ML24326A109
| ML24326A109 | |
|---|---|
| Site: | 05200050 |
| Issue date: | 11/21/2024 |
| From: | NuScale |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML24326A092 |
| References: | LO-175900 |
Response to SDAA Audit Question
Question Number: A-16.3.3.1-7
Receipt Date: 03/18/2024
Question:
LCO 3.3.1, Module Protection System, does not include the 24 hour and 8-hour timers for ECCS actuation.
SDAA Rev. 0, Part 2, FSAR Section 7.0.4.1.4, Module Protection System Support Systems, on page 7.0-9, says:
To ensure EDAS batteries supply power for their mission time, only loads associated with maintaining the ECCS valves closed remain energized during ECCS-hold mode. These loads include the MPS and NMS cabinets, including power to ECCS valve solenoids,, and the EDAS battery monitors. If two out of four sensors detect a loss of voltage on both B and C battery charger switchgears, the MPS automatically generates a reactor trip, decay heat removal system (DHRS) actuation, pressurizer heater trip [PHT], demineralized water supply isolation [DWSI], secondary system isolation [SSI], chemical and volume control system isolation [CVCSI], containment isolation [system (CIS) actuation], and starts the three 24-hour timers per division. For the first 24 hours following a loss of voltage, the four separation groups of MPS equipment and both divisions of ESFAS and RTS remain energized. If an ECCS actuation is not required due to plant conditions, then ECCS is not actuated (ECCS trip solenoid valves remain energized), which is defined as the ECCS hold mode, to allow time to restore AC power and prevent actuation of ECCS. The ECCS still actuates if the associated ESFAS signal is generated during this 24-hour period.
If AC power is not restored within 24 hours, the 24-hour timers time out (PAM only mode), the RTS chassis, ESFAS chassis, MWS [maintenance workstation] for both MPS divisions, and Separation Groups A and D are de-energized, and the rest of the ESFAS actuations initiate (e.g., ECCS), reducing the load on batteries for buses B and C to support the availability of PAM indications for a minimum of 72 hours.
NuScale Nonproprietary
The MPS actuates ECCS automatically after a specified [8 hour] period of time following an automatic or manual reactor trip. This actuation allows the ECCS supplemental boron to recirculate into the reactor core region before xenon decays from the core, to assure subcriticality without requiring operator actions. This actuation may be manually blocked by operators if subcriticality at cold conditions is confirmed.
The applicant is requested to explain (1) why SDAA Part 4, Rev. 1, LCO 3.3.1 does not include a Function for ECCS actuation on the 8-hour post reactor trip timer timeout.
(2) how many 8-hour post reactor trip timers are provided for use by ECCS actuation logic.
(3) how SDAA Part 4, Rev. 1, LCO 3.3.1 Function 25.h, ECCS actuation on Low AC Voltage to EDAS Battery Chargers, relates to the 24-hour timer timeout function that initiates ECCS, to support maintaining battery-power to PAM until 72 hours after losing AC power to the EDAS battery chargers. The 24-hour timer appears to meet none of the LCO selection criteria because PAM instrumentation is not included in the GTS.
Response
Response to Item (1):
The emergency core cooling system (ECCS) supplemental boron actuation time delay function is part of Generic Technical Specification (GTS) LCO 3.3.3, Function 1 (ECCS), because the timer is part of the logic that initiates ECCS. This function is addressed by GTS surveillance requirement SR 3.3.3.3, and is discussed in the bases for that surveillance requirement.
Response to Item (2):
There is one ECCS supplemental boron actuation time delay function redundantly implemented in each module protection system divisional logic. The ECCS supplemental boron actuation time delay function logic can be found in Standard Design Approval Application Figure 7.1-1j, Reactor Trip and Reactor Tripped Interlock RT-1, and Figure 7.1-1n, ESFAS Emergency Core Cooling System Actuation, Low Temperature Overpressure Protection Actuation.
Response to Item (3):
The relationship of GTS LCO 3.3.1 Function 25.h to ECCS actuation on Low AC Voltage to the Augmented DC Power System (EDAS) Battery Chargers is discussed in the Bases for LCO 3.3.1 Function 25. The Bases for Function 25 state:
Low AC Voltage to EDAS Battery Chargers is determined by measuring two ELVS 480 VAC buses that provide power to the EDAS battery chargers with two sensors per separation group.
If both 480 VAC bus voltages are below the setpoint, the following occurs:
A delayed Emergency Core Cooling System Actuation timer is initiated; Eight (4/bus) Low ELVS Voltage delayed ECCS Actuation channels are required to be OPERABLE when operating in MODES 1 and 2, and in MODE 3 without PASSIVE COOLING in operation. ECCS actuation as a result of the low ELVS voltage is delayed for 24 hours.
The 24 hour time delay associated with ECCS actuation on Low AC Voltage to EDAS Battery Chargers is implemented in the programmable logic of the module protection system for each division. The logic for the 24-hour timer is shown in Standard Design Approval Application Figure 7.1-1ag, Loss of AC Power to ELVS Battery Chargers.
The 24 hour time delay associated with ECCS actuation on Low AC Voltage to EDAS Battery Chargers is a non-safety related function and does not meet any of the criteria of 10 CFR 50.36(c)(2)(ii) for inclusion in the technical specifications.
NuScale revises the Bases for GTS Sections 3.3.2 and 3.3.3 to include a reference to TR-0516-49416-P-A, Revision 2, Design of the Highly Integrated Protection System Platform.
Markups of the affected changes, as described in the response, are provided below:
RTS Logic and Actuation B 3.3.2
NuScale US460 B 3.3.2-1 Draft Revision 2
B 3.3 INSTRUMENTATION
B 3.3.2 Reactor Trip System (RTS) Logic and Actuation
BASES
BACKGROUND
The RTS portion of the Module Protection System (MPS) initiates a reactor trip to protect against violating the core fuel design limits and maintain reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents. By tripping the reactor, the RTS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.
LCO 3.3.2 addresses only the logic and actuation portions of the MPS that perform the RTS function. The scope of this LCO begins at the inputs to the scheduling and voting modules (SVM) and extends through the actuated components. This includes the reactor trip breakers (RTBs).
LCO 3.3.1, "Module Protection System (MPS) Instrumentation," and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.
Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.
Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the RTS SVMs. Redundant data from all four separation groups is received by each division of the RTS SVMs.
Logic for Reactor Trip Initiation
The MPS reactor trip initiation logic is implemented in two divisions of RTS. The three SVMs, in each division, generate a reactor trip signal when safety function modules (SFMs) in any two of the four separation groups determine a reactor trip is required. Each of the two RTS divisions evaluates the input signals from the SFMs from all four separation groups.
Each SVM compares the four inputs received from the SFMs, and generates a reactor trip signal if required by two of the four separation groups. The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs).
The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate (Ref. 2).
RTS Logic and Actuation B 3.3.2
NuScale US460 B 3.3.2-6 Draft Revision 2
BASES
SURVEILLANCE REQUIREMENTS (continued)
However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.4
SR 3.3.2.4 verifies the reactor trip breaker (RTB) actuates to the open position on an actual or simulated trip signal. This test verifies OPERABILITY by actuation of the end devices.
The RTB test verifies the under voltage trip mechanism opens the breaker. Each RTB in a division is tested separately to minimize the possibility of an inadvertent reactor trip.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
- 1. FSAR, Section 7.2.
- 2. TR-0516-49416-P-A, Design of the Highly Integrated Protection System Platform, Rev. 2.
ESFAS Logic and Actuation B 3.3.3
NuScale US460 B 3.3.3-2 Draft Revision 2
BASES
BACKGROUND (continued)
- 7. Secondary System Isolation (SSI) actuation;
- 8. Pressurizer Line Isolation; and
- 9. Low Temperature Overpressure Protection (LTOP) actuation.
Logic for Actuation Initiation
The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.
The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division - independent and redundant EIMs for each division of ESFAS.
The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate (Ref. 2).
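The two-stage voting described in the "Logic for Reactor Trip Initiation" and "Logic for Actuation Initiation" passages, as an added Python example that is not part of the NuScale submittal: it models one division (four SFM votes, three redundant SVMs voting 2-out-of-4, one EIM voting 2-out-of-3) and exhaustively checks which combinations of failed modules can change the output. The function names, the boolean vote model and the stuck-at fault model are assumptions made for illustration.

```python
from itertools import combinations, product

def svm_vote(sfm_votes):
    """2-out-of-4: an SVM calls for actuation when >= 2 separation groups do."""
    return sum(sfm_votes) >= 2

def eim_vote(svm_outputs):
    """2-out-of-3: an EIM actuates when >= 2 of the 3 SVM signals agree."""
    return sum(svm_outputs) >= 2

def division_actuates(demand, sfm_faults=None, svm_faults=None):
    """Model one division: 4 SFM votes -> 3 redundant SVMs -> one EIM.

    demand: true plant condition (True = actuation required).
    sfm_faults / svm_faults: {index: stuck_value} replacing a healthy output
    (assumed stuck-at fault model, not taken from the page).
    """
    sfm_faults, svm_faults = sfm_faults or {}, svm_faults or {}
    sfm = [sfm_faults.get(i, demand) for i in range(4)]
    healthy_svm = svm_vote(sfm)
    svm = [svm_faults.get(j, healthy_svm) for j in range(3)]
    return eim_vote(svm)

def tolerates(n_sfm, n_svm):
    """True if no placement of n_sfm + n_svm stuck faults changes the output."""
    for demand in (False, True):
        for si in combinations(range(4), n_sfm):
            for sv in product((False, True), repeat=n_sfm):
                for vi in combinations(range(3), n_svm):
                    for vv in product((False, True), repeat=n_svm):
                        out = division_actuates(
                            demand, dict(zip(si, sv)), dict(zip(vi, vv)))
                        if out != demand:
                            return False
    return True

if __name__ == "__main__":
    for n_sfm, n_svm in [(1, 0), (0, 1), (1, 1), (2, 0), (0, 2)]:
        print(f"{n_sfm} SFM + {n_svm} SVM faults tolerated:",
              tolerates(n_sfm, n_svm))
```

In this model a single stuck SFM together with a single stuck SVM can neither block a required actuation nor cause a spurious one, while two faults at the same voting stage can.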
ESFAS Actuation
Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.
Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV, per steam line (two total), and either Division I or II actuation will close it.
Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.
Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unit
ESFAS Logic and Actuation B 3.3.3
NuScale US460 B 3.3.3-12 Draft Revision 2
BASES
SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.3.4
SR 3.3.3.4 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.
Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety functions. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices. The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to ensure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program. However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.3.5
SR 3.3.3.5 verifies the pressurizer heater breaker actuates to the open position on an actual or simulated trip signal on each pressurizer heater breaker. This test verifies OPERABILITY by actuation of the end devices.
The pressurizer heater breaker test verifies the under voltage trip mechanism opens the breaker.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES
- 1. FSAR, Chapter 7.
- 2. TR-0516-49416-P-A, Design of the Highly Integrated Protection System Platform, Rev. 2.