ML24215A218

LLC, Response to SDAA Audit Question Number A-19.1-46
Site: 05200050
Issue date: 08/02/2024
From: NuScale
To: Office of Nuclear Reactor Regulation
Shared Package: ML24215A000
References: LO-169995

Response to SDAA Audit Question

Question Number: A-19.1-46
Receipt Date: 10/23/2023

Question:

In the NuScale DCA, drop of a module being moved for refueling (( 2(a),(c) DCA Part 2, Tier 2, Table 19.1-71, Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment, documents that movement of the RBC is modeled as being operator controlled in the PRA. In the SDA, based on Table 19.1-60: Summary of Results, module drop contributes over 34% of the total NuScale SDA CDF results. In contrast to the DCA, as reported in ((

}}

2(a),(c) In FSAR Section 9.1.5.2.3, there is one reference to the reactor building crane (RBC) control system. In Table 19.1-21 regarding the Key Assumptions for the PRA, there is no information regarding the reactor building crane control system or the risk impact of operator error. The staff notes that the non-safety related, non-risk significant Module Control System (MCS) is treated in a global sense in Chapter 7 of the FSAR. Common cause failure analysis of the MCS is provided in FSAR Section 7.1.6. In contrast, there are a few sentences in the FSAR about the Reactor Building Crane Control System that is non-safety related, but risk significant. Based on the NuScale meeting on October 10, 2023, the staff has the following questions about the NuScale reactor building control system design, testing, and PLC reliability data, to ensure that risk insights regarding the reactor building crane have been appropriately incorporated into the FSAR Chapter 19 consistent with the Commission Severe Accident Policy Statement.

1. Regarding the Appendix B of the Reactor Building Crane PRA, in the NuScale ERR, the Control System Functional Diagrams, as shown in Figure B-1, Figure B-2, and Figure B-3 depict the ((

}}

2(a),(c) NuScale Nonproprietary NuScale Nonproprietary

(( }} 2(a),(c)

a. There is no description or functional diagram for the control system in the FSAR. These diagrams are needed for the staff to make a reasonable assurance finding on the impact of operator error for the as-built as-to-be operated design. NuScale is requested to update the FSAR with these functional diagrams or justify why they are not needed to describe this risk significant system.

b. (( }} 2(a),(c)

2. The staff reviewed SDA Table 3.10-3: Reactor Building Crane Inspections, Tests, Analyses, and Acceptance Criteria Top-Level Design Feature Categories and SDA Table 14.2-45: Test # 45 Reactor Building Cranes.

a. The staff was not able to find tests that evaluate the integrated as-built operation of the Reactor Building Control system that results in an emergency stop without operator action given the following operational failures as discussed in the Reactor Building Crane PRA:

- Hoist overtravel
- Hoist overspeed
- Hoist overload
- Hoist unbalanced load
- Hoist drum rope mis-spooling

The staff is requesting NuScale to add testing to ITAACs and/or Chapter 14 on Pre-Operational testing on the RBC control functions as described above to ensure that the integrated as-built control system meets the design specifications as described in the SDAA and the RBC PRA supporting the SDAA.

b. The staff reviewed SDA Table 3.10-3: Reactor Building Crane Inspections, Tests, Analyses, and Acceptance Criteria Top-Level Design Feature Categories and SDA FSAR Section 9.1.5, Table 9.1.5-1: Heavy Load Handling Equipment Design Data and noticed that Table 9.1.5-1 identifies 8 heavy load handling equipment, but Table 3.10-3 only identifies 6 heavy load handling equipment to be tested. The staff is requesting NuScale to add testing of the traveling jib crane hoist and the module access platform jib crane to ITAAC 3.10, or to justify why these components are excluded from testing.

3. The staff understands the following devices are separate control devices that define normal operational limits. The staff could not find tests on the integrated as-built operation of the Reactor Building Control system on the control devices which control normal operational limits such as the: (( }} 2(a),(c)

The staff is requesting NuScale to add testing to ITAACs and/or Chapter 14 on Pre-Operational testing on the RBC control functions as described above to ensure that the integrated as-built control system meets the design specifications as described in the SDAA and the RBC PRA supporting the SDAA.

4. The staff needs to make a reasonable assurance finding that the RBC will not be operated following high winds, external floods, and extended losses of offsite power which is explicitly stated in the DCA for POS 3 and POS 5. For example, SDA FSAR Table 19.1-74 for external flooding states, "In the event of loss of AC power, the RBC brakes will set and stop motion. The RBC is designed with redundant holding brakes so that if one set fails to engage, the other brake automatically holds the load. Because both brake systems are designed and rated to maintain a hoisted load at the maximum allowable crane load, a loss of power will halt operations but not result in a load drop. The module can be maintained in position suspended by the RBC until power is restored and the lift can resume; therefore, external flooding effects were not evaluated for this POS." The staff understands that ((

}}

2(a),(c)

5. The staff understands that (( }} 2(a),(c) As concluded in NUREG 7150 Volume 1, a consequential three phase short is incredible and need not be considered. The RBC motors and brakes operate on three phase AC. The staff is requesting this information to be in the FSAR so the staff can make a reasonable assurance finding on the impacts of fire and flood on the reactor building crane or justify why this is not necessary.

