document control desk - nrc.gov

AAREVA

May 22, 2012NRC:12:029

Document Control DeskU.S. Nuclear Regulatory CommissionWashington, D.C. 20555-0001

Response to U.S. EPR Design Certification Application RAI 414, Supplement 16

Ref. 1: E-Mail, Getachew Tesfaye (NRC) to Martin Bryan, et al (AREVA NP Inc.), "U.S. EPR DesignCertification Application RAI No. 414 (4394, 4398, 4752, 4548), FSAR Ch. 7 OPEN ITEM,"June 15, 2010.

Ref. 2: E-Mail, Dennis Williford (AREVA NP Inc.) to Getachew Tesfaye (NRC), "Response to U.S.EPR Design Certification Application RAI No. 414, FSAR Ch. 7 OPEN ITEM, Supplement15," February 17, 2012.

Ref. 3: Letter, Sandra M. Sloan (AREVA NP Inc.) to Document Control Desk (NRC), "ANP-10309P,"U.S. EPR Protection System Technical Report, Revision 3," NRC:1 1:068, July 1, 2011.

In Reference 1, the NRC provided a request for additional information (RAI) regarding the U.S. EPRdesign certification application. In Reference 2, AREVA NP Inc. (AREVA NP) provided a revisedschedule for a response to the remaining question, 07.03-30.

Enclosed is a technically correct and complete final response to Question 07.03-30 in RAI No. 414,as shown in the table below.

Appended to this file are affected pages of ANP-10309P, "U.S. EPR Protection System TechnicalReport," in redline-strikeout format which support the response to RAI 414, Question 07.03-30. Acomplete revision to the technical report will be submitted by separate letter. Since AREVA NPconsiders some of the material contained in the enclosed response to be proprietary, an affidavit isenclosed, as required by 10 CFR 2.390(b), to support the withholding of the information from publicdisclosure. Proprietary and non-proprietary versions of the enclosure to this letter are provided.

The following table indicates the respective pages in the enclosed response that contain AREVA NP'sfinal response to the subject question.

Question # Start Page End Page

RAI 414 - 07.03-30 2 5

This concludes the formal AREVA NP response to RAI 414, and there are no questions from this RAIfor which AREVA NP has not provided responses.

AREVA INC.3315 Old Forest Road, P.O. Box 10935, Lynchburg, VA 24506-0935Tel.: 434 832 3000 www.areva.com

Document Control DeskMay 22, 2012

NRC:12:029

If you have any questions related to this information, please contact Darrell Gardner by telephone at(704) 805-2355 or by e-mail at darrell.qardneraareva.com.

Sincerely,

Pedro SalasDirector, Regulatory AffairsAREVA NP Inc.

Enclosures

cc: G. TesfayeDocket 52-020

AFFIDAVIT

COMMONWEALTH OF VIRGINIA )) ss.

COUNTY OF CAMPBELL

1. My name is Russell Wells. I am U.S. EPR COLA Licensing Manager, for

AREVA NP Inc. (AREVA NP) and as such I am authorized to execute this Affidavit.

2. I am familiar with the criteria applied by AREVA NP to determine whether

certain AREVA NP information is proprietary. I am familiar with the policies established by

AREVA NP to ensure the proper application of these criteria.

3. I am familiar with the AREVA NP information contained in the document titled

"Response to U.S. EPR Design Certification Application RAI 414, Supplement 16, and referred

to herein as "Document." Information contained in this Document has been classified by

AREVA NP as proprietary in accordance with the policies established by AREVA NP for the

control and protection of proprietary and confidential information.

4. This Document contains information of a proprietary and confidential nature

and is of the type customarily held in confidence by AREVA NP and not made available to the

public. Based on my experience, I am aware that other companies regard information of the

kind contained in this Document as proprietary and confidential.

5. This Document has been made available to the U.S. Nuclear Regulatory

Commission in confidence with the request that the information contained in this Document be

withheld from public disclosure. The request for withholding of proprietary information is made in

accordance with 10 CFR 2.390. The information for which withholding from disclosure is

requested qualifies under 10 CFR 2.390(a)(4) "Trade secrets and commercial or financial

information":

6. The following criteria are customarily applied by AREVA NP to determine

whether information should be classified as proprietary:

(a) The information reveals details of AREVA NP's research and development

plans and programs or their results.

(b) Use of the information by a competitor would permit the competitor to

significantly reduce its expenditures, in time or resources, to design, produce,

or market a similar product or service.

(c) The information includes test data or analytical techniques concerning a

process, methodology, or component, the application of which results in a

competitive advantage for AREVA NP.

(d) The information reveals certain distinguishing aspects of a process,

methodology, or component, the exclusive use of which provides a

competitive advantage for AREVA NP in product optimization or marketability.

(e) The information is vital to a competitive advantage held by AREVA NP, would

be helpful to competitors to AREVA NP, and would likely cause substantial

harm to the competitive position of AREVA NP.

The information in the Document is considered proprietary for the reasons set forth in

paragraphs 6(c) and 6(d) above.

7. In accordance with AREVA NP's policies governing the protection and control

of information, proprietary information contained in this Document has been made available, on

a limited basis, to others outside AREVA NP only as required and under suitable agreement

providing for nondisclosure and limited use of the information.

8. AREVA NP policy requires that proprietary information be kept in a secured

file or area and distributed on a need-to-know basis.

9. The foregoing statements are true and correct to the best of my knowledge,

information, and belief.

SUBSCRIBED before me this

day of 2012.

1~Kathleen A. BennettNOTARY PUBLIC, COMMONWEALTH OF VIRGINIAMY COMMISSION EXPIRES: 8/31/2015Reg. #110864

I----- U

II KKIHLE AMl IEWNNNduy Pdk

C...-'.~ of *k0.1limp4

My Cuinmlulm Eubus Amg 31 2015

Responseto

Request for Additional Information No. 414, Supplement 16

6/15/2010

U. S. EPR Standard Design CertificationAREVA NP Inc.

Docket No. 52-020SRP Section: 07.02 - Reactor Trip System

SRP Section: 07.03 - Engineered Safety Features SystemsSRP Section: 07.04 - Safe Shutdown Systems

SRP Section: 07.07 - Control Systems

Application Section: FSAR Chapter 7

QUESTIONS for Instrumentation, Controls and Electrical Engineering 1(AP1000/EPR Projects) (ICE1)

AREVA NP Inc.

Response to Request for Additional Information No. 414, Supplement 16U.S. EPR Design Certification Application Page 2 of 5

Question 07.03-30:

OPEN ITEM

Follow-up to RAI 285, Question 07.03-25.

The staff requests that the applicant provide the following information:

1. Explain and/or clarify exactly what components are involved in the 'response time testing' ofthe PS in the PS ITAAC and surveillance testing. The Chapter 15 definition remainssomewhat vague and the presentation by the applicant on surveillance testing says that thetesting is from sensor to final actuating device. The applicant's response to RAI Question07.09.47 would seem to be in conflict with this.

2. Based upon the applicant's response to RAI Question 07.09.47, explain and/or clarify whythe applicant believes that the PACS does not need to be involved in the overall responsetime testing of the PS. The PACS modules are specific to ESFAS and ESFAS actuationscannot occur without the PACS. They are digital devices that are part of the overall logicchain for an ESFAS actuation.

QUESTION BASIS:

IEEE Std. 603-1998, Clause 4.d, requires, in part, that the U.S. EPR DCD document thevariables or combinations of variables used by the ESF actuation system to be monitoredmanually or automatically. Also Clause 4.d requires the U.S. EPR DCD to document theanalytical limit associated with each variable, the ranges and rates of change of these variablestill completion of protective action is ensured.

The staff issued RAI 957, Question 07.03-11, in order to get clarification on this issue. Theapplicant provided an initial response to this RAI question in which it stated that ESF responsetimes are documented in the U.S. EPR DCD Tier 2, Table 15.0-8, and that the PS responsetimes will be tested and verified according to the ITAAC documented in the U.S. EPR DCD Tier2, Section 14.2.12.12.10 Test #146. The applicant provided its response to RAI 78, Supplement2, which contained the FSAR markups for Question 07.03-11.

Based upon the review of the applicant's response, the staff created a supplemental RAI 285,Question 07.03-25. In response to Question 07.03-25, the applicant commits to adding specifictesting for ESF response times to support the Chapter 15 accident analyses.

In response to RAI Question 07.09.47, the applicant states the following:

" The bounding PS response times discussed in the Second Request for AdditionalInformation for ANP-10281(P), Attachment B are consistent with the response timeassumptions used in the accident analysis and listed in U.S. EPR FSAR Tier 2, Table15.0-7 and Table 15.0-8. If needed, AREVA NP can provide supportingdocumentation, such as a function-by-function demonstration of consistency, for NRCaudit. Refer to U.S. EPR FSAR Tier 1, Section 2.4.1, Item 4.24 and associated ITAAC, which has been added in the Response to RAI 285 Supplement 4, Question 07.03-25and addresses verification that the PS response times support accident analysisassumptions.

AREVA NP Inc.


The Second Request for Additional Information for ANP-10281(P), Attachment B,Paragraph one states: "The total response time for a given function consists of severalsub-intervals that span from a process variable exceeding a pre-defined limit tocompletion of the protective function. The sub-interval addressed herein accounts forthe computerized portion of the protection channel, and is defined as the time fromsensor conditioning output to RT breaker input terminals for RT functions, or to inputterminals of the PACS for ESF actuation functions." The priority and actuator controlsystem (PA CS) is not included in the PS response time analysis. Time delaysintroduced by the priority module in the PACS are included with the response time ofthe actuator it controls and is verified through response time testing of the actuator."

US EPR DCD, Tier 2, Chapter 15, Page 15.0-58, states the time delays(response times):

"....Represents the total time for completion of the function. Includes sensor delay, I&Cdelay, and other delays as noted until the function is completed."

In addition, in a presentation made to the staff concerning continuous self-testing of the PS, theapplicant stated:

"The Protection System response time shall be that time interval from when themonitored parameter exceeds its PS actuation setpoint at the division sensor until thePS equipment is capable of performing its safety function."

The applicant states that the PACS system has not been included in the response times. Thisappears to be in conflict with the definition of the response times for completion of ESFactuation in Chapter 15. The Chapter 15 definition makes no distinction between thecompterized portions of the PS and the PACS, and implies that the response times wouldenvelope all timing delays from sensor to final actuation device. Its should also be noted thatthe PACS ITAAC in U.S. EPR DCD, Tier 1, Section 2.4.5 makes no mention of response timing.Emergency Feedwater (EFW) is an ESF. The ITAAC for EFW is in U.S. EPR DCD, Tier 1,Section 2.2.4. There is no mention of response timing, in terms of valve stroke time with thePACS module, mentioned in the ITAAC. There is also no mention of response time testing inorder to meet the bounding times of the Chapter 15 safety analyses. This appears to be inconflict with what the applicant states in its response to RAI Quesiton 07.09-47. If the responsetiming of the PACS is not listed in either the PS, PACS or any other ESF ITAAC, then the staffcannot have confidence that the as-built configuration of the PS will meet the boundingresponse times of the Chapter 15 safety analyses.

Note: The applicant has committed to meeting the guidance of Regulatory Guide 1.118,"Periodic Testing of Electric Power and Protection Systems". RG 1 .118 cites 10 CFR Part 50,Appendix A, GDC 21, as a regulatory basis and endorses IEEE Std. 338-1987, "IEEE StandardCrieteria for Periodic Surveillance Testing of Nuclear Power Generating Station SafetySystems". Section 6.3.5 of IEEE Std. 338-1987, "Logic System Functional Test" states:

"A logic system functional test shall test all logic components from sensor through to theactuated device. Logic components consist of relays, contacts, and solid-state logic elements ofa logic circuit. The test may be performed by a series of sequential, overlapping, or total systemtests so that an entire logic system is tested."

AREVA NP Inc.


While the applicant does not consider the PACS as part of the computerized portions of the PS,it is a part of the 'entire logic system' for ESFAS and would be considered a part of a logicsystem functional test.

Response to Question 07.03-30:

As described in ANP-10315, U.S. EPR Surveillance Testing and TELEPERM XS Self-Monitoring Technical Report, "The entire actuation path from sensor to actuator is subject toresponse time testing." Figure 2-1 of the Technical Report shows the components that areincluded in the response time tests, which includes the Priority Module of the PACS. See RAI505 Q 7.1-44 for changes.

U.S. EPR FSAR Tier 1, Sections 2.2, 2.3, 2.4, 2.6, 2.7, 2.8, 2.9, and 3.5 will be revised to statethat the response time from sensor to PACS output shall be less than the value required tosatisfy the design basis safety analysis response time assumptions. The actuators will not beincluded as part of the Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) in U.S.EPR FSAR Tier 1. The response time requirements for the actuators are in the associatedprocess system sections.

U.S. EPR FSAR Tier 2, Section 6.2.4 and Table 6.2.4-1 will be revised to update the valveclosure times for the containment isolation valves.

U.S. EPR FSAR Tier 2, Section 15.0 will be revised to depict only the total response timesassumed in the safety analysis. Some additional response times, such as main control room(MCR) air intake activity > Maxl p, and clarifying statements concerning assumptions in theanalysis were added to U.S. EPR FSAR Tier 2, Table 15.0-7 and 15.0-8.

U.S. EPR FSAR Tier 2, Chapter 16, Bases 3.6.3 will be revised to point to U.S. EPR FSAR Tier2, Section 6.2.4 for a description of the containment isolation valves and their associated valveclosure times.

This response supersedes the Response to RAI 286, Question 07.09-47.

U.S. EPR FSAR Tier 2, Section 7.1, 7.2, and 7.3 will be revised to include the definitions andallocation of response times for reactor trip and engineered safety features functions assumedin the safety analysis.

Appendix B of ANP-10309P, "U.S. EPR Protection System Technical Report," will be revised toinclude the response time of the priority module of the PACS.

FSAR Impact:

U.S. EPR FSAR Tier 1 Sections 2.2, 2.3, 2.4, 2.6, 2.7, 2.8, 2.9 and 3.5 will be revised asdescribed in the response and indicated on the enclosed markup.

U.S. EPR FSAR Tier 2, Sections 6.2.4, 6.5, 7.1, 7.2, 7.3, 9.4 and 15.0, will be revised asdescribed in the response and indicated on the enclosed markup.

AREVA NP Inc.


