transmittal of the meeting materials for the nrc's meeting ...enclosure 1 docket no. 52-021 mhi...

Post on 15-Jul-2020


MITSUBISHI HEAVY INDUSTRIES, LTD.

16-5, KONAN 2-CHOME, MINATO-KU

TOKYO, JAPAN

April 27, 2009

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Attention: Mr. Jeffrey A. Ciocco

Docket No. 52-021

MHI Ref: UAP-HF-09206

Subject: Transmittal of the meeting materials for the NRC's Meeting for PRA Model of US-APWR

With this letter, Mitsubishi Heavy Industries, Ltd. ("MHI") transmits to the U.S. Nuclear Regulatory Commission ("NRC") the meeting materials that have been presented during the NRC's meeting for PRA model of US-APWR. The meeting was held on April 14th through 15th at Washington, U.S.

The enclosed meeting materials contain information that MHI considers proprietary, and therefore the materials should be withheld from disclosure pursuant to 10 C.F.R. § 2.390 (a)(4) as trade secrets and commercial or financial information which is privileged or confidential. In accordance with the NRC submittal procedures, this letter includes an Affidavit (Enclosure 1) that identifies the reasons MHI respectfully requests that all materials designated as "Proprietary" in Enclosure 1 be withheld from disclosure pursuant to 10 C.F.R. § 2.390 (a)(4).

Please contact Dr. C. Keith Paulson, Senior Technical Manager, Mitsubishi Nuclear Energy Systems, Inc. if the NRC has questions concerning any aspect of this submittal. His contact information is provided below.

Sincerely,

Yoshiki Ogata,
General Manager-APWR Promoting Department
Mitsubishi Heavy Industries, LTD.

Enclosures:

1. Affidavit of Yoshiki Ogata

2. Meeting material "I&C Presentation for PRA model" (Proprietary version)

3. Meeting material "I&C Presentation for PRA model" (Non-Proprietary version)

CC: J. A. Ciocco
C. K. Paulson

Contact Information
C. Keith Paulson, Senior Technical Manager
Mitsubishi Nuclear Energy Systems, Inc.
300 Oxford Drive, Suite 301
Monroeville, PA 15146
E-mail: ckpaulson@mnes-us.com
Telephone: (412) 373-6466

ENCLOSURE 1

Docket No. 52-021

MHI Ref: UAP-HF-09206

MITSUBISHI HEAVY INDUSTRIES, LTD.

AFFIDAVIT

I, Yoshiki Ogata, state as follows:

1. I am General Manager, APWR Promoting Department, of Mitsubishi Heavy Industries, LTD ("MHI"), and have been delegated the function of reviewing MHI's US-APWR documentation to determine whether it contains information that should be withheld from public disclosure pursuant to 10 C.F.R. § 2.390 (a)(4) as trade secrets and commercial or financial information which is privileged or confidential.

2. In accordance with my responsibilities, I have reviewed the enclosed document entitled "Meeting material I&C Presentation for PRA model" dated April 2009, and have determined that portions of the document contain proprietary information that should be withheld from public disclosure. Those pages containing proprietary information are identified with the label "Proprietary" on the top of the page and the proprietary information has been bracketed with an open and closed bracket as shown here "[ ]". The first page of the document indicates that all information identified as "Proprietary" should be withheld from public disclosure pursuant to 10 C.F.R. § 2.390 (a)(4).

3. The information identified as proprietary in the enclosed document has in the past been, and will continue to be, held in confidence by MHI and its disclosure outside the company is limited to regulatory bodies, customers and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and is always subject to suitable measures to protect it from unauthorized use or disclosure.

4. The basis for holding the referenced information confidential is that it describes the unique design of I&C system, developed by MHI and not used in the exact form by any of MHI's competitors. This information was developed at significant cost to MHI, since it required the performance of Research and Development and detailed design for its software and hardware extending over several years.

5. The referenced information is being furnished to the Nuclear Regulatory Commission ("NRC") in confidence and solely for the purpose of information to the NRC staff.

6. The referenced information is not available in public sources and could not be gathered readily from other publicly available information. Other than through the provisions in paragraph 3 above, MHI knows of no way the information could be lawfully acquired by organizations or individuals outside of MHI.

7. Public disclosure of the referenced information would assist competitors of MHI in their design of new nuclear power plants without incurring the costs or risks associated with the design and testing of the subject systems. Therefore, disclosure of the information contained in the referenced document would have the following negative impacts on the competitive position of MHI in the U.S. nuclear plant market:

A. Loss of competitive advantage due to the costs associated with development of the I&C system. Providing public access to such information permits competitors to duplicate or mimic the I&C system design without incurring the associated costs.

B. Loss of competitive advantage of the US-APWR created by benefits of enhanced plant safety, and reduced operation and maintenance costs associated with the I&C system.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information and belief.

Executed on this 27th day of April, 2009.

Yoshiki Ogata,
General Manager-APWR Promoting Department
Mitsubishi Heavy Industries, LTD.

Docket No. 52-021
MHI Ref: UAP-HF-09206

Enclosure 3

UAP-HF-09206
Docket No. 52-021

Meeting material "I&C Presentation for PRA model"

April 2009 (Non-Proprietary)

US-APWR

I&C System Presentation for PRA Model

Mitsubishi Heavy Industries, Ltd.

Contents

- System and Function of I&C System
  - Overall Architecture
  - Reactor Trip System
  - ESF System
- Configuration of Digital I&C System
  - Reactor Trip System
  - ESF System (S signal as example)
- Diverse Actuation System
  - Configuration of DAS
  - Shared Portion between DAS and PSMS
- Unavailability Calculation
  - Calculation Equation
  - Bypass Model in PRA
  - Unavailability of RTB

US-APWR I&C Overall Architecture

[Figure: block diagram of the overall I&C architecture showing DAS, PSMS, HSIS and PCMS and their connections (hardwired lines, point-to-point data links, redundant multi-drop signal network, redundant I/O network). The diagram itself is not recoverable from the extracted text.]

DAS: Diverse Actuation System
PSMS: Protection and Safety Monitoring System
HSIS: Human System Interface System
PCMS: Plant Control and Monitoring System

DCD Section 7.1, Figure 7.1-1

US-APWR I&C Overall Architecture

- I&C system of the US-APWR consists of four systems.
  - Protection and Safety Monitoring System (PSMS)
  - Plant Control and Monitoring System (PCMS)
  - Human System Interface System (HSIS)
  - Diverse Actuation System (DAS)
- Protection and Safety Monitoring System:
  - Encompasses safety-related I&C system.
    * Reactor Trip System
    * Engineered Safety Features (ESF) System
  - Has configuration of four redundant trains.
  - Includes
    * Reactor Protection System (RPS)
    * ESF Actuation System (ESFAS)
    * Safety Logic System (SLS)
    * Safety Grade HSIS
  - Continuously checked by self-diagnosis function.

Reactor Trip System

[Figure: Reactor Trip System block diagram, from sensors through the Reactor Protection System trains and Safety Bus to the Reactor Trip Breakers (A to D), with links to the ESF Actuation System and HSIS computers. Legend: bus, data link, hard wired, electrical to optical converter or optical to electrical converter, BUS interface, isolation point. The diagram itself is not recoverable from the extracted text.]

DCD Section 7.2, Figure 7.2-1

Reactor Trip System

[Figure: functional allocation in Reactor Protection System A for Low SG Water Level and High Pressurizer Pressure, showing the sensor, the input part (from sensor), the processing part (in RPS) with 2/4 voting and exchange with other RPS trains, and the output part (to RTB) driving the Reactor Trip Breakers. The diagram itself is not recoverable from the extracted text.]

DCD Section 7.2, Figure 7.2-8

Reactor Trip System

- Reactor Trip System consists of:
  - Sensor
  - Reactor Protection System (RPS)
  - Reactor Trip Breaker (RTB)
- Design Features of RPS
  - RPS has two controller groups with functional diversity which process diverse variables for reactor trip. (see next sheet)
  - Two controller groups are separated from each other, from sensor to output module.
  - Manual initiation function is provided such that automatic process part of RPS is bypassed.

Diverse Parameters in TwoSeparate Controller Groups

Group 1 | Group 2 | Remark
Over Power ΔT; High Power Range Neutron Flux | High Power Range Neutron Flux Rate | Over Power Protection
Low RCP Speed; Over Temperature ΔT | Low Reactor Coolant Flow; Low Pressurizer Pressure | Core Heat Removal Protection
Low SG Water Level; High Pressurizer Water Level | High Pressurizer Pressure | Loss of Heat Sink Protection
High Source Range Neutron Flux; High Intermediate Range Neutron Flux | High Power Range Neutron Flux (Low Setpoint) | Nuclear Startup Protection
High Pressurizer Water Level | High Pressurizer Pressure | Primary Over Pressure Protection

DCD Section 7.2, Table 7.2-5

ESF System

[Figure: ESF System block diagram for Train A, showing the system level conventional switch, the Safety Bus (Train A), the redundant Safety Logic System groups (Gr. 1 to Gr. 3) with their sub-systems, I/O or I/O with priority logic, and the automatic and manual actuation signals from the Diverse Actuation System. Legend: bus, data link, hard wired, electrical to optical converter or optical to electrical converter, BUS interface, isolation point (local, switchgear, motor control center, etc.). The diagram itself is not recoverable from the extracted text.]

DCD Section 7.3, Figure 7.3-1

ESF System

- ESF System consists of:
  - Sensor
  - Reactor Protection System (RPS)
  - ESF Actuation System (ESFAS)
  - Safety Logic System (SLS)
- Design Features of ESF System
  - RPS for ESF System is not considered of functional diversity.
  - SLS has two or three controller groups with functional diversity which controls different components from each other group.
  - Manual component control is provided from Safety/Operational VDUs to SLS via Communication System such that automatic process part of RPS and ESFAS is bypassed.
  - So that, some kind of functional diversity can be applied between automatic and manual ESF actuation function.
  - ESFAS and each group of SLS have two redundant controllers. Same application software is implemented in these redundant controllers.

Configuration of RTS

PRA Report, Figure 6.A.12-1


Configuration of RTS

- Sensor
- RPS (for each of two variables to consider functional diversity)
  - Input part
  - Processing part
  - Communication part between other RPS trains
  - Output part
  - Power supply
- Reactor Trip Breaker

Configuration of RTS

- Sensor
- RPS
  - Input part
    * Distribution module
    * Analog input (A/I) module
    * Repeater module
  - Processing part
  - Communication part between other RPS trains
  - Output part
  - Power supply
- Reactor Trip Breaker

Configuration of RTS

- Sensor
- RPS
  - Input part
  - Processing part
    * CPU module
    * System management module
    * Network I/F module (for Unit Bus and Safety Bus)
  - Communication part between other RPS trains
  - Output part
  - Power supply
- Reactor Trip Breaker

Configuration of RTS

- Sensor
- RPS
  - Input part
  - Processing part
  - Communication part between other RPS trains
    * Bus master module (for input and output)
    * E/O module (for input and output of three trains)
  - Output part
  - Power supply
- Reactor Trip Breaker

Configuration of RTS

- Sensor
- RPS
  - Input part
  - Processing part
  - Communication part between other RPS trains
  - Output part
    * Repeater module
    * Digital output (D/O) module
    * Distribution module
  - Power supply
- Reactor Trip Breaker

Configuration of RTS

- Sensor
- RPS
  - Input part
  - Processing part
  - Communication part between other RPS trains
  - Output part
  - Power supply
    * CPU power module (main and back up)
    * I/O power module (main and back up)
- Reactor Trip Breaker

Configuration of ESF System

PRA Report, Figure 6.A.13-1

Configuration of ESF System

- Sensor
- RPS
  - Input part
  - Processing part
  - Communication part between other RPS trains
  - Output part
    * Bus master module
    * E/O module (for four train ESFAS)
  - Power supply

Configuration of ESF System

- ESFAS (redundant portion)
  - Input part
    * E/O module
    * Bus master module
  - Processing part
    * CPU module
    * System management module
    * Network I/F module (for Safety Bus)
  - Output part
    * Optical switch
  - Power supply
    * CPU power module (main and back up)
    * I/O power module (main and back up)

Configuration of ESF System

- SLS (redundant portion)
  - Input part
    * Optical switch
  - Processing part
    * CPU module
    * System management module
    * Network I/F module (for Safety Bus)
  - Output part
    * Repeater module
  - Power supply
    * CPU power module (main and back up)
    * I/O power module (main and back up)

Configuration of DAS

MUAP-07006, Figure 6.0-1

Configuration of DAS

- DAS consists of:
  - Automatic actuation part
  - Manual actuation part
- Both parts have two subsystems.
- Two subsystems are configured with 2-out-of-2 to prevent spurious actuation.
- Each subsystem includes internal redundancy (1-out-of-2) for logic and output module to enhance the reliability.
- No single failure of a DAS component causes spurious actuation or failure to actuate.

Configuration of DAS

- Automatic actuation part:
- Diverse Automatic Actuation Cabinet (DAAC)
  - Two subsystems
  - Input from sensor signal via isolation module
  - Bistable, voting logic, and output to SLS
  - Output module is relay as "energized to actuate"
  - Combine automatic actuation and manual actuation with hardwired circuit.

Configuration of DAS

- Manual actuation part:
- Diverse HSI Panel (DHP)
  - Have all controls of DAS manual function
  - Provide required monitoring function
- Power Breaker for DHP
  - Permit all DHP control by closing breaker

Model of DAS Reactor Trip


Unavailability Calculation

- Calculation Equation

$$UA = 1 - \frac{MTBF}{MTBF + (1 - SDR)\,\frac{T}{2} + MTTR}$$

  - UA: Unavailability [/demand]
  - MTBF: Mean time between failures [hr]
  - SDR: Self-diagnosis rate
  - T: Test interval [hr]
  - MTTR: Mean time to repair [hr]

Unavailability Calculation

- Calculation Equation

$$UA = 1 - \frac{MTBF}{MTBF + \text{Down Time}}$$

$$\text{Down Time} = (1 - SDR)\left(\frac{T}{2} + MTTR\right) + SDR \cdot MTTR = (1 - SDR)\,\frac{T}{2} + MTTR$$

- Down Time consists of:
  * Mean time to detect failure (MTDF)
  * Mean time to repair (MTTR)
  - For failure undetected by self-diagnosis
    * MTDF = T/2
    * DownTime = T/2 + MTTR
  - For failure detected by self-diagnosis
    * MTDF = Self-diagnosis interval << MTTR
    * DownTime = MTTR

Unavailability Calculation

- MTBF (Mean time between failures [hr])
  - The mean time of available period.
  - Inverse value of failure rate [/hr] is used.
  - Failure rate of sensor is based on industry experience data.
  - Failure rate of other component is estimated based on MIL standard for each module.
- SDR (Self-diagnosis rate)
  - The rate at which the self-diagnosis function detects failures.
  - SDR of digital component is estimated as 100% based on failure mode analysis of MELTAC platform.
  - 90% SDR is used in the PRA as a conservative assumption for digital devices.
  - 0% SDR is used for conventional devices.

Unavailability Calculation

- T (Test interval [hr])
  - The interval period of time of surveillance.
  - Surveillance can detect failures which were undetected by self-diagnosis.
  - Test interval is based on the surveillance frequency in Technical Specification.
- MTTR (Mean time to repair [hr])
  - The out-of-service period of time including time to repair and bypass time.
  - Time to repair is based on the Completion Time in Technical Specification.

Bypass Model in PRA

- Bypass time is conservatively assessed in MTTR of Unavailability calculation
  - To simplify Fault Tree.
- For example of sensor,
  - MTTR of first channel is one year (8760hr).
  - MTTR of other channel is equal to Completion Time plus bypass time (72hr+12hr).
  - Average MTTR = (8760+84+84+84)/4 [hr]
- Unlimited bypass of Reactor Trip Breaker is modeled in Fault Tree.
  - To avoid too conservative CCF value of RTB.

Unavailability of RTB

- All trip mechanisms of each train of RTB are tested every 124 days, and the manual trip function of RTB is tested every year in STS NUREG-1431.
- For US-APWR, surveillance interval of RTB is extended from STS, as follows.
  - Four trains changed from two trains on staggered basis.
  - Manual, shunt and UV functions are separately tested.

Days 62 62 62 62 62 62 62 62 62 62 62 62 62

Train A B C D A B C D A B C D A

uv X X X X X

Shunt X X X X

Manual X X X X

Mech. X X X X X X X X X X X X X

Unavailability of RTB

- Therefore, unavailability of RTB is calculated from NUREG 6928 to include this extension of surveillance interval.
  - Mechanical, UV and shunt functions are calculated respectively.
  - Failure rate [/hr] is calculated from unavailability data [/d] in NUREG with STS data.
  - Unavailability [/d] for US-APWR is calculated from above failure rate [/hr] with US-APWR data.
  - Unavailability of RTB is integrated with data of mechanical, UV and shunt function.
- This calculated value will be reflected in next revision of PRA.

Unavailability of RTB

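- Unavailability data of RTB in NUREG
  - Unavailability of mechanical: $UA'_M = 1.5\text{E-}5$ /d
  - Unavailability of UV coil: $UA'_{UV} = 4.0\text{E-}4$ /d
  - Unavailability of Shunt coil: $UA'_S = 3.0\text{E-}4$ /d
- Calculation of failure rate [/hr] of RTB

$$\lambda_M = UA'_M \times \frac{2}{T} = \frac{1.5\text{E-}5 \times 2}{124 \times 24} = 1.01\text{E-}8\ /\text{hr}$$

$$\lambda_{UV} = UA'_{UV} \times \frac{2}{T} = \frac{4.0\text{E-}4 \times 2}{124 \times 24} = 2.69\text{E-}7\ /\text{hr}$$

$$\lambda_S = UA'_S \times \frac{2}{T} = \frac{3.0\text{E-}4 \times 2}{124 \times 24} = 2.02\text{E-}7\ /\text{hr}$$

Where: $UA = \lambda T / 2$, then $\lambda = UA \times 2 / T$; T = Test interval in STS (124 days)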

Unavailability of RTB

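- Calculation of unavailability for US-APWR

$$UA_M = 1.01\text{E-}8 \times \left(\frac{5952}{2} + 24\right) = 3.03\text{E-}5\ /\text{d}$$

$$UA_{UV} = 2.69\text{E-}7 \times \left(\frac{17856}{2} + 48\right) = 2.41\text{E-}3\ /\text{d}$$

$$UA_S = 2.02\text{E-}7 \times \left(\frac{17856}{2} + 48\right) = 1.81\text{E-}3\ /\text{d}$$

$$UA_{RTB} = UA_M + UA_{UV} \cdot UA_S = 3.03\text{E-}5 + 2.41\text{E-}3 \times 1.81\text{E-}3 = 3.03\text{E-}5 + 4.36\text{E-}6 = 3.47\text{E-}5 \approx 3.5\text{E-}5\ /\text{d}$$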
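The unavailability equation and the RTB calculation above, carried through in Python as an added example (not MHI's code or part of the presentation). Function names are assumptions, the 24 hr and 48 hr additive terms are taken as they appear in the slide's expressions, and intermediate values are rounded to three significant figures as on the slides.

```python
def round_sig(x, digits=3):
    """Round to significant figures, as the slides do between steps."""
    return float(f"{x:.{digits - 1}e}")

def down_time(sdr, test_interval_hr, mttr_hr):
    """(1-SDR)(T/2 + MTTR) + SDR*MTTR, simplified to (1-SDR)*T/2 + MTTR."""
    if not 0.0 <= sdr <= 1.0:
        raise ValueError("SDR must be within [0, 1]")
    return (1.0 - sdr) * test_interval_hr / 2.0 + mttr_hr

def unavailability(mtbf_hr, sdr, test_interval_hr, mttr_hr):
    """UA = 1 - MTBF/(MTBF + DownTime), written as DT/(MTBF + DT),
    which is the same quantity without cancellation error."""
    dt = down_time(sdr, test_interval_hr, mttr_hr)
    return dt / (mtbf_hr + dt)

def failure_rate(ua_per_demand, test_interval_hr):
    """Invert UA = lambda*T/2 to recover lambda [/hr] from NUREG data."""
    return round_sig(2.0 * ua_per_demand / test_interval_hr)

def standby_ua(lam_per_hr, test_interval_hr, added_hr):
    """UA = lambda*(T/2 + added term), the form used for each RTB function."""
    return round_sig(lam_per_hr * (test_interval_hr / 2.0 + added_hr))

def rtb_unavailability():
    """Reproduce the slide values for the reactor trip breaker."""
    sts_interval_hr = 124 * 24              # STS test interval (124 days)
    lam_m = failure_rate(1.5e-5, sts_interval_hr)    # mechanical
    lam_uv = failure_rate(4.0e-4, sts_interval_hr)   # UV coil
    lam_s = failure_rate(3.0e-4, sts_interval_hr)    # shunt coil
    ua_m = standby_ua(lam_m, 5952, 24)      # US-APWR intervals from the slide
    ua_uv = standby_ua(lam_uv, 17856, 48)
    ua_s = standby_ua(lam_s, 17856, 48)
    # Breaker fails on a mechanical fault, or when UV and shunt both fail.
    ua_rtb = round_sig(ua_m + round_sig(ua_uv * ua_s))
    return {"lambda_m": lam_m, "lambda_uv": lam_uv, "lambda_s": lam_s,
            "ua_m": ua_m, "ua_uv": ua_uv, "ua_s": ua_s, "ua_rtb": ua_rtb}

def average_sensor_mttr():
    """Bypass model: first channel 8760 hr, other three 72 hr + 12 hr."""
    return (8760 + 84 + 84 + 84) / 4

if __name__ == "__main__":
    for name, value in rtb_unavailability().items():
        print(f"{name:10s} {value:.2e}")
    print("average sensor MTTR [hr]:", average_sensor_mttr())
    # Constructed inputs (not from the slides): MTBF 1.0E6 hr, T 17520 hr.
    for sdr in (1.0, 0.9, 0.0):
        ua = unavailability(1.0e6, sdr, 17520, 84)
        print(f"SDR={sdr:.1f}  UA={ua:.2e} /demand")
```

The last loop shows how strongly the result depends on the self-diagnosis rate: the 90% value used in the PRA gives roughly ten times the unavailability of the 100% estimate for the constructed inputs.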

Planned changes to the PRA model

- MHI plans to update digital I&C portion of the PRA model in 2009
- Types of changes include
  - Incorporate RAI response commitments,
  - Reflect design changes, and
  - Amend model based on MHI self check
  - Reflect amended reliability parameters
- Systems to be updated
  - Reactor trip system
  - ESF system
  - DAS

Planned changes to the PRA model

General changes

- Revise unavailability of I&C hardware components
- Model RPS communication part in detail
- Incorporate dependency of power supply module (RAI 19-28)
- Consider dependency of sensors used in reactor trip system and ESF system (RAI 19-38)

Planned changes to the PRA model

Reactor protection system

- Model 2 groups of the RPS part
  - Failure combinations of group 1 and 2 are adequately modeled
- Dependency with power supply module
  - Failure of power supply is eliminated since such failure causes reactor trip
- Apply re-estimated reactor trip unavailability

Planned changes to the PRA model

ESF system

- Consider application software dependencies among different signals, including "other signals"
- Amend FT part of manual safety injection using DAS
- Credit automatic actuation of motor driven EFW using DAS
- Revise FT structure in a way that the signal flow can be traced in the tree

Planned changes to the PRA model

DAS

- Adequately model dependency between DAS and other systems
  - Sensors and distributer module are common with ESF and Reactor trip system
- Apply unreliability value estimated from fault tree analysis

Planned changes to the PRA model

Changes of Digital I&C model have been incorporated in the DCD rev.0 PRA to see the impact of update

CDF of internal events at power

- DCD rev.0: 1.17E-6 /RY
- Digital I&C updated: 1.25E-6 /RY (+9%)