6. 10 CFR 50.34(f)(1)(i) states "Perform a plant/site specific probabilistic risk assessment, the aim of which is to seek such improvements in the reliability of core and containment heat removal systems as are significant and practical and do not impact excessively on the plant." Regarding the assessment of (( }} 2(a),(c)

Response

1a. NuScale revised FSAR Section 9.1.5.5, Instrumentation and Control, to include information on the control system used by the Reactor Building crane (RBC).

1b. Reliability information relevant to modeling of the programmable logic controller (PLC) in the control system used by the RBC is sourced from the Quanterion Automated Databook. As described in FSAR Section 19.1.6.1.4, Low Power and Shutdown Data Sources and Analysis, and NuScale's response to Audit Issue A-19-43, the Quanterion Automated Databook is a database of failure data collected from commercial, industrial, and military sources. The Quanterion Automated Databook represents the best-available information to characterize reliability of RBC components and is (( }}2(a),(c)

In response to the clarification call with the NRC and NuScale held on 02/13/2024, NuScale is providing the following additional information:

The RBC control system supports automated operation and protection of the RBC, minimizing contributions to a module drop from human errors of commission. The design of RBC components and the RBC control system, fail-safe component behavior, as well as hardware- and software-related boundaries and restrictions on RBC travel provide defense against travel-related errors of commission and prevent load drops by stopping crane motion and setting brakes. As a result, load path failures (i.e., catastrophic gearbox and wire rope failures) are a larger contributor to the Reactor Building crane PRA than human errors of commission.

The (US460) RBC control system comprises two functional parts. The first is the protection function, which, as described in FSAR Section 9.1.5.5, uses sensor feedback, limit switches, and interlocks to maintain the RBC within travel boundaries and secure the load in response to an upset (e.g., overtravel). The PRA models of both the US600 and US460 RBC designs include fail-safe design implementations for halting motion and securing the load that are functionally equivalent. The second function is the control automation, which supports automated motion of the RBC. The control automation function is modeled conceptually for both designs. Risk insights from the US600 Reactor Building crane PRA are (( }}2(a),(c) The US460 Reactor Building crane PRA models the RBC control system protective function such that (( }}2(a),(c)

The RBC control system includes several features that are designed to increase reliability of the system. For example, motor and drive components include position measuring and indication equipment (e.g., encoders, lasers, limit switches) requiring failures of redundant equipment to result in a travel upset. Additionally, (( }}2(a),(c)

(( }}2(a),(c) However, mitigation of RBC upsets is ultimately accomplished by removing power to motors and brakes. Removing power stops motors and sets brakes (fail-safe behavior) and can also be performed using the RBC emergency power-off function, which (( }}2(a),(c)

As described in FSAR Section 7.2.1.2.8, the Digital I&C Software Master Test Plan generates factory acceptance test procedures and site acceptance test procedures during the test phase of the software life cycle. NuScale revised Section 9.1.5.5 of the FSAR to include RBC control system performance requirements and relevant design information (e.g., inclusion of limit switches and interlocks to prevent abnormal operation). Together, this design information and the instrumentation and controls information in FSAR Section 7.2.1 meet the content requirements of 10 CFR 52.137 and applicable NUREG-0800 and Design-Specific Review Standard acceptance criteria. NuScale revised FSAR Section 9.1.5 to include a reference to Section 7.2.1.

1c. The use of industry reliability data as implemented in NuScale PRA models is not a key assumption. Utilized reliability data reflects best-estimate information applicable to the components for which that data is applied. Thus, the Reactor Building crane PRA reflects best-estimate modeling of RBC components and design information, including the PLC. Specific to the reliability of the control system used by the RBC, the use of industry failure data for the PLC is not a key assumption. (( }}2(a),(c) The module drop probability comprises the largest contributor to the NuScale risk profile. To that end, (( }}2(a),(c)

(( }}2(a),(c) as the risk associated with the module drop already drives risk for the NuScale design. Further, because load path failures are dominant RBC contributors to the module drop probability, (( }}2(a),(c) Consequently, PLC reliability as implemented in the PRA is not a key assumption.

