
GE Hitachi Nuclear Energy

Richard E. Kingston
Vice President, ESBWR Licensing

PO Box 780
3901 Castle Hayne Road, M/C A-55
Wilmington, NC 28402-0780 USA

T 910.675.6192
F 910.362.6192
[email protected]

MFN 08-742, Supplement 1
Docket No. 52-010

December 8, 2008

U.S. Nuclear Regulatory Commission
11555 Rockville Pike
Document Control Desk
Rockville, MD 20852

Subject: Response to Portion of NRC Request for Additional Information Letter No. 251 Related to ESBWR Design Certification Application - RAI Numbers 7.1-103, 7.1-104, 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14, 7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8

Enclosures 1 and 2 contain the GE Hitachi Nuclear Energy (GEH) response to RAI Numbers 7.1-103, 7.1-104, 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14, 7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8 from the U.S. Nuclear Regulatory Commission (NRC) Request for Additional Information (RAI) sent by NRC letter dated September 14, 2008.

If you have any questions or require additional information, please contact me.

Sincerely,

Richard E. Kingston
Vice President, ESBWR Licensing


MFN 08-742, Supplement 1, Page 2 of 2

Reference:

1. MFN 08-687, Letter from U.S. Nuclear Regulatory Commission to Robert E. Brown, Request For Additional Information Letter No. 251 Related To ESBWR Design Certification Application, dated September 4, 2008

Enclosures:

1. Response to Portion of NRC Request for Additional Information Letter No. 251 Related to ESBWR Design Certification Application - RAI Numbers 7.1-103, 7.1-104, 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14, 7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8

2. Response to Portion of NRC Request for Additional Information Letter No. 257 Related to ESBWR Design Certification Application - DCD and Licensing Topical Report Markups for RAI Numbers 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14, 7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8

cc:
AE Cubbage USNRC (with enclosures)
RE Brown GEH/Wilmington (with enclosures)
DH Hinds GEH/Wilmington (with enclosures)

eDRF Section:
0000-0091-7608 (RAI 7.1-103)
0000-0091-7999 (RAI 7.1-104)
0000-0092-5382 (RAI 7.1-105)
0000-0092-5395 (RAI 7.1-106)
0000-0092-1668 (RAI 7.1-107)
0000-0091-0158 (RAI 7.1-108)
0000-0092-5950 (RAI 7.2-67)
0000-0092-1653 (RAI 7.3-14)
0000-0090-9467 (RAI 7.4-8)
0000-0093-6729 (RAI 7.4-9)
0000-0093-6752 (RAI 7.4-10)
0000-0092-5975 (RAI 7.4-11)
0000-0094-6840 (RAI 7.5-7)
0000-0091-0140 (RAI 7.6-3)
0000-0093-3231 (RAI 7.8-8)


MFN 08-742, Supplement 1

Enclosure 1

Response to Portion of NRC Request for Additional Information Letter No. 251

Related to ESBWR Design Certification Application

RAI Numbers 7.1-103, 7.1-104, 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14, 7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8


MFN 08-742, Supplement 1, Enclosure 1, Page 1 of 17

NRC RAI 7.1-103

Section 7.4.3.3.1, under 10 CFR 50.55a(h): bullet states "RWCU/SDC is nonsafety-related and is not applicable".

However, SRP 7.4 states "For safe shutdown systems that are not safety systems as defined by IEEE Std 603-1991 and that are isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are IEEE Std 603-1991 Clause 5.6.3, 'Independence Between Safety Systems and Other Systems;' and IEEE Std 603-1991, Clause 6.3, 'Interaction Between the Sense and Command Features and Other Systems'."

Comparable language is provided in SRPs 7.5, 7.6, 7.7, and 7.8 for nonsafety-related accident monitoring instrumentation and interlock, control, and diverse actuation systems, respectively. Identify for each nonsafety-related system that the requirements of 10 CFR 50.55a(h), namely IEEE Std 603-1991 Criteria 5.6.3 and 6.3, are applicable.

GEH Response

GEH concurs with the request. DCD Tier 2, Table 7.1-1 and Table 7.1-2 will be revised to indicate that the safety-related isolation valves associated with the nonsafety-related RWCU/SDC system conform to the applicable regulatory requirements, including IEEE Std 603-1991 Criteria 5.6.3 and 6.3.

The RWCU/SDC system is not a "safe shutdown system" but can be used for decay heat removal from the ESBWR after hot shutdown of the reactor. The "functions" of the RWCU/SDC are nonsafety-related and, therefore, not subject to conformance with 10 CFR 50.55a(h) and IEEE Std. 603. However, the portion of RWCU/SDC providing a containment isolation function and instrumentation for detection of system breaks outside the containment is safety-related and does comply with the requirements of 10 CFR 50.55a(h) and IEEE Std. 603. This is supported by the revisions to DCD Tier 2, Table 7.1-1 and Table 7.1-2.

DCD Impact

DCD Tier 2, Tables 7.1-1 and 7.1-2 will be revised in Revision 6 as noted above. The markups will be provided in separate submittals in the responses to RAI 7.1-99 and RAI 14.3-265, Supplement 1, respectively.


NRC RAI 7.1-104

In ESBWR DCD Tier 2, Revision 5 changes to Table 7.1-1, I&C Systems Regulatory Requirements Applicability Matrix, changed the column heading for the NBS so that it now applies to both Q (safety-related) and N (nonsafety-related) portions of the NBS, indicating the nonsafety-related NBS I&C conforms to the same requirements as the safety-related NBS I&C. DCD Tier 2 Section 7.7.1.3.1 states that safety-related portions of the NBS are designed to conform to IEEE Std. 603, implying GEH may not have committed to conformance for the nonsafety-related NBS I&C, which contradicts DCD Tier 2, Revision 5, Table 7.1-1. This comment is applicable to LD&IS, RSS, PAM, CMS, and PRMS also listed in Table 7.1-1. Clarify the applicability of regulatory requirements for systems designated as both Q and N.

GEH Response

GEH concurs with the request. DCD Tier 2 Table 7.1-1 will be revised to separate the safety-related and nonsafety-related regulatory compliance for systems that have both safety-related and nonsafety-related functions/components.

The NBS is one of multiple ESBWR systems that contain both safety-related and nonsafety-related functions/components. Regulatory compliance for such systems is based on the safety classification of the function/component and not the system to which it belongs. DCD Tier 2 Chapter 7, including Subsection 7.7.1.3.1, indicates that only safety-related portions of a system comply with a certain regulation because the regulation is only applicable to safety-related functions.

DCD Impact

DCD Tier 2 Table 7.1-1 will be revised in Revision 6 as described above. The markup will be provided in a separate submittal in response to RAI 7.1-99.


NRC RAI 7.1-105

DCD Tier 2, Revision 5, Section 7.1.2.8.7 states that the VB isolation function is implemented on independent logic controllers and uses equipment different from the RPS, NMS, and SSLC/ESF equipment. Please explain why the VB isolation function needs to be handled by a third diverse platform (diverse from NUMAC and TRICON). Identify any effects on the topical report NEDO-33251, "ESBWR I&C Diversity and Defense-in-Depth Report," analyses.

GEH Response

GEH concurs.

The Vacuum Breaker Isolation Function (VBIF) is the safety-related means of backing up the individual vacuum breakers (VBs), whose safety-related isolation function is the mechanical seating of the VB disc.

The VBIF is implemented on a diverse hardware platform (VBIF logic processor) similar to ATWS/SLC. An independent control platform is required in order to avoid common cause failures (CCFs) of the RTIF, NMS, or SSLC/ESF hardware that are postulated in the applicable PRA event sequences and could adversely affect operation of the VBIF logic. Since the primary means of maintaining system isolation is mechanical, the VBs are not subject to computer-related CCF. VBIF is the diverse means of maintaining system isolation; thus, CCF of the VBIF logic processor does not need to be considered and the VBIF logic processor does not require any Diverse Protection System backup functions.

The ESBWR I&C Diversity and Defense-in-Depth Report analyses (NEDO-33251) will be revised for Revision 2 to incorporate a description of the VBIF functions and to note that the VBIF is not required to perform any diverse functions.

DCD Impact

The ESBWR I&C Diversity and Defense-in-Depth Report analyses (NEDO-33251) will be revised as shown in Enclosure 2 to incorporate a description of the VBIF functions and to note that the VBIF is not required to perform any diverse functions. This revision will be completed to support issuance of DCD Tier 2 Revision 6.


NRC RAI 7.1-106

DCD Tier 2, Revision 5 Section 7.1.3 states that the safety-related VDUs provide data display for RTIF, NMS, and SSLC/ESF safety-related systems but manual control capability only for the SSLC/ESF. DCD Tier 2 Section 7.3.6.2, VB System Description, states that manual controls are independent for each VB isolation valve and are hard-wired to be independent of the VB isolation valve automatic control logic. Explain the VB isolation valves' detailed control design and its interface with the SSLC/ESF system. Identify whether or not the VB isolation valves are controlled by the safety-related VDUs.

GEH Response

GEH concurs with your request.

1. The VB isolation valve (VBIV) control logic is designed to be independent of other control systems and functions. As noted in DCD Tier 2, Revision 5, subsection 7.3.6.2, each VBIV has dedicated sensors and logic and operates independently of the other VBIVs according to input received from its sensors. Logic is processed for each individual isolation valve; failure of the logic for one VBIV does not affect the logic for any other VBIV.

The control logic for each VBIV consists of a LOCA permissive, primary logic, and secondary logic:

(a) the LOCA permissive is based upon discrete measurements of drywell temperature. If two-out-of-four divisions of drywell sensors indicate that the drywell temperature exceeds a predetermined LOCA value, then a permissive is generated for use by the primary and secondary logics.

(b) for the primary logic, each VBIV has four divisions of discrete temperature sensors assigned to it that measure temperatures in the drywell and in the wetwell as noted in DCD Tier 2 Section 7.3.6.2. If the temperature difference between the drywell and wetwell measurements exceeds a setpoint, a two-out-of-four logic output (based upon all four divisions) and the LOCA permissive combine to provide an output to close the corresponding VBIV. One division can be bypassed at any time via selector switch for maintenance purposes, changing the voting logic to two-out-of-three.

(c) the secondary logic is based upon the temperature difference between the drywell and wetwell, the status of the LOCA permissive, and the vacuum breaker position. If two-out-of-four vacuum breaker position sensors indicate that the vacuum breaker is not closed, and if the temperature difference between the drywell and wetwell exceeds its setpoint, and if the LOCA permissive is available, then the secondary logic provides an output to close the corresponding VBIV.

The VBIV logic is independent of other control systems in the ESBWR. There is no interface with the SSLC/ESF system.


Manual open and close inputs for each VB isolation valve are not hardwired directly to each valve. They are hardwired from the Main Control Room (MCR) to the same hardware platform on which VBIV logic is implemented, since that platform does not use multiplexers.

2. Manual control of each VBIV is performed by a discrete control switch in the MCR and not by the VDUs.
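The per-valve logic described in items 1(a) through 1(c) above, written out as an added example; this is not code from the GEH response or the DCD, and the setpoint values and sensor readings in it are constructed for illustration. Two assumptions go beyond the text: the secondary logic is given its own (lower) delta-T setpoint so that the two paths are distinguishable, and the single maintenance bypass is applied to every vote for that valve, not only to the primary logic. The hardwired MCR switch of item 2 is a separate input to the same platform and is not modelled.

```python
"""Automatic close demand for one ESBWR vacuum breaker isolation valve (VBIV).

Added example, not code from GEH or the DCD. Setpoints and readings are
constructed for illustration. Assumptions beyond the response text: the
secondary logic uses its own (lower) delta-T setpoint, and the one permitted
maintenance bypass removes that division from every vote for this valve.
"""
from typing import Optional, Sequence

# Hypothetical setpoints in degrees C; the DCD values are not given here.
LOCA_DRYWELL_TEMP_SETPOINT = 65.0   # (a) LOCA permissive
PRIMARY_DELTA_T_SETPOINT = 20.0     # (b) drywell minus wetwell
SECONDARY_DELTA_T_SETPOINT = 10.0   # (c) assumed lower than the primary setpoint

DIVISIONS = 4       # four divisions of sensors per VBIV
REQUIRED_VOTES = 2  # two-out-of-four; two-out-of-three with one bypass


def vote(trips: Sequence[bool], bypassed: Optional[int] = None) -> bool:
    """Two-out-of-N voter. A bypassed division is dropped from the vote, so
    2oo4 becomes 2oo3. The selector can name at most one division."""
    if len(trips) != DIVISIONS:
        raise ValueError(f"expected {DIVISIONS} divisions, got {len(trips)}")
    if bypassed is not None and not 0 <= bypassed < DIVISIONS:
        raise ValueError("bypass selector must name one of the four divisions")
    active = [t for i, t in enumerate(trips) if i != bypassed]
    return sum(active) >= REQUIRED_VOTES


def loca_permissive(drywell_temps: Sequence[float],
                    bypassed: Optional[int] = None) -> bool:
    """(a) 2oo4 drywell temperature above the LOCA setpoint."""
    return vote([t > LOCA_DRYWELL_TEMP_SETPOINT for t in drywell_temps], bypassed)


def delta_t_trip(drywell_temps: Sequence[float], wetwell_temps: Sequence[float],
                 setpoint: float, bypassed: Optional[int] = None) -> bool:
    """2oo4 vote on per-division (drywell - wetwell) exceeding a setpoint.
    Each division compares its own sensor pair before the vote."""
    deltas = [dw - ww for dw, ww in zip(drywell_temps, wetwell_temps)]
    return vote([d > setpoint for d in deltas], bypassed)


def primary_logic(drywell_temps, wetwell_temps, bypassed=None) -> bool:
    """(b) delta-T vote AND LOCA permissive."""
    return (delta_t_trip(drywell_temps, wetwell_temps,
                         PRIMARY_DELTA_T_SETPOINT, bypassed)
            and loca_permissive(drywell_temps, bypassed))


def secondary_logic(drywell_temps, wetwell_temps, vb_not_closed,
                    bypassed=None) -> bool:
    """(c) 2oo4 'VB not closed' position AND delta-T AND LOCA permissive."""
    return (vote(list(vb_not_closed), bypassed)
            and delta_t_trip(drywell_temps, wetwell_temps,
                             SECONDARY_DELTA_T_SETPOINT, bypassed)
            and loca_permissive(drywell_temps, bypassed))


def vbiv_close_demand(drywell_temps, wetwell_temps, vb_not_closed,
                      bypassed=None) -> bool:
    """Close demand for one VBIV: either logic path is sufficient."""
    return (primary_logic(drywell_temps, wetwell_temps, bypassed)
            or secondary_logic(drywell_temps, wetwell_temps, vb_not_closed,
                               bypassed))


if __name__ == "__main__":
    # Constructed readings. One division failed high must not close the valve.
    print(vbiv_close_demand([120, 41, 40, 42], [35, 36, 35, 36], [False] * 4))
    # Two tripped divisions close it; bypassing one of them drops the demand
    # because the remaining three divisions only carry one trip.
    print(vbiv_close_demand([80, 81, 40, 42], [50, 51, 35, 36], [False] * 4))
    print(vbiv_close_demand([80, 81, 40, 42], [50, 51, 35, 36], [False] * 4,
                            bypassed=0))
```

The voter is the part worth checking first when reviewing such logic: a single failed-high sensor never reaches the two-vote threshold, and a bypassed division contributes nothing rather than being treated as tripped, which is what keeps maintenance from causing a spurious closure.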

DCD Impact

DCD Tier 2 Revision 5, subsection 7.3.6.2, will be revised in DCD Revision 6 as shown in Enclosure 2 to incorporate words clarifying manual operation of the VBIF.


NRC RAI 7.1-107

DCD Tier 2, Revision 5, Section 7.1.6.4 states that an exception to RG 1.62 Regulatory Position C4 and C5 is taken for the two of four divisional manual trip switches for ADS (SRV and DPV), GDCS, ICS, and SLC manual initiation. Provide simplified schematic diagrams to demonstrate the difference between the ESBWR design and the RG 1.62 guidance and justify these exceptions.

GEH Response

GEH concurs with the request. The exception to RG 1.62 listed in DCD Tier 2, subsection 7.1.6.4 is an error and will be deleted from this section to maintain consistency with DCD Tier 2, Sections 7.3 and 7.4. The ESBWR ADS (SRV and DPV), GDCS, ICS, and SLC designs conform to RG 1.62 as stated in DCD Tier 2, Sections 7.3 and 7.4.

DCD Impact

DCD Tier 2, Revision 5, Section 7.1.6.4 will be revised in Revision 6 as shown in Enclosure 2.


NRC RAI 7.1-108

DCD Tier 2 Section 7.1.8 References 7.1-10 and 7.1-12 document titles are different from Tier 1 Section 3.2. These titles should be consistent (i.e. SQAPM and SMPM).

GEH Response

GEH agrees that the titles should be consistent. The ESBWR DCD Tier 2 Section 7.1.8 References 7.1-10 and 7.1-12 document titles will be made consistent with Tier 1 Section 3.2.

Additionally, a review was conducted and the titles for the software manuals will be updated and made consistent throughout the DCD.

DCD Impact

The ESBWR DCD will be revised in Revision 6 as shown in Enclosure 2.


NRC RAI 7.2-67

DCD Tier 2 Section 7.2.1.2.4.2 identifies a low control rod drive HCU accumulator charging header pressure scram, which is further described as "an anticipatory scram because it initiates a scram before the HCUs have time to depressurize the reactor". However, DCD Tier 2 Section 4.6 identifies that the low control rod drive HCU accumulator charging header pressure scram ensures the capability to scram and shutdown the reactor before the HCU accumulator pressure can degrade to the level where scram performance is adversely affected following the loss of charging header pressure. DCD Tier 2, Revision 5, added the words "the reactor" to the phrase in DCD Tier 2 Section 7.2.1.2.4.2, which now makes it inconsistent with DCD Tier 2 Section 4.6. Clarify the function of the low control rod drive HCU accumulator charging header pressure scram to ensure it is consistently described in Chapters 4 and 7.

GEH Response

GEH concurs. ESBWR DCD Tier 2 Subsection 7.2.1.2.4.2 will be revised to remove the words "the reactor" from the last sentence of the Control Rod Drive System paragraph to indicate that a low CRD HCU charging header pressure anticipatory trip initiates a scram before the HCU accumulators depressurize.

DCD Impact

DCD Tier 2 subsection 7.2.1.2.4.2 will be revised in Revision 6 as shown in Enclosure 2.


NRC RAI 7.3-14

SRP Section 7.3 (both revisions 4 and 5) identifies that GDC 29 is applicable to engineered safety features actuation systems (ESFAS). However, DCD Tier 2, Table 7.1-1 and Section 7.3 do not identify that GDC 29 is applicable to any ESFAS. DCD Tier 2 Table 1.9-7 does not identify this as a difference with SRP 7.3. Clarify the applicability of GDC 29 to ESFAS. Note that DCD Tier 2, Section 3.1.3.10 references DCD Tier 2, Section 7.3.

GEH Response

GEH concurs with the request. DCD Tier 2, subsections 7.3.1.1.3.2, 7.3.1.2.3.2, 7.3.3.3.2, 7.3.4.3.2, 7.3.5.3.2, 7.3.6.3.2 and Table 7.1-1 will be revised to identify that GDC 29 is applicable to ESFAS.

DCD Impact

DCD Tier 2, subsections 7.3.1.1.3.2, 7.3.1.2.3.2, 7.3.3.3.2, 7.3.4.3.2, 7.3.5.3.2, and 7.3.6.3.2 will be revised in Revision 6 to identify that GDC 29 is applicable to ESFAS as shown in Enclosure 2.

DCD Tier 2 Table 7.1-1 will be revised in Revision 6 as described above. The markup will be provided in a separate submittal in response to RAI 7.1-99.


NRC RAI 7.4-8

DCD Tier 2 Table 7.1-1 identifies that RG 1.209 is applicable to the Remote Shutdown System (RSS). However, conformance to RG 1.209 is not identified in DCD Tier 2 Section 7.4.2.3.3. Clarify the applicability of RG 1.209 to the RSS.

GEH Response

The RSS safety-related design conforms to RG 1.209 as identified in DCD Tier 2, Table 7.1-1. DCD Tier 2, Subsection 7.4.2.3.3 will be revised to be consistent with DCD Tier 2, Table 7.1-1.

DCD Impact

DCD Tier 2, Chapter 7, subsection 7.4.2.3.3 will be revised in DCD Revision 6 as shown in Enclosure 2 to identify that the RSS safety-related design conforms to RG 1.209.


NRC RAI 7.4-9

Clarify the design bases of the Reactor Water Cleanup (RWCU)/Shutdown Cooling (SDC) System I&C as described in DCD Tier 2, Section 7.4.3.1.3. DCD Tier 2, Section 7.4.3.1.3 identifies six power generation design bases which partially correspond to the four basic plant functions described in DCD Tier 2 Section 7.4.3.2.1 and the seven major activities identified in DCD Tier 2 Section 5.4.8. DCD Tier 2 Section 5.4.8.1.1 identifies six power generation design bases for the RWCU function and DCD Tier 2 Section 5.4.8.2.1 identifies three power generation design bases and three Post-LOCA bases for the SDC function. Section 7.4.3.1.3 does not identify any Post-LOCA bases. Also, the significantly different wording of the bases and descriptions precludes the staff from verifying that the appropriate bases have been identified for the RWCU/SDC system I&C.

GEH Response

GEH concurs. DCD Tier 2, subsection 5.4.8.2.1 provides a clear discussion of the RWCU/SDC design basis. Therefore, to avoid unnecessary duplication and assure consistent discussion, DCD Tier 2, Subsection 7.4.3.1.3 will be deleted.

The verbiage contained in subsection 7.4.3.1.2, Nonsafety-Related Design Basis, will be moved to subsection 7.4.3.1, System Design Bases, and subsection 7.4.3.1.2 will be deleted.

DCD Tier 2, subsection 7.4.3.2.1 will also be revised to delete the discussion of the four basic plant functions in order to eliminate inconsistent discussion.

DCD Impact

DCD Tier 2, Section 7.4.3 will be revised in DCD Revision 6 as noted in Enclosure 2.


NRC RAI 7.4-10

DCD Tier 2 Section 7.4.3.1.3 identifies that there is an interlock to prevent the opening of the regenerative heat exchanger (RHX) bypass valves during reactor power operation. This interlock is not identified in DCD Tier 2 Section 5.4.8. DCD Tier 2 Section 5.4.8.1.2 identifies that interlocks are provided to prevent inadvertent opening of the demineralizer resin addition and backflushing valves during normal operation. This interlock is not identified in DCD Tier 2 Section 7.4.3. A change was made in DCD Rev. 5 in Section 7.4.3.1.3 to state that the RWCU/SDC Shutdown Cooling function modes are interlocked with reactor power operation to prevent increase in core reactivity; however, a corresponding change was not made in section 5.4.8.1.1. Clarify the RWCU/SDC System interlocks in the DCD.

GEH Response

GEH concurs. DCD Tier 2 subsection 5.4.8.1.1 will be revised to identify the interlock logic that prevents opening of regenerative heat exchanger (RHX) bypass valves during reactor power operation.

DCD Tier 2, subsection 7.4.3.1.3 will be deleted to eliminate duplicate and inconsistent discussion. Refer to the response to RAI 7.4-9 within this transmittal for this change to subsection 7.4.3.1.3.

DCD Impact

DCD Tier 2, Subsection 5.4.8.1.1 will be revised in DCD Revision 6 as shown in Enclosure 2.


NRC RAI 7.4-11

DCD Tier 2 Section 5.4.8.1.3 refers to DCD Tier 2 Section 7.4.3 for the discussion of safety-related RWCU/SDC instrumentation to detect system pipe break outside the containment. DCD Tier 2 Section 7.4.3.1.2 identifies that the RWCU/SDC system provides safety-related instrumentation for detection of system breaks outside the containment, but provides no further information or reference. DCD Tier 2 Section 5.2.5 does describe some RWCU/SDC leakage detection instrumentation but this section does not reference Section 7.4.3 nor vice versa. Clarify the safety-related RWCU/SDC instrumentation to detect system pipe breaks outside the containment.

GEH Response

GEH concurs. DCD subsection 5.4.8.1.3 will be revised to reference DCD subsection 5.2.5 in lieu of referencing 7.4.3. Additionally, the subsection 5.4.8.1.1 reference to 7.4.3 will be corrected to reference subsection 5.2.5.

The safety-related RWCU/SDC containment isolation and leak detection functions are performed by LD&IS and are discussed in DCD subsection 7.3.3. Subsection 7.3.3.2 (LD&IS System Description) references Subsection 5.2.5, which provides a detailed description of monitored parameters and the leak detection monitoring instrumentation of the RWCU/SDC, including reference to Table 5.2-6, "LD&IS Control and Isolation Functions vs. Monitored Variables."

DCD Impact

DCD Tier 2 subsections 5.4.8.1.1 and 5.4.8.1.3 will be revised in Revision 6 as shown in Enclosure 2.


NRC RAI 7.5-7

DCD Tier 2 Section 7.5.1.3.5 discusses the conformance of the post accident monitoring instrumentation to BTP HICB-10. The section references RG 1.97, Revision 4, Section A, which states that "Branch Technical Position HICB-10 will require updates for consistency with Revision 4 of RG 1.97. Conformance to these requirements is addressed during the detailed design phase."

The discussion of conformance to BTP HICB-10 is no longer applicable as BTP 7-10 was issued in March 2007 to address RG 1.97, Revision 4, Section A. DCD Tier 2 Section 7.5.1.3.5 should be updated to reference and describe conformance to BTP 7-10. BTP HICB-10, Revision 4, is still referenced in Table 1.9-20. The reference should also be updated to BTP 7-10 Revision 5. Since the ESBWR is conforming to the latest version of RG 1.97, the DCD should discuss conformance to the corresponding version of BTP 7-10.

The DCD statement that discussion of conformance to BTP 7-10 is addressed in the detailed design phase is inappropriate. Include in the DCD discussion of conformance to the design and qualification criteria supplemental to RG 1.97 identified in BTP 7-10.

GEH Response

GEH does not concur with the Staff's request. The ESBWR conforms with RG 1.97, Revision 4. GEH proposes the following clarification to the referenced text:

BTP HICB-10, Guidance on Application of RG 1.97:

* Conformance: The PAM instrumentation design conforms to RG 1.97 Revision 4, IEEE Standard 497-2002 (with clarifications and exceptions stated in RG 1.97 Revision 4), and RG 1.100.

DCD Impact

DCD Tier 2 Section 7.5.1.3.5 will be revised in DCD Revision 6 as shown in Enclosure 2.


NRC RAI 7.6-3

DCD Tier 2, Revision 5, Section 7.6.1.3, Safety Evaluation, identifies the HP/LP interlock system (which provides protection to the low pressure FAPCS from the high pressure RWCU system) as nonsafety-related within the scope of Regulatory Treatment of Non-Safety Systems (RTNSS). However, this HP/LP interlock system is not included in the Chapter 19 Appendix A on RTNSS systems. Address this interlock in Chapter 19 Appendix A.

GEH Response

GEH does not concur with the staff's request and proposes the following resolution:

The interlock logic exists to protect low pressure piping, but the protection of low pressure piping is not required to meet RTNSS criteria as specified in DCD Tier 2 Chapter 19 Appendix A. No change to DCD Tier 2 Chapter 19 is required. Section 7.6.1.3, Safety Evaluation, will be revised to delete references to RTNSS treatment of the 'HP/LP Interlock System.' The interlock functions are embedded in the DCIS logic such that there is no separate interlock system. Therefore, sections 7.1.3.2.5, 7.1.6.5, and 7.6 will be revised to remove references to the 'Interlock System' and replace them with 'Interlock Logic.'

DCD Impact

DCD Tier 2, sections 7.1.3.2.5, 7.1.6.5, and 7.6 will be revised as shown in Enclosure 2.


NRC RAI 7.8-8

DCD Tier 2 Section 7.8 describes the nonsafety-related Anticipated Transient Without Scram/Alternate Rod Insertion (ATWS/ARI) mitigation system and the Diverse Protection Systems (DPS) as part of the Diverse Instrumentation and Control System. SRP 7.8 states that Generic Letter 85-06 provides acceptable guidance for the quality assurance of diverse I&C systems and components. Additionally, SRP 7.8 states that the applicant should identify the test, maintenance, surveillance, and calibration procedures and that these procedures should be consistent with the guidance of Generic Letter 85-06. DCD Tier 2 Table 1.9-7 does not identify any differences with SRP 7.8. However, the DCD does not incorporate the guidance for DICS quality, system testing, and surveillance provided in Generic Letter 85-06 "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related." While DCD Tier 2 Table 3.2-1 includes notes for Component C-12, Item 10 and component C-41, Item 7 stating, "A quality assurance program that meets or exceeds the guidance of NRC Generic Letter 85-06 is applied to all Nonsafety-Related ATWS equipment," no comparable note is provided for component C-72, the DPS. Identify in the DCD how GEH plans to address the equipment qualification (EQ), quality assurance, and procedure guidance of Generic Letter 85-06 for the Diverse Instrumentation and Control System.

GEH Response

GEH agrees that Table 3.11-1 should indicate the requirements of the EQ program with respect to the diverse instrumentation and control systems. In addition, subsection 7.8.3 will be revised to show that the diverse instrumentation and control systems apply the guidance of Generic Letter 85-06.

A quality assurance program that meets or exceeds the guidance of Generic Letter 85-06 is applied to all nonsafety-related diverse I&C systems and components described in Section 7.8. Software used in diverse instrumentation and control systems is designed and developed in accordance with the requirements of LTRs "ESBWR Software Management Program Manual," NEDO-33226, NEDE-33226P, and "ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P. DCD subsection 7.8.3 will be updated to state "A quality assurance program that meets or exceeds the guidance contained in NRC Generic Letter 85-06, 'Quality Assurance Guidance for ATWS Equipment That Is Not Safety Related,' is applied to all diverse I&C systems and components described in this Section. Software used in diverse instrumentation and control systems is designed and developed in accordance with the requirements of Reference 7.8-3."

The request to clarify how special quality assurance requirements are specified in Table 3.2-1 for Diverse I&C systems will be addressed separately in the response to a more general request made recently in RAI 3.2-6, Supplement 2, to clarify this issue for all nonsafety-related SSCs.

Page 20: HITACHI Hitachi Nuclear Energy2's4 64S ý# Richard E. Kingston Vice President, ESBWR Licensing MFN 08-742, Supplement 1 Page 2 of 2 Reference: 1. MFN 08-687, Letter from U.S. Nuclear

MFN 08-742, Supplement 1, Enclosure 1, Page 17 of 17

DCD Revision 5, Tier 2, Subsection 7.8.4, Testing and Inspection Requirements, states that periodic testing to verify proper operation of the ATWS/SLC and DPS logic is performed. The required tests, maintenance, surveillance, and calibration procedures for the risk significant diverse instrumentation and control functions are included in the Availability Control Manual or the Technical Specifications as outlined by Table 19A-2. The DPS platform functions that are not identified as risk-significant functions have their test, maintenance, surveillance, and calibration procedures developed in accordance with provisions outlined in Section 13.5.

DCD Revision 5, Tier 2, Subsection 7.8.3.3 addresses conformance of the diverse protective functions to the Staff Requirements Memorandum (SRM) on SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced LWR Designs." Conformance with the SRM on SECY 93-087 includes the ability of the equipment to perform in the environments assumed in GEH document NEDO-33251, "ESBWR I&C Diversity and Defense-in-Depth Report." The equipment required to perform the diverse functions required by NEDO-33251 to meet BTP 19 requirements will be included in the EQ program as outlined in Table 3.11-1 in the attached markup. All diverse instrumentation and control functions will be performed by systems of sufficient quality to perform the necessary functions under the associated event conditions, as required by the SRM on SECY 93-087 and stated in DCD Revision 5, subsection 7.8.3.3.

DCD Impact

DCD Tier 2, Table 3.11-1 and subsection 7.8.3 will be revised in DCD Revision 6 as shown in Enclosure 2. Table 3.2-1 updates described above will be provided in a separate submittal in response to RAI 3.2-6, Supplement 2.


MFN 08-742, Supplement 1

Enclosure 2

Response to Portion of NRC Request for Additional Information Letter No. 251

Related to ESBWR Design Certification Application

DCD and Licensing Topical Report Markups for RAI Numbers 7.1-105, 7.1-106, 7.1-107, 7.1-108, 7.2-67, 7.3-14,

7.4-8, 7.4-9, 7.4-10, 7.4-11, 7.5-7, 7.6-3, and 7.8-8


LTR NEDO-33251 Markups for RAI 7.1-105


NEDO-33251

RCCW Reactor Closed Cooling Water System

RCS Reactor Coolant System

RG Regulatory Guide

RPS Reactor Protection System

RPV Reactor Pressure Vessel

RSS Remote Shutdown System

RTIF Reactor Trip and Isolation Function

RMU Remote Multiplexing Unit

RWCU/SDC Reactor Water Cleanup System/Shutdown Cooling System

RWM Rod Worth Minimizer

SB&PC Steam Bypass and Pressure Control

SBWR Simplified Boiling Water Reactor

SCRRI Selected Control Rod Run-In

SLCS Standby Liquid Control System

SPDS Safety Parameter Display System (Sub-system of N-DCIS)

SRI Select Rod Insert

SRNM Source Range Neutron Monitor

SRV Safety-Relief Valve

SSC Shift Supervisor Console

SSLC Safety System Logic and Control

TBV Turbine Bypass Valve

TCCW Turbine Component Cooling Water

TGCS Turbine Generator Control System

TMI Three Mile Island

TMR Triple Modular Redundant

TSC Technical Support Center

VBIF Vacuum Breaker Isolation Function

VDU Video Display Unit (in this document the VDUs are assumed to be touch screen but further HFE analysis may dictate other operator pointing devices)

WDP Wide Display Panel


* Trademark of General Electric Company

viii


NEDO-33251

Instrumentation System

"A reactor instrumentation system is that set of equipment that senses various reactor parameters and transmits appropriate signals to control systems, to the reactor trip system, to the engineered safety features actuation system, and to the monitoring and indicator system for use in determining the actions these systems or reactor operators will take. Independence is required between control systems, safety monitoring and display systems, the two safety systems, and between redundant divisions of the safety systems."

In this report, the instrumentation system includes the following systems in the I&C architecture:

N-DCIS or cabinets including:

- Plant Investment Protection A,

- Plant Investment Protection B,

- DPS Severe Accident (deluge) Control System,

- Balance of Plant Control, and

- Plant Computer Functions (Sub-system of N-DCIS).

Q-DCIS or cabinets including:

- Reactor Trip and Isolation Function (RTIF) (the RTIF cabinet includes the RPS and the Main Steam Isolation Valve (MSIV) Leak Detection and Isolation System (LD&IS)).

- Anticipated Transients Without Scram/Standby Liquid Control System (ATWS/SLCS) (also includes some nonsafety-related functions; the safety-related functions of ATWS/SLCS are physically located in the RTIF cabinet).

- Containment System Vacuum Breaker Isolation Function (VBIF) (physically located in the RTIF cabinets).

- SSLC/ESF [includes ECCS (Isolation Condensers, Automatic Depressurization System, Gravity-Driven Cooling System and Standby Liquid Control System), control room habitability system, Non-MSIV LD&IS and the safety-related functions of the Containment Monitoring System (CMS)].

xiii


NEDO-33251

2 ESBWR INSTRUMENTATION AND CONTROL ARCHITECTURE / SYSTEMS DESCRIPTION

2.1 ARCHITECTURE DESCRIPTION

The architecture of the I&C associated function is shown in Figure 1. This figure is a simplified representation of the ESBWR I&C architecture that illustrates the interactions between the various safety-related and nonsafety-related components. Divisional Q-DCIS cabinets are located in one of the four dedicated DCIS rooms appropriate to their division. The nonsafety-related Distributed Control and Information System (N-DCIS) cabinets and components are located in one of two nonsafety-related DCIS rooms; although also nonsafety-related, the DPS control cabinet is located separately from the other nonsafety-related control system cabinets. Specifically, the four divisional safety-related control systems of the Q-DCIS are physically separated from each other and from the nonsafety-related control systems of the N-DCIS and from the DPS. The two trains of the nonsafety-related plant investment protection (PIP) system controllers are physically separated from each other and from the Q-DCIS and the DPS. The DPS is physically separated from the two PIP trains and the Q-DCIS.

Communication between the safety-related and nonsafety-related DCIS is through fiber optic cable (fiber) and from Q-DCIS to N-DCIS [the only exceptions are time of day (used for time tagging safety-related data for later analysis but not for synchronization of the Q-DCIS) and Average Power Range Monitor/Local Power Range Monitor (APRM/LPRM) calibration, which can only be done by making the affected instrument inoperable (INOP)]. All communication between divisions (to perform two-out-of-four logic) is also fiber isolated and one-way in the sense that no division is dependent on any other division for information, timing, data or the communication itself. More specifically, no safety-related function depends on the accuracy or existence of any nonsafety-related communication, or any nonsafety-related component.

Almost all communication to/from the field Remote Multiplexing Units (RMUs) is by fiber and all communication from the DCIS rooms to the main control room (MCR) safety-related and nonsafety-related Video Display Units (VDUs) is via fiber. The few hard-wired exceptions are for signals like main turbine trip or reactor SCRAM signals. These MCR considerations are important because the communications protocol is such that a failure of a fiber will not cause erroneous operation nor affect the continued operation of all automatic safety-related or nonsafety-related systems. Likewise, touch screen operation of the VDUs requires several operator actions whose resulting communication is unlikely to be replicated by communications loss or damage; similarly, the DCIS represents a distributed network whose nodal addresses are equally unlikely to be replicated by fiber loss.

Very broadly the major functional groupings of the DCIS include:

Nuclear Measurement Analysis and Control (NUMAC) derived functions (four divisions):

- Reactor Protection System (RPS),

- Main steam isolation valve (MSIV),

- Leak Detection and Isolation System (LD&IS),

- Vacuum Breaker Isolation Function (VBIF) of the Containment System, and


NEDO-33251

The DCIS hardware and software architecture is compliant with NEDO-33226P, Software Management Plan (Reference 5). The configuration supports:

* Controlling and monitoring of the safety-related systems on the safety-related displays whatever the status of the N-DCIS,

* The alarm management of safety-related systems on the N-DCIS (through isolated data links from the four divisions; control of Q-DCIS from N-DCIS is not possible through the data links),

* Dual and triple redundancy for all important PCF and for control of power generation systems,

* Segmented PIP systems, and

* A high quality nonsafety-related DPS that can perform a subset of reactor scrams, isolations, and ESF actuations without affecting or interfering with its safety-related counterparts.

The ESBWR DCIS uses all the methodologies mandated by the various regulations to maximize control system reliability and safety; these include redundancy, diversity, segmentation and isolation. Diversity is indicated for the various control systems:

* Q-DCIS cabinets including:

- Reactor Trip and Isolation System (RTIF) cabinet [includes RPS and (MSIV) LD&IS].

- NMS [including APRMs, LPRMs and Source Range Neutron Monitor (SRNMs)].

- ATWS/SLCS (also includes some nonsafety-related functions) (this function is physically located in the RTIF cabinets).

- VBIF (this function is located in the RTIF cabinets).

- ESF/ECCS [includes ICS, ADS, GDCS, SLCS, Non MSIV LD&IS, Control Room Habitability System (CRHS) and Containment Monitoring System (CMS)].

* N-DCIS cabinets including:

- PIP A,

- PIP B,

- DPS,

- Severe Accident (deluge) Control System,

- BOP Control, and

- PCF (Subsystem of N-DCIS).

7


NEDO-33251

2.2 SAFETY-RELATED DISTRIBUTED CONTROL AND INFORMATION SYSTEM OVERVIEW

The Q-DCIS consists of the RPS (including MSIV isolation), the NMS and the SSLC/ESF. These systems and their associated sensors are organized into four divisions; the touch screen displays associated with each division provide for the control of the safety-related equipment and additionally provide the necessary monitoring of the plant safety-related functions during and following an accident as required by Regulatory Guide (RG) 1.97 (Reference 13). The two-out-of-four logic associated with the RPS, LD&IS, NMS and SSLC/ESF, and the simplified ECCS systems of the ESBWR allow the plant to be designed as "N-2"; specifically, any two divisions can accomplish the safety-related trip and ECCS functions. N-2 is a significant element of the defense in depth design of the ESBWR DCIS.

The RPS and NMS systems are implemented on a NUMAC hardware/software platform and are sub functions of the Q-DCIS; the general relationship is shown in Figure 6. (There are also nonsafety-related portions of NMS not implemented on NUMAC platforms.) The RPS controllers/logic are located in the RTIF cabinet (one per division in separate Q-DCIS rooms) that combines the RPS, LD&IS (for MSIVs and drains only), VBIF and ATWS/SLCS functions. Although all equipment located in the RTIF cabinet is appropriate to the division and everything in the cabinet is powered by the appropriate divisional uninterruptible and battery power, the ATWS/SLCS function and the VBIF are segregated to separate chassis from the remaining RTIF controllers/logic and from one another. Logic required for the ATWS/SLC function and VBIF functionality are diverse from the RTIF-NMS and SSLC/ESF platforms. All of the RTIF functions are implemented in safety-related hardware/software platforms diverse from the DPS.

The ESBWR RPS design has several important differences from other Boiling Water Reactor (BWR) SCRAM logic and hardware (although many of these features were included in the ABWR design); these include:

* Per parameter trip (specifically there must be (for example) two un-bypassed level trips to SCRAM; a pressure trip and a level trip will not cause a SCRAM).

* No operator manipulation of the division of sensors and/or division of logic bypass, nor any operation of the RPS back panel inoperable switches, can reduce SCRAM logic redundancy to less than "any two un-bypassed same parameters in trip will cause a SCRAM". Only one division at a time can be physically bypassed. The RPS (and MSIV LD&IS) is N-2 to SCRAM/isolate.

* Communication with the nonsafety-related DCIS is one-way (Q-DCIS to N-DCIS) through fiber; the loss of this communication does not affect RPS functionality.

* Communication with other RPS divisions is one-way, fiber isolated, and does not mix divisional data.

* All signals are actively transported such that "fail safe" is not a "1" or a "0" but rather "trip on loss of communication". As a result, loss of communication from another

14
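The SCRAM voting rules listed above (per-parameter two-out-of-four voting, at most one division bypassed at a time, and a lost communication link treated as a trip rather than as a quiet "0") are small enough to model directly. The following is an added illustration, not GEH or NEDO-33251 code: the division indices, the three channel states and the sample scenarios are constructed for the example, and the assumption that a lost link counts exactly like a trip from that division is this example's reading of "trip on loss of communication".

```python
"""Model of per-parameter two-out-of-four RPS voting with a fail-safe link.

Constructed example, not ESBWR design code. States and scenarios below are
made up to exercise the rules stated in the text.
"""
from typing import Dict, Iterable, List

TRIP, NORMAL, LOST = "trip", "normal", "lost"   # per-division channel states
DIVISIONS = 4


class BypassError(ValueError):
    """Only one division can be physically bypassed at a time."""


def effective_trip(state: str) -> bool:
    """Signals are actively transported: a lost link reads as a trip (fail-safe)."""
    return state in (TRIP, LOST)


def parameter_votes_scram(channels: List[str], bypassed: Iterable[int]) -> bool:
    """True when two or more un-bypassed divisions are in (effective) trip
    on this single parameter. Bypassed divisions contribute no vote."""
    if len(channels) != DIVISIONS:
        raise ValueError(f"expected {DIVISIONS} divisional channels")
    excluded = set(bypassed)
    votes = sum(
        1 for division, state in enumerate(channels)
        if division not in excluded and effective_trip(state)
    )
    return votes >= 2


def rps_scram(readings: Dict[str, List[str]], bypassed: Iterable[int] = ()) -> Dict[str, bool]:
    """Vote each parameter separately; trips on different parameters never combine."""
    excluded = set(bypassed)
    if len(excluded) > 1:
        raise BypassError("only one division may be bypassed at a time")
    return {name: parameter_votes_scram(chs, excluded) for name, chs in readings.items()}


def scram_demanded(readings: Dict[str, List[str]], bypassed: Iterable[int] = ()) -> bool:
    """A SCRAM is demanded if any one parameter reaches two-out-of-four."""
    return any(rps_scram(readings, bypassed).values())


def bypass_rejected(readings: Dict[str, List[str]], bypassed: Iterable[int]) -> bool:
    """True if the model refuses the requested set of bypassed divisions."""
    try:
        rps_scram(readings, bypassed)
    except BypassError:
        return True
    return False


# Constructed sample scenarios (divisions 0..3).
MIXED_PARAMETERS = {          # one level trip plus one pressure trip: no SCRAM
    "level": [TRIP, NORMAL, NORMAL, NORMAL],
    "pressure": [NORMAL, TRIP, NORMAL, NORMAL],
}
TWO_LEVEL_TRIPS = {           # two divisions trip on the same parameter: SCRAM
    "level": [TRIP, NORMAL, TRIP, NORMAL],
    "pressure": [NORMAL, NORMAL, NORMAL, NORMAL],
}
TRIP_PLUS_LOST_LINK = {       # one real trip plus one lost division link: SCRAM
    "level": [TRIP, LOST, NORMAL, NORMAL],
    "pressure": [NORMAL, NORMAL, NORMAL, NORMAL],
}

if __name__ == "__main__":
    print("mixed parameters     ->", scram_demanded(MIXED_PARAMETERS))
    print("two level trips      ->", scram_demanded(TWO_LEVEL_TRIPS))
    print("trip + lost link     ->", scram_demanded(TRIP_PLUS_LOST_LINK))
    # Bypassing division 0 removes its trip from the count: no SCRAM.
    print("div 0 bypassed       ->", scram_demanded(TWO_LEVEL_TRIPS, bypassed=[0]))
    print("two bypasses refused ->", bypass_rejected(TWO_LEVEL_TRIPS, [0, 1]))
```

The interesting case for a reviewer is the bypassed scenario: with division 0 bypassed, a trip in division 0 no longer counts, so a second trip elsewhere is still required, which is exactly the "any two un-bypassed same parameters" floor the text describes. Treating a lost link as a trip is what makes the voting degrade toward SCRAM rather than toward silence when communication fails.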


DCD Markups for RAI 7.1-106


26A6642AW Rev. 06 ESBWR Design Control Document/Tier 2

Divisional instruments performing VB isolation valve logic are powered by the associated safety-related divisional power supplies.

* Containment system VB isolation function logic controllers are independent (IEEE Std. 603, Section 5.6).

7.3.6.2 System Description

The wetwell-to-drywell VB isolation function comprises independent logic controllers, three sets of VBs, and three sets of VB isolation valves. A more detailed description is given in Subsection 6.2.1.1.2.

* Automatic Operation

- Closure of the VB isolation valve is performed automatically, without need for operator action, once excessive bypass leakage through a VB is detected.

- Automatic actuation logic is performed by a control system with components similar to those used in the ATWS/SLC control system. These components are an independent Q-DCIS subsystem.

- Each VB/VB isolation valve pair has dedicated sensors and logic. Each VB isolation valve operates independently of the other VB isolation valves according to input received from its sensors. Logic is processed for each individual isolation valve; failure of the logic for one isolation valve does not affect the logic for any other isolation valve.

* Manual Operation

- Manual controls are available to the operator in the MCR to:

  * Open each VB isolation valve, and

  * Close each VB isolation valve.

- Manual controls are independent for each VB isolation valve and are hard-wired to the same hardware as the VB isolation valve automatic control logic.

* Actuation Logic

- The primary closure demand for the VB isolation valve is based upon a temperature differential between the drywell and wetwell and upon the bypass status of the associated division of logic. A separate LOCA temperature value also is provided to the logic.

- A secondary closure demand signal is based upon a temperature differential between the drywell and wetwell and upon VB position. A separate LOCA temperature value also is provided to the logic.

7.3-52


DCD Markups for RAI 7.1-107


26A6642AW Rev. 06 ESBWR Design Control Document/Tier 2

displayed on multiple independent VDUs that each have dual power supplies. The alarm tiles, or their equivalent, are driven by redundant datalinks (with dual power). There are redundant alarm processors. There are no alarms that require manually controlled actions for safety-related systems to accomplish their function. Thus the requirements for safety-related equipment and circuits are not applicable.

7.1.6.4 Regulatory Guides

A discussion of the general conformance of the I&C equipment to RGs is provided below.

RG 1.22, Periodic Testing of Protection System Actuation Functions. Safety-related systems have provision for periodic testing. Proper functioning of analog sensors is verified by channel cross-comparison and is done continuously by the PCF. Some actuators and digital sensors, because of their locations, cannot be fully tested during actual reactor operation. Such equipment is identified and provisions for meeting the guidance of Paragraph D.4 (per BTP HICB-8) are discussed in the Safety Evaluation subsections within Sections 7.2 through 7.8.

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems. Bypass indications are designed to satisfy the guidance of IEEE Std. 603, Paragraph 5.8.3, and RG 1.47. The design of the bypass indications allows testing during normal operation and is used to supplement administrative procedures by providing indications of safety-related systems status.

Bypass indications use isolation devices that preclude the possibility of any adverse electrical effect of the bypass indication circuits on the plant safety-related system.

RG 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems. The safety-related system designs conform to the single failure criterion; additionally, the design meets N-2 conditions.

RG 1.62, Manual Initiation of Protective Actions. The applicable I&C systems are designed to comply with RG 1.62. Specific conformance of the I&C systems is addressed in Sections 7.3

[Struck through in the markup and superseded by the RG 1.75 paragraph that follows:] RG 1.75, Physical Independence of Electric Systems. The safety-related system designs conform to RG 1.75 as described in Subsection [illegible in the scan]. An exception to RG 1.62, Regulatory Positions C.1 and C.5, is taken for the use of four divisional manual trip switches for ADS (SRV and DPV), GDCS, and SLC manual initiation. These switches are indirectly connected to the squib valve load drivers or valve solenoids through the SSLC/ESF. The DPS manual trip switches are independently connected to the squib valve load drivers or valve solenoids through DPS logic.

RG 1.75, Physical Independence of Electric Systems. The safety-related system designs conform to RG 1.75 as described in Subsections 8.3.1.3 and 8.3.1.4.

RG 1.89, Environmental Qualification of Certain Electronic Equipment Important to Safety for Nuclear Power Plants. The safety-related system design conforms to RG 1.89.

RG 1.97, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident. The I&C system is designed to meet the guidance of RG 1.97. Details of design implementation are discussed in Section 7.5.

7.1-63


DCD Markups for RAI 7.1-108


26A6641AB Rev. 06 ESBWR Design Control Document/Tier 1

3.2 SOFTWARE DEVELOPMENT

Inspections, Tests, Analyses, and Acceptance Criteria Summary

Design Description

NUREG-0800, Branch Technical Position HICB-14 (BTP 7-14), outlines activities to be considered when establishing a software development program for software-based Instrumentation and Control (I&C) systems. HICB-14 divides these activities into separate software development plans. The overall approach is that the software plans address and document the elements necessary to ensure the production and delivery of High Quality Software.

GEH has completed a detailed analysis of regulatory guidelines and industry standards and incorporated information from that study into the ESBWR Software Plans. Compliance with this process will provide a sound base for development of High Quality Software.

The ESBWR Instrument & Controls (I&C) Software Plans are included in two GEH documents, the ESBWR Software Management Program Manual (SMPM) and the ESBWR Software Quality Assurance Program Manual (SQAPM). The software plans are identified in the ESBWR Man-Machine Interface System and Human Factors Engineering Implementation Plan. The ESBWR Cyber Security Program Plan is further defined by a separate Licensing Topical Report, ESBWR Cyber Security Program Plan (CySP).

The ESBWR I&C software program will produce requirements, design, development, and testing documents throughout the software lifecycle as described in the SMPM. Result Summary Reports, based on the software plan implementation, address the ESBWR safety-related systems described in Table 2.2.10-1 and their associated safety-related functions defined in the Task Analysis. The results summary reports are available for the NRC staff review, and are included in the list of items for Inspections, Tests, Analyses, and Acceptance Criteria.

The following is a list of the Design Commitments for the Software Development ITAAC:

(1) Implement the Software Management Plan (SMP) for the design and development of ESBWR I&C System software.

(2) Implement the Software Development Plan (SDP) for the design and development of ESBWR I&C System software.

(3) Implement the Software Quality Assurance Plan (SQAP) for the design and development of ESBWR I&C System software.

(4) Implement the Software Integration Plan (SIntP) for the design and development of ESBWR I&C System software.

(5) Implement the Software Installation Plan (SIP) for the design and development of ESBWR I&C System software.

(6) Implement the Software Operation and Maintenance Plan (SOMP) for the design and development of ESBWR I&C System software.

(7) Implement the Software Training Plan (STrngP) for the design and development of ESBWR I&C System software.

3.2-1


26A6642AB Rev. 06 ESBWR Design Control Document/Tier 2

SCG Startup Coordinating Group

SCMP Software Configuration Management Plan

SCRRI Selected Control Rod Run-in

SCU Signal Conditioning Units

SCWS Stator Cooling Water System

SD Scintillation Detector

SDC Shutdown Cooling

SDG Standby Diesel Generator

SDM Shutdown Margin

SDP Software Development Plan

SDPM Software Development Plan Module

SDS System Design Specification

SER Safety Evaluation Report

SF/WT Service Water/Water Treatment Building

SFGA System Functional Gap Analysis

SFmin Minimum Safety Factor

SFP Spent Fuel Pool

SI Système International d'Unités (International System of Units)

SIL Service Information Letter

SIP Separation Indicator Probe

SIT Structural Integrity Test

SIU Signal Interface Unit

SJAE Steam Jet Air Ejector

SLC Standby Liquid Control

SLMCPR Safety Limit Minimum Critical Power Ratio

SMAW Shielded Metal Arc Welding

SMP Software Management Plan

SMPM Software Management Program Manual

SOP System Operating Procedures

SORV Stuck Open Relief Valve

SOT System Operational Transient

SP Setpoint


26A6642AB Rev. 06 ESBWR Design Control Document/Tier 2

SPC Suppression Pool Cooling

SPDS Safety Parameter Display System

SPTM Suppression Pool Temperature Monitoring

SQAP Software Quality Assurance Plan

SQAPM Software Quality Assurance Program Manual

SQAR Supplier Quality Assurance Requirements

SR Surveillance Requirement

SRI Select Rod Insert

SRM Source Range Monitor

SRNM Startup Range Neutron Monitor

SRO Senior Reactor Operator

SRP Standard Review Plan

SRSS Square Root of the Sum of the Squares

SRV Safety Relief Valve

SSAR Standard Safety Analysis Report

SSC Structure, System, or Component

SSE Safe Shutdown Earthquake

SSI Soil-Structure Interaction

SSLC Safety System Logic and Control

SSLC/ESF Safety System Logic and Control Engineered Safety Feature

SSP Software Safety Plan

SSPV Scram Solenoid Pilot Valve

ST Steam Tunnel

STI Startup Test Instructions

STPT Simulated Thermal Power Trip

STRAP Scram Time Recording and Analysis Panel

STS Standard Technical Specifications

SV Safety Valve

SVVP Software Verification and Validation Plan

SWC Surge Withstand Capability

SWMS Solid Waste Management System

SWS Station Water System


26A6642AW Rev. 06 ESBWR Design Control Document/Tier 2

* Communications between the systems.

Figure 7.1-1 shows a simplified functional block diagram of the ESBWR I&C system. The data communication systems embedded in the DCIS perform the data communication functions that are part of or support the systems described in Sections 7.2 through 7.8. A network diagram of the DCIS appears as Figure 7.1-2, which is a functional representation of the design.

The Q-DCIS and N-DCIS architectures, their relationships, and their acceptance criteria are further described throughout Section 7.1.

The Q-DCIS and N-DCIS functions are implemented with diverse power and sensors as indicated in Figure 7.1-3 and diverse hardware and software architectures as shown in Figure 7.1-4. These are discussed in Reference 7.1-4, the Licensing Topical Report (LTR), "ESBWR I&C Defense-In-Depth And Diversity Report," NEDO-33251.

The software for the Q-DCIS and N-DCIS is designed and developed in accordance with the LTRs "ESBWR Software Management Program Manual," NEDO-33226, NEDE-33226P, and "ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P (References 7.1-12 and 7.1-10, respectively). These plans describe the managerial, design, development, and software quality assurance requirements for the DCIS and address the Nuclear Regulatory Commission (NRC) review guidance provided in the Standard Review Plan.

7.1.2 Q-DCIS General Description Summary

The Q-DCIS, which performs the safety-related control and monitoring functions of the DCIS, is organized into four physically and electrically isolated divisions. The Q-DCIS uses three diverse platforms: NUMAC for the RTIF-NMS functions, TRICON for the SSLC/ESF functions, and independent logic controllers for the ATWS/SLC and vacuum breaker (VB) isolation function. Each division is segmented into systems; segmentation allows, but does not require, the systems to operate independently of each other. The Q-DCIS major cabinets, systems, and functions are:

* Reactor Trip and Isolation Function (RTIF) cabinets. These cabinets include the following systems and functions:

- Reactor Protection System (RPS) (Refer to Subsection 7.2.1),

- Main Steam Isolation Valve (MSIV) functions of the Leak Detection and Isolation System (LD&IS) (Refer to Subsection 7.3.3),

- Anticipated Transient Without Scram/Standby Liquid Control (ATWS/SLC) functions (Refer to Subsection 7.4.1),

- Suppression Pool Temperature Monitoring (SPTM) subsystem of the Containment Monitoring System (CMS) (Refer to Subsection 7.2.3), and

- VB isolation function of the containment system (Refer to Subsection 7.3.6).

7.1-2


26A6642AW Rev. 06 ESBWR Design Control Document/Tier 2

7.1.6.6.1.28 Cyber Security (IEEE Std. 7.4.3.2)

The security measures included in RG 1.152 are evaluated and incorporated in the Q-DCIS design and include plant hardware and software security measures. The software development process plans are developed with the security measures.

The comprehensive cyber security program plan (Reference 7.1-8) identifies security risks and outlines appropriate procedures. The plant ensures that hardware, controls, and data networks comprising the control network cannot be disrupted, interrupted, or negatively affected by unauthorized users or external systems. Reference 7.1-8 documents the design commitments, which meet the applicable guidance of RG 1.152, Section C.2, and Positions 2.1 through 2.9.

Inspections, tests, analyses, and acceptance criteria (ITAAC) associated with the cyber-security program plan are provided in Tier 1 together with the SDP.

7.1.7 COL Information

None

7.1.8 References

7.1-1 (Deleted)

7.1-2 (Deleted)

7.1-3 (Deleted)

7.1-4 GE-Hitachi Nuclear Energy Licensing Topical Report (LTR) entitled, "ESBWR I&C Defense-In-Depth and Diversity Report." NEDO-33251, Class I (Non-proprietary), Revision 1, August 2007.

7.1-5 (Deleted)

7.1-6 (Deleted)

7.1-7 (Deleted)

7.1-8 GE Energy, "ESBWR Cyber Security Program Plan," NEDO-33295, Class I (Non-Proprietary); and "ESBWR Cyber Security Program Plan," NEDE-33295-P, Class III (Proprietary).

7.1-9 GE-Hitachi Nuclear Energy, "GEH ABWR/ESBWR Setpoint Methodology," NEDO-33304, Class I (Non-proprietary); and "GEH ABWR/ESBWR Setpoint Methodology," NEDE-33304P, Class III (Proprietary), Revision 0, October 2007.

7.1-10 GE Hitachi Nuclear Energy, "ESBWR Software Quality Assurance Program Manual," NEDO-33245, Class I (Non-proprietary); and "ESBWR Software Quality Assurance Program Manual," NEDE-33245P, Class III (Proprietary), Revision 3, July 2008.

7.1-83


26A6642AW Rev. 06 ESBWR Design Control Document/Tier 2

7.1-11 GE Nuclear Energy, "General Electric Instrument Setpoint Methodology," NEDO-31336, Class I (Non-proprietary); and "General Electric Instrument Setpoint Methodology," NEDC-31336P-A, Class III (Proprietary), September 1996.

7.1-12 GE Hitachi Nuclear Energy, "ESBWR Software Management Program Manual," NEDO-33226, Class I (Non-proprietary); and "ESBWR Software Management Program Manual," NEDE-33226P, Class III (Proprietary), Revision 2, June 2008.

7.1-13 (Deleted)


* Conformance: The RPS design conforms to BTP HICB-8.

BTP HICB-9, Guidance on Requirements for RPS Anticipatory Trips:

* Conformance: Hardware used to provide trip signals in the RPS is designed in accordance with IEEE Std. 603, Section 5.4 and is considered safety-related and meets the design requirements of BTP HICB-9.

BTP HICB-11, Guidance on Application and Qualification of Isolation Devices:

* Conformance: The RPS design conforms to this position. The RPS logics use safety-related fiber optic CIMs and fiber optic cables for interconnections between safety-related divisions for data exchange and for interconnections between safety-related and nonsafety-related devices.

Certain diverse and hardwired portions of RPS use coil-to-contact isolation of relays or contactors. This is acceptable according to BTP HICB-11 when the application is analyzed or tested per the guidelines of RG 1.75 and RG 1.153.

BTP HICB-12, Guidance on Establishing and Maintaining Instrument Setpoints:

* Conformance: The RPS design conforms to BTP HICB-12. The nominal setpoints are calculated based on the GEH instrument setpoint methodology (Reference 7.2-1). The setpoints are established based on instrument accuracy, calibration capability, and estimated design drift allowance data, and are within the instrument best accuracy range.

The digital RPS trip setpoints do not drift and any changes are reported to the N-DCIS as alarms. The analog-to-digital converters are self-calibrating, and the RPS uses self-diagnostics, all of which are reported to the N-DCIS through the required safety-related isolation. It is expected that all of the variability in the parameter channel will be attributable to the field sensor. The established setpoints provide margin to fulfill both safety requirements and plant availability objectives.

BTP HICB-13, Guidance on Cross-Calibration of Protection System Resistance Temperature Detectors:

* Conformance: Because the RPS uses sensor input for suppression pool temperature monitoring, which is based on thermocouple-type temperature sensors, BTP HICB-13 does not apply.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-based Instrumentation and Control Safety Systems:

* Conformance: Development of software for the safety-related system functions within RPS conforms to the guidance of BTP HICB-14. Discussion of software development is included in the LTRs "ESBWR Software Management Program Manual," NEDO-33226, NEDE-33226P, and "ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P (References 7.2-3 and 7.2-4). Safety-related software (to be embedded in the memory of the RPS logics) is developed according to a structured plan as


* Conformance: There are four divisional safety-related subsystems of the NMS. Each division is entirely redundant and identical in design. The divisions are independent of each other, and each is capable of providing indication of neutron flux for the required range. The NMS equipment is qualified to the requirements of IEEE Std. 323. Therefore, the NMS complies with BTP HICB-10.

BTP HICB-11, Guidance for Application and Qualification of Isolation Devices:

* Conformance: The NMS design conforms to BTP HICB-11. The NMS equipment uses safety-related fiber optic CIMs and fiber optic cables for interconnections between safety-related divisions for data exchange and for interconnections between safety-related and nonsafety-related devices to meet the requirements of RG 1.75 and RG 1.153.

BTP HICB-12, Guidance for Establishing and Maintaining Instrument Setpoints:

* Conformance: The analytical limits of the safety-related setpoints of the NMS are determined from safety analyses for each reactor fuel cycle to ensure the reactor core is protected from any rising neutron flux potentially exceeding these values. The nominal setpoints are calculated to be consistent with the GEH standard setpoint methodology (Reference 7.2-1), which conforms to RG 1.105. The setpoint margin calculated by this method also has considered additional uncertainties with the calibration interval. Therefore, the NMS meets BTP HICB-12.

Most of the uncertainty associated with safety-related NMS trip setpoints is associated with the various neutron sensors, because the digital electronics in the NMS do not drift; the setpoints are monitored and alarmed by the PCF of the N-DCIS.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-based Instrumentation and Control Safety Systems:

* Conformance: Development of software for the safety-related system functions within NMS conforms to the guidance of BTP HICB-14 as discussed in the LTRs "ESBWR Software Management Program Manual," NEDO-33226, NEDE-33226P, and "ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P (References 7.2-3 and 7.2-4). Safety-related software to be embedded in the memory of the NMS logics is developed according to a structured plan described in References 7.2-3 and 7.2-4. These plans follow the software life cycle process described in BTP HICB-14.

BTP HICB-16, Guidance on Level of Detail Required for Design Certification Applications Under 10 CFR Part 52:

* Conformance: The NMS section content conforms to BTP HICB-16.

BTP HICB-17, Guidance on Self-Test and Surveillance Test Provisions:

* Conformance: The safety-related subsystems of the NMS are designed to support the required periodic testing. (Refer to Subsection 7.2.2.4.) The NMS system equipment features a self-test design operating in all modes of plant operations. This self-test function


7.2-2 (Deleted)

7.2-3 GE Hitachi Nuclear Energy, "ESBWR Software Management Program Manual," NEDO-33226, Class I (Non-proprietary); and "ESBWR Software Management Program Manual," NEDE-33226P, Class III (Proprietary), Revision 3, June 2008.

7.2-4 GE Hitachi Nuclear Energy, "ESBWR Software Quality Assurance Program Manual," NEDO-33245, Class I (Non-proprietary); and "ESBWR Software Quality Assurance Program Manual," NEDE-33245P, Class III (Proprietary), Revision 3, July 2008.


* Conformance: BTP HICB-3 is not applicable because there is no reactor coolant pump.

BTP HICB-4, Guidance on Design Criteria for Auxiliary Feedwater Systems:

* Conformance: BTP HICB-4 is not applicable to the SSLC/ESF.

BTP HICB-6, Guidance on Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode:

* Conformance: There is no recirculation pump and no active ECCS pumps. Therefore, BTP HICB-6 is not applicable.

BTP HICB-8, Guidance on Application of RG 1.22:

* Conformance: The SSLC/ESF is fully operational during reactor operation, and is tested in conjunction with the Q-DCIS. Therefore, the SSLC/ESF design complies with BTP HICB-8.

BTP HICB-11, Guidance on Application and Qualification of Isolation Devices:

* Conformance: SSLC/ESF logic controllers use fiber optic cables for interconnections between safety-related divisions for data exchange and for interconnections between safety-related and nonsafety-related devices. The Q-DCIS provides the communication functions for SSLC/ESF. See Subsections 7.1.2, 7.1.3.2, and 7.1.3.3 for descriptions of the Q-DCIS communication system design.

Defined diverse and hardwired portions of RPS and SSLC/ESF may use coil-to-contact isolation of relays or contactors. This is acceptable according to BTP HICB-11 when the application is analyzed or tested in accordance with the guidelines of RG 1.75 and RG 1.153.

BTP HICB-12, Guidance on Establishing and Maintaining Instrument Setpoints:

* Conformance: The SSLC/ESF design conforms to BTP HICB-12. Setpoint implementation is in accordance with Reference 7.3-2.

BTP HICB-13, Guidance on Cross-Calibration of Protection System Resistance Temperature Detectors:

* Conformance: BTP HICB-13 does not apply to the SSLC/ESF because this system does not use resistance temperature detector-type sensors.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-based Instrumentation and Control:

* Conformance: Development of software for the safety-related system functions within SSLC/ESF conforms to the guidance of BTP HICB-14 as discussed in the LTRs "ESBWR Software Management Program Manual," NEDO-33226, NEDE-33226P and "ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P (References 7.3-3 and 7.3-4). Safety-related software to be embedded in the memory of the SSLC/ESF controllers is developed according to a structured plan outlined in References 7.3-3 and 7.3-4.


7.3.6.5 Instrumentation and Control Requirements

The performance and effectiveness of the VB isolation function in a postulated accident is verified by observing the following MCR indications (IEEE Std. 603, Section 5.8) (additional discussion on the VB isolation function instrumentation is contained in Subsection 7.3.6.1 and in Subsection 6.2.1.1.5):

* Status indication of VB position;

* Status indication of VB isolation valve position;

* Drywell and wetwell pressure indication;

* Drywell and wetwell temperature indications;

* VB isolation valve bypass status; and

* Status indication of bypass leakage.

The VB isolation function instrumentation located in the drywell is designed to operate in the harsh drywell environment that results from a LOCA. Safety-related instruments, located outside the drywell, are qualified for the environment in which they must perform their safety-related function.

7.3.7 COL Information

None

7.3.8 References

7.3-1 (Deleted)

7.3-2 GE-Hitachi Nuclear Energy, "GEH ABWR/ESBWR Setpoint Methodology," NEDO-33304, Class I (Non-proprietary); and "GEH ABWR/ESBWR Setpoint Methodology," NEDE-33304P, Class III (Proprietary), Revision 0, October 2007.

7.3-3 GE Hitachi Nuclear Energy, "ESBWR Software Management Program Manual," NEDO-33226, Class I (Non-proprietary); and "ESBWR Software Management Program Manual," NEDE-33226P, Class III (Proprietary), Revision 3, June 2008.

7.3-4 GE Hitachi Nuclear Energy, "ESBWR Software Quality Assurance Program Manual," NEDO-33245, Class I (Non-proprietary); and "ESBWR Software Quality Assurance Program Manual," NEDE-33245P, Class III (Proprietary), Revision 3, July 2008.

7.3-5 (Deleted)

* High quality components are used;

* Self-diagnostics are implemented;

* The man-machine interface (MMI) is implemented so that the equipment is structured into small units with sufficient diagnostics that a user can repair equipment by replacing modules and can operate the equipment by following straightforward instructions;

* The software design process specifies modular code;

* Software modules have one entry and one exit point and are written using a limited number of program constructs;

* Code is segmented by system and function:

- Program code for each safety-related system resides in independent modules that perform setpoint comparison, voting, and interlock logic;

- Code for calibration, signal input/output, online diagnostics, and graphical displays are common to all systems;

- Fixed message formats are used for plant sensor data, equipment activation data, and diagnostic data. Thus, corrupted messages are readily detected by error-detecting software in each digital instrument;

* Software design uses recognized defensive programming techniques, backed up by self-diagnostic software and hardware watchdog timers;

* Software for control programs is permanently embedded as firmware in controller Read Only Memory (ROM);

* Commercial development tools and languages with a known history of successful applications in similar designs are used for software development;

* Automated software tools aid in verification and validation (V&V); and

* Reliable software is implemented by ensuring that the quality of the design and requirements specification is controlled under the formal V&V program, which is discussed in the LTR "ESBWR Software Quality Assurance Program Manual (SQAPM)," NEDO-33245, NEDE-33245P (Reference 7.8-3).

7.8.2.2 Defense Against Common Mode Failure

In addition to the DPS and the ATWS mitigation features, safety-related logic processing systems used in the RPS and SSLC/ESF perform the following simple and repetitive tasks. These tasks are performed continuously and simultaneously in four independent and redundant divisions of logic. They are:

* Setpoint comparison;
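Two of the design features listed in Subsection 7.8.2.1 (fixed message formats whose corruption is caught by error-detecting software, and separate modules for setpoint comparison and voting) and the four-division setpoint comparison introduced above can be illustrated with a small added example. This is illustrative code written for this page; it is not GEH code and does not reproduce the platform's actual message format. The 13-byte frame layout, the use of CRC-32 as the error-detecting code, the two-out-of-four vote, the sample readings, and the fail-safe treatment of a rejected channel are all assumptions of the example. The point it makes is that a frame of the wrong length or with a bad check value is rejected outright, never repaired or partially used, and that the vote is taken only over frames that passed validation.

```python
import struct
import zlib

# Constructed fixed-length frame layout (an assumption for this example, not the plant's):
#   magic (2 bytes) | sequence (uint16) | channel (uint8) | value (float32) | CRC-32 (uint32)
MAGIC = b"SD"
BODY_FMT = ">2sHBf"
CRC_FMT = ">I"
FRAME_LEN = struct.calcsize(BODY_FMT) + struct.calcsize(CRC_FMT)  # 13 bytes
NUM_CHANNELS = 4


def encode_frame(seq: int, channel: int, value: float) -> bytes:
    """Build one fixed-format sensor frame with a trailing CRC-32 over the body."""
    body = struct.pack(BODY_FMT, MAGIC, seq, channel, value)
    return body + struct.pack(CRC_FMT, zlib.crc32(body))


def decode_frame(data: bytes):
    """Return (seq, channel, value), or None when the frame is rejected.

    A frame is rejected on wrong length, CRC mismatch, wrong magic, or an
    out-of-range channel number. Nothing is ever repaired or partially used.
    """
    if len(data) != FRAME_LEN:
        return None
    body, crc_bytes = data[:-4], data[-4:]
    if struct.unpack(CRC_FMT, crc_bytes)[0] != zlib.crc32(body):
        return None
    magic, seq, channel, value = struct.unpack(BODY_FMT, body)
    if magic != MAGIC or channel >= NUM_CHANNELS:
        return None
    return seq, channel, value


def vote_2oo4(frames, setpoint: float, fail_safe: bool = True):
    """Setpoint comparison per channel followed by a two-out-of-four vote.

    Returns (trip, votes, rejected). `rejected` lists the positions whose
    frame failed validation. With fail_safe=True a rejected channel counts
    as tripped (this example's assumed fail-safe treatment); with
    fail_safe=False a rejected channel simply casts no vote.
    """
    votes = 0
    rejected = []
    for position, raw in enumerate(frames):
        decoded = decode_frame(raw)
        if decoded is None:
            rejected.append(position)
            if fail_safe:
                votes += 1
            continue
        _seq, _channel, value = decoded
        if value >= setpoint:
            votes += 1
    return votes >= 2, votes, rejected


def sample_frames():
    """Constructed sample: four divisional readings for one scan (not plant data)."""
    readings = [101.0, 99.0, 102.0, 98.0]
    return [encode_frame(7, ch, v) for ch, v in enumerate(readings)]


def corrupt(frame: bytes, index: int = 7) -> bytes:
    """Flip one bit inside the value field to simulate a corrupted message."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    frames = sample_frames()
    print(vote_2oo4(frames, setpoint=100.0))                   # (True, 2, [])
    frames[2] = corrupt(frames[2])
    print(vote_2oo4(frames, setpoint=100.0))                   # (True, 2, [2])
    print(vote_2oo4(frames, setpoint=100.0, fail_safe=False))  # (False, 1, [2])
```

The comparison and the vote live in separate functions from the frame decoder, mirroring the separation of "setpoint comparison, voting, and interlock logic" from the common input/output code described above; whether a rejected channel should vote for a trip is a plant design decision that the page does not state, which is why it is a labelled parameter here rather than a fixed rule.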


* Conformance: Reference 7.8-1 details the echelons of defense used in the design that conforms to BTP HICB-19. This document also discusses the basis for selection of the DPS functions used as backups for the RPS and SSLC/ESF. A failure modes and effects analysis based on the guidance in NUREG/CR-6303 (Reference 7.8-2) is performed to ensure the radiation guidelines from 10 CFR 100 are not exceeded in the event of a common mode failure of the RPS or SSLC/ESF software platform during the design basis events discussed in the Safety Analyses.

BTP HICB-21, Guidance on Digital System Real-Time Performance:

* Conformance: The safety-related ATWS mitigation logic conforms to the guidance in BTP HICB-21. This BTP is not applicable to the nonsafety-related DPS.

7.8.4 Testing and Inspection Requirements

Periodic testing to verify proper operation of the ATWS/SLC logic is performed. Periodic testing to verify proper operation of the DPS logic is also performed.

7.8.5 Instrumentation and Control Requirements

The ATWS/SLC uses logic that is diverse from the RPS. Logic and controls for ATWS/SLC are located in divisional RTIF cabinets. Operating status is available to the operator in the MCR. Division of sensors bypass capability is provided for the ATWS/SLC logic. Communication with external interfaces is through isolation devices. Provisions are made to allow testing of the ATWS/SLC logic and maintenance of the ATWS/SLC equipment.

The DPS uses triple redundant microprocessor-based automatic actuation logic that is diverse from the RPS and SSLC/ESF automatic actuation logic.

The information available to the operator from the diverse I&C systems is described in Subsection 7.8.1.3.

7.8.6 COL Information

None

7.8.7 References

7.8-1 GE-Hitachi Nuclear Energy, "ESBWR I&C Defense-In-Depth and Diversity Report," NEDO-33251, Class I (Non-proprietary), Revision 1, August 2007.

7.8-2 NUREG/CR-6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," December 1994.

7.8-3 GE Hitachi Nuclear Energy, "ESBWR Software Quality Assurance Program Manual (SQAPM)," NEDO-33245, Class I (Non-proprietary); and "ESBWR Software Quality Assurance Program Manual (SQAPM)," NEDE-33245P, Class III (Proprietary), Revision 3, July 2008.


26A6642BW Rev. 06 ESBWR Design Control Document/Tier 2

17.1 QUALITY ASSURANCE DURING DESIGN

The QA Program described in Section 17.1 is applicable to the ESBWR design activities supporting the standard design certification. Quality assurance is the responsibility of the DCD applicant for these design activities. The QA Program for design activities related to a specific plant is defined in Section 17.2.

17.1.1 Organization

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 1, establishes requirements for the Organization structure used during design of the ESBWR.

17.1.2 Quality Assurance Program

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 2, establishes requirements for the Quality Assurance Program used during design of the ESBWR.

The identification of safety-related structures, systems and components (Q list) to be controlled by the GEH QA Program is shown in Table 3.2-1.

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 2, establishes a 10 CFR Part 21 notification and posting system which is procedurally controlled. The requirement of 10 CFR Part 21 is imposed on all safety-related purchase documents.

17.1.3 Design Control and Verification

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 3, establishes requirements for Design Control used during design of ESBWR. Minimum design requirements are identified in Table 3.2-2.

"ESBWR Software Quality Assurance Program Manual," NEDO-33245, NEDE-33245P (Reference 17.1-2), establishes the requirements for Software Verification and Validation Quality Controls. Software Design Verification and Validation is discussed in Subsection 7.8.2.1 and Appendix 7B.

17.1.4 Procurement Document Control

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 4, establishes requirements for Procurement Document Control used during design of the ESBWR.

17.1.5 Instructions, Procedures, and Drawings

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 5, establishes requirements for Instructions, Procedures, and Drawings used during design of the ESBWR.

17.1.6 Document Control

"GENE QA Program Description", NEDO-11209-04A (Reference 17.1-1) Section 6, establishes requirements for Document Control used during design of the ESBWR.


17.1.25 References

17.1-1 GE Nuclear Energy, "GE Nuclear Energy Quality Assurance Program Description," NEDO-11209-04A (NRC accepted), Revision 8, March 1989.

17.1-2 GE Hitachi Nuclear Energy, "ESBWR Software Quality Assurance Program Manual (SQAPM)," NEDO-33245, Class I (Non-proprietary); and "ESBWR Software Quality Assurance Program Manual (SQAPM)," NEDE-33245P, Class III (Proprietary), Revision 3, July 2008.

17.1-3 GE Hitachi Nuclear Energy, "NP-2010 COL Demonstration Project Quality Assurance Program," NEDO-33181, Revision 5, February 2008.


DCD Markups for RAI 7.2-67


the four RPS divisional sensor channels. The four pressure transmitters and associated instrument lines are components of the NBS.

Reactor Pressure Vessel Water Level: RPV water level is measured by four physically separate level (differential pressure) transmitters mounted on separate divisional local racks in the safety envelope within the RB. Each transmitter is on a separate pair of instrument lines and is associated with a separate RPS electrical division. Each transmitter provides an analog output signal to the RPS RMU, which digitizes and conditions the signal before sending it to the appropriate DTM in one of the four RPS divisional sensor channels. The four separate level transmitters and associated instrument lines are components of the NBS.

Main Steamline Isolation Valve Closure: Each of the four Main Steam Lines (MSLs) can be isolated by closing either its inboard or outboard isolation valve. Position (limit) switches are mounted on both isolation valves of each MSL. These switches provide output to the appropriate DTM in one of the four RPS divisional trip channels using hard-wired connections. On each MSL, two position switches are mounted on each inboard isolation valve and each outboard isolation valve. Each of the two position switches on any one MSL isolation valve is associated with a different RPS divisional sensor channel. A reactor scram is initiated by either the inboard or outboard valve closure on two or more of the MSLs. The eight MSIVs and the 16 position switches supplied with these valves (for RPS use) are components of the NBS.

Feedwater Temperature Biased Simulated Thermal Power: FW temperature is measured by four separate temperature sensors mounted on each FW line in the MSL tunnel area within the RB. Each sensor is connected to a separate channel and is associated with a separate RPS electrical division. Each sensor provides a temperature signal to the RPS RMU, which digitizes and conditions the signal before sending it to the appropriate RPS DTM. The eight temperature sensors (four on each FW line) are components of the NBS. The RPS uses FW temperature from NBS to develop an STP setpoint that is a function of FW temperature. The RPS initiates a scram when the FW temperature further departs from the area allowed by the thermal power vs. FW temperature domain.

Control Rod Drive System

Locally mounted pressure transmitters measure the CRDS accumulator charging header pressure at four physically separate locations. Each transmitter is associated with a separate RPS division and is on a separate instrument line. Each transmitter provides an analog output signal to the RMU, which digitizes and conditions the signal before sending it to the appropriate DTM (in one of the four RPS divisional trip channels). The four pressure transmitters and associated instrument lines are components of the CRDS. This is an anticipatory scram because it initiates a scram before the HCU accumulators have time to depressurize.

Reactor Protection System

Turbine Stop Valve Closure: TSV closure is detected by separate valve stem position switches on each of the four valves. Each position switch provides an open/close contact output signal through hard-wired connections to the DTM in one of the four RPS divisional trip channels. The TSV closure trip occurs in each division of trip logic when any two or more position switches


DCD Markups for RAI 7.3-14


Table 7.1-1 identifies the ADS and the associated codes and standards applied, in accordance with the SRP. This subsection addresses I&C systems conformance to regulatory requirements, guidelines, and industry standards.

7.3.1.1.3.1 Code of Federal Regulations

10 CFR 50.55a(a)(1), Quality Standards for Systems Important to Safety:

* Conformance: The ADS design complies with 10 CFR 50.55a(a)(1).

10 CFR 50.55a(h), Protection and Safety Systems compliance with IEEE Std. 603:

* Conformance: The ADS design complies with IEEE Std. 603. Separation and isolation are preserved both mechanically and electrically in accordance with IEEE Std. 603, Section 5.6 and RG 1.75. The ADS is divisionalized and designed with redundancy so failure of any instrument will not interfere with the system operation. Electrical separation is maintained between the redundant divisions.

10 CFR 50.34(f)(2)(v)(I.D.3), Bypass and Inoperable Status Indication:

* Conformance: The ADS design complies with 10 CFR 50.34(f)(2)(v)(I.D.3).

10 CFR 50.34(f)(2)(xiv)(II.E.4.2), Containment Isolation Systems:

* Conformance: The ADS design complies with 10 CFR 50.34(f)(2)(xiv)(II.E.4.2).

10 CFR 52.47(a)(1)(iv), Resolution of Unresolved and Generic Safety Issues:

* Conformance: Resolution of unresolved and generic safety issues is discussed in Section 1.11.

10 CFR 52.47(a)(1)(vi), ITAAC in Design Certification Applications:

* Conformance: ITAAC are provided for I&C systems and equipment in Tier 1.

10 CFR 52.47(a)(1)(vii), Interface Requirements:

* Conformance: There are no interface requirements for this section.

10 CFR 52.47(a)(2), Level of Detail:

* Conformance: The level of detail provided for the ADS within the DCD conforms to this requirement.

10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety functions.

7.3.1.1.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:


7.3.1.2.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:

* Conformance: The GDCS design complies with these GDCs.

7.3.1.2.3.3 Staff Requirements Memorandum

SECY-93-087, Item II.Q, Defense Against Common-Mode Failures in Digital Instrumentation and Control Systems:

* Conformance: The GDCS design conforms to these criteria by providing diverse I&C, as described in Section 7.8.

7.3.1.2.3.4 Regulatory Guides

RG 1.22, Periodic Testing of Protection System Function:

* Conformance: System logic is tested continually as described in Subsection 7.3.1.2.4. Components are tested periodically during refueling outages. The GDCS design complies with RG 1.22.

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety:

* Conformance: The GDCS design complies with RG 1.47. Automatic indication is provided in the MCR to inform the operator that the system is inoperable or a division is bypassed.

RG 1.53, Application of the Single-Failure Criterion to Nuclear Power Protection Systems:

* Conformance: The GDCS design complies with RG 1.53, IEEE Std. 603, Section 5.1, and IEEE Std. 379.

RG 1.62, Manual Initiation of Protective Actions:

* Conformance: The GDCS design complies with RG 1.62. Each division of the GDCS has a manual actuation switch in the MCR. Initiation of the system requires actuation of two switches to ensure that manual initiation is a premeditated act. There is an interlock between the manual initiation switches and a low reactor-pressure signal. This interlock prevents manual initiation of the system if the RPV is not depressurized.

RG 1.75, Physical Independence of Electric Systems:

* Conformance: The GDCS design conforms to RG 1.75 as described in Subsections 8.3.1.3 and 8.3.1.4.

RG 1.89, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants:

* Conformance: The GDCS design conforms to RG 1.89.

RG 1.100, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants:


10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety functions.

7.3.3.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:

* Conformance: The LD&IS design complies with these GDCs.

7.3.3.3.3 Staff Requirements Memorandum

SRM on SECY 93-087, Item II.Q, Defense Against Common-Mode Failures in Digital Instrument and Control Systems:

* Conformance: The LD&IS and ESF designs conform to item II.Q of SECY-93-087 (BTP HICB-19) by implementation of diverse I&C, described in Section 7.8.

7.3.3.3.4 Regulatory Guide

RG 1.22, (Safety Guide 22) Periodic Testing of Protection System Actuation Function:

* Conformance: The LD&IS design conforms to RG 1.22.

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System:

* Conformance: The LD&IS design conforms to RG 1.47.

RG 1.53, Application of the Single-Failure Criterion to Nuclear Power Protection Systems:

* Conformance: The LD&IS design conforms to RG 1.53.

RG 1.62, Manual Initiation of Protective Actions:

* Conformance: The LD&IS design conforms to RG 1.62.

RG 1.75, Physical Independence of Electric Systems:

* Conformance: The LD&IS design conforms to RG 1.75 as described in Subsections 8.3.1.3 and 8.3.1.4.

RG 1.89, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants:

* Conformance: The LD&IS design conforms to RG 1.89.

RG 1.100, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants:

* Conformance: The LD&IS design conforms to RG 1.100.


* Conformance: The CRHS design complies by providing automatic indication of bypassed and inoperable status.

10 CFR 50.34(f)(2)(xiv)(II.E.4.2), TMI Action Plan Item IIE.4.2 Containment Isolation Systems:

* Conformance: The CRHS design complies with this requirement.

10 CFR 52.47(a)(1)(iv), Resolution of Unresolved and Generic Safety Issues:

* Conformance: Resolution of unresolved and generic safety issues is discussed in Section 1.11.

10 CFR 52.47(a)(1)(vi), ITAAC in Design Certification Applications:

* Conformance: ITAAC are provided for the I&C systems and equipment in Tier 1.

10 CFR 52.47(a)(1)(vii), Interface Requirements:

* Conformance: There are no interface requirements for this section.

10 CFR 52.47(a)(2), Level of Detail:

* Conformance: The level of detail provided for the CRHS in the DCD conforms to this requirement.

10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety functions.

7.3.4.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:

* Conformance: The CRHS design complies with these GDCs.

7.3.4.3.3 Staff Requirements Memorandum

SRM on SECY 93-087, Item II.Q, Defense Against Common-Mode Failures in Digital Instrument and Control Systems:

* Conformance: The CRHS and ESF designs conform to these criteria, as described in Subsection 7.8.2.2.

7.3.4.3.4 Regulatory Guides

RG 1.22, Periodic Testing of Protection System Actuation Function:

* Conformance: The CRHS design conforms to RG 1.22.

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System:


10 CFR 50.34(f)(2)(xiv) [II.E.4.2], Containment Isolation Systems:

* Conformance: The SSLC/ESF logic controlling containment isolation functions conforms to these criteria.

10 CFR 50.34(f)(2)(xxiii) [II.K.2.10], Anticipatory Reactor Trip:

* Conformance: The SSLC/ESF initiates the ICS in response to a Loss of All Feedwater Flow Event. This is an anticipatory trip actuated on loss of power to two of the four main FW pumps.

10 CFR 52.47(a)(1)(iv), Resolution of Unresolved and Generic Safety Issues:

* Conformance: Resolution of unresolved and generic safety issues is discussed in Section 1.11.

10 CFR 52.47(a)(1)(vi), ITAAC in Design Certification Applications:

* Conformance: ITAAC are provided for the I&C systems and equipment in Tier 1.

10 CFR 52.47(a)(1)(vii), Interface Requirements:

* Conformance: There are no interface requirements for this section.

10 CFR 52.47(a)(2), Level of Detail:

* Conformance: The level of detail provided for the SSLC/ESF within the DCD conforms to this requirement.

10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety functions.

7.3.5.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:

* Conformance: The SSLC/ESF design complies with these GDCs.

7.3.5.3.3 Staff Requirements Memorandum

SRM on SECY-93-087, Item II.Q, Defense Against Common-Mode Failures in Digital Instrument and Control Systems:

* Conformance: The Reactor Trip (Protection) System and ESF designs conform to Item II.Q of SRM on SECY-93-087 (BTP HICB-19) in conjunction with the implementation of the DPS, described in Section 7.8.


10 CFR 52.47(a)(1)(vi), ITAAC in Design Certification Applications:

* Conformance: ITAAC are provided for the I&C systems and equipment in Tier 1.

10 CFR 52.47(a)(1)(vii), Interface Requirements:

* Conformance: There are no interface requirements for this section.

10 CFR 52.47(a)(2), Level of Detail:

* Conformance: The level of detail provided for the design of the VB and VB isolation function within the DCD complies with this requirement.

10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety-related functions.

7.3.6.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 20, 21, 22, 23, 24 and 29:

* Conformance: The VB isolation function design complies with these GDCs.

7.3.6.3.3 Staff Requirements Memorandum

SRM on SECY-93-087, Item II.Q, Defense Against Common-Mode Failures in Digital Instrumentation and Control Systems:

* Conformance: The VB isolation function design complies with these criteria through demonstration that no postulated common-mode failure of the control system could disable the VB isolation function. The discrete logic and solid state controls used in this design are not subject to the vulnerabilities described by SECY-93-087, Item II.Q.

7.3.6.3.4 Regulatory Guides

RG 1.22, Periodic Testing of Protection System Function:

* Conformance: The VB isolation function design conforms to RG 1.22. System logic and components are tested periodically during refueling outages.

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety:

* Conformance: The VB isolation function design conforms to RG 1.47. Automatic indication is provided in the MCR to inform the operator that the system is inoperable or a division is bypassed.

RG 1.53, Application of the Single-Failure Criterion to Nuclear Power Protection Systems:

* Conformance: The VB isolation function design conforms to RG 1.53, IEEE Std. 603, Section 5.1, and IEEE Std. 379.


DCD Markups for RAI 7.4-8


* Conformance: The RSS design conforms to RG 1.75 as described in Subsections 8.3.1.3 and 8.3.1.4.

RG 1.100, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants:

* Conformance: The RSS design conforms to RG 1.100.

RG 1.118, Periodic Testing of Electric Power and Protection Systems:

* Conformance: The RSS design conforms to RG 1.118.

RG 1.153, Power Instrumentation & Control Portions of Safety Systems:

* Conformance: The RSS design conforms to RG 1.153.

RG 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related I&C Systems:

* Conformance: The RSS design conforms to RG 1.180.

RG 1.204, Guidelines for Lightning Protection of Nuclear Power Plants:

* Conformance: The RSS design conforms to RG 1.204.

RG 1.209, Guidelines For Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants:

* Conformance: The RSS Safety-Related system design conforms to RG 1.209.

7.4.2.3.4 Branch Technical Positions

BTP HICB-11, Guidance on Application and Qualification of Isolation Devices:

* Conformance: The RSS design conforms to BTP HICB-11.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems:

* Conformance: The RSS design conforms to BTP HICB-14.

BTP HICB-16, Guidance on the Level of Detail Required for Design Certification Applications Under 10 CFR, Part 52:

* Conformance: The level of detail provided for RSS conforms to BTP HICB-16.

BTP HICB-17, Guidance on Self-Test and Surveillance Test Provisions:

* Conformance: The RSS design conforms to BTP HICB-17.

BTP HICB-18, Guidance on the Use of Programmable Logic Controllers in Digital Computer Based Instrumentation and Control Systems:


DCD Markups for RAI 7.4-9


* Conformance: The RSS design conforms to BTP HICB-18.

BTP HICB-21, Guidance on Digital Computer Real-Time Performance:

* Conformance: The RSS design conforms to BTP HICB-21.

7.4.2.3.5 Three Mile Island Action Plan Requirements

In accordance with the SRP for 7.4 and with Table 7.1-1, there are no Three Mile Island (TMI) action plan requirements applicable for the RSS. TMI action plan requirements are generically addressed in Table 1A-1 of Appendix 1A.

From the foregoing analyses, it is concluded that the RSS meets its design bases.

7.4.2.4 Testing and Inspection Requirements

The capability to safely shut down the reactor from outside the MCR is confirmed during the Initial Plant Test Program (Refer to Section 14.2). Testing to confirm the functionality of each RSS control circuit is performed during each refueling outage.

Minimum Requirements to Place and Maintain Plant in MODE 3 from Location Outside MCR

On the basis of Sections 15.5.6.2 and 15.5.6.3, which provide the assumptions and results of safe shutdown fire analysis, only a manual scram of the plant from the MCR is required to reach and maintain Mode 3 (hot shutdown). If the operator is not able to initiate manual scram from the MCR due to spread of the fire, manual scram can be initiated from either of the RSS panels. Therefore, the operability of Division 1 & 2 Manual Scram Switches at either of the two RSS panels is the minimum requirement to achieve and maintain Mode 3 from a location outside the MCR.

7.4.2.5 Instrumentation and Control Requirements

The parameters displayed and/or controlled from Division 1 and Division 2 in the MCR also are displayed and/or can be controlled from either of the RSS panels.

7.4.3 Reactor Water Cleanup/Shutdown Cooling System

7.4.3.1 System Design Bases

The RWCU/SDC system design bases are described further in Subsections 5.4.8.1 and 5.4.8.2. Figure 5.1-4 shows the basic configuration of the RWCU/SDC system.

The RWCU/SDC system is one of the dual redundant Plant Investment Protection (PIP) systems whose instrumentation belongs to the N-DCIS. The RWCU/SDC system functions are not safety-related. Accordingly, the RWCU/SDC system has no safety-related design bases beyond a containment isolation function and providing instrumentation for detection of system breaks outside the containment (IEEE Std. 603, Sections 4.1 and 4.2). The containment is isolated by signals from the LD&IS (as described in Subsection 7.3.3).


7.4.3.1.1 (Deleted)

7.4.3.1.2 (Deleted)

7.4.3.1.3 (Deleted)

7.4.3.2 System Description

7.4.3.2.1 Summary Description

The overall functional description of the RWCU/SDC system is provided in Subsection 5.4.8.

The I&C maintains the RWCU/SDC system process conditions within the limits necessary to control the system and satisfy its design bases. Protective features include isolating the RWCU/SDC system from the RPV in response to an LD&IS signal. The above isolation features protect the reactor core by minimizing the potential loss of RPV coolant inventory and avoid removal of boron from the reactor coolant if the SLC system is actuated.

7.4.3.2.2 Detailed System Description

The RWCU/SDC system measurements of flow, pressure, temperature, and conductivity are recorded or indicated with suitable alarms in the MCR. Valves behind shielding are furnished with on-off air operators that are individually controlled from local panels or from extension stems penetrating the shielding.

Indicating and control instruments and components are mounted on panels or local racks and are visible and accessible for repair, calibration, and testing.

The main process pumps are started automatically or from the MCR by VDU control with status indication. The pumps are driven by solid-state adjustable speed drives. Temperature elements located in the Nuclear Boiler System (NBS) and a reactor cooldown controller with temperature feedback control each pump to limit the rate of reactor water cooldown. A low pump suction flow interlock either prevents the pumps from starting or runs back or stops the pumps automatically. A reactor low water level (Level 3) pump speed runback interlock is provided to protect the pumps from cavitation during shutdown.

The pumps typically are supplied from separate and preferred power sources. The power supplies are automatically switched to dual on-site standby diesel-generators following the loss of preferred power (LOPP).

Motor-operated valves are operable automatically or manually by a VDU switch from the MCR. Each valve motor is stopped by limit switches or torque switches. The positions of air/nitrogen-operated containment isolation valves are indicated in the MCR to permit the plant operators to assess their status. An automatic signal overrides a manual signal to these valves. Containment isolation valve closing speeds are selected to protect the reactor core and limit radioactivity release in case of a RWCU/SDC system pipe break outside the containment.

The signals that either prevent all containment isolation valves from opening (if closed) or close the valves (if open) are:

* SLC system actuation is sent to the RWCU/SDC system via the LD&IS, and

* LD&IS actuation occurs.


DCD Markups for RAI 7.4-10


* Enable unit operation within the guidelines of EPRI's "BWRVIP-130: BWR Vessel and Internals Project BWR Water Chemistry Guidelines."

* Discharge excess reactor water during startup, shutdown, and hot standby conditions and during refueling to the main condenser or to the radwaste system.

* Minimize RPV temperature gradients by enhancing circulation through the bottom head region of the RPV and to reduce core thermal stratification at low power.

* Provide heated primary coolant for RPV hydrostatic tests and reactor startup.

* Have redundant cleanup capacity with respect to major system components.

The RWCU/SDC Shutdown Cooling function modes are interlocked with Reactor Power operation to prevent increase in core reactivity. During reactor power operation, the operator cannot start or select the RWCU/SDC Shutdown Cooling function modes. This interlock feature is designed to be single failure proof. Interlocks are also provided to prevent inadvertent operation of pumps at higher speed and higher flow, and to prevent opening of regenerative heat exchanger by-pass valves during Reactor Power operation. An alarm is initiated if flow is higher than normal and the reactor is at power.

5.4.8.1.2 System Description

System Description Summary

A main function of the RWCU/SDC system is to purify the reactor water. The RWCU/SDC system consists of two redundant trains, as shown on the RWCU/SDC system schematic (Figure 5.1-4). The major components of each train are two Adjustable Speed Drive (ASD) pumps, one Regenerative Heat Exchanger (RHX), one Non-Regenerative Heat Exchanger (NRHX), and a 100% capacity demineralizer. The electrical power supply to the two trains is from separate electrical busses.

Detailed System Description

The RWCU/SDC system is comprised of two independent pump-and-purification equipment trains. These trains together provide redundant cleanup capacity such that each pump train and demineralizer is designed to achieve and maintain the reactor water quality within design specifications. The system processes the water in the primary system during all modes of operation including startup, normal power generation, cooldown and shutdown operation. The capacity of each train for RWCU is 1% of the rated feedwater flow rate. The RWCU/SDC system flow rates and other system capabilities are provided in Table 5.4-3.

During normal plant operation, the RWCU/SDC system continuously recirculates water by taking suction from the mid-vessel area of the RPV and from the reactor bottom head and returning via the feedwater line to the RPV. This method of operation maintains the pre-warmed condition for the large-bore piping used for SDC mode supply with a low flow rate that prevents stagnation that could trap voids in the piping connected to the hot RCS. The RWCU/SDC piping is also arranged such that it slopes downward from the mid-vessel nozzles so that any voids tend to return back to the vessel by buoyancy. Warm SDC flow passes through the heat exchanger before reaching the pump inlet so only well subcooled flow is returned upward toward the feedwater line connection. The return line rises toward the feedwater line and is kept normally flowing by the RWCU return, so that during normal operation hot feedwater does not tend to


DCD Markups for RAI 7.4-11


" GDC 14 as it relates to ensuring the RCPB integrity;" GDC 15 as it relates to reactor coolant associated auxiliary system design with sufficient

margin;

* GDC 31 as it relates to fracture prevention or RCPB design with sufficient margin;

* GDC 50 as it relates to long term post-LOCA containment cooling with fiuel failure,using the cross-connection to FAPCS;

" GDC 60 as it relates to the capability of the RWCU to control the release of radioactiveeffluents to the environment; and

" GDC 61 as it relates to designing the RWCU with appropriate confinement.

The RWCIJ/SDC system performs two basic functions, reactor water cleanup and shutdowncooling, which include the following major activities:

* Purify the reactor coolant during normal operation and shutdown;

" Supplement reactor cooling when the reactor is at high pressure in the hot standby mode;

" Assist in the control of reactor water level during startup, shutdown, and in the hotstandby mode;

" Induce reactor coolant flow from the reactor vessel bottom head to reduce thermalstratification during startup;

" Provide shutdown cooling and cooldown to cold shutdown conditions;

* Provide long term post-LOCA containment cooling with cross-connection to FAPCS; and

" Provide heated primary coolant for RPV hydrostatic testing and reactor startup.

The RWCU/SDC system is discussed in further detail in Subsections 5.4.8.1 and 5.4.8.2.

5.4.8.1 Reactor Water Cleanup Function

The RWCU function is performed by the RWCU/SDC system during startup, normal power generation, cooldown and shutdown.

5.4.8.1.1 Design Bases

Safety Design Bases

The RWCU/SDC system does not perform any safety-related functions. Therefore, the RWCU/SDC system has no safety design bases other than for safety-related containment penetrations and isolation valves, as described in Subsection 6.2.4, and provide instrumentation to detect system pipe break outside the containment as described in Subsection 5.2.5.

Power Generation Design Bases

The RWCU/SDC system is designed to:

* Remove solid and dissolved impurities from the reactor coolant and measure the reactor water conductivity during all modes of reactor operation. This is done in accordance with RG 1.56, "Maintenance of Water Purity in Boiling Water Reactors."


The train in the overboarding mode uses an overboard flow control valve to maintain the reactor water level. A control station is located downstream of the demineralizer. The control station consists of the overboard flow control valve, a high pressure restriction orifice, an orifice bypass valve, and a main condenser isolation valve.

During the early phases of startup, when the reactor pressure is low, the restriction orifice is bypassed. The restriction orifice bypass valve automatically closes when the pressure upstream reaches a predetermined set point to ensure the pressure drop across the overboard flow control valve and the orifice bypass valve are maintained within their design limits.

During overboarding, the RHX is bypassed and the NRHX is in service to cool the reactor water to minimize two-phase flow in the pressure reducing components and downstream piping. The demineralizer is also in service to ensure the water overboarded to the condenser meets water quality specification requirements. In the event high radiation is detected downstream of the demineralizer, the overboarding flow is manually shifted to the Liquid Waste Management System (LWMS) by first opening the remote manual isolation valve to the radwaste system and then closing the remote manual system isolation valve to the main condenser.

The system piping routed to the main condenser and LWMS is designed with sufficient wall thickness to ensure the stresses are within the stress limits even if subjected to full reactor pressure. Further, the low-pressure portion of the system is protected by the automatic closure of the overboard flow control valve upon detection of high pressure downstream of the pressure control valve. The system piping routed to the LWMS system is also protected from overpressurization by a pressure relief valve that relieves to the piping routed to the main condenser.

Refueling - During refueling, when the reactor well water may have a stratified layer of hot water on the surface, the RWCU/SDC system can be used to supplement the FAPCS to cool the reactor well water.

5.4.8.1.3 Safety Evaluation

The RWCU/SDC system is classified as a nonsafety-related system except for its RCPB function, containment isolation functions, and providing instrumentation for detection of break in the system outside the containment. Refer to Subsection 6.2.4 for containment isolation valves and to Subsection 5.2.5 for containment isolation and pipe break detection instrumentation.

5.4.8.1.4 Testing and Inspection Requirements

During preoperational testing (see Section 14.2), system component operability, flow rates, heat removal capacities and controls and interlocks are tested to demonstrate that the RWCU/SDC system meets design requirements.

The functional capabilities of the containment isolation valves are testable in-place in accordance with the in-service inspection requirements. All such leak test connections are isolable by two valves in series. Periodic leak testing of the containment isolation valves is prescribed in the Technical Specifications and described in Subsection 6.2.6.


DCD Markups for RAI 7.5-7


* Power source,

* Required number of channels,

* Qualification criteria, and

* Type of monitoring channel display.

7.5.1.3.5 Branch Technical Positions

BTP HICB-10, Guidance on Application of RG 1.97:

* Conformance: The PAM instrumentation design conforms to RG 1.97 Revision 4, IEEE Standard 497-2002 (with clarifications and exceptions stated in RG 1.97 Revision 4), and RG 1.100.

BTP HICB-16, Guidance on the Level of Detail Required for Design Certification Applications Under 10 CFR Part 52:

* Conformance: The level of detail provided for the PAM instrumentation design conforms to BTP HICB-16.

7.5.1.4 Testing and Inspection Requirements

Testing and inspection requirements for RG 1.97 instrumentation are defined in IEEE Std. 497, Criterion 6.8, "Testability" and Criterion 6.11, "Maintenance and Repair". Compliance with these requirements is addressed during the detailed design phase.

7.5.1.5 Instrumentation and Controls Requirements

Instrumentation requirements for RG 1.97 instrumentation are defined in IEEE Std. 497. Identification of specific instrument requirements and conformance to these requirements is addressed during the detailed design phase.

7.5.2 Containment Monitoring System

The CMS provides the instrumentation to monitor the:

* Atmosphere in the containment for high gross gamma radiation levels,

* Pressure of the drywell and wetwell,

* Drywell/wetwell differential pressure,

* Lower and upper drywell water level (post-LOCA),

* Temperature of the suppression pool water,


DCD Markups for RAI 7.6-3


7.1.3.2.4.2 Containment Monitoring System

The CMS instrumentation measures and records radiation levels and the oxygen/hydrogen concentration levels in containment under post-accident conditions. The CMS is designed to operate continuously during normal operation and is automatically put in service upon detection of LOCA conditions. Refer to Subsection 7.5.2 for additional information.

7.1.3.2.4.3 Process Radiation Monitoring System

Safety-related PRMS instrumentation monitors the following for radioactive materials: discharges from the ICS vent, and ventilation discharges. The nonsafety-related PRMS is discussed in Subsection 7.1.5.2.2.1. The MCR display, recording, and alarm capabilities are provided along with controls that provide automatic trip inputs to the respective systems to prevent further radiation release. Refer to Subsection 11.5.3 for additional information.

7.1.3.2.5 Interlock Logic

The interlock logic functions are embedded in the DCIS logic, so that a separate interlock system is not required. Refer to Section 7.6 for additional information.

The design does not have logic that isolates safety-related from nonsafety-related piping during a LOCA. It is not necessary because there are no piping interfaces separating the safety-related and nonsafety-related portions of piping systems.

7.1.3.2.6 Nuclear Boiler System Instrumentation

Redundant NBS safety-related instrumentation provides RPV water level and reactor vessel pressure data for operator monitoring. The NBS instrumentation also provides inputs to safety-related systems during normal, transient, and accident conditions. Refer to Subsection 7.7.1 for additional information.

7.1.3.2.7 Data Communication Systems

The DCIS data communication functions are embedded within the Q-DCIS and the N-DCIS architectures. Safety-related Q-DCIS internal and external communication protocols are deterministic.


8A.1.2 for detailed information about the lightning protection system and conformance to RG 1.204.

RG 1.209, Guidelines For Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants. The safety-related system design conforms to RG 1.209.

7.1.6.5 Branch Technical Positions

BTPs that are applicable to the I&C systems are identified relative to the I&C systems in Table 7.1-1. BTPs are guidance documents; the I&C systems are generally designed to conform to the BTPs. The degree of conformance, along with any clarifications or exceptions, is discussed in the safety evaluation subsections of Sections 7.1 through 7.8.

BTP HICB-1, Guidance on Isolation of the Low Pressure Systems from the High Pressure Reactor Coolant System. The GDCS and interlock logic design conforms to BTP HICB-1.

BTP HICB-8, Guidance on Application of RG 1.22. The Q-DCIS is fully functional during reactor operation and is tested in conjunction with the SSLC/ESF. Therefore, the Q-DCIS design conforms to BTP HICB-8.

BTP HICB-9, Guidance on Requirements for RPS Anticipatory Trips. The Q-DCIS conforms to BTP HICB-9.

BTP HICB-10, Guidance on Application of Regulatory Guide 1.97. I&C design conforms to BTP HICB-10. Details of design implementation are discussed in Section 7.5.

BTP HICB-11, Guidance on Application and Qualification of Isolation Devices. The Q-DCIS design conforms to BTP HICB-11.

BTP HICB-12, Guidance on Establishing and Maintaining Instrument Setpoints. The Q-DCIS design conforms to BTP HICB-12.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-based I&C Safety Systems. Refer to Subsections 7.1.2.4, Reference 7.1-10 and 7.1-12 discussions. The Q-DCIS design conforms to BTP HICB-14.

The Q-DCIS and N-DCIS follow a development process that is in accordance with BTP HICB-14. As part of the Certification activity, the software development process plans require NRC review and approval.

Safety-related I&C systems (RTIF, NMS and SSLC/ESF) use computers for their logic functions. A description of the Q-DCIS design, together with the description of the DPS, is included in Section 7.8, and specifically addresses the issues of defense-in-depth and diversity and defense against common mode failures.

BTP HICB-16, Guidance on Level of Detail Required for Design Certification Applications Under 10 CFR Part 52. BTP HICB-16 is applicable to all sections of Chapter 7 of the Design Control Document and all sections conform to it.

7.1-68


7.6 INTERLOCK LOGIC SYSTEMS

In accordance with the Standard Review Plan (NUREG-0800), the High Pressure/Low Pressure interlock logics addressed in this section are "those interlock logics important to safety which operate to reduce the probability of occurrence of specific events or to maintain safety systems in a state to assure their availability in an accident" and are not addressed in other sections. While there are no ESBWR systems that meet this scope, this section includes discussion of the Low Pressure Coolant Injection (LPCI) High Pressure/Low Pressure (HP/LP) interlock logic that prevents over-pressurization of low-pressure systems that are connected to high pressure systems.

7.6.1 High Pressure/Low Pressure Interlock Logic

7.6.1.1 System Design Bases

The FAPCS HP/LP interlock logic prevents the operation of the LPCI mode of the FAPCS whenever there is a high pressure signal from the RPV pressure transmitters of the NBS by preventing the isolation valves from opening or closing them if opened. The high pressure signal also prevents testing of the air-operated testable check valves and closes them if they are open for testing. During reactor power operation, the high pressure in the RWCU/SDC system piping exceeds the design pressure of the low pressure FAPCS piping. The following subsections describe the nonsafety-related interlock logic provided to prevent over-pressurization of the FAPCS piping. The FAPCS design is discussed in Subsection 9.1.3. The reactor pressure instruments of the Nuclear Boiler System (NBS) are discussed in Subsection 7.7.1.

The Fuel and Auxiliary Pools Cooling System (FAPCS) is a low pressure piping system. It has the following interfaces with the high pressure Reactor Water Cleanup/Shutdown Cooling (RWCU/SDC) system.

* Its Low Pressure Coolant Injection (LPCI) line is connected to the RWCU/SDC system Loop B discharge line, which is connected to the Reactor Pressure Vessel (RPV) via the Feedwater Loop A discharge line.

* Crosstie connections are provided from the FAPCS suppression pool suction to the RPV RWCU line to the regenerative heat exchanger (RHX) (RWCU suction) and from the RWCU return line (discharge line to RPV) to the FAPCS discharge line to the suppression pool, Gravity-Driven Cooling System (GDCS) pools and containment spray line.


7.6-1


The only other HP/LP interface exists in the GDCS. Because the GDCS piping downstream of squib valves connected to the RPV has a design pressure equivalent to the reactor operating pressure, and the low pressure GDCS piping upstream of squib valves is open to the GDCS pools, there is no need for overpressure protection of the low pressure portion. A high pressure interlock logic is provided to prevent inadvertent manual initiation of the GDCS. The GDCS design basis is discussed in Subsection 7.3.1.2.

7.6.1.2 System Description

7.6.1.2.1 Function Identification

The LPCI line isolation valves consist of parallel pairs of air-operated, testable safety-related check valves and nonsafety-related motor-operated block valves to protect the FAPCS low pressure piping from over-pressurization during reactor power operation. These valves are normally closed. Parallel valves are provided for redundancy and fire zone separation. Both sets of parallel valves have identical interlock logic for operation except that the power supplies for operation of these valves are provided from different sources, the Plant Investment Protection (PIP) systems PIP A and PIP B buses, for redundancy and fire zone separation. The logic for operation of the valves is implemented in the PIP A Nonsafety-related Distributed Control and Information System (N-DCIS) and PIP B N-DCIS. The FAPCS modes are described in Subsection 9.1.3.2. A safety relief valve is provided upstream of the LPCI line check valves to protect against over-pressurization of the pipe by leakage through the check valves. The relief valve discharge line is monitored to detect any leakage through the check valves.

The crosstie from the FAPCS to the RWCU/SDC system is used only following a Loss of Coolant Accident (LOCA). These connections allow the RWCU/SDC system to provide containment cooling after a LOCA to bring the plant to a cold shutdown. Each FAPCS to RWCU/SDC system crosstie connection is isolated with a spectacle flange, a check valve and a MOV providing a positive isolation. The flange removal and the operation of the crosstie are under administrative control. Therefore no interlock logic exists between the low pressure FAPCS crosstie and the high pressure RWCU/SDC system.

7.6-2


7.6.1.2.2 Power Sources

The power supplies for nonsafety-related pressure instruments, logic, and solenoids (for operation of testable check valves) are provided by the PIP A N-DCIS and PIP B N-DCIS. The power supplies for operation of the LPCI line nonsafety-related motor operated parallel valves are provided from different sources, the PIP A and PIP B buses, for redundancy and fire zone separation. These nonsafety-related power supplies are backed up by nonsafety-related batteries and diesel generators. Refer to Subsection 8.3.2 for a description of the DC power supplies and Subsection 8.3.1 for a description of the AC power supplies.

7.6.1.2.3 (Deleted)

7.6.1.2.4 Logic Description

The high reactor pressure signals from the NBS processed in the N-DCIS are used to determine whether a high pressure condition exists in the RWCU/SDC discharge line to the RPV feedwater inlet line. If a high pressure condition exists, the interlock system logic sends a signal to close the MOVs. This signal also prevents testing of the check valves and prevents the LPCI mode of operation of the FAPCS. The N-DCIS is described in Subsection 7.1.5.
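As an added illustration, not GEH design logic or code from the DCD, the following Python model implements the interlock behaviour described above for one PIP division: close the MOVs on a high pressure condition, inhibit check valve testing and the LPCI mode, raise the MCR alarm when a valve is open with the interlock active, and offer no bypass. The setpoint value, the pressure readings and the treatment of a missing instrument reading are constructed assumptions.

```python
"""Model of the FAPCS LPCI-line HP/LP interlock logic (Subsections 7.6.1.2.4,
7.6.1.2.12 and 7.6.1.5) for one PIP division.

Added example, not GEH design code. The setpoint value, the pressure
readings and the treatment of a missing reading are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Placeholder setpoint (MPa). The DCD states only that the setpoint is based on
# the design pressure of the low pressure FAPCS piping; this number is made up.
HP_LP_SETPOINT_MPA = 1.0


@dataclass
class Division:
    """Actuated devices of one division (PIP A or PIP B), 7.6.1.2.8."""
    name: str
    mov_open: bool = False                   # nonsafety-related MOV, normally closed
    check_valve_open_for_test: bool = False  # air-operated testable check valve


@dataclass(frozen=True)
class InterlockOutput:
    interlock_active: bool
    close_mov: bool
    inhibit_check_valve_test: bool
    inhibit_lpci_mode: bool
    mcr_alarm: bool


def high_pressure_condition(readings: Sequence[Optional[float]],
                            setpoint: float = HP_LP_SETPOINT_MPA) -> bool:
    """True when a high pressure condition exists in the RWCU/SDC discharge line.

    Assumptions (not from the DCD): the condition is asserted when any one of
    the redundant NBS readings exceeds the setpoint, and a missing reading
    (None, or no readings at all) is treated as high pressure so that loss of
    an instrument cannot silently release the interlock.
    """
    if not readings:
        return True
    return any(r is None or r > setpoint for r in readings)


def evaluate(div: Division, readings: Sequence[Optional[float]],
             setpoint: float = HP_LP_SETPOINT_MPA) -> InterlockOutput:
    """Interlock logic of 7.6.1.2.4. There is deliberately no bypass input
    (7.6.1.2.6): nothing in this interface can hold the interlock off."""
    active = high_pressure_condition(readings, setpoint)
    any_lpci_valve_open = div.mov_open or div.check_valve_open_for_test
    return InterlockOutput(
        interlock_active=active,
        close_mov=active,                 # close the MOV and keep it closed
        inhibit_check_valve_test=active,  # no testing of the check valves
        inhibit_lpci_mode=active,         # LPCI mode of FAPCS not permitted
        # 7.6.1.5: alarm when any LPCI valve is open and the interlock is active
        mcr_alarm=active and any_lpci_valve_open,
    )


def apply_outputs(div: Division, out: InterlockOutput) -> Division:
    """Drive the actuated devices: close the MOV if open and close the testable
    check valve if it is open for testing (7.6.1.1)."""
    if out.close_mov:
        div.mov_open = False
    if out.inhibit_check_valve_test:
        div.check_valve_open_for_test = False
    return div


def request_manual_lpci_initiation(div: Division,
                                   readings: Sequence[Optional[float]],
                                   setpoint: float = HP_LP_SETPOINT_MPA) -> bool:
    """Operator request to open the LPCI isolation valve (7.6.1.2.12).

    Granted only when the RPV has been depressurized below the setpoint;
    returns True when the valve was opened, False when the permissive is not met.
    """
    if evaluate(div, readings, setpoint).inhibit_lpci_mode:
        return False
    div.mov_open = True
    return True


def scan_both_divisions(readings_a, readings_b, div_a, div_b):
    """One logic scan. Each division evaluates its own readings in its own
    N-DCIS (7.6.1.2.9 separation); neither result depends on the other."""
    out_a = evaluate(div_a, readings_a)
    out_b = evaluate(div_b, readings_b)
    apply_outputs(div_a, out_a)
    apply_outputs(div_b, out_b)
    return out_a, out_b


if __name__ == "__main__":
    a, b = Division("PIP A", mov_open=True), Division("PIP B")
    # Constructed readings: reactor at power, well above the placeholder setpoint
    out_a, out_b = scan_both_divisions([7.1, 7.0], [7.0, 7.2], a, b)
    print(out_a.mcr_alarm, a.mov_open)                    # True False
    print(request_manual_lpci_initiation(a, [0.3, 0.3]))  # True after depressurization
```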

7.6.1.2.5 (Deleted)

7.6.1.2.6 Bypasses and Interlocks

The HP/LP interlock logic design has no bypass.

7.6.1.2.7 Redundancy and Diversity

The LPCI line uses pairs of redundant isolation valves (a parallel pair of MOVs, a parallel pair of testable check valves). Each set of valves is installed in series and provides over-pressure protection. Parallel valves provide redundancy and fire zone separation. Diversity is provided by a testable check valve, equipped with a pneumatic-assist actuator having a fail-closed feature, and a motor-operated fail as-is, normally closed block valve.

7.6.1.2.8 Actuated Devices

The LPCI line motor operated, parallel isolation valves and air-operated, parallel, testable check valves are the actuation devices affected by the HP/LP interlock logic. Separate solenoids are used for controlling air to each of the testable check valve actuators. The solenoids for the parallel testable check valves are powered by the PIP A N-DCIS for the solenoid for one valve and the PIP B N-DCIS for the solenoid for the other parallel valve. The PIP A bus powers one of the parallel MOVs and the PIP B bus powers the other MOV. The MOVs are fail as-is and are provided with hand wheels.

7.6-3


7.6.1.2.9 Separation

Electrical separation is provided by different power sources (PIP A and PIP B buses) with the logic separation provided by having implementation of valve operation in the PIP A N-DCIS and PIP B N-DCIS.

7.6.1.2.10 Testability

Testing of the reactor pressure instruments is discussed in Subsection 7.7.1.

Due to the high pressure interlock, the LPCI line isolation valves and check valves are stroke-tested only during low reactor pressure conditions. These valves are not subjected to the 10 CFR 50 Appendix J leak rate test, because they are neither containment isolation valves nor part of the Reactor Coolant Pressure Boundary (RCPB). However, they are leak rate tested per American Society of Mechanical Engineers (ASME) Code Section XI.

7.6.1.2.11 Environmental Considerations

The instrumentation and controls (I&C) for the HP/LP interlock logic are classified as nonsafety-related equipment and qualified to the environmental conditions existing at the locations of the devices.

7.6.1.2.12 Operational Consideration

The HP/LP interlock logic prevents manual initiation of the LPCI mode of FAPCS until the RPV has been depressurized below the reactor pressure instrument setpoint for the HP/LP interlock logic.

7.6.1.2.13 Reactor Operator Information

The status of each valve providing the HP/LP boundary is indicated in the Main Control Room (MCR). The status of the pressure instruments also is indicated in the MCR.

7.6.1.2.14 Setpoints

The HP/LP interlock logic setpoint is based on the design pressure of the low pressure FAPCS piping.

7.6.1.3 Safety Evaluation

There is no HP/LP interface involving safety-related systems. There is a nonsafety-related HP/LP interface involving the low pressure FAPCS LPCI line, which interfaces with a high pressure condition in the RWCU/SDC system piping. The RWCU/SDC system piping interfaces with the feedwater line, which maintains the RCPB.

The parallel testable safety-related check valves and MOVs provide protection to the low pressure FAPCS from the high pressure RWCU system. The motor-operated, normally closed, fail-as-is gate valves provide defense-in-depth protection against any leakage passing through the check valves. A safety relief valve is provided upstream of the testable check valves to protect against over-pressurization of the pipe by leakage through the check valves. The relief valve discharge line is monitored to detect any leakage through the check valves.

The FAPCS HP/LP interlock logic prevents the opening of the isolation valves on the LPCI discharge line. The interlock logic prohibits the LPCI line isolation valves from being opened whenever the reactor pressure is greater than the reactor pressure permissive setpoint for the interlock logic, thereby precluding over-pressurization of the low pressure FAPCS piping during reactor power operation. The interlock logic permits LPCI mode initiation when the reactor pressure is below its reactor pressure permissive setpoint, allowing the operator to manually open either isolation valve. The interlock logic operates automatically, and its status is provided to the reactor operator in the MCR.


Table 7.1-1 identifies the HP/LP interlock logic and the associated codes and standards applied, in accordance with NUREG-0800. This subsection addresses conformance of the nonsafety-related HP/LP interlock logic to regulatory requirements, guidelines, and industry standards.

7.6.1.3.1 Code of Federal Regulations

* Conformance: The HP/LP interlock logic is nonsafety-related.

10 CFR 50.55a(h), Protection and Safety Systems compliance with IEEE Std. 603

* Conformance: The HP/LP interlock logic is nonsafety-related. 10 CFR 50.55a(h) and IEEE Std. 603 are not applicable to this system.

10 CFR 50.34(f)(2)(v)(I.D.3), Bypass and Inoperable Status Indication:

* Conformance: The HP/LP interlock logic does not have a bypass feature.

7.6-5


10 CFR 52.47(a)(1)(iv), Resolution of Unresolved and Generic Safety Issues:

* Conformance: Resolution of unresolved and generic safety issues is discussed in Section 1.11.

10 CFR 52.47(a)(1)(vi), Inspections, Tests, Analyses and Acceptance Criteria (ITAAC) in Design Certification Applications:

* Conformance: ITAAC are provided for the I&C systems and equipment in Tier 1.

10 CFR 52.47(a)(1)(vii), Interface Requirements:

* Conformance: There are no interface requirements for this section.

10 CFR 52.47(a)(2), Level of Detail:

* Conformance: The level of detail provided for the interlock logic conforms to this criterion.

10 CFR 52.47(b)(2)(i), Innovative Means of Accomplishing Safety Functions:

* Conformance: The I&C design does not use innovative means for accomplishing safety functions.

7.6.1.3.2 General Design Criteria

GDC 1, 2, 4, 13, 19, 24 and 25:

* Conformance: Because the HP/LP interlock logic does not involve reactivity control, GDC 25 is not applicable. The interlock logic design complies with the remaining GDC listed above.

7.6.1.3.3 Regulatory Guides

RG 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems:

* Conformance: The HP/LP interlock logic does not have a bypass feature.

RG 1.53, Application of the Single Failure Criterion to Nuclear Power Protection Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.53 is not applicable to this system.

RG 1.75, Physical Independence of Electrical Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related. The physical and electrical separations maintained between safety-related and nonsafety-related systems conform to RG 1.75 as described in Subsections 8.3.1.3 and 8.3.1.4.

7.6-6


RG 1.105, Setpoints for safety-related Instrumentation:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.105 does not apply to the HP/LP interlock logic.

RG 1.118, Periodic Testing of Electric Power and Protection Systems:

* Conformance: The parallel safety-related testable check valves and parallel nonsafety-related motor-operated gate valves are stroke-tested only during low reactor pressure conditions due to the interlock logic.

RG 1.151, Instrument Sensing Lines:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.151 is not applicable.

RG 1.152, Criteria for use of computers in Safety systems of nuclear power plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.152 is not applicable.

RG 1.153, Criteria for Power, Instrumentation, and Control Portions of Safety Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.153 is not applicable.

RG 1.168, Verification, Validation, Reviews, and Audits for Digital computer software used in Safety systems of nuclear power plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.168 is not applicable.

RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.169 is not applicable.

RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.170 is not applicable.

RG 1.171, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.171 is not applicable.

7.6-7


RG 1.172, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.172 is not applicable.

RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.173 is not applicable.

RG 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related. RG 1.180 is not applicable.

RG 1.204, Guidelines for Lightning Protection of Nuclear Power Plants:

* Conformance: The HP/LP interlock logic is not a separate system. RG 1.204 is not applicable.

7.6.1.3.4 Branch Technical Positions

BTP HICB-1, Guidance on Isolation of Low-Pressure Systems from the High-Pressure Reactor Coolant System:

* Conformance: Because the MOVs are normally closed and are interlocked as described above, and the check valves are tested only when the reactor pressure is below the permissive setpoint for the interlock, the nonsafety-related HP/LP interlock logic design conforms to BTP HICB-1.

BTP HICB-11, Guidance on Application and Qualification of Isolation Devices:

* Conformance: The HP/LP interlock logic is not an isolation device. BTP HICB-11 is not applicable.

BTP HICB-12, Guidance on Establishing and Maintaining Instrument Setpoints:

* Conformance: The HP/LP interlock logic is nonsafety-related. BTP HICB-12 does not apply to the HP/LP interlock logic.

BTP HICB-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related so BTP HICB-14 does not apply.

7.6-8


BTP HICB-16, Guidance on the Level of Detail Required for Design Certification Applications Under 10 CFR Part 52:

* Conformance: The level of detail provided for the HP/LP interlock logic conforms to BTP HICB-16.

BTP HICB-17, Guidance on Self-Test and Surveillance Test Provisions:

* Conformance: The HP/LP interlock logic is nonsafety-related. The motor operated valves and testable check valves are stroke-tested only during low reactor pressure because of the interlock. No surveillance tests are conducted.

BTP HICB-18, Guidance on the Use of Programmable Logic Controllers in Digital Computer-Based Instrumentation and Control Systems:

* Conformance: The HP/LP interlock logic is nonsafety-related. BTP HICB-18 is not applicable.

BTP HICB-21, Guidance on Digital Computer Real-Time Performance:

* Conformance: The HP/LP interlock logic is nonsafety-related. BTP HICB-21 does not apply to the HP/LP interlock logic.

7.6.1.3.5 Three Mile Island Action Plan Requirements

In accordance with NUREG-0800 Section 7.6 and Table 7.1-1, 10 CFR 50.34(f)(2)(v)(I.D.3) applies to the HP/LP interlock system and is addressed above. Three Mile Island (TMI) action plan requirements are generically addressed in Appendix 1A.

7.6.1.4 Testing and Inspection Requirements

HP/LP interlock logic functions are calibrated and tested during the preoperational testing program to confirm that the HP/LP interlock logic functions as designed.

Testing and inspection of the NBS system pressure instruments are described in Subsection 7.7.1.4.

The parallel safety-related testable check valves and parallel nonsafety-related motor-operated gate valves are stroke-tested only during low reactor pressure conditions due to the interlock logic.

7.6.1.5 Instrumentation and Control Requirements

The following information is available to the reactor operator for the instrumentation and interlock logic described in this subsection.

7.6-9


* The reactor pressure is indicated in the MCR and at four local racks in the Reactor Building outside the containment.

* HP/LP interlock logic status is indicated in the MCR and is alarmed when any LPCI valve is open and the interlock logic is active.

* The open and closed positions of the isolation valves and check valves are indicated in the MCR.

7.6.2 (Deleted)

7.6.2.1 (Deleted)

7.6.3 COL Information

None

7.6.4 References

None

7.6-10


DCD Markups for RAI 7.8-8


26A6642AK Rev. 06 ESBWR Design Control Document/Tier 2

Table 3.11-1

Electrical and Mechanical Equipment for Environmental Qualification

Components  Quantity  Location (note 1)  Function (note 2)  Required Operation Time (note 3)  Qualification Program (note 4)

B21 Nuclear Boiler System

Depressurization Valves 8 CV ESF 72 hr MH
Safety Relief Valves 10 CV ESF 72 hr MH
Temperature Element in DPV/SRV Discharge 12 CV ESF 72 hr EH
MSIV - Inboard 4 CV PB 100 Days MH
MSIV - Outboard 4 RB PB 100 Days MH
MSIV Drain Bypass Valve 2 ST ESF 72 hr MH
Steam Line Lowpoint Drain Bypass Valve 1 TB ESF 72 hr MH
Feedwater Isolation Valve 4 ST/CV PB 100 Days MH
RPV Level Transmitters All RB ESF 100 Days EH
RPV Temperature Elements All CV ESF 100 Days EH
RPV Temperature Elements All RB ESF 100 Days EH
RPV Pressure Transmitter All RB ESF 100 Days EH
Feed Piping Diff Pressure Transmitter All RB ISOL 100 Days EH
Steam Line Flow Transmitter All RB ISOL 100 Days EH
Electrical Modules and Cable All CV, RB, ST, TB ESF 100 Days EH

B32 Isolation Condenser System

Isolation Valves 16 CV PB 100 Days MH
Isolation Valves Operator 16 CV ESF 100 Days MH
Condensate Return Valves 4 CV ESF 100 Days MH

3.11-16


Condensate Return Valves Operator 4 CV ESF 100 Days MH
Condensate Return Bypass Valve 4 CV ESF 100 Days MH
Condensate Return Bypass Valve Operator 4 CV ESF 100 Days MH
Upper Header Vent Valve 8 CV ESF 100 Days MH
Upper Header Vent Valve Actuator 8 CV ESF 100 Days MH
Lower Header Vent Valve 16 CV ESF 100 Days MH
Lower Header Vent Valve Actuator 16 CV ESF 100 Days MH
Equipment Storage Pool Connections 4 RB ESF 100 Days MH
Vent Line Temperature Element 8 CV ESF 100 Days EH
Condensate Drain Temperature Element 12 CV ESF 100 Days EH
Steam Piping Diff Pressure Transmitter 8 CV ESF 100 Days EH
Condensate Drain Diff Pressure Transmitter 8 CV ESF 100 Days EH
Electrical Modules and Cable All CV, RB ESF 100 Days EH

C11 Rod Control and Information System

Electrical Modules and Cable All CB ESF 72 hr EH

C12 Control Rod Drive System

HCU Scram Solenoid Pilot Valve 135 RB ESF 72 hr MH

3.11-17


FMCRD Passive Holding Brake 269 CV ESF 72 hr MH
(Deleted)
FMCRD Separation Switch 538 CV ESF 72 hr EH
Charging Water Header Pressure Transmitter 4 RB ESF 72 hr EH
Electrical Modules and Cable All CV, RB ESF 72 hr EH

C21 Leak Detection and Isolation System

Pressure Transmitters All CV, RB, CB ESF 100 Days EH
Temperature Sensors All CV, RB, CB ESF 100 Days EH
Electrical Modules and Cable All CV, RB, CB ESF 100 Days EH

C31 Feedwater Control System

Electric Modules and Cable All CB, RB ESF 72 hr EH

C51 Neutron Monitoring System

Detector and Tube Assembly 81 CV ESF 72 hr MH
Electrical Modules and Cable All CV, RB, CB ESF 100 Days EH

C61 Remote Shutdown System

Electrical Panels, Modules and Cable All RB ESF 100 Days C_

C63 Safety-Related DCIS

Electrical Modules and Cable All RB, CB ESF 100 Days C_

3.11-18


C71 Reactor Protection System

Electrical Modules and Cable All CB, RB ESF 100 Days EH

C72 Diverse Protection System

Electrical Modules and Cable All CB, RB, TB (function illegible) 100 Days EH

C74 Safety System Logic and Control

Electrical Modules and Cable All CB, RB ESF 100 Days EH

C41 Standby Liquid Control System

RPV Isolation Valve 2 CV PB 72 hr MH
Isolation Check Valves 4 CV/RB PB 72 hr MH
Squib Injection Valves 4 RB ESF 72 hr MH
Injection Shut Off Valves Actuator 4 RB ESF 100 Days EH
Nitrogen Charging Globe Valve 2 RB ESF 100 Days MH
Nitrogen Charging Globe Valve Actuator 2 RB ESF 100 Days EH
Nitrogen Charging Check Valve 2 RB ESF 72 hr MH
Accumulator Depressurization Valves 4 RB ESF 100 Days MH
Accumulator Depressurization Valves Actuator 4 RB ESF 100 Days EH
Accumulator Relief Valve 2 RB PB 72 hr MH
Injection Shut Off Valves 4 RB ESF 72 hr MH

3.11-19

Page 88: HITACHI Hitachi Nuclear Energy2's4 64S ý# Richard E. Kingston Vice President, ESBWR Licensing MFN 08-742, Supplement 1 Page 2 of 2 Reference: 1. MFN 08-687, Letter from U.S. Nuclear

26A6642AK Rev. 06ESBWR Design Control Document/Tier 2

Table 3.11-1
Electrical and Mechanical Equipment for Environmental Qualification

Components | Quantity | Location (note 1) | Function (note 2) | Required Operation Time (note 3) | Qualification Program (note 4)

CIV - Drywell Spray - Inboard | 1 | CV | PB | 72 hr | MH
CIV - SPC Suction - Outboard | 4 | RB | PB | 72 hr | MH
CIV - SPC Return - Outboard | 2 | RB | PB | 72 hr | MH
CIV - SPC Return - Inboard | 2 | CV | PB | 72 hr | MH
CIV - GDCS Suction - Outboard | 1 | RB | PB | 72 hr | MH
CIV - GDCS Suction - Inboard | 1 | CV | PB | 72 hr | MH
CIV - GDCS Return - Outboard | 1 | RB | PB | 72 hr | MH
CIV - GDCS Return - Inboard | 1 | CV | PB | 72 hr | MH
LPCI Isolation | 4 | FB/RB | PB | 72 hr | MH
IC/PCC Pool Level Instrumentation | [illegible] | RB | ESF | 100 Days | EH
Fuel Pool Level Instruments | 2 | FB | ESF | 100 Days | EH
Electrical Modules and Cable | All | CV, FB, RB, CB | ESF | 100 Days | EH

G31 Reactor Water Cleanup/Shutdown Cooling System

CIV - Mid Vessel - Inboard | 2 | CV | PB | 72 hr | MH
CIV - Mid Vessel - Outboard | 2 | RB | PB | 72 hr | MH
CIV - Mid Vessel - Inboard Operator | [illegible] | CV | PB | 72 hr | EH
CIV - Mid Vessel - Outboard Operator | 2 | RB | PB | 72 hr | EH

3.11-21


Table 3.11-1
Electrical and Mechanical Equipment for Environmental Qualification

Components | Quantity | Location (note 1) | Function (note 2) | Required Operation Time (note 3) | Qualification Program (note 4)

CIV - Bottom Drain Inboard | 2 | CV | PB | 72 hr | MH
CIV - Bottom Drain Outboard | 2 | RB | PB | 72 hr | MH
CIV - Bottom Drain Inboard Operator | 2 | CV | PB | 72 hr | EH
CIV - Bottom Drain Outboard Operator | 2 | RB | PB | 72 hr | EH
CIV - Process Sampling Line - Inboard | 2 | CV | PB/PAMS | 100 Days | MH
CIV - Process Sampling Line - Outboard | 2 | RB | PB/PAMS | 100 Days | MH
CIV - Process Sampling Line - Inboard Operator | 2 | CV | PB/PAMS | 100 Days | EH
CIV - Process Sampling Line - Outboard Operator | 2 | RB | PB/PAMS | 100 Days | EH
Return Line Shutoff Valve | 2 | RB | ISOL | 72 hr | MH
Check Valve to Feedwater | 4 | RB | ISOL | 72 hr | MH
Mid-vessel Flow Instrumentation | [illegible] | CV | ISOL | 100 Days | EH
Mid-vessel Temperature Instrumentation | A114 | CV | ISOL | 100 Days | EH
Bottom Drain Flow Instrumentation | A112 | CV | ISOL | 100 Days | EH
Bottom Drain Temperature Instrumentation | A114 | CV | ISOL | 100 Days | EH
Return Line Flow Instrumentation | A... | RB | ISOL | 100 Days | EH
Return Line Temperature Instrumentation | A114 | RB | ISOL | 100 Days | EH

3.11-22


Table 3.11-1
Electrical and Mechanical Equipment for Environmental Qualification

Components | Quantity | Location (note 1) | Function (note 2) | Required Operation Time (note 3) | Qualification Program (note 4)

Overboard Flow Instrumentation | A112 | RB | ISOL | 100 Days | EH
Overboard Temperature Instrumentation | A114 | RB | ISOL | 100 Days | EH
Electrical Modules and Cables | All | CV, RB | ESF | 100 Days | EH

H11 Main Control Room Panels

Panels, Modules and Cables | All | CB | ESF | 100 Days | CE

H12 MCR Back Room Panels

Panels, Modules and Cable | All | CB | ESF | 100 Days | C_

H21 Local Panels and Racks

Panels, Modules and Cable | All | ALL | ESF | 100 Days | EH

N21 Condensate and Feedwater System

Feed Line Temperature Element | All | ST | ESF | 100 Days | EH
Feed Piping Diff Pressure Transmitter | All | ST | ISOL | 100 Days | EH
Electrical Modules and Cable | All | ST, GB | ESF | 100 Days | EH

P10 Makeup Water System

Isolation Valves | All | CV, RB | ISOL | 72 hr | MH

P25 Chilled Water System

Isolation Valves | 8 | CV, RB | ISOL | 72 hr | MH

P51 Service Air System

Isolation Valves | 4 | CV, RB | ISOL | 72 hr | MH

P54 High Pressure Nitrogen Supply System

Isolation Valves | 4 | CV, RB | ISOL | 72 hr | MH

3.11-23


The functional program logic in the RPS and SSLC/ESF controllers provides protection against common mode failures using:

* Redundant sensors. Data messages from the sensors have unique identifications in each division;

* Identical modules that provide simple, readily verifiable functions such as setpoint comparison and two-out-of-four logic; and

* Standard protocols for multiplexing and other data transmission functions that are verified to industry standards and are qualified to safety-related standards.

7.8.3 Safety Evaluation

The DPS is designed as a highly reliable nonsafety-related system that meets the probabilistic risk assessment (PRA) requirements to minimize failures on demand and to minimize inadvertent operation. The DPS components are designed to ensure that reliability goals and system design requirements are met. The sensors and actuation devices that interface directly with safety-related structures, systems, and components (SSC) are qualified to meet the seismic category I classification (IEEE Std. 603, Section 5.4).

Consistent with the guidance in IEEE Std. 603, Section 5.6 and IEEE Std. 384, the nonsafety-related DPS is designed to avoid adverse interaction with the protection systems with which it interfaces. Because the DPS logic does not communicate with the RPS logic, credible DPS failure modes do not prevent the RPS from performing a reactor trip. The DPS cannot cause the RPS to initiate a reactor trip prematurely. Credible DPS failure modes cannot prevent the SSLC/ESF actuation system from initiating ECCS functions and/or performing fission product barrier isolation functions. Additionally, credible DPS failure modes cannot result in premature operation of these protection systems.

The ATWS/SLC logic is designed to mitigate a failure of the normal reactor trip system to function and is diverse from and independent of the RPS. The ATWS/SLC logic platform is designed as a safety-related system with four independent divisions powered from divisionally separated safety-related power sources. Each redundant division of ATWS/SLC logic, which uses two-out-of-four voting logic, is capable of performing ATWS mitigation during reactor operation.
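The per-division setpoint comparison and two-out-of-four coincidence logic listed among the common mode failure protections above, and used again by the four ATWS/SLC divisions in this subsection, shown as an added Python illustration (not ESBWR, RPS or GEH code); the message layout, the division identifiers, the sequence numbers and the setpoint value are constructed assumptions.

```python
from dataclasses import dataclass

# The four independent safety divisions; any other source identifier is rejected.
DIVISIONS = ("I", "II", "III", "IV")


@dataclass(frozen=True)
class SensorMessage:
    """One data message from a divisional sensor (constructed layout, not the plant format)."""
    division: str   # unique divisional identification carried by every message
    seq: int        # sequence number, so a repeated or stale message is recognisable
    value: float    # measured parameter value (constructed units)


def setpoint_compare(msg: SensorMessage, setpoint: float) -> bool:
    """Simple per-division function: has this division's measurement exceeded the setpoint?"""
    return msg.value > setpoint


def two_out_of_four(messages, setpoint: float, last_seq: dict) -> bool:
    """Coincidence logic: trip only when at least two distinct divisions exceed the setpoint.

    A division is counted once however many messages it sends, so a single
    chattering or failed division can neither cause a trip on its own nor, by
    staying silent, prevent the other divisions from tripping. Messages whose
    division identification is not one of the four divisions (for example, from
    a nonsafety source) or whose sequence number does not advance are discarded.
    last_seq holds the latest sequence number accepted per division (updated in place).
    """
    tripped = set()
    for m in messages:
        if m.division not in DIVISIONS:
            continue                      # unknown source: cannot influence the vote
        if m.seq <= last_seq.get(m.division, -1):
            continue                      # repeated or stale message: ignore
        last_seq[m.division] = m.seq
        if setpoint_compare(m, setpoint):
            tripped.add(m.division)
    return len(tripped) >= 2


if __name__ == "__main__":
    sp = 7.0   # constructed setpoint
    scan = [SensorMessage("I", 1, 7.4), SensorMessage("II", 1, 7.6),
            SensorMessage("III", 1, 6.2), SensorMessage("IV", 1, 6.0)]
    print("two divisions over setpoint ->", two_out_of_four(scan, sp, {}))      # True
    chatter = [SensorMessage("I", 1, 9.0), SensorMessage("I", 2, 9.0), SensorMessage("I", 3, 9.0)]
    print("one division, three messages ->", two_out_of_four(chatter, sp, {}))  # False
```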

A quality assurance program that meets or exceeds the guidance contained in NRC Generic Letter 85-06, "Quality Assurance Guidance for ATWS Equipment That Is Not Safety-Related," is applied to all diverse I&C systems and components described in this section. Software used in diverse instrumentation and control systems is designed and developed in accordance with the requirements of Reference 7.8-3.


Table 7.1-1 identifies the diverse I&C and the associated codes and standards applied, in accordance with the SRP. This subsection addresses I&C systems conformance to regulatory requirements, guidelines, and industry standards.

7.8-13