ML20246D698

From kanterella
Forwards Response to NRC 890516 Request for Addl Info on Ssar for Advanced BWR Re Chapters 7 & 8.Panel Internal Environ Maintained to Ensure That Reliability Goals Achieved
Person / Time
Site: 05000605
Issue date: 08/23/1989
From: Recasha Mitchell
GENERAL ELECTRIC CO.
To: Chris Miller
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation
References
NUDOCS 8908280230
Download: ML20246D698 (18)


Text

GE Nuclear Energy
General Electric Company
175 Curtner Avenue, San Jose, CA 95125

August 23, 1989

MFN No. 06189
Docket No. STN 50-605

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: Charles L. Miller, Director
Standardization and Non-Power Reactor Project Directorate

Subject: Submittal of Responses to Additional Information as Requested in NRC Letter from Dino C. Scaletti, Dated May 16, 1989

Dear Mr. Miller:

Enclosed are thirty four (34) copies of further responses to the subject Request for Additional Information (RAI) on the Standard Safety Analysis Report (SSAR) for the Advanced Boiling Water Reactor (ABWR). These responses pertain to Chapters 7 and 8.

It is intended that GE will amend the SSAR with these responses in a future amendment.

Sincerely,

R. C. Mitchell, Acting Manager
Licensing and Consulting Services

cc: D. R. Wilkins (GE)
    F. A. Ross (DOE)
    J. F. Quirk (GE)
    D. C. Scaletti (NRC)

QUESTION

420.005 (7) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

System (and significant component) reliability goals, assumptions, methodology, model, analysis, and evaluation.

RESPONSE

420.005 No topical reports will be provided. However, the information is provided in the responses to other similar questions as follows:

Reliability goals - (See response to 420.063)

Model/Assumptions - (See response to 420.064)

Methodology - (See response to 420.065)

Test/Evaluation - (See response to 420.067)

Additional information may be found in Appendix 7A and the design specifications and analysis documents referenced in Section 1.1.3.

QUESTION

420.006 (App 3I) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

Methodology, basis and acceptance criteria for qualifying the system and equipment to the design basis electromagnetic interference (EMI) environment.

RESPONSE

420.006 No topical reports will be provided. However, system tolerance to EMI is discussed in the following sections of Appendix 7A: 7A.2, Response (4); 7A.2, Response (15); 7A.3, Response (6); and 7A.3, Response (8).

Additional detail is provided in the design documents referenced in Section 1.1.3.

QUESTION

420.008 (App 3I) Identify the topical reports that will be provided to support any aspects of the design that are substantially different relative to designs previously reviewed by the staff. Subjects addressed in these topical reports should include but not necessarily be limited to the following:

Methodology, basis, and acceptance criteria for qualifying the system and equipment to the design basis thermal environment established by localized heat transfer within electronic equipment, including in non-accident environments; this should also address requirements for humidity controls to preclude damage from electrostatic discharge.

RESPONSE

420.008 The environmental qualification methodology and requirements for systems and equipment are described in Section 3.11 and in the design documents referenced in Section 1.1.3 (in particular, Environmental Quality Requirements for Safety Grade Equipment, BWR Requirements - Equipment Environmental Interface Data, and Safety System Logic & Control Design Specification). No additional topical reports will be provided.

The panel internal environment is maintained to ensure that reliability goals are achieved. Thermal margins are such that panel internal cooling by natural convection is sufficient. Fans may be used to improve long term reliability, but no credit is taken for forced-air cooling in the qualification of safety-related functions. Even heat load distribution is a design goal. Thermal design adequacy will be demonstrated by analysis of heat loads (per circuit module, per bay, per panel) as required by the design specifications. Thermal design will allow for addition of 15 percent more processing modules for future expansion. (See also the response to Question 420.092.)

Voltage potential buildup leading to damage from electrostatic discharge shall be limited by proper grounding of equipment and use of appropriate static control materials and dielectric barriers to ensure that high potentials cannot be coupled to sensitive semiconductor devices. Humidity controls are provided by the normal and emergency HVAC systems; when relative humidity is restricted to the ranges specified for the mild environment locations where the microprocessor equipment will be installed, there will be no unusual static charge buildup.

QUESTION

420.018 (7) For the proposed use of digital computers, show how the digital system is superior to analog alternatives to implementing the logic.

Show how the analyses determined that the reliability of the digital computer based system was better than the reliability of the analog system.

RESPONSE

420.018 The analysis showing the superiority of the digital system compared with the analog system is given in the response to Question 420.017.

With regard to reliability, the SSLC facilitates a full "any 2-out-of-4" digital logic for both RPS and ESF systems, which is inherently more reliable than the (1/2)X2 logic typically used in the previous analog designs. Distributed microprocessors are used to perform simple logic decisions in much the same way relays were used in earlier designs. The SSLC is not dependent on a centrally located digital computer.

QUESTION

420.030 (7.1.2.2) Define the word "sufficient" used in section (j).

RESPONSE

420.030 With regard to the Reactor Protection (Trip) System (RPS), the statement "... sufficient electrical and physical separation between redundant equipment" means that the system design basis is such that a single event caused by the environment, an electrical transient, or a physical event such as a missile, will not disable more than one division of the RPS. In reality, the ABWR RPS 2/4 voting logic could permit a loss of two divisions and still function correctly to scram the reactor.

The following description of the ABWR reactor building design illustrates the electrical and physical separation methods used to accomplish this design basis objective.

Each floor of the ABWR reactor building is sectioned with fire walls dividing the redundant mechanical divisions. The placement of electrical equipment, in general, corresponds to the mechanically separated division assigned to each section (i.e., mechanical divisions A1, B, C and A4 correspond with electrical divisions I, II, III and IV, respectively). Some exceptions are necessary where a given area requires more than one electrical division for sensors or other equipment. (For example, redundant leak detection system sensors may be required to be placed within the same partitioned area.) However, electrical separation is maintained between the redundant divisions.

Because of this partitioned design, it is highly unlikely a single event would affect more than one of the partitioned areas, and thus affect more than one of the redundant RPS divisions. Furthermore, it is not considered credible that a single event could affect more than two such partitioned areas in a manner that could disable more than two divisions of RPS.

QUESTION

420.050 (7.1) Describe the self-diagnostic features of the computer based safety system. Describe the diagnostics that are run on-line, in a background mode and in a maintenance mode. Describe what happens when an on-line diagnostic uncovers an error in the computer system.

RESPONSE

420.050 The self-test subsystem (STS) is described as the "sixth test" in Section 7.1.2.1.6. Additional information is provided in Appendix 7A, Section 7A.2, Responses (6) and (14).

QUESTION

420.051 (7.1) Describe the data buses that are used in the multiplexer. Describe the features that are implemented to ensure that the bus or multiplexer is not the cause of a single point failure. Describe what happens when a single card on a data bus fails. Show what design features prevent the error from propagating and not challenging the remainder of the safety system. If specific equipment has not been selected, please provide the interface criteria.

RESPONSE

420.051 The data buses that are used in the multiplexer are of two types: (1) the fiber optic links between multiplexers, and (2) the data pathways from the multiplexer bus interface units to their associated input/output system or application processor for a remote multiplexer data station or control room multiplexer data station, respectively. For clarity, the bus interface unit is frequently referred to as the "node" of a data station of a control data network, while the input/output system or application processor is referred to as the "host" of the data station. The data buses therefore consist of (1) the network links between nodes, and (2) the links between nodes and their respective hosts.

As described in the response to question 420.020, divisional redundancy and electrical separation and independence design criteria prevent random failures of a control data network in one division from interfering with the proper operation and execution of the multiplexer in another division. This provides the means to satisfy the single failure criteria required by regulations for safety, and further failure contingencies are provided only for improvements in equipment reliability and availability.

These latter improvements are provided in each division through selected redundancy and system reconfiguration capability. Redundancy is provided for both the fiber optic links between multiplexers and the multiplexer bus interface units in each division. Two control data networks, each with their own fiber optic links and bus interface units, therefore, are provided for transmission of intradivisional signals.

Redundancy is not required, however, for the links between the redundant bus interface units (nodes) and their associated input/output system or application processor (host). This is because the input/output system or application processor itself is not generally redundant (within a given division of instrumentation and control), and because of its higher parts count, has a lower reliability than the data bus connecting it to the bus interface units. The data bus is left to be specified during the detailed design of the procured equipment, and may be either redundant serial links or a shared parallel bus, as examples.

Because the data bus connecting the redundant multiplexer bus interface units to the input/output system or application processor is not necessarily redundant, there is potential, though of relatively small probability, for the failure of a card interfacing with this data bus to cause the loss of the entire data station. System reconfiguration is provided, however, independently within both of the redundant control data networks to drop out the failed station. The control data networks continue to operate with all data stations except the failed one.

Failure of a card must therefore propagate through the data bus between the input/output system or application processor to the bus interface unit(s) to fail the entire data station, including functions of both the redundant nodes and their associated host. Furthermore, control data network reconfiguration must fail in order for the card failure to propagate to the entire intradivision multiplexing network.

This is the most severe, but unlikely, outcome of the initiating random card failure. In any event, however, it is not possible for the failure to propagate to another safety division, and capability to perform safety related functions is unaffected despite the single error.

The interface requirements, therefore, are those features described above; that is, redundancy of fiber optic links between multiplexers; redundancy of bus interface units with associated provision for each to communicate to and from the process input/output system or application processor; and capability for control network reconfiguration to drop out a failed bus interface unit (or data station). These requirements apply to each division separately.

Furthermore, there are requirements for electrical independence and separation, as well as for autonomous and asynchronous control, of the multiplexing systems in the different divisions, as discussed in the response to question 420.020.

QUESTION

420.052 (10/87) As indicated in the October 1987 ABWR presentation, the self-test sequence of the digital processor equipment is supposed to reduce the need for surveillance and monitoring by human personnel.

Describe how it was proven that the old and new surveillance schedules are functionally equivalent.

RESPONSE

420.052 As indicated in the response to 420.072, the self-test system sends a signal to the annunciator and the process computer upon detection of failures within the hardware or software. Thus, the need for surveillance and monitoring by human personnel is reduced, in some areas within the Technical Specifications, compared with that required for systems not employing self-test.

The suggested surveillance intervals for the ABWR are based on studies with operating plants and the BWR Owner's Group. Where there are differences with respect to the "old" surveillance schedules, these are identified and justified in Chapter 16 in the bases to the Technical Specifications.

QUESTION

420.054 (7) Does the FMEA consider unusual failure modes and their effects such as system stall, interruption and restoration of power (or function), metastability, or timing errors? Provide a descriptive summary of the failure modes addressed in the FMEA or describe the interface criteria.

RESPONSE

420.054 This response addresses the FMEA for the Essential Multiplexing System (EMS) (see Section 15B.4).

The only two failure modes that need be considered for the EMS are 1) corruption of the signal due to failure of EMS equipment, and 2) loss of signal due to failure of EMS equipment (or power). Such failures could also occur due to severed fiber optic cable and/or misalignment of junctions. These failure modes are analyzed in Section 15B.4.

Graceful degradation is a design feature of I&C microprocessor equipment that causes safe-state output responses to unusual failure modes such as system stall, interruption and restoration of power (or function), metastability and timing errors. This feature is implemented in both hardware and software. Thus, unusual failure modes can be considered to be part of the hypothesized failure modes analyzed in the FMEA.

Watchdog timers detect system stall or timing errors and cause an INOP output for the failed channel. The same type of trip occurs on loss of power to any given channel. When the effects of these trips are propagated to the Safety System Logic & Control equipment, channel input trips will occur. These trips (fail-safe for RPS and fail-as-is for ECCS) force a "half-trip" condition of the 2-out-of-4 coincidence logic for the given channel and simultaneously alert the operator via the annunciators and process computer. The operator may then opt to bypass the failed channel, which causes the logic to revert to 2-out-of-3.

Only one channel may be bypassed at any given time.

The power-on logic ensures known and acceptable initial conditions after restoring instrument or system power or inserting a card with power on. On interruption of power and restart, the microprocessor-controlled logic resets to the start of the control program. Time delays are not activated upon application of power. Outputs depend only upon sensed inputs. If downstream processors receive erroneous inputs (based on self-checking within each instrument), then the INOP trip described above will be generated by those processors.

QUESTION

420.055 (7) Provide a summary of any graceful degradation features provided in the I&C systems or describe the interface criteria.

RESPONSE

420.055 Test facilities in the control room monitor data transmission of the essential multiplex system (EMS) to ensure that data transport, routing and timing specifications that are out-of-tolerance for a particular input signal will result in an INOP trip condition for that input into the trip logic processors of SSLC. The SSLC will cause protective function activation upon receipt of inoperative signals caused by hardware or software failure of system instruments. The SSLC self-diagnostics also cause protective function activation when software or hardware failures are detected.

Upon loss of AC or DC power, functions which are normally energized, such as reactor trip and main steam line isolation, will provide fail safe trip action. For such functions, loss of power to a sensor, its channel, or associated logic automatically produces a trip output.

For normally de-energized functions, such as emergency core cooling, the same failures will leave the state of the actuated equipment unchanged.

The system is also designed such that subsequent restoration of power does not introduce transients that could cause a change of state in the actuated equipment.

Additional information is available in Appendix 7A, and in the Safety System Logic and Control System Design Specification (Section 1.1.3).

QUESTION

420.056 (7) Demonstrate that the effects of hardware and external failures on software performance have been sufficiently addressed in the FMEA or describe the interface criteria.

RESPONSE

420.056 The answer to this question is included in the response to Question 420.054. In particular, a component failure (integrated circuit or passive part) will result in loss or corruption of data as described in the FMEA. Whether the erroneous data results from associated software failure or damage to the signal path, the effect on downstream processors is the same. External failures are also sensed as erroneous data and will be treated as described previously.

QUESTION

420.059 (7) Describe the methods which are used to assure that equipment which is not qualified for all service conditions will not spuriously operate during exposure to conditions for which the equipment is not required to function to mitigate the effects of accidents or other events.

RESPONSE

420.059 The non-safety feedwater, recirculation flow and turbine control systems utilize triplicated control channels with middle-value voting. This means that a spurious signal from one of the channels, which differs from the other two channel outputs, will be disregarded by the controller.

The Class-1E safety systems are entirely separated from the non-1E control systems such that spurious initiation of non-safety systems has no adverse impact on safety functions.
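The two voting schemes described in these responses, the RPS 2-out-of-4 coincidence logic of 420.054 and 420.030 (an INOP channel forced to a fail-safe half-trip, one permitted bypass reverting the vote to 2-out-of-3) and the middle-value voting of the triplicated control channels in 420.059, can be traced through in the following added Python simulation. It is a constructed example, not GE's design documents or code; the channel states, division labels and sample channel readings are assumptions.

```python
"""Simulation of the two voting schemes the responses describe (constructed
example, not GE's design or code).

  * RPS 2-out-of-4 coincidence logic: an INOP channel (watchdog timeout,
    timing error, loss of power) is treated as a fail-safe "half-trip", and
    at most one channel may be bypassed, which reverts the vote to 2-out-of-3.
  * Middle-value voting for triplicated non-safety control channels: the
    median output is used, so a single spurious channel is disregarded.
"""
from enum import Enum
from statistics import median


class Ch(Enum):
    """State reported by one RPS instrument channel (assumed encoding)."""
    NORMAL = "normal"   # sensed value below the trip setpoint
    TRIP = "trip"       # sensed value at or beyond the trip setpoint
    INOP = "inop"       # self-test, watchdog or power-loss flag


DIVISIONS = ("I", "II", "III", "IV")   # electrical divisions named in 420.030


def validate_bypass(bypassed):
    """Enforce the stated restriction: only one channel bypassed at a time."""
    bypassed = tuple(bypassed)
    if len(bypassed) > 1:
        raise ValueError("only one RPS channel may be bypassed at any time")
    if any(d not in DIVISIONS for d in bypassed):
        raise ValueError("unknown division in bypass request")
    return bypassed


def half_trips(channels, bypassed=()):
    """Count voting channels in a half-trip condition.

    INOP is fail-safe for RPS, so it counts the same as a TRIP.  A bypassed
    channel is removed from the vote entirely (2-out-of-4 becomes 2-out-of-3).
    """
    if set(channels) != set(DIVISIONS):
        raise ValueError("RPS logic expects channels for divisions I..IV")
    bypassed = validate_bypass(bypassed)
    voting = {d: s for d, s in channels.items() if d not in bypassed}
    return sum(1 for s in voting.values() if s in (Ch.TRIP, Ch.INOP))


def rps_scram(channels, bypassed=()):
    """True when the coincidence logic calls for a reactor scram."""
    return half_trips(channels, bypassed) >= 2


def middle_value(a, b, c):
    """Median of three control channel outputs; a single outlier is ignored."""
    return median((a, b, c))


def demo():
    """Walk through the cases the responses describe; returns a dict for checks."""
    out = {}
    # One channel INOP: a half-trip is registered and the operator is alerted,
    # but one more half-trip is still needed to scram.
    one_inop = {"I": Ch.INOP, "II": Ch.NORMAL, "III": Ch.NORMAL, "IV": Ch.NORMAL}
    out["one_inop_halftrips"] = half_trips(one_inop)
    out["one_inop_scram"] = rps_scram(one_inop)
    # A genuine trip in a second division completes the coincidence.
    out["inop_plus_trip"] = rps_scram({**one_inop, "III": Ch.TRIP})
    # Under the fail-safe treatment, loss of two divisions (both INOP)
    # produces two half-trips, so the logic scrams rather than going dark.
    out["two_divisions_lost"] = rps_scram({**one_inop, "II": Ch.INOP})
    # Operator bypasses the failed channel: the vote reverts to 2-out-of-3,
    # so a single trip elsewhere is still not enough...
    out["bypassed_one_trip"] = rps_scram({**one_inop, "III": Ch.TRIP}, bypassed=("I",))
    # ...but two are.
    out["bypassed_two_trips"] = rps_scram(
        {**one_inop, "III": Ch.TRIP, "IV": Ch.TRIP}, bypassed=("I",))
    # Attempting to bypass two channels at once is rejected.
    try:
        rps_scram(one_inop, bypassed=("I", "II"))
        out["double_bypass_rejected"] = False
    except ValueError:
        out["double_bypass_rejected"] = True
    # Middle-value voting: a spurious high reading on one control channel
    # (constructed values) is disregarded in favour of the two agreeing ones.
    out["middle_value"] = middle_value(52.0, 51.8, 97.3)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```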

QUESTION

420.060 (7.1.2.2) Provide examples for section (g) which meet the design bases.

RESPONSE

420.060 The origin for this design basis is Section 4.7.3 of IEEE 279. However, the statement in (g) was less conservative as originally written because it did not mention the degradation of a second random failure. Therefore, (g) has been rewritten to agree with IEEE 279 more precisely (see attached mark-up).

The ABWR reactor protection (trip) system is designed with 2/4 voting logic, and is electrically isolated and physically separated from the plant control systems [see Section 7.2.2.2.3.1(7)]. In addition, the feedwater, recirc flow, and turbine control systems utilize fault tolerant (middle value voting) triplicated instrument channels in their control schemes (see Section 7.7). As such, there are no single random failure scenarios which could cause a control system action that causes a plant condition that requires a reactor scram, but also prevents action by some RPS channels. (See Section 7.1.2.10.11 relative to instrument lines.)

The system has also been designed to protect against multiple failures resulting from a credible single event (Section 4.7.4 of IEEE 279). This scenario is discussed in Section 7.2.2.2.3.1(7).

QUESTION

420.064 (7) Describe the reliability model and assumptions used to demonstrate achievement of the reliability goals; this should include a description of the system architecture.

RESPONSE

420.064 The reliability model and assumptions used to demonstrate achievement of the reliability goals are based on the principles and guidelines of IEEE 352.

The system architecture is described in Appendix 7A, Section 7A.2, Responses (10) and (11).

QUESTION

420.075 (7.1.2.2) For section 7.1.2.2(j) clarify that the physical and electrical separation does not preclude the proper environmental qualification of redundant I&C equipment.

RESPONSE

420.075 All I&C equipment associated with the reactor protection system scram function, and all other safety-related functions, is qualified both seismically and environmentally (Sections 3.10 and 3.11), to Class-1E standards. The qualification requirements of such equipment are independent of the separation requirements imposed on the redundant channels of the systems which utilize the equipment.

QUESTION

420.078 (7.1.2.1.4.1) One of the reasons stated for the utilization of microprocessors for the implementation of instrumentation and logic functions is that less uncertainty exists in the margins between actual safety limits and the limiting safety trips. The margins are stated to be set from experimental data on setpoint drift (see Section 7.1.2.1.4.1) and from quantitative reliability requirements for each system and its components.

Will this procedure be a topical report used as a design tool?

RESPONSE

420.078 The ABWR utilizes the design specifications, integration procedures, implementation procedures and analysis reports as bases for the design, rather than topical reports. These documents are referenced in Section 1.1.3.

QUESTION

420.079 (7.1.2.1.4.1) One of the reasons stated for the utilization of microprocessors for the implementation of instrumentation and logic functions is that less uncertainty exists in the margins between actual safety limits and the limiting safety trips. The margins are stated to be set from experimental data on setpoint drift (see Section 7.1.2.1.4.1) and from quantitative reliability requirements for each system and its components.

What experimental data has been used to provide inputs to this design approach?

RESPONSE

420.079 The term "experimental data" is misleading in this context, and has been changed to "historical data" as marked in attachment.

Section 4.4 of NEDC-31336, "General Electric Instrument Setpoint Methodology", discusses historical data accumulated from three operating plants amounting to approximately 9 reactor-years of experience. The plants involved were Peach Bottom, Grand Gulf and Nine Mile Point 1.

These plants utilize transmitters similar to those of ABWR. However, the data associated with analog trip devices of earlier plant designs is very conservative compared with the ABWR. This is because setpoint drift is non-existent in the Digital Trip Modules (see response to 420.077). The MUX system introduces a slightly lower accuracy than the hard-wired designs, but the overall uncertainties in the margins are significantly improved.

The details for setpoint methodology specific for the ABWR may be found in the "Instrument Setpoints Design Requirements" document identified in the reference in Section 1.1.3.

QUESTION

420.084 (App 3I) What EMI coupling protection is to be provided for the I&C systems and how will its effectiveness for specific installed conditions be verified? (Examples of standards such as FCC docket 20780, Part 15, Subpart J, "Class A Computing Devices" have been identified by industry for computing devices as a source limitation for radiated and conducted noise. Also ANSI C63.12-1984, "Recommended Practice on Procedures for Control of System Electromagnetic Compatibility," is available as a design guidance tool.) Address these effects, possible limitations, and the criteria and standards to be used by GE in the ABWR design for safety systems equipment.

RESPONSE

420.084 System tolerance to EMI and associated testing is discussed in the following sections of Appendix 7A: 7A.2, Response (4); 7A.2, Response (15); 7A.3, Response (6); and 7A.3, Response (8).

Units shall undergo standard surge withstand capability tests as defined in IEEE 472. The fiber optic equipment will undergo EMI and surge testing to the standards identified in NUREG/CR-3453/EGG-2444.

Additional detail is provided in the design documents referenced in Section 1.1.3.

QUESTION

420.086 (7) If hardwired meters are used, explain how the adjacent electronics in the control panels are protected from EMI and fault propagation from faulted current transformers.

RESPONSE

420.086 Hardwired analog-type meters and current transformers are not used near sensitive electronics, either on the operator benchboard or back row panels. If hardwired meters are used for backup of a few critical functions, then they will be installed on a separate backup panel.

Current transformers and hardwired meters will form instrument loops physically and electrically independent from the multiplexed, microprocessor-based data acquisition and control systems. As discussed in other responses, general EMI protection is provided by fiber-optic data transmission and proper grounding.

QUESTION

420.089 (7) List the design goals for the survivability and continued operation of safety systems equipment in the presence of line switching transients, lightning induced surges and other induced transients within the systems as installed.

RESPONSE

420.089 Surge withstand capability, and associated testing criteria, is discussed in Sections 7A.2 [Response (4)] and 7A.3 [Response (8)] of Appendix 7A.

QUESTION

420.090 (7) Address the possible effects of electrostatic discharge (ESD) at keyboards, keyed switches and other exposed equipment components.

RESPONSE

420.090 If appropriate countermeasures are not taken, then Electrostatic Discharge (ESD) can cause damage to electronic components. High impedance devices using MOS (metal-oxide semiconductor) technology are particularly subject to damage. The discharge from an electrically charged human body, when certain areas of electronic equipment are touched (keypads, switches), may open the junctions of CMOS devices or other semiconductors.

However, modern CMOS and other MOS components have internal protection against ESD in the form of diode clamping arrays and current limiting resistors that conduct the discharge away from the junction. In addition, good circuit design practices will include the use of other devices such as transient suppressors (for example, metal-oxide varistors (MOVs), Zener diodes) across critical circuit inputs and outputs that are directly exposed to external transients.

Other precautions against the effects of ESD take the form of adequate insulation or proper grounding. Keypads generally have insulating material in the form of a thick plastic covering over the metallic switch contacts. Toggle switches and other controls should have insulating knobs. Various metallic chassis components (front panel, handles, deck, connector shells) should be solidly grounded to each other (the effects of painted and plated surfaces should be considered), and the chassis should be grounded to the appropriate panel or instrument ground bus by metallic ground straps. Panel and instrument mounting hardware should not be depended upon for solid grounds.

Printed circuit boards must have the signal commons and ground plane commons properly connected to the common busses and to the low voltage logic power supplies.

QUESTION

420.091 (7) Most of the I&C system microprocessor equipment is likely to be located in a mild environment, but survivability requirements or limitations on the voltage potential buildup by humidity control or other measures is not discussed. Also, the data concentrators are provided at remote locations where the environmental control is not clearly described. Identify the criteria, design limits and testing program for this area of ESD controls.

RESPONSE

420.091 The environmental qualification requirements for systems and equipment are described in Section 3.11 and in the design documents referenced in Section 1.1.3 (in particular, BWR Requirements - Equipment Environmental Interface Data and the Safety System Logic & Control Design Specification).

Voltage potential buildup will be limited by proper grounding of equipment and use of appropriate static control materials and dielectric barriers to ensure that high potentials cannot be coupled to sensitive semiconductor devices (see the response to Question 420.090). Humidity controls are provided by the normal and emergency HVAC systems; when relative humidity is restricted to the ranges specified for the mild environment locations where the microprocessor equipment will be installed, there will be no unusual static charge buildup.

The thermal design environments for the SSLC panels themselves are discussed in the response to Question 420.008. The Remote Multiplexing Units (i.e., "data concentrators") of the Essential Multiplexing System are located within the "clean" areas of the Reactor Building outside the secondary containment. The panels containing this equipment will be environmentally qualified and tested in accordance with Regulatory Guide 1.89 and IEEE 323 for the areas in which they are located.

I&C microprocessor equipment will be required to meet the requirements of IEC Standard Publication 801-2, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 2 (Electrostatic Discharge Requirements)". Test equipment shall have the following minimum capabilities:

Output Voltage - 2 kV to 16.5 kV

Polarity - positive

Energy Storage Capacitor - 150 pF plus or minus 10%

Discharge Resistor - 150 ohms plus or minus 5%

Charging Resistor - 100 Megohms plus or minus 10%

Rise time of discharge current - 5 ns plus or minus 30% at 4 kV

Operating Modes - (1) up to 20 discharges per second for approximately 5 seconds per test; (2) also single pulses with at least 1 sec between successive discharges.

Acceptance criterion shall be no misoperation during or after test.

QUESTION 420.093 (7) The application of high technology semiconductor materials and related technologies to computing devices has resulted in high current densities in some portions of equipment used in non-nuclear applications. This type of equipment may be used for the ABWR.

Does an analysis of these potential hot spots result in special thermal design constraints?

RESPONSE

420.093 The answer to this question is included in the response to Question 420.092.

QUESTION

420.095 (7) The application of high technology semiconductor materials and related technologies to computing devices has resulted in high current densities in some portions of equipment used in non-nuclear applications. This type of equipment may be used for the ABWR.

Since the plant environmental limitations only identify general area temperature ranges, what consideration will be given to localized cooling and heat transfer?

RESPONSE

420.095 The answer to this question is included in the response to Question 420.092.


QUESTION

435.004 (a) In Section 8.2.3 of the ABWR SSAR one of the Nuclear Island interfaces identified is four 6.9 kV feeders to four transformers powering ten RIP pumps. However, Figure 8.3-1 and Figure 8.3-2 show motor generator sets between two of the 6.9 kV feeders and the RIP pumps. Please clarify whether the motor generator sets will be used in the ABWR design and if so, describe their function.

(b) Also, with regard to the same subject, Section 15.3.1.1.11 states that since four buses are used to supply power to the RIPs, the worst single failure can only cause three RIPs to trip, and the frequency of occurrence of this event is estimated to be less than 0.001 per year. Further down in this same section a statement is made that the probability of additional RIP trips is low (less than .000001 per year). Justify these figures in light of the fact that historically, a total loss of offsite power occurs about once per 10 site-years (NUREG/CR-3992). Also, has the effect of a fault on the common feeder upstream of the 6.9 kV feeders been considered with respect to the coastdown capability of the RIPs and motor generator sets (braking effect)?

RESPONSE

435.004 (a) Motor generator sets are used in the ABWR design. Their primary function is to provide additional mechanical inertia to extend the coastdown time of the connected RIPs during a bus failure transient. With the adoption of the motor generator set design, the probability of having an all-RIPs trip is virtually eliminated.

(b) A RIP reliability analysis will be submitted as Appendix 15.C to Chapter 15 of the SSAR. This analysis estimates the probability that exactly 1, 2, ... 10 out of ten RIPs will trip. The results are shown in the following:

NO. OF PUMPS TRIPPED    PROBABILITY
 1 ................ 5.57E-3
 2 ................ 1.07E-4
 3 ................ 1.64E-3
 4 ................ 6.44E-6
 5 ................ 4.36E-5
 6 ................ 6.37E-7
 7 ................ 1.41E-7
 8 ............... <<1.00E-6
 9 ............... <<1.00E-6
10 ............... <<1.00E-6

This analysis includes the effect of a fault on the common feeder upstream of the 6.9 kV feeders. However, the effect of a total loss of offsite power is not included. This is because the reactor system response to a total loss of offsite power is more than a trip of RIPs. For example, a load rejection followed by a reactor scram will be initiated after a loss of offsite power. The complete discussion of the loss of offsite power event is contained in Subsection 15.2.6. A new analysis for Subsection 15.2.6 will be submitted to include the effect of M/G sets.


QUESTION

435.043 Section 8.3.2.1.3.3 states that battery rooms are ventilated to remove the minor amounts of gas produced during the charging of batteries.

Verify that, in accordance with position C.1 of R.G. 1.128, the ventilation system will limit hydrogen concentration to less than two percent by volume at any location within the battery area.

Also, in accordance with position C.6.e of R.G. 1.128, verify that ventilation air flow sensors are installed in the battery rooms with their associated alarms installed in the control room.

RESPONSE

435.043 The ventilation system for the battery room will maintain the concentration of hydrogen to less than 2% as a design requirement. The airflow sensors are described in Section 9.4.1.2, which has been revised (per attached) to reflect the 2% limit on hydrogen concentration.


ABWR Standard Plant

To minimize common mode effects, automatic self-test is performed sequentially on all four divisions; i.e., one division's test unit will test and monitor logic circuit integrity and circuit continuity in its division and also verify data communication links with the other three divisions. After completion, test control automatically transfers to the next division, and so on until all four divisions have completed testing. A complete self-test sequence through all four divisions takes thirty minutes or less.

(5) Off line, manual system testing is provided for surveillance and maintenance testing in the bypassed channels.

A separate SSLC test unit in the control room is assigned to initiate and evaluate automatic and manual test functions in each division. This achieves the least interference with normal SSLC operation and permits system and interdivisional testing to continue in the presence of failed SSLC protection system logic processing circuitry.

A separate SSLC bypass unit controls manual initiation of division out-of-service bypasses and receives data from other divisions concerning bypass status (only one division shall be bypassed at any given time).

The control room test unit is capable of calibrating all RMU input channels at the sensor inputs in an off-line mode.

7.1.2.2 Reactor Protection (Trip) System (RPS) Instrumentation and Control

(1) Safety Design Bases (Conformance to the following design bases is discussed in Section 7.2.2.1).

The reactor protection (trip) system (RPS) shall meet the following functional requirements:

(a) to initiate a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients;

(b) to initiate a scram with precision and reliability to prevent damage to the reactor coolant pressure boundary as a result of excessive internal pressure (i.e., to prevent nuclear system pressure from exceeding the limit allowed by the applicable industry codes);

(c) to limit the uncontrolled release of radioactive materials from the fuel assembly or reactor coolant pressure boundary, by precisely and reliably initiating a reactor scram on gross failure of either of these barriers;

(d) to detect conditions that threaten the fuel assembly or reactor coolant pressure boundary from inputs derived from variables that are true, direct measures of operational conditions;

(e) to respond correctly to the sensed variables over the expected range of magnitudes and rates of change;

(f) to provide a sufficient number of sensors for monitoring essential variables that have spatial dependence;

The following bases assure that the RPS is designed with sufficient reliability:

[handwritten marginal annotation, illegible]

(g) Any plant condition that requires a reactor scram but also prevents action by some RPS channels, the remaining portions of the RPS shall meet the functional requirements (items [illegible] above).

(h) Loss of one power supply shall neither directly cause nor prevent a reactor scram.

(i) Once initiated, an RPS action shall go to completion. Return to normal operation shall require deliberate operator action.

(j) There shall be sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical tran-

7.17 Amendment 2

ABWR Standard Plant Rev. A

which have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these requirements have been incorporated into various codes, criteria, and regulatory requirements.

7.1.2.1.1 Safety Design Bases for Safety Systems

Safety systems provide actions necessary to assure safe plant shutdown to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material in excess of allowable dose limits. These safety systems consist of components, groups of components, systems, or groups of systems. A safety system may have a power generation design basis which states in functional terms the unique design requirements which establish the limits within which the power generation objective for the system shall be set.

7.1.2.1.2 Specific Regulatory Requirements

The plant systems have been examined with respect to specific regulatory requirements and industry standards which are applicable to the instrumentation and controls for the various systems. Applicable requirements include specific parts or entities from the following:

(1) Title 10 Code of Federal Regulations;

(2) Industry codes and standards; and

(3) NRC Regulatory Guides.

The specific regulatory requirements identified in the Standard Review Plan which are applicable to each system instrumentation and control are specified in Table 7.3-2. For a discussion of the degree of conformance see the subsection for the specific system.

7.1.2.1.3 Nonsafety Design Bases

Nonsafety-related (including power generation) systems are reactor support systems which are not required to protect the integrity of radioactive material barriers nor prevent the release of radioactive material in excess of allowable dose limits. The instrumentation and control portions of these systems may, by their actions, prevent the plant from exceeding preset limits which would otherwise initiate action of the safety systems.

7.1.2.1.4 Instrument Errors

The design considers instrument drift, testability, and repeatability in the selection of instrumentation and controls and in the determination of setpoints. Adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The safety limits, setpoints, and margins are provided in Chapter 16. The amount of instrument error is determined by test and experience. The setpoint is selected based on the known error. The recommended test frequency is greater on instrumentation that demonstrates a stronger tendency to drift.

7.1.2.1.4.1 Safety System Setpoints

The safety system setpoints are listed in Chapter 16 for each safety system. The settings are determined based on operating experience and conservative analyses. The settings are high enough to preclude inadvertent initiation of the safety action but low enough to assure that significant margin is maintained between the actual setting and the limiting safety system settings. Instrument drift, setting error, and repeatability are considered in the setpoint determination (Subsection 7.1.2.1.4). The margin between the limiting safety system settings and the actual safety limits include consideration of the maximum credible transient in the process being measured.

The periodic test frequency for each variable is determined from data on setpoint drift and from quantitative reliability analysis requirements for each system and its components.

7.1.2.1.5 Technical Design Bases

The technical design bases for RPS are in Section 7.2, engineered safety features are in Section 7.3, systems required for safe shutdown are in Section 7.4, and other systems required for safety are in Section 7.6.

Amendment 2

ABWR 23A6100AH Standard Plant

Recirculation unit for subsystem 1 consists of a prefilter section, a high efficiency filter section, an electric heater, a cooling coil, and two 50% capacity supply fans. The supply fans are placed on low-speed when the fans are in the smoke removal mode.

Two 50% capacity return exhaust fans draw air from safety related battery rooms. During smoke removal mode, the fans are placed on low-speed and the air is discharged to atmosphere.

9.4.1.2.3.2 Safety-Related Subsystem 2

Subsystem 2 specifically serves:

(1) Safety related battery room 2,

(2) Essential chiller room B,

(3) RB cooling water pump and heat-exchanger room B,

(4) HVAC equipment room,

(5) Safety-related electrical equipment room,

(6) Passages,

(7) Non-essential electrical equipment rooms.

Recirculation unit for subsystem 2 consists of a prefilter section, a high efficiency filter section, an electric heater, a cooling coil, and two 50% capacity supply fans. The supply fans are placed on low-speed when the fans are in the smoke removal mode.

Two 50% capacity return exhaust fans draw air from the safety related battery rooms. During smoke removal mode, the fans are placed on low-speed and the air is discharged to atmosphere.

9.4.1.2.3.3 Safety Related Subsystem 3

Subsystem 3 specifically serves:

(1) Safety-related battery room 3,

(2) Essential chiller room C,

(3) RB cooling water pump and heat-exchanger room C,

(4) HVAC equipment room,

(5) Safety-related electrical equipment room,

(6) Passages,

(7) 30TS equipment at EL 7200 in CB.

Recirculation unit for subsystem 3 consists of a prefilter section, a high efficiency filter section, an electric heater, a cooling coil, and two 50% capacity supply fans. The supply fans are placed on low-speed when the fans are in the smoke removal mode.

Two 50% capacity return exhaust fans draw air from the safety related battery rooms. During smoke removal mode, the fans are placed on low-speed and the air is discharged to atmosphere.

9.4.1.2.4 Safety Evaluation

The essential electrical HVAC system is designed to ensure the operability of the essential electrical equipment. All safety-related HVAC equipment and surrounding structures are of seismic category I design and operable during loss of the offsite power supply. The ductwork which services these safety functions is termed ESF ductwork, and is of Seismic Category I design. ESF ducting is high pressure safety grade ductwork designed to withstand the maximum positive and/or negative pressure to which it can be subjected under normal or abnormal conditions. Galvanized steel ASTM A526 or ASTM A527 is used for outdoor air intake and exhaust ducts. All other ducts are welded black steel ASTM A570, Grade A or Grade D. Ductwork and hangers are Seismic Category I. Bolted flange and welded joints are qualified per ERDA 76-21.

Redundant components are provided where necessary to ensure that a single failure will not preclude adequate heat exchanger building ventilation.

9.4.1.2.5 Inspection and Testing Requirements

Provisions are made for periodic tests of the outdoor air cleanup fans and filters. These tests include determinations of differential pressure across the filter and of filter efficiency. Connections for testing, such as injection, sampling and monitoring are prop-

Amendment 6 9.4-3