1d. The system identified as Reactor Building Crane in FSAR Table 17.4-1, Design Reliability Assurance Program Structures, Systems, and Components (SSC) Functions, Categorization, and Categorization Basis, includes the control and power cabinets associated with the RBC. For clarification, the Standard Design Approval Application does not contain a system identified as the RBC control system. The SSC classification of the RBC control cabinet is B1. Table 17.4-1 identification of SSC associated with the RBC is missing the word "crane" in its descriptions of the RBC control and power cabinets. NuScale revised Table 17.4-1 to correct this omission.

2a. Section 14.2 of the FSAR, Initial Plant Test Program, Table 14.2-45, Test #45 Reactor Building Cranes, component level test 45.01.01 includes the test method to "Actuate or simulate actuation of the RBC interlocks," which includes the RBC interlocks and limit switches described in FSAR Section 9.1.5, Overhead Heavy Load Handling Systems. The acceptance criteria for this test is, "Local visual observation indicates that the interlocks limit RBC motion and speed." With respect to emergency stop of the RBC, component level test 45.01.02 verifies the RBC stops (( }}2(a),(c) upon 1) loss of control, 2) loss of power, and 3) seismic switch activation.

2b. NuScale revised Standard Design Approval Application Part 8 Table 3.10-3, Overhead Heavy Load Handling System Equipment, to include the module access platform jib crane and the traveling jib crane hoist.

3. American Society of Mechanical Engineers (ASME) NOG-1 paragraph 7253 requires a test of the crane electrical system to verify proper operation of the controls. Paragraph 7420 includes requirements for no-load testing, full-load testing, and rated load testing. The no-load test includes verifying the limit switches, interlocks, and stops are properly adjusted and set.

The RBC test abstract (FSAR Table 14.2-45) includes both site acceptance testing and the ASME rated load testing as prerequisites to performing the preoperational tests. As described above in the response to item 2, the component level tests include verification of proper operation of the interlocks. The system level tests (45.02.XY) include tests to 1) lift a NuScale Power Module (NPM) and move an NPM to a reactor bay, 2) move an NPM into the containment flange tool and reactor flange tool and perform disassembly of the NPM, and 3) perform assembly of an NPM. The system level tests require using the RBC semi-automatic controls to perform these tests. Proper function of the controls is necessary to perform these tests. For example, (( }}2(a),(c) Therefore, the existing preoperational tests ensure proper function of the RBC controls, including associated interlocks and limit switches. Furthermore, the associated ASME testing (e.g., rated load tests) and preoperational testing prerequisites serve as further verification of the RBC controls.

4. The RBC is powered from ((

}}2(a),(c) The NuScale Power Plant US460 standard design does not include safety-related power supplies (e.g., emergency diesel generators), and (( }}2(a),(c) Following events that include a loss of power, including external flooding, high winds, and other extended loss of power events, the loss of power causes RBC motors and brakes to transition to a safe state; motor motion ceases and brakes set. As a result, the RBC is capable of maintaining a hoisted load until power is restored.

5. NuScale revised FSAR Section 9.1.5 to include design information on the power source for the RBC motors and brakes.
6. For the assessment of 10 CFR 50.34(f)(1)(i), the maximum benefit of a design improvement (described in FSAR Section 19.2.6.2, Estimate of Risk for Design) considers the NPM drop release frequency for ((

}}2(a),(c)

Markups of the affected changes, as described in the response, are provided below:

License Conditions; ITAAC Shared Structures, Systems, and Components and Non-Structures, Systems, and Components Based Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) Design Descriptions and ITAAC
NuScale US460 SDAA 144 Draft Revision 2

Audit Question A-19.1-46

Table 3.10-3: Overhead Heavy Load Handling System Equipment

| Equipment Identifier | Equipment Description | Design Code |
|---|---|---|
| 00-RBC-CRN-0001 | RBC main hoist and lower block assembly | ASME NOG-1, Type I (Note 1) |
| | RBC sister hook | ASME NOG-1, Type I |
| | RBC auxiliary hoists (2 total) | ASME NUM-1, Type IA |
| 00-RBC-CRN-0006 | Articulating traveling jib crane | ASME NUM-1, Type IA |
| 00-RBC-CRN-0007 | Dry dock jib crane | ASME NUM-1, Type IA |
| 00-RBC-MHE-0002 | Auxiliary wet hoist | ASME NUM-1, Type IA |
| 00-RBC-CRN-0008 | Module access platform jib crane | ASME NUM-1, Type IA |
| 00-RBC-CRN-0005 | Traveling jib crane hoist | ASME NUM-1, Type IA |

Note 1: Refer to FSAR Table 9.1.5-1 for exceptions.

NuScale Final Safety Analysis Report Overhead Heavy Load Handling Systems NuScale US460 SDAA 9.1-42 Draft Revision 2

9.1.5.1 Design Bases

Consistent with General Design Criterion 1, OHLHS components are designed, fabricated, erected, and tested to appropriate quality standards such that their failure does not impact the function of other safety-related or risk-significant systems.