Technical Report Impact:

ANP-10309P, "U.S. EPR Protection System Technical Report," will be revised as described inthe response and indicated on the enclosed markup. ANP-10309P, Revision 4 will be submittedby separate letter after completion of the Responses to RAI 414, RAI 505 and RAI 506.

U.S. EPR Final SafetyAnalysis Report Markups

All indicated changes are in response to RAI 414, Question 07.03-30

EPRU.S. EPR FINAL SAFETY ANALYSIS REPORT

Table 2.2.2-3-in-Containment Refueling Water StorageTank System ITAAC (9 Sheets)

Commitment Wording Inspections, Tests, Acceptance CriteriaAnalyses

7.1 Class I E valves listed in Tests and analyses " r a The valves changes position asTable 2.2.2-2 pef-€• the e ombinatian ef tests and listed Table 2.2.2-1 underwill function to chanee analyses. will be per., f.rmed to system operating conditions.position as listed in Table don....trate the ability @4 the

2.2.2-1 under system valves listed in Table 2.2.2 2operating conditions. to change position as listed in

Table 2.2.2 1 under systemoper.ating cond•i... .Tests willbe performed for the operationof the valves listed in Table-2.2.2 -2.

7.2 Containment isolation Tests will be performed usinQ Containment isolation valvesvalves listed in Table test sianals.to demonstrate the listed in Table 2.2.2-1 close2.2.2-1 close within the ability of the ,,ntainm•ent within 60 seconds after receiptcontainment isolation isolation -al-.'es listed in Table follwhing initiation of anresponse time following 2.2.2 1 to close within the eentaihment isolation testinitiation of a containment containment isolato• n response signal from the PACS module.isolation signal. timfe foll1owing initiationl Of a

tainmentisolation signal.....

7.3 The IRWST provides a An inspection and analysis The IRWST provides t4erequired water volume. will be pe•formed oafthe following- r... edi. minimum

oRI.1 'ST required water water volume- ofIVe4-imp. 66,886 ft3.

7.4 Post-LOCA pH control is An inspection and analysis The TSP baskets listed inprovided for the IRWST will be performed for the Table 2.2.2-1 e-an-hold t1ewith TSP. capacity of the TSP baskets to f ,llow.'ing combined a capacity

provide post-LOCA pH of TSP to provide post LOG•GAcontrol. pH eentrebof

> 12,200 lbm-..SP-.

7.5 The IRWST suction inlet a. An inspection will be a. A debris screen exists inline for each safety injection performed for the existence the IRWST suction inletsystem division has a debris of a debris screen in the line for each safetyscreen. IRWST suction inlet line injection system division.

for each safety injectionsystem division.

b. An inspection will be b. The debris screen has aperformed to verify the minimum surface area ofminimum surface area and 753 ft2 and the screen meshmaximum mesh grid is a maximum grid openingopening of the debris of 0.08 x 0.08 inches.screen.

Tier 1 Revision 4-lnterim Page 2.2-64



Table 2.2.3-3-Safety Injection System and Residual HeatRemoval System ITAAC (10 Sheets)


7.7 Class I E valves listed in Tests and anay,'ses or a The valves changes positionTable 2.2.3-2 ean perform t1-e combination of tests and as listed Table 2.2.3-1 underwill function to chane analy'ses will be perfrmed-t•. system operating conditions.position as listed in Table d.emonst.ate the ability of th2.2.3-1 under system ;a-es listed in Table 2.2.3 2operating conditions. to ehangc position -AS listcdMin

Table 2.2.3 1 under sylste~moetrnioA . d. 4i en.s. Testswill be performed for theoperation of the valves listedin Table 2.2.3-2.

7.8 The SIS/RHRS has Testing for fl . f the The flow test line allows theprovisions to allow flow SIS,'•o IRS pumps thrugh SIS/RHRS pumps to delivertesting of the SIS/RHRS fle" test line-Tests will be the following flow rates:pumps during plant operation. performed. a. MHSI pump:

Flow rate per pump isgreater than or equal to480 gpm.

b. LHSI pump:Flow rate per pump isgreater than or equal to1760 gpm.

7.9 Safety injection pumped flow Tests will be performed to Time for safety injection flowwill be delivered to the RCS determine the safety injection to reach full flow does notbefore the maximum elapsed pumped flow delivery time exceed 15 seconds withtime. usinU test signals. offsite power available or 40

seconds with loss of offsitepower after receipt of anisolation test sicnal from thePACS module.

7.10 Each LHSI pump delivers Testing will be performed to Each LHSI pump delivers awater at the required flow rate demonstrate that each LHSI flow rate greater than or equalto its respective hot leg of the pump delivers the required to 1720 gpm to its respectivereactor coolant system. flow to its respective hot leg hot leg of the RCS at an

of the RCS. equivalent RCS pressure of69.27 psia.

Tier 1 Revision 4-Interim Page 2.2-101



Table 2.2.5-3-Fuel Pool Cooling and Purification SystemITAAC (7 Sheets)


7.2 The pumps listed in Table Testing- Tests and analyses will The pumps listed in Table2.2.-5-1 have NPSHA that be performed. tO "eri-' 2.2.5-1 have NPSHA that isis greater than NPSHR at NPS. A fr•, Pumps listed ill greater than NPSHR at systemsystem run-out flow. Table 2.2.5 - . run-out flow.

7.3 Class IE valves listed in Tests and analy.ses or a The valves change position asTable 2.2.5-2 peerfemt-e ct m biination of tests and listed in Table 2.2.5-1 underwill function to change analyses ..... be per.for.ed to system operating conditions.position as listed in Table demonstr.ate the ability of the2.2.5-1 under system .alves listed in Tabl 2.2.5. 2operating conditions. ch.ange position. as listed in

Table 2.2.5 1 unde system- .-.operating conditions.Tests willbe performed for the operationof the valves listed in Table2.2.5-2.

7.4 The pumps listed in Table Tests will be performed. Each train of the FPCS2.2.5-1 each have the provides at least 3576 gpm tocapacity to provide flow to the FPCS heat exchanger withthe FPCS heat exchangers. one pump in operation.

7.5 Containment isolation Tests will be performed using Containment isolation valvesvalves listed in Table test siunals.to dem:onstArate the listed in Table 2.2.5-1 close2.2.5-1 close within the ability. of the c.ntaim.nment within 60 seconds fe.1......

containment isolation isolation valves listed in Table initiatienafter receipt of anresponse time following 2.2.5 1 to • l•se wihin the ea;nt-e- ... isolation testinitiation of a containment containm.ent isolation response signal firom the PACS module.isolation signal. tlime followving initiation of a

containment isolation signal.

7.6 The fuel pool cooling Inspection and testing will be The spent fuel pool water levelsystem design provides for performed to demonstrate the is maintained greater than ormaintaining the spent fuel spent fuel pool water level is equal to 23 feet above the spentpool water level above the maintained above the spent fuel.spent fuel. fuel.

Next File




Table 2.2.7-3-Extra Borating System ITAAC (7 Sheets)

Inspections, Tests,Commitment Wording Analyses Acceptance Criteria

7.2 Class IE valves listed in Tests and Analyses Or a The valves changes position asTable 2.2.7-2 perm-i the combination "f tests and listed Table 2.2.7-1 underwill function to chanme analyses will be pe-for.. ed to system operating conditions.position as listed in demon-strate the ability of theTable 2.2.7-1 under system valves listed in Tabl 2.",7 "2operating conditions. to ch.ange position as listed in

Table 2.2.7 1 under sst••:noperating en' i.i.. . Tests willbe performed for the operationof the valves listed in Table2..2.7-2.

7.3 The EBS has provisions to Testing fo- flow 4f the E=B The f l .test li .al.lows EBSallow flow testing of the pumps bael to the EBS tan .... pump flow test lineEBS pumps during plant Tests will be performed. recirculates back to the EBSoperation. tank-ofat least 49 gpm back to

the EBS tank.

7.4 Containment isolation Tests will be performed using Containment isolation valvesvalves listed in test signals.to demonstrate the listed in Table 2.2.7-1 closeTable 2.2.7-1 close within ability of the e.ntainmen. t within 60 seconds fe4oewingthe containment isolation isolation v.'al''ves listed in initiatienafter receipt of anresponse time following Table. 2.2.7 1 to clos . ithin , ontainment-isolation test

initiation of a containment the containment isolation signal from the PACS module.isolation signal. response time f.ll.wing

initiation- of a contain~men-tisolation sinal. ....

Next File

Tier 1 Revision 4-Interim Page 2.2-1 67Tier 1 Revision 4--Interim Page 2.2-167



Table 2.3.3-3-Severe Accident Heat Removal SystemITAAC (6 Sheets)


7.2 Class I E valves listed in Tests an.d analySes or a The valves changes position asTable 2.3.3-2 perfoe-4 th-e combination of tests and listed in Table 2.3.3-1 underwill function to chanae analyses will be perform.ed to system operating conditions.position as listed in Table d.emon..strate the ability of the2.3.3-1 under system va-lves listed in Table 2.3.3 2 tooperating conditions. ehangc p.SitiOn as listed in

Table 2.3.3 1 under systemopefratng eanditions.Tests willbe performed for the operationof the valves listed in Table2.3.3-2.

7.3 Containment isolation Tests will be performed usinu Containment isolation valvesvalves listed in Table test sianals.te demonstrate the listed in Table 2.3.3-1 close2.3.3-1 close within the ability of the ,ontainment within 60 seconds fe,,lewingcontainment isolation isolation -'al've listed in Table iniiatienafter receipt of anresponse time following 2.3.3 1 to close within the eonai4t e i4 isolation testinitiation of a containment containment isolation response signal firom the PACS mod ule.isolation signal. time followin" initiation of a

ontainmentisolation signal.. .

Next File

Tier 1 Revision 4-Interim Page 2.3-26Tier 1 Revision 4--Interim Page 2.3-26


AU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPR4.16 Electrical isolation is provided on connections between the four PS divisions.

4.17 Communications independence is provided between PS equipment and non-Class IEequipment.

4.18 The PS is designed so that safety-related functions required for an anticipated operationaloccurrence (AOO) or postulated accident (PA) are performed in the presence of thefollowing:

* Single detectable failures within the PS.

* Failures caused by the single failure.

* Failures and spurious system actions that cause or are caused by the AOO or PArequiring the safety function.

4.19 The equipment for each PS division is distinctly identified and distinguishable from otheridentifying markings placed on the equipment, and the identifications do not requirefrequent use of reference material.

4.20 Locking mechanisms are provided on the PS cabinet doors. Opened PS cabinet doors areindicated in the MCR.

4.21 CPU state switches are provided at the PS cabinets to restrict modifications to the PSsoftware.

4.22 The operational availability of each input variable listed in Table 2.4. I-2 and Table 2.4.1 -3 can be confirmed during reactor operation including post-accident periods- by one ofthe followin, methods:

" By pertUrbing the monitored variable.

* Bv introducing and varving, a substitute input of the same nature as the measuredvariable.

* Bv cross-checking between channels that bear a known relationship to each other.

" By specif/ing equipment that is stable and the period of time it retains its calibrationduring post-accident conditions.

4.23 Deleted.

4.24 The response time from sensor to ALU output. including sensor delay, for the RT signalslisted in Table 2.4.1-2 is less than the value required to satisfy the design basis safetyanalysis response time assumptions. The PS response time from sensor to PACS output.includina sensor delav, for the ESF signals listed in Table 2.4.1-3. is less than the valuerpn,,;rPrI lr~ ~l ;cf~, th~ rIp~,n-n 1-vdc ~f~pt~ ~ rp~znt~nQp limp ~Qumnl ,cn~

reSPonFse *ftime from;: sen-sor to ouitput. ineluidinEa sensor delav. for- the RT- si!znals liEtc iTable 2.1.1 2" anld the ESP signials listed in Table 2.. -3 is less tha the Nvalue requir-ed tEosatisfy, the design basis safety analysis r-espense time asupt-s.




Table 2.4.1-7-Protection System ITAAC (-1-2-15 Sheets)

Inspections, Tests,

Commitment Wording Analyses Acceptance Criteria

4.24 The response tinme fromsensor to ALU oLItpLIt.including sensor delay. forthe RT sianals listed inTable 2.4.1-2 is less thanthe value required to satisfythe desiun basis safet'analysis response timeassumptions. The PSresponse time from sensorto PACS output. includingsensor delay. for the ESFsinals listed in Table2.4.1-3. is less than thevalue reouired to satisf, the

a. An analysis will beperformed to determine therequired response time friomsensor to ALU output.includin, sensor delay forthe RT functions. Ananalysis will be performedto determine the requiredresponse time from sensorto PACS output. includinosensor delay for the ESFfunctions.Analyses An

ilbe perfcrmfedto determine the requiredresponse time from sensorto AlL output, incl•udiAgsens,.I delay, whichsbippef~s the safýety analy-siFespensc timeasmpinfor the RT- signals listed inTFable 2.41.1 2and ESF-signals listed in Table

a. A report exists and identifiesthe required response timefirom sensor to ALU output.including sensor delay, whichsupPorts the safety analysisresnonse time assumntions for

desien basis safety analhsisresponse timeassUmptions.The--PFeSPOnSe timfe from sensor

Jett. for jtheRT- signalslisted in Table 2.4.1 2 • idtheESF signals listed in.

A 1..4.1 isles thanrthe v.alue requ~ired to SatiSfy'the design basis safetyanalysis r-esponse timeaSSHHPtiE)HS.

the RT sianals listed in Table2.4.1-2. A report exists andidentifies the requiredresponse time from sensor toPACS output. includingsensor delay. which supportsthe safety analysis responsetime assumptions for the ESFsiinals listed in Table 2.4. I -

identifies the requiiredresponse time from sensor toALU output, "m•ludin senr...

N-lq'.wieh supports thlesafety analysis response timeassumptions for the RTsignals listed in Table 2.4.1 2and F=SF= signals listed in

b. A report e-ists and concludesthat PAS-response times areless than the value reGuired to

b. Tests, analyses, or acombination of tests andanalyses will be performedon the[ DCSS-quipmentthat contributies to RT andESF signal response times.

support the safety analysisresponse time assumptions forthe RT signals listed in Table2.4.1-2 and ESF signals listedin Table 2.4.1-3.

