAR figure 21.5.4 shows the Piping and Instrumentation Diagram (P & ID) and figure 21.7.4-4 shows the Logic Diagram (LD) for RWCU/SDC system. Figure 21.7.3-3, (sheet 6) shows the Instrument and Electrical Diagram (IED) and figure 21.7.3-1 (sheets 52 and 53) shows the LD specifically for RWCU/SDC ; isolation function signals within LD & IS. l As shown on the RWCU/SDC logic diagram figure 21.7.4-4 (sheets 3 & 4) isolation valves G31-F005A/B F006A/11 and F007A/11 are signaled to close if they are open and the valve open signal (including manual open) is blocked as long as the LD & IS isolation signal is present or not reset. As i shown on the IED figure 21.7.3-3, and the LD figure 21.7.3-1 the LD & IS signals for the RWCU/SDC isolation includes Standby Liquid Control . System (SLCS) initiation signals. RWCU/SDC system non safety-related functions control signals are non-Class lE and are processed via Non Essential Multiplexing System ; (NEMS), while the isolation valves controls are treated as safety-related and the LD & IS inputs (including SLCS initiation) are processed via Essential Multiplexing System (EMS). Thus the RWCU/SDC system controls are kept separate and isolated from the isolation valves controls. 79
. .. ~
I l ! RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTFP. 7, INSTRUMENTATION AND CONTROLS RAI 420.73 i Provide a discussion of (1)' the reactor water cleanup system / shutdown cooling system parameters monitored, and (2) how monitored data are I processed. (Reference SSAR Section 7.4.3.) l GE Response: l The Reactor Water Cleanup / Shutdown Cooling (RWCU/SDC) system ' parameters monitored for system safety function (isolation of the process lines penetrating containment) are part of the Leak Detection & Isolation System (LD & IS). These process parameters consist of RWCU/SDC flow in each loop, main steamline tunnel area ambient temperature and reactor vessel water level. Discussion on monitoring each of these parameters can- ; be found in the SSAR Subsections 5.2.5.2.1 and 5.2.5.2.2. A summary of LD
& IS control and isolation functions vs. monitored process variables is presented in Table 5.2-8. Discussion on how variables for LD & IS control and al.,rm functions are processed is provided in Subsection 7.3.3.2. Other RWCU/SDC process variables, such as conductivity, radioisotopic concentrations, temperature, pressure and flow, used for the system non safety-related functions are discussed in Subsection 7.4.3.2 i
i l t 80
, . . _ _. . ~ - . . - _
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.74 Describe which isolation condenser (IC) parameters are monitored to > casure that (1) the isolation condenser system is ready to accomplish its safety function, and (2) the IC pool has sufficient water. (Reference SSAR Section 7.4.4.) GE Response: The Isolation Condenser (IC) system's readiness to accomplish its safety function is demonstrated by means of continuous monitoring of the process valve positions, power supply and the nitrogen supply pressure availability and the IC pool levels. The functional operability of the IC system components also is verified by periodic testing of the logic and valves. Specifically, the following parameters are monitored: Steam line to IC supply valves ll32-F001 and F002 position
- Condensate to RPV valves ll32-F003, F004, F005 and F006 position
- Power supply for valves B32-F001, F004 and F006 solenoids Power supply for valves B32-F002, F0093 and F005 motors ,
Nitrogen supply pressure to valves B32-F001, F004 and F006 ' Condensate return line temperature downstream of valve B32-F004 , Differential pressure on condensate return line Water level in the IC/ Passive Containment Cooling (PCC) pool l 81
! RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) ! SIMPLIFIED HOILING WATER REACTOR (SBWR) ! SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.85 Provide a discussion of the equipment classification of the nuclear boiler system (NIIS). In addition, provide a discussion of how the NBS achieves its reliability (i.e., single failure criteria,-defense against failures, etc.). (Reference SSAR Section 7.7.1.1.) GE Response:
-NBS equipment is classified as safety-related except for the non-safety-related part of the hiain Steam Line (h1SL) drains and Feedwater lines upstream of the motor operated gate valve outside containment. (Equipment classification details are provided in Table 3.2-1 and the NBS Process and Instrument Diagram, Figure 21.5.1-1 of the SSAR.)