General Design Criterion 2 is considered in the design of the OHLHS, including the ability of structures, systems, and components (SSC) in the RXB and OHLHS to withstand the effects of earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches. The OHLHS is located in the Seismic Category I portion of the RXB.

General Design Criterion 4 is considered in the design of the OHLHS. No safety-related or risk-significant SSC are affected by load drops because the individual components of the OHLHS are designed to meet the American Society of Mechanical Engineers (ASME) codes and standards specified in Table 9.1.5-1. In addition, the OHLHS is protected from the effects of external missile hazards by being located inside the RXB.

General Design Criterion 5 is considered in the design of the OHLHS. The RBC is used to move each NPM for refueling. However, only one NPM can be moved at a time. The CFT, RFT, and module inspection rack are designed to hold a single NPM at a time.

9.1.5.2 System Description

9.1.5.2.1 General Description

RAI 9.1.5-6

The OHLHS includes equipment designed to handle critical loads in areas containing safety-related equipment that could be potentially impacted by the drops of such loads. The design of the OHLHS equipment, in conjunction with procedures and safe load paths, ensures safe movement of critical loads. Safe load paths for NPM movement minimize the potential for contact witha load drop on irradiated fuel in a reactor vessel or spent fuel pool (SFP), or withon safe shutdown equipment. The safe load path for NPM movement with the RBCthe movement of the OHLHS is shown in Figure 9.1.5-1.

The largest load handled is the fully-assembled NPM, with the maximum water height in the containment vessel (CNV), and fully flooded in the reactor pressure vessel (RPV). The RBC is designed to handle this load with no credit taken for buoyancy.

9.1.5.2.2 Component Descriptions

Reactor Building Crane

The RBC is designed for critical load handling and consists of a bridge, trolley, main hoist, and two auxiliary hoists as shown in Figure 9.1.5-2.

The RBC bridge is supported by runway rails anchored to the RXB, more than 5.5 inches from the edge, and provides traveling motion across the length of the reactor pool, refueling pool, and dry dock.

The RBC trolley is supported by the bridge and travels across the width of the pool on the bridge rails. The trolley supports and transfers the lifted load to the bridge via the main hoist.

The RBC main hoist is designed with a reeving system. Failure of any single rope in the reeving system can be tolerated without loss of control of the load. The rope reeving system is designed to transfer the load to the remaining ropes without excessive shock in case of a failed rope.

Audit Question A-19.1-46

The hoist drive system includes dual gearboxes, a power braking control system, and redundant holding brakes. There are four hoist motor brakes, two on each gearcase input shaft. The hoisting brakes are automatically set when electrical power is off or mechanically tripped by overspeed or overload devices. The RBC hoist motors and brakes operate on three-phase alternating current power.

The RBC main hoist includes a load-weighing assembly to monitor the tension on the rope for slack rope when a load is lowered, for high loads due to too heavy of a load or hang up, and for a broken rope. The design of the assembly ensures a structural failure does not result in a dropped load. The main hoist monitors hook height and hard-wired limit switches as upper limit constraints.

RAI 9.1.5-6

The lower block assembly (LBA), located at the bottom of the main hoist, provides the connection method for the RBC to lift and carry the NPM from the operating bay to the refueling bay and dry dock, as shown in Figure 9.1.5-3. The LBA is designed with load paths consisting of cleviseslifting arms that interface with the lifting lugs on the TSS of the NPM. The pins that engage the TSS lifting lugs are engaged with actuators. The engagement is confirmed by travel limit switches and visual indication. Design and capacity requirements for the RBC main hoist and LBA are specified in Table 9.1.5-1.

A removable sister hook is connected to the LBA by a single, large-diameter pin. Design and capacity requirements for the sister hook are specified in Table 9.1.5-1.

RAI 9.1.5-6

Two auxiliary hoists mounted on the RBC provide low-capacity lifting for equipment in the RXB. The RBC auxiliary hoists are underhung-monorail type hoists. The auxiliary hoist rail is mounted off the outer surface of each bridge girder. The auxiliary hoists ensure a failure of athe load path single component does not result in an uncontrolled load. The auxiliary hoists also contain a load-weighing assembly that monitors for slack rope, high loads, and broken ropes. Design and capacity requirements associated with the RBC auxiliary hoists are specified in Table 9.1.5-1.

The LRLTT is used for assembly and disassembly of the lower riser assembly (LRA) in the lower RPV, and for lifting and removing the lower riser from the lower RPV. The LRLTT is classified as nonsafety-related, non-risk-significant. The LRLTT is operated attached to the RBC with the AWH to remotely unbolt and remove the LRA from the RPV, and place the LRA on a stand located on the RXB pool floor. Following the refueling operations, the LRLTT is used to reinstall the LRA onto the lower RPV. The LRLTT is designed to the applicable requirements of ASME BTH-1 (Reference 9.1.5-1). Additionally, the LRLTT is designed to the requirements of ASME NML-1 (Reference 9.1.5-2) for lifting devices for critical lifts.