4.25 Hardwireddisconnects a. Inspections will be a. Hardwired disconnects existexist between the SU and performed. an the PS to between the SU and eacheach divisional MSI of the ...eif.the eiH"e PC P. 4 of A divisional MSI of the PS.PS. The hardwired hardwired disconnectsdisconnects prevent the between the SU and eachiconnection of the Service divisional MSi of PS




Table 2.6.3-3-Annulus Ventilation System ITAAC(4 Sheets)


b. Components listed b. Inspection reports exists anddesiznated as harsh conclude that theenvironment in Table components listed2.6.3-2 will be inspected to desiunated as harshverify installation in environment in Tableaccordance with the 2.6.3-2 asaed.onstruction dra..ing r .. ...ment hashave beenin•uading the .s.eeiated installed per thewiring, cables-an.d constru..tion. d .awi ...aterm1;;AinationS. Deviations to an'; deviatiefns havoe beeth .onstru.ti.. drang.... .. reeaneiled e4the EQDP;Aill be reconciled to the requirenients. andEQDP requirements. and deviations have beendeviations will be reconciled.reconciled.

7.1 The AVS provides a Tests-A test will be performed The AVS provides a negativenegative pressure between usino test signals.an-t-e pressure of at least 0.25 inchesthe inner and outer capability of the system. . to water gauge within 305containment shells during pro.vide a negative pr.essu seconds fr.. initiatin- afterpostulated accidents. between the inner and outer receipt of a test signal.

containment shellIs durinpostulated accidents.

7.2 Upon receipt of A test will be performed te A test confirms that uponcontainment isolation verif.y that upon r.eceipt a receipt of containment isolationsignal, the following containment isolation signal, signal, the following actionsactions occur the feojlwin.g actions o.cur occur automatically within 60automatically: a..emateaj'"l4.using test seconds after receipt of an

sianals. isolation test siunal friom thePACS module:

a. Isolation of the normal a.Theno.r.al operation train. a. The normal operation trainoperation train by isolates by cosig tl.e is isolated by closing theclosing the isolation isolation danm-,pers listed ini isolation dampers listed indampers listed in Table Table 2.6.3 1 for Normal Table 2.6.3-1 for Normal2.6.3-1 for Normal Ope•.a..e. Tral...,. Operation Train.Operation Train.

b. Start of the accident b. The accident filtration trains b. The accident filtration trainsfiltration trains and start, and the dampers listed start, and the dampers listedopening of the dampers in Table 2.6.3 1 for in Table 2.6.3-1 forlisted in Table 2.6.3-1 Accidenit Filtration Train to Accident Filtration Train arefor Accident Filtration the iodine filtration train are aligned to the open position.Train. aligned to the open position.

Next File

Tier 1 Revision 4--Interim Page 2.6-37



Table 2.6.4-3-Fuel Building Ventilation System ITAAC(6 Sheets)

Inspections, Tests,


7.1 Upon receipt of a containment A test will be performed to The test confirms, upon receiptisolation signal, the FBVS verify, upon receipt of a of a containment isolation testmaintains a negative pressure containment isolation test signal, that the FBVSrelative to the outside signal, -that the FBVS maintains the pressure lessenvironment in the Fuel maintains a negative pressure than or equal to -0.25 inchesBuilding. relative to the outside water gauge relative to the

environment in the Fuel outside environment in theBuilding. Fuel Building.

7.2 Upon receipt of a containment A test will be performed using A test confirms, upon receiptisolation signal, the FBVS test siarnals to verify, upen of a containment isolation testisolation dampers identified in receipt of a centainment signal, that the FBVS isolationTable 2.6.4-1 realign to isolatientest si.., al, that the dampers identified in Tableexhaust air to the SBVS iodine FBVS isolation dampe•-s 2.6.4-1 realign to exhaust air tofiltration exhaust to the plant identified in Table 2.6.4 1 the SBVS iodine filtrationvent stack within the design realign to eh•,Au.t air to the exhaust to the plant vent stackbasis closure time. SBVS iodine filtration exhaut, within 60 seconds from tlie

to tle plant ... ent stack within PACS module.the desigfn basis closur~e time.

7.3 The FBVS provides cooling to a. An inspection of the a. A report confirms that eachmaintain design temperatures manufacturer's FBVS cooling coil isin the Fuel Building pump documentation of the FBVS capable of providing designrooms for systems containing cooling coils will be cooling requirements.borated fluid, while operating performed.in a design basis accident b. Tests and analysis of the b. A report confirms that thealignment. FBVS cooling units will be FBVS is capable of

performed to verify that providing cooling todesign temperatures can be maintain designmaintained in the Fuel temperatures in the FuelBuilding pump rooms, Building pump rooms,while operating in a design while operating in a designbasis accident alignment, basis accident alignment.


All indicated changes are in response to RAI 414, Question 07.03-30AU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPR

Table 2.6.6-3-Safeguard Building Controlled-AreaVentilation System ITAAC (7 Sheets)


7.1 Upon receipt of a A test will be performed using The test confirms, upon receiptcontainment isolation test si unals.te.veFi. "..pen of a containment isolation tes-signal, the SBVS maintains re.eipt of a c.ntainmcn.. signal, that the SBVSa negative pressure in the , islation test signal,. tha the maintains the pressure less thanhot mechanical rooms of the SBNS maintains a negati.,.,e or equal to -0.25 inches waterSafeguard Buildings pressure in the hat mechanical gauge in the hot mechanicalrelative to the adjacent r.,ms of the Safegrd,.. rooms of the Safeguardareas. Buildings relati:e to the Buildings relative to the

ad.j.een .afea&. adjacent areas.

7.2 Deleted. Deleted. Deleted.

7.3 Upon receipt of a high A test will be performed A separate test for a radiationradiation signal in the Fuel separately for each iodine signal in the Fuel BuildingBuilding, both SBVS iodine filtration train using test (KLK38CROOI/002) confirmsfiltration trains start sijgnals.t .e...'theat .Up. " that upon receipt of a highautomatically, the isolation receipt Of a hig--h radiatio radiation signal in the Fueldampers open, and the signal in the Fuel Building, Building or Reactor Building,accident air is directed both SBYS iodihe filtration both SBVS iodine filtrationthrough the SBVS iodine trains start automatically, the trains start automatically, thefiltration trains. isolation dam.pers (the Fel isolation dampers open-(t-e

Building dampers KLCI5 Fuel Building dampef.s. KLC45AA^^3/A^AOO), the SBtS AA003/AA004) open, theis•lWai•n dampers (KLC.5 SBVS isolation dampersAAgOI/AAOO2) elese, and the (KLC45 AAOOI/AA002) close,accident air is directed through iodine filtration banks isolationthe SBS iodine filtration dampers (30KLC41/42trains by aligning the iodine, AAOO/AA0021 open. and thefiltration ban-ks isolation accident air is directed throughdampers (K......•L 2 the SBVS iodine filtrationAAOO!/AAO02) to the open trains. by aligning, the iodineposition (see Figure 2.6.6 2 or filtration banks isolationthe abov~e components). A test am~pers (30K.1 G-4142is perfo.med using a simu1la AA,•• .•AAO02) to the openhigh radiation signal from the position (see Figure 2.6.6 2 for

ae1 Buildi;ng• the above componenits). Abe-eThe isolation dampers close oropen within 60 seconds afterreceipt of a test signallfrom thePACS module. I


EPF


U.S. EPR FINAL SAFETY ANALYSIS REPORTI

Table 2.6.8-4-Containment Building Ventilation SystemITAAC (6 Sheets)

Inspections, Tests,


7.2 Containment isolation valves Tests will be performed LuSiniu' Containment isolation valveslisted in Table 2.6.8-1 close test sinals.t ,demons•rate the listed in Table 2.6.8-1 closewithin the containment ability .f the . .ntainmen. within 10 seconds afterisolation response time isolation -'ak-'eS listRed in Tabl receipt fllw-ing init;iaticn offollowing initiation of a 2.6.8 1 to clse withfin the an tAinment isolationcontainment isolation signal. ,,ntainment is.latin. respon.e signal from the PACS

timfe follo)wing, inlitiaftinl Of a modUle.containment isolation signal.

Next File

Tier I Revision 4-Interim Page 2.6-1 27Tier 1 Revision 4-lnterim Page 2.6-127


,U.S. EPR FINAL SAFETY ANALYSIS REPORT

EPR

Table 2.7.1-3-Component Cooling Water System ITAAC (10Sheets)


7.6 The CCWS delivers water to Tests an-d analyses will be The CCWS delivers at-least-athe spent fuel pool heat performed to detennin, te• minhimaum flowfate o t.he spe..texchangers. CV.S deliver', rate under fuel p coolinig h•lea!

..ertin con.ditiOnS.... ....... g of 0.8818 x 106

lb/hr to the spent fuel poolcoolina heat exchanaers.

7.7 Class 1E valves listed in Tests and analyzes or a The valves change position asTable 2.7.1-2 pe-..fm.th . ombination of tests and listed in Table 2.7.1-1 underwill function to chan~e analyses will be perfomed to system operating conditions.position as listed in Table demonstrate th.e ability of. t2.7.1-1 under system valves listed in Table 2.7.1 2 tooperating conditions. hange position as listed in

Table 2.7.1 1 under system.operating conditions.Tests willbe performed for the operationof the valves listed in Table2.7.1-2.

7.8 The CCWS has provisions to A-test-Tests will be performed. Normal system alignmentallow prevides-fo-flow allows testing of each CCWStesting of the CCWS pumps pump during plant operation.during plant operation.

7.9 Containment isolation valves Tests will be performed using Containment isolation valveslisted in Table 2.7.1-1 close test sianals.to demonstrate the listed in Table 2.7.1-1 closewithin the containment ability of the eontai.,nent within 60 seconds fel--i:-gisolation response time isolatin -'al'-'es listed in Table initiatieafter receipt of anfollowing initiation of a 2.7.1 I to close within thle eentainment isolation signalcontainment isolation signal. containment isolation response fr-om the PACS module.

time followving initiation 4facontainment isolation signal.

7.10 The CCWS surge tanks Tests-An inspection and The CCWS surge tank capacityprovide adequate capacity for analysis will be performed4o is equal to or greater thansystem operation. dete.mine the CCWS surge 950 ft3.




Table 2.7.5-3-Fire Water Distribution System ITAAC (5Sheets)


7.6 Containment isolation Tests will be performed usi.. Containment isolation valvesvalves listed in Table test sihnals.to demonstrate the listed in Table 2.7.5-1 close2.7.5-1 close within the ability of the . ,ntainment• within 60 seconds .......containment isolation isolIatio:- -'aL'es listed in- Table hitiationafier receipt of anresponse time following 2.7.5 I to close Within thle ....ainen. isolation signalinitiation of a containment . ..ntain:net iolatio r....n.. friom the PACS module.isolation signal. time f-Io1owin. initiation ofa

eontainment isolation signl

7.7 The standpipe and hose An analysis will be performed Analyses demonstrate thesystems in areas containing to demonstrate the ability of FWDS will remain functionalsystems and components the standpipe and hose systems following a SSE and is capablerequired for safe plant in areas containing systems of supplying the twoshutdown in the event of a and components required for hydraulically most remote hosesafe shutdown earthquake safe plant shutdown in the stations with at least 75 gpm(SSE), including the water event of a SSE to remain per hose stream.supply to these standpipes, functional and supply two hoseare capable of remaining stations following a SSE.functional and supplyingtwo hose stations followingan SSE.

Next File




Table 2.7.11-3-Essential Service Water System ITAAC(10 Sheets)

Commitment Wording Inspections, Tests, Acceptance CriteriaAnalyses AcceptanceCriteria

7.3 Class IE valves listed in Tesis and analyses or a The valves changes positionTable 2.7.11-2 perfrm the combination of tests and as listed Table 2.7.11-1 underwill function to chanŽe a,,•,s esill be perf..med t' system operating conditions.position as listed in Table dem.......e the ability . 4the2.7.11-1 under system vak'es listed in Table 2.7.11 2 tooperating conditions. ehange psiti"n as listed in

Table 2.7.11 1 under systemoperating .. ,4nitics. Tests will

be performed for the operationof the valves listed in Table2.7.11-2.

7.4 The ESWS has provisions to Testing for flow of the ESWS The closed loop allows ESWSallow flow testing of the pumps bak to the E... pump flow back to the ESWESWS pumps during plant tewef-basinTests will be cooling tower basin.operation. performed.


7.6 The ESWS delivers water to a-Tests and inspeetion e-a aa. A report exists andthe CCWS and EDG heat pup .d. a epef-t-will be c.ncludes that.The ESWSexchangers and the performed Usino test delivers water at > theESWPBVS room cooler. signals.to .. if the ,•EW•S Normal Flow Rate for the

delivery rate to the GCC, S ESW pump to the CCWSand E1G- h.Eat ...e? ......a.. a and EDG heat exchangersthe ESWPBVS room cooler, and the ESWPBVS room

cooler within 120 secondsafter receipt of a test sianalfrom the PACS module.]

b. An integrated system test will b. The ESW .oS stafs andbe performned to '.erify the delivers water to the GGIASstartup time of the FigSWS. ad 2P EG_ h e-At exch iang -ers

at Ž! the Total Requir-edE=S3A Flew for the hieatexchangers within 120seconds. A r-eport exiists andconcludes that the ES3ASdel ivers water to theF=SAWPB VS room cooler atŽ! the Total Required ESWPloy,' fo9r the room coolerw'.ithin 120 seconds.

Tier 1 Revision 4-Interim Page 2.7-1 08Tier 1 Revision 4-lnterim Page 2.7-108



Table 2.8.2-3-Main Steam System ITAAC (7 Sheets)


7.4 Each MSRIV per main Tests4+g will be performed Each MSRJV opens withinsteam line opens upon I[usin- test sianals.] 1.8 seconds after receipt of areceipt of a signal. test signal from the PACS

I module. 17.5 Each MSIV per main steam Test~sh-n' will be performed Each MSIV closes within

line closes upon receipt of a using test signals. 5 seconds after receipt of a testsignal. _signal from the PACS module.


7.7 Upon safety injection A test and analysis will be A ..epa. .exists and .. nekdesactuation, the MSRT performed using lest signalste that the te.. and analysis r.esultcontrols secondary system e ,nfirm the e..ldown rate. indicate that t.eThe MSRTcooldown at a pre-defined pressure control set-point israte. ramped from 1414.7 psia to

900 psia within 19 minutes.

