ML20141L787: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot change)
(StriderTol Bot change)
 
Line 18: Line 18:


=Text=
=Text=
{{#Wiki_filter:LO-0520-69493 May 20, 2020                                                                                            Docket No. 52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738
{{#Wiki_filter:}}
 
==SUBJECT:==
Submittal of Second Updates to NuScale Power, LLC Standard Plant Design Certification Application, Revision 4
 
==REFERENCES:==
: 1. Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, Revision 4, dated January 16, 2020 (ML20036D336)
: 2. U.S Nuclear Regulatory Commission, Request for Additional Information No. 484 (eRAI No. 8930), dated May 29, 2018 (ML18149A640)
: 3. NuScale Power, LLC response to NRC Request for Additional Information No. 484 (eRAI No. 8930), dated September 14, 2018 (ML18257A308)
: 4. NuScale Power, LLC Supplemental Response to NRC "Request for Additional Information No. 484 (eRAI No. 8930)," dated July 18, 2019 (ML19199A117)
: 5. NuScale Power, LLC Supplemental Response to NRC Request for Additional Information No. 484 (eRAI No. 8930) on the NuScale Design Certification Application, dated November 27, 2019 (ML19332A120)
: 6. NuScale Letter to NRC, Submittal of Updates to NuScale Power, LLC Standard Plant Design Certification Application, dated April 1, 2020 (ML20092L899)
NuScale Power, LLC (NuScale) submitted Revision 4 of the NuScale Standard Plant Design Certification Application (DCA) on January 16, 2020 (Reference 1). Since submittal of this revision, NuScale identified the need to provide further updates to ensure conformance with the response to Request for Additional Information (RAI) 8930 (References 2, 3, 4, 5, and 6).
The purpose of this letter is to: provide updates to Revision 4 of the NuScale FSAR and NuScale DCA Part 4, Technical Specifications, that address conformance with the response to RAI 8930; provide FSAR updates for confirmatory items; and correct typographical errors related to closure time of a containment isolation valve, and number transposition in a table.
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
LO-0520-69493 Page 2 of 3 5/20/2020 The enclosed pages reflect the modifications to ECCS actuation:
Module protection system (MPS) logic changes in FSAR Chapters 3, 6, and 7; Riser flow path changes in FSAR Chapters 3 and 5; FSAR Chapter 4 and 15 design changes describing the phenomena of boron redistribution and design changes impacts to loss-of-coolant accidents; FSAR Chapter 17, Table 17.4-1 updates adding new ECCS actuation and bypass signals; FSAR Chapter 19 updates module response for consistency with ECCS actuation logic and riser modification; and Conforming changes that address FSAR Chapter 16, Technical Specifications and the Bases.
The FSAR updates for confirmatory items are:
Clarification to Table 3.9-16 notes to address ECCS testing method and frequency; Addition of leak testing to Table 3.9-17 to close confirmatory item 03.09.06-5; and Revision of Table 15.4-11 to correct an LHGR value for rod drop and single rod withdrawal events.
The following typographicals errors are corrected:
In FSAR Part 2 Tier 1 and Chapter 14, an error related to a containment isolation valve closure time; and In FSAR Part 2 Tier 2 Chapter 3, numbers transposed in table 3.11-1.
The enclosure to this letter provides errata pages incorporating these changes. With the exception of Part 4 of the NuScale DCA, header language on each change page has amendatory language identifying the page it replaces. Part 4 of the NuScale DCA is submitted in its entirety, with a cover sheet explaining that the entire part is to be replaced.
This letter makes no regulatory commitments or revisions to any existing regulatory commitments.
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
LO-0520-69493 Page 3 of 3 5/20/2020 If you have any questions, please feel free to contact Mike Melton at (240) 833-3007 or at MMelton@nuscalepower.com.
Sincerely, Zackary W. Rad Director, Regulatory Affairs NuScale Power, LLC Distribution: Gregory Cranston, NRC Prosanta Chowdhury, NRC Michael Dudek, NRC Michael Snodderly, NRC Christiana Liu, NRC Christopher Brown, NRC Marieliz Johnson, NRC Getachew Tesfaye, NRC Bruce Bavol, NRC
 
==Enclosure:==
Second Updates to NuScale Power, LLC Standard Plant Design Certification Application, Revision 4 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
LO-0520-69493
 
==Enclosure:==
 
Second Updates to NuScale Power, LLC Standard Plant Design Certification Application, Revision 4 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
This page replaces page 3.2-9 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.2, "Classification of Structures, Systems, and Components,"
of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                        Classification of Structures, Systems, and Components Table 3.2-1: Classification of Structures, Systems, and Components (Continued)
SSC (Note 1)                                                Location    SSC Classification    RTNSS Category QA Program        Augmented Design Requirements            Quality Group / Safety          Seismic Classification (A1, A2, B1, B2)        (A,B,C,D,E)  Applicability                  (Note 3)                          Classification          (Ref. RG 1.29 or RG 1.143)
(Note 2)                                                (Ref RG 1.26 or RG 1.143)              (Note 5)
(Note 4)
* Steam piping inside containment                                                                              RXB              A2                    N/A          Q        None                                                      B                              I
* Feedwater piping inside containment
* Feedwater supply nozzles
* Main steam supply nozzles
* Thermal relief valves
* Feed plenum access port covers
* Steam plenum access ports
* Steam plenum access port covers Flow restrictors                                                                                              RXB              A2                    N/A            Q      None                                                    N/A                              I RXC, Reactor Core System Fuel assembly (RXF)                                                                                            RXB              A1                    N/A            Q      None                                                    N/A                              I Fuel Assembly Guide Tube                                                                                      RXB              A2                    N/A            Q      None                                                    N/A                              I Incore Instrument Tube                                                                                        RXB              B2                  None          AQ-S      None                                                    N/A                            I CRDS, Control Rod Drive System
* Control Rod Drive Shafts                                                                                    RXB              A1                    N/A            Q      None                                                    N/A                              I
* Control Rod Drive Latch Mechanism CRDM Pressure Boundary (Latch Housing, Rod Travel Housing, Rod Travel Housing Plug)                            RXB              A2                    N/A            Q      None                                                      A                              I CRDS Cooling Water Piping and Pressure Relief Valve                                                            RXB              B2                  None          AQ-S      None                                                      B                            II Rod Position Indication (RPI) Coils                                                                            RXB              B2                  None          AQ-S      None                                                    N/A                            I
* Control Rod Drive Coils                                                                                      RXB              B2                  None          AQ-S      None                                                    N/A                            II
* CRDM power cables from EDN breaker to MPS breaker
* CRDM power cables from MPS breaker to CRDM Cabinets
* CRDM Control Cabinet                                                                                        RXB              B2                  None          AQ      None                                                    N/A                            III
* CRDM Power & Rod Position Indication Cables
* Rod Position Indication Cabinets (Train A/B)
CRA, Control Rod Assembly All components                                                                                                RXB              A2                    N/A            Q      None                                                    N/A                              I NSA, Neutron Source Assembly All components                                                                                                RXB              B2                  None          AQ-S      None                                                    N/A                            I RCS, Reactor Coolant System All components (except as listed below)                                                                        RXB              A1                    N/A            Q      None                                                      A                              I
* Reactor vessel internals (upper riser assembly (Note 7), lower riser assembly, core support assembly, flow  RXB              A1                  None          Q        None                                                    N/A                            I diverter, and pressurizer spray nozzles)
* Reactor vessel internals upper riser bellows-lateral seismic restraining structure
* Narrow Range Pressurizer Pressure Elements
* PZR/RPV Level Elements
* Narrow Range RCS Hot Leg Temperature Elements
* Wide Range RCS Hot Leg Temperature Elements
* RCS Flow Transmitters (Ultrasonic)
* Wide Range RCS Pressure Elements
* Wide Range RCS Cold Leg Temperature Elements                                                                RXB              A2                    N/A          Q        None                                                    N/A                            I Reactor vessel internals upper riser bellows-vertical expansion structure                                      RXB              B2                    N/A          AQ-S      ASME BPVC Section III Division 1 NG guidance            N/A                            II Reactor Safety Valve Position Indicator                                                                        RXB              B2                  None          AQ-S      Environmental Qualification                              N/A                              I Power from EDS
* PZR Control Cabinet                                                                                          RXB              B2                  None          AQ-S      None                                                    N/A                            II
* PZR Vapor Temperature Element
* PZR heater power cabling from MPS breaker to PZR heaters
* Pressurizer Liquid Temperature Element
* Narrow Range RCS Cold Leg Temperature Element PZR heater power cabling from ELV breaker to MPS breaker                                                      RXB              B2                  None        None      None                                                    N/A                            III Tier 2                                                                                                                                    3.2-9                                                                                                                        Revision 4
 
This page replaces page 3.9-13 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                        Mechanical Systems and Components of containment. In this transient, the RCS depressurizes through the break and the level in the pressurizer decreases. The reactor trips due to either low pressurizer pressure or level or high containment pressure, and the DHRS is actuated. The ECCS actuates on a high water level in containment or on low RCS pressure. Removal of decay heat is expected through the containment wall and peak pressure in the CNV is kept below design pressure.
Service Level C Transient 4 - Steam Generator Tube Failure The steam generator tube failure (SGTF) transient is bounded by the double-ended failure of a SG tube. The term failure is used here to include both a tube collapsing due to higher external pressure and a tube bursting due to higher inner pressure.
Multiple simultaneous SGTFs are considered beyond design basis. In this transient, the RCS blows down into the SG. A reactor trip would occur quickly due to high steam pressure, low pressurizer pressure, or low pressurizer level. Both trains of the DHRS will be actuated to remove the decay heat as normal cooldown using feedwater flow is not possible with SGTF. A SGTF incapacitates one train of the DHRS, but cooldown is still accomplished with the other train. Components within the RPV will experience a decrease in pressure when the SG tube fails and the RCS blows down to the SG. Once the MSIVs and feedwater isolation valves close and the DHRS actuates, the pressure decrease will slow to be only a function of the RCS cooldown rate. The cooldown rate is determined by the performance of the single DHRS train.
3.9.1.1.4          Service Level D Conditions Service Level D Transient 1 - Steam Piping Failures A main steam line break will cause an increase in steam flow rate and will reduce the SG inventory. A break inside containment is not postulated to occur because of leak before break detection on these lines. A break outside of containment could cause stresses on the components just outside of containment. RCS temperature and pressure briefly decrease due to the excess heat removal provided by the steam line blowdown. A break will quickly cause a reactor trip on low steam pressure or high containment pressure. Once the reactor is tripped, both trains of the DHRS will be activated. If the break compromises the water inventory inside one DHRS train, the remaining train of the DHRS will be capable of removing the decay heat from the reactor. The RSVs do not lift and there is no ECCS actuation.
Removal of decay heat is by the DHRS and peak pressure in the CNV is kept below design pressure.
Service Level D Transient 2 - Feedwater Piping Failures A feedwater line break could cover a wide range of break types. Due to the interaction of the DHRS and feedwater system, the spectrum of feedwater piping breaks includes breaks in the DHRS. A feedwater piping break inside containment is not postulated to occur because of leak-before-break detection on these lines, but a break in the DHRS condensate line inside containment is postulated. A break outside of containment could cause stresses on the nearby components. RCS temperature and pressure briefly decrease due to the excess cooling provided by Tier 2                                            3.9-13                                            Revision 4
 
This page replaces page 6.2-7 in Chapter 6, "Engineered Safety Features," Section 6.2, "Containment Systems," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                    Containment Systems In the event of a mass and energy release into CNV, a process of condensation and retention within the CNV facilitates the transfer of the energy to the UHS.
Reactor coolant released from the RPV or main steam or feedwater released from the secondary system condenses on the relatively cool inner surface of the CNV wall. The resulting condensate flows down the inner CNV wall and collects in the bottom of the CNV shell. The vapor condensation and heat removal from containment is accomplished passively by transferring the energy through the CNV wall to the reactor pool.
For releases from the RPV, the reactor coolant is condensed and collected until the condensate level within the CNV has increased to the ECCS actuation setpoint or when RCS pressure falls to the ECCS actuation setpoint. Actuation of the safety system opens the RVVs and RRVs, further depressurizing the RPV and increasing the discharge of RPV inventory to the CNV. When RPV and CNV pressures approach equilibrium and the accumulated level in the CNV shell reaches a level where sufficient driving head is available, coolant flow from the CNV is returned to the RPV through the ECCS recirculation valves for core cooling. Opening of the RVVs and RRVs establishes the CNV shell as the outer boundary of the coolant circulation flow path. This method of passive coolant circulation and heat removal is further described in Section 6.2.2.
For a secondary system mass and energy release into containment, the released steam or feedwater is captured within the CNV by closure of the CIVs. The collected inventory is condensed and retained with the heat energy transferred to the reactor pool.
The design of the CNV is consistent with the functional requirements of the ECCS and its associated acceptance criteria. Acceptable models for evaluating emergency core cooling during the postulated mass and energy releases are defined in 10 CFR 50 Appendix K.
The CNTS design provides for the isolation of process systems that penetrate the CNV. The design allows for the normal or emergency passage of fluids, vapor or gasses through the containment boundary while preserving the ability of the boundary to prevent or limit the escape of fission products in the event of postulated events. The containment isolation valves are described in Section 6.2.4.
The CNV components and appurtenances are designed to ensure pressure boundary integrity for the life of the plant when considering fatigue, corrosion and wear. The CNV components and penetrations (piping, electrical and instrumentation and controls (I&C)) are designed for and tested to harsh environment conditions (temperature, pressure, radiation, and submergence).
Refer to Chapter 3 for additional component design detail.
To ensure leak tightness and functional capability, the CNV is rigorously inspected and its appurtenances are tested to ensure that functional capability is maintained under calculated design basis conditions. The CNV is designed to support the leakage testing requirements of 10 CFR 50 Appendix J, with the exception of Type A testing as discussed in Section 3.1.5 and Section 6.2.6. Access is provided to allow for all inspections, testing, maintenance and removal of components contained Tier 2                                              6.2-7                                        Revision 4
 
This page replaces page 6.2-14 in Chapter 6, "Engineered Safety Features," Section 6.2, "Containment Systems," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                      Containment Systems
* high CNV level
* loss of normal AC power and the EDSS
* low RCS pressure The RVVs and RRVs open under the following conditions:
* If the pressure differential across the valves is greater than the IAB threshold when the ECCS signal actuates, then the valves stay closed until the pressure differential decreases to below the IAB release pressure.
* If the pressure differential across the valves has decreased to below the IAB threshold pressure when the ECCS signal actuates, then the valves open at that time.
* If the pressure differential across the valves is less than the valve opening spring force (approximately 15 psid), the valves open even without an ECCS actuation signal.
Opening of the RVVs increases the depressurization rate, and the primary system and CNV pressures approach equalization. As the pressures equalize, the break and valve flow decreases. With pressure equalization and the increase in the CNV pool level, flow through the RRVs into the reactor vessel starts to provide long-term cooling (LTC) via recirculation. This terminates the reactor vessel level decrease prior to core uncovery.
Heat transfer to the CNV wall and to the reactor pool eventually exceeds the energy addition from the break flow and the RVV flow. When this occurs, the period of peak containment pressure and temperature have been completed, and a gradual depressurization and cooling phase begins.
Sensitivity cases are performed to determine the effect of loss of power (AC or DC) scenarios, as well as postulated single failures, on the primary system mass and energy release scenarios considered by the NuScale containment response analysis methodology. The insights obtained from the results of the sensitivity cases, discussed in Reference 6.2-1, are used to determine the limiting cases for CNV pressure and temperature.
6.2.1.3.1            Mass and Energy Release Data - Primary System Release Events The maximum containment peak pressure and peak temperature scenarios are determined by conservatively modeling the mass and energy release and minimizing the performance of the containment heat removal function of containment.
Reference 6.2-1, Section 5.1 provides results of NRELAP5 analyses of the spectrum of the five primary system mass and energy release scenarios for the NPM. The limiting primary system release event (Case 5) CNV pressure results are depicted by figures contained in Reference 6.2-1, Section 5.1. Graphical results for the limiting CNV pressure, temperature and mass and energy release rates are shown in Figure 6.2-9 through Figure 6.2-14. The limiting peak pressure and temperature results are below the CNV design pressure and temperature.
6.2.1.3.2            Energy Sources - Primary System Release Events The containment response analysis methodology models available energy sources identified by 10 CFR Part 50, Appendix K, paragraph I.A, with the exception of Tier 2                                              6.2-14                                          Revision 4
 
This page replaces page 6.2-15 in Chapter 6, "Engineered Safety Features," Section 6.2, "Containment Systems," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                  Containment Systems energy associated with fuel clad metal-water reaction, since calculated cladding temperatures for design basis LOCAs remain below the threshold for cladding oxidation. Energy sources addressed in the containment response analysis analyses include
* core power initialized at 102 percent of rated thermal power (163.2 MW).
* decay heat modeled using the 1979 ANS standard decay heat model with a 1.2 multiplier.
* RCS stored energy based on conservative initial conditions of pressure, average RCS temperature and pressurizer level that consider the normal operating range including instrumentation uncertainties and deadband.
* stored energy in vessel internal structures.
* RCS piping inside containment.
* stored fuel energy.
* stored secondary energy (steam generator (SG) tubes, main steam and feedwater piping inside containment) based on conservative initial conditions of steam pressure and feedwater temperature that consider the normal operating range including instrumentation uncertainties and deadband.
6.2.1.3.3            Description of the Blowdown Model - Primary System Release Events During normal power operation (normal AC and DC power available), the primary system release scenarios start with the blowdown of the primary inventory through the pipe break or valve opening into the CNV. The reactor trips on high CNV pressure, and that causes a turbine trip along with main steam isolation and feedwater isolation. The primary system depressurizes as the CNV pressurizes, and the coolant inventory accumulates in the CNV. Steam released into the CNV condenses on the CNV inner surface that is cooled by conduction and convection to the reactor pool. When the CNV level reaches the high level setpoint or when RCS pressure falls to the ECCS actuation setpoint, the ECCS actuates. The ECCS valves subsequently open as described in Section 6.2.1.3.
The NRELAP5 primary release event model is developed from engineering information, drawings and associated reference documents to develop a thermal-hydraulic simulation model that calculates the mass and energy released from the RCS during blowdown.
The containment response analysis methodology assumes an initial power level of 1.02 times the licensed power level. The initial RCS volume and mass are consistent with that power level.
The mass and energy release determined by the containment response analysis methodology is based on the NRELAP5 computer code, and the modeling approach is very similar to the NuScale LOCA Evaluation Model that complies with the applicable portions of 10 CFR 50 Appendix K. Specific changes to the LOCA Evaluation Model required to model primary system mass release events are described by Reference 6.2-1. A discharge coefficient of 1.0 is applied to the applicable critical flow correlation. Reference 6.2-2 demonstrates the adequacy of the LOCA Evaluation Model two-phase and single phase choked and unchoked Tier 2                                              6.2-15                                      Revision 4
 
This page replaces page 6.2-61 in Chapter 6, "Engineered Safety Features," Section 6.2, "Containment Systems," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                      Containment Systems Table 6.2-2: Containment Response Analysis Results3, 4 Event Description                        Case Description                CNV Pressure      CNV Wall Temperature (psia)                  (°F)
RCS Discharge Break                      Base Case                                      705                    492 RCS Discharge Break                      Limiting Sensitivity Case Results              946                    521 RCS Injection Line Break                  Base Case                                      894                    514 RCS Injection Line Break                  Limiting Sensitivity Case Results              959                    5262 RPV High Point Vent Degasification        Base Case                                      554                    471 Line Break RPV High Point Vent Degasification        Limiting Sensitivity Case Results              901                    492 Line Break Inadvertent RVV Actuation                Base Case                                      856                    483 Inadvertent RVV Actuation                Limiting Sensitivity Case Results              911                    486 Inadvertent RRV Actuation                Base Case                                      941                    492 Inadvertent RRV Actuation                Limiting Sensitivity Case Results              9941                    515 Main Steam Line Break                    Limiting Results                              449                    433 Feedwater Line Break                      Limiting Results                              416                    408 1 Limiting NPM primary/secondary release event peak pressure, includes IAB operating range sensitivity.
2 Limiting NPM primary/secondary release event peak temperature.
3 Results reflected in this Table do not consider the impact of sensitivity studies performed to address a revised IAB operating range as discussed by Reference 6.2-1, Section 5.1.1, except as stated in Note 1 and Note 4.
4 Limiting LOCA and inadvertent valve opening cases consider ECCS actuation on CNV level, RCS pressure or IAB release, accounting for staggered ECCS valve opening.
Tier 2                                                        6.2-61                                                  Revision 4
 
This page replaces page 6.3-1 in Chapter 6, "Engineered Safety Features," Section 6.3, "Emergency Core Cooling System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Emergency Core Cooling System 6.3    Emergency Core Cooling System The emergency core cooling system (ECCS) provides core cooling during and after anticipated operational occurrences (AOOs) and postulated accidents, including loss-of-coolant accidents (LOCAs). The ECCS is an important NuScale Power Plant safety system in its safety-related response to LOCAs and as a component of both the reactor coolant and containment vessel (CNV) pressure boundaries. In conjunction with the containment heat removal function of containment, the ECCS provides core decay heat removal in the event of a loss of coolant that exceeds makeup capability.
The ECCS consists of three reactor vent valves (RVVs) mounted on the upper head of the reactor pressure vessel (RPV), two reactor recirculation valves (RRVs) mounted on the side of the RPV, and associated actuators located on the upper CNV as shown in Figure 6.3-1. All five valves are closed during normal plant operation and open to actuate the system during applicable accident conditions. The RVVs vent steam from the RPV into the CNV, where the steam condenses and liquid condensate collects in the bottom of the containment. The RRVs allow the accumulated coolant to reenter the RPV for recirculation and cooling of the reactor core. Placement of the RRV penetrations on the side of the RPV is such that when the system is actuated, the coolant level in the RPV is maintained above the core and the fuel remains covered. The cooling function of the ECCS is entirely passive, with heat conducted through the CNV wall to the reactor pool.
After actuation, the ECCS is a passive system that does not include long lengths of piping or holding tanks. The system is made up of the valves described above, which allow recirculation of the reactor coolant between the RPV and the CNV. The valves are maintained in the closed position during normal plant operation and receive an actuation signal upon predetermined event conditions (initiated by high containment level or low RCS pressure) to depressurize the RPV and allow flow of reactor coolant between the CNV and the RPV. In events that result in rapid equalization of pressure between the RCS and the CNV, such as an inadvertent RVV opening, the ECCS valves can open on low differential pressure without an ECCS actuation signal.
Reactor coolant inventory released during a LOCA event is collected and retained within the CNV which precludes the requirement to provide the makeup capacity necessary to replace coolant inventory lost to the core cooling function. The ECCS does not provide replacement or addition of inventory from an external source and does not provide a reactivity control function.
Facility design relies on passive design provisions that ensure sufficient coolant inventory is retained in the module to maintain the core covered and cooled. Makeup (addition) of reactor coolant inventory is not necessary or relied upon to protect against breaks. Reactor coolant inventory released from the reactor vessel during an in-containment unisolatable LOCA is collected and maintained within the CNV. After the ECCS valves open, the collected RCS inventory is returned to the reactor vessel by natural circulation. This return path to the vessel ensures that the core remains covered. The ECCS passively transfers water from containment to the RPV. It also transfers heat from the RCS to the reactor pool passively though the CNV wall.
Actuating the ECCS ensures that the core remains covered and that RCS temperature and pressure are reduced for all design-basis losses of coolant.
The reactor core is covered at all times during ECCS operation. The analyzed loss-of-coolant events do not result in periods of refill or reflood and the design does not include or require pumps for forced circulation. Actuation and operation of the ECCS establishes a natural Tier 2                                              6.3-1                                        Revision 4
 
This page replaces page 6.3-18 in Chapter 6, "Engineered Safety Features," Section 6.3, "Emergency Core Cooling System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Emergency Core Cooling System requirements. The applicable guidance of RG 1.79, Revision 2, is incorporated into the preoperational testing described in Section 14.2.
Preservice and inservice testing and inspection programs are described in Sections 3.9.6 and 6.6. The ECCS operational surveillance requirements are addressed in Chapter 16.
The ECCS-related Inspections, Tests, Analyses and Acceptance Criteria are addressed in Section 14.3.
6.3.5      Instrumentation Requirements The MPS provides for the control of the valves and monitoring instruments required for ECCS actuation. Post-accident monitoring information is provided in the control room through the safety display indication system and the module control system that includes ECCS valve position, containment isolation valve position, RPV riser level, RCS hot and cold temperature, pressurizer pressure, wide range RCS pressure, CNV water level, containment temperature, and containment pressure. The ECCS-related instrumentation is addressed in Section 7.2.
The ECCS is supplied with automatic actuation signals for emergency core cooling and LTOP from the ESFAS portion of the MPS, which also provides for manual actuation of the RVVs and RRVs by manual actuation switches in the main control room.
Automatic actuation signals for the ECCS are provided from independent and redundant sensors. The ECCS is automatically actuated and requires no operator action during the first 72 hours following event initiation. ECCS actuation values are listed in Table 6.3-1.
The ESFAS uses four redundant sensors (channels) to monitor ECCS-associated actuation parameters (high CNV water level) processed through MPS separation groups. The separation groups supply signals to two independent divisions of ESFAS that use two-out-of-four voting so that a single failure of an initiation signal cannot prevent a valid actuation or initiate an invalid actuation.
The actuators for the ECCS solenoid valves and ECCS valve position indications are supplied with power by the highly reliable DC power system. This power may not necessarily be available during an accident, and valve closure is not required during an accident. Position indication cabling is qualified in accordance with IEEE 323-1974 for the design conditions (temperature, humidity, submergence, pressure, radiation) of containment.
The ECCS performance monitoring is accomplished with instrumentation provided by the MPS for RPV riser and CNV water level, temperature and pressure; reactor pool temperature and level; and, valve positions for the ECCS valves, actuators, and containment isolation valves.
The MPS monitors-wide range RCS cold temperature and wide range RCS pressure parameters that provide the signal to initiate LTOP (opening of the RVVs).
Tier 2                                            6.3-18                                          Revision 4
 
This page replaces page 6.3-20 in Chapter 6, "Engineered Safety Features," Section 6.3, "Emergency Core Cooling System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                        Emergency Core Cooling System Table 6.3-1: Emergency Core Cooling System Actuation Values Parameter                                                        Value1 High CNV level actuation                                  252 inches above reactor pool floor Low RCS pressure                                                    800 psia RPV low temperature & high pressure (LTOP) actuation              The LTOP pressure setpoint is a function of the RCS cold temperature (Refer to Table 5.2-10 and Figure 5.2-4).
Note 1: Additional information for ECCS actuation values is provided in Table 7.1-4.
Tier 2                                                      6.3-20                                                Revision 4
 
This page replaces page 7.1-34 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Fundamental Design Principles reactor trip, containment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to two correct and two incorrect sensor values has no further impact. Out of the failed low signals, pressurizer level is the only signal used for nonsafety-related controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.
Failed High Signal The affected variables are pressurizer level and containment water level. Because protective actions are actuated when at least two-out-of-four separation groups demand a reactor trip or ESF actuation, a failed high signal results in a spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation.
Failed high signals received by Safety Block I are transmitted to MCS, displayed in the MCR, and used for nonsafety control functions. With the spurious actuation of a reactor trip, and CVCS isolation, the MCS response to two correct and two incorrect sensor values has a no further impact. Out of the failed high signals, pressurizer level is the only signal used for nonsafety controls; however, with CVCS isolated, MCS cannot use CVCS makeup and letdown pumps to change pressurizer level.
With Sensor Block II still capable of actuating on low-level signals (e.g.,
containment isolation on low-low pressurizer level), capability to initiate other ESFs is not lost.
Failed As-Is The affected variables are pressurizer level and containment water level. The failed as-is condition for two of the four sensors for each affected variable does not prevent the initiation of a reactor trip or ESF actuation. Sensor Block II is still capable of identifying plant conditions requiring protective actions.
Failed as-is signals do not lead to spurious initiation of protective actions. Failed as-is signals may go unnoticed until the valid signals significantly deviate from the failed signals.
Digital-Based CCF of Pressure Measuring System Function Type A digital-based CCF of pressure measuring system function type for Sensor Block I (Figure 7.1-12) causes
* spurious actuations from MPS
* incorrect information provided to SDIS
* incorrect information provided to MCS Failed Low Signal The affected variables are pressurizer pressure and wide range RCS pressure. Failed low signals in the four sensors for each affected variable can result in a spurious Tier 2                                            7.1-34                                          Revision 4
 
This page replaces page 7.1-35 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Fundamental Design Principles reactor trip, demineralized water system isolation, CVCS isolation, ECCS actuation, and secondary system isolation.
Failed low signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, demineralized water system isolation, and CVCS isolation, the MCS response to four incorrect sensor values is to turn on the pressurizer heaters, which is bounded by the spectrum of heatup event analyses described in Chapter 15.
Failed High Signal The affected variables are pressurizer pressure and wide-range RCS pressure. A failed high signal affecting the four sensors for the affected variables can result in a spurious reactor trip, CNTS isolation, DHRS actuation, demineralized water system isolation, pressurizer heater trip, and secondary system isolation.
Failed high signals received by Safety Block I and II are provided to MCS to be displayed in the MCR and to be used for nonsafety controls. With the spurious reactor trip, containment system isolation, demineralized water system isolation, and pressurizer heater trip, the MCS response to four incorrect sensor values has a no further impact. The automatic MCS response to a rise in pressure is to use pressurizer spray; however, with the closure of the containment isolation valves, pressurizer spray is unavailable.
Failed As-Is The affected variables are pressurizer pressure and wide-range RCS pressure. The failed as-is condition for the four sensors of each affected variable does not result in spurious actuations; however, it can prevent initiation of protective actions if a DBE were to occur. This failure can be considered a Type 3 failure and is discussed in Section 7.1.5.1.10 and Section 7.1.5.1.11.
Digital-Based CCF of Flow Measurement Function Type A digital-based CCF of flow measurement function type for Sensor Block I (Figure 7.1-13) causes
* spurious actuations from MPS
* incorrect information provided to SDIS
* incorrect information provided to MCS Failed Low Signal The affected variable is RCS flow. A failed low signal for the four channels results in a spurious reactor trip, demineralized water system isolation and CVCS isolation.
There is no further impact associated with a failed low signal.
Tier 2                                              7.1-35                                        Revision 4
 
This page replaces page 7.1-41 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Fundamental Design Principles
* chemical and control volume system isolation
* pressurizer heater trip
* demineralized water system isolation
* low temperature overpressure protection (LTOP)
* secondary system isolation
: 2) Potential digital-based CCF within a safety block may lead to spurious partial initiation of protective actions (Section 7.1.5.1.6). The identified scenarios are provided in Table 7.1-11.
: 3) Potential digital-based CCF of level function type within Sensor Block I or II may result in one of the following (Section 7.1.5.1.6):
* spurious reactor trip, containment isolation, CVCS isolation, demineralized water system isolation, pressurizer heater trip, and secondary system isolation
* spurious reactor trip, CVCS isolation, demineralized water system isolation, and ECCS actuation
: 4) Potential digital-based CCF of pressure measuring system function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):
* spurious reactor trip, CVCS isolation, demineralized water system isolation, ECCS actuation, and secondary system isolation
* spurious reactor trip, containment isolation, DHRS actuation, demineralized water system isolation, and secondary system isolation
* Type 3 failure for the digital-based pressure measuring system function type sensors
: 5) Potential digital-based CCF of flow function type within Sensor Block I and II may result in one of the following (Section 7.1.5.1.6):
* spurious reactor trip, demineralized water system isolation, and CVCS isolation
* Type 3 failure of flow function type sensors (See Item 6 and 7 below)
: 6) Type 3 failures of digital sensors may lead to failure of MPS to initiate protective action(s) during AOOs and postulated accidents. Table 7.1-18 identifies the digital sensors credited for AOOs and postulated accidents that were addressed with a D3 coping analysis. A failure of two of the four MPS separation groups that leads to the spurious initiation of a protection action or combination of protective actions was evaluated by the D3 coping analysis using best-estimate methods. While there are a very large number of possible actuation combinations, the analysis of these events can be simplified without addressing each possible combination specifically.
The D3 coping analysis determined that the spurious actuation of containment system isolation due to a digital-based CCF is the bounding analysis with Tier 2                                            7.1-41                                        Revision 4
 
This page replaces page 7.1-44 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Fundamental Design Principles The low RCS flow ESFAS actuation is used as a boron dilution initial condition but is not credited as part of the transient detection or mitigation. The minimum RCS flow is specified in order to generate the appropriate response time as part of the safety analysis evaluation but the change in neutron flux ultimately generates the mitigating actuations of RTS or DWS isolation. Because this is not a credited signal, this event is non-limiting.
Low Wide Range Reactor Coolant System Pressure The plant safety analyses described in Chapter 15 credit the low wide range RCS pressure ECCS actuation in the boron dilution-limiting scenario analyzed within the LOCA events. The low wide-range RCS pressure ECCS actuation signal is implemented primarily to mitigate the possibility of a boron dilution scenario as a result of a small-break LOCA. The actuation signal has interlocks on the RCS hot leg temperature and CNV pressure to prevent unnecessary ECCS actuation for non-LOCA events.
The limiting case analyzed for LOCA boron dilution is a smaller break in the LOCA break spectrum described in Chapter 15. This case has an ECCS actuation on low wide range RCS pressure. In addition, this analysis conservatively assumes that the highest worth control rod assembly is not inserted into the core and neglects negative reactivity insertion from xenon. The D3 coping analysis concluded that a best-estimate case which credits xenon reactivity and an all-rods-in condition would not require an earlier ECCS actuation on low wide range RCS pressure to mitigate a boron dilution scenario for any break size or location in the LOCA break spectrum. ECCS actuation in these cases occurs due to high CNV level or low differential pressure across the ECCS valves. Sufficient diversity exists such that ECCS is available to mitigate these small-break LOCA events.
7.1.5.3        Diversity and Defense-in-Depth Assessment Regulatory Conformance Conformance with SRM for SECY-93-087 The discussion below provides a summary of how the four-point position is either fully or partially addressed within the I&C system design.
Point 1 "The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed."
A D3 assessment of the MPS was performed. Vulnerabilities to digital-based CCFs are identified in Section 7.1.5.2. Evaluation of vulnerabilities shows that plant response to vulnerabilities is either bounded by Chapter 15 analyses or within acceptable limits.
Point 2 "In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report using best-estimate methods. The vendor or applicant shall demonstrate adequate diversity within the design for each of these events."
The D3 assessment demonstrates that there is adequate diversity within the MPS for each event that is evaluated in the accident analysis section of the Safety Analysis Report.
Tier 2                                            7.1-44                                        Revision 4
 
This page replaces page 7.1-45 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Fundamental Design Principles A D3 coping analysis was performed to address identified vulnerabilities and demonstrates adequate diversity within the design. The coping analysis described in Section 7.1.5.2 for the postulated vulnerabilities concluded that plant response to vulnerabilities is either bounded by Chapter 15 analyses or within acceptable limits.
Point 3 "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a nonsafety system if the system is of sufficient quality to perform the necessary function under the associated event conditions."
The D3 assessment demonstrates that sufficient diversity exists within the MPS to prevent a postulated digital-based CCF from disabling the capability to perform any of its safety-related functions.
The D3 coping analysis identifies different sensors not vulnerable to the same digital-based CCF that exist to mitigate the associated event conditions without requiring a separate I&C system.
Point 4 "A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in Items 1 and 3 above."
Division I and II manual control switches are provided to manually initiate at the division-level the automatic safety-related functions. Manual actuation signals are inputs to the actuation priority logic within an EIM. The actuation priority logic within the EIMs is implemented in discrete analog components and is downstream of the automatic digital portion of the safety system. The MCS, SDIS, and manual controls are sufficiently diverse that any failure does not prevent the operator from obtaining or resolving conflicting information (Section 7.1.5.1.6).
7.1.6      Safety Evaluation Conformance with 10 CFR 50 Appendix A General Design Criterion 1 The I&C systems are designed to the quality assurance program requirements as described in Section 7.1.1, Section 7.2.1, and Section 17.5.
General Design Criterion 2 The I&C systems and components required to function during natural phenomena events are located within structures that protect them against natural phenomena. See Section 7.1.1 and Section 7.2.2.
General Design Criterion 4 The I&C systems are designed for the environmental conditions that are associated with normal operation, maintenance, testing, and postulated accidents to which they may be subjected and required to function. See Section 7.1.1 and Section 7.2.2.
Tier 2                                            7.1-45                                        Revision 4
 
This page replaces page 7.1-46 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Fundamental Design Principles General Design Criterion 5 The MPS, NMS, MCS, and ICISs are not shared between NPMs. The PCS and PPS are shared between multiple NPMs and are designed to not adversely affect the ability of I&C platforms to perform safety-related functions. See Section 7.1.1 and Section 7.2.11.
General Design Criterion 10 The MPS provides the reactor trips and ESF actuations based on analytical limits with appropriate margin to ensure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of AOOs. The MPS also monitors NPM variables and provides these signals to the MCS for control and indication.
The NMS monitors and provides neutron flux levels to the MPS. See Section 7.1.1.
General Design Criterion 13 The I&C systems monitor variables and systems over their anticipated ranges for normal operations, AOOs, and accident conditions to ensure adequate safety. See Section 7.1.2, Section 7.1.4, Section 7.1.5, Section 7.2.7, and Section 7.2.13.
General Design Criterion 15 The MPS and NMS provide the appropriate controls to the NPM with sufficient margin to ensure that the design conditions of the RCPB are not exceeded during normal operations or as a result of an AOO. See Section 7.1.1.
General Design Criterion 16 The MPS initiates containment isolation and safety-related functions. In addition, MPS removes power to the secondary main steam isolation valves (MSIVs) and the main feedwater regulating valve upon DHRS actuation, providing a backup containment isolation function. See Section 7.1.1.
Principal Design Criterion 19 The I&C systems ensure the ability to control each NPM during normal and accident conditions. The NuScale MCR is designed with the ability to place the reactors in safe shutdown in the event of an MCR evacuation event, and for safe shutdown to be maintained without operator action thereafter. Prior to evacuating the MCR, operators trip the reactors, initiate decay heat removal and initiate containment isolation. These actions result in passive cooling that achieves safe shutdown of the reactors. Operators can also achieve safe shutdown of the reactors from outside the MCR in the MPS equipment rooms within the reactor building. Following shutdown and initiation of passive cooling from either the MCR or the MPS equipment rooms, the NuScale design does not rely on operator action, instrumentation, or controls outside of the MCR to maintain safe shutdown condition. The design includes an RSS for monitoring of the plant if the MCR is evacuated.
There are no displays, alarms or controls in the RSS credited to meet the requirements of principal design criterion (PDC) 19 as there is no manual control of safety-related equipment allowed from the RSS. See Section 7.1.1 and Section 7.2.13.
General Design Criterion 20 The MPS, with inputs from the NMS, senses when specified parameters are exceeded and initiates reactor trips and ESF actuations to ensure that specified fuel design limits are not exceeded as a result of AOOs, and to sense accident conditions to initiate the operation of appropriate systems and components. See Section 7.1.1 and Section 7.2.7.
Tier 2                                            7.1-46                                        Revision 4
 
This page replaces page 7.1-65 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the Tier 2 NuScale Final Safety Analysis Report Table 7.1-4: Engineered Safety Feature Actuation System Functions ESF Function                  Process Variable                Analytical Limit        Number of  Logic        System Automated Function Channels Emergency Core Cooling System High Containment Water Level 240" - 264" (elevation) (Note 3)      4        2/4    Removes Electrical Power to the trip (ECCS)                        Low WR RCS Pressure            800 psia (Note 6)                  4        2/4    solenoids of the reactor vent valves.
Low ELVS voltage 24-hour Timer 24 hours                            3        2/3 Removes electrical power to the trip solenoids of the reactor recirculation valves Decay Heat Removal System      High Pressurizer Pressure      2000 psia                          4      2/4    Removes electrical power to the trip (DHRS)                        High Narrow Range RCS Hot      610°F                              4      2/4    solenoids of the decay heat removal valves Temperature (NR RCS Thot)
High Main Steam Pressure      800 psia                            4      2/4    Removes electrical power to the trip Low AC Voltage to Battery      80% of normal ELVS voltage          4      2/4    solenoids of the of the following valves in Chargers                      Actuation Delay of 60 seconds                      the containment, main steam, and (Note 4)                                            feedwater systems:
* main steam isolation valves 7.1-65
* main steam isolation bypass valves
* secondary main steam isolation valves
* secondary main steam isolation valve NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
bypass valves
* feedwater isolation valves
* feedwater regulating valves Fundamental Design Principles Revision 4
 
This page replaces page 7.1-69 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the Table 7.1-4: Engineered Safety Feature Actuation System Functions (Continued)
Tier 2 NuScale Final Safety Analysis Report ESF Function                    Process Variable                  Analytical Limit          Number of        Logic            System Automated Function Channels Pressurizer Heater Trip          Low Pressurizer Level            35%                                  4            2/4      Removes electrical power to the PZR High Pressurizer Pressure        2000 psia                            4            2/4      heaters High Narrow Range RCS Hot        610°F                                4            2/4 Temperature (NR RCS Thot)
High Main Steam Pressure          800 psia                                    4          2/4 Low AC Voltage to Battery        80% of normal ELVS voltage                  4          2/4 Chargers                          Actuation Delay of 60 seconds (Note 4)
Low Temperature Overpressure Low Temperature Interlock with Variable based on WR RCS cold                      4          2/4      Removes electrical power to the trip Protection (LTOP)                  High Pressure (WR RCS cold      temperature and WR RCS                                            solenoids of the reactor vent valves temperature and WR RCS          Pressure as listed in Table 5.2-10 Pressure)
Note 1: If RCS hot temperature is  600°F.
Note 2: If RCS hot temperature is < 600&deg;F.
Note 3: Automatically bypassed when RCS temperature is below the T-3 interlock and pressurizer level is above the L-2 interlock. Containment vessel water level are 7.1-69 presented in terms of elevation where reference zero is the bottom of the reactor pool. The analytical limit ranges allow +/-12" from the nominal ECCS containment water level setpoint.
Note 4: Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system.
Note 5: FSAR Section 9.3.4 describes "demineralized water supply isolation valves" as part of the CVCS system.
NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
Note 6: Automatically bypassed when Thot < 475&deg;F (T-6 interlock) or if containment pressure is less than < 1 psia (P-1 interlock).
Fundamental Design Principles Revision 4
 
This page replaces page 7.1-72 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                          Fundamental Design Principles Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)
Interlock/    Condition for Interlock/Permissive/                                Function Permissive/                  Override Override T-3 Interlock      Wide Range RCS Hot Temperature          Automatically establishes an operating bypass of the following:
Interlock:
* Secondary system isolation actuation on High Narrow Range Containment Pressure Interlock established when at least 3 of Containment system isolation actuation on High Narrow 4 Wide Range RCS Hot Temperature          Range Containment Pressure channels < 350&deg; F
* Chemical and volume control system isolation actuation on High Narrow Range Containment Pressure trip Operating bypasses are automatically removed when interlock condition is no longer satisfied.
T-4 Interlock      Narrow Range RCS Hot Temperature        Automatically establishes an operating bypass of the following:
Interlock:
* Reactor Trip on Low Pressurizer Pressure
* Demineralized water system isolation on Low Pressurizer Interlock established when at least 3 of Pressure 4 Narrow Range RCS Hot Temperature channels <600&deg; F                        Operating bypasses are automatically removed when interlock condition is no longer satisfied.
T-5 Interlock    Wide Range RCS Hot Temperature T-5 Automatically establishes an operating bypass of the following:
interlock:
* Secondary system isolation actuation on Low Low Pressurizer Pressure Interlock established when least 3 of 4
* Demineralized  water system isolation actuation that occurs Wide Range RCS Hot Temperature            coincident  with an automatic reactor trip signal.
channels are less than 420&deg;F AND RT-1
* Chemical and volume control system isolation actuation on is active.                                Low Low Pressurizer Pressure.
T-6 Interlock    Narrow Range RCS Hot Temperature        Automatically establishes a bypass of the Low RCS Pressure -
T-6 Interlock:                          ECCS actuation signal during normal cooldown conditions when Narrow Range RCS Hot Temperature is < 475&deg;F.
Interlock established when at least 3 of 4 Narrow Range RCS Hot Temperature This bypass is automatically removed when the interlock channels are less than 475&deg;F.            condition is no longer satisfied.
L-1 Interlock      Containment Water Level Interlock:      Automatically establishes operating bypass of the following:
* Secondary system isolation actuation on Low Low Pressurizer Interlock established when at least 3 of Level 4 Containment Level Channels > 45
* Secondary system isolation actuation on Low Low Main AND RT-1 is active                        Steam Pressure
* Secondary system isolation actuation on Low Main Steam Superheat
* Secondary system isolation actuation on High Narrow Range Containment Pressure
* Containment system isolation actuation on Low Low Pressurizer Level
* Chemical and volume control system isolation actuation on Low Low Pressurizer Level Operating bypasses are automatically removed when interlock condition is no longer satisfied.
Tier 2                                                    7.1-72                                                Revision 4
 
This page replaces page 7.1-73 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                          Fundamental Design Principles Table 7.1-5: Module Protection System Interlocks / Permissives / Overrides (Continued)
Interlock/    Condition for Interlock/Permissive/                                Function Permissive/                    Override Override L-2 Interlock      Pressurizer Level Interlock, L2:        Automatically establishes operating bypass of the ECCS actuation on high containment water level.
Interlock established when 3 of 4 Pressurizer Level channels are greater than 20% AND T-3 interlock is active.
F-1 Interlock      RCS Flow Interlock:                      Automatically establishes operating bypass of CVCS isolation on Low Low RCS Flow.
Interlock established after a set time delay when at least 3 of 4 RCS Flow      Operating bypasses are automatically removed when interlock Channels  0.0 ft3/sec and RT-1 has      condition is no longer satisfied.
been established O-1 Override      Containment System Isolation Override    Override allows manual control of the CFDS, RCS injection, and Function:                                pressurizer spray containment isolation valves if an automatic containment system isolation or a CVCS isolation actuation signal is present with the exception of the High Pressurizer Override established when manual Level CVCS isolation actuation signal.
override switch is active and RT-1 permissive is established The Override switch must be manually taken out of Override when the Override, O-1, is no longer needed.
P-1 Interlock      Containment Pressure Interlock          Automatically establishes an operating bypass of the Low RCS Function:                                Pressure - ECCS actuation signal to prevent inadvertent ECCS actuation during normal operation.
Interlock established when at least 3 of 4 Narrow Range Containment Pressure The operating bypass is automatically removed when the channels indicate less than 1.0 psia. interlock condition is no longer satisfied.
Tier 2                                                    7.1-73                                                  Revision 4
 
This page replaces page 7.1-74 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Fundamental Design Principles Table 7.1-6: Design Basis Event Actuation Delays Assumed in the Plant Safety Analysis Signal                                    Sensor                                Actuation Delay High Power Range Linear Power            Power Range Neutron Flux              2.0s SR and IR Log Power Rate                  SR & IR Neutron Flux                  Variable High Power Range Rate                    Power Range Neutron Flux              2.0s High Source Range Count Rate              Source Range Neutron Flux            3.0s High Subcritical Multiplication          Source Range Neutron Flux            150.0s High Narrow Range RCS Hot Temperature    Riser Outlet Temperature              8.0s High Narrow Containment Pressure          Containment Pressure                  2.0s High Pressurizer Pressure                Pressurizer Pressure                  2.0s High Pressurizer Level                    Pressurizer Level                    3.0s Low Pressurizer Pressure                  Pressurizer Pressure                  2.0s Low Low Pressurizer Pressure              Pressurizer Pressure                  2.0s Low Pressurizer Level                    Pressurizer Level                    3.0s Low Low Pressurizer Level                Pressurizer Level                    3.0s Low RCS Pressure                          Wide Range RCS Pressure              2.0s Low Main Steam Pressure                  Main Steam Pressure                  2.0s Low Low Main Steam Pressure              Main Steam Pressure                  2.0s High Main Steam Pressure                  Main Steam Pressure                  2.0s Low Main Steam Superheat                  Main Steam Pressure & Temperature    8.0s High Main Steam Superheat                Main Steam Pressure & Temperature    8.0s Low RCS Flow                              RCS Flow                              6.0s Low Low RCS Flow                          RCS Flow                              6.0s High Containment Water Level              Containment Level                    3.0s Low AC Voltage to the Battery Chargers    AC Voltage                            60.0s High Under-the-Bioshield Temperature      Under-the-Bioshield Temperature      8.0s Tier 2                                            7.1-74                                        Revision 4
 
This page replaces page 7.1-91 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences Tier 2 NuScale Final Safety Analysis Report and Postulated Accidents (Continued)
Design Basis Event          Typical Signals Credited in Plant        Signals Credited in D3 Best-                                Comments Safety Analysis Described in            Estimate Coping Analysis Chapter 15 System Malfunction that          high PZR level (digital-based) (note 1) high PZR level (digital-based)      Sensor diversity ensures performance of required safety Increases Reactor Coolant        high PZR pressure (digital-based)      (note 1)                            function is satisfied. FPGA technology diversity within the MPS Inventory                                                              high PZR pressure (digital-based)    limits digital-based CCF impact to one of two divisions - the high main steam pressure (note 3)                              other division remains fully functional.
high CNV pressure high main steam pressure Feedwater System Pipe Breaks    high PZR pressure (digital-based)      high PZR pressure (digital-based)    Sensor diversity ensures performance of required safety Outside of Containment          high main steam superheat              (note 3)                              function is satisfied. FPGA technology diversity within the MPS high main steam superheat            limits digital-based CCF impact to one of two divisions - the low main steam pressure other division remains fully functional.
high main steam pressure              low main steam pressure high RCS hot temperature              high RCS hot temperature Steam Generator Tube Failure    low PZR level (digital-based) (note 1) low PZR level (digital-based) (note  Sensor diversity ensures performance of required safety 7.1-91 high PZR pressure (digital-based)      1)                                    function is satisfied. FPGA technology diversity within the MPS low PZR pressure (digital-based)      limits digital-based CCF impact to one of two divisions - the high main steam pressure (note 3)                              other division remains fully functional.
low PZR pressure (digital-based)
NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
high main steam pressure low main steam superheat Loss-of-Coolant Accidents from high PZR pressure (digital-based)        high CNV level (digital-based)        Diverse sensors not subject to a digital-based CCF provide a Spectrum of Postulated Piping high CNV level (digital-based) (note 1) (note 1)                              required protection. FPGA technology diversity within the MPS Breaks inside CNV              high CNV pressure                      high CNV pressure                    limits digital-based CCF impact to one of two divisions - the low PZR level (digital-based) (note 1)                                        other division remains fully functional.
low wide-range RCS pressure (digital-based) (note 4)
Fundamental Design Principles Revision 4
 
This page replaces page 7.1-92 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences Tier 2 NuScale Final Safety Analysis Report and Postulated Accidents (Continued)
Design Basis Event          Typical Signals Credited in Plant        Signals Credited in D3 Best-                                Comments Safety Analysis Described in            Estimate Coping Analysis Chapter 15 Category 4 Events For the design basis events listed below, while the deterministic plant safety analyses described in Chapter 15 credit the function provided by the digital-based sensors that are subject to a CCF; however, the evaluation of the plant response for these events using best-estimate analysis methods determined that the plant response does not progress to the point where the digital-based sensor is relied upon to provide required protection. In these events, other sensors that do not use digital-based technology and are not subject to a digital-based CCF provide the required safety function and the FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function (note 2).
Control Rod Misoperation          high power range linear power          high power range linear power        Diverse sensors not subject to a digital-based CCF provide high RCS hot temperature                high RCS hot temperature            required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the high PZR pressure (digital-based)      high power rate other division remains fully functional.
high power rate Inadvertent Operation of          high CNV pressure                      high CNV pressure                    Diverse sensors not subject to a digital-based CCF provide Emergency Core Cooling System high CNV level (digital-based) (note 1) high CNV level (digital-based)            required protection. FPGA technology diversity within the MPS (ECCS)                                                                    (note 1)                            limits digital-based CCF impact to one of two divisions - the 7.1-92 other division remains fully functional.
Instability Events                high RCS hot temperature                high RCS hot temperature            Diverse sensors not subject to a digital-based CCF provide low PZR level (digital-based) (note 1) low PZR level (digital-based)        required protection. FPGA technology diversity within the MPS NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
(note 1)                            limits digital-based CCF impact to one of two divisions - the low PZR pressure (digital-based) other division remains fully functional.
Increase in Steam Flow            high power range linear power          high power range linear power        Diverse sensors not subject to a digital-based CCF provide high RCS hot temperature                low main steam pressure              required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the high main steam superheat other division remains fully functional.
high PZR pressure (digital-based) low main steam pressure Fundamental Design Principles Inadvertent Opening of Main      high RCS hot temperature              low main steam pressure              Diverse sensors not subject to a digital-based CCF provide Steam Safety Valve                high main steam superheat              high power range linear power        required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the high PZR pressure (digital-based) other division remains fully functional.
high power range linear power low main steam pressure Closure of Main Steam Isolation high main steam pressure                high main steam pressure            Diverse sensors not subject to a digital-based CCF provide Revision 4 Valve                          high PZR pressure (digital-based)                                            required protection. FPGA technology diversity within the MPS limits digital-based CCF impact to one of two divisions - the other division remains fully functional.
 
This page replaces page 7.1-93 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the Table 7.1-18: Digital Sensors Credited for Mitigating Anticipated Operational Occurrences Tier 2 NuScale Final Safety Analysis Report and Postulated Accidents (Continued)
Design Basis Event            Typical Signals Credited in Plant        Signals Credited in D3 Best-                                Comments Safety Analysis Described in            Estimate Coping Analysis Chapter 15 Steam System Piping Failures      high power range linear power          high power range linear power        Diverse sensors not subject to a digital-based CCF provide Outside of Containment            low main steam pressure                low main steam pressure              required protection. FPGA technology diversity within the MPS high PZR pressure (digital-based)                                            limits digital-based CCF impact to one of two divisions - the high RCS hot temperature                                                      other division remains fully functional.
high main steam superheat low main steam superheat Spectrum of Rod Ejection          high power range linear power            high power range linear power          Diverse sensors not subject to a digital-based CCF provide Accidents                          high power range positive rate          high power range positive rate        required protection. FPGA technology diversity within the MPS high PZR pressure (digital-based)                                              limits digital-based CCF impact to one of two divisions - the high RCS hot temperature                                                      other division remains fully functional.
Note 1: The digital-based level measurement function incorporates equipment diversity between sensor blocks I and II such that a postulated CCF of the digital-based level measurement function is limited to one sensor block only. Since the other sensor block remains functional, sufficient diversity exists for those functions that rely on the digital-based level measurement function, see Section 7.1.5.1.2.
7.1-93 Note 2: The design basis for the digital-based RCS flow sensors in the plant safety analysis described in Section 15.4.6 is to ensure minimum RCS flow rates exist during dilution events to ensure proper mixing within the RCS; therefore, the RCS flow sensors are not included in Table 7.1-18 as they are not relied upon for detection or mitigation of AOOs or postulated accidents as described in Section 7.1.5.2. The plant safety analysis credits the high subcritical multiplication protective function for detection and mitigation of an uncontrolled RCS dilution. Best-estimate analysis of this event concludes the event is non-limiting and does not rely on the digital-based RCS flow sensor to function. The NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
consequences of RCS flow stagnation or reversal during low power conditions are addressed in NuScale Power, LLC topical report, Non-Loss-of-Coolant Accident Analysis Methodology, TR-0516-49416. The FPGA technology diversity in the MPS divisions ensures a digital-based CCF does not prevent the MPS from performing its required safety function.
Note 3: Reactor module conditions that reach the pressurizer high or low pressure signal may occur in the best estimate transient progression but actuations from this process condition are not credited in the D3 coping analysis.
Note 4: Reactor module conditions that reach the low wide range RCS pressure ECCS actuation signal may occur in the best estimate transient progression but actuation from this process condition is not credited in the D3 coping analysis.
Fundamental Design Principles Revision 4
 
This page replaces page 7.1-105 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                                                                                                                                                                    Fundamental Design Principles Figure 7.1-1f: Reactor Coolant System Hot Temperature Trip, Temperature Interlocks HIGH NARROW RANGE RCS HOT TEMPERATURE T-2                                                          T-3                                                          T-4                                                    T-5 HIGH UNDER-THE-BIOSHIELD TEMPERATURE                                                                                                                                                              NR RCS HOT TEMPERATURE                                                                                        T-6 WR RCS HOT TEMPERATURE                                      WR RCS HOT TEMPERATURE                                                                                                WR RCS HOT TEMPERATURE                      NR RCS HOT TEMPERATURE RCS THOT 1        RCS THOT 2      RCS THOT 3 TEMPERATURE      TEMPERATURE      TEMPERATURE A        B      C      D A      B        C      D                                A      B        C      D                                      A        B      C        D                          A      B        C      D                    A      B      C      D TS      TS      TS      TS    (NOTE 2)
AVG                                                                                                                                    TS      TS        TS    TS      (NOTE 2)                TS      TS        TS    TS    (NOTE 2)                        TS      TS      TS      TS    (NOTE 2)            TS      TS        TS    TS                    TS    TS      TS    TS    (NOTE 2)
(NOTE 2)
TYPICAL RCS THOT AVERAGE                                                                                                                                                ESFAS REACTOR Thavg                                                      A        A        A      A                                                                                                                                                                        I        I      I        I CALCULATION                                                                                                          I      I        I      I                TRIPPED      I        I        I      I                                                                                          I      I        I      I                    I      I        I    I INTERLOCK RT-1 A            B      C        D TS      TS      TS      TS      (NOTE 2) 2/4                                    2/4                                              2/4                                                      2/4                                                  2/4                2/4                                        2/4                                          2/4 A        A      A        A ESFAS RT-1 2/4                2/4                                                                                                                                                                                                                                      ESFAS      RTS                                                          ESFAS                                ESFAS                                      ESFAS P                        P                                              P                                    P                                            P T-3        T-4                                                          T-4                                  T-5                                        T-6 F                                      F ESFAS P
T-2 F                                                                                                                                          ESFAS ESFAS                                              RTS                                                                                        ESFAS                                        ESFAS RTS                                    ESFAS                                                                                                                                                                                ESFAS DIVISION I DIVISION I                                                                                                            DIVISION I                                        DIVISION I                                          DIVISION I                                DIVISION I                                  DIVISION I DIVISION I              (NOTE 1)
(NOTE 1)                                                                                                              (NOTE 1)                                            (NOTE 1)                                          (NOTE 1)                                  (NOTE 1)                                    (NOTE 1)
(NOTE 1)
F ESFAS          REACTOR TRIP    DEMINERALIZED    CONTAINMENT CHEMICAL            SECONDARY T-2                                                                                                        RTS              ESFAS                                                                                    ESFAS RTS                                                                                                              WATER SYSTEM        SYSTEM      AND VOLUME        SYSTEM DIVISION I                                                                                                  INTERLOCK                                                                                                                                                                                                                    T-6 DIVISION I                                                                                                          ISOLATION      ISOLATION CONTROL SYSTEM      ISOLATION                                                                                                                                T-4              T-4 (NOTE 1)                                                                                                                                                                                                                                                                                                                            INTERLOCK ACTUATION    ISOLATION                                                                                                                                              INTERLOCK          INTERLOCK (NOTE 1)
ESFAS      NR RCS HOT TEMPERATURE P
T-6      INTERLOCK STATUS ESFAS      WR RCS HOT TEMPERATURE                                                                            ESFAS        NR RCS HOT TEMPERATURE P                                                                                                            P                                                                                ESFAS                                    3oo4 NR RCS HOT INPUTS REACTOR TRIP      SECONDARY        DEMINERALIZED                                                                                                                        T-2      INTERLOCK STATUS                                        T-3                                        T-4        INTERLOCK STATUS                                                                            ACTIVE DECAY HEAT        PRESSURIZER                                                                                                                                                                                                                                                                                                                    < T-6 SETPOINT SYSTEM          WATER SYSTEM REMOVAL SYSTEM                                                                                                                                                                          INTERLOCK                                                                                                              T-5 HEATER TRIP                                                                                              3oo4 THOT INPUTS < T-2 SETPOINT ISOLATION          ISOLATION                                                                                                                        ACTIVE                                                                                                        ACTIVE        3oo4 THOT INPUTS < T-4 SETPOINT                          INTERLOCK                                    2oo4 NR RCS HOT INPUTS ACTUATION                                                                                                                  AND REACTOR TRIPPED NOT ACTIVE  T-6 SETPOINT NOT ACTIVE    2oo4 THOT INPUTS  T-2 SETPOINT                                                                NOT ACTIVE      2oo4 THOT INPUTS  T-4 SETPOINT OR REACTOR NOT TRIPPED ESFAS      WR RCS HOT TEMPERATURE                                                                                ESFAS      WR RCS HOT TEMPERATURE P                                                                                                                    P T-3      INTERLOCK STATUS                                                                                        T-5      INTERLOCK STATUS NOTE 1:    LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.
ACTIVE      3oo4 THOT INPUTS < T-3 SETPOINT                                                                        ACTIVE      3oo4 THOT INPUTS < T-5 SETPOINT NOTE 2:    THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.
NOT ACTIVE    2oo4 THOT INPUTS  T-3 SETPOINT                                                                      NOT ACTIVE    2oo4 THOT INPUTS  T-5 SETPOINT Tier 2                                                                                                                                                                                                                      7.1-105                                                                                                                                                                                                  Revision 4
 
This page replaces page 7.1-106 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                                                                                                                                                                Fundamental Design Principles Figure 7.1-1g: Pressurizer Level Interlock and Trip, High Containment Pressure, and High Containment Level Trips L-1 CONTAINMENT WATER LEVEL INTERLOCK                                        LOW LOW PRESSURIZER LEVEL                                                            L-2 HIGH NARROW RANGE                                                                                        P-1                                        HIGH CONTAINMENT PRESSURIZER LEVEL INTERLOCK CONTAINMENT PRESSURE                                                                                NR CNT PRESSURE                                      WATER LEVEL A        B      C      D                                                                      A      B      C      D                          A      B        C        D                                                          A    B      C        D                                              A        B      C      D                                            A        B      C        D PS        PS      PS      PS                                                                    PS      PS      PS    PS                          LS      LS        LS      LS                                                        NS  NS      NS      NS    (NOTE 2)                                LS      LS      LS    LS    (NOTE 2)                              LS      LS      LS      LS    (NOTE 2)
(NOTE 2)                                                                                    (NOTE 2)                                                (NOTE 2)
ESFAS ESFAS T-3        ESFAS L-1                                                                                                    ESFAS L-2      ESFAS T-3      RT-1                                                                                                                          ESFAS T-2      ESFAS L-1 A          A        A      A                                                                    I        I      I      I                                                                                                              I                                              REACTOR TRIPPED      A        A        A      A                                          I        I        I      I INTERLOCK      INTERLOCK    INTERLOCK              I      I      I                                                                                      INTERLOCK      INTERLOCK INTERLOCK        INTERLOCK                                                                                                                                                                                                  INTERLOCK RT-1 A      A        A        A 2/4                            2/4                                                                                2/4                                                2/4                                                                    2/4                            2/4                                                2/4                                                                  2/4 ESFAS T-3        ESFAS L-1 ESFAS L-2 ESFAS T-2 ESFAS T-3 ESFAS L-1 ESFAS RT-1 ESFAS P
P-1 F
ESFAS                                                                                                                        ESFAS P                                                                                                                              P RTS                                                              L-1                                                                                                                          L-2 P
L-1                                                                                                                  F F
F F                                                                                                                                                                                                                ESFAS RTS                                                                                                                ESFAS                                                                  ESFAS                                                                                                                                                          ESFAS                                                ESFAS ESFAS                                                                                                                                  RTS DIVISION I              F                                                                                                                                                                    DIVISION I                                                                            DIVISION I                                                              DIVISION I                                          DIVISION I DIVISION I                                DIVISION I                                                                                DIVISION I (NOTE 1)                                                                                                                                                                                  (NOTE 1)                                                                              (NOTE 1)                                                                (NOTE 1)                                              (NOTE 1)
(NOTE 1)                                  (NOTE 1)                                                                                  (NOTE 1)
ESFAS                                          EMERGENCY CORE                                                                                                                              CHEMICAL        CONTAINMENT        SECONDARY DEMINERALIZED      CONTAINMENT CHEMICAL AND                                                                                                                                                                            RTS L-1                          L-1 INTERLOCK REACTOR TRIP                                                                    SECONDARY                              P-1                                            COOLING SYSTEM                                                                                                                            AND VOLUME          SYSTEM            SYSTEM                                        L-2 INTERLOCK WATER SYSTEM          SYSTEM        VOLUME                                                                                                                                                                      PERMISSIVE/                          (THIS SHEET)
SYSTEM                          INTERLOCK                                              ACTUATION                                                                                                                          CONTROL SYSTEM        ISOLATION        ISOLATION ISOLATION          ISOLATION      CONTROL                                                                                                                                                                        INTERLOCK ISOLATION                                                                                                                                                                                                                      ISOLATION          ACTUATION ACTUATION        SYSTEM ISOLATION ESFAS                                                                                                                                                                                                                ESFAS P                NR CNT PRESSURE INTERLOCK STATUS                                                                                                                                                              P                        LOW LOW PRESSURIZER LEVEL TRIP STATUS P-1                                                                ESFAS                                                                                                                                            L-1 ESFAS                                                                                                                                                              HIGH CONTAINMENT WATER LEVEL                                          CONTAINMENT WATER LEVEL P                        HIGH CONTAINMENT PRESSURE TRIP STATUS                                                                                        P        T-3 AND L-2                                                RTS L-1 AND ESFAS L-1 L-1                                                                              ACTIVE    3oo4 NR CNT PRESS INPUTS < P-1 SETPOINT                                TRIP STATUS                            P                                                                                      > L-1 SETPOINT          AUTOMATIC BYPASS INTERLOCK STATUS                                                                                                            ESFAS P                  PRESSURIZER LEVEL INTERLOCK STATUS
                    > L-1 SETPOINT          AUTOMATIC BYPASS                                                        2oo4 NR CNT PRESS INPUTS  P-1 SETPOINT            < T-3 AND > L-2      AUTOMATIC BYPASS                                                  3oo4 LEVEL INPUTS > L-1 SETPOINT                          L-1 SETPOINT                                                        L-2 NOT ACTIVE                                                                                                                          ACTIVE                                                                                                AUTOMATICALLY ENABLED L-1 SETPOINT                                                                                                                                          T-3 OR  L-2                                                                          AND REACTOR TRIPPED AUTOMATICALLY ENABLED                                                                                                                              AUTOMATICALLY ENABLED                                                                                                                                                                              ACTIVE      3oo4 LEVEL INPUTS > L-2 SETPOINT NOT ACTIVE                2oo4 THOT INPUTS  L-1 SETPOINT                              ESFAS P                        LOW LOW PRESSURIZER LEVEL TRIP STATUS ESFAS                                                                                                                                                                                                                                    OR REACTOR NOT TRIPPED                                        T-2 HIGH CONTAINMENT PRESSURE TRIP STATUS                                                                                                                                                                                                                                                                                                                    NOT ACTIVE    2oo4 THOT INPUTS  L-2 SETPOINT P
T-3                                                                                                                                                                                                                                                                                              < T-2 SETPOINT          AUTOMATIC BYPASS
                    < T-3 SETPOINT          AUTOMATIC BYPASS                                                                                                                                                                                                                                                                T-2 SETPOINT        AUTOMATICALLY ENABLED T-3 SETPOINT        AUTOMATICALLY ENABLED NOTE 1:    LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.
NOTE 2:    THERE IS A TRIP/BYPASS SWITCH FOR EACH SFM THAT HAS A SAFETY FUNCTION THAT SUPPORTS REMOVING THE SFM FROM SERVICE.
Tier 2                                                                                                                                                                                                                  7.1-106                                                                                                                                                                                                    Revision 4
 
This page replaces page 7.1-113 in Chapter 7, "Instrumentation and Controls," Section 7.1, "Fundamental Design Principles," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                                                                                                  Fundamental Design Principles Figure 7.1-1n: ESFAS Emergency Core Cooling System Actuation, Low Temperature Overpressure Protection Actuation WR RCS COLD TEMPERATURE (NOTE 5)    f(x)
T-1                                    HIGH CONTAINMENT                                            P-1                      T-6 WR RCS PRESSURE                                                                                                      WATER LEVEL                                        NR CNT PRESSURE      NR RCS HOT TEMPERATURE                                              MCR ISOLATION (NOTE 6)
TYPICAL LTOP                                                                                          WR RCS COLD TEMPERATURE                                                        LOW WR RCS PRESS (NOTE 7)
SETPOINT                                                                                                                                                                                                                                                      EMERGENCY CORE COOLING SYSTEM ACTUATION LTOP              LTOP          LTOP CALCULATION            A                B            C            D                        A                B                            D SP                SP                                                                        C SP                                                                                                                    A      B    C      D PS              PS            PS            PS                      TS              TS            TS            TS                                          PS    PS    PS    PS                                                                      HS LTOP SP                                                                                                                                                                                                                                                      ACTUATE                        (NOTE 2) f(x)            f(x)            f(x)          f(x)                                                                              I            A I    I      I    I A                        A A                                                      A                              I                        I I                                                          I 2/4                                                                  2/4 2/4 I          A T-1                                ESFAS P      T-1 (NOTE 4)
I          A LTOP ACTUATION ESFAS        WR RCS COLD TEMPERATURE ACTUATE                                            P (NOTE 2)      HS                                                                  T-1        INTERLOCK STATUS ACTIVE      3oo4 TCOLD INPUTS > T-1 SETPOINT NOT ACTIVE    2oo4 TCOLD INPUTS  T-1 SETPOINT MCR ISOLATION        (NOTE 6)
I        A LTOP AUTOMATIC ACTUATION (A)                  ECCS AUTOMATIC ACTUATION (A)
I        A LTOP MANUAL ACTUATION (M)        (NOTE 3)                                                                                            ECCS MANUAL ACTUATION (M)        (NOTE 3)
(M)      (A)  (M)                                                                                                                        (A)      (M)
OPEN                                                                                                                                    OPEN ECCS REACTOR                                                                                                                            ECCS REACTOR VENT VALVE                                                                                                                          RECIRCULATION VALVE NOTE 1: LOGIC IS SHOWN FOR DIVISION I ONLY. LOGIC FOR DIVISION II IS THE SAME AS DIVISION I.
NOTE 2:    TWO SWITCHES, ONE PER ESFAS DIVISION.
NOTE 3:    MANUAL ACTUATE INITIATES LTOP ACTUATION AND EMERGENCY CORE COOLING SYSTEM ACTUATION AT THE DIVISION LEVEL THROUGH THE EIM APL LOGIC.
NOTE 4:    LOW TEMPERATURE INTERLOCK T-1: AUTOMATIC BLOCK ABOVE T-1; AUTOMATIC LTOP ENABLE BELOW T-1.
NOTE 5:    LTOP SETPOINT (SP) IS CALCULATED BASED ON WR RCS COLD TEMPERATURE. LTOP ACTUATION OCCURS WHEN 2/4 WR RCS PRESSURE INPUTS INCREASE ABOVE THE LTOP SP. (REFERENCE 3)
NOTE 6:    TWO MANUAL ACTUATION ISOLATION SIGNALS, ONE PER RTS/ESFAS DIVISION.
NOTE 7:    IF NR CONTAINMENT PRESSURE INTERLOCK P-1 IS ACTIVE OR NR RCS THOT INTERLOCK T-6 IS ACTIVE, THEN A BYPASS IS ACTIVE FOR ECCS ACTUATION ON LOW RCS PRESSURE.
Tier 2                                                                                                                                                                                          7.1-113                                                                                                                                                Revision 4
 
This page replaces page 3.9-47 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                      Mechanical Systems and Components design basis when analyses demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping. The only RCS structures and components that require protection against the effects of pipe whipping and discharge fluids are those that are in the proximity of high and moderate energy piping between the RPV and the CNV. Additionally, the leak-before-break methodology is applied as described in Section 3.6
* GDC 10, as it relates to reactor internals; reactor internals are designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of AOOs. For further details on compliance, see Section 3.1.2 3.9.5.1        Design Arrangements Figure 3.9-1 through Figure 3.9-4 show the RVI subassemblies with components that comprise the RVI.
The overall RVI assembly is depicted in Figure 3.9-1. (Note the SG tube bundles which reside in the annulus between the upper riser assembly and the RPV upper shell are not depicted in this figure). The CSA is located near the bottom of the RPV, below the RPV flange. Above the CSA are the lower riser assembly and upper riser assembly. During disassembly, the CSA and lower riser assembly stay with the lower NPM and the upper riser assembly stays attached to the upper NPM. Each of the RVI sub-assemblies is described in more detail below.
The CSA includes the core barrel, core support blocks, upper support blocks, lower core plate, lower shared fuel pins and nuts, and reflector blocks (Figure 3.9-4), as well as the RPV surveillance specimen capsule holder and capsules (not shown in Figure 3.9-4).
The core barrel is a continuous ring with no welds. The upper support blocks, which are welded to the core barrel, serve to center the core barrel in the lower RPV. In addition, one of the upper support blocks engages a core barrel guide feature on the lower RPV to provide circumferential positioning of the core barrel as it is lowered into the lower RPV. The lower core plate, which is welded to the bottom of the core barrel serves to support and align the bottom end of the fuel assemblies. The lower core support blocks are located on the RPV bottom head.
The reflector blocks contain no welds. The reflector blocks are aligned by reflector block alignment pins and stacked on the lower core plate inside the core barrel. The shape of the reflector block assembly closely conforms to the shape of the peripheral fuel assemblies and thereby constrains lateral movement of the fuel assemblies and minimizes the reactor coolant flow that bypasses the fuel assemblies.
Surveillance specimen capsule holders are welded to the outer surface of the core barrel at about the mid height of the CSA.
A flow diverter is attached to the RPV bottom head, under the CSA, as shown in Figure 3.9-1. This flow diverter smoothes the turning of the reactor coolant flow from the downward flow outside the core barrel to upward flow through the fuel assemblies.
The flow diverter reduces flow turbulence and recirculation and minimizes flow related pressure loss in this region.
The lower riser assembly includes the lower riser, the upper core plate, CRA guide tubes, CRA guide tube support plate, and ICI guide tube support structure (see Tier 2                                            3.9-47                                          Revision 4
 
This page replaces page 3.9-48 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                      Mechanical Systems and Components Figure 3.9-3). The lower riser assembly is located immediately above the CSA and is aligned with and supported on the CSA by the four upper support blocks.
The lower riser channels the reactor coolant flow leaving the reactor core upward toward the central upper riser, and separates this flow from the flow outside the lower riser which is returning from the SGs.
The upper core plate, which is attached to the bottom of the lower riser by a socket head cap screw and alignment dowel, serves to support and align the top end of the fuel assemblies. Sixteen CRA guide tubes are attached to the upper core plate and extend upward to the CRA guide tube support plate. These guide tubes house the portion of the CRAs that extend above the top of the reactor core.
An ICI guide tube support structure is located inside the lower riser to support and align ICI guide tubes with their respective fuel assemblies.
The upper riser assembly is located immediately above the lower riser assembly and extends upward to the PZR baffle plate. It channels the reactor coolant leaving the core upward through the central riser and permits the reactor coolant to turn in the space above the top of the riser and below the PZR baffle plate, and then flow downward through the annular space outside of the riser and inside of the RPV where the SG helical tube bundles are located. Small diverse flow paths are located in the upper riser to permit a small amount of reactor coolant to bypass the top of the riser and flow into the SG tube bundle region. These flow paths ensure sufficient boron concentration remains in the reactor coolant during DHRS-driven riser uncovery conditions following non-LOCA transients, while not introducing structural integrity concerns.
The riser holes were evaluated for their effect on turbulent buffeting vibration and do not impact the results. Stress concentration factors at the structural discontinuities of the riser holes are insufficient to make the stresses significant contributors to fatigue usage. The riser holes are small relative to the upper riser and do not appreciably affect the structural properties of the assembly.
The potential for acoustic noise from vortices that may be formed at the riser holes, and other potential flow induced vibration effects of flow through the holes onto the steam generator tubes, was also evaluated. The riser flow holes are not expected to produce vortices due to the flow through the holes. If, however, vortices are formed, they do not coincide with a relevant acoustic mode of the riser. Additionally, the fluid passing through the riser holes produces minimal forces on the nearest SG tube column, and the frequency of the normal operation flow through the holes does not coincide with a predominant structural mode of the adjacent SG tubes. Therefore, the riser flow holes do not introduce structural integrity concerns due to flow-induced vibration.
The upper riser assembly includes the upper riser, a series of control rod drive shaft and ICI guide tube supports referred to as upper CRDS supports, and the upper riser hanger assembly. The upper riser assembly also accepts and positions the RCS injection piping.
The ICI guide tubes, which are supported by the upper riser assembly, extend from their respective penetrations in the RPV top head downward through the PZR space, the upper riser, and the lower riser to their respective fuel assemblies. The portion of the ICI guide tubes extending from the RPV upper head penetrations to the bottom of the upper riser assembly is depicted in Figure 3.9-2. The upper riser assembly hangs from the pressurizer baffle plate. There is a bellows assembly in the lower portion of the upper riser (see Figure 3.9-2). This bellows assembly exerts an initial contact load, in the Tier 2                                            3.9-48                                        Revision 4
 
This page replaces page 3.9-49 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Mechanical Systems and Components cold condition, on the lower riser interface, and then allows for the vertical thermal expansion. The RVI materials including base materials and weld filler materials are discussed in Section 4.5.2 and are designed to minimize the number of welds and bolted interfaces within the high neutron flux regions.
During refueling and maintenance outages the upper riser assembly stays attached to the upper section of the NPM (upper CNV, upper RPV and SG) while providing physical access for potential inspection of the feedwater plenums, SG, RPV and control rod drive shaft supports. The lower riser assembly and CSA remain with the lower NPM (lower CNV, lower RPV, core barrel, and core plates) when the module is parted for refueling and maintenance.
The RVI upper riser assembly is supported from the RPV integral steam plenum (e.g.,
below the bottom of the PZR).
Under normal operation, the reactor core is supported by the core support structures of the CSA (core support blocks, core barrel, lower core plate and upper core plate) that surround the fuel assemblies. The deadweight and other mechanical and hydraulic loads from the fuel are transferred to the upper and lower core plates. The motion of the upper and lower core plates is coupled through the core barrel. Under seismic and other accident conditions, the core barrel transfers lateral loads to the RPV shell through the core support blocks at the bottom of the RPV and the upper support blocks that are attached to the upper portion of the core barrel. The vertical loads are transferred from the core barrel to the RPV head through the core support blocks.
The fuel is surrounded by a heavy neutron reflector made of reflector blocks stacked on top of each other. The heavy reflector reflects neutrons back into the core to improve fuel performance. The heavy reflector provides the core envelope and directs the flow through the core. Under normal operation the heavy reflector does not provide support to the core and performs as an internal structure. During seismic and other accident events the heavy reflector limits the lateral movement of the fuel assemblies and transfers those loads to the core barrel.
A set of upper CRDM supports in the upper riser assembly, in conjunction with the CRA guide tube support plate, CRA guide tubes, and upper core plate in the lower riser assembly properly align and provide lateral support for the CRAs. The clearances provided at all these supporting members are intended to ensure adequate alignment of the CRDS with the fuel assemblies and permit full insertion of control rods under all design basis events (DBEs).
3.9.5.2        Loading Conditions Design, construction, and testing of the RVI core support structures and internal structures are in accordance with ASME BPVC Section III, Division 1, Subsection NG.
Section 3.6.2 provides determination and evaluation of pipe rupture locations and loads, and includes dynamic effects of postulated rupture of piping. Section 3.9.1 provides acceptable analytical methods for Seismic Category I components and supports designated ASME BPVC, Section III, Division 1, Class CS, which include RVI. The plant and system operating transient conditions including postulated seismic events and DBE that provide the basis for the design of the RVI are provided in Section 3.9.3.
Section 3.9.2 addresses the results of the comprehensive vibration assessment program including the preoperational vibration test program plan for the RVI that is consistent with the guidelines of RG 1.20.
Tier 2                                          3.9-49                                          Revision 4
 
This page replaces page 3.9-50 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                      Mechanical Systems and Components COL Item 3.9-3:      A COL applicant that references the NuScale Power Plant design certification will provide a summary of reactor core support structure American Society of Mechanical Engineers (ASME) service level stresses, deformation, and cumulative usage factor values for each component and each operating condition in conformance with ASME Boiler and Pressure Vessel Code Section III Subsection NG.
3.9.5.3        Design Bases Pursuant to GDC 10, the RVI are designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
The RVI core support structures and internal structures are designed for the service loadings and load combinations shown in Table 3.9-5. The method of combining loads for ASME service level A, B, C, D, and test conditions is addressed in Section 3.9.3.
Section 3.9.3.1 describes allowable design or service loads to be applied to the RVI and the effects of service environments, deflection, cycling, and fatigue limits.
Section 3.9.2 provides the dynamic analyses of the RVI design under steady-state and operational transient conditions, and the proposed program for pre-operational and startup testing of flow-induced vibration and acoustic resonance.
Structural integrity evaluation for the structural design adequacy and ability, with no loss of safety function, of the reactor vessel internals (RVI) to withstand the loads from breaches in high energy pressure boundaries in combination with the safe shutdown earthquake is provided in Section 3.9.3.
3.9.6      Functional Design, Qualification, and Inservice Testing Programs for Pumps, Valves, and Dynamic Restraints This section describes the functional design and qualification provisions for preservice testing (PST) and inservice testing (IST) of safety-related valves that are designated as Class 1, 2, or 3 under Section III of the ASME BPV Code and meet the requirements of the OM Code, Subsection ISTA-1100. This also includes valves not categorized as ASME BPV Code Class 1, 2, or 3 that have a safety-related function. Inservice testing of ASME Code Class 1, 2, and 3 valves is performed in accordance with the ASME Operation and Maintenance (OM)
Code and applicable addenda, as endorsed by 10 CFR 50.55a(f), or where relief has been granted by the NRC in accordance with 10 CFR 50.55a(f).
Testing requirements for pumps, valves, and dynamic restraints are specified in the ASME OM Code (Reference 3.9-3). The ASME OM-2012 Code Edition was used to develop the inservice testing plan for the NuScale Power Plant design certification. The NuScale inservice test plan applies to valves in all twelve NPMs. Valves are grouped as required by OM Mandatory Appendices I, II, and IV, as specified in Note 4 of Table 3.9-16. The NuScale inservice testing plan includes augmented testing for a limited number of valves not constructed to the ASME Code that are relied on in some safety analyses (see Table 3.9-17).
The plan also considers the guidance provided in NUREG-1482, Revision 2.
Pursuant to 10 CFR 50.55a(z), the ASME OM-2017 Code Edition, Mandatory Appendix IV was used as an alternative to OM-2012 to develop inservice performance assessment testing as described in Section 3.9.6.3.2 and Table 3.9-16. Mandatory Appendix IV provides an acceptable level of quality and safety by utilizing established code requirements for testing to demonstrate that valves can perform their safety function at design basis conditions.
Tier 2                                            3.9-50                                          Revision 4
 
This page replaces page 5.4-3 in Chapter 5, "Reactor Coolant System and Connecting Systems," Section 5.4, "Reactor Coolant System Component and Subsystem Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                    Reactor Coolant System Component and Subsystem Design are minimized to limit the buildup of corrosion products. Minimal quantities of corrosion products are present because the SG tube-to-tubesheet contact is within the primary coolant environment. Crevices at the tube-to-tubesheet face are prevented by full-length expansion of the tube within the tubesheet bore. The tubes are expanded into both the steam and feed plenum tubesheets.
The SG has no secondary side crevices or low-flow regions that could concentrate corrosion products or impurities accumulated during the steam generation process.
The once-through SG design does not contain a bulk reservoir of water at the inlet plena where the accumulation or concentration of material could occur. The concept of SG blowdown to remove these deposits is not applicable to the once-through NuScale Power Module SG design based on the geometry of the design and flow characteristics that do not allow accumulation of corrosion products within a fluid reservoir.
Therefore, a blowdown system that could be implemented would only serve to divert feedwater flow from the SG and would not be capable of removing corrosion products or impurities. Based on these factors, no SG blowdown system is included in the NPM design.
Secondary coolant impurities and corrosion products may deposit directly on the interior tube surfaces as a scale or film, or be removed from the SG by carryover. The concentration of corrosion products and impurities is low based on selection of materials for the condensate system and chemistry control requirements. An unacceptable buildup of corrosion product films on the secondary surfaces of the SG tubes is removed through periodic cleaning performed during outage periods. The cleaning methods and techniques are based on proven chemical or mechanical methods already employed in the pressurized water reactor existing fleet.
Secondary side SG surfaces are corrosion resistant, either nickel alloy, stainless steel, or stainless steel clad, which removes the concern for degradation of the SG shell or other low-alloy or carbon steel material by cleaning solutions. No low-flow areas exist for the buildup of hard sludge piles, which would require water lancing or other invasive techniques. Cleaning of the SG is readily accomplished by connecting an appropriate system directly to the main steam and feedwater disconnect flanges during an outage.
Heated primary coolant from the reactor core exits the riser and flows down the outer annulus through the SG tubes where heat is transferred to secondary coolant inside the SG tubes. Small flow paths are located in the upper riser to permit a small amount of reactor coolant to bypass the top of the riser and flow into the SG tube bundle region.
These flow paths ensure sufficient boron concentration remains in the reactor coolant during DHRS-driven riser uncovery conditions following non-LOCA transients. The primary coolant continues to flow down through the annular downcomer below the SGs into the lower reactor vessel plenum, where it reenters the reactor core. Further discussion of the RCS is provided in Section 5.1 and the RCS loop flow is illustrated in Figure 5.1-3.
The SGs deliver superheated steam with moisture content no greater than 0.10 percent by weight during full-power operating conditions.
Feedwater is supplied to the SGs by piping from the feedwater and condensate system located outside the Reactor Building. The feedwater lines are routed to and through the containment vessel (CNV) and into the lower SG plena, which penetrate the RPV wall. Feedwater flows from each feed plenum access port through the bottom of the Tier 2                                            5.4-3                                            Revision 4
 
This page replaces page 5.4-4 in Chapter 5, "Reactor Coolant System and Connecting Systems," Section 5.4, "Reactor Coolant System Component and Subsystem Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                    Reactor Coolant System Component and Subsystem Design SG tube columns, upward and around the outside of the upper riser assembly, and is converted to steam by the heat transferred from the reactor coolant.
The steam plena collect steam from the top of the SG tube columns and direct the steam through the steam nozzles. Steam flows through the SG piping, through nozzles penetrating the containment, and then to the main steam system and power conversion systems located outside the Reactor Building.
The total SG heat transfer area provided in Table 5.4-2 comprises the outer surface area of the full length of tubes from the outer face of the feed plenums to the outer face of the steam plenums. The total heat transfer area of each of the two independent SGs includes a 10 percent tube plugging margin.
A fouling factor is used when calculating end-of-cycle heat transfer performance and is provided in Table 5.4-2. The value is selected to account for typical operating experience for nuclear power plants that maintain the secondary system chemistry within the limits of the plant secondary water chemistry control program. The fouling factor is applied to the tube inner surface where deposits of steam plant corrosion products occur. The thin oxide layer that develops on the outer surface of the tubes in the primary coolant is not considered in tube heat transfer fouling.
The SG tubes are designed with a nominal wall thickness of 0.050 inch. A lifetime degradation allowance of 0.010 inch is included in the design nominal wall thickness.
SG tube wall thickness is selected to account for random inservice tube degradation mechanisms (e.g., general corrosion, erosion, and wear) and tube defects introduced during the SG assembly process.
The SG design data is provided in Table 5.4-2. Transient conditions applicable to the SGs are discussed in Section 3.9.1 and design stress limits, loads, and load combinations applicable to the SGs are discussed in Section 3.9.3. NuScale SG degradation evaluations demonstrate that the SG tubing retains acceptable tube integrity with 50 percent thickness degradation under all loading conditions.
Main steam isolation valves (MSIVs) and feedwater isolation valves (FWIVs) are located outside the NPM on the main steam and feedwater headers, respectively, on top of the CNV at the top support structure platform. A detailed discussion of the isolation functions of the valves is provided in Section 6.2.4.
The DHRS forms a closed-loop connection between the steam lines and the feedwater lines inside the containment isolation boundary formed by the MSIVs and FWIVs. The DHRS is isolated from steam flow during normal operations by the DHRS actuation valves. The DHRS is described in more detail in Section 5.4.3.
The SGs are designed to minimize tube corrosion, to minimize tube vibration and wear, and to enhance overall reliability. The design includes provisions to reduce the potential for tube damage due to loose parts wear.
The SG design permits periodic inspection and testing of critical areas and features to assess their structural and pressure boundary integrity when the NPM is disassembled for refueling as shown in Figure 5.4-2. The internal surface of SG tubes is accessible over their entire length for application of nondestructive examination methods and techniques that are capable of finding the types of degradation that may occur over the life of the tubes. Individual SG tubes may be plugged, and if necessary, stabilized to Tier 2                                            5.4-4                                          Revision 4
 
This page replaces page 5.4-46 in Chapter 5, "Reactor Coolant System and Connecting Systems," Section 5.4, "Reactor Coolant System Component and Subsystem Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                        Reactor Coolant System Component and Subsystem Design Table 5.4-5: Decay Heat Removal System Design Data Parameter                                                  Value Internal pressure (psia)                                          2100 Actuation valve external pressure (psia)                                      60 Passive condenser external pressure (psia)                                    27 Temperature (&deg;F)                                                650 Number of condensers                                                2 Total number of tubes per condenser                                          80 Tube wall outer diameter (inches)                                        1.315 Tube wall thickness (inches)                                          0.109 Tube external surface area per condenser (ft2)                                258.2 Fouling factor (hr-ft2-F/BTU)                                        0.0005 Tier 2                                                  5.4-46                                          Revision 4
 
