ML20197A415
ML20197A415 | |
Person / Time | |
---|---|
Site: | NuScale |
Issue date: | 06/19/2020 |
From: | Bergman T NuScale |
To: | Office of Nuclear Reactor Regulation |
Cranston G | |
References | |
NUSCALESMRDC, NUSCALESMRDC.SUBMISSION.12, NUSCALEPART02.NP, NUSCALEPART02.NP.5 | |
Download: ML20197A415 (21) | |
Text
NuScale Standard Plant Design Certification Application Chapter Twenty-One Multi-Module Design Considerations PART 2 - TIER 2 Revision 4.1 June 2020
©2020, NuScale Power LLC. All Rights Reserved
COPYRIGHT NOTICE This document bears a NuScale Power, LLC, copyright notice. No right to disclose, use, or copy any of the information in this document, other than by the U.S. Nuclear Regulatory Commission (NRC), is authorized without the express, written permission of NuScale Power, LLC.
The NRC is permitted to make the number of copies of the information contained in these reports needed for its internal use in connection with generic and plant-specific reviews and approvals, as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by NuScale Power, LLC, copyright protection notwithstanding. Regarding nonproprietary versions of these reports, the NRC is permitted to make the number of additional copies necessary to provide copies for public viewing in appropriate docket files in public document rooms in Washington, DC, and elsewhere as may be required by NRC regulations. Copies made by the NRC must include this copyright notice in all instances and the proprietary notice if the original was identified as proprietary.
TABLE OF CONTENTS NuScale Final Safety Analysis Report Table of Contents Tier 2 i
Revision 4.1 CHAPTER 21 Multi-Module Design Considerations................................ 21-1 21.1 Design Features of Safety-Related Systems.................................... 21-1 21.1.1 Safety-Related System Independence........................................ 21-1 21.1.2 Safety-Related System Protection From Internal Events....................... 21-2 21.1.3 Safety-Related System Protection From External Events....................... 21-3 21.2 Shared System Design Considerations........................................ 21-3 21.2.1 Shared System Reliability and Availability..................................... 21-3 21.2.2 Shared System Design Basis Event Initiators.................................. 21-3 21.2.3 Shared System Interactions.................................................. 21-4 21.3 Other Multi-Module Considerations.......................................... 21-4 21.3.1 Multi-Module Evaluations.................................................... 21-4 21.3.2 Multi-Module Operations.................................................... 21-5 21.3.3 Multi-Module Considerations During Phased Construction and Startup........ 21-6 21.3.4 Inspections, Tests, Analyses, and Acceptance Criteria......................... 21-7 21.4 Multi-Module Regulatory Considerations..................................... 21-7 21.4.1 Compliance with GDC 5 of 10 CFR 50 Appendix A............................. 21-7 21.4.2 Compliance with 10 CFR 52.47(c)(3).......................................... 21-8
LIST OF TABLES NuScale Final Safety Analysis Report List of Tables Tier 2 ii Revision 4.1 Table 21-1:
Shared Systems not Associated with Design Basis Event Initiators................ 21-9 Table 21-2:
Shared System Interactions (Mechanical Systems)..............................21-10 Table 21-3:
Shared System Interactions (Electrical and Instrumentation and Control Systems)......................................................................21-16
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-1 Revision 4.1 CHAPTER 21 MULTI-MODULE DESIGN CONSIDERATIONS The modular design of the NuScale Power Plant is consistent with the definition included in 10 CFR 52.1, which defines modular design as a nuclear power station that consists of two or more essentially identical nuclear reactors (modules), and each module is a separate nuclear reactor capable of being operated independent of the state of completion or operating condition of any other module co-located on the same site, even though the nuclear power station may have some shared or common systems.
As described in Chapter 1, the NuScale Power Module (NPM) is a collection of systems, sub-systems, and components that together constitute a modularized nuclear steam supply system. For the purposes of this chapter, an NPM is a self-contained nuclear steam supply system composed of a reactor core, a pressurizer, two steam generators integrated within the reactor pressure vessel and housed in a compact steel containment vessel (CNV), and its dedicated module-specific safety systems. The term, NuScale Power Plant, refers to the entire site, including up to 12 NPMs and the associated balance of plant support systems and structures.
For modular designs, 10 CFR 52.47(c)(3) requires an evaluation of module operating configurations, considering the common systems, interface requirements, and system interactions, as well as the identification of any restrictions necessary during module construction and startup. This chapter demonstrates that safety-related systems and functions that prevent or mitigate NPM design basis events (DBEs) are not adversely affected as a result of failures of shared (common) systems or interfaces between NPMs. This is demonstrated by a consideration of design features of safety-related systems, including independence and protection from the adverse effects of internal and external events.
NPM protection from adverse shared systems interactions.
multi-module interfaces.
21.1 Design Features of Safety-Related Systems The NuScale Power Plant is designed such that each NPM can be safely operated independent of other NPMs. The plant includes design features that ensure the independence and protection of safety-related systems during DBEs.
21.1.1 Safety-Related System Independence Except for the ultimate heat sink (UHS), safety-related systems are module-specific and functionally independent of shared systems and other NPMs, which precludes adverse interactions between NPMs as a result of safety-related system operation during DBEs. The redundant safety-related systems are designed to meet single failure criteria, and single failures are considered in the safety analysis as described in Section 15.0.0. In addition, there are no operator actions that are credited in the DBE analysis, and manual actions that may couple NPMs during a DBE are not required for event mitigation.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-2 Revision 4.1 The design measures that ensure the functional independence of module-specific safety-related systems are described in the following sections:
emergency core cooling system: Section 6.3.1 containment system: Section 6.2.1 and 6.2.4 decay heat removal system: Section 5.4.3 module protection system (MPS): Section 7.1.2 neutron monitoring system: Section 7.1.2 chemical and volume control system (CVCS) (demineralized water isolation valves):
Section 9.3.4 The UHS is the only safety-related system in the NuScale Power Plant that is not module-specific and is shared between multiple NPMs. As described in Section 9.2.5, the UHS is a passive safety system that is capable of performing its safety function for a limiting 12 NPM heat load. The UHS has sufficient capacity to remove heat from a design basis accident (DBA) in one NPM and an orderly shutdown and cooldown of the remaining NPMs.