Next File




Table 2.8.7-3-Steam Generator Blowdown System ITAAC(6 Sheets)


7.1 Class IE valves listed in Table Tes-s And Analses o.. a The valves changes position2.8.7-2 Pe...FI.. he will . mbinatiei. of tests and as listed in Table 2.8.7-1function to change position as analyses "ill be perf•.n•,needd to under system operatinglisted in Table 2.8.7-1 under dem, nstrate t4e ability 4f . he conditions.system operating conditions. ,,valves listed in Table 2.8.7 2 te

elhange position as listed inTable 2.8.7 1 under Sy'Stemfoperating . .nditions...ests willbe performed for the operationof the valves listed in Table

7.2 Containment isolation valves Tests will be performed using The containment isolationlisted in Table 2.8.7-1 close test sianals.to demonstrate the valves listed in Table 2.8.7-1within the containment ability of the containmen. close within 60 secondsisolation response time isolationl valves listed in Table following nitiationafterfollowing initiation of a 2.R.7 1 to clse ".within the receipt of an eentai:entcontainment isolation signal. containment isolation "esponse isolation signal fiom the

time ola..wing initiation of a PACS module.containment iselation signal. ; -....

Next File

Tier I Revision 4-Interim Page 2.8-61Tier 1 Revision 4--Interim Page 2.8-61



Table 2.9.3-3-Gaseous Waste Processing System ITAAC(6 Sheets)


Deiaion÷ t... th +1been r.ec.niled t- theconstr..tion drawings will EQDP requirements. andbe reconciled to the EQDP deviations have beenrequirements. and reconciled.deviations will bereconciled.

7.1 The GWPS processing Inspections and analyses will Each delay bed (tag na~bersequipment contains delay be performed to verify the 3OKPLOAT^ I,beds listed in Table 2.9.3-1 mass of activated charcoal 3 D KP50A TOW, andfilled with the pFopeF types loaded in each delay bed.-(-ag 30KPL50AT300) listed inand am.ounts ef.activated nm..bers 301.....5.AT0O. , Table 2.9.3-1 contains acharcoal. 3 ,K,•,0AT-O2, af•d minimum of 5,440 Ibm of

30KPL5OATOO3.) activated charcoal.

7.2 The GWPS discharge valve Tests of the disharge "a The GWPS Ddischarge valvecloses upon receipt of a eesewill be performed (tag nquber 30KPL83AA005)high-radiation signal from using test sinals.y .ver.#,,ig closes upon receipt of a high-the activity monitor rdaton, mnitor. oper-ation radiation signal from thedownstream of the delay and simu.lating •ga hi:h rad:iaio activity monitor (tag-mibefbeds. signal at the activity monitor KPL83CROO1) downstream of

(tag number KPLS=3GROO 1 the delay beds.downst...r•rea; of the delay beds.

7.3 Containment isolation Tests will be performed using, Containment isolation valvesvalves listed in Table test sianals.jo demonstrate listed in Table 2.9.3-1 close2.9.3-1 close within the ab: l...ity of the contain ment within 60 seconds followinigcontainment isolation i-soation ... -1,es listed in Table.........her receipt of anresponse time following 19-93 1 to closE within. the e..ai.nmen.-isolation signalinitiation of a containment . .ntainment isolation response from the PACS module.isolation signal. time followi;ng ;° initiation ofa

eonitainment isolation signial.

Next File




Table 3.5-3-Containment Isolation ITAAC (8 Sheets)


7.1 Class IE valves listed in Tests and anal,,es or. a The valves change position asTable 3.5-2 pe•ir....-e will cmbination of tests and listed in Table 3.5-1 underfunction to change position as analyses will be perf,,med t. system operating conditions.listed in Table 3.5-1 under dem.nstr.ate the ability .f thsystem operating conditions. ,,valves listed in Table 3.5 2 to

ohafne paSitiv n as listed inT-able 3.5 1 under systemoperating, eenditions.Tests willbe performed for the operationof the valves listed in Table3.5-2.

7.2 Containment isolation valves Tests will be performed usinu A report exists and concludeslisted in Table 3.5-1 close test siunals.to demonstrate the that the containment isolationwithin the containment ability of the .ontainment valves listed in Table 3.5-1isolation response time isolation "alves listed in Table close within 60 secondsfollowing initiation of a 3.5 1 to close within the f-llowin. iii•-ationaftercontainment isolation signal. cnt-Ainment isolation response receipt of an .e...;i..e..

tie ;- .... ;R-i initiation; of a isolation signal firom thecotanmn .. isolation signal. PACS module.


Next File


All indicated changes are in response to RAI 414, Question 07.03-30AOWMWl U.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRand actuation time are such that the intended safety functions of the valves are

achieved. Closure time requirements are as follows:

" In general, power operated valves 31/2 inches to 12 inches in diameter close at least

within the time determined by dividing the nominal valve diameter by 12 inchesper minute.

" Valves 3 inches and less close within 15 seconds.

" All valves larger than 12 inches in diameter close within one minute.

" Valves in the containment building ventilation system that are associated withcontainment purging operations close within five seconds. The shorter closuretime requirement supports the radiological release evaluations in Section 15.0.3.

" An exception to the valve closing time requirements is the containment full flowventilation subsystem. Supply and exhaust valves in the full flow portion of thesystem are maintained closed during normal plant operation (MODES 1, 2, 3, and4). This portion of the system is used only during plant shutdown or refuelingoperations. No closure times are required to be listed for these valves.

In determining appropriate valve closure times, a variety of factors are considered,

including time delays due to loss of offsite power, valve stroke times, instrument and

control delay times, motive power delay times (e.g., diesel start delays), and possible

adverse transient conditions unique to isolating a given system.

Individual valve closure times (T3 and T4) are listed in Table 6.2.4-1. The valve

closure times are for valve assembly only, and do not include sensor or I&C dtlays.

The sensor and I&C delays are described in Section 7.3. The definition and allocation

of the different portions of the total response time are described in Section 7. 1. Valve

testing requirements are described by the inservice testing program for valves in

Section 3.9.6.

6.2.4.2.7 Penetrations Overpressure Protection

Overpressure protection is provided for liquid-filled piping between containment

isolation barriers to prevent damage when the piping is isolated unless it can be

demonstrated that the pressure between the isolation barriers cannot exceed the

design pressure of the isolation barriers or the piping between the isolation barriers.

Mechanical system lines that use a check valve as one of the containment isolation

valves have inherent overpressure protection. Other lines with gate, diaphragm, or

butterfly valves have overpressure protection provided by either a bypass check valve

or a pressure relief valve. The overpressure protection method utilized provides such

protection at the maximum back pressure condition that could exist during a loss of

coolant accident (LOCA). Containment penetration overpressure protection



EPRwhich contains a containment dome spray system to reduce pressure and to remove

fission products from the containment atmosphere under severe accident conditions.The SAHRS is described in Section 19.2.3.3. This system is not credited in the designbasis containment or radiological analyses.

6.5.3 Fission Product Control Systems

The primary mechanism to limit release of fission products that are producedfollowing a DBA is the Containment Building. The primary containment structure is acylindrical building constructed from reinforced, post-tensioned concrete with a 0.25-inch thick steel liner. The Containment Building is protected from external hazardsby the Shield Building. A detailed description of the entire RB is provided inSection 3.8.1.

Additional structures and systems that limit the release of fission products following aDBA are presented in this section.

6.5.3.1 Primary Containment

The primary containment requirements and performance for removal and control offission products are described in the sections that detail the building structure,accident mitigation capabilities, allowable leakage limits, isolation capability, and theuse of other systems that limit the spread of contamination and radiation.Table 6.5-1-Primary Containment Operations Following a Design Basis Accidentsummarizes primary containment provisions to control fission product releasesfollowing a DBA.

The RB structural design basis is specified and layout drawings are provided inSection 3.8.1. The containment design basis for accident mitigation is detailed inSection 6.2.1, which presents the sequence of events that occur within theContainment Building for each of the DBAs. The containment allowable leakage isdefined and limits are stated in Section 6.2.6 and Section 5.5.15 of the TechnicalSpecifications. The containment isolation system is described in Section 6.2.4. Thecontrol of hydrogen in containment during DBAs and severe accident conditions isdescribed in Section 6.2.5. The ESF filter systems are described in Section 6.5.1.Natural deposition of radioactive particulates and elemental iodine on surfaces withincontainment is addressed in Section 15.0.3.11.

Periodic containment purging is possible during power operation using the low-flowpurge exhaust subsystem of the CBVS. During purging operations, the ventilationsystem is aligned to ESF filters to filter radioactive releases in case of a rod ejectionaccident. Upon receipt of a containment isolation signal, the containment purge line isisolated within five seconds [after receiving a signal from the PACS modul .


All indicated changes are in response to RAI 414, Question 07.03-300U.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRselection algorithms and redundancy to minimize the possibility of a single failure that

results in a DBE that also reduces the redundancy of the safety-related systems. Thesafety-related systems implement error detection algorithms to detect and

accommodate failures.

7.1.1.6.5 Priority

The U.S. EPR I&C design allows for multiple I&C systems to send requests to a given

actuator. To make certain that each individual actuator executes the proper action forthe given plant condition, priority management rules for the PACS are provided. The

following systems inputs to the PACS are listed in order of priority:

" PS/DAS.

* DAS.

" SAS.

" SICS.

* PAS.

The DAS is given a higher priority than the SAS because it is a functional substitute tothe PS and is needed at this level of priority to verify proper operation of SASfunctions on a SWCCF of the PS.

During normal operation, the operational I&C disable switch on the SICS is set so thatthe PAS can send commands to the PACS. In this configuration, automatic commands

from the PAS override manual commands from the SICS because of the nature of themanual control logic in the PACS. If the operational I&C disable switch is set to

DISABLE by the operator, the PAS input will be disabled (i.e., the input signals from

the PAS to the communications module will be blocked from being sent to the priority

module), providing the priority of the SICS manual commands. The operational I&C

disable switch disables PAS inputs, all other PACS inputs remain operational.

7.1.2 Response Time

Figure 7.1-28--Definition and Allocation of' Response Times shows the equipment and

response times for the U.S. EPR design. The equipment shown in Figure 7.1-28 isdefined as follows:

9 Sensor - The device that responds to changes in a plant variable or condition andconverts the measured process variable into an electric, optic, or pneumatic signal.This includes the primary element and the transmitter.

* Black box signal conditioning - Equipment that transforms a sensor output into asignal level that is appropriate for acquisition by the DCS. Examples include



EPRincore and excore signal conditioning cabinets. (Note - this does not include thesignal conditioning and distribution system. which is internal to the Distributedcontrol system (DCS)).

Distributed control system -- The system that performs the logic solving function.The DCS receives input signals from the sensors, compares the signals to setpoints,performs voting, prioritizes the safety signal with other commands, and sends anactuation output to the actuation device. The DCS includes the following systems:SICS, PICS, DAS, PS, SAS, RCSL, PAS, SCDS and PACS.

" Actuation device - A component or assembly of components that directly controlsthe motive power, such as electricity, compressed air, or hydraulic fluid, foractuated equipment. Examples include breakers. motor controllers and solenoids.

" Actuated equipment - The assembly of prime movers, such as actuators such asmotors or hydraulic operators, and driven equipment, such as actuatedcomponents (pumps and valves, for example). This also applies to non-movingactuated equipment such as heaters.

The response times are allocated based on the type of equipment as defined. The

allocation of the response times are defined as follows:

" T - Overall loop response time from the change of the process variable at theprocess-sensor interface to the actuated equipment completing the safety functionsuch as to isolate flow, and provide rated flow.

* TI - Allocated portion of the overall response time from the change of' the processvariable at the process-sensor interface to the input to the DCS.

" T2 - Allocated portion of the overall loop response time from the input to the DCSto the input of the actuation device.

* T3 - Allocated portion of'the overall loop response time from the input of theactuation device to the input to the input of the actuated equipment.

" T4 - Allocated portion of the overall loop response time from the input to theactuated equipment to the completion of the safety function.

7.1.3 Identification of Safety Criteria

Table 7.1-2-I&C System Requirements Matrix, shows the I&C system requirements

matrix which details the regulatory requirements for the I&C systems of the U.S. EPR.

The U.S. EPR is designed in accordance with IEEE Std 603-1998 (Reference 1). Refer

to Section 7.1.3.6 for an explanation for using IEEE Std 603-1998 in lieu of IEEE Std

603-1991 per the alternative request in Reference 45.

The following I&C systems are within the scope of the protection system as defined in

IEEE Std 603-1998 (Reference 1):

I

Tier 2 Revision 4-Interim Page 7.1-50Tier 2 Revision 4-lnterim Page 7.1-50


U.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRFigure 7.1-28-Definition and Allocation of Response Times

T1 T2 a- 1-d 3 11d T--§

. ~Black Box

•Signal .. .Actuation: AcuaeSensor Conditioning. " DCS Device .. Equipment

•(if al~plicable)

PROCESS

EPR3429 T2

Next File

Page 7.1-203Tier 2 Revision 4-Interim

All indicated changes are in response to RAI 414, Question 07.03-30lU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPR7.2.2 Analysis

7.2.2.1 Design Basis Information

Clause 4 of IEEE Std 603-1998 (Reference 6) specifies the information used to establish

the design basis for safety-related systems. This section describes design basis

information for the U.S. EPR RT function. Reactor trip is performed automatically by

the PS and manually through the SICS in conjunction with PS. The design basis

information related to the equipment of these safety-related systems, environmentalconditions in which they must function, and methods used to determine their

reliability is described in Section 7.1.

The design basis information below pertains to the requirements placed on the RTfunction and the variables monitored to initiate the RT function.

7.2.2.1.1 Design Basis: Applicable Events (Clause 4.a and 4.b of IEEE Std 603-1998)

The anticipated operational occurrence and postulated accidents requiring protective

action are analyzed in Chapter 15. The initiating events analyzed are listed in

Table 15.0-1. The initial conditions analyzed for each event are defined in Chapter 15.

Correlation between each event and specific RT functions is found in Table 15.0-10.

7.2.2.1.2 Design Basis: Permissive Conditions for Operating Bypasses (Clause 4.c ofIEEE Std 603-1998)

The operating bypasses applicable to each RT function are identified in

Section 7.2.1.2.1 through Section 7.2.1.2.21. Each operating bypass (permissive signal)is described in Section 7.2.1.3. The functional logic used to generate each operating

bypass is also specified in Section 7.2.1.3.