This page replaces page 4.3-4 in Chapter 4, "Reactor," Section 4.3, "Nuclear Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                        Nuclear Design modes of operation, including: operations, hot shutdown, safe shutdown, transition, and refueling. For the operations mode, the technical specification for SDM is based on the limit used for safety analysis. A comparison between the SDM limit used for safety analysis and the available SDM for the equilibrium fuel cycle is presented in Section 4.3.2.5.
During power operations, the CVCS is used to adjust soluble boron concentration to account for reactivity changes due to core burnup and due to power maneuvering, in order to maintain the CRAs within the power dependent insertion limits (PDIL). The PDILs ensure that sufficient SDM is maintained. Using soluble boron preserves the capability of the CRAs to rapidly reduce power and protect fuel design limits upon a reactor trip, and provides a means for controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure SAFDLs are not exceeded.
For AOOs, rapid CRA insertion after a reactor trip provides protection of fuel design limits. Consistent with GDC 26, the calculation of SDM includes a provision for the highest worth CRA remaining fully withdrawn from the core.
For postulated accidents comprised of infrequent events and accidents as described in Section 15.0, rapid CRA insertion after a reactor trip provides protection of the core. As with AOOs, the CVCS is used to adjust soluble boron concentration and maintain SDM prior to the event. Thus, for postulated accidents, the combined capability of the CVCS and CRAs control reactivity and ensures that the capability to cool the core is maintained as described in Section 15.0. CRAs reliably control reactivity changes after a postulated accident without the need for poison addition.
For design basis events (DBE), the insertion of all CRAs provides the safety related means to shut down the reactor and maintain it in a shutdown condition. Long term shutdown capability is defined as the amount of reactivity by which the reactor is subcritical or would be subcritical from its present condition assuming all CRAs are fully inserted and the RCS is cooled to equilibrium conditions. Long term shutdown capability is evaluated assuming that the core is xenon-free, no decay heat or voiding is present, and equilibrium samarium is accounted for. Insertion of all CRAs satisfies the portion of GDC 26 and PDC 27 requiring that one of the systems shall be capable of holding the reactor core subcritical under cold conditions.
Conservative analysis indicates that a return to power could occur following a reactor trip under the condition that the highest worth CRA does not insert, coincident with the CVCS system being unavailable. The probability of such a return to power is insignificant because the probability of failure of a CRA to insert and the CVCS being unavailable is less than 1E-5 per reactor year. Furthermore, even in a return to power scenario, fuel damage does not occur because the resultant power level is limited and the associated heat generated is within the capacity of the passive heat removal system, as discussed in Section 15.0.6.
LOCA events can result in condensation of unborated water in the CNV and RPV downcomer once the steam generator tubes become uncovered. The ECCS actuation signals on high CNV level and low RCS pressure are specifically designed to ensure ECCS actuation occurs prior to the development of conditions that could result in a core dilution event following ECCS actuation.
Tier 2                                              4.3-4                                        Revision 4
 
This page replaces page 4.3-5 in Chapter 4, "Reactor," Section 4.3, "Nuclear Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                          Nuclear Design In some Non-LOCA scenarios, DHRS can cool the RCS such that the level drops below the top of the riser and the natural circulation loop is interrupted. Without natural circulation flow, condensation of steam could reduce the downcomer boron concentration. Diverse flow paths through four holes located in the riser promote mixing to preclude positive reactivity insertion when natural circulation is restored. The riser holes are located at the SG midpoint, which is below the level resulting from RCS fluid contraction from DHRS cooldown.
4.3.1.6        Stability The design of the reactor and associated systems, and the administrative controls on CRA position provide an inherently stable core with respect to axial and radial power stability.
In addition, oscillations in core power can be readily detected by the fixed in-core detector system which continuously monitors the core flux distribution.
The stability analyses are provided in Section 4.3.2.7.
This stability design satisfies GDC 12.
4.3.2        Nuclear Design Description 4.3.2.1        Nuclear Design Description The NuScale core design is comprised of 37 fuel assemblies, each arranged in a 17x17 lattice and containing 264 fuel rods, 24 CRA guide tubes, and one central instrumentation tube. The fuel rods are supported by five spacer grids; each fuel rod consists of a column of stacked, cylindrical ceramic pellets of enriched uranium dioxide (UO2) with gadolinium oxide (Gd2O3) as a burnable absorber homogeneously mixed within the fuel in selected locations. The fuel pellets are encapsulated in M5 cladding (a zirconium-based alloy) with an active fuel length of 78.74 inches. The fuel is enriched up to 4.95 percent.
Sixteen (16) of the fuel assembly positions contain CRAs. The CRAs are organized into two banks: a regulating bank and a shutdown bank. The regulating bank contains two groups of four (4) CRAs arranged symmetrically in the core. The regulating bank groups are used during normal plant operation to control reactivity and provide axial power shaping. The shutdown bank contains two groups of four (4) CRAs. The shutdown bank is fully withdrawn during power operation. The shutdown bank is used in the event of a reactor trip and to maintain the reactor shutdown. Each CRA contains 24 individual rods fastened at the top end to a common hub or spider. The rods contain two neutron absorbers, silver-indium-cadmium at the bottom of the rod, and boron carbide (B4C) in the upper portion of the rod. The CRA rods are clad with stainless steel. More information on the fuel and CRAs is provided in Section 4.2 and Section 4.6.
Power dependent insertion limits restrict the amount by which the two regulating bank groups can be inserted at power. When the regulating groups are inserted, both groups in the regulating bank move together until the Group 2 PDIL is reached. Once both groups reach the Group 2 PDIL, Group 1 can insert further, up to the Group 1 PDIL.
When the CRAs are withdrawn, Group 2 cannot be withdrawn from the Group 2 PDIL limit until Group 1 has been withdrawn to meet Group 2. From there, both regulating Tier 2                                              4.3-5                                        Revision 4
 
This page replaces page 4.3-6 in Chapter 4, "Reactor," Section 4.3, "Nuclear Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                          Nuclear Design banks move together for the remainder of the withdrawal. The PDILs are shown in Figure 4.3-2.
The fuel cycles are nominally two years and equivalent to a 12 GWd/MTU cycle length.
The nuclear design includes axial and radial enrichment zoning within an assembly.
Each fuel rod has a reduced enrichment axial blanket at the top and bottom, with a central fully enriched zone. Assemblies may also incorporate radial zoning to ensure that the peak power rod in any assembly is not on the assembly periphery.
The reload fuel management scheme places fresh fuel on the periphery of the core and shuffles burned fuel into the middle of the core in an "out-in" approach. The "out-in" fuel management, in conjunction with NuScale's heavy reflector design, lowers power peaking and maximizes thermal margin. In this scheme, the maximum power does not reside in the central assemblies and a flatter radial power distribution across the core is achieved. This approach provides for analysis and operational simplicity compared to the more traditional low-leakage core loading patterns. Additionally, the "out-in" approach minimizes the burnable poison loading requirement because of the inherently flatter power distribution. As a result, boron concentration and power peaking are usually greatest at the beginning of the cycle.
The NuScale reactor is designed with a heavy reflector (Figure 4.3-25) to improve neutron economy. The reflector is made of stainless steel, which reflects fast neutrons back into the core and flattens the power distribution to improve fuel performance.
The reflector is located between the core periphery and the core barrel and provides the core envelope and directs flow through the core.
The soluble boron concentration is adjusted throughout the cycle to compensate for the reactivity changes due to fuel burnup, fission product poisoning, and burnable poison depletion. The higher concentration at beginning of cycle balances the excess reactivity that is designed into the cycle to achieve the nominal two-year cycles. The equilibrium cycle has an initial boron concentration of 1235 ppm.
Burnable poison in the form of gadolinia (Gd2O3) is used in strategic locations within the fuel assemblies. The gadolinia is homogeneously mixed with the UO2 in selected fuel rods to provide a favorable radial power distribution, hold down reactivity, and minimize power peaking within an assembly. Although gadolinia is physically compatible with UO2, its addition to the fuel degrades some of the material properties of the UO2. For this reason, fuel containing gadolinia is limited to a lower power generation rate than fuel containing only UO2 based on consideration of centerline melting.
The equilibrium cycle is the reference for which analysis is presented in this section. The exact loading patterns, the initial and final positions of assemblies, and the number of fresh assemblies and their placement will ultimately depend on the energy requirements and the specific power history of the individual cycle. The loading pattern for the reference equilibrium cycle is shown in Figure 4.3-1.
Table 4.3-1 and Table 4.3-2 summarize the reactor core design parameters used in the analysis. Table 4.3-5 summarizes the plant operating modes for the NuScale design.
Tier 2                                              4.3-6                                        Revision 4
 
This page replaces page 4.3-7 in Chapter 4, "Reactor," Section 4.3, "Nuclear Design," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                            Nuclear Design 4.3.2.2        Power Distribution Power distribution calculations are discussed in the Nuclear Analysis Codes and Methods Qualification topical report (Reference 4.3-1). This report contains a discussion of power distribution uncertainty, including application and a means for updating the uncertainty values.
4.3.2.2.1            Definitions Maximum FH The maximum enthalpy rise hot channel factor, FH, is defined as the ratio of the maximum integrated fuel rod power to the average fuel rod power. The limit on FH is established to ensure that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. This limit ensures that the design basis value for the CHF ratio is met for normal operation, anticipated operational occurrences, and infrequent events. The FH limit is representative of the coolant flow channel with the maximum enthalpy rise. This channel has the highest power input to the coolant and therefore the highest probability for CHF.
The NuScale design limit for FH is 1.50 and is based on the safety analysis.
Maximum FQ The heat flux hot channel factor (or total peaking factor), FQ, is the ratio of maximum local heat flux on the surface of a fuel rod to the average fuel rod heat flux for the entire core. The maximum FQ value is used to calculate the peak linear heat generation rate (LHGR). The maximum value of FQ is used to ensure the specified acceptable fuel design limit for fuel centerline melting is not exceeded.
Axial Peaking Factor Fz The axial peaking factor, Fz, is the maximum relative power at any axial point in a fuel rod, divided by the average power of the fuel rod.
Engineering Hot Channel Factor, FE The engineering heat flux hot channel factor, FE, accounts for manufacturing tolerances on such parameters as enrichment, pellet density, and pellet diameter.
Measurement Uncertainty Factor, FM The measurement uncertainty factor, FM, accounts for the measurement error associated with power distribution predictions. FM is accounted for in the nuclear reliability factor (NRF) determined for FQ. The NRF is discussed in more detail in Section 4.3.2.2.7 and in Reference 4.3-1.
Additional uncertainties on the limiting FH value which is used in the CHF ratio calculation are included in the subchannel analysis discussed in Section 4.4.
Tier 2                                                4.3-7                                        Revision 4
 
This page replaces page 15.0-33 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Transient and Accident Analyses RADTRAD is used to determine the dose, as outlined in Section 15.0.3.3.8. There are no single failures assumed for this event. The control room model is described in Section 15.0.3.7.1. The potential radiological consequences of the iodine spike DBST are presented in Table 15.0-12.
15.0.4    Safe, Stabilized Condition Safety analyses of design basis events are performed from event initiation until a safe, stabilized condition is reached. A safe, stabilized condition is reached when the initiating event is mitigated, the acceptance criteria are met and system parameters (for example inventory levels, temperatures and pressures) are trending in the favorable direction. For events that involve a reactor trip, system parameters continue changing slowly as decay and residual heat are removed and the RCS continues to cool down. No operator action is required to reach or maintain a safe, stabilized condition.
Two additional considerations are discussed to show that Chapter 15 acceptance criteria are not challenged beyond the safe, stabilized condition. Long term decay and residual heat removal is discussed in Section 15.0.5 and a potential return to power is discussed in Section 15.0.6.
As discussed in Section 15.0.6, boron distribution is an important consideration during extended passive cooling conditions. Boron redistribution is determined to be acceptable during passive ECCS and DHRS cooling modes. Fluid boron concentration and boron distribution in the module continue to be important considerations when exiting these passive cooling modes, and must be accounted for to ensure shutdown margin limits are appropriately preserved during post-event recovery actions.
15.0.5    Long Term Decay and Residual Heat Removal There are two systems that perform the safety-related function of decay and residual heat removal from the NPM following a DBE. The DHRS, described in Section 5.4.3, provides decay and residual heat removal while RCS inventory is retained inside the RPV, the containment is maintained in partially evacuated dry conditions, and power is available.
The ECCS, described in Section 6.3, provides decay and residual heat removal when RCS inventory has been redistributed between the RPV and the CNV after the RVVs and RRVs are opened.
The DBEs listed in Table 15.0-1 progress from initiation of the event to effective DHRS or ECCS operation demonstrating that the NPM has reached a safe, stabilized condition, as described in Section 15.0.4. The decay heat removal process continues into the long-term phase, either with DHRS, natural circulation between the CNV and RPV through the RRVs and RVVs, or a combination of the two.
There are four decay and heat removal scenarios:
: 1) DHRS,
: 2) DHRS with the RVVs and RRVs opening 24 hours after a loss of normal AC power,
: 3) DHRS with the RVVs and RRVs opening after a loss of normal AC and normal DC power when the IAB pressure threshold is reached, and
: 4) ECCS actuation following an inadvertent opening of a reactor coolant pressure boundary (RCPB) valve or a LOCA.
Tier 2                                          15.0-33                                          Revision 4
 
This page replaces page 15.0-34 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Transient and Accident Analyses Scenario 1 - Decay and Residual Heat Removal using DHRS Non-LOCA events progress from event initiation to the point where DHRS actuation valves open and the MSIVs and FWIVs close to allow DHRS operation. The progression of decay heat removal using DHRS depends on the availability of AC power.
With AC power available, DHRS cools the NPM and provides long term removal of decay heat while the RRVs and RVVs remain closed. Section 5.4.3 describes the operation of DHRS, including actuation, cooling to the safe, stabilized condition, and long term residual and decay heat removal.
In some scenarios, DHRS can cool the RCS such that the level drops below the top of the riser and the natural circulation loop is interrupted. Without natural circulation flow, condensation of steam in the riser could reduce the downcomer boron concentration.
Diverse flow paths through four holes located in the riser promote mixing to preclude positive reactivity insertion when natural circulation is restored. The riser holes are located at the SG midpoint, which is below the level resulting from RCS fluid contraction from DHRS cooldown.
Scenarios 2 and 3 - Decay and Residual Heat Removal using DHRS followed by Natural Circulation through the RVVs and RRVs For non-LOCA events that results in DHRS actuation, if onsite AC power is lost, DC power to the RVVs and RRVs is automatically removed after 24 hours and the RVVs and RRVs go to a fail-safe open position. If the non-LOCA event analysis assumes that AC and DC power are lost, which results in power removed from the RVVs and RRVs, then the RVVs and RRVs are maintained closed by the IAB mechanism. The IAB mechanism prevents RVV and RRV actuation at high RCS pressures. The RVVs and RRVs go to a fail-safe open position when the RCS pressure decreases below the IAB release pressure. Therefore, long-term decay and residual heat removal is accomplished with DHRS followed by natural circulation through the RVVs and RRVs.
Opening the RVVs and RRVs to depressurize the RCS and establish long term cooling is not considered an event escalation because the functions of the RCS barrier are not lost. The progression of cooling function from DHRS to natural circulation using the RVVs and RRVs is an inherent function in the passive design of the NPM. The RCS barrier continues to provide a confined volume for reactor coolant which allows a flow path for cooling the core and thus, confining fission products to the fuel and preventing an escalation of a DBE, including an AOO.
In some scenarios, DHRS can cool the RCS such that the level drops below the top of the riser and the natural circulation loop is interrupted. Without natural circulation flow, condensation of steam could reduce the downcomer boron concentration. Diverse flow paths through four holes located in the riser promote mixing to preclude positive reactivity insertion when natural circulation is restored. The riser holes are located at the SG midpoint, which is below the level resulting from RCS fluid contraction from DHRS cooldown.
Scenario 4: Decay and Residual Heat Removal using ECCS following an Inadvertent Opening of an RCPB valve or LOCA The system response in terms of potential challenge to the fuel from an inadvertent opening of an RVV, as described in Section 15.6.6, bounds other RCPB valve opening events Tier 2                                          15.0-34                                          Revision 4
 
This page replaces page 15.0-35 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Transient and Accident Analyses as well as other non-LOCA events that transition from DHRS to natural circulation through the RVVs and RRVs. The rate of depressurization after an inadvertent opening of an RVV is more rapid compared to the rate of depressurization after opening other RCPB valves at full power or the RVVs and RRVs following other non-LOCA events. After the RVVs and RRVs open, RCS inventory is redistributed between the RPV and CNV and the NPM enters the same cooling configuration, irrespective of the initiating event. The results of the long term cooling analysis are summarized in Table 15.0-22.
LOCAs or inadvertent RCPB valve opening events can result in condensation of unborated water in the CNV and RPV downcomer once the steam generator tubes become uncovered.
The ECCS actuation signals on high CNV level and low RCS pressure are specifically designed to ensure ECCS actuation occurs prior to the development of conditions that could result in a core dilution event following ECCS actuation.
The LOCA analysis, including the analysis of long term cooling following a LOCA per 10 CFR 50.46(b)(5), is discussed in Section 15.6.5.
15.0.6    Evaluation of a Return to Power Having all control rods inserted provides the safety-related means to maintain the reactor shut down for internal events and for hazards such as floods and fires in the plant, earthquakes, severe weather conditions, external fires, and external floods. With all control rods inserted, a return to power is precluded. For design basis analysis of internal events for which the worst control rod is assumed stuck out, a return to power is highly unlikely.
However, a return to power is evaluated for various cooldown progressions to demonstrate that fuel design limits are not challenged. As described in Section 4.3, a failure in reactivity control system reliability to ensure long term shutdown is calculated to be less than 1E-5 per NPM-reactor year. With the highest worth control rod assembly stuck out and the chemical and volume control system unavailable, subcritical core conditions (keff<1.0) are demonstrated, for 72 hours after a DBE using nominal analysis assumptions, except for the condition where initial boron concentration is very low. The probability of reactivity control systems failing during the first 72 hours after shutdown within the small window of initial conditions that can lead to a return to power is conservatively calculated to be less than 1E-6 per NPM-reactor year.
In the unlikely event of a return to power, shutdown with margin for stuck rods is not required to demonstrate adequate fuel protection. Fuel is protected through physical processes inherent to the NuScale design that control reactivity and limit power compared to a design in which shutdown is required to limit power production to protect fuel integrity. In the NPM design, additional protection is provided by limiting power and passively removing heat. The means for limiting the power produced if the reactor does not remain shut down is dependent on the heat removal system used.
15.0.6.1        Identification of Causes and Accident Description Design basis events are analyzed with an assumed highest worth control rod stuck fully withdrawn in order to evaluate the immediate shutdown capability of the negative reactivity insertion due to a reactor trip with the control rods inserting into the core, consistent with GDC 26 (See Section 3.1). In the event of an extended cooldown, when the RCS is at low boron concentrations and the CVCS is unavailable to add boron, it may be possible to cool the core to the point of reestablishing some level of critical neutron power if the most reactive control rod stuck out is assumed. This potential Tier 2                                            15.0-35                                          Revision 4
 
This page replaces page 15.0-36 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Transient and Accident Analyses overcooling could cause a unique reactivity event similar to a steam line break for traditional multi-loop PWRs. Therefore, this event is specifically evaluated for specified acceptable fuel design limits (SAFDLs).
Boron distribution is an important consideration in the determination of the consequences of a return to power during extended passive cooling conditions. Under emergency core cooling conditions, boron will preferentially redistribute to the core and riser region of the NPM due to the boiling and condensing heat removal design of the ECCS. Over time, the boron concentration of the water recirculating to the core from the containment vessel will be at lower concentrations than the bulk core region and could be below the bulk critical boron concentration. Analysis of these conditions was performed separately from the overcooling return to power evaluation and included the following considerations:
* Conservative treatment of potential boron solidification mechanisms due to flashing and entrainment during the ECCS depressurization phase.
* Conservative treatment of the total mass of boron available to recirculate to the core including potential for CNV concentration gradients due to thermal stratification and conservative downcomer mixing to bound potential three dimensional effects. The potential for significant boron concentration gradients to develop in the core region was evaluated to justify adequate conservatism.
* Conservative treatment of potential boron lost due to entrainment and volatility during the long term ECCS cooling phase.
The analysis included consideration of all design basis events which could progress to ECCS cooling with specific evaluation of the inadvertent ECCS valve opening events as well as other piping breaks where pure water could be introduced into containment prior to ECCS cooling being established. These cases were analyzed for 72 hours. The results showed that the bulk core boron concentrations remained above the initial concentration which supports the conservative analysis of the return to power at end of cycle conditions where the initial boron concentration is minimal.
The purpose of this analysis is to evaluate the thermal hydraulic and core neutronic response of the NPM for an extended overcooling return to power. This analysis is intended to provide a generic bounding evaluation of the extended cooling that could result following any DBE, therefore AOO acceptance criteria and conservative analysis assumptions are applied. The limiting return to power event occurs when operating conditions are biased to maximize initial core fission product poisons which gradually decay resulting in reactivity insertion. The timing of this reactivity insertion occurs well after equilibrium DHRS or ECCS passive cooling modes will have been established following an initial transient and reactor trip. Therefore, analysis of the return to power is limited to the equilibrium thermal hydraulic and neutronic conditions with appropriate biases and conservatisms to ensure a conservative CHF analysis is performed.
15.0.6.2      Sequence of Events and Systems Operation For the overcooling return to power event, it is assumed that a reactor trip occurs at end of cycle (EOC) with the most reactive control rod stuck out of the core. The decay of xenon slowly adds positive reactivity during the cooldown. The subsequent cooldown is left unmitigated and boron addition does not occur. While there are simple operational means for mitigating the extended cooldown and thereby eliminating the Tier 2                                          15.0-36                                          Revision 4
 
This page replaces page 15.0-37 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                          Transient and Accident Analyses need for boron addition, operator action is not credited for either mitigating the cooldown or adding boron, consistent with Section 15.0.0.6.4.
15.0.6.3      Thermal Hydraulic and Critical Heat Flux Analyses 15.0.6.3.1        Evaluation Models The overcooling return to power analysis is performed using the following analysis procedure:
* The core average RCS temperature is determined using the long term cooling statepoint analysis approach described in the LTC technical report.
* The worst rod stuck out, EOC critical power level is determined using the SIMULATE5 core physic analysis model.
* CHF margin is evaluated using the zero flow CHF correlation described in the LOCA EM topical report.
The MCHFR analysis uses the CHF correlation applied in the LOCA evaluation model, evaluated against the 95/95 CHFR acceptance criterion of an AOO, as described in Reference 15.0-3.
SIMULATE5 is an advanced three-dimensional (3D), steady-state, multi-group nodal reactor analysis code capable of multi-dimensional nuclear analyses of reactors. A discussion of SIMULATE5 is provided in Section 4.3.
15.0.6.3.2        Input Parameters and Initial Conditions As stated above, this event is analyzed specifically for the parameters that generate the most severe overcooling return to power core power event. The following assumptions ensure that the equilibrium power results have sufficient conservatism.
* The core is assumed to be at hot full power and end of cycle (5 ppm boron concentration) conditions prior to the transient initiation.
* A critical boron concentration (CBC) nuclear reliability factor (NRF) is used in this analysis.
* The ECCS valve capacity is maximized to increase the efficiency of heat transfer from the RPV to the UHS.
* The DHRS heat transfer is increased by 30 percent to ensure the consequences of the cooldown are maximized after DHRS actuation.
* A reactor pool level of 69 feet and a temperature of 65 degrees Fahrenheit is used leading to a conservatively high cooldown rate, which adds the maximum positive reactivity.
* A time-dependent xenon worth is used in this analysis for the purposes of calculating timing of return to power only. The core is assumed to be at EOC conditions at the time of event initiation with equilibrium fission products. The xenon worth specified in the input is determined from the time dependent decay of the fission products that are present in the EOC core.
No single failure is assumed. Failure of the main steam or feedwater isolation valves to close could result in a reduction of DHRS cooling, which would be non-conservative for the overcooling return to power event. Full ECCS actuation Tier 2                                          15.0-37                                          Revision 4
 
This page replaces page 15.0-38 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                            Transient and Accident Analyses will be more limiting for CHF, therefore, an ECCS valve failure to open is not considered.
For the limiting MCHFR portion of the analysis, the following conservatisms are applied:
* A dynamic return to power factor of 2.0 is applied to the equilibrium power level to bound any potential overshoot of the equilibrium power.
* The maximum radial peaking (FH) due to the stuck control rod is 7.5. The return to power is driven by the lack of necessary negative reactivity insertion due to the postulated most reactive control rod stuck in a fully withdrawn position. The critical power will be localized in this region of large radial peaking.
* A maximum FQ was chosen with additional penalty for variation in axial peaking.
* A critical boron concentration (CBC) nuclear reliability factor (NRF) is used in the determination of the critical power level for the limiting MCHFR analysis.
15.0.6.3.3        Results This analysis provides a conservative characterization of the equilibrium power and corresponding critical heat flux ratio, should a return to power occur. Additionally, the time of return to power is evaluated based on time-dependent xenon and thermal-hydraulic conditions.
For several different cooldown modes and pool temperature conditions, the nominal equilibrium power level and MCHFR are summarized in Table 15.0-16. The limiting equilibrium power level and MCHFR are provided in Table 15.0-17. The nominal results for the limiting pool temperature are included in Figure 15.0-8. The results for a pool temperature of 140 degrees F are provided in Figure 15.0-10.
* The maximum equilibrium power level occurs for the ECCS cooldown mode with a 65 degrees F pool.
* The maximum equilibrium power is approximately 2.9 MW.
* Several of the cases do not return to a critical condition within the 72 hour window analyzed. The earliest return to power occurs at approximately 40 hours post scram.
* The timing of the initial recriticality demonstrates that the return to power event does not occur during the short-term RCS de-energizing phase, but instead is the result of the slow decay of xenon in the long-term equilibrium phase between decay heat and RCS temperature.
* Results show that the equilibrium power decreases with increasing pool temperature.
* The MCHFR is well above the analytical limit, therefore it is concluded that the SAFDLs are ensured should a limited return to power occur following an unmitigated cooldown, regardless of initiating event or time in cycle in which it occurs.
Tier 2                                            15.0-38                                          Revision 4
 
This page replaces page 15.0-51 in Chapter 15, "Transient and Accident Analyses," Section 15.0, "Transient and Accident Analyses," of Table 15.0-7: Analytical Limits and Time Delays (Continued)
Tier 2 NuScale Final Safety Analysis Report Signal              Analytical Limit                                            Basis and Event Type                                              Actuation Delay High Main Steam Pressure            800 psia        This signal is designed to detect and mitigate loss of main steam demand to protect primary and              2.0 sec secondary pressure limits during heatup events.
High Main Steam Superheat            150&deg;F        This signal is designed to detect and mitigate steam generator boil off to protect DHRS functionality        8.0 sec during at power and post trip conditions.
Low Main Steam Superheat              0.0&deg;F        This signal is designed to detect and mitigate steam generator overfilling to protect DHRS functionality      8.0 sec during at power and post trip conditions.
Low RCS Flow                        1.7 ft3/s      This signal is designed to ensure boron dilution cannot be performed at low RCS flowrates where the          6.0 sec loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event.
Low Low RCS Flow                    0.0 ft3/s      This signal is designed to ensure flow remains measureable and positive during low power startup              6.0 sec conditions.
High CNV Water Level              240-264(3)      This signal is designed to protect water level above the core in LOCA events.                                3.0 sec (elevation)
Low RCS Pressure                    800 psia        This signal is designed to actuate ECCS for small LOCA events prior to extended riser uncovery where the      2.0 sec SG can generate condensate causing boron distribution gradients in the RCS.
15.0-51 Low AC voltage                      Note 4        This signal is designed to ensure appropriate load shedding occurs to EDSS in the event of extended loss    60.0 sec of normal AC power to the EDSS battery chargers.
High Under-the-Bioshield              250&deg;F        This signal is designed to detect high energy leaks or breaks at the top of the NuScale Power Module          8.0 sec Temperature                                        under the bioshield to reduce the consequences of high energy line breaks on the safety related the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
equipment located on top of the module.
Notes:
: 1. If RCS hot temperature is above 600&deg;F. See Figure 15.0-9.
: 2. If RCS hot temperature is below 600&deg;F. See Figure 15.0-9.
: 3. CNV water level is presented in terms of elevation where reference zero is the bottom of the reactor pool. The range allows +/-12" from the nominal ECCS level setpoint of 252.
: 4. Normal AC voltage is monitored at the bus(es) supplying the battery chargers for the highly reliable DC power system. The analytical limit is based on Loss of Normal AC Transient and Accident Analyses Power to plant buses (0 volts) but the actual bus voltage is based upon the voltage ride-thru characteristics of the EDSS battery chargers.
: 5. The overcooling event analyses account for a cooldown event specific process error analytical limit of 0.5%/&deg;F.
: 6. The high count rate trip is treated as a source range over power trip that occurs at a core power analytical limit of 500kW which functionally equates neutron monitoring system counts per second to core power. This trip is bypassed once the intermediate range signal has been established.
Revision 4
 
This page replaces page 15.6-13 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                      Decrease in Reactor Coolant Inventory A steam space break initiates a blowdown of the RCS inventory into the CNV from the top of the RPV. A liquid space break causes blowdown of the RCS inventory into the CNV from the liquid filled region of the RPV. Steam space breaks depressurize more quickly and generally actuate ECCS on low RCS pressure. Some larger liquid space breaks also actuate ECCS on low RCS pressure, however, the majority of the liquid space break spectrum actuate ECCS on high CNV level. The progression of the steam and liquid space LOCA events are similar, with the exception of different timing of the key events and the liquid/steam composition of the break flow.
Table 15.6-12 shows the sequence of events for the limiting LOCA. The MPS is credited to initiate the reactor trip, isolate containment, and initiate DHRS, SSI and ECCS. DHRS is not credited for cooling following a LOCA. No operator action is credited in this event analysis.
The transition from the LOCA analysis to the post-LOCA long-term core cooling phase occurs when natural circulation between the RPV and the containment through the RVVs and RRVs has reached a stable state and decay and residual heat is being removed. The purpose of the post-LOCA long term cooling evaluation is to show that continued cooling occurs without boron precipitation for at least 72-hours after the initiation of a LOCA.
15.6.5.3      Core and System Performance 15.6.5.3.1          Evaluation Model The thermal hydraulic analysis of the plant response to a LOCA uses NRELAP5.
Section 15.0.2 provides details on the modeling requirements and code modifications needed to appropriately capture the phenomena and features of the LOCA evaluation model. Section 15.0.2 discusses the LOCA Evaluation Model Development and Assessment Process (EMDAP). Utilizing the results of the break spectrum, the methodology demonstrates that the design and operating conditions analyzed will result in a safe condition of a NPM for postulated design basis LOCAs.
The post-LOCA long-term core cooling analysis is performed using the NRELAP5 model to support the ECCS long term cooling methodology. A spectrum of cases is performed to encompass minimum and maximum cooldown scenarios. The results of the long-term core cooling analysis are then compared to the acceptance criteria developed for evaluating the margin to boron precipitation to show that boron precipitation is avoided during the long-term core cooling phase.
For the boron precipitation portion of the analysis, the following methodology is used. The determination of the boron precipitation temperature for a given mixing volume starts with the calculation of the entire mass of boron in the RCS. A corresponding concentration is calculated for the mixing volume assumption.
Finally, the precipitation temperature is obtained for the mixing volume concentration using the boron precipitation curve. These calculations are performed for various mixing volumes corresponding to various elevation of liquid levels above the core. Temperature and level results from the long-term core cooling calculation are compared to the boron precipitation results to determine if boron precipitation could occur.
Tier 2                                              15.6-13                                          Revision 4
 
This page replaces page 15.6-18 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory that the scenario consisting of a 100-percent injection line break with a reactor pool temperature of 65 degrees F, low pressurizer level and a 1.2 multiplier on decay heat results in the RCS minimum collapsed level. Boron precipitation does not occur at the time of the minimum collapsed liquid level, based on the core temperature being less than the highest boron precipitation temperatures for the highest boron concentration. Boron precipitation is also evaluated for the minimum RCS temperature during the 72-hour time following the LOCA, indicating that boron precipitation does not occur.
The MPS is credited to protect the NPM in the event of a LOCA. The following MPS signals provide the plant with protection during a LOCA:
* high pressurizer pressure
* high containment pressure
* low pressurizer level
* low low pressurizer pressure
* low low pressurizer level
* high containment water level
* low RCS pressure 15.6.5.4      Radiological Consequences Section 15.0.3 presents the iodine spike design basis source term (DBST) methodology and the radiological consequences of the iodine spike DBST. The LOCA does not result in fuel failure, therefore the iodine spike DBST bounds the source term, and thus the dose consequences, of a LOCA.
15.6.5.5      Conclusions The acceptance criteria for a LOCA, per 10 CFR 50.46(b), are listed below. In addition, NuScale specific acceptance criteria are presented in Table 15.0-4. These acceptance criteria, followed, by how the NuScale Power Plant design meets them, are listed below.
: 1) Peak cladding temperature - The calculated maximum fuel element cladding temperature shall not exceed 2200 degrees F. The NuScale specific criterion is that MCHFR remains greater than 1.29 and the collapsed water level remains above the top of the active fuel.
: 2) Maximum cladding oxidation - The calculated maximum total oxidation of cladding shall not exceed 17 percent of the total cladding thickness before oxidation. The NuScale specific criterion is that MCHFR remains greater than 1.29 and the collapsed water level remains above the top of the active fuel.
: 3) Maximum hydrogen generation - The calculated total amount of hydrogen generated from the chemical reaction of the cladding with water or steam shall not exceed 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the fuel rod plenum volume, were to react. The NuScale specific criterion is that MCHFR Tier 2                                            15.6-18                                          Revision 4
 
This page replaces page 15.6-20 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                      Decrease in Reactor Coolant Inventory chamber orifice that connects to the RCS. The principle method to depressurize the control chamber is by opening the associated ECCS trip valve, which drains the RCS fluid in the chamber to the containment unless it is blocked by the IAB function. The control chamber fluid can also be drained as a result of a mechanical failure of the valve assembly.
If an ECCS trip valve opens, the IAB feature will stop the loss of fluid from the control chamber by blocking the trip line flow path if the differential pressure between the RCS and containment is greater than the IAB threshold. The threshold is determined by the opening force of a spring internal to the IAB device. The flowpath from the control chamber through the trip line is blocked by a rod in the IAB arming valve moving into its seat. The IAB is actuated by the differential pressure between the RCS on one side of the rod and the pressure in the trip line. When a trip valve opens, fluid drains into containment and the pressure in the trip line decreases, which creates a large differential pressure across the rod. When the force from the differential pressure across the rod is greater than the IAB spring force, the rod moves into its seat and blocks the control chamber fluid from exiting through the trip line. The pressure in the control chamber is maintained by fluid entering through the orifice from the RCS, which prevents the ECCS valve from opening.
The IAB function is a sub-component feature of an ECCS valve as discussed in Section 15.0.0.5. A failure of one of the IAB features on an ECCS valve could result in the opening of a single ECCS valve if an ECCS actuation signal is present or DC power (EDSS) is not available (causes trip valve to fail open). Since the IAB is treated as a component not subject to single failure (Reference 15.6-4), failure of this device is an initiating event. Depressurization of the valve control chamber by a mechanical failure of the valve assembly is a similar initiating event. The mechanical failure results in an ECCS valve opening independent of the status of an ECCS signal or DC power availability. Single active failures, discussed in Section 15.6.6.3, were considered in each of these events but did not result in more limiting results for the acceptance criteria.
The limiting event analyzed is a mechanical failure of the valve that depressurizes the control chamber at operating pressure.
The inadvertent opening of a single ECCS valve is not expected to occur during the lifetime of a module. However the event is conservatively categorized as an AOO, as indicated in Table 15.0-1.
The inadvertent opening of an RPV valve analysis evaluates the primary system response to the transient to verify that the event meets the acceptance criteria specified in Table 15.0-2.
15.6.6.2      Sequence of Events and Systems Operation Sensitivity analyses are performed to identify the limiting event for the inadvertent operation of an ECCS valve. The initiating event that results in the limiting MCHFR for this transient is the inadvertent opening of one RVV. However, it is of note that the resulting MCHFR is similar to that of the inadvertent opening of an RRV.
The sequence of events is provided in Table 15.6-15 with the remaining ECCS valves opening on high CNV level. ECCS valves may open earlier on low RCS pressure Tier 2                                            15.6-20                                          Revision 4
 
This page replaces page 15.6-21 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory actuation however this is well after MCHFR is reached. Unless otherwise specified, the analysis of an inadvertent opening of an RVV assumes the plant control systems and engineered safety features perform as designed, with allowances for instrument uncertainty. No operator action is credited to mitigate the effects of the event.
15.6.6.3      Core and System Performance 15.6.6.3.1        Evaluation Model The thermal hydraulic response to an inadvertent opening of an ECCS valve event exhibits unique transient progression relative to other AOO events analyzed for the NPM. This progression is divided into two phases:
* The first phase is initiated with an inadvertent opening of an RPV valve (RSV, RVV, or RRV) that results in a blowdown of the RCS into the containment vessel.
This breach can be characterized as a steam region breach (i.e., opening of an RSV or RVV) or a liquid region breach (i.e., opening of an RRV). For the limiting event of an inadvertent opening of an RVV, this phase ends when the remaining ECCS valves are actuated as designed by the MPS.
* The second phase begins with ECCS actuation through designed MPS operation and ends when the NPM reaches a safe, stable condition and transitions to long-term ECCS cooling.
These two phases align with the two phases of the LOCA transient progression for the NPM. The LOCA evaluation model and Reference 15.6-1 have:
* identified and ranked important phenomena which occur during these transient phases for the NPM,
* assessed NRELAP5 against separate effects tests and integral effects tests related to these phenomena,
* determined NRELAP5 to be applicable for evaluating these phenomena, and
* developed a conservative NRELAP5 input model for transient analyses which involve an un-isolatable decrease in the RCS inventory event (See Section 15.6.5).
Due to the phenomenological similarities to the LOCA pipe break events described in Section 15.6.5, the LOCA evaluation model, with modifications, is conservatively used in this analysis to evaluate the inadvertent opening of an RPV valve event, consistent with Appendix B of Reference 15.6-1.
15.6.6.3.2        Input Parameters and Initial Conditions The input parameters and initial conditions used in the evaluation of an inadvertent opening of an RVV are selected to provide a conservative calculation and to minimize the MCHFR. Unless otherwise specified, the analysis assumes that the plant control systems and engineered safety features perform as designed, with allowances for instrument uncertainty. No operator action is credited to mitigate the effects of an inadvertent opening of an RVV.
Table 15.6-16 provides inputs and assumptions. The following are key input parameters:
Tier 2                                            15.6-21                                          Revision 4
 
This page replaces page 15.6-24 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory secondary system isolation. The RCS and containment pressures are shown in Figure 15.6-57.
The rapid RCS depressurization causes voiding in the core and a momentary decrease in RCS flow (Figure 15.6-58 and Figure 15.6-59), leading to a reduction in CHFR (Figure 15.6-67 and Figure 15.6-68). Reactor power decreases during this time due to control rod insertion and negative void feedback, as seen in Figure 15.6-55 and Figure 15.6-60. Following the occurrence of transient MCHFR (Figure 15.6-67), a temporary increase in RCS flow is observed due to the increased density gradient from voiding in the riser (Figure 15.6-58).
The isolation of the secondary system from high containment pressure causes an increase in steam generator pressure, as seen in Figure 15.6-61. DHRS actuates on high main steam pressure, however, DHRS is conservatively not credited in the analysis. Heat transfer from the RCS to the secondary coolant isolated in the steam generator region is limited due to the decreasing RCS temperatures associated with decreasing pressure and saturation temperature. Steam generator pressure is not limiting for an inadvertent opening of an RPV valve event.
As primary coolant is released to the containment through the open RVV, the inventory level inside the containment increases (Figure 15.6-62). ECCS actuation occurs on the high containment water level signal. Pressure and temperature inside the RPV continue a gradual downward trend, as shown in Figure 15.6-57, Figure 15.6-63, and Figure 15.6-64.
After the remaining ECCS valves open and pressure equalizes across the RRVs, liquid coolant from the containment begins to flow into the RPV downcomer region. This establishes a two phase natural circulation loop through the ECCS valves with steam exiting the pressurizer area into containment through the RVVs and liquid returning from the containment to the RPV through the RRVs. Decay heat and residual heat is transferred from the containment to the reactor pool resulting in the pressure and the temperature inside the RPV and containment continuing to decrease.
The transient continues until stable ECCS cooling has been established and RCS pressure and temperature continues to decrease. The module remains in a safe condition with liquid level maintained above the top of the core through the entire transient. The minimum collapsed liquid level occurs once quasi-equilibrium conditions are established between the RPV and containment and is approximately 10 feet above the top of the active fuel. The fuel volume average temperature is shown in Figure 15.6-65 and fuel cladding temperature is shown in Figure 15.6-66.
The MPS is credited to protect the module in the event of an inadvertent opening of an RVV by the following MPS signals:
* high containment pressure, and
* high containment water level
* low RCS pressure No operator actions are credited for this event.
Tier 2                                          15.6-24                                          Revision 4
 
This page replaces page 15.6-38 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-12: Loss-of-Coolant Accident - Sequence of Events - Minimum Collapsed Level Above TAF Event                                                                                  Time (sec)*
Line break                                                                                  0 Loss of normal AC                                                                            0 High pressurizer pressure                                                                    8 Reactor Trip System actuation signal                                                        10 Reactor trip                                                                                12 High containment pressure                                                                  16 Containment isolation signal                                                                18 Containment isolation                                                                      20 Low pressurizer level (35%)                                                                1011 Low Low pressurizer level (20%)                                                            1750 High CNV water level ECCS actuation limit                                                  7202 ECCS actuates (RCS pressure drops below IAB threshold)                                    13547
                *Time rounded to the nearest second.
Tier 2                                                15.6-38                                    Revision 4
 
This page replaces page 15.6-40 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                  Decrease in Reactor Coolant Inventory Table 15.6-14: Loss-of-Coolant Accident - Results Minimum Collapsed Level Above TAF(1)
Parameter                                Acceptance Criteria              Value Minimum Collapsed Liquid Level                                              Above top of core              1.5 ft Minimum critical heat flux ratio                                                  >1.29                      1.74 Containment pressure(2)                                                        <1050 psia                  461 psia Containment temperature(2)                                                      <550 F                    434 &deg;F Notes:
(1) Values rounded (2) Section 6.2 contains the limiting containment analysis. The containment pressure and temperature reported here is from the limiting minimum collapsed liquid level scenario.
Tier 2                                                      15.6-40                                              Revision 4
 
This page replaces page 15.6-45 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-19: Loss-of-Coolant Analysis - Discharge Line Break Spectrum with Loss of AC Power Break Size (%)  Time of RTS (s) Time of ECCS        MCHFR        Peak CNV Pressure      Min Collapsed Valves                                (psia)          Level above TAF Opening (s)                                                    (ft) 100              5.3            650              1.73              735                  7.9 75              5.7            871              1.76              716                  7.7 50              6.7            1353              1.78              686                  7.2 35              7.9            1757              1.79              696                  6.8 20              11.7            2568              1.78              739                  5.9 10              12.7            6758              1.75              543                  4.4 5              11.9          14262              1.74              464                  4.0 2.2            11.6          27108              1.74              404                  4.4 Tier 2                                          15.6-45                                            Revision 4
 
This page replaces page 15.6-46 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-20: Loss-of-Coolant Analysis - Injection Line Break Spectrum with Loss of AC Power Break Size (%)  Time of RTS (s)  Time of ECCS        MCHFR        Peak CNV Pressure      Min Collapsed Valves                                (psia)          Level above TAF Opening (s)                                                    (ft) 100            7.6              908              1.81              892                  5.4 75            7.9              980              1.81              893                  5.3 50            8.8              1386              1.81              862                  3.8 35            10.2            1629              1.79              847                  3.7 20            13.4            2893              1.76              759                  3.4 10            12.4            6859              1.75              541                  1.7 5              11.9            13547              1.74              470                  1.7 2.2            11.6            24325              1.74              404                  3.1 Tier 2                                          15.6-46                                            Revision 4
 
This page replaces page 15.6-47 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-21: Loss-of-Coolant Analysis - High Point Vent Line Break Spectrum with Loss of AC Power Break Size (%)  Time of RTS (s) Time of ECCS          MCHFR        Peak CNV Pressure      Min Collapsed Valves                                (psia)          Level above TAF Opening (s)                                                    (ft) 100            5.9              514              1.78              690                  9.7 75            6.6              720              1.79              679                  9.7 50            8.2              1245              1.80              663                  9.7 35            10.7            2084              1.81              646                  9.7 20            18.8            4821              1.77              581                  9.7 10            15.1            12708              1.76              459                  8.6 5              12.8            27945              1.75              394                  6.3 2.2            11.9            48584              1.74              431                  5.8 Tier 2                                        15.6-47                                              Revision 4
 
This page replaces page 15.6-48 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-22: Loss-of-Coolant Analysis - Pressurizer Spray Supply Line Break Spectrum with Loss of AC Power Break Size (%)  Time of RTS (s) Time of ECCS        MCHFR        Peak CNV Pressure      Min Collapsed Valves (s)                            (psia)          Level above TAF (ft) 35              6.8            785              1.79              676                  9.7 Tier 2                                          15.6-48                                            Revision 4
 
This page replaces page 15.6-49 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-23: Loss-of-Coolant Analysis - Five-percent Injection Line Break with Evaluation of Electric Power Available Case        Time of RTS  Time of ECCS      MCHFR            Peak CNV        Min Collapsed Level (s)    Valve Opening                      Pressure (psia)      Above TAF (ft)
(s)
All power available      243          13359            1.82              443                  1.8 Loss of Normal AC      11.9        13547            1.74              470                  1.7 Power Loss of normal AC and      2          13375            1.81              459                  1.8 DC power Tier 2                                          15.6-49                                            Revision 4
 
This page replaces page 15.6-50 in Chapter 15, "Transient and Accident Analyses," Section 15.6, "Decrease in Reactor Coolant Inventory," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                    Decrease in Reactor Coolant Inventory Table 15.6-24: Loss-of-Coolant Analysis - Five-percent Injection Line Break with Loss of Normal AC Power Evaluation of Single Failure Scenario      Time of RTS (s)  Time of ECCS        MCHFR        Peak CNV        Min Collapsed Level Valves                      Pressure (psia)      Above TAF (ft)
Opening (s)
No failure        11.9            13547              1.74            470                  1.7 Failure of one RVV      11.9            13547              1.74            456                  1.6 to open Failure of one RRV      11.9            13547              1.74            484                  1.6 to open Failure of one RVV      11.9            13547              1.74            461                  1.5 and RRV to open Tier 2                                            15.6-50                                        Revision 4
 
This page replaces page 15.4-46 in Chapter 15, "Transient and Accident Analyses," Section 15.4, "Reactivity and Power Distribution Anomalies," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                              Reactivity and Power Distribution Anomalies Table 15.4-11: Control Rod Misoperation (15.4.3) - Limiting Analysis Results Acceptance Criteria                            Limit              Analysis Value MCHFR CRA misalignment                                                  1.284                    1.437 MCHFR Single CRA withdrawal                                              1.284                    1.375 MCHFR CRA drop                                                          1.284                    1.432 Peak LHGR CRA misalignment                                            19.7 kW/ft              8.39 kW/ft Peak LHGR Single CRA withdrawal                                      19.7 kW/ft              8.62 kW/ft Peak LHGR CRA drop                                                    19.7 kW/ft              8.59 kW/ft Tier 2                                          15.4-46                                              Revision 4
 
This page replaces page  in Chapter 1, "4XDOLW\$VVXUDQFHDQG5HOLDELOLW\$VVXUDQFH," Section 1, "5HOLDELOLW\$VVXUDQFH
Table 17.4-1: D-RAP SSC Functions, Categorization, and Categorization Basis (Continued)
Tier 2 NuScale Final Safety Analysis Report Function        SSC Required to Perform System Function                  Basis for Function System Function                              Category                                                                  Categorization (A1 & B1)
Steam Generator System (SGS)
* Supports RCS by supplying part of the RCPB                              A1
* Steam generator tubes                                  Determination by PRA and
* Steam generator tube supports                          concurrence by the expert panel
* Feedwater plenums                                      as being needed for maintaining
* Integral steam plenums                                RCPB integrity Reactor Core System (RXC)
* Supports control rod assembly (CRA) by providing control rod guide      A1
* Fuel assembly                                          Determination by PRA and tubes to receive and align the CRA                                                                                                      concurrence by the expert panel
* Supports RCS by containing fission products and transuranics within                                                                    as being needed for reactivity the fuel rods to minimize contamination of the reactor coolant                                                                          control, radioactivity control,
* Supports RCS by maintaining a coolable geometry                                                                                        and removing fuel assembly heat Control Rod Drive System (CRDS)
* Supports CRA by releasing control rod during a reactor trip            A1
* Control rod drive shafts                                Determination by PRA and 3URJUDP," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
17.4-9
* Control rod drive latch mechanism                        concurrence by the expert panel as being needed for reactivity control Reactor Coolant System (RCS)
* Supports RXC by removing heat to ensure core thermal design limits    A1    All RCS SSC with the exception of the following:          Determination by PRA and are not exceeded
* Wide range RCS cold leg temperature element            concurrence by the expert panel
* Supports CNT by supplying the RCPB and a fission product boundary
* Reactor safety valve position indicator                as being needed for removing via the RPV and other appurtenances                                                                                                    fuel assembly heat, maintaining
* Pressurizer vapor temperature element
* Supports MPS by providing instrument information signals for MPS                                                                        containment and RCPB integrity,
* Pressurizer control cabinet actuation                                                                                                                              radioactivity control, and
* Pressurizer heater power cabling from MPS breaker to    reactivity control
* Supports CRDS by the RPV and the reactor vessel internals                      pressurizer heaters supporting and aligning the control rods
* Pressurizer liquid temperature element Reliability Assurance Program
* Supports ECCS by providing mechanical support for the ECCS valves
* Narrow range RCS cold leg temperature element
* Supports in-core instrumentation (ICI) by providing structural
* Pressurizer heater power cabling from low voltage AC support of the ICI guide tubes electrical distribution system breaker to MPS breaker
* Supports RXC by the reactor vessel internals providing mechanical
* Reactor vessel internals upper riser bellows-vertical support to orient, position, and seat the fuel assemblies expansion structure
* Supports SGS by providing physical support for the steam generator Revision 4 tube supports and for the integral steam and feed plenums
* Supports RXC by containing and mixing soluble neutron poison
 
The CVCS--ALOCA-COC event tree, provided in Figure 19.1-2, illustrates the accident sequence logic for an IE that involves a CVCS injection line break outside of the CNV. The distinguishing characteristic of this initiator is that CVCS makeup cannot be credited to provide RCS inventory because of the break location.
If an injection line pipe break outside containment were to occur, the expected module response is a reactor trip due to low pressurizer level or low pressurizer pressure, isolation of the break in the CVCS line and actuation of the DHRS with the result that the reactor reaches a safe, stable condition by natural recirculation through the DHRS without operator action (Sequence 1).
If CIVs close but both trains of DHRS are unavailable, then heat-up of primary coolant and pressurization of the RPV occurs to the point of RSV demand. If one RSV successfully opens, the RCS will depressurize and ECCS will be demanded.
Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration (Sequence 2). Unsuccessful ECCS valve opening leads to core damage (Sequence 3).
Failure of both RSVs to open prevents the ECCS valves from opening due to the ECCS inadvertent actuation block. There is no credit for operator action to mitigate this event. Continued pressurization of the RPV would occur until there is a breach in the pressure boundary. Reactor coolant would be expelled into the CNV through the failed boundary, reducing coolant water level and resulting in eventual core damage and evaluation in the Level 2 analysis (Sequence 4).
For sequences in which isolation of the injection line break has failed, the discharge of reactor coolant would necessitate inventory addition to avoid core damage. Because of the initial loss of RCS inventory in a CVCS injection line break, DHRS is also needed to reduce RPV pressure and the rate of coolant loss. Operator intervention to establish flow from the CFDS to the RPV would avoid core damage in combination with passive cooling through ECCS operation (Sequence 5). A failure of CFDS or ECCS would mean that there would be insufficient RPV water to facilitate passive cooling and result in core damage (Sequences 6 and 7).
The event tree consists of twelve accident sequences. Eight sequences involve successful actuation of the reactor trip system (RTS). The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is similar to the non-ATWS response; one exception is that DHRS is not considered because, for an ATWS, a demand for an RSV is not avoided with successful DHRS operation. Therefore, the results are the same with DHRS success or failure. Further, the CFDS is not credited to mitigate an 2                            19.1-14                                        Revision 4
 
guarantee success.
CVCS--ALOCA-LOC: CVCS Letdown (Discharge) Line Pipe Break Outside Containment The CVCS--ALOCA-LOC event tree, provided as Figure 19.1-3, illustrates the accident sequence logic for an IE that involves a break in the CVCS piping downstream of the discharge containment isolation valve. The module response to a CVCS--ALOCA-LOC initiator is similar to that described for a CVCS--ALOCA-COC except that CVCS makeup can be credited because RCS inventory makeup is possible by establishing CVCS makeup to the RPV after reopening the appropriate CIVs.
With a CVCS discharge line pipe break occurring outside containment, the expected module response is a reactor trip due to low pressurizer level or low pressurizer pressure, isolation of the break in the CVCS line and actuation of the DHRS with the result that the reactor reaches a safe, stable condition by natural recirculation through the DHRS without operator action (Sequence 1).
The module response is similar to the response to a CVCS injection line break in terms of DHRS, reactor safety valve, ECCS, and CFDS functions with the difference that DHRS is not needed to mitigate unisolated discharge line break with successful operation of both CFDS and ECCS. Because the break has occurred in the discharge line, flow through the CVCS injection line or the CVCS pressurizer spray line can be credited for makeup for this IE.The potential for inventory addition through the CVCS is reflected in top event CVCS-T01.
The event tree consists of sixteen accident sequences. Ten sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is similar to the non-ATWS response; one exception is that DHRS is not considered because an RSV is demanded irrespective of DHRS success and successful RSV with successful ECCS operation is sufficient to maintain core cooling (Sequence 11). Further, the CFDS is not credited to mitigate an unisolated break if the reactor fails to trip; that is, given the additional power due to the ATWS, the containment flooding and drain system does not guarantee success.
CVCS--ALOCA-CIC: CVCS Charging (Injection) Line LOCA Inside Containment The CVCS-ALOCA-CIC event tree, provided in Figure 19.1-4, illustrates the accident sequence logic for an IE that involves a break in the CVCS injection line between the inboard containment isolation valve and the RPV. In this situation, primary coolant inventory inside the RPV discharges into the sub-atmospheric CNV through the break.
2                            19.1-15                                        Revision 4
 
reaching the containment pressure setpoint. Reaching the containment pressure setpoint also initiates containment isolation, which is modeled in the Level 2 event tree. Discharge of reactor coolant into the CNV would continue because the flow cannot be isolated. The reduction in RPV water level and RCS pressure would eventually result in an ECCS demand. Heat removal by natural circulation then occurs to place the module in a safe, stable condition (Sequence 1).
In the event of ECCS failure, the last top event (CVCS-T04) models potential compensatory measures carried out by operators to inject makeup water to the RPV. For CVCS-T04 success, DHRS is required and a flow path would need to be established through the pressurizer spray supply lines after diagnosing that the in-containment LOCA is due to the CVCS injection line break. The operator action requires re-opening CIVs, aligning a flowpath from the demineralized water system (DWS), activating a makeup pump, and switching over to the pressurizer spray lines (Sequence 2). An unsuccessful CVCS injection leads to core uncovery and evaluation in the Level 2 analysis (Sequence 3). Without DHRS heat removal, makeup coolant would be insufficient to prevent core uncovery and damage (Sequence 4).
The event tree consists of eight accident sequences. Four sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is identical to the non-ATWS response.
RCS---ALOCA-IC: LOCA Inside Containment The RCS---ALOCA-IC event tree, provided as Figure 19.1-5, illustrates the accident sequence logic for an IE that involves an RPV steam or water line break, spurious opening of an RSV, or LOCA resulting from a failure in a pressurizer heater penetration. These events result in RCS inventory loss that cannot be isolated and RCS fluid is retained inside the CNV.
The accident progression and expected module response is similar to initiating event CVCS-ALOCA-CIC. The last top event (CVCS-T01) models potential operator action to inject makeup water to the RPV from the CVCS injection line following ECCS failure. This operator action requires re-opening CIVs, aligning a flowpath from the DWS and activating a makeup pump.
The event tree consists of six accident sequences. The module response to an ATWS is identical to the non-ATWS response.
ECCS--ALOCA-RV1: Spurious Opening of an ECCS Valve The ECCS--ALOCA-RV1 event tree, provided as Figure 19.1-6, illustrates the accident sequence logic for an IE that involves the spurious opening of an ECCS 2                          19.1-16                                      Revision 4
 
been included in the loss of RCS inventory category that has been given the shortcut name of LOCA even though the spurious opening of an ECCS valve is not by definition a LOCA. The event tree is developed separately from the other inside containment loss of RCS inventory initiators because of the impact on the operation of the ECCS. That is, if the initiator is an open RVV, ECCS mitigating system failures are limited to other failures, not including the RVV.
The event tree has a logic structure similar to the CVCS--ALOCA-CIC event.
There are six accident sequences and the module response to an ATWS is identical to the non-ATWS response.
MSS---ALOCA-SG: Steam Generator Tube Failure The MSS---ALOCA-SG event tree, provided as Figure 19.1-7, illustrates accident sequence logic for an IE that involves an SGTF. For an SGTF, the general accident scenario description is that a single tube fails; in such an event, higher pressure on the outside of the tube forces primary coolant into the failed tube and coolant inventory is potentially lost outside of the containment through the main steam line. In contrast to currently operating plants, the steam generator tubes are in compression (i.e., secondary coolant is on the inside of the tubes and primary coolant is on the outside); thus, multiple tube failures are not judged to be a credible IE.
The expected response to an SGTF is a reactor trip on low pressurizer level or low pressurizer pressure, followed by a containment isolation signal due to low-low pressurizer level. Containment isolation, among other protective actions, would close the MSIVs and the FWIVs on both steam generators. The low-low pressurizer level actuates containment isolation and subsequent high main steam pressure actuates DHRS. With the reactor tripped, the affected steam generator (indicated as #2 in the event tree) isolated, and a single train of DHRS in service on the intact steam generator, the module reaches a safe and stable configuration (Sequence 1).
Failure of the DHRS train on the intact steam generator would result in heat-up of primary coolant and pressurization of the RPV to the point of RSV demand. If one RSV successfully opens, the RCS will depressurize and ECCS will be demanded. Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration (Sequence 2).
Failure of the ECCS valves to open as designed could be compensated by operator action to inject makeup water to the RPV from the CVCS, as illustrated by Sequence 3. This operator action requires re-opening CIVs, aligning a flow path from the DWS and activating a makeup pump. Sequence 4 represents unsuccessful injection of makeup water to the RPV.
2                          19.1-17                                        Revision 4
 
pressure continues to increase and core damage ensues (Sequence 5).
If the SGTF were not isolated, as illustrated by Sequences 6 through 10, there is a loss of coolant path and the need for makeup water. Makeup water can be provided by the operator realigning and initiating the CVCS for injection.
Success requires at least one of two CVCS pumps to inject makeup inventory through the injection line (Sequences 6 and 9). If CVCS failure were to occur, an alternate method of inventory addition could be implemented using the CFDS and ECCS, as indicated by Sequence 7. Success of the CFDS requires the operator to align and start at least one of two available containment fill pumps and open two isolation valves. Failure of CFDS or failure of ECCS results in core damage (Sequences 8 and 10).
The event tree consists of sixteen accident sequences. Ten sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is similar to the non-ATWS response; one exception is that DHRS is not considered because an RSV is demanded irrespective of DHRS success. Further, the CFDS is not credited to mitigate an unisolated break if the reactor fails to trip; that is, given the additional power due to the ATWS, the containment flooding and drain system does not guarantee success.
TGS---FMSLB-UD: Secondary Side Line Break The event tree TGS---FMSLB-UD--ET, provided as Figure 19.1-8, illustrates the accident sequence logic for an IE that involves a pipe break in feedwater, main steam, or decay heat removal systems.
The expected module response to this initiator depends on the location of the secondary line break, with the initial module response being a reactor trip. For breaks occurring inside containment, a reactor trip signal is expected on high containment pressure. For main steam line or DHRS steam line breaks outside containment, a reactor trip signal is expected on low steam pressure or high reactor power. For feedwater line or DHRS condensate line breaks outside of containment, a reactor trip signal is expected on high pressurizer pressure.
Following the reactor trip, successful DHRS operation (without an RSV demand) would remove decay heat to the reactor pool by natural circulation to cool the module to a safe, stable configuration (Sequence 1). If an RSV is demanded to open following success of DHRS, reclosure of the RSV leads to a safe, stable configuration (Sequence 2). If an RSV sticks open, ECCS can provide heat removal (Sequence 3). If ECCS does not initiate, the operator can add inventory with CVCS (Sequence 4). If the operator is unsuccessful, the core continues to heat up without the removal of decay heat leading to core damage and evaluation in the Level 2 analysis (Sequence 5).
2                          19.1-18                                          Revision 4
 
successfully opens, the RCS will depressurize and ECCS will be demanded.
Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration (Sequence 6).
Failure of the ECCS valves to open as designed could be compensated by operator action to inject makeup water to the RPV from the CVCS. This action includes the need to align the flow path from DWS to the RPV and activate a CVCS makeup pump. (Sequence 7). Unsuccessful operator action leads to core damage (Sequence 8).
Given DHRS failure, if both RSVs fail to open, the RPV remains at high pressure and opening of the ECCS valves is prevented due to the IAB. The RPV pressure continues to increase and core damage ensues (Sequence 9).
The event tree consists of thirteen accident sequences. Nine sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is identical to the non-ATWS response except that DHRS is not considered because RSVs are demanded irrespective of DHRS success.
EHVS--LOOP: Loss of Offsite Power The EHVS--LOOP event tree, provided as Figure 19.1-9, illustrates the accident sequence logic for an initiating event that involves the loss of offsite power (LOOP). The LOOP event occurs when the connection to the transmission grid is lost; without island mode, the 13.8 kV and switchyard system (EHVS), the medium voltage AC electrical distribution system (EMVS), and the low-voltage AC electrical distribution system (ELVS) alternating current (AC) buses would eventually deenergize due to the loss of load on and power from the turbine generator system (TGS). The PRA analysis does not model operations using the island mode capability described in Section 8.3. Any NPM operating in island mode would be a source of normal AC power. A LOOP, as used in the PRA analysis, would, without island mode, result in a loss of normal AC power.
The expected module response to a LOOP is startup of the auxiliary AC power source (AAPS) or a backup diesel generator (BDG). For the PRA model, the AAPS is assumed to be a combustion turbine generator (CTG). Use of a CTG or BDG is illustrated by Figure 19.1-9 Sequences 1 and 2, respectively. Starting and loading either the CTG or a BDG requires operator action. If either of these AC power sources is restored, the event appears as a transient; thus, the sequences transfer to the TGS-TRAN-NPC event tree provided as Figure 19.1-11.
Sequences 3 through 13 evaluate the module response without either the offsite or onsite AC sources, that is, a "loss of all AC." Section 8.4 discusses the design capability with respect to "Station Blackout" as defined by 10 CFR 50.63.
2                          19.1-19                                          Revision 4
 
result that the reactor reaches a safe condition by natural recirculation through the DHRS without operator action. If AC power is restored within 24 hours, the module reaches a long term safe and stable configuration without an ECCS demand, as indicated by Sequence 3. If AC power is not restored within 24 hours, ECCS automatically opens to the fail-safe condition and the module is in a safe configuration (Sequence 4). An incomplete ECCS actuation leads to core damage (Sequence 5).
If an RSV opens and closes to control RPV pressure, Sequences 6, 7, and 8 mirror sequences 3, 4, and 5. Failure of an RSV to re-close results in an open path of steam to containment which leads to a reduction in RPV water level and RCS pressure to the point of triggering a demand for ECCS actuation. Successful ECCS actuation leads to the OK end state (Sequence 9). Failure of ECCS to function as a recirculation path represents a continuation of inventory loss from the RCS through the stuck open RSV, excessive heat-up of the core and eventual core damage as indicated by Sequence 10. With the loss of power, makeup inventory from the CVCS or CFDS is not available.
If both trains of DHRS fail, heat-up of the primary coolant and pressurization of the RPV continues to the point of RSV demand. If one RSV successfully opens, the RCS will depressurize and ECCS will be demanded. Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration (Sequence 11). Unsuccessful ECCS valve opening leads to core damage (Sequence 12).
Given DHRS failure, if both RSVs had failed to open when demanded to relieve reactor pressure, the ECCS inadvertent actuation block would prohibit the ECCS valves from opening. With AC power unavailable, the CVCS is precluded from operating and acting as a heat sink. Failure to remove decay heat results in the RPV pressurizing until there is a breach in the pressure boundary. Reactor coolant would be expelled into the CNV through the failed boundary, reducing coolant water level and resulting in core damage as indicated by Sequence 13.
The event tree consists of sixteen accident sequences. The first two sequences result in transfers to the general reactor trip event tree in Figure 19.1-11 reflecting that AC power is available from an onsite source. For scenarios where AC power is not available, eleven sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is identical to the non-ATWS response except that DHRS is not considered because RSVs are demanded irrespective of DHRS success.
2                            19.1-20                                        Revision 4
 
The EDSS--LODC event tree, provided as Figure 19.1-10, illustrates the accident sequence logic for an initiating event that involves the loss of DC power. The loss of DC power initiating event involves the coincident de-energization of at least two EDSS buses up to all four EDSS buses. At least two of the four EDSS buses are required to fail simultaneously in order for the reactor trip signal and engineered safety features to be actuated. If all four EDSS buses de-energize concurrently then indication and control from the main control room (MCR) would be lost and no operator intervention is credited. This is modeled using a conditional basic event in the fault tree logic for top event CVCS-T05 that accounts for the fraction of the initiating event frequency represented by a common cause failure (CCF) of four EDSS buses.
The expected module response to the loss of AC voltage to two or more EDSS buses would be a reactor trip signal, containment isolation signal and ECCS actuation signal, due to the MPS two-out-of-four voting trip determination logic. The engineered safety features signal would actuate the DHRS as well as close the CIVs, MSIVs, and the FWIVs. The DHRS would suffice as a heat sink until this configuration is interrupted by the opening of the ECCS valves. The IAB feature would prevent opening the ECCS valves until the differential pressure between the RPV and CNV reduces below the setpoint. Successful ECCS valve opening provides sufficient natural recirculation cooling to cool the module to a safe, stable configuration (Sequence 1).
An incomplete ECCS actuation could be compensated by operator intervention to inject makeup water to the RPV from the CVCS (CVCS-T05). However, this operator action can be accomplished only if there is MCR panel indication necessitating control power through at least one online EDSS bus (Sequence 2). Failure of this action, or the inability to take action due to a complete loss of DC power, results in core damage as illustrated by Sequence 3.
If both trains of DHRS fail, heat-up of the primary coolant and pressurization of the RPV continues to the point of RSV demand. If one RSV successfully cycles open and closed, sufficient heat is removed through containment into the reactor pool by natural circulation to cool the module. This cooling method is interrupted by ECCS valve opening when the RPV pressure is reduced below the IAB setpoint. Successful opening of ECCS valves results in a safe configuration as indicated by Sequence 4. Incomplete ECCS valve opening can be compensated by operator intervention to inject water with the CVCS (Sequence 5). Failure of both ECCS and CVCS makeup results in core damage (Sequence 6).
Given DHRS failure, if both RSVs had failed to open when demanded to relieve reactor pressure, the ECCS inadvertent actuation block would prohibit the ECCS valves from opening. Failure to remove decay heat results in the RPV pressurizing until there is a breach in the pressure boundary. Reactor coolant 2                            19.1-21                                        Revision 4
 
The event tree consists of 10 total accident sequences. Seven sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The expected module response is heat transfer to the reactor pool by a cycling RSV. Three end states are modeled for ATWS. Sequence 8 represents the successful operation of ECCS when the IAB setpoint is reached. Sequences 9 and 10 lead to core damage from an unsuccessful ECCS valve opening or core damage due to RPV overpressurization, respectively.
TGS---TRAN--NPC: General Reactor Trip The TGS---TRAN-NPC event tree, provided as Figure 19.1-11, illustrates the accident sequence logic for an initiating event that involves a general reactor trip. Transients include events such as a loss of feedwater flow, loss of main condenser vacuum, loss of cooling water systems, and a manual trip. The key characteristic of a general reactor trip is the availability of PRA-modeled support systems such as AC power and instrument air.
The general reactor trip would cause an imbalance between the heat generated by the fuel and that being rejected through the turbine generator and main condenser. The expected module response to this imbalance would be an increase in pressurizer pressure resulting in a reactor trip signal and DHRS actuation, without RSV demand, to place the module in a safe configuration, as indicated by Sequence 1. If only a single train of DHRS is functioning and is demanded on high pressurizer pressure, it may not remove heat quickly enough to prevent RPV pressure from reaching the RSV setpoint, thus, successful RSV functioning may be needed to place the module in a safe configuration as indicated by Sequence 2. Failure of an RSV to reclose would lead to ECCS actuation (Sequence 3), or if ECCS fails to function, inventory addition from the CVCS is required to place the module in a safe configuration as indicated by Sequence 4. Failure to add inventory from the CVCS results in core damage (Sequence 5).
If both trains of DHRS fail, heat-up of the primary coolant and pressurization of the RPV continues to the point of RSV demand. If one RSV successfully opens, the RCS will depressurize and ECCS will be demanded. Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration as indicated by Sequence 6. Failure of ECCS valves to open as designed could be compensated by operator actions to inject makeup water to the RPV from the CVCS, as illustrated by Sequence 7. Sequence 8 represents unsuccessful injection of makeup water to the RPV.
If both RSVs had failed to open when demanded to relieve reactor pressure, the ECCS inadvertent actuation block would prohibit the ECCS valves from 2                          19.1-22                                          Revision 4
 
point of breach (Sequence 9). Sequence 10 represents the failure to flood the CNV with CFDS leading to RPV overpressurization.
The event tree consists of nineteen accident sequences. Ten sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is identical to the non-ATWS response except that RPV pressure reaches the RSV setpoint and thus, RSV opening is demanded. In addition, normal operation of the CVCS pressurizer spray and CVCS discharge is capable of preventing RPV over-pressurization following an ATWS event with success of one train of DHRS and failure-to-open of both RSVs.
TGS---TRAN---NSS: Loss of Support Systems The TGS---TRAN---NSS event tree, provided as Figure 19.1-12, illustrates the accident sequence logic for an IE that involves loss of support systems causing unavailability of CVCS or CFDS for inventory addition. The loss of a support system IE includes events such as the loss of instrument air or multiple AC power buses (i.e., EHVS, EMVS, ELVS) that result in a reactor trip.
A reactor trip is expected on a low AC voltage or high steam pressure due to closure of the MSS secondary isolation valves. The expected module response is a reactor trip with DHRS operation removing decay heat. If the RPV pressure does not increase to the point of RSV demand and the module reaches a safe, stable configuration (Sequence 1). If only a single train of DHRS is functioning and is demanded on high pressurizer pressure, it may not remove heat quickly enough to prevent RPV pressure from reaching the RSV setpoint, thus, successful RSV functioning would be needed to place the module in a safe configuration as indicated by Sequence 2. Failure of an RSV to reclose would lead to an ECCS demand; if ECCS is successful, core damage is prevented (Sequence 3). If ECCS fails to function, core damage occurs as indicated by Sequence 4 because CVCS is assumed not to be available due to loss of a support system.
If both trains of DHRS fail, heat-up of the primary coolant and pressurization of the RPV continues to the point of RSV demand. If one RSV successfully opens, the RCS will depressurize and ECCS will be demanded. Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration as indicated by Sequence 5. Failure of the ECCS would result in core damage, as illustrated by Sequence 6.
Given DHRS failure, if both RSVs had failed to open when demanded to relieve reactor pressure, the ECCS inadvertent actuation block would prohibit the ECCS valves from opening. For this event, containment flooding is not credited 2                          19.1-23                                      Revision 4
 
The event tree consists of ten accident sequences. Seven sequences involve successful actuation of the RTS. The remaining sequences involve failure of the RTS and depict the module response to an ATWS. The ATWS response is identical to the non-ATWS response except that DHRS is not considered because RSVs are demanded irrespective of DHRS success.
1.4.1.1.5 Data Sources and Analysis This section provides the sources of numerical data used in the Level 1 PRA.
Initiating event frequencies, component failure rates, equipment unavailabilities, human error probabilities, and common-cause failure parameters are discussed.
Initiating Event Frequencies Each of the IE categories in Table 19.1-8 is represented by one or more initiating events that are used in the PRA. Each initiating event represents a grouping of potential module events that require a reactor trip or controlled shutdown and is associated with a common module response. Initiating event frequencies are typically developed using Bayesian estimation methods. This statistical inference methodology employs generic industry "prior" data and plant-specific data to produce a posterior distribution of event frequency using Bayes' Theorem. NuScale does not have operating experience to draw from. As such, most initiating event frequencies are estimated based solely on the generic prior of a parameter's value. Failure rate data collected by the NRC through Licensee Event Reports (LERs) from the U.S. nuclear industry serve as the basis of prior information. Studies of NuScale-specific advanced system design features (e.g., helical-coil steam generator tubes) were performed to support the development of initiating event frequencies. Initiating event frequencies are provided in terms of occurrences per module critical year (mcyr); the analysis assumes a module availability of 100 percent. Table 19.1-8 provides the mean frequency and error factors for each initiator. The following summarizes the method for assessing frequencies for each initiator.
As indicated in Table 19.1-8, the Loss-of-Coolant Accident category includes primary coolant leakage from piping and components as well as inadvertent valve openings in the reactor coolant pressure boundary. Different initiating events are defined based on the location of the break, or on the type of valve that opens, and on the mitigation capability following the occurrence. Unlike typical currently operating plants, it is unnecessary to define LOCAs by size because the makeup capability is sufficient for all break sizes and inadvertent valve opening, that is, the passive ECCS functions in the same manner to mitigate all break sizes and inadvertent (single) valve opening inside containment.
2                                  19.1-24                                      Revision 4
 
calculation of the IE frequency is based on generic prior data using the mean pipe failure rates for "external leak large" and "external leak small" of non-emergency service water piping found in NUREG/CR-6928. The failure rates in NUREG/CR-6928 are given in terms of occurrences (i.e., leaks) per foot per hour. This is converted to occurrences per module critical year by multiplication with approximate line lengths and the number of hours in a year. The prior distributions are combined by summation and this result is fitted to a lognormal distribution.
* IE-CVCS--ALOCA-LOC: This initiator consists of RCS discharge line breaks outside of containment. The calculation of the IE frequency is based on generic prior data using the mean pipe failure rates for "external leak large" and "external leak small" of non-emergency service water piping found in NUREG/CR-6928. The failure rates in NUREG/CR-6928 are given in terms of occurrences (i.e., leaks) per foot per hour. This is converted to occurrences per module critical year by multiplication with approximate line lengths and the number of hours in a year. The prior distributions are combined by summation and this result is fitted to a lognormal distribution.
* IE-CVCS--ALOCA-CIC: This initiator consists of an RCS injection line break inside containment. The calculation of the IE frequency is based on generic prior data using mean pipe failure rates for "external leak large" and "external leak small" of non-emergency service water piping, found in NUREG/CR-6928. The failure rates in NUREG/CR-6928 are given in terms of occurrences (i.e., leaks) per foot per hour. This is converted to occurrences per module critical year by multiplication with approximate line lengths and the number of hours in a year. The prior distributions are combined by summation and this result is fitted to a lognormal distribution.
* IE-RCS---ALOCA-IC: This initiator consists of either a break in the RCS discharge line inside containment, a break in the pressurizer spray supply line inside containment, a break in the RPV high point degasification line, a spurious operation of an RSV, or a resultant LOCA from the pressurizer heaters failing to trip, post-transient, causing a pressurizer heater penetration failure. (An RCS injection line break inside containment is covered by the IE-CVCS--ALOCA-CIC initiator). The calculation of the IE frequency is based on generic prior data using mean pipe failure rates for "external leak large" and "external leak small" of non-emergency service water piping found in NUREG/CR-6928. The failure rates in NUREG/CR-6928 are given in terms of occurrences (i.e., leaks) per foot per hour. This is converted to occurrences per module critical year by multiplication with approximate line lengths and the number of hours in a year. The failure rate for the spurious operation of a safety relief valve or code safety of the RCS is found in NUREG/CR-6928. There are two reactor safety valves on the RPV.
The failure rate for the induced LOCA resulting from the pressurizer heaters failing to trip is calculated based on the general transient IE frequency, using a developed fault tree. The prior distributions are combined by summation and this result is fitted to a lognormal distribution.
2                          19.1-25                                        Revision 4
 
The IE frequency is quantified using a fault tree model that analyzes the failure mechanisms that could result in a spurious opening of an ECCS valve.
As indicated in Table 19.1-8, the SGTF is given a separate category because of its characteristic of coincidentally breaching the reactor coolant pressure boundary and challenging the secondary side heat sink.
* IE-MSS---ALOCA-SG: This initiator is an SGTF. The operating environment of the NuScale design for the steam generators is opposite that of most existing PWRs. In the NuScale design, secondary coolant flows through the steam generator tubes. Therefore, the higher pressure is external to the tubes and the force exerted is a compression on the tubes rather than internal tension burst pressure on the tube walls such as for typical PWRs.
In addition to this operational environment difference, the NuScale design is helical as opposed to the U-shaped or once-through tube design of PWR steam generators. Fretting and other wear characteristics are expected to be different in the NuScale design. Design differences were taken into consideration in an independent study commissioned by NuScale investigating the NuScale helical coil. The IE frequency is based on that study, which employs a probabilistic physics of failure method to account for those degradation mechanisms that are relevant to the NuScale design.
As indicated in Table 19.1-8, the Secondary Side Line Break category considers pipe breaks and significant leaks in the main steam, feedwater, and decay heat removal lines, as well as spurious operation of the main steam safety valves inside and outside containment.
* IE-TGS---FMSLB-UD: This initiator consists of the ways in which a pipe leak can occur in the main steam, feedwater, or DHRS lines. An independent study, commissioned by NuScale, was performed to estimate the frequency for a secondary side line break given NuScale-specific system design.
Degradation mechanisms were evaluated to obtain design-centric data sets by screening out the mechanisms not applicable to the design. Field experience data and failure rate information form the basis of estimating conditional rupture probabilities given size, component type, and degradation mechanism. The likelihood of a pipe flaw propagating to a significant structural failure is expressed by the conditional failure probability. The frequency of pipe breaks is then summed for the conditional rupture probabilities and corresponding component types.
As indicated in Table 19.1-8, the Loss of Electric Power category consists of a LOOP and a loss of DC power. The LOOP initiating event depicts a loss of AC power to plant transformers. The category includes plant-centered, switchyard-centered, grid-centered, and weather-related LOOP events. The loss of two or more DC buses has been included as a unique initiator, "Loss of DC Power," for this category.
2                            19.1-26                                        Revision 4
 
entire data set from 1997 through 2014 reported in INL/EXT-16-37873 (Reference 19.1-24). The generic prior data consist of NRC data records that account for LOOP contributions: switchyard, weather-related, grid, and plant-centered events during power operation. The operating experience from the four categories is retained in the LOOP frequency estimation because the full prior dataset is considered appropriate for a plant that does not yet have a selected site in the United States. The data are assumed to fit a lognormal distribution.
* IE-EDSS--LODC---: This initiator represents a de-energization of at least two highly reliable DC buses. A loss of two of four buses initiates a signal for reactor shutdown and containment isolation. The IE has been quantified by reviewing past U.S. nuclear power plant operating experience for occurrences of DC bus failure. This review yielded two occurrences in over 5000 years of bus operating years. A failure rate of two or more buses deenergizing due to a common cause was calculated using generic alpha factors.
As indicated in Table 19.1-8, the Transients category includes internal initiating events that are not included in the other categories. Such events result in a reactor shutdown, and may or may not have support systems available. Transients that result in automatic trip or immediate operator action to trip the reactor are included.
* IE-TGS---TRAN-NPC: This initiator represents plant transients that necessitate a shutdown of the reactor and that have not already been covered by other IEs. The calculation of the IE frequency is based on prior experience of PWRs in the United States from 1988 to 2013. The source of prior data is a collection of event types taken from the 2013 update of Reference 19.1-11. The event types postulated to contribute to a loss of component cooling water, loss of feedwater, loss of condenser heat sink, and general transients at PWRs are included. The data are assumed to fit a lognormal distribution.
* IE-TGS---TRAN-NSS: This initiator represents the loss of support systems such as a partial loss of AC power and loss of instrument air thereby leading to the unavailability of the CVCS and the CFDS to provide inventory. The calculation of the IE frequency is based on prior data of event types taken in the United States from 1988 to 2013. The event types postulated to contribute to a loss of support system events are a partial loss of AC power and a loss of instrument air. The data are assumed to fit a lognormal distribution.
2                            19.1-27                                      Revision 4
 
Most basic events in the NuScale PRA are based on generic failure probabilities.
A few basic events use modified generic values and a smaller number are based on analyses that are developed to reflect a unique design feature. The components modeled in the PRA range from relatively small items such as breakers, to larger equipment such as pumps. These components can fail due to random causes, related or CCF, or unavailability due to testing and maintenance activities.
The general approach to quantifying component unreliability is summarized as:
: 1) Specify component boundaries: The boundary for modeled components are set to match the component boundaries associated with the generic data of NUREG/CR-6928.
: 2) Compare the NuScale plant-specific design with the industry generic data for consistency.
: 3) If the industry generic data are not appropriate for the NuScale design, then generic data are modified to better represent the design, or special analyses are performed to characterize the component failure probabilities.
Following the guidance in NUREG/CR-6928, beta and gamma distributions were used to model uncertainties in the basic event parameters. Beta distributions were used for demand failure probabilities such as fail to start, fail to open or close. Gamma distributions were used for time-based events such as fail to run, fail to remain open, spurious operation.
Table 19.1-9 identifies failure rates that were developed by modifying generic data to better represent the NuScale design. The table indicates the source of the underlying generic data as well as a summary of the use of the modified data in the PRA.
Table 19.1-10 identifies failure rates for basic events that do not have generic data directly applicable to the NuScale design. These basis events may include component level, system level, and phenomenology dependent events. The table indicates the mean failure rate and associated error factors.
Thermal-Hydraulic Uncertainty Because NuScale passive safety systems rely on natural circulation of reactor coolant rather than forced flow, the relatively low driving forces introduce thermal-hydraulic uncertainty that is considered in the system reliability assessment in addition to the component failure rates. Unlike component failure rate modeling, which is based in large part on operating experience, 2                            19.1-28                                      Revision 4
 
program.
Key Insights There are primarily two phenomena and three systems that underlie the very low risk of a NuScale module.
Key Phenomena A large negative moderator temperature coefficient (MTC) and passive heat removal capability (from the RPV to the CNV and from the CNV to the reactor pool) are important phenomenological characteristics of the design.
At full power, the core exhibits a large positive moderator density coefficient (negative MTC), even at beginning of cycle conditions. As a result, the core is rendered subcritical shortly after a loss of normal feedwater, even without inserting control rods (i.e., an ATWS). The long-term ATWS response is unique because of the excess heat transfer capacity of the passive cooling systems. This excess heat transfer results from the relatively small core size, a large coolant-to-power ratio, and the efficient passive heat transfer systems. Return to power occurs only after passive heat transfer to the UHS has been established. The strong negative reactivity feedback and large coolant-to-power ratio ensure that the core fission power increases to meet the passive heat removal capacity, but does not exceed it.
The resulting fission power is easily accommodated by the UHS, and the core is cooled. The effect of the strong negative reactivity feedback phenomena is reflected in the PRA model in that the event tree accident sequence structure is similar for both the success and failure of reactor trip.
Facilitating passive heat transfer to the UHS is the lack of insulating material on both the reactor vessel and the CNV. Following a LOCA or RSVs cycling, primary coolant collects in the containment to the point that the lower reactor vessel becomes submerged. For transients in which RSVs have cycled, the temperature inside the RPV is sufficiently high that heat transfer to the water collected in the containment becomes greater than decay heat levels. This condition occurs after roughly a dozen RSV cycles after which the RPV pressure subsides and RSV cycling stops. ECCS is demanded and natural circulation cooling is established through the RVVs and RRVs. For the remainder of the event, decay heat is accommodated by transferring it passively (by conduction and convection) through the uninsulated vessel wall to the coolant that has collected in the containment. Similarly, heat is being transferred passively (by condensation, conduction and convection) to the UHS through the containment wall.
Key Mitigating Systems The most important risk-significant SSC are the RSVs, the ECCS, and the CNTS.
As noted above, primary coolant system integrity can be ensured by cycling RSVs during sequences in which secondary heat removal is not available or a failure to scram has occurred. While the primary purpose of the RSVs is RCS overpressure 2                                19.1-41                                      Revision 4
 
the RSVs facilitates the passive heat transfer from the RPV to the CNV by preserving the coolant inventory used for core heat removal and obviating the need for makeup to the RPV. When ECCS is actuated, the coolant collected in the CNV through RSV cycling will flow back into the RPV and natural circulation will be established through the RVVs and RRVs, maintaining core cooling. The primary role that secondary heat removal plays following a transient is to determine the path of heat from the core to the reactor pool (either through the steam generators and the DHRS heat exchangers or through the RPV wall to the CNV and then through the CNV wall to the pool). With or without secondary side cooling, heat ultimately is transferred to the reactor pool. The role DHRS plays in managing safety during transient conditions is diminished in this regard being limited to determining whether RSVs and ECCS are demanded.
An ECCS is provided that can mitigate the entire spectrum of inside-containment LOCAs. During a LOCA, primary coolant system conditions are lower in pressure and temperature than for transients and passive heat removal from the reactor to the CNV may not be sufficient to accommodate decay heat. There is a need to return inventory in the RPV that is lost during a LOCA in order to maintain core cooling. The ECCS provides this function. The ECCS consists of RVVs that are each large enough that the reactor pressure is reduced to near containment pressure and RRVs that are sufficiently large that the static head of coolant that has collected in containment flows back into the RPV to maintain core cooling. By steaming to containment (out the break and also through the RVVs), condensing and flowing back into the reactor (through the RRVs) through natural circulation, the ECCS provides adequate core cooling for all (inside containment) LOCA conditions without the need for external inventory makeup.
While rare, loss of primary coolant outside containment is considered in the PRA (e.g., SGTF, pipe breaks outside containment). The CNV and associated valves play a role in further reducing the significance of these accidents. Loss of coolant through a failed steam generator tube is terminated with main steam and feedwater isolation. Pipe breaks outside containment through CVCS is terminated through closure of isolation valves on the injection and discharge lines. It should be noted that all of the pipes connected to the RPV that have been identified as potential sources for pipe breaks outside containment are designed for full RCS pressure and temperature. Once isolated, the break flow is terminated and the accident proceeds in a manner very similar to a transient, requiring only passive heat removal from the reactor to the pool to maintain adequate core cooling.
Because safety-related mitigating systems are fail safe on loss of power, there is little need of support systems for managing risk for the NuScale design.
Nevertheless, when power is available, portions of the MPS are needed to actuate these systems. This is largely limited to the actuation priority logic (APL) and the equipment interface modules (EIMs) for the ECCS and CNTS as both automatic and manual actuation are processed by these MPS components.
Approximately a dozen human actions are modeled in the PRA. These are limited to latent faults (e.g., mis-calibration errors) and recovery actions (e.g., manual 2                                19.1-42                                        Revision 4
 
Significant Multi-Module Sequences The sequence with the highest contribution to MM-CDF is a reactor coolant system LOCA inside containment initiating event (IE-RCS---ALOCA-IC) followed by failure of ECCS, and failure to make up RCS inventory from the CVCS, as illustrated by Figure 19.1-5, Sequence 3, which contributes about 31 percent of the MM-CDF.
Sequences associated with a LOOP initiator (IE-EHVS--LOOP-----) followed by failure of the site AC power sources and incomplete actuation when the backup battery supplies are exhausted contribute more than 52 percent of the MM-CDF as indicated by Figure 19.1-9, Sequences 5 and 8.
The MM-LRF is dominated by outside containment pipe breaks occurring in the CVCS, with an injection line break contributing about 93 percent to the MM-LRF. The most significant sequence, illustrated in Figure 19.1-2, Sequence 6, is initiated by a CVCS injection line break outside containment (IE-CVCS--ALOCA-COC) followed by failure to make up inventory by the CFDS and a failure to isolate the break as shown on the containment event tree, Figure 19.1-15, Sequence 3. The remaining initiators contribute negligibly to MM- LRF. The dominant contributors to MM-CDF do not contribute significantly to MM-LRF. Even though a multi-module core damage event is more likely with other initiating events, the CVCS line break initiating event also creates a direct release pathway and eliminates an RCS makeup path; thus, it is a more significant contributor to MM-LRF.
Significant Multi-Module Cutsets Table 19.1-79 provides significant cutsets resulting from the multi-module full power internal events PRA. The top ten core damage cutsets are associated with about 40 percent of the MM-CDF. As seen from the table, with the exception of the first two cutsets, other cutsets taken individually are small contributors to the MM-CDF, and thus, are not presented in the table. The first two cutsets are associated with the initiating event IE-RCS---ALOCA-IC, which is primarily associated with spurious opening of an RSV. However, the cumulative total of the cutsets indicates that the LOOP initiator, IE-EHVS--LOOP-----, is the most significant initiator for MM-CDF. The dominant MM-LRF cutsets are associated with CVCS line breaks outside of containment.
Risk Significance Consistent with the risk significance determination methodology described in TR-0515-13952-A, risk significance thresholds are applied on a single module level; therefore, insights related to multi-module design and operation were identified through cutset reviews and sensitivity studies. As discussed in the multiple module "Key Insights" section, multi-module risk is significantly lower than risk from a single module; potential multi-module events are mitigated by safety systems that are functionally independent of shared systems and other modules.
2                                    19.1-112                                      Revision 4
 
page 19.1-130 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report esign Feature                          Description                                                                Effect on Risk el (RPV) within a The RPV is contained within the
* The CNV is partially immersed in the UHS; thus, it provides an efficient steam condensation el (CNV) design high-pressure/low-volume CNV. The CNV, which is            surface that condenses inventory lost from the RPV and preserves it for recirculation back into partially immersed in the UHS, is designed to preserve the RPV.
primary system inventory in the event of a LOCA or an
* CNV atmosphere is maintained at a near vacuum, which limits the available oxygen. Also, the ECCS actuation.                                          near vacuum acts to insulate the RPV thereby obviating the need for insulating materials on the RPV, which eliminates the potential for lose material to interfere with coolant recirculation.
* This vessel within a vessel design combined with ECCS results in a rapid equalizing of pressures between the RPV and the CNV, thereby precluding high pressure RPV failure associated with potential severe accidents.
* The lack of concrete precludes the generation of non-condensable gases (i.e., concrete ablation) and long-term containment pressurization concerns.
facing systems The only system that directly interfaces with the RCS is
* Limited number of interfacing systems and the design for full RCS operating system pressure gned for full RCS the CVCS, which comprises four lines: RCS injection,    and temperature significantly decreases the likelihood of an interfacing system LOCA sure              RCS discharge, pressurizer spray, and RPV high point    (ISLOCA).
degas. All of these are designed for full RCS pressure and temperature.
engineered      The UHS is a subsurface water pool containing a large
* The NuScale UHS is not susceptible to becoming unavailable as a result of biofouling, mic class-1 UHS volume of borated water. The pool is stainless steel      weather-related conditions (e.g., freezing) or catastrophic external event.
lined with a leak detection system imbedded in the
* Inventory in the UHS is sufficient to maintain cooling for 12 modules indefinitely.
floor.
ust, aircraft      Each of the 12 NPMs includes its own CNV. All 12
* The robust RXB provides an additional protective barrier between the reactor core and the ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
ct resistant,    NPMs and the UHS are housed in the RXB, which is        environment.
mic class 1      designed as a seismic class 1 structure and to tor building      withstand aircraft impact.
nsive use of      Both safety-related and nonsafety-related control
* Signal integrity ensured through triplication.
  -optic controls systems use fiber optic cables as signal transmission
* No potential for hot shorts to cause spurious operation.
media.
erwater            Module disassembly and refueling take place under
* CNV is flooded as a prerequisite to refueling; the RPV is not drained and hence there are no eling            water in the UHS.                                        mid-loop operations or conditions that result in reduced coolant inventory. After the CNV is Probabilistic Risk Assessment flooded, decay heat is passively transferred to the UHS by conduction and convection.
ll coolant flow Small holes in the upper riser permit reactor coolant
* Eliminates the potential for significant boron concentration gradients between the core/riser s in the upper to bypass the top of the riser.                            and downcomer during extended DHRS operation.
 