Long-term heat removal following a DBE is provided by the UHS and by module-specific safety-related systems without reliance on other shared systems.
21.1.2 Safety-Related System Protection From Internal Events Internal events have the potential to result in adverse multi-module interactions.
Safety-related systems are protected from internal events such as floods, pipe failures, and missiles, which includes dynamic and environmental effects of these events, consistent with General Design Criterion (GDC) 4. The design features and programs that demonstrate protection of safety-related systems are described in Chapter 3 (pipe failures, floods, missiles). The design features and programs that demonstrate protection from the effects of an internal fire are addressed in Section 9.5.1.
The NuScale Power Plant is designed such that an accident in one NPM that results in an accident in another NPM is bounded by analysis and shown to be acceptable. The postulated accidents are listed in Table 15.0-1. The postulated accidents were evaluated for adverse multi-module effects as described below.
A spent fuel cask drop and an NPM drop are not analyzed DBAs because the potential for NPM or spent fuel cask drops is precluded by the inclusion of a single failure proof Reactor Building crane as described in Sections 15.7.5 and 15.7.6. The effects of the control rod ejection and steam generator tube failure accidents (Sections 15.4.8 and 15.6.3) are contained within the affected NPM process boundaries and do not result in adverse interactions with another NPM. In the Reactor Building, high energy line breaks and moderate energy line leakage cracks are acceptable on a bounding basis, as described in the PRHA technical report TR-0818-61384 and FSAR Section 3.6. Beyond the Reactor Building, the routing and evaluation of all piping, including high-and moderate-energy, is the COL applicant responsibility as described in Section 3.6.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-3 Revision 4.1 21.1.3 Safety-Related System Protection From External Events External events have the potential to result in adverse multi-module interactions.
Safety-related systems are protected from external events such as tornadoes and extreme winds, earthquake, flood, snow and ice, consistent with GDC 2. The design features and programs that demonstrate protection are described in Chapter 3. Section 3.7.2 describes the impact of operation with less than 12 installed NPMs on the structural analysis.
21.2 Shared System Design Considerations Systems that are shared or common to multiple NPMs have the potential for adverse interactions that affect multiple modules. This section describes the design features and analyses which demonstrate that safety-related functions which mitigate DBEs are not adversely affected as a result of shared system operations.
21.2.1 Shared System Reliability and Availability With the exception of the UHS, only nonsafety-related systems are shared between NPMs.
Although nonsafety-related, the shared systems are designed for operational reliability and availability to minimize restrictions on NPM operating configurations during normal modes of operation. The shared systems include design features such as redundancy, spare capacity, isolation, and consideration of system interfaces. These features minimize the effects of NPM out-of-service and testing configurations in order to allow continued full-power operation of the other NPMs. Shared system reliability and availability is also demonstrated through system failure evaluations, which consider system and component failures that have the potential to result in adverse system interactions or undesirable multi-module impacts.
21.2.2 Shared System Design Basis Event Initiators The NuScale Power Plant is designed such that operation and failures of the nonsafety-related shared systems do not prevent NPM safety-related functions during a DBE. Shared system failures are also evaluated for the potential to create a transient or accident initiator and a multi-module DBE. There are no credible failures of shared systems that result in DBAs. Some shared system failures result in DBEs, and a few of these are multi-module events, but as described in Section 21.2.3, the shared system failures do not simultaneously prevent safety-related NPM functions.
The shared system failures are considered as part of the safety analysis provided in Chapter 15 and the probabilistic risk assessment (PRA) provided in Chapter 19. Where these failures result in anticipated operational occurrences, they are included in the safety analysis either as a separate transient initiator, shown to be bounded by other analyzed transients, or captured by a failure in a component that the shared support system serves. The plant design includes evaluations of shared system component failures consistent with the classification of anticipated operational occurrences up to total failures of shared systems as part of the special event analysis and the PRA shared system hazard analysis. A total functional failure of certain shared systems may lead to an automatic or manual trip of up to 12 NPMs, but these failures do not prevent safety-related NPM functions. The evaluations are described in Chapter 15 (DBEs), Section 8.4 (station blackout (SBO)), and
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-4 Revision 4.1 Chapter 19 (PRA). The scope of DBE initiators and shared system interactions does not include loss-of-coolant accidents in interfacing systems which are precluded by design.
21.2.3 Shared System Interactions Except for the safety-related UHS, the NuScale Power Plant shared systems are nonsafety-related, are not credited in DBE mitigation, and are not risk-significant. The shared systems that are not associated with DBE initiators are listed in Table 21-1. The remaining shared systems that have potential for an adverse system interaction or an undesirable multi-module interaction were evaluated as summarized in Table 21-2 and Table 21-3. The evaluations demonstrate that shared system operation does not result in adverse system interactions, such as a loss of a safety-related function, a DBE and a simultaneous degradation of a safety-related function, a DBE and simultaneous degradation of critical operator information, or a DBE and a requirement for operator actions outside the control room.
The reactor component cooling water system (RCCWS) is the only shared system that directly interfaces with multiple NPMs and is also designed to simultaneously support more than one NPM at a time. As described in Table 21-2, the RCCWS includes design features that prevent adverse system interactions and undesirable multi-module effects.