7.2.2.1.3 Design Basis: Reactor Trip Input Variables (Clause 4.d of IEEE Std 603-1998)

Each RT function is listed in Table 15.0-7 with the relevant nominal trip setpoint,

normal and degraded uncertainties, and time delays for the function. For each of these

functions, Table 7.2-1 lists the input variables that are used either directly or as inputsto a calculation to initiate an RT. The range to be monitored for each of these

variables is also listed in Table 7.2-1. Table 7.2-3 lists the response times for the RT

functions. The definitions and allocation of response times are described in

Section 7.1.2.

7.2.2.1.4 Design Basis: Manual Reactor Trip Initiation (Clause 4.e of IEEE Std 603-1998)

The capability for manual RT is available to the operator as described in

Section 7.2.1.2.22. There are no operating bypasses placed on the manual RT function;

Tier 2 Revision 4-interim Page 7.2-22



EPRTable 7.2-3-Reactor Trip Response Time

Sheet 1 of 3

TotalResponse

Function Time (s) TI T2 T3 T4 T3 Definition T4 Definition

RT on Pressurizer pressure < Min2p 4.8 0.4 0.5 0.25 3.65 See Note 1 See Note 2

RT on Pressurizer pressure > Max2p 4.8 0.4 0.5 0.25 3.65 See Note I See Note 2

RT on Pressurizer level> Maxlp 5.4 1 0.5 0.25 3.65 See Note 1 See Note 2

RT on Hot leg pressure < Minlp 4.8 0.4 0.5 0.25 3.65 See Note 1 See Note 2

RT on SG pressure < Minip 4.8 0.4 0.5 0.25 3.65 See Note I See Note 2

RT on SG pressure > Maxlp 4.8 0.4 0.5 0.25 3.65 See Note 1 See Note 2

RT on SG AP > Maxilp 4.8 0.4 0.5 0.25 3.65 See Note 1 See Note 2

RT on SG level < Minlp 5.4 1 0.5 0.25 3.65 See Note 1 See Note 2

RT on SG level > Maxlp 5.4 1 0.5 0.25 3.65 See Note I See Note 2

RT on High containment pressure 4.8 0.4 0.5 0.25 3.65 See Note I See Note 2

RT on High linear power density 4.5 0.1 0.5 0.25 3.65 See Note 1 See Note 2

RT on Low DNBR 4.9 plus sensor 0.1 (SPNDs) 1 0.25 3.65 See Note 1 See Note 2delays 0.4 (PZR pressure)

0.1 (RCP speed)4 (Cold leg temp. NR)0.4 (RCS loop flow)

RT on Low DNBR (Imb/Rod Drop) 4.9 plus sensor 0.1 (SPNDs) 1 0.25 3.65 See Note I See Note 2delays 0.4 (PZR pressure)

0.1 (RCP speed)4 (Cold leg temp. NR)0.4 (RCS loop flow)3 (RCCA position)




EPRTable 7.2-3--Reactor Trip Response Time

Sheet 2 of 3

TotalResponse


RT on Low DNBR (Rod Drop) 4.9 plus sensor 0.1 (SPNDs) 1 0.25 3.65 See Note 1 See Note 2delays 0.4 (PZR pressure)

0.1 (RCP speed)4 (Cold leg temp. NR)0.4 (RCS loop flow)3 (RCCA position)

RT on Low DNBR (High Quality) 4.9 plus sensor 0.1 (SPNDs) 1 0.25 3.65 See Note 1 See Note 2delays 0.4 (PZR pressure)

0.1 (RCP speed)4 (Cold leg temp. NR)0.4 (RCS loop flow)

RT on Low DNBR (High Quality 4.9 plus sensor 0.1 (SPNDs) 1 0.25 3.65 See Note 1 See Note 2Imb/Rod Drop) delays 0.4 (PZR pressure)

0.1 (RCP speed)

4 (Cold leg temp. NR)0.4 (RCS loop flow)3 (RCCA position)

RT on Low saturation margin 4.4 plus sensor 4 (Cold leg temp. WR) 0.5 0.25 3.65 See Note 1 See Note 2delays 0.4 (Hot leg temp. NR)

0.4 (RCS loop flow)0.4 (Hot leg pressure WR)

RT on Excore high neutron flux rate 4.2 negligible 0.3 0.25 3.65 See Note 1 See Note 2of change

RT on High core power level 4.4 plus sensor 4 (Cold leg temp.WR) 0.5 0.25 3.65 See Note I See Note 2delays 4 (Hot leg temp. NR)

0.4 (RCS loop flow)0.4 (Hot leg pressure WR)




EPRTable 7.2-3-Reactor Trip Response Time

Sheet 3 of 3

TotalResponse


RT on Low RCS flow rate (2 loops) 4.55 0,4 0.25 0.25 3.65 See.Note 1 See Note 2

RT on Low-low RCS flow rate (one 4.55 0.4 0.25 0.25 3.65 See Note 1 See Note 2

RT on Low RCP speed (2 loops) 4.25 0.1 0.25 0.25 3.65 See Note I See Note 2

RT on High neutron flux (IR) 4.2 negligible 0.3 0.25 3.65 See Note 1 See Note 2

RT on Low neutron flux doubling 4.2 negligible 0.3 0.25 3.65 See Note 1 See Note 2time (IR)

NOTES

1. The maximum delay time for opening the RT breakers and contactors considering the undervoltage trip operating time,mechanism operating time, arcing time. and auxiliary relay operating time.

2. The maximum delay time between deenergizing the holding coils and the RCCAs fully inserted (e.g. bottom positionindication) (gripper release time of.15 sec + RCCA drop time of 3.5 sec).

Next File


All indicated changes are in response to RAI 414, Question 07.03-30lU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRrange to be monitored for each of these variables is also listed in Table 7.3-1. Table

7.3-6 lists the response times for the ESF actuation functions. The definitions and

allocation of response times are described in Section 7.1.2.

7.3.2.1.4 Design Basis: Manual ESF System Actuation (Clause 4.e of IEEE Std 603-1998)

The capability for manual system-level actuation and manual component level control

of ESF actuators is available to the operator as described in Section 7.3.1.1. Manualactions credited to mitigate AQOs and PAs are identified in Section 15.0, Section 7.2,

and in each credited function in Section 7.3.1.2. The variables to be displayed to the

operator to use in manual ESF actuation are determined as part of the methodology

used for selecting Type A PAM variables as described in Section 7.5.

7.3.2.1.5 Design Basis: Spatially Dependent Variables (Clause 4.f of IEEE Std 603-1998)

The U.S. EPR design uses no spatially dependent variables as inputs to ESF actuation

functions.

7.3.2.1.6 Design Basis: Critical Points in Time or Plant Conditions (Clause 4.j of IEEEStd 603-1998)

The PS initiates operation of ESF systems when selected variables exceed the

associated setpoints. The plant conditions that define the proper completion of the

safety function performed by an ESF system are defined on an event-by-event basis in

the Chapter 15 analyses. The actions of the execute features for an ESF actuation

function are complete when, for example, a valve has reached its full open or full

closed position, or required flow has been established by a pump.

The ESF actuation logic generally allows ESF actuation outputs generated by the PS to

be reset after completion of the actions of the execute features. The reset of the ESF

actuation signal does not result in change of state (return to normal) of the ESF

actuator. Plant specific operating procedures govern the point in time when the ESF

actuators can be returned to normal following their actuation.

7.3.2.2 Failure Modes and Effects Analysis

A system-level failure modes andeffect analysis (FMEA) is performed on the PS to

identify potential single point failures and their consequences. The architecture of the

PS as defined in the U.S. EPR Protection System Technical Report (ANP-10309P)(Reference 1) is used as the basis for the analysis. The FMEA considers each major part

of the system, how it may fail, and the effect of the failure on the system.

Because the PS is an integrated RT and engineered safety features actuation system

(ESFAS), a single failure in the system has the potential to affect both types of




EPRTable 7.3-6-Enqineered Safety Features Actuation System Response Times

Sheet 1 of 13

Tota IResponse

Function I Time (s) TI1 T2 T3 T4 T3 Definition T4 Definition

ESFAS

Safety Injection System Actuation

SIS actuation on pressurizer 16.5 0.4 1.1 0.5 14.5 See Note 1 The maximum timepressure < Min3p (w/o LOOP) delay for valve and

pump actuation.See Note 2 for moredetails.

SIS actuation on pressurizer 41.5 0.4 1.1 25.5 14.5 The maximum The maximum timepressure < Min3p (with LOOP time delay for delay for valve andand EDG loading) the MCC or pump actuation.

switchgear See Note 2 for moreincluding EDG details.activities (maxtime delay =EDG start delay+ EDG loading

delay -+ MCC orswitchgeardelay). See Note1 for moredetails

SIS actuation on RCS Hot Leg 15.5 plus sensor 0.4 (Hot leg press. WR) 0.5 0.5 14.5 See Note I The maximum time

APsat < Min1p (w/o LOOP) delays 4 (Hot leg temp. WR) delay for valve andpump actuation.See Note 2 for moredetails.





Sheet 2 of 13

TotalResponse


SIS actuation on RCS Hot Leg 40.5 plus sensor 0.4 (Hot leg press. WR) 0.5 25.5 14.5 The maximum The maximum timeAPsat < MinIp (with LOOP delays 4 (Hot leg temp. WR) time delay for delay for valve andincluding EDG loading) the MCC or pump actuation.

switchgear See Note 2 for moreincluding EDG details.activities (maxtime delay =EDG start delay+ EDG loadingdelay + MCC orswitchgeardelay). See Note1 for moredetails

SIS actuation on RCS Loop 16.5 1 0.5 0.5 14.5 See Note 1 The maximum timeLevel < Minlp (w/o LOOP) delay for valve and






Sheet 3 of 13

TotalResponse


SIS actuation on RCS Loop 41.5 1 0.5 25.5 14.5 The maximum The maximum timeLevel < Minlp (with LOOP time delay for delay for valve andand EDG loading) the MCC or pump actuation.

switchgear See Note 2 for moreincluding EDG details.activities (maxtime delay =

EDG start delay

+ EDG loadingdelay + MCC orswitchgeardelay). See NoteI for moredetails

Emergency Feedwater System Actuation

EFWS actuation on SG Level < 16.5 1 0.5 0.5 14.5 See Note 1 The maximum timeMin2p (WR) (affected SG) (w/ delay for valve ando LOOP) pump actuation.

See Note 2 for moredetails.





Sheet 4 of 13

TotalResponse


EFWS actuation on SG Level < 61.5 1 0.5 45.5 14.5 The maximum The maximum timeMin2p (WR) (affected SG) time delay for delay for valve and(with LOOP including EDG the MCC or pump actuation.loading) switchgear See Note 2 for more

including EDG details.

activities (maxtime delay =EDG start delay+ EDG loadingdelay + MCC or

switchgeardelay). See Note1 for moredetails

EFWS actuation on LOOP + 60 None None 45.5 14.5 The maximum The maximum timeSIS Actuation (includes EDG time delay for delay for valve andloadingi the MCC or pump actuation.

switchgear See Note 2 for moreincluding EDG details.

activities (maxtime delay =EDG start delay+ EDG loading

delay + MCC orswitchgeardelay). See NoteI for moredetails



EPRTable 7.3-6-Engineered Safety Features Actuation System Response Times

Sheet 5 of 13

TotalResponse


SG blowdown isolation 21.5 1 0.5 0.5 19.5 See Note ! The maximum time(affected SG) delay for valve and


EFW level control N/A N/A N/A N/A N/A N/A N/A

EFWVS pump overflow N/A N/A N/A N/A N/A N/A N/Aprotection

Emergency Feedwater System Isolation

EFWS isolation on SG Level > 61.5 1 0.5 0.5 59.5 See Note I The maximum timeMaxIp (WR) (affected SG) delay for valve and


SG Isolation Signal See SG Isolation below

Partial Cooldown Actuation

SIS Actuation Signal generated None iN/A IA INA /DA N/A N/A

*MSRT Actuation





Sheet 6 of 13

TotalResponse

Function Time (s) T1 T2 T3 T4 T3 Definition T4 Definition

MSRT opening (MSRIV) on 2.7 0.4 0.5 0.1 1.7 The time The maximum timeSG Pressure > Maxlp (affected required from delay for valve andSG receiving a pump actuation.

signal from the See Note 2 for moreDCS to when details.the relaycontacts changestates fromnormally opento normallyclosed, ornormally closedto normallyopen.

MSRT isolation (MSRIV, 5.9 0.4 0.5 0.1 4.9 See Note 1 The maximum timeMSRCV) on SG Pressure < delay for valve andMin3p (affected SG) pump actuation.


Main Steam Isolation

MSIV closure on SG pressure 5.9 0.4 0.5 0.5 4.5 See Note 1 The maximum timedrop > Maxlp (all SGs) delay for valve and





EPRTable 7.3-6-Engineered Safety Features Actuation System Response Times

Sheet 7 of 13

TotalResponse

Function Time (s) TI, T2 T3 T4 T3 Definition T4 Definition

MSIV closure on SG pressure < 5.9 0.4 0.5 0.5 4.5 See Note 1 The maximum timeMinip (all SGs) delay for valve and

pump actuation.See Note 2 for more

details.

MSIV closure on High See Containment Isolation below

Containment pressure


Main Feedwater Isolation

MFW full load isolation on 40 None None 0.5 39.5 See Note I The maximum time

Reactor Trip (all SGs) delay for valve and


MFW full load isolation on SG 41.5 1 0.5 0.5 39.5 See Note 1 The maximum time

Level > MaxIp (NR) (affected delay for valve and

SG) pump actuation.See Note 2 for moredetails.

MFWSSS i.solationonSG level 21.5 1 0.5 0.5 19.5 See Note I The maximum time

> Max0p (NR) for period of delay for valve and

time (affected SG) pump actuation.

See Note 2 for more

details.




EPRTable 7.3-6-Enaineered Safety Features Actuation System Response Times

Sheet 8 of 13

TotalResponse

Function Time (s) T1 T2 T3 T4 T3 Definition T4 Definition

MFW SSS isolation on SG 20.9 0.4 0.5 0.5 19.5 See Note I The maximum timepressure drop > Max2p delay for valve and(affected SG) pump actuation.


MFW SSS isolation on SG 20.9 0.4 0.5 0.5 19.5 See Note I The maximum timepressure < Min2p (affected SG) delay for valve and


MFW SSS isolation on High See Containment Isolation function belowContainment pressure


Containment Isolation

Containment equipment 0.9 plus T3 and 0.4 0.5 See See See Note 1 The maximum timecompartment pressure > T4 Section Section delay for valve andMaxip (Stage 1) 6.2.4 6.2.4 pump actuation.