page 19.1-134 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Event Tree      Seq. No. RTS    CNV      DHRS    RSV    ECCS    CVCS      CFDS  End State    Thermal-hydraulic Simulation Isolation VCS--ALOCA-COC      1        S        S        S      --        --      --      --        OK      LCI-01T-1D0E0C0F0S-00-S (Figure 19.1-2)    2        S        S        F      S        S        --      --        OK      LCI-03T-0D1E0C0FSS-00-S 5        S        F        S      --        S        --      S        OK      LCU-05T-1D1E0C1F0S-02-S 9        F        S        --      S        S        --      --        OK      LCI-06A-0D1E0C0FSS-00-S CVCS--ALOCA-LOC      1        S        S        S      --        --      --      --        OK      LCI-01T-1D0E0C0F0S-00-S (Figure 19.1-3)    2        S        S        F      S        S        --      --        OK      LCI-03T-0D1E0C0FSS-00-S 3        S        S        F      S        F        S        --        OK      LLI-02T-0D0E1C0FSS-00-S 6        S        F        --      --        S        S        --        OK      LLU-01T-0D0E1C0F0S-00-S 7        S        F        --      --        S        F        S        OK      LLU-07T-0D1E0C1F0S-01-S 9        S        F        --      --        F        S        --        OK      LLU-01T-0D0E1C0F0S-00-S 11        F        S        --      S        S        --      --        OK      LCI-06A-0D1E0C0FSS-00-S 12        F        S        --      S        F        S        --        OK      LEC-10A-0D0E1C0F0S-01-S 15        F        F        --      --        --      S        --        OK      LLU-04A-0D0E1C0F0S-00-S CVCS--ALOCA-CIC      1        S        --      --      --        S        --      --        OK      LCC-07T-0D1E0C0F0S-00-S (Figure 19.1-4)    2        S        --      S      --        F        S        --        OK      LCC-01T-1D0E1C0F0S-00-S 5        F        --      --      --        S        --      --        OK      LEC-13A-0D1E0C0F0S-00-S 6        F        --      S      --        F        S        --        OK      LCC-02A-1D0E1C0F0S-00-S ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
RCS---ALOCA-IC      1        S        --      --      --        S        --      --        OK      LEC-07T-0D1E0C0F0S-00-S (Figure 19.1-5)    2        S        --      --      --        F        S        --        OK      LEC-09T-0D0E1C0F0S-00-S 4        F        --      --      --        S        --      --        OK      LEC-13A-0D1E0C0F0S-00-S 5        F        --      --      --        F        S        --        OK      LEC-10A-0D0E1C0F0S-00-S ECCS--ALOCA-RV1      1        S        --      --      --        S        --      --        OK      LEC-07T-0D1E0C0F0S-00-S (Figure 19.1-6)    2        S        --      --      --        F        S        --        OK      LEC-09T-0D0E1C0F0S-00-S 4        F        --      --      --        S        --      --        OK      LEC-13A-0D1E0C0F0S-00-S Probabilistic Risk Assessment 5        F        --      --      --        F        S        --        OK      LEC-10A-0D0E1C0F0S-00-S
 
page 19.1-135 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Event Tree      Seq. No.      RTS      CNV      DHRS    RSV      ECCS    CVCS    CFDS    End State    Thermal-hydraulic Simulation Isolation MSS---ALOCA-SG      1            S        S        S        --      --        --      --      OK      LSI-03T-1D0E0C0F0S-00-S (Figure 19.1-7)    2            S        S        F        S      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 3            S        S        F        S      F        S        --      OK      LLI-02T-0D0E1C0FSS-00-S 6            S        F        --      --      S        S        --      OK      LSU-07T-0D0E1C0F0S-00-S 7            S        F        --      --      S        F        S        OK      LLU-07T-0D1E0C1F0S-01-S 9            S        F        --      --      F        S        --      OK      LSU-07T-0D0E1C0F0S-00-S 11            F        S        --      S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S 12            F        S        --      S      F        S        --      OK      LEC-10A-0D0E1C0F0S-01-S 15            F        F        --      --      --        S        --      OK      LLU-04A-0D0E1C0F0S-00-S TGS---FMSLB-UD      1            S        --      S        --      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S (Figure 19.1-8)    2            S        --      S        S      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S 3            S        --      S      FO      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 4            S        --      S      FO      F        S        --      OK      LMU-02T-0D0E1C0FSS-00-S 6            S        --      F        S      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 7            S        --      F        S      F        S        --      OK      LMU-02T-0D0E1C0FSS-00-S 10            F        --      --      S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S 11            F        --      --      S      F        S        --      OK      LEC-10A-0D0E1C0F0S-01-S ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
EHVS--LOOP        3            S        --      S        --      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S (Figure 19.1-9)    4            S        --      S        --      S        --      --      OK      LEC-07T-0D1E0C0F0S-00-S 6            S        --      S        S      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S 7            S        --      S        S      S        --      --      OK      LEC-07T-0D1E0C0F0S-00-S 9            S        --      S      FO      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 11            S        --      F        S      S        --      --      OK      LEC-07T-0D1E0C0F0S-00-S 14            F        --      --      S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S Probabilistic Risk Assessment
 
page 19.1-136 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Event Tree      Seq. No.      RTS      CNV      DHRS    RSV      ECCS    CVCS    CFDS    End State    Thermal-hydraulic Simulation Isolation EDSS--LODC        1            S        --      S        --      S        --      --      OK      LEC-07T-0D1E0C0F0S-00-S (Figure 19.1-10)    2            S        --      S        --      F        S        --      OK      LCC-01T-1D0E1C0F0S-00-S 4            S        --      F        S      S        --      --      OK      LEC-07T-0D1E0C0F0S-00-S 5            S        --      F        S      F        S        --      OK      LCC-01T-1D0E1C0F0S-00-S 8            F        --      --      S      S        --      --      OK      TRN-20A-1D2E0C0F1S-01-S TGS---TRAN--NPC      1            S        --      S        --      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S (Figure 19.1-11)    2            S        --      S        S      --        --      --      OK      TRN-01T-0D0E0C0F1S-00-S 3            S        --      S      FO      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 4            S        --      S      FO      F        S        --      OK      LLI-02T-0D0E1C0FSS-00-S 6            S        --      F        S      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 7            S        --      F        S      F        S        --      OK      LLI-02T-0D0E1C0FSS-00-S 9            S        --      F      FC      --        --      S        OK      TRN-19T-0D0E0C1F0S-00-S 11            F        --      S        S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S 12            F        --      S        S      F        S        --      OK      LEC-10A-0D0E1C0F0S-01-S 14            F        --      S      FC      --        S        --      OK      TRN-06A-1D0E0C0F0S-00-S 16            F        --      F        S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S 17            F        --      F        S      F        S        --      OK      LEC-10A-0D0E1C0F0S-01-S ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
TGS---TRAN--NSS      1            S        --      S        --      --        --      --      OK      TRN-18T-1D0E0C0F0S-00-S (Figure 19.1-12)    2            S        --      S        S      --        --      --      OK      TRN-01T-0D0E0C0F1S-00-S 3            S        --      S      FO      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 5            S        --      F        S      S        --      --      OK      LCI-03T-0D1E0C0FSS-00-S 8            F        --      --      S      S        --      --      OK      LCI-06A-0D1E0C0FSS-00-S Probabilistic Risk Assessment
 
page 19.1-137 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Event Tree          Seq. No.      RTS        CNV          DHRS          RSV          ECCS          CVCS        CFDS      End State      Thermal-hydraulic Simulation Isolation for Success Criteria                                        Key for Thermal Hydraulic Simulation nimum system performance requirements for success          1st letter: Initiating Event Classification          3rd letter: Isolation Status V, one RSV cycles open and closed, or cycling
* T=Transient
* I = Isolated RS, one train of DHRS operational
* L=LOCA
* U = Unisolated CS, one RRV and one RVV open
* C = Inside containment 2nd letter: Initiating Event Type CS, one CVCS makeup pump operational
* N = Transient
* C = Charging (injection) line DS, one CFDS pump operational
* L = Letdown (discharge) line                    4th and 5th letters: Serial number of run stem Failure
* E = ECCS valve spurious opening
* E.g., 01 is first run ne RSV fails open
* M = Main steam line break                        6th letter: Reactor Trip Status oth RSVs fall in the closed position
* S = SGTF Two RRVs open and three RVVs fail to open
* T = Trip
* R = Transient
* A = ATWS ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
Probabilistic Risk Assessment
 
page 19.1-140 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Mitigating System1        Top                Redundancy                                                        Description Event rgency core cooling    ECCS-T01 One of three RVVs and one of two RRVs The ECCS provides fuel assembly heat removal and control of RCS inventory. The system m (ECCS)                      needed for success. Each module is    passively circulates coolant inventory by removing heat from the reactor core to the CNV supported by a dedicated system.      which transfers heat to the reactor pool. Success requires one RVV and one RRV to open; failure of both RRVs or all three RVVs to open is an incomplete ECCS actuation.
The ECCS is actuated on high CNV water level, low RCS pressure, loss of two or more EDSS buses, and 24 hours after a loss of AC power.
As discussed in Section 6.3.2.2, the system includes an inadvertent actuation block (IAB) that prohibits the valves from opening until the differential pressure between the RPV and CNV is low; this precludes a valve from opening at power. In some postulated scenarios, it is possible to actuate the IAB when the differential pressure between the RPV and CNV is high.
However, as differential pressure lowers, the main spring, assisted by reactor coolant pressure, will open the valve. Therefore, failure of the IAB does not affect successful opening of the ECCS valves.
An operator action to actuate ECCS is considered in cases where automatic initiation fails; the action can be completed from the MCR.
For initiators that involve a continued loss of coolant from the RPV to outside of containment, this top event is credited only if makeup coolant is successful.
ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
For initiators that involve a loss of coolant inside of containment, with success of RTS, ECCS provides passive fuel cooling without the need for inventory makeup or containment isolation.
tor coolant system RSV RCS-T01  One of two RSVs needed for success. The RSVs provide RPV pressure relief and RCS integrity. The RSVs are self-actuating pressure ns                                Each module is supported by a          relief valves and not operator controlled. Cycling of an RSV transfers RCS to containment dedicated system.                      and removes fuel assembly heat by convection and conduction to the reactor pool; pressure Probabilistic Risk Assessment eventually stabilizes below the RSV setpoint. If both trains of DHRS fail and both RSVs fail to open, the ECCS IAB prohibits the ECCS valves from opening and RPV pressure continues to increase.
 
page 19.1-141 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Mitigating System1        Top                Redundancy                                                            Description Event tor coolant system RSV RCS-T02  One of two RSVs needed for success.      The RSVs (coupled with ECCS operation) can serve as a backup to the DHRS by providing ng                              Each module is supported by a            fuel assembly heat removal.
dedicated system.
Repeated cycling of an RSV adds inventory to containment, depressurizes the RCS to the point of ECCS actuation and removes fuel assembly heat by convection and conduction from the RPV through the CNV and to the reactor pool. When pressure eventually stabilizes below the RSV setpoint, RSV closure reestablishes RCS integrity.
If an RSV fails to re-close, the open path transfers water from the RPV to the CNV. The increase in CNV water level eventually signals an ECCS actuation. The open RSV decreases the pressure differential between the RPV and the CNV enough to nullify the ECCS IAB. Note that if AC power is not restored following a LOOP, ECCS is demanded whether or not an RSV fails to re-close.
RCS-T03    Not used m generator tube      RCS-T04    Each of the two steam generators in      Containment isolation on low low pressurizer level closes the MSIVs and the FWIVs, thereby re isolation                    each module can by isolated by either a  isolating the SGTF.
safety related MSIV and FWIV or by a nonsafety-related isolation valve provided as backup to the MSIV and ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
FWIV. Each module is supported by dedicated main steam and feedwater systems.
tor coolant system    RCS-T05    One of two RSVs needed for success.      This event accounts for the possibility that primary pressure increases to the point of
) RSV demanded                  Each module is supported by a            reaching the RSV setpoint; this possibility is reflected by assigning a probability to the failure dedicated system.                        branch that the RSV opens. Only one train of DHRS functioning (in response to a high RPV pressure) may not remove heat quickly enough to prevent an RSV demand.
Probabilistic Risk Assessment
 
page 19.1-160 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Event Tree Initiator        Sequence      Contribution                                      Sequence Description
(% CDF)
LOCA inside containment      Figure 19.1-5      22.3      An RCS LOCA inside containment initiating event followed by failure of ECCS and failure to
---ALOCA-IC)                  Sequence 3                    make up RCS inventory from the CVCS.
of DC power                Figure 19.1-10      15.7      A loss of DC power initiating event followed by an incomplete ECCS actuation and failure to S-LODC)                      Sequence 3                    make up RCS inventory from the CVCS.
of offsite power            Figure 19.1-9      10.4      A LOOP initiating event followed by a failure of the CTG and BDGs, failure to restore power S-LOOP)                      Sequence 5                    before the timers time out, and an incomplete ECCS actuation.
of offsite power            Figure 19.1-9      10.4      A LOOP initiating event with an RSV demand, followed by a failure of the CTG and BDGs, S-LOOP)                      Sequence 8                    failure to restore power before the timers time out, and an incomplete ECCS actuation.
of support system          Figure 19.1-12        8.8      Loss of support system initiating event followed by an RSV demand but failure to reclose, and
---TRAN---NSS)                Sequence 4                    failure of ECCS.
S charging line pipe break    Figure 19.1-2        6.0      A CVCS injection line pipe break outside containment initiating event followed by a failure to ide containment              Sequence 6                    isolate the break and a failure to make up inventory from the CFDS.
S--ALOCA-COC) eral reactor trip            Figure 19.1-11        5.3      Transient initiating event followed by an RSV demand but failure to reclose, a failure of ECCS,
-TRAN-NPC)                    Sequence 5                    and failure to make up RCS inventory from the CVCS.
of support system          Figure 19.1-12        4.9      Loss of support system initiating event followed by a failure to remove heat through the DHRS
---TRAN---NSS)                Sequence 7                    or the RSVs.
of support system          Figure 19.1-12        4.3      Loss of support system initiating event followed by a failure of the reactor to trip (ATWS) and
---TRAN---NSS)              Sequence 10                    failure of the DHRS and both RSVs to provide fuel assembly heat removal and pressure relief.
ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
eral reactor trip            Figure 19.1-11        3.9      Transient initiating event followed by failures of the DHRS, RSVs, and CFDS.
-TRAN-NPC)                  Sequence 10 r sequences                      All            8.0 Probabilistic Risk Assessment
 
page 19.1-166 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Assumption                                                                                Basis RSV is sufficient to reduce pressure and the uncertainty in the heat transfer mechanism (single-phase                Common engineering practice and engineering uction/convention) that allows the RSVs to passively remove heat from the RPV is negligible.                          judgment probability that an RSV fails to reclose assumes that liquid water is passed (versus steam) when demanded.            Bounding simplification CFWS and MSS are not considered as mitigating systems; because almost any unplanned transient results in              Bounding simplification ation of DHRS, it also includes isolation of the feedwater and main steam lines.
dent Sequence d on the RPV ultimate pressure capacity analysis, a flange gap is expected to form at the outer O-ring of the        Engineering analysis and judgment surizer heater access ports in an RPV overpressure sequence. This leak area relieves RCS and RPV pressure, out further pressurization. Based on thermal-hydraulic simulation results, this sequence of failures is modeled re damage without a consequential containment failure.
oration of offsite power is only considered within 24 hours on the basis of precluding an ECCS demand; further        Bounding simplification very or mitigation is not considered.
ess Criteria ess criteria and accident sequence progression are based on best estimates of the design for the design              Common engineering practice and engineering fication and consider the spectrum of conditions that are characterized by the initiating event and event tree      judgment, bounding simplification events (e.g., range of break sizes, time in cycle). The plant-specific thermal-hydraulic analyses that support ess criteria and accident sequence progressions include bounding simplifications (e.g., double-ended otine break modeled if greater coolant loss rate is more challenging, end-of-cycle core modeled if greater y heat is more challenging).
ccident sequence is assigned an OK end state in the Level 1 if it is simulated directly by thermal-hydraulic        Common engineering practice and engineering ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
ysis and the results meet the success criteria (i.e., PCT does not reach 2,200 degrees Fahrenheit), or if a similar  judgment more challenging simulated sequence demonstrates success.
PRA mission time of 72 hours is sufficient to demonstrate that at a minimum, a stable or improving condition          Common engineering practice been achieved and the overall success criterion is met.
rators preserve the key safety function to remove fuel assembly heat even in cases where they would need to            Common engineering practice and engineering ch the containment boundary (e.g., operators would open the CVCS containment isolation valves to inject              judgment eup following incomplete ECCS actuation).
riser bypass flow holes and the low RCS pressure ECCS actuation design features preclude significant boron            Engineering analysis and judgment Probabilistic Risk Assessment tribution for ATWS events. These design aspects are effective for transients and the full spectrum of potential break sizes.
an Reliability Analysis plified approach to HRA is used to model pre-initiator and post-initiator operator actions (i.e., NUREG/CR-4772      Common engineering practice NUREG/CR-6883, respectively).
berate or malicious acts such as sabotage are outside the scope of the HRA.                                          Common engineering practice rol room staffing is based on the minimum staffing as described in Technical Specification 5.2.2 Facility Staff. Common engineering practice
 
page 19.1-167 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Assumption                                                                                    Basis nitiator and post-initiator human actions were identified through interviews with system engineers and                Common engineering practice ators.
ng for post-initiator human actions is based on the timing from the limiting thermal-hydraulic analysis.              Common engineering practice and engineering judgment rol room indication is available to operators unless there is a loss of all 4 EDSS busses.                            Common engineering practice and engineering judgment rators are expected to readily identify cases where the initiator is a break in the CVCS injection line outside of      Common engineering practice and engineering ainment (or discharge line), and actuate CFDS (or CVCS through the pressurizer spray line, respectively) if            judgment eup is needed.
HEPs are assumed to have a lognormal distribution.                                                                    Common engineering practice and engineering judgment Analysis ponent failure rates and unavailabilities, based on generic data, are applicable to the NuScale design.                Common engineering practice ponent failure rates, based on design-specific analyses, are representative and appropriate. Examples include          Common engineering practice and engineering S hydraulic-operated valve fails to operate and equipment interface module fails to operate.                            judgment s for component failure events (e.g., ECCS reactor vent valve passive actuation to open) and other event              Common engineering practice and engineering abilities (e.g., CVCS LOCA does not initiate excess flow check valve) that are based on engineering judgment          judgment epresentative and appropriate.
ive safety system reliability, based on plant-specific analysis, is representative; the analysis focuses on failures  Engineering analysis and judgment e DHRS and ECCS natural circulation heat transfer mechanisms that provide core cooling and maintain the ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
ant pressure boundary.
mon cause failures follow the alpha factor model and are based on generic data; both are applicable to the              Common engineering practice cale design.
dby failure rates are based on a non-staggered testing scheme.                                                        Bounding simplification.
refueling outage schedule is every 2 years.                                                                            Design condition ntification plified approach was used to address HEP dependencies; a second HEP in a cutset is set to moderate                    Bounding simplification Probabilistic Risk Assessment ndence, a third HEP in a cutset is set to high dependence, and additional HEPs in a cutset are set to complete ndence.
tenance is not performed concurrently on multiple trains of a system, multiple low voltage load centers, or            Common engineering practice backup diesel generators.
very of failed equipment or recovery of equipment that is in maintenance is not considered in the model.              Bounding simplification
 
page 19.1-170 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report Insight                                                                                    Comment re to scram events (ATWS) do not lead directly to core damage.                        Core characteristics result in ATWS power levels that are comparable to decay heat levels. Heat transfer from CNV to reactor pool is adequate to prevent core damage and results in most ATWS sequences requiring approximately the same system success criteria as non-ATWS events.
ive heat removal capability is sufficient to prevent core damage if RSVs cycle and RSV cycling and ECCS actuation transfers adequate RCS water to CNV to allow heat S successfully actuates.                                                                transfer through RPV to CNV and ultimately reactor pool to remove decay heat.
-accident heat removal through steam generators or DHRS is unnecessary if RSVs The SGs and DHRS provide effective heat removal paths to prevent core damage, but
: e.                                                                                    are unnecessary if RSV cycling and ECCS actuation allows heat transfer to reactor pool.
S functions to preserve RCS inventory, which is sufficient to allow core cooling        ECCS function provides natural circulation path through core and CNV, thus out RCS makeup from external source.                                                  providing heat transfer to the reactor pool.
tainment isolation preserves RCS inventory for core cooling without external            Containment isolation eliminates the potential for breaks outside of containment to eup.                                                                                    result in loss of RCS inventory. For breaks inside of containment, containment isolation is not necessary to support passive core cooling and heat removal.
port systems are not needed for safety-related (ECCS, DHRS, RSVs) system function. Safety-related mitigating systems are fail-safe on loss of power and do not require supporting systems such as lube oil, air or HVAC to function.
e are no risk significant, post-initiator human actions associated with the full-power No operator actions, including backup and recovery actions, are risk significant to the CDF because of passive system reliability and fail-safe system design.
significant SSC for external events are largely the same as those found risk          The module response to external events is comparable to the response to internal ificant for internal events.                                                          event due to the passive features of the design and independence from support ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
systems such as power. Additional systems and components have been identified as risk significant for external events due to a conservative evaluation.
ve systems providing backup inventory addition to the RPV are not risk significant. Inventory addition is possible by the active systems CVCS and CFDS. Due to the reliability of the passive safety systems, the active systems providing this backup function were found not to be risk significant, as indicated in Table 19.1-20 and Table 19.1-64.
Probabilistic Risk Assessment
 
page 19.1-172 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report vent Tree Initiator          Sequence  Contribution (%                                          Sequence Description LRF)
S charging line break  Figure 19.1-2        93        A CVCS injection line LOCA outside containment initiating event followed by a failure to isolate the break, ide CNV                Sequence 6                      and a failure to make up inventory from the CFDS.
VCS--ALOCA-COC)
S letdown line break    Figure 19.1-3          6          A CVCS discharge line LOCA outside containment initiating event followed by a failure to isolate the ide CNV                Sequence 8                        break, and a failure to make up inventory from the CFDS.
VCS--ALOCA-LOC)
Figure 19.1-7          1          An SGTF initiating event with a failure to isolate the feedwater or steam line on the secondary side, and SS---ALOCA-SG)        Sequence 8                        failure to provide make up inventory from the CVCS or CDFS.
ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
Probabilistic Risk Assessment
 
This page replaces page 19.1-284 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                    Probabilistic Risk Assessment Figure 19.1-2: Event Tree for Chemical and Volume Control System Charging Line Pipe Break Outside Containment CVCS LOCA Charging Line    Reactor Trip System  CVCS Charging Line LOCA      DHRS (2 Trains Available 1      RCS Reactor Saf ety Valve ECCS RX Vent Valves and RX          Containment Flooding  #  End State            Comments Outside Containment                          Outside Containment Isolation        Required)                          Opens            Recirculation Valves Open                                  (Phase - PH1)        (Phase - PH1)
IE-CVCS--ALOCA-COC      RTS-T01                CVCS-T02                      DHRS-T01                      RCS-T01                    ECCS-T01                        CFDS-T01 1      OK        LCI-01T-1D0E0C0F0S-00-S 2      OK      LCI-03T-0D1E0C0FSS-00-S Isolated                                    At least one RSV opens 3  LEVEL2-ET    TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                4  LEVEL2-ET    LCI-05T-0D0E0C0F0S-00-D RX trip Inventory addition to CNV via CFDS        5      OK      LCU-05T-1D1E0C1F0S-02-S 6  LEVEL2-ET    LCU-03T-0D0E0C0F0S-00-D Not isolated 7  LEVEL2-ET    LCU-03T-0D0E0C0F0S-00-D 8  LEVEL2-ET    LCU-03T-0D0E0C0F0S-00-D 9      OK      LCI-06A-0D1E0C0FSS-00-S At least one RSV opens Isolated                                                                                                                            10  LEVEL2-ET    TRN-07T-0D0E0C0FSS-00-D ATWS RSVs f ail to open                                                              11  LEVEL2-ET    LCI-05T-0D0E0C0F0S-00-D Not isolated                                                                                                                            12  LEVEL2-ET    LCU-03T-0D0E0C0F0S-00-D Tier 2                                                                                                                          19.1-284                                                                                                  Revision 4
 
This page replaces page 19.1-285 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                Probabilistic Risk Assessment Figure 19.1-3: Event Tree for Chemical and Volume Control System Letdown Line Pipe Break Outside Containment CVCS LOCA Letdown Line    Reactor Trip System  CVCS Letdown Line LOCA        DHRS (2 Trains Available 1      RCS Reactor Saf ety Valve  ECCS RX Vent Valves and RX      CVCS f or RCS Injection          Containment Flooding  #  End State              Comments Outside Containment                          Outside Containment Isolation        Required)                          Opens              Recirculation Valves Open                                                              (Phase - PH1)          (Phase - PH1)
IE-CVCS--ALOCA-LOC      RTS-T01                CVCS-T03                      DHRS-T01                      RCS-T01                      ECCS-T01                    CVCS-T01                        CFDS-T01 1      OK          LCI-01T-1D0E0C0F0S-00-S 2      OK          LCI-03T-0D1E0C0FSS-00-S Isolated                                    At least one RSV opens                                      RCS inventory addition                                    3      OK          LLI-02T-0D0E1C0FSS-00-S 4  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                                              5  LEVEL2-ET      LCI-05T-0D0E0C0F0S-00-D RX trip RCS inventory addition                                    6      OK        LLU-01T-0D0E1C0F0S-00-S Inventory addition to CNV via CFDS        7      OK        LLU-07T-0D1E0C1F0S-01-S Not isolated                                                                                                                                                            8  LEVEL2-ET      LCU-03T-0D0E0C0F0S-00-D RCS inventory addition                                    9      OK        LLU-01T-0D0E1C0F0S-00-S 10  LEVEL2-ET      LCU-03T-0D0E0C0F0S-00-D 11      OK        LCI-06A-0D1E0C0FSS-00-S At least one RSV opens                                      RCS inventory addition                                    12      OK        LEC-010A-0D0E1C0F0S-01S Isolated 13  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D ATWS RSVs f ail to open                                                                                            14  LEVEL2-ET      LCI-05T-0D0E0C0F0S-00-D RCS inventory addition                                    15      OK        LLU-04A-0D0E1C0F0S-00-S Not isolated 16  LEVEL2-ET      LCU-03T-0D0E0C0F0S-00-D Tier 2                                                                                                                                      19.1-285                                                                                                                    Revision 4
 
This page replaces page 19.1-289 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                            Probabilistic Risk Assessment Figure 19.1-7: Event Tree for Steam Generator Tube Failure Steam Generator #2 Tube    Reactor Trip System SG #2 Tube Failure Isolated  DHRS (#1 Train Available)      RCS Reactor Saf ety Valve  ECCS RX Vent Valves and RX    CVCS f or RCS Injection          Containment Flooding  #  End State                Comments Failure                                                                                                      Opens            Recirculation Valves Open                                                              (Phase - PH1)            (Phase - PH1)
IE-MSS---ALOCA-SG-        RTS-T01                RCS-T04                    DHRS-T02                      RCS-T01                      ECCS-T01                    CVCS-T01                        CFDS-T01 1      OK          LSI-03T-1D0E0C0F0S-00-S 2      OK          LCI-03T-0D1E0C0FSS-00-S Isolated                                  At least one RSV opens                                    RCS inventory addition                                    3      OK          LLI-02T-0D0E1C0FSS-00-S 4  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                                            5  LEVEL2-ET        LCI-05T-0D0E0C0F0S-00-D RX Trip RCS inventory addition                                    6      OK          LSU-07T-0D0E1C0F0S-00S Inventory addition to CNV via CFDS        7      OK          LLU-07T-0D1E0C1F0S-01-S Not isolated                                                                                                                                                        8  LEVEL2-ET      LSU-06T-0D0E0C0F0S-00-D RCS inventory addition                                    9      OK          LSU-07T-0D0E1C0F0S-00-S 10  LEVEL2-ET      LSU-06T-0D0E0C0F0S-00-D 11      OK          LCI-06A-0D1E0C0FSS-00-S At least one RSV opens                                    RCS inventory addition                                    12      OK          LEC-10A-0D0E1C0F0S-01-S Isolated 13  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D ATWS RSVs f ail to open                                                                                            14  LEVEL2-ET        LCI-05T-0D0E0C0F0S-00-D RCS inventory addition                                    15      OK          LLU-04A-0D0E1C0F0S-00-S Not isolated 16  LEVEL2-ET      LSU-06T-0D0E0C0F0S-00-D Tier 2                                                                                                                                  19.1-289                                                                                                                  Revision 4
 
This page replaces page 19.1-290 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                            Probabilistic Risk Assessment Figure 19.1-8: Event Tree for Secondary Line Break Secondary Side Line Break    Reactor Trip System  DHRS (#1 Train Available)    RCS Reactor Saf ety Valve      RCS Reactor Saf ety Valve  RCS Reactor Saf ety Valves ECCS RX Vent Valves and RX    CVCS f or RCS Injection  #  End State              Comments Demanded to Open                      Opens                      Cycling          Recirculation Valves Open                                (Phase - PH1)          (Phase - PH1)
IE-TGS---FMSLB-UD-        RTS-T01                DHRS-T02                    RCS-T05                        RCS-T01                      RCS-T02                    ECCS-T01                    CVCS-T01 RSV not demanded to open                                                                                                                              1      OK        TRN-18T-1D0E0C0F0S-00-S RSV reclosed                                                                  2      OK        TRN-18T-1D0E0C0F0S-00-S RCS-T06 3      OK        LCI-03T-0D1E0C0FSS-00-S RSV opens RSV fails to close                                  RCS inventory addition      4      OK        LMU-02T-0D0E1C0FSS-00-S RCS-T06 RX Trip                                                                                                                                                                                5  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D 6      OK        LCI-03T-0D1E0C0FSS-00-S At least one RSV opens                                                                RCS inventory addition      7      OK        LMU-02T-0D0E1C0FSS-00-S RSV demanded 8  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                                          9  LEVEL2-ET      TRN-08T-0D0E0C0F0S-00-D 10      OK        LCI-06A-0D1E0C0FSS-00-S At least one RSV opens                                                                RCS inventory addition      11      OK        LEC-10A-0D0E1C0F0S-01-S ATWS                                      RSV demanded 12  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                                          13  LEVEL2-ET      TRN-08T-0D0E0C0F0S-00-D Tier 2                                                                                                                                      19.1-290                                                                                                                Revision 4
 
This page replaces page 19.1-291 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                                                                          Probabilistic Risk Assessment Figure 19.1-9: Event Tree for Loss of Offsite Power Loss Of Off site Power Combustion Turbine Generator  Backup Diesel Generators    Reactor Trip System  DHRS (2 Trains Available 1    RCS Reactor Saf ety Valve      RCS Reactor Saf ety Valve  RCS Reactor Saf ety Valves  Of f site Power Recovered  ECCS RX Vent Valves and RX  #      End State                Comments Required)                Demanded to Open                      Opens                      Cycling                                          Recirculation Valves Open      (Phase - PH1)            (Phase - PH1)
IE-EHVS--LOOP-----        EHVS-T01                    ELVS-T01                  RTS-T01                DHRS-T01                      RCS-T05                        RCS-T01                    RCS-T02                    EHVS-T02                      ECCS-T01 Onsite CTG operates                                                                                                                                                                                                                                            1 TGS---TRAN--NPC-ET Both BDGs operate                                                                                                                                                                                                                2 TGS---TRAN--NPC-ET Power restored                                      3          OK          TRN-18T-1D0E0C0F0S-00-S RSV not demanded to open                                                                                                ECCS actuates at 24 hrs        4          OK          LEC-07T-0D1E0C0F0S-00-S Not restored 5      LEVEL2-ET        TRN-17T-2D0E0C0F0S-00-D Power restored                                      6          OK          TRN-18T-1D0E0C0F0S-00-S RSV reclosed                                      ECCS actuates at 24 hrs        7          OK          LEC-07T-0D1E0C0F0S-00-S Not restored RCS-T06 RX trip                                          RSV opens                                                                                                                                8      LEVEL2-ET        TRN-17T-2D0E0C0F0S-00-D 9          OK          LCI-03T-0D1E0C0FSS-00-S RSV f ails to close 10      LEVEL2-ET        TRN-07T-0D0E0C0FSS-00-D RCS-T06 11          OK          LEC-07T-0D1E0C0F0S-00-S RSV demanded                                                                                                                                12      LEVEL2-ET        TRN-17T-2D0E0C0F0S-00-D RSVs fail to open                                                                                            13      LEVEL2-ET        TRN-08T-0D0E0C0F0S-00-D 14          OK          LCI-06A-0D1E0C0FSS-00-S At least one RSV opens ATWS                                        RSV demanded                                                                                                                                15      LEVEL2-ET        TRN-07T-0D0E0C0FSS-00-D RSVs fail to open                                                                                            16      LEVEL2-ET        TRN-08T-0D0E0C0F0S-00-D Tier 2                                                                                                                                                                19.1-291                                                                                                                                                    Revision 4
 
This page replaces page 19.1-293 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                                                                        Probabilistic Risk Assessment Figure 19.1-11: Event Tree for General Transient General Reactor Trip    Reactor Trip System  DHRS (2 Trains Available 1    RCS Reactor Saf ety Valve      RCS Reactor Saf ety Valve  RCS Reactor Saf ety Valves ECCS RX Vent Valves and RX    CVCS f or RCS Injection        Containment Flooding  #  End State                Comments Required)                Demanded to Open                      Opens                      Cycling          Recirculation Valves Open                                                            (Phase - PH1)            (Phase - PH1)
IE-TGS---TRAN--NPC      RTS-T01                DHRS-T01                    RCS-T05                        RCS-T01                    RCS-T02                    ECCS-T01                    CVCS-T01                        CFDS-T01 RSV not demanded to open                                                                                                                                                          1      OK          TRN-18T-1D0E0C0F0S-00-S RSV reclosed                                                                                              2      OK          TRN-18T-0D0E0C0F0S-00-S RCS-T06 3      OK          LCI-03T-0D1E0C0FSS-00-S RSV opens RSV f ails to close                                RCS inventory addition                                    4      OK          LLI-02T-0D0E1C0FSS-00-S RCS-T06 5  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RX Trip 6      OK          LCI-03T-0D1E0C0FSS-00-S At least one RSV opens                                                                RCS inventory addition                                    7      OK          LLI-02T-0D0E1C0FSS-00-S RSV demanded                                                                                                                                                            8  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D CNV f looded f or passive heat removal    9      OK          TRN-19T-0D0E0C1F0S-00-S RSVs f ail to open 10  LEVEL2-ET      TRN-08T-0D0E0C0F0S-00-D 11      OK          LCI-06A-0D1E0C0FSS-00-S At least one RSV opens                                                                RCS inventory addition                                  12      OK          LEC-10A-0D0E1C0F0S-01-S RSV demanded                                                                                                                                                          13  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RCS inventory addition                                  14      OK          TRN-06A-1D0E0C0F0S-00-S RSVs f ail to open ATWS                                                                                                                                                                                                              15  LEVEL2-ET      TRN-08T-0D0E1C0F0S-00-D 16      OK          LCI-06A-0D1E0C0FSS-00-S At least one RSV opens                                                                RCS inventory addition                                  17      OK          LEC-10A-0D0E1C0F0S-01-S RSV demanded 18  LEVEL2-ET      TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                                                                                      19  LEVEL2-ET      TRN-08T-0D0E0C0F0S-00-D Tier 2                                                                                                                                                    19.1-293                                                                                                                              Revision 4
 
This page replaces page 19.1-294 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, "Probabilistic Risk Assessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                                                                                                                                                Probabilistic Risk Assessment Figure 19.1-12: Event Tree for Loss of Support System Loss of Support System    Reactor Trip System  DHRS (2 Trains Available 1    RCS Reactor Saf ety Valve      RCS Reactor Saf ety Valve  RCS Reactor Saf ety Valves ECCS RX Vent Valves and RX  #  End State            Comments Required)                Demanded to Open                      Opens                      Cycling          Recirculation Valves Open    (Phase - PH1)        (Phase - PH1)
IE-TGS---TRAN--NSS        RTS-T01                DHRS-T01                      RCS-T05                        RCS-T01                    RCS-T02                    ECCS-T01 RSV not demanded to open                                                                                                1      OK      TRN-18T-1D0E0C0F0S-00-S RSV reclosed                                      2      OK      TRN-18T-0D0E0C0F0S-00-S RCS-T06 RSV opens                                                                                                  3      OK      LCI-03T-0D1E0C0FSS-00-S RSV f ails to close Rx Trip                                                                                                                                                    4  LEVEL2-ET    TRN-07T-0D0E0C0FSS-00-D RCS-T06 5      OK      LCI-03T-0D1E0C0FSS-00-S At least one RSV opens 6  LEVEL2-ET    TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                              7  LEVEL2-ET    TRN-08T-0D0E0C0F0S-00-D 8      OK      LCI-06A-0D1E0C0FSS-00-S At least one RSV opens ATWS                                        RSV demanded                                                                                                  9  LEVEL2-ET    TRN-07T-0D0E0C0FSS-00-D RSVs f ail to open                                                            10  LEVEL2-ET    TRN-08T-0D0E0C0F0S-00-D Tier 2                                                                                                                          19.1-294                                                                                              Revision 4
 
page 19.1-299 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report S LOCA Charging Line      Reactor Trip System    CVCS Charging Line LOCA        DHRS (2 Trains Available 1    RCS Reactor Saf ety Valve  ECCS RX Vent Valves and RX  #        End State utside Containment                              Outside Containment Isolation          Required)                      Opens                Recirculation Valves Open          (Phase - PH1)
CS--ALOCA-COC        RTS-T01                  CVCS-T02                        DHRS-T01                    RCS-T01                      ECCS-T01 1    LODC---ECC-SEIS-ET 2            OK 3        LEVEL2-ET 4        LEVEL2-ET 5        LEVEL2-ET 6        LEVEL2-ET 7        LEVEL2-ET 8            OK 9        LEVEL2-ET ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
10      LEVEL2-ET 11      LEVEL2-ET Probabilistic Risk Assessment
 
page 19.1-301 in Chapter 19, "Probabilistic Risk Assessment and Severe Accident Evaluation," Section 19.1, cale Final Safety Analysis Report am Generator #2 Tube      Reactor Trip System  SG #2 Tube Failure Isolated    DHRS (#1 Train Available)    RCS Reactor Saf ety Valve  ECCS RX Vent Valves and RX  #        End State Failure                                                                                                        Opens                Recirculation Valves Open          (Phase - PH1)
S---ALOCA-SG-        RTS-T01                  RCS-T04                      DHRS-T02                    RCS-T01                      ECCS-T01 1    LODC---ECC-SEIS-ET 2            OK 3        LEVEL2-ET 4        LEVEL2-ET 5        LEVEL2-ET 6        LEVEL2-ET 7            OK 8        LEVEL2-ET 9        LEVEL2-ET ssessment," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
10      LEVEL2-ET Probabilistic Risk Assessment
 
This page replaces page 16.1-3 in Chapter 16, "Technical Specifications," Section 16.1, "Technical Specifications," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                                                    Technical Specifications frequency for evaluation of future changes to the surveillance test frequency, and the basis for that test frequency. Base test frequencies in Table 16.1-1 include consideration of the rules of applicability for surveillance testing including, when applicable, up to 1.25 times the specified interval as permitted by technical specification SR 3.0.2. For example, a base frequency of 24 months implies consideration of up to 30 months between performance of the surveillance test.
Incorporation of Technical Specification Task Force Change Travelers Technical Specification Task Force (TSTF) travelers issued since publication of Revision 4 of the ISTS were reviewed in the development of the NuScale GTS. Travelers were incorporated into the NuScale GTS or utilized as a basis for similar NuScale situations as described in the conformance report (Reference 16.1-1). The TSTF travelers considered in development of the NuScale GTS are listed in that report.
The GTS are intended to be used as a guide in the development of the plant-specific technical specifications. Preliminary information has been provided in single brackets [ ].
Combined license applicants referencing the NuScale Power Plant are required to provide the final plant-specific information.
COL Item 16.1-1:    A COL applicant that references the NuScale Power Plant design certification will provide the final plant-specific information identified by [ ] in the generic Technical Specifications and generic Technical Specification Bases.
COL Item 16.1-2:    A COL applicant that references the NuScale Power Plant design certification will prepare and maintain an owner-controlled requirements manual that includes owner-controlled limits and requirements described in the Bases of the Technical Specifications or as otherwise specified in the FSAR.
COL Item 16.1-3:    A COL applicant that references the NuScale Power Plant design certification, and uses allocations for sensor response times based on records of tests, vendor test data, or vendor engineering specifications as described in the Bases for Surveillance Requirement 3.3.1.3, will do so for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC.
16.1.2    References 16.1-1        NuScale Power, LLC, "Technical Specifications Regulatory Conformance and Development Technical Report," TR-1116-52011-NP, Revision 4.
16.1-2        Nuclear Energy Institute, "Risk-Informed Technical Specifications Initiative 5b-Risk-Informed Method for Control of Surveillance Frequencies,"
NEI 04-10, Revision 1, April 2007.
16.1-3        Nuclear Energy Institute, Risk-Informed Technical Specifications Initiative 4b-Risk-Managed Technical Specifications (RMTS) Guidelines," NEI 06-09, Rev. 0-A, November 2006.
Tier 2                                            16.1-3                                            Revision 4
 
LO-0520-69493 The following pages replace Part 4, Generic Technical Specifications, of NuScale Standard Plant Design Certification Application, Revision 4 (January 2020)
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
DCA Part 4 Volume 1 Revision 4.0 Generic Technical Specifications NuScale Nuclear Power Plants Volume 1: Specifications
 
TABLE OF CONTENTS                                                                                                                Revision 1.0    USE AND APPLICATION 1.1      Definitions................................................................................................................. 4.0 1.2      Logical Connectors................................................................................................... 4.0 1.3      Completion Times .................................................................................................... 4.0 1.4      Frequency ................................................................................................................ 4.0 2.0    SAFETY LIMITS (SLs) 2.1      SLs ........................................................................................................................... 4.0 2.2      SL Violations ............................................................................................................ 4.0 3.0    LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY .............................. 4.0 3.0    SURVEILLANCE REQUIREMENTS (SR) APPLICABILITY .......................................... 4.0 3.1      REACTIVITY CONTROL SYSTEMS 3.1.1        SHUTDOWN MARGIN (SDM)............................................................................ 4.0 3.1.2        Core Reactivity ................................................................................................... 4.0 3.1.3        Moderator Temperature Coefficient (MTC) ........................................................ 4.0 3.1.4        Rod Group Alignment Limits .............................................................................. 4.0 3.1.5        Shutdown Bank Insertion Limits ......................................................................... 4.0 3.1.6        Regulating Bank Insertion Limits ........................................................................ 4.0 3.1.7        Rod Position Indication (RPI) ............................................................................. 4.0 3.1.8        PHYSICS TESTS Exceptions............................................................................. 4.0 3.1.9        Boron Dilution Control ........................................................................................ 4.0 3.2      POWER DISTRIBUTION LIMITS 3.2.1        Enthalpy Rise Hot Channel Factor ..................................................................... 4.0 3.2.2        AXIAL OFFSET (AO).......................................................................................... 4.0 3.3      INSTRUMENTATION 3.3.1        Module Protection System (MPS) Instrumentation............................................. 4.0 3.3.2        Reactor Trip System (RTS) Logic and Actuation................................................ 4.0 3.3.3        Engineered Safety Features Actuation System (ESFAS) Logic and Actuation ..................................................................................................... 4.0 3.3.4        Manual Actuation Functions ............................................................................... 4.0 3.3.5        Remote Shutdown Station (RSS) ....................................................................... 4.0 3.4      REACTOR COOLANT SYSTEM (RCS) 3.4.1        RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF)
Limits .................................................................................................................. 4.0 3.4.2        RCS Minimum Temperature for Criticality .......................................................... 4.0 3.4.3        RCS Pressure and Temperature (P/T) Limits..................................................... 4.0 3.4.4        Reactor Safety Valves (RSVs) ........................................................................... 4.0 3.4.5        RCS Operational LEAKAGE............................................................................... 4.0 3.4.6        Chemical and Volume Control System (CVCS) Isolation Valves ....................... 4.0 3.4.7        RCS Leakage Detection Instrumentation ........................................................... 4.0 3.4.8        RCS Specific Activity .......................................................................................... 4.0 3.4.9        Steam Generator (SG) Tube Integrity ................................................................ 4.0 3.4.10        Low Temperature Overpressure Protection (LTOP) Valves ............................... 4.0 NuScale [US600]                                                i                                                          Revision 4.0
 
TABLE OF CONTENTS                                                                                                          Revision 3.0  LIMITING CONDITION FOR OPERATION AND SURVEILLANCE REQUIREMENTS (continued) 3.5      PASSIVE CORE COOLING SYSTEMS (PCCS) 3.5.1        Emergency Core Cooling System (ECCS) ......................................................... 4.0 3.5.2        Decay Heat Removal System (DHRS) ............................................................... 4.0 3.5.3        Ultimate Heat Sink .............................................................................................. 4.0 3.6      CONTAINMENT SYSTEMS 3.6.1        Containment ....................................................................................................... 4.0 3.6.2        Containment Isolation Valves ............................................................................. 4.0 3.7      PLANT SYSTEMS 3.7.1        Main Steam Isolation Valves (MSIVs) ................................................................ 4.0 3.7.2        Feedwater Isolation ............................................................................................ 4.0 3.7.3        In-Containment Secondary Piping Leakage ....................................................... 4.0 3.8      REFUELING OPERATIONS 3.8.1        Nuclear Instrumentation ..................................................................................... 4.0 3.8.2        Decay Time ........................................................................................................ 4.0 4.0  DESIGN FEATURES 4.1      Site Location............................................................................................................. 4.0 4.2      Reactor Core ............................................................................................................ 4.0 4.3      Fuel Storage ............................................................................................................. 4.0 5.0  ADMINISTRATIVE CONTROLS 5.1      Responsibility ........................................................................................................... 4.0 5.2      Organization ............................................................................................................. 4.0 5.3      Facility Staff Qualifications ....................................................................................... 4.0 5.4      Procedures ............................................................................................................... 4.0 5.5      Programs and Manuals ............................................................................................ 4.0 5.6      Reporting Requirements .......................................................................................... 4.0 5.7      High Radiation Area ................................................................................................. 4.0 NuScale [US600]                                          ii                                                          Revision 4.0
 
Definitions 1.1 1.0 USE AND APPLICATION 1.1 Definitions
---------------------------------------------------------NOTE--------------------------------------------------------------
The defined terms of this section appear in capitalized type and are applicable throughout these Technical Specifications and Bases.
Term                                          Definition ACTIONS                                      ACTIONS shall be that part of a Specification that prescribes Required Actions to be taken under designated Conditions within specified Completion Times.
ACTUATION LOGIC TEST                          An ACTUATION LOGIC TEST shall be:
: a. The use of self-testing features, or application of simulated or actual input combinations as appropriate, to test digital computer hardware; and
: b. Verification of the required logic output.
An ACTUATION LOGIC TEST shall include each possible interlock logic state required for OPERABILITY of a logic circuit. The ACTUATION LOGIC TEST shall verify the OPERABILITY of each manual logic input device required for channel OPERABILITY. The ACTUATION LOGIC TEST shall be conducted such that it provides component overlap with the actuated device. The ACTUATION LOGIC TEST may be performed by means of any series of sequential, overlapping, or total steps, and each step must be performed within the Frequency in the Surveillance Frequency Control Program for the devices included in the step.
ACTUATION RESPONSE                            The time from when the Module Protection System TIME                                          equipment interface module output initiates an actuation signal until the actuated valves or breakers reach their final actuated position.
AXIAL OFFSET (AO)                            AO shall be the difference in power generated in the top half of the core (Ptop) and the bottom half of the core (Pbottom), divided by the sum of the power generated in the core (Ptotal).
AO = (Ptop - Pbottom) / Ptotal NuScale [US600]                                            1.1-1                                              Revision 4.0
 
Definitions 1.1 1.1 Definitions CHANNEL CALIBRATION A CHANNEL CALIBRATION shall be the adjustment, as necessary, of the channel output such that it responds within the necessary range and accuracy to known values of the parameter that the channel monitors. The CHANNEL CALIBRATION shall encompass all devices in the channel required for channel OPERABILITY.
Calibration of instrument channels with resistance temperature detector (RTD) or thermocouple sensors may consist of an inplace qualitative assessment of sensor behavior and normal calibration of the remaining adjustable devices in the channel. The CHANNEL CALIBRATION may be performed by means of any series of sequential, overlapping, or total channel steps, and each step must be performed within the Frequency in the Surveillance Frequency Control Program for the devices included in the step.
CHANNEL CHECK      A CHANNEL CHECK shall be the verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken. This determination shall include, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same parameter.
This determination can be made using computer software or be performed manually.
CHANNEL OPERATIONAL A COT shall be the injection of a simulated or actual signal TEST (COT)          into the channel as close to the sensor as practicable to verify OPERABILITY of all devices in the channel required for channel OPERABILITY. The COT shall include adjustments, as necessary, of the required alarm, interlock, and trip setpoints required for channel OPERABILITY such that the setpoints are within the necessary range and accuracy. The COT may be performed by means of any series of sequential, overlapping, or total channel steps, and each step must be performed within the Frequency in the Surveillance Frequency Control Program for the devices included in the step.
NuScale [US600]                1.1-2                                  Revision 4.0
 
Definitions 1.1 1.1 Definitions CHANNEL RESPONSE TIME  The time from when the process variable exceeds its setpoint until the output from the channel analog logic reaches the input of the digital portion of the Module Protection System digital logic.
CORE OPERATING LIMITS  The COLR is the unit-specific document that provides REPORT (COLR)          cycle specific parameter limits for the current reload cycle.
These cycle specific parameter limits shall be determined for each reload cycle in accordance with Specification 5.6.3. Module operation within these parameter limits is addressed in individual Specifications.
DOSE EQUIVALENT I-131  DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries per gram) that alone would produce the same committed effective dose equivalent as the quantity and isotopic mixture of I-131, I-132, I-133, I-134, and I-135 actually present. The dose conversion factors used for this calculation shall be those listed in Table 2.1 of EPA Federal Guidance Report No. 11, Limiting Values of Radionuclide Intake and Air Concentration and Dose Conversion Factors for Inhalation, Submersion, and Ingestion, EPA-520/1-88-020, September 1988.
DOSE EQUIVALENT XE-133 DOSE EQUIVALENT XE-133 shall be that concentration of Xe-133 (microcuries per gram) that alone would produce the same effective dose equivalent as the quantity and isotopic mixture of noble gases (Kr-85m, Kr-85, Kr-87, Kr-88, Xe-131m, Xe-133m, Xe-133, Xe-135m, Xe-135, and Xe-138) actually present. The dose conversion factors used for this calculation shall be those listed in Table III.1 of EPA Federal Guidance Report No. 12, External Exposure to Radionuclides in Air, Water, and Soil, EPA 402-R-93-081, September 1993.
INSERVICE TESTING      The INSERVICE TESTING PROGRAM is the licensee PROGRAM                program that fulfills the requirements of 10 CFR 50.55a(f).
NuScale [US600]                    1.1-3                                    Revision 4.0
 
Definitions 1.1 1.1 Definitions LEAKAGE              LEAKAGE shall be:
: a. Identified LEAKAGE
: 1. LEAKAGE from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary LEAKAGE, or
: 2. Reactor Coolant System (RCS) LEAKAGE through a steam generator (SG) to the Secondary System (primary to secondary LEAKAGE),
: b. Unidentified LEAKAGE All LEAKAGE that is not identified LEAKAGE, and
: c. Pressure Boundary LEAKAGE LEAKAGE (except primary to secondary LEAKAGE) through a nonisolable fault in an RCS component body, pipe wall, or vessel wall.
MODE                A MODE shall correspond to any one inclusive combination of reactivity condition, reactor coolant temperature, control rod assembly (CRA) withdrawal capability, Chemical and Volume Control System (CVCS) and Containment Flood and Drain System (CFDS) configuration, reactor vent valve electrical isolation, and reactor vessel flange bolt tensioning specified in Table 1.1-1 with fuel in the reactor vessel.
OPERABLE-OPERABILITY A system, subsystem, separation group, channel, division, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, electrical power, cooling water, lubrication, and other auxiliary equipment that are required for the system, subsystem, separation group, channel, division, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).
NuScale [US600]                  1.1-4                                    Revision 4.0
 
Definitions 1.1 1.1 Definitions PASSIVELY COOLED -  A module is in PASSIVE COOLING or is being PASSIVE COOLING    PASSIVELY COOLED when:
: a. Two or more reactor vent valves are open and one or more reactor recirculation valves is open, or
: b. One or more trains of DHRS is in operation, or
: c. Water level in the containment vessel is > 45 ft.
PHYSICS TESTS      PHYSICS TESTS shall be those tests performed to measure the fundamental nuclear characteristics of the reactor core and related instrumentation. These tests are:
: a. Described in Chapter 14, Initial Test Program and Inspections, Tests, Analyses, and Acceptance Criteria, of the FSAR;
: b. Authorized under the provisions of 10 CFR 50.59; or
: c. Otherwise approved by the Nuclear Regulatory Commission.
PRESSURE AND        The PTLR is the unit-specific document that provides the TEMPERATURE LIMITS  reactor vessel pressure and temperature limits, including REPORT (PTLR)      heatup and cooldown rates, for the current reactor vessel fluence period. These pressure and temperature limits shall be determined for each fluence period in accordance with Specification 5.6.4.
RATED THERMAL POWER RTP shall be a total reactor core heat transfer rate to the (RTP)              reactor coolant of 160 MWt.
NuScale [US600]                  1.1-5                                Revision 4.0
 
Definitions 1.1 1.1 Definitions SHUTDOWN MARGIN (SDM) SDM shall be the instantaneous amount of reactivity by which the reactor is subcritical or would be subcritical from its present condition assuming:
: a. Moderator temperature is 420 &deg;F; and
: b. All control rod assemblies (CRAs) are fully inserted except for the single CRA of highest reactivity worth, which is assumed to be fully withdrawn. However, with all CRAs verified fully inserted by two independent means, it is not necessary to account for a stuck CRA in the SDM calculation. With any CRA not capable of being fully inserted, the reactivity worth of the affected CRA must be accounted for in the determination of SDM.
THERMAL POWER        THERMAL POWER shall be the total reactor core heat transfer rate to the reactor coolant.
TOTAL RESPONSE TIME  TOTAL RESPONSE TIME is the sum of the CHANNEL RESPONSE TIME, the allocated MPS digital time response, and the ACTUATION RESPONSE TIME. The TOTAL RESPONSE TIME is the time interval from when the monitored parameter exceeds its actuation setpoint at the channel sensor until the actuated component is capable of performing its safety function (i.e., the valves travel to their required positions, breakers are open, etc.)
NuScale [US600]                    1.1-6                                    Revision 4.0
 
Definitions 1.1 Table 1.1-1 (page 1 of 1)
MODES INDICATED REACTOR REACTIVITY              COOLANT MODE                  TITLE                CONDITION (keff)      TEMPERATURES (&deg;F) 1          Operations                        0.99                All  420 2          Hot Shutdown                    < 0.99                Any  420 3          Safe Shutdown (a)                < 0.99                All < 420 4          Transition (b)(c)                < 0.95                    N/A 5          Refueling (d)                      N/A                    N/A (a) Any CRA capable of withdrawal, any CVCS or CFDS connection to the module not isolated.
(b) All CRAs incapable of withdrawal, CVCS and CFDS connections to the module isolated, and all reactor vent valves electrically isolated.
(c) All reactor vessel flange bolts fully tensioned.
(d) One or more reactor vessel flange bolts less than fully tensioned.
NuScale [US600]                                  1.1-7                              Revision 4.0
 
Logical Connectors 1.2 1.0 USE AND APPLICATION 1.2 Logical Connectors PURPOSE            The purpose of this section is to explain the meaning of logical connectors.
Logical connectors are used in Technical Specifications to discriminate between, and yet connect, discrete Conditions, Required Actions, Completion Times, Surveillances, and Frequencies. The only logical connectors that appear in Technical Specifications are AND and OR. The physical arrangement of these connectors constitutes logical conventions with specific meaning.
BACKGROUND          Several levels of logic may be used to state Required Actions. These levels are identified by the placement (or nesting) of the logical connectors and the number assigned to each Required Action. The first level of logic is identified by the first digit of the number assigned to a Required Action and the placement of the logical connector in the first level of nesting (i.e., left justified with the number of the Required Action).
The successive levels of logic are identified by additional digits of the Required Action number and by successive indentions of the logical connectors.
When logical connectors are used to state a Condition, Completion Time, Surveillance, or Frequency, only the first level of logic is used, and the logical connector is left justified with the statement of the Condition, Completion Time, Surveillance, or Frequency.
NuScale [US600]                                1.2-1                                    Revision 4.0
 
Logical Connectors 1.2 1.2 Logical Connectors EXAMPLES            The following examples illustrate the use of logical connectors.
EXAMPLE 1.2-1 ACTIONS CONDITION            REQUIRED ACTION            COMPLETION TIME A. LCO not          A.1 Verify met.
AND A.2 Restore In this example, the logical connector AND is used to indicate that when in Condition A, both Required Actions A.1 and A.2 must be completed.
NuScale [US600]                            1.2-2                                  Revision 4.0
 
Logical Connectors 1.2 1.2 Logical Connectors EXAMPLES (continued)
EXAMPLE 1.2-2 ACTIONS CONDITION            REQUIRED ACTION          COMPLETION TIME A. LCO not met.      A.1    Trip OR A.2.1  Verify AND A.2.2.1 Reduce OR A.2.2.2 Perform OR A.3    Align This example represents a more complicated use of logical connectors.
Required Actions A.1, A.2, and A.3 are alternative choices, only one of which must be performed as indicated by the use of the logical connector OR and the left justified placement. Any one of these three Actions may be chosen. If A.2 is chosen, then both A.2.1 and A.2.2 must be performed as indicated by the logical connector AND. Required Action A.2.2 is met by performing A.2.2.1 or A.2.2.2. The indented position of the logical connector OR indicates that A.2.2.1 and A.2.2.2 are alternative choices, only one of which must be performed.
NuScale [US600]                              1.2-3                                Revision 4.0
 
Completion Times 1.3 1.0 USE AND APPLICATION 1.3 Completion Times PURPOSE            The purpose of this section is to establish the Completion Time convention and to provide guidance for its use.
BACKGROUND          Limiting Conditions for Operation (LCOs) specify minimum requirements for ensuring safe operation of the unit. The ACTIONS associated with an LCO state Conditions that typically describe the ways in which the requirements of the LCO can fail to be met. Specified with each stated Condition are Required Action(s) and Completion Time(s).
DESCRIPTION        The Completion Time is the amount of time allowed for completing a Required Action. It is referenced to the discovery of a situation (e.g.,
inoperable equipment or variable not within limits) that requires entering an ACTIONS Condition unless otherwise specified, providing the unit is in a MODE or specified condition stated in the Applicability of the LCO.
Unless otherwise specified, the Completion Time begins when a senior licensed operator on the operating shift crew with responsibility for plant operations makes the determination that an LCO is not met and an ACTIONS Condition is entered. The "otherwise specified" exceptions are varied, such as a Required Action Note or Surveillance Requirement Note that provides an alternative time to perform specific tasks, such as testing, without starting the Completion Time. While utilizing the Note, should a Condition be applicable for any reason not addressed by the Note, the Completion Time begins. Should the time allowance in the Note be exceeded, the Completion Time begins at that point.
Required Actions must be completed prior to the expiration of the specified Completion Time. An ACTIONS Condition remains in effect and the Required Actions apply until the Condition no longer exists or the unit is not within the LCO Applicability.
If situations are discovered that require entry into more than one Condition at a time within a single LCO (multiple Conditions), the Required Actions for each Condition must be performed within the associated Completion Time. When in multiple Conditions, separate Completion Times are tracked for each Condition starting from the discovery of the situation that required entry into the Condition, unless otherwise specified.
NuScale [US600]                              1.3-1                                  Revision 4.0
 
Completion Times 1.3 1.3 Completion Times DESCRIPTION (continued)
Once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition, unless specifically stated. The Required Actions of the Condition continue to apply to each additional failure, with Completion Times based on initial entry into the Condition, unless otherwise specified.
However, when a subsequent train, subsystem, component, or variable, expressed in the Condition, is discovered to be inoperable or not within limits, the Completion Time(s) may be extended. To apply this Completion Time extension, two criteria must first be met. The subsequent inoperability:
: a. Must exist concurrent with the first inoperability; and
: b. Must remain inoperable or not within limits after the first inoperability is resolved.
The total Completion Time allowed for completing a Required Action to address the subsequent inoperability shall be limited to the more restrictive of either:
: a. The stated Completion Time, as measured from the initial entry into the Condition, plus an additional 24 hours; or
: b. The stated Completion Time as measured from discovery of the subsequent inoperability.
The above Completion Time extensions do not apply to those Specifications that have exceptions that allow completely separate re-entry into the Condition (for each train, subsystem, component, or variable expressed in the Condition) and separate tracking of Completion Times based on this re-entry. These exceptions are stated in individual Specifications.
The above Completion Time extension does not apply to a Completion Time with a modified time zero. This modified time zero may be expressed as a repetitive time (i.e., once per 8 hours, where the Completion Time is referenced from a previous completion of the Required Action versus the time of Condition entry) or as a time modified by the phrase from discovery ....
NuScale [US600]                              1.3-2                                    Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES            The following examples illustrate the use of Completion Times with different types of Conditions and changing Conditions.
EXAMPLE 1.3-1 ACTIONS CONDITION            REQUIRED ACTION          COMPLETION TIME B. Required          B.1 Be in MODE 2.          6 hours Action and associated        AND Completion Time not met.      B.2 Be in MODE 3.          36 hours Condition B has two Required Actions. Each Required Action has its own separate Completion Time. Each Completion Time is referenced to the time that Condition B is entered.
The Required Actions of Condition B are to be in MODE 2 within 6 hours AND in MODE 3 in 36 hours. A total of 6 hours is allowed for reaching MODE 2 and a total of 36 hours (not 42 hours) is allowed for reaching MODE 3 from the time that Condition B was entered. If MODE 2 is reached within 3 hours, the time allowed for reaching MODE 3 is the next 33 hours because the total time allowed for reaching MODE 3 is 36 hours.
If Condition B is entered while in MODE 2, the time allowed for reaching MODE 3 is the next 36 hours.
NuScale [US600]                              1.3-3                                Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
EXAMPLE 1.3-2 ACTIONS CONDITION            REQUIRED ACTION          COMPLETION TIME A. One valve          A.1 Restore valve to        7 days inoperable.              OPERABLE status.
B. Required            B.1 Be in MODE 2.          6 hours Action and associated          AND Completion Time not met.      B.2 Be in MODE 3.          36 hours When a valve is declared inoperable, Condition A is entered. If the valve is not restored to OPERABLE status within 7 days, Condition B is also entered and the Completion Time clocks for Required Actions B.1 and B.2 start. If the inoperable valve is restored to OPERABLE status after Condition B is entered, Condition A and B are exited, and therefore, the Required Actions of Condition B may be terminated.
When a second valve is declared inoperable while the first valve is still inoperable, Condition A is not re-entered for the second valve. LCO 3.0.3 is entered, since the ACTIONS do not include a Condition for more than one inoperable valve. The Completion Time clock for Condition A does not stop after LCO 3.0.3 is entered, but continues to be tracked from the time Condition A was initially entered.
While in LCO 3.0.3, if one of the inoperable valves is restored to OPERABLE status and the Completion Time for Condition A has not expired, LCO 3.0.3 may be exited and operation continued in accordance with Condition A.
While in LCO 3.0.3, if one of the inoperable valves is restored to OPERABLE status and the Completion Time for Condition A has expired, LCO 3.0.3 may be exited and operation continued in accordance with Condition B. The Completion Time for Condition B is tracked from the time the Condition A Completion Time expired.
NuScale [US600]                              1.3-4                                Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
On restoring one of the valves to OPERABLE status the Condition A Completion Time is not reset, but continues from the time the first valve was declared inoperable. This Completion Time may be extended if the valve restored to OPERABLE status was the first inoperable valve.
A 24 hour extension to the stated 7 days is allowed, provided this does not result in the second valve being inoperable for > 7 days.
EXAMPLE 1.3-3 ACTIONS CONDITION            REQUIRED ACTION            COMPLETION TIME A. One Function      A.1 Restore Function X      7 days X train                train to OPERABLE inoperable.            status.
B. One Function      B.1 Restore Function Y      72 hours Y train                train to OPERABLE inoperable.            status.
C. One Function      C.1 Restore Function X      72 hours X train                train to OPERABLE inoperable.            status.
AND              OR One Function      C.2 Restore Function Y      72 hours Y train                train to OPERABLE inoperable.            status.
NuScale [US600]                            1.3-5                                Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
When one Function X train and one Function Y train are inoperable, Condition A and Condition B are concurrently applicable. The Completion Times for Condition A and Condition B are tracked separately for each train starting from the time each train was declared inoperable and the Condition was entered. A separate Completion Time is established for Condition C and tracked from the time the second train was declared inoperable (i.e., the time the situation described in Condition C was discovered).
If Required Action C.2 is completed within the specified Completion Time, Conditions B and C are exited. If the Completion Time for Required Action A.1 has not expired, operation may continue in accordance with Condition A. The remaining Completion Time in Condition A is measured from the time the affected train was declared inoperable (i.e., initial entry into Condition A).
It is possible to alternate between Conditions A, B, and C in such a manner that operation could continue indefinitely without ever restoring the LCO. However, doing so would be inconsistent with the basis of the Completion Times. Therefore, there shall be administrative controls to limit the maximum time allowed for any combination of Conditions that result in a single contiguous occurrence of failing to meet the LCO. These administrative controls shall ensure that the Completion Times for those Conditions are not inappropriately extended.
NuScale [US600]                              1.3-6                                  Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
EXAMPLE 1.3-4 ACTIONS CONDITION            REQUIRED ACTION            COMPLETION TIME A. One or more          A.1 Restore valve(s) to      4 hours valves                  OPERABLE status.
inoperable.
B. Required            B.1 Be in MODE 2.            6 hours Action and associated        AND Completion Time not met.      B.2 Be in MODE 3.            36 hours A single Completion Time is used for any number of valves inoperable at the same time. The Completion Time associated with Condition A is based on the initial entry into Condition A and is not tracked on a per valve basis. Declaring subsequent valves inoperable, while Condition A is still in effect, does not trigger the tracking of separate Completion Times.
Once one of the valves has been restored to OPERABLE status, the Condition A Completion Time is not reset, but continues from the time the first valve was declared inoperable. The Completion Time may be extended if the valve restored to OPERABLE status was the first inoperable valve. The Condition A Completion Time may be extended for up to 4 hours provided this does not result in any subsequent valve being inoperable for > 4 hours.
If the Completion Time of 4 hours (including the extension) expires while one or more valves are still inoperable, Condition B is entered.
NuScale [US600]                                1.3-7                                Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
EXAMPLE 1.3-5 ACTIONS
                    -------------------------------------------NOTE----------------------------------------------
Separate Condition entry is allowed for each inoperable valve.
CONDITION                  REQUIRED ACTION                    COMPLETION TIME A. One or more              A.1 Restore valve to                  4 hours valves                        OPERABLE status.
inoperable.
B. Required                B.1 Be in MODE 2.                    6 hours Action and associated              AND Completion Time not met.          B.2 Be in MODE 3.                    36 hours The Note above the ACTIONS Table is a method of modifying how the Completion Time is tracked. If this method of modifying how the Completion Time is tracked was only applicable to a specific Condition, the Note would appear in that Condition rather than at the top of the ACTIONS Table.
The Note allows Condition A to be entered separately for each inoperable valve, and Completion Times tracked on a per valve basis. When a valve is declared inoperable, Condition A is entered and its Completion Time starts. If subsequent valves are declared inoperable, Condition A is entered for each valve and separate Completion Times start and are tracked for each valve.
If the Completion Time associated with a valve in Condition A expires, Condition B is entered for that valve. If the Completion Times associated with subsequent valves in Condition A expire, Condition B is entered separately for each valve and separate Completion Times start and are tracked for each valve. If a valve which caused entry into Condition B is restored to OPERABLE status, Condition B is exited for that valve. Since the Note in this example allows multiple Condition entry and tracking of separate Completion Times, Completion Time extensions do not apply.
NuScale [US600]                                    1.3-8                                              Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
EXAMPLE 1.3-6 ACTIONS CONDITION            REQUIRED ACTION            COMPLETION TIME A. One channel        A.1 Perform SR 3.x.x.x.        Once per 8 hours inoperable.
OR A.2 Reduce THERMAL              8 hours POWER to  50%
RTP.
B. Required          B.1 Be in MODE 2.              6 hours Action and associated Completion Time not met.
Entry into Condition A offers a choice between Required Action A.1 or A.2. Required Action A.1 has a once per Completion Time, which qualifies for the 25% extension, per SR 3.0.2, to each performance after the initial performance. The initial 8 hour interval of Required Action A.1 begins when Condition A is entered and the initial performance of Required Action A.1 must be complete within the first 8 hour interval. If Required Action A.1 is followed, and the Required Action is not met within the Completion Time (plus the extension allowed by SR 3.0.2),
Condition B is entered. If Required Action A.2 is followed and the Completion Time of 8 hours is not met, Condition B is entered.
If after entry into Condition B, Required Action A.1 or A.2 is met, Condition B is exited and operation may then continue in Condition A.
NuScale [US600]                              1.3-9                                  Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
EXAMPLE 1.3-7 ACTIONS CONDITION            REQUIRED ACTION          COMPLETION TIME A. One                A.1 Verify affected        1 hour subsystem              subsystem isolated.
inoperable.                                  AND Once per 8 hours thereafter AND A.2 Restore subsystem      72 hours to OPERABLE status.
B. Required            B.1 Be in MODE 2.          6 hours Action and associated        AND Completion Time not met.      B.2 Be in MODE 3.          36 hours Required Action A.1 has two Completion Times. The 1 hour Completion Time begins at the time the Condition is entered and each Once per 8 hours thereafter interval begins upon performance of Required Action A.1.
NuScale [US600]                            1.3-10                                Revision 4.0
 
Completion Times 1.3 1.3 Completion Times EXAMPLES (continued)
If after Condition A is entered, Required Action A.1 is not met within either the initial 1 hour, or any subsequent 8 hour interval from the previous performance (plus the extension allowed by SR 3.0.2), Condition B is entered. The Completion Time clock for Condition A does not stop after Condition B is entered, but continues from the time Condition A was initially entered. If Required Action A.1 is met after Condition B is entered, Condition B is exited and operation may continue in accordance with Condition A, provided the Completion Time for Required Action A.2 has not expired.
IMMEDIATE          When Immediately is used as a Completion Time, the Required Action COMPLETION          should be pursued without delay and in a controlled manner.
TIME NuScale [US600]                              1.3-11                                  Revision 4.0
 
Frequency 1.4 1.0 USE AND APPLICATION 1.4 Frequency PURPOSE          The purpose of this section is to define the proper use and application of Frequency requirements.
DESCRIPTION      Each Surveillance Requirement (SR) has a specified Frequency in which the surveillance must be met in order to meet the associated LCO. An understanding of the correct application of the specified Frequency is necessary for compliance with the SR.
The specified Frequency is referred to throughout this section and each of the Specifications of Section 3.0, Surveillance Requirement (SR)
Applicability. The specified Frequency consists of the requirements of the Frequency column of each SR as well as certain Notes in the Surveillance column that modify performance requirements.
Sometimes special situations dictate when the requirements of a Surveillance are to be met. They are otherwise stated conditions allowed by SR 3.0.1. They may be stated as clarifying Notes in the Surveillance, as part of the Surveillances, or both.
Situations where a Surveillance could be required (i.e., its Frequency could expire), but where it is not possible or not desired that it be performed until sometime after the associated LCO is within its Applicability, represent potential SR 3.0.4 conflicts. To avoid these conflicts, the SR (i.e., the Surveillance or the Frequency) is stated such that it is only required when it can be and should be performed. With an SR satisfied, SR 3.0.4 imposes no restriction.
The use of met or performed in these instances conveys specific meanings. A Surveillance is met only when the acceptance criteria are satisfied. Known failure of the requirements of a Surveillance, even without a Surveillance specifically being "performed," constitutes a Surveillance not met. Performance refers only to the requirement to specifically determine the ability to meet the acceptance criteria.
Some Surveillances contain notes that modify the Frequency of performance or the conditions during which the acceptance criteria must be satisfied. For these Surveillances, the MODE-entry restrictions of SR 3.0.4 may not apply. Such a Surveillance is not required to be performed prior to entering a MODE or other specified condition in the Applicability of the associated LCO if any of the following three conditions are satisfied:
NuScale [US600]                            1.4-1                                  Revision 4.0
 
Frequency 1.4 1.4 Frequency DESCRIPTION (continued)
: a. The Surveillance is not required to be met in the MODE or other specified condition to be entered; or
: b. The Surveillance is required to be met in the MODE or other specified condition to be entered, but has been performed within the specified Frequency (i.e., it is current) and is known not to be failed; or
: c. The Surveillance is required to be met, but not performed, in the MODE or other specified condition to be entered, and is known not to be failed.
Examples 1.4-3, 1.4-4, 1.4-5, and 1.4-6 discuss these special situations.
EXAMPLES          The following examples illustrate the various ways that Frequencies are specified. In these examples, the Applicability of the LCO (LCO not shown) is MODES 1 and 2.
EXAMPLE 1.4-1 SURVEILLANCE REQUIREMENTS SURVEILLANCE                              FREQUENCY Perform CHANNEL CHECK.                                12 hours Example 1.4-1 contains the type of SR most often encountered in the Technical Specifications (TS). The Frequency specifies an interval (12 hours) during which the associated Surveillance must be performed at least one time. Performance of the Surveillance initiates the subsequent interval. Although the Frequency is stated as 12 hours, an extension of the time interval to 1.25 times the stated Frequency is allowed by SR 3.0.2 for operational flexibility. The measurement of this interval continues at all times, even when the SR in not required to be met per SR 3.0.1 (such as when the equipment is inoperable, a variable is outside the specified limits, or the unit is outside the Applicability of the LCO). If the interval specified by SR 3.0.2 is exceeded while the unit is in a MODE or other specified condition in the Applicability of the LCO, and the performance of the Surveillance is not otherwise modified (refer to Example 1.4-3), then SR 3.0.3 becomes applicable.
NuScale [US600]                            1.4-2                                    Revision 4.0
 
Frequency 1.4 1.4 Frequency EXAMPLES (continued)
If the interval specified by SR 3.0.2 is exceeded while the unit is not in a MODE or other specified condition in the Applicability of the LCO for which performance of the SR is required, then SR 3.0.4 becomes applicable. The Surveillance must be performed within the Frequency requirements of SR 3.0.2, as modified by SR 3.0.3, prior to entry into the MODE or other specified condition or the LCO is considered not met (in accordance with SR 3.0.1) and LCO 3.0.4 becomes applicable.
EXAMPLE 1.4-2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                          FREQUENCY Verify flow is within limits.                        Once within 12 hours after 25% RTP AND 24 hours thereafter Example 1.4-2 has two Frequencies. The first is a one time performance Frequency, and the second is of the type shown in Example 1.4-1. The logical connector AND indicates that both Frequency requirements must be met. Each time the reactor power is increased from a power level
                  < 25% RTP to  25% RTP, the Surveillance must be performed within 12 hours.
The use of once indicates a single performance will satisfy the specified Frequency (assuming no other Frequencies are connected by AND).
This type of Frequency does not qualify for the 25% extension allowed by SR 3.0.2. Thereafter indicates future performances must be established per SR 3.0.2, but only after a specified condition is first met (i.e., the once performance in this example). If reactor power decreases to < 25% RTP, the measurement of both intervals stops. New intervals start upon reactor power reaching 25% RTP.
NuScale [US600]                              1.4-3                                Revision 4.0
 
Frequency 1.4 1.4 Frequency EXAMPLES (continued)
EXAMPLE 1.4-3 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY
                    -----------------------------NOTE-------------------------
Not required to be performed until 12 hours after  25% RTP.
Perform channel adjustment.                                    7 days The interval continues, whether or not the unit operation is < 25% RTP between performances.
As the Note modifies the required performance of the Surveillance, it is construed to be part of the specified Frequency. Should the 7 day interval be exceeded while operation is < 25% RTP, this Note allows 12 hours after power reaches  25% RTP to perform the Surveillance.
The Surveillance is still considered to be performed within the specified Frequency. Therefore, if the Surveillance were not performed within the 7 day (plus the extension allowed by SR 3.0.2) interval, but operation was
                  < 25% RTP, it would not constitute a failure of the SR or failure to meet the LCO. Also, no violation of SR 3.0.4 occurs when changing MODES, even with the 7 day Frequency not met, provided operation does not exceed 12 hours (plus the extension allowed by SR 3.0.2) with power 25% RTP.
Once the unit reaches 25% RTP, 12 hours would be allowed for completing the Surveillance. If the Surveillance were not performed within this 12 hour interval (plus the extension allowed by SR 3.0.2), there would then be a failure to perform a Surveillance within the specified Frequency, and the provisions of SR 3.0.3 would apply.
NuScale [US600]                                  1.4-4                                    Revision 4.0
 
Frequency 1.4 1.4 Frequency EXAMPLES (continued)
EXAMPLE 1.4-4 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY
                    -----------------------------NOTE-------------------------
Only required to be met in MODE 1.
Verify leakage rates are within limits.                        24 hours Example 1.4-4 specifies that the requirements of this Surveillance do not have to be met until the unit is in MODE 1. The interval measurement for the Frequency of this Surveillance continues at all times, as described in Example 1.4-1. However, the Note constitutes an otherwise stated exception to the Applicability of this Surveillance. Therefore, if the Surveillance were not performed within the 24 hour interval (plus the extension allowed by SR 3.0.2), but the unit was not in MODE 1, there would be no failure of the SR nor failure to meet the LCO. Therefore, no violation of SR 3.0.4 occurs when changing MODES, even with the 24 hour Frequency exceeded, provided the MODE change was not made into MODE 1. Prior to entering MODE 1 (assuming again that the 24 hour Frequency were not met), SR 3.0.4 would require satisfying the SR.
NuScale [US600]                                  1.4-5                                      Revision 4.0
 
Frequency 1.4 1.4 Frequency EXAMPLES (continued)
EXAMPLE 1.4-5 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY
                    -----------------------------NOTE-------------------------
Only required to be performed in MODE 1.
Perform complete cycle of the valve.                            7 days The interval continues, whether or not the unit operation is in MODE 1 or 2 (the assumed Applicability of the associated LCO) between performances.
As the Note modifies the required performance of the Surveillance, the Note is construed to be part of the specified Frequency. Should the 7 day interval be exceeded while operation is not in MODE 1, this Note allows entry into and operation in MODE 2 to perform the Surveillance.
The Surveillance is still considered to be performed within the specified Frequency if completed prior to entering MODE 1. Therefore, if the Surveillance were not performed within the 7 day (plus the extension allowed by SR 3.0.2) interval, but operation was not in MODE 1, it would not constitute a failure of the SR or failure to meet the LCO. Also, no violation of SR 3.0.4 occurs when changing MODES, even with the 7 day Frequency not met, provided operation does not result in entry into MODE 1.
Once the unit reaches MODE 1, the requirement for the Surveillance to be performed within its specified Frequency applies and would require that the Surveillance had been performed. If the Surveillance were not performed prior to entering MODE 1, there would then be a failure to perform a Surveillance within the specified Frequency, and the provisions of SR 3.0.3 would apply.
NuScale [US600]                                  1.4-6                                    Revision 4.0
 
Frequency 1.4 1.4 Frequency EXAMPLES (continued)
EXAMPLE 1.4-6 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY
                    -----------------------------NOTE-------------------------
Not required to be met in MODE 2.
Verify parameter is within limits.                              24 hours Example 1.4-6 specifies that the requirements of this Surveillance do not have to be met while the unit is in MODE 2 (the assumed Applicability of the associated LCO is MODES 1 and 2). The interval measurement for the Frequency of this Surveillance continues at all times, as described in Example 1.4-1. However, the Note constitutes an otherwise stated exception to the Applicability of this Surveillance. Therefore, if the Surveillance were not performed within the 24 hour interval (plus the extension allowed by SR 3.0.2), and the unit was in MODE 2, there would be no failure of the SR nor failure to meet the LCO. Therefore, no violation of SR 3.0.4 occurs when changing MODES to enter MODE 2, even with the 24 hour Frequency exceeded, provided the MODE change does not result in entry into MODE 1. Prior to entering MODE 1 (assuming again that the 24 hour Frequency were not met), SR 3.0.4 would require satisfying the SR.
NuScale [US600]                                  1.4-7                                      Revision 4.0
 
SLs 2.0 2.0 SAFETY LIMITS (SLs) 2.1 SLs 2.1.1    Reactor Core SLs 2.1.1.1    In MODE 1 the critical heat flux ratio shall be maintained at or above the following correlation safety limits:
Correlation            Safety Limit NSP2                      [1.17]
NSP4                      [1.21]
Extended Hench-Levy [1.06]
2.1.1.2    In MODE 1 the peak fuel centerline temperature shall be maintained  { 4901 - (1.37E-3 x Burnup, MWD/MTU) } &deg;F.
2.1.2    RCS Pressure SL In MODES 1, 2, and 3 pressurizer pressure shall be maintained  2285 psia.
2.2 Safety Limit Violations 2.2.1    If SL 2.1.1 is violated, restore compliance and be in MODE 2 within 1 hour.
2.2.2    If SL 2.1.2 is violated:
2.2.2.1    In MODE 1, restore compliance and be in MODE 2 within 1 hour.
2.2.2.2    In MODE 2 or 3, restore compliance within 5 minutes.
NuScale [US600]                                2.0-1                                  Revision 4.0
 
LCO Applicability 3.0 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY LCO 3.0.1        LCOs shall be met during the MODES or other specified conditions in the Applicability, except as provided in LCO 3.0.2, [and] LCO 3.0.7[,
and LCO 3.0.8].
LCO 3.0.2        Upon discovery of a failure to meet an LCO, the Required Actions of the associated Conditions shall be met, except as provided in LCO 3.0.5 and 3.0.6.
If the LCO is met or is no longer applicable prior to expiration of the specified Completion Time(s), completion of the Required Action(s) is not required, unless otherwise stated.
LCO 3.0.3        When an LCO is not met and the associated ACTIONS are not met, an associated ACTION is not provided, or if directed by the associated ACTIONS, the unit shall be placed in a MODE or other specified condition in which the LCO is not applicable. Action shall be initiated within 1 hour to place the unit, as applicable, in:
: a. MODE 2 within 7 hours; and
: b. MODE 3 and PASSIVELY COOLED within 37 hours.
Exceptions to this Specification are stated in the individual Specifications.
Where corrective measures are completed that permit operation in accordance with the LCO or ACTIONS, completion of the actions required by LCO 3.0.3 is not required.
LCO 3.0.3 is only applicable in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED.
LCO 3.0.4        When an LCO is not met, entry into a MODE or other specified condition in the Applicability shall only be made:
: a. When the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time; NuScale [US600]                            3.0-1                                  Revision 4.0
 
LCO Applicability 3.0 3.0 LCO APPLICABILITY LCO 3.0.4 (continued)
: b. After performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate (exceptions to this Specification are stated in the individual Specifications); or
: c. When an allowance is stated in the individual value, parameter, or other Specification.
This Specification shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
LCO 3.0.5          Equipment removed from service or declared inoperable to comply with ACTIONS may be returned to service under administrative control solely to perform testing required to demonstrate its OPERABILITY or the OPERABILITY of other equipment. This is an exception to LCO 3.0.2 for the system returned to service under administrative control to perform the testing required to demonstrate OPERABILITY.
LCO 3.0.6          When a supported system LCO is not met solely due to a support system LCO not being met, the Conditions and Required Actions associated with this supported system are not required to be entered.
Only the support system LCO ACTIONS are required to be entered.
This is an exception to LCO 3.0.2 for the supported system. In this event, an evaluation shall be performed in accordance with Specification 5.5.8, Safety Function Determination Program (SFDP). If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.
When a support systems Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.
NuScale [US600]                            3.0-2                                  Revision 4.0
 
LCO Applicability 3.0 3.0 LCO APPLICABILITY LCO 3.0.7        Test Exception LCO 3.1.8 allows specified Technical Specification (TS) requirements to be changed to permit performance of special tests and operations. Unless otherwise specified, all other TS requirements remain unchanged. Compliance with Test Exception LCOs is optional.
When a Test Exception LCO is desired to be met but is not met, the ACTIONS of the Test Exception LCO shall be met. When a Test Exception LCO is not desired to be met, entry into a MODE or other specified condition in the Applicability shall be made in accordance with the other applicable Specifications.
[ ------------------------------ REVIEWERS NOTE ------------------------------------
A COL applicant who wants to adopt LCO 3.0.8 must perform or reference a risk assessment for the NuScale design that has been submitted to the NRC, and that was prepared consistent with the bounding generic risk assessment provided in TSTF-427-A, Rev. 2, Allowance for Non-Technical Specification Barrier Degradation on Supported System OPERABILITY.
                  ------------------------------------------------------------------------------------------------]
[LCO 3.0.8      When one or more required barriers are unable to perform their related support function(s), any supported system LCO(s) are not required to be declared not met solely for this reason for up to 30 days provided that at least one train or subsystem of the supported system is OPERABLE and supported by barriers capable of providing their related support function(s), and risk is assessed and managed. This Specification may be concurrently applied to more than one train or subsystem of a multiple train or subsystem supported system provided at least one train or subsystem of the supported system is OPERABLE and the barriers supporting each of these trains or subsystems provide their related support function(s) for different categories of initiating events.
If the required OPERABLE train or subsystem becomes inoperable while this Specification is in use, it must be restored to OPERABLE status within 24 hours or the provisions of this Specification cannot be applied to the trains or subsystems supported by the barriers that cannot perform their related support function(s).
At the end of the specified period, the required barriers must be able to perform their related support function(s) or the supported system LCO(s) shall be declared not met.]
NuScale [US600]                                  3.0-3                                              Revision 4.0
 
SR Applicability 3.0 3.0 SURVEILLANCE REQUIREMENTS (SR) APPLICABILITY SR 3.0.1        SRs shall be met during the MODES or other specified Conditions in the applicability of individual LCOs, unless otherwise stated in the SR.
Failure to meet a Surveillance, whether such failure is experienced during the performance of the Surveillance or between performances of the Surveillance, shall be a failure to meet the LCO. Failure to perform a Surveillance within the specified Frequency shall be failure to meet the LCO except as provided in SR 3.0.3. Surveillances do not have to be performed on inoperable equipment or variables outside specified limits.
SR 3.0.2        The specified Frequency for each SR is met if the Surveillance is performed within 1.25 times the interval specified in the Frequency, as measured from the previous performance or as measured from the time a specified condition of the Frequency is met.
For Frequencies specified as once, the above interval extension does not apply.
If a Completion Time requires periodic performance on a once per...
basis, the above Frequency extension applies to each performance after the initial performance.
Exceptions to this Specification are stated in the individual Specifications.
SR 3.0.3        If it is discovered that a Surveillance was not performed within its specified Frequency, then compliance with the requirement to declare the LCO not met may be delayed, from the time of discovery up to 24 hours or up to the limit of the specified Frequency, whichever is greater. This delay period is permitted to allow performance of the Surveillance. The delay period is only applicable when there is a reasonable expectation the Surveillance will be met when performed.
A risk evaluation shall be performed for any Surveillance delayed greater than 24 hours and the risk impact shall be managed.
If the Surveillance is not performed within the delay period, the LCO must immediately be declared not met, and the applicable Condition(s) must be entered.
When the Surveillance is performed within the delay period, and the Surveillance is not met, the LCO must immediately be declared not met, and the applicable Condition(s) must be entered.
NuScale [US600]                            3.0-4                                Revision 4.0
 
SR Applicability 3.0 3.0 SR APPLICABILITY SR 3.0.4          Entry into a MODE or other specified condition in the Applicability of a LCO shall only be made when the LCO's Surveillances have been met within their specified frequency, except as provided by SR 3.0.3. When an LCO is not met due to Surveillances not having been met, entry into a MODE or other specified condition in the Applicability shall only be made in accordance with LCO 3.0.4.
This provision shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unit.
NuScale [US600]                            3.0-5                                  Revision 4.0
 
SDM 3.1.1 3.1 REACTIVITY CONTROL SYSTEMS 3.1.1 SHUTDOWN MARGIN (SDM)
LCO 3.1.1            SDM shall be within the limits specified in the COLR.
APPLICABILITY:      MODE 1 with keff < 1.0, MODES 2, 3, and 4.
ACTIONS CONDITION                            REQUIRED ACTION                            COMPLETION TIME A. SDM not within limits.          A.1      Initiate boration to restore              15 minutes SDM to within limits.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.1.1.1      ------------------------------NOTE--------------------------------
Not required to be performed in MODE 4.
Verify SDM to be within limits specified in the COLR.                    In accordance with the Surveillance Frequency Control Program NuScale [US600]                                    3.1.1-1                                        Revision 4.0
 
Core Reactivity 3.1.2 3.1 REACTIVITY CONTROL SYSTEMS 3.1.2 Core Reactivity LCO 3.1.2              The core reactivity balance shall be within +/-1% k/k of the normalized predicted values.
APPLICABILITY:        MODE 1.
ACTIONS CONDITION                      REQUIRED ACTION                COMPLETION TIME A. Core reactivity balance      A.1    Re-evaluate core design and  7 days not within limit.                    safety analysis and determine that the reactor core is acceptable for continued operation.
AND A.2    Establish appropriate        7 days operating restrictions.
B. Required Action and          B.1    Be in MODE 2.                6 hours associated Completion Time not met.
NuScale [US600]                              3.1.2-1                              Revision 4.0
 