Shared systems that serve one NPM at a time are equipped with standby capacity and isolation features that prevent a direct module-to-module interface during normal operation (e.g., isolation valves that are closed except for the single NPM being served). An adverse multi-module interaction for shared systems that serve one NPM at a time would require abnormal lineups or multiple concurrent failures to impact the operation of more than one NPM.
21.3 Other Multi-Module Considerations 21.3.1 Multi-Module Evaluations 21.3.1.1 Probabilistic Risk Assessment A shared system hazard analysis was performed to qualitatively assess the risk associated with accidents that are initiated by or propagated by impairments in systems that are shared among NPMs. To assess the cause-and-effect relationship between a particular system and plant operation, the hazard analysis postulated a complete failure of the shared system and considered the implications of the plant response.
An evaluation of the multi-module risk is performed by applying adjustment factors to the single-module, internal event accident sequence frequencies. The insights from this evaluation and the systematic process used to evaluate multi-module risk potential are described in Section 19.1.7.
21.3.1.2 Accident Source Term There are no DBA release scenarios that include radionuclide emissions from more than one NPM. As described in Section 15.0.3, the accident source term methodology
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-5 Revision 4.1 assumes one NPM is impacted as there is no credible DBE or maximum hypothetical accident that would involve multiple NPMs.
21.3.1.3 NuScale Power Plant Operating Dose Assessment The operating dose assessment is developed assuming up to 12 NPMs are operating as described in Section 12.4.1. Radiation sources are described in Section 12.2.
21.3.1.4 Beyond Design Basis Events The NuScale Power Plant coping capability and mitigating strategy for beyond design basis-external events are described in Chapter 20.
21.3.2 Multi-Module Operations 21.3.2.1 Island Mode Operations As described in Section 8.3.1, the NuScale Power Plant has the capability to operate in island mode without an offsite grid connection. Island mode represents an alternate means of supplying onsite alternating current (AC) power. The design basis safety analysis does not credit AC power for DBE mitigation. Consequently, the source of AC power, either offsite power or plant turbine generators in island mode, has no impact on the safety analysis. The plant response to a total loss of AC power as a result of a SBO event is described in Section 8.4. As described in Section 19.1, island mode is not credited in the PRA.
21.3.2.2 Refueling Operations Refueling operations involve the transport of an NPM from its operating bay across the reactor pool to a refueling bay and its subsequent disassembly. Protection from adverse interactions with an NPM being moved to and from the refueling location is provided by the single-failure proof RXB crane and by other design measures, which are described in Section 9.1.5. As described in Section 15.7, the single-failure proof crane precludes adverse multi-module interactions resulting from a heavy load drop.
21.3.2.3 Control Room Operator Staffing The NuScale Power Plant design includes monitoring and control of up to 12 NPMs from a single control room by utilizing human factors engineering and increased automation to reduce staffing and human errors. Operator staffing associated with multi-module operations is described in Section 18.5.
21.3.2.4 Technical Specifications The technical specifications specify the operational requirements for safety-related systems, which support safety system independence, single failure capability, and redundancy. Requirements for the UHS, which is the only safety-related shared system, are included in the technical specifications. These controls provide assurance that the UHS remains reliable and available consistent with the assumptions in the safety analysis supporting multiple NPM operations.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-6 Revision 4.1 21.3.3 Multi-Module Considerations During Phased Construction and Startup The NuScale Power Plant design includes a complement of up to 12 NPMs. A full complement is the number of NPMs licensed for a site-specific plant. The construction of plant structures, systems, and components (SSC) and the sequential installation and startup of subsequent NPMs are designed to minimize the impact on operating NPMs.
During the construction phase that occurs prior to the initial NPM fuel load, the shared and module-specific systems within the Reactor Building (RXB), Control Building (CRB), and Radioactive Waste Building (RWB) are substantially completed with the exception of the installation of additional NPMs, as described below.
The SSC necessary to support operating modes of the initial NPM will be installed and tested as part of construction associated with the initial NPM. The initial NPM may be installed and tested in parallel with other SSC that support operation of the initial NPM.
The RXB and the SSC within the building necessary to support operating modes for the full NPM complement will be installed with the exception of testing for SSC supporting only uninstalled NPMs. Testing will be performed for the initial and subsequent NPM installations as described in Section 14.2.12.
The CRB and the SSC within the building necessary to support operating modes for the full NPM complement will be installed with the exception of testing for SSC supporting only uninstalled NPMs. Testing will be performed for the initial and subsequent NPM installations as described in Section 14.2.12.
The RWB and the SSC within the building necessary to support operating modes for the full NPM complement will be installed with the exception of testing for SSC supporting only uninstalled NPMs. Testing will be performed for the initial and subsequent NPM installations as described in Section 14.2.12.
Systems with connections exiting the RXB, CRB, or RWB that support uninstalled NPMs may be isolated or partitioned at locations external to the building with proper consideration of system interfaces and safe operation of the shared systems supporting operating NPMs. Site work control processes and procedures will be used to control plant configuration, interfaces, equipment status, and subsequent testing of isolated or partitioned systems.
A Turbine Generator Building (TGB) is provided for up to six NPMs. An additional TGB is provided for plants with greater than six NPMs. Each TGB and the SSC within the building necessary to support operating modes for the initial NPM will be installed and tested during construction of the initial NPM. SSC supporting uninstalled NPMs will be isolated or partitioned with proper consideration of interfaces and safe operation of the shared systems supporting operating NPMs. Site work control processes and procedures will be used to control plant configuration, interfaces, equipment status and testing of isolated or partitioned systems. Testing will be performed for the initial and subsequent NPM installations as described in Section 14.2.12.