Containment service 0.9 plus T3 and 0.4 0.5 See See See Note I The maximum time

compartment pressure (NR) > T4 Section Section delay for valve andMax2p (Stage 1) 6.2.4 6.2.4 pump actuation.


Tier 2 Revision 4-InterimP Page 7.3-52




Sheet 9 of 13

TotalResponse


Containment activity > Maxlp 5.0 plus T3 and 4.5 0.5 See - See See Note 1 The maximum time(Stage 1) T4 Section Section delay for valve and

6.2.4 6.2.4 Pump actuation.See Note 2 for moredetails.

SIS Actuation Signal (Stage 1) N/A N/A N/A N/A N/,A N/A N/A

Containment service 0.9 plus T3 and 0.4 0.5 See See See Note 1 The maximum timecompartment pressure (WR) > T4 Section Section delay for valve andMax3p (Stages 1 & 2) 6.2.4 6.2.4 pump actuation.


CVCS Charging Isolation

CVCS charging line isolation 41.5 1 0.5 0.5 39.5 See Note I The maximum timeon pressurizer level> Max2p delay for valve and


CVCS Isolation for Anti-Dilution

Anti-Dilution (power) 105.5 65 0.5 0.5 39.5 See Note I The maximum timedelay for valve andpump actuation.See Note 2 for moredetails.





Sheet 10 of 13

TotalResponse


Anti-Dilution (shutdown) 105.5 65 (Boron 0.5 0.5 39.5 See Note 1 Note 2Theconcentration) maximum timenegligible (Cold leg delay for valve andtemperature WR) pump actuation.negligible (CVCS See Note 2 for morecharging line flow) details.

Anti-Dilution (shutdown no 105.5 65 (Boron 0.5 0.5 39.5 See Note I The maximum timeRCPs) Concentration) delay for valve and

negligible (CVCS pump actuation.charging line flow) See Note 2 for more

details.

Steam Generator Isolation

MSRT Setpoint Increase on SG 1.5 1 0.5 None None See Note 1 The maximum timeLevel > Max2p + partial delay for valve andcooldown initiated (affected pump actuation.SG) See Note 2 for more

details.

MSRT setpoint increase on N/A N/A N/A N/A N/A N/A N/Ahigh steam line activity +partial cooldown initiated(affected SG)

MSIV closure on SG level > 6.5 1 0.5 0.5 4.5 See Note I The maximum timeMax2p (NR) + partial. delay for valve anrdcooldown initiated (affected 2pump actuation.SG) See Note 2 for more

details.




Table 7.3-6-Enqineered Safety Features Actuation System Response TimesSheet 11 of 13

TotalResponse


MSIV closure on high steam N/A N/A N/A N/A N/A N/A N/Aline activity + partialcooldown initiated (affected

MFW SSS Isolation on SG 21.5 1 0.5 0.5 19.5 See Note 1 The maximum timelevel > Max2p (NR) + partial delay for valve andcooldown initiated (affected pump actuation.SSee Note 2 for more

details.

MFW SSS isolation on high N/A N/A N/A N/A NiA N/A N/Asteam line activity + partialcooldown initiated (affectedSG)

EFWS isolation on SG Level 61.5 1 0.5 0.5 59.5 See Note I The maximum time(NR) > Max2p + partial delay for valve andcooldown initiated (affected pump actuation.SG) See Note 2 for more

details.

EFWS isolation on High Steam N/A N/A N/A N/A N/A N/A N/ALine Activity + partialcooldown initiated (affectedSGI





Sheet 12 of 13

TotalResponse

Function Time (s) TI._ T2 T3 T4 T3 Definition T4 Definition

Reactor Coolant Pump Trip

RCP Trip on AP over RCP < 3.9 0.4 0.5 3 None This is the N/AMinip + SIS signal maximum delay

time from theoutputs of theDCS to whenthe power isremoved fromthe RCPs.

MCR AC System Isolation

MCR air intake activity> 17 6 0.5 0.5 10 See Note 1 The maximum timeMax1p delay for valve and


Turbine Trip on RT

Initiation of RT N/A (See Note N/A IN/A N/A N/A N/A N/A3) !(See

Note 3)

EDG on LOOP or dearaded voltage

EBS

EBS Isolation N/A N/A N/_A N/A_ I N/A N/A N/A




EPRTable 7.3-6-Encgineered Safety Features Actuation System Response Times

Sheet 13 of 13

TotalResponseFunction Time (s) TI T2 T.3 T4 T3 Definition T4 Definition

Hydrogen Mixing Dampers Opening

Containment service 18 0.4 0.5 0.5 16.6 See Note 1 The maximum timecompartment pressure (NR) > delay for valve andMaxI pump actuation.


Containment equipment 18 0.4 0.5 0.5 16.6 See Note 1 The maximum timecompartment/containment delay for valve andservice compartment AP > pump actuation.MaxI1 See Note 2 for more

details.

NOTES

1. The maximum delay time from the input of the switchgear or MCC to the input of the motors, pumps, valves, etc.considering the shunt trip operating time, mechanism operating time, arcing time, and auxiliaLy relay operating time.For emergency diesel generators (EDG): The maximum time delay from when the EDGs receive the start signal to whenthe EDGs reach the rated load including the EDG loading.

2. The following is the T4 definition for various actuated equipment in the plant:For all valves (or dampers): The maximum time delay from when the valve (or damper) receives the signal from theswitchgear to when the valve (or damper) goes to full open or full closed position.

- For motor operated valves: The maximum time delay from when the motor receives the signal from the MCC towhen the valve goes to full open or full closed position.

- For air-operated valves: The maximum time delay from when the valve receives the signal from the switchgear towhen the valve goes to full open or full closed position. This includes the time it takes the solenoid (air supply) orpilot valve to actuate.



lU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPR- For hydraulic actuated valves: The maximum time delay from when the valve receives the signal from the switchgear

to when the valve goes to full open or full closed position. This includes the time it takes the solenoid (control flow ofhydraulic fluid) or pilot valve to actuate.

- For pumps: The maximum time delay from when the pump receives a signal from MCC or switchgear to when thepump provides full flow.

3. The response time indicated for the Turbine Trip on RT is the minimum time based on the capability of the DCSequipment. Safety analysis requires a minimum response time of at least one second between a RT and a Turbine Trip.Therefore, a one-second time delay is implemented in the DCS software design for this function.



EPR9.4.7 Containment Building Ventilation System

The containment building ventilation system (CBVS) is designed to maintain

acceptable ambient conditions inside the Containment Building for proper operation

of equipment and instrumentation during normal plant operation and normal

shutdown (i.e., outages). The CBVS also provides acceptable ambient conditions for

personnel access to the service compartment during normal plant operation, and

equipment compartment during outage for conducting inspections, tests andmaintenance during normal plant operation.

9.4.7.1 Design Bases

The containment low-flow purge exhaust subsystem outside of Containment is

designated as a safety-related, Seismic Category I, ESF ventilation system.

This exhaust subsystem serves a safety function when operating in a low flow purge

alignment (during power operation) and upon receipt of a containment isolation

signal. During the short period of time required to close the containment isolation

valves, exhaust air from containment flows through the CBVS purge iodine filtration

units and is exhausted to the plant vent stack.

The containment penetration isolation valves are safety related and designed to

Seismic Category I requirements. The reactor pit cooling fans anRd internal filtrationsystem components are non-safety related but designed to Seismic Category I

requirements. The reactor pit cooling fans are non-safety related, but are designed to

Seismic Categor, II requirements. A4I--Other CBVS components ef the GBNVS are

non-safety related and Non-Seismic.

The CBVS components are located inside buildings that are designed to withstand the

effects of natural phenomena such as earthquakes, tornados, hurricanes, floods, and

external missiles (GDC 2).

The containment low-flow purge exhaust subsystem removes radioactive materials via

iodine filtration trains prior to release to the atmosphere (GDC 41). The filtration

system is designed to allow periodic inspection (GDC 42).

The internal filtration subsystem filters airborne radioactive materials from the

equipment compartments during normal operation.

The containment isolation valves are automatically closed within five seconds upon

receipt of a containment isolation signal after receiving a signal from the PACS

module, in accordance with BTP 6-4 (Reference 8), to maintain the integrity of thecontainment boundary and to limit the potential release of radioactive material.




EPRon the internal filtration subsystem and containment building cooling subsystem fail

to the "as-is" position. The power supply to main fans and reactor pit cooling fans is

supplied from corresponding emergency diesel generators. Air cooling unit fans stop

in the service compartment cooling subsystem.

Fuel Handling Accident in the Containment Building

In the event of a fuel handling accident in the Containment Building, the containment

isolation valves on the containment purge subsystem can be manually closed by

pushing the emergency push button located in the fuel handling area inside the

Containment Building. The dampers are closed when the hatch is opened. The low-

flow purge exhaust subsystem is used to avoid the spread of contamination by keepinga negative pressure in the Containment Building. To achieve this safety function, the

low-flow purge subsystem exhaust is switched over to the iodine filtration trains of the

safeguard building controlled-area ventilation system (refer to Section 9.4.5,

Section 11.5.3.1.5, Section 11.5.4.8, and Table 11.5-1, Monitor R-10).

High Pressure Level or Safety Injection Signal

In case of high-pressure level or a safety injection signal, the containment penetration

valves on the containment purge subsystem are closed and air flow in the Containment

Building is stopped.

Station Blackout

In the event of an SBO, the reactor pit area is air cooled to prevent degradation of theconcrete structure. The reactor pit cooling fans take air from the supply air shaft. The

air is supplied to the bottom of the pit and transferred through openings in the pit wall

around the main coolant piping to maintain a temperature less than 150'F. The power

supply to the reactor pit cooling fans is provided by the alternate AC (PGC) SBO diesel

generators.

Small-Break Loss-of-Coolant Accident and Loss-of-Coolant Accident

In the event of a small-break loss-of-coolant accident (SBLOCA) or loss-of-coolant

accident (LOCA), containment isolation valves automatically close after receipt of the

containment isolation signal. These valves are designed to perform their isolation

function under LOCA conditions and will close within five seconds after receipt of a

containment isolation signa• from the PACS module.

9.4.7.3 Safety Evaluation

The CBVS maintains proper temperatures in the Containment Building during normal

operations and shutdown conditions. Sufficient redundancy is included for properoperation of the system when one active component is out of service. The CBVS is an

engineered safety feature and the safety-related functions are closure of the CBVS


All indicated changes are in response to RAI 414, Question 07.03-30oU.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRcontainment isolation valves (CIV) and filtration of the low-flow purge prior to

closure of the ClVsfun.tion prox.d.s conta•lnmnt isolation and low flow pur. gexhaust from the containment isolation valvo-es during a postulated rod ejection

accident.

The CBVS low flow purge removes radioactive materials via two i00 percent iodine

filtration trains prior to release to the plant vent stack. Each train operates

independently. A failure in one train will not prevent the remaining train fromproviding the required engineered safety feature function.

The containment purge subsystem supply and exhaust penetrations through the

containment annulus are equipped with two normally open isolation valves, each

connected to separate control trains. A failure in one train will not prevent theremaining isolation valve from providing the required capability. The valves

automatically close within five seconds after receipt of a containment isolation signal-

from the PACS module. The isolation valves and containment penetrations are the

only portions of the CBVS that are safety related.

9.4.7.4 Inspection and Testing Requirements

The CBVS major components, such as dampers, motors, fans, filters, coils, heaters, and

ducts are located to provide access for initial and periodic testing to verify their

integrity.

Initial in-place acceptance testing of the CBVS is performed as described in

Section 14.2 (test abstracts #073 and #203), Initial Plant Test Program, to verify the

system is built in accordance with applicable programs and specifications.

The CBVS is designed with adequate instrumentation for differential pressure,

temperature, and flow indicating devices to enable testing and verification of

equipment function, heat transfer capability and air flow monitoring.

During normal plant operation, periodic testing of CBVS is performed to demonstrate

system and component operability and integrity.

During normal operation, equipment rotation is utilized to reduce and equalize wear

on redundant equipment during normal operation.

Isolation dampers are periodically inspected and damper seats replaced as required.

Per IEEE 334 (Reference 9), type tests of continuous duty class 1E motors for CBVS areconducted to ensure ESF system operation and availability.

Fans and air handling units are tested by manufacturer in accordance with Air

Movement and Control Association (AMCA) standards (References 4, 5, and 6). Air



EPRMain Steam Isolation Valves

Each main steam line includes an MSIV, located in the Valve Room just outside the

containment. The MSIVs provide a safety-related function of isolating the main steamlines in the event of excessive steam flow to prevent over cooling the reactor coolant.

In response to a main steam isolation signal, the MSIVs quickly and automaticallyclose. Each MSIV is capable of closure, in five seconds or less after receiving a signal

from the PACS module, against a flow of approximately 5x10 6 lbm/hr and adifferential pressure of 1320 psid in either direction. Each MSIV is designed with a

capability to periodically test the operability of the MSIVs and associated apparatusand determine if valve leakage is within acceptable limits. Each MSIV is seat leakagetested in the forward and reverse flow directions by the valve supplier. Periodic leak

testing of each MSIV is tested by pressurizing the valve cavity between the disks.

The MSIVs are gate valves with hydraulic-pneumatic actuators and are Reference 1,

Class 2, pressure boundary.

The hydraulic-pneumatic actuator is a piston actuator with its upper chamber charged

with high pressure nitrogen and its lower chamber connected to a hydraulic oilsystem. The nitrogen stored in the upper chamber serves as a spring to close the valvewithout failure. The hydraulic oil supplied to the lower chamber opens the valve.

The actuator upper chamber is closed and continuously maintained at high pressure.

In the event of leakage, the upper chamber is equipped with pressure transmitters to

alert the operator; in which case the upper chamber is manually connected to a

nitrogen gas cylinder to restore the nominal pressure.

Each MSIV actuator has its own hydraulic oil system that pumps hydraulic oil from atank into the actuator lower chamber. Fast closure is performed by dumping the

hydraulic oil back to the oil tank via two redundant lines. Figure 10.3-2 illustrates this

subsystem. Only one dump line is shown for clarity. On each dump line there is adump valve pilot-operated by two solenoid valves in series and operating on the de-

energize-to-trip principle. It is necessary to de-energize the two pilots in series toopen the dump valve and therefore close the MSIV. This arrangement prevents afailure of any one pilot valve from causing either spurious MSIV closure (two pilots in

series) or failure to close (two redundant control lines).