Other Refueling Devices

The CFT is located at the bottom of the refueling pool adjacent to the SFP in the RXB. The CFT is used to assemble and disassemble the lower parting flange on the CNV. The RBC is used to place the NPM in the CNV support stand and remains connected to the NPM. The lower CNV remains in the CFT once unbolted. The upper NPM including the reactor vessel is then moved to the RFT.

The RFT is located at the bottom of the refueling pool adjacent to the CFT. The RBC moves the NPM from the CFT to the RFT and remains connected to the NPM. The RFT supports the lower portion of the reactor vessel containing the core during refueling operations. The RFT performs closure bolt installation and tensioning for assembly and disassembly of the RPV lower parting flange.

The module inspection rack is a permanently-mounted work platform located in the dry dock of the RXB used to support the NPM for inspection and maintenance. It supports the NPM in the vertical orientation. The RBC moves the upper CNV with the upper reactor vessel from the RFT to the module inspection rack.

9.1.5.2.3 System Operation

Reactor Building Crane Operation

The RBC is used to lift and move equipment within the RXB to support normal operations, maintenance, receipt of new equipment, and to assist in refueling operations. The crane is designed to withstand the RXB environmental conditions and to operate during all modes of plant operations.

The RBC transfers an NPM from its installed operating position in the reactor pool to the refueling pool and back. Travel paths are determined and attributes are entered into the RBC control system. Each task is specified and scheduled by the crane operator.

RAI 9.1.5-6

Heavy load exclusion zones and sSafe load paths are defined in operating procedures and equipment drawings as defined by COL Item 9.1-5. This restriction reduces the probability of a heavy load drop that could result in safe shutdown equipment damage or result in a release of radioactive material that could cause unacceptable radiation exposures.

RAI 9.1.5-6

The position control system assists in aligning the RBC with the NPM for engagement before performing lifting operations. The RBC control system is capable of load-dependent travel restrictionsHeavy load exclusion zones are dependent on the load on the RBC hoist. The travel path is chosen to accommodate this information. Repeatability, proper load path, and proper locations are ensured by semi-automatic crane operation.

Refueling Operations

Refueling operations for an individual NPM are independent of the operating status of the remaining NPMs because only one NPM can be moved at a time. This section presents the process of moving an NPM from the operating bay to the refueling pool and preparing the vessel for fuel movement. Section 9.1.4 presents the process of moving fuel assemblies into an open reactor vessel.

The RBC is moved to the operating bay containing the NPM that is shutdown for refueling. When the RBC is within a predefined position, the lower block assembly is lowered over the NPM lifting lugs. The LBA is manipulated until its lugs are fully engaged with the NPM lifting lugs. Verification of pin position is achieved by sensor feedback on the LBA and visual indicators. The LBA is raised until the load sensing system detects load, indicating NPM lifting lugs are fully engaged with the LBA. The NPM is raised to a pre-defined elevation and moved through the predefined path to the CFT in the refueling pool.

Once the RBC is aligned over the CFT, the NPM is lowered onto the stand of the CFT. With the LBA still attached to the NPM, the CFT de-tensions and removes the CNV flange closure bolts. The RBC lifts the upper CNV, with the RPV attached, from the lower CNV and transfers it into location over the RFT. The lower CNV remains in the CFT during the remaining refueling process. The RBC lowers the upper CNV with the RPV onto the stand in the RFT. With the LBA still attached to the upper CNV, the RFT de-tensions and removes the RPV flange closure bolts.

Once the bolts are removed, the RBC lifts the upper CNV with the upper RPV and transports it to the module inspection rack in the flooded dry dock. The RBC lowers the upper NPM into the module inspection rack. The NPM is confirmed to be properly seated in the module inspection rack and the LBA is disconnected from the module. The process is performed in reverse to reassemble the NPM and move it back into the operating bay.

9.1.5.3 Safety Evaluation

The heavy load handling system includes features to minimize the potential for a load drop and for the safe handling of heavy loads. The design includes enhanced safety handling systems, mechanical stops, electrical interlocks, safe load paths, established load handling procedures, and a plant configuration that provides redundancy to minimize the probability of a load drop. The components designed to handle critical loads support the load during and after a safe shutdown earthquake (SSE).

Audit Item A-9.1.5-1, Audit Item A-9.1.5-2

The underhung cranes within the OHLHS conform to ASME NUM-1 Type IA requirements, as stated in Table 9.1.5-1. The design standards in Table 9.1.5-1 provide the design criteria, redundancy, seismic, and quality assurance criteria to ensure that a credible failure of a single component does not result in the loss of capability to stop and hold a critical load. The application of this standard provides an enhanced safety handling system basis, and as a result, postulated load drop analysis is not required to assess radiological consequences.