The SSC within the site boundary but outside the boundaries of the RXB, CRB, RWB or TGB such as tanks, electrical transformers, and switchyard equipment necessary to support operating modes of the initial NPM will be installed and tested during construction of the initial NPM. SSC supporting uninstalled NPMs will be isolated or partitioned with proper consideration of interfaces and safe operation of the shared systems supporting operating NPMs. Site work control processes and procedures will
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-7 Revision 4.1 be used to control plant configuration, interfaces, equipment status, and testing of isolated or partitioned systems. Testing will be performed for the initial and subsequent NPM installations as described in Section 14.2.12.
Partitioning of shared systems (e.g. installing major equipment and delaying the installation of individual supply lines that only serve uninstalled NPMs) is permitted by design features and site work control processes and does not require restrictions to operating NPM configurations. The design features include valves, flanges, and breakers that are provided to isolate equipment for maintenance or to accommodate an absent NPM (e.g. during refueling operations).
The NuScale Power Plant design relies on passive safety-related systems that are module specific. With the exception of the UHS, the shared systems are nonsafety-related and not risk-significant, and shared system interactions do not result in a loss of NPM safety-related functions. The construction method and the phased expansion of NPMs described above provide assurance that the operating configuration is not materially different than that assumed in the safety analysis and that the independence of NPM safety-related systems is maintained. In addition, the analysis of shared system interactions that is described in Section 21.2.3 continues to apply to the operating NPMs during installation of subsequent NPMs. Consequently, restrictions in operating configurations or interface requirements are not necessary to ensure the safe operation of operating NPMs during installation, testing, or startup of subsequent NPMs.
21.3.4 Inspections, Tests, Analyses, and Acceptance Criteria The Inspections, Tests, Analyses, and Acceptance Criteria related to common or shared structures, systems, and components are described in Section 14.3.6.
21.4 Multi-Module Regulatory Considerations 21.4.1 Compliance with GDC 5 of 10 CFR 50 Appendix A The design of the NuScale Power Plant complies with GDC 5. Other than the UHS, safety-related systems are functionally independent and are not shared among NPMs. The UHS is designed to perform its required safety-related functions given a DBE in one NPM and a controlled shutdown of the remaining NPMs.
The RXB and portions of the CRB are Seismic Category I structures that house and support safety-related systems for multiple NPMs. The RXB and CRB structures are not adversely impacted during DBEs. (Portions of the CRB that support the MPS are Seismic Category I as described in Section 3.8.4.) In addition, the operation of the nonsafety-related shared systems, including credible failures of these systems during DBEs, does not adversely affect safety-related NPM functions.
The NuScale Power Plant compliance with Regulatory Guide 1.81 is described in Section 8.3.1 for the onsite AC power system and in Section 8.3.2 for the highly reliable DC power system (EDSS).
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-8 Revision 4.1 21.4.2 Compliance with 10 CFR 52.47(c)(3)
The design of the NuScale Power Plant complies with 10 CFR 52.47(c)(3). The operating configurations of the NuScale Power Plant include from 1 to 12 NPMs in the five operating modes permitted by the technical specifications.
The operating configurations were considered in the design of the NuScale Power Plant, and no restrictions are required to ensure plant safety. The shared systems have been evaluated for interface requirements and system interactions. The plant design provides protection of safety systems in the event of failures in shared systems and the performance of safety-related functions is ensured during DBEs.
The effects of phased construction and testing activities due to the addition of NPMs on the safety functions of operating NPMs in the plant are evaluated for adverse impacts. No restrictions or design modifications to shared systems are required to accommodate startup testing and phased construction. The plant configuration for operating NPMs during construction is not materially different than that assumed in the safety analysis, and the independence of safety-related systems is maintained. In addition, the analysis of shared system interactions that is described in Section 21.2.3 continues to apply to the operating NPMs during installation and testing of subsequent NPMs. Consequently, there are no restrictions in operating configurations or interface requirements that are necessary to ensure the safe operation of operating NPMs during installation, testing, or startup of subsequent NPMs.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-9 Revision 4.1 Table 21-1: Shared Systems not Associated with Design Basis Event Initiators Shared System NPMs Supported Ground and lightning protection system 12 Plant lighting system 12 Fixed area radiation monitoring system 12 Health physics network 12 Meteorological and environmental monitoring system 12 Communication system 12 Seismic monitoring system 12 Plant wide video monitoring system 12 Balance-of-plant drains system 6
Site drainage system 12 Solid radioactive waste system 12 Radioactive waste drain system 12 Radioactive Waste Building HVAC system 12 Diesel Generator Building HVAC system 12 Turbine Building HVAC system 6
Potable water system 12 Utility water system 12 New fuel storage 12 Spent fuel storage 12 Cathodic protection system 12 Service air system 12 Backup power supply system 12 Condensate polishing system 6
Feedwater treatment system 6
Annex Building HVAC system 12
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-10 Revision 4.1 Table 21-2: Shared System Interactions (Mechanical Systems)
Shared System NPMs Supported System Interactions Module heatup system (MHS)
Two independent subsystems each supporting 6 NPMs The MHS supports one NPM at a time via an interface with the module-specific CVCS during startup and shutdown operations (if necessary) to heat the reactor coolant. The MHS design eliminates the possibility of boron dilution via inter-system leakage by providing double isolation valves with drains and pressure monitoring between the isolation valves. The instrument air supply to these valves can be removed via administrative controls to prevent a spurious or inadvertent opening.
