System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["system<br>Nuclear Reactor Protection System"]
    n1["component<br>Nuclear Instrumentation Subsystem"]
    n2["component<br>Process Instrumentation Subsystem"]
    n3["component<br>Reactor Trip Subsystem"]
    n4["component<br>Engineered Safety Features Actuation System"]
    n5["component<br>Post-Accident Monitoring Subsystem"]
    n6["component<br>Communication and Display Subsystem"]
    n7["component<br>Class 1E Power Supply Subsystem"]
    n8["component<br>Test and Surveillance Subsystem"]
    n1 -->|Neutron flux trip signals| n3
    n2 -->|Process variable trip signals| n3
    n2 -->|ESF actuation parameters| n4
    n1 -->|Post-accident flux data| n5
    n2 -->|Post-accident process data| n5
    n3 -->|Trip status and alarms| n6
    n4 -->|ESF actuation status| n6
    n5 -->|Post-accident indications| n6
    n7 -->|Channel power| n1
    n7 -->|Logic power| n3
    n8 -->|Test signals and bypass| n3
    n8 -->|Test signals and bypass| n4
```
Nuclear RPS — Subsystem Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQS-001 | The Bistable Trip Processor SHALL compare each monitored parameter against its predetermined trip setpoint and generate a channel trip output within 100ms of the input signal reaching the setpoint value. Rationale: 100ms bistable response budget is allocated from the 2.0s total system response (SYS-REQS-001): 100ms bistable + 50ms coincidence + 100ms breaker + margins for signal conditioning and relay response. Exceeding 100ms compresses margins for downstream components and may violate the accident analysis timing assumption. | Test | subsystem, rts, bistable, session-199 |
| SUB-REQS-002 | The Coincidence Logic Module SHALL generate a train-level trip output when 2 or more of 4 channel trip inputs are present for any single trip function, with logic evaluation completed within 50ms. Rationale: 50ms coincidence logic evaluation is the allocated budget from the 2.0s system response time. 2-out-of-4 voting tolerates one failed/bypassed channel while preventing single-channel spurious trips. Logic must complete within budget to preserve time margin for breaker response and signal propagation delays. | Test | subsystem, rts, coincidence, session-199 |
| SUB-REQS-003 | When one protection channel is bypassed for maintenance, the Coincidence Logic Module SHALL automatically reconfigure to 2-out-of-3 voting for all trip functions served by the bypassed channel within 10ms of bypass activation. Rationale: Automatic reduction to 2-out-of-3 during single-channel bypass maintains single-failure tolerance per IEEE 603. 10ms reconfiguration prevents a gap in protection during the transition. Without automatic reduction, a bypassed channel plus one additional failure would defeat 2-out-of-4 voting. | Test | subsystem, rts, coincidence, session-199 |
| SUB-REQS-004 | The Reactor Trip Breaker SHALL open within 100ms of de-energization of its trip coil, interrupting power to the Control Rod Drive Mechanism power cabinets. Rationale: 100ms breaker opening time is derived from the total 2.0s system response budget. Mechanical breaker opening must complete within this allocation to ensure CRDM power interruption occurs fast enough for control rod insertion to match the reactivity insertion curve assumed in the safety analysis. | Test | subsystem, rts, breaker, session-199 |
| SUB-REQS-005 | The Reactor Trip Breaker SHALL employ undervoltage trip coils as the primary trip mechanism, such that loss of power to the trip coil causes breaker opening (fail-safe design). Rationale: Undervoltage trip coil design is fail-safe: loss of power opens the breaker. This satisfies SYS-REQS-004 fail-safe requirement. Alternative shunt-trip design requires power to trip and is not fail-safe. UV coil ensures that power supply failures, cable breaks, or relay contact failures all result in reactor trip. | Inspection | subsystem, rts, breaker, safety, session-199 |
| SUB-REQS-006 | The Manual Trip Interface SHALL provide a hardwired path from the main control room trip switches to the reactor trip breaker undervoltage coils that is independent of all digital processors, with actuation-to-breaker-opening time less than 200ms. Rationale: Manual trip independence from digital processors provides defense-in-depth per BTP 7-19 against common-cause software failure (SYS-REQS-015). 200ms response allocation accounts for switch contact closure, relay actuation, and breaker opening. Hardwired path eliminates all digital system dependencies. | Test | subsystem, rts, manual-trip, session-199 |
| SUB-REQS-007 | The Channel Bypass Logic SHALL prevent bypass of more than one protection channel simultaneously for any single trip function through hardware interlock, independent of software. Rationale: Hardware interlock prevents simultaneous bypass of multiple channels, which would reduce voting below 2-out-of-3 and violate Technical Specifications minimum channel requirements. Software-independent interlock ensures the protection cannot be defeated by software common-cause failure during maintenance. | Test | subsystem, rts, bypass, session-199 |
| SUB-REQS-008 | The ESF Coincidence Logic Processor SHALL evaluate 2-out-of-4 coincidence voting for each ESF function and generate an actuation demand output within 100ms of the second channel reaching its setpoint threshold. Rationale: 100ms ESF coincidence logic evaluation time is allocated from the 2.0s total ESF actuation initiation budget (SYS-REQS-005). Completion within 100ms of the second channel signal preserves timing margin for actuation priority logic, relay response, and component interface module processing. | Test | subsystem, esfas, session-201 |
| SUB-REQS-009 | The ESF Coincidence Logic Processor SHALL implement each ESF function (Safety Injection, Containment Isolation Phase A, Containment Isolation Phase B, Containment Spray, Steamline Isolation, Main Feedwater Isolation, Auxiliary Feedwater Actuation) in independent logic paths with no shared logic elements between functions. Rationale: Independent logic paths per ESF function prevent fault propagation between safety functions. A logic error in Containment Spray must not affect Safety Injection. This satisfies IEEE 603 functional independence requirements and ensures that maintenance or testing of one ESF function does not degrade another. | Inspection | subsystem, esfas, session-201 |
| SUB-REQS-010 | The Actuation Priority Logic Module SHALL enforce a fixed priority hierarchy where automatic ESF actuation commands override manual operator commands, which override normal plant control signals, and SHALL prevent any operator action from blocking or resetting an automatic ESF actuation once initiated until the initiating condition has cleared. Rationale: Fixed priority hierarchy ensures automatic safety actuation cannot be overridden by operator error during high-stress accident conditions. Blocking automatic actuation reset until the initiating condition clears prevents premature reset that could allow the accident to progress. Derived from IEEE 603 Clause 7.4 manual control requirements. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-011 | When a Safety Injection signal is coincident with a loss-of-offsite-power condition, the Sequential Events Controller SHALL shed non-essential loads from the safety bus within 3 seconds, issue emergency diesel generator start commands, and reconnect safety loads in a time-sequenced program with no less than 5-second intervals between load steps, completing the full loading sequence within 60 seconds. Rationale: Load sequencing prevents diesel generator overload during LOCA+LOOP. 5-second intervals allow each motor to start and reach running current before the next load connects. 60-second total sequence completion is assumed in FSAR Chapter 6 ECCS analysis. 3-second initial load shed prevents reverse power to the diesel. | Test | subsystem, esfas, session-201 |
| SUB-REQS-012 | The Manual ESF Actuation Panel SHALL provide hardwired manual initiation capability for each ESF function via dedicated two-switch controls, with signal paths that bypass all digital processing and connect directly to the Actuation Priority Logic Module. Rationale: Manual ESF actuation bypassing digital processing provides D3 backup per BTP 7-19 (SYS-REQS-015). Two-switch controls prevent inadvertent single-action actuation of ESF functions. Direct connection to Actuation Priority Logic Module ensures manual actuation works even with total digital system failure. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-013 | The ESF Component Interface Module SHALL provide electrical isolation rated to 1500V between protection system logic circuits and actuated equipment power circuits, and SHALL monitor actuation confirmation feedback (valve position, pump running status, breaker state) within 2 seconds of issuing an actuation command. Rationale: 1500V isolation rating exceeds the maximum credible fault voltage between safety logic (125VDC) and actuated equipment power circuits (480VAC/4160VAC). 2-second confirmation feedback is needed to verify actuation completed successfully; operators rely on this for post-trip verification per EOPs. | Test | subsystem, esfas, session-201 |
| SUB-REQS-014 | The Subgroup Relay Cabinet SHALL organise ESF actuation relays into functionally independent subgroups, enabling overlap testing of each individual actuation path during power operation without actuating the associated ESF equipment or disabling the automatic actuation capability of any other subgroup. Rationale: Subgroup organization enables partial testing at power per SYS-REQS-008 overlap testing requirement. Functional independence between subgroups ensures testing one actuation path does not inadvertently actuate equipment in another ESF function or disable the automatic actuation of any remaining path. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-015 | When an emergency diesel generator fails to start or accept load within 10 seconds, the Sequential Events Controller SHALL automatically transfer the affected train's safety loads to the alternate power source and adjust the loading sequence to prevent overloading the remaining power supply. Rationale: 10-second diesel start failure timeout is per FSAR emergency diesel generator requirements. Automatic transfer to alternate power prevents total loss of safety train during LOOP if one diesel fails. Adjusted loading sequence prevents overloading the remaining power source, which would cascade to loss of both trains. | Test | subsystem, esfas, session-201 |
| SUB-REQS-016 | The Source Range Detector Channel SHALL provide neutron flux measurement covering a minimum of 6 decades (1E-1 to 1E5 counts per second) using pulse counting mode at count rates below 1E5 cps and mean-square voltage mode above 1E4 cps, with a minimum 1-decade overlap between modes. Rationale: Source range detectors must cover 6 decades to span the full subcritical-to-critical transition. Pulse counting below 1E5 cps avoids dead-time losses; mean-square-voltage mode above 1E5 cps provides linear response when pulse pile-up makes counting unreliable. This dual-mode operation per NUREG-0800 SRP 7.2 ensures no gap in flux monitoring during reactor startup. | Test | subsystem, nis, session-201 |
| SUB-REQS-017 | The Intermediate Range Detector Channel SHALL provide compensated ionisation chamber output with gamma compensation error of less than 5% of indicated neutron flux across the full intermediate range (1E-11 to 1E-3 amps), with logarithmic amplifier response time of less than 1 second per decade. Rationale: 5% gamma compensation error limit is derived from FSAR safety analysis which assumes neutron flux measurement accuracy within 10% across the intermediate range. Gamma compensation is critical because ionisation chambers respond to both gamma and neutron radiation; without compensation, post-trip gamma fields would mask true neutron flux during shutdown monitoring. | Test | subsystem, nis, session-201 |
| SUB-REQS-018 | The Power Range Detector Channel SHALL provide upper and lower section ion chamber currents enabling axial flux difference (delta-I) measurement with an accuracy of ±2% of rated thermal power, and total neutron flux measurement from 1% to 120% rated thermal power with linearity error of less than ±1% of full scale. Rationale: ±2% delta-I accuracy is required by the Technical Specifications for axial flux difference surveillance. Split ion chambers (upper/lower) enable axial offset monitoring for departure-from-nucleate-boiling protection. Total power measurement within ±2% derives from the FSAR Chapter 15 overpower analysis assumptions. | Test | subsystem, nis, session-201 |
| SUB-REQS-019 | The NIS Signal Conditioning Electronics SHALL maintain calibration accuracy within ±0.5% of reading for a minimum of 18 months between scheduled calibrations, and SHALL provide built-in test capability for each channel without requiring disconnection of the detector. Rationale: ±0.5% calibration stability over 18 months matches the nuclear plant refueling cycle interval during which full-scope calibration is performed. Drift beyond 0.5% would exceed the channel uncertainty allocation in the safety analysis setpoint methodology (ISA 67.04). Built-in test capability enables partial verification between refueling outages without channel removal. | Test | subsystem, nis, session-201 |
| SUB-REQS-020 | The Detector High Voltage Power Supply SHALL maintain output voltage stability within ±0.1% over any 24-hour period, and SHALL automatically alarm when output voltage deviates by more than ±1% from the nominal setpoint. Rationale: ±0.1% voltage stability over 24 hours is required because detector sensitivity is proportional to applied bias voltage. For proportional counters and ion chambers, a 1% voltage shift can produce 2-5% gain change depending on operating point on the plateau curve. The 24-hour period bounds the maximum interval between automated surveillance checks. | Test | subsystem, nis, session-201 |
| SUB-REQS-021 | The RTD Temperature Measurement Channel SHALL measure reactor coolant temperature from 50°C to 400°C with a total channel accuracy of ±0.5°C including sensor drift, lead wire resistance compensation error, and signal conditioning uncertainty, using 4-wire platinum RTD elements calibrated to IEC 60751 Class AA. Rationale: ±0.5°C total channel accuracy is derived from the reactor protection system trip setpoint methodology per ISA 67.04. The temperature measurement uncertainty contributes directly to the overtemperature delta-T and overpower delta-T trip function uncertainties. Lead wire resistance compensation is essential for the 4-wire RTD configuration used over cable runs up to 150m between the RCS hot/cold legs and protection cabinets. | Test | subsystem, pis, rtd, session-202 |
| SUB-REQS-022 | The Pressure Transmitter Channel SHALL measure process pressures with a total channel accuracy of ±0.25% of calibrated span, including static pressure effects, ambient temperature effects over the range 10°C to 55°C, and 30-month calibration drift. Rationale: ±0.25% of calibrated span accuracy for pressure channels derives from the reactor protection system setpoint uncertainty analysis per ISA 67.04. Pressurizer pressure and RCS pressure measurements feed the low-pressure and high-pressure reactor trip functions. Static pressure and ambient temperature effects are specified because transmitters are exposed to containment conditions during normal operation. | Test | subsystem, pis, pressure, session-202 |
| SUB-REQS-023 | The Differential Pressure Flow Channel SHALL detect a 10% step change in reactor coolant flow within 1.0 seconds, including DP transmitter response time, square-root extraction computation, and signal conditioning filter delay, to support timely RCS low-flow reactor trip actuation. Rationale: 1.0-second response to a 10% flow step change ensures the RCS low-flow trip function actuates within the system-level 2.0s response budget. Reactor coolant pump coastdown during a loss-of-flow event can lead to departure from nucleate boiling within 3-5 seconds, making rapid detection essential. The square-root extraction is necessary because DP is proportional to flow squared. | Test | subsystem, pis, flow, session-202 |
| SUB-REQS-024 | The Level Measurement Channel SHALL compensate for reference leg temperature changes during post-LOCA conditions, maintaining level indication accuracy within ±5% of span when containment temperature varies from 25°C to 171°C, using stored density correction curves or temperature-compensated reference columns. Rationale: Reference leg temperature compensation is critical during post-LOCA conditions when containment temperature rises from ~40°C to 171°C. The reference leg condensate pot temperature changes cause the reference leg density to change, introducing a level measurement error that can exceed 20% of span without compensation. ±5% accuracy during post-LOCA ensures operators have reliable level indication for emergency operating procedures. | Test | subsystem, pis, level, session-202 |
| SUB-REQS-025 | The Process Signal Conditioning Module SHALL process raw sensor inputs and deliver calibrated 4-20mA outputs with a total signal path delay of no more than 500ms from sensor input change to conditioned output change, while providing at least 40dB attenuation of frequencies above 2Hz to reject plant electrical noise. Rationale: 500ms total signal conditioning delay is the allocated budget within the 2.0s system response time. The conditioning module performs linearisation, engineering unit conversion, and filtering, each contributing latency. This budget ensures sufficient margin when combined with bistable processing (100ms) and coincidence logic (100ms) to meet the system-level trip response requirement. | Test | subsystem, pis, conditioning, session-202 |
| SUB-REQS-026 | The Containment Environment Monitor SHALL remain operational and within accuracy specifications during and after exposure to post-LOCA conditions of 171°C temperature, 413 kPa gauge pressure, chemical spray (pH 10.5 boric acid/sodium hydroxide), and 1E8 rad total integrated gamma dose, for a minimum of 720 hours post-event per IEEE 323 qualification. Rationale: 171°C and 413 kPa envelope the LOCA peak containment conditions from FSAR Chapter 6 containment analysis. Chemical spray exposure (boric acid + NaOH at pH 9-11) and 1E8 rad total integrated dose are the DBA environmental conditions per IEEE 323. The monitor must survive these to provide RG 1.97 Category 1 containment atmosphere data throughout the post-accident monitoring period. | Test | subsystem, pis, containment, session-202 |
| SUB-REQS-027 | The Process Instrumentation Subsystem SHALL maintain electrical independence between the four redundant protection channels such that a short circuit, open circuit, or ground fault in any single channel does not degrade the measurement accuracy of any other channel by more than 0.1% of span. Rationale: Electrical independence between the four protection channels is mandated by IEEE 603 Clause 5.6 and 10 CFR 50 Appendix A GDC 22. A fault in one channel (short, open, or ground) must not propagate to redundant channels, as this would defeat the redundancy relied upon in the single failure analysis. Physical separation per IEEE 384 and qualified isolation devices are the implementation means. | Test | subsystem, pis, independence, session-202 |
| SUB-REQS-028 | The Containment Environment Monitor SHALL measure containment pressure over a narrow range of 0 to 413 kPa gauge with a total channel accuracy of ±1% of span, providing the primary input for Safety Injection, Containment Isolation Phase A, and Containment Spray ESF actuation functions. Rationale: 0-413 kPa narrow-range containment pressure with ±1% accuracy provides the primary input for the Safety Injection, Containment Isolation, and Containment Spray actuation signals. The narrow range provides better resolution than the wide-range monitor (0-1380 kPa) for the initial post-LOCA pressure transient, enabling timely ESF actuation before containment pressure exceeds design limits. | Test | subsystem, pis, containment, pressure, session-202 |
| SUB-REQS-030 | The Core Exit Thermocouple Assembly SHALL provide temperature measurement from 93°C to 1260°C at a minimum of 4 core locations per quadrant, using Type K thermocouples with an accuracy of ±2.2°C or ±0.75% of reading (whichever is greater) per ASTM E230, to detect approach to inadequate core cooling conditions. Rationale: 93°C to 1260°C range with Type K thermocouples covers the full spectrum from normal hot-leg temperature to inadequate core cooling conditions. 4 TCs per quadrant minimum ensures spatial coverage for detecting asymmetric core conditions per TMI Action Plan Item II.F.2. ±2.2°C or ±0.75% accuracy derives from IEC 60584 limits for Type K thermocouples, representing the best achievable in-vessel accuracy. | Inspection | subsystem, pams, cetc, session-202 |
| SUB-REQS-031 | The Reactor Vessel Level Indication System SHALL indicate reactor vessel water level from the bottom of the hot leg nozzle to the top of the vessel head with a resolution of ±5% of the indicated range, using the heated junction thermocouple differential temperature method, and SHALL distinguish between subcooled liquid, two-phase mixture, and superheated steam conditions. Rationale: Reactor vessel level indication from hot-leg nozzle to vessel head covers the TMI Action Plan requirement (II.F.2) for detecting inadequate core cooling. ±5% resolution enables operators to distinguish between normal level, partial uncovery, and significant core uncovery conditions. The heated junction thermocouple and differential pressure methods both require post-LOCA qualification. | Test | subsystem, pams, rvlis, session-202 |
| SUB-REQS-032 | The Wide-Range Containment Pressure Monitor SHALL measure containment pressure from -34 kPa to 1380 kPa gauge with an accuracy of ±2% of span, providing continuous indication to the Qualified Safety Display Panel for a minimum of 30 days following a design basis LOCA without recalibration or maintenance. Rationale: -34 kPa to 1380 kPa range covers from subatmospheric (ice condenser containments or drawdown scenarios) through 3× design pressure, as required by RG 1.97 for Type A variable Category 1 wide-range containment pressure. ±2% span accuracy is the minimum needed for post-accident trending and assessment of containment integrity under design extension conditions. | Test | subsystem, pams, containment-pressure, session-202 |
| SUB-REQS-033 | The Containment Hydrogen Monitor SHALL measure hydrogen concentration from 0 to 10% by volume with an accuracy of ±0.5% absolute and a response time (sample transport plus analysis) of no more than 5 minutes, and SHALL annunciate when hydrogen concentration exceeds 4% by volume (lower flammability limit in air). Rationale: 0-10% hydrogen monitoring range covers from normal atmosphere to the combustion threshold (4% in air) and above, as required by 10 CFR 50.44. ±0.5% absolute accuracy enables confident assessment of whether hydrogen concentration approaches the lower flammability limit. 5-minute response time ensures operators have timely data for hydrogen mitigation decisions per emergency operating procedures. | Test | subsystem, pams, hydrogen, session-202 |
| SUB-REQS-034 | The Qualified Safety Display Panel SHALL remain fully functional during and after a Safe Shutdown Earthquake of 0.3g peak ground acceleration, SHALL be readable under emergency lighting conditions of 50 lux minimum, and SHALL provide simultaneous display of all Reg Guide 1.97 Category 1 variables without requiring operator page selection. Rationale: 0.3g seismic qualification ensures post-accident displays survive the SSE and remain available for operator decision-making. Emergency lighting readability at 50 lux accounts for loss of normal lighting concurrent with the accident. These requirements flow from RG 1.97 Category 1 qualification criteria requiring displays to remain functional during and after the design basis event. | Demonstration | subsystem, pams, display, session-202 |
| SUB-REQS-035 | The Station Battery Bank SHALL provide 125VDC power to all connected divisional loads for a minimum of 4 hours following a loss of all AC power sources concurrent with a design basis accident, without battery terminal voltage dropping below 105VDC. Rationale: 4-hour battery capacity with concurrent DBA loads is the minimum station blackout coping duration per 10 CFR 50.63 and NUMARC 87-00. The battery must carry all safety loads including protection logic, trip breakers, post-accident monitoring, and emergency lighting without voltage dropping below 105VDC (the minimum for reliable relay and logic operation). This defines the battery sizing calculation per IEEE 485. | Test | subsystem, class1e, battery, session-203 |
| SUB-REQS-036 | The Vital Bus Inverter SHALL convert 125VDC input to 120VAC 60Hz output with voltage regulation within ±2% and frequency regulation within ±0.5% under all load conditions from no-load to rated load. Rationale: ±2% voltage and ±0.5% frequency regulation ensure connected digital protection equipment receives power within its input specifications. Protection processors and bistable modules are designed for 120VAC ±10%; the ±2% inverter regulation provides margin for downstream cable voltage drop and transient loading. IEEE 946 provides the design standard for Class 1E inverters. | Test | subsystem, class1e, inverter, session-203 |
| SUB-REQS-037 | The Isolation Transfer Switch SHALL transfer from the preferred inverter source to the regulated transformer alternate source within 4ms of detecting inverter output voltage below 102VAC or frequency outside 57-63Hz, without interruption to downstream protection system loads. Rationale: 4ms transfer time is below the ride-through capability of typical digital protection logic modules (10ms minimum per manufacturer specifications). Faster transfer prevents any interruption visible to the protection processors. The 102VAC and ±3Hz thresholds represent the boundaries beyond which downstream loads cannot operate correctly, triggering the transfer before equipment malfunction. | Test | subsystem, class1e, transfer, session-203 |
| SUB-REQS-038 | The Battery Charger SHALL recharge a fully discharged Station Battery Bank to 95% of rated capacity within 12 hours while simultaneously supplying all connected DC loads, with float voltage regulation within ±1% of the 140VDC setpoint. Rationale: 12-hour recharge to 95% capacity from fully discharged state ensures the battery is restored before the next potential station blackout event. This recharge rate is consistent with IEEE 1115 recommended practice. Float voltage regulation at ±0.5% per cell prevents overcharging (which accelerates plate degradation) and undercharging (which causes sulfation and capacity loss). | Test | subsystem, class1e, charger, session-203 |
| SUB-REQS-039 | The Class 1E Distribution Panel SHALL provide individual circuit protection for each protection system load circuit via molded-case circuit breakers, with selective coordination ensuring that a fault on any branch circuit is isolated without de-energising the vital bus or other branch circuits. Rationale: Individual circuit protection with selective coordination ensures a fault on one branch circuit trips only the local breaker, not the upstream supply. Without coordination, a single fault could de-energise the entire division's protection system loads, constituting a common-cause failure. Selective coordination study per IEEE 242 is required during detailed design. | Inspection | subsystem, class1e, distribution, session-203 |
| SUB-REQS-040 | Each Class 1E Power Supply division SHALL be electrically independent from all other protection divisions and from non-safety power systems, with no electrical interconnections that could propagate faults or allow a single failure in one division to affect power availability in any other division. Rationale: Divisional independence is mandated by IEEE 603 Clause 5.6 and NRC GDC 17. Electrical interconnections between divisions or between safety and non-safety could propagate faults across redundant trains, defeating the independence assumed in the safety analysis. Complete electrical isolation ensures the single failure criterion is satisfied for the power supply architecture. | Inspection | subsystem, class1e, independence, session-203 |
| SUB-REQS-041 | All Class 1E Power Supply Subsystem components SHALL maintain their safety function during and after a safe shutdown earthquake, qualified to IEEE 344 with seismic response spectra enveloping the site-specific ground motion at the equipment mounting location. Rationale: Seismic qualification per IEEE 344 ensures all power supply components maintain their safety function during and after the SSE. A loss of Class 1E power during a seismic event concurrent with a design basis accident would prevent protection system actuation. Seismic response spectra must envelope site-specific ground motion amplified through the building structure to the equipment mounting location. | Test | subsystem, class1e, seismic, session-203 |
| SUB-REQS-042 | The Analog Channel Test Module SHALL inject calibrated test signals at the channel input with accuracy ≤0.1% of span traceable to NIST standards, exercising the complete signal path from signal conditioning through bistable trip output. Rationale: 0.1% test signal accuracy traceable to NIST ensures calibration uncertainties do not exceed the channel accuracy allocations in the setpoint methodology per ISA 67.04. Exercising the complete signal path from input to bistable trip verifies the channel has not drifted beyond its Technical Specification allowance. The 2% overlap deadband prevents nuisance alarms during test signal ramping. | Test | subsystem, test-surv, channel-test, session-203 |
| SUB-REQS-043 | The Logic Test Cabinet SHALL test all 2-out-of-4 coincidence logic voting combinations for each reactor trip and ESF actuation function without requiring any channel to be bypassed, completing the full test sequence within one channel bypass interval per Technical Specifications. Rationale: Testing all 2-out-of-4 voting combinations without channel bypass is required by IEEE 338 to verify coincidence logic integrity while maintaining the protection function. Requiring full logic test within 4 hours bounds the Technical Specification surveillance completion time and minimises the period during which test-induced masking could exist. | Demonstration | subsystem, test-surv, logic-test, session-203 |
| SUB-REQS-044 | The Response Time Test Equipment SHALL measure total channel response time from sensor input to trip actuator output with measurement uncertainty ≤50ms at 95% confidence level, using non-intrusive techniques (LCSR for RTDs, noise analysis for pressure transmitters) that do not require process perturbation. Rationale: 50ms measurement uncertainty at 95% confidence is required to validate that each channel meets its allocated response time budget within the 2.0s system response requirement. Non-intrusive techniques (e.g., noise analysis per NUREG/CR-5501) avoid perturbing the operating channel. Sensor-to-actuator coverage ensures no response time contributor is missed. | Test | subsystem, test-surv, response-time, session-203 |
| SUB-REQS-045 | The Trip Breaker Test Circuit SHALL verify reactor trip breaker operability by energising the shunt trip coil and measuring breaker opening time, with a hardwired interlock preventing simultaneous testing of both series breakers in the same trip path. Pass criterion: breaker opening time ≤150ms from coil energisation to contact separation. Rationale: Shunt trip coil actuation testing verifies mechanical operability of the trip breaker, which is the last active component in the trip chain. The interlock preventing simultaneous testing of redundant breakers in the same trip leg is essential — testing both breakers simultaneously would cause a spurious reactor trip, violating SYS-REQS-004 spurious trip requirements. | Demonstration | subsystem, test-surv, breaker-test, session-203 |
| SUB-REQS-046 | The Test and Surveillance Subsystem SHALL provide overlap testing capability per IEEE 338 such that the combined test coverage of analog channel tests, logic tests, and actuator tests verifies the complete protection system signal path from sensor to final actuator with no untested gaps. Rationale: Overlap testing per IEEE 338 Section 6.3 requires that the combined scope of all individual component tests covers every element in the protection chain from sensor through actuator with no untested gaps. Without overlap at test boundaries, components at the interfaces between test segments could fail undetected, defeating the surveillance programme's purpose. | Demonstration | subsystem, test-surv, overlap, session-203 |
| SUB-REQS-047 | While any channel test or surveillance is in progress, the Test and Surveillance Subsystem SHALL maintain the protection system in a configuration that satisfies the single failure criterion, with the tested channel either tripped or bypassed per the plant Technical Specifications. Rationale: Maintaining single-failure-criterion compliance during testing is mandated by IEEE 603 Clause 5.7 and Technical Specification LCO requirements. If a second channel fails while one is under test, the protection function must still actuate. This constrains test methodology to one channel at a time and requires the tested channel to be placed in a known safe state (tripped or bypassed with automatic 2-out-of-3 reduction). | Analysis | subsystem, test-surv, safety, session-203 |
| SUB-REQS-048 | The Safety Parameter Display System SHALL display all Regulatory Guide 1.97 Category 1 post-accident monitoring variables with update rate ≤2 seconds, using qualified flat-panel displays that remain legible under emergency lighting conditions and seismic events. Rationale: RG 1.97 Category 1 variables require continuous display with qualified redundant instrumentation. 2-second update rate ensures operators see real-time plant status during rapidly evolving transients. Qualified flat-panel displays replace legacy CRT-based systems while meeting the same seismic and environmental qualification requirements per IEEE 323 and IEEE 344. | Test | subsystem, comm-display, spds, session-203 |
| SUB-REQS-049 | The Safety Data Gateway SHALL enforce hardware-level unidirectional data flow from Class 1E protection systems to the non-safety plant computer, with no electrical or logical path for data transmission from non-safety to safety systems. The gateway SHALL use fiber optic transmitters with no physical receive capability on the safety-side interface. Rationale: Hardware-enforced unidirectional data flow is the NRC-accepted implementation of GDC 24 separation between safety and non-safety. The critical requirement is that no receive hardware exists on the safety side — not merely a software firewall — because software-based isolation can be compromised by common-cause failure. This prevents any cyber attack or non-safety system fault from affecting protection system operation per 10 CFR 73.54. | Inspection | subsystem, comm-display, gateway, session-203 |
| SUB-REQS-050 | The Alarm and Status Annunciator SHALL provide first-out indication for reactor trip and ESF actuation events, identifying which trip function or ESF function initiated the actuation, using hardwired relay-driven inputs with no software in the safety-critical annunciation signal path. Rationale: First-out indication is required for post-trip diagnostics to determine which trip function initiated reactor trip or ESF actuation. Hardwired annunciation provides a diverse backup to digital alarm processing. First-out resolution distinguishes between the initiating event and consequential trips, which is essential for operator response per emergency operating procedures. | Demonstration | subsystem, comm-display, annunciator, session-203 |
| SUB-REQS-051 | The Intra-Division Communication Bus SHALL provide deterministic message delivery with guaranteed worst-case latency ≤10ms for all safety-critical data exchanges within a single protection division, using time-division multiplexed scheduling with CRC-32 error detection. Rationale: 10ms worst-case latency ensures intra-division communication does not consume excessive time from the 2.0s system response budget. Deterministic delivery is required because non-deterministic protocols (e.g., Ethernet with CSMA/CD) cannot guarantee message delivery within bounded time, which would make response time analysis non-conservative. The communication bus must be qualified per IEEE 603 for use in safety systems. | Test | subsystem, comm-display, bus, session-203 |
| SUB-REQS-052 | When persistent communication failure is detected on the Intra-Division Communication Bus (3 consecutive CRC failures or 50ms message timeout), the affected division SHALL place all protection outputs in the tripped state to maintain fail-safe operation. Rationale: Fail-safe response to communication failure places the affected division in the tripped state, consistent with the system-level fail-safe design philosophy per SYS-REQS-004. 3 consecutive CRC failures or 50ms timeout are detection thresholds that balance between avoiding false trips on transient EMI and ensuring timely detection of genuine bus failure. De-energise-to-trip provides the fail-safe action. | Test | subsystem, comm-display, bus, fail-safe, session-203 |
| SUB-REQS-053 | The Qualified Safety Display Panel and Safety Parameter Display System SHALL comply with NUREG-0700 human-system interface design review guidelines, including minimum character height of 4.7mm at normal viewing distance, colour coding per plant convention with no reliance on colour alone for safety-critical indications, alarm prioritisation into at least 3 severity levels, and operator response validation through task analysis demonstrating that all emergency operating procedure actions can be completed within the time margins assumed in the safety analysis. Rationale: NUREG-0700 compliance ensures human-system interfaces support correct operator action during high-stress post-accident conditions. Minimum 4.7mm character height at normal viewing distance ensures readability under degraded lighting. HSI design review guidelines address display layout, alarm management, and information hierarchy to minimise human error probability in safety-critical operator actions. | Inspection | subsystem, human-factors, comm-display, pams, session-205 |
| SUB-REQS-054 | The Reactor Trip Breaker SHALL have a minimum continuous current rating of 400A and a minimum interrupting capacity of 600A at 480VAC, sufficient to interrupt the full CRDM power bus load of approximately 320A continuous plus inrush current during rod stepping operations. | Test | subsystem, rts, breaker, cross-domain, session-224 |
| SUB-REQS-055 | The Reactor Trip Breaker SHALL be qualified for a minimum of 2000 full-load interrupting operations and 5000 no-load mechanical operations over a 60-year qualified life, with no degradation of opening time beyond the 100ms limit specified in SUB-REQS-004. | Test | subsystem, rts, breaker, cross-domain, session-224 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-DEFS-001 | The interface between Bistable Trip Processor and Coincidence Logic Module SHALL use optically isolated discrete digital outputs, with trip represented by the de-energised state (fail-safe), signal transition time less than 1ms, and electrical isolation of at least 1500VDC between channels. Rationale: Optical isolation provides galvanic separation between protection channels, preventing fault propagation per IEEE 603. De-energised = trip state is fail-safe: any cable break, power loss, or transmitter failure produces a trip output. 1ms transition time is negligible within the 50ms coincidence logic budget. 1500VDC isolation exceeds maximum credible inter-channel fault voltage. | Test | interface, rts, session-199 |
| IFC-DEFS-002 | The interface between Coincidence Logic Module and Reactor Trip Breaker SHALL use dedicated hardwired connections to the breaker undervoltage coil, with each train's coincidence logic driving only its own train's breakers, and no shared conductors between Train A and Train B circuits. Rationale: Hardwired connection from coincidence logic to trip breaker eliminates software dependency in the final trip path. Train-dedicated wiring prevents a single wiring fault from disabling both trains. No shared conductors ensures IEEE 384 separation is maintained to the trip breaker terminals. | Inspection | interface, rts, session-199 |
| IFC-DEFS-003 | The interface between Nuclear Instrumentation Subsystem and Bistable Trip Processor SHALL use 4-20mA current loop signals for analog flux measurements, with each of the four NIS channels connected to its corresponding bistable processor channel through qualified Class 1E cables routed in separate raceways. Rationale: 4-20mA current loops are the nuclear industry standard for analog safety signals — immune to cable resistance variation and readily detectable at 0mA for open-circuit failure (fail-safe). Separate raceways per channel maintain IEEE 384 physical separation. One-to-one NIS-to-bistable mapping preserves channel independence. | Test | interface, rts, nis, session-199 |
| IFC-DEFS-004 | The interface between Process Instrumentation Subsystem and Bistable Trip Processor SHALL use 4-20mA current loop signals for temperature, pressure, flow, and level measurements, with signal conditioning performed within the process instrumentation cabinets before transmission to the bistable processors. Rationale: 4-20mA current loops for process signals provide the same fail-safe and noise immunity benefits as NIS interfaces. Signal conditioning within process instrumentation cabinets isolates raw sensor signals from bistable processors, preventing sensor faults from propagating into the digital trip logic domain. | Test | interface, rts, pis, session-199 |
| IFC-DEFS-005 | The interface between Process Instrumentation Subsystem and ESF Coincidence Logic Processor SHALL use qualified 4-20mA analog current loops for each monitored process parameter, with signal isolation provided by qualified isolation devices at the protection channel boundary, and SHALL support a minimum of 24 ESF-related process measurement inputs per protection channel. Rationale: Qualified 4-20mA current loops maintain channel independence per IEEE 603. Isolation devices at protection channel boundaries prevent fault propagation between channels. 24 minimum inputs per channel supports all ESF functions (SI, CIA/CIB, CSS, MSI, MFI, AFW) with adequate parameter coverage for each function's actuation logic. | Test | interface, esfas, session-201 |
| IFC-DEFS-006 | The interface between Nuclear Instrumentation Subsystem and ESF Coincidence Logic Processor SHALL provide source-range high flux and power-range high flux signals as 4-20mA current loop inputs, one per protection channel, with channel isolation maintaining independence between the four redundant NIS channels feeding the four ESFAS channels. Rationale: NIS signals to ESFAS are needed for source-range high flux at shutdown (automatic boration) and power-range high flux block of safety injection reset. Channel isolation maintains NIS four-channel independence through the ESFAS interface. 4-20mA standard provides consistent signal interface across NIS and process instrumentation inputs. | Test | interface, esfas, session-201 |
| IFC-DEFS-007 | The interface between ESF Coincidence Logic Processor and Actuation Priority Logic Module SHALL use optically isolated discrete digital signals, one per ESF function per train, with a signal transition time of less than 1ms and optical isolation rated to a minimum of 2500V breakdown voltage. Rationale: Optical isolation at the ESF coincidence-to-priority-logic interface provides galvanic separation between FPGA-based coincidence logic and the relay-based actuation chain. 1ms transition preserves response time budget. 2500V breakdown rating exceeds the 1500V inter-channel requirement because this interface bridges the digital-to-relay technology boundary. | Test | interface, esfas, session-201 |
| IFC-DEFS-008 | The interface between Actuation Priority Logic Module and Subgroup Relay Cabinet SHALL use hardwired relay contact outputs, with each relay contact rated for a minimum interrupting capacity of 10A at 125VDC, and SHALL maintain physical separation between Train A and Train B relay circuits in accordance with IEEE 384 separation criteria. Rationale: Hardwired relay contacts at 10A/125VDC are sized for the maximum inrush current of downstream subgroup relay coils. IEEE 384 train separation at this interface is critical because both trains share the same physical ESF switchgear room. Relay-based interface maintains technology diversity from the FPGA coincidence logic upstream. | Test | interface, esfas, session-201 |
| IFC-DEFS-009 | The interface between Subgroup Relay Cabinet and ESF Component Interface Module SHALL provide hardwired relay contact outputs grouped by ESF function, with status feedback from actuated equipment (valve position limit switches, pump running contacts, breaker auxiliary contacts) returned as discrete dry contact inputs within 500ms of state change. Rationale: Functional grouping by ESF function enables overlap testing of individual actuation paths per SYS-REQS-008. 500ms feedback time ensures actuation confirmation is available to operators within the post-trip verification timeline. Dry contact feedback inputs provide electrical isolation between high-power actuated equipment and protection system logic. | Test | interface, esfas, session-201 |
| IFC-DEFS-010 | The interface between Sequential Events Controller and ESF Component Interface Module SHALL use hardwired relay outputs for each load step, with the Sequential Events Controller providing time-stamped load connection commands at 5-second minimum intervals, and the Component Interface Module returning breaker close confirmation within 2 seconds of each command. Rationale: Hardwired relay outputs for load sequencing ensure the time-critical diesel loading program is not dependent on digital communication. 5-second minimum intervals between load steps prevent diesel generator overload per FSAR analysis. 2-second breaker confirmation enables the sequence controller to detect and respond to failed breaker close commands before proceeding to the next load step. | Test | interface, esfas, session-201 |
| IFC-DEFS-011 | The interface between Source Range Detector Channel and NIS Signal Conditioning Electronics SHALL carry detector pulse signals via triaxial cable with characteristic impedance of 50 ohms, maintaining signal-to-noise ratio of at least 10:1 at the minimum detectable count rate of 0.1 cps. Rationale: Triaxial cable at 50 ohms characteristic impedance matches the source range detector output impedance for maximum signal transfer. Pulse fidelity preservation is critical because pulse height discrimination is used to reject noise and gamma pulses. Cable shielding must prevent electromagnetic coupling between adjacent channels, which would violate channel independence per IEEE 603. | Test | interface, nis, session-201 |
| IFC-DEFS-012 | The interface between Power Range Detector Channel and NIS Signal Conditioning Electronics SHALL provide independent upper and lower section current signals via separate mineral-insulated cables, each capable of carrying 1E-11 to 1E-3 amps with leakage current less than 1E-12 amps. Rationale: Independent upper and lower section signals on separate mineral-insulated cables enable axial flux difference (delta-I) measurement. Mineral insulation provides radiation resistance (>1E9 rad) and fire resistance for cables routed through containment. Separate cables prevent common-mode failure that could corrupt both sections simultaneously, which would invalidate axial offset protection. | Test | interface, nis, session-201 |
| IFC-DEFS-013 | The interface between Detector High Voltage Power Supply and all detector channels SHALL provide regulated DC bias voltage via dedicated high-voltage cables with double-shielded construction, current limiting at 1mA to protect detectors, and voltage monitoring telemetry to the signal conditioning electronics. Rationale: Double-shielded HV cables prevent electromagnetic interference from the high-voltage bias supply from coupling into nearby low-level signal cables. Dedicated cables per detector channel prevent single-point HV failures from affecting multiple channels. Current limiting protects against detector shorts that could otherwise damage the power supply or create fire hazards in containment. | Test | interface, nis, session-201 |
| IFC-DEFS-014 | The interface between RTD Temperature Measurement Channel and Process Signal Conditioning Module SHALL carry 4-wire RTD resistance signals over shielded twisted-pair cables with individual channel shields grounded at the conditioning module end only, maintaining lead wire resistance balance within 0.05 ohms per wire to preserve 4-wire measurement accuracy. Rationale: 4-wire RTD configuration eliminates lead wire resistance error, which is significant over cable runs up to 150m from RCS penetrations to protection cabinets. Individual channel shielding prevents crosstalk between temperature channels in the same cable tray, maintaining the measurement independence required by IEEE 603 Clause 5.6 for redundant channels feeding different protection divisions. | Test | interface, pis, rtd, session-202 |
| IFC-DEFS-015 | The interface between Pressure Transmitter Channel and Process Signal Conditioning Module SHALL use 4-20mA current loop signals over twisted-pair cables with a maximum loop resistance of 600 ohms, with each transmitter powered from the conditioning module via the same wire pair to maintain two-wire simplicity and eliminate ground loop errors. Rationale: 4-20mA current loops are the nuclear industry standard analog interface per ISA 67.04. 600 ohm maximum loop resistance accommodates the longest cable runs (up to 300m) using 16 AWG wire. Current loops are inherently immune to cable resistance variations and ground loops, providing fail-safe indication (0mA = wire break detectable as below-range). | Test | interface, pis, pressure, session-202 |
| IFC-DEFS-016 | The interface between Differential Pressure Flow Channel and Process Signal Conditioning Module SHALL provide 4-20mA analog signals representing the square root of measured differential pressure, with transmitter damping set to achieve a 63% step response time of no more than 400ms to support the 1.0-second flow trip response requirement. Rationale: Square-root-extracted 4-20mA output provides a signal linear with flow rate, simplifying downstream trip logic comparison. The interface must preserve the DP measurement accuracy through the extraction algorithm. Calibration range matching between transmitter output and conditioning module input is critical to avoiding systematic measurement bias in the low-flow trip function. | Test | interface, pis, flow, session-202 |
| IFC-DEFS-017 | The interface between Level Measurement Channel and Process Signal Conditioning Module SHALL provide 4-20mA signals with temperature compensation data transmitted as a separate thermocouple millivolt signal on a dedicated pair, enabling the conditioning module to apply real-time reference leg density corrections for post-accident level accuracy. Rationale: Separate thermocouple millivolt signal for reference leg temperature compensation is needed because post-LOCA containment temperature changes cause reference leg density changes that introduce 15-25% level error if uncompensated. Two independent signals (level and compensation) preserve measurement integrity and enable the conditioning module to apply real-time correction. | Test | interface, pis, level, session-202 |
| IFC-DEFS-018 | The interface between Containment Environment Monitor and Process Signal Conditioning Module SHALL pass through Class 1E qualified electrical penetration assemblies rated for 413 kPa at 171°C, with each signal pair using mineral-insulated cable inside containment and transitioning to standard instrumentation cable at the penetration, maintaining signal integrity within ±0.1% of span across the penetration boundary. Rationale: Class 1E qualified electrical penetration assemblies rated for 413 kPa at 171°C maintain containment integrity as the pressure boundary per 10 CFR 50 Appendix J. Each signal on a dedicated penetration conductor prevents a single penetration failure from affecting multiple measurement channels. The penetration must withstand LOCA conditions without leakage exceeding Type B test acceptance criteria. | Inspection | interface, pis, containment, penetration, session-202 |
| IFC-DEFS-019 | The interface between Core Exit Thermocouple Assembly and Qualified Safety Display Panel SHALL transmit thermocouple millivolt signals through qualified mineral-insulated cable from the reactor vessel head through containment penetrations, with cold junction compensation performed at the display panel end, maintaining end-to-end accuracy within ±4°C over the 93-1260°C measurement range. Rationale: Mineral-insulated cable from reactor vessel through containment is required because conventional polymer-insulated cable cannot survive the in-vessel and post-LOCA radiation and temperature environment. The cable routing from in-vessel TCs through the reactor head to the containment penetration is one of the most severe environmental paths in the plant, requiring MI cable rated to 1100°C. | Inspection | interface, pams, cetc, session-202 |
| IFC-DEFS-020 | The interface between Reactor Vessel Level Indication System and Qualified Safety Display Panel SHALL provide 4-20mA analog signals representing processed vessel level on two independent channels, with each channel independently powered from the panel's Class 1E supply, and SHALL include signal validation logic that flags disagreement exceeding 10% between redundant level channels. Rationale: Two independent 4-20mA channels for vessel level indication provide redundancy for this RG 1.97 Category 1 variable. Loss of a single channel must not result in loss of level indication to the operator. Signal isolation between the RVLIS and the display prevents faults in the display from affecting the measurement channel or propagating to other connected loads. | Test | interface, pams, rvlis, session-202 |
| IFC-DEFS-021 | The interface between Containment Hydrogen Monitor and Qualified Safety Display Panel SHALL provide a 4-20mA signal representing hydrogen concentration (0-10% range) and a discrete contact closure for the 4% high-hydrogen alarm, with the sample system status (flow, temperature, moisture) transmitted as additional discrete status contacts for monitoring sample system health. Rationale: 4-20mA analog concentration signal provides continuous trending capability while the discrete high-alarm contact provides a direct, unprocessed alert when hydrogen approaches the 4% lower flammability limit. The discrete contact is independent of the analog signal path, providing diverse indication and enabling direct annunciation without reliance on digital processing. | Test | interface, pams, hydrogen, session-202 |
| IFC-DEFS-022 | The interface between Station Battery Bank and Vital Bus Inverter SHALL carry 125VDC nominal (105-140VDC range) via 4/0 AWG Class 1E cable with a continuous current capacity of 200A, and a DC disconnect switch for maintenance isolation. Rationale: 4/0 AWG cable at 200A continuous capacity is sized for the maximum battery discharge current during a station blackout concurrent with DBA loads, with margin per IEEE 485. The 105-140VDC range represents the battery terminal voltage from end-of-discharge (105V = 1.75V/cell × 60 cells) to equalise charge (140V = 2.33V/cell × 60 cells). DC disconnect and fusing provide maintenance isolation and fault protection. | Inspection | interface, class1e, session-203 |
| IFC-DEFS-023 | The interface between Battery Charger and Station Battery Bank SHALL provide regulated DC at 2.33V per cell float (140VDC total) and 2.50V per cell equalise (150VDC total), with ripple voltage not exceeding 0.5% RMS of nominal output voltage. Rationale: 2.33V/cell float and 2.50V/cell equalise voltages are per IEEE 450 for lead-acid stationary batteries. Ripple voltage below 1% RMS prevents AC heating of battery plates which accelerates grid corrosion and reduces battery life. These interface parameters define the charger-battery compatibility envelope that must be verified during factory acceptance testing. | Test | interface, class1e, session-203 |
| IFC-DEFS-024 | The interface between Vital Bus Inverter and Isolation Transfer Switch SHALL carry 120VAC 60Hz single-phase at up to 25A, with the inverter providing voltage and frequency status signals to the transfer switch sensing circuits for automatic transfer initiation. Rationale: Voltage and frequency status signals from inverter to transfer switch enable the switch to detect inverter degradation and initiate transfer before downstream loads are affected. 25A capacity is sized for the maximum vital bus load including protection processors, bistable modules, and displays in a single division. The interface specification bounds the transfer switch input requirements. | Test | interface, class1e, session-203 |
| IFC-DEFS-025 | The interface between Isolation Transfer Switch and Class 1E Distribution Panel SHALL carry 120VAC 60Hz single-phase vital bus power at up to 25A continuous, with source status indication (inverter/alternate) provided to the distribution panel annunciation circuits. Rationale: Source status indication (inverter vs alternate) at the distribution panel enables maintenance personnel to verify power source and prevents inadvertent maintenance on an energised source. 25A continuous rating matches the upstream transfer switch output capacity. This interface defines the boundary between the uninterruptible power path and the distribution to individual protection loads. | Test | interface, class1e, session-203 |
| IFC-DEFS-026 | The interface between Class 1E Distribution Panel and protection system loads (Bistable Trip Processor, Coincidence Logic Module, safety displays) SHALL provide individually protected 120VAC branch circuits with load current not exceeding 80% of branch breaker rating under normal operating conditions. Rationale: Individual circuit protection for each load enables fault isolation — a short in one bistable processor trips only its breaker, not the entire division. Selective coordination ensures the branch breaker trips before the upstream main breaker, maintaining power to unaffected loads. This directly supports the single-failure-criterion by preventing power supply common-cause failures. | Test | interface, class1e, session-203 |
| IFC-DEFS-027 | The interface between Analog Channel Test Module and Process Signal Conditioning Module SHALL accept insertion of test signals at the input terminal block via test jacks, with signal isolation ensuring that test equipment faults cannot propagate to the process measurement channel or to other protection divisions. Rationale: Test signal insertion at the input terminal block exercises the complete channel signal path, satisfying IEEE 338 overlap testing requirements. Signal isolation between test equipment and the protection channel prevents the test equipment from becoming a fault pathway into the protection system. The test jack interface must be designed so that removal of the test plug restores normal channel operation. | Test | interface, test-surv, session-203 |
| IFC-DEFS-028 | The interface between Logic Test Cabinet and Coincidence Logic Module SHALL provide test input injection points at the voting logic inputs, with optical isolation between the test equipment and the protection logic to prevent common-cause failure propagation from test circuits to protection circuits. Rationale: Optical isolation between test equipment and voting logic prevents the test cabinet from injecting faults into the protection logic. Test injection at voting logic inputs overlaps with the analog channel test (which ends at bistable outputs), providing complete sensor-to-actuator coverage per IEEE 338. This interface must support testing without bypassing the channel under test. | Test | interface, test-surv, session-203 |
| IFC-DEFS-029 | The interface between Trip Breaker Test Circuit and Reactor Trip Breaker SHALL provide a dedicated shunt trip test coil circuit with series-connected breaker position contacts that de-energise the test circuit when the breaker opens, limiting test coil energisation to the duration necessary for breaker opening verification. Rationale: Series-connected breaker position contacts in the test circuit automatically de-energise the test coil when the breaker opens, preventing the test from holding the breaker open. This interlock ensures the breaker is available for automatic re-closure if needed. The shunt trip test coil is separate from the normal UV trip coil, allowing breaker operability testing without requiring a reactor trip signal. | Demonstration | interface, test-surv, session-203 |
| IFC-DEFS-030 | The interface between Logic Test Cabinet and Communication and Display Subsystem SHALL transmit test result data including function tested, test time, measured values, acceptance criteria, and pass/fail status via a one-way qualified data link to prevent the test system from affecting protection function operation. Rationale: Transmitting structured test results (function, time, values, criteria, pass/fail) enables automated trending of surveillance test data and supports Technical Specification surveillance documentation requirements. Optical isolation at this interface ensures the non-safety communication path cannot electrically affect the test equipment or, through it, the protection system under test. | Test | interface, test-surv, session-203 |
| IFC-DEFS-031 | The interface between Intra-Division Communication Bus and protection processors (Bistable Trip Processor, Coincidence Logic Module, ESF Coincidence Logic Processor) SHALL use fiber optic serial connections at 10 Mbps with fixed time-division multiplexed message scheduling, with each processor allocated dedicated time slots in the bus schedule. Rationale: Fiber optic serial connections provide inherent galvanic isolation and EMI immunity for intra-division safety communication. Deterministic protocol is required because non-deterministic bus access (Ethernet CSMA/CD, token passing) cannot provide bounded worst-case latency needed for safety system response time analysis. Fiber optics also eliminate ground loop concerns within the division. | Test | interface, comm-display, session-203 |
| IFC-DEFS-032 | The interface between Safety Data Gateway and plant process computer SHALL transmit protection system data at 10 Mbps via fiber optic medium, with the safety-side transmitter containing no receive photodiode or receive signal processing circuitry, providing hardware-enforced isolation per IEEE 7-4.3.2. Rationale: No receive photodiode on the safety side implements hardware-enforced unidirectional data flow per NRC GDC 24. This prevents any signal — including cyber attacks — from propagating from the non-safety network back into the protection system. 10 Mbps is sufficient bandwidth for the ~500 parameters per division updated at 1-2 second intervals while supporting fiber optic qualification per IEEE 323. | Inspection | interface, comm-display, session-203 |
| IFC-DEFS-033 | The interface between Alarm and Status Annunciator and protection system components SHALL use discrete hardwired relay contact inputs (Form C) for each annunciated status, with contact wetting current ≥10mA to ensure reliable contact operation and optical isolation on the annunciator input to prevent fault propagation. Rationale: Discrete hardwired relay contacts for annunciation provide a diverse (non-digital) indication path independent of the communication bus. Form C contacts enable both alarm and status indication. Contact wetting current specification ensures reliable operation with the annunciator input circuits, preventing intermittent or false annunciation from oxidised contact surfaces. | Test | interface, comm-display, session-203 |
| IFC-DEFS-034 | The interface between Safety Parameter Display System and Qualified Safety Display Panel SHALL receive post-accident monitoring data via one-way qualified data link from each protection division, with the display system performing cross-division data validation by comparing redundant measurements before display. Rationale: One-way qualified data link from each division to the SPDS preserves divisional independence — the display cannot command or affect protection processors. Per-division data links maintain channel identity so the SPDS can display per-division parameter values and identify discrepancies between divisions. Update rate must support RG 1.97 display requirements for continuous post-accident monitoring. | Test | interface, comm-display, session-203 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-DECISIONS-001 | ARC: Nuclear RPS — Quadruple-redundant channel architecture with 2-out-of-4 coincidence voting was selected over triple-redundant 2/3 voting. The 4-channel design permits one channel to be bypassed for online maintenance while maintaining 2/3 voting capability, directly supporting the 18-month fuel cycle surveillance interval required by Technical Specifications. The additional channel cost is justified by achieving both the 1E-5 PFD target and the spurious trip rate target of less than 1 per year, which 2/3 voting cannot simultaneously achieve at realistic component failure rates. The architecture separates reactor trip and ESFAS logic into distinct subsystems sharing sensor inputs but using independent logic processors, per NRC Branch Technical Position 7-19 guidance on digital I&C diversity. Rationale: 4-channel 2/4 voting is the standard nuclear industry architecture because it uniquely permits one channel in test/maintenance and one failed channel while still maintaining trip capability (2/4 becomes 1/2 effective). 2/3 voting cannot tolerate simultaneous test and failure. MTBF > 40,000 hours per channel with 92-day surveillance drives the 2/4 reliability advantage. | Analysis | architecture, system-level, session-199 |
| ARC-DECISIONS-002 | ARC: RTS/ESFAS Separation — Reactor Trip Subsystem and ESFAS are implemented as separate subsystems rather than a combined protection processor. This separation ensures that a common-mode software failure in ESFAS logic cannot inhibit reactor trip, and vice versa. The subsystems share field sensor inputs through qualified isolation but use independent logic processors, independent power supplies, and independent output actuators. This architecture satisfies IEEE 603 diversity requirements and NRC expectations for defense-in-depth against digital common-cause failure per BTP 7-19. Rationale: RTS/ESFAS functional separation is mandated by BTP 7-19 diversity and defense-in-depth requirements. A combined processor would create a common-cause failure point for both trip and ESF actuation functions, which are relied upon independently in the safety analysis. Separate hardware ensures that a software defect affecting trip logic cannot simultaneously disable safety injection. | Analysis | architecture, rts, esfas, session-199 |
| ARC-DECISIONS-003 | ARC: ESFAS — Relay-based priority logic with FPGA-based coincidence voting was selected to provide technology diversity against digital common-cause failure. The coincidence logic uses FPGAs (no software, deterministic timing) while the priority logic and subgroup actuation use electromechanical relays. This mirrors the RTS architecture but adds the Sequential Events Controller as a distinct component because load sequencing is a time-domain function fundamentally different from the binary voting logic of ESF actuation. The subgroup relay organisation follows the NRC-endorsed approach of grouping actuations by function rather than by physical location, enabling meaningful online testing without spurious actuation. Rationale: FPGA-relay diversity addresses NRC BTP 7-19 CCF concerns for digital protection systems. FPGAs execute deterministic logic without an operating system or software in the traditional sense, reducing the CCF attack surface. Relay-based priority logic provides a technology-diverse path that is immune to digital CCF affecting the FPGA coincidence voting. | Analysis | architecture, esfas, session-201 |
| ARC-DECISIONS-004 | ARC: Nuclear Instrumentation — Three overlapping detector ranges (source, intermediate, power) with distinct detection physics were selected to cover 10+ decades of neutron flux from shutdown to 120% power. Source range uses proportional counters (pulse counting) for maximum sensitivity at low flux. Intermediate range uses compensated ion chambers to reject post-shutdown gamma fields. Power range uses uncompensated ion chambers in dual-section configuration for axial flux difference measurement required by overtemperature/overpower delta-T protection. This three-range architecture is mandated by physics — no single detector type can cover the full range with adequate accuracy. Rationale: 10-decade flux measurement requires three distinct detector types because no single detector technology can span this range. BF3/He-3 proportional counters (source), compensated ion chambers (intermediate), and uncompensated ion chambers (power) each have optimal sensitivity ranges. Range overlap prevents a gap in flux monitoring during startup, which could mask an uncontrolled criticality approach. | Analysis | architecture, nis, session-201 |
| ARC-DECISIONS-005 | ARC: Process Instrumentation — Sensor channels are decomposed by measurement principle (RTD, capacitance pressure, DP flow, DP level) rather than by plant system served or by protection channel division, because each measurement type has distinct signal conditioning requirements, calibration procedures, and failure modes. Containment environment monitoring is a separate component because its sensors operate inside containment under post-LOCA conditions, requiring distinct environmental qualification and mineral-insulated cabling through penetration assemblies — an entirely different technology base from the external process instruments. Signal conditioning is centralised per-channel (not per-sensor-type) because the protection architecture requires channel-level independence, and each channel's conditioning module must be physically and electrically isolated from the other three channels. Rationale: Decomposition by measurement principle groups components that share calibration methods, environmental qualification requirements, and failure modes. RTD channels share lead-wire compensation techniques; pressure channels share static pressure correction. This grouping optimises maintenance procedures and channel uncertainty analysis per ISA 67.04. | Analysis | architecture, pis, session-202 |
| ARC-DECISIONS-006 | ARC: Post-Accident Monitoring — PAMS components are decomposed by measured parameter rather than by location (in-vessel vs. containment vs. control room) because each measurement uses a fundamentally different sensing technology: heated junction thermocouples for vessel level (RVLIS), standard thermocouples for core exit temperature, thermal conductivity cells for hydrogen, and capacitance-cell transmitters for pressure. The Qualified Safety Display Panel is a separate component from the Communication and Display Subsystem because PAMS displays must be seismically qualified, powered from Class 1E sources, and independent from the plant process computer — requirements that do not apply to the general display subsystem. Hydrogen monitoring uses an extractive sample system rather than in-situ sensors because no qualified in-situ hydrogen sensor exists that can survive post-LOCA containment conditions for 30 days. Rationale: Parameter-based decomposition reflects the reality that each PAMS measurement uses different sensing technology (thermocouples, DP transmitters, hydrogen analysers, radiation monitors) with fundamentally different qualification challenges. Location-based grouping would mix unrelated technologies and obscure the distinct environmental qualification and calibration requirements of each parameter. | Analysis | architecture, pams, session-202 |
| ARC-DECISIONS-007 | ARC: Class 1E Power Supply — Uninterruptible power topology with battery-backed inverter as preferred source, regulated transformer as alternate via static transfer switch. This architecture ensures zero power interruption during loss of offsite power events (battery carries load through diesel generator start sequence) while providing maintenance flexibility (alternate source allows inverter removal). The 4-hour battery sizing is driven by NRC regulatory requirement for station blackout coping, not by typical diesel start time of 10 seconds. Five components per division reflect the minimum path: energy storage (battery), charging (charger), conversion (inverter), source selection (transfer switch), and distribution (panel). No consolidation is possible without losing the ability to independently maintain or test each function. Rationale: Zero-interruption power ensures protection processors never lose power during source transitions — even a 4ms gap could cause protection logic to reset and require restart. Battery-backed inverter as preferred source means all normal power disturbances are absorbed by the battery/inverter, with the alternate transformer source only engaged if the inverter fails. This topology per IEEE 946 provides the highest availability. | Analysis | architecture, class1e, session-203 |
| ARC-DECISIONS-008 | ARC: Test and Surveillance — Four-component architecture reflecting the distinct test boundaries mandated by IEEE 338 overlap testing: analog channel test (sensor-to-bistable), logic test (bistable-to-actuation), actuator test (breaker opening), and response time measurement (end-to-end timing). These cannot be consolidated because each tests a different segment of the protection path using different techniques. Response Time Test Equipment is separated from Analog Channel Test Module because it uses non-intrusive noise analysis techniques (LCSR, TDR) requiring specialised signal processing, whereas the channel test module uses precision signal injection. The Trip Breaker Test Circuit is hardwired rather than software-controlled to ensure that the interlock preventing simultaneous testing of both series breakers cannot be defeated by a software error. Rationale: IEEE 338 mandates that surveillance testing covers every element from sensor through actuator with no untested gaps. The four test components (analog channel, logic, response time, trip breaker) align exactly with the four distinct test boundary segments in the protection chain. Each component has different test methodology, equipment, and frequency, making separate components the natural decomposition. | Analysis | architecture, test-surv, session-203 |
| ARC-DECISIONS-009 | ARC: Communication and Display — Four components reflecting the distinct communication isolation boundaries required by IEEE 603 and IEEE 7-4.3.2. The Safety Data Gateway is separated from the SPDS because it serves a fundamentally different isolation function: the gateway provides safety-to-non-safety isolation (preventing non-safety data from entering the protection system), while the SPDS aggregates data from multiple safety divisions for qualified operator display. The Alarm and Status Annunciator uses hardwired relay contacts rather than the digital communication bus because NRC guidance requires diverse actuation indication that is independent of the digital processing platform — this provides defence-in-depth against common-cause digital failures. The Intra-Division Communication Bus is separated from inter-division communication (which does not exist by design) to enforce the division independence architecture. Rationale: IEEE 603 Clause 5.6.3 and IEEE 7-4.3.2 require strict isolation between safety and non-safety communication paths. Separating the Safety Data Gateway (one-way hardware isolation) from the SPDS (display processing) from the Annunciator (diverse hardwired) from the intra-division bus (safety-to-safety) reflects the four fundamentally different isolation and qualification requirements at each communication boundary. | Analysis | architecture, comm-display, session-203 |
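The 2-out-of-4 voting, single-channel maintenance bypass and the "2/4 becomes 1/2 effective" argument of ARC-DECISIONS-001 (and the Channel Bypass Logic and Coincidence Logic Module entries), as an added reference model that is not part of the SyDD or the project's FPGA logic. It generalises to N channels so the selected 2/4 design can be compared with the rejected 2/3 design; channel names and bistable inputs are constructed for the example.

```python
"""
Added example, not part of the SyDD or the project's FPGA logic: a reference
model of the 2-out-of-N coincidence voting and single-channel maintenance bypass
described in ARC-DECISIONS-001 and in the Channel Bypass Logic and Coincidence
Logic Module entries. Channel names and trip inputs are constructed.
"""
from dataclasses import dataclass, field

TRIP_THRESHOLD = 2  # "2-out-of-N": two concurring channels trip the train


class BypassViolation(Exception):
    """Administrative lockout: more than one channel bypassed at once."""


@dataclass
class CoincidenceTrain:
    """One train of coincidence logic for a single trip function."""

    channels: tuple = ("A", "B", "C", "D")  # four channels = the selected design
    bypassed: set = field(default_factory=set)

    def request_bypass(self, channel: str) -> None:
        """Place one channel in maintenance bypass; refuse a second one."""
        if channel not in self.channels:
            raise ValueError(f"unknown channel {channel!r}")
        if self.bypassed and channel not in self.bypassed:
            raise BypassViolation("only one channel may be bypassed at a time")
        self.bypassed.add(channel)

    def clear_bypass(self, channel: str) -> None:
        self.bypassed.discard(channel)

    def voting_config(self) -> str:
        """'2/4' normally; '2/3' while a channel is bypassed (threshold unchanged)."""
        return f"{TRIP_THRESHOLD}/{len(self.channels) - len(self.bypassed)}"

    def evaluate(self, channel_trips: dict) -> bool:
        """Train trip output. channel_trips maps channel -> bistable trip state.
        A bypassed channel's vote is ignored; every other channel must report."""
        votes = 0
        for ch in self.channels:
            if ch in self.bypassed:
                continue
            if ch not in channel_trips:
                raise ValueError(f"no bistable state for channel {ch!r}")
            votes += 1 if channel_trips[ch] else 0
        return votes >= TRIP_THRESHOLD

    def effective_requirement(self, failed_tripped=frozenset()) -> str:
        """Voting seen by the remaining healthy channels when some non-bypassed
        channels have failed in the tripped state. For 2/4 with one channel
        bypassed and one failed this is '1/2', as ARC-DECISIONS-001 states."""
        healthy = [c for c in self.channels
                   if c not in self.bypassed and c not in failed_tripped]
        already = len([c for c in failed_tripped if c not in self.bypassed])
        needed = max(TRIP_THRESHOLD - already, 0)
        return f"{needed}/{len(healthy)}"

    def can_still_trip(self, failed_untripped=frozenset()) -> bool:
        """Trip capability is retained only if enough healthy, non-bypassed
        channels remain to reach the threshold on a real demand."""
        healthy = [c for c in self.channels
                   if c not in self.bypassed and c not in failed_untripped]
        return len(healthy) >= TRIP_THRESHOLD


def compare_architectures() -> dict:
    """One channel in test plus one failed channel, for the 2/4 and 2/3 designs."""
    result = {}
    for name, chans in (("2/4", ("A", "B", "C", "D")), ("2/3", ("A", "B", "C"))):
        train = CoincidenceTrain(channels=chans)
        train.request_bypass(chans[0])      # channel in test/maintenance
        failed = {chans[1]}                 # one further channel failed
        result[name] = {
            "failed_tripped": train.effective_requirement(failed),
            "trip_capability_with_failed_untripped": train.can_still_trip(failed),
        }
    return result


if __name__ == "__main__":
    train = CoincidenceTrain()
    print(train.voting_config())                                            # 2/4
    print(train.evaluate({"A": True, "B": False, "C": False, "D": False}))  # False
    train.request_bypass("C")
    print(train.voting_config())                                            # 2/3
    print(compare_architectures())
```

The 2/3 comparison shows the decision's point: with one channel in test and one failed untripped, the three-channel design has no trip capability left, while the four-channel design still has two healthy channels.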
```mermaid
flowchart TB
    n0["component<br>Bistable Trip Processor (Ch A)"]
    n1["component<br>Bistable Trip Processor (Ch B)"]
    n2["component<br>Bistable Trip Processor (Ch C)"]
    n3["component<br>Bistable Trip Processor (Ch D)"]
    n4["component<br>Coincidence Logic (Train A)"]
    n5["component<br>Coincidence Logic (Train B)"]
    n6["component<br>Reactor Trip Breaker A1"]
    n7["component<br>Reactor Trip Breaker A2"]
    n8["component<br>Reactor Trip Breaker B1"]
    n9["component<br>Reactor Trip Breaker B2"]
    n10["component<br>Manual Trip Switch"]
    n11["component<br>Channel Bypass Logic"]
    n0 -->|Trip signal| n4
    n0 -->|Trip signal| n5
    n1 -->|Trip signal| n4
    n1 -->|Trip signal| n5
    n2 -->|Trip signal| n4
    n2 -->|Trip signal| n5
    n3 -->|Trip signal| n4
    n3 -->|Trip signal| n5
    n4 -->|Train A trip| n6
    n4 -->|Train A trip| n7
    n5 -->|Train B trip| n8
    n5 -->|Train B trip| n9
    n10 -->|Manual trip| n6
    n10 -->|Manual trip| n8
    n11 -->|Bypass status| n4
    n11 -->|Bypass status| n5
```
Reactor Trip Subsystem — Internal
```mermaid
flowchart TB
    n0["actor<br>Process Instrumentation"]
    n1["actor<br>Nuclear Instrumentation"]
    n2["component<br>ESF Coincidence Logic Processor"]
    n3["component<br>Actuation Priority Logic"]
    n4["component<br>Sequential Events Controller"]
    n5["component<br>Manual ESF Actuation Panel"]
    n6["component<br>ESF Component Interface Module"]
    n7["component<br>Subgroup Relay Cabinet"]
    n8["actor<br>Safety Equipment"]
    n0 -->|4-20mA process signals| n2
    n1 -->|Neutron flux signals| n2
    n2 -->|ESF actuation demands| n3
    n5 -->|Manual ESF initiation| n3
    n3 -->|Prioritised commands| n7
    n7 -->|Subgroup relay outputs| n6
    n4 -->|Sequenced load commands| n6
    n6 -->|Actuator drive signals| n8
```
ESFAS — Internal
```mermaid
flowchart TB
    n0["actor<br>Reactor Vessel"]
    n1["component<br>Source Range Channel"]
    n2["component<br>Intermediate Range Channel"]
    n3["component<br>Power Range Channel"]
    n4["component<br>Signal Conditioning"]
    n5["component<br>HV Power Supply"]
    n6["actor<br>Bistable Trip Processor"]
    n7["actor<br>ESF Coincidence Logic"]
    n0 -->|Neutron flux| n1
    n0 -->|Neutron flux| n2
    n0 -->|Neutron flux| n3
    n5 -->|Detector bias| n1
    n5 -->|Detector bias| n2
    n5 -->|Detector bias| n3
    n1 -->|Pulse/Campbell signal| n4
    n2 -->|Ion chamber current| n4
    n3 -->|Upper/lower section currents| n4
    n4 -->|4-20mA trip signals| n6
    n4 -->|4-20mA ESF signals| n7
```
Nuclear Instrumentation — Internal
```mermaid
flowchart TB
    n0["component<br>RTD Temperature Channel"]
    n1["component<br>Pressure Transmitter Channel"]
    n2["component<br>DP Flow Channel"]
    n3["component<br>Level Measurement Channel"]
    n4["component<br>Signal Conditioning Module"]
    n5["component<br>Containment Environment Monitor"]
    n0 -->|RTD resistance| n4
    n1 -->|Pressure 4-20mA| n4
    n2 -->|DP flow 4-20mA| n4
    n3 -->|Level DP 4-20mA| n4
    n5 -->|Containment signals| n4
```
Process Instrumentation — Internal
```mermaid
flowchart TB
    n0["component<br>Wide-Range Containment Pressure Monitor"]
    n1["component<br>Containment Hydrogen Monitor"]
    n2["component<br>Core Exit Thermocouple Assembly"]
    n3["component<br>Reactor Vessel Level Indication System"]
    n4["component<br>Qualified Safety Display Panel"]
    n0 -->|Pressure 0-200 psig| n4
    n1 -->|H2 concentration| n4
    n2 -->|Core exit temps| n4
    n3 -->|Vessel level| n4
```
Post-Accident Monitoring — Internal
```mermaid
flowchart TB
    n0["component<br>Station Battery Bank"]
    n1["component<br>Battery Charger"]
    n2["component<br>Vital Bus Inverter"]
    n3["component<br>Isolation Transfer Switch"]
    n4["component<br>Class 1E Distribution Panel"]
    n5["actor<br>Class 1E 480V MCC"]
    n6["actor<br>Regulated Transformer"]
    n7["actor<br>Protection System Loads"]
    n5 -->|480VAC| n1
    n1 -->|140VDC float charge| n0
    n0 -->|125VDC| n2
    n2 -->|120VAC preferred| n3
    n6 -->|120VAC alternate| n3
    n3 -->|120VAC vital bus| n4
    n4 -->|Protected branch circuits| n7
```
Class 1E Power Supply — Internal
```mermaid
flowchart TB
    n0["component<br>Analog Channel Test Module"]
    n1["component<br>Logic Test Cabinet"]
    n2["component<br>Response Time Test Equipment"]
    n3["component<br>Trip Breaker Test Circuit"]
    n4["actor<br>Bistable/Logic Processors"]
    n5["actor<br>Reactor Trip Breakers"]
    n6["actor<br>Comm and Display"]
    n0 -->|Test signals| n4
    n1 -->|Logic test inputs| n4
    n2 -->|Timing reference| n0
    n3 -->|Shunt trip test| n5
    n1 -->|Test results| n6
    n0 -->|Channel test results| n6
```
Test and Surveillance Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>Safety Parameter Display System"]
    n1["component<br>Safety Data Gateway"]
    n2["component<br>Alarm and Status Annunciator"]
    n3["component<br>Intra-Division Communication Bus"]
    n4["actor<br>Protection Processors"]
    n5["actor<br>Control Room Operators"]
    n6["actor<br>Plant Process Computer"]
    n4 -->|Divisional data| n3
    n3 -->|Safety parameters| n0
    n3 -->|Status data| n1
    n1 -->|One-way data| n6
    n4 -->|Hardwired status contacts| n2
    n0 -->|Display| n5
    n2 -->|Alarms| n5
```
Communication and Display Subsystem — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Actuation Priority Logic Module | D0A53818 | Hardwired priority logic module resolving conflicts between automatic ESF actuation signals, manual operator commands, and normal plant control signals in a PWR nuclear protection system. Implements a fixed priority hierarchy: automatic safety actuation overrides manual control, which overrides normal control. Uses relay-based logic for diversity from digital coincidence logic. Located in safety-related switchgear room. |
| Alarm and Status Annunciator | D6ED7018 | Hardwired annunciator panel in main control room providing safety system status indication via illuminated window tiles. Displays channel trip status, train actuation status, bypass status, power supply status, and equipment malfunction for each protection division. Uses discrete relay-driven inputs from protection system status contacts — no software in the annunciation path for safety-critical alarms. Includes first-out indication for reactor trip and ESF actuation to support post-event operator diagnosis. Audible alarm with acknowledge, silence, and test functions. Seismically qualified per IEEE 344. |
| Analog Channel Test Module | D7E57018 | Automated test injection module for nuclear protection system analog instrument channels. Inserts precision test signals (4-20mA, 0-10VDC) at the channel input to verify the complete signal path from process transmitter through signal conditioning, bistable comparison, and trip output. Includes calibrated signal sources traceable to NIST standards, test sequencing logic, and automatic pass/fail comparison against acceptance criteria. Supports overlap testing per IEEE 338 to verify that no gaps exist in the combined test coverage. One module per protection channel, physically located in the protection cabinet. |
| Battery Charger | D4F53018 | Class 1E silicon-controlled rectifier battery charger converting 480VAC from Class 1E motor control centre to regulated 140VDC float charge voltage for station battery bank. Output current capacity sufficient to supply all connected DC loads while simultaneously recharging battery from fully discharged state within 12 hours. Automatic voltage regulation maintains float voltage within ±1% of setpoint. Includes high/low voltage alarms and ground fault detection. One charger per division, powered from divisional Class 1E 480V bus. |
| Bistable Trip Processor | 50F77A18 | Per-channel trip determination module in nuclear RPS Reactor Trip Subsystem. Receives conditioned analog signals from nuclear and process instrumentation. Compares each parameter against predetermined trip setpoints using digital comparators. Generates individual trip/no-trip binary outputs for each trip function (e.g., high neutron flux, low RCS pressure, low RCS flow). Four independent bistable processors, one per protection channel. Implemented as FPGA-based logic to avoid software common-cause failure concerns. Must complete bistable comparison within 100ms of input change. |
| Channel Bypass Logic | 40F67851 | Maintenance bypass and trip channel bypass logic in nuclear RPS Reactor Trip Subsystem. Allows one protection channel at a time to be removed from service for testing or maintenance. When a channel is bypassed, automatically reconfigures the coincidence logic from 2/4 to 2/3 voting for all trip functions served by that channel. Includes administrative lockout preventing bypass of more than one channel simultaneously. Generates bypass status indication to main control room and interlocks to prevent exceeding Technical Specification allowed bypass configurations. |
| Class 1E Distribution Panel | D6A51058 | Seismically qualified Class 1E power distribution panel providing circuit protection and load allocation for one protection division. Contains molded-case circuit breakers sized for individual load circuits including bistable processors, coincidence logic cabinets, safety displays, and field instrument power supplies. Bus-rated for 200A continuous. Includes undervoltage and overcurrent protection with local and remote status indication. Physical separation from other divisions per IEEE 384. Each division has dedicated panels for 120VAC vital bus and 125VDC loads. |
| Class 1E Power Supply Subsystem | 54D73858 | Safety-grade electrical power distribution for nuclear RPS. Four independent Class 1E power divisions corresponding to four protection channels. Each division has: 125VDC battery with 4-hour capacity, battery charger from Class 1E AC bus, DC-to-DC converters for logic power, and inverters for AC instrument power. Physical and electrical separation between divisions per IEEE 384. Automatic transfer to emergency diesel generator bus on loss of offsite power. Undervoltage and degraded voltage protection. Must maintain power to all safety channels during station blackout for minimum 4 hours. |
| Coincidence Logic Module | 50B73818 | 2-out-of-4 voting logic module in nuclear RPS Reactor Trip Subsystem. Receives binary trip outputs from all four bistable processors for each trip function. Implements coincidence voting: generates a trip output when 2 or more of 4 channels indicate trip for any single trip function. Automatically reconfigures to 2-out-of-3 when a channel bypass is active. Two independent trains (A and B) each contain a complete coincidence logic module. FPGA-based implementation with formal verification of voting logic correctness. Must complete coincidence evaluation within 50ms. |
| Communication and Display Subsystem | 54ED7859 | Human-machine interface and data communication system for nuclear RPS. Provides safety-grade displays in main control room showing trip status, channel values, bypass status, and alarm conditions. Safety parameter display system (SPDS) presents critical safety function status. One-way data link (fiber-optic isolation) from safety system to non-safety plant computer prevents feedback path. Alarm annunciator panels with first-out indication for trip diagnosis. Qualified flat-panel displays with Class 1E power. Must present trip information within 1 second of trip actuation. |
| Containment Environment Monitor | 54A53058 | Containment environment monitoring instrumentation within a nuclear reactor protection system. Measures containment atmosphere temperature (multiple elevations), containment pressure (wide-range 0-200 psig for severe accident monitoring and narrow-range 0-75 psig for ESF actuation), containment humidity, and containment area radiation levels. Containment pressure measurement is a direct ESF actuation input: high containment pressure initiates Safety Injection, Containment Isolation, and Containment Spray. Sensors and transmitters inside containment must be environmentally qualified per IEEE 323 to post-LOCA conditions (340°F, 60 psig, 1E8 rad TID). Hermetically sealed penetration assemblies connect to protection channel electronics outside containment. |
| Containment Hydrogen Monitor | 54853058 | Post-accident combustible gas monitoring system within a nuclear reactor protection system. Measures hydrogen concentration in containment atmosphere from 0 to 10% by volume using thermal conductivity detector cells. Critical for assessing deflagration/detonation risk following a LOCA with fuel damage (zirconium-water reaction produces hydrogen). Samples containment atmosphere through qualified tubing penetrations with particulate filters and moisture separators. Must distinguish hydrogen from steam in a post-LOCA atmosphere. Reg Guide 1.97 Type B Category 1 variable. Detector cells located outside containment with sample lines penetrating the containment boundary. |
| Core Exit Thermocouple Assembly | C6851058 | In-core thermocouple assembly providing direct measurement of reactor core exit coolant temperature for post-accident inadequate core cooling detection. Type K (chromel-alumel) thermocouples mounted at the top of selected fuel assemblies, extending through the reactor vessel head via Conax-type seal assemblies. Measures temperatures from 200°F (normal) to 2300°F (severe core damage indication). Typically 50-65 thermocouples distributed across the core, with at least 2 per core quadrant connected to safety-qualified displays. Reg Guide 1.97 Type A Category 1 variable — provides primary indication of approach to inadequate core cooling. Must withstand reactor vessel head temperature and pressure conditions. |
| Detector High Voltage Power Supply | D4C51018 | Precision high-voltage DC power supply providing detector bias voltage to ex-core neutron detectors in a PWR nuclear protection system. Supplies 300V to 1500V depending on detector type (proportional counters, compensated ion chambers, uncompensated ion chambers). Stability requirement of ±0.1% over 24 hours to maintain detector calibration accuracy. Each protection channel has independent HV supplies. Includes overvoltage protection, current limiting, and supply voltage monitoring with alarm on out-of-tolerance. Class 1E qualified, powered from the channel's dedicated vital bus. |
| Differential Pressure Flow Channel | 54B53858 | Differential pressure-based flow measurement channel within a nuclear reactor protection system. Measures reactor coolant system flow via RCS elbow tap differential pressure, feedwater flow via venturi tube DP, and main steam flow via flow nozzle DP. Uses high-accuracy DP transmitters (0.1% of calibrated span) with square-root extraction for flow computation. Four independent channels per measurement point. Safety function: RCS low-flow trip prevents departure from nucleate boiling during loss-of-flow events. Must discriminate between 2-loop and 3-loop flow configurations for setpoint adjustment. |
| Engineered Safety Features Actuation System | 51F77A51 | ESFAS for PWR nuclear plant. Monitors process parameters and initiates actuation of engineered safety features when setpoints are exceeded. Functions include: safety injection (high-head and low-head pumps), containment isolation (Phase A and Phase B), main steam line isolation, auxiliary feedwater actuation, containment spray. Uses 2-out-of-4 coincidence logic separate from but architecturally similar to reactor trip logic. Actuates motor-operated valves, pump breakers, and damper actuators via Class 1E power. Must complete actuation sequences within defined time limits per FSAR Chapter 15 accident analyses. |
| ESF Coincidence Logic Processor | 50F77018 | Digital logic processor implementing 2-out-of-4 coincidence voting for each Engineered Safety Feature function in a PWR nuclear protection system. Receives per-channel bistable trip/no-trip signals from process and nuclear instrumentation via optically isolated inputs. Evaluates voting logic for Safety Injection, Containment Isolation Phase A/B, Containment Spray, Steamline Isolation, Main Feedwater Isolation, and Auxiliary Feedwater Actuation. FPGA-based with no software to eliminate digital common-cause failure concerns. Output is per-train ESF actuation demands to the priority logic module. Must complete voting within 100ms. Quad-redundant across four protection channels. |
| ESF Component Interface Module | D4F57018 | Signal conditioning and relay output module interfacing ESFAS logic with field-mounted safety equipment in a PWR nuclear protection system. Converts digital actuation commands into relay contact closures driving motor-operated valves, pump contactors, and solenoid valves. Provides electrical isolation between protection logic and actuated equipment power circuits. Includes status feedback monitoring (valve position, pump running, breaker state). Located in Class 1E switchgear rooms. |
| Intermediate Range Detector Channel | 54E55010 | Compensated ion chamber neutron detection channel covering approximately 8 decades of neutron flux from the upper source range through the power range in a PWR nuclear protection system. Two redundant channels (IR-N35, IR-N36) using compensated ionisation chambers that subtract gamma-induced current to provide a neutron-only signal. Located in the reactor vessel ex-core detector wells. Provides logarithmic neutron flux and flux rate signals to the protection system for intermediate range high flux trip and rod withdrawal stop. Signal conditioning includes a wide-range logarithmic amplifier with a response time of less than 1 second per decade. |
| Intra-Division Communication Bus | 40E57258 | Deterministic communication bus providing data exchange between digital components within a single protection division. Connects bistable trip processors, coincidence logic modules, ESF coincidence logic processors, and diagnostic processors within one division. Uses time-division multiplexed serial protocol with fixed message schedules guaranteeing worst-case latency ≤10ms. Physically separate bus per division with no inter-division connections. Fiber optic medium for noise immunity. Error detection via CRC-32 with message retry on single-bit errors and channel trip on persistent communication failures. Qualified to IEEE 7-4.3.2. |
| Isolation Transfer Switch | D4B73058 | Class 1E automatic static transfer switch providing seamless changeover between vital bus inverter (preferred source) and regulated transformer alternate AC source on inverter failure. Transfer time less than 4ms to prevent disruption to protection system logic processors. Includes voltage and frequency sensing for automatic transfer and retransfer logic. Manual bypass capability for inverter maintenance. Qualified to IEEE 323/344 for seismic and environmental conditions. Provides continuous power availability to downstream protection loads during inverter maintenance or failure. |
| Level Measurement Channel | 54853050 | Differential pressure-based level measurement channel within a nuclear reactor protection system. Measures pressurizer level (for heater cutoff and SI actuation), steam generator narrow-range and wide-range level (for feedwater isolation and auxiliary feedwater actuation), and refueling water storage tank level (for switchover to containment sump recirculation). Uses temperature-compensated reference leg DP transmitters to correct for density changes in the reference column. Four independent channels per safety parameter. Must maintain accuracy under post-accident temperature/pressure conditions that cause reference leg flashing. |
| Logic Test Cabinet | D1E77018 | Automated test system for nuclear protection system coincidence logic and actuation logic. Injects simulated channel trip inputs to the coincidence logic modules and verifies correct train-level trip and ESF actuation outputs. Tests all 2-out-of-4 voting combinations for each trip function without requiring channel bypass. Includes test result recording, trending analysis for response time degradation, and automatic comparison against Technical Specification surveillance requirements. Interfaces with the Communication and Display Subsystem for remote initiation and result reporting. |
| Manual ESF Actuation Panel | C68D7858 | Hardwired operator interface panel in main control room providing manual initiation for all ESF functions in a PWR nuclear protection system. Dedicated switches for Safety Injection, Containment Isolation Phase A/B, Containment Spray, Steamline Isolation, and Auxiliary Feedwater. Two-switch design. Signals bypass digital logic and connect directly to priority logic via hardwired paths. Seismically qualified to IEEE 344. |
| Manual Trip Interface | C4895811 | Hardwired manual reactor trip capability in nuclear RPS. Direct pushbutton switches in main control room that bypass all automatic logic and directly de-energize the reactor trip breaker undervoltage coils. Two independent manual trip switches (one per train) with additional diverse manual trip via separate actuation mechanism. Wired directly to breaker trip coils with minimum intervening components. Response time from switch actuation to breaker opening less than 200ms. Must function independently of any digital system, processor, or software. |
| NIS Signal Conditioning Electronics | D4E51018 | Analog and digital signal conditioning electronics processing raw detector currents from source, intermediate, and power range neutron detectors in a PWR nuclear protection system. Includes preamplifiers located near the detector wells (within containment for some channels), linear and logarithmic amplifiers, compensating voltage power supplies for compensated ion chambers, high-voltage detector bias supplies (typically 300-1500V), and digital processing modules for trip setpoint comparison. Each protection channel has independent signal conditioning with no shared components. Operates in a mild environment (control room electronics) except for preamplifiers which must be qualified for containment conditions. |
| Nuclear Instrumentation Subsystem | 54F57019 | Neutron flux monitoring system for PWR reactor protection. Comprises source-range, intermediate-range, and power-range detector channels in quadruple redundancy. Source range uses BF3 or fission chambers for 1E-1 to 1E5 counts/sec. Intermediate range uses compensated ion chambers for 1E-6 to 200 percent power. Power range uses uncompensated ion chambers with upper/lower sections for axial flux difference. Provides analog and digital flux signals to reactor trip logic. Must detect flux doubling within 200ms. |
| Nuclear Reactor Protection System | 55B77859 | Safety-critical instrumentation and control system (IEC 61513 Safety Category A, SIL 4) for pressurized water reactor nuclear power plants. Continuously monitors neutron flux, reactor coolant temperature, pressure, and flow parameters via quadruple-redundant sensor channels. Executes automatic reactor trip (SCRAM) and engineered safety feature actuation (ESFAS) when process variables exceed predetermined setpoints. Employs 2-out-of-4 coincidence voting logic to balance reliability against spurious trip avoidance. Must achieve probability of failure on demand <1E-5 per demand. Interfaces with reactor control system, plant process computer, main control room, and emergency diesel generators. Subject to NRC 10 CFR 50.55a, IEEE 603, and IEC 61513 regulatory framework. |
| Post-Accident Monitoring Subsystem | 54E57858 | Reg Guide 1.97 post-accident monitoring instrumentation for PWR. Provides qualified indication of critical plant parameters during and after design-basis accidents. Category 1 variables: containment pressure (0-150 psig), containment radiation (1E1 to 1E8 R/hr), reactor vessel level, containment hydrogen concentration, and reactor coolant system subcooling margin. Dual-redundant qualified displays in main control room with battery-backed power. Instruments qualified for post-LOCA containment environment including radiation, temperature, pressure, humidity, and chemical spray. |
| Power Range Detector Channel | 44C51010 | Uncompensated ion chamber neutron detection channel operating from approximately 1% to 120% rated thermal power in a PWR nuclear protection system. Four redundant channels (PR-N41 through PR-N44) using dual-section uncompensated ionisation chambers providing both upper and lower detector currents for axial flux difference measurement. Located in four symmetrically placed ex-core detector wells at 90-degree intervals around the reactor vessel. Provides linear neutron flux, axial flux difference (delta-I), and overtemperature/overpower delta-T protection inputs. Each detector assembly contains two axially stacked ion chambers for top/bottom flux measurement. |
| Pressure Transmitter Channel | 54D57018 | Capacitance-cell pressure transmitter channel within a nuclear reactor protection system. Measures pressurizer pressure, reactor coolant system pressure, containment pressure, and steam generator pressure. Uses variable-capacitance sensing cells with silicon oil fill fluid, providing 0.25% span accuracy. Operates in ranges from 0-75 psig (containment) to 0-2500 psig (RCS). Each transmitter provides 4-20mA output to protection system bistable processors. Safety function: pressurizer low-pressure trip, containment high-pressure SI actuation. Must withstand seismic (0.3g SSE) and post-LOCA environment for containment transmitters. |
| Process Instrumentation Subsystem | 54E57218 | Reactor coolant system process variable monitoring for PWR protection. Four redundant measurement channels for: RCS hot/cold leg temperature (RTDs, 0-700F), pressurizer pressure (0-2500 psig), RCS flow (differential pressure across elbow taps), pressurizer level, steam generator level and pressure. Provides conditioned analog signals and digital trip outputs to reactor trip and ESFAS logic. Signal conditioning includes range checking, rate limiting, and cross-channel comparison. |
| Process Signal Conditioning Module | 54F57018 | Analog signal conditioning module within a nuclear reactor protection system's process instrumentation subsystem. Receives raw 4-wire RTD resistance, 4-20mA transmitter outputs, and thermocouple millivolt signals. Performs amplification, linearisation (RTD Callendar-Van Dusen, thermocouple polynomial), filtering (2Hz low-pass for noise rejection while maintaining <500ms step response), and range checking. Outputs calibrated 4-20mA signals to bistable trip processors. Each module serves one protection channel and is physically isolated from other channels. Includes built-in test injection points for channel calibration verification without removing the module from service. |
| Qualified Safety Display Panel | D6CD5058 | Seismically and environmentally qualified display panel in the main control room providing post-accident monitoring indication to operators. Displays all Reg Guide 1.97 Category 1 variables: reactor vessel level, core exit temperature, containment pressure (wide-range), containment hydrogen concentration, containment radiation, RCS pressure (wide-range), and SG water level (wide-range). Uses dedicated, isolated display channels independent from the plant process computer. Displays are qualified to operate during and after an SSE. Includes recording capability for key parameters. Located in the control room with backup displays in the remote shutdown facility. Must remain readable under emergency lighting conditions. |
| Reactor Trip Breaker | D6951018 | High-reliability electromechanical circuit breaker in the reactor trip actuation path. Two series-connected breakers per train (Train A and Train B), four breakers total. When de-energized (tripped), interrupt power supply to control rod drive mechanism power cabinets, causing all control rods to drop into the reactor core by gravity. Breaker opening time less than 100ms from de-energization of trip coil. Shunt trip coils for automatic trip and undervoltage trip coils for fail-safe operation. Each breaker rated for 480VAC, 1600A continuous with 65kA interrupting capacity. |
| Reactor Trip Subsystem | 50B77A10 | Core safety logic for PWR reactor protection. Receives trip signals from nuclear and process instrumentation channels. Implements 2-out-of-4 coincidence voting logic per trip function using solid-state or FPGA-based logic modules. Drives reactor trip breakers (two series breakers per train, two trains) to de-energize control rod drive mechanisms. Supports manual trip from main control room. Provides channel bypass capability for maintenance with automatic reduction to 2/3 voting. Trip response time from sensor to breaker opening less than 2 seconds for all trip functions. |
| Reactor Vessel Level Indication System | 54F57058 | Heated junction thermocouple-based reactor vessel water level measurement system for post-accident monitoring. Uses the differential temperature between heated and unheated thermocouple junctions at multiple elevations in the reactor vessel head to determine whether the junction is submerged (liquid) or uncovered (steam/gas). Provides indication of reactor vessel water level from bottom of hot leg to top of vessel head during post-LOCA conditions when normal pressurizer level is meaningless. Reg Guide 1.97 Type A Category 1 variable for inadequate core cooling monitoring. Must function during natural circulation and two-phase conditions with system depressurized. |
| Response Time Test Equipment | 54A53218 | Precision timing measurement system for verifying nuclear protection system channel response times from sensor input to final actuator output. Uses noise analysis technique (LCSR - Loop Current Step Response for RTDs, TDR for pressure transmitters) for non-intrusive sensor response time measurement, combined with electronic signal path timing from bistable to trip breaker. Provides response time data for comparison against Technical Specification limits (e.g., 2 seconds total channel response for reactor trip). Measurement uncertainty ≤50ms at 95% confidence. Used during refuelling outages and after channel maintenance. |
| RTD Temperature Measurement Channel | 54853051 | Platinum resistance temperature detector (RTD) measurement channel within a nuclear reactor protection system. Measures reactor coolant system temperatures including hot leg (Thot), cold leg (Tcold), and derived parameters (Tavg, ΔT). Uses 4-wire platinum RTDs (Callendar-Van Dusen calibration) with Wheatstone bridge excitation, providing 0.1°C resolution over 50-400°C range. Four independent channels per parameter feed quadruple-redundant bistable trip processors. Safety-critical: under-measurement of Thot could prevent overtemperature trip actuation. |
| Safety Data Gateway | 50C57058 | One-way qualified data communication gateway providing isolation between Class 1E protection system data and non-safety plant computer systems. Hardware-enforced unidirectional data flow using optical isolation and qualified fiber optic transmitters with no receive capability on the safety side. Transmits protection system status, channel values, trip status, and test results to the plant process computer for archiving, trending, and non-safety displays. Data rate 10 Mbps per division. Each protection division has its own independent gateway with no cross-division data paths. Qualified to IEEE 7-4.3.2 for digital safety system communication. |
| Safety Parameter Display System | 54CD7858 | Qualified display system providing plant operators with safety-critical parameter indications in the main control room. Displays reactor power, RCS temperatures and pressures, containment conditions, core exit temperatures, and safety system status on dedicated qualified flat-panel monitors. Receives data via one-way qualified data links from each protection division. Meets RG 1.97 Category 1 display requirements for post-accident monitoring variables. Seismically qualified to IEEE 344, environmentally qualified to IEEE 323 for control room conditions. Provides audible and visual alarms for parameters exceeding Technical Specification limits. |
| Sequential Events Controller | 50B73A58 | Programmable logic controller managing time-sequenced loading of safety-related electrical loads onto emergency diesel generator buses following a loss-of-offsite-power concurrent with a safety injection signal in a PWR nuclear protection system. Implements load-shedding and load-sequencing program with 5-second interval steps. Manages loads for ECCS, Containment Spray, CCW, and Service Water pumps. Must complete full sequence within 60 seconds. Two independent trains. |
| Source Range Detector Channel | 54F75211 | Fission chamber-based neutron detection channel covering 6 decades of neutron flux from shutdown to approximately 1E-4% rated thermal power in a PWR nuclear protection system. Two redundant channels (SR-N31, SR-N32) using BF3 or B-10 lined proportional counters located in the reactor vessel biological shield. Provides count rate and count rate increase (startup rate) to the protection system for source range high flux trip and minimum count rate alarm. Operates in pulse counting mode at low flux and transitions to mean-square voltage (Campbell) mode as count rate increases. Detector assemblies are in-core, non-replaceable during operation. |
| Station Battery Bank | D6D51058 | Class 1E 125VDC lead-acid battery bank providing 4-hour uninterruptible DC power to one protection division. Sized for design basis accident concurrent with loss of all AC power sources. 60 cells in series, capacity 1500Ah minimum at 8-hour rate. Float-charged by battery charger during normal operation. Provides power to vital bus inverters, DC-powered trip breaker undervoltage coils, and Class 1E DC control circuits. Each of 4 divisions has independent battery bank with no cross-connections. Qualified to IEEE 535 for seismic and environmental conditions. |
| Subgroup Relay Cabinet | D6A51018 | Electromechanical relay cabinet grouping related ESF actuations into testable subgroups within a PWR nuclear protection system. Each subgroup contains relays for functionally related ESF equipment (e.g., all high-head SI valves). Enables online testing of individual actuation paths without actuating complete ESF function. Contains input relays from priority logic and output relays to component interface modules. Two trains with separate cabinets per train, seismically mounted. |
| Test and Surveillance Subsystem | 51A53959 | Online testing and calibration system for nuclear RPS. Provides overlap testing capability to verify complete trip actuation path from sensor input through logic to final actuator without requiring plant trip. Includes: automatic surveillance test sequencers, response time testing interfaces, channel calibration injection points, and tech spec compliance tracking. Supports testing at power with one channel in bypass (2/3 voting maintained). Records all test results for regulatory audit. Must not introduce common-cause failure mechanisms into the protection channels being tested. |
| Trip Breaker Test Circuit | 54A43818 | Dedicated test circuit for periodic testing of reactor trip breakers without causing an actual reactor trip. Provides shunt trip coil energisation to verify breaker opening mechanism while the redundant breaker in series maintains reactor trip circuit continuity. Includes breaker position monitoring, trip time measurement (specified ≤150ms from coil energisation to contact separation), and undervoltage trip device testing. Supports both manual and automated test initiation. Hardwired interlock prevents simultaneous testing of both series trip breakers in same trip path. |
| Vital Bus Inverter | D4E73018 | Static inverter converting 125VDC battery power to 120VAC 60Hz regulated vital bus power for protection system instrument channels. Each division has dedicated inverters with automatic transfer to a regulated transformer alternate supply on inverter failure. Output regulation ±2% voltage, ±0.5% frequency. Qualified to IEEE 323/344 for seismic and environmental conditions. Provides uninterruptible power to bistable processors, coincidence logic, and safety displays during loss of offsite power and diesel generator start sequence. |
| Wide-Range Containment Pressure Monitor | D4853858 | Post-accident containment pressure monitoring instrument within a nuclear reactor protection system. Measures containment pressure from -5 psig (vacuum) to 200 psig, covering both normal operation and severe accident overpressure scenarios. Uses qualified capacitance-cell transmitters with hermetic seals rated for post-LOCA conditions. This is a Reg Guide 1.97 Type A Category 1 variable — required for operator decisions on containment integrity and venting. Must survive and function accurately during 1E8 rad TID, 340°F, 60 psig LOCA conditions for minimum 30 days. Redundancy: 2 channels minimum per Reg Guide 1.97. |
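
The Reactor Trip Subsystem and Test and Surveillance Subsystem rows above describe 2-out-of-4 coincidence voting that drops to 2-out-of-3 with one channel in bypass, and the Intra-Division Communication Bus row says a channel trips on persistent communication failure. The block below is an added example written for this description, not logic from the plant, the document's authors or any vendor; the `chan_state_t` names, the `VOTE_INVALID` result and the one-bypass limit (`MAX_BYPASSED`) are assumptions chosen to make the described behaviour concrete.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the plant's or any vendor's logic): the 2-out-of-4
 * coincidence vote described for the Reactor Trip Subsystem, with a bypassed
 * channel dropped from the vote (2-out-of-3) and a channel whose bus link has
 * persistently failed forced to the trip state, as the bus description says.
 * Enum names, the one-bypass limit and VOTE_INVALID are assumptions. */

typedef enum {
    CH_NO_TRIP  = 0,  /* bistable reports parameter below setpoint */
    CH_TRIP     = 1,  /* bistable reports parameter at/above setpoint */
    CH_BYPASSED = 2,  /* channel in maintenance bypass: removed from the vote */
    CH_FAILED   = 3   /* persistent communication failure: treated as a trip */
} chan_state_t;

typedef enum { VOTE_NO_TRIP = 0, VOTE_TRIP = 1, VOTE_INVALID = 2 } vote_result_t;

#define NUM_CHANNELS    4
#define TRIP_THRESHOLD  2   /* "2 or more of 4" channel trips */
#define MAX_BYPASSED    1   /* assumed: at most one channel in bypass at power */

/* Train-level vote over the four channel states of one trip function. */
vote_result_t coincidence_vote(const chan_state_t ch[NUM_CHANNELS])
{
    int tripped = 0, bypassed = 0;
    for (size_t i = 0; i < NUM_CHANNELS; i++) {
        switch (ch[i]) {
        case CH_TRIP:     tripped++;  break;
        case CH_FAILED:   tripped++;  break;  /* fail-safe: a dead channel votes trip */
        case CH_BYPASSED: bypassed++; break;  /* not counted either way */
        case CH_NO_TRIP:  break;
        default:          return VOTE_INVALID; /* corrupted state word */
        }
    }
    /* A second bypass would turn the vote into 2-out-of-2; the bypass interlock
     * should have refused it, so the logic reports an invalid configuration. */
    if (bypassed > MAX_BYPASSED)
        return VOTE_INVALID;
    /* Threshold stays at 2: with one channel bypassed this is 2-out-of-3. */
    return tripped >= TRIP_THRESHOLD ? VOTE_TRIP : VOTE_NO_TRIP;
}

/* Convenience wrapper so each case can be written on one line. */
vote_result_t vote4(chan_state_t a, chan_state_t b, chan_state_t c, chan_state_t d)
{
    chan_state_t ch[NUM_CHANNELS] = { a, b, c, d };
    return coincidence_vote(ch);
}

int main(void)
{
    printf("two trips:            %d\n", vote4(CH_TRIP, CH_TRIP, CH_NO_TRIP, CH_NO_TRIP));
    printf("one trip, one bypass: %d\n", vote4(CH_TRIP, CH_BYPASSED, CH_NO_TRIP, CH_NO_TRIP));
    printf("one trip, one failed: %d\n", vote4(CH_TRIP, CH_FAILED, CH_NO_TRIP, CH_NO_TRIP));
    return 0;
}
```

Keeping the trip threshold fixed at 2 while removing a bypassed channel from the count is what makes the degraded mode 2-out-of-3 rather than loosening it to 1-out-of-3; the failed-channel case shows why a dead channel must be forced to the trip state rather than silently dropped, since otherwise a second bypass plus one failure could leave no way to reach the threshold. The `VOTE_INVALID` result is a reviewer's check, not a plant design: a real bypass interlock would refuse the second bypass at the request stage.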
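
The Intra-Division Communication Bus row describes CRC-32 error detection with message retry on a corrupted message and a channel trip once the failure persists. The following is an added example written for this description, not the bus's actual protocol or any project code; the frame layout (slot id, sequence number, length, payload, little-endian CRC), the field names and the `MAX_RETRIES` limit are assumptions. It retries on any CRC mismatch rather than trying to classify the error as single-bit, since a CRC alone cannot tell a single flipped bit from a longer burst.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not the bus's real protocol): a framed message with CRC-32,
 * a receiver that asks for a retry on a corrupted frame, and a latched channel
 * trip once errors persist, as the Intra-Division Communication Bus entry
 * describes. Frame layout, field names and MAX_RETRIES are assumptions. */
#define CRC32_POLY 0xEDB88320u   /* reflected IEEE 802.3 / zlib polynomial */

/* Bitwise CRC-32 (IEEE): init 0xFFFFFFFF, final XOR 0xFFFFFFFF. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (CRC32_POLY & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

#define FRAME_HDR         3   /* slot id, sequence number, payload length */
#define FRAME_MAX_PAYLOAD 8
#define FRAME_CRC         4
#define FRAME_MAX         (FRAME_HDR + FRAME_MAX_PAYLOAD + FRAME_CRC)

/* Serialise header + payload and append CRC-32 (little-endian); returns frame size. */
size_t frame_build(uint8_t *out, uint8_t slot, uint8_t seq,
                   const uint8_t *payload, uint8_t len)
{
    if (len > FRAME_MAX_PAYLOAD) return 0;
    out[0] = slot; out[1] = seq; out[2] = len;
    memcpy(out + FRAME_HDR, payload, len);
    uint32_t crc = crc32_ieee(out, FRAME_HDR + len);
    for (int i = 0; i < FRAME_CRC; i++)
        out[FRAME_HDR + len + i] = (uint8_t)(crc >> (8 * i));
    return (size_t)FRAME_HDR + len + FRAME_CRC;
}

/* Accept only a frame whose declared length matches and whose CRC checks. */
bool frame_verify(const uint8_t *f, size_t n)
{
    if (n < FRAME_HDR + FRAME_CRC) return false;
    uint8_t len = f[2];
    if (len > FRAME_MAX_PAYLOAD || n != (size_t)FRAME_HDR + len + FRAME_CRC) return false;
    uint32_t got = 0;
    for (int i = 0; i < FRAME_CRC; i++)
        got |= (uint32_t)f[FRAME_HDR + len + i] << (8 * i);
    return got == crc32_ieee(f, FRAME_HDR + len);
}

#define MAX_RETRIES 3   /* assumed: consecutive bad frames tolerated before trip */
typedef enum { RX_ACCEPT = 0, RX_RETRY = 1, RX_TRIP = 2 } rx_action_t;
typedef struct {
    unsigned consecutive_errors;  /* reset by any good frame */
    bool     channel_tripped;     /* latched; cleared only by a maintenance reset */
} rx_state_t;

/* Receiver decision for one frame under the retry-then-trip policy. */
rx_action_t bus_receive(rx_state_t *s, const uint8_t *frame, size_t n)
{
    if (s->channel_tripped) return RX_TRIP;
    if (frame_verify(frame, n)) { s->consecutive_errors = 0; return RX_ACCEPT; }
    if (++s->consecutive_errors >= MAX_RETRIES) { s->channel_tripped = true; return RX_TRIP; }
    return RX_RETRY;
}

/* Constructed scenario: an intact frame, then the same frame with one flipped
 * payload bit delivered repeatedly. Returns how many corrupted frames arrive
 * before the channel trip latches, or -1 if the intact frame was rejected. */
int corrupted_frames_until_trip(void)
{
    static const uint8_t payload[2] = { 0x01, 0x00 };  /* constructed sample */
    uint8_t frame[FRAME_MAX];
    size_t n = frame_build(frame, 0x31, 7, payload, sizeof payload);
    rx_state_t s = { 0, false };
    if (bus_receive(&s, frame, n) != RX_ACCEPT) return -1;
    frame[FRAME_HDR] ^= 0x01;   /* single-bit error in the payload */
    for (int count = 1; count <= 100; count++)
        if (bus_receive(&s, frame, n) == RX_TRIP) return count;
    return -1;
}

/* Constructed check: one bad frame followed by a good one clears the error count. */
bool single_error_recovers(void)
{
    static const uint8_t payload[3] = { 0xAA, 0x55, 0x0F };  /* constructed sample */
    uint8_t good[FRAME_MAX], bad[FRAME_MAX];
    size_t n = frame_build(good, 0x32, 1, payload, sizeof payload);
    memcpy(bad, good, n);
    bad[n - 1] ^= 0x80;  /* corrupt the CRC field itself */
    rx_state_t s = { 0, false };
    return bus_receive(&s, bad, n) == RX_RETRY && bus_receive(&s, good, n) == RX_ACCEPT
        && s.consecutive_errors == 0 && !s.channel_tripped;
}
```

The two points worth checking against the row's wording are that the error counter is reset by any good frame (so a single transient hit costs one retry slot in the fixed message schedule and nothing more) and that the trip is latched once the limit is reached, so a transmitter that alternates good and bad frames after a persistent failure cannot silently re-enable the channel.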

| Component | Belongs To |
|---|---|
| Nuclear Instrumentation Subsystem | Nuclear Reactor Protection System |
| Process Instrumentation Subsystem | Nuclear Reactor Protection System |
| Reactor Trip Subsystem | Nuclear Reactor Protection System |
| Engineered Safety Features Actuation System | Nuclear Reactor Protection System |
| Post-Accident Monitoring Subsystem | Nuclear Reactor Protection System |
| Communication and Display Subsystem | Nuclear Reactor Protection System |
| Class 1E Power Supply Subsystem | Nuclear Reactor Protection System |
| Test and Surveillance Subsystem | Nuclear Reactor Protection System |
| Bistable Trip Processor | Reactor Trip Subsystem |
| Coincidence Logic Module | Reactor Trip Subsystem |
| Reactor Trip Breaker | Reactor Trip Subsystem |
| Manual Trip Interface | Reactor Trip Subsystem |
| Channel Bypass Logic | Reactor Trip Subsystem |
| ESF Coincidence Logic Processor | Engineered Safety Features Actuation System |
| Actuation Priority Logic Module | Engineered Safety Features Actuation System |
| Sequential Events Controller | Engineered Safety Features Actuation System |
| Manual ESF Actuation Panel | Engineered Safety Features Actuation System |
| ESF Component Interface Module | Engineered Safety Features Actuation System |
| Subgroup Relay Cabinet | Engineered Safety Features Actuation System |
| Source Range Detector Channel | Nuclear Instrumentation Subsystem |
| Intermediate Range Detector Channel | Nuclear Instrumentation Subsystem |
| Power Range Detector Channel | Nuclear Instrumentation Subsystem |
| NIS Signal Conditioning Electronics | Nuclear Instrumentation Subsystem |
| Detector High Voltage Power Supply | Nuclear Instrumentation Subsystem |
| RTD Temperature Measurement Channel | Process Instrumentation Subsystem |
| Pressure Transmitter Channel | Process Instrumentation Subsystem |
| Differential Pressure Flow Channel | Process Instrumentation Subsystem |
| Level Measurement Channel | Process Instrumentation Subsystem |
| Process Signal Conditioning Module | Process Instrumentation Subsystem |
| Containment Environment Monitor | Process Instrumentation Subsystem |
| Wide-Range Containment Pressure Monitor | Post-Accident Monitoring Subsystem |
| Containment Hydrogen Monitor | Post-Accident Monitoring Subsystem |
| Core Exit Thermocouple Assembly | Post-Accident Monitoring Subsystem |
| Reactor Vessel Level Indication System | Post-Accident Monitoring Subsystem |
| Qualified Safety Display Panel | Post-Accident Monitoring Subsystem |
| Vital Bus Inverter | Class 1E Power Supply Subsystem |
| Station Battery Bank | Class 1E Power Supply Subsystem |
| Battery Charger | Class 1E Power Supply Subsystem |
| Class 1E Distribution Panel | Class 1E Power Supply Subsystem |
| Isolation Transfer Switch | Class 1E Power Supply Subsystem |
| Analog Channel Test Module | Test and Surveillance Subsystem |
| Logic Test Cabinet | Test and Surveillance Subsystem |
| Response Time Test Equipment | Test and Surveillance Subsystem |
| Trip Breaker Test Circuit | Test and Surveillance Subsystem |
| Safety Parameter Display System | Communication and Display Subsystem |
| Safety Data Gateway | Communication and Display Subsystem |
| Alarm and Status Annunciator | Communication and Display Subsystem |
| Intra-Division Communication Bus | Communication and Display Subsystem |

| From | To |
|---|---|
| Bistable Trip Processor | Coincidence Logic Module |
| Coincidence Logic Module | Reactor Trip Breaker |
| Manual Trip Interface | Reactor Trip Breaker |
| Channel Bypass Logic | Coincidence Logic Module |
| ESF Coincidence Logic Processor | Actuation Priority Logic Module |
| Manual ESF Actuation Panel | Actuation Priority Logic Module |
| Actuation Priority Logic Module | Subgroup Relay Cabinet |
| Subgroup Relay Cabinet | ESF Component Interface Module |
| Sequential Events Controller | ESF Component Interface Module |
| Process Instrumentation Subsystem | ESF Coincidence Logic Processor |
| Nuclear Instrumentation Subsystem | ESF Coincidence Logic Processor |
| Source Range Detector Channel | NIS Signal Conditioning Electronics |
| Intermediate Range Detector Channel | NIS Signal Conditioning Electronics |
| Power Range Detector Channel | NIS Signal Conditioning Electronics |
| Detector High Voltage Power Supply | Source Range Detector Channel |
| Detector High Voltage Power Supply | Intermediate Range Detector Channel |
| Detector High Voltage Power Supply | Power Range Detector Channel |
| NIS Signal Conditioning Electronics | Bistable Trip Processor |
| RTD Temperature Measurement Channel | Process Signal Conditioning Module |
| Pressure Transmitter Channel | Process Signal Conditioning Module |
| Differential Pressure Flow Channel | Process Signal Conditioning Module |
| Level Measurement Channel | Process Signal Conditioning Module |
| Containment Environment Monitor | Process Signal Conditioning Module |
| Process Signal Conditioning Module | Bistable Trip Processor |
| Process Signal Conditioning Module | ESF Coincidence Logic Processor |
| Wide-Range Containment Pressure Monitor | Qualified Safety Display Panel |
| Containment Hydrogen Monitor | Qualified Safety Display Panel |
| Core Exit Thermocouple Assembly | Qualified Safety Display Panel |
| Reactor Vessel Level Indication System | Qualified Safety Display Panel |
| Qualified Safety Display Panel | Communication and Display Subsystem |
| Wide-Range Containment Pressure Monitor | Containment Environment Monitor |
| Station Battery Bank | Vital Bus Inverter |
| Battery Charger | Station Battery Bank |
| Vital Bus Inverter | Isolation Transfer Switch |
| Isolation Transfer Switch | Class 1E Distribution Panel |
| Class 1E Distribution Panel | Bistable Trip Processor |
| Class 1E Distribution Panel | ESF Coincidence Logic Processor |
| Class 1E Distribution Panel | Qualified Safety Display Panel |
| Analog Channel Test Module | Bistable Trip Processor |
| Analog Channel Test Module | Process Signal Conditioning Module |
| Logic Test Cabinet | Coincidence Logic Module |
| Logic Test Cabinet | ESF Coincidence Logic Processor |
| Response Time Test Equipment | Analog Channel Test Module |
| Trip Breaker Test Circuit | Reactor Trip Breaker |
| Safety Parameter Display System | Qualified Safety Display Panel |
| Safety Data Gateway | Intra-Division Communication Bus |
| Intra-Division Communication Bus | Bistable Trip Processor |
| Intra-Division Communication Bus | Coincidence Logic Module |
| Intra-Division Communication Bus | ESF Coincidence Logic Processor |
| Alarm and Status Annunciator | Reactor Trip Breaker |
| Alarm and Status Annunciator | Coincidence Logic Module |

| Component | Output |
|---|---|
| Bistable Trip Processor | Per-channel trip/no-trip binary outputs |
| Coincidence Logic Module | Train-level trip actuation signal |
| Reactor Trip Breaker | CRDM power interruption |
| ESF Coincidence Logic Processor | Per-function ESF actuation demand signals |
| Actuation Priority Logic Module | Prioritised actuation/block commands to subgroup relays |
| Sequential Events Controller | Time-sequenced load connection commands to safety bus breakers |
| ESF Component Interface Module | Relay contact closures to safety equipment actuators |
| Source Range Detector Channel | Neutron count rate and startup rate signals |
| Intermediate Range Detector Channel | Logarithmic neutron flux and flux rate signals |
| Power Range Detector Channel | Linear neutron flux and axial flux difference signals |
| NIS Signal Conditioning Electronics | Conditioned analog and digital flux signals to bistable processors |
| Detector High Voltage Power Supply | Regulated HV bias for neutron detectors |
| RTD Temperature Measurement Channel | 4-20mA signals proportional to reactor coolant temperatures (Thot, Tcold, Tavg, delta-T) |
| Pressure Transmitter Channel | 4-20mA signals proportional to pressurizer, RCS, containment, and SG pressures |
| Differential Pressure Flow Channel | 4-20mA signals proportional to RCS loop flow, feedwater flow, and steam flow |
| Level Measurement Channel | 4-20mA signals proportional to pressurizer level, SG level, and RWST level |
| Process Signal Conditioning Module | Calibrated and linearised 4-20mA analog signals to bistable trip processors |
| Containment Environment Monitor | Containment pressure, temperature, humidity, and radiation level signals |
| Wide-Range Containment Pressure Monitor | Containment pressure indication 0-200 psig for operator assessment |
| Containment Hydrogen Monitor | Containment hydrogen concentration 0-10% by volume |
| Core Exit Thermocouple Assembly | Core exit coolant temperatures for inadequate core cooling assessment |
| Reactor Vessel Level Indication System | Reactor vessel water level from hot leg to vessel head |
| Qualified Safety Display Panel | Visual indication of all RG 1.97 Category 1 variables to operators |
| Vital Bus Inverter | 120VAC 60Hz regulated vital bus power from 125VDC battery source |
| Station Battery Bank | 125VDC uninterruptible power for 4-hour design basis duration |
| Battery Charger | Regulated 140VDC float charge and equalise charge to battery bank |
| Class 1E Distribution Panel | Protected branch circuit power to individual protection system loads |
| Isolation Transfer Switch | Uninterrupted 120VAC vital bus power via automatic source transfer |
| Analog Channel Test Module | Precision test signals injected into instrument channels with automated pass/fail results |
| Logic Test Cabinet | Automated test results for all coincidence logic voting combinations |
| Response Time Test Equipment | Measured channel response times for comparison against Technical Specification limits |
| Trip Breaker Test Circuit | Verified trip breaker operability including opening time measurement |
| Safety Parameter Display System | Qualified visual display of RG 1.97 Category 1 safety parameters for operator assessment |
| Safety Data Gateway | One-way data stream of protection system status to non-safety plant computer |
| Alarm and Status Annunciator | Hardwired visual and audible alarms for safety system status and first-out trip indication |
| Intra-Division Communication Bus | Deterministic intra-division data exchange with guaranteed ≤10ms worst-case latency |