The RBC design conforms to the ASME standard specified in Table 9.1.5-1 so a credible failure of a single component does not result in the loss of capability to stop and hold a critical load. The use of this standard precludes the need to perform load drop evaluations, and as a result, accident analysis is not required to assess radiological consequences of an NPM drop accident.

Audit Question A-9.1.5-1, Audit Question A-9.1.5-2

RAI 9.1.5-6

Seismic category I or II cranes in Table 9.1.5-1 are designed toThe design of the RBC main hoist and the seismic analysis ensures SSC are able to withstand the SSE and not drop the load. Large components are analyzed to ensure they do not become a missilecome loose during a seismic event and potentially damage other equipment.

The RBC is designed to ensure the system retains its load throughout an SSE. At the onset of an earthquake, a seismic switch disconnects power. The trolley, bridge, and hoist stop, and the brakes set. Earthquake restraints keep the trolley on the bridge and the bridge on the runway. If power cannot be restored, the brakes can be released manually, and the crane and suspended load can be safely positioned.

The CFT and the module inspection rack are designed to ensure their structural failure or interaction cannot degrade the functioning of Seismic Category I SSC during or after an SSE.

Other plant cranes are designed in accordance with the applicable design codes for each crane specified in Table 9.1.5-1. Cranes are designated as Type I, II, or III based on their requirement to handle critical loads and their seismic design criteria.

RAI 9.1.5-6

The OHLHS is protected from the effects of external missile hazards by being located inside the RXB. Dynamic effects associated with missile impact are provided in Section 3.5.

In addition to being designed as an enhanced safety handling system, the RBC iscranes are designed with a system of interlocks that prevents movement in heavy load exclusion zonesrestricts hook travel to prevent impacts.

RAI 9.1.5-6

The heavy load exclusion zones represent areas where heavy loads cannot travel without additional measures because a heavy load drop in the exclusion zones could potentially impact safe shutdown equipment, cause a release of radioactive materials, or a criticality accident that could cause unacceptable radiation exposures.

RAI 9.1.5-6

Physical limits and administrative controls are included to ensure safe handling of critical loads. Thus, the design of the OHLHS, in conjunction with safe load paths and heavy load exclusion zones, allows for moving an NPM or other equipment without impacting the operation of the other NPMs, including safe shutdown and cooldown.

RAI 9.1.5-6

The process of accepting and receiving a new NPM into the dry dock while the plant is operating is performed using the module assembly equipment discussed in Section 3.8. The module inspection rack is part of the module assembly equipment used, not only in initial receipt of the NPM, but also during refueling. In addition, the RBC is used during initial delivery of an NPM. Because only one NPM can be moved at a time, the receipt of a new NPM cannot occur when the RBC is being used for other lifting or during an NPM refueling. In addition, the safe load paths apply to the initial delivery of an NPM. Therefore, the operation of other NPMs is not affected by the receipt and delivery of a new NPM.

COL Item 9.1-5: An applicant that references the NuScale Power Plant US460 standard design will provide a description of the program governing heavy loads handling. The program should address

- operating and maintenance procedures.
- inspection and test plans.
- personnel qualification and operator training.
- detailed description of the safe load paths for movement of heavy loads.

9.1.5.4 Inspection and Testing

The RBC is inspected and tested in accordance with ASME NOG-1 (Reference 9.1.5-3). Tests include operational testing with 100 percent load to demonstrate function and speed controls for bridge, trolley, and hoist drives, and proper functioning of limit switches, locking, and safety devices. A rated load test is performed with a 125 percent load.

NuScale Final Safety Analysis Report Overhead Heavy Load Handling Systems NuScale US460 SDAA 9.1-49 Draft Revision 2

Audit Question A-9.1.5-1, Audit Question A-9.1.5-2, RAI 9.1.5-6
In-process inspection and testing of the RBC auxiliary hoists, the auxiliary wet hoist, the ATJC, the dry dock jib crane, the MAP jib crane, and the TJC is performed in accordance with ASME NUM-1 (Reference 9.1.5-4). Testing of the permanently installed NPM top support structure is conducted per ANSI N14.6 requirements for dual-load-path devices (Reference 9.1.5-5). A rated load test is performed with a 150 percent load, and includes non-destructive examination and dimensional checks. The methodology and approach utilized to develop related Inspections, Tests, Analyses, and Acceptance Criteria is addressed in Section 14.3. Preoperational testing of the RBC is addressed in Section 14.2.