Core Reactivity 3.1.2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                  FREQUENCY SR 3.1.2.1    ------------------------------NOTE--------------------------------
Predicted reactivity values may be adjusted to correspond to measured core reactivity prior to exceeding a fuel burnup of 60 effective full power days (EFPDs) after each refueling.
Verify overall core reactivity balance is within                      Once prior to
                +/-1% k/k of predicted values.                                          exceeding 5% RTP after each refueling AND
                                                                                      --------NOTE--------
Only required after 60 EFPDs.
In accordance with the Surveillance Frequency Control Program NuScale [US600]                                  3.1.2-2                                        Revision 4.0
 
MTC 3.1.3 3.1 REACTIVITY CONTROL SYSTEMS 3.1.3 Moderator Temperature Coefficient (MTC)
LCO 3.1.3            MTC shall be within limits specified in the COLR.
APPLICABILITY:      MODE 1 for upper MTC limit, MODES 1 and 2 for lower MTC limit, MODE 3 with any RCS temperature  200 &deg;F for lower MTC limit.
ACTIONS CONDITION                  REQUIRED ACTION                  COMPLETION TIME A. MTC not within limits. A.1    Be in MODE 2.                  6 hours B. MTC not within lower      B.1    Be in MODE 3 with all          48 hours limit.                            RCS temperatures
                                      < 200 &deg;F.
NuScale [US600]                            3.1.3-1                            Revision 4.0
 
MTC 3.1.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE                    FREQUENCY SR 3.1.3.1    Verify MTC is within the upper limit. Once prior to exceeding 5% RTP after each refueling SR 3.1.3.2    Verify MTC is within the lower limit. Once within 7 effective full power days (EFPDs) after reaching 40 EFPDs fuel burnup from beginning of cycle (BOC)
AND Once within 7 EFPDs after reaching 2/3 fuel burnup from BOC AND
                                                      -------NOTE-------
Only required when projected end of cycle MTC is not within limit.
7 EFPDs thereafter NuScale [US600]                          3.1.3-2              Revision 4.0
 
Rod Group Alignment Limits 3.1.4 3.1 REACTIVITY CONTROL SYSTEMS 3.1.4 Rod Group Alignment Limits LCO 3.1.4              All shutdown and regulating control rod assemblies (CRAs) shall be OPERABLE.
AND Individual CRA positions shall be within 6 steps of their group position.
APPLICABILITY:        MODE 1.
ACTIONS CONDITION                      REQUIRED ACTION                    COMPLETION TIME A. One or more CRAs              A.1.1  Verify SDM to be within          1 hour inoperable.                        limits specified in the COLR.
OR OR One or more CRAs not within alignment limits. A.1.2  Initiate boration to restore      1 hour SDM to within limit.
AND A.2    Be in MODE 2.                    6 hours NuScale [US600]                              3.1.4-1                                  Revision 4.0
 
Rod Group Alignment Limits 3.1.4 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                  FREQUENCY SR 3.1.4.1    -----------------------------NOTE-------------------------------
Not required to be performed for CRAs associated with an inoperable rod position indicator.
Verify position of individual CRAs within alignment                    In accordance limit.                                                                with the Surveillance Frequency Control Program SR 3.1.4.2    Verify CRA freedom of movement (trippability) by                      In accordance moving each CRA not fully inserted in the                              with the core  4 steps in either direction.                                    Surveillance Frequency Control Program SR 3.1.4.3    Verify each CRA drop time is  2.2 seconds.                            Prior to reactor criticality after each removal of the upper reactor pressure vessel section NuScale [US600]                                  3.1.4-2                                        Revision 4.0
 
Shutdown Bank Insertion Limits 3.1.5 3.1 REACTIVITY CONTROL SYSTEMS 3.1.5 Shutdown Bank Insertion Limits LCO 3.1.5            Each shutdown bank group shall be within insertion limits specified in the COLR.
APPLICABILITY:        MODE 1.
                      --------------------------------------------NOTE---------------------------------------------
This LCO is not applicable while performing SR 3.1.4.2.
ACTIONS CONDITION                            REQUIRED ACTION                            COMPLETION TIME A. One or more shutdown            A.1.1      Verify SDM is within the                1 hour groups not within                        limits specified in the insertion limits.                        COLR.
OR A.1.2      Initiate boration to restore            1 hour SDM to within limit.
AND A.2        Restore shutdown groups                  2 hours to within limits.
B. Required Action and            B.1        Be in MODE 2.                            6 hours associated Completion Time not met.
NuScale [US600]                                    3.1.5-1                                            Revision 4.0
 
Shutdown Bank Insertion Limits 3.1.5 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.1.5.1    Verify each shutdown bank group is within the        In accordance insertion limits specified in the COLR.              with the Surveillance Frequency Control Program NuScale [US600]                            3.1.5-2                          Revision 4.0
 
Regulating Bank Insertion Limits 3.1.6 3.1 REACTIVITY CONTROL SYSTEMS 3.1.6 Regulating Bank Insertion Limits LCO 3.1.6              Each regulating bank group shall be within the insertion limits specified in the COLR.
APPLICABILITY:        MODE 1 with keff  1.0.
                      --------------------------------------------NOTE---------------------------------------------
This LCO is not applicable while performing SR 3.1.4.2.
ACTIONS CONDITION                            REQUIRED ACTION                            COMPLETION TIME A. One or more regulating            A.1.1    Verify SDM is within the                  1 hour groups not within                          limits specified in the insertion limits.                          COLR.
OR A.1.2    Initiate boration to restore              1 hour SDM to within limits.
AND A.2      Restore regulating groups                2 hours to within limits.
B. Required Action and              B.1      Be in MODE 1 with                        6 hours associated Completion                      keff < 1.0.
Time not met.
NuScale [US600]                                      3.1.6-1                                            Revision 4.0
 
Regulating Bank Insertion Limits 3.1.6 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                      FREQUENCY SR 3.1.6.1    Verify each regulating bank group is within the          In accordance with insertion limits specified in the COLR.                  the Surveillance Frequency Control Program NuScale [US600]                            3.1.6-2                              Revision 4.0
 
Rod Position Indication 3.1.7 3.1 REACTIVITY CONTROL SYSTEMS 3.1.7 Rod Position Indication (RPI)
LCO 3.1.7                    The Control Rod Drive System (CRDS) Rod Position Indicators (RPIs) and the Control Rod Assembly (CRA) Counter Position Indicators (CPIs) shall be OPERABLE.
APPLICABILITY:                MODE 1.
ACTIONS
----------------------------------------------------------NOTE-------------------------------------------------------------
Separate Condition entry is allowed for each CRDS rod position indicator and each CRA counter position indicator.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One RPI per CRDM                      A.1      Verify the position of the                Once per 8 hours inoperable for one or                          CRA with inoperable more CRDMs.                                    position indicators with the Module Control System (MCS).
B. More than one RPI per                  B.1      Place the CRA under                      Immediately CRDM inoperable.                              manual control.
AND B.2      Verify the position of the                Once per 8 hours CRA with inoperable CRDS position indicators indirectly by using the in-core neutron detectors.
AND NuScale [US600]                                            3.1.7-1                                            Revision 4.0
 
Rod Position Indication 3.1.7 ACTIONS (continued)
CONDITION              REQUIRED ACTION            COMPLETION TIME B. (continued)              B.3 Restore inoperable rod    24 hours position indicators to OPERABLE status such that a maximum of one RPI per CRDM is inoperable.
C. One or more control      C.1 Verify the position of the 4 hours rod drive mechanisms        CRAs with inoperable (CRDMs) with                position indicators by inoperable position          using the MCS.
indicators have been moved in excess of 6 steps in one direction since the last determination of the CRAs position.
D. CRA CPI position        D.1 Verify by administrative  Once per 8 hours indicator inoperable for    means all RPIs for the one or more CRAs.            affected groups are OPERABLE.
AND D.2 Verify the most withdrawn  Once per 8 hours CRA and the least withdrawn CRA of the affected groups are 6 steps apart.
E. Required Action and      E.1 Be in MODE 2.              6 hours associated Completion Time not met.
NuScale [US600]                      3.1.7-2                          Revision 4.0
 
Rod Position Indication 3.1.7 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.1.7.1    Verify each RPI channel agrees within 6 steps of    Prior to criticality the group counter position indication for the full  after coupling a indicated range of CRA travel.                      CRA to the associated CRDM for one or more CRAs NuScale [US600]                          3.1.7-3                              Revision 4.0
 
PHYSICS TESTS Exceptions 3.1.8 3.1 REACTIVITY CONTROL SYSTEMS 3.1.8 PHYSICS TESTS Exceptions LCO 3.1.8            During the performance of PHYSICS TESTS, the requirements of:
LCO 3.1.3,  Moderator Temperature Coefficient (MTC),
LCO 3.1.4,  Rod Group Alignment Limits, LCO 3.1.5,  Shutdown Bank Insertion Limits, and LCO 3.1.6,  Regulating Bank Insertion Limits may be suspended provided:
: a. SDM is within the limits specified in the COLR, and
: b. THERMAL POWER is  5% RTP.
APPLICABILITY:      During PHYSICS TESTS initiated in MODE 1.
ACTIONS CONDITION                    REQUIRED ACTION                  COMPLETION TIME A. SDM not within limit.      A.1    Initiate boration to restore    15 minutes SDM to within limit.
AND A.2    Suspend PHYSICS                  1 hour TESTS exceptions.
B. THERMAL POWER not          B.1    Open reactor trip breakers.      Immediately within limit.
NuScale [US600]                              3.1.8-1                                Revision 4.0
 
PHYSICS TESTS Exceptions 3.1.8 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                      FREQUENCY SR 3.1.8.1    Verify THERMAL POWER is  5% RTP.                      In accordance with the Surveillance Frequency Control Program SR 3.1.8.2    Verify SDM is within the limits specified in the        In accordance COLR.                                                  with the Surveillance Frequency Control Program NuScale [US600]                          3.1.8-2                                Revision 4.0
 
Boron Dilution Control 3.1.9 3.1 REACTIVITY CONTROL SYSTEMS 3.1.9 Boron Dilution Control LCO 3.1.9            Two CVCS demineralized water isolation valves shall be OPERABLE.
AND Boric Acid supply boron concentration shall be within the limits specified in the COLR.
AND Maximum CVCS makeup pump demineralized water flow path flowrate shall be within the limits specified in the COLR.
APPLICABILITY:        MODES 1, 2, and 3 with any dilution source flow path in the CVCS makeup line not isolated.
ACTIONS CONDITION                      REQUIRED ACTION                COMPLETION TIME A. One CVCS                      A.1    Restore CVCS                  72 hours demineralized water                  demineralized water isolation valve                      isolation valves to inoperable.                          OPERABLE status.
NuScale [US600]                                3.1.9-1                              Revision 4.0
 
Boron Dilution Control 3.1.9 ACTIONS (continued)
CONDITION              REQUIRED ACTION                      COMPLETION TIME B. Required Action and      B.1 --------------NOTE------------
associated Completion        Flow paths may be Time not met.                unisolated intermittently under administrative OR                          controls.
Two CVCS demineralized water          Isolate dilution source flow        1 hour isolation valves            paths in the CVCS inoperable.                  makeup line by use of at least one closed manual or OR                          one closed and de-activated automatic Boric Acid supply boron      valve.
concentration not within limits.
OR CVCS makeup pump demineralized water flow path not configured to ensure maximum flowrate is within limits.
NuScale [US600]                      3.1.9-2                                  Revision 4.0
 
Boron Dilution Control 3.1.9 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.1.9.1    Verify that CVCS makeup pump demineralized            In accordance water flow path is configured to ensure that the      with the maximum demineralized water flowrate remains          Surveillance within the limits specified in the COLR.              Frequency Control Program SR 3.1.9.2    Verify each automatic CVCS demineralized water        In accordance isolation valve that is not locked, sealed, or        with the otherwise secured in the isolated position, actuates  Surveillance to the isolated position on an actual or simulated    Frequency signal.                                              Control Program SR 3.1.9.3    Verify Boric Acid supply boron concentration is      In accordance within the limits specified in the COLR.              with the Surveillance Frequency Control Program SR 3.1.9.4    Verify each CVCS makeup pump maximum                  In accordance flowrate is  25 gpm.                                with the Surveillance Frequency Control Program NuScale [US600]                            3.1.9-3                            Revision 4.0
 
FH 3.2.1 3.2 POWER DISTRIBUTION LIMITS 3.2.1 Enthalpy Rise Hot Channel Factor ( F H )
LCO 3.2.1            FH shall be within the limits specified in the COLR.
APPLICABILITY:        MODE 1 with THERMAL POWER  25% RTP.
ACTIONS CONDITION                        REQUIRED ACTION                  COMPLETION TIME A. FH not within limit.          A.1    Reduce THERMAL POWER            6 hours to < 25% RTP.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                        FREQUENCY SR 3.2.1.1        Verify FH is within the limits specified in the COLR. Once after each refueling prior to THERMAL POWER exceeding 25% RTP AND In accordance with the Surveillance Frequency Control Program NuScale [US600]                                3.2.1-1                              Revision 4.0
 
AO 3.2.2 3.2 POWER DISTRIBUTION LIMITS 3.2.2 AXIAL OFFSET (AO)
LCO 3.2.2            The AO shall be maintained within the limits specified in the COLR.
APPLICABILITY:      MODE 1 with THERMAL POWER  25% RTP.
ACTIONS CONDITION                        REQUIRED ACTION                COMPLETION TIME A. AO not within limits.      A.1      Reduce THERMAL POWER            6 hours to < 25% RTP.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                      FREQUENCY SR 3.2.2.1        Verify AO within limits using in-core instrumentation    In accordance neutron detectors.                                      with the Surveillance Frequency Control Program NuScale [US600]                              3.2.2-1                                Revision 4.0
 
MPS Instrumentation 3.3.1 3.3 INSTRUMENTATION 3.3.1 Module Protection System (MPS) Instrumentation LCO 3.3.1                    MPS instrumentation channels required for each Function in Table 3.3.1-1 shall be OPERABLE.
APPLICABILITY:                According to Table 3.3.1-1.
ACTIONS
---------------------------------------------------------NOTES------------------------------------------------------------
: 1. Separate Condition entry is allowed for each Function.
: 2. Separate Condition entry is allowed for each steam generator for Functions 16, 17, 18, 19, and 20.
: 3. Separate Condition entry is allowed for each ELVS battery charger of Function 25.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One or more Functions                  A.1      Place inoperable channel in              6 hours with one channel                              bypass or trip.
inoperable.
B. One or more Functions                  B.1      Place one inoperable                      6 hours with two channels                              channel in bypass.
inoperable.
AND B.2      Place one inoperable                      6 hours channel in trip.
NuScale [US600]                                            3.3.1-1                                            Revision 4.0
 
MPS Instrumentation 3.3.1 ACTIONS (continued)
CONDITION              REQUIRED ACTION                        COMPLETION TIME C. Required Action and      C.1 Enter Condition referenced            Immediately associated Completion        in Table 3.3.1-1 for the Time of Condition A or B    channel(s).
not met.
OR One or more Functions with three or more channels inoperable.
D. As required by Required  D.1 Open reactor trip breakers.            6 hours Action C.1 and referenced in Table 3.3.1-1.
E. As required by Required  E.1 Reduce THERMAL POWER                  6 hours Action C.1 and              to below the N-2H interlock.
referenced in Table 3.3.1-1.
F. As required by Required  F.1 --------------NOTE----------------
Action C.1 and              Flow paths may be referenced in                unisolated intermittently Table 3.3.1-1.              under administrative controls.
Isolate the flow paths                6 hours between the CVCS and the Reactor Coolant System by use of at least one closed manual or one closed and de-activated automatic valve.
NuScale [US600]                      3.3.1-2                                    Revision 4.0
 
MPS Instrumentation 3.3.1 ACTIONS (continued)
CONDITION              REQUIRED ACTION                        COMPLETION TIME G. As required by Required G.1 --------------NOTE----------------
Action C.1 and              Pressurizer heater breakers referenced in              may be closed intermittently Table 3.3.1-1.              under administrative controls.
Open pressurizer heater                6 hours breakers.
H. As required by Required H.1 Isolate dilution source flow          1 hour Action C.1 and              paths in the CVCS makeup referenced in              line by use of at least one Table 3.3.1-1.              closed manual or one closed and de-activated automatic valve.
I. As required by Required I.1 Be in MODE 2.                          6 hours Action C.1 and referenced in          AND Table 3.3.1-1.
I.2 Be in MODE 3 and                      36 hours PASSIVELY COOLED.
J. As required by Required J.1 Open two reactor vent                  1 hour Action C.1 and              valves.
referenced in Table 3.3.1-1.
K. As required by Required K.1 Be in MODE 2.                          6 hours Action C.1 and referenced in          AND Table 3.3.1-1.
K.2 Be in MODE 3 with RCS                  48 hours temperature below the T-2 interlock.
NuScale [US600]                      3.3.1-3                                    Revision 4.0
 
MPS Instrumentation 3.3.1 ACTIONS (continued)
CONDITION              REQUIRED ACTION              COMPLETION TIME L. As required by Required L.1 Be in MODE 2.                72 hours Action C.1 and referenced in          AND Table 3.3.1-1.
L.2 Be in MODE 3 and            96 hours PASSIVELY COOLED.
AND L.3 Be in MODE 3 with RCS        96 hours temperature below the T-2 interlock.
AND L.4 Isolate dilution source flow 96 hours paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve.
AND L.5 Open pressurizer heater      96 hours breakers.
M. As required by Required M.1 Be in MODE 2.                6 hours Action C.1 and referenced in          AND Table 3.3.1-1.
M.2 Be in MODE 3 with RCS        48 hours temperature below the T-3 interlock.
N. As required by Required N.1 Be in MODE 2 with RCS        6 hours Action C.1 and              temperature below the referenced in              T-6 interlock.
Table 3.3.1-1.
NuScale [US600]                    3.3.1-4                            Revision 4.0
 
MPS Instrumentation 3.3.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.3.1.1    Perform CHANNEL CHECK.                                                  In accordance with the Surveillance Frequency Control Program SR 3.3.1.2    --------------------------------NOTES-----------------------------
: 1. Adjust Neutron Monitoring System (NMS) nuclear instrument channel when absolute difference is
                    > 1% RTP.
: 2. Not required to be performed until 12 hours after reaching 15% RTP.
: 3. If the calorimetric heat balance is < 50% RTP, and if NMS nuclear instrumentation channel indicated power is:
: a. lower than the calorimetric measurement by
                          > 1%, then adjust the NMS nuclear instrumentation channel upward to match the calorimetric measurement.
: b. higher than the calorimetric measurement, then no adjustment is required.
Compare results of calorimetric heat balance to NMS                      In accordance with nuclear instrument channel output.                                      the Surveillance Frequency Control Program SR 3.3.1.3    --------------------------------NOTE-------------------------------
Neutron detectors are excluded from response time testing.
Verify CHANNEL RESPONSE TIME is within limits.                          In accordance with The CHANNEL RESPONSE TIME is combined with                              the Surveillance the allocated MPS digital time response and the                          Frequency Control ACTUATION RESPONSE TIME to determine and                                Program verify the TOTAL RESPONSE TIME.
NuScale [US600]                                  3.3.1-5                                        Revision 4.0
 
MPS Instrumentation 3.3.1 SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE                                                FREQUENCY SR 3.3.1.4    -------------------------------NOTE-----------------------------
Neutron detectors are excluded from the CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION in accordance                            In accordance with with the Setpoint Program.                                            the Surveillance Frequency Control Program SR 3.3.1.5    Perform CHANNEL CALIBRATION on each                                  In accordance with required Class 1E isolation device.                                  the Surveillance Frequency Control Program NuScale [US600]                                  3.3.1-6                                      Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 1 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED      REQUIRED FUNCTION                        CONDITIONS        CHANNELS  CONDITIONS
: 1. High Power Range Linear Power
: a. RTS                                    1, 2(a), 3(a)      4          D
: b. DWSI                                  1, 2(a), 3(a)      4          H
: 2. High Power Range Positive and Negative Rate
: a. RTS                                        1(b)          4          E
: b. DWSI                                        1(b)          4          H
: 3. High Intermediate Range Log Power Rate
: a. RTS                                  1(c), 2(a), 3(a)    4          D
: b. DWSI                                  1(c), 2(a), 3(a)    4          H
: 4. High Source Range Count Rate
: a. RTS                                  1(d), 2(a), 3(a)    4          D
: b. DWSI                                  1(d), 2(a), 3(a)    4          H
: 5. High Source Range Log Power Rate
: a. RTS                                  1(d), 2(a), 3(a)    4          D
: b. DWSI                                  1(d), 2(a), 3(a)    4          H
: 6. High Subcritical Multiplication
: a. DWSI                                    1(d), 2, 3        4          H (a)  When capable of CRA withdrawal.
(b)  With power above the N-2H interlock.
(c)  With power below the N-2L interlock.
(d)  When Intermediate Range Log Power less than N-1 interlock.
NuScale [US600]                                          3.3.1-7                      Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 2 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED        REQUIRED FUNCTION                        CONDITIONS          CHANNELS  CONDITIONS
: 7. High Pressurizer Pressure
: a. RTS                                  1, 2(a), 3(a)          4          D
: b. DHRS                                  1, 2, 3(e)            4          I
: c. Pressurizer Heater Trip                1, 2(f), 3(f)        4          G
: d. DWSI                                  1, 2(a), 3(a)          4          H
: e. SSI                                    1, 2, 3(e)            4          I
: 8. Low Pressurizer Pressure
: a. RTS                                      1(g)              4          D
: b. DWSI                                      1(g)              4          H
: 9. Low Low Pressurizer Pressure
: a. RTS                                    1, 2(a), 3(a)          4          D
: b. CVCSI                                  1, 2, 3(a)            4          F
: c. DWSI                                  1, 2(a), 3(a)          4          H
: d. SSI                                    1, 2, 3(a)            4          I
: 10. High Pressurizer Level
: a. RTS                                    1, 2(a), 3(a)          4          D
: b. CVCSI                                    1, 2, 3              4          F
: c. DWSI                                  1, 2(a), 3(a)          4          H (a)  When capable of CRA withdrawal.
(e)  When not PASSIVELY COOLED.
(f)  With pressurizer heater breakers closed.
(g)  With narrow range RCS hot temperature above the T-4 interlock.
NuScale [US600]                                          3.3.1-8                          Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 3 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED            REQUIRED FUNCTION                        CONDITIONS              CHANNELS              CONDITIONS
: 11. Low Pressurizer Level
: a. RTS                                  1, 2(a), 3(a)                4                      D
: b. Pressurizer Heater Trip              1, 2(f), 3(f)                4                      G
: c. DWSI                                1, 2(a), 3(a)                4                      H
: 12. Low Low Pressurizer Level
: a. CIS                                  1, 2, 3(h)                  4                      K
: b. CVCSI                                1, 2, 3(h)                  4                        F
: c. SSI                                  1, 2, 3(h)                  4                        I
: 13. High Narrow Range RCS Hot Temperature
: a. RTS                                      1                        4                      D
: b. DHRS                                  1, 2, 3(e)                  4                        I
: c. Pressurizer Heater Trip              1, 2(f), 3(f)                4                      G
: d. DWSI                                      1                        4                      H
: e. SSI                                  1, 2, 3(e)                  4                        I
: 14. Low RCS Flow
: a. DWSI                                  1, 2, 3                    4                      H
: 15. Low Low RCS Flow
: a. RTS                                  1, 2(a), 3(a)                4                      D
: b. CVCSI                                1, 2(a), 3(a)                4                        F
: c. DWSI                                1, 2(a), 3(a)                4                      H (a)  When capable of CRA withdrawal.
(e)  When not PASSIVELY COOLED.
(f)  With pressurizer heater breakers closed.
(h)  With RCS temperature above the T-2 interlock and containment water level below the L-1 interlock.
NuScale [US600]                                          3.3.1-9                                            Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 4 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED      REQUIRED FUNCTION                        CONDITIONS        CHANNELS    CONDITIONS
: 16. High Main Steam Pressure
: a. RTS                                      1, 2(a)      4 per SG      D
: b. DHRS                                    1, 2, 3(e)      4 per SG      I
: c. Pressurizer Heater Trip                1, 2(f), 3(f)  4 per SG      G
: d. DWSI                                      1, 2(a)      4 per SG      H
: e. SSI                                    1, 2, 3(e)      4 per SG      I
: 17. Low Main Steam Pressure
: a. RTS                                        1(b)        4 per SG      E
: b. DWSI                                      1(b)        4 per SG      H
: c. SSI                                        1(b)        4 per SG      E
: 18. Low Low Main Steam Pressure
: a. RTS                                    1, 2(a), 3(a)    4 per SG      D
: b. DWSI                                  1, 2(a), 3(a)    4 per SG      H
: c. SSI                                    1, 2(i), 3(i)  4 per SG      I
: 19. High Steam Superheat
: a. RTS                                        1          4 per SG      D
: b. DWSI                                        1          4 per SG      H
: c. SSI                                        1          4 per SG      I (a)  When capable of CRA withdrawal.
(b)  With power above the N-2H interlock.
(e)  When not PASSIVELY COOLED.
(f)  With pressurizer heater breakers closed.
(i)  With containment water level below the L-1 interlock.
NuScale [US600]                                          3.3.1-10                      Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 5 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED              REQUIRED FUNCTION                          CONDITIONS              CHANNELS              CONDITIONS
: 20. Low Steam Superheat
: a. RTS                                          1(j)              4 per SG                    D
: b. DWSI                                          1(j)              4 per SG                    H
: c. SSI                                          1(k)              4 per SG                    I
: 21. High Narrow Range Containment Pressure
: a. RTS                                      1, 2(a), 3(a)              4                        D
: b. CIS                                        1, 2, 3(l)                4                      M
: c. CVCSI                                      1, 2, 3(l)                4                        F
: d. DWSI                                      1, 2(a), 3(a)              4                        H
: e. SSI                                        1, 2, 3(m)                4                        I
: 22. High Containment Water Level
: a. ECCS                                      1, 2, 3(n)                4                        I
: 23. Low RCS Pressure - ECCS
: a. ECCS                                      1(o), 2(o)                4                        N
: 24. High RCS Pressure - Low Temperature Overpressure Protection
: a. LTOP                                          3(p)                  4                        J (a)  When capable of CRA withdrawal.
(j)  With power above the N-2H interlock or V-1 not active (both FWIVs open).
(k)  With containment level below the L-1 interlock with reactor power above the N-2H interlock, or with containment water level below the L-1 interlock with V-1 not active (both FWIVs open).
(l) With RCS temperature above the T-3 interlock.
(m) With RCS temperature above the T-3 interlock and containment water level below the L-1 interlock.
(n) With RCS temperature above the T-3 interlock or pressurizer water level below the L-2 interlock.
(o) With RCS Temperature above the T-6 interlock.
(p) With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.
NuScale [US600]                                              3.3.1-11                                          Revision 4.0
 
MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 6 of 6)
Module Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED      REQUIRED FUNCTION                        CONDITIONS        CHANNELS    CONDITIONS
: 25. Low AC Voltage to ELVS Battery Chargers
: a. RTS                                  1, 2(a), 3(a)      4 per bus      L
: b. DHRS                                  1, 2, 3(e)        4 per bus      L
: c. CIS                                    1, 2, 3          4 per bus      L
: d. CVCSI                                  1, 2, 3          4 per bus      F
: e. DWSI                                1, 2(a), 3(a)      4 per bus      L
: f. Pressurizer Heater Trip                1, 2(f)        4 per bus      L
: g. SSI                                  1, 2, 3(e)        4 per bus      L
: 26. High Under-the-Bioshield Temperature
: a. RTS                                  1, 2(a), 3(a)          4          L
: b. CIS                                    1, 2, 3              4          L
: c. CVCSI                                  1, 2, 3              4          F
: d. DWSI                                1, 2(a), 3(a)          4          L
: e. SSI                                  1, 2, 3(e)            4          L (a)  When capable of CRA withdrawal.
(e)  When not PASSIVELY COOLED.
(f)  With pressurizer heater breakers closed.
NuScale [US600]                                        3.3.1-12                          Revision 4.0
 
Reactor Trip System Logic and Actuation 3.3.2 3.3 INSTRUMENTATION 3.3.2 Reactor Trip System (RTS) Logic and Actuation LCO 3.3.2              Two Reactor Trip System (RTS) Logic and Actuation divisions shall be OPERABLE.
APPLICABILITY:        MODE 1, MODES 2 and 3 when capable of CRA withdrawal.
ACTIONS CONDITION                      REQUIRED ACTION                COMPLETION TIME A. One reactor trip breaker    A.1      Open the inoperable RTB.      48 hours (RTB) inoperable.
B. One division of RTS        B.1      Restore division of RTS        6 hours Logic and Actuation                Logic and Actuation to inoperable.                        OPERABLE status.
C. Required Action and        C.1      Open all RTBs.                Immediately associated Completion Time not met.
OR Both divisions of RTS Logic and Actuation inoperable.
OR More than one RTB inoperable.
NuScale [US600]                            3.3.2-1                              Revision 4.0
 
Reactor Trip System Logic and Actuation 3.3.2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                    FREQUENCY SR 3.3.2.1    Perform ACTUATION LOGIC TEST.                          In accordance with the Surveillance Frequency Control Program SR 3.3.2.2    Verify ACTUATION RESPONSE TIME is within limits.        In accordance with The ACTUATION RESPONSE TIME is combined                the Surveillance with the allocated MPS digital time response and the    Frequency Control CHANNEL RESPONSE TIME to determine and verify          Program the TOTAL RESPONSE TIME.
SR 3.3.2.3    Perform CHANNEL CALIBRATION on each                    In accordance with Class 1E isolation device.                              the Surveillance Frequency Control Program SR 3.3.2.4    Verify each RTB actuates to the open position on an    In accordance with actual or simulated actuation signal.                  the Surveillance Frequency Control Program NuScale [US600]                          3.3.2-2                                Revision 4.0
 
ESFAS Logic and Actuation 3.3.3 3.3 INSTRUMENTATION 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation LCO 3.3.3                    Engineered Safety Features Actuation System (ESFAS) Logic and Actuation divisions required for each Function in Table 3.3.3-1 shall be OPERABLE.
APPLICABILITY:                According to Table 3.3.3-1.
ACTIONS
-----------------------------------------------------------NOTE------------------------------------------------------------
Separate Condition entry is allowed for each Function.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. LTOP Actuation Function                A.1      Open two reactor vent                    1 hour with one or both Logic                        valves (RVVs).
and Actuation divisions inoperable.
B. One or more Actuation                  B.1      Enter the Condition                      6 hours Functions, other than the                      Referenced in LTOP Actuation                                Table 3.3.3-1 for the Function, with one                            affected Function.
ESFAS Logic and Actuation division inoperable.
NuScale [US600]                                            3.3.3-1                                            Revision 4.0
 
ESFAS Logic and Actuation 3.3.3 ACTIONS (continued)
CONDITION                REQUIRED ACTION          COMPLETION TIME C. As required by Required C.1 Be in MODE 2.            6 hours Action B.1 and referenced in          AND Table 3.3.3-1.
C.2 Be in MODE 3 and        36 hours OR                          PASSIVELY COOLED.
Both divisions of ECCS Actuation Function inoperable.
OR Both divisions of DHRS Actuation Function inoperable.
OR Both divisions of SSI Actuation Function inoperable.
D. As required by Required D.1 Be in MODE 3 with        48 hours Action B.1 and              containment isolated.
referenced in Table 3.3.3-1.
OR Both divisions of Containment Isolation Actuation Function inoperable.
NuScale [US600]                    3.3.3-2                        Revision 4.0
 
ESFAS Logic and Actuation 3.3.3 ACTIONS (continued)
CONDITION                REQUIRED ACTION                        COMPLETION TIME E. As required by Required E.1 ---------------NOTE---------------
Action B.1 and              Flow paths may be referenced in              unisolated intermittently Table 3.3.3-1.              under administrative controls.
OR                          --------------------------------------
Both divisions of          Isolate dilution source flow          1 hour Demineralized Water        paths in the CVCS makeup Supply Isolation            line by use of at least one Actuation Function          closed manual or one closed inoperable.                and de-activated automatic valve.
F. As required by Required F.1 ----------------NOTE--------------
Action B.1 and              Flow paths may be referenced in              unisolated intermittently Table 3.3.3-1.              under administrative controls.
OR                          --------------------------------------
Both divisions of CVCS      Isolate the flow paths                1 hour Isolation Actuation        between the CVCS and the Function inoperable.        Reactor Coolant System by use of at least one closed manual or one closed and de-activated automatic valve.
G. As required by Required G.1 ----------------NOTE--------------
Action B.1 and              Pressurizer heater breakers referenced in              may be closed intermittently Table 3.3.3-1.              under administrative controls.
OR                          --------------------------------------
Both divisions of          Open pressurizer heater                6 hours Pressurizer Heater Trip    breakers.
Actuation Function inoperable.
NuScale [US600]                      3.3.3-3                                    Revision 4.0
 
ESFAS Logic and Actuation 3.3.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.3.3.1    Perform ACTUATION LOGIC TEST.                        In accordance with the Surveillance Frequency Control Program SR 3.3.3.2    Verify pressurizer heater breaker ACTUATION          In accordance with RESPONSE TIME is within limits. The ACTUATION        the Surveillance RESPONSE TIME is combined with the allocated          Frequency Control MPS digital time response and the CHANNEL            Program RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.3.3.3    Perform CHANNEL CALIBRATION on each                  In accordance with Class 1E isolation device.                            the Surveillance Frequency Control Program SR 3.3.3.4    Verify each pressurizer heater breaker actuates to    In accordance with the open position on an actual or simulated actuation the Surveillance signal.                                              Frequency Control Program NuScale [US600]                          3.3.3-4                              Revision 4.0
 
ESFAS Logic and Actuation 3.3.3 Table 3.3.3-1 (page 1 of 1)
ESFAS Logic and Actuation Functions APPLICABLE MODES OR ACTUATION                  OTHER SPECIFIED              REQUIRED FUNCTION                      CONDITIONS                DIVISIONS            CONDITIONS
: 1. Emergency Core                      1, 2, 3(a)                2                      C Cooling System (ECCS)
: 2. Decay Heat                          1, 2, 3(a)                2                      C Removal System (DHRS)
: 3. Containment                          1, 2, 3                  2                      D Isolation System (CIS)
: 4. Demineralized                        1, 2, 3                  2                      E Water Supply Isolation (DWSI)
: 5. CVCS Isolation                        1, 2, 3                  2                      F (CVCSI)
: 6. Pressurizer Heater                  1, 2(b), 3(b)              2                      G Trip
: 7. Low Temperature                        3(c)                    2                      A Overpressure Protection (LTOP)
: 8. Secondary System                    1, 2, 3(a)                2                      C Isolation (SSI)
(a)  When not PASSIVELY COOLED.
(b)  With pressurizer heater breakers closed.
(c)  With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.
NuScale [US600]                                            3.3.3-5                                      Revision 4.0
 
Manual Actuation Functions 3.3.4 3.3 INSTRUMENTATION 3.3.4 Manual Actuation Functions LCO 3.3.4                      Each manual actuation division for each Function in Table 3.3.4-1 shall be OPERABLE.
APPLICABILITY:                  According to Table 3.3.4-1.
ACTIONS
------------------------------------------------------------NOTE-----------------------------------------------------------
Separate Condition entry is allowed for each Function.
CONDITION                                    REQUIRED ACTION                                COMPLETION TIME A. One or more Functions                      A.1        Enter the Condition                          48 hours with one manual                                      referenced in Table 3.3.4-1 actuation division                                  for the affected Function.
inoperable.
B. One or more Functions                      B.1        Enter the Condition                          6 hours with two manual                                      referenced in Table 3.3.4-1 actuation divisions                                  for the affected Function.
inoperable.
C. As required by Required                    C.1        Open reactor trip breakers.                  Immediately Action A.1 or B.1 and referenced in Table 3.3.4-1.
D. As required by Required                    D.1        Be in MODE 2.                                24 hours Action A.1 or B.1 and referenced in                            AND Table 3.3.4-1.
D.2        Be in MODE 3 and                              72 hours PASSIVELY COOLED.
NuScale [US600]                                                  3.3.4-1                                                  Revision 4.0
 
Manual Actuation Functions 3.3.4 ACTIONS (continued)
CONDITION              REQUIRED ACTION                            COMPLETION TIME E. As required by Required E.1 ----------------NOTE--------------
Action A.1 or B.1 and      Flow paths may be referenced in              unisolated intermittently Table 3.3.4-1.              under administrative controls.
Isolate dilution source flow              1 hour paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve.
F. As required by Required F.1 ---------------NOTE--------------
Action A.1 or B.1 and      Flow paths may be referenced in              unisolated intermittently Table 3.3.4-1.              under administrative controls.
Isolate the flow paths                    1 hour between the CVCS and the Reactor Coolant System by use of at least one closed manual or one closed and de-activated automatic valve.
G. As required by Required G.1 --------------NOTE--------------
Action A.1 or B.1 and      Pressurizer heater referenced in              breakers may be closed Table 3.3.4-1.              intermittently under administrative controls.
Open pressurizer heater                    24 hours breakers.
NuScale [US600]                      3.3.4-2                                          Revision 4.0
 
Manual Actuation Functions 3.3.4 ACTIONS (continued)
CONDITION                    REQUIRED ACTION            COMPLETION TIME H. As required by Required    H.1    Open two reactor vent    Immediately Action A.1 or B.1 and              valves.
referenced in Table 3.3.4-1.
I. As required by Required    I.1    Be in MODE 3 with        48 hours Action A.1 or B.1 and              containment isolated.
Referenced in Table 3.3.4 1.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY SR 3.3.4.1        Perform actuation device operational test.        In accordance with the Surveillance Frequency Control Program NuScale [US600]                            3.3.4-3                          Revision 4.0
 
Manual Actuation Functions 3.3.4 Table 3.3.4-1 (page 1 of 1)
Manual Actuation Functions APPLICABLE MODES OR MANUALLY ACTUATED                  OTHER SPECIFIED              REQUIRED FUNCTION                      CONDITIONS                DIVISIONS          CONDITIONS
: 1. Reactor Trip System                    1, 2(a), 3(a)              2                      C
: 2. Emergency Core                          1, 2, 3(b)                2                      D Cooling System
: 3. Decay Heat Removal                      1, 2, 3(b)                2                      D System
: 4. Containment Isolation                    1, 2, 3                  2                      I System
: 5. Demineralized Water                      1, 2, 3                  2                      E Supply Isolation
: 6. CVCS Isolation                          1, 2, 3                  2                      F System
: 7. Pressurizer Heater                    1, 2(c), 3(c)              2                      G Trip
: 8. Low Temperature                            3(d)                    2                      H Overpressure Protection
: 9. Secondary System                        1, 2, 3(b)                2                      D Isolation (SSI)
(a)  When capable of CRA withdrawal.
(b)  When not PASSIVELY COOLED.
(c)  With pressurizer heater breakers closed.
(d)  With wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 interlock) and more than one reactor vent valve closed.
NuScale [US600]                                              3.3.4-4                                      Revision 4.0
 
RSS 3.3.5 3.3 INSTRUMENTATION 3.3.5 Remote Shutdown Station (RSS)
LCO 3.3.5            Instrumentation in the RSS shall be OPERABLE.
APPLICABILITY:      MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS CONDITION                      REQUIRED ACTION            COMPLETION TIME A. Instrumentation in the    A.1      Restore to OPERABLE        30 days RSS inoperable.                    status.
B. Required Action and        B.1      Be in MODE 2.              6 hours associated Completion Time not met.            AND B.2      Be in MODE 3 and          36 hours PASSIVELY COOLED.
NuScale [US600]                            3.3.5-1                        Revision 4.0
 
RSS 3.3.5 SURVEILLANCE REQUIREMENTS SURVEILLANCE                              FREQUENCY SR 3.3.5.1    Perform transfer protocol of required functions. In accordance with the Surveillance Frequency Control Program SR 3.3.5.2    Verify that the RSS communicates indication with In accordance with each required function of the Module Control    the Surveillance System and Plant Control System.                Frequency Control Program SR 3.3.5.3    Verify the OPERABILITY of the RSS hardware and  In accordance with software.                                        the Surveillance Frequency Control Program NuScale [US600]                          3.3.5-2                        Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits 3.4.1 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.1 RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits LCO 3.4.1            Each RCS CHF parameter shall be within the limits specified in the COLR:
: a. Pressurizer pressure,
: b. RCS cold temperature, and
: c. RCS flow resistance.
APPLICABILITY:      MODE 1.
ACTIONS CONDITION                  REQUIRED ACTION                COMPLETION TIME A. RCS pressurizer            A.1    Restore RCS CHF              2 hours pressure or RCS cold              parameter(s) to within limit.
temperature CHF parameters not within limits.
B. RCS flow resistance not    B.1    Evaluate flow resistance      7 days within limits.                    effect on safety analysis and verify that the reactor coolant system flow rate is acceptable for continued operation.
C. Required Action and        C.1    Be in Mode 2.                6 hours associated Completion Time not met.
NuScale [US600]                            3.4.1-1                              Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits 3.4.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                FREQUENCY SR 3.4.1.1    Verify pressurizer pressure is greater than or equal to              In accordance with the limit specified in the COLR.                                      the Surveillance Frequency Control Program SR 3.4.1.2    Verify RCS cold temperature is less than or equal to                  In accordance with the limit specified in the COLR.                                      the Surveillance Frequency Control Program SR 3.4.1.3    --------------------------------NOTE-----------------------------
Not required to be performed until 96 hours after exceeding 50% RTP.
Verify RCS flow resistance is within the limits                      Once prior to specified in the COLR.                                                exceeding 75% RTP after each refueling NuScale [US600]                                  3.4.1-2                                      Revision 4.0
 
RCS Minimum Temperature for Criticality 3.4.2 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.2 RCS Minimum Temperature for Criticality LCO 3.4.2            All RCS temperatures shall be  420 &deg;F.
APPLICABILITY:      MODE 1.
ACTIONS CONDITION                  REQUIRED ACTION              COMPLETION TIME A. One or more RCS              A.1  Be in MODE 2.                30 minutes temperatures not within limit.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY SR 3.4.2.1        Verify all RCS temperatures  420 &deg;F.              In accordance with the Surveillance Frequency Control Program NuScale [US600]                            3.4.2-1                            Revision 4.0
 
RCS P/T Limits 3.4.3 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.3 RCS Pressure and Temperature (P/T) Limits LCO 3.4.3                  RCS pressure, RCS temperature, and RCS heatup and cooldown rates shall be maintained within the limits specified in the PTLR.
APPLICABILITY:              At all times.
ACTIONS CONDITION                          REQUIRED ACTION                    COMPLETION TIME A. -------------NOTE-------------      A.1  Restore parameters to            30 minutes Required Action A.2 shall                within limits.
be completed whenever this Condition is entered.          AND A.2  Determine RCS is                  72 hours Requirements of LCO not                  acceptable for continued met in MODE 1, 2, or 3.                  operation.
B. Required Action and                  B.1  Be in MODE 2.                    6 hours associated Completion Time of Condition A not            AND met.
B.2  Be in MODE 3 with RCS            36 hours pressure < 500 psia.
C. --------------NOTE ------------      C.1  Initiate action to restore        Immediately Required Action C.2 shall                parameter(s) to within limits.
be completed whenever this Condition is entered.          AND C.2  Determine RCS is                  Prior to entering Requirements of LCO not                  acceptable for continued          MODE 3 met any time in other than                operation.
MODE 1, 2, or 3.
NuScale [US600]                                    3.4.3-1                                  Revision 4.0
 
RCS P/T Limits 3.4.3 ACTIONS (continued)
CONDITION                            REQUIRED ACTION                            COMPLETION TIME D. Containment flooding              D.1      Be in MODE 2.                            Immediately initiated while RCS temperature greater than          AND allowed by PTLR.
D.2      Be in MODE 3 with RCS                    36 hours temperature less than or equal to the containment flooding RCS temperature limit allowed by the PTLR.
AND D.3      Determine RCS is                          Prior to entering acceptable for continued                  MODE 2 from operation.                                MODE 3 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.4.3.1        --------------------------------NOTE-----------------------------
Only required to be performed during RCS heatup and cooldown operations and inservice leak and hydrostatic testing.
Verify RCS pressure, RCS temperature, and RCS                            In accordance with heatup and cooldown rates are within limits specified                    the Surveillance in the PTLR.                                                              Frequency Control Program NuScale [US600]                                      3.4.3-2                                          Revision 4.0
 
RSVs 3.4.4 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.4 Reactor Safety Valves (RSVs)
LCO 3.4.4            Two RSVs shall be OPERABLE.
APPLICABILITY:      MODES 1 and 2, MODE 3 with RCS cold temperature above the low temperature overpressure protection (LTOP) interlock T-1.
ACTIONS CONDITION                    REQUIRED ACTION                  COMPLETION TIME A. One RSV inoperable.        A.1    Restore valve to                72 hours OPERABLE status.
B. Required Action and        B.1    Be in MODE 2.                  6 hours associated Completion Time not met.              AND OR                        B.2    Be in MODE 3 with RCS          36 hours cold temperature below Two RSVs inoperable.              LTOP enable interlock T-1 temperature.
NuScale [US600]                            3.4.4-1                              Revision 4.0
 
RSVs 3.4.4 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                    FREQUENCY SR 3.4.4.1    Verify each RSV is OPERABLE in accordance with          In accordance with the INSERVICE TESTING PROGRAM. Following                the INSERVICE testing, lift settings shall be within 1% of the nominal TESTING setpoints of 2075 psia and 2100 psia as shown            PROGRAM below:
Valve 1 Setpoint:  2055 psia and  2095 psia.
Valve 2 Setpoint:  2079 psia and  2121 psia.
NuScale [US600]                              3.4.4-2                            Revision 4.0
 
RCS Operational LEAKAGE 3.4.5 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.5 RCS Operational LEAKAGE LCO 3.4.5              RCS operational LEAKAGE shall be limited to:
: a. No pressure boundary LEAKAGE,
: b. 0.5 gpm unidentified LEAKAGE,
: c. 2 gpm identified LEAKAGE from the RCS, and
: d. 150 gallons per day primary to secondary LEAKAGE.
APPLICABILITY:        MODES 1 and 2, MODE 3 with RCS hot temperature  200 &deg;F.
                      -------------------------------------------NOTE----------------------------------------------
This LCO is not applicable if one or more ECCS valves is open.
ACTIONS CONDITION                            REQUIRED ACTION                            COMPLETION TIME A. RCS operational                  A.1      Reduce LEAKAGE to within                  4 hours LEAKAGE not within                        limits.
limits for reasons other than pressure boundary LEAKAGE or primary to secondary LEAKAGE.
NuScale [US600]                                      3.4.5-1                                            Revision 4.0
 
RCS Operational LEAKAGE 3.4.5 ACTIONS (continued)
CONDITION                          REQUIRED ACTION                            COMPLETION TIME B. Required Action and            B.1        Be in MODE 2.                            6 hours associated Completion Time of Condition A not        AND met.
B.2        Be in MODE 3 with RCS hot                48 hours OR                                        temperature < 200 &deg;F.
Pressure boundary LEAKAGE exists.
OR Primary to secondary LEAKAGE not within limit.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.4.5.1      --------------------------------NOTES-----------------------------
: 1. Not required to be performed until 12 hours after establishment of steady state operation.
: 2. Not applicable to primary to secondary LEAKAGE.
Verify RCS Operational LEAKAGE is within limits by                      In accordance with performance of RCS water inventory balance.                              the Surveillance Frequency Control Program NuScale [US600]                                    3.4.5-2                                        Revision 4.0
 
RCS Operational LEAKAGE 3.4.5 SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE                                                  FREQUENCY SR 3.4.5.2    --------------------------------NOTE------------------------------
Not required to be performed until 12 hours after establishment of steady state operation.
Verify primary to secondary LEAKAGE is                                  In accordance with 150 gallons per day through the Steam Generator                      the Surveillance System.                                                                Frequency Control Program NuScale [US600]                                  3.4.5-3                                        Revision 4.0
 
Chemical and Volume Control System Isolation Valves 3.4.6 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.6 Chemical and Volume Control System (CVCS) Isolation Valves LCO 3.4.6                    Each of the following CVCS line flow path isolation valves shall be OPERABLE:
: a. RCS Injection Isolation Valves,
: b. RCS Discharge Isolation Valves,
: c. Pressurizer Spray Isolation Valves, and
: d. RPV High Point Degasification Isolation Valves.
APPLICABILITY:                MODES 1, 2, and 3.
ACTIONS
---------------------------------------------------------NOTES------------------------------------------------------------
: 1. CVCS flow paths may be unisolated intermittently under administrative controls.
: 2. Separate Condition entry is allowed for each flow path.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One or more CVCS flow                  A.1      Isolate the affected CVCS                72 hours paths with one CVCS                            flow path by use of at least valve inoperable.                              one closed and de-activated automatic valve, closed manual valve, or blind flange.
AND NuScale [US600]                                            3.4.6-1                                            Revision 4.0
 
Chemical and Volume Control System Isolation Valves 3.4.6 ACTIONS (continued)
CONDITION            REQUIRED ACTION                        COMPLETION TIME A. (continued)          A.2 ---------------NOTES-------------
: 1. Isolation devices in high radiation areas may be verified by use of administrative means.
: 2. Isolation devices that are locked, sealed, or otherwise secured may be verified by use of administrative means.
Verify the affected CVCS              Once per 31 days flow path is isolated.
B. One or more CVCS flow B.1 Isolate the affected CVCS              1 hour paths with two CVCS      flow path by use of at least valves inoperable.        one closed and de-activated automatic valve, closed manual valve, or blind flange.
C. Required Action and  C.1 Be in MODE 2.                          6 hours associated Completion Time not met.        AND C.2 Be in MODE 3 with RCS hot              48 hours temperature < 200 &deg;F.
NuScale [US600]                    3.4.6-2                                    Revision 4.0
 
Chemical and Volume Control System Isolation Valves 3.4.6 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                    FREQUENCY SR 3.4.6.1    Verify [required] valves accumulator pressures are    In accordance with within limits.                                        the Surveillance Frequency Control Program SR 3.4.6.2    Verify the isolation ACTUATION RESPONSE TIME          In accordance with of each automatic power operated CVCS valve is        the INSERVICE within limits. The ACTUATION RESPONSE TIME is          TESTING combined with the allocated MPS digital time          PROGRAM response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.4.6.3    Verify each automatic CVCS valve that is not locked,  In accordance with sealed, or otherwise secured in position, actuates to  the Surveillance the isolation position on an actual or simulated      Frequency Control actuation signal.                                      Program NuScale [US600]                          3.4.6-3                              Revision 4.0
 
RCS Leakage Detection Instrumentation 3.4.7 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.7 RCS Leakage Detection Instrumentation LCO 3.4.7                    Two of the following RCS leakage detection instrumentation methods shall be OPERABLE:
: a. Two Containment Evacuation System (CES) condensate channels,
: b. Two CES inlet pressure channels, and
: c. One CES gaseous radioactivity monitor channel.
APPLICABILITY:            MODES 1 and 2, MODE 3 with RCS hot temperature  200 &deg;F.
                          ------------------------------------------NOTES---------------------------------------------
: 1. Not required when one or more ECCS valves open.
: 2. Not required in MODE 3 during containment flood operations.
ACTIONS
------------------------------------------------------------NOTE-----------------------------------------------------------
Separate Condition entry is allowed for each condensate channel and each pressure channel.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One or more required                  A.1      ---------------NOTE---------------
leakage detection                              Not required until 12 hours instrumentation methods                        after establishment of steady with one required                              state operation.
channel inoperable.                            ---------------------------------------
Perform SR 3.4.5.1.                      Once per 24 hours AND A.2      Restore required leakage                  14 days detection channel(s) to OPERABLE status.
NuScale [US600]                                            3.4.7-1                                            Revision 4.0
 
RCS Leakage Detection Instrumentation 3.4.7 ACTIONS (continued)
CONDITION                      REQUIRED ACTION              COMPLETION TIME B. One required leakage          B.1    Restore one channel of      72 hours detection instrumentation            affected required leakage method with all required            detection instrumentation channels inoperable.                method to OPERABLE status.
C. Required Action and          C.1    Be in MODE 2.                6 hours associated Completion Time not met.                AND OR                            C.2    Be in MODE 3 with RCS hot    48 hours temperature < 200 &deg;F.
Two required leakage detection instrumentation methods with all required channels inoperable.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.4.7.1        Perform a CHANNEL CHECK of each required CES          In accordance with condensate channel.                                  the Surveillance Frequency Control Program SR 3.4.7.2        Perform a CHANNEL CHECK of each required CES          In accordance with inlet pressure channel.                              the Surveillance Frequency Control Program NuScale [US600]                              3.4.7-2                              Revision 4.0
 
RCS Leakage Detection Instrumentation 3.4.7 SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE                                  FREQUENCY SR 3.4.7.3    Perform a CHANNEL CHECK of required CES            In accordance with gaseous radioactivity monitor channel.              the Surveillance Frequency Control Program SR 3.4.7.4    Perform a COT of required CES gaseous radioactivity In accordance with monitor channel.                                    the Surveillance Frequency Control Program SR 3.4.7.5    Perform a COT of each required CES condensate      In accordance with channel.                                            the Surveillance Frequency Control Program SR 3.4.7.6    Perform a CHANNEL CALIBRATION of each              In accordance with required CES condensate channel.                    the Surveillance Frequency Control Program SR 3.4.7.7    Perform a CHANNEL CALIBRATION of each              In accordance with required CES inlet pressure channel.                the Surveillance Frequency Control Program SR 3.4.7.8    Perform a CHANNEL CALIBRATION of required CES      In accordance with gaseous radioactivity monitor channel.              the Surveillance Frequency Control Program NuScale [US600]                        3.4.7-3                            Revision 4.0
 
RCS Specific Activity 3.4.8 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.8 RCS Specific Activity LCO 3.4.8            The specific activity of the reactor coolant shall be within limits.
APPLICABILITY:        MODES 1 and 2.
ACTIONS CONDITION                        REQUIRED ACTION                        COMPLETION TIME A. DOSE EQUIVALENT              ---------------------NOTE-------------------
I-131 > 3.7E-2 &#xb5;Ci/gm.      LCO 3.0.4.c is applicable.
A.1      Verify DOSE EQUIVALENT                Once per 4 hours I-131  2.2 &#xb5;Ci/gm.
AND A.2      Restore DOSE                          48 hours EQUIVALENT I-131 to within limit.
B. DOSE EQUIVALENT              ---------------------NOTE-------------------
XE-133 > 10 Ci/gm.        LCO 3.0.4.c is applicable.
B.1      Restore DOSE                          48 hours EQUIVALENT XE-133 to within limit.
C. Required Action and          C.1      Be in MODE 2.                          6 hours associated Completion Time of Condition A or B    AND not met.
C.2      Be in MODE 3.                          36 hours OR DOSE EQUIVALENT I-131 > 2.2 Ci/gm.
NuScale [US600]                                3.4.8-1                                    Revision 4.0
 
RCS Specific Activity 3.4.8 SURVEILLANCE REQUIREMENTS SURVEILLANCE                            FREQUENCY SR 3.4.8.1    Verify reactor coolant DOSE EQUIVALENT XE-133  In accordance with specific activity  10 &#xb5;Ci/gm.                the Surveillance Frequency Control Program SR 3.4.8.2    Verify reactor coolant DOSE EQUIVALENT I-131  In accordance with specific activity  3.7E-2 &#xb5;Ci/gm.            the Surveillance Frequency Control Program AND Between 2 and 6 hours after a THERMAL POWER change of  15% of RTP within a 1 hour period NuScale [US600]                            3.4.8-2                    Revision 4.0
 
SG Tube Integrity 3.4.9 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.9 Steam Generator (SG) Tube Integrity LCO 3.4.9                    SG tube integrity shall be maintained.
AND All SG tubes satisfying the tube plugging criteria shall be plugged in accordance with the Steam Generator Program.
APPLICABILITY:                MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS
----------------------------------------------------------NOTE-------------------------------------------------------------
Separate Condition entry is allowed for each SG tube.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One or more SG tubes                  A.1      Verify tube integrity of the              7 days satisfying the tube                            affected tube(s) is plugging criteria and not                      maintained until the next plugged in accordance                          refueling outage or SG tube with the Steam Generator                        inspection.
Program.
AND A.2      Plug the affected tube(s) in              Prior to entering accordance with the Steam                MODE 3 following the Generator Program.                        next refueling outage or SG tube inspection B. Required Action and                    B.1      Be in MODE 2.                            6 hours associated Completion Time of Condition A not              AND met.
B.2      Be in MODE 3 and                          36 hours OR                                              PASSIVELY COOLED.
SG tube integrity not maintained.
NuScale [US600]                                            3.4.9-1                                            Revision 4.0
 
SG Tube Integrity 3.4.9 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.4.9.1    Verify SG tube integrity in accordance with the Steam In accordance with Generator Program.                                    the Steam Generator Program SR 3.4.9.2    Verify that each inspected SG tube that satisfies the Prior to entering tube plugging criteria is plugged in accordance with  MODE 3 following the Steam Generator Program.                          a SG tube inspection NuScale [US600]                            3.4.9-2                            Revision 4.0
 
LTOP Valves 3.4.10 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.10 Low Temperature Overpressure Protection (LTOP) Valves LCO 3.4.10                  Each closed reactor vent valve (RVV) shall be OPERABLE.
APPLICABILITY:              MODE 3 with wide range RCS cold temperature below T-1 interlock.
ACTIONS CONDITION                          REQUIRED ACTION                COMPLETION TIME A. ------------NOTE-------------      A.1  Restore RVV to OPERABLE      72 hours Not applicable with two                  status.
RVVs open.
    ---------------------------------- OR One closed RVV                    A.2  Open inoperable RVV.          72 hours inoperable.
B. Two closed RVVs                    B.1  Restore two closed RVVs      4 hours inoperable.                              to OPERABLE status.
OR B.2  Open two RVVs.                4 hours C. Three closed RVVs                  C.1  Initiate action to            2 hours inoperable.                              depressurize RCS.
AND C.2  Initiate action to open two  2 hours RVVs.
NuScale [US600]                                  3.4.10-1                            Revision 4.0
 
LTOP Valves 3.4.10 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.4.10.1    Verify each RVV actuates to the open position on an  In accordance with actual or simulated actuation signal.                the Surveillance Frequency Control Program SR 3.4.10.2    Verify the open ACTUATION RESPONSE TIME of          In accordance with each RVV is within limits. The ACTUATION            the INSERVICE RESPONSE TIME is combined with the allocated        TESTING MPS digital time response and the CHANNEL            PROGRAM RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.4.10.3    Verify the inadvertent actuation block setpoints are In accordance within limits, and the inadvertent actuation block  with the function of each RVV.                                INSERVICE TESTING PROGRAM NuScale [US600]                          3.4.10-2                          Revision 4.0
 
ECCS 3.5.1 3.5 PASSIVE CORE COOLING SYSTEM (PCCS) 3.5.1 Emergency Core Cooling System (ECCS)
LCO 3.5.1            Three reactor vent valves (RVV) and two reactor recirculation valves (RRV) shall be OPERABLE.
APPLICABILITY:        MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS CONDITION                      REQUIRED ACTION                COMPLETION TIME A. One RVV inoperable.        A.1      Restore RVV to OPERABLE      72 hours status.
B. One RRV inoperable.        B.1      Restore RRV to OPERABLE      72 hours status.
C. Required Action and        C.1      Be in MODE 2.                6 hours associated Completion Time of Condition A or B  AND not met.
C.2      Be in MODE 3 and              36 hours OR                                  PASSIVELY COOLED.
Two or more RVVs inoperable.
OR Two RRVs inoperable.
NuScale [US600]                              3.5.1-1                              Revision 4.0
 
ECCS 3.5.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.5.1.1    Verify each RVV and RRV actuates to the open    In accordance with the position on an actual or simulated actuation    Surveillance Frequency signal.                                          Control Program SR 3.5.1.2    Verify the open ACTUATION RESPONSE TIME          In accordance with the of each RVV and RRV is within limits. The        INSERVICE TESTING ACTUATION RESPONSE TIME is combined              PROGRAM with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.5.1.3    Verify the inadvertent actuation block setpoints In accordance with the are within limits, and the inadvertent actuation INSERVICE TESTING block function of each RVV and RRV.              PROGRAM NuScale [US600]                            3.5.1-2                          Revision 4.0
 
DHRS 3.5.2 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS) 3.5.2 Decay Heat Removal System (DHRS)
LCO 3.5.2          Two DHRS loops shall be OPERABLE.
APPLICABILITY:      MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS CONDITION                  REQUIRED ACTION      COMPLETION TIME A. One DHRS loop            A.1    Restore DHRS loop to 72 hours inoperable.                    OPERABLE status.
B. Required Action and      B.1    Be in MODE 2.        6 hours associated Completion Time not met.          AND OR                      B.2    Be in MODE 3 and    36 hours PASSIVELY COOLED.
Both DHRS loops inoperable.
NuScale [US600]                        3.5.2-1                  Revision 4.0
 
DHRS 3.5.2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                  FREQUENCY SR 3.5.2.1    Verify [required] valves accumulator pressures are                      In accordance with within limits.                                                          the Surveillance Frequency Control Program SR 3.5.2.2    Verify DHRS heat exchangers are filled.                                In accordance with the Surveillance Frequency Control Program SR 3.5.2.3    -------------------------------NOTE--------------------------------
Not required to be performed for DHRS loop with associated FWIV open.
Verify SG level is > [5]% and  [65]%.                                  In accordance with the Surveillance Frequency Control Program SR 3.5.2.4    Verify that each DHRS actuation valve actuates to                      In accordance with the open position on an actual or simulated actuation                  the Surveillance signal.                                                                Frequency Control Program SR 3.5.2.5    Verify the open ACTUATION RESPONSE TIME of                              In accordance with each DHRS actuation valve is within limits. The                        the INSERVICE ACTUATION RESPONSE TIME is combined with the                            TESTING allocated MPS digital time response and the                            PROGRAM CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
NuScale [US600]                                  3.5.2-2                                        Revision 4.0
 
Ultimate Heat Sink 3.5.3 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS) 3.5.3 Ultimate Heat Sink LCO 3.5.3                    Ultimate Heat Sink shall be maintained within the limits specified below:
: a. Level  68 ft,
: b. Bulk average temperature  65 &deg;F and  110 &deg;F, and
: c. Bulk average boron concentration shall be maintained within the limit specified in the COLR.
APPLICABILITY:                At all times.
ACTIONS
------------------------------------------------------------NOTE-----------------------------------------------------------
LCO 3.0.3 is not applicable.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. Ultimate Heat Sink Level              A.1      Suspend module                            Immediately
      < 68 ft.                                      movements.
AND A.2      Suspend movement of                      Immediately irradiated fuel assemblies in the refueling area.
AND A.3      Restore Ultimate Heat Sink                30 days Level to within limits.
NuScale [US600]                                            3.5.3-1                                            Revision 4.0
 
Ultimate Heat Sink 3.5.3 ACTIONS (continued)
CONDITION                REQUIRED ACTION              COMPLETION TIME B. Ultimate Heat Sink Level  B.1 Initiate action to restore  Immediately 65 ft.                      Ultimate Heat Sink Level to
                                  > 65 ft.
AND B.2 Restore Ultimate Heat Sink  24 hours Level to > 65 ft.
C. Ultimate Heat Sink bulk  C.1 Suspend module              Immediately average temperature not      movements.
within limits.
AND C.2 Initiate action to restore  Immediately Ultimate Heat Sink bulk average temperature to within limits.
AND C.3 Restore Ultimate Heat Sink  14 days bulk average temperature to within limits.
D. Required Action and      D.1 Be in MODE 2.              6 hours associated Completion Time of Condition A, B or AND C not met.
D.2 Be in MODE 3.              36 hours NuScale [US600]                        3.5.3-2                          Revision 4.0
 
Ultimate Heat Sink 3.5.3 ACTIONS (continued)
CONDITION              REQUIRED ACTION                COMPLETION TIME E. Ultimate Heat Sink bulk  E.1 Initiate action to restore    Immediately average boron                Ultimate Heat Sink bulk concentration not within    average boron concentration limits.                      to within limits.
AND E.2 Terminate flow into          Immediately containment vessel from Ultimate Heat Sink via the Containment Flood and Drain System.
AND E.3 Suspend containment vessel    Immediately disassembly activities at containment tool.
AND E.4 Suspend module                Immediately movements.
AND E.5 Suspend movement of          Immediately irradiated fuel assemblies in the refueling area.
NuScale [US600]                      3.5.3-3                            Revision 4.0
 
Ultimate Heat Sink 3.5.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.5.3.1    Verify the Ultimate Heat Sink level is within limits. In accordance with the Surveillance Frequency Control Program SR 3.5.3.2    Verify the Ultimate Heat Sink bulk average            In accordance with temperature is within limits.                        the Surveillance Frequency Control Program SR 3.5.3.3    Verify Ultimate Heat Sink bulk average boron          In accordance with concentration is within limits.                      the Surveillance Frequency Control Program NuScale [US600]                          3.5.3-4                            Revision 4.0
 
Containment 3.6.1 3.6 CONTAINMENT SYSTEMS 3.6.1 Containment LCO 3.6.1            Containment shall be OPERABLE.
APPLICABILITY:        MODES 1 and 2, MODE 3 with RCS hot temperature  200 &deg;F.
ACTIONS CONDITION                      REQUIRED ACTION            COMPLETION TIME A. Containment inoperable.      A.1    Restore containment to    1 hour OPERABLE status.
B. Required Action and          B.1    Be in MODE 2.              6 hours associated Completion Time not met.                AND B.2    Be in MODE 3 with RCS hot  48 hours temperature < 200 &deg;F.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY SR 3.6.1.1        Perform required visual examinations and leakage    In accordance with rate testing in accordance with the Containment    the Containment Leakage Rate Testing Program.                      Leakage Rate Testing Program NuScale [US600]                            3.6.1-1                            Revision 4.0
 
Containment Isolation Valves 3.6.2 3.6 CONTAINMENT SYSTEMS 3.6.2 Containment Isolation Valves LCO 3.6.2                    Each containment isolation valve shall be OPERABLE.
APPLICABILTY:                MODES 1 and 2, MODE 3 with RCS hot temperature  200 &deg;F.
ACTIONS
----------------------------------------------------------NOTES-----------------------------------------------------------
: 1. Penetration flow paths may be unisolated intermittently under administrative controls.
: 2. Separate Condition entry is allowed for each penetration flow path.
: 3. Enter applicable Conditions and Required Actions for systems made inoperable by containment isolation valves.
: 4. Enter applicable Conditions and Required Actions of LCO 3.6.1, Containment, when isolation valve leakage results in exceeding the overall containment leakage rate acceptance criteria.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. -----------NOTE------------            A.1      Isolate the affected                      72 hours Only applicable to                            penetration flow path by use penetration flow paths                        of at least one closed and with two containment                          de-activated automatic isolation valves.                              valve, closed manual valve,
      --------------------------------              blind flange, or check valve with flow through the valve One or more penetration                        secured.
flow paths with one containment isolation                AND valve inoperable.
NuScale [US600]                                            3.6.2-1                                            Revision 4.0
 
Containment Isolation Valves 3.6.2 ACTIONS (continued)
CONDITION                    REQUIRED ACTION                        COMPLETION TIME A. (continued)                    A.2 ---------------NOTES-------------
: 1. Isolation devices in high radiation areas may be verified by use of administrative means.
: 2. Isolation devices that are locked, sealed, or otherwise secured may be verified by use of administrative means.
Verify the affected                    Once per 31 days penetration flow path is isolated.
B. -----------NOTE-----------      B.1 Isolate the affected                  1 hour Only applicable to                  penetration flow path by use penetration flow paths              of at least one closed and with two containment                de-activated automatic isolation valves.                  valve, closed manual valve,
    -------------------------------    or blind flange.
One or more penetration flow paths with two containment isolation valves inoperable.
C. Required Action and            C.1 Be in MODE 2.                          6 hours associated Completion Time not met.                  AND C.2 Be in MODE 3 with RCS hot              48 hours temperature < 200 &deg;F.
NuScale [US600]                              3.6.2-2                                      Revision 4.0
 
Containment Isolation Valves 3.6.2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.6.2.1    Verify [required] valves accumulator pressures are                      In accordance with within limits.                                                          the Surveillance Frequency Control Program SR 3.6.2.2    ---------------------------------NOTE------------------------------
Valves and blind flanges in high radiation areas may be verified by use of administrative means.
Verify each containment isolation manual valve and                      In accordance with blind flange that is located outside containment and                    the Surveillance not locked, sealed, or otherwise secured and is                        Frequency Control required to be closed during accident conditions is                    Program closed.
SR 3.6.2.3    Verify the isolation ACTUATION RESPONSE TIME                            In accordance with of each automatic containment isolation valve is                        the INSERVICE within limits. The ACTUATION RESPONSE TIME is                          TESTING combined with the allocated MPS digital time                            PROGRAM response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.6.2.4    Verify each automatic containment isolation valve                      In accordance with that is not locked, sealed, or otherwise secured in                    the Surveillance position, actuates to the isolation position on an                      Frequency Control actual or simulated actuation signal.                                  Program NuScale [US600]                                  3.6.2-3                                        Revision 4.0
 
MSIVs 3.7.1 3.7 PLANT SYSTEMS 3.7.1 Main Steam Isolation Valves (MSIVs)
LCO 3.7.1                    Two MSIVs and two MSIV bypass valves per steam line shall be OPERABLE.
APPLICABILITY:                MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS
------------------------------------------------------------NOTE-----------------------------------------------------------
Main steam line flow paths may be unisolated intermittently under administrative controls.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. -----------NOTE------------            A.1      Isolate affected flow path by            72 hours Separate Condition                            use of at least one closed entry is allowed for                          and de-activated automatic each valve.                                    valve, closed manual valve,
      --------------------------------              or blind flange.
One or more valves                  AND inoperable.
A.2      --------------NOTES--------------
: 1. Isolation devices in high radiation areas may be verified by use of administrative means.
: 2. Isolation devices that are locked, sealed, or otherwise secured may be verified by use of administrative means.
Verify affected flow path is              Once per 7 days isolated.
NuScale [US600]                                            3.7.1-1                                            Revision 4.0
 
MSIVs 3.7.1 ACTIONS (continued)
CONDITION                      REQUIRED ACTION              COMPLETION TIME B. Steam line that cannot be      B.1  Isolate the affected main    8 hours isolated.                            steam line.
C. Required Action and            C.1  Be in MODE 2.                6 hours associated Completion Time not met.                  AND C.2  Be in MODE 3 and            36 hours PASSIVELY COOLED.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                  FREQUENCY SR 3.7.1.1        Verify [required] valves accumulator pressures are  In accordance within limits.                                      with the Surveillance Frequency Control Program SR 3.7.1.2        Verify isolation ACTUATION RESPONSE TIME of          In accordance each MSIV and MSIV bypass valve is within limits    with the on an actual or simulated actuation signal. The      INSERVICE ACTUATION RESPONSE TIME is combined with            TESTING the allocated MPS digital time response and the      PROGRAM CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.7.1.3        Verify each MSIV and MSIV bypass valve leakage      In accordance is within limits.                                    with the INSERVICE TESTING PROGRAM NuScale [US600]                              3.7.1-2                            Revision 4.0
 
Feedwater Isolation 3.7.2 3.7 PLANT SYSTEMS 3.7.2 Feedwater Isolation LCO 3.7.2                    One Feedwater Isolation Valve (FWIV) and one Feedwater Regulation Valve (FWRV) for each steam generator shall be OPERABLE.
APPLICABILITY:                MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS
---------------------------------------------------------NOTES------------------------------------------------------------
: 1. Separate Condition entry is allowed for each valve.
: 2. Feedwater flow paths may be unisolated intermittently under administrative controls.
CONDITION                                REQUIRED ACTION                            COMPLETION TIME A. One or two FWIVs                      A.1      Isolate the affected FWIV                72 hours inoperable.                                    flow path by use of at least one closed and de-activated automatic valve, closed manual valve, or blind flange.
AND A.2      --------------NOTES--------------
: 1. Isolation in high radiation areas may be verified by use of administrative means.
: 2. Isolation devices that are locked, sealed, or otherwise secured may be verified by use of administrative means.
Verify FWIV path isolated.                Once per 7 days NuScale [US600]                                            3.7.2-1                                            Revision 4.0
 
Feedwater Isolation 3.7.2 ACTIONS (continued)
CONDITION            REQUIRED ACTION                        COMPLETION TIME B. One or two FWRVs      B.1 Isolate the affected FWRV              72 hours inoperable.                flow path by use of at least one closed and de-activated automatic valve, closed manual valve, or blind flange.
AND B.2 --------------NOTES--------------
: 1. Isolation in high radiation areas may be verified by use of administrative means.
: 2. Isolation devices that are locked, sealed, or otherwise secured may be verified by use of administrative means.
Verify FWRV path isolated.            Once per 7 days C. Two valves in the same C.1 Isolate the affected flow path        8 hours flow path inoperable.      by use of at least one closed and de-activated automatic valve, closed manual valve, or blind flange.
D. Required Action and    D.1 Be in MODE 2.                          6 hours associated Completion Time not met.          AND D.2 Be in MODE 3 and                      36 hours PASSIVELY COOLED.
NuScale [US600]                    3.7.2-2                                    Revision 4.0
 
Feedwater Isolation 3.7.2 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                FREQUENCY SR 3.7.2.1    Verify [required] FWIV accumulator pressures are In accordance within limits.                                  with the Surveillance Frequency Control Program.
SR 3.7.2.2    Verify the closure ACTUATION RESPONSE TIME      In accordance of each FWIV and FWRV is within limits on an    with the actual or simulated actuation signal. The        INSERVICE ACTUATION RESPONSE TIME is combined with        TESTING the allocated MPS digital time response and the  PROGRAM CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME.
SR 3.7.2.3    Verify each FWIV and FWRV leakage is within      In accordance limits.                                          with the INSERVICE TESTING PROGRAM NuScale [US600]                          3.7.2-3                          Revision 4.0
 
In-Containment Secondary Piping Leakage 3.7.3 3.7 PLANT SYSTEMS 3.7.3 In-Containment Secondary Piping Leakage LCO 3.7.3              Leakage through in-containment secondary system pipe walls shall be 1.5 gallons per hour (gph).
APPLICABILITY:        MODES 1 and 2, MODE 3 and not PASSIVELY COOLED.
ACTIONS CONDITION                              REQUIRED ACTION                          COMPLETION TIME A. In-containment                  A.1        Be in MODE 2.                            6 hours secondary system leakage > 1.5 gph.              AND A.2        Be in MODE 3 and                        36 hours PASSIVELY COOLED.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.7.3.1      --------------------------------NOTE------------------------------
Not required to be performed until 24 hours after establishment of steady state operation.
Verify in-containment secondary system leakage                          In accordance with 1.5 gph.                                                              the Surveillance Frequency Control Program NuScale [US600]                                      3.7.3-1                                        Revision 4.0
 
Nuclear Instrumentation 3.8.1 3.8 REFUELING OPERATIONS 3.8.1 Nuclear Instrumentation LCO 3.8.1            Two refueling neutron flux channels and one refueling neutron flux audible count rate channel shall be OPERABLE.
APPLICABILITY:        MODE 5, except when reactor vessel upper assembly is seated on reactor vessel flange.
ACTIONS CONDITION                      REQUIRED ACTION                COMPLETION TIME A. One required refueling      A.1    Suspend positive reactivity  Immediately neutron flux channel                changes.
inoperable.
AND OR A.2    Suspend operations that      Immediately Required refueling                  would cause introduction of neutron flux audible                water into UHS with boron count rate channel                  concentration less than inoperable.                        specified in the COLR.
B. Two required refueling      B.1    Initiate actions to restore  Immediately neutron flux channels              one refueling neutron flux inoperable.                        channel to OPERABLE status.
AND B.2    Perform SR 3.5.3.3.          Once per 12 hours NuScale [US600]                              3.8.1-1                              Revision 4.0
 
Nuclear Instrumentation 3.8.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE                                                    FREQUENCY SR 3.8.1.1    Perform a CHANNEL CHECK.                                                In accordance with the Surveillance Frequency Control Program SR 3.8.1.2    --------------------------------NOTE------------------------------
Neutron detectors are excluded from CHANNEL CALIBRATION.
Perform CHANNEL CALIBRATION.                                            In accordance with the Surveillance Frequency Control Program NuScale [US600]                                  3.8.1-2                                        Revision 4.0
 
Decay Time 3.8.2 3.8 REFUELING OPERATIONS 3.8.2 Decay Time LCO 3.8.2            Reactor shall be subcritical for  48 hours.
APPLICABILITY:      During movement of irradiated fuel in the reactor pressure vessel.
ACTIONS CONDITION                      REQUIRED ACTION                  COMPLETION TIME A. Reactor subcritical for    A.1    Suspend movement of            Immediately
    < 48 hours.                        irradiated fuel in the reactor pressure vessel.
SURVEILLANCE REQUIREMENTS SURVEILLANCE                                      FREQUENCY SR 3.8.2.1      Verify reactor has been subcritical for  48 hours.      Once prior to movement of irradiated fuel assemblies in the reactor pressure vessel NuScale [US600]                            3.8.2-1                                Revision 4.0
 
Design Features 4.0 4.0 DESIGN FEATURES 4.1 Site Location
[Site specific information to be provided by the combined license applicant.]
4.1.1    Site and Exclusion Boundaries
[Site specific information to be provided by the combined license applicant.]
4.1.2    Low Population Zone (LPZ)
[Site specific information to be provided by the combined license applicant.]
4.2 Reactor Core 4.2.1    Fuel Assemblies The reactor shall contain 37 fuel assemblies. Each assembly shall consist of a matrix of fuel rods clad with a zirconium based alloy and containing an initial composition of natural or slightly enriched uranium dioxide (UO2) as fuel material.
Limited substitutions of zirconium based alloy or stainless steel filler rods for fuel rods, in accordance with approved applications of fuel rod configurations, may be used. Fuel assemblies shall be limited to those fuel designs that have been analyzed with applicable NRC staff approved codes and methods and shown by tests or analyses to comply with fuel safety design bases. A limited number of lead test assemblies that have not completed representative testing may be placed in non-limiting core regions.
4.2.2    Control Rod Assemblies The reactor core shall contain 16 control rod assemblies. The control material shall be silver indium cadmium or boron carbide as approved by the NRC.
4.3 Fuel Storage 4.3.1    Criticality The spent fuel storage racks are designed and shall be maintained with:
: a. Fuel assemblies having a maximum U-235 enrichment of 5.0 weight percent; NuScale [US600]                                4.0-1                                    Revision 4.0
 
Design Features 4.0 4.0 DESIGN FEATURES 4.3 Fuel Storage (continued)
: b. keff  0.95 if fully flooded with borated water at a minimum soluble boron concentration of 800 ppm, which includes an allowance for uncertainties to assure a 95 percent probability and 95 percent confidence level;
: c. keff < 1.00 if fully flooded with unborated water, which includes an allowance for uncertainties to assure a 95 percent probability and 95 percent confidence level;
: d. A nominal 11.22 inch center-to-center distance between fuel assemblies placed in the spent fuel storage racks.
4.3.2    Drainage The spent fuel pool is designed and shall be maintained to prevent inadvertent draining of the pool below 20 ft above the spent fuel pool floor.
4.3.3    Capacity The spent fuel pool is designed and shall be maintained with a storage capacity limited to no more than 1404 fuel assemblies.
NuScale [US600]                                4.0-2                                Revision 4.0
 
Responsibility 5.1 5.0 ADMINISTRATIVE CONTROLS 5.1 Responsibility 5.1.1        The [Plant Manager] shall be responsible for overall facility operations and shall delegate in writing the succession to this responsibility during his absence.
The [Plant Manager] or his designee shall approve, prior to implementation, each proposed test, experiment or modification to systems or equipment that affect nuclear safety.
5.1.2        The [Shift Manager (SM)] shall be responsible for the control room command function. During any absence of the SM from the control room while any unit is in MODE 1, 2, 3, 4, or 5, an individual with an active Senior Reactor Operator (SRO) license shall be designated to assume the control room command function.
NuScale [US600]                              5.1-1                                  Revision 4.0
 
Organization 5.2 5.0 ADMINISTRATIVE CONTROLS 5.2 Organization 5.2.1        Onsite and Offsite Organizations Onsite and offsite organizations shall be established for facility operation and corporate management, respectively. The onsite and offsite organizations shall include the positions for activities affecting safety of the nuclear power plant.
Lines of authority, responsibility, and communication shall be defined and established throughout highest management levels, intermediate levels, and all operating organization positions. These relationships shall be documented and updated, as appropriate, in organization charts, functional descriptions of departmental responsibilities and relationships, and job descriptions for key personnel positions, or in equivalent forms of documentation. These requirements including the plant-specific titles of those personnel fulfilling the responsibilities of the positions delineated in these Technical Specifications shall be documented in the [FSAR/QA Plan];
The [Plant Manager] shall be responsible for overall safe operation of the plant and shall have control over those onsite activities necessary for safe operation and maintenance of the plant; A [specified corporate officer] shall have corporate responsibility for overall plant nuclear safety and shall take any measures needed to ensure acceptable performance of the staff in operating, maintaining, and providing technical support to the plant to ensure nuclear safety; and The individuals who train the operating staff, carry out health physics, or perform quality assurance functions may report to the appropriate onsite manager; however, these individuals shall have sufficient organizational freedom to ensure their independence from operating pressures.
5.2.2        Facility Staff The facility staff organization shall include the following:
: a.      The minimum licensed operator staffing shall be:
Number of units                    Reactor          Senior Reactor Operating(1)                      Operator            Operator None                                  2                    1 One to twelve                        3                    3 (1) For the purpose of this table, a unit is considered to be operating when it is in MODE 1, 2, or 3.
NuScale [US600]                                5.2-1                                  Revision 4.0
 
Organization 5.2 5.2 Organization 5.2.2        Facility Staff (continued)
: b.      A person holding a senior reactor operator license for all fueled units at the site who is assigned responsibility for overall plant operation shall be onsite at all times when there is fuel in any unit.
: c.      A senior reactor operator license shall be in the control room at all times.
In addition to this senior reactor operator, a licensed reactor operator or senior reactor operator shall be present at the controls at all times.
: d.      Shift crew composition may be less than the minimum requirement for a period of time not to exceed 2 hours in order to accommodate unexpected absence of on-duty shift crew members provided immediate action is taken to restore the shift crew composition to within the minimum requirements.
: e.      A radiation protection technician shall be on site when fuel is in any unit.
The position may be vacant for not more than 2 hours, in order to provide for unexpected absence, provided immediate action is taken to fill the required position.
: f.      The operations manager or assistant operations manager shall hold an SRO license.
: g.      An individual shall provide advisory technical support to the facility operations shift crew in the areas of thermal hydraulics, reactor engineering, and plant analysis with regard to the safe operation of the facility. This individual shall meet the qualifications specified by the Commission Policy Statement on Engineering Expertise on Shift.
NuScale [US600]                                  5.2-2                                  Revision 4.0
 
Facility Staff Qualifications 5.3 5.0 ADMINISTRATIVE CONTROLS 5.3 Facility Staff Qualifications 5.3.1          Each member of the facility staff shall meet or exceed the minimum qualifications of Regulatory Guide 1.8, Revision 3, 2000, or more recent revisions, or ANSI Standards acceptable to the NRC staff. The staff not covered by Regulatory Guide 1.8 shall meet or exceed the minimum qualifications of Regulations, Regulatory Guides, or ANSI Standards acceptable to NRC staff.
5.3.2          For the purpose of 10 CFR 55.4, a licensed Senior Reactor Operator (SRO) and a licensed Reactor Operator (RO) are those individuals who meet the requirements of TS 5.3.1 and TS 5.2.2.
NuScale [US600]                              5.3-1                                    Revision 4.0
 
Procedures 5.4 5.0 ADMINISTRATIVE CONTROLS 5.4 Procedures 5.4.1        Written procedures shall be established, implemented, and maintained covering the following activities:
: a.      The applicable procedures recommended in Regulatory Guide 1.33, Revision 3, June 2013;
: b.      The emergency operating procedures required to implement the requirements of NUREG-0737 and NUREG-0737, Supplement 1;
: c.      Quality assurance for effluent and environmental monitoring;
: d.      Fire Protection Program implementation; and
: e.      All programs specified in Specification 5.5.
NuScale [US600]                              5.4-1                                Revision 4.0
 
