ML20137Q220
ML20137Q220 | |
Person / Time | |
---|---|
Site: | 05200003 |
Issue date: | 04/07/1997 |
From: | Joseph Sebrosky NRC (Affiliation Not Assigned) |
To: | NRC (Affiliation Not Assigned) |
References | |
NUDOCS 9704100163 | |
Text
April 7, 1997

APPLICANT: Westinghouse Electric Corporation
PROJECT: AP600
SUBJECT: SUMMARY OF AP600 TELEPHONE CONFERENCE (TELECON) TO DISCUSS INSTRUMENTATION AND CONTROL INSPECTIONS, TESTS, ANALYSIS, AND ACCEPTANCE CRITERIA (ITAAC)
The subject telecon was held on April 1, 1997, between Roger Schreiber and Ken Deutsch of Westinghouse, and Hulbert Li, Mario Gareri, and Joe Sebrosky of the Nuclear Regulatory Commission (NRC). Westinghouse proposed in a facsimile (attachment 1) to revise their ITAAC in the instrumentation and control area in response to NRC comments. The purpose of the phone call was to provide a preliminary assessment to Westinghouse on their approach for resolving the staff's comments.
The staff was concerned with the following two major issues concerning Westinghouse's approach: 1) more detail needs to be provided in the ITAAC, and 2) at present the information contained in Tier 2 does not adequately support the information found in Tier 1. Attachment 2 contains details of the staff's comments that were discussed during the telecon.

original signed by:
Joseph M. Sebrosky, Project Manager
Standardization Project Directorate
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

Docket No. 52-003
Attachment: As stated
cc w/ attachment: See next page
DISTRIBUTION w/ attachment:
Docket File
PDST R/F
TKenyon
PUBLIC
BHuffman
DTJackson
JSebrosky
MChiramal, 0-8 H3
HLi, 0-8 H3
MGareri, 0-8 H3

DISTRIBUTION w/o attachment:
SCollins/FMiraglia, 0-12 G18
AThadani, 0-12 G18
RZimmerman, 0-12 G18
TMartin
MSlosson
TQuay
ACRS (11)
JMoore, 0-15 B18
WDean, 0-17 G21

DOCUMENT NAME: A:I&C ITAA.SUM

OFFICE | PM:PDST:DRPM | HICB:DRCH | D:PDST:DRPM
---|---|---|---
NAME | JMSebrosky:sg | MGareri | TRQuay
DATE | 04/ /97 | 04/7/97 | 04/7/97

OFFICIAL RECORD COPY
Westinghouse Electric Corporation
Docket No. 52-003

cc:
Mr. Nicholas J. Liparulo, Manager, Nuclear Safety and Regulatory Analysis, Nuclear and Advanced Technology Division, Westinghouse Electric Corporation, P.O. Box 355, Pittsburgh, PA 15230
Mr. B. A. McIntyre, Advanced Plant Safety & Licensing, Westinghouse Electric Corporation, Energy Systems Business Unit, Box 355, Pittsburgh, PA 15230
Ms. Cindy L. Haag, Advanced Plant Safety & Licensing, Westinghouse Electric Corporation, Energy Systems Business Unit, Box 355, Pittsburgh, PA 15230
Mr. M. D. Beaumont, Nuclear and Advanced Technology Division, Westinghouse Electric Corporation, One Montrose Metro, 11921 Rockville Pike, Suite 350, Rockville, MD 20852
Mr. Sterling Franks, U.S. Department of Energy, NE-50, 19901 Germantown Road, Germantown, MD 20874
Mr. S. M. Modro, Nuclear Systems Analysis Technologies, Lockheed Idaho Technologies Company, Post Office Box 1625, Idaho Falls, ID 83415
Mr. Charles Thompson, Nuclear Engineer, AP600 Certification, NE-50, 19901 Germantown Road, Germantown, MD 20874
Mr. Frank A. Ross, U.S. Department of Energy, NE-42, Office of LWR Safety and Technology, 19901 Germantown Road, Germantown, MD 20874
Mr. Ronald Simard, Director, Advanced Reactor Program, Nuclear Energy Institute, 1776 Eye Street, N.W., Suite 300, Washington, DC 20006-3706
Ms. Lynn Connor, Doc-Search Associates, Post Office Box 34, Cabin John, MD 20818
Mr. James E. Quinn, Projects Manager, LMR and SBWR Programs, GE Nuclear Energy, 175 Curtner Avenue, M/C 165, San Jose, CA 95125
Mr. Robert H. Buchholz, GE Nuclear Energy, 175 Curtner Avenue, MC-781, San Jose, CA 95125
Barton Z. Cowan, Esq., Eckert Seamans Cherin & Mellott, 600 Grant Street, 42nd Floor, Pittsburgh, PA 15219
Mr. Ed Rodwell, Manager, PWR Design Certification, Electric Power Research Institute, 3412 Hillview Avenue, Palo Alto, CA 94303
03/24/97 MON 13:37 FAX 412 374 5535 AP600 002

Certified Design Material
DIVERSE ACTUATION SYSTEM
Revision: 2
Effective: 10/31/96

2.5.1 Diverse Actuation System

Design Description
The diverse actuation system (DAS) initiates reactor trip, actuates selected functions, and provides plant information to the operator.

1. The DAS signal processing equipment cabinets are not physically located in a room that contains protection and safety monitoring system (PMS) equipment cabinets.
2. The DAS provides the following nonsafety-related functions:
   a) The DAS provides an automatic reactor trip on low wide-range steam generator water level or on low pressurizer water level separate from the PMS, plant control system (PLS) or data display and processing system (DDS).
   b) The DAS provides automatic actuation of selected functions, as identified in Table 2.5.1-1, separate from the PMS, PLS, or DDS.
   c) The DAS provides manual initiation of reactor trip and selected functions, as identified in Table 2.5.1-2, separate from the PMS, PLS, or DDS. These manual initiation functions are implemented in a manner that bypasses the signal processing equipment of the DAS.
   d) The DAS provides main control room (MCR) displays of selected plant parameters, as identified in Table 2.5.1-3, separate from the PMS, PLS, or DDS.
3. The DAS has the following features:
   a) The signal processing hardware of the DAS uses input modules, output modules, and microprocessor boards that are different than those used in the PMS.
   b) The display hardware of the DAS uses a different display device than that used in the PMS.
   c) Software used in the DAS uses an operating system and a programming language that are different than those used in the PMS.
Inspections, Tests, Analyses, and Acceptance Criteria

Table 2.5.1-4 specifies the inspections, tests, analyses, and associated acceptance criteria for the DAS.

[Handwritten annotation, partly illegible: SEE CHANGE ATTACHMENT]

Attachment 1
Table 2.5.1-1 Functions Automatically Actuated by the DAS

1. Turbine Trip on Low Wide-range Steam Generator Water Level
2. Reactor Coolant Pump Trip on Low Pressurizer Water Level
3. Passive Residual Heat Removal (PRHR) Actuation on Low Wide-range Steam Generator Water Level or on High Hot Leg Temperature
4. Core Makeup Tank (CMT) Actuation on Low Pressurizer Water Level
5. Isolation of Selected Containment Penetrations and Initiation of Passive Containment Cooling System (PCS) on High Containment Temperature
Table 2.5.1-2 Functions Manually Actuated by the DAS

1. Reactor and Turbine Trip
2. PRHR Actuation
3. CMT Actuation
4. First-stage Automatic Depressurization System (ADS) Valve Actuation
5. Second-stage ADS Valve Actuation
6. Third-stage ADS Valve Actuation
7. Fourth-stage ADS Valve Actuation
8. PCS Actuation
9. Isolation of Selected Containment Penetrations
10. Containment Hydrogen Ignitor Actuation
11. In-containment Refueling Water Storage Tank (IRWST) Injection Actuation
12. Containment Recirculation Actuation
13. Actuate IRWST Drain to Containment
Table 2.5.1-3 DAS Displays

Equipment Name | Tag Number
---|---
Reactor Coolant System (RCS) Hot Leg Temperature | RCS-300A
RCS Hot Leg Temperature | RCS-300B
Steam Generator 1 Wide-Range Level | SGS-044
Steam Generator 1 Wide-Range Level | SGS-045
Steam Generator 2 Wide-Range Level | SGS-046
Steam Generator 2 Wide-Range Level | SGS-047
Pressurizer Water Level | RCS-305A
Pressurizer Water Level | RCS-305B
Containment Temperature | VCS-053A
Containment Temperature | VCS-053B
Core Exit Temperature | IIS-006
Core Exit Temperature | IIS-011
Core Exit Temperature | IIS-029
Core Exit Temperature | IIS-032
Containment Hydrogen Concentration | VLS-015
Containment Hydrogen Concentration | VLS-016
Table 2.5.1-4 Inspections, Tests, Analyses, and Acceptance Criteria

Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria
---|---|---
1. The DAS signal processing equipment cabinets are not physically located in a room that contains PMS equipment cabinets. | Inspection of the as-built system will be performed. | The DAS signal processing equipment cabinets are not physically located in a room that contains PMS equipment cabinets.
2.a) The DAS provides an automatic reactor trip on low wide-range steam generator water level or on low pressurizer water level separate from the PMS, PLS or DDS. | Electrical power to the PMS, PLS, and DDS equipment will be disconnected and an operational test of the as-built DAS will be performed using real or simulated test signals. | The field breakers of the control rod motor generator sets open after the test signal reaches the specified limit.
2.b) The DAS provides automatic actuation of selected functions, as identified in Table 2.5.1-1, separate from the PMS, PLS, or DDS. | Electrical power to the PMS, PLS, and DDS equipment will be disconnected and an operational test of the as-built DAS will be performed using real or simulated test signals. | Appropriate DAS output signals are generated after the test signal reaches the specified limit.
2.c) The DAS provides manual initiation of reactor trip and selected functions, as identified in Table 2.5.1-2, separate from the PMS, PLS, or DDS. These manual initiation functions are implemented in a manner that bypasses the signal processing equipment of the DAS. | Electrical power to the PMS, PLS, DDS, and DAS signal processing equipment will be disconnected and an operational test of the as-built system will be performed using the DAS manual actuation controls. | i) The field breakers of the control rod motor generator sets open after reactor and turbine trip manual initiation controls are actuated. ii) Appropriate DAS output signals are generated after the manual initiation controls are actuated.
2.d) The DAS provides MCR displays of selected plant parameters, as identified in Table 2.5.1-3, separate from the PMS, PLS, or DDS. | Electrical power to the PMS, PLS, and DDS equipment will be disconnected and inspection will be performed for retrievability of the selected plant parameters in the MCR. | The selected plant parameters can be retrieved in the MCR.
3.a) The signal processing hardware of the DAS uses input modules, output modules, and microprocessor boards that are different than those used in the PMS. | Inspection of the as-built DAS and PMS signal processing hardware will be performed. | The DAS signal processing equipment uses input modules, output modules, and microprocessor boards that are different than those used in the PMS. The difference may be a different design, use of different component types, or different manufacturers.
3.b) The display hardware of the DAS uses a different display device than that used in the PMS. | Inspection of the as-built DAS and PMS display hardware will be performed. | The DAS display hardware is different than the display hardware used in the PMS. The difference may be a different design, use of different component types, or different manufacturers.
3.c) Software used in the DAS uses an operating system and a programming language that are different than those used in the PMS. | Inspection of the DAS and PMS design documentation will be performed. | The DAS operating system and programming language are different than those used in the PMS.

[Handwritten annotation, partly illegible: SEE CHANGE ATTACHMENT]
CHANGE ATTACHMENT TO ITAAC FOR THE DIVERSE ACTUATION SYSTEM, SECTION 2.5.1

Design Description

ADD THE FOLLOWING NEW ITEM NUMBER 4:

4. The DAS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the following life cycle stages:
   a) Design requirement phase
   b) Definition phase
   c) Development phase
   d) Test phase
   e) Installation phase

   The planned design process also provides for commercial dedication of commercial off-the-shelf hardware and software.

Page 1 of 2
CHANGE ATTACHMENT TO ITAAC FOR THE DIVERSE ACTUATION SYSTEM, SECTION 2.5.1

Inspections, Tests, Analyses, and Acceptance Criteria

ADD THE FOLLOWING NEW ITEM NUMBER 4 TO TABLE 2.5.1-4:

Table 2.5.1-4 Inspections, Tests, Analyses, and Acceptance Criteria for the DAS

Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria
---|---|---
4. The DAS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the following life cycle stages: a) Design requirement phase; b) Definition phase; c) Development phase; d) Test phase; e) Installation phase. The planned design process also provides for commercial dedication of commercial off-the-shelf hardware and software. | Inspection will be performed of the process used to design the hardware and software. | The process defines the organizational responsibilities, activities, and configuration management controls for the following: a) Establishment of plans and methodologies during the design requirement phase. b) Specification of functional requirements during the definition phase. c) Documentation and review of hardware and software during the development phase. d) Performance of tests and the documentation of test results during the test phase. e) Performance of tests and inspections during the installation phase. The process also defines requirements for commercial dedication of commercial off-the-shelf hardware and software.

Page 2 of 2
Certified Design Material
PROTECTION AND SAFETY MONITORING SYSTEM
Revision: 2
Effective: 10/31/96

2.5.2 Protection and Safety Monitoring System

Design Description

The protection and safety monitoring system (PMS) initiates reactor trip and actuation of engineered safety features in response to plant conditions monitored by process instrumentation and provides safety-related displays.

[Handwritten insertion, partly illegible, referring to Figure 2.5.2-1]

1. The PMS has the equipment identified in Table 2.5.2-1.
2. The seismic Category I equipment, identified in Table 2.5.2-1, can withstand seismic design basis dynamic loads without loss of safety function.

[Handwritten annotation, partly illegible, referring to item 3 and a new item]

3. The Class 1E equipment, identified in Table 2.5.2-1, can withstand the electromagnetic interference (EMI) and radio frequency interference (RFI) conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function.
4. a) The Class 1E equipment, identified in Table 2.5.2-1, is powered from their respective Class 1E division.
   b) Separation is provided between PMS Class 1E divisions, and between Class 1E divisions and non-Class 1E cable.
5. The PMS provides the following safety-related functions:
   a) The PMS initiates an automatic reactor trip, as identified in Table 2.5.2-2, when plant process signals reach specified limits.
   b) The PMS initiates automatic actuation of engineered safety features, as identified in Table 2.5.2-3, when plant process signals reach specified limits.
   c) The PMS provides manual initiation of reactor trip and selected engineered safety features as identified in Table 2.5.2-4.
6. The PMS provides the following nonsafety-related functions:
   a) The PMS provides process signals to the plant control system (PLS) through isolation devices.
   b) The PMS provides process signals to the data display and processing system (DDS) through isolation devices.
7. The PMS, in conjunction with the operator workstations, provides the following functions:
   a) The PMS provides for the minimum inventory of displays and fixed position controls, as identified in Table 2.5.2-5, in the main control room (MCR).
   b) The PMS provides for the transfer of control capability from the MCR to the remote shutdown room (RSR).
   c) The PMS provides for the minimum inventory of displays and controls, as identified in Table 2.5.2-5, in the RSR. The controls in the RSR do not need to be fixed position.
8. a) The PMS automatically removes blocks of reactor trip and engineered safety features actuation when the plant approaches conditions for which the associated function is designed to provide protection. These blocks are identified in Table 2.5.2-6.
   b) The PMS automatically produces a reactor trip or engineered safety feature initiation upon an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic.
   c) The PMS provides the interlock functions identified in Table 2.5.2-7.
9. Setpoints are determined using a methodology which accounts for loop inaccuracies, response testing, and maintenance or replacement of instrumentation.
10. The PMS hardware and software are verified and validated through a program that provides confirmation that system functional requirements are properly and correctly implemented in the delivered hardware and software.

Inspections, Tests, Analyses, and Acceptance Criteria

Table 2.5.2-8 specifies the inspections, tests, analyses, and associated acceptance criteria for the PMS.
Table 2.5.2-1 PMS Equipment Name and Classification

Equipment Name | Seismic Category I | Class 1E | Qual. for …
---|---|---|---
Integrated Protection Cabinets, Division A | Yes | Yes | No
Integrated Protection Cabinets, Division B | Yes | Yes | No
Integrated Protection Cabinets, Division C | Yes | Yes | No
Integrated Protection Cabinets, Division D | Yes | Yes | No
Engineered Safety Features Actuation Cabinets, Division A | Yes | Yes | No
Engineered Safety Features Actuation Cabinets, Division B | Yes | Yes | No
Engineered Safety Features Actuation Cabinets, Division C | Yes | Yes | No
Engineered Safety Features Actuation Cabinets, Division D | Yes | Yes | No
Protection Logic Cabinets, Division A | Yes | Yes | No
Protection Logic Cabinets, Division B | Yes | Yes | No
Protection Logic Cabinets, Division C | Yes | Yes | No
Protection Logic Cabinets, Division D | Yes | Yes | No
Reactor Trip Switchgear, Division A | Yes | Yes | No
Reactor Trip Switchgear, Division B | Yes | Yes | No
Reactor Trip Switchgear, Division C | Yes | Yes | No
Reactor Trip Switchgear, Division D | Yes | Yes | No
Multiplexer Cabinets, Division A | Yes | Yes | No
Multiplexer Cabinets, Division B | Yes | Yes | No
Multiplexer Cabinets, Division C | Yes | Yes | No
Multiplexer Cabinets, Division D | Yes | Yes | No
MCR/RSR Transfer Panels | Yes | Yes | No
Safety-Related Display Processing Cabinets | Yes | Yes | No
Safety-Related Display Input/Output (I/O) Cabinets | Yes | Yes | No
MCR Safety-Related Displays | Yes | Yes | No
MCR Safety-Related Controls | Yes | Yes | No
Remote Shutdown Workstation | No | No | No
Table 2.5.2-2 PMS Automatic Reactor Trips

- Source Range Reactor Trip
- Intermediate Range Reactor Trip
- Power Range (Low Setpoint) Trip
- Power Range (High Setpoint) Trip
- High Positive Flux Rate Trip
- Reactor Coolant Pump High Bearing Water Temperature Trip
- Overtemperature Delta-T Trip
- Overpower Delta-T Trip
- Pressurizer Low Pressure Trip
- Pressurizer High Pressure Trip
- Pressurizer High Water Level Trip
- Low Reactor Coolant Flow Trip
- Reactor Coolant Pump Underspeed Trip
- Low Steam Generator Water Level Trip
- High Steam Generator Water Level Trip
Table 2.5.2-3 PMS Automatically Actuated Engineered Safety Features

- Containment Isolation
- Automatic Depressurization
- Main Feedwater Isolation
- Reactor Coolant Pump Trip
- Core Makeup Tank Injection
- Turbine Trip
- Steam Line Isolation
- Steam Generator Blowdown Isolation
- Passive Containment Cooling
- Startup Feedwater Isolation
- Passive Residual Heat Removal
- Block of Boron Dilution
- Chemical and Volume Control System Makeup Line Isolation
- Steam Dump Block
- Main Control Room Isolation and Air Supply Initiation
- Chemical and Volume Control System Purification Line Isolation
- Containment Air Filtration System Isolation
- Normal Residual Heat Removal Isolation
- Spent Fuel Pool Isolation
- In-containment Refueling Water Storage Tank Injection
- Containment Recirculation
Table 2.5.2-4 PMS Manually Actuated Functions

- Reactor Trip
- Safeguards Actuation
- Containment Isolation
- Stage 1, 2, and 3 Automatic Depressurization
- Stage 4 Automatic Depressurization
- Main Feedwater Isolation
- Core Makeup Tank Injection
- Steam Line Isolation
- Passive Containment Cooling
- Passive Residual Heat Removal
- In-Containment Refueling Water Storage Tank Injection
- Containment Recirculation

[Handwritten addition: MCR Isolation and Air Supply Initiation]
Table 2.5.2-5 Minimum Inventory of Displays and Fixed Position Controls

Description | Control | Display
---|---|---
Neutron Flux | - | Yes
Reactor Coolant System (RCS) Pressure | - | Yes
Wide-Range Hot Leg Temperature | - | Yes
Wide-Range Cold Leg Temperature | - | Yes
Containment Water Level | - | Yes
Containment Pressure | - | Yes
Pressurizer Water Level | - | Yes
Pressurizer Reference Leg Temperature | - | Yes
Pressurizer Pressure | - | Yes
Core Exit Temperature | - | Yes
RCS Subcooling | - | Yes
In-Containment Refueling Water Storage Tank (IRWST) Water Level | - | Yes
Passive Residual Heat Removal (PRHR) Flow | - | Yes
PRHR Outlet Temperature | - | Yes
Passive Containment Cooling System (PCS) Storage Tank Water Level | - | Yes
PCS Cooling Flow | - | Yes
[illegible] to Normal Residual Heat Removal System (RNS) Suction Valve | - | Yes
Containment Isolation Valve Position (Selected) | - | Yes
Containment Area Radiation Level | - | Yes
Containment Pressure (Extended Range) | - | Yes
Containment Hydrogen Concentration | - | Yes
Manual Reactor Trip | Yes | -
Manual Safeguards Actuation | Yes | -
Manual Core Makeup Tank Actuation | Yes | -

Note: Dash (-) indicates not applicable.
Table 2.5.2-5 (cont.) Minimum Inventory of Displays and Fixed Position Controls

Description | Control | Display
---|---|---
Automatic Depressurization System (ADS) Stage 1, 2, and 3 Initiation | Yes | -
ADS Stage 4 Initiation | Yes | -
Manual PRHR Actuation | Yes | -
Manual Containment Cooling Actuation | Yes | -
Manual IRWST Injection Actuation | Yes | -
Manual Containment Recirculation Actuation | Yes | -
Manual Containment Isolation (Selected) | Yes | -
Manual Main Steam Line Isolation | Yes | -
Manual Feedwater Isolation | Yes | -
Manual Containment Hydrogen Ignitor (Nonsafety-Related) | Yes | -
Table 2.5.2-8 (cont.) Inspections, Tests, Analyses, and Acceptance Criteria

Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria
---|---|---
5.a) The PMS initiates an automatic reactor trip, as identified in Table 2.5.2-2, when plant process signals reach specified limits. | An operational test of the as-built PMS will be performed using real or simulated test signals. | i) The reactor trip switchgear opens after the test signal reaches the specified limit. This only needs to be verified for one automatic reactor trip function. ii) PMS output signals to the reactor trip switchgear are generated after the test signal reaches the specified limit. This needs to be verified for each automatic reactor trip function.
5.b) The PMS initiates automatic actuation of engineered safety features, as identified in Table 2.5.2-3, when plant process signals reach specified limits. | An operational test of the as-built PMS will be performed using real or simulated test signals. | Appropriate PMS output signals are generated after the test signal reaches the specified limit.
5.c) The PMS provides manual initiation of reactor trip and selected engineered safety features as identified in Table 2.5.2-4. | An operational test of the as-built PMS will be performed using the PMS manual actuation controls. | i) The reactor trip switchgear opens after manual reactor trip controls are actuated. ii) Appropriate PMS output signals are generated after the manual initiation controls are actuated.
6.a) The PMS provides process signals to the PLS through isolation devices. | Type tests, analyses, or a combination of type tests and analyses of the isolation devices will be performed. | A report exists and concludes that the isolation devices prevent credible faults from propagating into the PMS.
6.b) The PMS provides process signals to the DDS through isolation devices. | Type tests, analyses, or a combination of type tests and analyses of the isolation devices will be performed. | A report exists and concludes that the isolation devices prevent credible faults from propagating into the PMS.
7.a) The PMS provides for the minimum inventory of displays and fixed position controls, as identified in Table 2.5.2-5, in the MCR. | i) Inspection will be performed for retrievability of the selected plant parameters in the MCR. ii) An operational test of the as-built system will be performed using the MCR fixed position controls. | i) The selected plant parameters can be retrieved in the MCR. ii) Appropriate output signals are generated after the MCR fixed position controls are actuated.
Table 2.5.2-8 (cont.) Inspections, Tests, Analyses, and Acceptance Criteria

Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria
---|---|---
7.b) The PMS provides for the transfer of control capability from the MCR to the RSR. | An operational test of the as-built system will be performed to demonstrate the transfer of control capability from the MCR to the RSR. | Actuation of the transfer switches results in an alarm in the MCR and RSR, the activation of operator control capability from the RSR, and the deactivation of operator control capability from the MCR.
7.c) The PMS provides for the minimum inventory of displays and controls, as identified in Table 2.5.2-5, in the RSR. The controls in the RSR do not need to be fixed position. | i) Inspection will be performed for retrievability of the selected plant parameters in the RSR. ii) An operational test of the as-built system will be performed using the controls in the RSR. | i) The selected plant parameters can be retrieved in the RSR. ii) Appropriate output signals are generated after the controls in the RSR are actuated.
8.a) The PMS automatically removes blocks of reactor trip and engineered safety features actuation when the plant approaches conditions for which the associated function is designed to provide protection. These blocks are identified in Table 2.5.2-6. | An operational test of the as-built PMS will be performed using real or simulated test signals. | The PMS blocks are automatically removed when the test signal reaches the specified limit.
8.b) The PMS automatically produces a reactor trip or engineered safety feature initiation upon an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic. | An operational test of the as-built PMS will be performed. | Appropriate PMS outputs are automatically initiated after an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic.
8.c) The PMS provides the interlock functions identified in Table 2.5.2-7. | An operational test of the as-built PMS will be performed using real or simulated test signals. | Appropriate PMS output signals are generated.
9. Setpoints are determined using a methodology which accounts for loop inaccuracies, response testing, and maintenance or replacement of instrumentation. | Inspection will be performed for a document that describes the methodology and input parameters used to determine the PMS setpoints. | A report exists and concludes that the PMS setpoints are determined using a methodology which accounts for loop inaccuracies, response testing, and maintenance or replacement of instrumentation.
Table 2.5.2-8 (cont.) Inspections, Tests, Analyses, and Acceptance Criteria

Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria
---|---|---
10. The PMS hardware and software are verified and validated through a program that provides confirmation that system functional requirements are properly and correctly implemented in the delivered hardware and software. | Inspection will be performed for a document that describes the verification and validation program for the PMS. | A report exists and concludes that the PMS hardware and software were verified and validated.

[Handwritten annotation, partly illegible: CHANGE ATTACHMENT]
CHANGE ATTACHMENT TO ITAAC FOR THE PROTECTION AND SAFETY MONITORING SYSTEM
SECTION 2.5.2

Design Description

ADD FIGURE 2.5.2-1 AS FOLLOWS:

[Figure 2.5.2-1: image not recoverable from the scan]
REVISE ITEM NUMBER 3 TO BE AS FOLLOWS:

3. The Class 1E equipment identified in Table 2.5.2-1 has electrical surge withstand capability (SWC), and can withstand the electromagnetic interference (EMI), radio frequency interference (RFI), and electrostatic discharge (ESD) conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function.

ADD THE FOLLOWING NEW ITEM NUMBER 4:

4. The Class 1E equipment identified in Table 2.5.2-1 can withstand the room ambient temperature, humidity, pressure, and mechanical vibration conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function.

Page 1 of 11
REVISE ITEM NUMBER 8 (formerly item 7) TO BE AS FOLLOWS:

8. The PMS, in conjunction with the operator workstations, provides the following functions:

a) The PMS provides for the minimum inventory of displays, visual alerts, and fixed position controls, as identified in Table 2.5.2-5, in the main control room (MCR).
b) The PMS provides for the transfer of control capability from the MCR to the remote shutdown room (RSR).
c) Displays of the open/closed status of the reactor trip breakers can be retrieved in the MCR.

REVISE ITEM NUMBER 9b (formerly item 8b) TO BE AS FOLLOWS:

9. b) The PMS two-out-of-four initiation logic reverts to a two-out-of-three coincidence logic if one of the four channels is bypassed. If a second channel is bypassed, the PMS two-out-of-four initiation logic reverts to a one-out-of-two coincidence logic. The PMS automatically produces a reactor trip or engineered safety feature initiation upon an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic.
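The bypass behaviour stated in item 9.b can be modelled as a small state machine and checked for its single-failure consequences. The Python model below is an added illustration, not part of the Westinghouse submittal or of any PMS software; the channel names, the latched output, the alarm records (modelled on the staff's request for an alarm when the logic configuration changes), and the refusal of a third bypass are assumptions.

```python
"""Added illustration of the item 9.b bypass behaviour; not Westinghouse code."""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")        # constructed channel names

# Votes needed among the channels still in service, keyed by bypass count:
# 0 bypassed -> 2-out-of-4, 1 -> 2-out-of-3, 2 -> 1-out-of-2 (item 9.b).
REQUIRED_VOTES = {0: 2, 1: 2, 2: 1}


class CoincidenceLogic:
    def __init__(self):
        self.bypassed = set()
        self.actuated = False          # latched trip / ESF initiation output
        self.alarms = []               # configuration-change alarm records

    def mode(self):
        """Return (votes required, channels in service)."""
        n = len(self.bypassed)
        return REQUIRED_VOTES[n], len(CHANNELS) - n

    def request_bypass(self, channel):
        """Bypass one channel; a third bypass attempt actuates instead."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if channel in self.bypassed:
            return True
        if len(self.bypassed) >= 2:
            # Attempt to bypass more than two channels: item 9.b requires
            # automatic actuation. Refusing the bypass is an assumption.
            self.actuated = True
            return False
        self.bypassed.add(channel)
        self.alarms.append("logic now %d-out-of-%d" % self.mode())
        return True

    def evaluate(self, tripped):
        """Vote using only in-service channels; bypassed ones never count."""
        votes = len(set(tripped) - self.bypassed)
        if votes >= self.mode()[0]:
            self.actuated = True
        return self.actuated


def spurious_trip_possible(bypassed):
    """Can one failed-high in-service channel alone cause actuation?"""
    for ch in CHANNELS:
        logic = CoincidenceLogic()
        for b in bypassed:
            logic.request_bypass(b)
        if ch not in bypassed and logic.evaluate({ch}):
            return True
    return False


def single_failure_table():
    """Map each bypass count to whether one channel alone can actuate."""
    table = {}
    for n in range(3):
        results = {spurious_trip_possible(c) for c in combinations(CHANNELS, n)}
        table[n] = results.pop() if len(results) == 1 else None
    return table


if __name__ == "__main__":
    print(single_failure_table())
```

With two channels bypassed the logic is one-out-of-two, so a single failed in-service channel is enough to actuate; with zero or one bypass it is not.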
REVISE AND EXPAND ITEM NUMBER 11 (formerly item 10) AS FOLLOWS:

11. The PMS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the following life cycle stages:

a) Design requirement phase
b) Definition phase
c) Development phase
d) Test phase
e) Installation phase

12. The PMS software is designed, tested, installed, and maintained using a process which incorporates a graded approach according to the software's relative importance to safety and specifies requirements for:

a) Software management including documentation requirements, standards, review requirements, and procedures for problem reporting and corrective action
b) Software configuration management including historical records of software and control of software changes
c) Verification and validation including requirements for reviewer independence.

Page 2 of 11
13. The use of commercial grade computer hardware and software items in the PMS is accomplished through a process that specifies requirements for:

a) Review of supplier design control, configuration management, problem reporting and change control
b) Review of product performance
c) Receipt acceptance of the commercial grade item
d) Final acceptance based on equipment qualification and software validation in the integrated system.
REVISE TABLE 2.5.2-5 TO BE AS FOLLOWS:

Table 2.5.2-5 Minimum Inventory of Displays and Controls in the MCR

| Description | Control | Display | Alert (1) |
|---|---|---|---|
| Neutron Flux | N/A | Yes | Yes |
| Neutron Flux Doubling | N/A | No | Yes |
| Startup Rate | N/A | Yes | Yes |
| Reactor Coolant System (RCS) Pressure | N/A | Yes | Yes |
| Wide Range Hot Leg Temperature | N/A | Yes | No |
| Wide Range Cold Leg Temperature | N/A | Yes | Yes |
| RCS Cooldown Rate Compared to the Limit Based on RCS Pressure | N/A | Yes | Yes |
| Wide Range Cold Leg Temperature Compared to the Limit Based on RCS Pressure | N/A | Yes | Yes |
| Change of RCS Temperature by more than F F in the last 10 minutes | N/A | No | Yes |
| Containment Water Level | N/A | Yes | Yes |
| Containment Pressure | N/A | Yes | Yes |
| Pressurizer Water Level | N/A | Yes | Yes |
| Pressurizer Water Level Trend | N/A | Yes | No |
| Pressurizer Reference Leg Temperature | N/A | Yes | No |
| Reactor Vessel-Hot Leg Water Level | N/A | Yes | Yes |

Page 3 of 11
Table 2.5.2-5 (cont.) Minimum Inventory of Displays and Controls in the MCR

| Description | Control | Display | Alert (1) |
|---|---|---|---|
| Pressurizer Pressure | N/A | Yes | No |
| Core Exit Temperature | N/A | Yes | Yes |
| RCS Subcooling | N/A | Yes | Yes |
| RCS Cold Overpressure Limit | N/A | Yes | Yes |
| In-containment Refueling Water Storage Tank (IRWST) Water Level | N/A | Yes | Yes |
| Passive Residual Heat Removal (PRHR) Flow | N/A | Yes | Yes |
| PRHR Outlet Temperature | N/A | Yes | Yes |
| Passive Containment Cooling System (PCS) Storage Tank Water Level | N/A | Yes | No |
| PCS Cooling Flow | N/A | Yes | No |
| IRWST to Normal Residual Heat Removal System (RNS) Suction Valve Status | N/A | Yes | Yes |
| Remotely Operated Containment Isolation Valve Status | N/A | Yes | No |
| Containment Area High-Range Radiation Level | N/A | Yes | Yes |
| Containment Pressure (Extended Range) | N/A | Yes | No |
| Containment Hydrogen Concentration | N/A | Yes | No |
| CMT Level | N/A | Yes | No |
| Manual Reactor Trip | Yes | N/A | N/A |
| Manual Safeguards Actuation | Yes | N/A | N/A |
| Manual Core Makeup Tank Actuation | Yes | N/A | N/A |
| Manual MCR Emergency Habitability System Actuation | Yes | N/A | N/A |
| Manual Automatic Depressurization System (ADS) Stages 1, 2, and 3 Initiation | Yes | N/A | N/A |
| Manual ADS Stage 4 Initiation | Yes | N/A | N/A |
| Manual PRHR Actuation | Yes | N/A | N/A |
| Manual Containment Cooling Actuation | Yes | N/A | N/A |
| Manual IRWST Injection Actuation | Yes | N/A | N/A |
| Manual Containment Recirculation Actuation | Yes | N/A | N/A |

Page 4 of 11
Table 2.5.2-5 (cont.) Minimum Inventory of Displays and Controls in the MCR

| Description | Control | Display | Alert (1) |
|---|---|---|---|
| Manual Containment Isolation | Yes | N/A | N/A |
| Manual Main Steam Line Isolation | Yes | N/A | N/A |
| Manual Feedwater Isolation | Yes | N/A | N/A |
| Manual Containment Hydrogen Ignitor (Nonsafety-Related) | Yes | N/A | N/A |

Notes:
(1) These parameters are used to generate visual alerts that identify challenges to the critical safety functions.
(2) These instruments are not required after 24 hours.

Page 5 of 11
Inspections, Tests, Analyses, and Acceptance Criteria

REVISE ITEM NUMBER 3 TO BE AS FOLLOWS:

Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 3. The Class 1E equipment identified in Table 2.5.2-1 has electrical surge withstand capability (SWC), and can withstand the electromagnetic interference (EMI), radio frequency interference (RFI), and electrostatic discharge (ESD) conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. | Type tests, analyses, or a combination of type tests and analyses will be performed on the equipment. | A report exists and concludes that the Class 1E equipment identified in Table 2.5.2-1 can withstand the SWC, EMI, RFI, and ESD conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. |

Page 6 of 11
ADD THE FOLLOWING NEW ITEM NUMBER 4:

Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 4. The Class 1E equipment identified in Table 2.5.2-1 can withstand the room ambient temperature, humidity, pressure, and mechanical vibration conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. | Type tests, analyses, or a combination of type tests and analyses will be performed on the equipment. | A report exists and concludes that the Class 1E equipment identified in Table 2.5.2-1 can withstand the room ambient temperature, humidity, pressure, and mechanical vibration conditions that would exist before, during, and following a design basis accident without loss of safety function for the time required to perform the safety function. |

Page 7 of 11
REVISE ITEM NUMBER 8 (formerly item 7) TO BE AS FOLLOWS:

Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 8.a) The PMS provides for the minimum inventory of displays, visual alerts, and fixed position controls, as identified in Table 2.5.2-5, in the MCR. | i) Inspection will be performed for retrievability of the selected plant parameters in the MCR. | i) The selected plant parameters can be retrieved in the MCR. |
| | ii) Inspection will be performed to verify that the selected parameters are used to generate visual alerts that identify challenges to critical safety functions. | ii) The selected parameters are used to generate visual alerts that identify challenges to critical safety functions. |
| | iii) An operational test of the as-built system will be performed using the MCR fixed position controls. | iii) Appropriate output signals are generated after the MCR fixed position controls are actuated. |
| 8.b) The PMS provides for the transfer of control capability from the MCR to the RSR. | An operational test of the as-built system will be performed to demonstrate the transfer of control capability from the MCR to the RSR. | Actuation of the transfer switches results in an alarm in the MCR and RSR, the activation of operator control capability from the RSR, and the deactivation of operator control capability from the MCR. |
| 8.c) Displays of the open/closed status of the reactor trip breakers can be retrieved in the MCR. | Inspection will be performed for retrievability of displays of the open/closed status of the reactor trip breakers in the MCR. | Displays of the open/closed status of the reactor trip breakers can be retrieved in the MCR. |

Page 8 of 11
REVISE ITEM NUMBER 9b (formerly item 8b) TO BE AS FOLLOWS:

Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 9.b) The PMS two-out-of-four initiation logic reverts to a two-out-of-three coincidence logic if one of the four channels is bypassed. If a second channel is bypassed, the PMS two-out-of-four initiation logic reverts to a one-out-of-two coincidence logic. The PMS automatically produces a reactor trip or engineered safety feature initiation upon an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic. | An operational test of the as-built PMS will be performed. | The PMS two-out-of-four initiation logic reverts to a two-out-of-three coincidence logic if one of the four channels is bypassed. The PMS two-out-of-four initiation logic reverts to a one-out-of-two coincidence logic if two of the four channels are bypassed. Appropriate PMS output signals are automatically initiated after an attempt to bypass more than two channels of a function that uses two-out-of-four initiation logic. |

Page 9 of 11
REVISE AND EXPAND ITEM NUMBER 11 (formerly item 10) AS FOLLOWS:

Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 11. The PMS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the following life cycle stages: a) Design requirement phase b) Definition phase c) Development phase d) Test phase e) Installation phase. The planned design process also provides for commercial dedication of commercial off-the-shelf hardware and software. | Inspection will be performed of the process used to design the hardware and software. | The process defines the organizational responsibilities, activities, and configuration management controls for the following: a) Establishment of plans and methodologies during the design requirement phase. b) Specification of functional requirements during the definition phase. c) Documentation and review of hardware and software during the development phase. d) Performance of tests and the documentation of test results during the test phase. e) Performance of tests and inspections during the installation phase. The process also defines requirements for commercial dedication of commercial off-the-shelf hardware and software. |

Page 10 of 11
Table 2.5.18 Inspections, Tests, Analyses, and Acceptance Criteria for the PMS

| Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 12. The PMS software is designed, tested, installed, and maintained using a process which incorporates a graded approach according to the software's relative importance to safety and specifies requirements for: a) Software management including documentation requirements, standards, review requirements, and procedures for problem reporting and corrective action b) Software configuration management including historical records of software and control of software changes c) Verification and validation including requirements for reviewer independence. | Inspection will be performed of the process used to design, test, install, and maintain the PMS software. | The process establishes a method for classifying the PMS software elements according to their relative importance to safety and specifies requirements for software assigned to each safety classification. Requirements are provided for the following software development functions: a) Software management including documentation requirements, standards, review requirements, and procedures for problem reporting and corrective action b) Software configuration management including historical records of software and control of software changes c) Verification and validation including requirements for reviewer independence. |
| 13. The use of commercial grade computer hardware and software items in the PMS is accomplished through a process that specifies requirements for: a) Review of supplier design control, configuration management, problem reporting and change control b) Review of product performance c) Receipt acceptance of the commercial grade item d) Final acceptance based on equipment qualification and software validation in the integrated system. | Inspection will be performed of the process defined to use commercial grade components in the application. | A process is defined that has requirements for: a) Review of supplier design control, configuration management, problem reporting and change control b) Review of product performance c) Receipt acceptance of the commercial grade item d) Final acceptance based on equipment qualification and software validation in the integrated system. |

Page 11 of 11
Instrumentation and Controls AP600 ITAAC telecon April 1, 1997

The staff provided feedback to Westinghouse on their I&C ITAAC in two areas: 1) more detail needs to be provided in the ITAAC, and 2) at present the information contained in Tier 2 does not adequately support the information found in Tier 1. For the first item the staff referred Westinghouse to the ITAAC for the evolutionary plants. Specifically, the staff referenced the Advanced Boiling Water Reactor (ABWR) Section 3.4 pages 25 through 36 and the Combustion Engineering System 80+ Section 2.5.1 pages 8 thru 11 as examples of the amount of detail that the staff expects to see in the AP600 submittal. For the second item the staff gave examples to Westinghouse of where they believed the information in Attachment 1 conflicted or was not explained adequately in the Tier 2 (SSAR) document.
1) Table 2.5.1-1 is not consistent with Figure 7.2-1 sheet 19 of the SSAR. One of the functions automatically actuated by the diverse actuation system (DAS) as shown in the figure is pressurizer level causing a turbine trip, but this automatic function is not identified in Table 2.5.1-1.

2) Table 2.5.1-2 items 4 through 7 identify that the four stages of the automatic depressurization system (ADS) can be manually actuated by the DAS. However, the SSAR does not explain adequately how this is accomplished. Although SSAR Figure 7.2-1 sheet 20 identifies this function, it is not clear to the staff that the figure is referring to the function being accomplished by switches.

3) Table 2.5.1-2 item 9 refers to isolation of "selected" containment penetrations. The SSAR uses the term "critical" when referring to this function.

4) Table 2.5.1-3 identifies one core exit thermocouple per quadrant for the DAS. The staff questioned Westinghouse on their justification for supplying only one core exit thermocouple per quadrant because the staff believed the TMI action item requires 2 per quadrant. Westinghouse stated that it was part of their design to have only one thermocouple per quadrant. The staff subsequently discussed the problem with the Reactor Systems Branch. Based on this internal discussion the staff now considers one core exit thermocouple per quadrant sufficient.

5) The staff believes that the SSAR does not adequately explain the "Inspections, Tests, or Analyses" criteria in Table 2.5.1-4. Westinghouse maintained that Chapter 14.2 (initial test program) contained this information. The staff will review the initial test program to see if the information was adequately documented.

Attachment 2
6) In Attachment 1 Westinghouse proposed adding a new item 4 for Section 2.5.1. The staff noted that the operational and maintenance phase is not identified in the life cycle stages. Westinghouse will address the staff's concern in response to RAI 640.39.

7) On page 2.5.2-2 of Attachment 1 Westinghouse uses the abbreviation RSR for the remote shutdown room. The SSAR uses the abbreviation RSW for the remote shutdown workstation when referring to this location. Westinghouse should use one abbreviation or justify the difference.

8) Table 2.5.2-1 of the ITAAC and page 7.1-4 of the SSAR do not appear to be consistent. Specifically the ITAAC identify the MCR/RSR transfer panels as part of the Protection and Safety Monitoring System (PMS), however, this equipment is not identified in the list at the top of page 7.1-4. Westinghouse will add this equipment to the list at the top of page 7.1-4 and identify the equipment in Figure 7.1-2.

9) Table 2.5.2-2 is not consistent with Table 7.2-1 or Table 7.2-2 of the SSAR. For example ADS actuation, CMT injection, and Safeguard Actuation are not identified in Table 2.5.2-2 as automatic reactor trip signals.

10) Table 2.5.2-3 identifies "Containment Recirculation" as a PMS automatically actuated engineered safety feature. However, Section 7.3.1.2.9 of the SSAR identifies this function as "In-containment Refueling Water Storage Tank Containment Recirculation".

11) Table 2.5.2-6 and SSAR Figure 7.2-1 sheet 2 are not consistent. The SSAR figure does not identify a high steam generator water level block (P-11).

12) For Section 2.5.2 of the ITAAC Westinghouse should include in Item 9.b a provision to check the alarm when the logic configuration is changed. The provision should be added in both the design description and in the ITAAC.

13) Table 2.5.2-5 refers to ADS stages 1, 2, 3 and 4 "initiation". The staff has checked the SSAR and found that Table 18.12.2-1 uses the term "actuation" when referring to the ADS stages. Therefore, the term "initiation" should be changed to "actuation" in the ITAAC.

14) Section 2.5.2 page 6 of 11 of Attachment 1 discusses equipment qualification. It did not appear to the staff that the SSAR discusses mild environment qualification. The staff was also concerned about the treatment of electromagnetic interference (EMI) and radio frequency interference (RFI), because the information contained in Tier 2 does not adequately support the information found in Tier 1. Westinghouse referred the staff to Section 14.2 of the SSAR, but the staff was unable to find any discussion relating to the "Inspections, Tests, or Analyses" of EMI and RFI. Westinghouse should provide EMI/RFI and equipment qualification related information in the SSAR including a discussion on sections of the standards that are applicable to the AP600 and/or specific test and analysis to support the ITAAC.