Each dump line also has an exercise dump valve for testing (partial closure) or slow

closure. Each exercise dump valve is operated by a solenoid pilot valve. For MSIVtesting or slow closure, the main dump valve is in the quick closure position and theexercise pilot is energized to slowly drain hydraulic fluid back to the tank.

Functional testing of pilot valves can be performed individually during normal

operation without affecting power generation.



EPRNP - Nominal power - it should be noted that other terms are also used to depictreactor power, thermal power, rated thermal power, etc. Under steady-stateconditions, these are equivalent.NF - Nominal flowNS - Nominal speedNR - Narrow range

2. For RT functions the time delay is from the time the value is sensed at the sensoruntil the stationary gripper releases. It includes sensor delay, I&C delay, and thedelay for the trip breakers to open and the stationary gripper to release. Once thestationary gripper releases the control rods drop into the core. It is assumed thatthe control rods take an additional 3.5 seconds to completely insert (Figure 15.0-]1

3. FWLB has conservatively assumed a setpoint of 0% NR.

4. A TT is credited following an RT. The DCS is designed to issue the trip signal tothe turbine is-afdgerierator I&C system after a one-second delay.

5. The DCS includes an RT on high containment pressure. This trip is not credited inthe analysis presented in this section; however, it is credited in the containmentanalysis presented in Chapter 6.

6. This safety-related signal was not explicitly credited in the safety analyses. An RTon low saturation margin is introduced because, in case of saturation occurring in ahot leg, the thermal core power level calculation becomes invalid.

7. The pressure setpoint is variable and tracks the steam line pressure with a constantoffset (102 psi). The setpoint has a limitation on its maximum pressure (1087.7psia) and its maximum rate of decrease (29 psi/main). If the steamline pressuredecreases more rapidly than the allowable rate, then the margin between theactual pressure and the setpoint decreases until the steam line pressure is less thanthe setpoint generating an RT.

8. The uncertainty related to this RT function is discussed in Reference 2.




Table 15.0-8-Engineered Safety Features Actuation System (ESFAS)Functions Used in the Accident Analysis

Sheet I of 5

Uncertainty(Normal/ Time Delay

Function Setpoint Degraded) (seconds)4

Safety Injection System Actuation

SIS actuation on pressurizer pressure 1667.9 psia 25 psi/55 psi 1.5-plu< Min3p 16.5 w/o LOOP

for SI delivery or40-41.5 withLOOP (includesEDG loading)

SIS actuation on RCS Hot Leg APsat 220 psi 110 psi/181 psi 0.5 pius sensor< Minlp delays plus

15.5 w/o LOOPfor SI delivery or40.5 with LOOP(includes EDGloading)

SIS actuation on RCS Loop Level < Minlp 18.9 inches 1.1 inchl2.0 inch 4-516.5 w/o LOOPfor SI delivery or41.5 with LOOPincludes EDG__loadino

Emergency Feedwater System Actuation3 , 15

EFWS actuation on SG Level < Min2p 40% WR 2%/16.5%(WR) (affected SG) 16.5 w/o LOOP

for EFW deliveryor6061.5 with LOOP(includes EDGloading)

EFWS actuation on LOOP + SIS See note 1 See note 1 60 with LOOPActuation' (includes EDG

loading)

SG blowdown isolation (affected SG) 16 40% WR 2%/16.5% 21.5 phtis-20" -fe,(includes valveclosure)

EFW level control 82.2% WR 8%/9% Not Applicable

EFWS pump overflow protection 490 gpm max Not Applicable See nete 15N/A(See Note 15)





Sheet 2 of 5



Emergency Feedwater System Isolation

EFWS isolation on SG Level > Maxlp 89% WR"1 8%/9% 61.5 plus-•60 fa--(WR) (affected SG) (includes valve

closure)

SG Isolation Signal See SG Isolation function below

Partial Cooldown Actuation

SIS Actuation Signal generated See note 9 See note 9 See note 9

MSRT Actuation

MSRT opening (MSRIV) on SG Pressure 1384.7 psia 30 psi/75 psi 2.7 (includes valve> Maxlp (affected SG) opening)0.9 plus

MSRT isolation (MSRIV,MSRCV) on SG 579.7 psia 30 psi/75 psi 0. npbts -55.9Pressure < Min3p (affected SG) (includes closing

time for MSRIV)anid 40far-

Main Steam Isolation

MSIV closure on SG pressure drop See note 13 30 psi/75 psi _. p! 5.9> Maxlp (all SGs) (includes fef-valve

closureA

MSIV closure on SG pressure < Minlp (all 724.7 psia 30 psi/75 psi 0.9 plus 5 for valveSGs) closure

MSIV closure on High Containment See Containment Isolation function belowpressure


Main Feedwater Isolation

MFW full load isolation on Reactor Trip Not Applicable Not Applicable Following TT, 25-(all SGs) for isolation valve

elesfe- and-40 fe-(includes controlvalve closure)

MFW full load isolation on SG Level 69% NR 9.5%/1 1.5% 1.5 pis 254e> Maxlp (NR) (affected SG)"0 is'latien v..v"

elosuroe and 40 for-41.5 (includescontrol valveclosureI





Sheet 3 of 5



MFW SSS isolation on SG Level > MaxOp 65% NR for 10 sec 9.5%/11.5% 21.5 plus 2-(NR) for period of time (affected SG) w RT fef(includes valve

closure)

MFW SSS isolation on SG pressure drop See note 14 30 psi/75 psi 20.9 pl.us 2 fef-> Max2p (affected SG) (includes valve

closure)

MFW SSS isolation on SG pressure 579.7 psia 30 psi/75 psi 20.9 1 -s_2-feF-< Min2p (affected SG) (includes valve

closure)

MFW SSS isolation on High Containment See Containment Isolation function belowpressure






Sheet 4 of 5



Containment Isolation

Containment equipment compartment 18.7 psia 0.5 psi "7 9See Sectionpressure > Maxlp (Stage 1) 6.2.4

Containment service compartment 18.7 psia 0.5 psi "_,See Sectionpressure (NR) > Max2p (Stage 1) 6.2.4

Containment activity > Maxlp (Stage 1) 100 X backgrounA Not applicable 10

SIS Actuation Signal (Stage 1) Not applicable Not applicable Not applicable

Containment service compartment 36.3 psia Not applicable 0_9See Section.pressure (WR) > Max3p (Stages 1 & 2) 6.2.4

CVCS Charging Isolation

CVCS charging line isolation on 80% 5.5%/8.0% 41.5 piu-s-40-pressurizer level > Max2p feo(includes valve

closure)

CVCS Isolation for Anti-Dilution

Anti-Dilution (power) See note 5 See note 8 66-i-40-1 06(includes valveclosure)

Anti-Dilution (shutdown) See note 5 See note 8 66-i 40".106(includes valveclosure)

Anti-Dilution (shutdown no RCPs) 927 ppm See note 7 66-.-406-106(includes valveclosure

Steam Generator Isolation

MSRT Setpoint Increase on SG Level > 85% NR' 1 9.5%/11.5% 1.5Max2p + partial cooldown initiated (1435.5 psia) (30 psi / 75 psi)(affected SG)

MSRT setpoint increase on high steam See note 2 See note 2 See note 2.line activity + partial cooldown initiated (1435.5 psia) (30 psi/75 psi)

(affected SG)2

MSIV closure on SG level > Max2p (NR) + 85% NR11 9.5%/11.5% 5-1 -ff6.5partial cooldown Initiated (affected SG) (includes valve

closure)





Sheet 5 of 5



MSIV closure on high steam line activity + See note 2. See note 2. See note 2.partial cooldown initiated (affected SG) 2

MFW SSS Isolation on SG Level > Max2p 85% NR11 9.5%/11.5% 1.5.p•-§•--s ,20,.(NR) + partial cooldown initiated (affected 21.5 (includesSG) valve closure)

MFW SSS isolation on high steam line See note 2 See note 2 See note 2activity + partial cooldown initiated(affected SG)2

EFWS isolation on SG Level (NR) > Max2p 85% NRn1 9.5%/11.5% 61.5 plt±, 60 fey-+ partial cooldown initiated (affected SG) (includes valve

closure)

EFWS isolation on High Steam Line See note 2. See note 2. See note 2.Activity + partial cooldown initiated(affected SG)2

Reactor Coolant Pump Trip

RCP Trip on AP Over RCP < Minlp + SIS 80% nominal 3%/5% 3.912

Signal

MCR AC System Isolation

MCR air intake activity > Maxlp 3 X background Not applicable 60

Turbine Trip on RT

Initiation of RT Following RT Not Applicable 1.0 (DCS isdesigned to issueTIT 1 second afterRT)

EDG on LOOP or degraded voltage17

EBS

EBS Isolation Manual Not Applicable Not Applicable

Hydrogen Mixing Dampers Opening

Containment service compartment 17.4 psia ±0.5 psia 18 (includespressure (NR) > Maxlp damper opening)

Containment equipment compartment! 0.5 psi ±30% 18 (includescontainment service compartment AP damper opening)> Maxlp I I I


All indicated changes are in response to RAI 414, Question 07.03-300 "W1 U.S. EPR FINAL SAFETY ANALYSIS REPORT

EPRNotes:

1. EFWS actuation on LOOP and SIS is assumed in the SGTR to minimize the marginto overfill. It is also credited in SBLOCA. This function does not have a specificsetpoint, uncertainty, or delay.

2. The accident analysis does not credit automatic actions based on MSL activity butuses MSL activity for input to operator action. This function does not have aspecific setpoint, uncertainty, or delay.

3. EFWS actuation also results in SG blowdown isolation.

4. Represents the total time for completion of the function. Includes sensor delay,I&C delay (includes DCS computerized portion, and PACS delays), and otherdelays as noted until the function is completed.

5. The setpoints for the anti-dilution protection function vary as a function of coreburnup and are specified in the Core Operating Limits Report.

6. The first tim: aeeounts for tim: delays in taip py-ccesing. the seeend ti: b ank. untsfer- the stroak: tim:e of the CYCGS iselatieft valveslntentionally left blank.

7. A bounding uncertainty of 400 ppm is used.

8. Varies with boron concentration.

9. The partial cooldown actuation signal is initiated on the SIS signal and thereforedoes not have a specific setpoint, uncertainty, or delay.

10. MFW is isolated in two steps. First is the full load and the second is isolation of thestartup and shutdown system (SSS).

11. These SGTR mitigation features are credited in the accident analysis as manualoperator actions.

12. Three seconds of the 3.9-second delay is associated with the bus supply breakerdelay. This feature results in an RCP trip.

13. The pressure setpoint is variable and tracks the steam line pressure with a constantoffset (102 psi). The setpoint has a limitation on its maximum pressure (1087.7psia) and its maximum rate of decrease (29 psi/min). If the steamline pressuredecreases more rapidly than the allowable rate, then the margin between theactual pressure and the setpoint decreases until the steam line pressure is less thanthe setpoint generating an MSIV closure.

14. The pressure setpoint is variable and tracks the steam line pressure with a constantoffset (247 psi). The setpoint has a limitation on its maximum pressure (942.7 psia)and its maximum rate of decrease (29 psi/min). If the steamline pressure decreasesmore rapidly than the allowable rate, then the margin between the actual pressureand the setpoint decreases until the steam line pressure is less than the setpointgenerating an MFW SSS isolation.



Containment Isolation ValvesB 3.6.3

BASES

APPLICABLE SAFETY ANALYSES (continued)

valves) are minimized. The safety analyses assume that the 39 inch fullflow purge valves are closed at the start of a LOCA or rod election but notfor a fuel handling accident. The DBA analysis assumes that, within

ON, .C1 M

and leakage teFrminated except for the design leakage ratc, I.,.ThGcontainm~ent iso~lation to-tal response ti.meP of 6_0 SccGonds includes signalIdelay, diesel generator stailup (fen loss of ofsitc power), and containmom.isol~atin "vale streke times. The containment isolation valves. along with theirassociated valve closure times, are described in FSAR Section 6.2.4 (Ref. 2).

The single failure criterion required to be imposed in the conduct of plantsafety analyses was considered in the design of the full flow purge valves.Two valves in series on each purge line provide assurance that both thesupply and exhaust lines could be isolated even if a single failureoccurred. The inboard and outboard isolation valves are pneumaticallyoperated spring closed valves that will fail on the loss of air. The inboardand outboard isolation valves are powered from separate electrical trainsand connected to separate control trains.

The full flow purge valves are designed to close in the environmentfollowing a LOCA or MSLB. However, the DBA dose analysis assumesthat each full flow purge line is isolated during MODES 1, 2, 3, and 4.

The low flow purge valves may be opened during normal operation. Inthis case, the single failure criterion remains applicable to the low flowpurge valves due to failure in the control circuit associated with eachvalve. The system valve design precludes a single failure fromcompromising the containment boundary as long as the system isoperated in accordance with the subject LCO.

The containment isolation valves satisfy Criterion 3 of 10 CFR50.36(c)(2)(ii).

LCO Containment isolation valves form a part of the containment boundary.The containment isolation valves' safety function is related to minimizingthe loss of reactor coolant inventory and establishing the containmentboundary during a DBA.

The automatic power operated isolation valves are required to haveisolation times within limits and to actuate on an automatic isolationsignal. The 39 inch full flow purge valves must be maintained sealedclosed. The valves covered by this LCO are listed along with theirassociated stroke times in FSAR Section 6.2.4 (Ref. 2).

U.S. EPR GTS B 3.6.3-3 Interim Rev. 4


ANP-10309NP - U.S. EPRProtection SystemTechnical Report

Markups


AREVA NP Inc. ANP-1 0309NPRevision 4

U.S. EPR Protection SystemTechnical Report Page B-1

APPENDIX BPROTECTION SYSTEM RESPONSE TIME


AREVA NP Inc. ANP-10309NPRevision 4


B.1 Basis

Branch Technical Position 7-21 (Reference 1) provides guidance for the NRC staff

review of digital computer real-time performance. The following passages are stated as

review acceptance criteria in BTP 7-21:

"Limiting response times should be shown to be consistent with safety

requirements (e.g., suppress power oscillations, prevent fuel design limits

:from being exceeded, prevent a non-coolable core geometry). Setpoint

analyses and limiting response times should also be shown to be

consistent."

"Digital computer timing should be shown to be consistent with the limiting

response times and characteristics of the computer hardware, software,

and data communications systems."