9.1.5.5 Instrumentation and Control

Audit Question A-19.1-46
The RBC utilizes a programmable logic controller (PLC) based digital control system for control, operation, and monitoring. The control system consists of limit switches for boundary zone and over-travel definition. The RBC digital control system uses position feedback devices such as motor encoders, cameras, and laser measurement devices. Load sensing and handling are controlled with devices such as load cells and inclinometers.

Audit Question A-19.1-46
Software interlocks prevent collisions with other SSC, operation outside of the equipment design capabilities, and initiation of automated sequences for which all prerequisites have not been met. Zone controls provide speed, hoist positioning, and load control.

Audit Question A-19.1-46
Normal operation of the RBC includes automated bridge and trolley motions, including hold points and way points specified in the load path. Manual control of these motions is also permissible at reduced speed.

Interlocks and boundary zones can be bypassed through specific operator action that requires a key and is administratively controlled. In the event of a power failure, direct mechanical control of system drives is available.

Audit Question A-19.1-46, RAI 9.1.5-6
Positioning and weighing capability ensures the RBC does not travel within heavy load exclusion zones. The RBC limit switches and interlocks include:
  • End of travel limit switches, including slow limit switches, are used for bridge, trolley, and LBA rotate motions.

NuScale Final Safety Analysis Report Overhead Heavy Load Handling Systems NuScale US460 SDAA 9.1-53 Draft Revision 2

Audit Question A-19.1-46, RAI 9.1.5-6
Figure 9.1.5-1: NuScale Power Module / Reactor Building Crane Safe Load Path

[Figure not reproduced. Labels: safe load path for NPM geometric center while transported by RBC; RBC main hoist travel area; RBC auxiliary hoist travel area; RBC rail; pool wall.]

NuScale Final Safety Analysis Report Radioactive Release from a Subsystem or Component NuScale US460 SDAA 15.7-2 Draft Revision 2

RAI 9.1.5-6
Section 9.1.5 provides additional information regarding the RBC system design and capabilities, including a description of system interlocks, and safe load paths., and load exclusion zones. Chapter 19 provides a description of the low power and shutdown (LPSD) probabilistic risk assessment. All stages of a nominal refueling outage are included in the LPSD probabilistic risk assessment, including movement and disassembly of an NPM during refueling. An NPM drop event is also evaluated in the LPSD probabilistic risk assessment in Section 19.1.6.

NuScale Final Safety Analysis Report Reliability Assurance Program NuScale US460 SDAA 17.4-8 Draft Revision 2

Audit Question A-19.1-46, RAI 9.1.5-6
Table 17.4-1: Design Reliability Assurance Program Structures, Systems, and Components Functions, Categorization, and Categorization Basis

Containment System (CNTS)

System Function:
  • Provides a barrier to contain mass, energy, and fission product release by closure of the containment isolation valves (CIVs) upon containment isolation signal
  • Provides a sealed containment and thermal conduction for the condensation of steam that provides makeup water to the reactor coolant system (RCS)
  • Transfers core heat from reactor coolant in containment to the ultimate heat sink (UHS)
  • Provides safety-related signals
Function Category (A1 & B1): A1
SSC Required to Perform System Function: CNTS SSC with the exception of the following:
  • CIV close and open position sensors:
    - Containment evacuation system, inboard and outboard
    - Containment flooding and drain system (CFDS), inboard and outboard
    - Chemical and volume control system (CVCS) inboard and outboard pressurizer (PZR) spray line
    - CVCS, inboard and outboard RCS discharge
    - CVCS, inboard and outboard RCS injection
    - CVCS, inboard and outboard high-point degasification
    - Reactor component cooling water system, inboard and outboard return and supply
    - Main steam system (MSS) and MSS backup
  • Reactor pressure vessel (RPV) high point degasification solenoid valve close and open position sensors
  • CVCS discharge air operated valve close and open position sensors
  • CFDS piping inside containment
  • Containment air resistance temperature detectors
  • Piping from systems (containment evacuation system, CFDS, CVCS, condensate and feedwater system, MSS, reactor component cooling water system) CIVs to disconnect flange (outside containment)
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

NuScale Final Safety Analysis Report Reliability Assurance Program NuScale US460 SDAA 17.4-14 Draft Revision 2

Table 17.4-1: Design Reliability Assurance Program Structures, Systems, and Components Functions, Categorization, and Categorization Basis (Continued)

Reactor Building Components

System Function:
  • Vents air pressures internal to the Reactor Building that result from a high energy line break
  • Provides safety-related anchorage and structural support to the NPM
Function Category (A1 & B1): A1
SSC Required to Perform System Function:
  • Over-pressurization vents
  • NPM supports
  • Steam gallery blow off panels
  • CVCS high energy line break blow off panels
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

System Function:
  • Provides nonsafety-related anchorage and structural support to handling equipment
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Reactor Building crane runway rail support
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

