Nuclear Reactor Protection System

Rationale: Nuclear safety systems must comply with governing regulatory framework (10 CFR 50.55a, IEEE 603, IEC 61513) as a condition of NRC licensing. Non-compliance prevents plant operation and may void safety analysis basis.

Rationale: Primary safety function of the RPS: prevent core damage, pressure boundary failure, and containment breach during design-basis events. Automatic initiation required because operator response times (minutes) exceed the timeline of fast transients like rod ejection or large-break LOCA (seconds).

Rationale: PFD targets of 1E-5 (trip) and 1E-4 (ESF) derive from NRC regulatory expectations for safety system reliability consistent with Core Damage Frequency goals of 1E-4/reactor-year. Lower PFD for trip reflects its role as primary protection barrier.

Rationale: Spurious trips cause thermal cycling stress on reactor components, economic losses (~$1M per event for a PWR), and potential for operator error during unnecessary transients. One per year is industry good practice per EPRI guidelines, balancing safety margin against availability.

Rationale: Technical Specifications require periodic surveillance testing (typically 92-day intervals per NUREG-1431). Testing must be possible at power because refueling outage frequency (18-24 months) far exceeds required test intervals. Degrading safety capability during testing would violate single-failure criterion.

Rationale: RG 1.97 post-accident monitoring is required by 10 CFR 50.34(f)(2)(xix). Operators must assess plant state during accidents to select emergency operating procedures and determine need for protective actions. Without qualified indications, operators cannot verify automatic safety system response or take manual corrective action.

Rationale: Independence from non-safety systems is a fundamental principle of IEEE 603 Clause 5.6 and NRC GDC 24. Common-cause failure between safety and non-safety systems was a contributing factor in multiple nuclear incidents. Any coupling creates a path for non-safety system faults to disable protection.

Rationale: Environmental and seismic qualification ensures the RPS functions during the very conditions it must protect against. IEEE 323 (environmental) and IEEE 344 (seismic) qualification programs provide evidence that equipment will perform under LOCA, MSLB, and SSE conditions. Without qualification, safety analyses have no basis.

Rationale: 2.0-second trip response time is derived from FSAR Chapter 15 accident analysis assumptions. Faster-developing transients (e.g., rod ejection, large-break LOCA) assume protection system response within this budget. Exceeding 2.0s invalidates the safety analysis and may result in fuel damage before protective action completes.

Rationale: 2-out-of-4 voting provides the optimum balance: tolerates one channel failure or bypass without losing protective capability, while requiring agreement of two independent channels to prevent spurious trips. Auto-reduction to 2-out-of-3 during maintenance preserves single-failure tolerance per IEEE 603.

Rationale: Four-channel independence satisfies IEEE 603 Clause 5.6 and NRC GDC 21/22. Physical separation prevents fire, flood, or missile from disabling multiple channels. Electrical isolation prevents fault propagation. No shared components ensures a single failure affects only one channel, preserving 2-out-of-4 voting integrity.

Rationale: Fail-safe design is a fundamental nuclear safety principle per IEEE 603 Clause 5.2. Loss of power or component failure must produce a trip signal (safe state) rather than masking a trip condition. This ensures that equipment degradation moves the system toward reactor shutdown, not away from it.

Rationale: 2.0-second ESF actuation initiation time is derived from FSAR Chapter 15 safety analyses for LOCA and MSLB. Sequential valve and pump starts must complete within the analysis timeline to ensure emergency core cooling and containment isolation functions are met. Failure to meet timing assumptions may result in exceeding 10 CFR 50.46 acceptance criteria.

Rationale: 0.3g horizontal / 0.2g vertical PGA envelope the site-specific SSE per 10 CFR 100 Appendix A. IEEE 344 qualification by shake-table testing or analysis demonstrates structural integrity and functional capability. If protection equipment fails during an earthquake, seismic-induced transients cannot be mitigated.

Rationale: One-way isolation satisfies NRC GDC 24 and IEEE 603 Clause 5.6.3. Hardware-enforced unidirectionality prevents cyber attack vectors and fault propagation from non-safety systems. Software-only isolation is insufficient per NRC ISG-04; physical absence of receive capability on the safety side eliminates the attack surface.

Rationale: Overlap testing per IEEE 338 ensures complete coverage from sensor to actuator with no untested gaps. One-channel-at-a-time bypass limit preserves 2-out-of-3 voting during test, maintaining Technical Specification minimum operable channels. Without overlap coverage, hidden failures in the signal path could accumulate undetected.

Rationale: RG 1.97 Category 1 variables require qualified, redundant, continuously-available displays for post-accident operator decision-making. 4-hour battery capacity ensures display availability during station blackout (SBO) scenarios per 10 CFR 50.63, which assumes loss of all AC power. Dual redundancy ensures single display failure does not blind operators.

Rationale: 340°F, 60 psig, and 1E8 rad envelope the worst-case post-LOCA containment conditions for a large dry PWR containment per FSAR Chapter 6 analysis. 30-day operability covers the period to cold shutdown and accident assessment. IEEE 323 Type Test or analysis must demonstrate these instruments survive the combined thermal, pressure, radiation, and chemical spray environment.

Rationale: Single failure criterion is mandated by NRC GDC 21 and IEEE 603 Clause 5.1. The safety analysis assumes no more than one concurrent failure in the protection system. This requirement ensures that no single detectable failure (electrical, mechanical, or software) can prevent the minimum required safety functions.

Rationale: Manual trip provides defense-in-depth against common-cause failure of automatic trip logic, per NRC GDC 20 and BTP 7-19. Independence from automatic logic ensures operators can shut down the reactor even if digital systems suffer common-mode software failure. Minimum electrical components in the manual path reduces failure probability.

Rationale: 10 CFR 73.54 mandates cyber security for digital safety systems. Network isolation eliminates remote attack vectors. Port/service reduction minimizes attack surface. Tamper monitoring provides detection of physical access attempts. Failure to implement allows potential adversary manipulation of safety functions — an unacceptable nuclear safety risk.

Rationale: DUPLICATE of SYS-REQS-013. Same cyber security requirement text. Should be consolidated during next revision.

Rationale: NRC BTP 7-19 requires diversity and defense-in-depth (D3) analysis demonstrating no common-cause failure of digital systems can prevent safety functions. Two diverse processing technologies (FPGA + microprocessor) ensure software common-cause failure affects at most one processing platform. Diverse manual path provides ultimate backup independent of all digital systems.

Rationale: EMC qualification per RG 1.180 ensures digital safety systems operate correctly in the plant electromagnetic environment. 6dB margin above measured in-plant levels provides guard band against unmeasured transient sources (e.g., breaker switching, walkie-talkies). Without EMC qualification, conducted or radiated interference could cause spurious trips or inhibit protective action.