As an interfacing system with the chemical and volume control system (CVCS), a malfunction in the module heatup system (MHS) resulting in loss of heat addition could result in injection of colder fluid through the CVCS injection lines to the reactor coolant system. Injection of colder fluid through the CVCS injection lines, particularly during startup, could lead to decreased reactor coolant system flow due to the natural circulation forces of the NuScale reactor design. An MHS malfunction could cause a reactivity transient if the colder fluid reaches the core. The CVCS is isolated from the RCS by the module protection system on low low reactor coolant system flow, limiting the amount of cold water injection that could possibly occur.
Therefore, considering the capacity of the NPM CVCS, a reactivity change due to MHS malfunction is judged a non-limiting reactivity event compared to the spectrum of reactivity events analyzed as presented in the FSAR Section 15.4. Note that for consistency with Section 15.4.4 of the Standard Review Plan, Section 15.4.4 of the FSAR discusses startup of an inactive loop or recirculation loop at an incorrect temperature; however, this event is not applicable to NuScale because the NuScale design does not have multiple coolant loops or means in the design to introduce a substantial amount of cold water similar to an inactive loop startup. A decrease in RCS inventory that could be caused by a tube failure in the MHS is bounded by the safety analysis for CVCS line breaks outside the containment vessel as presented in the FSAR Section 15.6.
The MHS does not involve a unique NPM operating configuration. The design of the MHS and the CVCS reactor startup mode ensures that the reactor operates within the RCS stability map during reactor startup. A loss of both MHS heat exchangers would delay NPM startups until repairs could be made, but would not affect NPM operating configurations.
Boron addition system (BAS) 12 The BAS supplies borated water to each NPM via an interface with the module-specific CVCS. The BAS is designed to prevent a boron dilution event via plant control system (PCS) mode logic during tank transfers and batch tank manual isolation valves. BAS operation does not result in a new DBE. Administrative controls are used to control boron concentrations. A BAS component failure does not adversely affect safety-related NPM functions.
As described in Section 9.3.4, the BAS sizing is conservatively based on a 12-NPM shutdown event. The BAS is designed such that the loss or outage of a single major component does not result in a significant loss of plant capacity, and a failure of a single BAS component does not prevent continued operation of up to 12 NPMs.
In the unlikely event of a total failure of the BAS, failure to deliver borated water to the CVCS may result in a controlled reactor shutdown if the condition persists in the long term. If the BAS design features and administrative controls that prevent dilution fail, a failure of the CVCS that results in the BAS and demineralized water system (DWS) combining valve spuriously repositioning to the DWS bounds the BAS dilution.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-11 Revision 4.1 Containment flooding and drain system (CFDS)
Two independent subsystems each supporting 6 NPMs The CFDS subsystems are only operated after shutdown and prior to startup of a single NPM at a time. The NPM interface is via a nozzle in the CNV through containment isolation valves. There are three normally closed valves in series between the CFDS pumps and an NPMs containment. These include two containment isolation valves and a CFDS module isolation valve.
The sequence necessary to inadvertently flood a containment of an operating NPM requires multiple spurious failures, starting of a CFDS pump, and operator errors, and is not considered an initiating event for containment flooding. A CFDS component failure does not adversely affect safety-related NPM functions.
The CFDS can provide water to the CNV for cooling during a beyond design basis event as described in Section 9.3.6.
Reactor component cooling water system (RCCWS)
Two independent subsystems each supporting 6 NPMs Each RCCWS supports up to 6 NPMs at a time. The system interface with the NPM is via control rod drive mechanism (CRDM) cooling within the NPM and via system piping routed in the CNV. The RCCWS is designed such that no single failure can cause the loss of RCCWS heat removal from more than one NPM. A leak in an RCCWS cooler, heat exchanger, condenser, or tank can be isolated locally. This could cause the shutdown of an individual NPM depending on the component failure, but it would not require the shutdown of multiple NPMs. In the event a NPM is shut down for maintenance or refueling, the RCCWS will continue to operate under normal conditions for the other five NPMs with the isolation valves closed to the CRDMs for the shutdown NPM. An RCCWS component failure does not adversely affect safety-related NPM functions. The RCCWS has no piping in the CNV. The RCCWS supplies RCCW to CNTS that then conducts RCCW to the CRDS piping.
CRDS pipe breaks inside the containment that could release RCCW are isolated on high-containment pressure, but could result in a design basis loss of containment vacuum or containment flooding event and are included as a single-module event in the safety analysis. The CRDS pipe break resulting in a release of RCCW does not result in an emergency core cooling system actuation from a high CNV water level. Section 15.1.6 of the FSAR discusses the safety analysis for pipe breaks inside the containment vessel.
A failed-open RCCWS flow control valve on the CVCS non-regenerative heat exchanger secondary side may result in introduction of cooler CVCS water to the NPM primary system, but does not result in a new DBE. In addition, Section 15.5.1 of the FSAR addresses cold water injection through the CVCS, focusing on pressurization related to the increased inventory. A loss of RCCWS to the CVCS nonregenerative heat exchanger adds negative reactivity and is not a DBE.
A total failure of a RCCW subsystem would eventually result in a manual shutdown of up to six NPMs due to rising CRDM temperatures, which are indicated in the control room, but does not prevent safety-related NPM functions and does not result in a design basis event.
Table 21-2: Shared System Interactions (Mechanical Systems) (Continued)
Shared System NPMs Supported System Interactions
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-12 Revision 4.1 Process sampling system (PSS) 12 The PSS is designed such that the system interfaces with multiple NPMs are limited. The sampling of individual NPM process fluid streams is module-specific. Each NPM is provided with its own PSS. Six primary sampling systems share a cooling water temperature control unit that supplies chilled water to their second-stage sample coolers. Secondary sampling systems have both module-specific and shared components. A containment sampling system used for collecting gas samples from the containment evacuation system is also provided for each NPM.