Programs and Manuals 5.5 5.0 ADMINISTRATIVE CONTROLS 5.5 Programs and Manuals The following programs shall be established, implemented, and maintained.
5.5.1          Offsite Dose Calculation Manual (ODCM)
: a.      The ODCM shall contain the methodology and parameters used in the calculation of offsite doses resulting from radioactive gaseous and liquid effluents, in the calculation of gaseous and liquid effluent monitoring alarm and trip setpoints, and in the conduct of the radiological environmental monitoring program.
: b.      The ODCM shall also contain the radioactive effluent controls and radiological environmental monitoring activities, and descriptions of the information that should be included in the Annual Radiological Environmental Operating, and Radioactive Effluent Release Reports required by Specification 5.6.1 and Specification 5.6.2.
: c.      Licensee initiated changes to the ODCM:
: 1.      Shall be documented and records of reviews performed shall be retained. This documentation shall contain:
: i.      Sufficient information to support the change(s) together with the appropriate analyses or evaluations justifying the change(s), and ii.      A determination that the change(s) maintain the levels of radioactive effluent control required by 10 CFR 20.1302, 40 CFR 190, 10 CFR 50.36a, and 10 CFR 50, Appendix I, and not adversely impact the accuracy or reliability of effluent or dose calculations;
: 2.      Shall become effective after the approval of the [plant manager];
and
: 3.      Shall be submitted to the NRC in the form of a complete, legible copy of the changed portion of the ODCM as a part of or concurrent with the Radioactive Effluent Release Report for the period of the report in which any change in the ODCM was made.
Each change shall be identified by markings in the margin of the affected pages, clearly indicating the area of the page that was changed, and shall indicate the date (i.e., month and year) the change was implemented.
NuScale [US600]                                  5.5-1                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.2        Radioactive Effluent Control Program
: a. This program conforms to 10 CFR 50.36a for the control of radioactive effluents and for maintaining the doses to members of the public from radioactive effluents as low as is reasonably achievable. The program shall be contained in the ODCM, shall be implemented by procedures, and shall include remedial actions to be taken whenever the program limits are exceeded. The program shall include the following elements:
: 1.      Limitations on the functional capability of radioactive liquid and gaseous monitoring instrumentation including surveillance tests and setpoints determination in accordance with the methodology in the ODCM;
: 2.      Limitations on the concentrations of radioactive material released in liquid effluents to unrestricted areas, conforming to ten times the concentration values in Appendix B, Table 2, Column 2 to 10 CFR 20;
: 3.      Monitoring, sampling, and analysis of radioactive liquid and gaseous effluents in accordance with 10 CFR 20.1302 and with the methodology and parameters in the ODCM;
: 4.      Limitations on the annual and quarterly doses or dose commitment to a member of the public for radioactive materials in liquid effluents released from each unit to unrestricted areas, conforming to 10 CFR 50, Appendix I;
: 5.      Determination of cumulative dose contributions from radioactive effluents for the current calendar quarter and current calendar year in accordance with the methodology and parameters in the ODCM at least every 31 days. Determination of projected dose contributions from radioactive effluents in accordance with the methodology in the ODCM at least every 31 days;
: 6.      Limitations on the functional capability and use of the liquid and gaseous effluent treatment systems to ensure that appropriate portions of these systems are used to reduce releases of radioactivity when the projected doses in a period of 31 days would exceed 2% of the guidelines for the annual dose or dose commitment, conforming to 10 CFR 50, Appendix I; NuScale [US600]                              5.5-2                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.2        Radioactive Effluent Control Program (continued)
: 7.      Limitations on the dose rate resulting from radioactive material released in gaseous effluents to areas beyond the site boundary shall be in accordance with the following:
: i.      For noble gases: a dose rate  500 mrem/yr to the whole body and a dose rate  3000 mrem/yr to the skin and ii. For iodine-131, iodine-133, tritium, and all radionuclides in particulate form with half-lives greater than 8 days: a dose rate  1500 mrem/yr to any organ;
: 8.      Limitations on the annual and quarterly air doses resulting from noble gases released in gaseous effluents from each unit to areas beyond the site boundary, conforming to 10 CFR 50, Appendix I;
: 9.      Limitations on the annual and quarterly doses to a member of the public from iodine-131, iodine-133, tritium, and all radionuclides in particulate form with half-lives > 8 days in gaseous effluents released from each unit to areas beyond the site boundary, conforming to 10 CFR 50, Appendix I; and
: 10. Limitations on the annual dose or dose commitment to any member of the public, beyond the site boundary, due to releases of radioactivity and to radiation from uranium fuel cycle sources, conforming to 40 CFR 190.
: b.      The provisions of SR 3.0.2 and SR 3.0.3 are applicable to the Radioactive Effluent Controls Program surveillance frequency.
5.5.3        Component Cyclic or Transient Limit This program provides controls to track the FSAR Section 3.9 cyclic and transient occurrences to ensure that components are maintained within the design limits.
5.5.4        Steam Generator (SG) Program A Steam Generator Program shall be established and implemented to ensure that SG tube integrity is maintained. In addition, the Steam Generator Program shall include the following:
NuScale [US600]                                5.5-3                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.4        Steam Generator (SG) Program (continued)
: a. Provisions for condition monitoring assessments. Condition monitoring assessment means an evaluation of the as found condition of the tubing with respect to the performance criteria for structural integrity and accident induced leakage. The "as found" condition refers to the condition of the tubing during an SG inspection outage, as determined from the inservice inspection results or by other means, prior to the plugging of tubes. Condition monitoring assessments shall be conducted during each outage during which the SG tubes are inspected or plugged to confirm that the performance criteria are being met.
: b. Performance criteria for SG tube integrity. SG tube integrity shall be maintained by meeting the performance criteria for tube structural integrity, accident induced leakage, and operational LEAKAGE.
: 1.      Structural integrity performance criterion: All inservice steam generator tubes shall retain structural integrity over the full range of normal operating conditions (including startup, operation in the power range, and cool down and all anticipated transients included in the design specification) and design basis accidents.
This includes retaining a safety factor of 3.0 against burst under normal steady state full power operation primary-to-secondary pressure differential and a safety factor of 1.4 against burst applied to the design basis accident primary-to-secondary pressure differentials. Apart from the above requirements, additional loading conditions associated with the design basis accidents, or combination of accidents in accordance with the design and licensing basis, shall also be evaluated to determine if the associated loads contribute significantly to burst or collapse. In the assessment of tube integrity, those loads that do significantly affect burst or collapse shall be determined and assessed in combination with the loads due to pressure with a safety factor of 1.2 on the combined primary loads and 1.0 on axial secondary loads.
: 2.      Accident induced leakage performance criterion: The primary to secondary accident induced leakage rate for any design basis accident, other than a SG tube failure, shall not exceed the leakage rate assumed in the accident analysis in terms of total leakage rate for all SGs and leakage rate for an individual SG.
Leakage is not to exceed 150 gallons per day.
: 3.      The operational LEAKAGE performance criterion is specified in LCO 3.4.5, "RCS Operational LEAKAGE.
NuScale [US600]                              5.5-4                                    Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.4        Steam Generator (SG) Program (continued)
: c. Provisions for SG tube plugging criteria. Tubes found by inservice inspection to contain flaws with a depth equal to or exceeding [40%] of the nominal tube wall thickness shall be plugged.
: d. Provisions for SG tube inspections. Periodic SG tube inspections shall be performed. The number and portions of the tubes inspected and methods of inspection shall be performed with the objective of detecting flaws of any type (e.g., volumetric flaws, axial and circumferential cracks) that may be present along the length of the tube, from the tube-to-tubesheet weld at the tube inlet to the tube-to-tubesheet weld at the tube outlet, and that may satisfy the applicable tube plugging criteria. The tube-to-tubesheet weld is not part of the tube. In addition to meeting the requirements of d.1, d.2, and d.3 below, the inspection scope, inspection methods, and inspection intervals shall be such as to ensure that SG tube integrity is maintained until the next SG inspection. A degradation assessment shall be performed to determine the type and location of flaws to which the tubes may be susceptible and, based on this assessment, to determine which inspection methods need to be employed and at what locations.
: 1.      Inspect 100% of the tubes in each SG during the first refueling outage following initial startup and SG replacement.
: 2.      After the first refueling outage following SG installation, inspect each SG at least every 72 effective full power months or at least every third refueling outage (whichever results in more frequent inspections). In addition, the minimum number of tubes inspected at each scheduled inspection shall be the number of tubes in all SGs divided by the number of SG inspection outages scheduled in each inspection period as defined in a, b, c and d below. If a degradation assessment indicates the potential for a type of degradation to occur at a location not previously inspected with a technique capable of detecting this type of degradation at this location and that may satisfy the applicable tube plugging criteria, the minimum number of locations inspected with such a capable inspection technique during the remainder of the inspection period may be prorated. The fraction of locations to be inspected for this potential type of degradation at this location at the end of the inspection period shall be no less than the ratio of the number of times the SG is scheduled to be inspected in the inspection period after the determination that a new form of degradation could potentially be occurring at this location divided by the total number of times the SG is scheduled to be inspected in the inspection period. Each inspection period defined below may be extended up NuScale [US600]                              5.5-5                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.4        Steam Generator (SG) Program (continued) to 3 effective full power months to include a SG inspection outage in an inspection period and the subsequent inspection period begins at the conclusion of the included SG inspection outage.
a)      After the first refueling outage following SG installation, inspect 100% of the tubes during the next 144 effective full power months. This constitutes the first inspection period; b)      During the next 120 effective full power months, inspect 100% of the tubes. This constitutes the second inspection period; c)      During the next 96 effective full power months, inspect 100% of the tubes. This constitutes the third inspection period; and d)      During the remaining life of the SGs, inspect 100% of the tubes every 72 effective full power months. This constitutes the fourth and subsequent inspection periods.
: 3.      If crack indications are found in any SG tube, then the next inspection for each affected and potentially affected unit SG for the degradation mechanism that caused the crack indication shall not exceed 24 effective full power months or one refueling outage (whichever results in more frequent inspections). If definitive information, such as from examination of a pulled tube, diagnostic non-destructive testing, or engineering evaluation indicates that a crack-like indication is not associated with a crack(s), then the indication need not be treated as a crack.
: e.      Provisions for monitoring operational primary to secondary LEAKAGE.
5.5.5        Secondary Water Chemistry Program This program provides controls for monitoring secondary water chemistry to inhibit SG tube degradation and low pressure turbine disc stress corrosion cracking. The program shall include:
: a.      Identification of a sampling schedule for the critical variables and control points for these variables;
: b.      Identification of the procedures used to measure the values of the critical variables; NuScale [US600]                                  5.5-6                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.5        Secondary Water Chemistry Program (continued)
: c.      Identification of process sampling points, which shall include monitoring the discharge of the condensate pumps for evidence of condenser in leakage;
: d.      Procedures for the recording and management of data;
: e.      Procedures defining corrective actions for all off control point chemistry conditions; and
: f.      A procedure identifying the authority responsible for the interpretation of the data and the sequence and timing of administrative events, which is required to initiate corrective action.
5.5.6        Explosive Gas and Storage Tank Radioactivity Monitoring Program This program provides controls for potentially explosive gas mixtures contained in the Gaseous Rad-Waste Management System, the quantity of radioactivity contained in gas storage tanks or fed into the offgas treatment system, and the quantity of radioactivity contained in unprotected outdoor liquid storage tanks.
The gaseous radioactivity quantities shall be determined following the methodology in Branch Technical Position (BTP) 11-5, "Postulated Radioactive Release due to Waste Gas System Leak or Failure. The liquid radwaste quantities shall be determined in accordance with Standard Review Plan, Section 15.7.3, "Postulated Radioactive Release due to Liquid-Containing Tank Failures.
The program shall include:
: a.      The limits for concentrations of hydrogen and oxygen in the Gaseous Rad-Waste Management System and a surveillance program to ensure the limits are maintained. Such limits shall be appropriate to the system's design criteria (i.e., whether or not the system is designed to withstand a hydrogen explosion),
: b.      A surveillance program to ensure that the quantity of radioactivity contained in each gas storage tank and fed into the offgas treatment system is less than the amount that would result in a whole body exposure of  0.5 rem to any individual in an unrestricted area, in the event of an uncontrolled release of the tanks' contents, and
: c.      A surveillance program to ensure that the quantity of radioactivity contained in all outdoor liquid radwaste tanks that are not surrounded by liners, dikes, or walls, capable of holding the tanks' contents and that do not have tank overflows and surrounding area drains connected to the NuScale [US600]                                5.5-7                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.6        Explosive Gas and Storage Tank Radioactivity Monitoring Program (continued)
Liquid Radioactive Waste System is less than the amount that would result in concentrations less than the limits of 10 CFR 20, Appendix B, Table 2, Column 2, at the nearest potable water supply and the nearest surface water supply in an unrestricted area, in the event of an uncontrolled release of the tanks' contents.
The provisions of SR 3.0.2 and SR 3.0.3 are applicable to the Explosive Gas and Storage Tank Radioactivity Monitoring Program surveillance frequencies.
5.5.7        Technical Specifications (TS) Bases Control Program This program provides a means for processing changes to the Bases of these Technical Specifications.
: a. Changes to the Bases of the TS shall be made under appropriate administrative controls and reviews.
: b. Licensees may make changes to Bases without prior NRC approval provided the changes do not require either of the following:
: 1.      A change in the TS incorporated in the license; or
: 2.      A change to the updated FSAR or Bases that requires NRC approval pursuant to 10 CFR 50.59.
: c. The Bases Control Program shall contain provisions to ensure that the Bases are maintained consistent with the FSAR.
: d. Proposed changes that meet the criteria of 5.5.7(b) above shall be reviewed and approved by the NRC prior to implementation. Changes to the Bases implemented without prior NRC approval shall be provided to the NRC on a frequency consistent with 10 CFR 50.71(e).
5.5.8        Safety Function Determination Program (SFDP)
: a. This program ensures that loss of safety function is detected and appropriate action taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other appropriate limitations and remedial or compensatory actions may be identified to be taken as a result of the supported system inoperability and corresponding exception to entering supported system Condition and Required Actions. This program implements the requirement of LCO 3.0.6. The SFDP shall contain the following:
NuScale [US600]                              5.5-8                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.8        Safety Function Determination Program (SFDP) (continued)
: 1.      Provisions for cross division checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected;
: 2.      Provisions for ensuring the unit is maintained in a safe condition if a loss of function condition exists;
: 3.      Provisions to ensure that an inoperable supported systems Completion Time is not inappropriately extended as a result of multiple support systems inoperabilities; and
: 4.      Other appropriate limitations and remedial or compensatory actions.
: b. A loss of safety function exists when, assuming no concurrent single failure, a safety function assumed in the accident analysis cannot be performed. For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:
: 1.      A required system redundant to the system(s) supported by the inoperable support system is also inoperable; or
: 2.      A required system redundant to the system(s) in turn supported by the inoperable supported system is also inoperable; or
: 3.      A required system redundant to the support system(s) for the supported systems (a) and (b) above is also inoperable.
: c. The SFDP identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. When a loss of safety function is caused by the inoperability of a single Technical Specification support system, the appropriate Conditions and Required Actions to enter are those of the support system.
5.5.9        Containment Leakage Rate Testing Program
: a. A program shall implement the leakage rate testing of the containment as required by 10 CFR 50.54(o) and 10 CFR 50, Appendix J, Option A, as modified by approved exemptions.
: b. The maximum allowable containment leakage rate, La, at Pa, shall be 0.20% of containment air weight per day.
NuScale [US600]                              5.5-9                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.9        Containment Leakage Rate Testing Program (continued)
: c. Containment leakage rate acceptance criterion is < 0.60 La. During the first unit startup following testing in accordance with this program, the leakage rate acceptance criteria are < 0.60 La for the Type B and Type C tests.
: d. The provisions of SR 3.0.3 are applicable to the Containment Leakage Rate Testing Program.
: e. Nothing in these Technical Specifications shall be construed to modify the testing Frequencies required by 10 CFR 50, Appendix J.
5.5.10      Setpoint Program (SP)
: a. The Setpoint Program (SP) implements the regulatory requirement of 10 CFR 50.36(c)(1)(ii)(A) that technical specifications will include items in the category of limiting safety system settings (LSSS), which are settings for automatic protective devices related to those variables having significant safety functions.
: b. The Limiting Trip Setpoint (LTSP), Nominal Trip Setpoint (NTSP),
As-Found Tolerance (AFT), and As-Left Tolerance (ALT) for each Technical Specification required automatic protection instrumentation function shall be calculated in conformance with [TR-0616-49121-P, Revision 1, "NuScale Instrument Setpoint Methodology."]
: c. For each Technical Specification required automatic protection instrumentation function, performance of a CHANNEL CALIBRATION surveillance in accordance with the Setpoint Program (SP) shall include the following:
: 1.      The as-found value of the instrument channel trip setting shall be compared with the previously recorded as-left value.
: i.      If all as-found measured trip setpoint values during calibration and surveillance testing are inside the two-sided limits of Nominal Trip Setpoint (NTSP) plus or minus the Performance and Test Acceptance Criteria Band (PTAC),
then the channel is fully OPERABLE, no additional actions are required.
NuScale [US600]                                5.5-10                                Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.10      Setpoint Program (SP) (continued) ii. If during channel OPERABILITY or calibration testing, the measured trip setpoint values are within the As-Found Tolerance band but outside the As-Left Tolerance Band, then the instrumentation channel is fully OPERABLE, however, calibration is required to restore the channel within the as-left tolerance band.
iii. If any as-found calibration setting value is outside the as-found Tolerance band, then the channel is inoperable, and corrective action is required. Calibration is required to restore the channel to within as-left tolerance band.
: 2.      The instrument channel trip setting shall be set to a value within the specified ALT around the specified NTSP at the completion of the surveillance; otherwise, the surveillance requirement is not met and the instrument channel shall be immediately declared inoperable.
: d.      The difference between the instrument channel trip setting as-found value and the previously recorded as-left value for each Technical Specification required automatic protection instrumentation function shall be trended and evaluated to verify that the instrument channel is functioning in accordance with its design basis.
: e.      The SP shall establish a document containing the current value of the specified LTSP, NTSP, AFT, and ALT for each Technical Specification required automatic protection instrumentation function and references to the calculation documentation. Changes to this document shall be governed by the regulatory requirement of 10 CFR 50.59. In addition, changes to the specified LTSP, NTSP, AFT, and ALT values shall be governed by the approved setpoint methodology. This document, including any revisions or supplements, shall be provided upon issuance to the NRC.
5.5.11      Surveillance Frequency Control Program This program provides controls for Surveillance Frequencies. The program shall ensure that Surveillance Requirements specified in the Technical Specifications are performed at intervals sufficient to assure the associated Limiting Conditions for Operation are met.
: a.      The Surveillance Frequency Control Program shall contain a list of Frequencies of those Surveillance Requirements for which the Frequency is controlled by the program.
NuScale [US600]                              5.5-11                                  Revision 4.0
 
Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.11      Surveillance Frequency Control Program (continued)
: b.      Changes to the Frequencies listed in the Surveillance Frequency Control Program shall be made in accordance with NEI 04-10, "Risk-Informed Method for Control of Surveillance Frequencies," Revision 1. FSAR Table 16.1-1, Surveillance Frequency Control Program Base Frequencies, describes the plant licensing bases for the surveillance test intervals.
: c.      The provisions of Surveillance Requirements 3.0.2 and 3.0.3 are applicable to the Frequencies established in the Surveillance Frequency Control Program.
5.5.12      Spent Fuel Storage Rack Neutron Absorber Monitoring Program This Program provides controls for monitoring the condition of the neutron absorber used in the spent fuel pool storage racks to verify the Boron-10 areal density is consistent with the assumptions in the spent fuel pool criticality analysis. The program shall be in accordance with NEI 16-03-A, "Guidance for Monitoring of Fixed Neutron Absorbers in Spent Fuel Pools," Revision 0, May 2017.
NuScale [US600]                              5.5-12                                  Revision 4.0
 
Reporting Requirements 5.6 5.0 ADMINISTRATIVE CONTROLS 5.6 Reporting Requirements The following reports shall be submitted in accordance with 10 CFR 50.4.
5.6.1          Annual Radiological Environmental Operating Report
              -----------------------------------------------NOTE----------------------------------------------------
A single submittal may be made for a multiple unit station. The submittal should combine sections common to all units at the station.
The Annual Radiological Environmental Operating Report covering the operation of the facility during the previous calendar year shall be submitted by May 15 of each year. The report shall include summaries, interpretations, and analyses of trends of the results of the radiological environmental monitoring program for the reporting period. The material provided shall be consistent with the objectives outlined in the Offsite Dose Calculation Manual (ODCM), and in 10 CFR 50, Appendix I, Sections IV.B.2, IV.B.3, and IV.C.
The Annual Radiological Environmental Operating Report shall include the results of analyses of all radiological environmental samples and of all environmental radiation measurements taken during the period pursuant to the locations specified in the table and figures in the ODCM, as well as summarized and tabulated results of these analyses and measurements in the format of the table in the Radiological Assessment Branch Technical Position, Revision 1, November 1979. In the event that some individual results are not available for inclusion with the report, the report shall be submitted noting and explaining the reasons for the missing results. The missing data shall be submitted in a supplementary report as soon as possible.
5.6.2          Radioactive Effluent Release Report
              -----------------------------------------------NOTE----------------------------------------------------
A single submittal may be made for a multiple unit station. The submittal should combine sections common to all units at the station.
The Radioactive Effluent Release Report covering the operation of the facility in the previous year shall be submitted prior to May 1 of each year in accordance with 10 CFR 50.36a. The report shall include a summary of the quantities of radioactive liquid and gaseous effluents and solid waste released from the facility.
The material provided shall be consistent with the objectives outlined in the ODCM and Process Control Program and in conformance with 10 CFR 50.36a and 10 CFR 50, Appendix I, Section IV.B.1.
NuScale [US600]                                        5.6-1                                              Revision 4.0
 
Reporting Requirements 5.6 5.6 Reporting Requirements 5.6.3        Core Operating Limits Report (COLR)
: a. Core operating limits shall be established prior to each reload cycle, or prior to any remaining portion of a reload cycle, and shall be documented in the COLR for the following:
3.1.1, SHUTDOWN MARGIN (SDM);
3.1.3, Moderator Temperature Coefficient (MTC);
3.1.4, Rod Group Alignment Limits; 3.1.5, Shutdown Bank Insertion Limits; 3.1.6, Regulating Bank Insertion Limits; 3.1.8, PHYSICS TESTS Exceptions; 3.1.9, Boron Dilution Control; 3.2.1, Enthalpy Rise Hot Channel Factor ( F H);
3.2.2, AXIAL OFFSET (AO);
3.4.1, RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits; 3.5.3, Ultimate Heat Sink; and 3.8.1, "Nuclear Instrumentation".
: b. The analytical methods used to determine the core operating limits shall be those previously reviewed and approved by the NRC, specifically those described in the following documents:
[-----------------------------------REVIEWER'S NOTE----------------------------------
The COL applicant shall confirm the validity of each listed document and the listed Specifications for the associated core operating limits, or state the valid NRC approved analytical method document and list of associated Specifications.
The COL applicant shall state the valid core reload analysis methodology document and list of associated Specifications.
                    -------------------------------------------------------------------------------------------------]
NuScale [US600]                                      5.6-2                                            Revision 4.0
 
Reporting Requirements 5.6 5.6 Reporting Requirements 5.6.3        Core Operating Limits Report (COLR) (continued)
: 1.    [NuScale Standard Design Certification Analysis (DCA), Part 2, Tier 2, NuScale Final Safety Analysis Report (FSAR), Section 4.3, Nuclear Design, Revision 1, March 2018; TR-0516-49416, Non-Loss-of-Coolant Accident Analysis Methodology, Revision 0, May 2016 (NuScale Proprietary); TR-0516-49422, "Loss-of-Coolant Accident Methodology," Revision 0, May 2016 (NuScale Proprietary); and TR-0716-50250, "Rod Ejection Accident Methodology," Revision 0, July 2016 (NuScale Proprietary).
(Methodology for Specifications 3.1.1 - SHUTDOWN MARGIN (SDM), 3.1.3 - Moderator Temperature Coefficient, 3.1.4 - Rod Group Alignment Limits, 3.1.5 - Shutdown Bank Insertion Limits, 3.1.6 - Regulating Bank Insertion Limits, and 3.1.8 - PHYSICS TESTS Exceptions.)]
: 2.    [NuScale DCA, Part 2, Tier 2, NuScale FSAR, Section 9.3.4, Chemical and Volume Control System, Revision 1, March 2018; and TR-0516-49416, Non-Loss-of-Coolant Accident Analysis Methodology, Revision 0, May 2016 (NuScale Proprietary).
(Methodology for Specification 3.1.9 - Boron Dilution Control.)]
: 3.    [NuScale DCA, Part 2, Tier 2, NuScale FSAR, Sections 4.3, Nuclear Design, and 4.4, Thermal and Hydraulic Design, Revision 1, March 2018; TR-0516-49416, Non-Loss-of-Coolant Accident Analysis Methodology, Revision 0, May 2016 (NuScale Proprietary); TR-0915-17564-A, Subchannel Analysis Methodology, Revision 2, February 2019 (NuScale Proprietary);
TR-0516-49422, "Loss-of-Coolant Accident Methodology,"
Revision 0, May 2016 (NuScale Proprietary); and TR-0716-50250, "Rod Ejection Accident Methodology," Revision 0, July 2016 (NuScale Proprietary).
(Methodology for Specifications 3.2.1 - Enthalpy Rise Hot Channel Factor (FH), and 3.2.2 - AXIAL OFFSET (AO).)]
: 4.    [NuScale DCA, Part 2, Tier 2, NuScale FSAR, Section 4.4, Thermal and Hydraulic Design, Revision 1, March 2018; TR-0516-49416, Non-Loss-of-Coolant Accident Analysis Methodology, Revision 0, May 2016 (NuScale Proprietary);
TR-0516-49422, "Loss-of-Coolant Accident Methodology,"
Revision 0, May 2016 (NuScale Proprietary); and TR-0716-50250, "Rod Ejection Accident Methodology," Revision 0, July 2016 (NuScale Proprietary).
NuScale [US600]                            5.6-3                                Revision 4.0
 
Reporting Requirements 5.6 5.6 Reporting Requirements 5.6.3        Core Operating Limits Report (COLR) (continued)
(Methodology for Specification 3.4.1 - RCS Pressure, Temperature, and Flow Resistance CHF Limits.)]
: 5.      [NuScale DCA, Part 2, Tier 2, NuScale FSAR, Section 4.3, Nuclear Design, Revision 1, March 2018.
(Methodology for Specifications 3.5.3 - Ultimate Heat Sink, and 3.8.1 - Nuclear Instrumentation.)]
: c. The core operating limits shall be determined such that all applicable limits (e.g., fuel thermal mechanical limits, core thermal hydraulic limits, Passive Core Cooling Systems limits, nuclear limits such as SDM, transient analysis limits, and accident analysis limits) of the safety analysis are met.
: d. The COLR, including any mid-cycle revisions or supplements, shall be provided upon issuance for each reload cycle to the NRC.
5.6.4        Reactor Coolant System (RCS) PRESSURE AND TEMPERATURE LIMITS REPORT (PTLR)
: a. RCS pressure and temperature limits for heat up, cooldown, low temperature operation, criticality, and hydrostatic testing as well as heatup and cooldown rates shall be established and documented in the PTLR for the following:
3.3.1, Module Protection System (MPS) Instrumentation; 3.3.3, Engineered Safety Features Actuation System (ESFAS)
Logic and Actuation; 3.3.4, Manual Actuation Functions; 3.4.3, RCS Pressure and Temperature (P/T) Limits; and 3.4.4, Reactor Safety Valves (RSVs).
NuScale [US600]                                5.6-4                                  Revision 4.0
 
Reporting Requirements 5.6 5.6 Reporting Requirements 5.6.4        Reactor Coolant System (RCS) PRESSURE AND TEMPERATURE LIMITS REPORT (PTLR) (continued)
: b.      The analytical methods used to determine the RCS pressure and temperature limits shall be those previously reviewed and approved by the NRC, specifically those described in the following document:
TR-1015-18177, "Pressure and Temperature Limits Methodology,"
[Revision 0, December 2016.]
: c.      The PTLR shall be provided to the NRC upon issuance for each reactor vessel fluency period and for any revision or supplement thereto.
5.6.5        Steam Generator Tube Inspection Report A report shall be submitted within 180 days after the initial entry into MODE 3 following completion of an inspection performed in accordance with the Specification 5.5.4, "Steam Generator (SG) Program." The report shall include:
: a.      The scope of inspections performed on each SG.
: b.      Degradation mechanisms found.
: c.      Nondestructive examination techniques utilized for each degradation mechanism.
: d.      Location orientation (if linear), and measured sizes (if available) of service induced indications.
: e.      Number of tubes plugged during the inspection outage for each degradation mechanism.
: f.      The number and percentage of tubes plugged to date, and the effective plugging percentage in each steam generator.
: g.      The results of condition monitoring, including the results of tube pulls and in-situ testing.
NuScale [US600]                                5.6-5                                  Revision 4.0
 
High Radiation Area 5.7 5.0 ADMINISTRATIVE CONTROLS 5.7 High Radiation Area As provided in paragraph 20.1601(c) of 10 CFR Part 20, the following controls shall be applied to high radiation areas in place of the controls required by paragraph 20.1601(a) and (b) of 10 CFR Part 20:
5.7.1          High Radiation Areas with Dose Rates Not Exceeding 1.0 rem/hour at 30 Centimeters from the Radiation Source or from any Surface Penetrated by the Radiation
: a. Each entryway to such an area shall be barricaded and conspicuously posted as a high radiation area. Such barricades may be opened as necessary to permit entry or exit of personnel or equipment.
: b. Access to, and activities in, each such area shall be controlled by means of Radiation Work Permit (RWP) or equivalent that includes specification of radiation dose rates in the immediate work area(s) and other appropriate radiation protection equipment and measures.
: c. Individuals qualified in radiation protection procedures and personnel continuously escorted by such individuals may be exempted from the requirement for an RWP or equivalent while performing their assigned duties provided that they are otherwise following plant radiation protection procedures for entry to, exit from, and work in such areas.
: d. Each individual or group entering such an area shall possess:
: 1.      A radiation monitoring device that continuously displays radiation dose rates in the area; or
: 2.      A radiation monitoring device that continuously integrates the radiation dose rates in the area and alarms when the devices dose alarm setpoint is reached, with an appropriate alarm setpoint; or
: 3.      A radiation monitoring device that continuously transmits dose rate and cumulative dose information to a remote receiver monitored by radiation protection personnel responsible for controlling personnel radiation exposure within the area; or
: 4.      A self-reading dosimeter (e.g., pocket ionization chamber or electronic dosimeter); and NuScale [US600]                                  5.7-1                                Revision 4.0
 
High Radiation Area 5.7 5.7 High Radiation Area 5.7.1        High Radiation Areas with Dose Rates Not Exceeding 1.0 rem/hour at 30 Centimeters from the Radiation Source or from any Surface Penetrated by the Radiation (continued)
(i)    Be under the surveillance, as specified in the RWP or equivalent, while in the area, of an individual qualified in radiation protection procedures, equipped with a radiation monitoring device that continuously displays radiation dose rates in the area; who is responsible for controlling personnel exposure within the area; or (ii)    Be under the surveillance as specified in the RWP or equivalent, while in the area, by means of closed circuit television, of personnel qualified in radiation protection procedures, responsible for controlling personnel radiation exposure in the area, and with the means to communicate with individuals in the area who are covered by such surveillance.
: e.      Except for individuals qualified in radiation protection procedures, or personnel continuously escorted by such individuals, entry into such areas shall be made only after dose rates in the area have been determined and entry personnel are knowledgeable of them. These continuously escorted personnel will receive a pre-job briefing prior to entry into such areas. This dose rate determination, knowledge, and pre-job briefing does not require documentation prior to initial entry.
5.7.2        High Radiation Areas with Dose Rates Greater than 1.0 rem/hour at 30 Centimeters from the Radiation Source or from any Surface Penetrated by the Radiation, but less than 500 rads/hour at 1 Meter from the Radiation Source or from any Surface Penetrated by the Radiation
: a.      Each entryway to such an area shall be conspicuously posted as a high radiation area and shall be provided with a locked or continuously guarded door or gate that prevents unauthorized entry, and, in addition:
: 1.      All such door and gate keys shall be maintained under the administrative control of the [shift manager], radiation protection manager, or his or her designees; and
: 2.      Doors and gates shall remain locked except during periods of personnel or equipment entry or exit.
NuScale [US600]                                5.7-2                                  Revision 4.0
 
High Radiation Area 5.7 5.7 High Radiation Area 5.7.2        High Radiation Areas with Dose Rates Greater than 1.0 rem/hour at 30 Centimeters from the Radiation Source or from any Surface Penetrated by the Radiation, but less than 500 rads/hour at 1 Meter from the Radiation Source or from any Surface Penetrated by the Radiation (continued)
: b.      Access to, and activities in, each such area shall be controlled by means of an RWP or equivalent that includes specification of radiation dose rates in the immediate work area(s) and other appropriate radiation protection equipment and measures.
: c.      Individuals qualified in radiation protection procedures may be exempted from the requirement for an RWP or equivalent while performing radiation surveys in such areas provided that they are otherwise following plant radiation protection procedures for entry to, exit from, and work in such areas.
: d.      Each individual group entering such an area shall possess:
: 1.      A radiation monitoring device that continuously integrates the radiation rates in the area and alarms when the devices dose alarm setpoint is reached, with an appropriate alarm setpoint; or
: 2.      A radiation monitoring device that continuously transmits dose rate and cumulative dose information to a remote receiver monitored by radiation protection personnel responsible for controlling personnel radiation exposure within the area with the means to communicate with and control every individual in the area; or
: 3.      A self-reading dosimeter (e.g., pocket ionization chamber or electronic dosimeter); and (i)    Be under surveillance, as specified in the RWP or equivalent, while in the area, of an individual qualified in radiation protection procedures, equipped with a radiation monitoring device that continuously displays radiation dose rates in the area; who is responsible for controlling personnel exposure within the area, or (ii)    Be under surveillance as specified in the RWP or equivalent, while in the area, by means of closed circuit television, or personnel qualified in radiation protection procedures, responsible for controlling personnel radiation exposure in the area, and with the means to communicate with and control every individual in the area.
NuScale [US600]                                5.7-3                                  Revision 4.0
 
High Radiation Area 5.7 5.7 High Radiation Area 5.7.2        High Radiation Areas with Dose Rates Greater than 1.0 rem/hour at 30 Centimeters from the Radiation Source or from any Surface Penetrated by the Radiation, but less than 500 rads/hour at 1 Meter from the Radiation Source or from any Surface Penetrated by the Radiation (continued)
: 4.      In those cases where options (2) and (3), above, are impractical or determined to be inconsistent with the As Low As is Reasonably Achievable principle, a radiation monitoring device that continuously displaces radiation dose rates in the area.
: e.      Except for individuals qualified in radiation protection procedures, or personnel continuously escorted by such individuals, entry into such areas shall be made only after dose rates in the area have been determined and entry personnel are knowledgeable of them. These continuously escorted personnel will receive a pre-job briefing prior to entry into such areas. This dose rate determination, knowledge, and pre-job briefing do not require documentation prior to initial entry.
: f.      Such individual areas that are within a larger area where no enclosure exists for the purpose of locking and where no enclosure can reasonably be constructed around the individual area need not be controlled by a locked door or gate, nor continuously guarded, but shall be barricaded, conspicuously posted, and a clearly visible flashing light shall be activated at the area as a warning device.
NuScale [US600]                              5.7-4                                  Revision 4.0
 
DCA Part 4 Volume 2 Revision 4.0 Generic Technical Specifications NuScale Nuclear Power Plants Volume 2: Bases
 
TABLE OF CONTENTS                                                                                                      Revision B 2.0 SAFETY LIMITS (SLs)
B 2.1.1  Reactor Core Safety Limits (SLs) ............................................................................. 4.0 B 2.1.2  Reactor Coolant System (RCS) Pressure SL........................................................... 4.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY .............................. 4.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY ............................................. 4.0 B 3.1    REACTIVITY CONTROL SYSTEMS B 3.1.1      SHUTDOWN MARGIN (SDM)............................................................................ 4.0 B 3.1.2      Core Reactivity ................................................................................................... 4.0 B 3.1.3      Moderator Temperature Coefficient (MTC) ........................................................ 4.0 B 3.1.4      Rod Group Alignment Limits .............................................................................. 4.0 B 3.1.5      Shutdown Bank Insertion Limits ......................................................................... 4.0 B 3.1.6      Regulating Bank Insertion Limits ........................................................................ 4.0 B 3.1.7      Rod Position Indication ....................................................................................... 4.0 B 3.1.8      PHYSICS TEST Exceptions ............................................................................... 4.0 B 3.1.9      Boron Dilution Control ........................................................................................ 4.0 B 3.2    POWER DISTRIBUTION LIMITS B 3.2.1      Enthalpy Rise Hot Channel Factor ..................................................................... 4.0 B 3.2.2      AXIAL OFFSET (AO).......................................................................................... 4.0 B 3.3    INSTRUMENTATION B 3.3.1      MPS Instrumentation .......................................................................................... 4.0 B 3.3.2      Reactor Trip System (RTS) Logic and Actuation................................................ 4.0 B 3.3.3      Engineered Safety Features Actuation System (ESFAS) Logic and Actuation ..................................................................................................... 4.0 B 3.3.4      Manual Actuation Functions ............................................................................... 4.0 B 3.3.5      Remote Shutdown Station (RSS) ....................................................................... 4.0 B 3.4    REACTOR COOLANT SYSTEM (RCS)
B 3.4.1      RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits ............................................................................................... 4.0 B 3.4.2      RCS Minimum Temperature for Criticality .......................................................... 4.0 B 3.4.3      RCS Pressure and Temperature (P/T) Limits..................................................... 4.0 B 3.4.4      Reactor Safety Valves (RSVs) ........................................................................... 4.0 B 3.4.5      RCS Operational LEAKAGE............................................................................... 4.0 B 3.4.6      Chemical and Volume Control System (CVCS) Isolation Valves ....................... 4.0 B 3.4.7      RCS Leakage Detection Instrumentation ........................................................... 4.0 B 3.4.8      RCS Specific Activity .......................................................................................... 4.0 B 3.4.9      Steam Generator (SG) Tube Integrity ................................................................ 4.0 B 3.4.10    Low Temperature Overpressure Protection (LTOP) Valves ............................... 4.0 B 3.5    PASSIVE CORE COOLING SYSTEMS (PCCS)
B 3.5.1      Emergency Core Cooling System (ECCS) - Operating ..................................... 4.0 B 3.5.2      Decay Heat Removal System (DHRS) ............................................................... 4.0 B 3.5.3      Ultimate Heat Sink .............................................................................................. 4.0 NuScale [US600]                                      i                                                          Revision 4.0
 
TABLE OF CONTENTS                                                                                                        Revision B 3.0 LIMITING CONDITION FOR OPERATION AND SURVEILLANCE REQUIREMENTS (continued)
B 3.6    CONTAINMENT SYSTEMS B 3.6.1      Containment ....................................................................................................... 4.0 B 3.6.2      Containment Isolation Valves ............................................................................. 4.0 B 3.7    PLANT SYSTEMS B 3.7.1      Main Steam Isolation Valves (MSIVs) ................................................................ 4.0 B 3.7.2      Feedwater Isolation ............................................................................................ 4.0 B 3.7.3      In-Containment Secondary Piping Leakage ....................................................... 4.0 B 3.8    REFUELING OPERATIONS B 3.8.1      Nuclear Instrumentation ..................................................................................... 4.0 B 3.8.2      Decay Time ........................................................................................................ 4.0 NuScale [US600]                                      ii                                                          Revision 4.0
 
Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)
B 2.1.1 Reactor Core Safety Limits (SLs)
BASES BACKGROUND          GDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not to be exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having critical heat flux (CHF) design bases, which corresponds to a 95% probability at a 95% confidence level (the 95/95 CHF criterion) that CHF will not occur during the evaluated conditions, and by requiring that the fuel centerline temperature stays below the melting temperature.
The restriction of this SL prevents overheating of the fuel and cladding, as well as possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.
Multiple MCHFR limits are provided and identified by reference to the CHF correlation that the limit is based upon. The multiple correlations are used to accurately reflect the wide range of conditions that are postulated to exist during steady state operation, normal operational transients, anticipated operational occurrences, and postulated accidents.
The applicable limit that is used to evaluate conditions is described in the individual safety analyses. The NSP2 and NSP4 correlations limits are used for comparison to conditions representative of normal operating conditions, operational transients, operational occurrences, and accidents other than events that are initiated by rapid reductions in primary system inventory. The Extended Hench-Levy correlation is used to evaluate postulated conditions that analyses indicate would occur during events that postulate a rapid reduction in primary system inventory.
Fuel centerline melting occurs when the local LHR or power peaking in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.
NuScale [US600]                            B 2.1.1-1                                  Revision 4.0
 
Reactor Core SLs B 2.1.1 BASES BACKGROUND (continued)
Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of departure from nucleate boiling and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (Zirconium water) reaction may take place.
This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.
The proper functioning of the Module Protection System (MPS) and decay heat removal system prevents violation of the reactor core SLs.
APPLICABLE      The fuel cladding must not sustain damage as a result of normal SAFETY          operation and AOOs. The reactor core SLs are established to preclude ANALYSES        violation of the following fuel design criteria:
: a. There must be at least 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and
: b. The hot fuel pellet in the core must not experience centerline fuel melting.
The Module Protection System (MPS) setpoints (Ref. 2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and THERMAL POWER level that would result in a critical heat flux ratio (CHFR) of less than the CHFR limit and preclude the existence of flow instabilities.
Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the MPS and the decay heat removal system.
The SLs represent a design requirement for establishing the MPS Trip System setpoints (Ref. 2). LCO 3.4.1, RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits, or the assumed initial conditions of the safety analyses (as indicated in FSAR Chapter 15, Ref. 3) provide more restrictive limits to ensure that the SLs are not exceeded.
NuScale [US600]                        B 2.1.1-2                                  Revision 4.0
 
Reactor Core SLs B 2.1.1 BASES SAFETY LIMITS  The reactor core SLs are established to preclude violation of the following fuel design criteria:
: a. There must be at least a 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and
: b. There must be at least a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.
The reactor core SLs are used to define the various MPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).
To ensure that the MPS precludes violation of the above criteria, additional criteria are applied to the low pressurizer pressure reactor trip functions. That is, it must be demonstrated that the core exit quality is within the limits defined by the CHF correlation and that the low pressurizer pressure reactor trip protection functions continues to provide protection if core exit streams approach saturation temperature.
Appropriate functioning of the MPS ensures that for variations in THERMAL POWER, RCS Pressure, and RCS temperature the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs.
APPLICABILITY  SL 2.1.1 only applies in MODE 1 because this is the only MODE in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODE 1 to ensure operation within the reactor core SLs. The decay heat removal system and automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function which forces the unit into MODE 2. Setpoints for the reactor trip functions are described in LCO 3.3.1, Module Protection System (MPS) Instrumentation and specified in the
[owner-controlled requirements manual]. In MODES 2, 3, 4, and 5, applicability is not required since the reactor is not generating significant THERMAL POWER.
NuScale [US600]                        B 2.1.1-3                                  Revision 4.0
 
Reactor Core SLs B 2.1.1 BASES SAFETY LIMIT    The following SL violation responses are applicable to the reactor core VIOLATIONS      SLs. If SL 2.1.1 is violated, the requirement to go to MODE 2 places the unit in a MODE in which this SL is not applicable.
The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 10.
: 2. FSAR, Chapter 7.
: 3. FSAR, Chapter 15.
NuScale [US600]                      B 2.1.1-4                                Revision 4.0
 
RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs)
B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND          The SL on RCS pressure protects the integrity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, the continued integrity of the RCS is ensured. According to 10 CFR 50, Appendix A, GDC 14, Reactor Coolant Pressure Boundary, and GDC 15, Reactor Coolant System Design (Ref. 1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs).
Also, in accordance with GDC 28, Reactivity Limits (Ref. 1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.
The design pressure of the RCS is 2100 psia. During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the American Society of Mechanical Engineers (ASME) Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code, Section XI (Ref. 3).
Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases.
APPLICABLE          The reactor safety valves (RSVs), and the reactor high pressurizer SAFETY              pressure trip have settings established to ensure that the RCS pressure ANALYSES            SL will not be exceeded.
The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME, Boiler and Pressure Vessel Code, [2013 Edition], which permits a maximum pressure transient of 110%, 2310 psia, of design pressure 2100 psia. The SL of 2285 psia, as measured in the pressurizer, is equivalent to 2310 psia at the lowest elevation of the RCS.
NuScale [US600]                          B 2.1.2-1                                  Revision 4.0
 
RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSES (continued)
The RSVs are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a turbine trip at full power without bypass capability. During the transient, no control actions are assumed except that the Decay Heat Removal System valves on the secondary plant are assumed to open when the pressurizer pressure reaches the Decay Heat Removal System actuation setpoint.
The Module Protection System (MPS) setpoints provide pressure protection for normal operation and AOOs. The MPS high pressurizer pressure trip setpoint is set to provide protection against overpressurization (Ref. 4). The safety analyses for both the high pressurizer pressure trip and the RSVs are performed using conservative assumptions relative to pressure control devices.
More specifically, no credit is taken for operation of the following:
: a. Turbine Bypass System;
: b. Reactor Control System;
: c. Pressurizer Level Control System; or
: d. Pressurizer spray.
SAFETY LIMITS  The maximum transient pressure allowed in the RCS pressure vessel, piping, valves, and fittings under the ASME Code, Section III, is 110% of design pressure; therefore, the maximum allowable pressurizer pressure is 2285 psia.
APPLICABILITY  SL 2.1.2 applies in MODES 1, 2, and 3 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODES 4 and 5 since the reactor vessel is vented to the containment until the upper reactor vessel assembly is removed, following which, the reactor vessel is vented directly to the ultimate heat sink; thus, making it unlikely that the RCS can be pressurized.
NuScale [US600]                      B 2.1.2-2                                    Revision 4.0
 
RCS Pressure SL B 2.1.2 BASES SAFETY LIMIT    If the RCS pressure SL is violated when the reactor is in MODE 1 VIOLATIONS      the requirement is to restore compliance and be in MODE 2 within 1 hour.
Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for abnormal radioactive releases (Ref. 5).
The allowable Completion Time of 1 hour recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.
If the RCS pressure SL is exceeded in MODE 2 or 3, RCS pressure must be restored to within the SL value within 5 minutes. Exceeding the RCS pressure SL in MODE 2 or 3 may be more severe than exceeding this SL in MODE 1 since the reactor vessel temperature is lower and the vessel material, consequently, less ductile. As such, pressurizer pressure must be reduced to less than the SL within 5 minutes. The action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.
: 2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000,
[2013 edition]
: 3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IWA-5000, [2013 edition]
: 4. FSAR, Chapter 7.
: 5. 10 CFR 50.34.
NuScale [US600]                      B 2.1.2-3                                Revision 4.0
 
LCO Applicability B 3.0 B 3.0 LIMITING CONDITIONS FOR OPERATION (LCO) APPLICABILITY BASES LCOs              LCO 3.0.1 through LCO [3.0.7 or 3.0.8] establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.
LCO 3.0.1        LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirements for when the LCO is required to be met (i.e. when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).
LCO 3.0.2        LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that the ACTIONS Condition is entered, unless otherwise specified. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:
: a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
: b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.
There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met.
This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS). The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.
NuScale [US600]                            B 3.0-1                                Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.2 (continued)
Completing the Required Actions is not required when an LCO is met, or is no longer applicable, unless otherwise stated in the individual Specifications.
The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCOs ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits.
The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The ACTIONS for not meeting a single LCO adequately manage any increase in plant risk, provided any unusual external conditions (e.g.,
severe weather, offsite power instability) are considered. In addition, the increased risk associated with simultaneous removal of multiple structures, systems, trains or components from service is assessed and managed in accordance with 10 CFR 50.65(a)(4).
When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable.
In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.
LCO 3.0.3          LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met; and:
: a. An associated Required Action and Completion Time is not met and no other Condition applies; or
: b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.
NuScale [US600]                            B 3.0-2                                Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.3 (continued)
This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. Planned entry into LCO 3.0.3 should be avoided. If it is not practicable to avoid planned entry into LCO 3.0.3, plant risk should be assessed and managed in accordance with 10 CFR 50.65(a)(4), and the planned entry into LCO 3.0.3 should have less effect on plant safety than other practicable alternatives.
Upon entering into LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to enter lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.
A unit shutdown required in accordance with LCO 3.0.3 may be terminated, and LCO 3.0.3 exited if any of the following occurs:
: a. The LCO in now met,
: b. The LCO is no longer applicable,
: c. A Condition exists for which the Required Actions have now been performed, or
: d. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition was initially entered and not from the time LCO 3.0.3 is exited.
The time limits of LCO 3.0.3 allow 37 hours for the unit to be in MODE 3 and PASSIVELY COOLED when a shutdown is required during MODE 1 operation. If the unit is in MODE 2 when a shutdown is required, the time limit for entering MODE 3 and PASSIVE COOLING applies. If MODE 2 is entered in less time than allowed, however, the NuScale [US600]                              B 3.0-3                                    Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.3 (continued) total allowable time to enter MODE 3 and be PASSIVELY COOLED is not reduced. For example, if MODE 2 is entered in 2 hours, then the time allowed for entering MODE 3 and to establish PASSIVE COOLING is the next 35 hours, because the total time for entering MODE 3 and to be PASSIVELY COOLED is not reduced from the allowable limit of 37 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to enter a lower MODE of operation in less than the total time allowed.
The Completion Times are established considering the limited likelihood of a design basis event during the 37 hours allowed to enter MODE 3 and be PASSIVELY COOLED. They also provide adequate time to permit evaluation of conditions and restoration of OPERABILITY without challenging plant systems during a shutdown. Analysis shows that 37 hours from entry into 3.0.3 is a reasonable time to enter MODE 3 and be PASSIVELY COOLED using normal plant systems and procedures.
In MODES 1, 2, and MODE 3 when not PASSIVELY COOLED, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODE 3 when PASSIVELY COOLED, and MODES 4 and 5 because the unit is already in the most restrictive condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or MODE 3 when not PASSIVELY COOLED) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.
Exceptions to 3.0.3 are provided in instances where requiring a unit shutdown in accordance with LCO 3.0.3 would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.5.3, Ultimate Heat Sink. This Specification has an Applicability of "At all times." Therefore, this LCO can be applicable during any or all MODES. If the LCO and the Required Actions of LCO 3.5.3 are not met while in MODE 1 or 2, there is no safety benefit to be gained by placing the unit in a shutdown condition where it is dependent on the ultimate heat sink to perform its safety function to remove decay heat. The Required Action of LCO 3.5.3 for a level not within its normal upper range limits include a requirement to Suspend movement of irradiated fuel assemblies in the refueling area and to Suspend module movements which are the appropriate Required Actions to complete in lieu of the actions of LCO 3.0.3 for those NuScale [US600]                              B 3.0-4                                Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.3 (continued) conditions. The Required Action of LCO 3.5.3 at a level, temperature, or boron concentration that could limit the ability to support decay heat removal or containment flooding after a shutdown include a requirement to immediately restore the affected parameters which is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3 for that condition that could challenge the functions supported by the ultimate heat sink that are inoperable. These exceptions are addressed in the individual Specifications.
LCO 3.0.4          LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with either LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.
LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered following entry into the MODE or other specified condition in the Applicability will permit continued operation within the MODE or other specified condition for an unlimited period of time. Compliance with ACTIONS that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change.
Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made and the Required Actions followed after entry into the Applicability.
For example, LCO 3.0.4.a may be used when the Required Action to be entered states that an inoperable instrument channel must be placed in the trip condition within the Completion Time. Transition into a MODE or other specified condition in the Applicability may be made in accordance with LCO 3.0.4 and the channel is subsequently placed in the tripped condition within the Completion Time, which begins when the Applicability is entered. If the instrument channel cannot be placed in the tripped condition and the subsequent default ACTION ("Required Action and associated Completion Time not met") allows the OPERABLE train to be placed in operation, use of LCO 3.0.4.a is acceptable because the subsequent ACTIONS to be entered following entry into the MODE include ACTIONS (place the OPERABLE train in operation) that permit safe unit operation for an unlimited period of time in the MODE or other specified condition to be entered.
NuScale [US600]                              B 3.0-5                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)
LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.
The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope.
The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3.
Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE or other specified condition change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.
LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.
LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not NuScale [US600]                              B 3.0-6                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.4 (continued) provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity) and may be applied to other Specifications based on NRC unit-specific approval.
The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 not PASSIVELY COOLED to MODE 3 PASSIVELY COOLED.
Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.
Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.
NuScale [US600]                              B 3.0-7                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.5      LCO 3.0.5 establishes the allowance of restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:
: a. The OPERABILITY of the equipment being returned to service; or
: b. The OPERABILITY of other equipment.
The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO 3.0.5 should not be used in lieu of other practicable alternatives that comply with Required Actions and that do not require changing the MODE or other specified conditions in the Applicability in order to demonstrate equipment is OPERABLE. LCO 3.0.5 is not intended to be used repeatedly.
An example of demonstrating equipment is OPERABLE with the Required Actions not met is opening a manual valve that was closed to comply with Required Actions to isolate a chemical and volume control system (CVCS) flowpath with an inoperable CVCS isolation valve in order to perform testing to demonstrate that the isolation valve is now OPERABLE.
Examples of demonstrating equipment OPERABILITY include instances in which it is necessary to take an inoperable channel or trip system out of a tripped condition that was directed by a Required Action, if there is no Required Action Note for this purpose. An example of verifying OPERABILITY of equipment removed from service is taking a tripped channel out of the tripped condition to permit the logic to function and indicate the appropriate response during performance of required testing on the inoperable channel. Examples of demonstrating the OPERABILITY of other equipment are taking an inoperable channel or trip system out of the tripped condition 1) to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system, or 2) to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.
NuScale [US600]                          B 3.0-8                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.5 (continued)
The administrative controls in LCO 3.0.5 apply in all cases to systems or components in Chapter 3 of the Technical Specifications, as long as the testing could not be conducted while complying with the Required Actions. This includes the realignment or repositioning of redundant or alternate equipment or trains previously manipulated to comply with ACTIONS, as well as equipment removed from service or declared inoperable to comply with ACTIONS.
LCO 3.0.6          LCO 3.0.6 establishes an exception to LCO 3.0.2 for supported systems that have a support system LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCOs Required Actions. These Required Actions may include entering the supported systems Conditions and Required Actions or may specify other Required Actions.
When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However it is not necessary to enter into the supported systems Conditions and Required Actions unless directed to do so by the support systems Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems LCOs Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support systems Required Actions.
However, there are instances where a support systems Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.
This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support systems Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.
NuScale [US600]                            B 3.0-9                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)
Specification 5.5.8, Safety Function Determination Program (SFDP),
ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.
Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety functions exists are required to be entered.
This loss of safety function does not require the assumption of additional single failures or loss of electrical power. Since operations are being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. There are no support system LCO requirements for electrical power based on the safety related passive design.
When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic actuation capability due to inoperable instrumentation) the appropriate LCO is the LCO for the support system.
The ACTIONS for a support system LCO adequately address the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.
NuScale [US600]                            B 3.0-10                                  Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.7      There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCO 3.1.8 allows specified Technical Specification (TS) requirements to be changed to permit performance of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.
The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.
Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.
[ ------------------------------ REVIEWERS NOTE ------------------------------------
A COL applicant who wants to adopt LCO 3.0.8 must perform or reference a risk assessment for the NuScale design that has been submitted to and accepted by the NRC, and that was prepared consistent with the bounding generic risk assessment provided in TSTF-427-A, Allowance for Non-Technical Specification Barrier Degradation on Supported System OPERABILITY, Revision 2.
                ----------------------------------------------------------------------------------------------- ]
[LCO 3.0.8      LCO 3.0.8 establishes conditions under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providing their related support function(s).
Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications that support the performance of the safety function of systems described in the Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO 3.0.8 allows 30 days before declaring the supported system(s) inoperable and the LCO(s)
NuScale [US600]                              B 3.0-11                                            Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.8 (continued) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored.
However, the allowable duration may be less than the specified maximum time based on the risk assessment.
If the allowed time expires and the barriers are unable to perform their related support function(s), the supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.
This provision does not apply to barriers which support ventilation systems or to fire barriers. Ventilation system barriers and fire barriers are addressed by other regulatory requirements and associated plant programs. This provision does not apply to barriers which are not required to support system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, "Control of Hazard Barriers," dated April 2, 2001).
The provisions of LCO 3.0.8 are justified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following initiating event categories:
[ ------------------------------ REVIEWERS NOTE ------------------------------------
LCO 3.0.8 may be expanded to other initiating event categories provided plant-specific analysis demonstrates that the frequency of the additional initiating events is bounded by the generic analysis or if plant-specific approval is obtained from the NRC.
                  ------------------------------------------------------------------------------------------------]
* Loss of coolant accidents;
* High energy line breaks;
* Feedwater line breaks;
* Internal flooding;
* External flooding;
* Turbine missile ejection; and
* Tornado or high wind.
NuScale [US600]                                  B 3.0-12                                            Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)
The risk impact of the barriers which cannot perform their related support function(s) must be addressed pursuant to the risk assessment and management provision of the Maintenance Rule, 10 CFR 50.65 (a)(4), and the associated implementation guidance, Regulatory Guide 1.160, " Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 3. Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants."
This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).
[ ------------------------------ REVIEWERS NOTE ------------------------------------
Adoption of LCO 3.0.8 requires the licensee to make the following commitment:
[LICENSEE] commits to the guidance of NEI 04-08, "Allowance for Non Technical Specification Barrier Degradation on Supported System OPERABILITY (TSTF-427) Industry Implementation Guidance,"
March 2006.
                    ----------------------------------------------------------------------------------------------- ]
LCO 3.0.8 may be applied to one or more trains or subsystems of a system supported by barriers that cannot provide their related support function(s), provided that risk is assessed and managed (including consideration of the effects on Large Early Release and from external events). If applied concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting each of these trains or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO 3.0.8 may be applied for up to 30 days for more than one train of a multiple train supported system if the affected barrier for one train protects against internal flooding and the affected barrier for the other train protects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection functions for each train.
NuScale [US600]                                  B 3.0-13                                            Revision 4.0
 
LCO Applicability B 3.0 BASES LCO 3.0.8 (continued)
If during the time that LCO 3.0.8 is being used, the required OPERABLE train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24 hours. Otherwise, the train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be declared inoperable and the associated LCOs declared not met. This 24 hour period provides time to respond to emergent conditions that would otherwise likely lead to entry into LCO 3.0.3 and a rapid unit shutdown, which is not justified given the low probability of an initiating event which would require the barrier(s) not capable of performing their related support function(s). During this 24 hour period, the unit risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).]
NuScale [US600]                            B 3.0-14                                Revision 4.0
 
SR Applicability B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs              SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.
SR 3.0.2 and SR 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.
SR 3.0.1        SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification ensures that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.
Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:
: a. The systems or components are known to be inoperable, although still meeting the SRs; or
: b. The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.
Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.
Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.
NuScale [US600]                          B 3.0-15                                  Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.1 (continued)
Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met in accordance with SR 3.0.2 prior to returning equipment to OPERABLE status.
Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.
An example of this process is the calibration of the excore neutron detectors, which cannot be accomplished until the reactor power is high enough to provide representative calorimetric information and the neutron flux can be measured by the instrumentation.
SR 3.0.2            SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Actions with a Completion Time that requires the periodic performance of the Required Action on a once per interval.
SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers unit operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).
When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the Specification or incorporated by reference, is permitted.
NuScale [US600]                            B 3.0-16                                  Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.2 (continued)
The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular surveillance being performed is the verification of conformance with the SRs.
The exceptions to SR 3.0.2 are those Surveillances for which the 25%
extension of the interval specified in the Frequency does not apply.
These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Examples of where SR 3.0.2 does not apply are in the Containment Leakage Rate Testing Program required by 10 CFR 50, Appendix J, and the inservice testing of pumps and valves in accordance with applicable American Society of Mechanical Engineers Operation and Maintenance Code, as required by 10 CFR 50.55a. These programs establish testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot, in and of themselves, extend a test interval specified in the regulations directly or by reference.
As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a once per  basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.
The provisions of SR 3.0.2 are not intended to be used repeatedly to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.
SR 3.0.3            SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been performed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.
NuScale [US600]                              B 3.0-17                                Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.3 (continued)
When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been performed within the testing interval (including the allowance of SR 3.0.2 if invoked by the Section 5.5 Specification).
This delay period provides adequate time to perform Surveillances that have been missed. This delay period permits the performance of a Surveillance before complying with Required Actions or other remedial measures that might preclude performance of the Surveillance.
The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.
When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operational situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.
SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.
SR 3.0.3 is only applicable if there is a reasonable expectation the associated equipment is OPERABLE or that variables are within limits, and it is expected that the Surveillance will be met when performed.
Many factors should be considered, such as the period of time since the Surveillance was last performed, or whether the Surveillance, or a portion thereof, has ever been performed, and any other indications, tests, or activities that might support the expectation that the Surveillance will be met when performed. An example of the use of SR 3.0.3 would be a relay contact that was not tested as required in accordance with a particular SR, but previous successful performances NuScale [US600]                                B 3.0-18                                Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.3 (continued) of the SR included the relay contact; the adjacent, physically connected relay contacts were tested during the SR performance; the subject relay contact has been tested by another SR; or historical operation of the subject relay contact has been successful. It is not sufficient to infer the behavior of the associated equipment from the performance of similar equipment. The rigor of determining whether there is a reasonable expectation a Surveillance will be met when performed should increase based on the length of time since the last performance of the Surveillance. If the Surveillance has been performed recently, a review of the Surveillance history and equipment performance may be sufficient to support a reasonable expectation that the Surveillance will be met when performed. For Surveillances that have not been performed for a long period or that have never been performed, a rigorous evaluation based on objective evidence should provide a high degree of confidence that the equipment is OPERABLE. The evaluation should be documented in sufficient detail to allow a knowledgeable individual to understand the basis for the determination.
Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used repeatedly to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the unit down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 3. This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including unit shutdown.
The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine NuScale [US600]                              B 3.0-19                                Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.3 (continued) the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensees Corrective Action Program.
If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.
Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.
SR 3.0.4            SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.
This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.
A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.
However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment.
When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is NuScale [US600]                              B 3.0-20                                  Revision 4.0
 
SR Applicability B 3.0 BASES SR 3.0.4 (continued) removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.
However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.
The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 not PASSIVELY COOLED to MODE 3 PASSIVELY COOLED.
The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into a MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCOs Applicability, would have its Frequency specified such that it is not due until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs annotation is found in Section 1.4, Frequency.
NuScale [US600]                            B 3.0-21                                  Revision 4.0
 
SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)
BASES BACKGROUND        According to GDC 26 (Ref. 1) the reactivity control systems must be redundant and capable of holding the reactor core subcritical when shutdown under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.
SDM requirements provide sufficient reactivity margin to assure that specified acceptable fuel design limits (SAFDLs) will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs).
As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and regulating bank control rod assemblies (CRAs), assuming that the single CRA of highest reactivity worth is fully withdrawn.
Additionally SDM requirements provide sufficient reactivity margin to ensure that the reactor will remain shutdown at all temperatures with all control rods inserted.
The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CRAs and soluble boric acid in the Reactor Coolant System (RCS). The CRA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, following all AOOs and postulated accidents, assuming that the CRA of highest reactivity worth remains withdrawn.
The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes and maintain the reactor subcritical under cold conditions.
During power operation, SDM control is ensured by operating with the shutdown bank groups fully withdrawn and the regulating bank groups within the limits of LCO 3.1.6, Regulating Bank Insertion Limits.
When the unit is in MODES 2, 3, 4 or 5, the SDM requirements are met by means of adjustments to the RCS boron concentration and the boron requirements for the pool, LCO 3.5.3, "Ultimate Heat Sink" and CRA controls.
NuScale [US600]                          B 3.1.1-1                              Revision 4.0
 
SDM B 3.1.1 BASES APPLICABLE      The minimum required SDM is assumed as an initial condition in SAFETY          safety analyses. The safety analyses (Ref. 2) establish a SDM that ANALYSES        ensures that SAFDLs are not exceeded for normal operation and AOOs, with the assumption of the highest worth CRA stuck out on scram. For MODES 2 and 3, the primary safety analysis that relies on the SDM limits is the boron dilution analysis.
The acceptance criteria for the SDM requirements are that SAFDLs are maintained. This is done by ensuring that:
: a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
: b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and
: c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.
The SDM requirement also protects against:
: a. Inadvertent boron dilution;
: b. An uncontrolled CRA withdrawal from subcritical or low power condition; and
: c. CRA ejection.
Each of these events is discussed below.
In the boron dilution analysis, the required SDM defines the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. These values, in conjunction with the configuration of the RCS and the assumed dilution flow rate, directly affect the results of the analysis. This event is most limiting at the beginning of core life, when critical boron concentrations are highest.
Depending on the system initial conditions and reactivity insertion rate, the uncontrolled CRA withdrawal transient is terminated by either a decade per minute trip, high power trip or a high pressurizer pressure trip. In all cases, power level, RCS pressure, linear heat rate, and the CHFR do not exceed allowable limits.
NuScale [US600]                        B 3.1.1-2                                  Revision 4.0
 
SDM B 3.1.1 BASES APPLICABLE SAFETY ANALYSES (continued)
SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed from the main control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.
LCO            SDM is a core design condition that can be ensured during operation through CRA positioning (regulating and shutdown banks) and through the soluble boron concentration.
APPLICABILITY  In MODE 1 with keff  1.0, SDM requirements are ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Regulating Bank Insertion Limits."
In MODE 1 with keff < 1.0 and in MODES 2, 3, and 4, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above.
In MODE 5 the shutdown reactivity requirements are given in LCO 3.5.3, "Ultimate Heat Sink.
ACTIONS        A.1 If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.
In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a concentrated solution. The operator should begin boration with the best source available for the plant conditions.
NuScale [US600]                          B 3.1.1-3                              Revision 4.0
 
SDM B 3.1.1 BASES SURVEILLANCE    SR 3.1.1.1 REQUIREMENTS In MODE 1 with keff  1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a CRA is known to be untrippable, however, SDM verification must account for the worth of the untrippable CRA as well as another CRA of maximum worth.
In MODE 1 with keff < 1.0, and in MODES 2, 3, and 4, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:
: a. RCS boron concentration;
: b. CRA position;
: c. RCS average temperature;
: d. Fuel burnup based on gross thermal energy generation;
: e. Xenon concentration;
: f. Samarium concentration; and
: g. Isothermal Temperature Coefficient (ITC).
Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical and the fuel temperature will be changing at the same rate as the RCS.
SR 3.1.1.1 is modified by a Note that indicates the surveillance is not required to be performed in MODE 4. In MODE 4 Table 1.1-1, MODES requires the module to be isolated from control systems and process lines that could change the SDM. Verification that the SDM will be met in MODE 4 is required before entry from MODE 5, and before entry from MODE 3 in accordance with SR 3.0.4.
During module movement instrumentation is not available to measure variables that could affect the SDM. Therefore reactivity calculations performed to verify the SDM conservatively account for passive phenomena that may occur such as temperature changes and Xenon decay, effects that may occur and affect reactivity during MODE 4 conditions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                        B 3.1.1-4                              Revision 4.0
 
SDM B 3.1.1 BASES REFERENCES      1. 10 CFR 50, Appendix A, GDC 26.
: 2. FSAR, Chapter 15.
NuScale [US600]                  B 3.1.1-5      Revision 4.0
 
Core Reactivity B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Core Reactivity BASES BACKGROUND          According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control rod assembly (CRA) worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, SHUTDOWN MARGIN (SDM))
in ensuring the reactor can be brought safely to cold, subcritical conditions.
When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance since parameters are being maintained relatively stable under steady-state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as rod height, temperature, pressure, and power), provides a convenient method of ensuring that core reactivity is within design expectations, and that the calculation models used to generate the safety analysis are adequate.
In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical the excess positive reactivity is compensated by NuScale [US600]                              B 3.1.2-1                              Revision 4.0
 
Core Reactivity B 3.1.2 BASES BACKGROUND (continued) burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.
When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.
APPLICABLE      The acceptance criteria for core reactivity are that the reactivity SAFETY          balance limit ensures plant operation is maintained within the ANALYSES        assumptions of the safety analyses.
Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Accident evaluations (Ref. 2) are, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as CRA withdrawal accidents or CRA ejection accidents, are sensitive to accurate predictions of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks.
Monitoring reactivity balance provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity.
Design calculations and safety analysis are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.
The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration.
NuScale [US600]                        B 3.1.2-2                                Revision 4.0
 
Core Reactivity B 3.1.2 BASES APPLICABLE SAFETY ANALYSES (continued)
Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.
The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the CRAs in their normal positions for power operation. The normalization is performed at BOC conditions so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.
Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed.
During operation, therefore, the Conditions of the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected. A limit on the reactivity balance of +/- 1% k/k has been established based on engineering judgment and operating experience. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.
When measured core reactivity is within 1% k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.
NuScale [US600]                        B 3.1.2-3                                Revision 4.0
 
Core Reactivity B 3.1.2 BASES APPLICABILITY  The limits on core reactivity must be maintained during MODE 1 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This specification does not apply in MODES 2, 3, and 4 because the reactor is shut down and the reactivity balance is not changing.
In MODE 5, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.5.3, Ultimate Heat Sink and CRA limits) ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CRA replacement).
NuScale will rely on CRAs for part of the shutdown requirement during refueling activities; as described in the COLR.
ACTIONS        A.1 and A.2 Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.
Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the reactor core is NuScale [US600]                        B 3.1.2-4                                Revision 4.0
 
Core Reactivity B 3.1.2 BASES ACTIONS (continued) acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.
The required Completion Time of 7 days is adequate for preparing and implementing whatever operating restrictions that may be required to allow continued reactor operation.
B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. If the SDM for MODE 2 is not met, then boration may be required to meet SR 3.1.1.1 prior to entry into MODE 2. The allowed Completion Time is reasonable, for reaching MODE 2 from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.1.2.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made considering that other core conditions are fixed or stable, including CRA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to exceeding 5% RTP as an initial check on core conditions and design calculations at BOC. The Surveillance is performed again prior to exceeding 60 effective full power days (EFPDs) to confirm the core reactivity is responding to reactivity predictions and then periodically thereafter during the operating cycle in accordance with the Surveillance Frequency Control Program. The SR is modified by a Note indicating that the predicted core reactivity may be adjusted to the measured value provided this normalization is performed prior to exceeding a fuel burnup of 60 EFPDs. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations.
The subsequent Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.1.2-5                                Revision 4.0
 
Core Reactivity B 3.1.2 BASES REFERENCES      1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
: 2. FSAR, Chapter 15.
NuScale [US600]                  B 3.1.2-6                          Revision 4.0
 
MTC B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Moderator Temperature Coefficient (MTC)
BASES BACKGROUND          According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.
The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a non-positive MTC during the majority of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self-limiting, and stable power operation will result. There are times at the beginning of cycle and at less than normal operating temperature the MTC may be slightly positive.
MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the MTC is less than zero when reactor power is at RTP. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons (burnable absorbers) to yield an MTC within the range analyzed in the plant accident analysis.
The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.
The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the FSAR accident and transient analyses (Ref. 2).
If the LCO limits are not met, the unit response during transients may not be as predicted. The core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.
NuScale [US600]                              B 3.1.3-1                                Revision 4.0
 
MTC B 3.1.3 BASES BACKGROUND (continued)
The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits since this coefficient changes slowly, due principally to the RCS boron concentration associated with fuel burnup and burnable absorbers.
APPLICABLE      The acceptance criteria for the specified MTC are:
SAFETY ANALYSES        a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and
: b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.
FSAR Chapter 15 (Ref. 2) contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the least negative value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 2).
Accidents that cause core overheating, either by decreased heat removal or increased power production, must be evaluated for results when the MTC is least negative. Reactivity accidents that cause increased power production include the control rod assembly (CRA) withdrawal transient from either zero or full power. The limiting overheating event relative to unit response is based on the maximum difference between core power and steam generator heat removal during a transient. The most limiting event with respect to a positive MTC is a CRA withdrawal accident from zero power, also referred to as a startup accident (Ref. 2).
Accidents that cause core overcooling must be evaluated for results when the MTC is most negative. The event that produces the most rapid cooldown of the RCS, and is therefore the most limiting event with respect to the negative MTC, is a steam line break (SLB) event.
Following the reactor trip for the postulated EOC SLB event, the large moderator temperature reduction combined with the large negative MTC may produce reactivity increases that are as much as the shutdown reactivity. When this occurs, a substantial fraction of core power is produced with all CRAs inserted, except the most reactive NuScale [US600]                          B 3.1.3-2                                Revision 4.0
 
MTC B 3.1.3 BASES APPLICABLE SAFETY ANALYSES (continued) one, which is assumed withdrawn. Even if the reactivity increase produces slightly subcritical conditions, a large fraction of core power may be produced through the effects of subcritical neutron multiplication.
MTC values are bounded in reload safety evaluations assuming steady state conditions at core beginning of cycle (BOC) and EOC. A measurement is conducted two-thirds of the core operating cycle; when the RCS boron concentration reaches approximately 300 ppm.
The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.
MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation. The limit on a least negative MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The most negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions.
MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed.
During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks of MTC at BOC and near two-thirds of core burnup provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.
APPLICABILITY  In MODE 1, the upper limit on the MTC must be maintained to ensure that any accident will not violate the design assumptions of the accident analysis. The limits must also be maintained to ensure startup and subcritical accidents, such as the uncontrolled CRA withdrawal, will not violate the assumptions of the accident analysis.
The lower MTC limit must be maintained in MODES 1 and 2 and MODE 3 with any RCS temperature  200 &deg;F, to ensure that cooldown accidents will not violate the assumptions of the accident analysis.
NuScale [US600]                        B 3.1.3-3                                  Revision 4.0
 
MTC B 3.1.3 BASES APPLICABILITY (continued)
In MODE 3 with all RCS temperatures < 200 &deg;F and in MODES 4 and 5, this LCO is not applicable because no Design Basis Accidents (DBAs) using the MTC as an analysis assumption are initiated from these conditions.
ACTIONS          A.1 MTC is a function of the fuel and fuel cycle designs, and cannot be controlled directly once the designs have been implemented in the core. If MTC exceeds its limits, the reactor must be placed in MODE 2.
This eliminates the potential for violation of the accident analysis bounds. The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require an MTC value within the LCO limits, and the time for reaching MODE 2 from full power conditions in an orderly manner.
B.1 Operating outside the lower MTC limit means the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unit must be placed in a MODE or condition in which the LCO requirements are not applicable. In addition to Required Action A.1, Required Action B.1 also requires the unit to be in MODE 3 with all RCS temperatures < 200 &deg;F within 48 hours.
The allowed Completion Time is a reasonable time based on the activities needed to reach the required MODE from full power operation in an orderly manner.
SURVEILLANCE      SR 3.1.3.1 and SR 3.1.3.2 REQUIREMENTS The SRs for measurement of the MTC at the beginning and two-thirds of each fuel cycle provide for confirmation of the limiting MTC values.
The MTC changes smoothly from least negative to most negative value during fuel cycle operation, as the RCS boron concentration is reduced to compensate for fuel depletion.
The requirement for measurement prior to operation > 5% RTP satisfies the confirmatory check on the upper MTC value.
NuScale [US600]                          B 3.1.3-4                                Revision 4.0
 
MTC B 3.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)
The requirement for measurement, within 7 effective full power days (EFPDs) after reaching a core burnup of 40 EFPDs from core beginning of cycle (BOC) and again within 7 EFPDs after reaching two-thirds 2/3 core burnup from core BOC, satisfies the confirmatory check of the lower MTC value. The measurement is performed at any power level so that the projected EOC MTC may be evaluated before the reactor actually reaches the EOC condition. MTC values may be extrapolated and compensated to permit direct comparison to the specified MTC limits.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 11.
: 2. FSAR, Chapter 15.
NuScale [US600]                        B 3.1.3-5                              Revision 4.0
 
Rod Group Alignment Limits B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Rod Group Alignment Limits BASES BACKGROUND          The OPERABILITY (i.e., trippability) of the shutdown and regulating control rod assemblies (CRAs) is an initial assumption in all safety analyses that assume CRA insertion upon reactor trip. Maximum CRA misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available shutdown margin (SDM).
The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, Reactor Design, and GDC 26, Reactivity Control System Redundancy and Capability (Ref. 1), and 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants (Ref. 2).
Mechanical or electrical failures may cause a CRA to become inoperable or to become misaligned from its group. CRA inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CRA worth for reactor shutdown. Therefore, CRA alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.
Sixteen CRAs are arranged in four symmetrical groups. There are two shutdown bank groups of four CRAs each and two regulating bank groups of four CRAs each.
Limits on CRA alignment and OPERABILITY have been established, and CRA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.
CRAs are moved by their control rod drive mechanisms (CRDMs).
Each CRDM moves its CRA one step (approximately 3/8 inch) at a time.
The CRAs are arranged into groups that are radially symmetric.
Therefore, movement of the CRAs by group does not introduce radial asymmetries in the core power distribution. The shutdown and regulating CRAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. The regulating bank CRAs also provide power level control during normal operation and transients.
NuScale [US600]                          B 3.1.4-1                                  Revision 4.0
 
Rod Group Alignment Limits B 3.1.4 BASES BACKGROUND (continued)
Their movement may be automatically controlled by the reactivity control systems.
The axial position of shutdown and regulating group CRAs is indicated by two separate and independent rod position indication systems.
APPLICABLE      CRA misalignment accidents are analyzed in the safety analysis SAFETY          (Ref. 3). The accident analysis defines CRA misoperation as any event ANALYSES        with the single failure of a safety-related component and multiple failures of non-safety related controls. The acceptance criteria for addressing CRA inoperability or misalignment are that:
: a. With the most reactive CRA stuck out of the core there will be no violations of either:
: 1. Specified acceptable fuel design limits (SAFDLs); or
: 2. Reactor Coolant System (RCS) pressure boundary integrity; and
: b. The core must remain subcritical after design basis events with all CRAs fully inserted.
Accident and transient analyses associated with CRA misalignment, static and dynamic, account for misalignment of 6 steps at the initiation of the event. The results of the CRA misoperation analysis show that during the most limiting misoperation events, no violations of the SAFDLs, or the SLs on critical heat flux ratio, fuel centerline temperature, or pressurizer pressure occur.
CRA alignment limits and OPERABILITY requirements satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
NuScale [US600]                          B 3.1.4-2                              Revision 4.0
 
Rod Group Alignment Limits B 3.1.4 BASES LCO            The limits on shutdown and regulating CRA alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on CRA OPERABILITY ensure that upon reactor trip, the CRAs will be available and will be inserted to provide enough negative reactivity to shut down the reactor. The CRA OPERABILITY requirements (i.e.,
trippability) are separate from alignment requirements which ensure that the CRA groups maintain the correct power distribution and CRA alignment. The CRA OPERABILITY requirement is satisfied provided the CRA will fully insert in the required CRA drop time assumed in the safety analysis. CRA control malfunctions that result in the inability to move a CRA (e.g., CRA rod lift coil failures), but do not impact trippability, do not result in CRA inoperability.
The requirement is to maintain the CRA alignment to within 6 steps between any CRA and its group position. Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, or unacceptable SDMs, both of which may constitute initial conditions inconsistent with the safety analysis.
APPLICABILITY  The requirements on CRA OPERABILITY and alignment are applicable in MODE 1 because this is the only MODE in which neutron (or fission) power is generated, and the OPERABILITY (i.e.,
trippability) and alignment of CRAs have the potential to affect the safety of the unit. In MODES 2, 3, 4, and 5, the alignment limits do not apply because the CRAs are bottomed, and the reactor is shut down and not producing fission power. In the shutdown Modes, the OPERABILITY of the shutdown and regulating CRAs has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, SHUTDOWN MARGIN (SDM), for SDM in MODE 1 with keff < 1.0, MODES 2, 3, and 4 and LCO 3.5.3, "Ultimate Heat Sink" in MODE 5,"
for boron concentration requirements during refueling.
ACTIONS        A.1.1 and A.1.2 When one or more CRAs are inoperable (i.e. untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered.
When a CRA(s) becomes misaligned, it can usually be moved and is still trippable. If the CRA can be realigned within the Completion Time of 1 hour, local xenon redistribution during this short interval will not be NuScale [US600]                          B 3.1.4-3                                Revision 4.0
 
Rod Group Alignment Limits B 3.1.4 BASES ACTIONS (continued) significant, and operation may proceed without further restriction. An alternative to realigning a single misaligned CRA to the group average position is to align the remainder of the group to the position of the misaligned CRA. However, this must be done without violating the group sequence, overlap, and insertion limits specified in LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Regulating Bank Insertion Limits." The Completion Time of 1 hour is adequate for determining SDM and, if necessary, for initiating boration and restoring SDM.
In this situation, SDM verification must include the worth of any untrippable CRA, in addition to the CRA of maximum worth.
A.2 When Required Action cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours, which obviates concerns about the development of undesirable xenon and power distributions. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 2 from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.1.4.1 REQUIREMENTS Verification that the position of individual rods is within alignment limits allows the operator to detect that a rod is beginning to deviate from its expected position.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The SR is modified by a Note that permits it not to be performed for rods associated with an inoperable rod position indicator. The alignment limit is based on rod position indicator which is not available if the indicator is inoperable. LCO 3.1.7, Rod Position Indication, provides Actions to verify the rods are in alignment when one or more rod position indicators are inoperable.
NuScale [US600]                          B 3.1.4-4                                Revision 4.0
 
Rod Group Alignment Limits B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.1.4.2 Verifying each CRA is OPERABLE would require that each CRA be tripped. In MODE 1 tripping each full length CRA would result in radial or axial power tilts, or oscillations. Exercising each individual CRA provides increased confidence that all CRAs continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each control rod by 4 steps will not cause significant radial or axial power tilts, or oscillations, to occur.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Between required performances of SR 3.1.4.2, if a CRA(s) is discovered to be immovable, but remains trippable, the CRA(s) is considered to be OPERABLE. At any time, if a CRA(s) is immovable, a determination of the trippability of the CRA(s) must be made, and appropriate action taken.
SR 3.1.4.3 Verification of CRA drop times determines that the maximum CRA drop time permitted is consistent with the assumed drop time used in the safety analysis (Ref. 3). Measuring drop times prior to reactor criticality, after removal of the upper reactor pressure vessel section, ensures the reactor internals and CRDM will not interfere with CRA motion or drop time, and that no degradation in these systems has occurred that would adversely affect CRA motion or drop time.
Individual CRAs whose drop times are greater than safety analysis assumptions are not OPERABLE.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
: 2. 10 CFR 50.46.
: 3. FSAR, Chapter 15.
NuScale [US600]                        B 3.1.4-5                                  Revision 4.0
 
Shutdown Bank Insertion Limits B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Shutdown Bank Insertion Limits BASES BACKGROUND        The insertion limits of the shutdown bank control rod assemblies (CRAs) are initial assumptions in all safety analyses that assume shutdown bank CRA insertion upon reactor trip. The insertion limits directly affect core power distributions and assumptions of available shutdown margin (SDM), ejected CRA worth, and initial reactivity insertion rate.
The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on shutdown bank CRA insertion have been established, and all shutdown bank CRA positions are monitored and controlled during power operation to ensure that the reactivity limits, ejected CRA worth, and SDM limits are preserved.
The 16 CRAs are divided among the two regulating bank groups and two shutdown bank groups, with each group consisting of four CRAs in radially symmetric core locations. The shutdown bank CRAs are normally moved together as a group. Therefore, movement of a group of shutdown bank CRAs does not introduce radial asymmetries in the core power distribution. The shutdown bank and regulating bank CRAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip.
The design calculations are performed with the assumption that CRAs of the shutdown bank are withdrawn prior to the CRAs in the regulating bank. The CRAs of the shutdown bank can be fully withdrawn without the core going critical. This provides available negative reactivity for SDM in the event of unintended reduction of the RCS boron concentration. The shutdown bank CRAs are controlled manually by the control room operator. During normal unit operation, the shutdown bank CRAs are fully withdrawn. The shutdown bank CRAs must be completely withdrawn from the core prior to withdrawing regulating bank CRAs during an approach to criticality.
The shutdown bank CRAs are then left in the fully withdrawn position until the reactor is shut down. The eight CRAs of the shutdown bank add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.
NuScale [US600]                          B 3.1.5-1                                Revision 4.0
 
Shutdown Bank Insertion Limits B 3.1.5 BASES APPLICABLE      On a reactor trip, all CRAs (eight CRAs in two shutdown bank groups SAFETY          and eight CRAs in two regulating bank groups), except the most ANALYSES        reactive CRA, are assumed to insert into the core. The shutdown bank and regulating bank CRAs shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The regulating bank CRAs may be partially inserted in the core as allowed by LCO 3.1.6, "Regulating Bank Insertion Limits." The shutdown and regulating bank insertion limits are established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of regulating and shutdown bank CRAs (less the most reactive CRA, which is assumed to be fully withdrawn) are sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The CRA shutdown bank insertion limits also ensure that the reactivity worth of an ejected shutdown CRA is within safety analysis assumptions.
The acceptance criteria for addressing CRA shutdown bank and regulating bank insertion limits and CRA inoperability or misalignment are that:
: a. With the most reactive CRA stuck out there will be no violation of either:
: 1. Specified acceptable fuel design limits; or
: 2. Reactor Coolant System pressure boundary integrity; and
: b. The core remains subcritical after design basis events with all CRAs fully inserted.
The CRA shutdown bank insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            The CRA shutdown bank must be within insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.
The CRA shutdown bank insertion limits are specified in the COLR.
NuScale [US600]                        B 3.1.5-2                                  Revision 4.0
 
Shutdown Bank Insertion Limits B 3.1.5 BASES APPLICABILITY  The CRA shutdown bank must be within insertion limits, with the reactor in MODE 1. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. In MODE 2, 3, 4 the shutdown bank CRAs are fully inserted in the core and contribute to the SDM.
Refer to LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM requirements in MODES 2, 3, and 4. LCO 3.5.3, "Ultimate Heat Sink,"
ensures adequate SDM in MODES 4 and 5.
The Applicability is modified by a Note indicating the LCO requirement is not applicable while performing SR 3.1.4.2. This Note permits exceeding the CRA shutdown bank insertion limits while inserting each CRA in the bank in accordance with SR 3.1.4.2. This Surveillance verifies the freedom of the CRAs to move, and may require a shutdown bank group to move below the insertion limits specified in the COLR, which would normally violate the LCO. This Note applies to each CRA shutdown bank group as the group is moved below the insertion limit to perform the Surveillance. This Note is not applicable should a malfunction stop performance of the Surveillance. Note that the CRA group alignment limits of LCO 3.1.4 remain applicable to the CRAs in the shutdown bank group being exercised while performing this Surveillance.
ACTIONS        A.1.1, A.1.2, and A.2 When one or more CRA shutdown bank groups is not within insertion limits, 2 hours are allowed to restore the CRA shutdown bank groups to within insertion limits. This is necessary because the available SDM may be significantly reduced with CRA shutdown bank groups not within their insertion limits. Also, verification of the SDM or initiation of boration within 1 hour is required, since the SDM in MODE 1 is continuously monitored and adhered to, in part, by the CRA regulating and shutdown bank insertion limits (see LCO 3.1.1).
The allowed Completion Time of 2 hours provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain in an unacceptable condition for an extended period of time.
B.1 If the CRA shutdown bank groups cannot be restored to within their insertion limits within two hours, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours is reasonable for reaching the required MODE from full power conditions in an orderly manner.
NuScale [US600]                        B 3.1.5-3                                  Revision 4.0
 
Shutdown Bank Insertion Limits B 3.1.5 BASES SURVEILLANCE    SR 3.1.5.1 REQUIREMENTS Verification that the CRAs of each shutdown bank group are within insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown bank groups will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the CRA shutdown bank groups are withdrawn before the CRA regulating bank groups are withdrawn during a unit startup.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
: 2. 10 CFR 50.46.
: 3. FSAR, Chapter 15.
NuScale [US600]                          B 3.1.5-4                                Revision 4.0
 
Regulating Bank Insertion Limits B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Regulating Bank Insertion Limits BASES BACKGROUND          The insertion limits of the regulating bank control rod assemblies (CRAs) are initial assumptions in the safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions, assumptions of available SDM, and initial reactivity insertion rate.
The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, Reactor Design, GDC 26, Reactivity Control System Redundancy and Protection, GDC 28, Reactivity Limits (Ref. 1) and 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors (Ref. 2). Limits on CRA regulating bank group insertion have been established, and all regulating bank group CRA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CRA worth, and SDM limits are preserved.
The 16 CRAs are divided among two regulating bank groups and two shutdown bank groups, with each group consisting of four CRAs in radially symmetric core locations. The regulating bank consists of two groups of four CRAs that are electrically paralleled to step simultaneously. See LCO 3.1.4, Rod Group Alignment Limits, for regulating and shutdown CRA OPERABILITY and alignment requirements, and LCO 3.1.7, Rod Position Indication, for CRA position indication requirements.
The regulating bank group insertion limits are specified in the COLR.
Each CRA of a regulating bank group is required to be at or above its regulating bank group insertion limits, as well as within its CRA group alignment limits.
The CRA regulating bank groups are used for precise reactivity control of the reactor. The positions of the CRAs in a regulating bank group are normally controlled automatically by the Module Control System (MCS) together as a group of four CRAs; a regulating bank groups CRAs can also be manually controlled both individually and as a group. The CRA regulating bank groups are capable of changing core reactivity very quickly (compared to borating or diluting).
NuScale [US600]                              B 3.1.6-1                                Revision 4.0
 
Regulating Bank Insertion Limits B 3.1.6 BASES BACKGROUND (continued)
The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.1.4, Rod Group Alignment Limits, LCO 3.1.5, Shutdown Bank Insertion Limits, LCO 3.1.6, Regulating Bank Insertion Limits, LCO 3.2.1, Enthalpy Rise Hot Channel Factor (FH), and LCO 3.2.2, AXIAL OFFSET (AO) provide limits on control component operation and on monitored process variables which ensure that the core operates within the fuel design criteria.
The shutdown and regulating bank insertion and alignment limits and power distribution limits are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the regulating bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and regulating bank insertion limits assure the required SDM is maintained.
Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a loss of coolant accident (LOCA), loss of flow, ejected CRA, or other accident requiring termination by a Reactor Trip System (RTS) trip function.
APPLICABLE      The regulating bank insertion limits, FH, and AO LCOs are required to SAFETY          prevent power distributions that could result in fuel cladding failures in ANALYSES        the event of a LOCA, loss of flow, ejected CRA, or other accident requiring termination by an RTS trip function.
The acceptance criteria for addressing shutdown and regulating bank group insertion limits and inoperability or misalignment are that:
: a. With the most reactive CRA stuck out there will be no violations of either:
: 1. specified acceptable fuel design limits; or
: 2. Reactor Coolant System (RCS) pressure boundary integrity; and
: b. The core remains subcritical after design basis events with all CRAs fully inserted.
NuScale [US600]                        B 3.1.6-2                                Revision 4.0
 
Regulating Bank Insertion Limits B 3.1.6 BASES APPLICABLE SAFETY ANALYSES (continued)
As such, the CRA shutdown and regulating bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref. 3).
The SDM requirement is ensured by limiting the shutdown and regulating bank insertion limits so that allowable inserted worth of the CRAs is such that sufficient reactivity is available in the CRAs to shut down the reactor to hot zero power with a reactivity margin which assumes the maximum worth CRA remains fully withdrawn upon trip (Ref. 3).
Operation at the insertion limits or AO limits may approach the maximum allowable linear heat generation rate or peaking factor.
Operation at the insertion limit may also indicate the maximum ejected CRA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected CRA worth.
The shutdown and regulating bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 3).
The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) in that they are initial conditions assumed in the safety analysis.
LCO            The limits on regulating bank physical insertion as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CRA worth is maintained, and ensuring adequate negative reactivity insertion is available on trip.
APPLICABILITY  The regulating bank physical insertion limits shall be maintained with the reactor in MODE 1 when keff is  1.0. These limits must be maintained since they preserve the assumed power distribution, ejected CRA worth, SDM, and reactivity insertion rate assumptions.
Applicability in MODE 1 with keff < 1.0, and MODES 2, 3, 4, and 5 is not required, since neither the power distribution nor ejected CRA worth assumptions would be exceeded in these MODES.
The Applicability is modified by a Note indicating the LCO requirement is not applicable to CRA groups being inserted while performing SR 3.1.4.2. This SR verifies the freedom of the CRAs to move, and may require the regulating bank group to move below the LCO limits, NuScale [US600]                        B 3.1.6-3                                Revision 4.0
 
Regulating Bank Insertion Limits B 3.1.6 BASES APPLICABILITY (continued) which would normally violate the LCO. This Note applies to each regulating bank group as it is moved below the insertion limit to perform the SR. This Note is not applicable should a malfunction stop performance of the SR.
ACTIONS          A.1.1, A.1.2, and A.2 When one or more regulating bank groups is not within insertion limits, they must be restored to within those limits. This restoration can occur in two ways:
: a. Reduce power to be consistent with CRA regulating bank group positions; or
: b. Moving CRA regulating bank groups to be consistent with power.
Also, verification of SDM or initiation of boration to regain SDM is required within 1 hour, since the SDM in MODE 1 with keff  1.0 is normally ensured by adhering to the regulating and shutdown bank insertion limits (see LCO 3.1.1, "Shutdown Margin (SDM)) has been upset.
The allowed Completion Time of 2 hours for restoring the regulating bank groups to within insertion limits, provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain outside the insertion limits for an extended period of time.
B.1 If the CRA regulating bank groups cannot be restored to within their insertion limits within two hours, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours is reasonable for reaching the required MODE from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.1.6.1 REQUIREMENTS Verification of the regulating bank insertion limits is sufficient to detect regulating bank groups that may be approaching the insertion limits.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.1.6-4                                  Revision 4.0
 
Regulating Bank Insertion Limits B 3.1.6 BASES REFERENCES      1. 10 CFR 50, Appendix A, GDC 10, GDC 26, and GDC 28.
: 2. 10 CFR 50.46.
: 3. FSAR, Chapter 15.
NuScale [US600]                  B 3.1.6-5                            Revision 4.0
 
Rod Position Indication B 3.1.7 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Rod Position Indication BASES BACKGROUND          According to GDC 13 (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences (AOOs), and accident conditions must be OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the control rod position indicators to determine control rod positions and thereby ensure compliance with the control rod alignment and power-dependent insertion limits (PDIL).
The OPERABILITY, including position indication, of the shutdown and regulating bank control rod assemblies (CRAs) is an initial assumption in the safety analyses that assume CRA insertion upon reactor trip.
Maximum CRA misalignment is an initial assumption in the CRA misalignment safety analysis that directly affects core power distributions and assumptions of available shutdown margin (SDM).
CRA position indication is required to assess OPERABILITY and misalignment.
Mechanical or electrical failures may cause a CRA to become inoperable or to become misaligned from its group. CRA inoperability or misalignment may cause increased power peaking due to the asymmetric reactivity distribution and a reduction in the total available CRA worth for reactor shutdown. Therefore, CRA alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.
Limits on CRA alignment and OPERABILITY have been established, and CRA positions are monitored and controlled during power operation to aid compliance with the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.
Sixteen CRAs are arranged in four symmetrical groups. Two shutdown bank groups of four CRAs each, and two regulating bank groups of four CRAs each.
CRAs are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms (CRDMs).
The CRAs are divided among the regulating bank groups and shutdown bank groups.
NuScale [US600]                              B 3.1.7-1                                Revision 4.0
 
Rod Position Indication B 3.1.7 BASES BACKGROUND (continued)
The axial position of shutdown bank CRAs and regulating bank CRAs are determined by two separate and independent means: the Counter Position Indicators (CPIs) (commonly called bank step counters) and the Rod Position Indicators (RPIs).
The CPI counts the commands sent to the CRDM gripper coils from the Control Rod Drive System (CRDS) that moves the CRAs. There is one step counter for each CRDM. The CRA CPI is considered highly precise (+/- 1 step or +/- {3/8} inch). If a CRA does not move one step for each command signal, the step counter will still count the command and incorrectly reflect the position of the CRA.
The RPI function of the CRDS provides a highly accurate indication of actual CRA position, but at a lower precision than the step counters.
This system is based on inductive analog signals from a series of coils spaced along a hollow tube with a center to center distance of 1.125 inches, which is equivalent to 3 steps. To increase the reliability of the RPI system, the inductive coils of a CRA's two RPI channels are alternately connected to two separate data systems. Each RPI channel is associated with just one of the data systems. Thus, if one system fails, the RPI will go on half accuracy with an effective coil spacing of 2.25 inches, which is 6 steps. Therefore, the normal indication accuracy of the RPIs is +/- 3 steps (+/- 1.125 inches), and the accuracy with one channel of RPI out-of-service is +/- 6 steps
(+/- 2.25 inches).
APPLICABLE      The regulating and shutdown bank groups CRA position accuracy is SAFETY          essential during power operation. Power peaking, ejected CRA worth, ANALYSES        or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2), with regulating or shutdown bank CRAs operating outside their limits undetected. Therefore, the acceptance criteria for CRA position indication is that CRA positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected CRA worth, and within minimum SDM (LCO 3.1.5, Shutdown Bank Insertion Limits, LCO 3.1.6, Regulating Bank Insertion Limits). The CRA positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, Rod Group Alignment Limits). CRA positions are continuously monitored to provide operators with information that assures the unit is operating within the bounds of the accident analysis assumptions.
NuScale [US600]                        B 3.1.7-2                              Revision 4.0
 