"The level of detail in the architectural description should be sufficient that

the staff can determine the number of message delays and computational

delays interposed between the sensor and the actuator. An allocation of

time delays to elements of the system and software architecture should be

available. In initial design phases (e.g., at the point of design certification

application), an estimated allocation of time delays to elements of the

proposed architecture should be available."

"The means proposed, or used, for verifying a system's timing should be

consistent with the design."

"Testing and/or analytic justification should show that the system meets

limiting response times for a reasonable, randomly selected subset of

system loads, conditions, and design basis events."




It is therefore necessary to establish limiting time response calculation methods for

typical PS functions to validate:

" Time response assumptions used as inputs to the plant safety analysis.

* Consistency of setpoint calculations with the PS design.

* The sufficiency of the PS architecture with respect to time response.

B.2 Scope

The total response time for a given function consists of several sub-intervals that span

from a process variable exceeding a pre-defined limit to completion of the function (e.g.,

complete valve closure or required flow rate established). The scope of this document

is limited to only the microprocessor basod programm.abe el-cctronicDCS portion of the

total response time of any given protective function and excludes time intervals such as

sensor response times as well as priority actuation thru PACS and and valve closure

times.

This document applies only to the automatic protective functions identified in U.S. EPR

FSAR Tier 2, Chapter 7.

B.3 Contents

The remainder of this document is organized as follows:

Section B.4 defines the basic principles relevant to response time calculations. These

basic principles are based on the generic TXS platform properties that are architecture

independent.

Section B.5 describes how the basic principles of Section B.4 are applied to verify that

the response times calculated are the limiting (maximum) response times for the

system.

Section B.6 defines the assumed cycle times used in the calculations. Both function

processor cycle times and communication cycle times are considered. The principles



U.S. EPR Protection• SystemTechnical Report Page B-4

defined in Sections B.4 and B.5 are then applied to the specific architecture of the PS

and red po.ition measurement systemn (RPMS) systems interfacing with the PS to

obtain limiting response times for the typical function types.

B.4 Basic Response Time Principles

B.4.1 Definition of Response Time T2

The total response time for a given function consists of several sub-intervals that span

from a process variable exceeding a pre-defined limit to completion of the protective

function. The sub-interval addressed in this document is known as T2. T2 accounts for

the microprocessor based programmable .. e...r•nicDCS portion of the protection

channel, and is defined as the time from sensor conditioning-or black box signal

conditioning output to RT breaker input terminals for RT functions, or to iFRPut-outPut

ter-miaeof the PACS for ESF actuation functions. T2 incJludes the microprocessor

based programmable electron-ic portions of monitoring systemsG acquiring the sensor.

PAS response time v..aries depending on the type of input signal, and w~ill bhe- included

in the actuator response time. NOn m~icroprocessor based programmable electroni

sensor conRditioning 41from the- Monitoring sYstems6 _and SOD-S w.ill beinldepn-h

sensor response time.

B.4.2 TELEPERM XS Timing Concepts

The PS is composed of TXS function processors which run asynchronously to each

other and exchange signals using network links. Therefore, when calculating response

time, function processor cycle times and communication times for data exchange must

both be taken into account. Non m-icroprocessor based program.m...ablIe e-l•ectGronic

censoFr conditioning fromR the monRitoring systems and SODS2 Will bheinlddnth

sensor response time.

Each TXS function processor uses a cyclic execution model. Each processing task is

performed at a pre-defined time during each processing cycle. For the purpose of

response time calculations, three processing tasks are of interest:




1. Function Diagram Groups: The function diagrams executed by a TXS function

processor can be organized into one or two function diagram groups (FDG).

Each FDG is assigned a cycle time: Tfgl for the first FDG and Tfg2 for the second

FDG. The results of the first FDG will be available every Tfgl milliseconds, and

the results of the second FDG will be available every Tfg2 milliseconds. Thelonger of the two FDG cycle times must be evenly divisible by the shorter cycle

time to verify that the end of a cycle of the longer FDG coincides with the end of

a cycle of the shorter FDG. This is necessary to facilitate signal exchange

between the two FDGs within the same function processor.

Within an FDG, all required signal exchanges between individual function

diagrams can be performed during one FDG cycle time. However, signal

exchanges between the two FDGs can only occur at the beginning or end of the

longer of the two FDG cycle times.

2. Communication Drivers: Drivers for network communication modules are

executed cyclically with a cycle time, TN, which is common for all TXS function

processors in a system. A common cycle time does not imply that the

communications are synchronized between different functional processors;

different functional processors can start their communication cycles at different

times. For all function processors, the time that elapses between the start of twocommunication cycles is the same. Every TN milliseconds, each function

processor reads the messages received during the previous communication

cycle, and writes the messages to be sent during the next communication cycle.

3. Input / Output (1/O) Drivers: The drivers for the input and output modules

attached to a TXS function processor are executed with a cycle time

corresponding with the faster of the two FDG cycle times. This results in

acquired values (inputs) and generated signals (outputs) being updated at least

at the beginning or end of both FDG cycles.




Figure B.4-1 provides an example of the timing relative to the three processing tasks

described above. The example assumes a TXS function processor with two FDGs and

cycle times of TN = Tfg2 = 50 and Tfgl = 25.

Figure B.4-1-Example of 2 FDG Timing Principles

110

-1W1

I I I IN I N

25 50 75 100 125 150I0 t (mS)

I " DG.I . One cycle of FDG 1

One cycle of FDG 2

NW I/O

3110

3

Signals exchangedwith network drivers

and I/O drivers

Signals exchangedwith I/O drivers

FDG--E-- Signals exchangedbetween FDG

B.5 Application of Principles

B.5.1 Limiting Response Time

The exact response time of a PS function can not be calculated due to:

* The different function processors of the system operate asynchronously. This is

a desirable characteristic for a safety-related system, but it complicates the

response time determination. The time delays introduced by asynchronous




operation are not constant; for example, they may change after restarting an

individual function processor.

The load of the function processor and networks can not be calculated exactly.

Therefore, the approach followed in this methodology is to determine the worst case, or

limiting, response time for each typical function type. The limiting time delays possible

due to asynchronisms are taken into account, and full loading of function processors

and networks is assumed. This verifies that the limiting response time for each function

type is obtained.

The remainder of Section B.5 is dedicated to defining the fragments of time to be

considered in a limiting response time calculation. The following time fragments are

defined:

" Acquisition of an input signal

* Processing within one FDG

" Exchange of a signal between FDGs of the same function processor

* Exchange of a signal between different function processors over network links

" Generation of an output signal

B.5.2 Acquisition of an Input Signal (Time Fragment <1>)

Fragment <1> corresponds with the time between an input signal changing and the time

the new input value is used in FDG processing. A FDG reads input signals from the I/O

driver at the beginning of every FDG cycle. In the limiting case, the input signal

changes just after the beginning of an FDG cycle. This results in a limiting fragment

<1> time delay equal to the FDG cycle time. Figure B.5-1 shows the fragment <1 > time

delay.




Figure B.5-1-Acquisition of Input Signal

Fragment <1> time delay =Tfgx:

) Limiting fragment <1> delay

( I) Actual fragment <1> delay

I TChange of input Start of new FDG

signal occurs cycle with newinput value

B.5.3 Processing Within One FDG (Time Fragment <2>)

Fragment <2> corresponds with the time between the start of an FDG cycle with

refreshed input values, and the end of the FDG cycle when new FDG outputs are

available. The limiting fragment <2> time delay is equal to the cycle time of the FDG

itself. Figure B.5-2 shows the fragment <2> time delay.


AREVA NP Inc.

U.S. EPR Protection SystemTechnical Report

ANP- 0309NPRevision 4

Page B-9

Figure B.5-2-Processing Within One FDG

Fragment <2> time delay = Tfgx

tI/o EI/O

Actual Fragment <1> Limiting Fragment <2>

I I .L I .L I II I

Change of inputsignal occurs

TIStart of new FDG

cycle with newinput value

I TIEnd of FDG cyclewith new outputvalues available

I I t

B.5.4 Signal Exchange between FDGs within the Same Function Processor

(Time Fragment <3>)

Fragment <3> corresponds with the time between the source FDG making a signal

available, and the destination FDG being ready to accept the signal. Two cases are

possible for fragment <3> depending on the relative cycle time of the source FDG and

the destination FDG:

" If the source FDG has a slower cycle time than the destination FDG, then a cycle

of the destination FDG starts exactly at the end of the source FDG. In this case,

the limiting fragment <3> time delay is equal to zero.

* If the source FDG has a faster cycle time than the destination FDG, then one or

more cycles of the source FDG must elapse before the beginning of the next

cycle of the destination FDG. In this case, the limiting fragment <3> time delay is

equal to Tfg dest - Tfg source,




This results in an overall limiting fragment <3> time delay equal to max(0, Tfg dest - Tfg

source). Figure B.5-3 and Figure B.5-4 show the fragment <3> time delay for both cases.

Figure B.5-3-Signal Exchange from Slow FDG to Fast FDG

Fragment <3> time delay = 0 ]

FOG. 1 FDG 1 I FOG -1

t FDG EXk• l 2 ... K

I I I I I

I

TSignal Exchange

I I t

Figure B.5-4-Signal Exchange from Fast FDG to Slow FDG

I Fragment <3> time delay = Tfg dest - Tfg source I

K

S~ j'$ glV IV

I) Limiting fragment <3> delay

I

TITEnd of Signalsending .Exchange

FDG cycle




B.5.5 Signal Exchange between Function Processors over Network Link (Time

Fragment <4>)

Fragment <4> corresponds with the time between the source function processor writing

its output signals to be sent on the network, and the destination function processor

reading in those signals. Three time delays must be considered:

* If the source FDG has a cycle time faster than the network cycle time, it must

wait for the beginning of the next network cycle time. This introduces a limiting

time delay equal to max(0, TN - Tfg source) for the sending portion of message

transfer.

* The assumption is made that the full network bandwidth is used. This means

that the serial data transmission occurs during the entire network cycle time and

the last piece of information is sent just before the end of the cycle. This

introduces a limiting network transmission delay time equal to TN.

The message may arrive at the destination function processor just after the

beginning of a communication cycle. If the communication cycle time is longer

than the FDG cycle time, a limiting time delay is introduced equal to TN. If the

destination FDG cycle time is longer than the communication cycle time, it must

be considered that the message arrives just after the beginning of an FDG cycle.

This introduces a limiting time delay equal to Tfg dest. Therefore, the limiting time

delay for the receive portion of message transfer is equal to max(TN, Tfg dest).

Taking into account the three time delays involved in network communication, the

overall limiting fragment <4> time delay is equal to max(0, TN - Tfg source) + TN + max(TN,

Tfgdest). Figure B.5-5 shows the fragment <4> time delay.




Figure B.5-5-Signal Exchange over Network Link

I Fragment <4> time delay = max(TN - Tfg source, 0) + TN + max(TN, Tfg dest) I

SourceProcessor

DestinationProcessor

I TN - Tfg source _ TN ,,1 Tfg dest

I I I I

I I I

I IEnd of networktransmission

t

Signal output Beginning offrom source FDG Network Cycle of

source processor

Signal read in foruse in destination

processor

Note: In this example, TN = Tfg dest = 2Tfg source

B.5.6 Generation of an Output Signal (Time Fragment <5>)

Fragment <5> corresponds with the time between the output signals being updated, and

the completion of the hardwired logic downstream of the ALUs. Output signals are

updated at the end of every FDG. Opto-coupler modules are used to implement the

hardwired logic, and their time delay is annotated as TOUT. Figure B.5-6 shows the

limiting fragment <5> delay which is equal to TOUT.




Figure B.5-6-Distribution of Signal

Fragment <5> time delay = TOUT

hO

I/o

* V

I

TOUT

'I"/TFDG1 Hardwioutputs logicupdated compl

VTOUT

FDG2outputsupdated

IV

I jut

Hardwiredlogic

complete

red

ete

B.5.7 Signal Distribution through the SCDS (Time Fragment <6>)

Fragment <6> corresponds with the time necessary to distribute sensor input signals

through the signal conditioning and distribution system (SCDS). Outputs are sent from

the rod petitionm,,re, unit ,,,M" ) sensor or black box siqnal conditioninq

equipment and distributed through the SCDS to the APU. Output signals are updated at

the end of every FDG. Non-processor based components are used to distribute the

signal, and their time delay is denoted as TOIST. Figure B.5-7 shows the limiting

fragment <6> delay, which is equal to TDIST.


AREVA NP Inc.


ANP-10309NPRevision 4

Page B-14

Figure B.5-7-Generation of Output Signal

Fragment <6> time delay = TDIST

hO

hON

TDIST

i---)

VTDIST

S---

V

I I II T

FDG1outputs dupdated

ITSignal FDG2

istributed outputsupdated

SignalDistributed

I -t

B.5.8 Priority Module of the Priority and Actuator Control System (PACS) (Time

Fragment <7>)

Fragment <7> corresponds with the time necessary for the priority module of the PACS

to send an actuation signal upon request from the PS. The priority module of the PACS

time delay is denoted as TPACS. This time delay will be added after the generation of an

PS outDut sianal (Time Fra'ament <5>) (See Section B.5.6).

B.6 Timing Assumptions




B.6.1 Response times for typical PS functions

Given the special case of APU A3 having a different cycle time than the other APUs,

each typical implementation must be considered two ways. First a limiting response

time is calculated for each typical function assuming any APU, other than APU A3, is

used. Second, the limiting response time is calculated for each typical function

assuming that APU A3 is used.

B.6.2 Function Type 1-Typical Function Not Using APU A3




Figure B.6-1-Typical Function Not Using APU A3

B.6.3 Function Type 2-Typical Function Using APU A3

7


AREVA NP Inc.


ANP-1 0309NPRevision 4

Page B-19

1B.6 .5 Function Typc 4 Thrcc Levcl Function Using APU A33


AREVA NP Inc.

U.S. EPR Protection SystemT=rhnif-nf P= nrf

ANP-10309NPRevision 4

P=r~ = R-son

M6MB.6.4 Function Type 653-Special Case for DNBR Function


AREVA NP Inc.


ANP-1 0309NPRevision 4

Page B-21

Figure B.6-3-Special Case for DNBR Function




B.7 Appendix B References

1. NUREG-0800, Branch Technical Position 7-21, Rev. 5, "Guidance on

Digital Computer Real-Time Performance," March 2007.

document control desk - nrc.gov

Documents