As described in Section 9.3.2, the PSS is connected to the NPM via intervening systems and does not employ sample lines which penetrate the CNV or the reactor pressure vessel. There are no containment isolation valves or containment isolation functions included in the PSS. The shared components are due to common downstream equipment such as sample coolers and the ion chromatograph units. A component failure of this shared equipment does not affect plant operation or adversely affect safety-related NPM functions.
Circulating water system Two subsystems each supporting 6 NPMs A loss of circulating water results in a transient that would impact multiple NPMs, but does not adversely affect safety-related NPM functions. A malfunction affecting the circulating water may result in a loss of condenser vacuum, loss of feedwater, or decrease in feedwater temperature and is evaluated in the safety analysis. The circulating water system interface with the condensate and feedwater system is the only interface relevant for the purpose of DBE identification. The change in heat removal from the secondary side due to these types of conditions is considered in Section 15.1 and Section 15.2 in the FSAR.
A total loss of circulating water would require that the 12 NPMs enter a shutdown state as process conditions would encroach on reactor trip setpoints.
Site cooling water system (SCWS) 12 The SCWS provides cooling water to auxiliary systems, interfacing with chiller condensers, instrument air compressor coolers, and heat exchangers for reactor pool cooling, spent fuel pool cooling, reactor component cooling water, condenser air removal, and turbine generators. In addition, the SCWS interfaces with main steam sample coolers, condensate and feedwater sample coolers, process sampling system chillers, and auxiliary boiler blowdown coolers. An SCWS failure is captured in the safety analysis by a failure in the interfacing system and does not result in a new DBE. The SCWS failure may affect the operation of multiple NPMs, but does not adversely affect safety-related NPM functions.
A total loss of SCWS would affect cooling of auxiliary systems across multiple NPMs and would likely result in manual reactor trips due to loss of RCCWS and high CRDM temperatures.
Nitrogen distribution system (NDS) 12 The NDS provides pressure-regulated nitrogen supplies to various plant systems. An NDS failure is captured in the safety analysis by a failure in the interfacing system and does not result in a new DBE.
Failure of the gaseous radioactive waste system is addressed in FSAR Section 11.3.2.
Failure of the liquid radioactive waste system is addressed in FSAR Section 11.2.
Failure of the chemical and volume control system is addressed in FSAR Section 9.3.4.
Failure in the containment evacuation system is addressed in FSAR Section 9.3.6.
Failure in the main steam system is addressed in FSAR Section 10.3.
The NDS failure may affect the operation of multiple NPMs, but does not adversely affect safety-related NPM functions.
A plant shutdown is not expected in the event of a total loss of the NDS. The operational impacts of a total loss of NDS are limited to the liquid radwaste and gaseous radwaste systems.
Table 21-2: Shared System Interactions (Mechanical Systems) (Continued)
Shared System NPMs Supported System Interactions
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-13 Revision 4.1 Demineralized water system (DWS) 12 The DWS provides makeup to various systems. Failures in the DWS are accounted for by considering failures in the DWS interface to the CVCS, which is a module-specific system. The DWS interfaces with the CVCS as a dilution source for boron concentration. A DWS failure does not adversely affect safety-related NPM functions.
The DWS can be a dilution source to a single NPM via a spurious repositioning of a CVCS BAS and DWS combining valve to the DWS during makeup operation, which is evaluated in the safety analysis in FSAR Section 15.4.6. The design failure position of the combining valve is open to the BAS and closed to the DWS, which is the safe position. Boron dilution events are indicated by NPM power and reactivity instruments, and trigger closure of the CVCS demineralized water supply isolation valves if the safety setpoints are reached. There are two isolation valves in series in the DWS supply to each CVCS to satisfy single failure criteria. The valves are fail-closed air-operated valves.
The DWS is not credited in a DBE, but may be used as an inventory makeup source via the CVCS. The DWS also provides plant support during abnormal conditions by providing additional makeup water to the spent fuel pool cooling system (SFPCS) to compensate for inventory loss and to the condenser for emergency fill.
In the event of a total loss of DWS, a manual shutdown may be required due to loss of CVCS makeup if the failure persists in the long term.
Fire protection system and fire detection system 12 The fire systems are in a standby status during normal operation, and failures or inadvertent operation of these systems do not result in DBEs and do not adversely affect safety-related NPM functions. The fire hazard analysis includes an analysis of the protection of nuclear safety-related systems and components from inadvertent actuation and breaks in a fire protection system as described in Section 9A.
Failures in these systems are subject to the requirements of the Fire Protection Program, which is described in Section 9.5 and is included in the administrative controls portion of the technical specifications.
Fuel handling equipment 12 Fuel handling accidents are described in Section 15.7.4. These accidents do not result in a DBE in operating NPMs and do not adversely affect safety-related NPM functions.
Table 21-2: Shared System Interactions (Mechanical Systems) (Continued)
Shared System NPMs Supported System Interactions
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-14 Revision 4.1 Instrument air system (IAS) 12 Local failures in the IAS that would affect a specific valve are not explicitly considered in the safety analysis as the effects of such failures are considered in the interfacing system. The loss of the IAS that could affect multiple valves is considered. These failures may result in multi-module events, but do not adversely affect safety-related NPM functions.
Loss of instrument air will cause closure of the secondary main steam isolation valves and possibly valves in the turbine generator system. Loss of instrument air may cause loss of containment vacuum due to closure of valves in the containment evacuation systems. The IAS supports the CVCS, and loss of instrument air could affect normal pressurizer spray control, recirculation, or makeup and letdown operation. The operation of these normal, nonsafety control systems is considered as part of evaluating DBEs. Loss of instrument air on other systems does not cause significant direct impact on an NPM that is not already accounted for by considering the availability of normal nonsafety controls in the safety analysis.