Rod Position Indication B 3.1.7 BASES APPLICABLE SAFETY ANALYSES (continued)
The CRA position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indicators monitor CRA position, which is an initial condition of the accident.
LCO            LCO 3.1.7 specifies that the RPIs and the CPI be OPERABLE for each CRA. For the CRA position indicators to be OPERABLE requires meeting the SR of the LCO and the following:
: a. The RPI indicates within 6 steps of the CRA counter position indicator as required by LCO 3.1.4, Rod Group Alignment Limits;
: b. For the RPIs there are no failed coils; and
: c. The CPI has been calibrated either in the fully inserted position or to the RPI System.
The 6 step agreement limit between the RPIs and the CPI indicates that the RPI is adequately calibrated and can be used for indication of the measurement of CRA position.
A deviation of less than the allowable limit given in LCO 3.1.4 in position indication for a single CRA ensures high confidence that the position uncertainty of the corresponding CRA group is within the assumed values used in the analysis (that specified CRA bank insertion limits).
These requirements provide adequate assurance that CRA position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.
OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned CRAs can be detected.
Therefore, power peaking, ejected CRA worth, and SDM can be controlled within acceptable limits.
APPLICABILITY  The requirements on the RPI and step counters are only applicable in MODE 1 (consistent with LCOs 3.1.4, 3.1.5, and 3.1.6), because this is the only MODE in which power is generated, and the OPERABILITY and alignment of CRAs has the potential to affect the safety of the unit.
In the shutdown MODES, the OPERABILITY of the shutdown and regulating banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System (RCS).
NuScale [US600]                        B 3.1.7-3                                Revision 4.0
 
Rod Position Indication B 3.1.7 BASES ACTIONS        The ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each CPI and each RPI indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.
A.1 When one channel of RPI sensors per CRDM fails, the position of the CRA can still be determined by use of the in-core instrumentation system. Normal power operation does not require excessive movement of groups. If a group has been significantly moved, the Actions of B.1 or B.2 below are required. Therefore, verification of CRA position within the Completion Time of 8 hours is adequate to allow continued full power operation, since the probability of simultaneously having a CRA significantly out of position and an event sensitive to that CRA position is small.
B.1, B.2, and B.3 When more than one channel of RPI sensors per CRA fails, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of CRA misalignment on associated accident analyses are limited. Placing the rod control function in manual mode ensures unplanned CRA motion will not occur. Together with the position determination available via the in-core instrumentation system, this will minimize the potential for CRA misalignment. The immediate Completion Time for placing the Rod Control function in manual mode reflects the urgency with which unplanned rod motion must be prevented while in this Condition.
The position of the CRAs may be determined indirectly by use of the in-core instrumentation system neutron detectors. Plant procedures define the required number and locations of in-core neutron detectors that must function to permit evaluation of the CRA position.
Verification of CRA position once per 8 hours is adequate for allowing continued full power operation for a limited, 24 hour period, since the probability of simultaneously having a CRA significantly out of position and an event sensitive to that CRA position is small. The 24 hour Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with the shutdown without full CRA position indication.
NuScale [US600]                        B 3.1.7-4                                Revision 4.0
 
Rod Position Indication B 3.1.7 BASES ACTIONS (continued)
Based on industry experience, normal power operation does not require excessive CRA movement. If one or more CRAs has been significantly moved, the Required Action of C.1 below is required.
C.1 The Required Action clarifies that when one or more CRAs with inoperable position indicators have been moved in excess of 6 steps in one direction since the position was last determined, the Required Actions of A.1 or B.1 are still appropriate but must be initiated promptly under Required Action C.1 to begin verifying that these CRAs are still properly positioned relative to their group positions.
D.1 and D.2 With one counter position indicator per group inoperable, the CRA positions can be determined by the RPI System. Since normal full power operation does not require excessive movement of CRAs, verification by administrative means that the CRDS position indicators are OPERABLE and the most withdrawn CRA and the least withdrawn CRA are  6 steps apart within the allowed Completion Time of once every 8 hours is adequate E.1 If a Required Action of Condition A, B, C, or D cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. The allowed Completion Time is based on reaching the required MODE from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.1.7.1 REQUIREMENTS Verification that each RPI channel agrees within 6 steps of the counter position indication provides assurance that the RPI channel is operating correctly.
This surveillance is performed prior to reactor criticality after coupling of a CRA to the associated CRDM for one or more CRAs, as there is the potential for unnecessary unit transients if the SR were performed with the reactor critical.
NuScale [US600]                          B 3.1.7-5                                  Revision 4.0
 
Rod Position Indication B 3.1.7 BASES REFERENCES      1. 10 CFR 50, Appendix A, GDC 13.
: 2. FSAR, Chapter 15.
NuScale [US600]                  B 3.1.7-6                Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 PHYSICS TEST Exceptions BASES BACKGROUND        The primary purpose of the PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.
Section XI of 10 CFR 50, Appendix B, (Ref. 1) requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59 (Ref. 2).
The key objectives of a test program are to (Ref. 3):
: a. Ensure that the facility has been adequately designed;
: b. Validate the analytical models used in the design and analysis;
: c. Verify the assumptions used to predict unit response;
: d. Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and
: e. Verify that the operating and emergency procedures are adequate.
To accomplish these objectives, testing is performed prior to initial criticality, during startup, during low power operations, during power ascension, at high power and after each refueling. The PHYSICS TEST requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).
PHYSICS TEST procedures are written and approved in accordance with established formats. The procedures include information necessary to permit a detailed execution of the testing required, to ensure that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long-term power operation.
NuScale [US600]                            B 3.1.8-1                              Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 BASES BACKGROUND (continued)
The typical PHYSICS TESTS performed for reload fuel cycles (Ref. 4) in MODE 1 at < 5% RTP are listed below:
: a. Critical Boron Concentration - Control Rods Withdrawn;
: b. Control Rod Worth; and
: c. Isothermal Temperature Coefficient (ITC).
These tests are initiated in MODE 1 at < 5% RTP. These and other supplementary tests may be required to calibrate the nuclear instrumentation or to diagnose operational problems. These tests may cause the operating controls and process variables to deviate from their LCO requirements during their performance.
: a. The Critical Boron Concentration - Control Rods Withdrawn Test measures the critical boron concentration at hot zero power (HZP).
With rods out, the lead control group is at or near its fully withdrawn position. HZP is where the core is critical (keff = 1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Performance of this test should not violate any of the referenced LCOs.
: b. The Control Rod Worth Test is used to measure the reactivity worth of selected rod groups. This test is performed at HZP and has four alternative methods of performance. The first method, the Boron Exchange Method, varies the reactor coolant boron concentration and moves the selected regulating bank group in response to the changing boron concentration. The reactivity changes are measured with a reactivity computer. This sequence is repeated for the remaining regulating bank group. The second method, the Rod Swap Method, measures the worth of a predetermined reference group using the Boron Exchange Method above. The reference group is then nearly fully inserted into the core. The selected group is then inserted into the core as the reference group is withdrawn. The HZP critical conditions are then determined with the selected group fully inserted into the core. The worth of the selected group is calculated based on the position of the reference group with respect to the selected group. This sequence is repeated as necessary for the remaining groups. The third method, the Boron Endpoint Method, moves the selected regulating bank group over its entire length of travel while varying the reactor coolant boron concentration to maintain HZP criticality.
The difference in boron concentration is the worth of the NuScale [US600]                        B 3.1.8-2                                  Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 BASES BACKGROUND (continued) selected regulating bank group. This sequence is repeated for the remaining groups. The fourth method, Dynamic Rod Worth Measurement (DRWM), moves each group, individually, into the core to determine its worth. The group is dynamically inserted into the core while data is acquired from the excore channel. While the group is being withdrawn, the data is analyzed to determine the worth of the group. This is repeated for each regulating bank and shutdown bank group. Performance of this test will violate LCO 3.1.4, Rod Group Alignment Limits, LCO 3.1.5, Shutdown Bank Insertion Limit, or LCO 3.1.6, Regulating Bank Insertion Limits.
: c. The ITC Test measures the ITC of the reactor. This test is performed at HZP. The method is to vary the RCS temperature in a slow and continuous manner. The reactivity change is measured with a reactivity computer as a function of the temperature change.
The ITC is the slope of the reactivity versus the temperature plot.
The test is repeated by reversing the direction of the temperature change and the final ITC is the average of the two calculated ITCs.
Performance of this test should not violate any of the referenced LCOs.
APPLICABLE      The fuel is protected by LCOs that preserve the initial conditions of the SAFETY          core assumed during the safety analyses. The methods for ANALYSES        development of the LCOs that are excepted by this LCO are described in the [NuScale Reload Safety Evaluation Methodology report]
(Ref. 5). The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.
FSAR Chapter 14 defines requirements for initial testing of the facility, including low power PHYSICS TESTS. FSAR Sections 14.2.10.3 and 14.2.10.4 (Ref. 6) summarize the initial criticality and low power tests.
Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-2011 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits for the LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in:
LCO 3.1.3, Moderator Temperature Coefficient (MTC);
NuScale [US600]                        B 3.1.8-3                                Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 BASES APPLICABLE SAFETY ANALYSES (continued)
LCO 3.1.4, Rod Group Alignment Limits; LCO 3.1.5, Shutdown Bank Insertion Limit; and LCO 3.1.6, Regulating Bank Insertion Limits are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to  5% RTP and SDM is within the limits provided in the COLR.
PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Also involved are the movable control components (regulating and shutdown CRAs), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR.
As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.
LCO            This LCO allows the reactor parameters of MTC to be outside their specified limits. In addition, it allows selected regulating and shutdown rods to be positioned outside of their specified alignment and insertion limits. Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.
The requirements of LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 may be suspended during the performance of PHYSICS TESTS provided:
: a. SDM is within the limits provided in the COLR; and
: b. THERMAL POWER is  5% RTP.
APPLICABILITY  This LCO is applicable when performing low power PHYSICS TESTS.
The Applicability is stated as During PHYSICS TESTS initiated in MODE 1. Should the THERMAL POWER exceed 5% RTP, Required Action B.1 requires termination of critical operations by immediately opening the reactor trip breakers.
NuScale [US600]                        B 3.1.8-4                                Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 BASES ACTIONS        A.1 and A.2 If the SDM requirement is not met, boration must be initiated promptly.
A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.
Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.
B.1 When THERMAL POWER is > 5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.
SURVEILLANCE    SR 3.1.8.1 REQUIREMENTS Verification that the THERMAL POWER is  5% RTP will ensure that the unit is not operating in a condition that could invalidate the safety analyses.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.1.8.2 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:
: a. RCS boron concentration;
: b. Regulating bank group positions;
: c. RCS average temperature;
: d. Fuel burnup based on gross thermal energy generation;
: e. Xenon concentration;
: f. Samarium concentration; and
: g. Isothermal temperature coefficient (ITC).
NuScale [US600]                        B 3.1.8-5                                  Revision 4.0
 
PHYSICS TESTS Exceptions B 3.1.8 BASES SURVEILLANCE REQUIREMENTS (continued)
Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical or critical but below the point of adding heat, and the fuel temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. 10 CFR 50, Appendix B.
: 2. 10 CFR 50.59.
: 3. Regulatory Guide 1.68, Revision 4, June 2013.
: 4. ANSI/ANS-19.6.1-2011.
: 5. [NuScale Reload Safety Evaluation Methodology.]
: 6. FSAR, Chapter 14.
NuScale [US600]                      B 3.1.8-6                                  Revision 4.0
 
Boron Dilution Control B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.9 Boron Dilution Control BASES BACKGROUND            One of the principle functions of the Chemical Volume and Control System (CVCS) is to maintain the reactor coolant chemistry conditions by controlling the concentration of boron in the coolant for unit startups, normal dilution to compensate for fuel depletion, and shutdown boration. In the dilute mode of operation, unborated demineralized water may be supplied directly to the Reactor Coolant System (RCS).
Although the CVCS is not considered a safety related system, certain isolations of the system are considered safety related functions. The appropriate components have been classified and designed as safety related. A CVCS safety related function is the termination of inadvertent boron dilution.
There are two demineralized water isolation valves in series; one controlled by Division I of the MPS ESFAS DWSI Logic and Actuation, and one controlled by Division II of the MPS ESFAS DWSI Logic and Actuation. MPS instrumentation Functions, each with four measurement channels, that initiate DWSI actuation signals to each Logic and Actuation division are described in Subsection B 3.3.1, "Module Protection System (MPS) Instrumentation," and are specified in Table 3.3.1-1.
The boric acid storage tank and boric acid batch tank contain the boric acid solution used to supply the CVCS to control the boron concentration of the reactor coolant system. The boron concentration of the boric acid supply is specified in the COLR so that it does not become an inadvertent source of uncontrolled dilution.
APPLICABLE            One of the initial assumptions in the analysis of an inadvertent boron SAFETY                dilution event (Ref. 1) is the assumption that the increase in core ANALYSES              reactivity, created by the dilution event, can be detected by the NMS instrumentation. The NMS will provide neutron flux and flux rate signals to the MPS, and the MPS instrumentation will then determine if actuation of the CVCS demineralized water isolation valves is necessary to terminate the boron dilution event. Thus the demineralized water isolation valves are components which function to mitigate an AOO.
NuScale [US600]                              B 3.1.9-1                                Revision 4.0
 
Boron Dilution Control B 3.1.9 BASES APPLICABLE SAFETY ANALYSES (continued)
The demineralized water isolation valves isolate on actuation signals initiated by the low RCS flow, High Subcritical Multiplication or reactor trip system (RTS). The low RCS Flow actuation signal is designed to ensure boron dilution cannot be performed at low RCS flowrates where the loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event. The High Subcritical Multiplication actuation signal is designed to detect and mitigate inadvertent subcritical boron dilution events in MODES 2 and 3.
The RTS actuation initiates a signal to isolate the demineralized water isolation valves to support a reactor trip. The demineralized water isolation valves prevent the designed source of dilution water from contributing to events when these conditions exist. The analysis for an inadvertent boron dilution event assumes that the diluting flow is from the demineralized water source, however the boric acid storage tank and boric acid batch tank also supply flow to the CVCS. Controlling the boron concentration in these supplies ensures that they are not a source of dilution water. Thus the boric acid supply boron concentration is an assumption of the boron dilution accident.
Another initial assumption of the inadvertent boron dilution event (Ref. 1) is that the maximum CVCS dilution flow is limited at reduced power levels. The lowest maximum acceptable demineralized water flow rate is that provided by one CVCS makeup pump. And the maximum acceptable demineralized water flow rate varies with core design and boron concentration in the RCS. The initial safety analysis assumption limits maximum flow to that provided by a single makeup pump, however analyses may be performed consistent with approved methodologies listed in TS 5.6.3, "Core Operating Limits Report" to permit adjustments to the maximum demineralized water flow limit as a function of core design and boron concentration in the RCS.
CVCS demineralized water isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii). The boron concentration in the boric acid supply and the CVCS makeup pump demineralized water flow path flowrate satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            The requirement that two demineralized water isolation valves be OPERABLE assures that there will be redundant means available to terminate an inadvertent boron dilution event. The requirement that the boron concentration of the boric acid supply be maintained within the limits specified in the COLR ensures that the supply is not a source to the CVCS that could result in an inadvertent boron dilution event.
NuScale [US600]                        B 3.1.9-2                                Revision 4.0
 
Boron Dilution Control B 3.1.9 BASES LCO (continued)
The limits on maximum CVCS makeup pump demineralized water flow path flowrate are established by restricting the flow that can be provided during system operation to within the limits in the COLR. The restrictions may be implemented by use of at least one closed manual or one closed and de-activated automatic valve, or by removing the power supply from one CVCS makeup pump.
APPLICABILITY  The requirement that two demineralized water isolation valves be OPERABLE, and that the boric acid storage tank boron concentration and maximum CVCS makeup pump demineralized water flow path flowrate is within the limits specified in the COLR is applicable in MODES 1, 2, and 3 with any dilution source flow path in the CVCS makeup line not isolated. In these MODES, a boron dilution event is considered possible, and the automatic closure of these valves is assumed in the safety analysis. The boron concentration of the boric acid sources are not assumed to be capable of causing a dilution event by the boron dilution event analysis. The maximum CVCS makeup pump demineralized water flow path flowrate is an assumption of the boron dilution event.
In MODE 1 < 15% RTP, the detection and mitigation of a boron dilution event would be signaled by a High Source or Intermediate Range Log Power Rate or a High Source Range Count Rate.
In MODE 1  15% RTP, the detection and mitigation of a boron dilution event would be signaled by a High Power Range Rate or High Power Range Linear Power. In MODES 2 and 3, the detection and mitigation of a boron dilution event would be signaled by a Source Range High Count Rate trip, a trip on Source Range High Log Power Rate, or a trip on High Subcritical Multiplication, or low RCS flow.
In MODES 4 and 5, a dilution event is precluded because the CVCS RCS injection and discharge flow paths are not connected to the RCS, thus eliminating the possibility of a boron dilution event in the RCS.
Pool volume is sufficient to minimize the potential for boron dilution during MODE 5 within the surveillance intervals provided by LCO 3.5.3, Ultimate Heat Sink.
NuScale [US600]                        B 3.1.9-3                                Revision 4.0
 
Boron Dilution Control B 3.1.9 BASES ACTIONS        A.1 If one CVCS demineralized water isolation valve is inoperable, the valve must be restored to OPERABLE status in 72 hours. The allowed Completion Time is considered acceptable because the safety function of automatically isolating the dilution source can be accomplished by the redundant isolation valve.
B.1 If the Required Action and associated Completion Time is not met, or if both CVCS demineralized water isolation valves are not OPERABLE (i.e., not able to be closed automatically), then the demineralized water supply flow path to the RCS must be isolated to preclude a boron dilution event. Isolation can be accomplished by manually isolating the CVCS demineralized water isolation valve(s) or by positioning the manual 3-way combining valve to only take suction from the boric acid tank. Alternatively, the dilution path may be isolated by closing appropriate isolation valve(s) in the flow path(s) from the demineralized water storage tank to the RCS.
If the boric acid concentration in the boric acid supply or if the CVCS makeup pump demineralized water flow path flowrate are not within the limits specified in the COLR, then the flow path to the RCS must be isolated to preclude a boron dilution event. Condition B permits indefinite operation with the boric acid storage tank or the boric acid batch tank not meeting the COLR concentration limits with the source isolated from the CVCS.
The Required Action is modified by a Note allowing either flow path to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path can be rapidly isolated when a need for isolation is indicated.
NuScale [US600]                        B 3.1.9-4                                Revision 4.0
 
Boron Dilution Control B 3.1.9 BASES SURVEILLANCE    SR 3.1.9.1 REQUIREMENTS This Surveillance verifies that CVCS makeup pump demineralized water flow path is configured to ensure that the maximum dilution flow rate that can exist during makeup pump operation remains within the limits specified in the COLR. The Surveillance accomplishes this by assuring that when the maximum demineralized water flowrate is restricted to that of a single CVCS makeup pump, at least one closed manual or one closed and de-activated automatic valve is correctly configured, or verifying that the power supply has been removed from one CVCS makeup pump. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.1.9.2 This Surveillance demonstrates that each automatic CVCS demineralized water isolation valve actuates to the isolated position on an actual or simulated actuation signal. This Surveillance is not required for automatic valves that are locked, sealed, or otherwise controlled under administrative controls.
In addition to this Surveillance, the automatic actuation logic is tested as part of Engineered Safety Features Actuation System Actuation and Logic testing, and valve performance is monitored as part of the INSERVICE TESTING PROGRAM.
The Surveillance Frequency for this test is controlled under the Surveillance Frequency Control Program.
SR 3.1.9.3 This Surveillance ensures that the boric acid supply is not a potential source of dilution water.
The Surveillance is applicable to the boric acid storage tank and the boric acid batch tank when the tank is aligned to supply boric acid to the CVCS. The batch tank is routinely isolated from the CVCS during preparation of boric acid solution, and either tank may be used as a source of boric acid or isolated from use during normal operations.
Condition B permits indefinite operation with a source not meeting the COLR concentration limits with the source isolated from the CVCS.
SR 3.0.4 requires verification that the boric acid supply boron concentration is within limits before aligning the tank to supply the CVCS.
NuScale [US600]                        B 3.1.9-5                                Revision 4.0
 
Boron Dilution Control B 3.1.9 BASES SURVEILLANCE REQUIREMENTS (continued)
Boron concentration in the supply is verified to be within the limits specified in the COLR by periodic measurement.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.1.9.4 This Surveillance verifies that CVCS makeup pump maximum flowrate is  25 gpm. The lowest maximum makeup pump demineralized water flowrate that can be used while in operation is that of one CVCS makeup pump as assumed in the boron dilution analysis. The Surveillance verifies the maximum flowrate of each CVCS makeup pump is consistent with the analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.The limits on maximum CVCS makeup pump demineralized water flow path flowrate are established by restricting the flow that can be provided during system operation to within the limits in the COLR.
The restrictions may be implemented by use of at least one closed manual or one closed and de-activated automatic valve, or by removing the power supply from one CVCS makeup pump.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                        B 3.1.9-6                                Revision 4.0
 
FH B 3.2.1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Enthalpy Rise Hot Channel Factor (FH)
BASES BACKGROUND          The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. Control of the core power distribution with respect to these limits ensures that local conditions in the fuel rods and coolant channels do not challenge core integrity at any location during either normal operation or a postulated accident analyzed in the safety analyses.
FH is defined as the ratio of the maximum integrated rod power within the core to the average rod power. Therefore, FH is a measure of the maximum total power produced in a fuel rod.
FH is sensitive to fuel loading patterns, regulating bank group insertion, and fuel burnup. FH typically increases with regulating bank group insertion and typically decreases with fuel burnup.
FH is not directly measurable but is inferred from a power distribution map obtained with the fixed in-core neutron detectors. Specifically, the measurements taken from the fixed in-core instrument system are analyzed by a computer to determine FH. This value is calculated continuously with operator notification on unexpected results and validated by engineering in accordance with the surveillance frequency.
The COLR provides peaking limits that ensure that the safety analysis values for critical heat flux (CHF) are not exceeded for normal operation, operational transients, and any transient condition arising from analyzed events. The safety analysis precludes CHF and is met by limiting the minimum critical heat flux ratio (MCHFR) to that value defined in the COLR. All transient events are assumed to begin with an FH value that satisfies the LCO requirements.
Operation outside the LCO limits may produce unacceptable consequences if an event occurs. The CHF safety analysis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission products to the reactor coolant.
NuScale [US600]                            B 3.2.1-1                                Revision 4.0
 
FH B 3.2.1 BASES APPLICABLE      Limits on FH preclude core power distributions that exceed fuel design SAFETY          limits.
ANALYSES There must be at least 95% probability at the 95% confidence level (the 95/95 CHF criterion) that the hottest fuel rod in the core does not experience a CHF condition.
The limits on FH ensure that the safety analysis values for CHF are not exceeded for normal operation, operational transients, and any transient condition arising from analyzed events. The safety analysis precludes CHF and is met by limiting the MCHFR to that value defined in the COLR.
This value provides a high degree of assurance that the hottest fuel rod in the core does not experience a CHF condition.
The allowable FH limit increases with decreasing power level. This functionality in FH is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL 2.1.1. Therefore, any CHF events in which the calculation of the core limits is modeled implicitly use this variable value of FH in the analyses. Likewise, all transients that may be CHF limited are assumed to begin with an initial FH as a function of power level defined by the COLR limit equation.
The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the safety and accident analyses remain valid.
FH is measured periodically using the fixed in-core instrument system.
Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions are accomplished by operating the core within the limits of the LCOs on AO and Bank Insertion Limits.
FH satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            FH shall be maintained within the limits of the relationship provided in the COLR.
The FH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the least heat removal capability and thus the highest probability for a CHF condition.
The limiting value of FH, described by the equation contained in the COLR, is the design radial peaking limit used in the safety analyses.
NuScale [US600]                          B 3.2.1-2                                Revision 4.0
 
FH B 3.2.1 BASES APPLICABILITY  The FH limits must be maintained in MODE 1 with THERMAL POWER 25% RTP to preclude core power distributions from exceeding the fuel design limits for MCHFR. Applicability with THERMAL POWER < 25%
RTP and in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to FH in other conditions and modes (with THERMAL POWER < 25% RTP and MODES 2 through 5) have significant margin to CHF, and therefore, there is no need to restrict FH in these modes.
ACTIONS        A.1 With FH exceeding its limit, the unit must be placed in a mode or condition in which the LCO requirements are not applicable. This is done by reducing THERMAL POWER to  25% RTP within 6 hours. The allowed Completion Time of 6 hours provides sufficient time for the unit to restore FH to within its limits. This restoration may, for example, involve realigning any misaligned rods or reducing power enough to bring FH within its power dependent limit. When the FH limit is exceeded, the MCHFR limit is not likely violated in steady state operation, because events that could significantly perturb the FH value (e.g., static control rod misalignment) are considered in the safety analyses. However, the MCHFR may be violated if a CHF limiting event occurs. The allowed Completion Time of 6 hours is reasonable based on the time required to possibly restore the FH value and exit the Condition and if unsuccessful, to reduce THERMAL POWER to  25% RTP from full power conditions in an orderly manner and without challenging plant systems.
NuScale [US600]                        B 3.2.1-3                                  Revision 4.0
 
FH B 3.2.1 BASES SURVEILLANCE    SR 3.2.1.1 REQUIREMENTS The value of FH is determined by using the fixed in-core instrument system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FH from the measured flux distributions. The in-core instrument design and procedures incorporate the methods and process for measuring FH using the available in-core instrumentation. The procedures include verification that adequate instrument indications are available to provide a representative value of FH consistent with the methodology used to establish the FH limits in the COLR. This assures that the FH is within limits of the LCO.
After each refueling, FH must be determined in MODE 1 prior to exceeding 25% RTP. This requirement ensures that FH limits are met at the beginning of each fuel cycle and in accordance with the misload event analysis. (Ref. 1)
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                        B 3.2.1-4                                Revision 4.0
 
AO B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 AXIAL OFFSET (AO)
BASES BACKGROUND        The purpose of this LCO is to establish limits on the values of AO in order to limit the amount of axial power distribution skewing to either the top or bottom of the core. By limiting the amount of power distribution skewing, core peaking factors are consistent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.
The AO limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AO.
Subsequently, power peaking factors and power distributions are examined to ensure that the postulated event limits are met. Violation of the AO limits invalidate the conclusions of the accident and transient analyses with regard to fuel cladding integrity. (Ref. 1)
The in-core instrumentation system's neutron detectors are arranged equally spaced radially and axially throughout the core. This neutron detector arrangement promotes an accurate indication for the module control system to analyze core power distributions and will be used to monitor AO.
APPLICABLE        The AO is a measure of the axial power distribution skewing to either the SAFETY            top or bottom half of the core. The AO is sensitive to many core related ANALYSES          parameters such as regulating bank group positions, core power level, axial burnup, axial xenon distribution, reactor coolant temperature, and boron concentration.
The allowed range of the AO is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.
The limits on the AO ensure that the bounding axial power distribution is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the AO also restrict the range of power distributions that are used as initial conditions in the analyses of anticipated operational occurrences (AOO), infrequent events (IE), and accidents. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important AOO is the Control Rod Misoperation - Single Rod Withdrawal. The most NuScale [US600]                          B 3.2.2-1                                  Revision 4.0
 
AO B 3.2.2 BASES APPLICABLE SAFETY ANALYSES (continued) important IE is the Uncontrolled Control Rod Assembly Withdrawal from Power. The most important accident is the Rod Ejection Accident.
The limits on the AO satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            Information about the units AO is provided to the operator from the in-core instrumentation system. (Ref. 2) Separate signals are taken from the four neutron detectors on each of the 12 strings of in-core instrumentation. The AO is defined in Section 1.1.
The AO limits are provided in the COLR. Figure B 3.2.2-1 shows a typical AO limit.
APPLICABILITY  The AO requirements are applicable in MODE 1  25% RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety analysis.
The value of the AO does not affect the limiting accident consequences with THERMAL POWER < 25% RTP and for lower operating power MODES.
ACTIONS        A.1 AO is a controllable and measurable parameter. With AO not within LCO limits, action must be taken to place the unit in a MODE or condition in which the LCO requirements are not applicable. Reducing THERMAL POWER to < 25% RTP places the core in a condition for which the value of the AO is not important in the applicable safety analyses.
The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require AO to be within the LCO limits, and the time for reaching < 25%
RTP from full power conditions in an orderly manner and without challenging plant systems.
NuScale [US600]                        B 3.2.2-2                                Revision 4.0
 
AO B 3.2.2 BASES SURVEILLANCE    SR 3.2.2.1 REQUIREMENTS This Surveillance verifies that the AO, as indicated by the in-core instrumentation system, is within its specified limits.
The in-core instrument design and procedures incorporate the methods and process for verifying the AO is within limits using the available in-core instrumentation. The surveillance procedures include verification that adequate instrument indications are available to provide a representative value of the AO consistent with the methodology used to establish the AO limits in the COLR. This assures that the AO is within limits of the LCO.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 15.
: 2. FSAR, Chapter 4.
NuScale [US600]                      B 3.2.2-3                                Revision 4.0
 
AO B 3.2.2 BASES Figure B 3.2.2-1 (page 1 of 1)
Axial Offset Window NuScale [US600]          B 3.2.2-4            Revision 4.0
 
MPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Module Protection System (MPS) Instrumentation BASES BACKGROUND          The Module Protection System (MPS) initiates reactor trips and other safety systems to protect against violating specified acceptable fuel design limits, and inadvertent breaching of the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). It also initiates other safety systems to ensure acceptable consequences during accidents.
The MPS is designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of process variables directly monitored by the MPS, as well as LCOs on other reactor system variables and equipment performance. The MPS is separate and independent for each unit.
Technical Specifications are required by 10 CFR 50.36 to include LSSS.
LSSS are defined by the regulation as "settings for automatic protective devices related to those variables having significant safety functions.
Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded."
The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protective action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for channel uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Program (SP) controlled by 10 CFR 50.59.
The Limiting Trip Setpoint (LTSP) specified in the SP is a predetermined setting for a protective channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the LTSP ensures that SLs are not exceeded. As such, the LTSP meets the definition of a LSSS (Ref. 1).
NuScale [US600]                            B 3.3.1-1                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel device with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel.
Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the LTSP to account for further drift during the next surveillance interval.
Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).
However, there is also some point beyond which the channel may not be able to perform its function due to, for example, greater than expected drift.
If all as-found measured values during calibration and surveillance testing are inside the as-left tolerance band, then the channel is fully operable, no additional actions are required.
If all as-found measured values during calibration testing and surveillance testing are within the as-found tolerance band but outside the as-left tolerance band, then the instrumentation channel is fully operable, however, calibration is required to restore the channel within the as-left tolerance band.
If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The NuScale [US600]                        B 3.3.1-2                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued) reactor module must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.
During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:
* The critical heat flux ratio (CHFR) shall be maintained above the SL value to prevent critical heat flux (CHF);
* Fuel centerline melting shall not occur; and
* Pressurizer pressure SL of 2285 psia shall not be exceeded.
Maintaining the variables within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 50.34 (Ref. 3) criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 50.34 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
The MPS includes devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:
: 1. Reactor Trip System (RTS) actuation;
: 2. Emergency Core Cooling System (ECCS) actuation;
: 3. Decay Heat Removal System (DHRS) actuation;
: 4. Containment Isolation System (CIS) actuation;
: 5. Secondary System Isolation (SSI);
: 6. Chemical and Volume Control System Isolation (CVCSI) actuation;
: 7. Demineralized Water Supply Isolation (DWSI) actuation; NuScale [US600]                          B 3.3.1-3                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
: 8. Pressurizer Heater Trip (PHT) actuation; and
: 9. Low Temperature Overpressure Protection (LTOP) actuation.
Equipment actuated by each of the above signals is identified in the FSAR (Ref. 4). Setpoints are specified in the [owner-controlled requirements manual].
This LCO addresses the equipment from the MPS input sensors to the input to the RTS and ESFAS SVMs. The MPS RTS and ESFAS equipment from the inputs of the SVMs to the outputs of the equipment interface modules (EIMs) to the actuated devices is addressed in LCO 3.3.2, Reactor Trip System (RTS) Logic and Actuation, and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS)
Logic and Actuation", respectively. Manual actuation of the RTS and ESFAS from the actuating switches to the backplane connections of the chassis are addressed in LCO 3.3.4, Manual Actuation Functions.
The roles of each of the MPS functions in the RTS and ESFAS, including the actuation logic of LCO 3.3.2, 3.3.3, and 3.3.4 are discussed below.
Measurement Channels Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the process variable being measured. Some measurement channels that are processed by MPS are sent to MCS for control functions (e.g., pressurizer pressure and level).
The excore nuclear instruments are considered components in the measurement channels of the High Power Range Linear Power, High Power Range Positive and Negative Rate, Source Range Count Rate, Source Range Log Power Rate, and High Intermediate Range Log Power Rate Neutron Flux trips.
Four identical measurement channels (also designated separation group-A through D) with electrical and physical separation are provided for each variable used in the generation of trip and actuation signals.
NuScale [US600]                        B 3.3.1-4                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
MPS sensor processing consists of four separation groups of sensors.
Each of the four groups is composed of safety function modules (SFMs) that condition input signals and provide channel trip and actuation determination. In addition, SFMs provide indication that can be displayed in the control room. Each SFM is comprised of:
* signal conditioning and analog to digital conversion sub-modules;
* digital logic circuits; and
* communication engines.
The signal conditioning input sub-modules of the SFM are comprised of an analog circuit and a digital circuit. The analog circuit converts analog voltages or currents into a digital representation. The digital representation of the process sensor output is communicated from the signal conditioning input sub-module to the digital logic circuits that form the trip or actuation determination block.
An SFM trip or actuation determination block accepts input from up to four signal conditioning input sub-modules. The output of each of the signal conditioning input sub-modules is sent to three redundant core logic signal paths in the programmable portion of the SFM that form the trip determination block.
The core logic functions in each of the three redundant signal paths independently:
* performs the safety function algorithm;
* compares the safety function algorithm output to a setpoint and makes a reactor trip and ESF actuation determination; and
* generates permissives and control interlocks.
The information provided via the signal conditioning input sub-modules to the core logic is also provided to the module control system (MCS), the safety display and indication (SDI) system, and the maintenance workstation (MWS) via the monitoring and indication bus communication module (MIB-CM).
NuScale [US600]                          B 3.3.1-5                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
The trip and actuation setpoints used in the SFM core logic function are based on the analytical limits derived from safety analysis (Ref. 5). The calculation of the LTSP specified in the Setpoint Program (SP) is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those MPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the LTSP specified in the SP is conservative with respect to the analytical limits. The nominal trip setpoint (NTSP) is the LTSP with margin added and is always equal to or more conservative than the LTSP. A detailed description of the methodology used to calculate the NTSPs is provided in the "NuScale Instrument Setpoint Methodology" (Ref. 7). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL CALIBRATION is defined as the as-left limit plus the acceptable drift about the NTSP.
The NTSPs listed in the SP are based on the methodology described in Reference 7, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTSP. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.
The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION that requires trip setpoint verification.
NTSPs, in conjunction with the use of as-found and as-left tolerances, consistent with the requirements of the SP will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.
NuScale [US600]                          B 3.3.1-6                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
The MPS incorporates continuous system self-testing features from the sensor input to the output switching logic, with the exception of the actuation and priority logic (APL). The self-testing features evaluate whether the MPS is functioning correctly. Surveillance testing verifies OPERABILITY of the APL. Self-testing features include on-line diagnostics for the MPS hardware and communications tests. These self-tests do not interfere with normal system operation.
In addition to the self-testing features, the system includes functional testing features. Functional testing of the entire MPS, from SFM input through the opening of individual RTBs and actuation of ESFAS components, can be performed either at power or shutdown. The manual actuation switches in the MCR cannot be tested at power because they would cause a reactor trip or ESF actuation. FSAR Chapter 7 (Ref. 4) provides more detail on MPS testing.
The output of the three SFM core logic function signal paths are each routed to one of three independent safety data buses. Each of the safety data buses carry the trip determination data to one of three respective scheduling and bypass modules (SBMs). The SBM transmits the data to both divisions of the RTS and the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups are received by each divisions set of RTS and ESFAS SVMs. The failure of one or more components in one of the three safety data paths in any separation group has no impact on the safety function (i.e., SBM and SVM).
A trip is determined by two-out-of-four logic. If two or more of the four redundant channels call for trip, then a trip will be generated. If a channel is taken to maintenance bypass, two of the remaining three channels (two-out-of-three) are required to generate a trip. By placing one channel in maintenance trip, only one of the remaining three channels (one-out-of-three) is required to generate a trip.
Two-out-of-three and two-out-of-four logic prevents inadvertent trips caused by any single channel failure in a trip condition.
In addition to the channel maintenance bypasses, there are also operating bypasses on select trips or actuations. These bypasses are enabled automatically or manually, depending on the function, in both divisions when unit conditions do not warrant the specific trip or actuation protection. All operating bypasses are automatically removed when the permissive or interlock conditions are no longer satisfied. Operating bypasses are implemented in the SVM.
NuScale [US600]                        B 3.3.1-7                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
Logic for Trip or Actuation Initiation The MPS logic, addressed in LCO 3.3.2 and LCO 3.3.3, is implemented in two divisions each of RTS and ESFAS. It employs a scheme that provides a reactor trip or ESFAS actuation when an SFM in any two of the four separation group channels sense and signal the same input variable trip. The three SVMs in the RTS and the three SVMs in the ESFAS evaluate the trip information received from the SFMs from all four separation groups. If two or more of the four redundant channels call for a trip, then a trip request is passed to the associated EIMs.
The output of the three SVM communication modules is sent via three independent safety data buses to the EIMs. The EIMs receive the information from the three SVMs and performs a two-out-of-three vote. If two or more of the SVMs call for a trip, then a trip is generated and the EIM actuates the component it controls.
RTS Actuation The EIMs for each division of RTS interrupts power to the control rod drive mechanisms (CRDMs) by opening two reactor trip breakers associated with that division.
The RTS EIMs interrupt power to the reactor trip breaker undervoltage trip coils and energizes the reactor breaker shunt trip coil.
The reactor trip switchgear, addressed in LCO 3.3.2, consists of four RTBs, which are operated in two sets of two breakers (two divisions).
Power input to the reactor trip switchgear comes from the 3-phase 120/208 VAC EDNS power source.
Each of the two RTS divisions is capable of producing an automatic reactor trip output signal that opens two of the four reactor trip breakers associated with that division. The four reactor trip breakers are connected in a series-parallel arrangement. Each parallel path contains two trip breakers in series, one from each RTS division, to ensure that a reactor trip signal from a single division will initiate a reactor trip.
When a reactor trip signal is actuated in any two of the four separation groups, four trip breakers open, two in each RTS division, power is interrupted to the rod drive power supply, and the control rods are inserted into the core.
NuScale [US600]                        B 3.3.1-8                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued)
Each set of RTBs is operated by either a manual reactor trip switch or via an MPS-actuated EIM for each RTB. The OPERABILITY of the manual trip switches and their function are addressed in LCO 3.3.4.
Functional testing of the entire MPS, from sensor input to the SFM through the opening of individual sets of RTBs, can be performed either at power or shutdown. FSAR Chapter 7 (Ref. 4) explains MPS testing in more detail.
ESFAS Actuation Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to a breaker or valve controls.
Each division of ESFAS can control an independent component or in some cases either division can control one component. For example there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one MSIV per steam line and either Division I or II can close it.
Manual ESFAS initiation capability is provided to permit the operator to manually actuate ESF when necessary. Switches are located in the control room for each automatic ESF function, and each switch (one per division for each function) actuates its respective division. These manual switch signals are converted to logic level voltages by the HWMs in each RTS and ESFAS chassis and are available on the backplane for the associated actuation. The OPERABILITY of the manual actuation switches and their function are addressed in LCO 3.3.4.
Overall Functional Analysis Three of the four measurement separation groups are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 2). The fourth channel provides additional flexibility by allowing one group to be removed from service (channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic.
The failure of one or more components in one of the three safety data paths in any separation group has no impact on the safety function (i.e.,
SBM and SVM). Adequate channel to channel independence includes physical and electrical independence of each channel from the others.
This allows operation in two-out-of-three logic with one channel removed NuScale [US600]                        B 3.3.1-9                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES BACKGROUND (continued) from service and bypassed until the next MODE 3 entry since no single failure will either cause or prevent a protective system actuation. This arrangement meets the requirements of IEEE Standard 603-1991 (Ref. 8).
APPLICABLE        The MPS is designed to ensure that the following operational criteria are SAFETY            met:
ANALYSES, LCO, and APPLICABILITY
* The associated actuation will occur when the variable monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied; and
* Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the MPS instrumentation architecture.
Each of the analyzed accidents and transients which require a reactor trip or engineered safety feature can be detected by one or more MPS Functions. The MPS Functions that are credited to mitigate specific design basis events are described in FSAR Chapter 15 (Ref. 5). Setpoints are specified in the [owner-controlled requirements manual].
Each MPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each setpoint falls into one of three general categories:
* To ensure that the SLs are not exceeded during AOOs;
* To actuate the RTS and ESFAS during accidents; and
* To prevent material damage to major components (equipment protection).
The MPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.
The Module Protection System instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Permissive and interlock setpoints automatically provide, or allow manual or automatic blocking of trips during unit evolutions. They are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the initial conditions are consistent with the safety analysis, before NuScale [US600]                          B 3.3.1-10                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative initial conditions for the safety analysis, they are generally considered as nominal values without regard to measurement accuracy.
Operating bypasses are addressed in the footnotes to Table 3.3.1-1.
They are not otherwise addressed as specific Table entries.
The automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are OPERABLE.
RTS and ESFAS Operating Bypass Interlocks and Permissives Reactor protection permissives and interlocks are provided to ensure reactor trips and ESF actuations are in the correct configuration for the current unit status (Ref. 4). This is to ensure that the protection system functions are not bypassed during unit conditions under which the safety analysis assumes the functions are OPERABLE. Therefore, the permissive and interlock functions do not need to be OPERABLE when the associated reactor trip and ESF functions are outside the applicable MODES. Proper operation of these permissive and interlocks supports OPERABILITY of the associated reactor trip and ESF functions and/or the requirement for actuation logic OPERABILITY. The permissives and interlocks must be in the required state, as appropriate, to support OPERABILITY of the associated functions. The permissives and interlocks associated with each MPS Instrumentation Function channel, each Reactor Trip System (RTS) Logic and Actuation Function division, and each Engineered Safety Features Actuation System (ESFAS) Logic and Actuation Function division, respectively, must be OPERABLE for the associated Function channel or Function division to be OPERABLE. The combination of the continuous self-testing features of the MPS and the CHANNEL CALIBRATION specified by SR 3.3.1.4 verify the OPERABILITY of the interlocks and permissives. Specification 5.5.10, Setpoint Program is used to control interlock and permissive setpoints.
The permissives and interlocks are:
Intermediate Range Log Power Permissive, N-1 The Intermediate Range Log Power, N-1 permissive is established when the Intermediate Range Log Power channel increases to approximately one decade above the channel lower range limit. The N-1 permissive performs the following:
NuScale [US600]                      B 3.3.1-11                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
: 1. On increasing power, the N-1 permissive allows the manual block of the following:
* High Source Range Count Rate Reactor Trip and Demineralized Water System Isolation actuation; and
* High Source Range Log Power Rate Reactor Trip and Demineralized Water System Isolation actuation.
This prevents the premature block of the High Source Range Count Rate and High Source Range Log Power Rate trips and allows the operator to ensure that the Intermediate Range channel is OPERABLE as power increases prior to leaving the source range.
: 2. On increasing power, the N-1 interlock automatically establishes an operating bypass for High Source Range Subcritical Multiplication Demineralized Water System Isolation actuation.
: 3. On decreasing power, the N-1 interlock automatically removes the operating bypass for the following:
* High Source Range Count Rate Reactor Trip and Demineralized Water System Isolation actuation;
* High Source Range Log Power Rate Reactor Trip and Demineralized Water System Isolation; and
* High Source Range Subcritical Multiplication Demineralized Water System Isolation actuation.
Power Range Linear Power Permissive, N-2L The Power Range Linear Power, N-2L permissive is active on increasing power at approximately 15% power. On increasing power, the N-2L permissive allows the operator to manually establish an operating bypass of the following:
* Reactor Trip on High-1 Power Range Linear Power. This increases the High Power Range Linear Power trip to the High-2 trip setpoint; and
* Demineralized Water System Isolation actuation on High-1 Power Range Linear Power.
NuScale [US600]                      B 3.3.1-12                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
On decreasing power, the N-2L permissive automatically removes the above operating bypasses.
Power Range Linear Power Interlock, N-2L The Power Range Linear Power, N-2L interlock is active on increasing power at approximately 15% power. The N-2L interlock automatically establishes an operating bypass of the following:
* Reactor Trip on High Intermediate Range Log Power Rate; and
* Demineralized Water System Isolation actuation on High Intermediate Range Log Power Rate.
On decreasing power, the N-2L interlock automatically removes the above operating bypasses.
Power Range Linear Power Interlock, N-2H The Power Range Linear Power, N-2H interlock is active on decreasing power at approximately 15% power. The N-2H interlock automatically establishes an operating bypass of the following:
* Reactor Trip on High Power Range Positive Rate;
* Reactor Trip on High Power Range Negative Rate;
* Demineralized Water System Isolation actuation on High Power Range Positive Rate;
* Demineralized Water System Isolation actuation on High Power Range Negative Rate;
* Reactor Trip on Low Main Steam Pressure;
* Secondary System Isolation on Low Main Steam Pressure; and
* Demineralized Water System Isolation actuation on Low Main Steam Pressure.
On increasing power, the N-2H interlock automatically removes the above operating bypasses.
NuScale [US600]                      B 3.3.1-13                            Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Reactor Tripped Permissive, RT-1 The Reactor Tripped Permissive, RT-1 is established when both divisional reactor trip breakers indicate open. The RT-1 permissive is used in conjunction with the T-2, T-5, F-1, and L-1 interlocks, and the override function O-1.
Feedwater Isolation Valve (FWIV) Closed Interlock, V-1 The FWIV Closed interlock, V-1 is active when one or both FWIV indicate closed.
: 1. When the V-1 interlock AND the N-2H interlock are active, an automatic operating bypass is established for the Low Main Steam Superheat reactor trip.
: 2. When the V-1 interlock AND the N-2H interlock are active, OR the containment level interlock, L-1, is active, an automatic operating bypass is established for the Low Main Steam Superheat Secondary System Isolation actuation.
: 3. When the V-1 interlock OR the N-2H interlock are not active, AND L-1 is not active, the operating bypass is automatically removed for the Low Main Steam Superheat Secondary System Isolation actuation.
: 4. When the V-1 interlock OR the N-2H interlock are not active, the operating bypass is automatically removed for the Low Main Steam Superheat reactor trip.
Wide Range RCS Cold Temperature Interlock, T-1 The Wide Range RCS Cold Temperature Interlock, T-1, is established when Wide Range RCS Cold Temperature is greater than approximately 325 &deg;F.
: 1. On increasing temperature, the T-1 interlock automatically bypasses the Low Temperature Overpressure Protection actuation on High WR RCS Pressure.
: 2. On decreasing temperature, the T-1 interlock automatically enables the Low Temperature Overpressure Protection actuation on High WR RCS Pressure.
NuScale [US600]                        B 3.3.1-14                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Wide Range RCS Hot Temperature Interlock, T-2 The Wide Range RCS Hot Temperature interlock, T-2, is established when Wide Range RCS Hot Temperature is below approximately 200 &deg;F and the Reactor Tripped Permissive, RT-1 is established.
: 1. On decreasing temperature, the T-2 interlock automatically bypasses the Low Low Pressurizer Level trip for:
* Secondary System Isolation;
* CVCS Isolation actuation; and
* Containment Isolation actuation.
: 2. On increasing temperature above the T-2 interlock or RT-1 not established (RTBs closed), the T-2 interlock automatically enables the Low Low Pressurizer Level trip for:
* Secondary System Isolation;
* CVCS Isolation actuation; and
* Containment Isolation actuation.
Wide Range RCS Hot Temperature Interlock, T-3 The Wide Range RCS Hot Temperature interlock, T-3, is established when Wide Range Hot Temperature is below approximately 350 &deg;F.
: 1. On decreasing temperature, the T-3 interlock automatically bypasses:
* High Narrow Range Containment Pressure trip for SSI actuation, Containment Isolation actuation, and CVCS Isolation actuation.
: 2. On increasing temperature, the T-3 interlock automatically enables:
* High Narrow Range Containment Pressure trip for SSI actuation, Containment Isolation actuation, and CVCS Isolation actuation.
NuScale [US600]                    B 3.3.1-15                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Narrow Range RCS Hot Temperature Interlock, T-4 The Narrow Range RCS Hot Temperature Interlock, T-4, is established when Narrow Range RCS Hot Temperature is below approximately 600 &deg;F.
: 1. On decreasing temperature, the T-4 interlock automatically bypasses the Low Pressurizer Pressure trip for Reactor Trip and DWSI actuation.
: 2. On increasing temperature, the T-4 interlock automatically enables the Low Pressurizer Pressure trip for Reactor Trip and DWSI actuation.
Wide Range RCS Hot Temperature Interlock, T-5 The Wide Range RCS Hot Temperature Interlock, T-5, is established when Wide Range Hot Temperature is below approximately 420 &deg;F.
: 1. When RT-1 is active (reactor trip breakers open) and on decreasing temperature, the T-5 interlock automatically bypasses:
* Low Low Pressurizer Pressure Secondary System Isolation actuation;
* DWSI actuation signals from any automatic Reactor Trip actuation; and
* Low Low Pressurizer Pressure CVCS Isolation actuation.
: 2. When RT-1 is not active, or on increasing temperature, the T-5 interlock is not active, the following functions are automatically enabled:
* Low Low Pressurizer Pressure Secondary System Isolation actuation;
* DWSI actuation signals from any automatic Reactor Trip actuation; and
* Low Low Pressurizer Pressure CVCS Isolation actuation.
NuScale [US600]                      B 3.3.1-16                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Narrow Range RCS Hot Temperature Interlock, T-6 The Narrow Range RCS Hot Temperature Interlock, T-6, is established when Narrow Range RCS Hot Temperature is below approximately 475 &deg;F.
: 1. On decreasing temperature, the T-6 interlock automatically bypasses the Low RCS Pressure trip for ECCS actuation.
: 2. On increasing temperature, the T-6 interlock automatically enables the Low RCS Pressure trip for ECCS actuation.
Containment Level Interlock, L-1 The Containment Level Interlock, L-1 is established when Containment Water Level is above approximately 45 ft. and RT-1 (RTBs open) is active.
: 1. When L-1 is active, an automatic operating bypass is established for the:
* Low Low Main Steam Pressure Secondary System Isolation actuation,
* Low Main Steam Superheat Secondary System Isolation actuation,
* High Narrow Range Containment Pressure Secondary System Isolation actuation,
* Low Low Pressurizer Level Secondary System Isolation actuation,
* Low Low Pressurizer Level CVCS isolation, and
* Low Low Pressurizer Level Containment System Isolation actuation.
: 2. When the L-1 interlock is not active, the operating bypass is automatically removed for the:
* Low Low Main Steam Pressure Secondary System Isolation actuation.
NuScale [US600]                      B 3.3.1-17                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
: 3. When the L-1 interlock is not active, and the N-2H interlock OR the V-1 interlock is not active, the operating bypass is automatically removed for the:
* Low Main Steam Superheat Secondary System Isolation actuation.
: 4. When the L-1 interlock and the WR RCS Thot interlock, T-3, are not active, the operating bypass is automatically removed for the:
* High Narrow Range Containment Pressure Secondary System Isolation actuation.
: 5. When the L-1 interlock and the WR RCS Thot interlock, T-2, are not active, the operating bypass is automatically removed for the:
* Low Low Pressurizer Level Secondary System Isolation actuation,
* Low Low Pressurizer Level CVCS isolation, and
* Low Low Pressurizer Level Containment System Isolation actuation.
Pressurizer Level Interlock, L-2 The L-2 interlock is active when pressurizer level is greater than 20%.
: 1. When L-2 AND the WR RCS Thot Interlock, T-3, are active, an automatic operating bypass is established for the High Containment Level ECCS actuation.
: 2. When L-2 OR the WR RCS Thot Interlock, T-3, are not active, the operating bypass is automatically removed for the High Containment Level ECCS actuation.
Low Low RCS Flow CVCSI Interlock, F-1 When RCS flow goes below the Low Low RCS Flow setpoint, a reactor trip and CVCSI actuation are generated, opening the reactor trip breakers and isolating the CVCS. The CVCS, in conjunction with the module heatup system, is used to establish RCS flow and to heat-up the RCS during reactor startup. The F-1 interlock allows opening of the CVCS isolation valves, using the Enable NS Control switch and MCS, with RCS NuScale [US600]                        B 3.3.1-18                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) flow below the Low Low RCS Flow setpoint as long as the reactor trip breakers are open.
: 1. When two or more RCS flow channels are less than or equal to the Low Low RCS Flow setpoint, a reactor trip and CVCSI actuation are generated. When more than two RCS flow channels are less than or equal to the Low Low RCS Flow setpoint for more than a short time delay AND RT-1 is active (both divisional reactor trip breakers open),
F-1 is active and an automatic operating bypass is established for the Low Low RCS Flow CVCSI actuation.
: 2. When RT-1 is not active, or two or more RCS flow channels are greater than the Low Low RCS Flow setpoint for more than a short time delay, the F-1 interlock is not active and the operating bypass is automatically removed.
Containment System Isolation Override, O-1 The containment system isolation override, O-1, is established when the manual override switch (one for each division) in the main control room is in the override position for the respective ESFAS division and the RT-1 permissive is established. The O-1 override allows for manual control of the CVCS RCS injection and pressurizer spray containment isolation valves and the containment flood and drain containment isolation valves, from the module control system with an active automatic containment system isolation or automatic CVCS isolation signal present.
The override does not affect the CVCS containment isolation valves closure signal when the isolation signal is generated on High Pressurizer Level. The O-1 override switch must be manually taken out of override when the override O-1 is no longer needed. The override is automatically removed if the RT-1 permissive is removed.
Containment Pressure Interlock, P-1 The P-1 interlock is active when the narrow range containment pressure is less than about 1 psia.
: 1. On decreasing narrow range containment pressure, the P-1 interlock automatically bypasses the Low RCS Pressure ECCS actuation.
: 2. On increasing narrow range containment pressure, the P-1 interlock automatically enables the Low RCS Pressure ECCS actuation.
NuScale [US600]                        B 3.3.1-19                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Reactor Trip System and ESFAS Functions The specific safety analyses applicable to each protective function are identified below:
: 1. Excore Nuclear Power Neutron flux provides indication of reactor power and is measured at detectors located outside the containment vessel at the height of the core region. Wide range detectors are used at all power levels with continuous indication from subcritical conditions and startup to operating power levels. The neutron monitoring system provides indication from approximately 10E-6 to 125% RTP.
Neutron flux signals that exceed their setpoints or the rate of change limits cause the reactor trip breakers to open and the demineralized water supply valves to be isolated. Four channels of neutron flux are required to be OPERABLE when the unit is in a condition capable of withdrawing any CRA.
: a. High Power Range Linear Power - Reactor Trip and Demineralized Water System Isolation The High Power Range Linear Power trip compares the measured power range neutron flux to setpoints to initiate actuations if reactor power level exceeds the expected levels. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
* Decrease in feedwater temperature;
* Increase in feedwater flow;
* Increase in steam flow;
* Inadvertent opening of the turbine bypass system;
* Control rod misoperation;
* Inadvertent decrease in boron concentration in the RCS;
* Spectrum of rod ejection accidents;
* Uncontrolled control rod assembly (CRA) withdrawal at power; and NuScale [US600]                        B 3.3.1-20                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
* Steam system piping failures inside and outside of containment.
Four channels of High Power Range Linear Power are required to be OPERABLE in MODE 1 and in MODES 2 and 3 with the RTBs closed and the CRDMs capable of withdrawing any CRA. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
The High Power Range Linear Power trip logic functions include a permissive, N-2L, that allows the operator to manually bypass the lower Power Range Neutron Flux High trip when power is increased above the N-2L permissive. The Power Range High Linear Power trip setpoint is automatically reset to the lower setpoint when power is reduced below the N-2L permissive.
Actual, interlock and permissive setpoints are established in accordance with the Setpoint Program.
: b. High Power Range Positive and Negative Rate - Reactor Trip and Demineralized Water System Isolation The Power Range Rate is measured using the power range neutron monitors that measure neutron flux for the High Linear Power trip. The Power Range Rate function measures the rate-of-change in neutron flux received at the detectors. The SFM logic unit performs calculations to determine the rate of change and compares the result to a setpoint. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
* Inadvertent decrease in boron concentration in the RCS; and
* Control Rod Misoperation.
These trips provide protection from the effects of transients that occur at power levels above the N-2H interlock. The High Positive and Negative Power Range Rate trips are automatically bypassed below the N-2H interlock and automatically enabled above the N-2H interlock. Actual trip, isolation, interlock, and permissive setpoints are established and governed by the Setpoint Program.
NuScale [US600]                      B 3.3.1-21                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four channels of Power Range Rate are required to be OPERABLE in MODE 1 with reactor power above the N-2H interlock to limit the rate of change of the reactor power as measured by the excore neutron detectors. In MODE 1 with reactor power below the N-2L interlock, and MODES 2 and 3, the High Source and Intermediate Range Log Power Rate trips provide protection from transients that result in high rates of change in reactor power. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: c. High Intermediate Range Log Power Rate - Reactor Trip and Demineralized Water System Isolation The Neutron Monitoring System (NMS) provides an intermediate range doubling time signal which is used by the SFM to determine the rate of change and compares the result to a setpoint. The High Intermediate Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during an inadvertent decrease in boron concentration in the RCS that is postulated to occur at low power.
The High Intermediate Range Log Power Rate trip is only necessary for events that are postulated to occur from a subcritical condition or during the approach to critical operations and at low-power levels. It is not required to be OPERABLE at power levels above the N-2L interlock. The High Intermediate Range Log Power Rate trip is automatically bypassed when above the N-2L interlock and automatically enabled below the N-2L interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
Four channels of High Intermediate Range Log Power Rate are required to be OPERABLE in MODE 1 with reactor power below the N-2L interlock and in MODES 2 and 3 when capable of CRA withdrawal because the events that it is design to protect against occur at low power levels. This will limit the rate of change of the reactor power as measured by the excore neutron detectors. At power levels above the N-2L interlock, the High Power Rate trip provides protection from events that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical.
NuScale [US600]                      B 3.3.1-22                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: d. High Source Range Count Rate - Reactor Trip and Demineralized Water System Isolation The NMS provides a source range log power signal which is used by the SFM to determine a source range count rate and compares the result to a setpoint. The High Source Range Count Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
* Inadvertent decrease in boron concentration in the RCS; and
* Uncontrolled CRA withdrawal from a subcritical or low power.
Four channels of High Source Range Count Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
The High Source Range Count Rate trip can be manually bypassed when the intermediate range flux increases to approximately one decade above the channel lower limit (above the N-1 permissive) and is automatically enabled when the intermediate range flux decreases below the N-1 permissive.
Interlock and permissive setpoints are governed by the Setpoint Program.
NuScale [US600]                      B 3.3.1-23                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
: e. High Source Range Log Power Rate - Reactor Trip and Demineralized Water System Isolation The NMS provides a source range doubling time signal which is used by the SFM to determine a source range log power rate and compares the result to a setpoint. The High Source Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
* Inadvertent decrease in boron concentration in the RCS; and
* Uncontrolled CRA withdrawal from a subcritical or low power.
Four channels of Source Range Log Power Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
The High Source Range Log Power Rate trip can be manually bypassed above the N-1 permissive and is automatically enabled when the intermediate range flux decreases below the N-1 permissive. Interlock and permissive setpoints are governed by the Setpoint Program.
: f. High Subcritical Multiplication - Demineralized Water System Isolation The NMS provides a source range log power signal which is used by the SFM to determine a subcritical multiplication rate and compares the result to a setpoint. The High Subcritical NuScale [US600]                      B 3.3.1-24                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Multiplication trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
* Inadvertent decrease in boron concentration in the RCS; and
* Uncontrolled CRA withdrawal from a subcritical or low power.
Four channels of Subcritical Multiplication are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and at all times in MODES 2 and 3. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single failure will disable this trip Function.
The High Subcritical Multiplication trip is automatically bypassed above the N-1 interlock and is automatically enabled when the intermediate range flux decreases below the N-1 interlock.
Interlock and permissive setpoints are governed by the Setpoint Program.
: 2. Pressurizer Pressure Pressurizer pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel.
The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 1500 to 2200 psia.
: a. High Pressurizer Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Demineralized Water System Isolation, and Secondary System Isolation The High Pressurizer Pressure trip is designed to protect against exceeding RPV pressure limits for reactivity and heatup events.
NuScale [US600]                      B 3.3.1-25                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The trip provides protection for the following events:
* Loss of external load;
* Turbine trip;
* Loss of condenser vacuum;
* Closure of a main steam isolation valve (MSIV);
* Loss of nonemergency AC power to station auxiliaries;
* Loss of normal feedwater flow;
* Pressurizer heater malfunction;
* Inadvertent operation of DHRS;
* Uncontrolled CRA withdrawal at power;
* System malfunctions that increases reactor coolant inventory; and
* Feedwater system pipe breaks inside and outside the containment vessel.
Four High Pressurizer Pressure Reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.
Four High Pressurizer Pressure DHRS and four SSI channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. When PASSIVE COOLING is established sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.
NuScale [US600]                    B 3.3.1-26                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: b. Low Pressurizer Pressure - Reactor Trip, and Demineralized Water System Isolation The Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment, CRA drop, and protect the RCS subcooled margin against flow instability events.
The RTS and ESFAS Low Pressurizer Pressure setpoint is approximately 1720 psia. Actual setpoints are established in accordance with the Setpoint Control Program. Four Low Pressurizer Pressure reactor trip and ESFAS channels are required to be OPERABLE when operating in MODE 1 with RCS hot temperature above the T-4 interlock. In MODE 1 with RCS hot temperature below the T-4 interlock and in MODES 2, 3, 4, and 5 the RCS temperatures are well below T-4 and with the reactor subcritical the heat input will be insufficient to reach T-4. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
The Reactor Trip and ESFAS actuation of the DWSI by the Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-4 interlock, and is automatically enabled when RCS temperature is above the T-4 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
: c. Low Low Pressurizer Pressure - Reactor Trip, Demineralized Water System Isolation, CVCS Isolation and Secondary System Isolation The Low Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment and protect the RCS subcooled margin against flow instability events.
NuScale [US600]                      B 3.3.1-27                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The RTS and ESFAS Low Low Pressurizer Pressure setpoint is approximately 1600 psia. Actual setpoints are established in accordance with the Setpoint Program.
Four Low Low Pressurizer Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the function is fulfilled because the CRAs are inserted.
Four Low Low Pressurizer Pressure CVCSI and Secondary System Isolation channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 when capable of CRA withdrawal. The ESFAS actuation of CVCSI and SSI by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-5 interlock and the reactor trip breakers are open (RT-1) and is automatically enabled when RCS temperature is above the T-5 interlock or when the reactor trip breakers are not open. In MODES 4 and 5 the reactor is subcritical at low RCS pressures with the CVCS and secondary system isolation valves de-energized and closed.
: 3. Reactor Coolant System Level RCS Level is measured by four (one per separation group) detectors to detect the water level in the RCS vessel. The sensors are located such that they can monitor water level from above the reactor core to the top of the pressurizer.
: a. High Pressurizer Level - Reactor Trip, CVCS Isolation, and Demineralized Water System Isolation The High Pressurizer Level trip provides protection for system malfunctions that increase the reactor coolant system inventory.
Four High Pressurizer Level reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four High Pressurizer Level CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the reactor will remain subcritical. Four channels are provided to permit one NuScale [US600]                      B 3.3.1-28                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: b. Low Pressurizer Level - Reactor Trip, Pressurizer Heater Trip, and Demineralized Water System Isolation The Low Pressurizer Level trip provides protection for:
* Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel;
* Loss-of-coolant accidents outside the containment vessel; and
* Steam generator tube failure.
The Low Pressurizer Level trip causes the reactor trip breakers to open, demineralized water system isolation, and the pressurizer heaters electrical supply to be isolated. Four Low Pressurizer Level reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four Low Pressurizer Level Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: c. Low Low Pressurizer Level - Containment Isolation, Secondary System Isolation, and CVCS Isolation The Low Low Pressurizer Level trip provides protection for:
* Steam system piping failures inside and outside containment;
* Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel;
* Loss-of-coolant accidents outside the containment vessel; and
* Steam generator tube failure.
NuScale [US600]                      B 3.3.1-29                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four Low Low Pressurizer Level Containment Isolation, SSI, and CVCSI trip channels are required to be OPERABLE when operating in MODES 1, and 2, and MODE 3 when RCS temperature is above the T-2 interlock and CNV level is less than L-1. In MODE 3 with RCS temperature below the T-2 interlock, and in MODES 4 and 5, the reactor will remain subcritical.
The Low Low Pressurizer Level CIS, SSI, and CVCS Isolation trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock or containment water level is above the L-1 interlock. The Low Low Pressurizer Level CIS, SSI, and CVCS Isolation trip channels are automatically enabled when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
: 4. RCS Hot Temperature Narrow Range RCS Hot Temperature is measured by three resistance temperature detectors (RTDs) per separation group (a total of 12 RTDs), located in the RCS flow near the top of the reactor vessel downcomer.
: a. High Narrow Range RCS Hot Temperature - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, Secondary System Isolation The High RCS Hot Temperature trip provides protection for:
* Instability events;
* Control rod misoperation; and
* Uncontrolled CRA withdrawal at power.
The High RCS Hot Temperature trip causes a reactor trip, DWSI, DHRS actuation, SSI and a pressurizer heater trip.
Four High Narrow Range RCS Hot Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.
NuScale [US600]                      B 3.3.1-30                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four High Narrow Range RCS Hot Temperature DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.
Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: 5. RCS Flow RCS Flow is measured by four sensors (one per separation group located such that they measure the RCS flow below the steam generator region of the reactor vessel downcomer.
: a. Low RCS Flow - Demineralized Water System Isolation The Low RCS Flow trip ensures boron dilution cannot be performed at low RCS flowrates where the loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event.
The Low RCS Flow trip causes the demineralized water supply isolation valves to be closed. Four Low RCS Flow trip channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: b. Low Low RCS Flow - Reactor Trip, Demineralized Water System Isolation, and CVCS Isolation The Low Low RCS Flow trip provides protection due to failure of the module heatup system during startup conditions resulting in colder water being injected into the riser causing a loss of normal NuScale [US600]                      B 3.3.1-31                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) startup flow. It ensures RCS flow remains measurable and positive during low power startup conditions.
Four Low Low RCS Flow reactor trip, CVCSI and DWSI channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical.
The Low Low RCS Flow CVCSI is automatically bypassed when the Low Low RCS Flow CVCSI Interlock, F-1, is active.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: 6. Main Steam Pressure Main Steam pressure is measured by eight pressure sensors (two per separation group, one on each steam line) located on the main steam lines upstream of the MSIVs near the connection to the DHRS lines.
Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips.
: a. High Main Steam Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Secondary System Isolation, and Demineralized Water System Isolation The High Main Steam Pressure trip provides protection for:
* Loss of external load;
* Turbine trip;
* Loss of condenser vacuum;
* Loss of nonemergency AC power to the station auxiliaries;
* Closure of a MSIV; and
* Inadvertent operation of the DHRS.
NuScale [US600]                      B 3.3.1-32                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The High Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, SSI, DWSI, and Pressurizer Heater Trip to actuate.
Four High Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the reactor will remain subcritical.
Four Main Steam Pressure DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.
Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled.
: b. Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation The Low Main Steam Pressure trip provides protection for:
* Increase in steam flow;
* Inadvertent opening of the turbine bypass system;
* Loss of feedwater flow;
* Steam system piping failures inside and outside the containment vessel; and
* Feedwater system pipe breaks inside and outside the containment vessel.
The Low Main Steam Pressure trip causes the reactor trip breakers to open and the DWSI, and SSI to actuate.
NuScale [US600]                      B 3.3.1-33                            Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four Low Main Steam Pressure reactor trip, DWSI, and SSI Trip channels measuring pressure on each steam line are required to be OPERABLE when operating in MODES 1 with power range linear power above N-2H. In MODE 1 below N-2H and in MODE 2 the unit is protected by the Low Low Main Steam Pressure function. In MODES 3, 4, and 5 the reactor is subcritical. Interlock and permissive setpoints are governed by the Setpoint Program.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: c. Low Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation The Low Low Main Steam Pressure trip provides protection for:
* Increase in steam flow;
* Inadvertent opening of the turbine bypass system;
* Loss of feedwater flow;
* Steam system piping failures inside and outside the containment vessel; and
* Feedwater system pipe breaks inside and outside the containment vessel.
The Low Low Main Steam Pressure trip causes the reactor trip breakers to open and the DWSI and SSI to actuate.
Four Low Low Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.
Four Low Low Main Steam Pressure SSI actuation channels measuring pressure on each steam line are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with containment water level below the L-1 interlock. In MODES 4 and 5 the MPS and SSI actuation do not perform any function and are not required.
NuScale [US600]                      B 3.3.1-34                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. Interlock and permissive setpoints are governed by the Setpoint Program.
: 7. Steam Superheat Steam Superheat is determined by MPS SFM processing of main steam temperature and pressure data. Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips. Four steam temperature sensors are located on each steam pipe upstream of the MSIVs. Each channel of superheat receives two steam generator pressure inputs and two steam temperature inputs (one pressure and one temperature signal from each steam line). The degree of superheat is found by determining the saturation temperature (TSAT) at the measured main steam pressure (PSTM), and subtracting this value from the measured main steam temperature (TSTM). The main steam saturation temperature is found via a simple steam table lookup function using the measured steam pressure value.
TSH = TSTM - TSAT(PSTM)
: a. High Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation The High Steam Superheat trip provides protection for steam generator (SG) boil-off.
The High Steam Superheat trip causes the reactor trip breakers to open and the DWSI, and SSI to actuate.
Four High Steam Superheat reactor trip, DWSI and SSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: b. Low Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation The Low Steam Superheat trip provides mitigation of SG overfilling.
NuScale [US600]                        B 3.3.1-35                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
The Low Steam Superheat trip causes the reactor trip breakers to open and the DWSI and SSI to actuate. Steam Superheat is determined by MPS processing of temperature and pressure data.
Four Low Steam Superheat reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 with power above the N-2H interlock or both feedwater isolation valves (FWIVs) open. When below the N-2H interlock with one FWIV closed, the reactor trip and DWSI are not needed to mitigate any events.
Four Low Steam Superheat SSI channels are required to be OPERABLE in MODE 1 with the containment level below the L-1 interlock with power above the N-2H interlock, or with containment water level below the L-1 interlock with both FWIVs open.
In MODES 2, 3, 4, and 5 the reactor is subcritical.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. Reactor trip and DWSI are automatically bypassed when reactor power is below the N-2H interlock and V-1 is active (one FWIV closed). SSI is automatically bypassed when reactor power is below the N-2H interlock and the V-1 is active (one FWIV closed). SSI is also automatically bypassed if containment level is above the L-1 interlock. The bypass logic is necessary to permit unit startup without resulting in a Low Main Steam Superheat actuation.
: 8. Containment Pressure Narrow Range Containment pressure is measured by four sensors (one per separation group) located near the top of the containment vessel.
: a. High Narrow Range Containment Pressure - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Secondary System Isolation, and CVCS Isolation The High Containment Pressure trip provides protection for:
* System malfunctions that increase the RCS inventory;
* Inadvertent operation of the ECCS; NuScale [US600]                      B 3.3.1-36                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
* Loss of containment vacuum;
* Steam system piping failures inside and outside the containment vessel;
* Feedwater system pipe breaks inside and outside the containment vessel; and
* Loss-of-coolant accidents from a spectrum of postulated piping breaks inside the containment vessel.
The High Narrow Range Containment Pressure trip causes the reactor trip breakers to open, the containment to be isolated, the SSI to be actuated, and the DWS and CVCS to be isolated.
Four High Narrow Range Containment Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal.
Four High Narrow Range Containment Pressure SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock and containment water level below the L-1 interlock. In MODE 3 with RCS temperature below the T-3 interlock or containment water level above the L-1 interlock the High Narrow Range Containment Pressure actuation of SSI is not required to function to mitigate the safety analyses events. These operating bypasses are needed to permit unit startup. In MODES 4 and 5 the reactor is subcritical and passively cooled.
Four High Containment Pressure CVCSI and CIS channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock. In MODE 3 with RCS temperature is below the T-3 interlock, and in MODES 4 and 5 the containment pressure is allowed to exceed this setpoint and is expected, isolation is not required.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
The High Containment Pressure Containment Isolation, SSI, and CVCSI actuations are automatically bypassed when RCS temperature is below the T-3 interlock. The High Containment NuScale [US600]                      B 3.3.1-37                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Pressure SSI is also automatically bypassed when containment water level is above the L-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
: 9. Containment Water Level The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS hot temperature above T-3 or pressurizer level below L-2. In MODE 3 with RCS hot temperature below T-3 and pressurizer level above L-2, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and the pressurizer level is above L-2, and automatically enabled when RCS temperature is above the T-3 interlock or pressurizer level is below L-2. Interlock and permissive setpoints are governed by the Setpoint Program.
: 10. Wide Range RCS Pressure and Wide Range RCS Cold Temperature Wide range RCS pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel. The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 0 to 2500 psia.
Wide range RCS cold temperature is measured to determine a representative minimum temperature in the RCS as measured at four locations in the lower downcomer region of the reactor vessel. The MPS is supplied signals from four sensors (one for each separation group) that measure temperature from about 40 to 700 &deg;F.
: a. Low RCS Pressure - ECCS The Low RCS Pressure - ECCS trip actuation provides protection from postulated boron re-distribution events during extended RCS steam space small break loss of coolant events. The Low RCS Pressure trip causes ECCS actuation.
The Low RCS Pressure - ECCS setpoint is approximately 800 psia. Actual setpoints are established in accordance with the Setpoint Program.
NuScale [US600]                        B 3.3.1-38                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four low RCS pressure trip channels are required to be OPERABLE when operating in MODES 1 and 2 with RCS hot temperature above T-6.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single failure will disable this trip Function.
The Low RCS Pressure ECCS trip design includes interlocks that ensure the actuation occurs when conditions could result in a boron re-distribution event. These features ensure the ECCS trip on low RCS pressure will not actuate during inappropriate evolutions such as startup and controlled shutdowns. The Low RCS Pressure trip is automatically bypassed when RCS hot temperature is below the T-6 interlock or containment pressure is below the P-1 interlock, and automatically enabled when RCS hot temperature is above the T-6 interlock and containment pressure is above the P-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
: b. High RCS Pressure - Low Temperature Overpressure Protection (LTOP)
The High RCS Pressure - Low Temperature trip provides protection for low temperature overpressure events.
The High RCS Pressure - Low Temperature trip signal causes the reactor vessel vent valves to open.
Four High RCS Pressure - Low Temperature trip channels are required to be OPERABLE when operating in MODE 3 with wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 Interlock) and more than one reactor vent valve closed. In MODES 1 and 2 the reactor vessel is at a higher temperature and overpressure protection is provided by the safety valves and the DHRS. In MODE 3 with two RVVs open, and MODES 4 and 5 the reactor vessel is protected from overpressure by the openings that exist between the reactor vessel and the containment or the conduction of heat between the reactor vessel and the refueling pool. The LTOP function is automatically bypassed when wide range RCS cold temperature is above the T-1 interlock and automatically enabled when wide NuScale [US600]                      B 3.3.1-39                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) range RCS cold temperature is below the T-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.
: 11. Low AC Voltage to ELVS Battery Chargers The Low AC Voltage function ensures the MPS will operate in a predictable manner if a degraded or loss of electrical power condition occurs. An uncredited function also delays ECCS actuation to allow operators time to restore AC power without ECCS actuation occurring.
An ECCS actuation will occur if required by unit conditions during this time delay.
: a. Low ELVS Voltage - ECCS Hold Low ELVS Voltage is determined by measuring two ELVS 480 VAC buses that provide power to the EDSS battery chargers with two sensors per separation group. If both 480 VAC bus voltages are below the setpoint, the following occurs:
* Reactor Trip;
* DHRS Actuation;
* Pressurizer Heater Trip Actuation;
* Containment Isolation Actuation;
* Chemical and Volume Control System Isolation;
* Secondary System Isolation; and
* Demineralized Water System Isolation.
Eight (4/bus) Low ELVS Voltage DWSI and reactor trip channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.
Eight (4/bus) Low ELVS Voltage Containment Isolation and CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the functions are fulfilled.
NuScale [US600]                      B 3.3.1-40                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Eight (4/bus) Low ELVS Voltage DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.
Eight (4/bus) Low ELVS Voltage Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater breakers closed. In MODES 2 with the pressurizer heater breakers open and in MODES 3, 4, and 5 this function is fulfilled.
Four channels per bus are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
: 12. Under-the-Bioshield Temperature Temperature under the bioshield is measured by 4 sensors (one per separation group) mounted on the pool wall outside containment.
: a. High Under-the-Bioshield Temperature - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Chemical and Volume Control System Isolation, and Secondary System Isolation An undetected small main steam line break under the bioshield would expose the equipment to sustained elevated temperatures challenging the safety-related functions of the MSIVs and DHR valves. The High Temperature Under-the-Bioshield trip provides protection for the safety-related equipment that would be exposed to these harsh temperature conditions.
Four High Under-the-Bioshield Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.
Four High Under-the-Bioshield Temperature Containment Isolation and CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 these functions are fulfilled.
NuScale [US600]                      B 3.3.1-41                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Four High Under-the-Bioshield Temperature SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical, passively cooled, and the MSIVs would be in their credited safety position.
Four High Under-the-Bioshield Temperature Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater breakers closed. In MODES 2 with the pressurizer heater breakers open and in MODES 3, 4, and 5 this function is fulfilled.
Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.
ACTIONS        The most common causes of channel inoperability are outright failure of a sensor or MPS SFM module sufficient to exceed the tolerance allowed by the unit-specific setpoint analysis as specified by the SP. Typically, sensor drift is found to be small and results in a delay of actuation rather than a total loss of capability to actuate within the allowed tolerance around the NTSP. This determination is of the channel's actual trip setting generally made during the performance of a CHANNEL CALIBRATION when the process sensor output signal is measured and verified to be within specification. If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE status.
When more than two channels of an MPS Function are inoperable, the affected MPS Function is lost and the unit is outside the assumptions of the applicable safety analyses. This condition is addressed for all MPS Functions by the second Condition statement C (One or more Functions with three or more channels inoperable).
Required Action C.1 directs immediately entering the Condition referenced in Table 3.3.1-1 for the affected MPS Function. The referenced Condition provides appropriate actions to place the unit in an NuScale [US600]                        B 3.3.1-42                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued) operational condition where the LCO for the affected MPS Function does not apply.
Notes have been added to the ACTIONS. The first Note has been added to clarify the application of the Completion Time rules to each Function in Table 3.3.1-1. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.
A second Note has been added to clarify the Completion Time rules for Functions required on a per steam generator (SG) basis. The Completion Times of each combination of inoperable Function and SG will be tracked separately.
A third Note has been added to clarify the Completion Time rules for Function 25 which applies to individual electrical supply buses supplying power to the ELVS battery chargers. The Completion Times of each inoperable low AC voltage to ELVS battery charger Function will be tracked separately starting from the time the Condition was entered for that electrical bus.
A.1 Condition A applies to the failure of a single instrument channel of one or more MPS Functions.
If one MPS channel is inoperable, operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 6 hours.
The 6 hours allotted to bypass or trip the channel are sufficient to allow the operator to take all appropriate actions for the failed channel and still ensure that the risk of operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering the applicable MODE or specified condition if the unit is in a MODE not requiring that channel to be OPERABLE. With a channel in bypass, the coincidence logic is now effectively two-out-of-three for the remaining operable channels.
B.1 and B.2 Condition B applies to the failure of two channels of one or more MPS Functions.
NuScale [US600]                          B 3.3.1-43                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
Required Actions B.1 and B.2 direct placing one inoperable channel in bypass and the other inoperable channel in trip within a Completion Time of 6 hours. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk of operating with two failed channels is acceptable. With one channel of an MPS instrumentation Function bypassed, the MPS Function is in a two-out-of-three logic configuration; but with another channel of the same MPS Function failed, the MPS Function may be operating in a two-out-of-two logic configuration. This is outside the assumptions made in the applicable safety analyses and must be corrected. To correct this situation, the other inoperable channel can be placed in trip. This places the affected MPS Function in a one-out-of-two logic configuration. If just one of the two OPERABLE channels of the affected MPS Function generates a trip signal, each division of coincidence logic for the MPS Function will generate an actuation signal to the associated RTS and ESFAS logic and actuation Functions.
C.1 Condition C is entered when a Required Action and associated Completion Time of Condition A or B are not met, or one or more MPS Functions have three or more channels inoperable.
The Required Action is to immediately enter the Condition referenced in Table 3.3.1-1 for the MPS Function with the affected instrument channel(s). The Required Actions of the referenced Condition must be accomplished within the associated Completion Times.
D.1 Condition D is entered when Condition C applies to the following Functions that result in a reactor trip as listed in Table 3.3.1-1.
* 1a, Power Range Linear Power - High                                (RTS)
* 3a, Intermediate Range Log Power Rate - High                      (RTS)
* 4a, Source Range Count Rate - High                                (RTS)
* 5a, Source Range Log Power Rate - High                            (RTS)
* 7a, Pressurizer Pressure - High                                    (RTS)
* 8a, Pressurizer Pressure - Low                                    (RTS)
NuScale [US600]                          B 3.3.1-44                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
* 9a, Pressurizer Pressure - Low Low                            (RTS)
* 10a, Pressurizer Level - High                                  (RTS)
* 11a, Pressurizer Level - Low                                  (RTS)
* 13a, NR RCS Hot Temperature - High                            (RTS)
* 15a, RCS Flow - Low Low                                        (RTS)
* 16a, Main Steam Pressure - High                                (RTS)
* 18a, Main Steam Pressure - Low Low                            (RTS)
* 19a, Steam Superheat - High                                    (RTS)
* 20a, Steam Superheat - Low                                    (RTS)
* 21a, NR Containment Pressure - High                            (RTS)
If a Required Action associated with Condition A or B cannot be completed within the required Completion Time for the referenced MPS Function, or three or more channels of the referenced MPS Function are inoperable, the unit must be brought to a MODE or other specified condition where the LCO and Required Actions for the referenced MPS Function do not apply. This is accomplished by opening the reactor trip breakers. The above MPS Functions that result in a reactor trip are not required to be OPERABLE when the reactor trip breakers are open. The Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner.
E.1 Condition E is entered when Condition C applies to Functions that result in a reactor trip signal when reactor THERMAL POWER is above the N-2H interlock, as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by reducing THERMAL POWER to below the N-2H interlock. The allowed Completion Time for E.1 of 6 hours is reasonable, based on operating experience, for reaching the required condition from full power conditions in an orderly manner.
NuScale [US600]                          B 3.3.1-45                            Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
F.1 Condition F is entered when Condition C applies to Functions that result in isolation of the CVCS system as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating all four CVCS flow paths to and from the RCS. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for aligning the system in an orderly manner.
Required Action F.1 is modified by a Note that allows isolated flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for isolation is indicated. This allowance permits the isolation signal to be reset when appropriate conditions exist to do so.
G.1 Condition G is entered when Condition C applies to Functions that result in automatic removal of electrical power from the pressurizer heaters as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by opening the power supply breakers to the pressurizer heaters. The allowed Completion Time for G.1 of 6 hours is reasonable, based on operating experience, for reaching the required conditions in an orderly manner.
The Action is modified by a Note that permits the heaters to be energized intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the breaker controls, who is in continuous communication with the main control room. In this way, the pressurizer heaters can be de-energized when a need for de-energization is indicated. This permits the unit to continue to operate while in the Condition.
NuScale [US600]                          B 3.3.1-46                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
H.1 Condition H is entered when Condition C applies to Functions that result in automatic isolation of the demineralized water system as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve. The allowed Completion Time for H.1 of 1 hour is reasonable, based on operating experience, for reaching the required condition in an orderly manner.
I.1 and I.2 Condition I is entered when Condition C applies to Functions that result in a DHRS or ECCS actuation, as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions I.1 and I.2.
I.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel.
I.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the LCO no longer applies.
Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.
J.1 As listed in Table 3.3.1-1, Condition J is entered when Condition C applies to Function 24.a, "High RCS Pressure - Low Temperature NuScale [US600]                          B 3.3.1-47                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
Overpressure Protection (LTOP)," which results in actuation of the LTOP system.
If a Required Action associated with Condition A or B cannot be completed within the required Completion Time, or three or more channels of this Function are inoperable, the unit must be brought to a MODE or other specified condition where the LCO and Required Actions for this Function do not apply. This is accomplished by opening at least two RVVs. The Completion Time of 1 hour is reasonable, based on operating experience, for establishing an RCS vent flow path sufficient to ensure low temperature overpressure protection.
K.1 and K.2 Condition K is entered when Condition C applies to Functions that result in actuation of the Containment Isolation system as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions K.1 and K.2. K.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. K.2 places the unit in MODE 3 with RCS hot temperature < 200 &deg;F within 48 hours of entering the Condition. This Condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.
Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.
L.1, L.2, L.3, L.4, and L.5 Condition L is entered when Condition C applies to Functions that result in a reactor trip, CIS actuation, DHR actuation, DWSI, SSI, and Pressurizer Heater Trip due to the Low ELVS Voltage or High Under-the-Bioshield Temperature as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions L.1, L.2, L.3, L.4, and L.5.
NuScale [US600]                        B 3.3.1-48                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
L.1 places the unit in MODE 2 within 72 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel. L.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 96 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the DHRS OPERABILITY is no longer required.
L.3 places the unit in MODE 3 with RCS temperature below the T-2 interlock within 96 hours of entering the Condition. This Condition assures the unit will maintain the RCS depressurized and the unit being in a condition for which the LCO no longer applies.
L.4 isolates the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve within 96 hours. This completes the function of the DWSI.
L.5 opens the power supply breakers to the pressurizer heaters within 96 hours.
Completion Times are established considering the likelihood of a design basis event that would require automatic actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.
M.1 and M.2 Condition M is entered when Condition C applies to Function 21.b, High Narrow Range Containment Pressure - Containment Isolation System that results in actuation of the Containment Isolation system as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition in which the LCO and Required Actions for this Function does not apply. This is accomplished by Required Actions M.1 and M.2. M.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. M.2 places the unit in MODE 3 with RCS hot temperature < 350 &deg;F within 48 hours of entering the Condition. This Condition assures the unit will be in a condition for which the LCO no longer applies.
NuScale [US600]                          B 3.3.1-49                              Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES ACTIONS (continued)
Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.
N.1 Condition N is entered when Condition C applies to Function 23.a, Low RCS Pressure - ECCS that results in actuation of the ECCS as listed in Table 3.3.1-1.
If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition in which the LCO and Required Actions for this Function does not apply. This is accomplished by Required Action N.1 that places the unit in MODE 2 with the RCS temperature below the T-6 interlock within 6 hours. This Condition assures the unit will be in a condition for which the LCO no longer applies.
The Completion Time was established considering the likelihood of a design basis event that would require the ECCS actuation on low RCS pressure during the period of inoperability. It also provides adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems to reach the required configuration.
SURVEILLANCE      SR 3.3.1.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken.
This determination includes, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same process variable. This determination is made using computer software or may be performed manually.
NuScale [US600]                        B 3.3.1-50                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
It is based on the assumption that instrument channels monitoring the same process variable should read approximately the same value.
Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between CHANNEL CALIBRATIONS.
Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment is operating outside its limits.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.2 A periodic calibration (heat balance) is performed when THERMAL POWER is above 15%. The Linear Power Level signal and the nuclear instrumentation system addressable constant multipliers are adjusted to make the nuclear power calculations agree with the calorimetric calculation if the absolute difference is  1%. The value of 1% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the nuclear power signal) are adequate to ensure that the accuracy is maintained within the analyzed error margins.
The power level must be above 15% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The Surveillance is modified by three Notes. The first Note indicates that the neutron monitoring system nuclear instrument channel must must be calibrated when the absolute difference is > 1% when compared to the calorimetric heat balance. The second Note indicates that this Surveillance need only be performed within 12 hours after reaching 15% RTP. The 12 hours after reaching 15% RTP is required for unit stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A third Note is provided that permits operation below 15% RTP without adjusting the instrument channel as long as the indicated nuclear instrument power is conservatively higher than the calorimetric heat balance results. This third Note is an exception to the first Note and only applies when below 15% RTP.
NuScale [US600]                        B 3.3.1-51                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.1.3 This SR 3.3.1.3 measures the individual CHANNEL RESPONSE TIMES.
The CHANNEL RESPONSE TIME is combined with the allocated MPS digital time response and the ACTUATION RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Response time testing criteria are included in FSAR Chapter 7.
CHANNEL RESPONSE TIME may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the CHANNEL RESPONSE TIME is verified. [Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications.] The ACTUATION RESPONSE TIME testing of the RTS and ESFAS divisions are tested in accordance with LCO 3.3.2, "Reactor Trip System Logic and Actuation," 3.3.3, "Engineered Safety Features Actuation Logic and Actuation," LCO. 3.4.6, "Chemical and Volume Control System Isolation Valves," LCO 3.4.10, "LTOP Valves," LCO 3.5.1, "ECCS," LCO 3.5.2, "DHRS," LCO 3.6.2, "Containment Isolation Valves,"
LCO 3.7.1, "MSIVs," and LCO 3.7.2, "Feedwater Isolation."
SR 3.3.1.3 is modified by a Note indicating that neutron detectors are excluded from CHANNEL RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.4 This SR is modified by a Note that indicates that neutron detectors are excluded from CHANNEL CALIBRATION.
The Surveillance verifies that the channel responds to a measured process variable within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. The test is performed in accordance with the SP. If all as-found measured values during calibration and surveillance testing are inside the as-left tolerance band, then the channel is fully operable, no additional actions are required.
NuScale [US600]                        B 3.3.1-52                                Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
If all as-found measured values during calibration testing and surveillance testing are within the as-found tolerance band but outside the as-left tolerance band, then the instrumentation channel is fully operable, however, calibration is required to restore the channel within the as-left tolerance band.
If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.
Interlocks and permissives are required to support the Function's OPERABILITY and are addressed by this CHANNEL CALIBRATION.
This is accomplished by ensuring the channels are calibrated properly in accordance with the SP. If the interlock or permissive is not functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations are performed for the affected Function(s). The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.
When an interlock or permissive is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.5 SR 3.3.1.5 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.
Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety functions. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices. The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled NuScale [US600]                      B 3.3.1-53                                  Revision 4.0
 
MPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program. However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. Regulatory Guide 1.105, Revision 3, December 1999.
: 2. 10 CFR 50, Appendix A, GDC 21.
: 3. 10 CFR 50.34.
: 4. FSAR, Chapter 7.
: 5. FSAR, Chapter 15.
: 6. 10 CFR 50.49.
: 7. TR-0606-49121, NuScale Instrument Setpoint Methodology, Rev. [2].
: 8. IEEE Standard 603-1991.
NuScale [US600]                        B 3.3.1-54                              Revision 4.0
 
RTS Logic and Actuation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Reactor Trip System (RTS) Logic and Actuation BASES BACKGROUND          The RTS portion of the Module Protection System (MPS) initiates a reactor trip to protect against violating the core fuel design limits and maintain reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents. By tripping the reactor, the RTS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.
LCO 3.3.2 addresses only the logic and actuation portions of the MPS that perform the RTS function. The scope of this LCO begins at the inputs to the scheduling and voting modules (SVM) and extends through the actuated components. This includes the reactor trip breakers (RTBs).
LCO 3.3.1, Module Protection System (MPS) Instrumentation, LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS)
Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.
Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.
Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the RTS SVMs. Redundant data from all four separation groups is received by each division of the RTS SVMs.
Logic for Reactor Trip Initiation The MPS reactor trip initiation logic is implemented in two divisions of RTS. The three SVMs, in each division, generate a reactor trip signal when safety function modules (SFMs) in any two of the four separation groups determine a reactor trip is required. Each of the two RTS divisions evaluate the input signals from the SFMs from all four separation groups.
Each SVM compares the four inputs received from the SFMs, and generates a reactor trip signal if required by two of the four separation groups. The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs).
The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
NuScale [US600]                              B 3.3.2-1                                Revision 4.0
 
RTS Logic and Actuation B 3.3.2 BASES BACKGROUND (continued)
RTS Actuation The EIMs for the RTBs for each division of RTS interrupt power to the control rod drive mechanisms (CRDMs) by opening two reactor trip breakers associated with that division.
Power input to the reactor trip switchgear and supplied to the CRDMs comes from the 3-phase 120/208 VAC EDNS power source.
The reactor trip switchgear consists of four RTBs, which are operated in two sets of two breakers (two divisions). Each of the two trip paths consists of two RTBs in series. For example, if a reactor trip breaker receives an open signal in trip path A, an identical breaker in trip path B will also receive an open signal. This arrangement ensures that power is interrupted to the CRDM buses.
The RTS EIMs interrupt power to the reactor trip breaker undervoltage trip coils which will cause the breakers to open. If electrical power is available, the MPS will also apply power to the breaker shunt trip coil causing the reactor trip breaker to open.
Each set of RTBs can also be operated by manual reactor trip actuation.
The OPERABILITY of the manual trip switches and their function are addressed in LCO 3.3.4.
Functional testing of the entire MPS, from sensor input to the SFM through the opening of individual RTBs can be performed at power, at reduced power or shutdown conditions. FSAR Section 7.2 (Ref. 1) describes MPS testing in more detail.
APPLICABLE        The Applicable Safety Analyses for the RTS are described in the Bases of SAFETY            LCO 3.3.1, Module Protection System (MPS) Instrumentation.
ANALYSES, LCO, and APPLICABILITY The LCO requires the RTS Logic and Actuation to be OPERABLE in MODE 1 and in MODES 2 and 3 when any RTB is closed. These are the MODES or other specified conditions when the CRAs are capable of withdrawal using the CRDMs. In MODES 4 and 5, the CRDMs are disconnected from their power supply and the CRAs cannot be withdrawn.
The RTS Logic and Actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
NuScale [US600]                          B 3.3.2-2                                Revision 4.0
 
RTS Logic and Actuation B 3.3.2 BASES ACTIONS        A.1 and A.2 Condition A applies if a single RTB is inoperable. This Condition permits performance of required periodic surveillance testing of the RTBs. With the inoperable RTB open, both divisions of RTS logic remain capable of automatically causing a reactor trip.
The Completion Time of 48 hours is reasonable to perform any required troubleshooting, required periodic surveillance testing, and restore the RTB to OPERABLE status while minimizing the likelihood of unnecessary reactor trips. The MPS and RTS remain capable of automatically causing a reactor trip during this time.
B.1 Condition B applies when one division of RTS Logic and Actuation is inoperable. RTS logic as used in the Condition includes the SVM, EIM, and associated communication paths of a single division of RTS function.
In this Condition, the other division remains OPERABLE and capable of performing the required safety function. The redundant signal paths and logic of the OPERABLE division provides sufficient capability to automatically trip the reactor.
The Required Action for this Condition is to restore the inoperable logic division to OPERABLE within six hours. The six hour limit provides a maximum time during which the reactor may be operated without an OPERABLE logic division.
C.1 Condition C is entered if the Required Action or Completion Time of Condition A or B are not met, if both divisions of RTS Logic and Actuation are inoperable, or if more than one RTB is inoperable.
The Required Action is for all RTBs to be opened immediately. Conditions A and B provide adequate time to troubleshoot and make necessary repairs without resulting in an unnecessary forced shutdown of the reactor. Therefore, a Completion Time of immediately is reasonable based on the limited ability of the RTS to shut down the reactor.
NuScale [US600]                        B 3.3.2-3                              Revision 4.0
 
RTS Logic and Actuation B 3.3.2 BASES SURVEILLANCE    SR 3.3.2.1 REQUIREMENTS An ACTUATION LOGIC TEST on each RTS Logic division is performed to ensure the division will perform its intended function when needed.
These tests verify that the RTS is capable of performing its intended function, from SFM input signals to the SVM through actuation of the RTBs.
MPS testing from the input sensors to the SVMs is addressed by surveillance requirements specified in LCO 3.3.1, Module Protection System (MPS) Instrumentation. The RTS Logic and Actuation circuitry functional testing is accomplished with continuous system self-testing features on the SVMs and EIMs and the communication between them.
The self-testing features are designed to perform complete functional testing of all circuits on the SVM and EIM, with the exception of the actuation and priority logic (APL) circuitry. The self-testing includes testing of the voting and interlock/permissive logic functions. The built-in self-testing will report a failure to the operator and place the SVM or EIM in a fail-safe state.
The only portion of the RTS Logic and Actuation circuitry that is not self-tested is the APL. The manual actuation switches, enable nonsafety control switches, and operating bypass switches do not include self-testing features. The manual actuation switches are addressed by surveillance requirements specified in LCO 3.3.4, "Manual Actuation Functions."
This ACTUATION LOGIC TEST includes testing of the APL on all RTS EIMs, the enable nonsafety control switches, and the operating bypass switches. The ACTUATION LOGIC TEST includes a review of any alarms or failures reported by the self-testing features.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.3.2-4                                Revision 4.0
 
RTS Logic and Actuation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.2.2 This SR measures the ACTUATION RESPONSE TIME of the RTS divisions. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.
Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the process variable exceeds the trip setpoint value at the sensor to the time at which the RTBs open. TOTAL RESPONSE TIME may be verified by any series of sequential, overlapping, or total division measurements.
CHANNEL RESPONSE TIMES are tested in accordance with LCO 3.3.1.
The maximum digital time response is described in the FSAR. This SR encompasses the ACTUATION RESPONSE TIME of the RTS division from the output of the equipment interface modules until the RTBs are open.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.3 SR 3.3.2.3 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.
Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety function. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices.
The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program.
NuScale [US600]                        B 3.3.2-5                                  Revision 4.0
 
RTS Logic and Actuation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.4 SR 3.3.2.4 verifies the reactor trip breaker (RTB) actuates to the open position on an actual or simulated trip signal. This test verifies OPERABILITY by actuation of the end devices.
The RTB test verifies the under voltage trip mechanism opens the breaker. Each RTB in a division is tested separately to minimize the possibility of an inadvertent reactor trip.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Section 7.2.
NuScale [US600]                        B 3.3.2-6                                  Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation BASES BACKGROUND          The ESFAS portion of the Module Protection System (MPS) protects against violating the core fuel design limits, ensures reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents, and ensures acceptable consequences during accidents by initiating necessary safety systems.
Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.
Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups is received by each division of the ESFAS SVMs.
LCO 3.3.3 addresses only the logic and actuation portions of the MPS that perform the ESFAS functions. The scope of this LCO begins at the inputs to the SVMs and extends through the actuating contacts on the actuated components. This LCO also includes the pressurizer heater breakers. Component OPERABILITY and surveillance requirements are provided in the system LCOs and by programmatic requirements identified in Chapter 5, Administrative Controls.
LCO 3.3.1, Module Protection System (MPS) Instrumentation, and LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.
The ESFAS logic and actuation consists of:
: 1. Emergency Core Cooling System (ECCS) actuation;
: 2. Decay Heat Removal System (DHRS) actuation;
: 3. Containment Isolation System (CIS) actuation;
: 4. Demineralized Water Supply Isolation (DWSI) actuation;
: 5. Chemical and Volume Control System Isolation (CVCSI) actuation;
: 6. Pressurizer Heater Trip (PHT);
NuScale [US600]                            B 3.3.3-1                                Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES BACKGROUND (continued)
: 7. Low Temperature Overpressure Protection (LTOP) actuation; and
: 8. Secondary System Isolation (SSI) actuation.
Logic for Actuation Initiation The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.
The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division - independent and redundant EIMs for each division of ESFAS.
The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
ESFAS Actuation Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.
Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV, per steam line (two total), and either Division I or II actuation will close it.
Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.
Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unit is shutdown. FSAR Chapter 7 (Ref. 1) describes MPS testing in more detail.
NuScale [US600]                          B 3.3.3-2                                Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE        The Applicable Safety Analyses for the ESFAS are described in the SAFETY            Bases of LCO 3.3.1, Module Protection System (MPS) Instrumentation.
ANALYSES, LCO and APPLICABILITY The LCO requires the ESFAS Logic and Actuation to be OPERABLE in the MODES listed in Table 3.3.3-1. The MODES or other specified conditions when the ESFAS safety functions are required to be OPERABLE are described below.
: 1. ECCS Actuation The ECCS is designed to mitigate postulated LOCAs and is used to maintain shutdown after other events. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct conduction and convection from the reactor vessel or the reactor fuel to the reactor pool.
: 2. DHRS Actuation The DHRS is designed to provide passive core cooling for events that do not transition to ECCS cooling. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive shutdown cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct contact of the reactor vessel or the reactor fuel to the reactor pool.
: 3. CIS Actuation The CIS is designed to protect and limit releases from postulated RCS or secondary leaks and to support DHRS and ECCS operation.
Therefore it is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the function has been accomplished.
: 4. DWSI Actuation The DWSI is designed to limit and mitigate postulated reactivity events due to inadvertent boron dilution by isolating the supply of demineralized water to the CVCS. Therefore it is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the demineralized water supply is physically isolated from the module and therefore cannot affect the boron concentration and reactivity in the reactor.
NuScale [US600]                          B 3.3.3-3                                Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
: 5. CVCSI Actuation The CVCSI is designed to mitigate postulated events that result from overfilling the reactor coolant system. It also mitigates primary system high energy line breaks postulated to occur outside of the containment. The actuation is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the CVCS is physically isolated from the module and therefore cannot affect the boron concentration and reactivity in the reactor nor can it overfill the RCS.
: 6. Pressurizer Heater Trip The PHT is designed to protect the pressurizer heaters from uncovering, overheating, and potentially compromising the RCS pressure boundary. The PHT is required to be OPERABLE when the pressurizer heaters are, or may be energized. The trip is required to be OPERABLE in MODE 1, and in MODES 2 and 3 if a pressurizer heater breaker is closed. In MODES 4 and 5 the power supply to the pressurizer heaters are physically isolated from the module and therefore cannot be energized.
: 7. LTOP Actuation The LTOP is designed to protect the reactor vessel integrity from postulated overpressure events that occur below the nil ductility transition (NDT) temperature below which the fracture toughness of the reactor vessel is reduced. Therefore the system must be OPERABLE in MODE 3 if the reactor coolant is below the NDT as specified in the PTLR and established as the LTOP enable temperature, the T-1 interlock. Alternatively, the function is satisfied if two RVVs are open. In MODES 1 and 2, the reactor vessel temperature is above the NDT temperature and the reactor safety valves provide overpressure protection. In MODE 4 the RVVs are de-energized and open which prevents pressurization of the reactor vessel. In MODE 5 the reactor coolant system is in open contact with the ultimate heat sink and cannot be pressurized.
NuScale [US600]                      B 3.3.3-4                                  Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
: 8. Secondary System Isolation The Secondary System Isolation is designed to isolate the steam generators from the feedwater and main steam systems. The system limits releases of radioactive materials via these flowpaths. It also provides boundaries to preserve the inventory of the DHRS ensuring that capability to transfer decay heat to the UHS remains available.
Therefore it is required to be OPERABLE in MODES 1, 2, and 3.
The ESFAS logic and actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Operability requirements for manual ESFAS actuation are described in LCO 3.3.4.
ACTIONS        When the required ESFAS logic for the Actuation Functions listed in Table 3.3.3-1 are inoperable, the unit is outside the safety analysis, if applicable in the current MODE of operation. Required Actions must be initiated to limit the duration of operation or to place the unit in a MODE or other applicable condition in which the Condition no longer applies.
A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Actuation Function. The Completion Time for the inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Actuation Function.
A.1 Condition A applies if one or more divisions of the LTOP Logic and Actuation Function are inoperable. The Required Action is to open two reactor vent valves (RVVs) within one hour. This places the unit in a condition in which the LCO no longer applies. The one hour Completion Time provides adequate time to either immediately restore the inoperable logic or take manual action to open the RVVs, which establishes an RCS vent flow path sufficient to ensure low temperature overpressure protection.
NuScale [US600]                          B 3.3.3-5                                  Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)
B.1 Condition B applies if one division of an ESFAS actuation logic Function is inoperable. This Condition is not applicable to LTOP actuation logic.
The redundant signal paths and logic of the OPERABLE division provides sufficient capability to automatically actuate the required ESFAS function with a single division of logic OPERABLE.
If one division of actuation Function logic cannot be restored to OPERABILITY within six hours, then the Conditions listed in Table 3.3.3-1 must be entered to limit the duration of operation with an inoperable division and to place the unit in a MODE or other applicable condition in which the LCO no longer applies. The six hour limit provides a reasonable time during which the actuation system may be restored to OPERABILITY.
C.1 and C.2 If Required Action B.1 directs entry into Condition C as specified in Table 3.3.3-1, or if both divisions of ECCS, DHRS, or SSI are inoperable the unit is outside its design basis ability to automatically mitigate a postulated event.
With one division of actuation logic inoperable the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the ECCS, DHRS, or SSI if required.
C.1 requires the unit to be in MODE 2 within 6. This action limits the time the unit may continue to operate with limited or inoperable automatic actuation logic.
C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. This Condition assures adequate passive decay heat transfer to the UHS and result in the unit being in a condition which assures passive cooling of the reactor core.
Completion Times are established considering the likelihood of a LOCA event that would require ECCS, DHRS, or SSI actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.
NuScale [US600]                          B 3.3.3-6                                  Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)
D.1 and D.2 If Required Action B.1 directs entry into Condition D as specified in Table 3.3.3-1, or if both divisions of the containment isolation actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.
With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the CIS if required.
D.1 requires the unit to be in MODE 2 within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable CIS automatic actuation logic.
D.2 requires the unit to be placed in MODE 3 with RCS temperature below the T-2 interlock within 48 hours of entering the Condition. This condition assures the unit will maintain the RCS depressurized, and the unit being in a condition for which the LCO no longer applies.
Completion Times are established considering the low probability of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.
E.1 If Required Action B.1 directs entry into Condition E as specified in Table 3.3.3-1, or if both divisions of demineralized water supply isolation actuation are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.
With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the DWSI if required.
In this Condition the demineralized water supply flow path(s) to the RCS must be isolated within 1 hour to preclude an inadvertent boron dilution event.
NuScale [US600]                          B 3.3.3-7                                Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)
Isolation can be accomplished by manually isolating the demineralized water isolation valve(s). Alternatively, the dilution path may be isolated by closing appropriate isolation valve(s) in the flow path(s) from the demineralized water storage tank to the RCS.
The Required Action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path can be isolated when a need for isolation is indicated.
F.1 If Required Action B.1 directs entry into Condition F as specified in Table 3.3.3-1, or if both divisions of the CVCS isolation actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.
With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the CVCSI if required.
F.1 requires the isolation of all four CVCS flow paths to and from the reactor coolant system within 1 hour of entering the Condition. The Action is modified by a Note that permits the flow path(s) to be unisolated intermittently under administrative controls. This Note limits the likelihood of an event by requiring additional administrative control of the CVCS flow paths. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path(s) can be isolated when a need for isolation is indicated. This permits the unit to continue to operate while in the Condition.
G.1 If Required Action B.1 directs entry into Condition G as specified in Table 3.3.3-1, or if both divisions of the pressurizer heater trip actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.
With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the PHT if required.
NuScale [US600]                          B 3.3.3-8                                  Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)
G.1 requires de-energization of the pressurizer heaters within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable PHT automatic actuation logic. The Action is modified by a Note that permits the heaters to be energized intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the breaker controls, who is in continuous communication with the main control room. In this way, the pressurizer heaters can be de-energized when a need for de-energization is indicated. This permits the unit to continue to operate while in the Condition.
The Completion Time was established considering the likelihood of a design basis event that would require automatic de-energization.
SURVEILLANCE      SR 3.3.3.1 REQUIREMENTS An ACTUATION LOGIC TEST on each ESFAS division is performed to ensure the division will perform its intended function when needed. These tests verify that the ESFAS actuation Functions are capable of performing their intended function, from the SVMs through actuation of the ESF Components.
MPS testing from the input sensors to the SVMs is addressed by surveillance requirements specified in LCO 3.3.1, Module Protection System (MPS) Instrumentation. The ESFAS logic and actuation circuitry functional testing is accomplished with continuous system self-testing features on the SVMs and EIMs and the communication between them.
The self-testing features are designed to perform complete functional testing of all circuits on the SVM and EIM, with the exception of the actuation and priority logic (APL) circuitry. The self-testing includes testing of the voting and interlock/permissive logic functions. The built-in self-testing will report a failure to the operator and place the SVM or EIM in a fail-safe state.
The only portion of the ESFAS logic and actuation circuitry that is not self-tested is the APL. The manual actuation switches, enable nonsafety control switches, main control room isolation switches, override switches, and operating bypass switches do not include self-testing features. The manual actuation switches are addressed by surveillance requirements specified in LCO 3.3.4, "Manual Actuation Functions."
NuScale [US600]                            B 3.3.3-9                                Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES SURVEILLANCE REQUIREMENTS (continued)
The ACTUATION LOGIC TEST includes testing of the APL on all ESFAS EIMs, the enable nonsafety control switches, the main control room isolation switches, the override switches, and the operating bypass switches. The ACTUATION LOGIC TEST includes a review of any alarms or failures reported by the self-testing features.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.3.2 This SR measures the pressurizer heater breaker opening ACTUATION RESPONSE TIMES. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the process variable exceeds the trip setpoint value at the sensor to the time at which ESF component actuates. TOTAL RESPONSE TIME may be verified by any series of sequential, overlapping, or total division measurements.
CHANNEL RESPONSE TIMES are tested in accordance with LCO 3.3.1.
The maximum digital time response is described in the FSAR. This SR encompasses the response time of the ESFAS from the output of the equipment interface modules to the loss of voltage at the output of the pressurizer heater breaker.
The ACTUATION RESPONSE TIME of valves actuated by the ESFAS are verified in accordance with the IST program, and LCO 3.4.6, "Chemical and Volume Control System Isolation Valves," LCO 3.4.10, "LTOP Valves," LCO 3.5.1, "ECCS," LCO 3.5.2, "DHRS," LCO 3.6.2, "Containment Isolation Valves," LCO 3.7.1, "MSIVs," and LCO 3.7.2, "Feedwater Isolation."
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                      B 3.3.3-10                              Revision 4.0
 
ESFAS Logic and Actuation B 3.3.3 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.3.3 SR 3.3.3.3 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.
Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety functions. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices. The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program. However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.3.4 SR 3.3.3.4 verifies the pressurizer heater breaker actuates to the open position on an actual or simulated trip signal on each pressurizer heater breaker. This test verifies OPERABILITY by actuation of the end devices.
The pressurizer heater breaker test verifies the under voltage trip mechanism opens the breaker.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 7.
NuScale [US600]                        B 3.3.3-11                                Revision 4.0
 
Manual Actuation Functions B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Manual Actuation Functions BASES BACKGROUND          The Manual Actuation Function portion of the module protection system (MPS) provides means to manually initiate the automatic actuations provided by the system to protect against violating the core fuel design limits, maintaining reactor coolant pressure boundary integrity, and not exceeding radiological dose limits during anticipated operational occurrences (AOOs) and postulated accidents. This LCO applies to components and functions from the manual actuation switches in the control room to the RTS and ESFAS Equipment Interface Modules (EIMs). EIM logic and actuated equipment OPERABILITY is addressed in LCO 3.3.2, Reactor Trip System (RTS) Logic and Actuation and LCO 3.3.3, Engineered Safety Features Actuation System (ESFAS)
Logic and Actuation, as well as LCO applicable to individual actuated components and systems, e.g., LCO 3.5.1, Emergency Core Cooling System (ECCS).
Manual switches in the main control room allow the operator to initiate a reactor trip if necessary. The manual switches are connected to the RTS hardwired modules (HWM) of the MPS. The HWM converts the manual switch position to appropriate signals and routes them to the division RTS EIMs to cause a reactor trip (Ref. 1).
Manual switches in the main control room also include switches for each automatic ESF function at the division level. These manual switches are connected to the ESFAS HWM of the MPS. The HWM converts the manual switch position to appropriate signals and routes them to the division ESFAS EIMs to cause an actuation.
A description of the MPS Instrumentation that causes automatic initiation of MPS protective functions is provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.
NuScale [US600]                            B 3.3.4-1                              Revision 4.0
 
Manual Actuation Functions B 3.3.4 BASES APPLICABLE        The MPS functions to maintain the SLs during all AOOs and mitigates SAFETY            the consequences of DBAs in MODES 1, 2, and 3.
ANALYSES, LCOs, and APPLICABILITY The LCO requires each Manual Actuation Function division performing an RTS or ESFAS Function, listed in Table 3.3.4-1, to be OPERABLE.
The safety analyses, LCO OPERABILITY and applicability requirements of Manual Actuation Functions listed in Table 3.3.4-1 are discussed in the Bases for LCO 3.3.2, Reactor Trip System (RTS) Logic and Actuation, and LCO 3.3.3, Engineered Safety Features Actuation System (ESFAS)
Logic and Actuation. While not specifically credited in the safety analyses, manual actuation of the Functions provides defense in depth to mitigate postulated events, and provides operators with the ability to address other events that may occur with the assistance of the automatic actuation portions of the MPS.
The Manual Actuation Functions satisfy Criterion 4 of 10 CFR 50.36(c)(2)(ii).
ACTIONS          A Note has been added in the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed in Table 3.3.4-1. The Completion Time(s) of the inoperable Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1 Condition A applies if one or more Functions with one manual actuation division inoperable. Required Action A.1 requires the Condition associated with the inoperable Function listed in Table 3.3.4-1 to be corrected, or the Condition listed in Table 3.3.4-1 to be entered within 48 hours. In this Condition, one division of manual actuation remains OPERABLE and the automatic MPS actuation capabilities remain available to perform the safety function consistent with the limits of LCO 3.3.1, 3.3.2, and 3.3.3.
The Completion Time of 48 hours is based on continued operation in conformance with the design basis for automatic actuation of protective functions, as well as an OPERABLE means of manually actuating the protective functions. The time also provides adequate opportunity to identify and implement corrective actions to restore a Manual Actuation Function without entering the Condition specified in Table 3.3.4-1.
NuScale [US600]                          B 3.3.4-2                                Revision 4.0
 
Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued)
B.1 Condition B applies to the Manual Actuation Functions identified in Table 3.3.4-1. Condition B addresses the situation where one or more Functions have both manual actuation divisions inoperable. One manual actuation division consists of an actuation switch and the associated hardware (such as contacts and wiring) up to but not including the affected EIMs. EIM OPERABILITY is addressed in LCO 3.3.2 and LCO 3.3.3.
With both manual actuation divisions inoperable, the Condition listed in Table 3.3.4-1 must be entered in 6 hours. In this Condition, the automatic MPS actuations remain available to perform the design basis safety functions consistent with the limits of LCO 3.3.1, 3.3.2, and 3.3.3. The Completion Time of 6 hours provides adequate opportunity to identify and implement corrective actions to restore a Manual Actuation Function without entering the Condition specified in Table 3.3.4-1.
C.1 If Required Actions A.1 or B.1 direct entry into Condition C as specified in Table 3.3.4-1, then the reactor trip breakers must be opened immediately.
Opening the reactor trip breakers satisfies the safety function of the system and places the unit in a MODE or specified conditions in which the LCO no longer applies.
The immediate Completion Time is consistent with the importance of the ability to initiate a manual reactor trip using the actuation Function.
D.1 and D.2 If Required Actions A.1 or B.1 direct entry into Condition D as specified in Table 3.3.4-1, then Condition D provides 24 hours to restore the manual actuation capability to OPERABLE status before the unit must be in MODE 2. Required Action D.2 requires the unit be in MODE 3 and PASSIVELY COOLED within 72 hours of entering the Condition. The Completion Times provide opportunity for correction of the identified inoperability while maintaining the reactor coolant system closed, minimizing the transients and complexity of a return to operation when OPERABILITY is restored.
NuScale [US600]                          B 3.3.4-3                                Revision 4.0
 
Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued)
The Completion Times are reasonable because the credited automatic actuation Function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.
E.1 If Required Actions A.1 or B.1 direct entry into Condition E as specified in Table 3.3.4-1, then Action E.1 requires the dilution source flow paths to be isolated if the Manual Actuation Function is not restored within 1 hour.
The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.
The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.
F.1 If Required Actions A.1 or B.1 direct entry into Condition F as specified in Table 3.3.4-1, then Action F.1 requires the four CVCS flow paths to and from the reactor coolant system be isolated if the Manual Actuation Function is not restored within 1 hour. The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.
The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.
NuScale [US600]                          B 3.3.4-4                                  Revision 4.0
 
Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued)
G.1 If Required Actions A.1 or B.1 direct entry into Condition G as specified in Table 3.3.4-1, then Action G.1 requires the pressurizer heaters to be de-energized if the Manual Actuation Function is not restored within 24 hours. The Action includes a Note that permits the heaters to be energized intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.
The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.
H.1 If Required Actions A.1 or B.1 direct entry into Condition H as specified in Table 3.3.4-1, then Condition H requires two RVVs to be opened immediately which places the facility in a configuration in which an overpressure event in the reactor vessel is not possible. The Completion Time is reasonable given the need to ensure overpressure protection to the reactor vessel.
I.1 and I.2 If Required Actions A.1 or B.1 direct entry into Condition I as specified in Table 3.3.4-1, then the unit must be placed in MODE 3 with the containment isolated within 48 hours. Isolating the containment places the unit in a MODE or specified condition in which the LCO no longer applies.
The Completion Time is reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.
NuScale [US600]                        B 3.3.4-5                                  Revision 4.0
 
Manual Actuation Functions B 3.3.4 BASES SURVEILLANCE    SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is the performance of an actuation device operational test of Manual Actuation Functions listed in Table 3.3.4-1. The test shall independently verify the OPERABILITY of the actuated devices that function as a result of the actuation Functions listed in Table 3.3.4-1.
These tests verify that the Manually Actuated Functions are capable of performing their intended functions.
This surveillance addresses testing of the MPS from and including the manual actuation switches located in the control room to the hardwired modules and the input signals to the associated equipment interface modules for the actuation Function in test. The EIM functions are tested in accordance with LCO 3.3.2 and 3.3.3.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 7.
NuScale [US600]                        B 3.3.4-6                                Revision 4.0
 
RSS B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Remote Shutdown Station (RSS)
BASES BACKGROUND        Instrumentation located in the RSS provides the control room operator with sufficient displays to ensure the unit reaches a safe shutdown condition at a location other than the control room. The RSS also ensures that control room signals are isolated preventing unintended signals from impacting indication of the unit conditions. This capability is necessary to protect against the possibility that the control room becomes inaccessible (Ref. 1). The passive core cooling systems provided by the Decay Heat Removal System, Emergency Core Cooling System, or an appropriate water level in the containment can be used to remove core decay heat.
The use of PASSIVE COOLING systems allows extended operation with no operator action required in MODE 3 once initiated.
The RSS has several video display units which can be used to monitor unit conditions. The video display units are comparable to those provided in the control room and the operator can display information on the video display units in a manner which is comparable to the way the information is displayed in the control room. The operator normally selects an appropriate set of displays based on the particular operational goals being monitored by the operator at the time.
The OPERABILITY of the remote shutdown display functions ensures there is sufficient information available on selected variables to verify that the unit transitions to MODE 3 and PASSIVE COOLING, and remains stable once this condition is reached should the control room become inaccessible. Activation of the RSS also ensures that control room signals are isolated when control room evacuation is required.
APPLICABLE        The RSS is required to provide equipment at appropriate locations SAFETY            outside the control room to monitor the safe shutdown condition of the ANALYSES          unit, defined as MODE 3 with PASSIVE COOLING established. This is accomplished by providing instrumentation that displays unit conditions.
Passive core cooling systems actuated if the control room is evacuated can establish and maintain safe shutdown conditions for the unit.
NuScale [US600]                            B 3.3.5-1                                Revision 4.0
 
RSS B 3.3.5 BASES APPLICABLE SAFETY ANALYSES (continued)
The criteria governing the design and the specific system requirements for achieving safe shutdown conditions are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 2), which NuScale implements as principal design criterion 19 described in FSAR Section 3.1 (Ref. 3). No additional operator actions are required after actuation of passive cooling and therefore the RSS only provides indication to monitor unit conditions.
The remote shutdown station satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO            The RSS LCO provides the OPERABILITY requirements of the displays necessary to monitor the passive cooling system performance, verify that the unit transitions to and remains stable once MODE 3 and PASSIVE COOLING is reached, while monitoring from a location other than the control room.
The appropriate instrumentation in the RSS is OPERABLE if the display instrument functions needed to support the required monitoring capability are OPERABLE.
The instrumentation located in the RSS covered by this LCO does not need to be energized or configured to perform its design function, to be considered OPERABLE. During normal operation, the RSS is in standby with the workstations powered and connected to the human machine interface network, but the displays not activated. This LCO is intended to ensure the instrumentation located in the RSS will be OPERABLE if unit conditions require that the RSS be placed in operation.
APPLICABILITY  The instrumentation located in the RSS LCO is applicable in MODES 1, 2, and MODE 3 when not PASSIVELY COOLED. This is required so that the unit can be monitored to ensure the unit transitions to MODE 3 and PASSIVELY COOLED, and remains stable in MODE 3 and PASSIVELY COOLED for an extended period of time from a location other than the control room.
This LCO is not applicable in MODE 3 and PASSIVELY COOLED, 4, or
: 5. In these MODES, the unit is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument functions if actions are required.
NuScale [US600]                        B 3.3.5-2                              Revision 4.0
 
RSS B 3.3.5 BASES ACTIONS        A.1 Condition A addresses the situation where the instrumentation in the RSS is inoperable. The Required Action is to restore the instrumentation in the RSS to OPERABLE status within 30 days. The Completion Time is based on the system design for maintainability and the low probability of an event that would require evacuation of the control room.
B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 and PASSIVELY COOLED within 36 hours.
The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE    SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 verifies that the transfer protocol can be performed and that it performs the required functions. This ensures that if the control room becomes inaccessible, from the RSS passive cooling system performance can be monitored and evaluated to verify that the unit is transitioning to MODE 3 and PASSIVE COOLING, and remains stable once MODE 3 and PASSIVELY COOLED condition is reached.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.5.2 This Surveillance verifies that the workstations in the RSS receive indications from the Module Control System (MCS) and Plant Control System (PCS). The communication is accomplished by use of the MCS and PCS networks.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                      B 3.3.5-3                                Revision 4.0
 
RSS B 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.3.5.3 SR 3.3.5.3 verifies the OPERABILITY of the RSS hardware and software by performing diagnostics to show that operator displays are capable of being called up and displayed to an operator at the RSS. The instrumentation in the RSS has several video display units which can be used by the operator.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 7.
: 2. 10 CFR 50, Appendix A, GDC 19.
: 3. FSAR, Section 3.1.
NuScale [US600]                      B 3.3.5-4                              Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits B 3.4.1 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.1 RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits BASES BACKGROUND        These Bases address requirements for maintaining RCS pressure and temperature within the limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope of operating conditions. For a given RCS flow resistance, RCS pressure and temperature in combination with THERMAL POWER establish the flow through the RCS including the reactor core. The limits placed on RCS pressure and temperature, in combination with the reactor power, ensure that the minimum critical heat flux ratio (CHFR) will be met for each of the transients analyzed.
The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are used to determine a value for comparison to the limit. A pressure below the limit will cause the reactor core to approach CHFR limits.
The RCS coolant cold temperature limit is consistent with full power operation within the nominal operational envelope. Indications of cold coolant temperature are averaged to determine a value for comparison to the limit. An RCS cold temperature above the limit could cause the core to approach CHF limits.
RCS flow resistance above the limit could cause a reduction in RCS flow and cause the core to approach CHF limits. The RCS flow resistance limit is consistent with and assures that the flow rates assumed in the safety analyses will occur.
Operation for significant periods of time outside these CHF limits increases the likelihood of a fuel cladding failure in a CHF limited event.
APPLICABLE        The requirements of this LCO represent the initial conditions for CHF SAFETY            limited transients analyzed in the plant safety analyses (Ref. 1). The ANALYSES          safety analyses have shown transients initiated within the requirements of this LCO will result in meeting the CHFR criterion. This is the acceptance limit for the RCS CHF parameters. Changes to the unit which could impact these parameters must be assessed for their impact on the CHFR criterion.
NuScale [US600]                          B 3.4.1-1                                Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits B 3.4.1 BASES APPLICABLE SAFETY ANALYSES (continued)
The NSP2 and NSP4 correlation limits are used for comparison to conditions representative of normal operation, operational transients, anticipated operational occurrences, and accidents other than events that are initiated by rapid reductions in primary system inventory. The Extended Hench-Levy correlation is used to evaluate events for which analyses postulate a rapid reduction in primary system inventory. An assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.6, Regulating Bank Insertion Limits; LCO 3.2.1, "Enthalpy Rise Hot Channel Factor (FH)," and LCO 3.2.2, AXIAL OFFSET (AO).
The flow resistance in the RCS directly affects the reactor coolant natural circulation flow rate established by THERMAL POWER, RCS pressure, and RCS temperature. The safety analyses assume flow rates that are based on a conservative value of flow resistance through the RCS.
Therefore the resistance must be verified to ensure that the assumptions in the safety analyses remain valid.
The pressurizer pressure operating limit and the RCS temperature limit specified in the COLR, as shown on the Analytical Design Operating Limits in FSAR Tier 2, Figure 4.4-9 (Ref. 2), correspond to operating limits, with an allowance for steady state fluctuations and measurement errors. These are the analytical initial conditions assumed in transient and LOCA analyses.
The RCS CHF parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO specifies limits on the monitored process variables, pressurizer pressure and RCS cold temperature to ensure the core operates within the limits assumed in the safety analyses. It also specifies the limit on RCS flow resistance to ensure that the RCS flow is consistent with the flow assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle.
Operating within these limits will result in meeting CHFR criterion in the event of a CHF-limited transient.
NuScale [US600]                        B 3.4.1-2                                Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits B 3.4.1 BASES APPLICABILITY  In MODE 1, the limits on pressurizer pressure and RCS cold temperature must be maintained during steady state unit operation in order to ensure CHFR criterion will be met in the event of a CHF-limiting transient. In all other MODES, the power level is low enough that CHF is not a concern.
The CHFR limit is provided in SL 2.1.1, Reactor Core SLs. The conditions which define the CHFR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether a SL may have been exceeded.
ACTIONS        A.1 RCS pressure and RCS cold temperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be taken to restore parameter(s).
The 2 hour Completion Time for restoration of the parameters provides sufficient time to adjust unit parameters, to determine the cause for the off normal condition, and to restore the readings within limits.
B.1 RCS flow occurs due to the density differences in the RCS during operations with the flow rate limited by the flow resistance in the RCS.
Small changes in flow resistance may occur over the life of the unit, and the effect on RCS flow as a function of THERMAL POWER, RCS pressure, and RCS temperature must be verified to ensure that flow remains consistent with the flow rates assumed in the safety analyses.
B.1 addresses the condition of flow resistance that is not consistent with that assumed. The Required Action provides an opportunity to compare the measured flow rate to the safety analyses values to verify that the safety analysis assumptions are being met or to initiate action to otherwise restore the flow rate to that assumed. Seven days provides adequate time to perform the required analyses of the RCS flow resistance and establish an appropriate revised RCS flow rate.
C.1 If Required Action A.1 or B.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. In MODE 2, the subcritical condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours is reasonable to reach the required plant conditions in an orderly manner.
NuScale [US600]                        B 3.4.1-3                                Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits B 3.4.1 BASES SURVEILLANCE    SR 3.4.1.1 REQUIREMENTS This surveillance demonstrates that the pressurizer pressure remains greater than or equal to the limit specified in the COLR. Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits and the Surveillance Frequency is sufficient to ensure the pressure can be restored to a normal operation, steady state condition following load changes and other expected transient operations.
The surveillance frequency is sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.1.2 This surveillance demonstrates that the RCS cold temperature remains less than or equal to the limit specified in the COLR. Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, and the Surveillance Frequency is sufficient to ensure the temperature can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The surveillance frequency is sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.1.3 Verification that the RCS flow resistance is less than that assumed in the safety analysis is accomplished by performing measurements of RCS flow rate under controlled conditions. Assuring the RCS flow resistance remains less than or equal to the limit specified in the COLR after each refueling provides assurance that the safety analysis assumptions regarding the relationship between expected RCS flow, reactor power, RCS pressure, and RCS temperature remains accurate. The flow rate used to determine RCS flow resistance may be determined by installed instrumentation, thermodynamic analyses, or by other methods.
The SR is modified by a Note that permits operation for up to 96 hours at greater than 50% RTP to permit the unit to establish conditions that permit measurements of RCS flow that allow evaluation of the RCS flow resistance. This is acceptable because the testing must be completed NuScale [US600]                        B 3.4.1-4                                Revision 4.0
 
RCS Pressure, Temperature, and Flow Resistance CHF Limits B 3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued) before exceeding 75% RTP which provides margin to safety analysis limits that are established at 100% RTP, and due to the low likelihood of a design basis event during the time allowed to perform testing.
The frequency requires this surveillance to be performed once after each refueling. Inadvertent changes that might impact flow resistance are most likely to occur during refueling operations. Other credible changes to flow resistance are slow developing phenomena and unlikely to change significantly between performances of the surveillance.
REFERENCES      1.      FSAR, Chapter 15.
: 2.      FSAR, Section 4.4.
NuScale [US600]                        B 3.4.1-5                              Revision 4.0
 
RCS Minimum Temperature for Criticality B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.2 RCS Minimum Temperature for Criticality BASES BACKGROUND        This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.
The first consideration is moderator temperature coefficient, LCO 3.1.3, Moderator Temperature Coefficient (MTC). In the transient and accident analyses, the MTC is assumed to be in a range from zero to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is operated consistent with these assumptions.
The second consideration is the protective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is selected to ensure proper indication and response while the reactor is critical.
The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.
The fourth consideration is that the reactor vessel is above its minimum nil-ductility reference temperature when the reactor is critical.
APPLICABLE        The RCS minimum temperature for criticality is an initial condition SAFETY            assumed in Design Basis Accidents (DBAs), such as the control rod ANALYSES          assembly (CRA) withdrawal, CRA ejection, and main steam line break accidents performed at zero power that either assume the failure of, or presents a challenge to, the integrity of a fission product barrier.
All low power safety analyses assume initial RCS temperatures  420 &deg;F, as described in FSAR Chapter 15 (Ref. 1).
NuScale [US600]                            B 3.4.2-1                                Revision 4.0
 
RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE SAFETY ANALYSES (continued)
The RCS minimum temperature for criticality parameter satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            Compliance with the LCO ensures that the reactor will not be made or maintained critical (keff  1.0) at a temperature less than the minimum temperature assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.
APPLICABILITY  In MODE 1 LCO 3.4.2 is applicable since the reactor can only approach critical (keff  1.0) in this MODE. In MODES 2, 3, 4, and 5, the reactor is maintained with keff < 0.99.
ACTIONS        A.1 If the temperature cannot be restored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 2 with keff < 0.99 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable to reach MODE 2 with keff < 0.99 in an orderly manner and without challenging plant systems.
SURVEILLANCE    SR 3.4.2.1 REQUIREMENTS RCS loop temperatures are required to be verified at or above 420 &deg;F.
The SR to verify RCS temperatures takes into account indications and alarms that are continuously available to the operator in the control room.
In addition, operators are trained to be sensitive to RCS temperatures during approach to criticality and will ensure that the minimum temperature for criticality is met as criticality is approached.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                            B 3.4.2-2                            Revision 4.0
 
RCS P/T Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.3 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND        All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.
The PTLR contains P/T limit curves for heatup, cooldown including containment flooding, inservice leak and hydrostatic testing, and data for the maximum rate of change of reactor coolant temperature. Also included is the maximum allowable RCS temperature for containment flooding.
Each P/T limit curve defines an acceptable region for normal operation.
The curves are used for operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.
The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The reactor vessel consists of multiple regions, but the limiting region for brittle failure is the lower reactor vessel region which contains the reactor core. Therefore, the LCO limits are provided based on the lower reactor vessel region and the limits apply mainly to the vessel.
10 CFR 50, Appendix G (Ref. 1) requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. An adequate margin to brittle failure must be provided during normal operation, anticipated operational occurrences, and system hydrostatic tests. Reference 1 references the use of the ASME Code, Section XI, Appendix G (Ref. 2).
The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.
NuScale [US600]                            B 3.4.3-1                                  Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES BACKGROUND (continued)
The actual shift in the RTNDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide 1.99 (Ref. 5).
The P/T limit curves are composite curves established by superimposing limits derived from stress and fracture mechanics analyses of those portions of the reactor vessel that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the P/T span of the limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.
The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. The thermal gradient due to containment flooding during cooldown is also captured since containment flooding introduces tensile stress on the outer diameter of the reactor vessel.
The criticality limit curve includes the Reference 1 requirements, for minimum temperature based on vessel pressure, above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for required testing.
The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a non-isolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.
ASME Code, Section XI, Appendix E (Ref. 6) provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.
NuScale [US600]                          B 3.4.3-2                                  Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES APPLICABLE      The P/T limits are not derived from Design Basis Accident (DBA)
SAFETY          analyses. They are prescribed during normal operation to avoid ANALYSES        encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Reference 7 establishes the methodology for determining the P/T limits. Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.
RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            The elements of this LCO are established in the PTLR including:
: a. The limit curves for heatup, cooldown;
: b. Limits on the rate of change of temperature; and
: c. Maximum RCS temperature for flooding of containment.
The LCO limits apply to all components of the RCS. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.
The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, and cooldown P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.
Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:
: a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
: b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
: c. The existences, sizes, and orientations of flaws in the vessel material.
NuScale [US600]                        B 3.4.3-3                                Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES APPLICABILITY  The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile (brittle) failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation primarily during heatup or cooldown or required testing, they are applicable at all times in keeping with the concern for nonductile failure.
During MODE 1 other Technical Specifications provide limits for operation that can be more restrictive than, or can supplement these P/T limits.
LCO 3.4.1, RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits. LCO 3.4.2, RCS Minimum Temperature for Criticality; and Safety Limit 2.1.2, Reactor Coolant System (RCS)
Pressure SL, also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODE 1 is above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.
ACTIONS        The actions of this LCO consider the premise that a violation of the limits occurred during normal unit maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from abnormal operating procedures.
A.1 and A.2 Operation outside the P/T limits must be restored to within the limits. The RCPB must be returned to a condition that has been verified by stress analyses. Restoration is in the proper direction to reduce RCPB stress.
The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.
Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.
NuScale [US600]                        B 3.4.3-4                                Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)
The 72 hour Completion Time is reasonable to accomplish the evaluation.
The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.
Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration per Required Action A.1 alone is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. In reduced pressure and temperature conditions, the possibility of propagation with undetected flaws is decreased.
If the required restoration activity cannot be accomplished in 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.
If the required evaluation for continued operation cannot be accomplished within 72 hours or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.
Pressure and temperature are reduced by bringing the unit to MODE 2 within 6 hours and to MODE 3 within 36 hours, with RCS pressure
                  < 500 psia. The 500 psia is based on placing the RCS in a lower energy state and being less than the LTOP maximum pressure of 525 psia.
The allowed Completion Times are reasonable based on plant design, to reach the required unit conditions from full power condition in an orderly manner without challenging plant systems.
NuScale [US600]                          B 3.4.3-5                                  Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)
C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE 1, 2, or 3, so that the RCPB is returned to a condition that has been verified by stress analysis.
The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.
Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 3. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.
Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.
D.1, D.2 and D.3 Condition D is based on an unexpected containment flooding initiated when RCS temperature is in excess of the maximum allowable temperature limit for containment flooding specified in the PTLR. The containment flooding system transfers borated water between the ultimate heat sink and the containment vessel. It is expected to be used during refuel preparations and during select beyond design basis events.
Both of these functions are non-safety related.
The immediate Completion Time for Action D.1 is appropriate because the system is designed to be utilized for containment flooding when the module has already been shutdown. Allowing operation to flood containment in these MODES would place the unit in an unanalyzed condition.
NuScale [US600]                          B 3.4.3-6                                Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)
The 36 hour Completion Time for Action D.2 allows sufficient time to cool down the unit to a condition that containment flooding is allowed.
Action D.3 requires evaluation of the RCS for continued operation prior to returning to MODE 2 after MODE 3 was entered to comply with the Required Actions. This is necessary to ensure P-T limits and cool down rates were not exceeded or an engineering evaluation performed if they were.
SURVEILLANCE      SR 3.4.3.1 REQUIREMENTS Verification that operation is within PTLR limits is required when RCS P/T conditions are undergoing planned changes. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Pressurizer pressure instrumentation is utilized to monitor vessel pressure during planned changes. Use of temperature monitoring instrumentation is based on evolution being performed and delineated in PTLR.
Surveillance for heatup and cooldown, may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.
This SR is modified by a Note that only requires this surveillance to be performed during system heatup and cooldown and inservice leak and hydrostatic testing.
REFERENCES        1. 10 CFR 50, Appendix G.
: 2. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix G,
[2013 edition].
: 3. ASTM E 185-82.
: 4. 10 CFR 50, Appendix H.
: 5. Regulatory Guide 1.99, Revision 2, May 1988.
: 6. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E,
[2013 edition].
NuScale [US600]                          B 3.4.3-7                                Revision 4.0
 
RCS P/T Limits B 3.4.3 BASES REFERENCES (continued)
: 7. TR-1015-18177, Pressure and Temperature Limits Methodology, Rev. [2].
NuScale [US600]                    B 3.4.3-8                            Revision 4.0
 
RSVs B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.4 Reactor Safety Valves (RSVs)
BASES BACKGROUND          Two RSVs, in conjunction with the module protection system (MPS),
provide integrated overpressure protection for the RCS. The RSVs are pilot operated, self-contained, self-actuating valves located on the reactor pressure vessel head. The RSVs provide overpressure protection based on the ASME Code, Section III pressure limit (ASME pressure limit) of 110% design pressure of RCS (Ref. 1). The RSVs are designed to prevent RCS pressure from exceeding the pressure Safety Limit (SL),
2285 psia, which is based on preventing pressure from exceeding 110%
of the design pressure (2100 psia) at the bottom of the reactor pressure vessel of 2310 psia. The RSVs also prevent exceeding 110% of Steam Generator System (SGS) design pressure during design basis accidents and anticipated operational occurrences (AOO) that challenge this system. Both RSV's are 100% redundant, only one valve is required to function to provide overpressure protection.
Because the RSVs are self-contained and self-actuating, they are considered independent components. The minimum relief capacity for each valve is 63,360 lb/hr. This capacity is based on a postulated overpressure transient of a turbine trip without turbine bypass capability, resulting in rapid decrease in heat removal capability. This event results in the maximum volumetric surge rate into the pressurizer, and defines the minimum volumetric relief capacity for each of the RSVs. An actuation of a RSV is indicated by RSV open position indication and by an increase in containment temperature and pressure because the RSVs discharge into the containment environment.
Overpressure protection is required in MODES 1, 2, and 3; however, in MODE 3 when RCS cold temperature is below the low temperature overpressure protection (LTOP) enable interlock T-1 temperature, overpressure protection is provided by operating procedures and by meeting the requirements of the LCO 3.3.1, "Module Protection System (MPS) Instrumentation" LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," and LCO 3.4.10, "LTOP Valves." In MODE 4 and MODE 5 with the reactor vessel head on, overpressure protection is provided by the ECCS reactor vent valves being isolated electrically from their controls causing them to open.
The upper and lower pressure limits are based on the +/-1% setpoint tolerance requirement (Ref. 1) for lifting pressures above 1000 psig. The lift settings are based on the differential pressure between the reactor NuScale [US600]                            B 3.4.4-1                                Revision 4.0
 
RSVs B 3.4.4 BASES BACKGROUND (continued) vessel and the containment atmospheric conditions associated with MODES 1, 2, and 3. All RSV testing is performed in accordance with INSERVICE TESTING PROGRAM.
OPERABILITY of the RSVs ensures that the RCS and SGS pressures will be limited to  110% of design pressures.
The consequences of exceeding the ASME pressure limit could include damage to RCS components, damage to SGS components, increased LEAKAGE, or a requirement to perform additional stress analyses prior to resumption of reactor operation.
APPLICABLE      Accident, AOOs and safety analyses in FSAR Chapter 15 (Ref. 2) that SAFETY          require safety valve actuation assume operation of one of two RSVs to ANALYSES        limit increases in the RCS pressure. Accidents and AOOs that could result in overpressurization if not properly terminated include:
: a. Uncontrolled rod withdrawal from full power;
: b. Loss of external electrical load;
: c. Loss of AC power/loss of normal feedwater;
: d. Turbine trip without bypass capability;
: e. Main Steam Isolation Valve closure;
: f. Steam system piping failures inside or outside Containment;
: g. Chemical and Volume Control System malfunction that increases Reactor Coolant System inventory;
: h. Control rod ejection; and
: i. Steam generator tube failure.
Detailed analyses of the above transients are contained in Reference 2.
Compliance with this LCO is consistent with the design bases and accident analyses assumptions.
RSVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
NuScale [US600]                        B 3.4.4-2                                Revision 4.0
 
RSVs B 3.4.4 BASES LCO            The setpoint of the two RSVs are established to ensure that the ASME pressure limit is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure and the highest safety valve to be set so that the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The upper and lower pressure limits are based on the +/- 1%
tolerance requirements for lifting pressures above 1000 psig (Ref. 1).
As-found acceptance criteria of +/- 3% meets the criteria of ASME OM code I-1320(c)(1) (Ref 4).
The limits protected by this Specification are the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure and 110% of external design pressure for the SGS. Inoperability of both RSVs could result in exceeding the reactor pressure SL or the 110% design pressure limit of the SGS, if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, damage to the SGS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.
APPLICABILITY  In MODES 1, 2, and MODE 3 when RCS cold temperature is greater than the LTOP enable interlock T-1 temperature specified in Pressure and Temperature Limits Report (PTLR), the RSVs are required because the RCS and SGS are pressurized and limiting design basis overpressure transients are postulated to occur in MODES 1 and 2. MODE 3 conditions are conservatively included although the FSAR Chapter 15 (Ref. 2) listed accidents and AOOs may not require the RSVs for protection. RCS cold temperature is considered to be greater than the LTOP enabling interlock T-1 temperature when three out of four RCS cold temperature instruments indicate greater than the LTOP enabling temperature specified in the PTLR. The T-1 interlock is described further in the Bases for LCO 3.3.1.
The LCO is not applicable in MODE 3 when RCS cold temperature is below the LTOP enable temperature because overpressure protection is ensured by LCO 3.3.1, "MPS Instrumentation," LCO 3.3.3, "ESFAS Logic and Actuation," and LCO 3.4.10, "LTOP Valves." In MODES 4 and 5, overpressure events are precluded by open ECCS reactor vent valves providing a relief path from the RCS to the containment and isolation of the module from credible sources of system overpressure (e.g., CVCS injection and pressurizer heaters).
NuScale [US600]                        B 3.4.4-3                              Revision 4.0
 
RSVs B 3.4.4 BASES ACTIONS        A.1 With one RSV inoperable, the remaining OPERABLE RSV is capable of providing the necessary overpressure protection. Because of additional design margin, the ASME pressure limit for the RCPB and SGS can also be satisfied with one RSV inoperable.
However, the overall reliability of the pressure relief system is reduced because additional failure of the remaining OPERABLE RSV could result in failure to adequately relieve primary or secondary system pressure during a limiting event. For this reason, continued operation is permitted for a limited time only.
The 72 hour Completion Time to restore the inoperable RSV to OPERABLE status is based on the relief capability of the remaining RSV and the low probability of an event requiring RSV actuation.
B.1 and B.2 If the Required Action of Condition A cannot be met within the required Completion Time or if two RSVs are inoperable, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS cold temperature below the LTOP enable interlock T-1 temperature within 36 hours. RCS cold temperature is considered below the LTOP enabling temperature when two or more RCS cold temperature instruments indicate below the LTOP enabling temperature specified in the PTLR.
The allowed Completion Times are reasonable based on time to reach the required unit conditions from full power conditions in an orderly manner. The change from MODE 1, or 2, to MODE 3 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer in-surges, and thereby removes the need for overpressure protection by the RSVs.
SURVEILLANCE    SR 3.4.4.1 REQUIREMENTS SRs are specified in the INSERVICE TESTING PROGRAM. RSVs are to be tested in accordance with the requirements of ASME OM Code (Ref. 3), which provides the activities and Frequencies necessary to satisfy the SRs. No additional requirements are specified.
The RSV setpoint is +/- 3% for OPERABILITY, and the values are reset to remain within +/- 1% during the surveillance to allow for drift.
NuScale [US600]                        B 3.4.4-4                                Revision 4.0
 
RSVs B 3.4.4 BASES REFERENCES      1. ASME, Boiler and Pressure Vessel Code, Section III, Subarticles NB 7500 and NC 7500, [2013 edition].
: 2. FSAR, Chapter 15.
: 3. ASME, OM Code, [2012 edition].
NuScale [US600]                    B 3.4.4-5                          Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.5 RCS Operational LEAKAGE BASES BACKGROUND          Components that contain or transport the coolant to or from the reactor core comprise the RCS. Component joints are made by welding, bolting, rolling, or pressure loading. Valves isolate connecting systems from the RCS.
During unit life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of RCS Operational LEAKAGE.
10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
The safety significance of RCS Operational LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE outside of the reactor coolant pressure boundary (RCPB) is necessary. When possible, separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.
This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).
APPLICABLE          Except for primary to secondary LEAKAGE, the safety analyses do not SAFETY              address RCS Operational LEAKAGE. However, other forms of RCS ANALYSES            Operational LEAKAGE are related to the safety analyses for LOCA. The amount of LEAKAGE can affect the probability of such an event.
The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 150 gpd primary to secondary LEAKAGE as the initial condition.
NuScale [US600]                            B 3.4.5-1                                Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 BASES APPLICABLE SAFETY ANALYSES (continued)
Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube failure (SGTF). The leak contaminates the secondary fluid.
The FSAR Chapter 15 (Ref. 3) analyses for the accidents involving secondary side releases assume 150 gpd primary to secondary LEAKAGE as an initial condition. The design basis radiological consequences resulting from a postulated SLB accident and SGTF are provided in Sections 15.1.5 and 15.6.3 of FSAR Chapter 15, respectively.
The RCS Operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            RCS operational LEAKAGE shall be limited to:
: a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.
: b. Unidentified LEAKAGE 0.5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the Containment Evacuation System (CES), condensate monitoring equipment required by LCO 3.4.7, "RCS Leakage Detection Instrumentation," can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.
NuScale [US600]                        B 3.4.5-2                                  Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 BASES LCO (continued)
: c. Identified LEAKAGE Up to 2 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE. Violation of this LCO could result in continued degradation of a component or system.
: d. Primary to Secondary LEAKAGE The limit of 150 gallons per day is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 4). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." Current design does not support the ability to determine which one of the two steam generators has the primary to secondary leakage. Therefore total primary to secondary leakage will be conservatively attributed to one steam generator. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.
APPLICABILITY  The potential for RCS Operational LEAKAGE is greatest when the RCS is pressurized In MODES 1 and 2. The potential also exists when elevated temperatures and pressures exist in MODE 3 when RCS hot temperature is  200 &deg;F.
In MODE 3 the RCS temperature may be < 200 &deg;F. In that circumstance RCS pressure is low and the potential for RCS Operational LEAKAGE is reduced so that monitoring is no longer required.
In MODE 4 or 5, RCS Operational LEAKAGE limits are not required because the RCPB is open to the containment or refueling pool.
The applicability requirements are modified by a Note indicating the LCO requirements are suspended if one or more ECCS valves is open. In that condition the RCS pressure is reduced, the system is open to the containment and leakage detection instrumentation is no longer OPERABLE.
NuScale [US600]                        B 3.4.5-3                              Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 BASES ACTIONS        A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce RCS Operational LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.
B.1, B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the RCS Operational LEAKAGE and its potential consequences. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and exit the Applicability in MODE 3 with RCS hot temperature  200 &deg;F, within 48 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE    SR 3.4.5.1 REQUIREMENTS Verifying RCS Operational LEAKAGE is within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE.
Unidentified LEAKAGE and identified LEAKAGE are determined by performance of a RCS water inventory balance. The RCS water inventory balance must be met with the reactor at steady state operating conditions.
Two Notes modify SR 3.4.5.1. The first Note states the SR is not required to be performed until 12 hours after establishing steady state operation.
The 12 allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established. The second Note states the SR is not applicable to primary to secondary LEAKAGE.
SR 3.4.5.2 verifies the primary to secondary LEAKAGE.
Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, and makeup or letdown.
NuScale [US600]                        B 3.4.5-4                                Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 BASES SURVEILLANCE REQUIREMENTS (continued)
A warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the LEAKAGE detection systems specified in LCO 3.4.7, RCS Leakage Detection Instrumentation. The containment pressure RCS Operational LEAKAGE measurement is valid only after containment has been evacuated and residual moisture removed. The CES condensate monitor method of detecting leaks during MODES 1, 2, and 3 is not valid until containment has been evacuated and residual moisture removed.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.5.2 This SR verifies that primary to secondary LEAKAGE is less or equal to 150 gallons per day. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. Current design does not support the ability to determine which one of the two steam generators has the primary to secondary leakage. Therefore total primary to secondary leakage will be conservatively attributed to one steam generator. The 150 gallons per day limit is measured at room temperature as described in Reference 5.
The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer level, makeup, and letdown flows.
Additionally Containment flooding is not in progress for steady state conditions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The primary to secondary LEAKAGE is determined using process radiation monitors or radiochemical grab sampling in accordance with the EPRI guidelines (Ref. 5).
NuScale [US600]                        B 3.4.5-5                              Revision 4.0
 
RCS Operational LEAKAGE B 3.4.5 BASES REFERENCES      1. 10 CFR 50, Appendix A, GDC 30.
: 2. Regulatory Guide 1.45, Revision 1, May 2008.
: 3. FSAR, Chapter 15.
: 4. NEI-97-06, Rev. [3].
: 5. EPRI, Pressurized Water Reactor Primary-to-Secondary Leak Guidelines, Rev. [4].
NuScale [US600]                    B 3.4.5-6                            Revision 4.0
 
CVCS Isolation Valves B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.6 Chemical and Volume Control System (CVCS) Isolation Valves BASES BACKGROUND          One of the principle functions of the CVCS system is to maintain the reactor coolant inventory by providing water makeup for reactor coolant system (RCS) Operational LEAKAGE, shrinkage of the reactor coolant during cooldowns, and RCS boron concentration changes.
Although the CVCS is not considered a safety related system, certain isolation functions of the system are considered safety related functions.
The eight CVCS isolation valves in four flow paths have been classified and designed as safety related. The safety related functions provided by the CVCS are the isolation of RCS makeup to prevent overfilling of the pressurizer during non-LOCA transients, the isolation of CVCS postulated breaks outside containment (thereby maintaining RCS inventory), and protecting against reverse RCS flow during low power startup conditions.
The protection against RCS reverse flow is achieved by closing the CVCS makeup line isolation valves. Protection of overfilling the pressurizer is achieved by closing the CVCS makeup line and spray line isolation valves. The isolation of postulated breaks outside of containment is achieved by closing the containment isolation valves (CIVs) on all four CVCS lines.
APPLICABLE          One of the initial assumptions in the analysis of several non-LOCA SAFETY              events and during a steam generator tube failure accident is ANALYSES            that excessive CVCS makeup to the RCS may aggravate the consequences of the accident (Ref. 1). The need to isolate the CVCS from the RCS is detected by the pressurizer level instruments, pressurizer pressure instruments, containment pressure, or RCS flow instruments.
These instruments will supply a signal to their appropriate CVCS containment isolation valves causing these valves to close. Instrument signals generated during events prevent the overfilling of pressurizer during non-LOCA transients, provides the protection of CVCS postulated breaks outside of containment, and prevents the reverse RCS flow during low power startup conditions. Thus, the CVCS isolation valves are components which function to mitigate an accident.
CVCS isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
NuScale [US600]                            B 3.4.6-1                                Revision 4.0
 
CVCS Isolation Valves B 3.4.6 BASES LCO            The requirement that two CVCS isolation valves be OPERABLE for each of the four flow path lines connected to the RCS assures that there will be redundant means available to isolate the CVCS from the RCS during a non-LOCA event or a steam generator tube failure accident should that become necessary. Also, the OPERABLE CVCS isolation valves provide isolation protection against postulated breaks outside of containment and reverse RCS flow events.
APPLICABILITY  The requirement that two CVCS isolation valves for each of the four flow path lines connected to the RCS be OPERABLE is applicable in MODES 1, 2, and 3 because a pressurizer overfill event, steam generator tube failure accident, CVCS postulated break outside containment event, and reverse RCS flow event is considered possible in these MODES, and the automatic closure of these valves is assumed in the safety analysis.
In the applicable MODES, the need to isolate the CVCS makeup to the RCS is detected by the pressurizer level instruments, pressurizer pressure instruments, containment pressure, or RCS flow instruments.
This isolation function is not required in MODE 4 and 5. In these MODES, pressurizer overfill, steam generator overfill, CVCS breaks outside containment, and reverse RCS flow during startup is prevented by unit conditions.
ACTIONS        The ACTIONS are modified by two notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.
Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable CVCS isolation valves are governed by subsequent Condition entry and application of associated Required Actions.
NuScale [US600]                        B 3.4.6-2                              Revision 4.0
 
CVCS Isolation Valves B 3.4.6 BASES ACTIONS (continued)
A.1 and A.2 In the event one CVCS isolation valve in one or more CVCS flow paths is inoperable the affected flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and deactivated automatic containment isolation valve, a closed manual valve, and blind flange. For CVCS flow paths isolated in accordance with Required Actions A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 72 hour Completion Time. The 72 hour Completion Time is reasonable, considering the time required to isolate the flowpath and the relative importance of supporting containment OPERABILITY during MODES 1, 2, and MODE 3 with RCS hot temperature  200 &deg;F.
For affected CVCS flow paths that cannot be restored to OPERABLE status within the 72 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected CVCS flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of once per 31 days for isolation devices is appropriate considering the fact that the devices are operated under administrative controls and the probability of misalignment is low.
Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.
NuScale [US600]                          B 3.4.6-3                                  Revision 4.0
 
CVCS Isolation Valves B 3.4.6 BASES ACTIONS (continued)
B.1 With two CVCS isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and deactivated automatic valve, a closed manual valve, and a blind flange.
The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.2. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.
C.1 and C.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE or condition in which containment isolation requirement no longer applies. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and MODE 3 with RCS hot temperature < 200 &deg;F within 48 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.4.6.1 REQUIREMENTS This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for CVCS isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.4.6-4                                Revision 4.0
 
CVCS Isolation Valves B 3.4.6 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.4.6.2 Verifying that the isolation ACTUATION RESPONSE TIME of each automatic power operated CVCS isolation valve is within limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Isolation time is measured from output of the module protection system equipment interface module until the valves are isolated.
The Surveillance Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
SR 3.4.6.3 This Surveillance demonstrates that each automatic CVCS isolation valve actuates to the isolated position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked sealed, or otherwise secured in the isolated position under administrative controls. The actuation logic is tested as part of Engineered Safety Features Actuation System Actuation and Logic testing.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                        B 3.4.6-5                                Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.7 RCS Leakage Detection Instrumentation BASES BACKGROUND        GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting, and, to the extent practical, identifying the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting LEAKAGE detection systems.
LEAKAGE detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.
Industry practice has shown that leakage of 0.5 gpm can be readily detected in contained volumes by monitoring changes in water level. The containment evacuation system (CES) sample vessel is used to collect and quantify water vapor that is from the containment that may be indicative of RCS LEAKAGE. The sample vessel is instrumented to alarm for increases in the normal flow rates to the vessel. This system sensitivity is acceptable for detecting unexpected increases in condensate that may indicate unidentified LEAKAGE.
Containment pressure is also used as an indicator to detect RCS LEAKAGE. The containment pressure monitoring is performed by CES inlet pressure instrumentation and provides indication in the main control room. The minimum pressure accuracy of the containment pressure monitoring instrumentation can detect a pressure change corresponding to a leak rate of < 1 gpm in 1 hour and a minimum detectable leak rate of
                  < 0.05 gpm.
OPERABILITY of the CES condensate collection and inlet pressure monitoring instrument channels requires the containment atmosphere to be maintained within a pressure-temperature range that prevents atmospheric saturation conditions from existing. These conditions ensure that leakage into the containment will result in vaporization of the water and changes in the measured containment pressure. Conditions are maintained by continuously ensuring that the containment pressure does not approach the saturation pressure of water that could be present in the containment. The pressure limit is conservatively chosen and based on the ultimate heat sink pool water temperature. A description of the acceptable operating region is provided in FSAR Section 5.2 (Ref. 3).
NuScale [US600]                          B 3.4.7-1                                Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 BASES BACKGROUND (continued)
The reactor coolant contains radioactivity that, when released, can be detected by radiation monitoring instrumentation in the CES gas discharage line. Reactor coolant radioactivity can therefore be used for leak detection. The CES system has a gaseous effluent monitor to detect isotopes that provide indication of LEAKAGE.
In addition to meeting the OPERABILITY requirements, the monitoring instrumentation is typically set to provide the most sensitive response without causing an excessive number of spurious alarms.
APPLICABLE      The need to evaluate the severity of an alarm or an indication is SAFETY          important to the operators, and the ability to compare and verify ANALYSES        with indications from other systems is necessary. The system response times and sensitivities are described in FSAR Sections 5.2, 3.6, and 11.5 (Refs. 3, 4, and 5).
The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, to take corrective action should a leak occur.
RCS LEAKAGE detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).
LCO            One method of protecting against large RCS LEAKAGE derives from the ability of instruments to rapidly detect extremely small leaks that indicate a possible RCPB degradation. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that small leaks are detected in time to allow actions to place the unit in a safe condition.
The LCO is satisfied when monitors of diverse measurement means are available. Thus, the CES sample vessel level monitors, in combination with CES inlet pressure channels and a CES gas discharge radioactivity monitor, provides five channels of leakage detection using three diverse methods. The specification requires two of the three diverse methods to be OPERABLE. CES inlet pressure monitoring is performed by two redundant, seismically qualified pressure instruments.
NuScale [US600]                        B 3.4.7-2                                Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 BASES APPLICABILITY  Because of elevated RCS temperature and pressure in MODES 1 and 2, and the potential for elevated temperature and pressure in MODE 3 when RCS hot temperature is  200 &deg;F, RCS leakage detection instrumentation is required to be OPERABLE.
In MODE 3 with RCS hot temperature < 200 &deg;F the RCS pressure is low and the RCPB no longer requires monitoring because pressurization is due to operation of the CVCS, and the likelihood of leakage and crack propagation is much smaller.
In MODE 4 or 5, the RCPB is open to the containment or refueling pool and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1 and 2, or when applicable in MODE 3, the likelihood of leakage and crack propagation is much smaller. Therefore, the requirements of this LCO are also not applicable in MODES 4 and 5.
The applicability requirements are modified by two Notes. The first Note states that the LCO requirements are not applicable if one or more ECCS valves is open. In that condition the RCS is open to the containment and leakage detection no longer indicates a potential degradation of the RCPB.
The second Note states that the LCO is not applicable in MODE 3 when containment flood operations are in progress. Containment flooding operations include actively adding water to the containment, when the containment is flooded, during draining of the containment, while removing residual water from the containment by establishing a vacuum to place leakage monitoring instrumentation in service.
In MODE 3 when containment flooding is in progress, the RCS is rapidly cooled to less than 200 &deg;F and the LCO Applicability will be exited. In this condition, the RCS leakage detection instrumentation is unavailable and the rapidly reduced RCS pressure reduces the likelihood of leakage and crack propagation. During restoration of operating conditions, the containment must be drained and residual water removed by establishment of a vacuum in the containment. Leakage detection instrumentation is not available until containment is drained and the requisite conditions are restored. Required leakage detection instrumentation is required prior to entry into MODE 2.
NuScale [US600]                        B 3.4.7-3                              Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 BASES ACTIONS        The ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each condensate channel and each pressure channel. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable condensate and pressure channel. With an inoperable channel the method of detection remains capable of identifying RCS leakage with any OPERABLE channel.
A.1 and A.2 With one required leakage detection channels inoperable, the remaining OPERABLE channel(s) will provide indication of changes in leakage.
Additionally, the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.5.1 is not required to be performed until 12 hours after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown). The 12 hour allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established.
Restoration of the channel to OPERABLE status is required to regain the function in a Completion Time of 14 days after the channel's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.
B.1 With one required leakage detection method inoperable, the remaining OPERABLE method will provide indication of changes in leakage.
Additionally, Action A.1 will continue to apply and the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage.
However diversity of leakage detection instrumentation is not available. In addition to the Required Actions of Condition A, the required leakage method is required to regain the function in a Completion Time of 72 hours after the method's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.
NuScale [US600]                        B 3.4.7-4                                Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 BASES ACTIONS (continued)
C.1 and C.2 If the Required Action cannot be met within the required Completion Time or if all required leakage detection methods are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS hot temperature < 200 &deg;F within 48 hours. This action will place the RCS in a low pressure state which reduces the likelihood of leakage and crack propagation. The allowed Completion Times are reasonable, based on operating requirements and normal cooling capabilities, to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.4.7.1, SR 3.4.7.2, and SR 3.4.7.3 REQUIREMENTS These SRs require the performance of a CHANNEL CHECK for each of the required RCS leakage detection instrumentation channels. The check gives reasonable confidence that the channel is operating properly. The CHANNEL CHECK of the CES condensate and inlet pressure channels includes instrumentation used to assure the containment is operating within the acceptable pressure-temperature region necessary for instrument OPERABILITY. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.4.7.4 and SR 3.4.7.5 These SRs require the performance of a COT on the CES gaseous radioactivity monitor and each required CES condensate channel when they are required to be OPERABLE. The test ensures that the monitor or channel can perform its function in the desired manner. A successful test may be performed by the verification of the change of state of an output of the channel. This is acceptable because all of the other required channel outputs are verified by the CHANNEL CALIBRATION. The test verifies the alarm setpoint and relative accuracy of the instrument string when applicable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.4.7-5                              Revision 4.0
 
RCS Leakage Detection Instrumentation B 3.4.7 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.4.7.6, SR 3.4.7.7, and SR 3.4.7.8 These SRs require the performance of a CHANNEL CALIBRATION for each of the required RCS leakage detection instrumentation channels.
The calibration verifies the accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. 10 CFR 50, Appendix A, GDC 30.
: 2. Regulatory Guide 1.45, Revision 1, May 2008.
: 3. FSAR, Section 5.2.
: 4. FSAR, Section 3.6.
: 5. FSAR, Section 11.5.
NuScale [US600]                        B 3.4.7-6                                Revision 4.0
 
RCS Specific Activity B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.8 RCS Specific Activity BASES BACKGROUND          The limits on RCS specific activity ensure that the doses due to postulated accidents are within the doses reported in FSAR Chapter 15.
The RCS specific activity LCO limits the allowable concentration of iodines and noble gases in the reactor coolant. The LCO limits are established based on a fuel defect level of 0.066% assumed by the NuScale operating source term and to ensure that unit operation remains within the conditions assumed for Design Basis Accident (DBA) release analyses.
The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to limit the doses due to postulated accidents to within the values calculated in the radiological consequences analyses (as reported in FSAR Chapter 15).
APPLICABLE          The LCO limits on the reactor coolant specific activity are a factor in SAFETY              accident analyses that assume a release of primary coolant to the ANALYSES            environment either directly as in a small line break outside containment or indirectly by way of LEAKAGE to the secondary coolant system and then to the environment (the Steam Line Break).
The events which incorporate the LCO values for primary coolant specific activity in the radiological consequence analysis include the following:
* Steam generator tube failure,
* Control rod ejection,
* Steam Line Break (SLB), and
* Small line break outside containment The limiting event for release of primary coolant activity is the small line break. The small line break dose analysis considers the possibility of a pre-existing iodine spike (in which case the maximum LCO of 2.2 Ci/gm DOSE EQUIVALENT I-131 is assumed) as well as the more likely initiation of an iodine spike due to the reactor trip and depressurization. In the latter case, the LCO of 3.7E-2 Ci/gm DOSE EQUIVALENT I-131 is assumed at the initiation of the accident, but the primary coolant NuScale [US600]                              B 3.4.8-1                                Revision 4.0
 
RCS Specific Activity B 3.4.8 BASES APPLICABLE SAFETY ANALYSES (continued) specific activity is assumed to increase with time due to the elevated iodine appearance rate in the coolant. The reactor coolant noble gas specific activity for both cases is assumed to be the LCO of 10 Ci/gm DOSE EQUIVALENT XE-133.
The LCO limits ensure that, in either case, the doses reported in FSAR Chapter 15 remain bounding.
The RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            The specific iodine activity is limited to 3.7E-2 Ci/gm DOSE EQUIVALENT I-131, and the specific noble gas activity is limited to 10 Ci/gm DOSE EQUIVALENT XE-133. These limits ensure that the doses resulting from a DBA will be within the values reported in FSAR Chapter 15.
The accident analyses (Ref. 1) show that the offsite doses are within acceptance limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of small line break accident, lead to doses that exceed those reported FSAR Chapter 15.
APPLICABILITY  In MODES 1 and 2, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 specific activity are necessary to contain the potential consequences of applicable safety analysis events to within the calculated site boundary dose values.
For operation in MODES 3, 4, and 5, the release of radioactivity in the event is limited by the reduced pressures and temperatures in the primary and secondary systems.
ACTIONS        A.1 and A.2 With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours must be taken to verify that DOSE EQUIVALENT I-131 is  2.2 Ci/gm. The Completion Time of 4 hours is required to obtain and analyze a sample. Sampling is to continue to provide a trend.
NuScale [US600]                        B 3.4.8-2                                Revision 4.0
 
RCS Specific Activity B 3.4.8 BASES ACTIONS (continued)
The DOSE EQUIVALENT I-131 must be restored to normal within 48 hours. If the concentration cannot be restored to within the LCO limit in 48 hours, it is assumed that the LCO violation is not the result of normal iodine spiking.
A Note to the Required Action of Condition A states that LCO 3.0.4.c is applicable. This exception allows entry into the applicable MODE(S) when an allowance is stated in the ACTIONS even though the ACTIONS may eventually require unit shutdown. This exception is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unit remains at, or proceeds to power operation.
B.1 With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours.
The allowed Completion Time of 48 hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a small line break occurring during this time period.
A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODES, relying on Required Action B.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unit remains at, or proceeds to, power operation.
C.1 and C.2 If a Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 2.2 Ci/gm, the reactor must be brought to MODE 2 within 6 hours and MODE 3 within 36 hours. The allowed Completion Times are reasonable, based on operating requirements, to reach the required unit conditions from full power conditions in an orderly manner.
NuScale [US600]                          B 3.4.8-3                                  Revision 4.0
 
RCS Specific Activity B 3.4.8 BASES SURVEILLANCE    SR 3.4.8.1 REQUIREMENTS SR 3.4.8.1 requires performing a gamma isotopic analysis and calculating the DOSE EQUIVALENT XE-133 using the dose conversion factors in the DOSE EQUIVALENT XE-133 definition. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in the noble gas specific activity.
Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions.
If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.
The Surveillance Frequency is based on industry operating experience, equipment reliability, and unit risk and is controlled under the Surveillance Frequency Control Program.
SR 3.4.8.2 This Surveillance is performed to ensure iodine specific activity, calculated using the dose conversion factors in the DOSE EQUIVALENT I-131 definition, remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more likely to occur.
The normal Surveillance Frequency is based on industry operating experience, equipment reliability, and unit risk and is controlled under the Surveillance Frequency Control Program.
The conditional Frequency, between 2 and 6 hours after a power change 15% RTP within a 1 hour period, is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                        B 3.4.8-4                                  Revision 4.0
 
SG Tube Integrity B 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.9 Steam Generator (SG) Tube Integrity BASES BACKGROUND        Steam generator (SG) tubes are small diameter, thin walled tubes that carry secondary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions.
Steam generator tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary systems pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.5.2, "Decay Heat Removal System (DHRS).
SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.
Steam generator tubing is subject to a variety of degradation mechanisms. Steam generator tubes may experience tube degradation related to corrosion phenomena, such as pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.
Specification 5.5.4, Steam Generator (SG) Program, requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.4, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 5.5.4. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions.
The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).
NuScale [US600]                            B 3.4.9-1                                Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES APPLICABLE      The steam generator tube failure (SGTF) accident is the limiting design SAFETY          basis event for SG tubes and avoiding an SGTF is the basis for this ANALYSES        Specification. The analysis of a SGTF event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.5, RCS Operational LEAKAGE, plus the leakage rate associated with a double-ended failure of a single tube. The accident analysis for a SGTF assumes the contaminated secondary fluid is only briefly released to the atmosphere via safety valves and the majority is discharged to the main condenser.
The analysis for design basis accidents and transients other than a SGTF assume the SG tubes retain their structural integrity (i.e., they are assumed not to fail). In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.8, RCS Specific Activity, limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2) which NuScale implements as principal design criterion 19 described in FSAR section 3.1 (Ref. 3),
10 CFR 50.34 (Ref. 4) or the NRC approved licensing basis (e.g., a small fraction of these limits).
Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO            The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging criteria be plugged in accordance with the Steam Generator Program.
During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.
If a tube was determined to satisfy the plugging criteria but was not plugged, the tube may still have tube integrity.
In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall, between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet.
The tube-to-tubesheet weld is not considered part of the tube.
A SG tube has tube integrity when it satisfies the SG performance criteria.
The SG performance criteria are defined in Specification 5.5.4, Steam Generator Program, and describe acceptable SG tube performance.
The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria.
NuScale [US600]                        B 3.4.9-2                                Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES LCO (continued)
There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. Failure to meet any one of these criteria is considered failure to meet the LCO.
The structural integrity performance criterion provides a margin of safety against tube failure or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube failure is defined as, The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation. Tube collapse is defined as, For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero. The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term significant is defined as An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting failure/collapse condition to be established. For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis.
The division between primary and secondary classifications will be based on detailed analysis and/or testing.
Structural integrity and the accident induced leakage performance criteria ensures that calculated stress intensity in a SG tube not exceed ASME Code, Section III (Ref. 5) limits for Design and all Service Level A, B, C and D Conditions included in the design specification. SG tube Service Level D represents limiting accident loading conditions. Additionally, NEI 97-06 Tube Structural Integrity Performance Criterion establishes safety factors for tubes with characteristic defects (axial and longitudinal cracks and wear defects), including normal operating pressure differential and accident pressure differential, in addition to other associated accident loads consistent with guidance in Draft Regulatory Guide 1.121 (Ref. 6).
Therefore in addition to meeting the structural integrity criteria, no additional accident induced primary-to-secondary LEAKAGE is assumed to occur as the result of a postulated design basis accident other than a SGTF.
NuScale [US600]                        B 3.4.9-3                                  Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES LCO (continued)
The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during unit operation. The limit on operational LEAKAGE is contained in LCO 3.4.5, RCS Operational LEAKAGE, and limits primary to secondary LEAKAGE to 150 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTF under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.
APPLICABILITY  Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, or 3 and not PASSIVELY COOLED.
RCS conditions are far less challenging in MODE 3 and PASSIVELY COOLED, MODES 4 and 5 than during MODES 1, 2, and 3 and not PASSIVELY COOLED. In MODE 3 and PASSIVELY COOLED, MODES 4 and 5, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.
ACTIONS        The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.
A.1 and A.2 Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.9.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG plugging criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG NuScale [US600]                        B 3.4.9-4                                  Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES ACTIONS (continued) performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.
A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of unit operation with a SG tube that may not have tube integrity.
If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows unit operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE 3 following the next unit refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.
B.1 and B.2 If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 2 within 6 hours and MODE 3 and PASSIVELY COOLED within 36 hours.
The allowed Completion Times are reasonable, based on operating requirements, to reach the desired unit conditions from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.4.9.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.
During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the NuScale [US600]                            B 3.4.9-5                                Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued) as found condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.
The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.
Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.
The Steam Generator Program defines the Frequency of SR 3.4.9.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 7). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.4 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.
If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected unit SGs is restricted by Specification 5.5.4 until subsequent inspections support extending the inspection interval.
SR 3.4.9.2 During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.
The tube plugging criteria delineated in Specification 5.5.4 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.
NuScale [US600]                        B 3.4.9-6                                Revision 4.0
 
SG Tube Integrity B 3.4.9 BASES SURVEILLANCE REQUIREMENTS (continued)
The Frequency of prior to entering MODE 3 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.
REFERENCES      1. NEI 97-06, Rev. [3].
: 2. 10 CFR 50, Appendix A, GDC 19.
: 3. FSAR, Section 3.1.
: 4. 10 CFR 50.34.
: 5. ASME, Boiler and Pressure Vessel Code, Section III, Subsection NB,
[2013 edition].
: 6. Draft Regulatory Guide 1.121, August 1976.
: 7. EPRI, Pressurized Water Reactor Steam Generator Examination Guidelines, Rev. [4].
NuScale [US600]                        B 3.4.9-7                              Revision 4.0
 
LTOP Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.10 Low Temperature Overpressure Protection (LTOP) Valves BASES BACKGROUND        The emergency core cooling system (ECCS) reactor vent valves (RVVs) serving as LTOP valves in combination with the module protection system (MPS) LTOP actuation function limit the RCS pressure at low temperatures. Together the MPS function and the valves limit the RCS pressure so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1). The PTLR provides the maximum allowable actuation setpoints for MPS actuation of the RVVs to limit the maximum RCS pressure for the existing RCS temperature to meet the Reference 1 requirements. The NuScale design limits potential LTOP conditions to MODE 3 with ECCS valves closed.
The reactor vessel material is less tough at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.
Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits, requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the PTLR limits.
If RCS pressure exceeds the established setpoint while the RCS temperature is approaching or below the nil ductility temperature of the limiting components of the reactor pressure boundary, the MPS will actuate to open the RVVs. Detection of this condition and the actuation are required in Technical Specifications 3.3.1, MPS Instrumentation, and 3.3.3, ESFAS Logic and Actuation. Automatic LTOP is enabled by the MPS during RCS operations at reduced temperatures.
Each RVV includes a mechanical actuation block to reduce the likelihood of inadvertent operation of the valve during power operations. Valve actuation is blocked when the difference between the containment pressure and RCS pressure is greater than could exist when LTOP is required to function. Therefore the inadvertent actuation block will not prevent immediate opening of the RVVs if an LTOP actuation occurs.
NuScale [US600]                          B 3.4.10-1                              Revision 4.0
 
LTOP Valves B 3.4.10 BASES BACKGROUND (continued)
With at least two RVVs open, the valves provide a vent path from the RCS to containment, preventing potential RCS low temperature overpressure conditions.
APPLICABLE      Safety analyses (Ref. 3) demonstrate that the reactor vessel is SAFETY          adequately protected against exceeding the Reference 1 P/T limits. In ANALYSES        MODES 1 and 2, and MODE 3 with RCS cold temperature exceeding LTOP arming temperature specified in the PTLR T-1, the reactor safety valves will prevent RCS pressure from exceeding the Reference 1 limits.
Below the T-1 temperature specified in the PTLR, overpressure prevention falls to three OPERABLE or two open ECCS RVVs.
The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the PTLR curves are revised, the LTOP System must be reevaluated to ensure its functional requirements can still be met using the RCS relief valve method or the depressurized and vented RCS condition.
The PTLR contains the acceptance limits that define the LTOP requirements including the setpoint for the T-1 LTOP enable interlock.
Any change to the RCS must be evaluated against the Reference 3 analyses to determine the impact of the change on the LTOP acceptance limits.
Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, examples of which follow:
: a. Inadvertent operation of the module heatup system,
: b. Excessive CVCS makeup, or
: c. Spurious actuation of the pressurizer heaters.
The Reference 3 analyses demonstrate that two open RVVs can maintain RCS pressure below limits. Thus, the LCO requires each RVV to be OPERABLE or two RVVs open during the conditions when a low temperature overpressure condition could occur.
NuScale [US600]                        B 3.4.10-2                              Revision 4.0
 
LTOP Valves B 3.4.10 BASES APPLICABLE SAFETY ANALYSES (continued)
Fracture mechanics analyses established the temperature of LTOP Applicability at the LTOP enabling interlock specified in the PTLR.
The fracture mechanics analyses show that the vessel is protected when the RVVs are set to open at or below the limit shown in the PTLR. The setpoints are derived by analyses that model the performance of the MPS instrumentation and actuation and the RVVs assuming the limiting low temperature overpressure transient of spurious actuation of the pressurizer heaters in the RCS. These analyses consider pressure overshoot resulting from signal processing and valve stroke times. The LTOP setpoints at or below the derived limit ensures the Reference 1 P/T limits will be met.
The MPS setpoints in the PTLR will be updated when the revised P/T limits conflict with the LTOP analysis limits. The P/T limits are periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits, discuss these examinations.
The RVVs are considered active components. Thus, the failure of one RVV is assumed to represent the worst case, single active failure.
An open RVV is passive and is not subject to active failure.
The LTOP valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO requires that each closed LTOP valve (RVV) be OPERABLE.
The valves are OPERABLE when the RVVs are capable of opening in response to an LTOP actuation signal from the MPS. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.
NuScale [US600]                        B 3.4.10-3                              Revision 4.0
 
LTOP Valves B 3.4.10 BASES APPLICABILITY  This LCO is applicable in MODE 3 when RCS cold temperature is below LTOP enable interlock T-1 specified in the PTLR. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above LTOP enable interlock T-1 specified in the PTLR.
When two or more RVVs are open, or when the module is in MODE 4 or MODE 5, it is disconnected from its operating position and the RCS is open to the containment atmosphere. In MODES 4 or 5 the ECCS RVVs are de-energized and open providing a vent path.
LCO 3.3.1, Module Protection System Instrumentation, and LCO 3.3.3, ESFAS Logic Actuation provide the OPERABILITY requirements for the instrumentation to detect and actuate each RVVs in response to an LTOP condition. LTOP is enabled when two of four wide range RCS cold temperatures indicate a temperature below the T-1 interlock setpoint established by the PTLR. The T-1 interlock is described in the Bases for LCO 3.3.1, "Module Protection System Instrumentation."
LCO 3.4.3 provides the operational P/T limits at all times.
LCO 3.4.4, Reactor Safety Valves, requires the OPERABILITY of the reactor safety valves that provide overpressure protection during MODES 1 and 2, and MODE 3 above the LTOP enable interlock T-1 specified in the PTLR.
ACTIONS        A.1 and A.2 With one RVV closed and inoperable, two RVVs remain available to mitigate an LTOP condition. A Note is provided which indicates the Condition does not apply when two RVVs are open because LTOP protection has been established. The Required Action is to restore the inoperable RVV or to open the inoperable RVV so that it is performing the safety function of providing a vent path from the RCS to the containment atmosphere.
The Completion Time considers that only two of the RVVs are required to mitigate an overpressure transient and that the likelihood of initiating event and an active failure of a remaining OPERABLE RVV during this time period is very low.
NuScale [US600]                      B 3.4.10-4                                Revision 4.0
 
LTOP Valves B 3.4.10 BASES ACTIONS (continued)
B.1 and B.2 With two closed RVVs inoperable, overpressurization is possible. Four hours to restore the closed RVV to OPERABILITY or open the RVV permits evaluation of the condition and completion of the action required to assure an LTOP condition cannot occur in a deliberate manner. The RCS vent to the containment atmosphere with two RVVs open prevents an overpressure condition from occurring.
C.1 and C.2 With three closed inoperable RVVs the RCS does not have overpressure protection. The Completion Time considers the urgency of removing the RCS from this condition, the time required to place the plant in this Condition in an orderly manner without challenging plant systems, and the relatively low probability of an overpressure event during this time period.
SURVEILLANCE      A Note is provided to indicate that the surveillance requirements are not REQUIREMENTS      required to be met for valves that are open. This merely clarifies the intent of the surveillance testing applicability and is consistent with the LCO requirement that each closed RVV be OPERABLE.
SR 3.4.10.1, SR 3.4.10.2, and SR 3.4.10.3 The ability of the RVVs to perform their LTOP safety function requires the same testing as required for them to perform their ECCS function. The bases for these surveillance requirements are the same as those specified in LCO 3.5.1, Emergency Core Cooling System however they only apply to the RVVs.
ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.
The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.
NuScale [US600]                        B 3.4.10-5                                  Revision 4.0
 
LTOP Valves B 3.4.10 BASES SURVEILLANCE REQUIREMENTS (continued)
In addition to verification that the RVVs will perform as designed, the inadvertent actuation block must be verified to function such that it will not prevent LTOP actuation if needed.
The Frequencies are controlled under the Surveillance Frequency Control Program or the INSERVICE TESTING PROGRAM consistent with the testing required by LCO 3.5.1.
REFERENCES      1. 10 CFR 50, Appendix G.
: 2. Generic Letter 88-11.
: 3. FSAR, Chapter 5.
NuScale [US600]                        B 3.4.10-6                              Revision 4.0
 