Reactor Building Crane

System Function:
  • Provides structural support and movement to the NPM while moving from refueling, inspection and operating bay
  • Limits motion of an NPM or spent fuel cask containing nuclear fuel, to within predefined safe load paths and outside of exclusion zones
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Reactor Building crane
  • Reactor Building control cabinet
  • Reactor Building power cabinet
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

Control Building

System Function:
  • Houses safety-related, risk significant equipment and facilities pertinent to the operation and support of the reactor module(s)
  • Provides anchorage and support for safety-related, risk significant equipment and facilities pertinent to the operation and support of the reactor module(s)
  • Protects safety-related, risk significant equipment and facilities from natural phenomena and externally generated missiles
Function Category (A1 & B1): A1
SSC Required to Perform System Function:
  • Control Building
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

System Function:
  • Protects operators from natural phenomena and externally generated missiles
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Control Building
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

NuScale Final Safety Analysis Report Reliability Assurance Program NuScale US460 SDAA 17.4-14 Draft Revision 2

Table 17.4-1: Design Reliability Assurance Program Structures, Systems, and Components Functions, Categorization, and Categorization Basis (Continued)

Reactor Building Components

System Function:
  • Vents air pressures internal to the Reactor Building that result from a high energy line break
  • Provides safety-related anchorage and structural support to the NPM
Function Category (A1 & B1): A1
SSC Required to Perform System Function:
  • Over-pressurization vents
  • NPM supports
  • Steam gallery blow off panels
  • CVCS high energy line break blow off panels
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

System Function:
  • Provides nonsafety-related anchorage and structural support to handling equipment
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Reactor Building crane runway rail support
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

Reactor Building Crane

System Function:
  • Provides structural support and movement to the NPM while moving from refueling, inspection and operating bay
  • Limits motion of an NPM or spent fuel cask containing nuclear fuel, to within predefined safe load paths and outside of exclusion zones
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Reactor Building crane
  • Reactor Building crane control cabinet
  • Reactor Building crane power cabinet
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

Control Building

System Function:
  • Houses safety-related, risk significant equipment and facilities pertinent to the operation and support of the reactor module(s)
  • Provides anchorage and support for safety-related, risk significant equipment and facilities pertinent to the operation and support of the reactor module(s)
  • Protects safety-related, risk significant equipment and facilities from natural phenomena and externally generated missiles
Function Category (A1 & B1): A1
SSC Required to Perform System Function:
  • Control Building
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

System Function:
  • Protects operators from natural phenomena and externally generated missiles
Function Category (A1 & B1): B1
SSC Required to Perform System Function:
  • Control Building
Basis for Function Categorization: Determination by expert panel and informed with input from PRA, deterministic, and other methods of analysis

NuScale Final Safety Analysis Report Overhead Heavy Load Handling Systems NuScale US460 SDAA 9.1-49 Draft Revision 2

Audit Question A-9.1.5-1, Audit Question A-9.1.5-2, RAI 9.1.5-6
In-process inspection and testing of the RBC auxiliary hoists, the auxiliary wet hoist, the ATJC, the dry dock jib crane, the MAP jib crane, and the TJC is performed in accordance with ASME NUM-1 (Reference 9.1.5-4). Testing of the permanently installed NPM top support structure is conducted per ANSI N14.6 requirements for dual-load-path devices (Reference 9.1.5-5). A rated load test is performed with a 150 percent load, and includes non-destructive examination and dimensional checks. The methodology and approach utilized to develop related Inspections, Tests, Analyses, and Acceptance Criteria is addressed in Section 14.3. Preoperational testing of the RBC is addressed in Section 14.2.

9.1.5.5 Instrumentation and Control

Audit Question A-19.1-46
The RBC utilizes a programmable logic controller (PLC) based digital control system for control, operation, and monitoring. The control system consists of limit switches for boundary zone and over-travel definition. The RBC digital control system uses position feedback devices such as motor encoders, cameras, and laser measurement devices. Load sensing and handling are controlled with devices such as load cells and inclinometers.

Audit Question A-19.1-46
Software interlocks prevent collisions with other SSC, operation outside of the equipment design capabilities, and initiation of automated sequences for which all prerequisites have not been met. Zone controls provide speed, hoist positioning, and load control.

Audit Question A-19.1-46
Normal operation of the RBC includes automated bridge and trolley motions, including hold points and way points specified in the load path. Manual control of these motions is also permissible at reduced speed.

Interlocks and boundary zones can be bypassed through specific operator action that requires a key and is administratively controlled. In the event of a power failure, direct mechanical control of system drives is available.

Audit Question A-19.1-46
The RBC digital control system is developed using the processes described in Section 7.2.1.

Audit Question A-19.1-46, RAI 9.1.5-6
Positioning and weighing capability ensures the RBC does not travel within heavy load exclusion zones.