Mechanical systems and equipment are designed with redundancy to provide backup capability for safety ftmetions in the event of a single failure. The mechanical portion of each safety-related division is i physically separated from the other division by sufficient distance or structural barriers. l Each Main Steam line includes one inboard and one outboard isolation l valve, located as close as possible to the primary containment boundary. Each Feedwater line has one check valve inside containment, two check valves and one motor operated gate valve outside containment. Four Safety Relief Valve (SRV)s are installed on each MSL to provide Reactor Pressure Vessel (RPV) overpressure protection and depressurization capability following a Loss of Collant Accident (LOCA). Two redundant vacuum breakers are mounted on each SRV discharge line inside the drywell. Six Depressurization valves are installed to depressurize the RPV rapidly ! following a LOCA signal. (Additional details are provided in Figure 21.5.1- 1 1 of the SSAR.) I The mechanical portion of each division of the safety-related NBS I instrumentation located in the Reactor Building is physically separated , from the other divisions by structural and/or fire barriers. I Physical separation or electrical isolation exists between Class 1E divisions. Physical separation or electrical isolation exists between Class 1E divisions and non-Class lE equipment. i 82
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI)
-- SIMPLIFIED BOILING WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROIS l
I l RAI 420.85 (continued) i
- MSIV's are spring loaded, pneumatically operated globe valves designed to i close on loss of gas pressure or loss of power to the solencid operated pilot valves. The separate and independent action of either gas pressure or spring force is capable of closing the MSIV. Per SSAR Section 6.2.4.2.5:
i l Electrical redundancy is provided for MSIV's, eliminating the dependency on one power source to attain i. solation. Electrical cables for MSIV's in the same line are routed separately. (For additional information on MSIV's, refer to SSAR Section 5.4.5.) Each Safety Relief valve is equipped with a pneume. tic accumulator and check valve for the Automatic Depressurization Syr. tem, (ADS) and overpressure relief operation (power actuated mode) opening functions. The accumulators assure that the valves can be opened following loss of gas supply. Depressurization valves are squib actuated non-reclosing valves. Though each valve has two squibs, only one is required to actuate the shearing plunger. Squibs are initiated by two baucry-powered independent ; firing circuits. (For additional information see SSAR Sections 5.2.2 and 6.3.3.2.) I i i l l l i I i l 83 l l
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS 1 i RAI 420.86 Describe how the nuclear boiler system is tested. Provide a list of the RGs ; and standards with which it will comply. (Reference SSAR Section j 7.7.1.4.) l l GE Response: The testing of the various parts of the Nuclear Boiler System (NBS) is given in various sections of the SAR as follows: The calibration and testing of the Nils instrumentation is performed during preoperational testing as well as during plant operation as described in section 7.7.1.4 of the SAR. The testing requirements and applicable. Regulatory Guides for the Automatic Depressurization Subsystem (ADS) instrumentation and control which is a part of the NBS, are given in section 7.3.1.1. The applicable Regulatory Guides are listed in Table 7.1-1 against " auto depressurization subsystem" and out of these the particular ones applicable for te mg are 1.22,1.105,.l.118, & l.153. The testing and inspection requirements for the SRV's are given in section 5.2.2.4. ! The preservice and insenice testing of the reactor coolant pressure boundag (which includes portions of the Nils) and the related standards are given in section 5.2.4. The testing and inspection requirements for the ADS are briefly described in section 6.3.3.4. i l The NBS preoperational testing is described in section 14.2.8.1.1. l l M
.. ~ . - - _= -, -
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPIJFIED BOIIJNG WATER REACTOR SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS RAI 420.90 Describe the power supplies of the non-safety systems that perfonn important functions described in SSAR Section 7.7. The description should also include the sources of power. Are these power supplies redundant ano ; uninterruptable? GE Response: The non-safety systems that perfonn important functions described in the. SBWR SSAR Section 7.2 are: Cl1 - Rod Control and Information System (RC & IS) C31 - Feed Water Control System (FWCS) C82 - Automatic Power regulator System (APRS) C85 - Steam Bypass & Pressure Control System (SB & PCS) C91 - Performance Monitoring & Control Subsystem (PMCS) of the Process Computer System C91 - Power Generation Control Subsystem (PGCS) of the Process Computer System C62 - Non-essential Multiplexing System (NEMS) C51 - Automated Fixed In-core Probe Subsystem (AFIP) of the Neutron Monitoring System T31 - Containment Atmosphere Control System (CACS) except for the containment isolation function-Power supply for each of these systems is provided based on the system functional requirements. Cl1 - RC & IS Discussion on the power supplies for the fine motion driver cabinets (FMDC) and rod brake controller cabinets (RBCC) is provided in response to RAI 420.89. Power supply for the rod action control cabinets is provided from the regulated,120 Vac, non-class 1E, unintrupptible power sources which are backed by the diesel generator plant investment protection (PIP) buses and 125 Vdc normal battery and a standby battery. I 85
~. ___
RESPONSES TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI) SIMPLIFIED BOILING WATER REACTOR (SBWR) i SSAR CHAPTER 7, INSTRUMENTATION AND CONTROLS 1 l RAI 420.90 (continued) C31 - FW'CS. C82 - APRS and C85 - SH & PC i l The control and instrumentation power for these systems is provided from -l the regulated,120 Vac, non-class 1E, uninterrupable power sources which ' are backed by the diesel generator PIP buses and 125 Vdc normal battery i and a standby battery. These systems are also supplied with non-class IE, l 125 Vdc from station (8 hour) batteries with chargers backed by the diesel generator PIP buses. ! l C91 - PMCS & PGCS The plant process computer is supplied from the regulated,208/120 Vac, non< lass IE, uninterrupable power sources which are backed by the diesel generator PIP buses and 250 Vdc normal battery and a standby battery. C62 - NEMS ) The NEMS is supplied from the regulated,120 Vac, non-class lE, . uninterrupable power sources which are backed by the diesel generator PIP buses and 125 Vdc normal battery and a standby battery. C51 - AFIP l The AFIP instrumentation is powered by the regulated 120 Vac non-class lE instrument bus which is backed by the diesel generator PIP bus. T31 - CACS The CACS instrumentation is powered by 125 Vdc non-class lE instrument bus supplied from the normal battery and a standby battery with chargers which are backed by the diesel generator PIP bus. 86
- - .}}