The loss of instrument air is bounded by the turbine trip in the safety analysis (discussed in FSAR Section 15.2) because the immediate effects of a loss of air result in the closure of the secondary main steam isolation valves. Loss of the IAS is bounded by the turbine trip event because:
Loss of instrument air will not cause the containment isolation valves to automatically close.
Loss of instrument air will cause closure of the backup nonsafety main steam isolation valves and possibly valves in the turbine generator system.
Loss of instrument air will not cause immediate closure of the feedwater regulating valves due to local air accumulators on those valves.
Loss of instrument air may cause loss of containment vacuum due to closure of valves in the containment evacuation systems. However, this increase in heat removal from the primary side due to loss of containment vacuum is assumed to be insignificant compared to the decrease in heat removal from decreased steam flow.
A total loss of the IAS would lead to an automatic shutdown on the 12 NPMs when closure of the secondary main steam isolation valves results in a reactor trip.
Gaseous radioactive waste system (GRWS) 12 A GRWS system failure is considered by failures of the GRWS interfacing system that more directly impacts the RCS such as the containment evacuation system. A GRWS failure does not introduce a new DBE and does not adversely affect safety-related NPM functions.
Section 11.3.2 includes a GRWS equipment malfunction analysis and an evaluation of the radiological consequences of GRWS failures.
Liquid radioactive waste system (LRWS) 12 A LRWS system failure is considered by failures of the LRWS interfacing system that more directly impacts the RCS, such as CVCS. A LRWS failure does not introduce a new DBE and does not adversely affect safety-related NPM functions.
Section 11.2.2 includes an evaluation of the consequences of LRWS failures. A total loss of the LRWS would complicate letdown operations.
Auxiliary boiler system (ABS) 12 Failures in the ABS are accounted for by considering failures in the MHS interface (considered part of the CVCS for analysis purposes). An ABS failure does not result in a new DBE and does not affect safety-related NPM functions.
Table 21-2: Shared System Interactions (Mechanical Systems) (Continued)
Shared System NPMs Supported System Interactions
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-15 Revision 4.1 Ventilation systems, including: normal control room HVAC system, Reactor Building HVAC System, chilled water system 12 Although the operation of ventilation systems introduces a spatial coupling between multiple NPMs, the coupling does not result in adverse system interactions. A failure in a shared ventilation system does not result in a DBE and does not result in an event that immediately causes an NPM safety-related system to operate out of its design environmental service condition as described in Section 3.11.4. Passive cooling is sufficient for safety-related systems located in the areas served by the HVAC systems. Failures in these systems do not adversely affect safety-related NPM functions. The Reactor Building HVAC system is not credited in the fuel handling accident.
Following a loss of AC power that fails the normal control room HVAC system, the control room habitability system (CRHS) automatically provides air to the control room for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The temperature increase that results from a loss of ventilation due to a loss of AC power is evaluated for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after a limiting SBO event as described in Section 8.4.
Control room habitability system (CRHS) 12 The CRHS is a standby system that does not directly interface with the reactor or with secondary systems. A CRHS failure does not introduce a new DBE and does not adversely affect safety-related NPM functions.
The system is provided with redundant features to ensure a single failure will not inhibit the operation of the CRHS. These features ensure that the control room will be habitable to allow operators to monitor the shutdown and cooldown of the NPMs. There are no safety actions required by operators to complete this operation, and monitoring is provided to verify NPMs are in a safe shutdown mode.
Ultimate heat sink (UHS) including UHS support systems -
reactor pool cooling system, pool surge control system, pool cleanup system, pool leak detection system spent fuel pool cooling system (SFPCS) 12 Passive failures that would lead to a loss of the UHS are not credible. The UHS is protected from other external natural phenomena hazards by the Seismic Category 1 RXB structure. The safety analysis assumptions for reactor pool analytical limits, such as initial level and temperature, that are necessary for the required pool heat removal capacity are controlled by the technical specifications. Abnormal conditions which result in loss of ability to remove heat from the reactor pool are not design basis initiating events because the pool is expected to be operated within the requirements of the technical specifications.
The UHS support systems are designed such that there are no connections to the reactor pool which allow the pool to be drained below the minimum level required to remove heat from the NPMs in the pool or the fuel in the spent fuel pool. There are also provisions for anti-siphoning. As described in Sections 9.1.3 and 9.2.5, if the SFPCS and reactor pool cooling system are not available, the large volume of water in the UHS provides passive cooling for the spent fuel pool and the 12 NPMs located in the UHS for at least 30 days without the addition of supplemental cooling water.
There are no failures in the UHS support systems or the SFPCS that result in a DBE or that adversely affect safety-related NPM functions. A loss of UHS, which is classified as a beyond design basis event, is described in Section 20.1.
Module assembly equipment (MAE) 12 The MAE system supports the transport of heavy load portions of one NPM at a time. The system facilitates the initial installation and assembly of NPM components such as the reactor and containment vessel. The design of equipment and the other measures that are used to ensure the safety of heavy load movement are described in Section 9.1.5. As described in COL item 9.1-1 and Section 9.1.5, the process for handling and receipt of new NPMs is the responsibility of the COL applicant, and the operation of other NPMs is not affected by the receipt and delivery of a new NPM.
Table 21-2: Shared System Interactions (Mechanical Systems) (Continued)
Shared System NPMs Supported System Interactions
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-16 Revision 4.1 Table 21-3: Shared System Interactions (Electrical and Instrumentation and Control Systems)
System NPMs Supported System Interactions 13.8 KV and switchyard system, medium voltage AC electrical distribution system (EMVS), low voltage AC electrical distribution system (ELVS) 12 There are no safety-related AC power sources in the NuScale Power Plant. An AC system component failure or a loss of AC power has no adverse effect on safety-related NPM functions.
