ML18241A142

| Person / Time | |
|---|---|
| Issue date: | 08/23/2018 |
| From: | Christina Antonescu, Advisory Committee on Reactor Safeguards |
| To: | |
| Contact: | Antonescu C |
| References: | NRC-3861 |
| Download: | ML18241A142 (242) |
Text
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION
Title: ACRS NuScale Committee Open Session
Docket Number: N/A
Location: Rockville, Maryland
Date: August 23, 2018
Work Order No.: NRC-3861
Pages 1-

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005
(202) 234-4433
www.nealrgross.com

DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS)
NuSCALE SUBCOMMITTEE
OPEN SESSION
THURSDAY, AUGUST 23, 2018
ROCKVILLE, MARYLAND

The Subcommittee met at the Nuclear Regulatory Commission, Two White Flint North, Room T2B1, 11545 Rockville Pike, at 8:30 a.m., Michael Corradini, Chairman, presiding.

COMMITTEE MEMBERS:
MICHAEL L. CORRADINI, Chairman
RONALD G. BALLINGER, Member
DENNIS C. BLEY, Member
CHARLES H. BROWN, JR., Member
WALTER L. KIRCHNER, Member
JOSE MARCH-LEUBA, Member
JOY L. REMPE, Member
GORDON R. SKILLMAN, Member
MATTHEW SUNSERI, Member

ACRS CONSULTANT:
MYRON HECHT

DESIGNATED FEDERAL OFFICIAL:
CHRISTINA ANTONESCU

*Present via telephone

CONTENTS
Meeting Start..................4
Opening Remarks by Chairman...........4
Opening Remarks by Robert Caldwell.......6
Overview of Chapter 7..............10
Opportunity for Public Comment........185

P R O C E E D I N G S
(8:31 a.m.)
CHAIRMAN CORRADINI: Okay, the meeting will come to order. This is a meeting of the NuScale Subcommittee. My name is Mike Corradini, Chair of this subcommittee meeting. ACRS members in attendance are Ron Ballinger, Dennis Bley, Dick Skillman, Matt Sunseri, Joy Rempe, Jose March-Leuba, Charlie Brown, soon to be Walt Kirchner, and our consultant, Myron Hecht. Christina Antonescu is the ACRS staff -- of the ACRS staff is the designated Federal official for this meeting.

The purpose of this meeting is for NuScale to give an overview to the subcommittee on the NuScale Design Certification Application Chapter 7, Instrumentation and Control, and for the staff to give a presentation to the subcommittee on their Safety Evaluation Report on Chapter 7 with open items.

The ACRS was established by statute and is governed by the Federal Advisory Committee Act, or FACA. That means that the committee can only speak through its published letter reports. We hold meetings to gather information to support our deliberations. Interested parties who wish to provide comments can contact our offices requesting time.

After the meeting, the Federal Register Notice is published. That said, we set aside about 15 minutes for extemporaneous comments from members of the public attending or listening. Written comments are also welcome. The ACRS section of the U.S. NRC's public website provides our charter, bylaws, letter reports, and full transcripts of all our full and subcommittee meetings, including all slides presented at the meetings. We will hear a presentation from NuScale and the NRC staff today. The subcommittee will gather information, analyze relevant issues and facts, and formulate proposed positions and actions as appropriate for deliberation by our full committee.

The rules for participation at today's meeting have been announced as part of the notice of the meeting published in the Federal Register, and we have received no written comment or request for time to make oral statements as a member of the public in today's meeting. As always, we have one bridge line established for interested members of the public to listen in in the open session.

Also, the bridge line will be open after the open meeting session to see if anyone would be listening to make additional comments. A transcript of the meeting is being kept and will be made available as stated in the Federal Register notice.

Therefore, we request that participants in this meeting use the microphones located throughout the meeting room when addressing the subcommittee.

Participants should identify themselves, speak with sufficient clarity and volume so they may be readily heard. Please also silence all your cell phones, pagers, iPhones, etcetera, so we do not have any buzzes or noises through the meeting. We will now proceed with the meeting. One extemporaneous point is this is the second of our meetings looking at the DCD.

We talked about Chapter 8 back in June. We are now going to discuss Chapter 7. Our intent is most likely to combine our comments and suggestions on seven and eight when we talk at the full committee in September.

So I think I am going to be calling upon Robert Caldwell of NRO to start us off with some introductory remarks. Mr. Caldwell?
MR. CALDWELL: Yes, hello. My name is Bob Caldwell. I am the Deputy Division Director for the Division of Engineering and Infrastructure in the Office of New Reactors, and I would like to thank you all for giving us the opportunity to present our findings on Chapter 7 of the DCD.

Right now, before we present our -- do our presentation, before we get started, I would like to point out that NuScale recently informed us that there was a delta between Chapter 5 and 7 of the DCD which they are looking at. These discrepancies involve a remote shutdown station. During our presentation, we will be providing you our findings based on the DCD details that we have done the evaluation on.

So while NuScale is resolving these discrepancies that they find, there is the need for a change in Chapter 7. We will take a look at it and see if we need to change the SE. If there is a need for the change for the SE, we will come back to the subcommittee as appropriate.

CHAIRMAN CORRADINI: Charlie?

MEMBER BROWN: Just to make clear, so we understand this, what you mean is they want to delete the remote shutdown station? Is that my understanding?

MR. CALDWELL: No, I do not know exactly what their path forward is at the moment. We hope to find out. This is --

MEMBER BROWN: But you do not know those details? It is kind of -- the information passed around, it was not real clear, and I just wanted to make sure it was clear to the other members.

CHAIRMAN CORRADINI: But the only thing we know for sure is what you reviewed is not necessarily what is the current design thoughts.

MEMBER BROWN: With respect to the remote shutdown. With respect to Chapter 7.

MR. CALDWELL: Yes, with respect to the remote shutdown stations.

CHAIRMAN CORRADINI: Shutdown stations.

MEMBER BROWN: Chapter 7 uses the RSS, calls it out in many places.

MR. CALDWELL: Right.

CHAIRMAN CORRADINI: Okay. So we have to be aware of that.

MR. CALDWELL: Yes, just be aware of that. That is the only ones we cross. Thank you.

CHAIRMAN CORRADINI: Thank you. So, we should turn to Paul. Are you going to lead us off?

MR. INFANGER: Yes, I am Paul Infanger. I am the Licensing Project Manager for Chapter 7. I appreciate the opportunity to present our technical details in support of the staff's SCR. I appreciated working with the staff on Chapter 7. We have received the SCR with no open items related to Chapter 7. The only open items are related to turning back to some open items in Chapter 8 and expected open items in Chapter 15. But there are not Chapter 7-related open items. We will relay, the issue on the remote shutdown panel will be addressed during our presentation. Just want to say a little bit about my background. I have been with NuScale for about three and a half years. Prior to that, I was working on the Korean reactor for Barakah, and also prior to that, at UniStar for the Calvert Cliffs COLAs, and prior to that, 25 years as Licensing Manager at various operating sites.
MEMBER BLEY: Mr. Paul, you mentioned Chapter 8. When we went through Chapter 8 with you, there were a few issues that came up that you deferred to Chapter 7. Are you going to talk about those in particular?

MR. INFANGER: Yeah, there were several timers that we discussed in Chapter 8 that were really I&C issues, so we are prepared and have information in our presentation on those.

MEMBER BROWN: Those are the 24-hour timers you are talking about?

MR. INFANGER: Yes.

MEMBER BROWN: Okay. And how they interface with the DC?

MR. INFANGER: Right.

MEMBER BROWN: Okay, thank you.

MR. INFANGER: So with that, I would like to introduce the lead speaker will be Brian Arnholt.

MR. ARNHOLT: Good morning. I am Brian Arnholt. Thanks for the opportunity to present to the subcommittee this morning. I am the I&C Supervisor with NuScale Power.

I have been with NuScale three and a half years. I am responsible for the design and licensing of the instrumentation and control systems for the NuScale plant design. Prior to that, I was with B&W on the mPower project in a very similar role, and then prior to that, was with GE Energy. I performed detailed design of the non-safety plant control system for the ESBWR and other global power generation projects that GE had at the time.

Started my career at Exelon Corporation as a Reactor Engineer at the Byron Nuclear Power Station, and transitioned into roles in real-time process systems and plant operations. And I received my degree in Nuclear Engineering from the University of Michigan, so please excuse my counterpart who is an OSU grad.

MR. INFANGER: Yeah. Ohio State. Sorry.

MR. ARNHOLT: You might have to separate us two. With me today is Rufino Ayala. He is an I&C engineer on our team. Do you want to quickly introduce yourself?

MR. AYALA: Good morning. My name is Rufino Ayala. As Brian mentioned, I have been a part of the I&C Engineering Group. I have been supporting the project now for about a little over six years. Prior to NuScale, I was with Bechtel working at Watts Bar Unit 2 mainly focused on the refurbishment of their safety-related protection systems there. Prior to that, I graduated from the University of Houston. Got my Bachelor's in Science and Electrical Engineering.

MR. ARNHOLT: Okay, the purpose of today, we are going to provide an overview of the instrumentation and control design as it is presented in the Chapter 7 of the NuScale Final Safety Analysis Report. I have an abbreviation slide here for you. We use a lot of abbreviations and acronyms throughout the presentation, so this is a good point of reference for you to refer back to if you do not recognize any of the abbreviations we use.

The NuScale Design Certification for Chapter 7 follows the structure of the design-specific review standard for the NuScale design. I think the subcommittee has seen that over the years. So this is the first application for a Chapter 7 submittal that follows this new DSRS framework. So we structured the presentation to kind of correspond with the DSRS framework.

So there is Section 7.0 that goes into the architecture and system overview. Section 7.1 goes through the fundamental design principles. And then Section 7.2, discussing system features as they relate to conformance to IEEE 603 and IEEE 7-4.3.2.

I am going to start off with the Section 7.0, and we are going to start at a high level and kind of work down into the details. So the I&C system design basis, we leverage the NuScale passive safety and passive safety design and the simplicity of the design in our safety-related I&C platform. It is a digital I&C system based on field programmable data arrays. We get a couple of benefits from the use of FPDAs. We leverage their capability for inherent diversity to address common-cause failure issues with digital I&C systems, and also, we leverage the simplicity that an FPDA-based system affords you in the design. And that follows along with the theme of the NuScale plant design and its simplicity.

So what that means is the safety function is the removal of power. It is as simple as that.

There is no safety-related electrical power either AC or DC that is required for the I&C systems to perform their required safety functions. So we de-energize electricity to field components and valves and things of that nature.

They will fail to their as-designed or safe position. We remove power to reactor trip breakers to shut down the reactor. We have no safety-related components that require active control. And so again, just the removal of power is the safety function in its simplest form.

The figure on the left is not all-encompassing, but to give you a visual depiction of the systems that are related to the safety-related I&C system protective functions.

So this slide, and I see folks have the detailed figure that came out of the FSAR, figure 7.0-2. I can talk to that if there are questions, but this is more of a high-level picture overview of the entire I&C architecture. It is not to convey the building blocks that comprise the I&C systems.

So starting at the lower left, we have our safety-related module protection system, and there are -- there is one independent module protection system for each NuScale power module. We do not share safety-related functions between any of the modules. They are completely independent.

On the lower right, we have our non-safety-related module control system that performs non-safety-related balance of plant power generation control functions, asset protection, things of that nature. Moving up to the plant level, we have a plant-protection system that performs common plant-protective functions. For example, control room habitability, system actuation, radiation monitoring are two of the primary functions that that performs at the common plant level.

And then we have a non-safety-related plant control system that performs common plant functions such as site service water cooling control, electrical distribution control for common plant systems, things of that nature.
MEMBER BROWN: What that means, for those who have not been steeped in this, is the plant control system, if you have got 12 modules, it applies to all -- those systems, it applies to all 12 modules.

MR. ARNHOLT: Yes, that is correct.

MEMBER BROWN: Okay. And the plant protection system, if I read my notes, that is also applicable to all 12 modules? Those units?

MR. ARNHOLT: That is right.

MEMBER BROWN: Those functions apply to all, but it is common across all of them?

MR. ARNHOLT: That is correct. The next slide I will show, the next two slides, I will show a little bit more in detail what these systems do and their classifications and give a little bit more detailed discussion on that.

MEMBER BROWN: Okay. So the only two that are plant-specific are the module protection system and the module control system -- yeah, the module control system?

MR. ARNHOLT: That is correct. But we have some other systems, like our Incore instrumentation system that provides our Incore instrumentation assemblies that are module-specific, but I have got a little bit more detail in the next few slides.

MEMBER BROWN: Okay.

MR. ARNHOLT: The box on the upper-left shows the interaction with the operator that is supplied in the main control room. Where the operator spends the majority of his time is at either a plant control system or a module control system workstation.

And that is where he performs his normal control systems startup, shutdown, refueling, maintenance activities are performed from those workstations. We do provide both module-specific and plant-level safety display and indication systems, and that provides the operator with long-term post-accident monitoring indication for those types of plant conditions.

CHAIRMAN CORRADINI: So, I am just listening. This is -- every time I listen to I&C, I re-learn it, and then I forget it. Remind me one more time what is the difference between the plant control system and the module control system?

MR. ARNHOLT: The plant control system controls and interfaces with systems that are common to all 12 modules.

CHAIRMAN CORRADINI: Okay, fine. Thank you.

MR. ARNHOLT: Like a site cooling water system is a common plant system.

CHAIRMAN CORRADINI: Okay, thank you.

MR. ARNHOLT: And module control system would be turbine generator control.

CHAIRMAN CORRADINI: Okay. Thank you.

MEMBER BROWN: And the plant protection system is the protection function for those common -- separate from the plant control system itself?

MR. ARNHOLT: Yes, that is correct. The plant protection system, if you will bear with me just a minute.

MEMBER BROWN: Have at it.

MR. ARNHOLT: I will talk to a little bit more detail in the next slide or two. But I did miss one. We also show that we have a remote shutdown area. And I will make a few remarks about the comment before the meeting. So the remote shutdown system is provided as an alternate location for the operators to monitor the plant during shutdown conditions in events where they would need to evacuate the main control room. So a typical scenario where the operators would need to evacuate the main control room, they would perform three things before they evacuate. They would manually trip all 12 reactors, they would manually initiate containment isolation for all 12 modules. At that point in time, the reactors are shut down, are being passively cooled by decay heat removal, and they're in safe shutdown.

They would then evacuate the main control room, staff the remote shutdown station, and at that point in time, there are no additional operator actions to perform. It is a monitoring-only mode. And that is, again, leveraging that passively-safe design that we built into the NuScale plant.

So those reactors, all 12 modules can stay in safe shutdown for an indefinite period of time without any operator action. So that is the scenario.

And there is some language in Chapter 7 that suggests that -- and I need to back up. There are controls available.

We have a complement of module control system and plant control system workstations that provide the operator the capability for non-safety control should he or she need that. But it is not required nor necessary.

MEMBER SUNSERI: By indefinite period of time, you mean however long the water in the pool lasts?

MR. ARNHOLT: Exactly. That is correct. So the important terms are safe shutdown and passive cooling, and the modules can sit like that in the reactor pool indefinitely.
MEMBER BLEY: And for your design, the words safe shutdown have no temperature connotation?

MR. ARNHOLT: We have a defined tech spec mode of safe shutdown that is less than -- reactor coolant system temperature less than 420 degrees.

MEMBER BLEY: Okay. So the minute they shut them down, you are not there yet, so it takes a little while.

MR. ARNHOLT: Right. So you have mode one power operations. Mode two is what we call hot shutdown, and that is where a reactor coolant system temperature is above 420 degrees Fahrenheit. And then they passively cool and transition to safe shutdown where RCS temperature is less than 420 degrees Fahrenheit.

MEMBER BLEY: Okay. And that takes how long, roughly?

MR. ARNHOLT: I do not want to misquote numbers as far as timelines. I would imagine there are figures maybe in Chapter 15.

CHAIRMAN CORRADINI: We could take it up later if that is desired.

MEMBER BLEY: Hour is not a long time.

CHAIRMAN CORRADINI: Because I remember in our previous meeting, that was given to us. I just do not remember what it is, either.

MEMBER BLEY: Yeah, I do not either. It was just that Brian kind of said. They will shut down all of it and then they will leave, and it will be on safe shutdown. But not quite yet.

MR. ARNHOLT: Yeah.

MEMBER BLEY: It's headed that way.

MR. ARNHOLT: Yeah. So what they do is they -- but there are no additional actions to take.

But we do provide the capability of isolating, but we do have hardwired switches in our main control room for these manual actuation functions. So similar to existing plant designs.

We provide the capability to electrically isolate those switches with a series of switches in the remote shutdown. That mitigates potential spurious actuations due to fire concerns in the main control room. But we do provide that capability in the remote shutdown station.

MEMBER BLEY: I have a question about indications. An early question.

MR. ARNHOLT: Sure.

MEMBER BLEY: You will get to this later. We were out there to visit four or five years ago. I do not remember how long ago.

CHAIRMAN CORRADINI: Sounds right.

MEMBER BLEY: And watched a lot of exercises in the simulator, and at that time, we looked a lot at the displays, and I personally found the approaches that had been taken and tested with a bunch of operators to be fairly convincing on how you could diagnose things from the large panel.

And I think I have gotten hints that that has changed over time. Is that set in concrete at this point in time? The kind of displays for all 12 modules that show up in the main control room? And are you going to talk about that?

MR. ARNHOLT: I will not talk about it in detail. I am happy to answer questions. The displays that we have for our module control system, plant control systems where the operator spends most of their time are based on our human system interface style guide that has been submitted for review.

And then the design of our safety display and information system regarding post-accident monitoring. So we have defined, and it is available in Chapter 7, what variables the operators will monitor for post-accident monitoring conditions. So that is fixed as part of the design.

MEMBER BLEY: There were a number of color-coding schemes and transitions as plants moved -- as modules moved through toward safe shutdown.

MR. ARNHOLT: Those are --

MEMBER BLEY: Are those fixed, or are those not fixed in the design?

MR. ARNHOLT: I think right now we have concepts that are described in our human system interface guide through now we have just completed our integrated system validation of those concepts, and what changes result from that, I do not know the specifics of that.

MEMBER BLEY: We will get to that either in the human engineering or in the conduct of operations?

MR. ARNHOLT: And that would be, yeah, a topic that certainly would be best to discuss in a Chapter 18 discussion.

MEMBER BLEY: That is fine.

MR. ARNHOLT: So just a couple of concluding remarks. So there is some language in Chapter 7 that might lead the reader to conclude that there are controls that are necessary, and that is not the case, and I want to make that clear to the committee. There are no controls necessary for the operator to manipulate at the remote shutdown station, because the modules are in passive cooling and remain and stay in a safe shutdown condition.

Through some internal reviews in the past couple of weeks, we identified some discrepancies in Chapter 5 related to the design of the decay heat removal system. We have identified those as part of our corrective action program, and we are going to make those necessary changes.
10MEMBER BLEY: There is nothing there that 11 is necessary if everything was done right before you 12 left the control room.
13 MR. ARNHOLT: Exactly.
14 MEMBER BLEY: IF things somehow were not 15 exactly done right and you cannot get back in the main 16 control room, do you have the capability to carry out 17 those three basic actions you described from the 18 remote shutdown system?
19MR. ARNHOLT: Not from the remote shutdown 20 system, but using available plan operating procedures, 21 you can make in-plant evolutions to manually --
22MEMBER BLEY: --- specific breakers, that 23 sort of thing, okay.
24 MR. ARNHOLT: Similar to existing plants 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 24 where if the reactors did not trip from the main 1 control room, you would dispatch a local operator to 2 open -- try to manually open the reactor trip breakers 3 locally.4MEMBER BLEY: Not after similarity, after 5 what you got.
6MR. ARNHOLT: Right. All right, moving 7 on.8 MEMBER BROWN: Yeah, go backwards. The 9 box labeled manually-enabled hardwired signal for 10each, what does that apply to? It is just a box 11 hanging in there between all the other stuff. Lower 12 right-hand corner.
13MR. ARNHOLT: We do have the capability --
I will talk about this in more detail, but I can address it now. We do have the ability to manually control, take manual control of safety-related components from our non-safety-related module control system. So to back up a little bit.
MEMBER BROWN: This is enable non-safety-related, enable -- disable, whatever that --
MR. ARNHOLT: It is enable non-safety control switch. It is a hardwired switch. Acts almost like a permissive or an interlock.
MEMBER BROWN: You are going to talk about that later, are you not?
MR. ARNHOLT: I will talk a little bit about that later.
MEMBER BROWN: Okay. While you are on this picture, just one more question. And you will have to correct me if I am wrong, because I am referring back to the HIPS subcommittee meeting. When we talked about these little boxes, circles called iso, which are isolated communications, one-way communications, we did not have the rest of this picture on there.
Those were described -- this is where you may need to correct me -- as communication devices where the receive and or, depending on which end you are on, they are fiber optic. They are serial data links. But they consist of gateway-style, I guess I would call it, to make it receive only. You would clip -- you do not even connect the transmit fabric.
Is that -- am I correct?
MR. ARNHOLT: You are exactly correct.
MEMBER BROWN: Okay. Still on the right page here. When we get over to the module control system and the plant control system connections to the plant network, you show those as the same little iso type things. However, on your major diagram, even though it is not talked about in the written word of Chapter 7, those are referred to as unidirectional data diodes. That is different.
If you go look at all the literature I have ever been able to find, those are different from the bidirectional -- the gateway style unidirectional.
In other words, they are hardware-based, and that is -- although it does not say hardware anywhere in the text, either. It just says data diode.
And I am just trying to calibrate myself in terms of the difference between the two. Is my statement correct? The ones from the module control system and PCS down to the plant network are data diodes and they are hardware-based?
MR. ARNHOLT: So I can just point out there are two parts to this. There is communication.
If we take the module protection system as an example, there is communication isolation that is performed by a monitoring and indicating bus communication module that was described in the HIPS Topical Report. That isolates communication one way from the module protection system to the module control system. Once you get into -- so that is isolated communication --
MEMBER BROWN: That is the little iso on the MPS blocks?
MR. ARNHOLT: That is what is shown on this box.
MEMBER BROWN: And that is a gateway? That is a --
MR. ARNHOLT: That is through a communication module.
MEMBER BROWN: I understand that, but it has got to have an outflow. And is the transmitting, is that literally one of the fabrics that transmit, in that case that receives or cutoff?
MR. ARNHOLT: Yes.
MEMBER BROWN: That is different than I am talking about. I understand that. We went through that in terms of the MIBs.
MR. ARNHOLT: I will talk to the second one that you are referring to. So once you are at the level of the module control system --
MEMBER BROWN: Or the PCS.
MR. ARNHOLT: Or the PCS, we show on our overview, our protection overview, architectural overview, a unidirectional data diode. That is for communication from the MCS up to a plant-level --
MEMBER BROWN: And I understand that.
MR. ARNHOLT: -- and things of that nature.
MEMBER BROWN: I got that.
MR. ARNHOLT: Two separate devices, two separate types of --
MEMBER BROWN: And I am trying to articulate the difference between the gateway style and the data diode. All the literature I have read relative to remote access, preventing it, is air gap with a data diode if you really want the most secure.
And that is typically a hardware base, yet there is nothing in the pictures -- there is nothing in the words. It just says it is a unidirectional communication device off to the plant network.
MEMBER BLEY: Which could be a software control.
MEMBER BROWN: It could be a software. Yeah, it could. And that is my real question.
MEMBER BLEY: That is his real question.
MR. ARNHOLT: We will specify that in our application, if it is digital or hardware or software based. We monitor the attributes of how that device works.
MEMBER BROWN: Well, we will be having some other discussions on that issue. Every other new plant that we have looked at has incorporated those remote access items in being hardware based, not -- with no software control at all.
MEMBER BLEY: Brian, I did not quite understand what you said. You said at some point, that will be specified? In what kind of document?
MR. ARNHOLT: When you get into like a detailed design, equipment requirement specification for that device. What we have laid out in the application are the design attributes that those devices have to be designed to.
MEMBER BLEY: I guess what you are hearing, and there is more than one of us who lean this way, is that is the sort of thing that would be really good to spell out.
MR. ARNHOLT: Now.
MEMBER BLEY: Now, and not wait to see what somebody puts in the detailed design document that is not going through the kind of review at a higher level that the design is going through.
MEMBER BROWN: The concern here is to make sure that no communications off to the plant network are software configurable, and that they have no software associated with them.
MR. ARNHOLT: Certainly take that away.
MEMBER BROWN: Be a straight hardware based data diode. So I mean, the simplest of all of the gateways is like an RS-232 where you clip one or the other.
MR. ARNHOLT: You have a transmit only connection.
MEMBER BROWN: Exactly.
MR. ARNHOLT: All right.
MEMBER BROWN: You will probably hear more on that as we talk today, if you had not figured that out by now.
MR. ARNHOLT: All right. Well, moving on.
So here, just the next couple of slides, I have divided these next two slides into more detail on the module-specific systems. And there was a question about are there other module-specific systems. And we have got the MPS listed here, and that is a digital FPGA-based system that I talked about.
We have a Neutron Monitoring System.
There are three subsystems related to the Neutron Monitoring System. There is the safety-related Neutron Monitoring excore System that does your excore detecting for nuclear power monitoring, source, intermediate and power range, and that provides signals to the MPS to perform protective functions based on a logic determination of those inputs.
And then we have our module control system, and that is a digital distributed control system, and I will talk to that in just a second of what that is. And then we have our incore instrumentation system which provides incore neutron flux detectors, incore inlet and incore exit thermocouples for post-accident monitoring conditions.
Just a couple of notes on this slide. We have mentioned the safety classifications. So the module protection system and the NMS excore system are A1 safety classification in this classification, A1.
The remaining systems are B2. There are no other A2 or B1 systems at the module-specific level.
So when I mentioned that the module control system is a distributed control system, there were some questions about what is a distributed control system.
MEMBER BROWN: Also the PCS is a distributed control system.
MR. ARNHOLT: Right.
MEMBER BROWN: So they are both -- I mean, you do not list that in here.
MR. ARNHOLT: It is on the next slide.
MEMBER BROWN: Okay. I have not gotten there yet.
MR. ARNHOLT: But this discussion will apply to both. But a distributed control system is one where you can functionally allocate and geographically distribute control processors and input output equipment throughout your plant. And you can distribute control functions based on the particular plant functions that that system is designed to control.
So, for example, if I have a, for a NuScale power plant, I might have a control processor and input output set for controlling the main turbine, and that would be distributed either locally or geographically separate from other parts of the system. And then I might have a control processor and input output set to control my -- control that drive system. And those are where we physically allocate and physically separate control functions to different control processors.
There are many reasons why you do that, and on the NuScale design, we take that and leverage it from a common cause failure standpoint. We perform a segmentation. So we did an analysis, and I have got a slide later on, but I will talk to it now.
MEMBER BROWN: Let me back that up a little bit. And I do not know -- I may have the wrong perceptions. So you can correct me. If I look at the existing plants today, and I look at what were the two examples you used? You used what, the turbine generator --
MR. ARNHOLT: Turbine generator and control rod drive system.
MEMBER BROWN: Control rod drives. If you go out and look at them, there is a set of equipment dedicated to that with some switches somewhere else that can make it do this, turn on, turn off, go up and down, whatever you have to do. In the distributed control system, you do not have those. They are all lumped in to a central processing unit where you -- when you talk about segmentation, you say there is a bunch of memory allocated to these four process functions.
There is another memory segment, memory set of -- memory units that are identified through this one, so on and so forth. And you identified, I do not know, four or five. You identified the major ones in the Chapter 7. There were three or four of them, I think, you identified.
And if the way I read the document, is that now all of the -- all the controls are lumped into a giant package of software that has its specific software identifier segmented into little parts of the memory, and there is no -- there is not a separate voltage regulator other than the final thing which runs the field current up and down or whatever you want to call it. Is my perception correct or incorrect?
MR. ARNHOLT: Forgive me if I say it is incorrect.
MEMBER BROWN: That is fine. That is why I asked.
MR. ARNHOLT: Yeah, you had mentioned that it is lumped into a single, I will call it a control processing unit, and that is not --
MEMBER BROWN: That is the way it reads.
MR. ARNHOLT: Okay.
MEMBER BLEY: But go ahead.
MR. ARNHOLT: When we mention segmentation, we use physically separate control processors. And think of a control processor as a computer for lack of -- for simplicity's sake. And you allocate and only program into that control processing unit the software, the memory, the inputs and outputs to control that particular control function.
So in this case, let us pick control rod drive system. So the control processing unit for control rod drive system only controls the control rod drive system. Only has input and output and memory allocated to it for the control rod drive system.
When we move to the designing the controls for the turbine generator set, you have a physically separate and independent control processing unit with its own set of input output, its own set of memory, and its own set of software that resides within the control -- physically separate control processor for the turbine generator set. It is just an example using those two systems.
MEMBER BROWN: So if I went out and I looked, I would see two boxes?
MR. ARNHOLT: You could.
MEMBER BROWN: Or boards or whatever.
MR. ARNHOLT: You could. Depending on how it was physically laid out.
MEMBER BROWN: It might be a big box, but they would be physically and electrically separated or whatever.
MR. ARNHOLT: In a distributed control system, the technology is there. When we bring that information into a network, into a control network, and we present that to an operator on a human system interface network where they are networked together using conventional networking technologies. But at the control and input output levels, they are on physically separate control processors and physically separate input output modules.
MEMBER BROWN: Okay, so there is, just as an example, use the TG -- use the control rod drives as an example. I have a processor dedicated to the control rod drive actuation function. In other words, it drives a variable power supply of some kind that latches the rods up and down when you demand it.
And the only part, the input to that that says go up or go down, or unlatch and drop, whatever that is, that command exists in another processor somewhere in this network where the operators control multiple of these boxes, even though they may be in the same cabinet. I will put that aside. Is that then the way I would perceive this?
MR. ARNHOLT: Right. And those --
MEMBER BROWN: But what segment -- my memory -- I am not a programmer, okay, if that is not obvious. My memory of segmenting is allocating memory to segment, to hunks of stuff you want to do.
MR. ARNHOLT: And that is the advantage that the distributed control system gives you. You segment not only the software and the memory, but you also segment --
MEMBER BROWN: Hold it. You said you have got it in another box.
MR. ARNHOLT: And you also segment the hardware. Physically different segments in the hardware. So let us use the term --
MEMBER BROWN: Okay, let me back up again.
These extra boxes have all the memory in them. They are -- the memory box, the memory for the control rod drive mechanism does not have any other functionality or processes associated with it stored in that memory.
MR. ARNHOLT: For functions beyond its sole purpose of --
MEMBER BROWN: Other than the control rod drive mechanisms. It is physically addressably different --
MR. ARNHOLT: Yes, it is.
MEMBER BROWN: -- from every one of the rest of them, okay.
MR. ARNHOLT: That is right.
MEMBER BROWN: And I guess my view of segmentation was multiple of -- software being allocated to memory segments where you might have four -- it is like partitioning in a way.
MR. ARNHOLT: That is right.
MEMBER BROWN: Where it is all lumped in to one big thing, but when you call it, you do not have to go rooting around through all the other memory to actuate a particular function. That is the way to go read all this stuff. That is what -- that is long term memory ago.
MR. ARNHOLT: And this is typical engineering practice in process control industries, and you can --
MEMBER BROWN: Which part is typical here? What I just said, or what you said earlier?
MR. ARNHOLT: My view, where you segment both your -- and you separate both your software and your hardware into physically separate cabinets, control processors, input output cabinets, things of that nature.
MEMBER BROWN: Okay. Now, in Chapter 7, you identify in these major segments, there were like, three or four process functions that you had identified in a segment.
MR. ARNHOLT: Correct.
MEMBER BROWN: That again seems to go counter to the -- like the control rod drive mechanisms. There was a control -- the CDCS system. There was a containment -- I do not know whether it was CM something, I do not know, I have forgotten the names of them. Containment isolation and --
MR. ARNHOLT: Maybe a containment evacuation system?
MEMBER BROWN: Maybe it is flooding or what have you. The flooding was separate. That was something else. But those were all in one segment. Does that mean their software is part of the control rod drive mechanism control software?
MR. ARNHOLT: Yes. And --
MEMBER BROWN: So I am right then? That is -- so I have got four functions of processes stuffed into one computer where you call upon any one of them whereas their memory may be segmented within that processor, but you have got four processes and one process controller?
MR. ARNHOLT: So I can give you a practical example of how we apply that to our design. And we performed what we call the segmentation analysis, and it is described in the FSAR. And we looked at all the major module control system functions that have the ability to impact reactivity, coolant inventory, pressure. I have got a slide on this a little bit later, but I will talk to it now.
And we evaluated those from a postulated common cause failure scenario. Maybe you lose a power supply. Maybe you have a network fault. Whatever the postulated failure is. And we evaluated the results of that failure and whether or not it was bounded by our Chapter 15 safety analysis. And if it was, then we could, with reasonable assurance, place those control functions in the same control segment and postulate an entire failure in that segment and still be bounded by our Chapter 15 plant safety analysis.
So there is one example where we actually had to make a design change as a result of this analysis. And the two functions were the CV, the chemical and volume control system makeup, and chemical and volume control system letdown functions.
Originally, we had those on the same control segment because they were associated with the CVCS system. But we looked at that, and we had -- if we postulated a failure, we could also, we could impact coolant inventory adversely, and at the same time, core reactivity. And that was not bounded by our Chapter 15 safety analysis.
So we made a design change early in the process and separated those two segments. So now you can postulate a failure of the segment, the controls, the makeup to the reactor through the CVCS separately from a failure of the letdown function of the CVCS.
So that is an example where the analysis actually resulted in a particular segmentation of two functions. And that was an example that we did describe in the Chapter 7. I do not know if you remember reviewing that.
MEMBER BROWN: I read it. I will not say that I understood you.
MR. ARNHOLT: So now those are on two separate segments, physically and software separated.
So if you have a power supply failure, you would only postulate a power supply failure maybe on a CVCS letdown cycle and evaluate the potential effects of how that system would fail separately from a similar type of failure on the CVCS makeup segment.
And that is where the segmentation affords you the advantages to ensure that postulated failures of the non-safety systems conform to and are bounded by the analysis for the plant, safety analysis for the plant.
MEMBER BROWN: Okay. But it still boils down to where you have four process functions in one unit. If that processor just fails totally, whatever it is, you have lost four functions.
MR. ARNHOLT: That is correct.
MEMBER BROWN: And you have evaluated -- you made the argument -- and I am not plant savvy enough to know whether it is okay or not.
MR. ARNHOLT: Well, we did do --
MEMBER BROWN: Because they are all non-safety-related, the argument is, we do not need any of those, and if they all fail, we do not care.
MR. ARNHOLT: Right. And it is bounded by the plant safety analysis. Now, there are operational considerations, obviously, but from a pure effect on the plant safety analysis, we have evaluated that and determined that the failures that would result from that scenario are bounded by a Chapter 15 safety analysis.
MEMBER BROWN: Okay. Now back up to the previous slide again.
MEMBER SUNSERI: While you are doing that, let me interject here. Dr. Corradini had to step away for an obligation with one of the commissioners. He asked me to preside over the meeting until he returns, and hopefully that will be soon. So go ahead.
MEMBER BROWN: All right, I guess when you talk about -- you have got two distributed control systems. This is -- I am segueing back to the isolation from the plant network, which is the sole external nexus to the outside world.
That is kind of a critical location, and why the emphasis I made earlier on the hardware nature of the data diodes, because once you get into either one of these, through its isolated connection, if somebody hacked it, you now have a bidirectional connection between the PCS and the MCS which would allow whoever got in to get into the other and take control of everything.
MR. ARNHOLT: On your non-safety control systems.
MEMBER BROWN: Yeah, all the non-safety control systems, which is whether they are non-safety or safety is -- it is really not a good idea to take -- have those get compromised. So that, it is a single point of vulnerability, and it applies to all your plant control, which applies to all the -- what, ten, 12, whatever the number of modules, NuScale power modules are, as well as the individual modules.
So that is why I was struggling to make sure I understood what you meant by segmenting and how they are all kind of interconnected and what is important about these two inputs from the external world and how important that isolation is to be non-software-based under any circumstances, and why the emphasis we have placed on other designs to make that a hardware -- specifically and explicitly hardware based in their DCDs. So anyway, I think I have some -- are there any other questions on the distributed control system?
MR. HECHT: Yes, I have one.
MEMBER BROWN: Go ahead.
MR. HECHT: I thought I was clear until --
MEMBER BROWN: This is Myron. Give us your name, Myron. Oh, you got his name tag, I am sorry. Go ahead.
MR. HECHT: So before, I understood that a segment was composed of processors, but as a result of this discussion, I am not sure if segments are distributed within processors or there is a composition relationship where processors belong to segments.
MEMBER BLEY: That is what happened to me halfway through this discussion. I thought I followed it, and then I got lost.
MR. ARNHOLT: Processors are assigned to a segment. So you could have a segment, and again, it gets into the detailed design of your plant control system, but the processors within a segment are independent from the processors within another segment.
MR. HECHT: Okay, so the composition is the distributed control system segments, the segments consist of processors.
MR. ARNHOLT: Correct.
MR. HECHT: Okay, thank you.
MEMBER BROWN: And I think you said in your earlier discussion within that processor, if you have got four processors or five, whatever they are, is there -- is their software segmented within those? Did you say that earlier? Or is it just jumbled around?
MR. ARNHOLT: Depends on how you architect the actual software.
MEMBER BROWN: I am not trying to design. I am just trying to understand.
MR. ARNHOLT: Right.
MEMBER BROWN: In terms of memory allocation and stuff. You have not specified to that.
You are fundamentally segmenting by processors and processes within a processor that compacts the segment.
MR. ARNHOLT: I will give you a simple, everyday example. Everyone drives a car. You have your engine control module, and you think of that as a segment, and then you have your infotainment module that handles your radio.
MEMBER BROWN: Not me.
MR. ARNHOLT: That is a separate segment.
So if your infotainment module fails, or otherwise becomes inoperable, you still have your engine control module, and you can continue to drive down the road.
That is a very simple everyday example of segmentation.
MEMBER BLEY: And there are some real good examples of people who have hacked through the entertainment module into the other modules.
MEMBER BROWN: Into the other module, yeah. Yeah. But I am glad I still have a distributor and a carburetor. They are so old.
MR. ARNHOLT: That is a simple, practical example of a segmentation.
MR. HECHT: To continue on to Charlie's point, within an individual processor, I assume you have a real-time operating system?
MR. ARNHOLT: Typically, distributed, most of your modern commercially available distributed control systems are based on real-time operating systems.
MR. HECHT: But you do not specify that in the Chapter 7?
MR. ARNHOLT: For the MCS or the PCS, we did not get into that.
MR. HECHT: Okay. Well, I would assume, and I guess maybe does this turn into some kind of ASAI? But I would assume that these distributed operating systems keep all their tasks, each task related to some control function. Separate memory spaces. And that they are given their own time slice and given their own resource allocation after which they get done executing that they -- that it moves on and they are turned off until the --
MR. ARNHOLT: So I can answer that with a little bit of foreshadowing into the content that I have in section 7.1. We have our fundamental design principles. And largely, we discussed in our application how we applied the fundamental design principles to the design of the safety-related systems.
But we also did carry those design principles over to the non-safety systems. And to your point, we have a predictability and repeatability fundamental design principle that was parlayed into and put forth and carried into the design of your --
MR. HECHT: Well, that is a principle. I am talking about the implementation now, and just to clarify to Charlie's point, that I would -- okay. It would seem to me that most conventional designs keep tasks that are associated with control functions in separate memory spaces, and if that's not clear in the application at this point, should it not be?
MR. ARNHOLT: It is not in the application, and it was not part of the framework of the DSRS when we put the application together for the non-safety systems. Those implementing details are -- just were not part of the application for the non-safety system.
MEMBER BROWN: If I am not mistaken, the point of this, I think, what I was hanging up on that was one of my -- thank you for leaping into this -- when you turn a switch and tell something to stop, start, increase, or decrease, you would like it to happen before you blink your eye.
MR. ARNHOLT: Exactly.
MEMBER BROWN: So that is a real-time operation. If it is like my computer here, and I ask it to do something, and I said, nothing is happening, takes five, ten, 15 seconds before something starts, that is not a good idea if I am not mistaken. So I guess how -- I would -- I am trying to connect the repeatable and predictable to not being a real-time process. If you got repeatability and predictability and you applied that design principle to the MCS and PCS.
MR. ARNHOLT: I can offer this. I am not aware of a commercially-available distributed control system that does not function in a repeatable and predictable manner with a highly designed real-time operating system.
MEMBER BROWN: But if there was nothing, there was nothing in the Chapter 7 that talked about response time of the module control system and plant control system --
MR. ARNHOLT: That level of detail --
MEMBER BROWN: -- so all you do is say it needs to be repeatable and predictable, but it could be ten seconds or a minute, and that is repeatable and predictable.
MR. ARNHOLT: But we also do provide, you know, for balance of plant and asset protection. So you know, you have a highly -- high-cost asset such as a turbine generator set. Those are design principles that you would want to apply to how you control and operate your turbine generator set from an asset protection standpoint.
MEMBER BROWN: Take an example. Is the overspeed protection system for the turbine generator set embedded in the module control system, or in the boxes mounted that come with the turbine generator set?
MR. ARNHOLT: Most likely that would be --
MEMBER BROWN: I went and looked at Chapter 8, and I went and looked at -- I think it was something else. I could not find it.
MR. ARNHOLT: The turbine generator designers and suppliers that I am familiar with all have their own package control system that comes along with the turbine generator set itself.
MEMBER BROWN: So your distributed control system, through your process and your segmenting, will tell it, provides the commands to do the other things, and the inherent protection features are built into the unit that comes with it.
MR. ARNHOLT: And I can tell you, based on my experience, those are designed in a highly real-time system. For example, you have a fixed cycle at which a control processor works through all its functions. It might allocate ten percent to read all the inputs, 40 percent to perform all the logic, and then 50 percent to process all the outputs.
And that is a fixed sequence of events every single frame cycle of that control processor function. That is the typical way that most real-time distributed control systems function. But that level of detail was not in -- we did not put that into Chapter 7 for the non-safety systems.
MEMBER BROWN: Do you have anything else, Dennis?
MEMBER SUNSERI: I guess maybe I have a question, Charlie.
MEMBER BROWN: Have at it.
MEMBER SUNSERI: For Charlie and Myron.
I guess it would help me to understand the context of this conversation of what is the so what. Are you expressing a concern or seeking to understand?
MEMBER BROWN: Just trying to understand, okay? This is a -- I mean, it is a -- they have been defined as non-safety systems, so --
MEMBER BLEY: And understanding implies you can think of the insults that might cause a problem.
MEMBER BROWN: Exactly. And that is --
MEMBER BLEY: That is the reason for digging into it.
MEMBER BROWN: I dug into this because I wanted to understand the relationship between the possible external access, the ability to get into them, how interwoven are these interior to the -- you know, within the designs of these two systems.
MEMBER SUNSERI: I was not challenging.
I was just trying to seek to understand myself.
MEMBER BROWN: No, this was strictly an understanding to make sure we understand, because we are not -- we are obviously not trying to design the non-safety systems. I mean, but we -- we do want to make sure that they are not susceptible to causing a problem in some other manner based on the way they are put together or accessed.
MR. ARNHOLT: And the takeaway I would like to leave you with is we have done that analysis and the results of that analysis and how we designed, at least from an architecture level, is reflected in the design that you see here today.
MEMBER BROWN: And now for -- go ahead, Dennis.
MEMBER BLEY: That is kind of comforting.
If one drives the non-safety systems into places you do not ever expect them to be, they can create challenges for the safety systems that might be beyond your design capabilities.
MR. ARNHOLT: That is true. And there is --
MEMBER BLEY: So they are not non-safety in that sense. They can drive you into difficult situations.
MR. ARNHOLT: True. And the fact that we call them non-safety does not mean they are not important to the overall operation of the plant. We design them as such, to be highly reliable and work when called upon. And so we did describe, in Chapter 7, there is some language, and we call them preventative and limiting measures.
So there are things that you can do in design space. Segmentation is one. Error checking on your signal inputs, having redundant sensor inputs --
and this is non-safety I am talking about. So there are a whole series of preventative and limiting measures you can do and apply to your design that ensure the reliable operation of these systems.
And then we described some of those in the application, how we apply those. And that ensures that as the operators interface with the system, as the system operates, it operates as designed, in a reliable fashion.
MEMBER BROWN: Okay, let me ask, it does not show up on this diagram. But on the other diagram.
MR. ARNHOLT: And I do have, in this presentation, if you want, at the very end, I can throw the more difficult --
MEMBER BROWN: Yeah, okay. Go ahead and put it up there. I do not know if anybody can read it. Now you cannot read that. Okay.
MR. ARNHOLT: I am happy to --
MEMBER BROWN: Now I guess my question is, if I look at this and if you will put it back up. No, go on back to the last thing just so if somebody wants to see it, they can.
MEMBER MARCH-LEUBA: Brian, you have the mouse. You can point.
MEMBER BROWN: Here.
MEMBER MARCH-LEUBA: So we can see what you --
MEMBER BROWN: Go up to the box. Go up to the right. Right hand. Now go over a little bit to the -- there are two boxes between the legend and the main control room. Right there.
MR. ARNHOLT: Right here?
MEMBER BROWN: Now down, go down one more.
No, the next little box below it. It is labeled technical support center.
MR. ARNHOLT: Okay. All right.
MEMBER BROWN: Let me see. It is up, up, right there.
MR. ARNHOLT: Right there. Okay.
MEMBER BROWN: That has a line down into plant control system, but yet when I try to define it -- and it has got some words like PCS power operations network. From reading the chapter -- and I could not figure it out -- it implied to me that the technical support center had some ability to control or operate the plant control system as opposed to just a monitoring function. I could not define it.
MR. ARNHOLT: No, that is not correct. The PCS workstations and the technical support center are for monitoring the plant level the operation of the plant. So each module control system's information --
MEMBER BROWN: I understand the workstation. I am talking about the other little box to the right where it says power operations, HSI network.
MR. ARNHOLT: Right. And that -- we have a network where all the human system interfaces connect to, and that is where that workstation is connected to. So you have an IO network, the way this drawing is set up. You have an IO network that interfaces with the control network and so those are those IO modules that I mentioned.
The control processors function on the control network level. And then you aggregate that up to your HSI operations network. And that is the network where the human system interfaces reside for the operator interfaces. And that is where this display would interface to.
MEMBER BROWN: Without any notes, I guess I would have interpreted that line to be a bidirectional line although based on what you just said, it ought to be a unidirectional. I do not care whether it is a gateway or whatever, but --
MR. ARNHOLT: It did not provide that level of detail in this drawing of that, but when you configure your -- and again, this is getting into the design details of how you --
MEMBER BROWN: I am not interested in getting -- I just want to make sure that people from the TSC cannot go initiate some action from the technical server --
MR. ARNHOLT: But there are user roles that you would assign for somebody to be able to access that. And these are on cyber security principles of how you design systems that you have operator roles, engineer roles, technician roles.
MEMBER BROWN: But you are talking about they have to ask for information.
MR. ARNHOLT: Right.
MEMBER BROWN: From the plant control system.
MR. ARNHOLT: Right. And so it --
MEMBER BROWN: And that is why it is bidirectional.
MR. ARNHOLT: If you log in with a technical support center role, you would not have control capability. You would have monitor only capability, as an example.
MEMBER BROWN: Okay. You can go on back to your other slide now.
MEMBER MARCH-LEUBA: Going back to what --
that line is bidirectional.
MEMBER BROWN: Did you find it?
MEMBER MARCH-LEUBA: The line between the technical support center and the plant control, the PCS, is bidirectional.
MR. ARNHOLT: Yeah, we did not show it as a unidirectional line, but that is a typical --
MEMBER BROWN: Because it did not say anything, I assumed it was a bidirectional line. Just based on the rest of the approach that you did with the rest of the figure. And why does it have to be bidirectional? I thought if you just sent all the information to technical support center, they do not have to ask for anything. It is always there.
MR. ARNHOLT: Yes. You can. I am sorry, did you have a question?
MEMBER KIRCHNER: I thought the protocol would be the control would remain with the operator, not the technical support center.
MEMBER BROWN: Well, he just said that.
MEMBER KIRCHNER: Okay.
MEMBER BROWN: If I am not mistaken.
MR. ARNHOLT: When I say bidirectional, I mean typical ethernet networking technologies.
TCP/IP. We do not use any special --
MEMBER MARCH-LEUBA: What someone is reading there is "hackable."
MEMBER BROWN: Yes.
MR. ARNHOLT: And the way this architecture is laid out is, is we have a defensive architecture with multiple layers of security, so your innermost layers are where your safety systems reside.
There is no physical possibility to even remotely access the systems.
Once you get out, we have the unidirectional data diode that we talked about earlier, and once you get out to that, up to the plant network, you have firewalls. So we do have multiple defensive levels that are going to -- designed within this architecture from a --
MEMBER BROWN: Well, your firewalls from the plant network on out to the world is a bidirectional firewall, so that is useless. I will not phrase it in the way I normally phrase it.
MR. ARNHOLT: And I will add, I have got a slide on this, too, but we -- part of our application, we did not submit a cybersecurity plan.
We have a --
MEMBER BROWN: I am not working on cybersecurity. I am only looking at remote access, okay? And that -- it is the data diodes from the plant control or machinery and module control system.
If you have a bidirectional firewall, whatever it is that you want to screw around with and try to make it smart all the time, that is your business.
I just want to make sure the penetration of that firewall to the plant network cannot allow any communication at all under any circumstances to the other two.
MR. ARNHOLT: I certainly understand the line of the questions.
MEMBER BROWN: To SNMCS, because if you are open to total vulnerability to the entire plant whether you call it non-safety or whatever, from that standpoint.
MR. HECHT: This is Myron Hecht again. Can I ask a question about that connection that you were just talking about? You said it was a TCP/IP-type connection. And then, you said that, basically, the role-based log-in would prevent an operator or a person in the TCS, or TSC -- excuse me -- Technical Support Center from controlling the network. Yet, TCP/IP is inherently a bidirectional connection. So, that means that the prevention of control or inhibition of control from the TSC is based on software-based, on the log-in function and the software which basically says a person with a TSC role cannot control the plant. Just to make that clear.
MEMBER BROWN: Yes, that's what I understood.
MR. HECHT: Okay.
MEMBER BROWN: I don't particularly care for that, but that's beyond us right now.
MR. ARNHOLT: Yes, and I would say that the details of those designs were in progress in that detail design phase, but you won't find that level of detail in the application that's currently used right now.
MEMBER BROWN: Okay.
MR. HECHT: But, on a hardware level, it is bidirectional. It's only on the software level that we inhibit the --
MEMBER BROWN: Yes.
MR. ARNHOLT: And there are multiple technologies and engineering attributes you can apply to the design of these systems to make them robust from an interaction and communication standpoint.
MR. HECHT: Thank you.
MEMBER MARCH-LEUBA: Where is the Technical Support Center located physically? Inside the plant or outside the plant?
MR. ARNHOLT: I don't know the answer to that question without having to --
MEMBER BLEY: Usually inside.
MEMBER MARCH-LEUBA: Yes, but if it was located 10 miles away --
MEMBER BROWN: No, no, I agree with Dennis; the ones we've seen before is just a building outside --
MEMBER MARCH-LEUBA: If it's inside the fence --
MR. BERGMAN: This is Tom Bergman.
It's inside the control building.
MEMBER BROWN: It's inside the control building?
MR. BERGMAN: Yes.
MEMBER BROWN: Okay.
MEMBER MARCH-LEUBA: Then, it doesn't matter.
MEMBER BROWN: Right.
MR. ARNHOLT: And there's other security-level controls. There's, obviously, physical security controls that afford you the most protection, being able to physically secure your digital I&C equipment.
I mean, the most bang for your buck is in how you apply physical security.
MEMBER MARCH-LEUBA: If it's a copper line, with TCP/IP, I can go there with a little needle and put any TCP/IP package I want to in there. But, if it's in the secured area, then I cannot do that.
I might as well go to the blue PCS --
MEMBER BLEY: They usually have connections to the company network in that area, too.
MEMBER BROWN: Well, in this case, they're not showing that.
MEMBER MARCH-LEUBA: Not in that way.
MEMBER BROWN: It has to go through the plant control system, which it's a unit. That's a good way to do it.
MR. ARNHOLT: Any other remaining questions here?
MEMBER BROWN: Okay. Yes, you can go on back to your other one.
MEMBER BROWN: I'm just trying to make sure we understand what we're looking at.
MR. ARNHOLT: All right. So, I've covered this slide, and I just have a similar slide that discusses the plant-level systems. I've talked about most of these.
I do want to make a couple of points regarding the design of the plant protection system and the safety display and information system. While these are non-safety, non-risk-significant systems, this doesn't mean we don't design them with a high level of design quality. We've applied augmented design requirements for these.
For example, the plant protection system -- and you may have read this in the application -- is actually based off of the same platform technology as our module protection system. So, we leverage all the design attributes that make that a safe and reliable system and apply that to the plant protection system.
In turn, the plant protection system does perform very important functions. It will actually control inhabitability under a certain set of conditions for protection of the operators in the main control room, and it also has some important radiation-monitoring functions that made us supply these augmented design requirements to it.
MEMBER BLEY: Brian?
MR. ARNHOLT: Yes?
MEMBER BLEY: When you say non-safety-related, I understand. When you say non-risk-significant, is that from the I&C designer's point of view or is that from the point of view of the PRA that tried to find ways to make this system create risk-important scenarios?
MR. ARNHOLT: That risk determination was performed as part of our design reliability assurance program. So, throughout the design of --
MEMBER BLEY: Which isn't connected to the PRA?
MR. ARNHOLT: The PRA informs this, but the process for performing DRAP evaluations that's described in Chapter 17 explains how we came up with the risk determination for these systems.
MEMBER BLEY: Which chapter?
MR. ARNHOLT: Chapter 17.
MEMBER BLEY: Seventeen.
MR. ARNHOLT: Describes our design reliability assurance program.
MEMBER BLEY: I will look at that. Also, we haven't reviewed the PRA in detail yet. I want to make sure they look for ways that, in fact, this could become a significant --
MR. ARNHOLT: For many years, we had an active -- and still do have an active -- DRAP expert panel, and we apply the principles that we've described in our DRAP program to the design of all the NuScale --
MEMBER BLEY: In Chapter 17.
MR. ARNHOLT: Yes.
MEMBER BLEY: Okay.
MR. ARNHOLT: But that's where the risk determination comes from in this context.
The safety display and information system, it's actually a unique display system. It's non-safety-related, but we do apply FPGA-based technology to this. And as I mentioned earlier, there are some benefits in simplicity and diversity that we carry through, even into our safety display and information systems, and those are the primary systems that provide the display of post-accident monitoring information to the plant operators.
MEMBER BROWN: My memory tells me that's redundant pluses. There's a safety design. There's a division 1 SDI and a division 2 SDI?
MR. ARNHOLT: There's actually 26 physical displays, two divisions for each module or module-specific information. And then, we have a redundant --
MEMBER BROWN: I've read the number. My point is, all the information from all the plants goes through just -- and it's not shown on your other -- if you go back to figure 8, it's not shown on figure 8.
No, it was back earlier. That one. The next one.
MR. ARNHOLT: We don't show that level of detail here, but --
MEMBER BROWN: Yes, you show it, but it's shown on the figure as, and the implication is, the monitors, you've got a lot of those.
MR. ARNHOLT: We do.
MEMBER BROWN: But it only shows a division 1 and 2. And the way I read that was there is an SDI for each and every NPM.
MR. ARNHOLT: That's correct.
MEMBER BROWN: Is that?
MR. ARNHOLT: Yes.
MEMBER BROWN: Okay. All right. So, they are segregated by NuScale Power Modules?
MR. ARNHOLT: Yes.
MEMBER BROWN: Okay. That was my question. Thank you.
MR. ARNHOLT: I mentioned most of these, and I'd just mention the last set of systems is a radiation-monitoring system. This largely is a series of plant-level radiation monitors throughout the plant, fixed-area radiation monitors. We do have a set of module-specific radiation monitors. So, this kind of crosses both paths, but we apply both analog and digital technology to the design of the system.
So, dropping down into a lower level of detail, looking at the module protection system, the module protection system is the NuScale specific implementation of the highly-integrated protection system platform that the ACRS Subcommittee has previously reviewed. The NRC has approved our Topical Report for that.
An important takeaway of that, we have taken no deviations from what was presented as part of the HIPS platform in the design of the NuScale specific module protection system. So, we conform to the same regulations and take no exceptions to IEEE 603, IEEE 7-4.3.2, or the Staff Requirements Memorandum for SECY-93-087 that explains the diversity attributes of your I&C systems.
The major components of the MPS. We have four separation groups of sensor inputs and electronics and trip determination. You may remember this from the review of the HIPS platform. We have Class 1E DC-to-DC power converters, and that provides isolation between the non-safety related, non-Class 1E DC power system provided by the highly-reliable DC system to the safety-related module protection system.
So, that is our isolation point for the power feeds to MPS.
We have reactor trip and pressurizer heater breakers, two divisions of reactor trip and ESFAS divisional voting and outputs to field actuation components. We also provide two divisions of hardwired manual actuation switches. If you recall the NuScale design, there are no required operator actions to perform the safety-related functions. So, the MPS performs all of its required safety functions automatically without any input from the operator.
However, we do provide the capability for backup manual action by the operator if the case would arise.
We have non-safety-related 24-hour timers, and I'll talk to this just shortly in the next slide.
These are the 24-hour timers that came out of the Chapter 8 discussion. I'll talk a little bit more about how those function and how the I&C systems respond to that.
And then, we have some non-safety-related maintenance workstations that allow us to perform calibration and maintenance of the module protection system.
Also, part of the MPS, we had the discussion previously about the remote shutdown station. We do provide isolation switches that isolate those hardwired actuation and enable non-safety switches in the main control room. We provide the capability to isolate those electrically from the main control room and the remote shutdown stations.
That helps mitigate any potential issues, if there were a fire in the main control or if those switches to become compromised.
MEMBER BLEY: At least somewhere in here I'm assuming, but I might be wrong, that the manually-enabled hardwired signal for each component that we talked about on the overall architecture drawing is described. Is that one switch that sets up the hardware control for everything or is there a separate switch for each item?
MR. ARNHOLT: It's an excellent question, and I can clarify a little bit. We have system-level manual actuation switches. When I say "system-level," I mean we actuate the reactor trip function. We actuate the containment isolation function at the system level. There is one switch per each division.
And we do have a pair of --
MEMBER BLEY: And that's hardwired --
MR. ARNHOLT: Hardwired, copper wires to a hardwired module inside the module protection system.
MEMBER BLEY: Everything else continues to work automatically when you engage that switch?
MR. ARNHOLT: Yes.
MEMBER BLEY: It just adds one more signal?
MR. ARNHOLT: The inputs for these manual switches are hardwired, and they actually input -- and I've got a slide that at the end I can make sure I point out.
MEMBER BLEY: Okay.
MR. ARNHOLT: But it inputs, actually, downstream of any digital or software-based component.
MEMBER BLEY: Okay.
MR. ARNHOLT: So, it bypasses all the software and actually inputs at the very end to drive the actuation command.
MEMBER BLEY: But does that switch actually send a signal or that just enables? Then, you have another push button or something?
MR. ARNHOLT: What it does is it tells, it interfaces with our actuation part of the logic and tells our equipment interface module to remove power from the --
MEMBER BLEY: Okay. So, it actually creates a function?
MR. ARNHOLT: Exactly.
MEMBER BLEY: Okay.
MEMBER BROWN: So, it's not totally downstream? It still interfaces with the actuation priority logic --
MR. ARNHOLT: Priority logic.
MEMBER BROWN: -- which is in the EI --
MR. ARNHOLT: Exactly.
MEMBER BROWN: -- in the equipment --
MR. ARNHOLT: Equipment interface module.
MEMBER BROWN: -- interface module.
MR. ARNHOLT: But downstream of any digitally-based component.
MEMBER BROWN: All the digital stuff?
MR. ARNHOLT: Right.
MR. HECHT: In an answer to one of the questions that the staff had raised, you made the point that this hardware switch is a non-safety function and that, in the APLs modules, the application priority logic modules, that if there was an indication of an RTS or an ESF condition, that the manual signal would basically be ignored. Is that correct?
MR. ARNHOLT: Yes.
MR. HECHT: So, is that the only condition under which the manual switch is ignored?
MR. ARNHOLT: If there were an active manual or automatic signal, and you attempt to manipulate the switch -- it's a momentary contact switch -- that signal would be ignored. If you had normal conditions and you wanted to take control of safety-related equipment using this switch, and so, say you enabled the switch, and you were in the process of performing control of safety-related components, if during that time you were to receive a valid automatic or manual actuation signal, that switch input would drop out and the automatic and manual signal would be automatically processed at the highest priority. That's another condition.
And then, if the operator wanted to re-enable control from the non-safety systems, he would have to physically manipulate that switch yet again.
So, anytime an automatic or manual signal occurs, the design of the APL completely ignores any input from that switch and you have to work through the sequence of events to re-enable that control again. The keyword is it "takes deliberate operator actuation" to re-enable the capability for that non-safety-related control.
MEMBER BROWN: The APL is all just logic, solid-state --
MR. ARNHOLT: Logic components.
MEMBER BROWN: Transistor logic, whatever you want to call it. In the old days, it was TGL or something like that.
MR. ARNHOLT: For those of the Committee members -- I don't know if you've been to see our prototype in Corvallis, where we have an actual card of the APL. But I can't show a picture of it in an open --
MEMBER BROWN: I'm just remembering the figure and the discussion from the HIPS thing. And my memory was that it was all just hardwired -- the way we made computers in the 1960s.
MR. ARNHOLT: Exactly. Ironically, quite complicated in design space to do, but we did it.
MEMBER BROWN: I hate to say I remember that.
(Laughter.)
MEMBER SUNSERI: They were made out of wood, weren't they?
(Laughter.)
MEMBER BROWN: And hammers and non-magnetic nails.
One other question on this. You talked about you could actuate back through the module control system. And you haven't gotten to this enable safety switch. Is that another pathway into actuating the module protection system, with the enable safety control switch? It's not listed here as an input.
MR. ARNHOLT: It is, and it's an excellent question. For the operator to be able to take component-level control from the non-safety-related module control system, we have to enable the non-safety -- you have to have no active protective signal enabled. You have to manipulate this, enable the non-safety switch. And then, the operator has to take control functions from his MCS workstation.
Those outputs are actually via hardwired, non- -- there's no digital communication. They're actually hardwired outputs from the non-safety system into our hardwired module to drive the logic-level commands to control safety-related components. So, that input, yes, that is an isolated input into the MPS, but through a hardwired non-digitally-communicated interface.
MEMBER BROWN: Okay. And somewhere I read that -- and I'm just looking at my notes now; I can't remember if it was in the CSR or the Chapter 7 -- that this enable safety control switch, whatever you call it, is a momentary switch.
MR. ARNHOLT: That's correct.
MEMBER BROWN: Does that mean you have to hold it in place while you do something else?
MR. ARNHOLT: No. It --
MEMBER BROWN: You say you have to enable that and, then, go do something else?
MR. ARNHOLT: You do not have to maintain it. It's a swaying-return-to-center switch, and it creates a logic-level signal that allows --
MEMBER BROWN: But that locks in?
MR. ARNHOLT: It locks in.
MEMBER BROWN: It locks in the logic-level signal. So, then, you can go operate the control?
MR. ARNHOLT: If you were to get a --
MEMBER BROWN: Okay, I've got the picture now.
MR. ARNHOLT: Okay. Then, that would automatically go away if you got a valid protective signal.
MEMBER BROWN: Yes, I've got it.
MR. ARNHOLT: You've got to re-enable it to restart that scenario.
MEMBER BROWN: Okay. Thank you.
MR. AYALA: One thing I just want to add to that is, so it is two divisions of those switches.
Let's say you wanted to do component-level control of a safety-related component. Your division 1 switch, you control on that valve. You would disable the division 1 control. Then, you move on to division 2 and use that switch. So, you would have to -- it's not a single switch capable of allowing you to control two divisions of safety-related components.
MR. ARNHOLT: All right.
MEMBER BROWN: Thank you for the clarification, by the way.
MR. ARNHOLT: All right. There was some discussion during the Chapter 8 ACRS Subcommittee meeting on loss of AC power scenario and the design function of these 24-hour timers that we talked about.
I'm going to walk through that here.
To set the stage, you just want to remember your frame of mind is the safety-related I&C systems require no safety-related or Class 1E electrical AC or DC power to perform their safety function. Remember, the removal of power is the safety function.
However, we do want to provide the capability for long-term post-accident monitoring.
For that, you do need electrical power. So, what I've shown here is kind of a diagram of the flow of both AC and DC electrical power, and I've got a sequence of events there on the bottom. But, to do that, we take advantage of our highly-reliable DC power system that's, again, non-safety-related. And that's arranged into four power channels, power channels alpha, bravo, charlie, and delta. Power channels alpha and delta have batteries that provide up to 24 hours of power supply to its required loads, and power channels bravo and charlie provide up to 72 hours for long-term post-accident monitoring.
So, in order to ensure power is available for long-term post-accident monitoring, we monitor for and detect a loss of AC power to the input of the EDSS battery chargers. So, on a detection -- you can kind of follow along there at the bottom -- on a detection of a loss of AC power, and we have volted sensors that monitor the AC power input to the batteries, upon a loss of AC power, the module protection system automatically initiates a reactor trip, containment isolation, and decay heat removal actuation. And what that does is that removes non-essential loads related to what's required to be powered for this scenario, and it starts these 24-hour timers. The 24-hour timers, remember, are non-safety-related functions, and their sole purpose is to ensure that we are capable of supplying power to meet our long-term post-accident monitoring requirements.
So, we call this mode an ECCS hold mode.
The important part is here we want to reduce the loads on the batteries to just those related to, for the first 24 hours, just related to post-accident monitoring, and we want to continue to maintain power to the ECCS valves to make sure that they remain closed. We do not inhibit the ability for either an automatic or a manual operator-initiated ECCS actuation. So, there is no way that they can inhibit a valid ECCS actuation demand that one were to call for. They're simply there to keep power supplied to the ECCS valves to prevent an unnecessary or spurious ECCS actuation for the first 24 hours.
We chose 24 hours. It's a reasonable amount of time to make restoration of AC power and also keep power applied to the ECCS valves and ensure they're closed.
12 At the end of the 24-hour period, if AC 13 power is not restored, we would remove power from the 14 reactor trip system and the engineered safeguards 15features chassis. And so, that removal of power 16 would, in turn, remove power from the ECCS valves, and 17 they would open on that loss of power.
18 And then, we would transition to what we 19 call -- and you may have read it in the application --
20 is a PAM-only mode, post-accident monitoring only 21mode. So, the only loads powered at that time are 22those loads related to sensor electronics or sensor 23 loop power and the power to the safety display and 24indication system. And we would sit there and provide 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 80 that power for the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for long-term monitoring.
MEMBER SKILLMAN: So, the 24-hour hold is intended to enable repowering whatever it is that caused the casualty, so that you could go back to power? The flip side is you prevent going on ECCS, so you don't have to go through an ECCS reset? Is that what you're doing?
MR. ARNHOLT: That's correct.
MEMBER SKILLMAN: I understand. Thank you.
MR. HECHT: To confirm on Gordon's question, the ECCS hold really means ECCS inhibit, right?
MR. ARNHOLT: No.
MR. HECHT: No?
MR. ARNHOLT: We do not -- and I mentioned previously -- we do not inhibit the capability to automatically actuate ECCS. If an ECCS condition is warranted, ECCS will actuate either automatically or manually via the operator. This scenario is assuming there is not a demand for an ECCS actuation.
MR. HECHT: Okay. Thank you.
MR. ARNHOLT: That's the important distinction. If, during that 24-hour period, the operators were to notice conditions that would warrant an ECCS actuation, they would have the capability to manually initiate an ECCS actuation.
MEMBER BLEY: But, at the end of the 24 hours, you actuate, which means we get there, if everything's working right, before the batteries start to decay?
MR. ARNHOLT: Right. And it's important to note, the DC-to-DC power converters, those are a Class 1E isolation device. And that's where we provide our protection from any under-voltage conditions, power surge transients from the AC power system, things of that nature. That's what those devices are intended to do, protect the downstream safety-related equipment within the MPS.
MEMBER SKILLMAN: What is the -- let me ask this question very carefully because I don't wish to be pejorative -- what is the advantage that the designers envisioned, other than draining the batteries? How often might the designers of the NuScale facility think this event might occur?
MR. ARNHOLT: How often?
MEMBER SKILLMAN: Yes.
MR. ARNHOLT: I don't know what the postulated frequency of a loss of AC power event is. Do you know what Chapter 15 assumes?
MR. INFANGER: No. We don't have a specific -- it's in the PRA. Chapter 19 has a loss of outside power frequency. Typically, in the industry it's about once every 20 years.
MEMBER BLEY: But it varies around the country.
MR. INFANGER: Yes.
MR. ARNHOLT: But the takeaway is, AC power or DC power is not required for performance of a safety function.
MEMBER SKILLMAN: Yes. Thank you.
MR. ARNHOLT: Just a note about, we mentioned earlier or heard a discussion earlier about application specific action items, and this is just a takeaway. The HIPS Topical Report provided 65 application specific action items. So, we did a detailed cross-referencing in the NuScale Chapter 7 application that showed where we addressed within the chapter all of the 65 action items. And we've got a detailed table that provides that cross-referencing for review. And then, that way, it gives you the pointer to the content in the chapter where those pieces of information were addressed.
I've got a little bit lower level of detail of the module protection system top-level architecture, and the color coding is important here. The color coding is meant to convey this inherent diversity attribute, but the Committee has seen this figure before. So, for separation groups alpha and charlie and ESFAS and reactor trip division 1, that's based on one FPGA technology. And for separation groups bravo and delta, and reactor trip and ESFAS division 2, that's based on a different FPGA technology. So, we apply the exact same diversity attributes that we described in our HIPS Topical Report to the NuScale plant design. That's what the color coding was meant to convey.
The gray boxes down at the end indicate that those priority logic functions do not contain any embedded digital technology.
MEMBER BROWN: Just if you don't remember from the HIPS meeting what that means on the two technologies, one of them is a one-time program or flash FPGA operation; the other one is an SRAM or static random access memory. The one-time programming is, if my memory serves, that's a non-volatile set of stuff.
MR. ARNHOLT: Correct.
MEMBER BROWN: The SRAM is a volatile set of FPGAs which, when you lose power, everything goes away. I mean, you don't have any memory. It has to be reset.
MEMBER BLEY: But the common point is the logic you've put in by either method.
MEMBER BROWN: That's right. In one case the memory is retained, and the other one the memory is not retained. But they're two different, they're just two different approaches in terms of the FPGA technologies.
MR. AYALA: Just a minor clarification, though. They both still have some level of non-volatile memory.
MEMBER BROWN: Well, everything --
MR. AYALA: Yes.
MEMBER BROWN: -- has some level of non -- otherwise, you couldn't start it up.
MR. AYALA: Right. So, on the SRAM, when it starts up, the SRAM loses its configuration.
MEMBER BROWN: Yes.
MR. AYALA: So, it has to look at the non-volatile memory and say, okay, how should I be configured? And then, it configures itself.
MEMBER BROWN: But that's got programmable read-only memory somewhere in there that the SRAM goes and sucks stuff out to reprogram itself. It just takes time to do it; that's all.
MR. AYALA: Yes.
MEMBER BLEY: It's lacking a few switches. Never mind.
(Laughter.)
MR. ARNHOLT: So, one of the last takeaways here, and just so it's clear in everyone's mind, we have four separation groups of signal inputs, trip determination, and that feeds into two divisions of voting logic and actuation commands to field components. So, just as a point of clarification.
MEMBER BLEY: Just from your point of view -- this is not a technical question -- how helpful did it turn out to be for you to have done the Topical earlier before you did the review of Chapter 7 with this there?
MR. ARNHOLT: I think the way that NuScale did it was extremely advantageous to us. And obviously, we took no exceptions to it. So, the staff review that was performed for Chapter 7 leveraged a lot of what was reviewed and approved in the HIPS Topical Report. Very helpful.
MEMBER BROWN: I would actually echo that, from our standpoint. If I had had to do both of these coming up to the same meeting, my head would have exploded, as if it didn't in the first place.
MR. ARNHOLT: And just remember, the way we've designed the HIPS system and applied it to the NuScale design for the module protection system, it's a very simple system. And it affords us a lot of -- it's easy to review, and there's just a lot of benefit to that.
Just a quick slide. We do have reactor trip breakers. We have four reactor trip breakers, two aligned to each reactor trip system division. And we do provide the capability for manual trip of those breakers. And we have a similar complement of pressurizer heater trip breakers that are a safety-related function to remove power upon demand actuation from the pressurizer heaters.
And just to note, these breakers do have both a safety-related under-voltage coil, and to go back to the removal of power is the safety function. But we also do apply a non-safety-related diverse shunt trip circuitry capability, too, just from a breaker operation --
MEMBER BLEY: Experience has shown that's a really good idea because, depending on how well you do the maintenance, the under-voltage --
MR. ARNHOLT: We've leveraged a lot of operating experience into the design of these breakers.
We've talked about this in great detail. I don't want to spend any more time on this. If we need to, I can entertain additional questions. But that list of five effects down at the bottom, that was how we evaluated those systems from the segmentation. And we looked at the system's ability to impact, as I mentioned, reactivity, coolant pressure, temperature, level increases or decreases, or radioactive release to the environment. So, that kind of formed the framework by which we did our evaluation and allocated segments to parts of the control system.
MEMBER SUNSERI: Brian, this looks like a good place for a break.
MR. ARNHOLT: Absolutely. I was going to say we're concluded with the Section 7.0 section.
MEMBER SUNSERI: All right. So, let's pause here for 15 minutes. Return at 20 after on this clock up here. Thank you.
(Whereupon, the foregoing matter went off the record at 10:03 a.m. and went back on the record at 10:20 a.m.)
CHAIRMAN CORRADINI: Okay, why don't we get started?
I was asked to make a reminder that, thanks to the diligence of the members, we get close to proprietary, and we leave it to you to tell us to back off, so that we can save those questions for the afternoon closed session.
MR. ARNHOLT: Understood.
CHAIRMAN CORRADINI: Okay.
MR. ARNHOLT: I haven't got there yet this morning, and I don't have any prepared information for a closed session, but if discussions need to go there, we can --
CHAIRMAN CORRADINI: But you just warn us, so we don't --
MR. ARNHOLT: Thank you.
CHAIRMAN CORRADINI: Keep on going.
MR. ARNHOLT: All right. Before I jump into the Section 7.1 information, I just want to make sure that people were clear on a discussion we had on the previous section about our enable non-safety control switch. And I can't remember if I misspoke, but it is a momentary contact switch.
MEMBER BROWN: Yes, I asked you that question.
MR. ARNHOLT: Okay.
MEMBER BROWN: And you answered it.
MR. ARNHOLT: Okay. Thank you.
MEMBER BROWN: And explained why it was okay to be momentary.
MR. ARNHOLT: Okay. Good.
So, the Section 7.1 introduction on these fundamental design principles of independence, redundancy, predictability and repeatability, diversity and defense-in-depth, and simplicity. As I wrap up the presentation, I'll talk a little bit more about the simplicity attribute and how we applied that.
Working on the independence principle, this is a figure that those of you who were part of the review of the HIPS Topical Report may have seen in the past. The MPS and NMS are two safety-related systems. They're designed with physical, electrical, communication and functional independence.
We've talked about this in previous discussions, but just to reemphasize, we have one-way communication from safety to non-safety systems through isolated data paths. So, that's a communication-independence attribute.
We separate safety and non-safety-related communications on separate communication buses. And I'll point to this figure and walk you through a couple of examples.
If you look at the top of that figure, and at safety function module No. 1, that safety function module may perform a safety-related function, say, to monitor pressurizer level and initiate a reactor trip on a high or low pressurizer level function. And you can see we've drawn some arrows between these three safety data buses that are part of the safety data communication path, and we also provide that data onto a separate, completely separate and independent communication bus that we call a monitoring communication bus.
So, we have three safety, redundant safety data buses here, and you can see those connections from that safety function module. And we have an isolated independent non-safety-related communication bus that's our monitoring and indication bus. That's that isolated data path that we talked about earlier that provides information to MCS through these communication modules.
If you look at safety function module --
MEMBER MARCH-LEUBA: That yellow box is the isolation?
MR. ARNHOLT: That is where the electrical and communication isolation occurs.
So, if we look at safety function module No. 2, you will not see connections to the safety data bus. And these are physical connections on the actual FPGA circuitry. Physically, when we manufacture and design and build the system, we physically do not make those connections. And we only apply data to, and connect data to, this monitoring and indication bus.
An example of that might be a sensor input that's used for post-accident monitoring that has a non-safety-related function, but we would still bring it into the MPS because, then, we can leverage the reliability of the MPS and take advantage of the highly-reliable DC power system for that long-term post-accident monitoring.
So, here's just a pictorial description of how we've implemented at a practical level this concept of independence in communication in the system.
MEMBER MARCH-LEUBA: So, even though you don't need it to be in the safety box, you put the sensor in the safety --
MR. ARNHOLT: We do. And really, what drove us to that decision was a simplicity standpoint. We wanted to maintain the overall architecture as simple as possible, and by doing it this way --
MEMBER MARCH-LEUBA: I was going to ask the opposite, how come -- that's not simplicity. That's complicated, the safety box, which is the one you want to be simple. It's simplifying your life.
(Laughter.)
MR. ARNHOLT: And then, we talked about this again, the control of safety-related components of the hardwired isolated inputs for the module control system. We mentioned earlier that that is performed by hardware connections that communicate no data.
Moving on to the next fundamental principle, redundancy, we talked about this again, but just how we've implemented it into the architecture and design, four separation groups, two divisions of module protection system. We have four channels of safety-related neutron monitoring system that provide inputs from the excore detectors into the MPS to perform protective functions on those inputs.
The NMS and the MPS are designed to meet single failure criteria through those redundancy attributes. We also apply redundancy into our post-accident monitoring functions. We have no, NuScale has no Type A post-accident monitoring variables that are associated with required safety-related operator actions. We do have Type B and C variables. And for those functions, we do meet the single failure criterion, as required by IEEE 497.
And I had mentioned this earlier. We do even carry these principles into the design of the non-safety-related systems. And again, the end goal there is for a highly-reliable system for asset protection and to reliably operate your plant.
Just a couple of notes and takeaways on predictability and repeatability. There's a pretty detailed discussion in the Highly Integrated Protection System Topical Report. Some of that is of a proprietary nature, and I won't discuss it here.
But we directly apply those principles into the design of the FPGA-based MPS system.
And we do account for this fixed response time. We describe how we calculate that response time, and that is directly accounted for in the safety analysis as part of the actuation delays that are assumed in the Chapter 15 analysis.
Lastly, looking at the diversity and defense-in-depth, I had mentioned earlier we leverage the diversity between the two different types of FPGA technologies, as I talked about, from an architecture standpoint, how we do that with the platform technology diversity. And that's where we get most of our advantage and provide defense against digital-based common-cause failures.
Now the NuScale design does make use of some first-of-a-kind sensors for safety-related functions, but they have digital technology in them. And when I say "digital technology," based on the sensor design, the sensor electronics and processing makes use of digital processing technology. Now what the actual inputs to MPS are, are actually analog inputs. So, it's just the sensor processing that is performed by a digital function, but we still would input that as an analog input to the MPS, as I say, as a 4-to milliamp signal or a 0-to-10-volt signal.
MEMBER MARCH-LEUBA: Is it planned to build a complete system, a complete four-channel protection system, plug it into a simulator, and run it for three years before you go into the real system?
MR. ARNHOLT: I don't know that that's part of our plan. We'll go through the normal digital I&C development life cycle where you build. You'll do component-level testing, integrated system testing, factory acceptance testing, site acceptance testing. But to do a long-term --
MEMBER MARCH-LEUBA: Because it is one-of-a-kind, you are going to mess up somewhere.
MR. ARNHOLT: For most of our first-of-a-kind technology, we do have in-progress activities where we're doing proof-of-concept and prototype development. For example, we have a working prototype of a single channel and single division of a module protection system. That's been built and we've had that in operation up in our Corvallis simulator for the last 18 months or so.
MEMBER MARCH-LEUBA: How likely is it that you will build the same system when you build the plant? I mean, you'll probably use different components.
MR. ARNHOLT: We could. But, you know, there are certain design attributes that we applied, just because it was a prototype. We maybe didn't use rigor in the design of the chassis or how the cards are physically assembled into the chassis, things of that nature.
MEMBER MARCH-LEUBA: Yes, I mean, being one of a kind, you will mess up. I would rather that you test it on a computer instead of on the real plant.
MR. ARNHOLT: Yes, and as part of our first-of-a-kind development program, we do proof-of-concept. We have a whole qualification program that is laid out as part of our design schedule.
Just for a point of clarification, I had mentioned our safety display and information system is an FPGA-based system.
MEMBER MARCH-LEUBA: Uh-hum.
MR. ARNHOLT: We expect to have a prototype fully tested and built by the end of this year. So, in the next several months, we'll have a working prototype. And that, the large benefit to that is we had talked earlier about the human-system interface and colors, and how do graphics interface with the operator. So, we're able to validate that because using FPGAs to perform display and monitoring, it's a unique and novel concept, and we'll work out a lot of those challenges with our prototype development.
But, with these digital-based sensors, we did want to address the digital-based common-cause failure with those. And to do that, we addressed it as part of a coping analysis. And so, there's an extensive summary of this in the FSER Table 7.1-18, where we walk through the digital-based sensors for pressure, level, and flow, and looked at those potential common-cause failure scenarios as they relate to how the Chapter 15 analysis laid out.
Remember, a coping analysis uses best estimate methods. So, the takeaway is we performed our coping analysis using best estimate methods, and we met all of our acceptance criteria. And that largely was related to two different scenarios. Once you apply best estimate methods, the particular scenario that you evaluate for never gets to a point where you have to challenge the safety system. So, it just becomes a "no, never mind". And in other cases, we would have had diverse non-digital-based sensors that provide us the backup protective function. So, the takeaway here is we performed an extensive coping analysis to address these digital-based sensors and postulated common-cause failures, and the results were acceptable.
That concludes 7.1. Any remaining questions related to the content in 7.1?
(No response.)
All right. Moving into Section 7.2, and we've talked about this extensively this morning, but I do want to have a brief discussion on the control of access attributes.
The design of the module protection system conforms to the control-of-access requirements in IEEE 603 and Regulatory Guide 1.152. That sets the regulatory basis for how we've evaluated and presented that in Chapter 7.
I've mentioned the No. 1 security aspect that we take advantage of is physical protection. We lock our safety-related cabinets in physically-protected rooms.
The MPS design, physically, you cannot perform any remote access to the FPGA-based logic, and that's one of the other attributes that you get a benefit from with FPGA-based systems. They're highly secure, and once they're put into the runtime configuration, there is physically no way to alter the runtime application without actually removing a card from service, physically removing it, and performing whatever manipulations you need to change the logic on that.
We do have a limited set of what we call tunable parameters, things such as calibration constants or setpoints that we use our maintenance workstation to update. And you can update that on the system in a running configuration, but very limited to just a few select number of parameters as far as calibration of the system goes.
A quick note on automatic and manual controls, and to reemphasize, there are no safety-related manual operator actions required for the NuScale design. The MPS performs all of its RTS and ESFAS functions automatically. However, we do provide this series of -- and they're listed here -- of manual actuation switches as backup. There's one switch per division, and that is purely to give the operator a backup to the automatic functions that the MPS provides.
This next slide, I included this to discuss the actuation priority logic. And you may have seen in the application we provide the logic diagrams for all the MPS functions. So, this figure is straight out, is representative straight out of the FSER, and it's an attempt to show that your automatic and manual protective functions have the highest priority. And you can see, there on the left, they input at the lowest point downstream to where the voting logic occurs for command and actuation to the final actuated component.
And we talked earlier about this enable non-safety control switch. You can see where the logic comes as you walk through this. The way the logic represents -- and I talked about it before -- if the operator had enabled non-safety-related control using his procedures, and if an automatic or manual actuation signal were to occur during that scenario, this logic would drop out that input from the enable non-safety-related control switch and remove any non-safety-related control commands until the operator took deliberate action to reenable that.
And just a point to take away, to remember, this is a non-digital-based component. It's actually a separate circuit within our equipment interface module. It is comprised of non-digital discrete components. So, there is no software-based or digital-based circuitry involved with that.
MEMBER BROWN: Non-digital --
MR. ARNHOLT: Non-digital.
MEMBER BROWN: -- that's digital. I mean, it's digital logic. It's just hardware-implemented; that's all.
MR. ARNHOLT: Yes, discrete components.
MEMBER BROWN: It's no software.
MR. ARNHOLT: Exactly. I just had a note here --
MEMBER BROWN: Non-digital, though, it's just no software.
MR. ARNHOLT: I'm going to back up one slide, two slides. I just wanted to mention -- I don't have it written up here -- but we do have a COL action item I mentioned this morning to submit a cybersecurity plan. So, this application does not submit that as part of the NuScale DCA, but it is a COL item to submit a cybersecurity plan.
6 So, to wrap up, in conclusion, I mentioned 7 the FSAR follows the Chapter 7 DSRS structure.
Overall, we thought it was a huge success to follow that structure versus the old SRP. I thought it led to efficient review. We had a lot of interactions with the NRC staff, and really a lot of benefit with that, the way that the DSRS worked out. I've been involved with it for a number of years, and this is the culmination of the result of that effort.
CHAIRMAN CORRADINI: Well, if you talk to anybody above the staff you're talking to, to higher-ups within the Agency, that would be good to know.
MR. ARNHOLT: Okay.
CHAIRMAN CORRADINI: Because I think at the higher levels they wanted to make sure that this was a benefit.
MR. ARNHOLT: In my view, I think to speak on behalf of NuScale, it was a very, very large benefit to this.
CHAIRMAN CORRADINI: Okay.
MEMBER BROWN: Well, the object of the -- and this is a personal opinion -- but the DSRSes were to provide an overall framework within which we should evaluate stuff, as well as more in one place succinctly describe the things that you need to look at underneath that overarching framework. That's why I think it's been useful for us, or at least it has been for me.
MR. ARNHOLT: It can achieve the desired result.
The foundation of the regulatory conformance, there we've taken no departure to the regulations and the regulatory guidance that exists. And that helps the review.
And just a couple of notes about the simplicity. We tried to leverage the overall passively-safe, simple design of the NuScale power module. And you see that in the design of the I&C systems. We don't have closed-loop control from a safety-related standpoint. It's actuate-only, and the actuation function is the removal of power. So, very simple functions. Typically, your safety-related protective signal conditioning and trip determination functions are greater than and less than functions, simple comparators, simple functions to perform that, and again, leverages the simplicity attributes that we set forth.
And that concludes my presentation. I don't know if there are any other remaining questions. I'm happy to answer them.
CHAIRMAN CORRADINI: Take silence as a success. Thank you.
We'll move on to the staff.
And for an I&C Subcommittee, we are almost by uncertainty on time.
MEMBER BLEY: We are?
(Laughter.)
CHAIRMAN CORRADINI: Well, I mean, staff was supposed to start at 10:15. So, this is pretty close to on time.
(Laughter.)
It's in the same hour.
MEMBER BLEY: It may speak to having done the Topical.
CHAIRMAN CORRADINI: Huh?
MEMBER BLEY: That may speak, also, to having done the Topical earlier.
CHAIRMAN CORRADINI: Yes.
You know, the army is coming. Careful.
(Laughter.)
Luis, are you going to start us off or is Omid? You'll start us off? Okay.
This is now a testament to the complexity of I&C or just the complexity of the staff? What is it?
MEMBER BROWN: Both.
(Laughter.)
CHAIRMAN CORRADINI: Okay. Omid, you're up.
MR. TABATABAI: Good morning, everyone. Good morning, Chairman. Thanks very much for giving us an opportunity to present to you the staff's evaluation of NuScale's Chapter 7 instrumentation and controls chapter for the design certification application.
We have, as you said, a team of experts here, but that is not all of us. As you can imagine, there are a lot more branches and technical disciplines involved in this review. And Luis will touch on that.
Actually, before we get started, I would like to remind members of the public who are listening on the phone, we have a public version of the Safety Evaluation Report available in ADAMS. If they need the ML number, they can contact me or Greg Cranston.
CHAIRMAN CORRADINI: Or Christina.
MR. TABATABAI: Or Christina, to get the ML number.
Dr. Bley, you also mentioned about Chapter 17. You had a question about the DRAP process and the classification of risk significant systems. I just want to tell you --
MEMBER BROWN: Not quite, but go ahead.
MR. TABATABAI: I'm sorry, it was Mr. Skillman. I think you asked the question during NuScale's presentation.
MEMBER BLEY: Well, I asked where their evaluation of non-risk-significant came from.
MR. TABATABAI: Right.
MEMBER BLEY: And they pointed me to Chapter 17, which I haven't seen.
MR. TABATABAI: Right. And I happen to be the PM for Chapter 17 as well.
MEMBER BLEY: Oh, okay.
MR. TABATABAI: So, we finished the SER, the safety evaluation for Chapter 17. I can provide a copy of that to you ahead of time.
MEMBER BLEY: Okay, great.
MR. TABATABAI: So, that's all --
MEMBER BLEY: Through Christina, yes.
MR. TABATABAI: Of course, yes.
Aside from that, I don't have any more remarks. I would like to ask Luis Betancourt to start the technical discussions.
CHAIRMAN CORRADINI: Thank you.
MR. BETANCOURT: Well, good morning. My name is Luis Betancourt, and I am the Acting I&C Branch Chief. With me here today we have -- front and center are two main presenters for today, which is Sergiu Basturescu as well as Dawnmathews Kalathiveettil, and Dinesh Taneja, who is also the I&C technical reviewer for the NuScale design. And at least in the audience we've got, also, some of the members that, in the case that we need to draw them, we will also put them in the line of fire.
That being said, for today's agenda, what we want to do, I will provide a high-level background of the I&C staff review team, how we interface with all the disciplines in the NRC as well as some of the high-level milestones that we go through in the review.
Following my presentation, Sergiu will talk about the philosophy of the safety-focused review that we employed in this review, followed by the high-level overview of the I&C architecture. And he will present three of the four fundamental design principles.
Then, Dawnmathews will be talking about the fundamental design physical of D3, as well as some of the questions that we got in the morning on the no cementation analyses as well as the assumption of ATWS.
We also plan to have a slide to talk about the comments that we got from Chapter 8, from the Subcommittee members. So, we're going to cover the story from the staff, and then, high-level conclusions.
MEMBER BLEY: Luis, were you planning to talk about or would you talk about how you folks saw the utility of having done the Topical ahead of time?
MR. BETANCOURT: Yes, I will.
So, very quickly, this is the I&C review team as well as the quality management team.
The purpose of this slide is to show that, even though we're seeing today a Chapter 7 review, this actually involved a lot of the disciplines that you see on this slide. In the slide you will see the different disciplines that are called out, and we actually interacted with five Divisions across three different offices.
One of the things, it was really helpful in the DSRS that these interfaces were clearly delineated. So, that really helped us to start with the review, or who are all of these people that we need to start talking to in order to be able to perform the review of Chapter 7.
To address your question, Dennis, one of the things that we found out as part of the pre-application activities is that we actually had a lot of interactions with the pre-applicant. And as part of those pre-applications, we also had the HIPS Topical Report at that time. And when they came in, one of the things that they found out is in this area of built-in diversity. That was the first time that we saw that. We actually had a lot of questions with them at that time. It actually helped us to understand their diversity early in the game.
So, when we received the application in late 2016, we already knew what were these safety-focused areas that we want to do on the staff. So, even though we had this pre-application between late 2016 to March 2017, when we were doing our acceptance review, there were some of the major technical issues that were addressed as far as the Topical Report. So, we were able to focus on other areas that were more application-specific in the NuScale design.
Since then, I wanted to point out that, in April 2017, we had the full Committee on the HIPS Topical Report, that the members were briefed on the platform. And around that time, between March 2017 to December 2017, we were able to have five public meetings. We were able to issue nine RAIs that contained existing questions, and we had one audit regarding the FMAA/SR analysis and the no cementation technical basis.
MEMBER BLEY: So, you got way ahead, that sounds --
MR. BETANCOURT: Yes.
MEMBER BLEY: That's good to know.
MR. BETANCOURT: Right. And then, by that time, by 2017, we were able to close all of their RAIs. So, when we submitted the SER, the Draft SER with Open Items and Projects, at that time there were no open items. So, all of the issues that we found were resolved with the RAIs.
And in March 2018, they submitted the application and Revision of the DCD, and it took us a month to verify that all the confirmatory items were incorporated in Revision 1. And since then, that's why we are here today.
One of the things that I want to commend both the staff and NuScale is that, since 2014 all the way to today, we have had a very open, collaborative environment with the applicant that we were able to actually express with very frank conversation. These are the technical issues that we found in the application. And we were able to have that dialog that actually helped us to get where we are today.
As of today, we don't have any I&C specific open items in the SER. You will see that there are some more open items, but they're actually from the interfaces that we have from other chapters; for example, Chapter 8, Chapter 15, and Chapter 18. But, as of today, we don't have any open items that are specific to I&C.
Any more questions on this before I turn it over to Sergiu?
(No response.)
Okay. Oh, Charlie, you had a question?
MEMBER BROWN: Yes. So, all open items are closed?
MEMBER BROWN: For I&C?
MR. BETANCOURT: Right.
MEMBER BROWN: Okay. Good.
MR. BETANCOURT: So, we'll now turn it over to Sergiu here, and he's going to take over. Sergiu.
MR. BASTURESCU: Good morning. My name is Sergiu Basturescu.
And go to slide 6. On this slide, we are presenting the safety-focused review. The NRC established the enhanced safety-focused review approach, which lined up with the framework of the DSRS, which was developed by the Instrumentation and Control staff.
Use of risk insights to enhance the safety-focused review of the NuScale SMR design is consistent with the fundamental I&C safety design principles of independence, redundancy, predictability, and repeatability, diversity and defense-in-depth, and simplicity. We will look at these fundamental principles on the later slides.
MEMBER BLEY: Sergiu, a couple of years ago or more, I guess, we were briefed on the safety-focused review approach and the kind of tracking tables and things they had developed. Did you use that kind of as we might have seen it a couple of years ago or has it evolved a lot?
MR. BETANCOURT: So, I was actually part of that safety-focused review team as well as Joe Ashcraft, who is in the audience. And, yes, we were able to use that table at the beginning of the review to be able to narrow down --
MEMBER BLEY: Was it helpful?
MR. BETANCOURT: It was.
MEMBER BLEY: Did it really focus things?
MR. BETANCOURT: Yes.
MEMBER BLEY: Okay.
MR. BETANCOURT: It really helped us to focus on how the I&C system interfaced with the other safety systems in the plant. So, it really helped us to narrow down the technical issues.
MEMBER BLEY: It kind of "smelled" like it should, but it's nice to hear that you had experience with it.
MR. BETANCOURT: Yes.
MEMBER BLEY: Do you know if other parts of the NuScale review are using that same approach?
MR. BETANCOURT: Oh, they will need to answer that.
(Laughter.)
MR. TABATABAI: To the extent practicable, yes.
MEMBER BLEY: Is it? Okay.
MR. TABATABAI: Yes. Yes, we are.
MEMBER BLEY: And it's helping in other areas as well?
MR. TABATABAI: Yes, we are using that approach.
MEMBER BLEY: Okay. Thank you.
MR. BETANCOURT: So, I think Chapter 14 is actually using a safety-focused review as part of the initial task plan. So, that's an area that they are focusing the safety-focused review, as just one example.
MR. BASTURESCU: Okay. So, moving on --
MR. HECHT: Can I ask a real trivial question? What does the "A" stand for in the SFRA?
MR. BASTURESCU: Safety-focused review.
MR. TABATABAI: Oh, the "A", the approach.
(Laughter.)
MR. BETANCOURT: And I forgot to mention, we have a lot of acronyms.
MEMBER BROWN: It was new.
MR. BETANCOURT: Yes. We have a lot of acronyms in the slides. So, I'll point you to slides 20 and 21. It's a mapping of all of them. We will try our best to clearly define the terms in each one of the slides.
MR. BASTURESCU: Okay. On this slide, we are presenting our Safety Evaluation Report, SER, on the NuScale design, which is partly presented in Tier 2, Chapter 7.
In Tier 1, Sections 2.5 and 2.6, of the DCD, in conjunction with Chapter 7, we evaluate --
MEMBER BROWN: Can I stop this for a minute? I forgot something. If you don't mind? I guess I go back to Luis.
MR. BETANCOURT: Okay.
MEMBER BROWN: You said there were no open items. Yet, in --
MR. BETANCOURT: Specific to I&C, right.
MEMBER BROWN: I've got to go back and find what I found a minute ago.
In 7.1.3.6, conclusions --
MR. BETANCOURT: 7 --
MEMBER BROWN: .1.3.6 of your SER, under "redundant power sources within the module protection system" --
MR. BETANCOURT: Yes.
MEMBER BROWN: -- you all commented that, "Due to the open items in Section 7.1.5, 7.2.13, and 8.3, the NRC staff cannot reach a conclusion." That's in the version of the SER I have.
MR. BETANCOURT: Yes. And I actually noted that before coming to the ACRS. That's cleanup work that we have to do.
MEMBER BROWN: That's what?
MR. BETANCOURT: Cleanup work that we have to do. That's an editorial --
MEMBER BLEY: It's editorial? It's not --
MR. BETANCOURT: Right. There's no open items now in 715. So, that was something that --
MEMBER BROWN: Well, it says "7.2.13" also.
MR. BETANCOURT: I can tell you right now that's something that we need to fix internally in the report.
Oh, we've got somebody over here.
MR. HALVERSON: Yes, Derek Halverson.
The 7.2.13 one just points to a Chapter 8 one as well. It's pointing out where --
MEMBER BROWN: And 7.8.3?
MR. HALVERSON: The 7.2.13 --
MEMBER BROWN: There's one in 8.3, Section 8.3 also, that statement. All I'm trying to do is get --
MR. BETANCOURT: No, no, to answer your question, Charlie, that was a missed oversight from our part. That language should not be there. That's the language that it was sent to Projects originally back in January. So, that's something that we forgot to clean up. And in reality, there should not be that language in the --
MEMBER BLEY: So, it's editorial and not technical?
MR. BETANCOURT: Right. Correct.
MR. TABATABAI: Right. I think at the beginning Luis mentioned that between receiving Revision 1, new revision -- they had finished their SER based on Revision 0, and then, Revision 1 came in. They confirmed all of the items were closed, but in terms of updating the SE, we kind of fell behind, yes. And we plan to clean that up for the full Committee in September.
CHAIRMAN CORRADINI: Great, but the sooner, the better. Otherwise, the old people that are sometimes known as "members" will forget and ask you the same thing all over again in September.
(Laughter.)
MR. BETANCOURT: Yes, understood. That's something that we have to do.
MEMBER BROWN: Yes, another part of the SER, I mean, like Section 3.1 also -- well, excuse me. Under 7.2.3, it also identifies -- and it throws in 3.1 as well. So, there were some inconsistencies. I'm not saying there's anything wrong. You're saying they're all --
MR. BETANCOURT: It was because of the timing when it was sent to Projects and when it went to review. So, it's something that it was a missed oversight on our part. We will clean it up before it goes to the full Committee. That's an action that we have to take.
MEMBER BROWN: Okay. Thank you.
MR. BASTURESCU: So, going back to in the Tier 2 section, we validated the documents incorporated by our IBRs, which were two Technical Reports and one Topical Report. The Topical Report is the Highly Integrated Protection System, the HIPS, Platform, which is based on the fundamental design principles, and included the 65 application specific action items, ASAIs. All of these ASAIs were addressed in Chapter 7 and evaluated by the staff during our review of Chapter 7.
Besides Chapter 7, we also supported evaluations in Chapters 9 and 14. Today we will be focusing on Chapter 7, but we will be participating during the review of those chapters.
In the exemption section --
MEMBER BLEY: Despite the wonderful list of acronyms, I don't see "IRB" on your list.
MR. BASTURESCU: It's "incorporated by reference".
MEMBER BROWN: Incorporated by reference.
MEMBER BLEY: Oh, okay. Thank you.
MR. BASTURESCU: We apologize for that.
So, yes, on the right side, we are showing the exemptions, and those exemptions were the ones that the staff looked at. The staff evaluated the ATWS exemption, and that you will find in Chapter 7 of the SER. And we will be discussing that in a later slide. As for the three-mile exemption, that one is documented in Chapter 8, SER.
Now moving on, unless there's any questions?
(No response.)
Okay. So, this is the I&C architecture. We saw this in the morning, and we are showing it as an example, also, during the HIPS platform presentation.
We have this figure. Also, we have it loaded in Visio. So, we can zoom-in on any area you're interested in looking at.
Besides the architecture, for NuScale, it was the starting point of our review, and it was the first thing we looked at and studied when we started this project.
MEMBER BROWN: Okay. Before you leave this --
MR. BASTURESCU: Yes?
MEMBER BROWN: And to echo back to the discussions we had with NuScale, and if I can find your page here fast enough, page 44 -- that's the problem with not having paper in front of you. Here we are. You made a statement in here where you said that, "The unidirectional data diode," which you talk about from the PCS and the MCS, you described it as a unidirectional data diode "firewalled connection".
And I don't know why we're combining those two words. "Firewalled" is a far more generic term, which would imply that this can be -- that's not listed in Chapter 7. I couldn't find the word "firewalled" relative to this anywhere in Chapter 7.
So, I'm just asking, do you know something that we don't? Or that NuScale, that I didn't communicate properly with them earlier relative to the data diode characteristics of being hardware, not software-configured? Not allowing the option to be software-configured as part of the overall design?
That's listed in a couple of places, both for the module control system and the plant control system, data diodes. And the figure just says --
MEMBER BLEY: Charlie's earlier point was we don't find anywhere in writing that requires that.
MEMBER BROWN: Yes, that it be hardware-based. But, in addition to that, you use the word "firewalled" in the SER, which has a more generic implication of being, sounding like something else that would be software -- they can be software-controlled if you just talk about firewalls. I hate to mouse-note this, but I don't want to leave any contradiction in terms of where you think --
MR. BETANCOURT: No, no, I hear your comment.
MEMBER BROWN: -- you stand relative to the hardware-based --
MR. BETANCOURT: Right.
MEMBER BROWN: -- data diode approach as opposed to any software-based.
MR. BETANCOURT: Right.
MEMBER BROWN: And I did do a data search of the various vendors that make this stuff before I came here and found that there were units called "data diodes," but, yet, had significant software in terms of their configuration. There were other vendors that had units that very specifically called out hardware-based and touted their hardware-based design as opposed to those that were software-based.
MR. BETANCOURT: Right. And I remember the discussion that we had in the morning, that what you heard in the morning is consistent --
MEMBER BROWN: We're still in the morning, by the way.
MR. BETANCOURT: -- in the application.
(Laughter.)
Right. Well, yes.
MEMBER BROWN: I haven't gone to sleep yet.
(Laughter.)
MR. BETANCOURT: Okay. Point taken.
To answer your question, yes, the application does not specify whether this diode is going to be software-configured or hardware-based, and I can see why the confusion when you read the SER and the word "firewall" attached to it. So, we need to remove that because it's basically with what was discussed in the morning. So, I can see what was the confusion that you had before.
MEMBER MARCH-LEUBA: I'm looking at the SER, and it says, "unidirectional diode," comma --
MR. BETANCOURT: Yes.
MEMBER MARCH-LEUBA: -- "firewalled connection".
MR. BETANCOURT: Yes, I have that over here.
MEMBER MARCH-LEUBA: So, it implements a firewall function with that hardware --
MR. BETANCOURT: Right, and I can see why the confusion.
MEMBER BROWN: There's a comma in between there, I'll agree with that. But, still, that just means it just confuses it even more.
MEMBER MARCH-LEUBA: No, I mean, there is a firewall function.
MEMBER BROWN: It's just "firewalled connection".
CHAIRMAN CORRADINI: I think they get it.
MR. BETANCOURT: We got it. We will take that comment.
MEMBER BROWN: Okay.
MEMBER BLEY: Are you going to correct it?
MR. BETANCOURT: Yes. Yes, by the full Committee.
(Laughter.)
MEMBER BROWN: But you also ought to -- there's no definition of a data diode in Chapter 7. There's no definition of a data diode as a hardware-based device in the SER.
MR. BETANCOURT: That's correct.
MEMBER BROWN: And I only suggest that that appear. Whether Chapter 7 gets revised or not is another issue, but I would suggest that that be very explicit in any SER that you all issue, that that data diode is a hardware-based data diode.
MR. BETANCOURT: I'll take that back since right now the application does not contain that wording. So, we need to do some discussion internally.
MEMBER BROWN: We ought to have that resolved.
MR. BETANCOURT: Right.
CHAIRMAN CORRADINI: So, that's one member.
MEMBER BROWN: Oh, absolutely, I'm one member.
CHAIRMAN CORRADINI: But I do think there's a high probability event that, if it isn't clarified, you might see a letter report that --
MR. BETANCOURT: That has that comment. I understand. I understand that.
CHAIRMAN CORRADINI: -- that says it should be clarified.
MR. BETANCOURT: I understand that. Okay.
CHAIRMAN CORRADINI: Okay. Fine. Let's move on.
MR. BASTURESCU: So, here we're going to be looking at the safety classifications. The safety classifications have been determined by NuScale and reviewed by the staff for Chapters 15, 17, and 19, and they are documented in Chapter 3.
We have had interactions with staff on these chapters in order to validate these classifications. With the incorporation of risk insights, I&C systems may be classified as safety-related/risk-significant, which is A1; safety-related/non-risk-significant, which is A2; non-safety-related/risk-significant, B1, and non-safety-related/non-risk-significant, B2.
In keeping with the safety-focused review project direction, the staff primarily focused on evaluations of the A1 systems, that is, the module protection system and the neutron-monitoring system, the MPS and the NMS. There were no I&C systems for the A2 or B1 classifications.
The scope of our review for the B2 systems was to verify --
MEMBER BLEY: And when you determined that, did you base that, A2, did you base that determination on the PRA or something else? And if you didn't base it on the PRA, how do you know there are no risk-important/not-safety-related systems?
MR. BETANCOURT: So, I guess this goes back to the table that you were mentioning at the beginning of the discussion. Before the presentation, NuScale provided a high-level -- these are all the functions that we planned to actually send to the staff. So, we went through that at that time. When we received the application --
MEMBER BLEY: Kind of based on looking at their list and your judgment that it was reasonable?
MR. BETANCOURT: Correct. So, we actually went back to the --
MEMBER BLEY: But no comparison to the PRA, to safety? Did any of these things crop up as risk --
MR. BETANCOURT: So, that's where our interface with the PRA --
MEMBER BLEY: I didn't hear.
MR. BETANCOURT: That's where our interface with the PRA group actually came in. So, we actually went and talked to the DRAP people.
MEMBER BLEY: Okay.
MR. BETANCOURT: We also went to the Chapter 15 analysis to verify that there's no function that will be classified under A2. So, what we confirmed is that --
MEMBER BLEY: Should have picked up anything in the PRA.
MR. BETANCOURT: Correct.
MR. ASHCRAFT: Yes, this is Joe Ashcraft from the staff.
In Chapter 17, I think it's Table 17-4 that lists the conclusions based on NuScale's input and the PRA.
MEMBER BLEY: We'll look for that. We haven't seen that yet.
MR. ASHCRAFT: I understand.
MR. BETANCOURT: Oh, there is a question here.
MR. HECHT: It's Myron Hecht.
On one of the RAIs, there was a mention of an MHS, which is a module heating system. And I don't see it on this list, and I had not heard of it before. It was pretty well-explained in the answer, but are there other systems which don't appear on this list, and why not?
MR. BETANCOURT: So, these are the only I&C specific that appear in the architecture. The MHS should appear in 17.4, for these are the only I&C specific systems that were under review.
MR. HECHT: I see. So, the MHS is more like an actuator system? So, it's not really an I&C system?
MR. BETANCOURT: Yes. Yes.
MR. HECHT: Okay.
MEMBER BROWN: What does it heat?
MEMBER SKILLMAN: It is the module heating system that is an auxiliary system that is used to start the plant by injecting heat through the CVCS from 0 to 15 percent power. So, it is basically a thermal hydraulic bootstrap when there is no residual decay heat being produced. It's in Chapter 9, but it's very obscure. But it is buried down in Chapter 7, you're right. I went digging after this because I said, what is that? But it's not an I&C system. It's a plumbing system. It's an aux boiler system, one each for six modules apiece, is what it is.
MEMBER BROWN: Okay. Since I'm not this plant understanding, it's a method to prevent the plant from getting too cold or is it to allow you to start up, to start up heating?
MEMBER SKILLMAN: It can be helpful on shutdown.
MEMBER BROWN: But is it with power? I mean, the reactor is critical or is this without -- this is independent boiler steam circulation?
MEMBER SKILLMAN: You can have a cold, brand-new, fresh core, no decay heat.
MEMBER BROWN: Okay.
MEMBER SKILLMAN: And if you wish to start the system, you use a module heating system with heat from the auxiliary boilers.
MR. ARNHOLT: Brian Arnholt with NuScale.
I would just offer, because NuScale is a natural circulation plant, you don't have heat input from the active reactor coolant pumps when you start the plant up. So, the module heating system provides you that source of heat to initiate and maintain natural circulation until you begin nuclear heating and you start the reactor up.
I hope that helps.
MEMBER BROWN: Well, it does. Thank you. I think I even read that. I just forgot it.
1 (Laughter.)
2MEMBER KIRCHNER: Just for clarity, the 3 CVCS system is part of the module control system?
4 MEMBER BROWN: The module heatup system, 5 you mean?6MEMBER SKILLMAN: It just delivers the hot 7 water.8MEMBER KIRCHNER: So, where does it 9 reside?10MR. TANEJA: CVCS is a plant system, 11 right? It's a plant system for that nuclear module.
12 The I&C systems are -- MCS, module control system, 13 controls CVCS functions.
14MEMBER KIRCHNER: No, I understand all 15 that.16MR. TANEJA: Okay. Right. But it's a 17 plant system. So, here we are just focusing on what 18 the I&C architecture and the I&C systems are.
19MR. HECHT: I guess the confusion is 20 because the second "C" in CVCS is "control" and the 21 second "C" in I&C, or the first "C" in I&C is 22"control".
23 (Laughter.)
24 MR. TANEJA: I can see that.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 130MEMBER KIRCHNER: I'm not really confused.
1 The CVCS system is part of the module control system 2 or? Where is the actual instrumentation and control 3 reside?4MR. ARNHOLT: This is Brian Arnholt again.
5 CVCS, the control of CVCS is one of those 6 module-specific, non-safety-related control systems.
7 The module heating system is a common plant system, 8 but it interfaces through the CVCS heat exchange.
9 MEMBER KIRCHNER: That's the way you get 10 it into the vessel, yes. Thank you.
11 MR. BASTURESCU: So, back to B2 systems.
12 The scope of our review for the B2 systems was to 13 verify that it met the pertinent regulatory 14 requirements and to evaluate for any adverse impact to 15 safety functions or placing the plant in an unanalyzed 16 state.17 Even though the plant protection system, 18 PPS, and safety display and indication system, SDIS, 19 are B2 systems, they both require an augmented level 20 of quality. The PPS provides monitoring and control 21plant systems. They are common throughout the 12 22nuclear NuScale power modules. Specifically, the PPS 23 provide automatic actuation functions for the control 24and habitability system and the normal control in 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 131 heating and ventilation and air conditioning system; 1 and also, for the spent fuel pool and reactor pool 2level indication. The SDIS provides accurate, 3 complete, and timely information pertinent to the MPS 4 and PPS status and information displays.
So now, we're moving to the portion of our presentation where we are going to focus on the I&C safety design principles. The first safety design principle is independence. And the four areas of independence we reviewed were physical, electrical, communications, and functional.
The physical independence. For physical independence, the staff found that the equipment associated with the module protection system, MPS, and heat monitoring system are located in separate seismically-qualified equipment rooms, and cabling is routed in physically separate cable trays and risers.
For electrical independence, the staff found that the electrical isolation between the safety-related MPS and associated non-safety-related systems is provided by galvanic isolation between the non-safety-related sensor inputs to the MPS, transmit-only and receive-only fiber optic boards, DC-to-DC galvanic isolation at the hardwired modules, and isolation devices in the electrical power supply.
MEMBER SKILLMAN: What do you mean by "galvanic isolation"?
MEMBER BROWN: They're electrically isolated by fiber optics. There's no electrical connection. Galvanic.
MEMBER BLEY: I think, typically -- you guys can correct me on this -- you want the ground systems not to be common.
MEMBER BROWN: I think what they're talking about galvanic, there's not an electrical connection between an input and an output.
MR. BETANCOURT: It's what was called an isolation amplifier.
MEMBER BROWN: Yes. So, you so isolate it.
MR. BETANCOURT: But it is for the power line. This is a power line.
MEMBER BLEY: This is power?
MR. BETANCOURT: This is power. And this already followed the scope of the HIPS Topical Report.
All of these features were already addressed during that review. So, the reason that we review over here, how was that implemented throughout the whole architecture?
MEMBER BROWN: It was kind of the electrical independence between divisions -- or between segments, I mean, excuse me, separation groups and --
MR. BETANCOURT: And communications.
MEMBER BROWN: -- the communications to other functions like the NIB and maintenance workstation, and a few things like that, as well as the MCS and PCS.
MR. TANEJA: Like the module control system component-level controls are interfaced with the module protection system using hardwired connections, and they are isolated using these isolation devices to provide electrical isolation between the module control system and the protection system. So, any faults that may occur on the non-safety side of it do not promulgate into the safety side. And that's the isolation device that provides that capability.
MEMBER BROWN: Thank you.
MR. BASTURESCU: The communications independence. As part of our evaluation, the staff found that, with the exception of divisional voting, the communications within the MPS separation group is independent and does not rely on communication from outside the respective separation group or division to perform a safety function.
For voting purposes, the communication uses point-to-point fiber optics between the scheduling and bypass modules and the scheduling and voting modules. There are no digital communications from the non-safety-related to the safety-related side.
Independence of module control system interfaces with the MPS for performing manual component-level controls is achieved via Class 1E isolation devices.
MEMBER BROWN: But that's, again, with this enable switch.
MR. BETANCOURT: Right.
MR. BASTURESCU: Yes.
MEMBER BROWN: So, I mean, literally, that's a hardwired -- bypassed into the APLs.
MR. BASTURESCU: Right. That's basically it.
MR. HECHT: Can I ask a question with respect to the communication independence? You have three safety data buses, all of which are controlled by communications modules which are called bus masters. And the bus master is working based on a construct, a logical construct, called a finite state machine for communications. And we don't have any information about how that is implemented and we don't have any information about the different FPGA technologies that would be used to implement it.
How are you sure that a bus master on one of the safety buses which is connected to all of the functional modules might not take them all down because of some kind of jabbering? And I understand there are three separate safety data buses, but one of those safety data buses might start basically launching a denial-of-service attack, not intentional, but unintentional, whereby it takes down all of those SFMs.
MR. TANEJA: So, Myron, what you're looking at is one separation group. So, this is a triple module redundant architecture, the TMR architecture. What this offers is added dependability and reliability.
From the safety perspective, I can lose this whole separation group A and still be able to perform my safety function, because within the separation group I have added redundancy offered to provide additional, I guess reliability benefit and operational benefit. So, I am not prone to -- it's a more fault tolerant system, in other words.
So, even though I think we looked at that in detail when we looked at the Topical Report on how these FPGAs were configured for these communication protocols, but having three different buses, what it allows me to do is I can lose communication to one of the safety buses. I just need the other two to be functional to still maintain my function. So, it just gives me a lot more fault tolerant capabilities.
That's what it does, you know.
MR. HECHT: I guess my question really isn't on the safety buses. It's what the safety buses can do to the SFMs.
MR. TANEJA: That's okay. I mean, I could lose this whole separation group, but it does not have any adverse impact on the independent separation groups that are running independent of this.
MR. HECHT: So, basically, you're relying on the fact that you have replication of four separation groups and you basically believe that there is no circumstance in which there could be a common failure across all those separation groups?
MR. TANEJA: Right, right.
MR. HECHT: Yet, you don't have any details on the implementation of the bus masters?
MR. TANEJA: Like I said, during the Topical Report for the HIPS platform, we went into that detail review --
MR. HECHT: Well, it didn't say anything there, either, because that was supposed to be one of those application-specific items, and it doesn't seem to be occurring now. So, when would it be addressed?
MR. BETANCOURT: So, which ASAI are you talking about?
MR. HECHT: I don't remember which one.
MR. BETANCOURT: Okay.
MR. HECHT: But the point is that --
MR. TANEJA: Let me understand the concern here. Are we worried about having a failure due to the bus master malfunction?
MR. HECHT: Some logical error --
MR. TANEJA: Right.
MR. HECHT: -- in the bus master which could happen across multiple separation groups.
MR. TANEJA: We don't have any sharing between multiple separation groups.
MR. HECHT: No, it's a common design, right?
MR. TANEJA: No. We have diversity in the technology also, right? We have two separation groups using one FPGA technology, and the other two separation groups using a different FPGA technology.
So, that right there is the level of diversity that offers -- so, I could lose those two with the same FPGA technology, those two separation groups. We have a slide that will show you how the failures of multiple separation groups can still offer us with the success of achieving a safety function.
MR. HECHT: So, for example, one might be using -- I forgot what they call it -- that flash technology --
MR. TANEJA: Right.
MR. HECHT: -- and the other one might be using some kind of fusing technology?
MR. TANEJA: Right.
MR. HECHT: But underlying both of those is common VHDL, right?
MR. TANEJA: Well, it's different toolsets.
MR. HECHT: But the VHDL itself could -- the error might have been manifested there. So, the question that I would have is, I mean, there are ways of dealing with that through QA and through whatever design constraints you're putting on, but that's not specified here in the application, as far as I can tell, or in the report.
MR. TANEJA: The software QA process is laid out in the application. So, there is a very rigorous development process that is required to be followed in developing these platforms. So, there is an Appendix B which dictates the overall quality assurance program. And then, there's a specific software QA assurance manual that dictates development of the module protection system design. So, it's essentially a controlled process in developing the whole thing all the way down to site acceptance testing. Not only just factory acceptance testing, it takes it down to the site acceptance testing.
MR. HECHT: Testing will take you so far, but --
MR. TANEJA: No, I'm just talking about, it's a managed process that starts with your conceptual design to intermediate design, to detailed design, to integration, to module testing, you know, the little software design module testing.
The only thing that I can offer is that, when we were looking at the HIPS platform, we had the opportunity to actually participate in the -- the vendor built a prototype. We had an opportunity to participate in the factory acceptance testing of the prototype. Okay?
Now that prototype did not, you know, it was not built following this QA process that they are required to follow for the NuScale design. But that prototype, during the test, there were 17 --
MR. BETANCOURT: That may be proprietary.
MR. TANEJA: No, I don't think I'm saying anything proprietary.
There was a number of multiple failures that occurred before I lost the function within one chassis. Okay? I'm not talking separation --
MEMBER BLEY: We have closed session scheduled.
MR. TANEJA: Right, but I'm just -- this is a generic statement. There were multiple failures within a controller before I could lose that function capability. So, it's just built in, level of diversity that's built into it. And then, there is this rigorous development life cycle activity that has to occur for developing the actual platform.
MEMBER BLEY: I think everybody has that, but it seemed to me Myron was suggesting a failure or error mode that could create situations we haven't thought about. Is that right?
MR. HECHT: Right. Well, where I was hoping to get to is that there would be a formal specification of those finite state machines or communication engines, and that those would be proven as part of the development process. And I didn't hear that being stated here. I'm just wondering why.
MR. BETANCOURT: I would prefer to talk about that in the closed session since --
MR. TANEJA: So, the state diagrams were laid out in the HIPS Topical Report, right? So, those state diagrams are there. Those are finite state diagrams; they were there. Now, like I said, that was the details on the platform.
Now the actual development that occurs for the NuScale equipment development, it has to follow a formal development process, meaning that you do do intermediate verification and validation. And one of the key parameters that goes into that QA program is independent V&V that has to occur at the end of each life cycle activity. Okay?
MR. HECHT: It all starts fundamentally from having --
MR. TANEJA: Exactly.
MR. HECHT: -- a sound --
MR. TANEJA: Requirement spec. Right. Yes.
MR. HECHT: So, I was trying to deal with it from that aspect again, but maybe I'm taking up too much time of the Committee, unless there's other interest.
MR. TANEJA: Maybe NuScale can offer some more insight into that.
MEMBER BROWN: Let me back us out of that, if you would, for a minute. Okay?
MR. TANEJA: Okay.
MEMBER BROWN: I remember having some of this discussion back in the HIPS process. And I'm going to be generic relative to this. I'm trying to look at this relative to the thought process.
Within a separation group, the safety data buses don't communicate between separation groups, No. 1.
MR. BETANCOURT: That's correct.
MEMBER BROWN: So, if you had a safety data bus with a bus master controlling it, blowing up one of the separation groups, that would not be a problem. And the only place we have an interaction between separation groups is right there, and that is not a bus master. It's a digital --
MR. BETANCOURT: It's a point-to-point --
MEMBER BROWN: It's a point-to-point --
MR. BETANCOURT: Fiber optic --
MEMBER BROWN: -- up/down, 1/0, whatever you want to call it, to the voting unit processor within the SVM.
MR. BETANCOURT: Correct.
MEMBER BROWN: So, I'm not trying to hammer my consultant here. Okay?
(Laughter.)
I'm trying to get a better understanding of why a specific problem with the state machine, or whatever they're called, since I have no idea what anybody is talking about when you do that, compromises this when you have that much separation or that much electrical -- that much independence between each separation group and any connection between separation groups is isolated to a 1/0-type, on/off signal, not a serial data link which is connected to a safety data bus.
MR. BETANCOURT: That's correct.
MR. HECHT: Do you want me to answer that?
MEMBER BROWN: You can try.
MR. HECHT: Okay.
MEMBER BROWN: As long as it's short.
CHAIRMAN CORRADINI: Yes, I was going to say --
MEMBER BROWN: And as long as I understand it.
CHAIRMAN CORRADINI: -- you guys are way beyond stuff that I understand, but I do understand time. I do want to make sure we get through their presentation before lunch.
MEMBER BROWN: Myron?
MR. HECHT: All right. With the Chairman's permission, it's a similar argument that you would make with software common-cause failures. And you could argue that you have all this isolation between separate processes on separate channels, and there can be several problems that can occur in the algorithms of those bus masters. I don't think they're simple. I don't remember seeing state machines that -- or that completely describe the bus master performance. And given the fact that all divisions are receiving the same signals in roughly the same sequence, there's just --
MEMBER BROWN: All separation groups.
MR. HECHT: Yes.
MEMBER BROWN: But they're not.
MR. HECHT: What? All separation groups.
MEMBER BROWN: They're separate.
MR. HECHT: Yes.
MEMBER BROWN: That's why I'm having a hard time understanding.
MR. HECHT: Well, if you don't believe that it's credible that the separation groups are getting the same signals that could cause common problems, then --
MEMBER BROWN: But they're not getting the same signals. There's no connection of the safety data buses between separation groups.
MR. HECHT: But from the plant.
MEMBER BROWN: The only place you've got plant input is the detectors themselves. They've got independent sensors going to each one of the SFMs.
MR. TANEJA: They're not sharing anything.
I mean, that's really the review, our review, on independence, was focusing on just those things that Charlie is highlighting. The independence is at the input level. Independence is in the cross-communication between the separation groups.
Independence is at the EIM level, where it's really controlling the component. So, really, we are not doing any crosstalking other than the voting. That's the only crosstalking that's happening.
MEMBER BROWN: And that's not a data bus issue.
MR. TANEJA: Right.
MEMBER BROWN: That's the way I walked away from the HIPS meeting at the high level.
MR. TANEJA: That's a correct understanding that you have.
MR. HECHT: I think that that's true, but I guess the point is that the SFMs could react the same way to the plant inputs that they're getting.
MEMBER BLEY: Because of the logic inside them.
MR. HECHT: Yes.
MR. AYALA: Not necessarily. Because each SFM is different from each other. So, it's as if it has its own function. They don't share the same functions.
MR. TANEJA: So, I'll offer another solution to this thing. Okay? We were convinced, looking at the design, because of the divorced FPGA technology, that the potential for a common-cause failure of all four separation groups was reasonably -- reasonably -- low. Okay?
Now there is that "What if?" Right? So, we asked that question to ourselves, "What if the hell breaks loose and all four of them go crazy?" So, we have these manual system level actuations. Looking at the physics of the NuScale modules, they're very, very slow transients. And you've got basically system-level actuation. You can trip the plant; you can initiate the DHRS; you can initiate the ECCS totally independent of the digital logic. They come in at the APL, and you can take care of that.
You know, you don't have to worry about any of these things working. I mean, that's the beauty of this whole plant that buys you that additional confidence that, you know, hey, manual actions are there as a defense-in-depth mechanism.
They are always there for me.
But, you know, just staying focused on safety, we were okay with that.
MR. TABATABAI: I just want to clarify, when he says "beauty of this plant," he means I&C systems.
(Laughter.)
CHAIRMAN CORRADINI: I think we've got all sides of the argument. Can we move on?
MEMBER BROWN: Yes, we can move on.
MEMBER BLEY: Well, almost. This is real short. I want to take us back to the galvanic isolation.
I'm remembering back to the sixties where this first came up as an issue. And what it really means -- I went back and double-checked a couple of things -- is, as somebody said, no copper connection between different electrical segments. We used to think we had separation if we had the batteries all separate, but, then, we had common grounds coming back. And we got ground loops and we got all kind of crap. So, it means no copper connections between them. It can be any other kind of connection, inductance, capacitance, light pipes, whatever, but no copper anywhere.
MEMBER BROWN: That's the way I read the ISO that we've got. They are electrically isolated because it's converted to an optical signal that goes from point A to point B.
MEMBER BLEY: And that problem was really a ground problem once upon a time.
MEMBER BROWN: Yes. Well, you can -- I hate to say this -- but if you have ground loops in your power supplies, if you do that particularly with auctioneered stuff, you can create huge problems.
MEMBER BLEY: Very interesting situations, too.
MEMBER BROWN: I mean, still situations you have to deal with in the design. Changing a wire from No. 12 to No. 4 bus bar can remove your common-cause, your common-mode failures relative to little signals running along --
MEMBER BLEY: If you have copper connections.
MEMBER BROWN: If you have copper connections.
CHAIRMAN CORRADINI: We'll talk about this over lunch. Let's go.
(Laughter.)
MR. BASTURESCU: So, the second design principle we look at is redundancy.
MEMBER BROWN: We've got plenty of time.
(Laughter.)
We've got all day, Mike.
MR. BASTURESCU: This slide, this is the review of redundancy, which is commonly used in safety systems to achieve system reliability goals and conformity with the single failure criterion.
The HIPS platform is based on a triple module redundant architecture that provides for a highly reliable and full design, such as use of three safety buses, three voting modules, three bypass and schedule modules within a separation group and a division.
Use of redundant equipment interface modules for key safety applications allows protection against spurious actuations, fault tolerance, online testability, and supports self-diagnostics. Also, the PPS and the SDIS consist of two independent and redundant divisions.
MEMBER BROWN: Go ahead.
MR. BASTURESCU: The predictability and repeatability. This is the third I&C design principle we'll look at. Predictable and repeatable system behavior refers to a system that will produce the same output for a given set of inputs, input signals, within well-defined response time limits, to allow timely completion of actions.
The staff found that the MPS is designed to complete the reactor trip system and engineered safety feature actuation system functions in less than or equal to one second, which satisfies the allocated time in the safety analysis of one second for these functions. And this is done in a predictable and a repeatable manner.
And if there are no other questions, I will turn it now over to Dawnmathews.
MR. KALATHIVEETTIL: Thank you, Sergiu.
Good morning, everyone. My name is Dawnmathews Kalathiveettil, and I will be resuming our presentation by diving straight into diversity and defense-in-depth, or D3, as we like to call it in the I&C community.
So, the figure that you see in front of you is basically the module protection system, or MPS, design. As you can see, the MPS is made up of two separation groups for each division, and in total, there are four separation groups for the entire design. Division 1 is the yellow color, while division 2 is shown in red, so that it's easier to understand.
Let's start off with the inputs to the MPS. As you can see, on top, there's PTL, et cetera.
That's the pressure-temperature level sensors. As you can see, these sensors come into the input submodule versus the signal condition A, B, C, et cetera. And they are additional sensors. They're analog sensors.
But, for the purpose of D3 assessment, our focus on the sensors was mainly towards the digital-based sensors, and the ones that actually have safety functions related to it, and which could actually be affected by additional base common-cause failure.
These were identified to be the digital-based level, pressure and flow sensors. However, the coping analysis demonstrated that, even if these additional sensors did have additional common-cause failure, the plant can cope up with it.
To discuss the actual MPS, the FPGA portion of the safety function module, the communication module, and the equipment interface module are the only portions of the MPS that could be affected by additional common-cause failure. Hence, the MPS uses two diverse FPGA architectures, like I said, in order to achieve this equipment diversity.
So, if division 1 is made up of one type of FPGAs, then division 2 would be made up of another kind. And the whole idea is that the same digital common-cause failure cannot simultaneously take out both divisions, and at least one division would be available to complete the required safety functions.
MEMBER BROWN: To be clear, the divisions are the bottom line, and the separation groups are the top line?
MR. KALATHIVEETTIL: Exactly. So, when it comes to the division level, what you see is the ESFAS and the RTS; whereas, in the separation group, you actually see it come through A, B, C, and D.
So, in addition to the equipment diversity that I just discussed, the diverse FPGA technologies also result in an associated level of design diversity, since FPGA vendors use different development tools to provide the final configured FPGAs. These tools have inherent diversity due to the FPGA architectures and the programming methods which are used.
The MPS also provides functional diversity through the use of protection logic on the safety function module, which Luis was trying to mention earlier. So, the way that they are, there are different functions associated with different safety function modules.
So, the actual logic in that would be slightly different, which adds to more functional diversity.
MEMBER SKILLMAN: Dawnmathews, may I ask this question, please?
MR. KALATHIVEETTIL: Sure.
MEMBER SKILLMAN: How will a technician know the difference between an FPGA of one architecture versus an FPGA of a different architecture?
MR. BETANCOURT: As part of the identification requirement, they're supposed to be labeled in that throughout the plant either by markings or colors. So, that's how a technician will know what FPGA technology will be present in whatever division.
MEMBER SKILLMAN: That sounds great. So, I'm a technician, and I put two of them in my pocket and I walk around for two afternoons. Then, I pull them out of my pocket and I say, "Oh-oh, what do I do with these?" How do I know which one goes where?
MR. BETANCOURT: We actually asked that question regarding, let's say, for example, that you have an SFM that pertains to separation group A, and by mistake, you want to put that into separation group B. So, the platform has these self-testing features that will identify whether or not you're putting the wrong module into other cabinets. So, it will tell the operator, in that case an alarm, that you're putting the wrong SFM into whatever cabinet.
MEMBER SKILLMAN: Thank you. Thank you.
MEMBER BLEY: It will fit? Physically, it will fit? It's just you need the test --
MR. BETANCOURT: Correct.
MR. TANEJA: Also, physically, there are some modules that are designed to a -- there's a special key that won't let you plug them in.
MEMBER BLEY: That's really convincing if we --
MR. TANEJA: Yes.
MR. ARNHOLT: Brian Arnholt with NuScale Power.
What Luis said is correct, but, also, if you get to Corvallis and you look at the prototype, we can actually demonstrate it. But the cards, each card is physically keyed so that you cannot physically insert the one card in the wrong slot.
MEMBER SKILLMAN: Thank you.
MR. KALATHIVEETTIL: All right. So, the table here tries to explain the effects of additional base common-cause failure on the MPSes in diversity.
There are three events which are shown in the table.
A green tick basically implies that the particular module is available to do its function, while the cross just says that it's not available.
All right. So, let's look at event one, where the scenario is that you have a transient or a design basis event happening, but there is no common-cause failure. In that situation, you have the modules of all four separation groups available to perform their function. Event two is a situation where you have a transient or design basis event concurrent with an additional base common-cause failure.
And what is happening here is we are assuming that there is functional diversity of the SFM in addition to the equipment diversity. So, this is only affecting the SFM in separation groups A and C.
As you can see, the communication module and the equipment interface modules of A and C, along with both B and D, are available to do their function.
And the final scenario is one where, once again, you have the common-cause failure, but in this case, for whatever reason, the entire separation group A and C modules are gone. So, the reason is that we are only considering equipment diversity, no more functional diversity. The particular kind of FPGA which is available in division 1 has been taken out, but you still have all the modules and the different type of FPGA in division 2 available to do the safety functions.
And just to add, in addition to this, like Dinesh mentioned earlier, you have the diverse system-level manual actuations which actually bypass the MPS logic. And so, if needed, that adds an additional level of diversity and defense-in-depth.
Next slide.
All right. So, simplicity has been a focus of NuScale design, and NuScale has been able to incorporate the fundamental design principles into its I&C architecture and the systems while adhering to simplicity.
This is very evident since the design uses simple reactor trip systems and ESFAS functions.
There are no closed or open loops, and all safety-related functions are de-energized to actuate. In other words, the safety-related functions happen by the removal of electrical power.
MEMBER BLEY: I really liked this part.
We wanted this to be one of the principles, but in many applications it's just not feasible, given the kind of systems people are buying. This is an excellent characteristic of this system.
MEMBER BROWN: It's a very subjective one, but it's also important.
MEMBER BLEY: It's subjective, but, boy, when you look at problems that crop up, you eliminate -- and the ability to review and understand and test -- you eliminate a lot of potential situations by having simplicity.
MR. KALATHIVEETTIL: All right. So, until now, we've talked quite a bit about the safety side of the NuScale design. On the non-safety side, the module control system and the plant control system are segmented to ensure that a failure of these non-safety systems does not adversely affect the MPS.
MEMBER BROWN: Okay. You can stop right there, please.
MR. KALATHIVEETTIL: Okay.
MEMBER BROWN: I have a hard time understanding this. Since the MPS is separate, not communicated with, why does segmentation of the MPS and/or PCS affect the operation of the MPS if it's not segmented? I mean, that's a unidirectional -- if you look at your diagram, it's unidirectional and there's no feedback. The only feedback you ever get to is when you operate the enable safety control switch, where you can take manual control, which applies only getting into the APL or the actuation and priority logic.
MR. TANEJA: So, let me try to answer that, Charlie.
MEMBER BROWN: You're going to have to try real hard.
(Laughter.)
MR. TANEJA: I'll give you a good example.
See, when the safety analyses are performed in Chapter 15, there are certain failures assumed. Loss of feedwater, for example, would be one failure, right, or turbine trip or turbine bypass valves. So, those are the different design basis events that are postulated to see if the plant transient can deal with that, right?
So, with the module control system, what we were looking for was could you have multiple failures or spurious failures on the module, you know, on the balance-of-plant side that can challenge safety from the thermal hydraulic point of view, not the electrical interfaces or not actuating equipment, but the impact on the thermal hydraulic of the plant. And that is really the concern here.
And I think, like NuScale presented this morning, that there were these five goals that they were trying to achieve from the segmentation, which was essentially looking at an impact to the reactivity, release of radiation. So, these were safety of the plant. So, they had to basically assign function to different segments, so they don't have a common-cause failure that they cut multiple functions and result in one of those unsafe conditions.
MEMBER BROWN: Yes, but that's a plant safety issue, not a response of the module protection system issue.
MR. TANEJA: It is a module protection system issue if you don't do it right. If you put controls on the same controller, multiple, you know, if you put like -- this morning I think Brian gave a very good example of two functions being on the same controller would have resulted in unsafe plant conditions.
MR. ARNHOLT: Brian Arnholt with NuScale.
I might be able to maybe clarify what Charlie is asking. I think he's saying that there is no -- since we've isolated the MPS from the MCS, there's no possible maybe adverse feedback the other way. Is that your point?
MEMBER BROWN: Yes, it's you can't -- the MPS will respond to the input it gets. And you're not going to change that, regardless whether you have or don't have segmentation. Whether you have multiple plant systems failures that result in some analyzed transient that you haven't analyzed under your accident condition that the module protection system, even though it responds, doesn't result in adequate protection, you know, protecting the plant, that's not the MPS's failure. It's not a matter of compromising it. That's what I was trying to understand, but the segmentation does not --
MEMBER BLEY: Let me try to parrot what he said because it's something I brought up earlier.
He's talking about the module control system. So, can you drive the plant itself, the physical plant, from problems there into conditions that challenge the protection system, that get the plant in a situation that's beyond what's been analyzed?
MEMBER BROWN: But that's different from adversely affecting the MPS functions. It functions, but they may have missed a transient --
MEMBER BLEY: Well, it's different from adversely affecting operations within the MPS. It can affect the MPS function because you don't get what you expected to get other than --
MEMBER BROWN: Yes, I would --
MEMBER BLEY: But the problem seems a real one.
MEMBER BROWN: I understand your point, and I understand --
MEMBER BLEY: Are you arguing words or are you saying the problem is not a real one? I'm sorry to get us going.
You guys can just sit back and relax for a minute.
MEMBER BROWN: Well, no, no, that's right, we're having fun.
(Laughter.)
We're going to get there, Mike, don't worry.
CHAIRMAN CORRADINI: But I want to make sure -- I don't hear it as substantive. I hear about you don't like how they word this, but --
MEMBER BROWN: No, I don't like the implication --
CHAIRMAN CORRADINI: Right.
MEMBER BROWN: -- that there is some failure in the MCS, whatever that is, that now can adversely affect the ability of the MPS to respond to its sensor inputs. That's all I'm saying. That is wrong.
MR. TANEJA: No, that is not what we are saying.
MEMBER BROWN: I totally understand that you can have compounding things in the MCS that could result in a plant response when the MPS does not have the proper inputs --
MR. TANEJA: Correct.
MEMBER BROWN: -- to respond. That's a different issue. That does not adversely affect the MPS functions. That's all. It's a little bit broad.
This sends a message in your SER. They don't say that in Chapter 7, by the way. NuScale doesn't say that, but it is --
MR. TANEJA: No, it's a broad statement that we made. It is that the MPS functionality, whether it's not getting the correct input at the given situation -- so, the inputs are part of the MPS structure, you know. So, what we were saying was that, a transient on the balance of plant does not give me what I need to create a turbine trip, I mean a reactor trip or an ESFAS function, because the input conditions did not come in at the right time --
MEMBER BROWN: I understand that.
MR. TANEJA: Yes. Right.
MEMBER BROWN: I understand that. But, right now, we've got pressure-temperature level, neutron, whatever else would come in there. If you need another function to get generated because of some other combination of things, it won't be there because of the MCS failure. You're saying if you -- the way they physically -- if we had combined all these things in what I would have called "memory segmentation" only, with all the control functions tied up in a big pile of software, but they physically, at least what they said, they physically separated them out by processors --
MR. TANEJA: Right.
MEMBER BROWN: -- with their own individual software. And that's a physical separation of the data.
MR. TANEJA: Right.
MEMBER BROWN: But even that doesn't give you a big -- it looks very difficult to have four of those things that you can control from the MCS with a common command set or software set. You've still got four different response systems downstream from what you can control. So, I just think we're working overtime on this.
CHAIRMAN CORRADINI: But I just want to make sure what we're arguing about. The way they state this here is what you're objecting to, not what they meant to say?
MEMBER BROWN: I don't like the message that somehow there's something that impacts the MPS and it doesn't. We may not have covered it from a protection standpoint, from a plant transient in terms of failures in the plant standpoint. We didn't provide enough input to the MPS. We didn't provide a proper --
MEMBER BLEY: It's not screwing with the MPS internally.
MEMBER BROWN: That's right. That's what this --
MEMBER BLEY: It's feeding it unexpected information.
MEMBER BROWN: And to me, this implies that an MCS failure can adversely affect it. And that's why we segment. That's not --
CHAIRMAN CORRADINI: Okay. Do you guys get it?
MEMBER BROWN: That's not why they're doing it.
CHAIRMAN CORRADINI: So, do you guys get it?
MR. TANEJA: Right.
CHAIRMAN CORRADINI: And you agree with it?
MEMBER BROWN: I understand what they did.
(Laughter.)
MR. ASHCRAFT: This is Joe Ashcraft. I just want to make a quick comment.
And so, maybe this slide is misleading.
I think the overall, what they are trying --
MEMBER BROWN: Well, it's in the SER also.
MR. ASHCRAFT: I think what we're trying to say is that the MCS/PCS does not affect the MPS.
MR. KALATHIVEETTIL: It doesn't unnecessarily challenge it.
MR. ASHCRAFT: In other reviews that we've had that was a big issue. So, maybe it's not worded correctly here or maybe it's confusing, but that was the goal, to just ensure that the non-safety side does not impact the safety.
MR. BETANCOURT: This is it. I'm looking at Mike and the clock.
MEMBER BROWN: You don't want an MCS failure affecting three or four items that result in data not getting to the MPS that it needs to show protection for that set of failures. That's fundamentally what you're --
MR. BETANCOURT: I think we understand the comment. We're going to go back to the SE and find a better way to say it.
CHAIRMAN CORRADINI: That's probably the way to deal with it.
Okay. Let's move on.
MEMBER BROWN: What's next?
MR. KALATHIVEETTIL: All right. So, this is the 10 CFR 50.62 exemption or the anticipated transient without scram exemption. The evaluation of this exemption was documented in Chapter 7 with assistance from Reactor Systems and the PRA Branches.
To give a brief history, NuScale requested an exemption from the portion of the ATWS rule requiring diverse equipment to initiate a turbine trip under conditions indicative of an ATWS. They also stated that, since the design does not include an auxiliary or emergency feedwater system, the portion of the ATWS rule requiring diverse automatic auxiliary feedwater system initiation is not applicable to them.
Since the underlying purpose of the 10 CFR 50.62 rule is to reduce the risks associated with ATWS events, staff evaluated three major aspects for this request.
First, staff evaluated how the design reduces the risk of an ATWS event through redundancy, diversity, and independence within the NuScale MPS.
The built-in diversity of the MPS design reduces the probability of a failure to scram.
Secondly, the staff evaluated how the NuScale design responds to an ATWS event and found that the response is bounded by the design basis accident analysis.
Finally, staff's evaluation also showed that the MPS design results in an ATWS contribution to core damage frequency which is lower than the safety goal which is identified in the 10 CFR 50.62 rulemaking documents.
Hence, staff concluded that the underlying purpose of the ATWS rule was met by the NuScale design.
MEMBER MARCH-LEUBA: Did NuScale submit a reference ATWS calculation? Because the SER mentions some numbers from Chapter 19 here and there, but I haven't seen a plot of what the ATWS response is.
With respect to your bullet No. 2, how do you decide that an ATWS is better than anything in Chapter 15?
MR. KALATHIVEETTIL: We actually have Jim Gilmer here from Reactor Systems. He's the one who evaluated this portion of it.
CHAIRMAN CORRADINI: But we're going to see this, I guess --
MEMBER MARCH-LEUBA: Are we going to see it?
CHAIRMAN CORRADINI: Yes, we're going to see it.
MEMBER MARCH-LEUBA: That's the question.
Are we?
MR. GILMER: Yes, Jim Gilmer, Reactor Systems.
NuScale has not submitted on the docket the calculation. However, during Chapter 19 audit as well as Chapter 15 audit, we reviewed all of their in RELAP calculations and any supporting ANSYS stress analysis.
MEMBER MARCH-LEUBA: So, basically, we'll get to see that, Chapter 15 and Chapter 19 --
CHAIRMAN CORRADINI: If not, we're going to ask for it.
MEMBER MARCH-LEUBA: I'm not happy that there is no submitted on-the-record calculation for ATWS. It should be part of this.
MR. GILMER: I understand. We would like to see it, also, on the docket.
But the two particular ATWS acceptance criteria that were challenged in this design are the reactor coolant pressure, RCS pressure, and containment.
MEMBER MARCH-LEUBA: Yes.
MR. GILMER: And there were --
MEMBER MARCH-LEUBA: I'm willing to table it until Chapter 15 or 19.
CHAIRMAN CORRADINI: Okay. All right.
MR. KALATHIVEETTIL: Next slide.
All right. So, as the heading of this slide states, the purpose here is to address some of the ACRS comments from a NuScale Chapter 8 Subcommittee meeting.
First, there was a concern as to how the 24-hour timers were powered. The 24-hour timers are part of the MPS boundary. And so, they are powered from the same source as the MPS is. The whole purpose of the 24-hour timers is simply to provide an ECCS hold mode and, also, any load-shedding which could, in turn, help with achieving their 72-hour capacity for the post-accident monitoring, or PAM-only mode.
Another concern was as to what happens if there are degraded voltage conditions. The MPS is capable of sensing any kind of degraded voltage condition, and if such a condition exists, then the MPS basically performs its safety function.
Next slide.
MEMBER MARCH-LEUBA: So, are you saying that MPS has an under-voltage sensor and a scram based on it?
MR. KALATHIVEETTIL: Yes, it actually had a predetermined value that it looks for. And the moment that it is hit, it actually goes ahead and does the RTS --
MEMBER MARCH-LEUBA: One of the scrams is local just to MPS?
MR. KALATHIVEETTIL: Yes. Yes, you are correct.
MEMBER BROWN: Okay. Is that separate from the timers?
MR. TANEJA: The degraded condition is not part of the timers. That is how the MPS is --
MEMBER BROWN: So, is there an under-voltage sensor that's fed into the MPS?
MR. ARNHOLT: Brian Arnholt with NuScale Power.
Yes, we monitor the AC voltage input to the EDSS battery chargers, and if we detect a low-voltage condition, there's logic within the MPS that will initiate a reactor trip, containment isolation, and decay heat removal system.
MEMBER BLEY: In fact, it's an ESFAS?
MEMBER MARCH-LEUBA: Is it --
CHAIRMAN CORRADINI: One at a time.
MR. ARNHOLT: Yes, both a reactor trip and an ESFAS function.
MEMBER BLEY: Back in the Chapter 8 meeting, we were concerned that what if the batteries didn't hold up as long as they're supposed to. Could we get individual valves drifting shut and weird stuff? And now, they're saying, well, you shouldn't because we have one more backup on the battery, and that's to initiate one of the safety functions.
MEMBER MARCH-LEUBA: But he said they're detecting the AC power coming from outside --
MEMBER BLEY: Which won't be there if we're running on batteries. So, it doesn't help us if we're on batteries.
MR. ARNHOLT: Now there's two parts to that. There's the AC voltage monitoring we perform, but also, if you remember, I mentioned we had those DC-to-DC power converters, those Class 1E isolation devices. Those monitor for any type of under-voltage or voltage-changing condition for the power feed into MPS. And just like they isolate --
MEMBER MARCH-LEUBA: So, if there's a drop in voltage, you also operate for that --
MR. ARNHOLT: A circuit breaker, for example, and then, they would remove power and isolate that power feed into the MPS as well.
MEMBER BLEY: And the setpoints on those are higher than the point at which, by testing, we know any of the valves would start to drift?
MR. ARNHOLT: Correct.
MEMBER BLEY: Is that true?
MR. ARNHOLT: That's true.
MEMBER BLEY: Where are the test reports?
MR. ARNHOLT: Oh, we haven't those -- we haven't gotten that far yet. That's not --
MEMBER BLEY: You're going to test that?
We'll be interested in seeing the test results.
MEMBER BROWN: I also did not read -- is there something in Chapter 7 or in, I guess Chapter 7, that talks about the sensor inputs, one of the under-voltage -- that's input to the MPS system?
MR. BETANCOURT: Yes. So, if you look under the DCD, there's a Table 7.1-4 that shows, and then, Table 7.1-3 that shows all of the inputs and the parameters for the ESFAS and RTS. So, Table 7.1-3 --
MEMBER BROWN: This is in the Chapter 7?
MR. BETANCOURT: Right. Reactor trip functions, and Table 7.1-4, Engineered Safety Features Actuation System Functions. So, you will see those parameters to be on both of them.
MEMBER BROWN: Okay. I just missed that when I went through it. Okay. Thank you.
MR. KALATHIVEETTIL: This was the first time that staff used the design specific review standard, Chapter 7, to review an application. The approach of DSRS Chapter 7 resulted in a simple I&C architecture and HIPS design, while incorporating the fundamental design principles. The approach also resulted in the completion of the Safety Evaluation in an efficient and effective safety-focused manner.
In conclusion, the staff finds that the I&C design is safe and that it complies with all the applicable NRC regulatory requirements.
MEMBER BROWN: And I have another question. Actually, I have two questions. Sorry, Mike. We've got a lot of time, three minutes.
Multi-unit stations, you all concluded that the setup and the controls, and everything, that multi-unit station setup is okay?
MR. KALATHIVEETTIL: Yes.
MEMBER BROWN: My question is, when do we see an evaluation of how people actually control the plant using this? Is that going to be in Chapter 18, HNI, or whatever it is?
MR. BETANCOURT: So, we reviewed the Chapter 21 input and RFCR in Chapter 7, but I think that will be for Chapter 18 and Chapter 15 it could be addressed.
MEMBER BROWN: But I didn't get much out of the multi-unit station discussion.
MR. BETANCOURT: Right.
MEMBER BROWN: It just says the I&C systems and the distributed control systems, et cetera, et cetera, provide the ability to control all these things. It didn't say how am I going to control 12 modules with one DC system.
MR. BETANCOURT: Right.
MEMBER BROWN: How many operators do I need to do --
MR. BETANCOURT: So, that's a Chapter 18 topic.
MEMBER BLEY: And I understand, I've heard that the way they're doing that has evolved from what we saw several years ago when we were out there, which was three people in the control room, one guy running all the plants and, then, dropping them off. And it was pretty interesting. It worked very well. But we're really interested in seeing that whenever it comes up.
MEMBER BROWN: So, it's really Chapter 18?
MR. BETANCOURT: Yes.
MEMBER BROWN: Okay. All right. That's question one.
CHAIRMAN CORRADINI: Wait a minute. Now you brought it up, so it's your fault.
(Laughter.)
So, has the staffing regimen for the multi-units been settled or is it still an issue that's a policy issue to the Commission? I'm trying to understand how many people are watching how many modules. It kind of interacts with the questions you were asking.
MEMBER BROWN: No, that's part of it, yes.
CHAIRMAN CORRADINI: Has that been settled and it's in the DCD, settled for review?
MR. TABATABAI: I cannot answer that question. Actually, I'm not the PM for Chapter 18.
So, I don't want to provide --
MR. BERGMAN: Tom Bergman, NuScale.
That's still an active part of the review.
CHAIRMAN CORRADINI: Fine.
MR. BERGMAN: The staff has just recently observed some of our operator training. They have another audit coming out to see more of the testing.
So, we haven't heard any concerns specifically raised, but it is still under review by the staff.
MEMBER BLEY: Tom, is it spelled out in the DCD now or is it --
MR. BERGMAN: Is what spelled out?
MEMBER BLEY: How they're going to operate or how you expect them to operate.
MR. BERGMAN: I don't know that the number of operators is specifically in the DCD. It will be in the appendix that certifies the design, Part 52.
So, the regulatory approaches are appendix and Part 52, which say COLs that incorporate this design by reference follow this approach in lieu of that in 50.54(m). And that will say our approach is six operators will be in front, plus a senior reactor operator, STA, and supervisor. But, just like you saw when you were there, they are still the three people at the desks.
MEMBER BLEY: Okay. Thanks.
CHAIRMAN CORRADINI: Charlie, I'm sorry.
You had one more question, Charlie?
MEMBER BROWN: Yes, but I've got to find it here.
Yes, it's you all had a comment or a paragraph where you talked about the MPS is an FPGA-based system. Traditional watchdog timers do not provide the same protections for FPGA systems as they do in microprocessor-based systems. The MPS addresses the need for "alabness," although I couldn't find that word anywhere, via the self-testing features of the MPS modules, EGVF-FM. In other words, it's under the built-in self-test features.
But, when I went and looked at that, all I could find was that throughout the testing you have individual -- at least the way I read it, each individual piece has some type of an identification of its alabness or --
MR. BETANCOURT: Correct.
MEMBER BROWN: But there's no beginning-to-end check that anything ever finishes a complete cycle anywhere.
MR. BETANCOURT: Right.
MEMBER BROWN: In other words, from start to finish. I'm not talking about repeatability. Just the things actually get to the end.
MR. BETANCOURT: The feedback.
MEMBER BROWN: That's right. As you get with the watchdog timer. In other words, you're stepping through -- I mean, FPGA still has to go through and process data, result into a vote, and something has to happen.
MR. BETANCOURT: Right.
MEMBER BROWN: But there's nothing that says that that actually gets completed, other than individual pieces along the way.
MR. BETANCOURT: So, you're correct. Like the way that they are designed, it's like a piecemeal way.
MEMBER BROWN: Very piecemeal.
MR. BETANCOURT: Right. But, then, you will still get that feedback at the control room that the actuation, or whatever function you're trying to activate --
MEMBER BROWN: If you actuate, but you don't actuate the protection.
MR. BETANCOURT: Right.
MEMBER BROWN: You don't actuate the trip systems.
MR. BETANCOURT: Right.
MEMBER BROWN: So, you don't ever know whether the thing is being voted and a signal is being out to the EIM.
MR. BETANCOURT: And that's where the piecemeal comes into play. It's like each one of the modules will actually do like a cross-check against each other. So, in other words, the EIM may be expecting a signal from one of the separation groups, and if it doesn't come in in the allotted time, it will send out an alarm, hey, I was expecting --
MEMBER BROWN: Where are those alarms identified?
MR. BETANCOURT: The specific alarms?
MEMBER BROWN: Chapter 7?
MR. BETANCOURT: Like you're talking about the failure?
MEMBER BROWN: Yes, I'm trying to figure out, if I don't say that I complete data processing from data input in whatever the sample size, you know, whatever the sample period is from beginning to end, and I either get a signal that either doesn't arrive or does arrive at an EIM -- I don't know what the endpoint is. Obviously, you don't want to actuate anything.
MR. BETANCOURT: I believe we had an RAI --
MEMBER BROWN: Or outputs from the voting unit that says, I'm finished; nothing's there; I don't have to trip. Something ought to be telling you that I have finished it somewhere.
MR. BETANCOURT: I believe there was an RAI and an ASAI, but it was clearly delineated, that concern, what is a safe state of a failure, whatever module. And I know that we had that on the SER. And there's a table that shows what is the safe state that is expected for each one of the modules.
MEMBER BROWN: I understand the safe state, but how do I know that it doesn't get to safe state? Is there an alarm triggered and where is the alarm specified?
MR. ARNHOLT: I might be able to help.
Brian Arnholt from NuScale Power.
I've got to be careful with what I say here because a lot of this detail is proprietary of how it works. But if --
MEMBER BROWN: I don't want to know how it works. I just want to know whether an alarm goes off if it doesn't complete a processing cycle --
MR. ARNHOLT: Yes, it does.
MEMBER BROWN: -- in 50 millicycles.
MR. ARNHOLT: The answer to your question is yes.
MEMBER BROWN: And where is that stated?
That's not proprietary. That just means --
MR. ARNHOLT: That's a part of our self-testing and diagnostics that is described in the HIPS Topical Report.
CHAIRMAN CORRADINI: And if you want more detail, let's do it after lunch in the closed session.
MEMBER BROWN: I guess I'll want more detail.
CHAIRMAN CORRADINI: I figured you did.
MEMBER BROWN: We can talk about it after lunch.
(Laughter.)
CHAIRMAN CORRADINI: Okay.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 182MEMBER BROWN: Because I don't remember --
1 I remember the BIST for each individual piece, but I 2 never saw a start; I don't remember and could not 3find. I went and took a quick look at Rev 1 of HIPS, 4 and I'm not going to talk about that anymore right 5 now, but I couldn't find anything.
6 CHAIRMAN CORRADINI: Okay.
7 MEMBER SKILLMAN: Mike --
8CHAIRMAN CORRADINI: No, no, I want to 9 make sure I had the members --
10 MEMBER BROWN: That's my last --
11MEMBER SKILLMAN: I have a question, sir, 12 Mr. Chairman.
13You have not introduced slide 23. Please 14do it. On this slide. You had to have been there to 15 understand why this change in regulation came in 1980-16 1981. I recognize this is not a full P and it's not 17 a full B. This is a hybrid in shutdown because this 18 is a PWR with a very, very low pressure.
19 But I will tell you, from having been 20 there in the control room, if you do not know what 21 your pressurized level is, you do not know the 22condition of your core. And so, I don't know why 23 staff finds pressurizer level not necessary. I 24 understand you might say it's not necessary to achieve 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.(202) 234-4433WASHINGTON, D.C. 20005-3701(202) 234-4433 183 cooling, but it's vital to understand the status of 1 the core.2MR. BETANCOURT: And what I believe, that 3 the intent of how NuScale is set to address this is 4 that they're not relying on pressurizer level 5 indication to get that function. They're relying on 6 the RCS flow instead of the pressurizer level 7 indication to be able to meet the intent of that 8regulation. So, they're saying that we still meet the 9 intent, not using the pressurizer level indication.
10 We're using the RCS flow indication to be able to 11 verify there's natural circulation throughout the 12 core.13CHAIRMAN CORRADINI: But I think what Dick 14 is saying is, whether I'm a B or a P, in the P I find 15 pressurized level, and if it's a B, I have a level 16indication in the reactor. What I think he is 17 bothered by is I have neither.
MEMBER SKILLMAN: Bingo.
MR. TANEJA: Yes, the regulation, for regulation's sake, they don't need that information. But it is a post-accident monitoring variable that is available. The pressurizer level I believe is one of the variables that is displayed on the safety indication and display panel. So, it is one of the --
MR. ARNHOLT: One point of clarification. Brian Arnholt, NuScale Power.
The post-accident monitoring variable for this function is RPD riser level. And that's what we use to monitor inventory within the reactor vessel.
CHAIRMAN CORRADINI: The riser level is what -- where is that measured? That's within the downcomer after the steam generators?
MR. ARNHOLT: The riser is the central column of water coming out of the core.
CHAIRMAN CORRADINI: Oh, I'm sorry, just the opposite. What I call the shroud in the BWR. Okay. Fine. Okay. So, it's within that, which is physically below where the pressurizer control is?
MR. ARNHOLT: Correct. But that's our direct measurement for whether we --
MEMBER SKILLMAN: And would one put on the record that that is an adequate and accurate representation of the hydraulic level above the core? That's a yes or no.
MR. ARNHOLT: Could you repeat the question, please?
MEMBER SKILLMAN: Yes. Would one communicate that that riser level is an adequate and accurate indication of the hydraulic level above the core?
MR. ARNHOLT: Yes.
MEMBER SKILLMAN: Thank you.
CHAIRMAN CORRADINI: Other comments by the members?
(No response.)
Okay. I think at this point I'd like to --
MR. BETANCOURT: Can I break up all of the actions that we have to do? Sorry. Or you want to do that after --
CHAIRMAN CORRADINI: Well, I think I want to go to public comments.
MR. BETANCOURT: Okay.
CHAIRMAN CORRADINI: We can do that, because we're going to have a closed session, and we'll have a full more, I'm sure.
Okay. So, I'd like to get the phone line open, if we could, please.
OPERATOR: The bridge is open.
CHAIRMAN CORRADINI: Thank you.
So, are there any members of the public out there who would like to make a comment at the end of our open session?
(No response.)
Okay. Hearing none, could you close the outside line?
And I want to ask, anybody in the audience that would like to make a comment?
(No response.)
Okay. Hearing none, we will break for lunch, and we'll come back at 1:15. I think that's okay if we give ourselves an additional five minutes, ten minutes. Okay? We'll see you back here at 1:15, and it will be in closed session.
(Whereupon, the foregoing matter went off the record for lunch at 12:09 p.m. and went back on the record in closed session at 1:16 p.m.)
[Figure (not to scale): Loss of AC Power to ELVS, 24-Hour Timers, Division I. Timeline: Time = 0 seconds, low ELVS bus voltage detected; Time = 60 seconds, reactor trip, DHRS actuation, CNT isolation; Time = 24 hours, ECCS actuation, followed by ECCS Hold Mode and PAM Only Mode. Block diagram elements: EDNS 208 Vac, ELVS 480 Vac, EDSS 125 Vdc, RTBs, CRDS, low AC voltage sensors, ELVS bus voltage monitoring, ESF solenoids, ESFAS actuation, RTS actuation, RTS EIMs, ESF EIMs, MPS logic, plant sensors. Legend: I&C logic, AC power, DC power.]
[Figure: MPS chassis data paths for the Separation Group A chassis and the Reactor Trip System Division I chassis. Each chassis carries Safety Data Bus 1, Safety Data Bus 2, Safety Data Bus 3 and a Monitoring & Indication bus; inputs from Separation Groups B, C and D (SBM1, SBM2 and SBM3 of each) enter through isolation.]
Safety Evaluation with Open Items: Chapter 7, Instrumentation and Controls
NuScale Design Certification Application Review
ACRS Subcommittee Meeting, August 23, 2018

Agenda
* Background
  - NRC Staff Review Team
  - NRC Staff Interfaces
  - Timeline
* Safety Evaluation
  - Safety-Focused Review
  - Instrumentation and Controls Overview
  - Fundamental Design Principles
  - Non-safety-related Systems Segmentations
  - Exemption Request to 10 CFR 50.62(c)(1)
  - ACRS Comments on Chapter 8 Subcommittee Meeting
  - Conclusions
NRC Staff Review Team
* Technical Staff
  - Joseph Ashcraft, NRO
  - Sergiu Basturescu, NRO
  - Luis Betancourt, NRO
  - Derek Halverson, RES
  - Dawnmathews Kalathiveettil, NRO
  - Dinesh Taneja, NRO
  - Yaguang Yang, RES
* Project Manager
  - Gregory Cranston, Lead Project Manager
  - Omid Tabatabai, Chapter Project Manager
NRC Staff Interfaces
[Figure: Chapter 7 review interfaces. Labels: PAMS; NRO/DICP; NRO/DLSE; NRO/DSRA; EQ & TMI Action Item Exemption, NRR/DE; Coping Analysis & ATWS Exemption, NRO/DSRA; Setpoints & Tech Specs, NRR/DSS; Software QA & ITP, NRO/DCIP; COMS, NSIR/EP; ATWS Exemption, NRO/DSRA.]

Timeline
Date                      | Activity
2014 - 2016               | Pre-application activities
September 2016            | Readiness review
March 2017                | Accepted Revision 0 of the DCD for review
April 2017                | ACRS Full Committee meeting on HIPS Platform Topical Report
March 2017 - December 2017 | Held 5 public meetings / issued 9 RAIs / completed 1 audit
January 2018              | Draft SE with Open Items completed
March 2018                | Applicant submitted Revision 1 of the DCD
April 2018                | All confirmatory items incorporated into Revision 1 of the DCD
August 2018               | ACRS Subcommittee meeting
September 2018            | ACRS Full Committee meeting

Safety-Focused Review
[Figure: ESFRA. Fundamental design principles: Independence; Redundancy; Predictability & Repeatability; Diversity and Defense-in-Depth; Simplicity.]

NuScale DCD Evaluation
[Figure: Review scope. Tier 1: 2.5 (MPS/SDIS), 2.6 (NMS). Exemptions: ATWS (50.62), TMI Action Item 50.34(f)(2)(xx). Tier 2: Chapter 7; IBR documents: Setpoints TeR (Tier 2, 7.2.7), Sensors TeR (Tier 2, 7.2.6); 14.3.5 (ITAAC); 9.5.2 (COMS); ASAI; TR-1015-18653, HIPS Platform.]

NuScale I&C Architecture
[Figure only.]

Safety Classification
[Figure only.]

Independence
* Physical
* Electrical
* Communications
* Functional

Redundancy
* MPS Redundancy
  - Four separation groups and two divisions of RTS/ESFAS
  - Internal platform redundancy
* NMS Redundancy
  - Four separation groups
* Post-Accident Monitoring
  - Two divisions of SDIS

MPS Platform
Predictability and Repeatability
[Figure: MPS platform signal path. Labels: Field Sensors; Input Sub-Module; SFM; SBM; SVM; EIM; Field Components.]

Diversity and Defense-in-Depth
[Figure only.]

Diversity and Defense-in-Depth (Cont.)
[Figure only.]
Simplicity
* The I&C architecture and systems incorporate the fundamental design principles with an overall focus on simplicity
  - Simple RTS/ESFAS functions
  - No closed/open loop control
  - All safety-related functions are "de-energize to actuate"
Non-Safety-Related Systems Segmentations
* Segmentation of the MCS and PCS ensures that a failure of these systems does not adversely affect the MPS functions
* This segmentation prevents any multiple failures resulting in spurious actuations or situations which put the plant in an unanalyzed condition
* Staff audited the technical basis of the segmentation analyses for both the MCS and the PCS

10 CFR 50.62(c)(1) Exemption
Three aspects to acceptance of exemption
* Built-in diversity of the MPS
* ATWS response bounded by plant design and Chapter 15 analysis
* 5/reactor year

ACRS Comments from NuScale Chapter 8 SC Meeting
* 24-hour timers
  - 24-hour timers are part of the MPS boundary
  - Powered by the non-safety-related EDSS
* MPS undervoltage design feature
  - Upon voltage degradation conditions, the MPS fails into a safe state
Source: DCD Tier 2, Figure 7.1-1ai: Loss of AC Power to ELVS 24 Hour Timers Division I
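The "de-energize to actuate" convention stated on the Simplicity slide and the undervoltage feature above (the MPS fails into a safe state when voltage degrades) are easiest to see side by side with the opposite convention. The Python below is an added example written for this page, not NuScale's or the NRC staff's code. It takes the 60-second and 24-hour values from the figure cited above; the assumption that the EDSS-powered timer logic can no longer assert a demand once EDSS is lost, and all function and field names, are the example's own.

```python
"""Fail-safe ("de-energize to actuate") actuation model.

Added example, not NuScale or NRC code.  It contrasts a de-energize-to-
actuate output (the convention the slides state for all safety-related
functions) with an energize-to-actuate output, driven by the timer
sequence from the page's figure: low ELVS bus voltage at t = 0, reactor
trip / DHRS / containment isolation at 60 s, ECCS at 24 h.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TRIP_DELAY_S = 60            # figure: reactor trip, DHRS actuation, CNT isolation
ECCS_DELAY_S = 24 * 3600     # figure: ECCS actuation

FUNCTIONS = ("RTS trip", "DHRS", "CNT isolation", "ECCS")


@dataclass(frozen=True)
class PlantState:
    """Model inputs for one instant (names are the example's own)."""
    seconds_since_low_elvs: Optional[float]   # None: ELVS bus voltage is normal
    edss_available: bool                      # DC power to timers, logic and coils


def timer_demands(state: PlantState) -> Dict[str, bool]:
    """Demand signals from the 24-hour-timer logic.

    The timers are EDSS-powered (slide), so the model ASSUMES they can only
    assert a demand while EDSS is available.
    """
    t = state.seconds_since_low_elvs
    if t is None or not state.edss_available:
        return {f: False for f in FUNCTIONS}
    return {
        "RTS trip": t >= TRIP_DELAY_S,
        "DHRS": t >= TRIP_DELAY_S,
        "CNT isolation": t >= TRIP_DELAY_S,
        "ECCS": t >= ECCS_DELAY_S,
    }


def coil_energized(demand: bool, dc_available: bool, fail_safe: bool) -> bool:
    """Coil state for one output.

    fail_safe=True : de-energize to actuate; the coil is held in only while
                     DC is present AND there is no demand.
    fail_safe=False: energize to actuate; the coil is driven only while DC
                     is present AND there is a demand.
    """
    if fail_safe:
        return dc_available and not demand
    return dc_available and demand


def actuated(demand: bool, dc_available: bool, fail_safe: bool) -> bool:
    """True when the output is in its actuated (safe-state) position."""
    energized = coil_energized(demand, dc_available, fail_safe)
    return (not energized) if fail_safe else energized


def outputs(state: PlantState, fail_safe: bool = True) -> Dict[str, bool]:
    """Actuation state of every function for the given plant state."""
    demands = timer_demands(state)
    return {f: actuated(demands[f], state.edss_available, fail_safe) for f in FUNCTIONS}


def compare(state: PlantState) -> Dict[str, Dict[str, bool]]:
    """Both conventions evaluated on the same inputs."""
    return {"de-energize-to-actuate": outputs(state, True),
            "energize-to-actuate": outputs(state, False)}


if __name__ == "__main__":
    scenarios = {
        "normal power": PlantState(None, True),
        "30 s after low ELVS": PlantState(30, True),
        "60 s after low ELVS": PlantState(60, True),
        "24 h after low ELVS": PlantState(ECCS_DELAY_S, True),
        "30 s after low ELVS, EDSS lost": PlantState(30, False),
    }
    for label, st in scenarios.items():
        print(label)
        for design, outs in compare(st).items():
            on = [f for f, a in outs.items() if a] or ["none"]
            print(f"  {design:24s} actuated: {', '.join(on)}")
```

The last scenario is the one the undervoltage slide is about: with the DC supply gone, the timer logic in this model produces no demand at all, yet every de-energize-to-actuate output lands in its safe position, while the energize-to-actuate variant does nothing. The trade-off a practitioner should keep in mind is that the same property makes any loss of coil power, including a maintenance error, a spurious actuation.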
Conclusion
* The approach of DSRS Chapter 7 resulted in:
  - A simple I&C architecture and the HIPS design, which are based on the fundamental design principles
  - A completion of the safety evaluation in an efficient and effective manner (safety-focused)
* The staff finds the I&C design to be safe and that it complies with applicable regulatory requirements

Acronyms
* ACRS: Advisory Committee on Reactor Safeguards
* ASAI: application-specific action item
* ATWS: anticipated transient without scram
* CCF: common-cause failure
* CDF: core damage frequency
* CM: communications module
* COMS: communication systems
* D3: diversity and defense-in-depth
* DBC: digital-based CCF
* DCD: design control document
* DCIP: Division of Construction Inspection and Operational Programs
* DLSE: Division of Licensing, Siting and Environmental Analysis
* DSRA: Division of Safety Systems and Risk Assessment
* DSRS: design-specific review standard
* DSS: Division of Safety Systems
* EDSS: highly reliable direct current power system
* EIM: equipment interface module
* ESFAS: engineered safety features actuation system
* ESFRA: enhanced safety-focused review
* EQ: environmental qualification
* HIPS: highly integrated protection system
* HPN: health physics network
* I&C: instrumentation and control
* ICIS: in-core instrumentation system
* ITAAC: Inspections, Tests, Analyses, and Acceptance Criteria
* MCS: module control system
* MPS: module protection system
* NRC: U.S. Nuclear Regulatory Commission
* NMS: neutron monitoring system
* NRO: Office of New Reactors
* NRR: Office of Nuclear Reactor Regulation
* NSIR: Office of Nuclear Security and Incident Response
* NuScale: NuScale Power, LLC
* PAMS: post-accident monitoring system
* PCS: plant control system
* PPS: plant protection system
* QA: quality assurance
* RAI: request for additional information
* RES: Office of Nuclear Regulatory Research
* RTS: reactor trip system
* RM: fixed area radiation monitoring
* SBM: scheduling and bypass module
* SC: subcommittee
* SFM: safety function module
* SDIS: safety display and indication system
* SER: safety evaluation report
* SVM: scheduling and voting module
* TeR: technical report
* TMI: Three Mile Island

Backup Slide
10 CFR 50.34(f)(2)(xx) Exemption
* 10 CFR 50.34(f)(2)(xx) specifies power provisions for pressurizer relief valves, block valves, and level indicators
* Staff finds pressurizer level instrumentation is not necessary to maintain natural circulation cooling

[Figure: NuScale I&C architecture overview (NuScale Nonproprietary). Main Control Room (MCR): Control Room Supervisor (CRS) workstation, Shift Manager workstation, Common Systems Panel workstation, Reactor Operator workstations (3), Module Control System Operator workstations (12), Shift Technical Advisor workstation, Safety Display and Indication monitors (13), DIV I SDI and DIV II SDI, safety manual switches (Note 10), safety manual isolation switches (Note 9). Remote Shutdown Station (RSS) with MCS and PCS HSI. Module Control System (MCS): HSI network (MCR & RSS), control network, I/O network, local I/O, domain controller and historian (MCR & RSS), MCS unidirectional data diode (typical of 12), module-specific nonsafety components, bidirectional nonsafety control communications, NMS-refuel instruments. Plant Control System (PCS): plant network, plant domain controller / historian, bidirectional firewall to corporate/business network, PCS control network, I/O network, local I/O, domain controller and historian (MCR & RSS), PCS unidirectional data diode, shared plant nonsafety components, power operations HSI network (MCR & RSS), seismic monitoring, meteorological & environmental monitoring, accident monitoring instrumentation, fire protection system, plant video monitoring system, plant online monitoring / emergency response data server, radwaste handling HSI network, liquid/solid/gaseous radwaste monitoring, Radioactive Waste Building Control Room (RWBCR), Technical Support Center with TSC engineering workstation. Module Protection System (MPS): Separation Groups A & C and B & D (Note 7), each with SFM, SBM SD1/SD2/SD3, MIB CM (Note 11), hard-wired modules (HWM) for trip/bypass, OP bypass, manual trip enable and manual actuation enable (Note 6), DIV I/DIV II RTS and ESFAS with SDB1/SDB2/SDB3 SVMs, RTS I and ESFAS I EIMs with priority logic (APL), MIB CM, CTB CM (Note 11), reactor trip breakers, ESFAS components, MPS gateways DIV I and DIV II (Notes 8 and 12), maintenance workstations (MWS, Note 5), spares. Plant Protection System (PPS) DIV I and DIV II (Note 4) with process monitoring instrumentation, EIM, SFM, MIB CM, CRH/CRV components, manual control from PCS (Note 3). SDI hubs DIV I and DIV II. Neutron Monitoring System and safety-related instrumentation. Legend: solid lines indicate continuous connections, dashed lines indicate temporary connections; network line arrows indicate one-way communication direction; internal data (Safety Data Bus); internal diagnostic and parameter data (Monitoring and Indication Bus); internal discrete signal; external unidirectional data; external discrete or data.]

Notes:
Note 1: MPS, SDIS, and PPS will provide separated, optically isolated, unidirectional data to MCS and PCS (read-only data).
Note 2: Refueling neutron monitors will have normal connection to PCS during specific refueling operations. Other module instruments for refueling, which would have normal connections to MCS or PCS, are to be determined.
Note 3: Includes individual component operation originating from MCS to MPS or PCS to PPS through enable nonsafety control switch.
Note 4: MPS and PPS DIV II internals are the same as DIV I internals.
Note 5: Temporary MPS and PPS Maintenance Workstation communications are one-way, receive only and manually initiated to one channel at a time while at power.
Note 6: Individual HWMs used for each separation group and division to maintain signal separation. All inputs to the HWMs are isolated.
Note 7: Separation Groups A & C are physically separated from B & D. Only Separation Group A is shown connected.
Note 8: MPS MWS DIV II is associated with Separation Groups B & D. MWS & Gateway Server are nonsafety-related.
Note 9: Isolation switches to isolate MCR manual reactor trip, ESFAS actuation, overrides, and the enable nonsafety control switches for all modules.
Note 10: Safety-related manual switches in the MCR include RTS and ESFAS actuation, operational bypasses and overrides, and the enable nonsafety control switches.
Note 11: All MIB-CM and CTB-CM outputs and inputs are isolated (isolation not shown).
Note 12: Each divisional MPS Gateway (nonsafety-related) also has inputs from the other 3 separation groups and RTS II and ESFAS II.
Note 13: The backplane (not explicitly shown) supports bi-directional communication between SFMs and SBMs and between SFMs and MIB CM.
Note 14: PPS EIM only receives information and does not transmit information on the safety data bus.
Note 15: Bidirectional communication exists in the backplane between SFMs and SBMs, between SFMs and MIB CM, and between SBMs and MIB CM.
Note 16: MPS EIM only receives information from the SVM and does not transmit information on the safety data bus. Bidirectional communication exists in the backplane between EIMs and MIB CM and between SVMs and MIB CM.
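Note 1 (optically isolated, unidirectional, read-only data from MPS, SDIS and PPS to MCS and PCS) and Note 5 (one-way, receive-only maintenance workstation links) both describe links with no return path, which changes what the receiving side has to do: it cannot acknowledge a frame or ask for a retransmission, so every frame must carry what the receiver needs to validate it alone, and loss has to be detected from sequence numbers. The Python below is an added example written for this page, not NuScale's code or protocol; the frame layout, the tag names and the readings are constructed for the example.

```python
"""One-way (data-diode style) transfer: framing on the sending side, integrity
and gap detection on the receiving side.

Added example, not NuScale's code.  The frame format (magic, sequence number,
length, payload, CRC-32), the tag names and the readings are constructed for
this example.  The receiver class deliberately has no transmit method.
"""
import struct
import zlib
from typing import List, Optional, Tuple

MAGIC = 0x5A5A
HEADER = struct.Struct("!HIH")   # magic, sequence number, payload length
TRAILER = struct.Struct("!I")    # CRC-32 over header + payload


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: frame one reading.  Nothing is ever read back."""
    header = HEADER.pack(MAGIC, seq, len(payload))
    crc = zlib.crc32(header + payload) & 0xFFFFFFFF
    return header + payload + TRAILER.pack(crc)


class OneWayReceiver:
    """Receiver side: can only accept a frame, reject it, or record a gap."""

    def __init__(self) -> None:
        self.expected: Optional[int] = None          # next sequence number expected
        self.accepted: List[Tuple[int, bytes]] = []
        self.gaps: List[Tuple[int, int]] = []        # (expected seq, seq actually seen)
        self.rejected = 0

    def feed(self, frame: bytes) -> bool:
        """Validate one frame; return True if its payload was accepted."""
        if len(frame) < HEADER.size + TRAILER.size:
            self.rejected += 1
            return False
        magic, seq, length = HEADER.unpack_from(frame)
        body_end = HEADER.size + length
        if magic != MAGIC or len(frame) != body_end + TRAILER.size:
            self.rejected += 1
            return False
        (crc,) = TRAILER.unpack_from(frame, body_end)
        if zlib.crc32(frame[:body_end]) & 0xFFFFFFFF != crc:
            self.rejected += 1      # corrupted in transit; no way to ask for it again
            return False
        if self.expected is not None and seq != self.expected:
            self.gaps.append((self.expected, seq))   # lost frames show up only here
        self.expected = seq + 1
        self.accepted.append((seq, frame[HEADER.size:body_end]))
        return True


def simulate() -> OneWayReceiver:
    """Push five constructed readings through a lossy one-way link."""
    readings = [("PZR_LVL", 61.2), ("RCS_FLOW", 98.0), ("RISER_LVL", 73.5),
                ("CNT_PRESS", 0.9), ("ECCS_POS", 0.0)]      # constructed sample data
    frames: List[Optional[bytes]] = [
        build_frame(i, f"{tag}={val}".encode()) for i, (tag, val) in enumerate(readings)]
    frames[2] = None                       # frame 2 is lost on the link
    damaged = bytearray(frames[3])
    damaged[HEADER.size] ^= 0x01           # frame 3: one payload bit flipped
    frames[3] = bytes(damaged)
    rx = OneWayReceiver()
    for frame in frames:
        if frame is not None:
            rx.feed(frame)
    return rx


if __name__ == "__main__":
    rx = simulate()
    for seq, payload in rx.accepted:
        print(f"seq {seq}: {payload.decode()}")
    print("gaps:", rx.gaps, "rejected:", rx.rejected)
```

Run as a script, the receiver accepts frames 0, 1 and 4, rejects the corrupted frame 3 on the CRC, and reports the gap from sequence 2 to 4; the lost frame and the rejected frame are both simply gone, which is the behaviour an operator display or historian downstream of such a link has to be designed around. A CRC catches transmission damage, not tampering; if the sending side could be compromised, the frames would also need a keyed MAC, and a sequence reset after a sender restart would appear to this receiver as a gap unless an epoch field is added.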