ECCS B 3.5.1 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)
B 3.5.1 Emergency Core Cooling System (ECCS) - Operating BASES BACKGROUND        The ECCS provides decay heat removal for a postulated steam generator tube failure event or Loss of Coolant Accident (LOCA) event that exceeds the makeup capacity of the Chemical and Volume Control System (CVCS). The ECCS is designed to bring the reactor coolant system (RCS) to a low temperature and low pressure safe shutdown condition.
The ECCS consists of three reactor vent valves (RVVs) located on the reactor head, two RRVs located above the reactor flange, and associated controls and instrumentation. The RVVs are connected to the vapor space of the pressurizer region of the reactor vessel. The reactor recirculation valves (RRVs) penetrate the reactor vessel above the top of the reactor core and open into the downcomer region of the reactor vessel. The ECCS valves form a portion of the reactor coolant pressure boundary.
ECCS actuation occurs when the Module Protection System (MPS) de-energizes solenoid trip valves in the hydraulic controls of the RVVs and RRVs. MPS is designed to actuate the ECCS on high containment water level. In addition to the solenoid trip valve actuation, the ECCS valves are hydraulically interlocked in the closed position until the differential pressure between the RCS and containment vessel is reduced by flow from a postulated break. Even with an open signal present the valves do not actuate open until the differential pressure has fallen to the credited differential pressure. The differential pressure interlock will not prevent the ECCS system from performing its design function, it just reduces the likelihood of inadvertent actuation during power operations.
ECCS actuation and function, including the differential pressure interlock, do not require electrical power. The solenoid trip valves are designed to actuate upon loss of electrical power. The differential pressure interlock is mechanical and does not require external power, depending only on the pressure sources of the reactor vessel and of the containment environment to function. No operator action is required to establish and maintain long term core cooling when the system is actuated.
Note that in certain loss of power events, the ECCS actuation solenoid trip valves are supplied battery power to prevent inadvertent actuation.
If an ECCS actuation signal occurs during this time, the solenoid trip valves will be deenergized and result in ECCS valve actuation when NuScale [US600]                          B 3.5.1-1                                  Revision 4.0
 
ECCS B 3.5.1 BASES BACKGROUND (continued) the mechanical pressure interlock permits. Although uncredited in the safety analyses, after 24 hours on battery power, ECCS will actuate if electrical power has not been restored. Additionally, the ECCS mechanical pilot valve design will result in the ECCS valves opening if the RCS and containment pressures approach the same values regardless of the ECCS actuation signal status. This behavior is not credited however is a function of the design of the valve actuators.
RCS vapor is vented from the pressurizer space through the RVVs into the containment vessel when the RVVs are opened. This steam condenses on the inner walls of the containment vessel and flows to the bottom of the vessel where it accumulates with any other leakage that is in the containment vessel from a postulated break. The RRVs open simultaneously with the RVVs to provide a flow path for this condensate from the containment vessel to flow back into the reactor vessel. The design of the reactor and containment vessel geometries and the total RCS liquid volume is such that upon ECCS actuation, liquid levels in both the reactor and containment vessel will stabilize above the top of the core. The containment water level will be higher than the RCS level providing the driving force for natural circulation flow of cooler RCS water in containment back into the reactor vessel.
This natural circulation flow will maintain core submersion and cooling.
Heat is transferred to the containment by steam condensation on the containment interior, and then removed from containment by condensate heat conduction through the containment vessel wall. In addition to mass transfer, heat is removed by conduction through the reactor vessel walls during ECCS operation because the lower portions of the reactor vessel walls are submerged and wetted by coolant on both sides. Heat is removed from the containment wall through contact with the reactor pool which acts as the ultimate heat sink (UHS).
The ECCS valves are sized to ensure that sufficient pressure equalization exist to support core cooling when at least two RVVs and at least one RRV have opened.
In MODES 1, 2 and MODE 3 when the RCS hot temperature is greater than the T-3 interlock (approximately 350 &deg;F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%), the ECCS is actuated on high level in the containment vessel. The high containment level actuation set point of the ECCS was chosen to ensure that sufficient level exists within the containment vessel prior to actuation of the ECCS to ensure the core remains covered as a result of ECCS actuation.
NuScale [US600]                        B 3.5.1-2                              Revision 4.0
 
ECCS B 3.5.1 BASES BACKGROUND (continued)
In MODES 1 and 2 when the containment pressure is above the P-1 interlock (approximately 1 psia) and the narrow range RCS hot temperature is above the T-6 interlock (approximately 475 &deg;F) the ECCS is actuated on low RCS pressure at about 800 psia. The setpoint was chosen to ensure that actuation occurs before significant accumulation of water with a reduced boron concentration can occur in the different regions of the RCS and the containment. This ensures an unanalyzed reactivity transient will not occur during small loss of coolant events in the containment.
Specification 3.3.1 describes the instrumentation and actuation logic for ECCS actuation. In applicable design basis accident scenarios, the actuation setpoints and the mechanical pressure interlock operation are sufficient to ensure the core remains cooled and covered.
In MODE 3 the RVVs provide Low Temperature Over-Pressure (LTOP) protection for the RCS as described in LCO 3.4.10.
In MODE 3 in PASSIVE COOLING, the ECCS is either performing its design function to support the transfer of decay heat from the reactor core to the containment vessel so the system or alternative means of removing decay heat have been established and the system is no longer required to be OPERABLE.
In MODE 4 the ECCS is not required because the ECCS valves are open and de-energized, and the unit is being passively cooled which ensures decay heat removal is being accomplished. Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de-energized and opened RRVs are open between the UHS water inside the containment and the RCS. In MODE 5, core cooling is accomplished by conduction through the RPV wall to the ultimate heat sink until the upper containment and upper RPV are separated from the lower RPV and the reactor core. Once the RPV is separated at the flange during disassembly the lower RPV internals and reactor core are in direct contact with the reactor pool thereby ensuring adequate cooling by direct contact with the ultimate heat sink. Therefore the ECCS is not required to be OPERABLE in MODE 5.
The ECCS valves are OPERABLE when they are closed and capable of opening, including the operation of the mechanical pressure interlock, upon receipt of an actuation signal, or are open performing their intended function. FSAR Section 6.3 describes the ECCS design (Ref. 1).
NuScale [US600]                        B 3.5.1-3                                Revision 4.0
 
ECCS B 3.5.1 BASES APPLICABLE      The ECCS is designed to provide core cooling following postulated SAFETY          Loss of Coolant Accident design basis events as described in the ANALYSES        FSAR Chapter 15 (Ref. 2).
The system establishes a path for heat transfer to the UHS via conduction and convection of condensed coolant in the containment vessel and by the condensation of steam vapor on the upper portions of the containment vessel. The design ensures that in the event of a loss of primary coolant to the containment vessel, sufficient coolant will be returned to the reactor vessel to ensure that the core remains cooled and covered at all times. Actuation of the system ensures that pressure differences between the containment vessel and the reactor pressure vessel are minimized sufficiently to allow hydraulic head of the fluid in containment to establish flow to the reactor vessel via an open RRV. Actuation also prevents significant differences in RCS boron concentration in the various regions of the RCS and the containment. This ensures an unanalyzed reactivity transient will not occur during small loss of coolant events in the containment.
The ECCS system includes an inadvertent actuation block (IAB) feature. The IAB safety function is to permit the RVVs and RRVs to open only when appropriate conditions exist as described in the safety analysis.
ECCS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO establishes the minimum conditions necessary to ensure that ECCS valves will be available to meet the initial conditions assumed in the safety analyses. Two RVVs and one RRV provide the safety function of the safety analyses for LOCA and SGTF events.
Loss of any system component eliminates the redundancy provided to meet its safety function.
APPLICABILITY  The ECCS is relied upon to provide a passive response to loss of coolant accidents in MODES 1 and 2, and in MODE 3 when the RCS hot temperature is greater than the T-3 interlock (approximately 350 &deg;F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%). Additionally, the valves are ensured to open when power is removed when the module is disconnected at the operating position as part of the refueling process. In MODE 4 and 5 core cooling is provided by passive conduction through the containment vessel or direct communication and contact of the core with the ultimate heat sink. Therefore the ECCS valves are not required to be OPERABLE in MODE 4 or 5.
NuScale [US600]                        B 3.5.1-4                                Revision 4.0
 
ECCS B 3.5.1 BASES ACTIONS        A.1 To meet the ECCS safety function at least two RVVs must open. If a single RVV is inoperable it eliminates the redundancy of this safety system. The valve must be restored to OPERABLE. A Completion Time of 72 hours is reasonable based on the probability of a LOCA or LTOP condition occurring during this period, the reliability of the other RVVs, and the ability of the system to cope with this event using the chemical volume control system and the containment flooding and drain system.
B.1 To meet the ECCS safety function at least one RRV must open. If a single RRV is inoperable it eliminates the redundancy of the of this safety system. The valve must be restored to OPERABLE. A Completion Time of 72 hours is reasonable based on the probability of a LOCA condition occurring during this period, the reliability of the other RRV, and the ability of the system to cope with this event using the chemical volume control system and the containment flooding and drain system.
C.1 and C.2 If the Required Actions cannot be completed within the associated Completion Times, if two or more RVVs, or both RRVs are inoperable the unit must be placed in a condition that does not rely on the ECCS valves opening. To accomplish this, the unit must be shutdown and placed in a safe condition. This is accomplished by Required Actions C.1 and C.2.
Required Action C.1 places the unit in MODE 2 within 6 hours.
Required Action C.2 places the unit in MODE 3 and passively cooled within 36 hours.
Completion Times are established considering the likelihood of a LOCA event that would require ECCS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.
NuScale [US600]                      B 3.5.1-5                                  Revision 4.0
 
ECCS B 3.5.1 BASES SURVEILLANCE    SR 3.5.1.1 REQUIREMENTS Verification that the RVVs and RRVs are OPERABLE by stroking the valves open ensures that each train of ECCS will function as designed when these valves are actuated. One RVV is designed to be actuated by either division of the MPS and it must be verified to open from each division without dependence on the other. The RVVs and RRVs safety function is to open as described in the safety analysis. When an ECCS valve is open it has performed its safety function.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.1.2 Verifying that the open ACTUATION RESPONSE TIME of each RVV and RRV is within limits is required to demonstrate OPERABILITY.
The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. One RVV is designed to be actuated by either division of the MPS and its actuation time must be tested from each division without dependence on the other.
ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.
When an ECCS valve is open it has performed its safety function.
Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
SR 3.5.1.3 Verification that the inadvertent actuation block setpoints are within limits, and the inadvertent actuation block function is OPERABLE ensures that opening of the RVVs and RRVs is blocked when elevated RCS to CNV differential pressure conditions exist.
Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
NuScale [US600]                        B 3.5.1-6                              Revision 4.0
 
ECCS B 3.5.1 BASES REFERENCES      1. FSAR, Section 6.3.
: 2. FSAR, Chapter 15.
NuScale [US600]                    B 3.5.1-7 Revision 4.0
 
DHRS B 3.5.2 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)
B 3.5.2 Decay Heat Removal System (DHRS)
BASES BACKGROUND          The Decay Heat Removal System (DHRS) is a passive heat removal system that is used whenever the normal unit feedwater and steam systems are unavailable due to failure or loss of normal AC power.
The system is comprised of two loops; one connected to each of the two steam generators.
Each loop of decay heat removal includes a steam generator submersed in the reactor coolant system fluid, and a heat exchanger that is attached to the outside of the containment vessel and submerged in the reactor pool. The heat exchanger is located above midline of the steam generator. The top inlet of the DHRS heat exchanger is attached to the main steam line upstream of the main steam isolation valve of the associated steam generator. The bottom of the heat exchanger is attached to the feedwater line downstream of the feedwater isolation valve to the associated steam generator. Each DHR heat exchanger is normally isolated from the main steam lines by two valves, the DHRS Actuation valves, in parallel on the line between the top of the heat exchanger and the main steam line from the associated steam generator.
During normal operation the DHR heat exchanger is filled and maintained pressurized by the feedwater system. When decay heat removal is required to perform its design function the feedwater and main steam isolation valves are closed, and the DHRS Actuation valves open. The closed feedwater and main steam isolation valves form part of the DRHS pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1). This allows the water stored in the heat exchanger and piping to enter the steam generator via gravity as steam flows into the heat exchanger from the main steam line. Steam condenses on the inside of the tubes and continues to drain back to the steam generator in a closed loop. The inventory of the decay heat removal system, associated SG, and piping is sufficient to support the operation of the system.
Only one loop of DHRS is required to meet the decay heat removal requirements of the power module, and only one DHRS Actuation valve is required to open to ensure operation of a decay heat removal train. As a result there is no single active failure that will prevent a single loop of DHRS from performing its design function.
NuScale [US600]                            B 3.5.2-1                                    Revision 4.0
 
DHRS B 3.5.2 BASES BACKGROUND (continued)
The closed feedwater and main steam isolation valves form part of the DHRS loop pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1) and FSAR Section 10.3 (Ref. 2).
APPLICABLE      The DHRS is designed to ensure that adequate decay heat removal is SAFETY          provided to ensure core integrity. The system function is bounded by ANALYSIS        loss of normal AC power event, as described in FSAR Chapter 15 (Ref. 3). A loss of normal AC power will result in a loss of feedwater and a loss of condenser vacuum. Both of these anticipated operational occurrences (AOOs) require actuation of the DHRS.
DHRS is actuated by MPS upon receipt of any of the following:
: a. High Pressurizer Pressure
: b. High RCS Hot Temperature
: c. Low AC Voltage
: d. High Steam Pressure These actuations cover the range of events that indicate inadequate heat removal from the Reactor Coolant System.
DHRS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO ensures that sufficient DHRS equipment is OPERABLE to meet the initial conditions assumed in the safety analyses. One loop of DHRS is required to function to meet the safety function of the system.
Each loop of DHRS includes one SG, one heat exchanger, and redundant valves that actuate for the system to meet its safety function. Inoperability of individual redundant valves do not affect the overall redundancy of the DHRS. However, both redundant valves are needed to ensure that the DHRS loop is capable of meeting its safety function if a single active failure occurs.
NuScale [US600]                        B 3.5.2-2                                Revision 4.0
 
DHRS B 3.5.2 BASES APPLICABILITY  The DHRS is relied upon to provide a passive means of decay heat removal in MODES 1 and 2. The DHRS must remain OPERABLE in MODE 3 until PASSIVE COOLING. In MODE 4, DHRS is not required because conductive shutdown cooling through the containment vessel to the ultimate heat sink (UHS) has been established. When being disassembled in MODE 4 and in MODE 5 when one or more reactor vessel flange bolts are less than fully tensioned, but before the upper module and lower reactor vessel are separated, the containment lower shell has been removed and the reactor vessel and RCS are cooled by direct contact with the UHS. In MODE 5 decay heat removal is by direct transfer to the refueling pool water which is in contact with the reactor fuel.
ACTIONS        A.1 To meet the DHR safety function at least one loop must function. If a single loop of DHR is inoperable it eliminates the redundancy of this safety system. The system must be restored to OPERABLE.
A Completion Time of 72 hours is reasonable based on the probability of the DHR system being needed during this period, the reliability of the other loop of DHR including redundant actuation and isolation valves, and the ability of the unit to cope with this condition using the ECCS.
B.1 and B.2 If the Required Actions cannot be completed within the associated Completion Time, or if both loops of DHRS are declared inoperable the unit must be placed in a mode that does not rely on the DHRS. This is accomplished by Required Actions B.1 and B.2.
Required Action B.1 places the unit in MODE 2 within 6 hours.
Required Action B.2 places the unit in MODE 3 and PASSIVELY COOLED within 36 hours.
Completion Times are established considering the likelihood of an event that would require DHRS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.
NuScale [US600]                        B 3.5.2-3                                Revision 4.0
 
DHRS B 3.5.2 BASES SURVEILLANCE    SR 3.5.2.1 REQUIREMENTS This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for DHRS actuation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.2.2 Verification that the DHRS including the heat exchanger is filled ensures that there is sufficient inventory in the loop to fulfill its design function, and that non-condensable gases have not accumulated in the system. Each loop of the DHRS has four level sensors - two located on the DHRS piping below each of the two actuation valves that would indicate a reduced water level in the DHRS heat exchanger leg. Any level switch indicating a reduced water level is sufficient to determine the DHRS heat exchanger leg is not filled. The DHRS is filled with feedwater during startup, and during normal operation it is maintained filled by feedwater pressure. Feedwater flow through the DHRS loop does not occur because the DHRS actuation valves are closed.
Dissolved gas concentrations are maintained very low in feedwater during startup and operations by secondary water chemistry requirements. Therefore, significant levels of noncondensable gases are not expected to accumulate in the DHRS piping. However, maintaining the required DHRS inventory using the level sensors protects against buildup of noncondensable gases which could adversely affect DHRS operation. Monitoring the level switches ensures the system remains filled and non-condensable gas accumulation has not occurred.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                        B 3.5.2-4                                    Revision 4.0
 
DHRS B 3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.5.2.3 Verification that the level in a steam generator (SG) is > [5]% and
[65]% when its associated feedwater isolation valve is closed assures that the SG contains inventory adequate to support actuation and OPERABILITY of the associated decay heat removal system loop if it is required.
A Note is provided indicating that the surveillance is not required to be performed when the associated FWIV is open. In those conditions, the normal feedwater system controls ensure that the SG will support DHRS OPERABILITY if it is required.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.2.4 Verification that the DHRS actuation valves are OPERABLE by stroking the valves open ensures that each loop of DHRS will function as designed when these valves are actuated. The DHRS actuation valves safety function is to open as described in the safety analysis.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.2.5 Verifying that the open ACTUATION RESPONSE TIME of each DHRS actuation valve is within limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. Each loop of DHRS contains two actuation valves, one actuated from each division of the MPS ESFAS actuation logic.
ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.
Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.
NuScale [US600]                        B 3.5.2-5                                Revision 4.0
 
DHRS B 3.5.2 BASES REFERENCES      1. FSAR, Section 5.4.
: 2. FSAR, Section 10.3.
: 3. FSAR, Chapter 15.
NuScale [US600]                    B 3.5.2-6 Revision 4.0
 
Ultimate Heat Sink B 3.5.3 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)
B 3.5.3 Ultimate Heat Sink BASES BACKGROUND          The ultimate heat sink (UHS) consists of three areas identified as the reactor pool (RP), refueling pool (RFP), and spent fuel pool (SFP). The pool areas are open to each other with a weir wall partially separating the SFP from the RP and RFP. The UHS water level indicates the depth of water in the UHS from the reactor pool floor (25 ft building elevation). The UHS supports or provides multiple safety and important functions including:
: a. Acts as ultimate heat sink during postulated design basis events,
: b. Provides cooling and shielding of irradiated fuel in the spent fuel storage racks,
: c. Limits releases from postulated fuel handling accidents,
: d. Provides a reserve of borated water for filling the containment vessel in MODE 3,
: e. Limits the temperature of the containment vessel and module during operations,
: f. Provides shielding of radiation emitted from the core of an operating module, and
: g. Provides buoyancy during module movement in MODE 4.
The UHS function is performed by providing a sufficient heat sink to receive decay heat from a module via the decay heat removal system (DHRS) heat exchangers and conduction through the containment vessel walls (Ref. 1) after a postulated Emergency Core Cooling System (ECCS) actuation and after transition to long-term shutdown cooling (Ref. 2).
Irradiated fuel is stored in the SFP portion of the UHS that is separated from the balance of the pool by a submerged wall. The submerged wall includes a weir that permits movement of new and irradiated fuel from the storage areas to a reactor during refueling, and also provides a means of inventory communication between the pool areas. The SFP provides cooling and shielding of the irradiated fuel in the storage racks, and provides sufficient water level to retain iodine fission product activity in the event of a fuel handling accident. Sufficient iodine activity NuScale [US600]                              B 3.5.3-1                                  Revision 4.0
 
Ultimate Heat Sink B 3.5.3 BASES BACKGROUND (continued) will be retained to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 2).
During transients and shutdowns which are not associated with design basis events in which DHRS or ECCS is actuated, water from the RP is added to the containment vessel by the Containment Flood and Drain System (CFDS). After reaching an appropriate level in the containment, the reactor vent valves (RVVs) and reactor recirculation valves (RRVs) are opened to permit improved heat transfer from the reactor coolant system (RCS) to the containment vessel walls.
During normal operations, the RP limits temperatures of the module by maintaining the containment vessel partially submerged in water. The water also provides shielding above and around the region of the core during reactor operations, limiting exposure to personnel and equipment in the area.
In MODE 4, the module is transported from the operating position to the RFP area of the UHS. The UHS provides buoyancy as the module displaces pool water during the movement, thereby reducing the load on the reactor building crane.
APPLICABLE      During all MODES of operation and storage of irradiated fuel, the UHS SAFETY          supports multiple safety functions.
ANALYSIS The UHS level is assumed and credited in a number of transient analyses. The 68 ft level provides buoyancy assumed in the reactor building crane analysis and design to ensure its single-failure proof capacity during module movement in MODE 4. A UHS level of 65 ft provides margin above the minimum level required to support DHRS and ECCS operation in response to LOCA and non-LOCA design basis events. The 65 ft level also assures the containment vessel wall temperature initial condition assumed in the peak containment pressure analysis.
The UHS bulk average temperature is assumed and credited, directly or indirectly in design basis accidents including those that require DHRS and ECCS operation such as LOCA and non-LOCA design basis events. The bulk average temperature is also assumed as an initial condition of the peak containment pressure analysis, and the minimum pool temperature is an assumption used in long-term cooling analyses.
Note that the UHS sensible heat needed to heat the pool to boiling is not credited in the UHS safety analyses for pool inventory. Additionally, NuScale [US600]                        B 3.5.3-2                                  Revision 4.0
 
Ultimate Heat Sink B 3.5.3 BASES APPLICABLE SAFETY ANALYSIS (continued) the UHS bulk average temperature is assumed in the buoyancy calculation of the reactor building crane load during movement of the module.
The UHS bulk average boron concentration lower limit is established to ensure adequate shutdown margin during unit shut downs that are not associated with events resulting in DHRS or ECCS actuation, when the module is filled with RP inventory using the CFDS and the RRVs are opened. It also ensures adequate shutdown margin when the module is configured with the UHS inventory in contact with the reactor core, specifically in MODE 4 when the containment vessel is disassembled for removal, and in MODE 5.
The upper limit on boron concentration is established to limit the effect of moderator temperature coefficient (MTC) during localized or UHS bulk average temperature changes while the module and core are in contact with UHS water. The upper limit also provides assurance for criticality and boron dilution analyses.
The ultimate heat sink level, temperature, and boron concentration parameters satisfy Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).
LCO            The UHS must provide an adequate heat sink to perform its UHS function. This is accomplished by providing sufficient submersion of the module and the mass of water that can be heated, and vaporized to steam if necessary, to remove decay heat via the decay heat removal system or conduction through the containment vessel walls and heat from irradiated fuel in the pool. The UHS level limits ensure that this level of module submersion and mass of water is available.
The UHS bulk average temperature is an initial assumption of safety analyses. The limits on temperature preserve the analyses assumptions and permit crediting the pool to mitigate these events. They also provide margin for performance of the UHS function in that the pool must be heated before vaporization of the contents will begin.
Determination of the UHS bulk average temperature is in accordance with approved procedures.
The boron concentration must be within limits when the UHS contents are in communication with the RCS to preserve core reactivity assumptions and analyses. Determination of the bulk average boron concentration is in accordance with approved plant procedures.
NuScale [US600]                        B 3.5.3-3                                Revision 4.0
 
Ultimate Heat Sink B 3.5.3 BASES APPLICABILITY  The limits on UHS level, bulk average temperature and bulk average boron concentration are applicable at all times. The supported safety functions are applicable in all MODES and when irradiated fuel is being handled. The applicability is conservative and recognizes the passive nature and resistance to changes that are inherent in the pool design and operation.
ACTIONS        A.1, A.2, and A.3 With the UHS level < 68 ft but > 65 ft the UHS safety function is preserved, however the margin in the safety analyses of events related to handling of spent fuel is reduced. Also, the assumed buoyancy provided by the water volume displaced by the module is reduced.
Required Actions A.1 and A.2 immediately suspend module movement and the movement of irradiated fuel assemblies. This reduces the likelihood of an event that would be adversely affected by the reduced water level. Suspension of movement does not preclude movement of a module or fuel assembly to a safe position.
Additionally, Required Action A.3, the UHS level must be restored to within limits within 30 days to restore the margin and assumptions of the safety analyses related to long-term cooling of the module and irradiated fuel. The 30 days is appropriate because the UHS safety function continues to be met even if a leak results in sudden draining of the pool to refill the dry dock. The level of > 65 ft ensures adequate submersion of the containment vessel walls and more than 3 days of decay heat removal without further action.
B.1 and B.2 If the UHS level is  65 ft, an initial condition assumption of the safety analysis regarding peak containment pressure may not be met. Action must be immediately initiated and continued to restore the UHS level to > 65 ft.
NuScale [US600]                        B 3.5.3-4                                Revision 4.0
 
Ultimate Heat Sink B 3.5.3 BASES ACTIONS (continued)
C.1, C.2, and C.3 If the UHS bulk average temperature is < 65 &deg;F or > 110 &deg;F, actions must be taken to restore the UHS bulk average temperature to within limits. 110 &deg;F is the initial temperature assumed in the peak containment pressure analysis calculations, and is conservative with respect to the RB Crane lifting capacity calculation. The minimum UHS bulk average temperature is an assumption used in long-term cooling analyses. The SFPC system in conjunction with the RFP cooling system is designed to maintain a UHS bulk average temperature of 110 &deg;F.
D.1 and D.2 If the UHS level or bulk average temperature cannot be returned to within limits within the associated Completion Time, the unit must be brought to a condition where the decay heat of the unit with the potential to be rejected to the UHS is minimized. To achieve this status, the unit must be brought to MODE 2 within 6 hours and MODE 3 within 36 hours. The allowed Completion Times are reasonable, based on operating requirements, to reach the required unit conditions from full power conditions in an orderly manner.
E.1, E.2, E.3, E.4, and E.5 If the UHS bulk average boron concentration is not within limits, actions must be initiated and continued to restore the concentration immediately.
Additionally, activities that could place pool inventory in communication with the reactor core must be suspended. Therefore, CFDS flow into the containment must be immediately terminated, and disassembly of the containment vessel that would open the RCS to communication with the UHS also suspended. Additionally, module movement must be suspended and the movement of irradiated fuel suspended.
The suspension of module and/or fuel movement shall not preclude completion of movement to safe position.
NuScale [US600]                          B 3.5.3-5                                Revision 4.0
 
Ultimate Heat Sink B 3.5.3 BASES SURVEILLANCE    SR 3.5.3.1 REQUIREMENTS Verification that the UHS level is above the required minimum level will ensure that the assumed heat capacity of the pool is available and the pool will provide the credited mitigation if an irradiated fuel handling accident occurs. Indication of UHS level including alarms when not within limits are available in the main control room.
The Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.3.2 Verification that the UHS bulk average temperature is within limits ensures that the safety analyses assumptions and margins provided by the UHS remain valid. Key UHS temperatures are monitored and alarmed in the control room.
The Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.5.3.3 Verification that the UHS bulk average boron concentration is within limits ensures that the assumed safety analyses assumptions and margins provided by the UHS boron concentration remain available.
Plant operations with potential to significantly affect the UHS boron concentration are controlled and indicated in the control room.
The Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. FSAR, Chapter 6.
: 2. FSAR, Chapter 15.
NuScale [US600]                        B 3.5.3-6                                  Revision 4.0
 
Containment B 3.6.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1 Containment BASES BACKGROUND          The containment is a free standing steel pressure vessel. The containment vessel, including all its penetrations, is a low-leakage steel vessel designed to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA) such that offsite radiation exposures are maintained within limits. The containment provides a level of shielding from the fission products that may be present in the containment atmosphere following accident conditions. The containment also functions to preserve coolant and provide ECCS pressure boundary and heat transfer path during LOCAs.
The containment vessel is a steel pressure vessel with torispherical upper and lower heads. The containment utilizes the steel shell, which is partially submerged in the ultimate heat sink, for passive containment cooling when filled with water.
Containment penetrations provide for the passage of process and service into the containment vessel while maintaining containment integrity.
The steel containment and its penetrations establish the low-leakage containment boundary. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. The containment also functions to preserve coolant and provide ECCS pressure boundary and heat transfer path during LOCAs.
SR 3.6.1.1 leakage rate Surveillance Requirements conform with 10 CFR 50, Appendix J (Ref. 1), as modified by approved exemptions.
The isolation devices for the penetrations of the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:
: a. All penetrations required to be closed during accident conditions are either:
: 1. Capable of being closed by an OPERABLE automatic isolation system;
: 2. Closed by manual valves, blind flanges; NuScale [US600]                          B 3.6.1-1                                  Revision 4.0
 
Containment B 3.6.1 BASES BACKGROUND (continued)
: b. De-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.2, Containment Isolation Valves; and
: c. The sealing mechanism associated with each containment penetration (e.g. welds, flanges, or o-rings) is OPERABLE (i.e.,
OPERABLE such that the containment leakage limits are met).
APPLICABLE      The safety design basis for the containment is that the containment SAFETY          must withstand the pressures and temperatures of the limiting Design ANALYSES        Basis Accident (DBA) without exceeding the design leakage rates.
The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a loss of coolant accident (LOCA), a steam line break, and a rod ejection accident (REA) (Ref. 2). In addition, release of significant fission product radioactivity within containment can occur from a LOCA or REA. The DBA analyses assume that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate of containment leakage. The containment is designed with an allowable leakage rate of 0.20% of containment air weight after a DBA per day (Ref. 3). This leakage rate, used in the evaluation of offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated peak containment internal pressure 994 psia (Pa) resulting from the limiting DBA. The allowable leakage rate represented by La forms the basis for the acceptance criteria imposed on containment leakage rate testing. La is assumed to be 0.20% per day in the safety analysis.
Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.
The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            The containment is designed to maintain leakage integrity < 1.0 La.
Leakage integrity is assured by performing local leak rate testing (LLRT) and containment inservice inspection. Total LLRT leakage is maintained
                < 0.60 La in accordance with 10 CFR 50, Appendix J (Ref. 1). Satisfactory LLRT and ISI examination are required for containment OPERABILITY.
NuScale [US600]                        B 3.6.1-2                                  Revision 4.0
 
Containment B 3.6.1 BASES LCO (continued)
Compliance with this LCO will ensure a containment configuration, including maintenance access manways, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.
APPLICABILITY  In MODES 1, 2, and 3 with RCS hot temperature  200 &deg;F, the RCS contains sufficient energy such that DBA could cause a release of radioactive material into containment. The containment limits the postulated release of radioactive fission products that could be released from the containment from the reactor core and reactor vessel. The containment supports the emergency core cooling system (ECCS) by providing a part of the means of passive heat transfer from the reactor core, coolant, and vessel to the reactor cooling pool. ECCS OPERABILITY is required as described in LCO 3.5.1, Emergency Core Cooling.
In MODE 3 with the RCS hot temperature < 200 &deg;F, MODES 4 and 5, the probability and consequences of these events are reduced due to unit conditions in these MODES. Therefore, containment is not required to be OPERABLE in these MODES.
ACTIONS        A.1 In the event containment is inoperable, it must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment OPERABLE during MODES 1, 2, and 3 with the RCS hot temperature  200 &deg;F. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.
B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS hot temperature < 200 &deg;F within 48 hours (Ref. 3). The allowed Completion Times are reasonable, to reach the required unit conditions from full power conditions in an orderly manner.
NuScale [US600]                        B 3.6.1-3                              Revision 4.0
 
Containment B 3.6.1 BASES SURVEILLANCE    SR 3.6.1.1 REQUIREMENTS Maintaining the containment OPERABLE requires compliance with the inservice inspection (ISI) examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Total leakage is maintained < 0.60 (La) in accordance with 10 CFR 50, Appendix J (Ref.1). At all other times between required leakage rate tests, the acceptance criteria is based on an overall leakage limit of < 1.0 La. At
                < 1.0 La, the offsite dose consequences are bounded by the assumptions of the safety analysis.
SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.
REFERENCES      1. 10 CFR 50, Appendix J.
: 2. FSAR, Chapter 15.
: 3. FSAR, Section 6.2.
NuScale [US600]                        B 3.6.1-4                                Revision 4.0
 
Containment Isolation Valves B 3.6.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2 Containment Isolation Valves BASES BACKGROUND          Containment isolation valves and closed loops form part of the containment pressure boundary and provide a means for isolating penetration flow paths. These boundaries are either passive or active.
Closed loops are considered passive components. Automatic, power-operated valves designed to close without operator action following an accident, are considered active components. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation of leakage that exceeds limits assumed in the safety analysis.
Containment isolation is designed to provide isolation capability following a Design Basis Accident (DBA) for fluid lines that penetrate containment.
The containment isolation valve closure occurs upon receipt of signals from either the High Containment Pressure, Low Low Pressurizer Level, High Under-the-Bioshield Temperature or Low AC Voltage isolation signals. High Containment Pressure or Low Low Pressurizer Level are both signals indicating a loss of RCS coolant. Penetrations that are required to be isolated during accident conditions are isolated by containment isolation valves. As a result, the containment isolation valves and closed loops help ensure that the containment atmosphere will be isolated in the event of a release of fission products to the containment atmosphere from the RCS following a DBA.
The OPERABILITY requirements of containment isolation valves help ensure that containment is isolated within the time limits and within the leakage rates assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment leakage limits assumed in the accident analysis will not be exceeded in a DBA.
APPLICABLE          The containment isolation valve LCO was derived from the assumptions SAFETY              related to minimizing the loss of reactor coolant inventory and ANALYSES            establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO.
The DBA that results in the largest release of radioactive material within containment is a design basis source term (DBST). In the analyses of DBAs, it is assumed that containment is OPERABLE, such that release of NuScale [US600]                            B 3.6.2-1                                  Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES APPLICABLE SAFETY ANALYSES (continued) fission products to the environment is controlled by the rate of containment leakage. The allowable leakage rate for the CNTS is 0.20%
of containment air weight of the original content of containment air the first day after the DBA, which thereafter the CNTS leakage rate is 0.1%
per day. This leakage rate is defined in 10 CFR 50, Appendix J (Ref. 1),
as La, the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa following a DBA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with containment penetrations.
It is assumed that, within 7 seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate La. The containment isolation of 7 seconds includes signal delay, and containment isolation valve stroke times (Refs. 2 and 3).
The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            Containment isolation valves form a part of the containment boundary.
The containment isolation valve safety function is to minimize the loss of reactor coolant inventory and establish the containment boundary during a DBA.
Containment isolation valves consist of automatic, power-operated isolation valves. The ACTION Statements allow the use of manual valves and blind flanges to restore containment isolation. Containment isolation valves are categorized as active containment isolation devices that, following an accident, either receive a containment isolation signal to close, or close as a result from a differential pressure.
The automatic isolation valves are required to have isolation times within limits and to actuate upon a containment isolation signal or loss of power.
Isolation valves are verified OPERABLE through the INSERVICE TESTING PROGRAM. Containment isolation valve OPERABILITY requires any associated nitrogen accumulator to be maintained at a pressure that is adequate to close the valve within the specified time.
The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in the closed position or blind flanges are in place, and closed systems are intact.
NuScale [US600]                      B 3.6.2-2                                  Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES LCO (continued)
This LCO provides assurance that the containment isolation valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.
APPLICABILITY  In MODES 1, 2, and 3 with RCS hot temperature  200 &deg;F, a DBA could cause a release of radioactive material to containment. In MODE 3 with the RCS hot temperature < 200 &deg;F, MODES 4 and 5, the probability and consequences of these events are reduced due to unit conditions in these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 3 with RCS hot temperature < 200 &deg;F and MODES 4 and 5.
ACTIONS        The ACTIONS are modified by four notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.
Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.
Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation device.
Note 4 requires entry into the applicable Conditions and Required Actions of LCO 3.6.1 when leakage results in exceeding the overall containment leakage limit.
A.1 and A.2 Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves.
NuScale [US600]                      B 3.6.2-3                                Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES ACTIONS (continued)
In the event one containment isolation valve in one or more penetration flow paths is inoperable the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and de-activated automatic containment isolation valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For penetrations isolated in accordance with Required Actions A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 72 hour Completion Time. The 72 hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, and MODE 3 with RCS hot temperature  200 &deg;F.
For affected penetration flow paths that cannot be restored to OPERABLE status within the 72 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis.
This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of once per 31 days for isolation devices outside containment is appropriate considering the fact that the devices are operated under administrative controls and the probability of misalignment is low.
Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position, is small.
NuScale [US600]                          B 3.6.2-4                                Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES ACTIONS (continued)
B.1 Condition B has been modified by a note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves.
With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, or a blind flange.
The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.
C.1 and C.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE or condition in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and MODE 3 with RCS hot temperature < 200 &deg;F within 48 hours.
Completion Times are established considering the likelihood of an event that would require CIS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.
NuScale [US600]                          B 3.6.2-5                                Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES SURVEILLANCE    SR 3.6.2.1 REQUIREMENTS This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for containment isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.6.2.2 This SR requires verification that each manual containment isolation valve and blind flange located outside containment, and not locked, sealed, or otherwise secured in position, and required to be closed during accident conditions, is closed. The SR helps to ensure that post accident leakage of fission products outside the containment boundary is within design limits. This SR does not require any testing or device manipulation. Rather, it involves verification that those containment isolation devices outside containment and capable of being mispositioned are in the correct position.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR does not apply to devices that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.
The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted in MODES 1, 2, and 3 with RCS hot temperature  200 &deg;F for ALARA reasons.
Therefore, the probability of misalignment of these containment isolation valves, since they have been verified to be in the proper position, is small.
NuScale [US600]                      B 3.6.2-6                                  Revision 4.0
 
Containment Isolation Valves B 3.6.2 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.6.2.3 Verifying that the isolation ACTUATION RESPONSE TIME of each automatic containment isolation valve is within the limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated.
The isolation time and Frequency of this SR are in accordance with the INSERVICE TESTING PROGRAM.
SR 3.6.2.4 Automatic containment isolation valves close on a containment isolation signal to minimize leakage of fission products from containment and to maintain required RCS inventory following a DBA. This SR ensures each automatic containment isolation valve will actuate to its isolation position on an actual or simulated actuation signal. The Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES      1. 10 CFR 50, Appendix J.
: 2. FSAR, Section 6.2.
: 3. FSAR, Chapter 15.
NuScale [US600]                        B 3.6.2-7                                Revision 4.0
 
MSIVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Isolation Valves (MSIVs)
BASES BACKGROUND          Each steam generator (SG) supplies one main steam line. Each main steam line includes four isolation valves that isolate steam flow to support decay heat removal system (DHRS) operation or containment system function. Two safety-related valves are located outside of and close to the containment. A description of the safety-related MSIVs is found in FSAR Section 6.2 (Ref. 1). Two non-safety related backup isolation valves are located downstream of the removable pipe spool between the module and balance of the main steam system. A description of the nonsafety-related backup MSIVs is found in FSAR Section 10.3. (Ref. 2).
The four valves are arranged so that each MSIV is provided with a bypass line that includes a MSIV bypass valve, one safety related and one non-safety related, arranged in parallel with the corresponding MSIVs.
The safety-related MSIVs and non-safety related secondary MSIVs, as well as the normally-closed MSIV bypass valves, will receive and close upon receipt of a Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or Containment Isolation System actuation as described in Specification 3.3.1. Each of the MSIV and MSIV Bypass Valves is designed to close upon loss of power.
Closing the MSIVs and MSIV bypass valves isolates the Turbine Bypass System and other steam flows from the SG to the balance of plant. The MSIVs isolate steam flow from the secondary side of the associated SG following a high-energy line break and preserves the reactor coolant system (RCS) inventory in the event of a steam generator tube failure (SGTF). The MSIVs and MSIV bypass valves also form part of the boundary of the safety-related, closed-loop, DHRS described in FSAR Section 5.4 (Ref. 3).
NuScale [US600]                            B 3.7.1-1                                Revision 4.0
 
MSIVs B 3.7.1 BASES APPLICABLE      The MSIVs and MSIV Bypass Isolation Valves close to isolate the SAFETY          SGs from the power conversion system. Isolation limits ANALYSES        postulated releases of radioactive material from the SGs in the event of a SG tube failure (Ref. 4) and terminates flow from SGs for postulated steam line breaks outside containment (Ref. 5). This minimizes radiological contamination of the secondary plant systems and components, and minimizes associated potential for activity releases to the environment, and preserves RCS inventory in the event of a SGTF.
The isolation of steam lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of an unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss-of-coolant accident (non-LOCA) design basis events when normal secondary-side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions.
The safety-related and nonsafety-related MSIV and MSIV bypass valves satisify Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO requires four isolation valves on each SG steam line to be OPERABLE. This includes safety related and non-safety related MSIVs and MSIV bypass valves in each steam line. The valves are considered OPERABLE when they will close on an isolation actuation signal, their isolation times are within limits, and valve leakage is within limits.
This LCO provides assurance that the safety related and non-safety related MSIVs and MSIV bypass valves will be available to perform their design safety function to limit consequences of accidents that could result in offsite exposures comparable to the 10 CFR 50.34 limits or the NRC staff approved licensing basis.
APPLICABILITY  The safety related and non-safety related MSIVs and MSIV Bypass Valves must be OPERABLE in MODE 1, 2, and MODE 3 when not PASSIVELY COOLED. Under these conditions, the isolation of the MSIVs ensures the DHRS can perform its design function and the valves provide a barrier to limit the release of radioactive material to the environment.
Closure of the MSIVs also preserves the RCS inventory in the event of a SGTF. Therefore, these valves must be OPERABLE or the flow path through the valve isolated. When these valves are closed or their flow path is isolated, the required function has been satisfied. In MODES 4 and 5, the unit is shutdown, the SGs do not contain significant energy or inventory, and the valves do not perform any credited safety function.
NuScale [US600]                        B 3.7.1-2                                Revision 4.0
 
MSIVs B 3.7.1 BASES ACTIONS        The ACTIONS are modified by a Note indicating that steam line flow paths may be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the MSIV flow path can be rapidly isolated when a need is indicated.
A.1 and A.2 Condition A is modified by a Note stating that a separate Condition entry is allowed for each valve. This is acceptable because the Required Actions provide appropriate compensatory actions for each inoperable isolation valve. The series-parallel valve arrangement could result in multiple valves being inoperable and the redundant capability to isolate the steam line maintained.
With a required valve open and inoperable, isolation of the main steam flow using that valve to perform the credited isolation function can no longer be assured. The isolation function could be susceptible to a single failure because only the redundant isolation valves on the affected steam line maintain the ability to isolate the effected steam flow.
Action A.1 requires isolation of the inoperable valve flow path within 72 hours. Some repairs may be accomplished within the 72 hour period to restore OPERABILITY and exit the Condition. The 72 hour Completion Time is reasonable because the inoperable isolation valve only affects the capability of one of the two redundant isolation valves to function. Only if a single failure occurs that affects the remaining capability to isolate the steam flow path will the safety function be affected.
The 72 hour Completion Time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require closure of the specific flow path.
Alternatively, if the valve flow path can be isolated by closing the inoperable valve within 72 hours then its function is being accomplished.
The capability to isolate steam flow if a single failure occurs remains unaffected.
An inoperable MSIV may be utilized to isolate the flow path only if its leak tightness has not been compromised. The 72 hours is reasonable to adjust unit conditions and take action to isolate the flowpath.
NuScale [US600]                        B 3.7.1-3                                Revision 4.0
 
MSIVs B 3.7.1 BASES ACTIONS (continued)
Required Action A.2 is modified by two notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.
For inoperable components that are not restored to OPERABLE status prior to the required Completion Time in Required Action A.1 and now have their flow path isolated, Required Action A.2 is applicable.
Action A.2 requires that the flow path be verified isolated on a periodic basis. The 7 day Completion Time is reasonable based on engineering judgement, valve and system status indications available in the control room, and other administrative controls, to ensure these flow paths remain isolated.
B.1 With a steam line that cannot be manually or automatically isolated the supported safety functions can no longer be met. This Condition applies when two or more inoperable isolation valves prevent automatic or manual isolation of steam flow from the steam generator. This condition exists when a flow path through the safety related MSIV and MSIV bypass valve exists, and a flow path through the non-safety related secondary MSIV and MSIV bypass valve exists, that cannot be manually or automatically isolated.
For example, one MSIV bypass valve inoperable and open, and one non-safety related secondary MSIV inoperable and open could prevent isolation of the steam flow from the associated steam generator. In this condition a steam line flow could exist through the MSIV bypass valve and the secondary MSIV that could not be isolated.
Action B.1 requires isolation of the main steam line by closure of valves so that the safety function of the steam line isolation is accomplished.
Some repairs may be accomplished within the 8 hour period. The 8 hour Completion Time is reasonable because the inoperable isolation valves only affect the capability of one of the two redundant DHRS trains to function.
NuScale [US600]                          B 3.7.1-4                                  Revision 4.0
 
MSIVs B 3.7.1 BASES ACTIONS (continued)
The 8 hour Completion Time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require isolation of the steam line.
If the main steam line can be isolated within 8 hours then its safety function is being accomplished. An inoperable MSIV or bypass valve may be utilized to isolate the steam line only if its leak tightness has not been compromised.
C.1 and C.2 With Required Actions and associated Completion Times not met, isolation capability of the main steam line(s) is not maintained. The associated DHRS and the ability to isolate postulated releases from the SGs are affected. The unit must be placed in a condition in which the LCO does not apply.
Required Action C.1 requires the unit to be in MODE 2 within 6 hours.
Required Action C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours.
The Completion Times are reasonable based on operational activities required to reach these conditions in an orderly manner. The time permits use of normal means to exit the conditions of Applicability. It is also consistent with the Completion Times for an inoperable train of the DHRS.
SURVEILLANCE      SR 3.7.1.1 REQUREMENTS This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for MSIV and main steam line bypass isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM.
The Frequency is controlled under the Surveillance Frequency Control Program.
NuScale [US600]                          B 3.7.1-5                                  Revision 4.0
 
MSIVs B 3.7.1 BASES SURVEILLANCE REQUREMENTS (continued)
SR 3.7.1.2 This SR measures the safety related and non-safety related MSIV and MSIV Bypass Valve closure ACTUATION RESPONSE TIMES on an actual or simulated actuation signal. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.
The isolation time is assumed in the accident and containment analyses.
The MSIVs and MSIV Bypass Valves are not tested at power to reduce the likelihood of an unplanned transient due to valve closure when the unit is generating power. As the MSIVs are not tested at power, they are exempt from the ASME OM Code (Ref. 6) requirements during operation in MODES 1 and 2.
The Frequency is in accordance with the INSERVICE TESTING PROGRAM.
This test is typically conducted during shutdown conditions or with the unit at reduced operating temperatures and pressures before their OPERABILITY is required by the Applicability of this LCO.
SR 3.7.1.3 This SR verifies the safety related and non-safety related MSIV and MSIV Bypass Valves leakage are within limits. The MSIVs and MSIV Bypass Valves serve as a boundary for the DHRS and route steam from the steam generator to the DHR condenser when the DHR system is actuated.
The Frequency is in accordance with the INSERVICE TESTING PROGRAM.
NuScale [US600]                        B 3.7.1-6                              Revision 4.0
 
MSIVs B 3.7.1 BASES REFERENCES      1. FSAR, Section 6.2.
: 2. FSAR, Section 10.3.
: 3. FSAR, Section 5.4.
: 4. FSAR, Section 15.6.
: 5. FSAR, Section 15.1.
: 6. ASME, OM Code, [2012 edition].
NuScale [US600]                    B 3.7.1-7      Revision 4.0
 
Feedwater Isolation B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Feedwater Isolation BASES BACKGROUND          Each Feedwater line has one safety-related feedwater isolation valve (FWIV) to isolate feedwater flow when required to support decay heat removal system (DHRS) operation or the containment system (CNTS).
The safety-related FWIVs are located outside of and close to containment. Each feedwater line includes a non-safety related feedwater regulating valve (FWRV) located upstream of the removable pipe spool between the module and the balance of the feedwater system. A description of the safety-related FWIVs is found in FSAR Section 6.2 (Ref. 1). A description of the non-safety related FWRVs is found in FSAR Section 10.4 (Ref. 2).
The safety related FWIVs and non-safety related FWRV are closed on Secondary System Isolation (SSI), Decay Heat Removal System (DHRS),
or Containment Isolation System actuation as described in Specification 3.3.1. Each FWIV and FWRV closes on loss of power.
Closing of the FWIVs and FWRVs isolates each Steam Generator (SG) from the other SG and isolates the feedwater flows to the SGs from the balance of plant.
The FWIV and FWRV isolate the feedwater flow from the secondary side of the associated SG following a high energy line break and preserve RCS inventory in the event of a steam generator tube failure (SGTF). The FWIVs and FWRVs form part of the boundary of the safety-related DHRS closed loop, as described in FSAR Section 5.4 (Ref. 3) and applicable requirements in Specification 3.5.2.
APPLICABLE          The FWIVs and FWRVs close to isolate the SGs from the balance of SAFETY              plant feedwater system. Isolation limits postulated releases of ANALYSES            radioactive material from the SG in the event of a SG tube failure and terminates flow to the SGs in postulated feedwater line breaks inside and outside containment (Ref. 4). This minimizes radiological contamination of the secondary plant systems and components, and minimizes any associated potential for activity releases to the environment and preserves safety RCS inventory levels.
The isolation of the feedwater lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of the unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss of coolant accident (non-LOCA) design basis events when normal NuScale [US600]                            B 3.7.2-1                                Revision 4.0
 
Feedwater Isolation B 3.7.2 BASES APPLICABLE SAFETY ANALYSES (continued) secondary side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions. The FWIV and FWRV have a specific leakage criteria to maintain DHRS inventory.
The FWIV and FWRV satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO            This LCO requires the FWIVs and FWRV in each of the two feedwater lines to be OPERABLE. The valves are considered OPERABLE when their isolation times are within limits and they close on an isolation actuation signal and their leakage is within limits.
This LCO provides assurance that the FWIVs will perform their design safety function and the FWRVs their non-safety function to limit consequences of accidents that could result in offsite exposures comparable to the 10 CFR 50.34 limits or the NRC staff approved licensing basis.
APPLICABILITY  The FWIVs and FWRVs must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and the steam generators. This ensures that, in the event of a high energy line break, a single failure cannot result in the blowdown of more than one steam generator, an inoperability of the DHRS, or a containment bypass path in the event of a steam generator tube failure. In MODE 1 and 2 FWIVs and FWRVs are required to be OPERABLE to limit the amount of available fluid that could be added to containment in case of a secondary system pipe break inside containment. In MODE 3 and not PASSIVELY COOLED, the FWIVs and FWRV are required to be OPERABLE, to support DHRS operability.
In MODES 4 and 5 the steam generators energy is low. Therefore, the MFIVs and MFRVs are normally closed since MFW system is not required.
ACTIONS        The ACTIONS table is modified by two Notes. The first being that separate entry is allowed for each valve. This is acceptable because the ACTIONS table provide actions for individual component entry. The second indicating that FWIV flow path may be unisolated intermittently under administrative control.
NuScale [US600]                        B 3.7.2-2                                Revision 4.0
 
Feedwater Isolation B 3.7.2 BASES ACTIONS (continued)
These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the FWIV flow path can be rapidly isolated when a need is indicated.
A.1, A.2, B.1, and B.2 With one or two FWIVs, or one or two FWRVs inoperable, isolate inoperable affected flow path in 72 hours. When the FWIV flow path is isolated, the FWIVs are performing their required safety function and when the FWRV flow path is isolated, the FWRVs are performing their non-safety related function.
The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves, and the low probability of an event that would require isolation of the main feedwater flow paths occurring during this period. If the Feedwater line can be isolated by closing the inoperable FWIV/FWRV valve within 72 hours then its function is being performed. The capability to isolate feedwater flow if a single failure occurs remains unaffected. If the FWIV or FWRV is inoperable and cannot be closed, then the Feedwater line should be isolated by the other FWIV/FWRV valve closed and deactivated, closed manual valve, or blind flange. An inoperable FWIV/FWRV may be utilized to isolate the line only if its leak tightness has not been compromised.
For inoperable FWIVs and FWRVs valves that cannot be restored to OPERABLE status within the specified Completion Time but are closed or isolated, the flow paths must be verified on a periodic basis to be closed or isolated. This is necessary to ensure that the assumptions in the safety analyses remain valid. The 7 day Completion Time is reasonable based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.
C.1 With two inoperable valves in the same flow path there may be no redundant system to operate automatically and perform the required safety function. Under these conditions, one valve in the affected flow path must be restored to OPERABLE status, or the affected flow path isolated within 8 hours. If the Feedwater line can be isolated by closing the inoperable FWIV/FWRV valve within 8 hours then its safety function is being performed. If the FWIV and FWRV valves are inoperable and cannot be closed, then the Feedwater line should be isolated by a closed NuScale [US600]                          B 3.7.2-3                                Revision 4.0
 
Feedwater Isolation B 3.7.2 BASES ACTIONS (continued) and deactivated automatic valve, closed manual valve, or blind flange. An inoperable FWIV/FWRV may be utilized to isolate the line only if its leak tightness has not been compromised. This action returns the system to a condition in which at least one valve in the affected flow path is performing the required safety function. The 8 hour Completion Time is a reasonable amount of time to complete the actions required to close the FWIV, or FWRV, which includes performing a controlled unit shutdown without challenging plant systems.
D.1, and D.2 If the FWIVs and FWRVs cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 2 within 6 hours, in MODE 3 and PASSIVELY COOLED within 36 hours. The allowed Completion Times are reasonable, to reach the required unit conditions from full power conditions in an orderly manner.
SURVEILLANCE      SR 3.7.2.1 REQUIREMENTS This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for feedwater isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.7.2.2 This SR measures the closure ACTUATION RESPONSE TIME of each FWIV and FWRV on an actual or simulated actuation signal. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.
NuScale [US600]                          B 3.7.2-4                                Revision 4.0
 
Feedwater Isolation B 3.7.2 BASES SURVEILLANCE REQUIREMENTS (continued)
The FWIV and FWRV isolation times are assumed in the accident and containment analyses. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. These valves are tested when the unit is in a shutdown condition, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power. Because the isolation valves are not tested when the unit is in a shutdown condition, they are exempt from ASME OM Code (Ref. 5) requirements during operation in MODE 1. The Frequency is in accordance with the INSERVICE TESTING PROGRAM.
SR 3.7.2.3 This SR verifies FWIV and FWRV valves leakage are within limits. The FWIV and FWRV valves serve as a boundary isolation for the DHRS operation, when the DHR system is actuated.
The Frequency is in accordance with the INSERVICE TESTING PROGRAM.
REFERENCES      1. FSAR, Section 6.2.
: 2. FSAR, Section 10.4.
: 3. FSAR, Section 5.4.
: 4. FSAR, Section 15.6.
: 5. ASME, OM Code, [2012 edition].
NuScale [US600]                        B 3.7.2-5                                Revision 4.0
 
In-Containment Secondary Piping Leakage B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 In-Containment Secondary Piping Leakage BASES BACKGROUND          A limit on leakage from the secondary piping inside containment is required to limit secondary system operation in the presence of excessive leakage. Leakage is limited to an amount which would not compromise safety consistent with the Leak-Before-Break (LBB) analysis discussed in FSAR Chapter 3 (Ref. 1). This leakage limit ensures appropriate action can be taken before the integrity of the lines is impaired.
LBB is an argument which allows elimination of design for dynamic load effects of postulated pipe breaks. The fundamental premise of LBB is that the materials used in nuclear plant piping are strong enough that even a large through wall crack leaking well in excess of rates detectable by present leak detection systems would remain stable, and would not result in a double-ended guillotine break under maximum loading conditions. The benefit of LBB is the elimination of pipe whip restraints, jet impingement effects, and internal system blowdown loads.
As described in FSAR Section 3.6 (Ref. 1), LBB has been applied to the main steam and feedwater piping inside containment. Hence, the potential safety significance of secondary side leaks inside containment requires detection and monitoring of leakage inside containment. This LCO protects the secondary system lines inside containment against undetected degradation. The consequences of violating this LCO include the possibility of further degradation of the secondary system piping, which may lead to pipe break if a seismic event occurs that could adversely affect safety-related components inside of the containment.
APPLICABLE          The safety significance of plant leakage inside containment varies SAFETY              depending on its source, rate, and duration. Therefore, detection and ANALYSES            monitoring of plant leakage inside containment are necessary. This is accomplished via the instrumentation required by LCO 3.4.7, RCS Leakage Detection Instrumentation, and the Reactor Coolant System (RCS) water inventory balance (SR 3.4.5.1). Subtracting identified leakage into the containment vessel from the total detected leakage inside containment provides qualitative information to the operators regarding possible main steam or feedwater line leakage. This allows the operators to take action should leakage occur which would be detrimental to the safety of the facility if a seismic event occurred.
NuScale [US600]                            B 3.7.3-1                              Revision 4.0
 
In-Containment Secondary Piping Leakage B 3.7.3 BASES APPLICABLE SAFETY ANALYSES (continued)
This specification has been included in Technical Specifications because if a seismic event occurs when the in-containment secondary leakage is greater than the LCO limit, a main steam or feedwater pipe break could occur. This could result in an adverse interaction between the affected in-containment secondary system piping and other safety related equipment located inside the containment.
LCO            In-containment secondary piping leakage is defined as leakage inside containment in any portion of the main steam line or feedwater pipe walls.
Up to 1.5 gallons per hour (gph) of leakage is allowable because it is below the leak rate for LBB analyzed cases of a secondary line crack twice as long as a crack leaking at the detectable leak rate under normal operating conditions including the stress imposed by postulated seismic events. Violation of this LCO could result in continued degradation of the main steam line or feedwater piping inside the containment vessel.
APPLICABILITY  Because of elevated secondary system temperatures and pressures, the potential for in-containment secondary system piping leakage is greatest in MODES 1, 2, and MODE 3 when not PASSIVELY COOLED.
In MODE 3 when PASSIVELY COOLED, and in MODES 4 and 5 an in-containment secondary system piping leakage limit is not provided. In MODE 3 when PASSIVELY COOLED, the secondary system temperatures and pressures are rapidly reducing, resulting in lower stresses and reduced potential for leakage or adverse effects from a postulated secondary system pipe rupture. In MODES 4 and 5 the secondary system piping is depressurized.
ACTIONS        A.1 and A.2 With in-containment secondary system piping leakage in excess of the LCO limit, the unit must be brought to lower secondary system pressure conditions to reduce the severity of the leakage and its potential consequences if a seismic event occurs.
The reactor must be placed in MODE 2 within 6 hours and MODE 3 and PASSIVELY COOLED within 36 hours. This action reduces the in-containment secondary system piping pressure and leakage, and also reduces the factors which tend to degrade the secondary system lines if a seismic event occurs.
NuScale [US600]                        B 3.7.3-2                              Revision 4.0
 
In-Containment Secondary Piping Leakage B 3.7.3 BASES ACTIONS (continued)
The Completion Time of 6 hours to reach MODE 2, and 36 hours to reach MODE 3 and PASSIVELY COOLED without challenging plant systems is reasonable based on the time to reach required unit conditions in an orderly manner. In MODE 3 with PASSIVE COOLING established, the pressure stresses acting on the in-containment secondary system piping are being rapidly and passively reduced. Further deterioration of the in-containment secondary system piping if a seismic event occurs is less likely.
SURVEILLANCE      SR 3.7.3.1 REQUIREMENTS A Note to SR 3.7.3.1 states the SR is not required to be performed until 24 hours after establishing steady state operation. The 24 hours allowance provides sufficient time for water to be removed from the containment after it has been flooded and stable unit conditions established so that secondary piping leakage may be monitored. This allowance is reasonable based on the low likelihood of a seismic event occurring during the limited time provided by the note.
Verifying that in-containment secondary piping leakage is within the LCO limit assures the integrity of those lines inside containment is maintained.
An early warning of line leakage is provided by the systems that monitor the containment pressure and containment evacuation system condensate collection. In-containment secondary system piping leakage would appear as unidentified leakage inside containment via these systems. Performance of an RCS water inventory balance (SR 3.4.5.1),
radiological analysis of containment evacuation system condensate and gases, and evaluation of the cooling water system inside containment, may determine whether the in-containment secondary piping is the potential source of unidentified leakage inside containment.
The Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES        1. FSAR, Section 3.6.
NuScale [US600]                          B 3.7.3-3                                Revision 4.0
 
Nuclear Instrumentation B 3.8.1 B 3.8 REFUELING OPERATIONS B 3.8.1 Nuclear Instrumentation BASES BACKGROUND            Three refueling neutron flux channels are provided to monitor the core reactivity during refueling operations. These detectors are located external to the reactor vessel below the reactor vessel flange and detect neutrons leaking from the core with the ability to be extended and retracted to facilitate module disassembly and reassembly.
The refueling neutron flux detectors are proportional counters. The detectors monitor the neutron flux in counts per second. The instrument range covers five decades of neutron flux (from 1E0 cps to 1E5 cps) with a 5% instrument accuracy. The refueling neutron flux channels also provide continuous visual indication in the control room and continuous visual and audible indication at the refueling panel located in the reactor building at elevation 100 ft in close proximity to the refueling area.
After the RPV is placed on the RPV refueling stand, a retractable support mechanism positions the refuel neutron monitors in the detector sleeves on the RPV. This ensures the refuel neutron monitors are placed in the same position for each refueling. The refuel neutron monitors are located in the refuel pool bay area and are separate from the normal excore detectors used during operation. These are the only neutron monitors utilized during refueling.
APPLICABLE            Two OPERABLE refueling neutron flux channels are required to SAFETY                provide a signal to alert the operator to unexpected changes in core ANALYSES              reactivity. During initial fuel loading, or when otherwise required, temporary neutron detectors may be used to provide additional reactivity monitoring (Ref. 1).
The audible count rate from the refueling neutron flux channels provides prompt and definite indication of any change in reactivity. The count rate increase is proportional to subcritical multiplication and allows operators to promptly recognize any change in reactivity. Prompt recognition of unintended reactivity changes is consistent with the assumptions of the safety analysis and is necessary to assure sufficient time is available to initiate action before SHUTDOWN MARGIN is lost (Ref. 1). The refueling neutron flux channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
NuScale [US600]                              B 3.8.1-1                                Revision 4.0
 
Nuclear Instrumentation B 3.8.1 BASES LCO            This LCO requires two of the three refueling neutron flux channels to be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity during removal of the upper reactor vessel assembly and during fuel movement in the reactor vessel. To be OPERABLE, each channel must provide visual indication in the control room. In addition, at least one of the two required channels must provide an OPERABLE audible count rate function to alert the operators to the initiation of a boron dilution event.
APPLICABILITY  In MODE 5 when the reactor vessel upper assembly is not seated on the reactor vessel flange, the refueling neutron flux channels are required to be OPERABLE to determine possible unexpected changes in core reactivity. There are no other direct means available to monitor the core reactivity conditions. The Applicability allows the retractable refueling neutron flux channels to be installed on the lower reactor vessel assembly following entry into MODE 5 (i.e., after detensioning the first reactor vessel flange bolt) and prior to the reactor vessel upper assembly lift. In MODES 1, 2, and 3 the Module Protection System neutron detectors and associated circuitry are required to be OPERABLE by LCO 3.3.1, Module Protection System (MPS) Instrumentation. In MODE 4, the module is disconnected from unborated water sources and the module Neutron Monitoring System. No changes to the core reactivity can occur in MODE 4 because a boron dilution event or fuel loading error cannot occur in this condition. Therefore, neutron monitoring is not required in MODE 4.
ACTIONS        A.1 and A.2 Redundancy has been lost if only one refueling neutron flux channel is OPERABLE. In addition, if the required refueling neutron flux audible count rate channel is inoperable, prompt and definite indication of a boron dilution event, consistent with the assumptions of the safety analysis, is lost. Since these instruments are the only direct means of monitoring core reactivity conditions, positive reactivity additions, and introduction of water into the ultimate heat sink (UHS) with boron concentration less than required to meet the minimum boron concentration of LCO 3.5.3, Ultimate Heat Sink, must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation.
Introduction of water inventory must be from sources that have a boron concentration greater than that which would be required in the UHS for minimum refueling boron concentration. This may result in an overall reduction in UHS boron concentration, but provides acceptable margin to maintaining subcritical conditions. Performance of Required Action A.1 shall not preclude completion of actions to establish a safe condition.
NuScale [US600]                        B 3.8.1-2                                Revision 4.0
 
Nuclear Instrumentation B 3.8.1 BASES ACTIONS (continued)
B.1 and B.2 If no refueling neutron flux channels are OPERABLE, actions to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, actions shall be continued until a refueling neutron flux channel is restored to OPERABLE status.
If no refueling neutron flux channels are OPERABLE, there is no direct means of detecting changes in core reactivity. However, since positive reactivity additions are discontinued, the core reactivity condition is stabilized and no changes are permitted until the refueling neutron flux channels are restored to OPERABLE status. This stabilized condition is confirmed by performing SR 3.5.3.3 to verify that the required boron concentration exists.
The Completion Time of once per 12 hours ensures that unplanned changes in boron concentration would be identified. The 12 hour Completion Time is reasonable considering the low probability of a change in core reactivity during this time period and the volume of the UHS.
SURVEILLANCE      SR 3.8.1.1 REQUIREMENTS SR 3.8.1.1 is the performance of a CHANNEL CHECK, which is the comparison of the indicated parameter values monitored by each of these instruments. It is based on the assumption that the two required indication channels should be consistent for the existing core conditions. Changes in core geometry due to fuel loading can result in significant differences between the refueling neutron flux monitor channels, however each channel should be consistent with its local conditions.
The Frequency specified in the Surveillance Frequency Control Program is consistent with the CHANNEL CHECK Frequency specified for similar instruments in LCO 3.3.1, Module Protection System (MPS)
Instrumentation."
NuScale [US600]                          B 3.8.1-3                                Revision 4.0
 
Nuclear Instrumentation B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)
SR 3.8.1.2 SR 3.8.1.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the refueling neutron flux channels consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The CHANNEL CALIBRATION also includes verification of the audible alarm count rate function of the one required audible channel.
The Frequency specified in the Surveillance Frequency Control Program is consistent with the CHANNEL CALIBRATION Frequency specified for similar instruments in LCO 3.3.1.
REFERENCES      1. FSAR, Chapter 15.
NuScale [US600]                        B 3.8.1-4                                Revision 4.0
 
Decay Time B 3.8.2 B 3.8 REFUELING OPERATIONS B 3.8.2 Decay Time BASES BACKGROUND        The movement of irradiated fuel assemblies requires allowing at least 48 hours for radioactive decay before initiating handling of irradiated fuel.
During fuel handling, this LCO ensures that sufficient radioactive decay has occurred in the event of a fuel handling accident (Refs. 1 and 2).
Sufficient radioactive decay of short lived fission products would have occurred to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 2).
APPLICABLE        The minimum radioactivity decay time is an initial condition assumed SAFETY            in the analysis of a fuel handling accident, as postulated by Regulatory ANALYSES          Guide 1.183 (Ref. 1) and described in Reference 3.
It is assumed that all of the fuel rods in one irradiated fuel assembly are damaged to the extent that all the gap activity in the rods is released instantaneously. The damaged fuel assembly is assumed to be the assembly with the highest fission product inventory. The fission product inventories from which the highest is selected are those inventories present 48 hours after the reactor becomes subcritical.
The decay time requirement satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO                This LCO requires the reactor be subcritical for at least 48 hours prior to commencing movement of irradiated fuel within the reactor pressure vessel. This LCO does not preclude core movement associated with module movement. A minimum radioactive decay time ensures that the radiological consequences of a postulated fuel handling accident are within the values calculated in Reference 2.
APPLICABILITY      This LCO is applicable when moving irradiated fuel assemblies in the reactor pressure vessel. The LCO minimizes the possibility of radioactive release due to a fuel handling accident that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not being moved, a postulated fuel handling accident is precluded. Requirements for fuel handling accidents in the spent fuel pool are also covered by LCO 3.5.3, Ultimate Heat Sink.
NuScale [US600]                            B 3.8.2-1                                Revision 4.0
 
Decay Time B 3.8.2 BASES ACTIONS        A.1 With the reactor subcritical for less than 48 hours, there shall be no operations involving movement of irradiated fuel assemblies within the reactor pressure vessel. This will preclude a fuel handling accident with fuel containing more fission product radioactivity than assumed in the safety analysis.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. Suspension of irradiated fuel assemblies should be completed as quickly as possible in order to minimize the time during which the unit is outside the initial assumptions of the fuel handling accident.
The suspension of irradiated fuel movement shall not preclude completion of movement to a safe position, nor does it preclude the movement of irradiated fuel assemblies that have not been exposed to a critical core within the previous 48 hours.
SURVEILLANCE    SR 3.8.2.1 REQUIREMENTS Verification that the reactor has been subcritical for at least 48 hours prior to movement of irradiated fuel in the reactor pressure vessel ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met. This SR may be performed by verifying the date and time of subcriticality prior to first irradiated fuel movement within the reactor pressure vessel. Specifying a minimum radioactive decay time limits the consequences of fuel rod damage that is postulated to result from a fuel handling accident (Ref. 2).
REFERENCES      1. Regulatory Guide 1.183, Revision 0, July 2000.
: 2. FSAR, Chapter 15.
: 3. TR-0915-17565-P, "Accident Source Term Methodology," Rev. [3].
NuScale [US600]                        B 3.8.2-2                                    Revision 4.0
 
This page replaces page 3.9-90 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical function of the valves is to open and remain open when actuated. The closed safety function to support the reactor coolant pressure boundary is passive. The reset pilot is Tier 2 NuScale Final Safety Analysis Report a nonsafety function and is not inservice tested as part of the ASME OM Code IST program. The trip valve is tested during failsafe and exercise testing.
RRVs and RVVs do not have specific leakage criteria. Seat tightness will be in accord with the requirements of the OM Code Mandatory Appendix I. ECCS valve seat leakage will be RCS unidentified leakage and must meet Technical Specification surveillance criteria. The owner's seat tightness criteria should be in accordance with the methods prescribed in OM Mandatory Appendix I, Table I-8220-1. The associated pilot valve bodies form part of the reactor coolant and containment boundaries and are subject to 10 CFR 50 Appendix J Type B testing. The IAB is a subcomponent of the ECCS valve and is subject to performance assessment testing.
ISTC-5110 Power Operated Relief Valves - RRVs and RVVs have attributes of both power operated valves (ISTC-5100) and relief valves (ISTC-5240). Performance assessment testing per Note 16 includes a functional test of the inadvertent actuation block at normal RCS pressure to confirm that the ECCS valve does not open. Testing also includes an operational test to demonstrate that the valves not exercise tested will open on low RCS pressure even though the trip valves remain energized (closed).
: 13. Reactor Safety Valves (Section 5.1.3.5): These valves are not exercised for inservice testing; their position indication components are tested by local inspection without valve exercise. RSVs do not have specific leakage criteria. Seat tightness will be in accord with the requirements of the OM Code Mandatory Appendix I. Any RSV seat leakage will be RCS unidentified leakage and must meet Technical Specification surveillance criteria. Owner's as-left seat tightness criteria shall be no observed leakage utilizing the methods prescribed in OM Mandatory Appendix I, Table I-8220-1.
: 14. Steam Generator System Thermal Relief Valves (Section 5.4.1.2): These thermal relief valves are located inside containment on each SG system feedwater header.
: 15. All secondary systems containment isolation valves close to complete the decay heat removal system boundary. All of these valves have specific leakage criteria and are tested per NuScale Technical Specification surveillance test (Technical Specification SR 3.7.1.2 and SR 3.7.2.2).
: 16. These valves are subject to performance assessment testing per the requirements of 10 CFR 50.55a. The test frequencies are to be established in accordance with the 3.9-90 intent ASME OM Code - 2017, Mandatory Appendix IV. The approach detailed in Mandatory Appendix IV shall be applied to both AOVs and HOVs.
OM Mandatory Appendix IV and this Plan address the attributes of a successful POV program as delineated in NRC Regulatory Issue Summary (RIS) 2000-3, "Resolution of Generic Safety Issue 158: Performance of Safety-Related Power Operated Valves Under Design Basis Conditions." See subsection 3.9.6.3.2 (3) for the factors to be Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
considered in the evaluation of performance assessment testing. Subsection 3.9.6.4.3 shall be used to determine ECCS IAB test method and frequency.
: 17. Reactor Building Rupture Disks: These passive, redundant, nonreclosing pressure relief devices provide reactor building overpressure protection. 5 year replacement frequency unless historical data indicates a requirement for more frequent replacement (OM I-1360).
Mechanical Systems and Components Revision 4
 
This page replaces page 3.9-91 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.9, "Mechanical Tier 2 NuScale Final Safety Analysis Report Table 3.9-17: Valve Augmented Requirements Valve No.          Description          Valve /      Position        Augmented              IST                  IST Type3              Notes Actuator1                    Function(s)2        Category Chemical Volume and Control System CVC-AOV-0001    CVCS Discharge Isolation    GLOBE        Closed    Active                  Category A Position Verification Test            9 Valve                      Remote AO                Containment Isolation              Exercise Full Stroke/Cold Shutdown Failsafe Test/Cold Shutdown Leak Test Performance Assessment Test CVC-SV-0081      NDS Supply to Reactor      GLOBE        Closed    Active                  Category A Position Verification Test            9 Module Isolation Valve  Remote SO                Containment Isolation              Exercise Full Stroke/Cold Shutdown Failsafe Test/Cold Shutdown Leak Test Condensate and Feedwater System FW-AOV-0134    Feedwater Regulating          FCV        Closed    Active                  Category A Position Verification Test            4, 7 Valve                      Remote AO                Feedwater Isolation                Exercise Full Stroke/Cold Shutdown Containment Isolation              Failsafe Test/Cold Shutdown Decay Heat Removal                Leak Test 3.9-91 Boundary                          Performance Assessment Test FW-AOV-0234      Feedwater Regulating        FCV        Closed    Active                  Category A Position Verification Test            4, 7 Valve                    Remote AO                Feedwater Isolation                Exercise Full Stroke/Cold Shutdown Systems and Components," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
Containment Isolation              Failsafe Test/Cold Shutdown Decay Heat Removal                Leak Test Boundary                          Performance Assessment Test FW-CKV-0135      Backup Feedwater Check  Nozzle Check  Closed    Active                  Category C Check Exercise/ Cold Shutdown          5 Valve                                              Decay Heat Removal Boundary Mechanical Systems and Components FW-CKV-0235      Backup Feedwater Check  Nozzle Check  Closed    Active                  Category C Check Exercise/ Cold Shutdown          5 Valve                                              Decay Heat Removal Boundary Containment System CVC-CKV-0329    CVCS Injection Check      Nozzle Check  Closed    Active                  Category AC Check Exercise/Cold Shutdown        8,9 Valve                                              Containment Isolation              Leak Test CVC-CKV-0323    Pressurizer Spray Check  Nozzle Check  Closed    Active                  Category AC Check Exercise/Cold Shutdown        8,9 Valves                                              Containment Isolation              Leak Test Revision 4
 
This page replaces page 15.4-46 in Chapter 15, "Transient and Accident Analyses," Section 15.4, "Reactivity and Power Distribution Anomalies," of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
NuScale Final Safety Analysis Report                              Reactivity and Power Distribution Anomalies Table 15.4-11: Control Rod Misoperation (15.4.3) - Limiting Analysis Results Acceptance Criteria                            Limit              Analysis Value MCHFR CRA misalignment                                                  1.284                    1.437 MCHFR Single CRA withdrawal                                              1.284                    1.375 MCHFR CRA drop                                                          1.284                    1.432 Peak LHGR CRA misalignment                                            19.7 kW/ft              8.39 kW/ft Peak LHGR Single CRA withdrawal                                      19.7 kW/ft              8.62 kW/ft Peak LHGR CRA drop                                                    19.7 kW/ft              8.59 kW/ft Tier 2                                          15.4-46                                              Revision 4
 
This page replaces page 2.1-9 in Chapter 2, "Unit Specific Structures, Systems, and Components Design Descriptions and ITAAC,"
Section 2.1, "NuScale Power Module," of the NuScale Standard Plant Design Certification Application Part 2, Tier 1, Revision 4 (January 2020).
NuScale Tier 1                                                                          NuScale Power Module Table 2.1-3: NuScale Power Module Electrical Equipment Equipment Name                            Remotely Loss of Motive CIV Closure Time Operated Power Position        (sec)1 ECCS reactor vent valve trip valves (4 Total)                        Yes        Open              N/A ECCS reactor vent valve reset valves (3 Total)                        Yes        Close            N/A ECCS reactor recirculation valve trip valves (2 Total)                Yes        Open              N/A ECCSreactor recirculation valve reset valves (2 Total)                Yes        Close            N/A CNTS reactor coolant system injection inboard CIV                    Yes        Closed              7 CNTS reactor coolant system injection outboard CIV                    Yes        Closed              7 CNTS pressurizer spray inboard CIV                                    Yes        Closed              7 CNTS pressurizer spray outboard CIV                                  Yes        Closed              7 CNTS reactor coolant system discharge inboard CIV                    Yes        Closed              7 CNTS reactor coolant system discharge outboard CIV                    Yes        Closed              7 CNTS reactor pressure vessel high point degasification inboard CIV    Yes        Closed              7 CNTS reactor pressure vessel high point degasification outboard CIV  Yes        Closed              7 CNTS containment evacuation inboard CIV                              Yes        Closed              7 CNTS containment evacuation outboard CIV                              Yes        Closed              7 CNTS flood and drain inboard CIV                                      Yes        Closed              7 CNTS flood and drain outboard CIV                                    Yes        Closed              7 CNTS reactor component cooling water system supply inboard CIV        Yes        Closed              7 CNTS reactor component cooling water system supply outboard CIV      Yes        Closed              7 CNTS reactor component cooling water system return inboard CIV        Yes        Closed              7 CNTS reactor component cooling water system return outboard CIV      Yes        Closed              7 CNTS feedwater #1 CIV                                                Yes        Closed              7 CNTS feedwater #2 CIV                                                Yes        Closed              7 CNTS main steam #1 CIV                                                Yes        Closed              7 CNTS main steam line #1 bypass valve CIV                              Yes        Closed              7 CNTS main steam #2 CIV                                                Yes        Closed              7 CNTS main steam line #2 bypass valve CIV                              Yes        Closed              7 DHRS actuation valves (4 Total)                                      Yes        Open              N/A CNTS I&C Division I Electrical Penetration Assembly (EPA)            N/A          N/A              N/A CNTS I&C Division II Electrical Penetration Assembly (EPA)            N/A          N/A              N/A CNTS PZR Heater Power #1 Electrical Penetration Assembly (EPA)        N/A          N/A              N/A CNTS PZR Heater Power #2 Electrical Penetration Assembly (EPA)        N/A          N/A              N/A CNTS I&C Channel A Electrical Penetration Assembly (EPA)              N/A          N/A              N/A CNTS I&C Channel B Electrical Penetration Assembly (EPA)              N/A          N/A              N/A CNTS I&C Channel C Electrical Penetration Assembly (EPA)              N/A          N/A              N/A CNTS I&C Channel D Electrical Penetration Assembly (EPA)              N/A          N/A              N/A CNTS CRD Power Electrical Penetration Assembly (EPA)                  N/A          N/A              N/A CNTS RPI Group #1 Electrical Penetration Assembly (EPA)              N/A          N/A              N/A CNTS RPI Group #2 Electrical Penetration Assembly (EPA)              N/A          N/A              N/A Tier 1                                                    2.1-9                                    Revision 4
 
This page replaces page 2.5-7 in Chapter 2, "Unit Specific Structures, Systems, and Components Design Descriptions and ITAAC,"
Section 2.5, "Module Protection System and Safety Display and Indication System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 1, Revision 4 (January 2020).
NuScale Tier 1                                      Module Protection System and Safety Display and Indication System Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions Engineered Safety Feature            Protective                  Input Variable            Interlock/Permissive Function ESFAS - ECCS actuation        High containment water level Containment water level      T-3 interlock L-2 interlock Low ELVS voltage 24-hour      ELVS voltage                None timer Low wide range RCS pressure Wide range RCS pressure        P-1 interlock T-6 interlock ESFAS - DHRS actuation        High narrow range RCS hot    Narrow range RCS hot        None temperature                  temperature (NR RCS Thot)
High pressurizer pressure    Pressurizer pressure        None High main steam pressure      Main steam pressure (DHRS    None inlet pressure)
Low AC voltage to battery    ELVS voltage                None chargers ESFAS - Secondary System      High pressurizer pressure    Pressurizer pressure        None Isolation                    High narrow range RCS hot    Narrow range RCS hot        None temperature                  temperature (NR RCS Thot)
Low main steam pressure      Main steam pressure          N-2H interlock Low low main steam pressure  Main steam pressure          L-1 interlock High main steam pressure      Main steam pressure          None Low main steam superheat      Main steam pressure (DHRS    L-1 interlock inlet pressure)              V-1 interlock Main steam temperature      N-2H interlock (DHRS inlet temperature)
High main steam superheat Main steam pressure (DHRS        None inlet pressure)
Main steam temperature (DHRS inlet temperature)
High narrow range            Narrow range containment    T-3 interlock containment pressure          pressure                    L-1 interlock Low low pressurizer pressure Pressurizer pressure          T-5 interlock RT-1 interlock Low low pressurizer level    Pressurizer level            T-2 interlock L-1 interlock Low AC voltage to battery    ELVS voltage                None chargers High under-the-bioshield      Under-the-bioshield          None temperature                  temperature ESFAS - containment system    High narrow range            Narrow range containment    T-3 interlock isolation                    containment pressure          pressure Low AC voltage to battery    ELVS voltage                None chargers Low low pressurizer level    Pressurizer level            T-2 interlock L-1 interlock High under-the-bioshield      Under-the-bioshield          None temperature                  temperature Tier 1                                                  2.5-7                                              Revision 4
 
This page replaces page 2.5-8 in Chapter 2, "Unit Specific Structures, Systems, and Components Design Descriptions and ITAAC,"
Section 2.5, "Module Protection System and Safety Display and Indication System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 1, Revision 4 (January 2020).
NuScale Tier 1                                        Module Protection System and Safety Display and Indication System Table 2.5-2: Module Protection System Automatic Engineered Safety Feature Functions (Continued)
Engineered Safety Feature              Protective                  Input Variable            Interlock/Permissive Function ESFAS - demineralized water    High subcritical              Source range count rate      N-1 interlock system isolation                multiplication Low RCS flow                  RCS flow                    None Automatic reactor trip        N/A                          T-5 interlock RT-1 interlock ESFAS - chemical and volume    High narrow range            Narrow range containment    T-3 interlock control system isolation        containment pressure          pressure High pressurizer level        Pressurizer level            None Low low pressurizer level    Pressurizer level            T-2 interlock L-1 interlock Low low pressurizer pressure Pressurizer pressure          T-5 interlock RT-1 interlock Low low RCS flow              RCS flow                    F-1 interlock RT-1 interlock Low AC voltage to battery    ELVS voltage                None chargers High under-the-bioshield      Under-the-bioshield          None temperature                  temperature ESFAS - pressurizer heater trip Low pressurizer level        Pressurizer level            None High pressurizer pressure    Pressurizer pressure        None High narrow range RCS hot    Narrow range RCS hot        None temperature                  temperature (NR RCS Thot)
Low AC voltage to battery    ELVS voltage                None chargers High main steam pressure      Main steam pressure (DHRS    None inlet pressure)
Low temperature overpressure Low temperature interlock        Wide range RCS cold          T-1 interlock protection actuation            with high pressure            temperature (WR RCS Tcold)
Wide range RCS pressure Tier 1                                                    2.5-8                                              Revision 4
 
This page replaces page 2.5-10 in Chapter 2, "Unit Specific Structures, Systems, and Components Design Descriptions and ITAAC,"
Section 2.5, "Module Protection System and Safety Display and Indication System," of the NuScale Standard Plant Design Certification Application Part 2, Tier 1, Revision 4 (January 2020).
NuScale Tier 1                                          Module Protection System and Safety Display and Indication System Table 2.5-4: Module Protection System Interlocks/Permissives/Overrides Interlock/Permissive/Override F-1      RCS flow interlock L-1      Containment water level interlock L-2      Pressurizer level interlock N-1      Intermediate range log power interlock/permissive N-2H      Power range linear power interlock N-2L      Power range linear power interlock/permissive O-1      CNTS isolation override P-1      Containment pressure interlock RT-1      Reactor tripped interlock T-1      Wide range RCS cold temperature interlock T-2      Wide range RCS hot temperature interlock T-3      Wide range RCS hot temperature interlock T-4      Narrow range RCS hot temperature interlock T-5      Wide range RCS hot temperature interlock T-6      Narrow range RCS hot temperature interlock V-1      Feedwater isolation valve closed interlock Tier 1                                                    2.5-10                                              Revision 4
 
This page replaces page 14.3-105 in Chapter 7, "Initial Test Program and ITAAC," Section 14.3, "Certified Design Material and ITAAC,"
of the NuScale Standard Plant Design Certification Application Part 2, Tier 2, Revision 4 (January 2020).
Certified Design Material and Inspections, Tests, Analyses, and NuScale Final Safety Analysis Report                                                                    Acceptance Criteria Table 14.3-3c: NuScale Power Module Electrical Equipment Equipment Name                      Equipment Identifier    Remotely        Loss of      CIV Closure Operated        Motive        Time (sec)
Power Position ECCS reactor vent valve trip valves (4 Total)            ECC-SV-0101A            Yes            Open            N/A ECC-SV-0101B ECC-SV-0101C-1 ECC-SV-0101C-2 ECCS reactor vent valve reset valves (3 Total)            ECC-SV-0103A            Yes            Close            N/A ECC-SV-0103B ECC-SV-0103C ECCS reactor recirculation valve trip valves (2 Total)    ECC-SV-0102A            Yes            Open            N/A ECC-SV-0102B ECCSreactor recirculation valve reset valves (2 Total)    ECC-SV-0104A            Yes            Close            N/A ECC-SV-0104B CNTS reactor coolant system injection inboard CIV        CVC-HOV-0331            Yes          Closed            7 CNTS reactor coolant system injection outboard CIV        CVC-HOV-0330            Yes          Closed            7 CNTS pressurizer spray inboard CIV                        CVC-HOV-0325            Yes          Closed            7 CNTS pressurizer spray outboard CIV                      CVC-HOV-0324            Yes          Closed            7 CNTS reactor coolant system discharge inboard CIV        CVC-HOV-0334            Yes          Closed            7 CNTS reactor coolant system discharge outboard CIV        CVC-HOV-0335            Yes          Closed            7 CNTS reactor pressure vessel high point degasification    CVC-HOV-0401            Yes          Closed            7 inboard CIV CNTS reactor pressure vessel high point degasification    CVC-HOV-0402            Yes          Closed            7 outboard CIV CNTS containment evacuation inboard CIV                    CE-HOV-0001            Yes          Closed            7 CNTS containment evacuation outboard CIV                  CE-HOV-0002            Yes          Closed            7 CNTS flood and drain inboard CIV                          CFD-HOV-0022            Yes          Closed            7 CNTS flood and drain outboard CIV                        CFD-HOV-0021            Yes          Closed            7 CNTS reactor component cooling water system supply      RCCW-HOV-0185            Yes          Closed            7 inboard CIV CNTS reactor component cooling water system supply      RCCW-HOV-0184            Yes          Closed            7 outboard CIV CNTS reactor component cooling water system return      RCCW-HOV-0190            Yes          Closed            7 inboard CIV CNTS reactor component cooling water system return      RCCW-HOV-0191            Yes          Closed            7 outboard CIV CNTS feedwater #1 CIV                                    FW-HOV-0137              Yes          Closed            7 CNTS feedwater #2 CIV                                    FW-HOV-0237              Yes          Closed            7 CNTS main steam #1 CIV                                    MS-HOV-0101              Yes          Closed            7 CNTS main steam line #1 bypass valve CIV                  MS-HOV-0103              Yes          Closed            7 CNTS main steam #2 CIV                                    MS-HOV-0201              Yes          Closed            7 CNTS main steam line #2 bypass valve CIV                  MS-HOV-0203              Yes          Closed            7 DHRS actuation valves (4 Total)                          DHR-HOV-0101A            Yes            Open            N/A DHR-HOV-0101B DHR-HOV-0201A DHR-HOV-0201B CNTS I&C Division I Electrical Penetration Assembly          CNV8                N/A            N/A            N/A (EPA)
Tier 2                                                  14.3-105                                                Revision 4
 
This page replaces page 3.11-20 in Chapter 3, "Design of Structures, Systems, Components and Equipment," Section 3.11, Table 3.11-1: List of Environmentally Qualified Electrical/I&C and Mechanical Equipment Located in Harsh Tier 2 NuScale Final Safety Analysis Report Environments (Continued)
Description(6)              Location(1)  EQ Environment  Qualification Program  PAM(2)  EQ Category(3)            Operating Time SG2 Steam Supply CIV/MS        EQ Zone G            Harsh              Electrical          C            A          Extended PAM (100 days)
Bypass Isolation Valve Close Position Sensor SG2 Steam Supply CIV/MS        EQ Zone G            Harsh              Electrical          C            A          Extended PAM (100 days)
Bypass Isolation Valve Open Position Sensor SG1 Steam Supply CIV/MS        EQ Zone G            Harsh              Electrical          C            A          Extended PAM (100 days)
Bypass Isolation Valve Close "Environmental Qualification of Mechanical and Electrical Equipment," of the NuScale Standard Plant Design Certification Application Position Sensor SG1 Steam Supply CIV/MS        EQ Zone G            Harsh              Electrical          C            A          Extended PAM (100 days)
Bypass Isolation Valve Open Position Sensor Steam Generator System (SGS-A014)
Environmental Qualification of Mechanical and Electrical Equipment Thermal relief valves          EQ Zone C            Harsh            Mechanical          N/A          B          Extended Term (<= 720 hr) 3.11-20 Control Rod Drive System        -
(CRDS-A022)
Control Rod Drive Coils        EQ Zone E            Harsh              Electrical        N/A          A          Short Term (<= 1 hr)
Rod Position Indication (RPI)  EQ Zone E            Harsh              Electrical        N/A          B          Extended Term (<= 720 hr)
Coils CRDM Control Cabinet            EQ Zone N            Harsh              Electrical        N/A          A          Short Term (<= 1 hr)
Rod Position Indication        EQ Zone N            Harsh              Electrical        N/A          B          Long Term (<= 72 hr)
Cabinets (Train A/B)
CRDS Cooling Water Piping      EQ Zone E            Harsh            Mechanical          N/A          B          Extended Term (<= 720 hr) and Pressure Relief Valve      EQ Zone F Part 2, Tier 2, Revision 4 (January 2020).
Reactor Coolant System          -
(RCS-A030)
PZR Control Cabinet          EQ Zone K              Harsh              Electrical        N/A          A          A Short Term (<= 1 hr)
EQ Zone L                                                                  B Reactor Safety Valve Position EQ Zone E              Harsh              Electrical          C            A          Extended PAM (100 days)
Indicator Reactor Safety Valves        EQ Zone E              Harsh            Mechanical          N/A          B          Extended Term (<= 720 hr)
Revision 4 Narrow Range Pressurizer      EQ Zone D              Harsh              Electrical        N/A          A          Short Term (<= 1 hr)
Pressure Elements            EQ Zone E}}

Latest revision as of 14:20, 11 December 2024

LLC, Submittal of Second Updates to Standard Plant Design Certification Application, Revision 4
ML20141L787
Person / Time
Site: NuScale
Issue date: 05/20/2020
From: Rad Z
NuScale
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LO-0520-69493
Download: ML20141L787 (540)
v  d  e


Text

Retrieved from "https://kanterella.com/w/index.php?title=ML20141L787&oldid=4183977"