If the 13.8 KV and switchyard system is lost, power to the EMVS is also lost. If the EMVS is lost, power to the ELVS is also lost.
Loss of the ELVS has a direct effect on the RCS (through loss of feedwater, etc.). Loss of the EMVS impacts NPM interfacing systems (e.g., CW pumps), but does not directly affect the RCS or RCS heat removal. Loss of power to AC systems is described in Section 15.2.6. A loss of normal AC power is a multi-module event.
The plant response to a total loss of offsite and onsite AC power is described in Section 8.4. A total loss of AC power will result in a reactor trip and automatic actuation of the decay heat removal system and containment isolation system in the 12 NPMs.
As described in Section 8.3.1, in the event of a total loss of offsite power for plants with island mode capability, transition to island mode operation prevents a loss of onsite AC power as plant loads would be supplied by the service unit. For plants without an offsite power connection, island mode represents an alternate method of supplying AC power to plant loads.
Similar to an offsite power system that is described in Section 8.2, island mode does not support safety-related or risk-significant functions. No credit is taken for island mode in the safety analysis or the PRA.
Highly reliable DC power system (EDSS) common (EDSS-C) 12 The EDSS-C is a shared subsystem of the EDSS. EDSS-C provides power to the plant protection system (PPS), post-accident monitoring, and main control room emergency lighting. The EDSS is designed with redundancy and quality provisions as described in Section 8.3.2 so that a failure of EDSS independent of another event is unlikely.
The EDSS-C batteries are designed with sufficient capacity to supply assigned plant loads for a 72-hour duty cycle. The multi-module coupling due to EDSS-C operation is limited to the EDSS-C loads, which are not risk significant and nonsafety-related. A loss of EDSS-C does not affect NPM safety functions and is not a unique initiating event. A loss of EDSS does not introduce a different or more limiting plant transient progression relative to other analyzed DBE scenarios.
A total failure of EDSS-C results in a loss of the associated loads and affects monitoring of PAM variables in the control room, but does not prevent safety-related NPM functions.
Normal DC power system (EDNS) 12 The EDNS provides power to nonsafety-related control and instrumentation loads. The effect of nonsafety system operation and failures is considered as part of the safety analysis.
Following a loss of AC electrical power supply, the EDNS batteries are sized to supply the most-limiting full-load requirements continuously for a minimum of 40 minutes. A total loss of the EDNS would result in a reactor trip for 12 NPMs as power is lost to the CRDMs, but no safety-related NPM functions would be adversely affected. The loss of EDNS would impede the ability of operators to monitor accidents because of the loss of main control room panels, but the safety display and indication system would be available.
NuScale Final Safety Analysis Report Multi-Module Design Considerations Tier 2 21-17 Revision 4.1 Safety display and indication system (SDIS) 12 The SDIS processes data from the MPS and PPS but does not control equipment. The SDIS consists of two redundant hubs that provide display of post-accident monitoring variables. An SDIS hub isolation is achieved by utilizing fiber optic cables and ports to ensure the one-way direction of network data traffic. The SDIS is designed to meet the single-failure requirements such that the SDIS continues to perform its functions in the event of a single failure. Certain component failures may affect the SDIS displays for MPS or PPS data for up to 12 NPMs and may include PCS displays depending on the failure mode, but the MPS and PPS data on the other division is unaffected. A loss of SDIS does not adversely affect safety-related NPM functions and is not a unique initiating event. The SDIS is available for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> in DBEs including a SBO. If a total failure of the SDIS occurs, plant monitoring and control remains available from the main control room via the module control system and process control system displays.
A hazards analysis was also completed for the SDIS, and failures associated with system interactions do not adversely impact safety functions. Redundancy in the SDIS design is described in Section 7.1.3.
Plant Protection System (PPS) 12 The PPS consists of two independent and redundant divisions and is designed to perform its function given a single failure. A single failure in one division will not interfere with the proper operation of the redundant PPS division. There are no connections between the PPS and NPM safety systems. A failure in the PPS does not result in a DBE and does not adversely affect safety-related NPM functions.
The PPS system architecture does not use computers with embedded software in the runtime environment. The PPS is a field programmable gate array-based system rather than a microprocessor-based system that depends on resident software for operation. The field programmable gate array-based hardware logic system of the PPS does not utilize executable software. A hazards analysis was also completed for the PPS, and failures associated with system interactions do not adversely impact safety functions. Redundancy in the PPS design is described in Section 7.1.3.
Plant Control System (PCS) 12 The systems that are controlled by the PCS are considered for failure in the scope of the safety analysis and affect areas such as the UHS, which are controlled by plant technical specifications. The PCS does not directly affect the NPMs, or have module-level portions, which are controlled by the module control system and have been separately considered for failure.
Therefore, a failure in the PCS would not directly affect the NPMs and result in a new DBE.
The PCS failure modes and effects analysis includes an analysis of internal PCS modes and failure modes represented by various structures, systems, and components which make up the described segment of the PCS and the effects of those failures upon the NuScale Power Plant. The PCS does not interface directly with safety-related actuators, and PCS component failures do not adversely impact safety-related functions.
Simultaneous failure of both PCS segment controllers (primary and secondary) is considered to be a common cause failure that results in the loss of the entire segment for the process. For certain worst case segment failures, this could possibly result in the automatic shutdown of multiple NPMs, but does not affect safety-related NPM functions. PCS segmentation is described in Section 7.0.4, and PCS redundancy is described in Section 7.1.3.
Table 21-3: Shared System Interactions (Electrical and Instrumentation and Control Systems) (Continued)
System NPMs Supported System Interactions