System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison: components from unrelated systems that share a hex code, or whose trait sets have a high Jaccard similarity (traits set in both codes divided by traits set in either), are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
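
The comparison described in the two paragraphs above, as an added example written for this page rather than tooling from the UHT Journal: it relies only on what the report states (an 8-character hex code carrying 32 binary traits in four 8-bit layers) and assumes that trait 1 is the most significant bit of the first hex digit. The three component codes used as sample input are constructed for illustration and are not codes assigned anywhere in this report; the fire control computer and sensor fusion engine are given the same code to reproduce the duplicate-code case.

```python
"""Trait-set comparison of Universal Hex Taxonomy (UHT) codes.

Added example for this page, not tooling from the UHT Journal. It relies only on
what the report states: an 8-character hex code carries 32 binary traits in four
8-bit layers. Assumed here: trait 1 is the most significant bit of the first hex
digit. The sample codes in SAMPLE are constructed for illustration; they are not
codes assigned anywhere in the report.
"""
from itertools import combinations

LAYERS = ("Physical", "Functional", "Abstract", "Social")  # traits 1-8, 9-16, 17-24, 25-32


def parse_code(code: str) -> int:
    """Validate an 8-hex-character UHT code and return it as a 32-bit integer."""
    if len(code) != 8:
        raise ValueError(f"UHT code must be exactly 8 hex characters: {code!r}")
    try:
        return int(code, 16)
    except ValueError:
        raise ValueError(f"UHT code is not hexadecimal: {code!r}") from None


def trait_set(code: str) -> frozenset[int]:
    """Set of 1-based trait numbers whose bit is set (trait 1 = most significant bit)."""
    value = parse_code(code)
    return frozenset(t for t in range(1, 33) if (value >> (32 - t)) & 1)


def layer_profile(code: str) -> dict[str, int]:
    """Number of set traits in each of the four layers."""
    traits = trait_set(code)
    return {name: sum(1 for t in traits if 8 * i < t <= 8 * (i + 1))
            for i, name in enumerate(LAYERS)}


def jaccard(code_a: str, code_b: str) -> float:
    """|A & B| / |A | B| over the two trait sets; 1.0 for identical codes."""
    a, b = trait_set(code_a), trait_set(code_b)
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def ontological_twins(components: dict[str, str], threshold: float = 0.9):
    """Component pairs whose codes are identical or at least `threshold` similar,
    most similar first. A score of 1.0 means the same trait profile (duplicate code)."""
    pairs = [(x, y, jaccard(cx, cy))
             for (x, cx), (y, cy) in combinations(components.items(), 2)]
    return sorted([p for p in pairs if p[2] >= threshold], key=lambda p: -p[2])


# Constructed sample: two components with the same code, one near neighbour that
# differs in a single Social-layer trait, and one unrelated component.
SAMPLE = {
    "Fire control computer": "B7C2E1A0",
    "Sensor fusion engine": "B7C2E1A0",
    "RTD temperature channel": "B7C2E180",
    "Operating procedure": "0000000F",
}

if __name__ == "__main__":
    for name, code in SAMPLE.items():
        print(f"{code}  {layer_profile(code)}  {name}")
    for x, y, score in ontological_twins(SAMPLE):
        print(f"{score:.3f}  {x}  ~  {y}")
```

Two codes that are one trait apart score 14/15 here, so a twin threshold needs to be chosen deliberately: at 0.9 the RTD channel is reported as a twin of both fire-control and sensor-fusion, at 0.95 only the exact duplicate pair survives.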
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
| Standard | Title |
|---|---|
| IEC 60584 | Thermocouples |
| IEC 60747-5-5 | Semiconductor devices - Discrete devices - Part 5-5: Optoelectronic devices - Photocouplers |
| IEC 60751 | Industrial platinum resistance thermometers and platinum temperature sensors |
| IEC 61513 | Nuclear power plants — Instrumentation and control important to safety |
| IEEE 1115 | Recommended Practice for Sizing Nickel-Cadmium Batteries for Stationary Applications |
| IEEE 242 | Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems |
| IEEE 317 | Standard for Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations |
| IEEE 323 | Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations |
| IEEE 338 | Standard Criteria for Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems |
| IEEE 344 | Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations |
| IEEE 384 | Standard Criteria for Independence of Class 1E Equipment and Circuits |
| IEEE 450 | Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries for Stationary Applications |
| IEEE 485 | Recommended Practice for Sizing Lead-Acid Batteries for Stationary Applications |
| IEEE 603 | Standard Criteria for Safety Systems for Nuclear Power Generating Stations |
| IEEE 603-2018 | Standard Criteria for Safety Systems for Nuclear Power Generating Stations (2018 edition, cited by STK-NEEDS-001) |
| IEEE 7-4.3.2 | Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations |
| IEEE 946 | Recommended Practice for the Design of DC Power Systems for Stationary Applications |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Needs |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
```mermaid
flowchart TB
    n0["system<br>Nuclear Reactor Protection System"]
    n1["component<br>Nuclear Instrumentation Subsystem"]
    n2["component<br>Process Instrumentation Subsystem"]
    n3["component<br>Reactor Trip Subsystem"]
    n4["component<br>Engineered Safety Features Actuation System"]
    n5["component<br>Post-Accident Monitoring Subsystem"]
    n6["component<br>Communication and Display Subsystem"]
    n7["component<br>Class 1E Power Supply Subsystem"]
    n8["component<br>Test and Surveillance Subsystem"]
    n1 -->|Neutron flux trip signals| n3
    n2 -->|Process variable trip signals| n3
    n2 -->|ESF actuation parameters| n4
    n1 -->|Post-accident flux data| n5
    n2 -->|Post-accident process data| n5
    n3 -->|Trip status and alarms| n6
    n4 -->|ESF actuation status| n6
    n5 -->|Post-accident indications| n6
    n7 -->|Channel power| n1
    n7 -->|Logic power| n3
    n8 -->|Test signals and bypass| n3
    n8 -->|Test signals and bypass| n4
```
Nuclear RPS — Subsystem Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-NEEDS-001 | The Nuclear Reactor Protection System SHALL comply with NRC 10 CFR 50.55a, IEEE 603-2018, and IEC 61513 as the governing regulatory and standards framework for safety system design, qualification, and operation. Rationale: Nuclear safety systems must comply with governing regulatory framework (10 CFR 50.55a, IEEE 603, IEC 61513) as a condition of NRC licensing. Non-compliance prevents plant operation and may void safety analysis basis. | Inspection | stakeholder, regulatory, session-199 |
| STK-NEEDS-002 | The Nuclear Reactor Protection System SHALL automatically initiate reactor trip and engineered safety features actuation without operator action when plant parameters exceed safety limits, ensuring protection of the reactor core, primary pressure boundary, and containment. Rationale: Primary safety function of the RPS: prevent core damage, pressure boundary failure, and containment breach during design-basis events. Automatic initiation required because operator response times (minutes) exceed the timeline of fast transients like rod ejection or large-break LOCA (seconds). | Demonstration | stakeholder, operator, session-199 |
| STK-NEEDS-003 | The Nuclear Reactor Protection System SHALL achieve a probability of failure on demand of less than 1E-5 per demand for reactor trip and less than 1E-4 per demand for each ESF actuation function, demonstrated through probabilistic risk assessment. Rationale: PFD targets of 1E-5 (trip) and 1E-4 (ESF) derive from NRC regulatory expectations for safety system reliability consistent with Core Damage Frequency goals of 1E-4/reactor-year. Lower PFD for trip reflects its role as primary protection barrier. | Analysis | stakeholder, reliability, session-199 |
| STK-NEEDS-004 | The Nuclear Reactor Protection System SHALL limit spurious reactor trips to no more than one per year attributable to protection system malfunctions, balancing safety reliability against plant availability and economic impact. Rationale: Spurious trips cause thermal cycling stress on reactor components, economic losses (~$1M per event for a PWR), and potential for operator error during unnecessary transients. One per year is industry good practice per EPRI guidelines, balancing safety margin against availability. | Analysis | stakeholder, availability, session-199 |
| STK-NEEDS-005 | The Nuclear Reactor Protection System SHALL support complete surveillance testing of all trip functions during power operation without requiring plant shutdown or reducing the safety function capability below the minimum required by Technical Specifications. Rationale: Technical Specifications require periodic surveillance testing (typically 92-day intervals per NUREG-1431). Testing must be possible at power because refueling outage frequency (18-24 months) far exceeds required test intervals. Degrading safety capability during testing would violate single-failure criterion. | Demonstration | stakeholder, maintenance, session-199 |
| STK-NEEDS-006 | The Nuclear Reactor Protection System SHALL provide operators with reliable indication of critical safety parameters during and after design-basis accidents per Regulatory Guide 1.97, enabling informed decisions on emergency operating procedures. Rationale: RG 1.97 post-accident monitoring is required by 10 CFR 50.34(f)(2)(xix). Operators must assess plant state during accidents to select emergency operating procedures and determine need for protective actions. Without qualified indications, operators cannot verify automatic safety system response or take manual corrective action. | Inspection | stakeholder, operator, session-199 |
| STK-NEEDS-007 | The Nuclear Reactor Protection System SHALL maintain physical, electrical, and functional independence from non-safety plant control systems to prevent common-cause failures and ensure that no single credible failure or malfunction in the non-safety systems can prevent the safety function. Rationale: Independence from non-safety systems is a fundamental principle of IEEE 603 Clause 5.6 and NRC GDC 24. Common-cause failure between safety and non-safety systems was a contributing factor in multiple nuclear incidents. Any coupling creates a path for non-safety system faults to disable protection. | Inspection | stakeholder, safety, session-199 |
| STK-NEEDS-008 | The Nuclear Reactor Protection System SHALL be environmentally and seismically qualified to perform its safety functions under all postulated normal, abnormal, and accident conditions including loss-of-coolant accident, main steam line break, and safe shutdown earthquake per IEEE 323 and IEEE 344. Rationale: Environmental and seismic qualification ensures the RPS functions during the very conditions it must protect against. IEEE 323 (environmental) and IEEE 344 (seismic) qualification programs provide evidence that equipment will perform under LOCA, MSLB, and SSE conditions. Without qualification, safety analyses have no basis. | Test | stakeholder, qualification, session-199 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQS-001 | The Nuclear Reactor Protection System SHALL initiate opening of the reactor trip breakers within 2.0 seconds of any monitored parameter reaching its trip setpoint, measured from sensor output to breaker opening. Rationale: 2.0-second trip response time is derived from FSAR Chapter 15 accident analysis assumptions. Faster-developing transients (e.g., rod ejection, large-break LOCA) assume protection system response within this budget. Exceeding 2.0s invalidates the safety analysis and may result in fuel damage before protective action completes. | Test | system, performance, session-199 |
| SYS-REQS-002 | The Nuclear Reactor Protection System SHALL implement 2-out-of-4 coincidence voting logic for each reactor trip function, with automatic reduction to 2-out-of-3 when one channel is bypassed for maintenance. Rationale: 2-out-of-4 voting provides the optimum balance: tolerates one channel failure or bypass without losing protective capability, while requiring agreement of two independent channels to prevent spurious trips. Auto-reduction to 2-out-of-3 during maintenance preserves single-failure tolerance per IEEE 603. | Test | system, architecture, session-199 |
| SYS-REQS-003 | The Nuclear Reactor Protection System SHALL maintain four physically separated and electrically isolated protection channels, with no shared active components, power supplies, or signal paths between any two channels. Rationale: Four-channel independence satisfies IEEE 603 Clause 5.6 and NRC GDC 21/22. Physical separation prevents fire, flood, or missile from disabling multiple channels. Electrical isolation prevents fault propagation. No shared components ensures a single failure affects only one channel, preserving 2-out-of-4 voting integrity. | Inspection | system, independence, session-199 |
| SYS-REQS-004 | The Nuclear Reactor Protection System SHALL be designed fail-safe such that any single credible failure within the protection system, including loss of power, shall result in a channel trip output rather than inhibiting the protective action. Rationale: Fail-safe design is a fundamental nuclear safety principle per IEEE 603 Clause 5.2. Loss of power or component failure must produce a trip signal (safe state) rather than masking a trip condition. This ensures that equipment degradation moves the system toward reactor shutdown, not away from it. | Analysis | system, safety, session-199 |
| SYS-REQS-005 | The Nuclear Reactor Protection System SHALL initiate engineered safety feature actuation signals within 2.0 seconds of the monitored parameter reaching its actuation setpoint, with completion of all valve and pump sequencing within the time assumed in the FSAR Chapter 15 accident analyses. Rationale: 2.0-second ESF actuation initiation time is derived from FSAR Chapter 15 safety analyses for LOCA and MSLB. Sequential valve and pump starts must complete within the analysis timeline to ensure emergency core cooling and containment isolation functions are met. Failure to meet timing assumptions may result in exceeding 10 CFR 50.46 acceptance criteria. | Test | system, performance, session-199 |
| SYS-REQS-006 | The Nuclear Reactor Protection System SHALL remain fully functional during and after a Safe Shutdown Earthquake of 0.3g horizontal and 0.2g vertical peak ground acceleration, with all components qualified per IEEE 344. Rationale: 0.3g horizontal / 0.2g vertical PGA envelope the site-specific SSE per 10 CFR 100 Appendix A. IEEE 344 qualification by shake-table testing or analysis demonstrates structural integrity and functional capability. If protection equipment fails during an earthquake, seismic-induced transients cannot be mitigated. | Test | system, qualification, session-199 |
| SYS-REQS-007 | The Nuclear Reactor Protection System SHALL communicate with non-safety plant computer systems only through qualified one-way isolation devices that prevent any data or electrical feedback from the non-safety system to the protection system. Rationale: One-way isolation satisfies NRC GDC 24 and IEEE 603 Clause 5.6.3. Hardware-enforced unidirectionality prevents cyber attack vectors and fault propagation from non-safety systems. Software-only isolation is insufficient per NRC ISG-04; physical absence of receive capability on the safety side eliminates the attack surface. | Test | system, independence, session-199 |
| SYS-REQS-008 | The Nuclear Reactor Protection System SHALL provide overlap testing capability from sensor input through logic processing to final actuation device, with each test segment executable at power with no more than one channel per trip function bypassed at any time. Rationale: Overlap testing per IEEE 338 ensures complete coverage from sensor to actuator with no untested gaps. One-channel-at-a-time bypass limit preserves 2-out-of-3 voting during test, maintaining Technical Specification minimum operable channels. Without overlap coverage, hidden failures in the signal path could accumulate undetected. | Demonstration | system, testability, session-199 |
| SYS-REQS-009 | The Nuclear Reactor Protection System SHALL provide continuous, qualified indication of Regulatory Guide 1.97 Category 1 variables on dual-redundant displays in the main control room, powered by Class 1E batteries with minimum 4-hour capacity without AC power. Rationale: RG 1.97 Category 1 variables require qualified, redundant, continuously-available displays for post-accident operator decision-making. 4-hour battery capacity ensures display availability during station blackout (SBO) scenarios per 10 CFR 50.63, which assumes loss of all AC power. Dual redundancy ensures single display failure does not blind operators. | Test | system, monitoring, session-199 |
| SYS-REQS-010 | While exposed to post-LOCA containment conditions of 340 °F temperature, 60 psig pressure, and 1E8 rad total integrated dose, the Nuclear Reactor Protection System containment-located instrumentation SHALL continue to provide accurate process measurements within specified accuracy bands for a minimum of 30 days. Rationale: 340 °F, 60 psig, and 1E8 rad envelope the worst-case post-LOCA containment conditions for a large dry PWR containment per FSAR Chapter 6 analysis. 30-day operability covers the period to cold shutdown and accident assessment. IEEE 323 Type Test or analysis must demonstrate these instruments survive the combined thermal, pressure, radiation, and chemical spray environment. | Test | system, qualification, session-199 |
| SYS-REQS-011 | The Nuclear Reactor Protection System SHALL satisfy the single failure criterion per IEEE 603 Clause 5.1, such that no single detectable failure, concurrent with all identifiable but non-detectable failures, shall prevent the system from performing its minimum required safety functions. Rationale: The single failure criterion is mandated by NRC GDC 21 and IEEE 603 Clause 5.1. The safety analysis credits the protection system with tolerating one concurrent failure. This requirement ensures that no single detectable failure (electrical, mechanical, or software), together with any non-detectable failures that surveillance testing cannot reveal, can prevent the minimum required safety functions. | Analysis | system, safety, session-199 |
| SYS-REQS-012 | The Nuclear Reactor Protection System SHALL provide a hardwired manual reactor trip capability from the main control room that is independent of all automatic trip logic and directly opens the reactor trip breakers through a minimum of electrical components. Rationale: Manual trip provides defense-in-depth against common-cause failure of automatic trip logic, per NRC GDC 20 and BTP 7-19. Independence from automatic logic ensures operators can shut down the reactor even if digital systems suffer common-mode software failure. Minimum electrical components in the manual path reduces failure probability. | Demonstration | system, safety, session-199 |
| SYS-REQS-013 | The Nuclear Reactor Protection System SHALL implement a cyber security program per 10 CFR 73.54 that protects digital computer and communication systems performing safety functions from cyber attacks, including network isolation of safety-critical digital assets from all external networks, removal or disabling of all unnecessary communication ports and services, and monitoring of access attempts to safety system digital assets with tamper indication at each protection division cabinet. Rationale: 10 CFR 73.54 mandates cyber security for digital safety systems. Network isolation eliminates remote attack vectors. Port/service reduction minimizes attack surface. Tamper monitoring provides detection of physical access attempts. Failure to implement allows potential adversary manipulation of safety functions — an unacceptable nuclear safety risk. | Inspection | system, cybersecurity, session-205 |
| SYS-REQS-014 | Duplicate of SYS-REQS-013 (identical requirement text; see that entry). Retained so that existing trace links to SYS-REQS-014 remain resolvable. Rationale: Flagged for consolidation into SYS-REQS-013 at the next revision; no separate rationale. | Inspection | duplicate-of-SYS-REQS-013, session-223 |
| SYS-REQS-015 | The Nuclear Reactor Protection System SHALL incorporate diversity and defense-in-depth measures per NRC BTP 7-19 such that no postulated common-cause failure of digital systems can prevent the reactor trip or ESF actuation safety functions. The system SHALL implement at least two diverse processing technologies (FPGA-based coincidence logic and microprocessor-based bistable processing) and SHALL provide a diverse manual actuation path independent of all digital processors for reactor trip and ESF actuation. Rationale: NRC BTP 7-19 requires diversity and defense-in-depth (D3) analysis demonstrating no common-cause failure of digital systems can prevent safety functions. Two diverse processing technologies (FPGA + microprocessor) ensure software common-cause failure affects at most one processing platform. Diverse manual path provides ultimate backup independent of all digital systems. | Demonstration | system, d3, diversity, session-205 |
| SYS-REQS-016 | The Nuclear Reactor Protection System SHALL be qualified for electromagnetic compatibility per Regulatory Guide 1.180, with all digital safety system cabinets withstanding conducted and radiated electromagnetic interference at levels enveloping the measured in-plant environment plus 6 dB margin, without loss of safety function or generation of spurious actuation signals. Rationale: EMC qualification per RG 1.180 ensures digital safety systems operate correctly in the plant electromagnetic environment. 6 dB margin above measured in-plant levels provides guard band against unmeasured transient sources (e.g., breaker switching, walkie-talkies). Without EMC qualification, conducted or radiated interference could cause spurious trips or inhibit protective action. | Test | system, emc, qualification, session-205 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQS-001 | The Bistable Trip Processor SHALL compare each monitored parameter against its predetermined trip setpoint and generate a channel trip output within 100ms of the input signal reaching the setpoint value. Rationale: 100ms bistable response budget is allocated from the 2.0s total system response (SYS-REQS-001): 100ms bistable + 50ms coincidence + 100ms breaker + margins for signal conditioning and relay response. Exceeding 100ms compresses margins for downstream components and may violate the accident analysis timing assumption. | Test | subsystem, rts, bistable, session-199 |
| SUB-REQS-002 | The Coincidence Logic Module SHALL generate a train-level trip output when 2 or more of 4 channel trip inputs are present for any single trip function, with logic evaluation completed within 50ms. Rationale: 50ms coincidence logic evaluation is the allocated budget from the 2.0s system response time. 2-out-of-4 voting tolerates one failed/bypassed channel while preventing single-channel spurious trips. Logic must complete within budget to preserve time margin for breaker response and signal propagation delays. | Test | subsystem, rts, coincidence, session-199 |
| SUB-REQS-003 | When one protection channel is bypassed for maintenance, the Coincidence Logic Module SHALL automatically reconfigure to 2-out-of-3 voting for all trip functions served by the bypassed channel within 10ms of bypass activation. Rationale: Automatic reduction to 2-out-of-3 during single-channel bypass maintains single-failure tolerance per IEEE 603. 10ms reconfiguration prevents a gap in protection during the transition. Without automatic reduction, a bypassed channel plus one additional failure would defeat 2-out-of-4 voting. | Test | subsystem, rts, coincidence, session-199 |
| SUB-REQS-004 | The Reactor Trip Breaker SHALL open within 100ms of de-energization of its trip coil, interrupting power to the Control Rod Drive Mechanism power cabinets. Rationale: 100ms breaker opening time is derived from the total 2.0s system response budget. Mechanical breaker opening must complete within this allocation to ensure CRDM power interruption occurs fast enough for control rod insertion to match the reactivity insertion curve assumed in the safety analysis. | Test | subsystem, rts, breaker, session-199 |
| SUB-REQS-005 | The Reactor Trip Breaker SHALL employ undervoltage trip coils as the primary trip mechanism, such that loss of power to the trip coil causes breaker opening (fail-safe design). Rationale: Undervoltage trip coil design is fail-safe: loss of power opens the breaker. This satisfies SYS-REQS-004 fail-safe requirement. Alternative shunt-trip design requires power to trip and is not fail-safe. UV coil ensures that power supply failures, cable breaks, or relay contact failures all result in reactor trip. | Inspection | subsystem, rts, breaker, safety, session-199 |
| SUB-REQS-006 | The Manual Trip Interface SHALL provide a hardwired path from the main control room trip switches to the reactor trip breaker undervoltage coils that is independent of all digital processors, with actuation-to-breaker-opening time less than 200ms. Rationale: Manual trip independence from digital processors provides defense-in-depth per BTP 7-19 against common-cause software failure (SYS-REQS-015). 200ms response allocation accounts for switch contact closure, relay actuation, and breaker opening. Hardwired path eliminates all digital system dependencies. | Test | subsystem, rts, manual-trip, session-199 |
| SUB-REQS-007 | The Channel Bypass Logic SHALL prevent bypass of more than one protection channel simultaneously for any single trip function through hardware interlock, independent of software. Rationale: Hardware interlock prevents simultaneous bypass of multiple channels, which would reduce voting below 2-out-of-3 and violate Technical Specifications minimum channel requirements. Software-independent interlock ensures the protection cannot be defeated by software common-cause failure during maintenance. | Test | subsystem, rts, bypass, session-199 |
| SUB-REQS-008 | The ESF Coincidence Logic Processor SHALL evaluate 2-out-of-4 coincidence voting for each ESF function and generate an actuation demand output within 100ms of the second channel reaching its setpoint threshold. Rationale: 100ms ESF coincidence logic evaluation time is allocated from the 2.0s total ESF actuation initiation budget (SYS-REQS-005). Completion within 100ms of the second channel signal preserves timing margin for actuation priority logic, relay response, and component interface module processing. | Test | subsystem, esfas, session-201 |
| SUB-REQS-009 | The ESF Coincidence Logic Processor SHALL implement each ESF function (Safety Injection, Containment Isolation Phase A, Containment Isolation Phase B, Containment Spray, Steamline Isolation, Main Feedwater Isolation, Auxiliary Feedwater Actuation) in independent logic paths with no shared logic elements between functions. Rationale: Independent logic paths per ESF function prevent fault propagation between safety functions. A logic error in Containment Spray must not affect Safety Injection. This satisfies IEEE 603 functional independence requirements and ensures that maintenance or testing of one ESF function does not degrade another. | Inspection | subsystem, esfas, session-201 |
| SUB-REQS-010 | The Actuation Priority Logic Module SHALL enforce a fixed priority hierarchy where automatic ESF actuation commands override manual operator commands, which override normal plant control signals, and SHALL prevent any operator action from blocking or resetting an automatic ESF actuation once initiated until the initiating condition has cleared. Rationale: Fixed priority hierarchy ensures automatic safety actuation cannot be overridden by operator error during high-stress accident conditions. Blocking automatic actuation reset until the initiating condition clears prevents premature reset that could allow the accident to progress. Derived from IEEE 603 Clause 7.4 manual control requirements. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-011 | When a Safety Injection signal is coincident with a loss-of-offsite-power condition, the Sequential Events Controller SHALL shed non-essential loads from the safety bus within 3 seconds, issue emergency diesel generator start commands, and reconnect safety loads in a time-sequenced program with no less than 5-second intervals between load steps, completing the full loading sequence within 60 seconds. Rationale: Load sequencing prevents diesel generator overload during LOCA+LOOP. 5-second intervals allow each motor to start and reach running current before the next load connects. 60-second total sequence completion is assumed in FSAR Chapter 6 ECCS analysis. 3-second initial load shed prevents reverse power to the diesel. | Test | subsystem, esfas, session-201 |
| SUB-REQS-012 | The Manual ESF Actuation Panel SHALL provide hardwired manual initiation capability for each ESF function via dedicated two-switch controls, with signal paths that bypass all digital processing and connect directly to the Actuation Priority Logic Module. Rationale: Manual ESF actuation bypassing digital processing provides D3 backup per BTP 7-19 (SYS-REQS-015). Two-switch controls prevent inadvertent single-action actuation of ESF functions. Direct connection to Actuation Priority Logic Module ensures manual actuation works even with total digital system failure. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-013 | The ESF Component Interface Module SHALL provide electrical isolation rated to 1500V between protection system logic circuits and actuated equipment power circuits, and SHALL monitor actuation confirmation feedback (valve position, pump running status, breaker state) within 2 seconds of issuing an actuation command. Rationale: 1500V isolation rating exceeds the maximum credible fault voltage between safety logic (125VDC) and actuated equipment power circuits (480VAC/4160VAC). 2-second confirmation feedback is needed to verify actuation completed successfully; operators rely on this for post-trip verification per EOPs. | Test | subsystem, esfas, session-201 |
| SUB-REQS-014 | The Subgroup Relay Cabinet SHALL organise ESF actuation relays into functionally independent subgroups, enabling overlap testing of each individual actuation path during power operation without actuating the associated ESF equipment or disabling the automatic actuation capability of any other subgroup. Rationale: Subgroup organization enables partial testing at power per SYS-REQS-008 overlap testing requirement. Functional independence between subgroups ensures testing one actuation path does not inadvertently actuate equipment in another ESF function or disable the automatic actuation of any remaining path. | Demonstration | subsystem, esfas, session-201 |
| SUB-REQS-015 | When an emergency diesel generator fails to start or accept load within 10 seconds, the Sequential Events Controller SHALL automatically transfer the affected train's safety loads to the alternate power source and adjust the loading sequence to prevent overloading the remaining power supply. Rationale: 10-second diesel start failure timeout is per FSAR emergency diesel generator requirements. Automatic transfer to alternate power prevents total loss of safety train during LOOP if one diesel fails. Adjusted loading sequence prevents overloading the remaining power source, which would cascade to loss of both trains. | Test | subsystem, esfas, session-201 |
| SUB-REQS-016 | The Source Range Detector Channel SHALL provide neutron flux measurement covering a minimum of 6 decades (1E-1 to 1E5 counts per second) using pulse counting mode at count rates below 1E5 cps and mean-square voltage mode above 1E4 cps, with a minimum 1-decade overlap between modes. Rationale: Source range detectors must cover 6 decades to span the full subcritical-to-critical transition. Pulse counting below 1E5 cps avoids dead-time losses; mean-square-voltage mode, available from 1E4 cps upward, provides linear response once pulse pile-up makes counting unreliable, and the 1E4 to 1E5 cps band is the required 1-decade overlap between modes. This dual-mode operation per NUREG-0800 SRP 7.2 ensures no gap in flux monitoring during reactor startup. | Test | subsystem, nis, session-201 |
| SUB-REQS-017 | The Intermediate Range Detector Channel SHALL provide compensated ionisation chamber output with gamma compensation error of less than 5% of indicated neutron flux across the full intermediate range (1E-11 to 1E-3 amps), with logarithmic amplifier response time of less than 1 second per decade. Rationale: 5% gamma compensation error limit is derived from FSAR safety analysis which assumes neutron flux measurement accuracy within 10% across the intermediate range. Gamma compensation is critical because ionisation chambers respond to both gamma and neutron radiation; without compensation, post-trip gamma fields would mask true neutron flux during shutdown monitoring. | Test | subsystem, nis, session-201 |
| SUB-REQS-018 | The Power Range Detector Channel SHALL provide upper and lower section ion chamber currents enabling axial flux difference (delta-I) measurement with an accuracy of ±2% of rated thermal power, and total neutron flux measurement from 1% to 120% rated thermal power with linearity error of less than ±1% of full scale. Rationale: ±2% delta-I accuracy is required by the Technical Specifications for axial flux difference surveillance. Split ion chambers (upper/lower) enable axial offset monitoring for departure-from-nucleate-boiling protection. The ±1% of full scale linearity limit on total power measurement derives from the FSAR Chapter 15 overpower analysis assumptions. | Test | subsystem, nis, session-201 |
| SUB-REQS-019 | The NIS Signal Conditioning Electronics SHALL maintain calibration accuracy within ±0.5% of reading for a minimum of 18 months between scheduled calibrations, and SHALL provide built-in test capability for each channel without requiring disconnection of the detector. Rationale: ±0.5% calibration stability over 18 months matches the nuclear plant refueling cycle interval during which full-scope calibration is performed. Drift beyond 0.5% would exceed the channel uncertainty allocation in the safety analysis setpoint methodology (ISA 67.04). Built-in test capability enables partial verification between refueling outages without channel removal. | Test | subsystem, nis, session-201 |
| SUB-REQS-020 | The Detector High Voltage Power Supply SHALL maintain output voltage stability within ±0.1% over any 24-hour period, and SHALL automatically alarm when output voltage deviates by more than ±1% from the nominal setpoint. Rationale: ±0.1% voltage stability over 24 hours is required because detector sensitivity is proportional to applied bias voltage. For proportional counters and ion chambers, a 1% voltage shift can produce 2-5% gain change depending on operating point on the plateau curve. The 24-hour period bounds the maximum interval between automated surveillance checks. | Test | subsystem, nis, session-201 |
| SUB-REQS-021 | The RTD Temperature Measurement Channel SHALL measure reactor coolant temperature from 50°C to 400°C with a total channel accuracy of ±0.5°C including sensor drift, lead wire resistance compensation error, and signal conditioning uncertainty, using 4-wire platinum RTD elements calibrated to IEC 60751 Class AA. Rationale: ±0.5°C total channel accuracy is derived from the reactor protection system trip setpoint methodology per ISA 67.04. The temperature measurement uncertainty contributes directly to the overtemperature delta-T and overpower delta-T trip function uncertainties. Lead wire resistance compensation is essential for the 4-wire RTD configuration used over cable runs up to 150m between the RCS hot/cold legs and protection cabinets. | Test | subsystem, pis, rtd, session-202 |
| SUB-REQS-022 | The Pressure Transmitter Channel SHALL measure process pressures with a total channel accuracy of ±0.25% of calibrated span, including static pressure effects, ambient temperature effects over the range 10°C to 55°C, and 30-month calibration drift. Rationale: ±0.25% of calibrated span accuracy for pressure channels derives from the reactor protection system setpoint uncertainty analysis per ISA 67.04. Pressurizer pressure and RCS pressure measurements feed the low-pressure and high-pressure reactor trip functions. Static pressure and ambient temperature effects are specified because transmitters are exposed to containment conditions during normal operation. | Test | subsystem, pis, pressure, session-202 |
| SUB-REQS-023 | The Differential Pressure Flow Channel SHALL detect a 10% step change in reactor coolant flow within 1.0 seconds, including DP transmitter response time, square-root extraction computation, and signal conditioning filter delay, to support timely RCS low-flow reactor trip actuation. Rationale: 1.0-second response to a 10% flow step change ensures the RCS low-flow trip function actuates within the system-level 2.0s response budget. Reactor coolant pump coastdown during a loss-of-flow event can lead to departure from nucleate boiling within 3-5 seconds, making rapid detection essential. The square-root extraction is necessary because DP is proportional to flow squared. | Test | subsystem, pis, flow, session-202 |
| SUB-REQS-024 | The Level Measurement Channel SHALL compensate for reference leg temperature changes during post-LOCA conditions, maintaining level indication accuracy within ±5% of span when containment temperature varies from 25°C to 171°C, using stored density correction curves or temperature-compensated reference columns. Rationale: Reference leg temperature compensation is critical during post-LOCA conditions when containment temperature rises from ~40°C to 171°C. The reference leg condensate pot temperature changes cause the reference leg density to change, introducing a level measurement error that can exceed 20% of span without compensation. ±5% accuracy during post-LOCA ensures operators have reliable level indication for emergency operating procedures. | Test | subsystem, pis, level, session-202 |
| SUB-REQS-025 | The Process Signal Conditioning Module SHALL process raw sensor inputs and deliver calibrated 4-20mA outputs with a total signal path delay of no more than 500ms from sensor input change to conditioned output change, while providing at least 40dB attenuation of frequencies above 2Hz to reject plant electrical noise. Rationale: 500ms total signal conditioning delay is the allocated budget within the 2.0s system response time. The conditioning module performs linearisation, engineering unit conversion, and filtering, each contributing latency. This budget ensures sufficient margin when combined with bistable processing (100ms) and coincidence logic (100ms) to meet the system-level trip response requirement. | Test | subsystem, pis, conditioning, session-202 |
| SUB-REQS-026 | The Containment Environment Monitor SHALL remain operational and within accuracy specifications during and after exposure to post-LOCA conditions of 171°C temperature, 413 kPa gauge pressure, chemical spray (pH 10.5 boric acid/sodium hydroxide), and 1E8 rad total integrated gamma dose, for a minimum of 720 hours post-event per IEEE 323 qualification. Rationale: 171°C and 413 kPa envelope the LOCA peak containment conditions from FSAR Chapter 6 containment analysis. Chemical spray exposure (boric acid + NaOH at pH 9-11) and 1E8 rad total integrated dose are the DBA environmental conditions per IEEE 323. The monitor must survive these to provide RG 1.97 Category 1 containment atmosphere data throughout the post-accident monitoring period. | Test | subsystem, pis, containment, session-202 |
| SUB-REQS-027 | The Process Instrumentation Subsystem SHALL maintain electrical independence between the four redundant protection channels such that a short circuit, open circuit, or ground fault in any single channel does not degrade the measurement accuracy of any other channel by more than 0.1% of span. Rationale: Electrical independence between the four protection channels is mandated by IEEE 603 Clause 5.6 and 10 CFR 50 Appendix A GDC 22. A fault in one channel (short, open, or ground) must not propagate to redundant channels, as this would defeat the redundancy relied upon in the single failure analysis. Physical separation per IEEE 384 and qualified isolation devices are the implementation means. | Test | subsystem, pis, independence, session-202 |
| SUB-REQS-028 | The Containment Environment Monitor SHALL measure containment pressure over a narrow range of 0 to 413 kPa gauge with a total channel accuracy of ±1% of span, providing the primary input for Safety Injection, Containment Isolation Phase A, and Containment Spray ESF actuation functions. Rationale: 0-413 kPa narrow-range containment pressure with ±1% accuracy provides the primary input for containment isolation and containment spray actuation Safety Injection signals. The narrow range provides better resolution than the wide-range monitor (0-1380 kPa) for the initial post-LOCA pressure transient, enabling timely ESF actuation before containment pressure exceeds design limits. | Test | subsystem, pis, containment, pressure, session-202 |
| SUB-REQS-030 | The Core Exit Thermocouple Assembly SHALL provide temperature measurement from 93°C to 1260°C at a minimum of 4 core locations per quadrant, using Type K thermocouples with an accuracy of ±2.2°C or ±0.75% of reading (whichever is greater) per ASTM E230, to detect approach to inadequate core cooling conditions. Rationale: 93°C to 1260°C range with Type K thermocouples covers the full spectrum from normal hot-leg temperature to inadequate core cooling conditions. 4 TCs per quadrant minimum ensures spatial coverage for detecting asymmetric core conditions per TMI Action Plan Item II.F.2. ±2.2°C or ±0.75% accuracy derives from IEC 60584 limits for Type K thermocouples, representing the best achievable in-vessel accuracy. | Inspection | subsystem, pams, cetc, session-202 |
| SUB-REQS-031 | The Reactor Vessel Level Indication System SHALL indicate reactor vessel water level from the bottom of the hot leg nozzle to the top of the vessel head with a resolution of ±5% of the indicated range, using heated junction thermocouple differential temperature method, and SHALL distinguish between subcooled liquid, two-phase mixture, and superheated steam conditions. Rationale: Reactor vessel level indication from hot-leg nozzle to vessel head covers the TMI Action Plan requirement (II.F.2) for detecting inadequate core cooling. ±5% resolution enables operators to distinguish between normal level, partial uncovery, and significant core uncovery conditions. The heated junction thermocouple and differential pressure methods both require post-LOCA qualification. | Test | subsystem, pams, rvlis, session-202 |
| SUB-REQS-032 | The Wide-Range Containment Pressure Monitor SHALL measure containment pressure from -34 kPa to 1380 kPa gauge with an accuracy of ±2% of span, providing continuous indication to the Qualified Safety Display Panel for a minimum of 30 days following a design basis LOCA without recalibration or maintenance. Rationale: -34 kPa to 1380 kPa range covers from subatmospheric (ice condenser containments or drawdown scenarios) through 3× design pressure, as required by RG 1.97 for Type A variable Category 1 wide-range containment pressure. ±2% span accuracy is the minimum needed for post-accident trending and assessment of containment integrity under design extension conditions. | Test | subsystem, pams, containment-pressure, session-202 |
| SUB-REQS-033 | The Containment Hydrogen Monitor SHALL measure hydrogen concentration from 0 to 10% by volume with an accuracy of ±0.5% absolute and a response time (sample transport plus analysis) of no more than 5 minutes, and SHALL annunciate when hydrogen concentration exceeds 4% by volume (lower flammability limit in air). Rationale: 0-10% hydrogen monitoring range covers from normal atmosphere to the combustion threshold (4% in air) and above, as required by 10 CFR 50.44. ±0.5% absolute accuracy enables confident assessment of whether hydrogen concentration approaches the lower flammability limit. 5-minute response time ensures operators have timely data for hydrogen mitigation decisions per emergency operating procedures. | Test | subsystem, pams, hydrogen, session-202 |
| SUB-REQS-034 | The Qualified Safety Display Panel SHALL remain fully functional during and after a Safe Shutdown Earthquake of 0.3g peak ground acceleration, SHALL be readable under emergency lighting conditions of 50 lux minimum, and SHALL provide simultaneous display of all Reg Guide 1.97 Category 1 variables without requiring operator page selection. Rationale: 0.3g seismic qualification ensures post-accident displays survive the SSE and remain available for operator decision-making. Emergency lighting readability at 50 lux accounts for loss of normal lighting concurrent with the accident. These requirements flow from RG 1.97 Category 1 qualification criteria requiring displays to remain functional during and after the design basis event. | Demonstration | subsystem, pams, display, session-202 |
| SUB-REQS-035 | The Station Battery Bank SHALL provide 125VDC power to all connected divisional loads for a minimum of 4 hours following a loss of all AC power sources concurrent with a design basis accident, without battery terminal voltage dropping below 105VDC. Rationale: 4-hour battery capacity with concurrent DBA loads is the minimum station blackout coping duration per 10 CFR 50.63 and NUMARC 87-00. The battery must carry all safety loads including protection logic, trip breakers, post-accident monitoring, and emergency lighting without voltage dropping below 105VDC (the minimum for reliable relay and logic operation). This defines the battery sizing calculation per IEEE 485. | Test | subsystem, class1e, battery, session-203 |
| SUB-REQS-036 | The Vital Bus Inverter SHALL convert 125VDC input to 120VAC 60Hz output with voltage regulation within ±2% and frequency regulation within ±0.5% under all load conditions from no-load to rated load. Rationale: ±2% voltage and ±0.5% frequency regulation ensure connected digital protection equipment receives power within its input specifications. Protection processors and bistable modules are designed for 120VAC ±10%; the ±2% inverter regulation provides margin for downstream cable voltage drop and transient loading. IEEE 946 provides the design standard for Class 1E inverters. | Test | subsystem, class1e, inverter, session-203 |
| SUB-REQS-037 | The Isolation Transfer Switch SHALL transfer from the preferred inverter source to the regulated transformer alternate source within 4ms of detecting inverter output voltage below 102VAC or frequency outside 57-63Hz, without interruption to downstream protection system loads. Rationale: 4ms transfer time is below the ride-through capability of typical digital protection logic modules (10ms minimum per manufacturer specifications). Faster transfer prevents any interruption visible to the protection processors. The 102VAC and ±3Hz thresholds represent the boundaries beyond which downstream loads cannot operate correctly, triggering the transfer before equipment malfunction. | Test | subsystem, class1e, transfer, session-203 |
| SUB-REQS-038 | The Battery Charger SHALL recharge a fully discharged Station Battery Bank to 95% of rated capacity within 12 hours while simultaneously supplying all connected DC loads, with float voltage regulation within ±1% of the 140VDC setpoint. Rationale: 12-hour recharge to 95% capacity from fully discharged state ensures the battery is restored before the next potential station blackout event. This recharge rate is consistent with IEEE 1115 recommended practice. Float voltage regulation at ±0.5% per cell prevents overcharging (which accelerates plate degradation) and undercharging (which causes sulfation and capacity loss). | Test | subsystem, class1e, charger, session-203 |
| SUB-REQS-039 | The Class 1E Distribution Panel SHALL provide individual circuit protection for each protection system load circuit via molded-case circuit breakers, with selective coordination ensuring that a fault on any branch circuit is isolated without de-energising the vital bus or other branch circuits. Rationale: Individual circuit protection with selective coordination ensures a fault on one branch circuit trips only the local breaker, not the upstream supply. Without coordination, a single fault could de-energise the entire division's protection system loads, constituting a common-cause failure. Selective coordination study per IEEE 242 is required during detailed design. | Inspection | subsystem, class1e, distribution, session-203 |
| SUB-REQS-040 | Each Class 1E Power Supply division SHALL be electrically independent from all other protection divisions and from non-safety power systems, with no electrical interconnections that could propagate faults or allow a single failure in one division to affect power availability in any other division. Rationale: Divisional independence is mandated by IEEE 603 Clause 5.6 and NRC GDC 17. Electrical interconnections between divisions or between safety and non-safety could propagate faults across redundant trains, defeating the independence assumed in the safety analysis. Complete electrical isolation ensures the single failure criterion is satisfied for the power supply architecture. | Inspection | subsystem, class1e, independence, session-203 |
| SUB-REQS-041 | All Class 1E Power Supply Subsystem components SHALL maintain their safety function during and after a safe shutdown earthquake, qualified to IEEE 344 with seismic response spectra enveloping the site-specific ground motion at the equipment mounting location. Rationale: Seismic qualification per IEEE 344 ensures all power supply components maintain their safety function during and after the SSE. A loss of Class 1E power during a seismic event concurrent with a design basis accident would prevent protection system actuation. Seismic response spectra must envelope site-specific ground motion amplified through the building structure to the equipment mounting location. | Test | subsystem, class1e, seismic, session-203 |
| SUB-REQS-042 | The Analog Channel Test Module SHALL inject calibrated test signals at the channel input with accuracy ≤0.1% of span traceable to NIST standards, exercising the complete signal path from signal conditioning through bistable trip output. Rationale: 0.1% test signal accuracy traceable to NIST ensures calibration uncertainties do not exceed the channel accuracy allocations in the setpoint methodology per ISA 67.04. Exercising the complete signal path from input to bistable trip verifies the channel has not drifted beyond its Technical Specification allowance. The 2% overlap deadband prevents nuisance alarms during test signal ramping. | Test | subsystem, test-surv, channel-test, session-203 |
| SUB-REQS-043 | The Logic Test Cabinet SHALL test all 2-out-of-4 coincidence logic voting combinations for each reactor trip and ESF actuation function without requiring any channel to be bypassed, completing the full test sequence within one channel bypass interval per Technical Specifications. Rationale: Testing all 2-out-of-4 voting combinations without channel bypass is required by IEEE 338 to verify coincidence logic integrity while maintaining the protection function. Requiring full logic test within 4 hours bounds the Technical Specification surveillance completion time and minimises the period during which test-induced masking could exist. | Demonstration | subsystem, test-surv, logic-test, session-203 |
| SUB-REQS-044 | The Response Time Test Equipment SHALL measure total channel response time from sensor input to trip actuator output with measurement uncertainty ≤50ms at 95% confidence level, using non-intrusive techniques (LCSR for RTDs, noise analysis for pressure transmitters) that do not require process perturbation. Rationale: 50ms measurement uncertainty at 95% confidence is required to validate that each channel meets its allocated response time budget within the 2.0s system response requirement. Non-intrusive techniques (e.g., noise analysis per NUREG/CR-5501) avoid perturbing the operating channel. Sensor-to-actuator coverage ensures no response time contributor is missed. | Test | subsystem, test-surv, response-time, session-203 |
| SUB-REQS-045 | The Trip Breaker Test Circuit SHALL verify reactor trip breaker operability by energising the shunt trip coil and measuring breaker opening time, with a hardwired interlock preventing simultaneous testing of both series breakers in the same trip path. Pass criterion: breaker opening time ≤150ms from coil energisation to contact separation. Rationale: Shunt trip coil actuation testing verifies mechanical operability of the trip breaker, which is the last active component in the trip chain. The interlock preventing simultaneous testing of redundant breakers in the same trip leg is essential — testing both breakers simultaneously would cause a spurious reactor trip, violating SYS-REQS-004 spurious trip requirements. | Demonstration | subsystem, test-surv, breaker-test, session-203 |
| SUB-REQS-046 | The Test and Surveillance Subsystem SHALL provide overlap testing capability per IEEE 338 such that the combined test coverage of analog channel tests, logic tests, and actuator tests verifies the complete protection system signal path from sensor to final actuator with no untested gaps. Rationale: Overlap testing per IEEE 338 Section 6.3 requires that the combined scope of all individual component tests covers every element in the protection chain from sensor through actuator with no untested gaps. Without overlap at test boundaries, components at the interfaces between test segments could fail undetected, defeating the surveillance programme's purpose. | Demonstration | subsystem, test-surv, overlap, session-203 |
| SUB-REQS-047 | While any channel test or surveillance is in progress, the Test and Surveillance Subsystem SHALL maintain the protection system in a configuration that satisfies the single failure criterion, with the tested channel either tripped or bypassed per the plant Technical Specifications. Rationale: Maintaining single-failure-criterion compliance during testing is mandated by IEEE 603 Clause 5.7 and Technical Specification LCO requirements. If a second channel fails while one is under test, the protection function must still actuate. This constrains test methodology to one channel at a time and requires the tested channel to be placed in a known safe state (tripped or bypassed with automatic 2-out-of-3 reduction). | Analysis | subsystem, test-surv, safety, session-203 |
| SUB-REQS-048 | The Safety Parameter Display System SHALL display all Regulatory Guide 1.97 Category 1 post-accident monitoring variables with update rate ≤2 seconds, using qualified flat-panel displays that remain legible under emergency lighting conditions and seismic events. Rationale: RG 1.97 Category 1 variables require continuous display with qualified redundant instrumentation. 2-second update rate ensures operators see real-time plant status during rapidly evolving transients. Qualified flat-panel displays replace legacy CRT-based systems while meeting the same seismic and environmental qualification requirements per IEEE 323 and IEEE 344. | Test | subsystem, comm-display, spds, session-203 |
| SUB-REQS-049 | The Safety Data Gateway SHALL enforce hardware-level unidirectional data flow from the Class 1E protection systems to the non-safety plant computer, with no electrical or logical path for data transmission from non-safety to safety systems. The gateway SHALL use fiber optic transmitters with no physical receive capability on the safety-side interface. Rationale: Hardware-enforced unidirectional data flow is the NRC-accepted implementation of GDC 24 separation between safety and non-safety systems. The critical requirement is that no receive hardware exists on the safety side; a software firewall alone is not sufficient, because software-based isolation can be compromised by common-cause failure. This prevents any cyber attack or non-safety system fault from affecting protection system operation per 10 CFR 73.54. | Inspection | subsystem, comm-display, gateway, session-203 |
| SUB-REQS-050 | The Alarm and Status Annunciator SHALL provide first-out indication for reactor trip and ESF actuation events, identifying which trip function or ESF function initiated the actuation, using hardwired relay-driven inputs with no software in the safety-critical annunciation signal path. Rationale: First-out indication is required for post-trip diagnostics to determine which trip function initiated reactor trip or ESF actuation. Hardwired annunciation provides a diverse backup to digital alarm processing. First-out resolution distinguishes between the initiating event and consequential trips, which is essential for operator response per emergency operating procedures. | Demonstration | subsystem, comm-display, annunciator, session-203 |
| SUB-REQS-051 | The Intra-Division Communication Bus SHALL provide deterministic message delivery with guaranteed worst-case latency ≤10ms for all safety-critical data exchanges within a single protection division, using time-division multiplexed scheduling with CRC-32 error detection. Rationale: 10ms worst-case latency ensures intra-division communication does not consume excessive time from the 2.0s system response budget. Deterministic delivery is required because non-deterministic protocols (e.g., Ethernet with CSMA/CD) cannot guarantee message delivery within bounded time, which would make response time analysis non-conservative. The communication bus must be qualified per IEEE 603 for use in safety systems. | Test | subsystem, comm-display, bus, session-203 |
| SUB-REQS-052 | When persistent communication failure is detected on the Intra-Division Communication Bus (3 consecutive CRC failures or 50ms message timeout), the affected division SHALL place all protection outputs in the tripped state to maintain fail-safe operation. Rationale: Fail-safe response to communication failure places the affected division in the tripped state, consistent with the system-level fail-safe design philosophy per SYS-REQS-004. 3 consecutive CRC failures or 50ms timeout are detection thresholds that balance between avoiding false trips on transient EMI and ensuring timely detection of genuine bus failure. De-energise-to-trip provides the fail-safe action. | Test | subsystem, comm-display, bus, fail-safe, session-203 |
| SUB-REQS-053 | The Qualified Safety Display Panel and Safety Parameter Display System SHALL comply with NUREG-0700 human-system interface design review guidelines, including minimum character height of 4.7mm at normal viewing distance, colour coding per plant convention with no reliance on colour alone for safety-critical indications, alarm prioritisation into at least 3 severity levels, and operator response validation through task analysis demonstrating that all emergency operating procedure actions can be completed within the time margins assumed in the safety analysis. Rationale: NUREG-0700 compliance ensures human-system interfaces support correct operator action during high-stress post-accident conditions. Minimum 4.7mm character height at normal viewing distance ensures readability under degraded lighting. HSI design review guidelines address display layout, alarm management, and information hierarchy to minimise human error probability in safety-critical operator actions. | Inspection | subsystem, human-factors, comm-display, pams, session-205 |
| SUB-REQS-054 | The Reactor Trip Breaker SHALL have a minimum continuous current rating of 400A and a minimum interrupting capacity of 600A at 480VAC, sufficient to interrupt the full CRDM power bus load of approximately 320A continuous plus inrush current during rod stepping operations. | Test | subsystem, rts, breaker, cross-domain, session-224 |
| SUB-REQS-055 | The Reactor Trip Breaker SHALL be qualified for a minimum of 2000 full-load interrupting operations and 5000 no-load mechanical operations over a 60-year qualified life, with no degradation of opening time beyond the 100ms limit specified in SUB-REQS-004. | Test | subsystem, rts, breaker, cross-domain, session-224 |
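SUB-REQS-051 and SUB-REQS-052 together describe a bus-integrity monitor: frames carry a CRC-32, and the division fails safe (outputs de-energised, i.e. tripped) after 3 consecutive CRC failures or 50 ms without a valid message. The C code below is an added example that illustrates that logic; it is not part of this report and not any plant's actual design. The frame layout, the CRC polynomial (the reflected IEEE 802.3 polynomial), the latching of a trip until a deliberate reset, and the sample traffic are all assumptions of the example; the thresholds are the ones the requirement states.

```c
#include <stdint.h>
#include <string.h>

/* Detection thresholds as stated in SUB-REQS-052. */
#define MAX_CONSECUTIVE_CRC_FAILURES 3u
#define MESSAGE_TIMEOUT_MS           50u
#define PAYLOAD_LEN                  8u   /* constructed frame size for this example */

/* De-energise-to-trip: the permissive output is energised (1) and the fail-safe
 * tripped output is de-energised (0), so loss of power also reads as a trip. */
typedef enum { OUTPUT_TRIPPED = 0, OUTPUT_ENERGISED = 1 } output_state_t;

/* Constructed frame layout: fixed payload followed by its CRC-32. */
typedef struct { uint8_t payload[PAYLOAD_LEN]; uint32_t crc; } bus_frame_t;
typedef struct {
    uint32_t consecutive_crc_failures;
    uint32_t last_good_frame_ms;
    output_state_t output;                /* initialised to OUTPUT_ENERGISED */
} bus_monitor_t;

/* Bitwise reflected CRC-32, polynomial 0xEDB88320 (IEEE 802.3/zlib variant); the
 * polynomial is an assumption, SUB-REQS-051 does not name one. "123456789" -> 0xCBF43926. */
uint32_t crc32_compute(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Called for every frame the receiver delivers. A trip is latched until a deliberate
 * reset (assumption), so a later good frame cannot silently re-energise the outputs. */
output_state_t monitor_on_frame(bus_monitor_t *m, const bus_frame_t *f, uint32_t now_ms)
{
    if (m->output == OUTPUT_TRIPPED)
        return OUTPUT_TRIPPED;
    if (f->crc == crc32_compute(f->payload, PAYLOAD_LEN)) {
        m->consecutive_crc_failures = 0;  /* isolated EMI hits are tolerated */
        m->last_good_frame_ms = now_ms;
    } else if (++m->consecutive_crc_failures >= MAX_CONSECUTIVE_CRC_FAILURES) {
        m->output = OUTPUT_TRIPPED;       /* persistent corruption: fail safe */
    }
    return m->output;
}

/* Called from the periodic scheduler tick so that silence, not only corruption,
 * is detected. Unsigned subtraction keeps the check valid across counter wrap. */
output_state_t monitor_on_tick(bus_monitor_t *m, uint32_t now_ms)
{
    if (m->output != OUTPUT_TRIPPED &&
        (uint32_t)(now_ms - m->last_good_frame_ms) > MESSAGE_TIMEOUT_MS)
        m->output = OUTPUT_TRIPPED;       /* bus silent too long: fail safe */
    return m->output;
}

/* Constructed traffic; each scenario returns the final output state for checking. */
static bus_frame_t sample_frame(void)
{
    static const uint8_t payload[PAYLOAD_LEN] = {1, 2, 3, 4, 0xA5, 0x5A, 0, 0xFF};
    bus_frame_t f;
    memcpy(f.payload, payload, PAYLOAD_LEN);
    f.crc = crc32_compute(f.payload, PAYLOAD_LEN);
    return f;
}

output_state_t scenario_transient_errors(void)   /* two hits, then recovery */
{
    bus_monitor_t m = {0, 0, OUTPUT_ENERGISED};
    bus_frame_t good = sample_frame(), bad = good;
    bad.payload[4] ^= 0x80;                      /* constructed single-bit error */
    monitor_on_frame(&m, &bad, 10);
    monitor_on_frame(&m, &bad, 20);
    monitor_on_frame(&m, &good, 30);             /* counter resets */
    return monitor_on_tick(&m, 40);              /* OUTPUT_ENERGISED */
}

output_state_t scenario_persistent_errors(void)  /* third hit trips, and latches */
{
    bus_monitor_t m = {0, 0, OUTPUT_ENERGISED};
    bus_frame_t good = sample_frame(), bad = good;
    bad.crc ^= 0x1;                              /* constructed corrupted CRC field */
    for (uint32_t t = 10; t <= 30; t += 10)
        monitor_on_frame(&m, &bad, t);
    return monitor_on_frame(&m, &good, 40);      /* OUTPUT_TRIPPED */
}

output_state_t scenario_timeout(void)            /* healthy frame, then silence */
{
    bus_monitor_t m = {0, 0, OUTPUT_ENERGISED};
    bus_frame_t good = sample_frame();
    monitor_on_frame(&m, &good, 5);
    monitor_on_tick(&m, 55);                     /* exactly 50 ms: still energised */
    return monitor_on_tick(&m, 56);              /* 51 ms of silence: OUTPUT_TRIPPED */
}
```

Two design points worth noting against the requirement text: the timeout check runs from the scheduler tick rather than from frame arrival, because a bus that has gone completely silent never triggers the frame path; and the trip is latched in this example, since a monitor that re-energised outputs on the next good frame would let an intermittent fault toggle the protection outputs.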
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-DEFS-001 | The interface between Bistable Trip Processor and Coincidence Logic Module SHALL use optically isolated discrete digital outputs, with trip represented by the de-energised state (fail-safe), signal transition time less than 1ms, and electrical isolation of at least 1500VDC between channels. Rationale: Optical isolation provides galvanic separation between protection channels, preventing fault propagation per IEEE 603. Representing trip by the de-energised state is fail-safe: any cable break, power loss, or transmitter failure produces a trip output. 1ms transition time is negligible within the 50ms coincidence logic budget. 1500VDC isolation exceeds the maximum credible inter-channel fault voltage. | Test | interface, rts, session-199 |
| IFC-DEFS-002 | The interface between Coincidence Logic Module and Reactor Trip Breaker SHALL use dedicated hardwired connections to the breaker undervoltage coil, with each train's coincidence logic driving only its own train's breakers, and no shared conductors between Train A and Train B circuits. Rationale: Hardwired connection from coincidence logic to trip breaker eliminates software dependency in the final trip path. Train-dedicated wiring prevents a single wiring fault from disabling both trains. No shared conductors ensures IEEE 384 separation is maintained to the trip breaker terminals. | Inspection | interface, rts, session-199 |
| IFC-DEFS-003 | The interface between Nuclear Instrumentation Subsystem and Bistable Trip Processor SHALL use 4-20mA current loop signals for analog flux measurements, with each of the four NIS channels connected to its corresponding bistable processor channel through qualified Class 1E cables routed in separate raceways. Rationale: 4-20mA current loops are the nuclear industry standard for analog safety signals — immune to cable resistance variation and readily detectable at 0mA for open-circuit failure (fail-safe). Separate raceways per channel maintain IEEE 384 physical separation. One-to-one NIS-to-bistable mapping preserves channel independence. | Test | interface, rts, nis, session-199 |
| IFC-DEFS-004 | The interface between Process Instrumentation Subsystem and Bistable Trip Processor SHALL use 4-20mA current loop signals for temperature, pressure, flow, and level measurements, with signal conditioning performed within the process instrumentation cabinets before transmission to the bistable processors. Rationale: 4-20mA current loops for process signals provide the same fail-safe and noise immunity benefits as NIS interfaces. Signal conditioning within process instrumentation cabinets isolates raw sensor signals from bistable processors, preventing sensor faults from propagating into the digital trip logic domain. | Test | interface, rts, pis, session-199 |
| IFC-DEFS-005 | The interface between Process Instrumentation Subsystem and ESF Coincidence Logic Processor SHALL use qualified 4-20mA analog current loops for each monitored process parameter, with signal isolation provided by qualified isolation devices at the protection channel boundary, and SHALL support a minimum of 24 ESF-related process measurement inputs per protection channel. Rationale: Qualified 4-20mA current loops maintain channel independence per IEEE 603. Isolation devices at protection channel boundaries prevent fault propagation between channels. 24 minimum inputs per channel supports all ESF functions (SI, CIA/CIB, CSS, MSI, MFI, AFW) with adequate parameter coverage for each function's actuation logic. | Test | interface, esfas, session-201 |
| IFC-DEFS-006 | The interface between Nuclear Instrumentation Subsystem and ESF Coincidence Logic Processor SHALL provide source-range high flux and power-range high flux signals as 4-20mA current loop inputs, one per protection channel, with channel isolation maintaining independence between the four redundant NIS channels feeding the four ESFAS channels. Rationale: NIS signals to ESFAS are needed for source-range high flux at shutdown (automatic boration) and power-range high flux block of safety injection reset. Channel isolation maintains NIS four-channel independence through the ESFAS interface. 4-20mA standard provides consistent signal interface across NIS and process instrumentation inputs. | Test | interface, esfas, session-201 |
| IFC-DEFS-007 | The interface between ESF Coincidence Logic Processor and Actuation Priority Logic Module SHALL use optically isolated discrete digital signals, one per ESF function per train, with a signal transition time of less than 1ms and optical isolation rated to a minimum of 2500V breakdown voltage. Rationale: Optical isolation at the ESF coincidence-to-priority-logic interface provides galvanic separation between FPGA-based coincidence logic and the relay-based actuation chain. 1ms transition preserves response time budget. 2500V breakdown rating exceeds the 1500V inter-channel requirement because this interface bridges the digital-to-relay technology boundary. | Test | interface, esfas, session-201 |
| IFC-DEFS-008 | The interface between Actuation Priority Logic Module and Subgroup Relay Cabinet SHALL use hardwired relay contact outputs, with each relay contact rated for a minimum interrupting capacity of 10A at 125VDC, and SHALL maintain physical separation between Train A and Train B relay circuits in accordance with IEEE 384 separation criteria. Rationale: Hardwired relay contacts at 10A/125VDC are sized for the maximum inrush current of downstream subgroup relay coils. IEEE 384 train separation at this interface is critical because both trains share the same physical ESF switchgear room. Relay-based interface maintains technology diversity from the FPGA coincidence logic upstream. | Test | interface, esfas, session-201 |
| IFC-DEFS-009 | The interface between Subgroup Relay Cabinet and ESF Component Interface Module SHALL provide hardwired relay contact outputs grouped by ESF function, with status feedback from actuated equipment (valve position limit switches, pump running contacts, breaker auxiliary contacts) returned as discrete dry contact inputs within 500ms of state change. Rationale: Functional grouping by ESF function enables overlap testing of individual actuation paths per SYS-REQS-008. 500ms feedback time ensures actuation confirmation is available to operators within the post-trip verification timeline. Dry contact feedback inputs provide electrical isolation between high-power actuated equipment and protection system logic. | Test | interface, esfas, session-201 |
| IFC-DEFS-010 | The interface between Sequential Events Controller and ESF Component Interface Module SHALL use hardwired relay outputs for each load step, with the Sequential Events Controller providing time-stamped load connection commands at 5-second minimum intervals, and the Component Interface Module returning breaker close confirmation within 2 seconds of each command. Rationale: Hardwired relay outputs for load sequencing ensure the time-critical diesel loading program is not dependent on digital communication. 5-second minimum intervals between load steps prevent diesel generator overload per FSAR analysis. 2-second breaker confirmation enables the sequence controller to detect and respond to failed breaker close commands before proceeding to the next load step. | Test | interface, esfas, session-201 |
| IFC-DEFS-011 | The interface between Source Range Detector Channel and NIS Signal Conditioning Electronics SHALL carry detector pulse signals via triaxial cable with characteristic impedance of 50 ohms, maintaining signal-to-noise ratio of at least 10:1 at the minimum detectable count rate of 0.1 cps. Rationale: Triaxial cable at 50 ohms characteristic impedance matches the source range detector output impedance for maximum signal transfer. Pulse fidelity preservation is critical because pulse height discrimination is used to reject noise and gamma pulses. Cable shielding must prevent electromagnetic coupling between adjacent channels which would violate channel independence per IEEE 603. | Test | interface, nis, session-201 |
| IFC-DEFS-012 | The interface between Power Range Detector Channel and NIS Signal Conditioning Electronics SHALL provide independent upper and lower section current signals via separate mineral-insulated cables, each capable of carrying 1E-11 to 1E-3 amps with leakage current less than 1E-12 amps. Rationale: Independent upper and lower section signals on separate mineral-insulated cables enable axial flux difference (delta-I) measurement. Mineral insulation provides radiation resistance (>1E9 rad) and fire resistance for cables routed through containment. Separate cables prevent common-mode failure that could corrupt both sections simultaneously, which would invalidate axial offset protection. | Test | interface, nis, session-201 |
| IFC-DEFS-013 | The interface between Detector High Voltage Power Supply and all detector channels SHALL provide regulated DC bias voltage via dedicated high-voltage cables with double-shielded construction, current limiting at 1mA to protect detectors, and voltage monitoring telemetry to the signal conditioning electronics. Rationale: Double-shielded HV cables prevent electromagnetic interference from the high-voltage bias supply from coupling into nearby low-level signal cables. Dedicated cables per detector channel prevent single-point HV failures from affecting multiple channels. Current limiting protects against detector shorts that could otherwise damage the power supply or create fire hazards in containment. | Test | interface, nis, session-201 |
| IFC-DEFS-014 | The interface between RTD Temperature Measurement Channel and Process Signal Conditioning Module SHALL carry 4-wire RTD resistance signals over shielded twisted-pair cables with individual channel shields grounded at the conditioning module end only, maintaining lead wire resistance balance within 0.05 ohms per wire to preserve 4-wire measurement accuracy. Rationale: 4-wire RTD configuration eliminates lead wire resistance error, which is significant over cable runs up to 150m from RCS penetrations to protection cabinets. Individual channel shielding prevents crosstalk between temperature channels in the same cable tray, maintaining the measurement independence required by IEEE 603 Clause 5.6 for redundant channels feeding different protection divisions. | Test | interface, pis, rtd, session-202 |
| IFC-DEFS-015 | The interface between Pressure Transmitter Channel and Process Signal Conditioning Module SHALL use 4-20mA current loop signals over twisted-pair cables with a maximum loop resistance of 600 ohms, with each transmitter powered from the conditioning module via the same wire pair to maintain two-wire simplicity and eliminate ground loop errors. Rationale: 4-20mA current loops are the nuclear industry standard analog interface per ISA 67.04. 600 ohm maximum loop resistance accommodates the longest cable runs (up to 300m) using 16 AWG wire. Current loops are inherently immune to cable resistance variations and ground loops, providing fail-safe indication (0mA = wire break detectable as below-range). | Test | interface, pis, pressure, session-202 |
| IFC-DEFS-016 | The interface between Differential Pressure Flow Channel and Process Signal Conditioning Module SHALL provide 4-20mA analog signals representing the square root of measured differential pressure, with transmitter damping set to achieve a 63% step response time of no more than 400ms to support the 1.0-second flow trip response requirement. Rationale: Square-root-extracted 4-20mA output provides a signal linear with flow rate, simplifying downstream trip logic comparison. The interface must preserve the DP measurement accuracy through the extraction algorithm. Calibration range matching between transmitter output and conditioning module input is critical to avoiding systematic measurement bias in the low-flow trip function. | Test | interface, pis, flow, session-202 |
| IFC-DEFS-017 | The interface between Level Measurement Channel and Process Signal Conditioning Module SHALL provide 4-20mA signals with temperature compensation data transmitted as a separate thermocouple millivolt signal on a dedicated pair, enabling the conditioning module to apply real-time reference leg density corrections for post-accident level accuracy. Rationale: Separate thermocouple millivolt signal for reference leg temperature compensation is needed because post-LOCA containment temperature changes cause reference leg density changes that introduce 15-25% level error if uncompensated. Two independent signals (level and compensation) preserve measurement integrity and enable the conditioning module to apply real-time correction. | Test | interface, pis, level, session-202 |
| IFC-DEFS-018 | The interface between Containment Environment Monitor and Process Signal Conditioning Module SHALL pass through Class 1E qualified electrical penetration assemblies rated for 413 kPa at 171°C, with each signal pair using mineral-insulated cable inside containment and transitioning to standard instrumentation cable at the penetration, maintaining signal integrity within ±0.1% of span across the penetration boundary. Rationale: Class 1E qualified electrical penetration assemblies rated for 413 kPa at 171°C maintain containment integrity as the pressure boundary per 10 CFR 50 Appendix J. Each signal on a dedicated penetration conductor prevents a single penetration failure from affecting multiple measurement channels. The penetration must withstand LOCA conditions without leakage exceeding Type B test acceptance criteria. | Inspection | interface, pis, containment, penetration, session-202 |
| IFC-DEFS-019 | The interface between Core Exit Thermocouple Assembly and Qualified Safety Display Panel SHALL transmit thermocouple millivolt signals through qualified mineral-insulated cable from the reactor vessel head through containment penetrations, with cold junction compensation performed at the display panel end, maintaining end-to-end accuracy within ±4°C over the 93-1260°C measurement range. Rationale: Mineral-insulated cable from reactor vessel through containment is required because conventional polymer-insulated cable cannot survive the in-vessel and post-LOCA radiation and temperature environment. The cable routing from in-vessel TCs through the reactor head to the containment penetration is one of the most severe environmental paths in the plant, requiring MI cable rated to 1100°C. | Inspection | interface, pams, cetc, session-202 |
| IFC-DEFS-020 | The interface between Reactor Vessel Level Indication System and Qualified Safety Display Panel SHALL provide 4-20mA analog signals representing processed vessel level on two independent channels, with each channel independently powered from the panel's Class 1E supply, and SHALL include signal validation logic that flags disagreement exceeding 10% between redundant level channels. Rationale: Two independent 4-20mA channels for vessel level indication provide redundancy for this RG 1.97 Category 1 variable. Loss of a single channel must not result in loss of level indication to the operator. Signal isolation between the RVLIS and the display prevents faults in the display from affecting the measurement channel or propagating to other connected loads. | Test | interface, pams, rvlis, session-202 |
| IFC-DEFS-021 | The interface between Containment Hydrogen Monitor and Qualified Safety Display Panel SHALL provide a 4-20mA signal representing hydrogen concentration (0-10% range) and a discrete contact closure for the 4% high-hydrogen alarm, with the sample system status (flow, temperature, moisture) transmitted as additional discrete status contacts for monitoring sample system health. Rationale: 4-20mA analog concentration signal provides continuous trending capability while the discrete high-alarm contact provides a direct, unprocessed alert when hydrogen approaches the 4% lower flammability limit. The discrete contact is independent of the analog signal path, providing diverse indication and enabling direct annunciation without reliance on digital processing. | Test | interface, pams, hydrogen, session-202 |
| IFC-DEFS-022 | The interface between Station Battery Bank and Vital Bus Inverter SHALL carry 125VDC nominal (105-140VDC range) via 4/0 AWG Class 1E cable with current capacity of 200A continuous, with DC disconnect switch for maintenance isolation. Rationale: 4/0 AWG cable at 200A continuous capacity is sized for the maximum battery discharge current during a station blackout concurrent with DBA loads, with margin per IEEE 485. The 105-140VDC range represents the battery terminal voltage from end-of-discharge (105V = 1.75V/cell × 60 cells) to equalise charge (140V = 2.33V/cell × 60 cells). DC disconnect and fusing provide maintenance isolation and fault protection. | Inspection | interface, class1e, session-203 |
| IFC-DEFS-023 | The interface between Battery Charger and Station Battery Bank SHALL provide regulated DC at 2.33V per cell float (140VDC total) and 2.50V per cell equalise (150VDC total), with ripple voltage not exceeding 0.5% RMS of nominal output voltage. Rationale: 2.33V/cell float and 2.50V/cell equalise voltages are per IEEE 450 for lead-acid stationary batteries. Ripple voltage below 1% RMS prevents AC heating of battery plates which accelerates grid corrosion and reduces battery life. These interface parameters define the charger-battery compatibility envelope that must be verified during factory acceptance testing. | Test | interface, class1e, session-203 |
| IFC-DEFS-024 | The interface between Vital Bus Inverter and Isolation Transfer Switch SHALL carry 120VAC 60Hz single-phase at up to 25A, with the inverter providing voltage and frequency status signals to the transfer switch sensing circuits for automatic transfer initiation. Rationale: Voltage and frequency status signals from inverter to transfer switch enable the switch to detect inverter degradation and initiate transfer before downstream loads are affected. 25A capacity is sized for the maximum vital bus load including protection processors, bistable modules, and displays in a single division. The interface specification bounds the transfer switch input requirements. | Test | interface, class1e, session-203 |
| IFC-DEFS-025 | The interface between Isolation Transfer Switch and Class 1E Distribution Panel SHALL carry 120VAC 60Hz single-phase vital bus power at up to 25A continuous, with source status indication (inverter/alternate) provided to the distribution panel annunciation circuits. Rationale: Source status indication (inverter vs alternate) at the distribution panel enables maintenance personnel to verify power source and prevents inadvertent maintenance on an energised source. 25A continuous rating matches the upstream transfer switch output capacity. This interface defines the boundary between the uninterruptible power path and the distribution to individual protection loads. | Test | interface, class1e, session-203 |
| IFC-DEFS-026 | The interface between Class 1E Distribution Panel and protection system loads (Bistable Trip Processor, Coincidence Logic Module, safety displays) SHALL provide individually protected 120VAC branch circuits with load current not exceeding 80% of branch breaker rating under normal operating conditions. Rationale: Individual circuit protection for each load enables fault isolation — a short in one bistable processor trips only its breaker, not the entire division. Selective coordination ensures the branch breaker trips before the upstream main breaker, maintaining power to unaffected loads. This directly supports the single-failure-criterion by preventing power supply common-cause failures. | Test | interface, class1e, session-203 |
| IFC-DEFS-027 | The interface between Analog Channel Test Module and Process Signal Conditioning Module SHALL accept insertion of test signals at the input terminal block via test jacks, with signal isolation ensuring that test equipment faults cannot propagate to the process measurement channel or to other protection divisions. Rationale: Test signal insertion at the input terminal block exercises the complete channel signal path, satisfying IEEE 338 overlap testing requirements. Signal isolation between test equipment and the protection channel prevents the test equipment from becoming a fault pathway into the protection system. The test jack interface must be designed so that removal of the test plug restores normal channel operation. | Test | interface, test-surv, session-203 |
| IFC-DEFS-028 | The interface between Logic Test Cabinet and Coincidence Logic Module SHALL provide test input injection points at the voting logic inputs, with optical isolation between the test equipment and the protection logic to prevent common-cause failure propagation from test circuits to protection circuits. Rationale: Optical isolation between test equipment and voting logic prevents the test cabinet from injecting faults into the protection logic. Test injection at voting logic inputs overlaps with the analog channel test (which ends at bistable outputs), providing complete sensor-to-actuator coverage per IEEE 338. This interface must support testing without bypassing the channel under test. | Test | interface, test-surv, session-203 |
| IFC-DEFS-029 | The interface between Trip Breaker Test Circuit and Reactor Trip Breaker SHALL provide a dedicated shunt trip test coil circuit with series-connected breaker position contacts that de-energise the test circuit when the breaker opens, limiting test coil energisation to the duration necessary for breaker opening verification. Rationale: Series-connected breaker position contacts in the test circuit automatically de-energise the test coil when the breaker opens, preventing the test from holding the breaker open. This interlock ensures the breaker is available for automatic re-closure if needed. The shunt trip test coil is separate from the normal UV trip coil, allowing breaker operability testing without requiring a reactor trip signal. | Demonstration | interface, test-surv, session-203 |
| IFC-DEFS-030 | The interface between Logic Test Cabinet and Communication and Display Subsystem SHALL transmit test result data including function tested, test time, measured values, acceptance criteria, and pass/fail status via one-way qualified data link to prevent test system from affecting protection function operation. Rationale: Transmitting structured test results (function, time, values, criteria, pass/fail) enables automated trending of surveillance test data and supports Technical Specification surveillance documentation requirements. Optical isolation at this interface ensures the non-safety communication path cannot electrically affect the test equipment or, through it, the protection system under test. | Test | interface, test-surv, session-203 |
| IFC-DEFS-031 | The interface between Intra-Division Communication Bus and protection processors (Bistable Trip Processor, Coincidence Logic Module, ESF Coincidence Logic Processor) SHALL use fiber optic serial connections at 10 Mbps with fixed time-division multiplexed message scheduling, with each processor allocated dedicated time slots in the bus schedule. Rationale: Fiber optic serial connections provide inherent galvanic isolation and EMI immunity for intra-division safety communication. Deterministic protocol is required because non-deterministic bus access (Ethernet CSMA/CD, token passing) cannot provide bounded worst-case latency needed for safety system response time analysis. Fiber optics also eliminate ground loop concerns within the division. | Test | interface, comm-display, session-203 |
| IFC-DEFS-032 | The interface between Safety Data Gateway and plant process computer SHALL transmit protection system data at 10 Mbps via fiber optic medium, with the safety-side transmitter containing no receive photodiode or receive signal processing circuitry, providing hardware-enforced isolation per IEEE 7-4.3.2. Rationale: No receive photodiode on the safety side implements hardware-enforced unidirectional data flow per NRC GDC 24. This prevents any signal — including cyber attacks — from propagating from the non-safety network back into the protection system. 10 Mbps is sufficient bandwidth for the ~500 parameters per division updated at 1-2 second intervals while supporting fiber optic qualification per IEEE 323. | Inspection | interface, comm-display, session-203 |
| IFC-DEFS-033 | The interface between Alarm and Status Annunciator and protection system components SHALL use discrete hardwired relay contact inputs (Form C) for each annunciated status, with contact wetting current ≥10mA to ensure reliable contact operation and optical isolation on the annunciator input to prevent fault propagation. Rationale: Discrete hardwired relay contacts for annunciation provide a diverse (non-digital) indication path independent of the communication bus. Form C contacts enable both alarm and status indication. Contact wetting current specification ensures reliable operation with the annunciator input circuits, preventing intermittent or false annunciation from oxidised contact surfaces. | Test | interface, comm-display, session-203 |
| IFC-DEFS-034 | The interface between Safety Parameter Display System and Qualified Safety Display Panel SHALL receive post-accident monitoring data via one-way qualified data link from each protection division, with the display system performing cross-division data validation by comparing redundant measurements before display. Rationale: One-way qualified data link from each division to the SPDS preserves divisional independence — the display cannot command or affect protection processors. Per-division data links maintain channel identity so the SPDS can display per-division parameter values and identify discrepancies between divisions. Update rate must support RG 1.97 display requirements for continuous post-accident monitoring. | Test | interface, comm-display, session-203 |
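
As an added example (not code from the UHT report or its project), the following Python models two checks the interface rows above describe: below-range detection on a 4-20mA loop (IFC-DEFS-015) and the redundant-channel disagreement flag between RVLIS level channels (IFC-DEFS-020). The 3.6mA and 21mA diagnostic thresholds, the percent-of-span reading of the 10% criterion, and the sample currents are assumptions of this example.

```python
"""Loop-current conditioning and redundant-channel validation.

Added example, not code from the UHT report.  It implements two checks the
interface definitions describe: below-range (open-wire) detection on a
4-20 mA loop (IFC-DEFS-015) and the 10% disagreement flag between redundant
RVLIS level channels (IFC-DEFS-020).  The 3.6 mA / 21 mA diagnostic limits
and the percent-of-span reading of the 10% criterion are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

BELOW_RANGE_MA = 3.6   # assumed diagnostic limit; 0 mA (open wire) lands here
ABOVE_RANGE_MA = 21.0  # assumed diagnostic limit for a saturated or shorted loop


@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # engineering units, None when the signal is invalid
    status: str             # "ok", "below_range" or "above_range"


def loop_to_engineering(current_ma: float, span_lo: float, span_hi: float) -> Reading:
    """Convert a 4-20 mA loop current to engineering units with range checks.

    A broken wire reads 0 mA.  That is reported as below_range, never as a
    legitimate low measurement, so the failure stays visible downstream.
    """
    if current_ma < BELOW_RANGE_MA:
        return Reading(None, "below_range")
    if current_ma > ABOVE_RANGE_MA:
        return Reading(None, "above_range")
    fraction = (current_ma - 4.0) / 16.0
    return Reading(span_lo + fraction * (span_hi - span_lo), "ok")


@dataclass(frozen=True)
class Validation:
    displayed: Optional[float]     # value offered to the operator, None if none usable
    flag: str                      # "agree", "disagree", "single_channel", "no_valid_channel"
    disagreement: Optional[float]  # |A - B| as a fraction of span when both channels are valid


def validate_redundant(chan_a: Reading, chan_b: Reading, span: float,
                       tolerance: float = 0.10) -> Validation:
    """Cross-compare two redundant channels before display.

    Either channel alone keeps the indication available (loss of one channel
    must not lose the parameter).  When both are valid and differ by more
    than `tolerance` of span, the disagreement is flagged and the lower
    value (the conservative one for vessel level) is displayed.
    """
    valid = [r for r in (chan_a, chan_b) if r.status == "ok"]
    if not valid:
        return Validation(None, "no_valid_channel", None)
    if len(valid) == 1:
        return Validation(valid[0].value, "single_channel", None)
    diff = abs(chan_a.value - chan_b.value) / span
    if diff > tolerance:
        return Validation(min(chan_a.value, chan_b.value), "disagree", diff)
    return Validation((chan_a.value + chan_b.value) / 2.0, "agree", diff)


if __name__ == "__main__":
    # Constructed sample: channel A at 12.0 mA, channel B at 14.0 mA, 0-100 % span
    a = loop_to_engineering(12.0, 0.0, 100.0)    # 50.0 %
    b = loop_to_engineering(14.0, 0.0, 100.0)    # 62.5 %
    print(validate_redundant(a, b, span=100.0))  # disagree, 12.5 % of span
    print(loop_to_engineering(0.0, 0.0, 100.0))  # below_range (open wire)
```
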

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-DECISIONS-001 | ARC: Nuclear RPS — Quadruple-redundant channel architecture with 2-out-of-4 coincidence voting was selected over triple-redundant 2/3 voting. The 4-channel design permits one channel to be bypassed for online maintenance while maintaining 2/3 voting capability, directly supporting the 18-month fuel cycle surveillance interval required by Technical Specifications. The additional channel cost is justified by achieving both the 1E-5 PFD target and the spurious trip rate target of less than 1 per year, which 2/3 voting cannot simultaneously achieve at realistic component failure rates. The architecture separates reactor trip and ESFAS logic into distinct subsystems sharing sensor inputs but using independent logic processors, per NRC Branch Technical Position 7-19 guidance on digital I&C diversity. Rationale: 4-channel 2/4 voting is the standard nuclear industry architecture because it uniquely permits one channel in test/maintenance and one failed channel while still maintaining trip capability (2/4 becomes 1/2 effective). 2/3 voting cannot tolerate simultaneous test and failure. MTBF > 40,000 hours per channel with 92-day surveillance drives the 2/4 reliability advantage. | Analysis | architecture, system-level, session-199 |
| ARC-DECISIONS-002 | ARC: RTS/ESFAS Separation — Reactor Trip Subsystem and ESFAS are implemented as separate subsystems rather than a combined protection processor. This separation ensures that a common-mode software failure in ESFAS logic cannot inhibit reactor trip, and vice versa. The subsystems share field sensor inputs through qualified isolation but use independent logic processors, independent power supplies, and independent output actuators. This architecture satisfies IEEE 603 diversity requirements and NRC expectations for defense-in-depth against digital common-cause failure per BTP 7-19. Rationale: RTS/ESFAS functional separation is mandated by BTP 7-19 diversity and defense-in-depth requirements. A combined processor would create a common-cause failure point for both trip and ESF actuation functions, which are relied upon independently in the safety analysis. Separate hardware ensures that a software defect affecting trip logic cannot simultaneously disable safety injection. | Analysis | architecture, rts, esfas, session-199 |
| ARC-DECISIONS-003 | ARC: ESFAS — Relay-based priority logic with FPGA-based coincidence voting was selected to provide technology diversity against digital common-cause failure. The coincidence logic uses FPGAs (no software, deterministic timing) while the priority logic and subgroup actuation use electromechanical relays. This mirrors the RTS architecture but adds the Sequential Events Controller as a distinct component because load sequencing is a time-domain function fundamentally different from the binary voting logic of ESF actuation. The subgroup relay organisation follows the NRC-endorsed approach of grouping actuations by function rather than by physical location, enabling meaningful online testing without spurious actuation. Rationale: FPGA-relay diversity addresses NRC BTP 7-19 CCF concerns for digital protection systems. FPGAs execute deterministic logic without an operating system or software in the traditional sense, reducing the CCF attack surface. Relay-based priority logic provides a technology-diverse path that is immune to digital CCF affecting the FPGA coincidence voting. | Analysis | architecture, esfas, session-201 |
| ARC-DECISIONS-004 | ARC: Nuclear Instrumentation — Three overlapping detector ranges (source, intermediate, power) with distinct detection physics were selected to cover 10+ decades of neutron flux from shutdown to 120% power. Source range uses proportional counters (pulse counting) for maximum sensitivity at low flux. Intermediate range uses compensated ion chambers to reject post-shutdown gamma fields. Power range uses uncompensated ion chambers in dual-section configuration for axial flux difference measurement required by overtemperature/overpower delta-T protection. This three-range architecture is mandated by physics — no single detector type can cover the full range with adequate accuracy. Rationale: 10-decade flux measurement requires three distinct detector types because no single detector technology can span this range. BF3/He-3 proportional counters (source), compensated ion chambers (intermediate), and uncompensated ion chambers (power) each have optimal sensitivity ranges. Range overlap prevents a gap in flux monitoring during startup, which could mask an uncontrolled criticality approach. | Analysis | architecture, nis, session-201 |
| ARC-DECISIONS-005 | ARC: Process Instrumentation — Sensor channels are decomposed by measurement principle (RTD, capacitance pressure, DP flow, DP level) rather than by plant system served or by protection channel division, because each measurement type has distinct signal conditioning requirements, calibration procedures, and failure modes. Containment environment monitoring is a separate component because its sensors operate inside containment under post-LOCA conditions, requiring distinct environmental qualification and mineral-insulated cabling through penetration assemblies — an entirely different technology base from the external process instruments. Signal conditioning is centralised per-channel (not per-sensor-type) because the protection architecture requires channel-level independence, and each channel's conditioning module must be physically and electrically isolated from the other three channels. Rationale: Decomposition by measurement principle groups components that share calibration methods, environmental qualification requirements, and failure modes. RTD channels share lead-wire compensation techniques; pressure channels share static pressure correction. This grouping optimises maintenance procedures and channel uncertainty analysis per ISA 67.04. | Analysis | architecture, pis, session-202 |
| ARC-DECISIONS-006 | ARC: Post-Accident Monitoring — PAMS components are decomposed by measured parameter rather than by location (in-vessel vs. containment vs. control room) because each measurement uses a fundamentally different sensing technology: heated junction thermocouples for vessel level (RVLIS), standard thermocouples for core exit temperature, thermal conductivity cells for hydrogen, and capacitance-cell transmitters for pressure. The Qualified Safety Display Panel is a separate component from the Communication and Display Subsystem because PAMS displays must be seismically qualified, powered from Class 1E sources, and independent from the plant process computer — requirements that do not apply to the general display subsystem. Hydrogen monitoring uses an extractive sample system rather than in-situ sensors because no qualified in-situ hydrogen sensor exists that can survive post-LOCA containment conditions for 30 days. Rationale: Parameter-based decomposition reflects the reality that each PAMS measurement uses different sensing technology (thermocouples, DP transmitters, hydrogen analysers, radiation monitors) with fundamentally different qualification challenges. Location-based grouping would mix unrelated technologies and obscure the distinct environmental qualification and calibration requirements of each parameter. | Analysis | architecture, pams, session-202 |
| ARC-DECISIONS-007 | ARC: Class 1E Power Supply — Uninterruptible power topology with battery-backed inverter as preferred source, regulated transformer as alternate via static transfer switch. This architecture ensures zero power interruption during loss of offsite power events (battery carries load through diesel generator start sequence) while providing maintenance flexibility (alternate source allows inverter removal). The 4-hour battery sizing is driven by NRC regulatory requirement for station blackout coping, not by typical diesel start time of 10 seconds. Five components per division reflects the minimum path: energy storage (battery), charging (charger), conversion (inverter), source selection (transfer switch), and distribution (panel). No consolidation possible without losing the ability to independently maintain or test each function. Rationale: Zero-interruption power ensures protection processors never lose power during source transitions — even a 4ms gap could cause protection logic to reset and require restart. Battery-backed inverter as preferred source means all normal power disturbances are absorbed by the battery/inverter, with the alternate transformer source only engaged if the inverter fails. This topology per IEEE 946 provides the highest availability. | Analysis | architecture, class1e, session-203 |
| ARC-DECISIONS-008 | ARC: Test and Surveillance — Four-component architecture reflecting the distinct test boundaries mandated by IEEE 338 overlap testing: analog channel test (sensor-to-bistable), logic test (bistable-to-actuation), actuator test (breaker opening), and response time measurement (end-to-end timing). These cannot be consolidated because each tests a different segment of the protection path using different techniques. Response Time Test Equipment is separated from Analog Channel Test Module because it uses non-intrusive noise analysis techniques (LCSR, TDR) requiring specialised signal processing, whereas the channel test module uses precision signal injection. The Trip Breaker Test Circuit is hardwired rather than software-controlled to ensure that the interlock preventing simultaneous testing of both series breakers cannot be defeated by a software error. Rationale: IEEE 338 mandates that surveillance testing covers every element from sensor through actuator with no untested gaps. The four test components (analog channel, logic, response time, trip breaker) align exactly with the four distinct test boundary segments in the protection chain. Each component has different test methodology, equipment, and frequency, making separate components the natural decomposition. | Analysis | architecture, test-surv, session-203 |
| ARC-DECISIONS-009 | ARC: Communication and Display — Four components reflecting the distinct communication isolation boundaries required by IEEE 603 and IEEE 7-4.3.2. The Safety Data Gateway is separated from the SPDS because it serves a fundamentally different isolation function: the gateway provides safety-to-non-safety isolation (preventing non-safety data from entering the protection system), while the SPDS aggregates data from multiple safety divisions for qualified operator display. The Alarm and Status Annunciator uses hardwired relay contacts rather than the digital communication bus because NRC guidance requires diverse actuation indication that is independent of the digital processing platform — this provides defence-in-depth against common-cause digital failures. The Intra-Division Communication Bus is separated from inter-division communication (which does not exist by design) to enforce the division independence architecture. Rationale: IEEE 603 Clause 5.6.3 and IEEE 7-4.3.2 require strict isolation between safety and non-safety communication paths. Separating the Safety Data Gateway (one-way hardware isolation) from the SPDS (display processing) from the Annunciator (diverse hardwired) from the intra-division bus (safety-to-safety) reflects the four fundamentally different isolation and qualification requirements at each communication boundary. | Analysis | architecture, comm-display, session-203 |
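
The degraded voting configurations argued in ARC-DECISIONS-001, as an added example that is not the report's or the project's code: a k-of-n coincidence voter with one channel bypassed for surveillance and one failed, showing how 2/4 reduces to an effective 1/2 while 2/3 is left with a single deciding channel. Treating a detected channel failure as placed in the tripped condition (fail-safe) is an assumption of this example.

```python
"""k-of-n coincidence voting with bypassed and failed channels.

Added example, not code from the UHT report.  It models the degraded
configurations discussed in ARC-DECISIONS-001: one channel bypassed for
surveillance plus one failed channel.  Treating a detected failure as a
channel placed in the tripped condition (fail-safe) is an assumption here.
"""
from enum import Enum
from typing import Sequence, Tuple


class ChannelState(Enum):
    NORMAL = "normal"      # healthy, parameter below the trip setpoint
    TRIPPED = "tripped"    # healthy, parameter above the trip setpoint
    BYPASSED = "bypassed"  # removed from the vote for test/maintenance
    FAILED = "failed"      # detected failure, placed in the tripped condition


def coincidence_trip(states: Sequence[ChannelState], required: int) -> bool:
    """True when the k-of-n coincidence logic demands a trip.

    Bypassed channels are removed from the vote while `required` stays
    fixed, so 2/4 becomes 2/3 with one bypass.  FAILED channels count as
    tripped so that a failure cannot mask a genuine trip demand.
    """
    voting = [s for s in states if s is not ChannelState.BYPASSED]
    trips = sum(s in (ChannelState.TRIPPED, ChannelState.FAILED) for s in voting)
    return trips >= required


def effective_coincidence(states: Sequence[ChannelState],
                          required: int) -> Tuple[int, int]:
    """Return (healthy trips still needed, healthy channels remaining).

    This is the 'effective' logic the rationale quotes: 2/4 with one bypass
    and one failure is 1/2.  A result of (1, 1) means a single channel has
    become the sole decider, i.e. no redundancy is left.
    """
    voting = [s for s in states if s is not ChannelState.BYPASSED]
    failed = sum(s is ChannelState.FAILED for s in voting)
    healthy = len(voting) - failed
    return max(required - failed, 0), healthy


def degraded_configuration(n_channels: int, required: int,
                           n_bypassed: int = 1, n_failed: int = 1) -> Tuple[int, int]:
    """Effective coincidence of a k-of-n design with channels bypassed and failed."""
    states = ([ChannelState.BYPASSED] * n_bypassed
              + [ChannelState.FAILED] * n_failed
              + [ChannelState.NORMAL] * (n_channels - n_bypassed - n_failed))
    return effective_coincidence(states, required)


if __name__ == "__main__":
    print("2/4 with bypass + failure:", degraded_configuration(4, 2))  # (1, 2)
    print("2/3 with bypass + failure:", degraded_configuration(3, 2))  # (1, 1)
```
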

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-METHODS-001 | Verify IFC-DEFS-001: Factory acceptance test measuring optical isolation breakdown voltage and signal transition time. Pass criteria: isolation exceeds 1500VDC, transition time less than 1ms. Test repeated after environmental qualification aging. Rationale: Optical isolation is the primary barrier between protection channels; failure to meet breakdown voltage could allow fault propagation between divisions, defeating redundancy. | Test | verification, rts, session-199 |
| VER-METHODS-002 | Verify IFC-DEFS-002: Integration test injecting trip signals from coincidence logic and measuring breaker opening time with oscilloscope on breaker auxiliary contacts. Pass criteria: breaker opens within 100ms. Verify train separation by confirming no voltage on opposite train circuits. Rationale: Trip breaker opening time is the final element in the 2.0s response time budget; direct measurement with oscilloscope provides traceable evidence of performance. | Test | verification, rts, session-199 |
| VER-METHODS-003 | Verify IFC-DEFS-003: Channel calibration test injecting known current signals at NIS output and verifying bistable processor receives correct value within 0.5 percent accuracy. Verify raceway separation by physical inspection per IEEE 384. Rationale: NIS-to-bistable signal integrity directly affects trip setpoint accuracy; any signal degradation at this interface shifts effective trip points. | Test | verification, rts, nis, session-199 |
| VER-METHODS-004 | Verify IFC-DEFS-004: End-to-end signal validation injecting calibrated current signals at process instrument transmitter output and verifying correct receipt at bistable processor input within specified accuracy band. Verify cable routing separation by walkdown inspection. Rationale: End-to-end calibration validates the cumulative accuracy of the process measurement chain from transmitter to bistable input. | Test | verification, rts, pis, session-199 |
| VER-METHODS-005 | Verify IFC-DEFS-005: Channel calibration test injecting known 4-20mA signals at each PIS transmitter output and measuring at ESF coincidence logic input. Pass: measured signal within ±0.25% of injected value after isolation. Verify minimum 24 inputs per channel by inspection of wiring drawings and point-to-point test. Rationale: Process instrumentation to ESFAS signal path accuracy affects ESF actuation setpoint reliability; verified at installation and each refueling outage. | Test | verification, esfas, session-201 |
| VER-METHODS-006 | Verify IFC-DEFS-006: End-to-end signal validation injecting calibrated neutron flux simulation signals at NIS detector preamplifier test inputs. Pass: ESF coincidence logic receives correct flux indication within ±1% of injected value, with no cross-channel signal coupling measured above -80dB. Rationale: NIS flux simulation verifies the complete signal path from detector preamplifier through conditioning to ESFAS input, covering range overlap transition zones. | Test | verification, esfas, session-201 |
| VER-METHODS-007 | Verify IFC-DEFS-007: Factory acceptance test measuring optical isolation breakdown voltage (pass: >=2500V per IEC 60747-5-5) and signal transition time (pass: <1ms measured at 10%-90% thresholds) for each ESF function output from coincidence logic to priority logic. Rationale: ESF coincidence-to-priority-logic isolation is critical for maintaining ESFAS availability; factory acceptance testing ensures qualification before installation. | Test | verification, esfas, session-201 |
| VER-METHODS-008 | Verify IFC-DEFS-008: Integration test measuring relay contact interrupting capacity under rated load (pass: >=10A at 125VDC without contact welding over 1000 cycles). Physical separation verified by inspection against IEEE 384 separation criteria with minimum 1-inch air gap or qualified barrier between Train A and Train B circuits. Rationale: Relay contacts must interrupt rated load current without welding over 100,000 cycles representing the design life of ESF actuations including surveillance tests. | Test | verification, esfas, session-201 |
| VER-METHODS-009 | Verify IFC-DEFS-009: Integration test actuating each subgroup relay and measuring time from relay energisation to confirmed equipment state change at Component Interface Module feedback input. Pass: feedback received within 500ms for all dry contact inputs. Functional grouping verified by inspection of subgroup assignment tables. Rationale: Subgroup relay-to-component actuation time must be verified to ensure ESF equipment achieves its safety function within the FSAR-assumed response time. | Test | verification, esfas, session-201 |
| VER-METHODS-010 | Verify IFC-DEFS-010: Timed sequence test injecting SI+LOOP signal and recording each load step timing. Pass: minimum 5-second interval between consecutive load connections, breaker close confirmation within 2 seconds of each step command, full sequence completion within 60 seconds. Rationale: Load sequencing timing prevents diesel generator overload during LOCA+LOOP; verification confirms each load step occurs within the designed interval. | Test | verification, esfas, session-201 |
| VER-METHODS-011 | Verify IFC-DEFS-011: Source range channel test injecting calibrated pulse signals through the triaxial cable at the detector well test connector. Pass: minimum 10:1 SNR at 0.1 cps equivalent, cable impedance measured at 50±5 ohms by TDR. Rationale: Source range pulse fidelity through triaxial cable directly affects pulse height discrimination and neutron/gamma separation accuracy during startup. | Test | verification, nis, session-201 |
| VER-METHODS-012 | Verify IFC-DEFS-012: Power range channel test injecting calibrated DC currents spanning 1E-11 to 1E-3 amps into upper and lower sections independently. Pass: signal conditioning output within ±1% of injected value, inter-section leakage below 1E-12 amps measured with opposite section grounded. Rationale: Power range upper/lower section independence is verified separately to confirm axial flux difference measurement capability for DNBR protection. | Test | verification, nis, session-201 |
| VER-METHODS-013 | Verify IFC-DEFS-013: HV power supply test measuring output voltage stability over 24 hours with rated detector load. Pass: ±0.1% stability, current limiting at 1mA±10%, shield continuity <1 ohm end-to-end. Rationale: HV supply stability directly affects detector gain; 24-hour test duration bounds the surveillance interval and captures thermal cycling effects. | Test | verification, nis, session-201 |
| VER-METHODS-014 | Verify IFC-DEFS-014: Channel calibration test injecting precision decade resistance values at the RTD element terminals and measuring signal at conditioning module output. Pass: output tracks injected resistance within ±0.5°C equivalent over full range. Verify wire balance by introducing 0.1 ohm imbalance and confirming error contribution <0.05°C. Rationale: RTD channel calibration using precision decade resistances verifies lead-wire compensation and linearisation across the full temperature range. | Test | verification, pis, rtd, session-202 |
| VER-METHODS-015 | Verify IFC-DEFS-015: Loop resistance test inserting calibrated resistance in series with each transmitter loop. Pass: 4-20mA signal stable within ±0.1% at 600 ohm total loop resistance. Verify isolation by measuring leakage current between loop and shield at 500VDC; pass: <1 microamp. Rationale: Loop resistance test validates that cable run resistance does not exceed the 600 ohm maximum, which would cause transmitter saturation and loss of signal. | Test | verification, pis, pressure, session-202 |
| VER-METHODS-016 | Verify IFC-DEFS-016: Step response test applying a 10% step change to DP transmitter input and recording time from step to 63% of final conditioned output value. Pass: 63% response time <=400ms. Verify square-root extraction linearity at 25%, 50%, 75%, 100% of span; pass: ±0.5% of reading. Rationale: Step response test measures the flow channel dynamic response to confirm the 1.0-second detection requirement for loss-of-flow protection is met. | Test | verification, pis, flow, session-202 |
| VER-METHODS-017 | Verify IFC-DEFS-017: Simulated post-accident test injecting thermocouple millivolt signals corresponding to 25°C, 100°C, and 171°C reference leg temperatures while providing known DP input. Pass: compensated level output accurate within ±5% of span at each temperature point. Verify thermocouple open-circuit detection; pass: alarm within 2 seconds. Rationale: Reference leg temperature compensation is critical for post-LOCA level accuracy; test simulates the 25-171°C range the reference leg experiences during containment heatup. | Test | verification, pis, level, session-202 |
| VER-METHODS-018 | Verify IFC-DEFS-018: Penetration assembly type test per IEEE 317 at 413 kPa and 171°C for 720 hours. Pass: insulation resistance >1 megohm between conductors and between conductor and ground. Signal integrity test measuring end-to-end attenuation at DC and 10Hz; pass: ±0.1% of span deviation from pre-penetration baseline. Rationale: Penetration assembly integrity is the containment pressure boundary; IEEE 317 type test at LOCA conditions verifies the penetration maintains its safety function. | Test | verification, pis, containment, session-202 |
| VER-METHODS-019 | Verify SUB-REQS-026: Environmental qualification type test per IEEE 323 exposing identical equipment to sequential aging, radiation (1E8 rad gamma), seismic (0.3g SSE), and LOCA simulation (171°C, 413 kPa, chemical spray). Pass: all monitored parameters remain within accuracy specifications throughout 720-hour LOCA profile. Document per IEEE 323 qualification report format. Rationale: Environmental qualification per IEEE 323 is the regulatory basis for demonstrating equipment operability under DBA conditions; sequential aging and irradiation simulate end-of-life exposure. | Test | verification, pis, containment, session-202 |
| VER-METHODS-020 | Verify IFC-DEFS-019: End-to-end channel test injecting precision millivolt signals at the thermocouple connector (simulating 200°C, 650°C, 1200°C) through the actual cable path and penetration. Pass: displayed temperature within ±4°C of injected value at each point. Verify cold junction compensation by varying panel ambient from 15°C to 40°C; pass: <1°C additional error. Rationale: MI cable-to-display path verification at simulated temperatures confirms core exit TC measurement integrity from vessel head through containment penetration to control room. | Test | verification, pams, cetc, session-202 |
| VER-METHODS-021 | Verify IFC-DEFS-020: Redundancy validation test injecting identical 4-20mA signals to both RVLIS channels and confirming displayed values agree within 2%. Inject 15% disagreement between channels and confirm flag appears on display within 5 seconds. Verify Class 1E power independence by removing power to one channel and confirming the other continues unaffected. Rationale: RVLIS redundancy validation confirms both independent channels track together, ensuring single-channel failure does not result in loss of vessel level indication. | Test | verification, pams, rvlis, session-202 |
| VER-METHODS-022 | Verify IFC-DEFS-021: Calibration gas test flowing certified 2%, 4%, 7% hydrogen-in-nitrogen through the monitor sample cell. Pass: displayed concentration within ±0.5% absolute at each point. Verify 4% alarm: inject 3.9% gas (no alarm), then 4.1% gas (alarm within 10 seconds). Verify sample system status contacts by simulating low-flow and high-moisture conditions. Rationale: Certified calibration gas at known concentrations provides traceable verification of hydrogen monitor accuracy across the 0-10% measurement range including the 4% flammability alarm point. | Test | verification, pams, hydrogen, session-202 |
| VER-METHODS-023 | Verify IFC-DEFS-022: Test battery-to-inverter interface by measuring DC bus voltage at inverter input terminals during simulated battery discharge from 140VDC to 105VDC while inverter supplies rated load. Pass: inverter output maintains 120VAC ±2% throughout discharge range. Rationale: Battery discharge simulation from 140V to 105V validates inverter operation across the full battery voltage range including end-of-discharge conditions during station blackout. | Test | verification, class1e, session-203 |
| VER-METHODS-024 | Verify IFC-DEFS-023: Test charger output by measuring float voltage at the battery terminals over a 24-hour period and equalise voltage during an equalise charge. Measure ripple with oscilloscope at charger output. Pass: float 140VDC ±1%, equalise 150VDC ±1%, ripple ≤0.7V RMS. Rationale: Float and equalise voltage verification over 24 hours confirms charger regulation stability and ripple performance that directly affect battery life and capacity. | Test | verification, class1e, session-203 |
| VER-METHODS-025 | Verify IFC-DEFS-024: Test transfer switch response by disconnecting inverter output while monitoring downstream voltage with high-speed recorder (1ms resolution). Pass: transfer completes within 4ms, no voltage interruption exceeding 4ms at distribution panel input. Rationale: High-speed voltage recording during transfer captures the 4ms transfer time requirement; any gap exceeding protection processor ride-through causes logic reset. | Test | verification, class1e, session-203 |
| VER-METHODS-026 | Verify IFC-DEFS-025: Inspect transfer switch to distribution panel cabling for proper Class 1E identification, separation from other divisions per IEEE 384, and current rating. Verify source status indication changes when transfer occurs. Pass: all criteria met per IEEE 384 and wiring diagrams. Rationale: Physical inspection verifies IEEE 384 separation criteria which cannot be tested electrically; Class 1E identification ensures maintainers do not inadvertently cross-connect divisions. | Inspection | verification, class1e, session-203 |
| VER-METHODS-027 | Verify IFC-DEFS-026: Test branch circuit loading by measuring each load circuit current during normal plant operation. Verify selective coordination by analysis of time-current curves for branch breakers vs main breaker. Pass: all branch loads ≤80% breaker rating, coordination demonstrated for all fault levels. Rationale: Selective coordination verification under actual load conditions confirms that a branch fault trips only the local breaker, maintaining power to unaffected protection loads. | Test | verification, class1e, session-203 |
| VER-METHODS-028 | Verify SUB-REQS-035: Test battery duty cycle by performing modified performance test per IEEE 450 simulating design basis accident load profile for 4 hours. Measure terminal voltage at each load step. Pass: voltage remains ≥105VDC throughout 4-hour duty cycle. Rationale: Modified performance test per IEEE 450 with DBA load profile validates the sizing calculation and confirms 4-hour capacity with actual battery conditions including aging effects. | Test | verification, class1e, battery, session-203 |
| VER-METHODS-029 | Verify SUB-REQS-040: Inspection of divisional power supply independence by reviewing electrical single-line diagrams, physical separation analysis, and cable routing documentation. Verify no electrical interconnections between divisions or between Class 1E and non-safety power. Pass: complete independence demonstrated per IEEE 384. Rationale: Divisional independence inspection verifies IEEE 603 Clause 5.6 compliance; electrical separation cannot be fully tested without physical verification of routing and barriers. | Inspection | verification, class1e, independence, session-203 |
| VER-METHODS-030 | Verify IFC-DEFS-027: Test signal isolation by injecting a fault condition (short circuit, open circuit, ground fault) at the test module output while monitoring the process measurement channel downstream. Pass: no perturbation exceeding 0.5% of span on the process channel. Rationale: Test signal isolation must be verified under fault conditions because normal operation may not stress the isolation barrier; a fault on the test module must not propagate into the protection channel. | Test | verification, test-surv, session-203 |
| VER-METHODS-031 | Verify IFC-DEFS-028: Test optical isolation by measuring leakage current from test cabinet to protection logic under normal and fault conditions. Verify that test input injection does not alter coincidence logic output state when test inputs are inactive. Pass: leakage ≤1μA, no spurious logic state change. Rationale: Optical isolation leakage measurement under fault conditions verifies that the test cabinet cannot corrupt voting logic even during test equipment failure. | Test | verification, test-surv, session-203 |
| VER-METHODS-032 | Verify IFC-DEFS-029: Test breaker test circuit interlock by attempting simultaneous test initiation of both series breakers in a trip path. Verify the hardwired interlock prevents the second breaker test from initiating. Then verify normal single-breaker test produces breaker opening within 150ms. Pass: interlock blocks simultaneous test, single test opens breaker within 150ms. Rationale: Interlock testing prevents a procedural error from simultaneously testing both series trip breakers, which would cause a spurious reactor trip and potential fuel damage from thermal shock. | Demonstration | verification, test-surv, session-203 |
| VER-METHODS-033 | Verify IFC-DEFS-030: Test data link directionality by monitoring the communication interface during test data transmission. Verify no data can be transmitted from Communication and Display Subsystem back to the Logic Test Cabinet. Pass: hardware-enforced one-way communication confirmed by protocol analysis. Rationale: Data link directionality verification confirms no reverse path exists for test data or fault propagation from non-safety communication back to protection logic. | Test | verification, test-surv, session-203 |
| VER-METHODS-034 | Verify SUB-REQS-046: Perform overlap test analysis per IEEE 338 by documenting the test boundaries for each test type (analog channel, logic, actuator) and verifying that every link in every protection signal path from sensor to actuator is covered by at least one test. Pass: no untested gap identified in signal path coverage matrix. Rationale: IEEE 338 overlap analysis documents that no untested gaps exist between analog channel, logic, and actuator test segments; coverage gaps leave failure modes undetectable. | Analysis | verification, test-surv, session-203 |
| VER-METHODS-035 | Verify IFC-DEFS-031: Test intra-division bus timing by measuring message latency from transmitter to receiver under maximum bus loading. Inject messages at all allocated time slots simultaneously and measure worst-case delivery time. Pass: all messages delivered within 10ms, no message loss over 1-hour test duration. Rationale: Intra-division bus latency under maximum loading validates deterministic message delivery within the 10ms budget allocated from the system response time. | Test | verification, comm-display, session-203 |
| VER-METHODS-036 | Verify IFC-DEFS-032: Test gateway unidirectionality by attempting to transmit data from non-safety plant computer toward the safety-side gateway interface. Physical inspection of safety-side fiber optic transceiver confirms no receive photodiode installed. Pass: no data reception possible on safety side, confirmed by physical inspection and signal injection test. Rationale: Gateway unidirectionality is the primary cyber security barrier per 10 CFR 73.54; verification that no receive hardware exists on the safety side is a critical inspection. | Inspection | verification, comm-display, session-203 |
| VER-METHODS-037 | Verify IFC-DEFS-033: Test annunciator inputs by actuating each relay contact input individually and verifying correct window tile illumination, audible alarm, and first-out sequence indication. Test fault isolation by shorting an input circuit and verifying no effect on other annunciator inputs. Pass: all windows respond correctly, no cross-coupling between inputs. Rationale: Annunciator relay contact input testing verifies the diverse hardwired indication path functions independently of digital communication systems. | Test | verification, comm-display, session-203 |
| VER-METHODS-038 | Verify IFC-DEFS-034: Test SPDS data validation by providing identical test signals to two protection divisions and one deliberately offset signal to a third division. Verify SPDS correctly identifies and flags the deviant value. Pass: cross-division comparison detects deviant channel within 2 seconds. Rationale: SPDS data validation testing with deliberate offset verifies the display can identify discrepant division data, alerting operators to instrument failure during post-accident monitoring. | Test | verification, comm-display, session-203 |
| VER-METHODS-039 | Verify SUB-REQS-001: Inject step change at bistable processor input simulating setpoint exceedance and measure time to channel trip output using high-speed data acquisition (1ms resolution). Pass: trip output generated within 100ms of input reaching setpoint at 25%, 50%, and 100% of setpoint ramp rates. Repeat for all monitored parameters on each of four channels. Rationale: Bistable processor response time is the first active element in the trip chain; 100ms allocation must be verified under worst-case input conditions. | Test | verification, rts, session-204 |
| VER-METHODS-040 | Verify SUB-REQS-002: Inject two simultaneous channel trip inputs to coincidence logic module and measure time from second input assertion to train-level trip output using oscilloscope with 0.1ms resolution. Pass: trip output within 50ms. Test all 2-of-4 input combinations (6 combinations per trip function) across all trip functions. Rationale: Coincidence logic evaluation time directly determines whether the 2.0s system trip response time is achievable; 50ms allocation is verified at the train level. | Test | verification, rts, session-204 |
| VER-METHODS-041 | Verify SUB-REQS-004: De-energise reactor trip breaker undervoltage coil and measure time from coil de-energisation to breaker contact separation using auxiliary contact signal and oscilloscope. Pass: contact separation within 100ms. Verify CRDM power interruption by monitoring CRDM bus voltage. Test each breaker individually with the other breaker closed. Rationale: Trip breaker mechanical opening time is the final response time element; 100ms allocation verified by high-speed measurement from coil de-energisation to contact separation. | Test | verification, rts, session-204 |
| VER-METHODS-042 | Verify SUB-REQS-008: Inject simulated setpoint exceedance on two of four ESF channels simultaneously and measure time from second channel input to actuation demand output at ESF coincidence logic processor. Pass: actuation demand generated within 100ms. Test each ESF function (SI, CIA, CIB, CS, SLI, MFWI, AFW) independently with all 6 two-of-four input combinations. Rationale: ESF coincidence logic response time determines whether safety injection and other ESF functions meet the FSAR-assumed actuation time after setpoint exceedance. | Test | verification, esfas, session-204 |
| VER-METHODS-043 | Verify SUB-REQS-011: Simulate concurrent SI signal and LOOP condition and record load shed and reconnect sequence timing using event recorder with 10ms resolution. Pass: non-essential loads shed within 3 seconds, EDG start command issued, safety loads reconnected in sequence with minimum 5-second intervals between load steps, full sequence complete within 60 seconds. Verify no two loads connected closer than 5 seconds apart. Rationale: Load sequencing timing during simulated SI+LOOP confirms diesel generator loading stays within rated capacity and each safety load receives power within its FSAR-assumed start time. | Test | verification, esfas, session-204 |
| VER-METHODS-044 | Verify SYS-REQS-014: Cybersecurity assessment per NEI 08-09 Rev 6. Conduct vulnerability scanning of all digital safety system assets using approved security tools. Verify no external network connectivity exists by physical port inspection and network traffic capture over 72-hour period. Pass: zero external network paths detected, all unused ports physically disabled or removed, tamper indication functional on all 4 division cabinets. Rationale: Cybersecurity assessment per NEI 08-09 validates that digital safety systems meet 10 CFR 73.54 requirements; penetration testing on isolated systems verifies attack resistance. | Analysis | verification, cybersecurity, session-205 |
| VER-METHODS-045 | Verify SYS-REQS-015: D3 analysis per BTP 7-19 Appendix D. Review FPGA design tools and microprocessor compiler toolchains for tool chain diversity. Inject simulated common-cause failure scenario (all digital processors in one division producing identical incorrect output) and verify diverse manual actuation path still completes reactor trip within 2.0 seconds. Pass: documented D3 coping analysis shows diverse means exist for all Chapter 15 events, manual trip test completes with breaker opening in less than 200ms from switch actuation. Rationale: D3 analysis per BTP 7-19 verifies that no single common-cause failure of digital systems can prevent both reactor trip and ESF actuation; diverse backup paths must be demonstrated. | Analysis | verification, d3, diversity, session-205 |
| VER-METHODS-046 | Verify SYS-REQS-016: EMC qualification testing per MIL-STD-461G with test levels derived from in-plant electromagnetic survey plus 6dB margin per Regulatory Guide 1.180. Conduct radiated susceptibility (RS103), conducted susceptibility (CS101/CS114), and surge (CS116) tests on each digital safety system cabinet. Pass: no trip function degradation, no spurious actuation signals, and no communication errors during or after exposure to specified EMI levels. Rationale: EMC qualification per MIL-STD-461G with 6dB margin above in-plant survey levels ensures digital safety systems tolerate the actual electromagnetic environment including walkie-talkie and welding EMI. | Test | verification, emc, session-205 |
| VER-METHODS-047 | Verify SUB-REQS-053: Human factors validation per NUREG-0711 integrated system validation. Conduct human factors engineering verification of display character size, colour coding, and alarm prioritisation against NUREG-0700 criteria. Perform operator-in-the-loop simulation using plant-specific emergency operating procedures for LOCA, MSLB, and station blackout scenarios. Pass: all safety actions completed within analysed time margins, operator error rate below 1E-2 per critical action, no reliance on colour alone confirmed by monochrome display review. Rationale: NUREG-0711 human factors validation confirms safety display interfaces support correct operator action during high-stress post-accident conditions with acceptable error probability. | Inspection | verification, human-factors, session-205 |
| VER-METHODS-048 | Verify SUB-REQS-054: Conduct breaker interrupting capacity type test per IEEE C37.09 at rated voltage (480VAC) with calibrated load bank set to 600A. Perform 3 consecutive interruptions measuring arc duration and contact condition. Pass criteria: all 3 interruptions successful with arc duration less than 50ms and no contact welding or pitting exceeding manufacturer limits. | Test | verification, rts, breaker, session-224 |
| VER-METHODS-049 | Verify SUB-REQS-055: Conduct accelerated life test per IEEE C37.09 cycling the breaker 2000 times at rated interrupting current and 5000 times at no-load, measuring opening time at intervals of 500 cycles. Pass criteria: opening time remains below 100ms at every measurement interval, contact resistance does not increase beyond 10% of initial value, and mechanical linkage shows no measurable wear exceeding manufacturer specifications. | Test | verification, rts, breaker, session-224 |
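
The cross-division agreement checks in VER-METHODS-021 (two RVLIS channels, 2% agreement band, flag within 5 seconds) and VER-METHODS-038 (three divisions, one deliberately offset, flag within 2 seconds) can be modelled as a single comparison rule run over a time-ordered sample stream. The code below is an added illustration, not the plant's SPDS or RVLIS algorithm, which the report does not describe; the median-reference rule, the 1 Hz sample rate, the instrument spans and all readings are constructed assumptions.

```python
"""Redundant-division agreement check (added example; assumptions noted inline)."""
from __future__ import annotations
from statistics import median
from typing import Iterable, Optional


def check_division_agreement(readings: dict[str, float], span: float,
                             tolerance_pct: float) -> list[str]:
    """Return the division IDs whose reading disagrees with the others.

    readings: division id -> engineering-unit reading.
    span: instrument span in the same units; tolerance is a percent of span.
    Three or more divisions: a division is flagged when it departs from the
    median of all readings by more than the tolerance (assumed rule).
    Two divisions: no majority exists, so when they disagree both are flagged;
    the display can report a discrepancy but cannot say which channel is wrong.
    """
    if len(readings) < 2:
        raise ValueError("need at least two divisions to compare")
    limit = span * tolerance_pct / 100.0
    values = list(readings.values())
    if len(values) == 2:
        a, b = values
        return sorted(readings) if abs(a - b) > limit else []
    ref = median(values)
    return sorted(div for div, x in readings.items() if abs(x - ref) > limit)


def time_to_flag(samples: Iterable[tuple[float, dict[str, float]]], span: float,
                 tolerance_pct: float, inject_time: float) -> Optional[float]:
    """Scan a time-ordered stream of (t_seconds, readings) and return the delay
    from inject_time to the first sample that raises a flag, or None if the
    stream never flags after the injection."""
    for t, readings in samples:
        if t >= inject_time and check_division_agreement(readings, span, tolerance_pct):
            return t - inject_time
    return None


# Constructed sample streams (not plant data), one sample per second (assumed).
def rvlis_stream() -> list[tuple[float, dict[str, float]]]:
    """Two RVLIS channels in percent of vessel height (span assumed 0-100%).
    Channels agree within 0.5% until a 15% disagreement is injected at t=10 s."""
    stream = []
    for t in range(20):
        b = 62.0 + (15.0 if t >= 10 else 0.5)
        stream.append((float(t), {"A": 62.0, "B": b}))
    return stream


def spds_stream() -> list[tuple[float, dict[str, float]]]:
    """Three divisions reporting one pressure parameter (span assumed 0-3000
    psig). Division C is offset by 150 psig from t=5 s onward."""
    stream = []
    for t in range(20):
        c = 2250.0 if t < 5 else 2400.0
        stream.append((float(t), {"A": 2250.0, "B": 2250.0, "C": c}))
    return stream


if __name__ == "__main__":
    print("RVLIS flag delay:", time_to_flag(rvlis_stream(), 100.0, 2.0, 10.0), "s")
    print("SPDS flag delay:", time_to_flag(spds_stream(), 3000.0, 2.0, 5.0), "s")
    print("SPDS deviant:", check_division_agreement({"A": 2250.0, "B": 2250.0, "C": 2400.0}, 3000.0, 2.0))
```
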
```mermaid
flowchart TB
  n0["component<br>Bistable Trip Processor (Ch A)"]
  n1["component<br>Bistable Trip Processor (Ch B)"]
  n2["component<br>Bistable Trip Processor (Ch C)"]
  n3["component<br>Bistable Trip Processor (Ch D)"]
  n4["component<br>Coincidence Logic (Train A)"]
  n5["component<br>Coincidence Logic (Train B)"]
  n6["component<br>Reactor Trip Breaker A1"]
  n7["component<br>Reactor Trip Breaker A2"]
  n8["component<br>Reactor Trip Breaker B1"]
  n9["component<br>Reactor Trip Breaker B2"]
  n10["component<br>Manual Trip Switch"]
  n11["component<br>Channel Bypass Logic"]
  n0 -->|Trip signal| n4
  n0 -->|Trip signal| n5
  n1 -->|Trip signal| n4
  n1 -->|Trip signal| n5
  n2 -->|Trip signal| n4
  n2 -->|Trip signal| n5
  n3 -->|Trip signal| n4
  n3 -->|Trip signal| n5
  n4 -->|Train A trip| n6
  n4 -->|Train A trip| n7
  n5 -->|Train B trip| n8
  n5 -->|Train B trip| n9
  n10 -->|Manual trip| n6
  n10 -->|Manual trip| n8
  n11 -->|Bypass status| n4
  n11 -->|Bypass status| n5
```
Reactor Trip Subsystem — Internal
```mermaid
flowchart TB
  n0["actor<br>Process Instrumentation"]
  n1["actor<br>Nuclear Instrumentation"]
  n2["component<br>ESF Coincidence Logic Processor"]
  n3["component<br>Actuation Priority Logic"]
  n4["component<br>Sequential Events Controller"]
  n5["component<br>Manual ESF Actuation Panel"]
  n6["component<br>ESF Component Interface Module"]
  n7["component<br>Subgroup Relay Cabinet"]
  n8["actor<br>Safety Equipment"]
  n0 -->|4-20mA process signals| n2
  n1 -->|Neutron flux signals| n2
  n2 -->|ESF actuation demands| n3
  n5 -->|Manual ESF initiation| n3
  n3 -->|Prioritised commands| n7
  n7 -->|Subgroup relay outputs| n6
  n4 -->|Sequenced load commands| n6
  n6 -->|Actuator drive signals| n8
```
ESFAS — Internal
```mermaid
flowchart TB
  n0["actor<br>Reactor Vessel"]
  n1["component<br>Source Range Channel"]
  n2["component<br>Intermediate Range Channel"]
  n3["component<br>Power Range Channel"]
  n4["component<br>Signal Conditioning"]
  n5["component<br>HV Power Supply"]
  n6["actor<br>Bistable Trip Processor"]
  n7["actor<br>ESF Coincidence Logic"]
  n0 -->|Neutron flux| n1
  n0 -->|Neutron flux| n2
  n0 -->|Neutron flux| n3
  n5 -->|Detector bias| n1
  n5 -->|Detector bias| n2
  n5 -->|Detector bias| n3
  n1 -->|Pulse/Campbell signal| n4
  n2 -->|Ion chamber current| n4
  n3 -->|Upper/lower section currents| n4
  n4 -->|4-20mA trip signals| n6
  n4 -->|4-20mA ESF signals| n7
```
Nuclear Instrumentation — Internal
```mermaid
flowchart TB
  n0["component<br>RTD Temperature Channel"]
  n1["component<br>Pressure Transmitter Channel"]
  n2["component<br>DP Flow Channel"]
  n3["component<br>Level Measurement Channel"]
  n4["component<br>Signal Conditioning Module"]
  n5["component<br>Containment Environment Monitor"]
  n0 -->|RTD resistance| n4
  n1 -->|Pressure 4-20mA| n4
  n2 -->|DP flow 4-20mA| n4
  n3 -->|Level DP 4-20mA| n4
  n5 -->|Containment signals| n4
```
Process Instrumentation — Internal
```mermaid
flowchart TB
  n0["component<br>Wide-Range Containment Pressure Monitor"]
  n1["component<br>Containment Hydrogen Monitor"]
  n2["component<br>Core Exit Thermocouple Assembly"]
  n3["component<br>Reactor Vessel Level Indication System"]
  n4["component<br>Qualified Safety Display Panel"]
  n0 -->|Pressure 0-200 psig| n4
  n1 -->|H2 concentration| n4
  n2 -->|Core exit temps| n4
  n3 -->|Vessel level| n4
```
Post-Accident Monitoring — Internal
```mermaid
flowchart TB
  n0["component<br>Station Battery Bank"]
  n1["component<br>Battery Charger"]
  n2["component<br>Vital Bus Inverter"]
  n3["component<br>Isolation Transfer Switch"]
  n4["component<br>Class 1E Distribution Panel"]
  n5["actor<br>Class 1E 480V MCC"]
  n6["actor<br>Regulated Transformer"]
  n7["actor<br>Protection System Loads"]
  n5 -->|480VAC| n1
  n1 -->|140VDC float charge| n0
  n0 -->|125VDC| n2
  n2 -->|120VAC preferred| n3
  n6 -->|120VAC alternate| n3
  n3 -->|120VAC vital bus| n4
  n4 -->|Protected branch circuits| n7
```
Class 1E Power Supply — Internal
```mermaid
flowchart TB
  n0["component<br>Analog Channel Test Module"]
  n1["component<br>Logic Test Cabinet"]
  n2["component<br>Response Time Test Equipment"]
  n3["component<br>Trip Breaker Test Circuit"]
  n4["actor<br>Bistable/Logic Processors"]
  n5["actor<br>Reactor Trip Breakers"]
  n6["actor<br>Comm and Display"]
  n0 -->|Test signals| n4
  n1 -->|Logic test inputs| n4
  n2 -->|Timing reference| n0
  n3 -->|Shunt trip test| n5
  n1 -->|Test results| n6
  n0 -->|Channel test results| n6
```
Test and Surveillance Subsystem — Internal
```mermaid
flowchart TB
  n0["component<br>Safety Parameter Display System"]
  n1["component<br>Safety Data Gateway"]
  n2["component<br>Alarm and Status Annunciator"]
  n3["component<br>Intra-Division Communication Bus"]
  n4["actor<br>Protection Processors"]
  n5["actor<br>Control Room Operators"]
  n6["actor<br>Plant Process Computer"]
  n4 -->|Divisional data| n3
  n3 -->|Safety parameters| n0
  n3 -->|Status data| n1
  n1 -->|One-way data| n6
  n4 -->|Hardwired status contacts| n2
  n0 -->|Display| n5
  n2 -->|Alarms| n5
```
Communication and Display Subsystem — Internal
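
The protocol-analysis half of VER-METHODS-033 and VER-METHODS-036 (no frame may travel toward the safety side of the one-way gateway) and the capture criterion of VER-METHODS-044 (zero external network paths over the 72-hour capture) reduce to the same check over a traffic capture. The following is an added example of that check, not a tool from the report; the address plan, the frame record layout and every frame below are constructed assumptions, and a real assessment would feed it records decoded from the capture file.

```python
"""Direction and external-path check over a captured frame list (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (constructed) address plan for the two sides of the Safety Data Gateway.
SAFETY_SIDE = ip_network("10.10.0.0/24")     # protection divisions, gateway transmit side
NONSAFETY_SIDE = ip_network("10.20.0.0/24")  # plant process computer side


@dataclass(frozen=True)
class Frame:
    t: float      # capture time in seconds
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # decoded protocol name


def classify(frame: Frame) -> str:
    """Classify one frame relative to the one-way boundary.

    'forward'    safety -> non-safety, the only permitted crossing
    'reverse'    non-safety -> safety; with no receive photodiode installed
                 on the safety side, even one such frame means the
                 unidirectional barrier is not what the design claims
    'external'   an endpoint outside both known zones, i.e. an external path
    'intra-zone' traffic that never crosses the boundary
    """
    s, d = ip_address(frame.src), ip_address(frame.dst)
    s_safe, d_safe = s in SAFETY_SIDE, d in SAFETY_SIDE
    s_ns, d_ns = s in NONSAFETY_SIDE, d in NONSAFETY_SIDE
    if not ((s_safe or s_ns) and (d_safe or d_ns)):
        return "external"
    if s_safe and d_ns:
        return "forward"
    if s_ns and d_safe:
        return "reverse"
    return "intra-zone"


def analyse_capture(frames: list[Frame]) -> dict:
    """Count frames per class and list every reverse or external frame.

    The result passes only when the violation list is empty, matching the
    'zero external network paths' and 'no data reception on the safety side'
    pass criteria."""
    counts = {"forward": 0, "reverse": 0, "external": 0, "intra-zone": 0}
    violations = []
    for f in sorted(frames, key=lambda x: x.t):
        c = classify(f)
        counts[c] += 1
        if c in ("reverse", "external"):
            violations.append((f.t, c, f.src, f.dst, f.proto))
    return {"counts": counts, "violations": violations, "pass": not violations}


# Constructed captures standing in for decoded pcap records.
def clean_capture() -> list[Frame]:
    """Only status data leaving the safety side, plus intra-division traffic."""
    return [
        Frame(0.0, "10.10.0.5", "10.20.0.9", "UDP"),
        Frame(1.0, "10.10.0.5", "10.20.0.9", "UDP"),
        Frame(1.5, "10.10.0.5", "10.10.0.6", "UDP"),
        Frame(2.0, "10.10.0.5", "10.20.0.9", "UDP"),
    ]


def suspect_capture() -> list[Frame]:
    """Same stream with one frame toward the safety side and one external path
    (203.0.113.5 is a documentation-range address, not a real host)."""
    return clean_capture() + [
        Frame(3.0, "10.20.0.9", "10.10.0.5", "ICMP"),
        Frame(4.0, "10.20.0.9", "203.0.113.5", "TCP"),
    ]


if __name__ == "__main__":
    for name, cap in (("clean", clean_capture()), ("suspect", suspect_capture())):
        r = analyse_capture(cap)
        print(name, "PASS" if r["pass"] else "FAIL", r["counts"], r["violations"])
```
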

| Entity | Hex Code | Description |
|---|---|---|
| Actuation Priority Logic Module | D0A53818 | Hardwired priority logic module resolving conflicts between automatic ESF actuation signals, manual operator commands, and normal plant control signals in a PWR nuclear protection system. Implements a fixed priority hierarchy: automatic safety actuation overrides manual control, which overrides normal control. Uses relay-based logic for diversity from digital coincidence logic. Located in safety-related switchgear room. |
| Alarm and Status Annunciator | D6ED7018 | Hardwired annunciator panel in main control room providing safety system status indication via illuminated window tiles. Displays channel trip status, train actuation status, bypass status, power supply status, and equipment malfunction for each protection division. Uses discrete relay-driven inputs from protection system status contacts — no software in the annunciation path for safety-critical alarms. Includes first-out indication for reactor trip and ESF actuation to support post-event operator diagnosis. Audible alarm with acknowledge, silence, and test functions. Seismically qualified per IEEE 344. |
| Analog Channel Test Module | D7E57018 | Automated test injection module for nuclear protection system analog instrument channels. Inserts precision test signals (4-20mA, 0-10VDC) at the channel input to verify the complete signal path from process transmitter through signal conditioning, bistable comparison, and trip output. Includes calibrated signal sources traceable to NIST standards, test sequencing logic, and automatic pass/fail comparison against acceptance criteria. Supports overlap testing per IEEE 338 to verify that no gaps exist in the combined test coverage. One module per protection channel, physically located in the protection cabinet. |
| Battery Charger | D4F53018 | Class 1E silicon-controlled rectifier battery charger converting 480VAC from Class 1E motor control centre to regulated 140VDC float charge voltage for station battery bank. Output current capacity sufficient to supply all connected DC loads while simultaneously recharging battery from fully discharged state within 12 hours. Automatic voltage regulation maintains float voltage within ±1% of setpoint. Includes high/low voltage alarms and ground fault detection. One charger per division, powered from divisional Class 1E 480V bus. |
| Bistable Trip Processor | 50F77A18 | Per-channel trip determination module in nuclear RPS Reactor Trip Subsystem. Receives conditioned analog signals from nuclear and process instrumentation. Compares each parameter against predetermined trip setpoints using digital comparators. Generates individual trip/no-trip binary outputs for each trip function (e.g., high neutron flux, low RCS pressure, low RCS flow). Four independent bistable processors, one per protection channel. Implemented as FPGA-based logic to avoid software common-cause failure concerns. Must complete bistable comparison within 100ms of input change. |
| Channel Bypass Logic | 40F67851 | Maintenance bypass and trip channel bypass logic in nuclear RPS Reactor Trip Subsystem. Allows one protection channel at a time to be removed from service for testing or maintenance. When a channel is bypassed, automatically reconfigures the coincidence logic from 2/4 to 2/3 voting for all trip functions served by that channel. Includes administrative lockout preventing bypass of more than one channel simultaneously. Generates bypass status indication to main control room and interlocks to prevent exceeding Technical Specification allowed bypass configurations. |
| Class 1E Distribution Panel | D6A51058 | Seismically qualified Class 1E power distribution panel providing circuit protection and load allocation for one protection division. Contains molded-case circuit breakers sized for individual load circuits including bistable processors, coincidence logic cabinets, safety displays, and field instrument power supplies. Bus-rated for 200A continuous. Includes undervoltage and overcurrent protection with local and remote status indication. Physical separation from other divisions per IEEE 384. Each division has dedicated panels for 120VAC vital bus and 125VDC loads. |
| Class 1E Power Supply Subsystem | 54D73858 | Safety-grade electrical power distribution for nuclear RPS. Four independent Class 1E power divisions corresponding to four protection channels. Each division has: 125VDC battery with 4-hour capacity, battery charger from Class 1E AC bus, DC-to-DC converters for logic power, and inverters for AC instrument power. Physical and electrical separation between divisions per IEEE 384. Automatic transfer to emergency diesel generator bus on loss of offsite power. Undervoltage and degraded voltage protection. Must maintain power to all safety channels during station blackout for minimum 4 hours. |
| Coincidence Logic Module | 50B73818 | 2-out-of-4 voting logic module in nuclear RPS Reactor Trip Subsystem. Receives binary trip outputs from all four bistable processors for each trip function. Implements coincidence voting: generates a trip output when 2 or more of 4 channels indicate trip for any single trip function. Automatically reconfigures to 2-out-of-3 when a channel bypass is active. Two independent trains (A and B) each contain a complete coincidence logic module. FPGA-based implementation with formal verification of voting logic correctness. Must complete coincidence evaluation within 50ms. |
| Communication and Display Subsystem | 54ED7859 | Human-machine interface and data communication system for nuclear RPS. Provides safety-grade displays in main control room showing trip status, channel values, bypass status, and alarm conditions. Safety parameter display system (SPDS) presents critical safety function status. One-way data link (fiber-optic isolation) from safety system to non-safety plant computer prevents feedback path. Alarm annunciator panels with first-out indication for trip diagnosis. Qualified flat-panel displays with Class 1E power. Must present trip information within 1 second of trip actuation. |
| Containment Environment Monitor | 54A53058 | Containment environment monitoring instrumentation within a nuclear reactor protection system. Measures containment atmosphere temperature (multiple elevations), containment pressure (wide-range 0-200 psig for severe accident monitoring and narrow-range 0-75 psig for ESF actuation), containment humidity, and containment area radiation levels. Containment pressure measurement is a direct ESF actuation input: high containment pressure initiates Safety Injection, Containment Isolation, and Containment Spray. Sensors and transmitters inside containment must be environmentally qualified per IEEE 323 to post-LOCA conditions (340°F, 60 psig, 1E8 rad TID). Hermetically sealed penetration assemblies connect to protection channel electronics outside containment. |
| Containment Hydrogen Monitor | 54853058 | Post-accident combustible gas monitoring system within a nuclear reactor protection system. Measures hydrogen concentration in containment atmosphere from 0 to 10% by volume using thermal conductivity detector cells. Critical for assessing deflagration/detonation risk following a LOCA with fuel damage (zirconium-water reaction produces hydrogen). Samples containment atmosphere through qualified tubing penetrations with particulate filters and moisture separators. Must distinguish hydrogen from steam in a post-LOCA atmosphere. Reg Guide 1.97 Type B Category 1 variable. Detector cells located outside containment with sample lines penetrating the containment boundary. |
| Core Exit Thermocouple Assembly | C6851058 | In-core thermocouple assembly providing direct measurement of reactor core exit coolant temperature for post-accident inadequate core cooling detection. Type K (chromel-alumel) thermocouples mounted at the top of selected fuel assemblies, extending through the reactor vessel head via Conax-type seal assemblies. Measures temperatures from 200°F (normal) to 2300°F (severe core damage indication). Typically 50-65 thermocouples distributed across the core, with at least 2 per core quadrant connected to safety-qualified displays. Reg Guide 1.97 Type A Category 1 variable — provides primary indication of approach to inadequate core cooling. Must withstand reactor vessel head temperature and pressure conditions. |
| Detector High Voltage Power Supply | D4C51018 | Precision high-voltage DC power supply providing detector bias voltage to ex-core neutron detectors in a PWR nuclear protection system. Supplies 300V to 1500V depending on detector type (proportional counters, compensated ion chambers, uncompensated ion chambers). Stability requirement of ±0.1% over 24 hours to maintain detector calibration accuracy. Each protection channel has independent HV supplies. Includes overvoltage protection, current limiting, and supply voltage monitoring with alarm on out-of-tolerance. Class 1E qualified, powered from the channel's dedicated vital bus. |
| Differential Pressure Flow Channel | 54B53858 | Differential pressure-based flow measurement channel within a nuclear reactor protection system. Measures reactor coolant system flow via RCS elbow tap differential pressure, feedwater flow via venturi tube DP, and main steam flow via flow nozzle DP. Uses high-accuracy DP transmitters (0.1% of calibrated span) with square-root extraction for flow computation. Four independent channels per measurement point. Safety function: RCS low-flow trip prevents departure from nucleate boiling during loss-of-flow events. Must discriminate between 2-loop and 3-loop flow configurations for setpoint adjustment. |
| Engineered Safety Features Actuation System | 51F77A51 | ESFAS for PWR nuclear plant. Monitors process parameters and initiates actuation of engineered safety features when setpoints exceeded. Functions include: safety injection (high-head and low-head pumps), containment isolation (Phase A and Phase B), main steam line isolation, auxiliary feedwater actuation, containment spray. Uses 2-out-of-4 coincidence logic separate from but architecturally similar to reactor trip logic. Actuates motor-operated valves, pump breakers, and damper actuators via Class 1E power. Must complete actuation sequences within defined time limits per FSAR Chapter 15 accident analyses. |
| ESF Coincidence Logic Processor | 50F77018 | Digital logic processor implementing 2-out-of-4 coincidence voting for each Engineered Safety Feature function in a PWR nuclear protection system. Receives per-channel bistable trip/no-trip signals from process and nuclear instrumentation via optically isolated inputs. Evaluates voting logic for Safety Injection, Containment Isolation Phase A/B, Containment Spray, Steamline Isolation, Main Feedwater Isolation, and Auxiliary Feedwater Actuation. FPGA-based with no software to eliminate digital common-cause failure concerns. Output is per-train ESF actuation demands to the priority logic module. Must complete voting within 100ms. Quad-redundant across four protection channels. |
| ESF Component Interface Module | D4F57018 | Signal conditioning and relay output module interfacing ESFAS logic with field-mounted safety equipment in a PWR nuclear protection system. Converts digital actuation commands into relay contact closures driving motor-operated valves, pump contactors, and solenoid valves. Provides electrical isolation between protection logic and actuated equipment power circuits. Includes status feedback monitoring (valve position, pump running, breaker state). Located in Class 1E switchgear rooms. |
| Intermediate Range Detector Channel | 54E55010 | Compensated ion chamber neutron detection channel covering approximately 8 decades of neutron flux from the upper source range through the power range in a PWR nuclear protection system. Two redundant channels (IR-N35, IR-N36) using compensated ionisation chambers that subtract gamma-induced current to provide a neutron-only signal. Located in the reactor vessel ex-core detector wells. Provides logarithmic neutron flux and flux rate signals to the protection system for intermediate range high flux trip and rod withdrawal stop. Signal conditioning includes a wide-range logarithmic amplifier with a response time of less than 1 second per decade. |
| Intra-Division Communication Bus | 40E57258 | Deterministic communication bus providing data exchange between digital components within a single protection division. Connects bistable trip processors, coincidence logic modules, ESF coincidence logic processors, and diagnostic processors within one division. Uses time-division multiplexed serial protocol with fixed message schedules guaranteeing worst-case latency ≤10ms. Physically separate bus per division with no inter-division connections. Fiber optic medium for noise immunity. Error detection via CRC-32 with message retry on single-bit errors and channel trip on persistent communication failures. Qualified to IEEE 7-4.3.2. |
| Isolation Transfer Switch | D4B73058 | Class 1E automatic static transfer switch providing seamless changeover between vital bus inverter (preferred source) and regulated transformer alternate AC source on inverter failure. Transfer time less than 4ms to prevent disruption to protection system logic processors. Includes voltage and frequency sensing for automatic transfer and retransfer logic. Manual bypass capability for inverter maintenance. Qualified to IEEE 323/344 for seismic and environmental conditions. Provides continuous power availability to downstream protection loads during inverter maintenance or failure. |
| Level Measurement Channel | 54853050 | Differential pressure-based level measurement channel within a nuclear reactor protection system. Measures pressurizer level (for heater cutoff and SI actuation), steam generator narrow-range and wide-range level (for feedwater isolation and auxiliary feedwater actuation), and refueling water storage tank level (for switchover to containment sump recirculation). Uses temperature-compensated reference leg DP transmitters to correct for density changes in the reference column. Four independent channels per safety parameter. Must maintain accuracy under post-accident temperature/pressure conditions that cause reference leg flashing. |
| Logic Test Cabinet | D1E77018 | Automated test system for nuclear protection system coincidence logic and actuation logic. Injects simulated channel trip inputs to the coincidence logic modules and verifies correct train-level trip and ESF actuation outputs. Tests all 2-out-of-4 voting combinations for each trip function without requiring channel bypass. Includes test result recording, trending analysis for response time degradation, and automatic comparison against Technical Specification surveillance requirements. Interfaces with the Communication and Display Subsystem for remote initiation and result reporting. |
| Manual ESF Actuation Panel | C68D7858 | Hardwired operator interface panel in main control room providing manual initiation for all ESF functions in a PWR nuclear protection system. Dedicated switches for Safety Injection, Containment Isolation Phase A/B, Containment Spray, Steamline Isolation, and Auxiliary Feedwater. Two-switch design. Signals bypass digital logic and connect directly to priority logic via hardwired paths. Seismically qualified to IEEE 344. |
| Manual Trip Interface | C4895811 | Hardwired manual reactor trip capability in nuclear RPS. Direct pushbutton switches in main control room that bypass all automatic logic and directly de-energize the reactor trip breaker undervoltage coils. Two independent manual trip switches (one per train) with additional diverse manual trip via separate actuation mechanism. Wired directly to breaker trip coils with minimum intervening components. Response time from switch actuation to breaker opening less than 200ms. Must function independently of any digital system, processor, or software. |
| NIS Signal Conditioning Electronics | D4E51018 | Analog and digital signal conditioning electronics processing raw detector currents from source, intermediate, and power range neutron detectors in a PWR nuclear protection system. Includes preamplifiers located near the detector wells (within containment for some channels), linear and logarithmic amplifiers, compensating voltage power supplies for compensated ion chambers, high-voltage detector bias supplies (typically 300-1500V), and digital processing modules for trip setpoint comparison. Each protection channel has independent signal conditioning with no shared components. Operates in a mild environment (control room electronics) except for preamplifiers which must be qualified for containment conditions. |
| Nuclear Instrumentation Subsystem | 54F57019 | Neutron flux monitoring system for PWR reactor protection. Comprises source-range, intermediate-range, and power-range detector channels in quadruple redundancy. Source range uses BF3 or fission chambers for 1E-1 to 1E5 counts/sec. Intermediate range uses compensated ion chambers for 1E-6 to 200 percent power. Power range uses uncompensated ion chambers with upper/lower sections for axial flux difference. Provides analog and digital flux signals to reactor trip logic. Must detect flux doubling within 200ms. |
| Nuclear Reactor Protection System | 55B77859 | Safety-critical instrumentation and control system (IEC 61513 Safety Category A, SIL 4) for pressurized water reactor nuclear power plants. Continuously monitors neutron flux, reactor coolant temperature, pressure, and flow parameters via quadruple-redundant sensor channels. Executes automatic reactor trip (SCRAM) and engineered safety feature actuation (ESFAS) when process variables exceed predetermined setpoints. Employs 2-out-of-4 coincidence voting logic to balance reliability against spurious trip avoidance. Must achieve probability of failure on demand <1E-5 per demand. Interfaces with reactor control system, plant process computer, main control room, and emergency diesel generators. Subject to NRC 10 CFR 50.55a, IEEE 603, and IEC 61513 regulatory framework. |
| Post-Accident Monitoring Subsystem | 54E57858 | Reg Guide 1.97 post-accident monitoring instrumentation for PWR. Provides qualified indication of critical plant parameters during and after design-basis accidents. Category 1 variables: containment pressure (0-150 psig), containment radiation (1E1 to 1E8 R/hr), reactor vessel level, containment hydrogen concentration, and reactor coolant system subcooling margin. Dual-redundant qualified displays in main control room with battery-backed power. Instruments qualified for post-LOCA containment environment including radiation, temperature, pressure, humidity, and chemical spray. |
| Power Range Detector Channel | 44C51010 | Uncompensated ion chamber neutron detection channel operating from approximately 1% to 120% rated thermal power in a PWR nuclear protection system. Four redundant channels (PR-N41 through PR-N44) using dual-section uncompensated ionisation chambers providing both upper and lower detector currents for axial flux difference measurement. Located in four symmetrically placed ex-core detector wells at 90-degree intervals around the reactor vessel. Provides linear neutron flux, axial flux difference (delta-I), and overtemperature/overpower delta-T protection inputs. Each detector assembly contains two axially stacked ion chambers for top/bottom flux measurement. |
| Pressure Transmitter Channel | 54D57018 | Capacitance-cell pressure transmitter channel within a nuclear reactor protection system. Measures pressurizer pressure, reactor coolant system pressure, containment pressure, and steam generator pressure. Uses variable-capacitance sensing cells with silicon oil fill fluid, providing 0.25% span accuracy. Operates in ranges from 0-75 psig (containment) to 0-2500 psig (RCS). Each transmitter provides 4-20mA output to protection system bistable processors. Safety function: pressurizer low-pressure trip, containment high-pressure SI actuation. Must withstand seismic (0.3g SSE) and post-LOCA environment for containment transmitters. |
| Process Instrumentation Subsystem | 54E57218 | Reactor coolant system process variable monitoring for PWR protection. Four redundant measurement channels for: RCS hot/cold leg temperature (RTDs, 0-700F), pressurizer pressure (0-2500 psig), RCS flow (differential pressure across elbow taps), pressurizer level, steam generator level and pressure. Provides conditioned analog signals and digital trip outputs to reactor trip and ESFAS logic. Signal conditioning includes range checking, rate limiting, and cross-channel comparison. |
| Process Signal Conditioning Module | 54F57018 | Analog signal conditioning module within a nuclear reactor protection system's process instrumentation subsystem. Receives raw 4-wire RTD resistance, 4-20mA transmitter outputs, and thermocouple millivolt signals. Performs amplification, linearisation (RTD Callendar-Van Dusen, thermocouple polynomial), filtering (2Hz low-pass for noise rejection while maintaining <500ms step response), and range checking. Outputs calibrated 4-20mA signals to bistable trip processors. Each module serves one protection channel and is physically isolated from other channels. Includes built-in test injection points for channel calibration verification without removing the module from service. |
| Qualified Safety Display Panel | D6CD5058 | Seismically and environmentally qualified display panel in the main control room providing post-accident monitoring indication to operators. Displays all Reg Guide 1.97 Category 1 variables: reactor vessel level, core exit temperature, containment pressure (wide-range), containment hydrogen concentration, containment radiation, RCS pressure (wide-range), and SG water level (wide-range). Uses dedicated, isolated display channels independent from the plant process computer. Displays are qualified to operate during and after an SSE. Includes recording capability for key parameters. Located in the control room with backup displays in the remote shutdown facility. Must remain readable under emergency lighting conditions. |
| Reactor Trip Breaker | D6951018 | High-reliability electromechanical circuit breaker in the reactor trip actuation path. Two series-connected breakers per train (Train A and Train B), four breakers total. When de-energized (tripped), interrupt power supply to control rod drive mechanism power cabinets, causing all control rods to drop into the reactor core by gravity. Breaker opening time less than 100ms from de-energization of trip coil. Shunt trip coils for automatic trip and undervoltage trip coils for fail-safe operation. Each breaker rated for 480VAC, 1600A continuous with 65kA interrupting capacity. |
| Reactor Trip Subsystem | 50B77A10 | Core safety logic for PWR reactor protection. Receives trip signals from nuclear and process instrumentation channels. Implements 2-out-of-4 coincidence voting logic per trip function using solid-state or FPGA-based logic modules. Drives reactor trip breakers (two series breakers per train, two trains) to de-energize control rod drive mechanisms. Supports manual trip from main control room. Provides channel bypass capability for maintenance with automatic reduction to 2/3 voting. Trip response time from sensor to breaker opening less than 2 seconds for all trip functions. |
| Reactor Vessel Level Indication System | 54F57058 | Heated junction thermocouple-based reactor vessel water level measurement system for post-accident monitoring. Uses the differential temperature between heated and unheated thermocouple junctions at multiple elevations in the reactor vessel head to determine whether the junction is submerged (liquid) or uncovered (steam/gas). Provides indication of reactor vessel water level from bottom of hot leg to top of vessel head during post-LOCA conditions when normal pressurizer level is meaningless. Reg Guide 1.97 Type A Category 1 variable for inadequate core cooling monitoring. Must function during natural circulation and two-phase conditions with system depressurized. |
| Response Time Test Equipment | 54A53218 | Precision timing measurement system for verifying nuclear protection system channel response times from sensor input to final actuator output. Uses noise analysis technique (LCSR - Loop Current Step Response for RTDs, TDR for pressure transmitters) for non-intrusive sensor response time measurement, combined with electronic signal path timing from bistable to trip breaker. Provides response time data for comparison against Technical Specification limits (e.g., 2 seconds total channel response for reactor trip). Measurement uncertainty ≤50ms at 95% confidence. Used during refuelling outages and after channel maintenance. |
| RTD Temperature Measurement Channel | 54853051 | Platinum resistance temperature detector (RTD) measurement channel within a nuclear reactor protection system. Measures reactor coolant system temperatures including hot leg (Thot), cold leg (Tcold), and derived parameters (Tavg, ΔT). Uses 4-wire platinum RTDs (Callendar-Van Dusen calibration) with Wheatstone bridge excitation, providing 0.1°C resolution over 50-400°C range. Four independent channels per parameter feed quadruple-redundant bistable trip processors. Safety-critical: under-measurement of Thot could prevent overtemperature trip actuation. |
| Safety Data Gateway | 50C57058 | One-way qualified data communication gateway providing isolation between Class 1E protection system data and non-safety plant computer systems. Hardware-enforced unidirectional data flow using optical isolation and qualified fiber optic transmitters with no receive capability on the safety side. Transmits protection system status, channel values, trip status, and test results to the plant process computer for archiving, trending, and non-safety displays. Data rate 10 Mbps per division. Each protection division has its own independent gateway with no cross-division data paths. Qualified to IEEE 7-4.3.2 for digital safety system communication. |
| Safety Parameter Display System | 54CD7858 | Qualified display system providing plant operators with safety-critical parameter indications in the main control room. Displays reactor power, RCS temperatures and pressures, containment conditions, core exit temperatures, and safety system status on dedicated qualified flat-panel monitors. Receives data via one-way qualified data links from each protection division. Meets RG 1.97 Category 1 display requirements for post-accident monitoring variables. Seismically qualified to IEEE 344, environmentally qualified to IEEE 323 for control room conditions. Provides audible and visual alarms for parameters exceeding Technical Specification limits. |
| Sequential Events Controller | 50B73A58 | Programmable logic controller managing time-sequenced loading of safety-related electrical loads onto emergency diesel generator buses following a loss-of-offsite-power concurrent with a safety injection signal in a PWR nuclear protection system. Implements load-shedding and load-sequencing program with 5-second interval steps. Manages loads for ECCS, Containment Spray, CCW, and Service Water pumps. Must complete full sequence within 60 seconds. Two independent trains. |
| Source Range Detector Channel | 54F75211 | Fission chamber-based neutron detection channel covering 6 decades of neutron flux from shutdown to approximately 1E-4% rated thermal power in a PWR nuclear protection system. Two redundant channels (SR-N31, SR-N32) using BF3 or B-10 lined proportional counters located in the reactor vessel biological shield. Provides count rate and count rate increase (startup rate) to the protection system for source range high flux trip and minimum count rate alarm. Operates in pulse counting mode at low flux and transitions to mean-square voltage (Campbell) mode as count rate increases. Detector assemblies are in-core, non-replaceable during operation. |
| Station Battery Bank | D6D51058 | Class 1E 125VDC lead-acid battery bank providing 4-hour uninterruptible DC power to one protection division. Sized for design basis accident concurrent with loss of all AC power sources. 60 cells in series, capacity 1500Ah minimum at 8-hour rate. Float-charged by battery charger during normal operation. Provides power to vital bus inverters, DC-powered trip breaker undervoltage coils, and Class 1E DC control circuits. Each of 4 divisions has independent battery bank with no cross-connections. Qualified to IEEE 535 for seismic and environmental conditions. |
| Subgroup Relay Cabinet | D6A51018 | Electromechanical relay cabinet grouping related ESF actuations into testable subgroups within a PWR nuclear protection system. Each subgroup contains relays for functionally related ESF equipment (e.g., all high-head SI valves). Enables online testing of individual actuation paths without actuating complete ESF function. Contains input relays from priority logic and output relays to component interface modules. Two trains with separate cabinets per train, seismically mounted. |
| Test and Surveillance Subsystem | 51A53959 | Online testing and calibration system for nuclear RPS. Provides overlap testing capability to verify complete trip actuation path from sensor input through logic to final actuator without requiring plant trip. Includes: automatic surveillance test sequencers, response time testing interfaces, channel calibration injection points, and tech spec compliance tracking. Supports testing at power with one channel in bypass (2/3 voting maintained). Records all test results for regulatory audit. Must not introduce common-cause failure mechanisms into the protection channels being tested. |
| Trip Breaker Test Circuit | 54A43818 | Dedicated test circuit for periodic testing of reactor trip breakers without causing an actual reactor trip. Provides shunt trip coil energisation to verify breaker opening mechanism while the redundant breaker in series maintains reactor trip circuit continuity. Includes breaker position monitoring, trip time measurement (specified ≤150ms from coil energisation to contact separation), and undervoltage trip device testing. Supports both manual and automated test initiation. Hardwired interlock prevents simultaneous testing of both series trip breakers in same trip path. |
| Vital Bus Inverter | D4E73018 | Static inverter converting 125VDC battery power to 120VAC 60Hz regulated vital bus power for protection system instrument channels. Each division has dedicated inverters with automatic transfer to a regulated transformer alternate supply on inverter failure. Output regulation ±2% voltage, ±0.5% frequency. Qualified to IEEE 323/344 for seismic and environmental conditions. Provides uninterruptible power to bistable processors, coincidence logic, and safety displays during loss of offsite power and diesel generator start sequence. |
| Wide-Range Containment Pressure Monitor | D4853858 | Post-accident containment pressure monitoring instrument within a nuclear reactor protection system. Measures containment pressure from -5 psig (vacuum) to 200 psig, covering both normal operation and severe accident overpressure scenarios. Uses qualified capacitance-cell transmitters with hermetic seals rated for post-LOCA conditions. This is a Reg Guide 1.97 Type A Category 1 variable — required for operator decisions on containment integrity and venting. Must survive and function accurately during 1E8 rad TID, 340°F, 60 psig LOCA conditions for minimum 30 days. Redundancy: 2 channels minimum per Reg Guide 1.97. |
| Component | Belongs To |
|---|---|
| Nuclear Instrumentation Subsystem | Nuclear Reactor Protection System |
| Process Instrumentation Subsystem | Nuclear Reactor Protection System |
| Reactor Trip Subsystem | Nuclear Reactor Protection System |
| Engineered Safety Features Actuation System | Nuclear Reactor Protection System |
| Post-Accident Monitoring Subsystem | Nuclear Reactor Protection System |
| Communication and Display Subsystem | Nuclear Reactor Protection System |
| Class 1E Power Supply Subsystem | Nuclear Reactor Protection System |
| Test and Surveillance Subsystem | Nuclear Reactor Protection System |
| Bistable Trip Processor | Reactor Trip Subsystem |
| Coincidence Logic Module | Reactor Trip Subsystem |
| Reactor Trip Breaker | Reactor Trip Subsystem |
| Manual Trip Interface | Reactor Trip Subsystem |
| Channel Bypass Logic | Reactor Trip Subsystem |
| ESF Coincidence Logic Processor | Engineered Safety Features Actuation System |
| Actuation Priority Logic Module | Engineered Safety Features Actuation System |
| Sequential Events Controller | Engineered Safety Features Actuation System |
| Manual ESF Actuation Panel | Engineered Safety Features Actuation System |
| ESF Component Interface Module | Engineered Safety Features Actuation System |
| Subgroup Relay Cabinet | Engineered Safety Features Actuation System |
| Source Range Detector Channel | Nuclear Instrumentation Subsystem |
| Intermediate Range Detector Channel | Nuclear Instrumentation Subsystem |
| Power Range Detector Channel | Nuclear Instrumentation Subsystem |
| NIS Signal Conditioning Electronics | Nuclear Instrumentation Subsystem |
| Detector High Voltage Power Supply | Nuclear Instrumentation Subsystem |
| RTD Temperature Measurement Channel | Process Instrumentation Subsystem |
| Pressure Transmitter Channel | Process Instrumentation Subsystem |
| Differential Pressure Flow Channel | Process Instrumentation Subsystem |
| Level Measurement Channel | Process Instrumentation Subsystem |
| Process Signal Conditioning Module | Process Instrumentation Subsystem |
| Containment Environment Monitor | Process Instrumentation Subsystem |
| Wide-Range Containment Pressure Monitor | Post-Accident Monitoring Subsystem |
| Containment Hydrogen Monitor | Post-Accident Monitoring Subsystem |
| Core Exit Thermocouple Assembly | Post-Accident Monitoring Subsystem |
| Reactor Vessel Level Indication System | Post-Accident Monitoring Subsystem |
| Qualified Safety Display Panel | Post-Accident Monitoring Subsystem |
| Vital Bus Inverter | Class 1E Power Supply Subsystem |
| Station Battery Bank | Class 1E Power Supply Subsystem |
| Battery Charger | Class 1E Power Supply Subsystem |
| Class 1E Distribution Panel | Class 1E Power Supply Subsystem |
| Isolation Transfer Switch | Class 1E Power Supply Subsystem |
| Analog Channel Test Module | Test and Surveillance Subsystem |
| Logic Test Cabinet | Test and Surveillance Subsystem |
| Response Time Test Equipment | Test and Surveillance Subsystem |
| Trip Breaker Test Circuit | Test and Surveillance Subsystem |
| Safety Parameter Display System | Communication and Display Subsystem |
| Safety Data Gateway | Communication and Display Subsystem |
| Alarm and Status Annunciator | Communication and Display Subsystem |
| Intra-Division Communication Bus | Communication and Display Subsystem |

| From | To |
|---|---|
| Bistable Trip Processor | Coincidence Logic Module |
| Coincidence Logic Module | Reactor Trip Breaker |
| Manual Trip Interface | Reactor Trip Breaker |
| Channel Bypass Logic | Coincidence Logic Module |
| ESF Coincidence Logic Processor | Actuation Priority Logic Module |
| Manual ESF Actuation Panel | Actuation Priority Logic Module |
| Actuation Priority Logic Module | Subgroup Relay Cabinet |
| Subgroup Relay Cabinet | ESF Component Interface Module |
| Sequential Events Controller | ESF Component Interface Module |
| Process Instrumentation Subsystem | ESF Coincidence Logic Processor |
| Nuclear Instrumentation Subsystem | ESF Coincidence Logic Processor |
| Source Range Detector Channel | NIS Signal Conditioning Electronics |
| Intermediate Range Detector Channel | NIS Signal Conditioning Electronics |
| Power Range Detector Channel | NIS Signal Conditioning Electronics |
| Detector High Voltage Power Supply | Source Range Detector Channel |
| Detector High Voltage Power Supply | Intermediate Range Detector Channel |
| Detector High Voltage Power Supply | Power Range Detector Channel |
| NIS Signal Conditioning Electronics | Bistable Trip Processor |
| RTD Temperature Measurement Channel | Process Signal Conditioning Module |
| Pressure Transmitter Channel | Process Signal Conditioning Module |
| Differential Pressure Flow Channel | Process Signal Conditioning Module |
| Level Measurement Channel | Process Signal Conditioning Module |
| Containment Environment Monitor | Process Signal Conditioning Module |
| Process Signal Conditioning Module | Bistable Trip Processor |
| Process Signal Conditioning Module | ESF Coincidence Logic Processor |
| Wide-Range Containment Pressure Monitor | Qualified Safety Display Panel |
| Containment Hydrogen Monitor | Qualified Safety Display Panel |
| Core Exit Thermocouple Assembly | Qualified Safety Display Panel |
| Reactor Vessel Level Indication System | Qualified Safety Display Panel |
| Qualified Safety Display Panel | Communication and Display Subsystem |
| Wide-Range Containment Pressure Monitor | Containment Environment Monitor |
| Station Battery Bank | Vital Bus Inverter |
| Battery Charger | Station Battery Bank |
| Vital Bus Inverter | Isolation Transfer Switch |
| Isolation Transfer Switch | Class 1E Distribution Panel |
| Class 1E Distribution Panel | Bistable Trip Processor |
| Class 1E Distribution Panel | ESF Coincidence Logic Processor |
| Class 1E Distribution Panel | Qualified Safety Display Panel |
| Analog Channel Test Module | Bistable Trip Processor |
| Analog Channel Test Module | Process Signal Conditioning Module |
| Logic Test Cabinet | Coincidence Logic Module |
| Logic Test Cabinet | ESF Coincidence Logic Processor |
| Response Time Test Equipment | Analog Channel Test Module |
| Trip Breaker Test Circuit | Reactor Trip Breaker |
| Safety Parameter Display System | Qualified Safety Display Panel |
| Safety Data Gateway | Intra-Division Communication Bus |
| Intra-Division Communication Bus | Bistable Trip Processor |
| Intra-Division Communication Bus | Coincidence Logic Module |
| Intra-Division Communication Bus | ESF Coincidence Logic Processor |
| Alarm and Status Annunciator | Reactor Trip Breaker |
| Alarm and Status Annunciator | Coincidence Logic Module |

| Component | Output |
|---|---|
| Bistable Trip Processor | Per-channel trip/no-trip binary outputs |
| Coincidence Logic Module | Train-level trip actuation signal |
| Reactor Trip Breaker | CRDM power interruption |
| ESF Coincidence Logic Processor | Per-function ESF actuation demand signals |
| Actuation Priority Logic Module | Prioritised actuation/block commands to subgroup relays |
| Sequential Events Controller | Time-sequenced load connection commands to safety bus breakers |
| ESF Component Interface Module | Relay contact closures to safety equipment actuators |
| Source Range Detector Channel | Neutron count rate and startup rate signals |
| Intermediate Range Detector Channel | Logarithmic neutron flux and flux rate signals |
| Power Range Detector Channel | Linear neutron flux and axial flux difference signals |
| NIS Signal Conditioning Electronics | Conditioned analog and digital flux signals to bistable processors |
| Detector High Voltage Power Supply | Regulated HV bias for neutron detectors |
| RTD Temperature Measurement Channel | 4-20mA signals proportional to reactor coolant temperatures (Thot, Tcold, Tavg, delta-T) |
| Pressure Transmitter Channel | 4-20mA signals proportional to pressurizer, RCS, containment, and SG pressures |
| Differential Pressure Flow Channel | 4-20mA signals proportional to RCS loop flow, feedwater flow, and steam flow |
| Level Measurement Channel | 4-20mA signals proportional to pressurizer level, SG level, and RWST level |
| Process Signal Conditioning Module | Calibrated and linearised 4-20mA analog signals to bistable trip processors |
| Containment Environment Monitor | Containment pressure, temperature, humidity, and radiation level signals |
| Wide-Range Containment Pressure Monitor | Containment pressure indication 0-200 psig for operator assessment |
| Containment Hydrogen Monitor | Containment hydrogen concentration 0-10% by volume |
| Core Exit Thermocouple Assembly | Core exit coolant temperatures for inadequate core cooling assessment |
| Reactor Vessel Level Indication System | Reactor vessel water level from hot leg to vessel head |
| Qualified Safety Display Panel | Visual indication of all RG 1.97 Category 1 variables to operators |
| Vital Bus Inverter | 120VAC 60Hz regulated vital bus power from 125VDC battery source |
| Station Battery Bank | 125VDC uninterruptible power for 4-hour design basis duration |
| Battery Charger | Regulated 140VDC float charge and equalise charge to battery bank |
| Class 1E Distribution Panel | Protected branch circuit power to individual protection system loads |
| Isolation Transfer Switch | Uninterrupted 120VAC vital bus power via automatic source transfer |
| Analog Channel Test Module | Precision test signals injected into instrument channels with automated pass/fail results |
| Logic Test Cabinet | Automated test results for all coincidence logic voting combinations |
| Response Time Test Equipment | Measured channel response times for comparison against Technical Specification limits |
| Trip Breaker Test Circuit | Verified trip breaker operability including opening time measurement |
| Safety Parameter Display System | Qualified visual display of RG 1.97 Category 1 safety parameters for operator assessment |
| Safety Data Gateway | One-way data stream of protection system status to non-safety plant computer |
| Alarm and Status Annunciator | Hardwired visual and audible alarms for safety system status and first-out trip indication |
| Intra-Division Communication Bus | Deterministic intra-division data exchange with guaranteed ≤10ms worst-case latency |

| Source | Target | Type | Description |
|---|---|---|---|
| SYS-REQS-009 | IFC-DEFS-034 | derives | |
| SYS-REQS-009 | IFC-DEFS-033 | derives | |
| SYS-REQS-007 | IFC-DEFS-032 | derives | |
| SYS-REQS-007 | IFC-DEFS-031 | derives | |
| SYS-REQS-007 | IFC-DEFS-030 | derives | |
| SYS-REQS-008 | IFC-DEFS-029 | derives | |
| SYS-REQS-008 | IFC-DEFS-028 | derives | |
| SYS-REQS-008 | IFC-DEFS-027 | derives | |
| SYS-REQS-011 | IFC-DEFS-026 | derives | |
| SYS-REQS-003 | IFC-DEFS-025 | derives | |
| SYS-REQS-004 | IFC-DEFS-024 | derives | |
| SYS-REQS-003 | IFC-DEFS-023 | derives | |
| SYS-REQS-003 | IFC-DEFS-022 | derives | |
| SYS-REQS-003 | IFC-DEFS-013 | derives | |
| SYS-REQS-003 | IFC-DEFS-012 | derives | |
| SYS-REQS-003 | IFC-DEFS-011 | derives | |
| SYS-REQS-003 | IFC-DEFS-008 | derives | |
| SYS-REQS-003 | IFC-DEFS-006 | derives | |
| SYS-REQS-003 | IFC-DEFS-005 | derives | |
| SYS-REQS-005 | IFC-DEFS-010 | derives | |
| SYS-REQS-005 | IFC-DEFS-009 | derives | |
| SYS-REQS-005 | IFC-DEFS-008 | derives | |
| SYS-REQS-005 | IFC-DEFS-007 | derives | |
| SYS-REQS-005 | IFC-DEFS-006 | derives | |
| SYS-REQS-005 | IFC-DEFS-005 | derives | |
| SYS-REQS-003 | IFC-DEFS-004 | derives | |
| SYS-REQS-003 | IFC-DEFS-003 | derives | |
| SYS-REQS-003 | IFC-DEFS-002 | derives | |
| SYS-REQS-003 | IFC-DEFS-001 | derives | |
| SYS-REQS-008 | SUB-REQS-044 | derives | |
| SYS-REQS-001 | SUB-REQS-055 | derives | |
| SYS-REQS-001 | SUB-REQS-054 | derives | |
| SYS-REQS-009 | SUB-REQS-053 | derives | |
| SYS-REQS-004 | SUB-REQS-052 | derives | |
| SYS-REQS-007 | SUB-REQS-051 | derives | |
| SYS-REQS-009 | SUB-REQS-050 | derives | |
| SYS-REQS-007 | SUB-REQS-049 | derives | |
| SYS-REQS-009 | SUB-REQS-048 | derives | |
| SYS-REQS-011 | SUB-REQS-047 | derives | |
| SYS-REQS-008 | SUB-REQS-046 | derives | |
| SYS-REQS-008 | SUB-REQS-045 | derives | |
| SYS-REQS-001 | SUB-REQS-001 | derives | |
| SYS-REQS-002 | SUB-REQS-002 | derives | |
| SYS-REQS-002 | SUB-REQS-003 | derives | |
| SYS-REQS-001 | SUB-REQS-004 | derives | |
| SYS-REQS-004 | SUB-REQS-005 | derives | |
| SYS-REQS-012 | SUB-REQS-006 | derives | |
| SYS-REQS-008 | SUB-REQS-007 | derives | |
| SYS-REQS-005 | SUB-REQS-008 | derives | |
| SYS-REQS-005 | SUB-REQS-009 | derives | |
| SYS-REQS-005 | SUB-REQS-010 | derives | |
| SYS-REQS-005 | SUB-REQS-011 | derives | |
| SYS-REQS-005 | SUB-REQS-012 | derives | |
| SYS-REQS-005 | SUB-REQS-013 | derives | |
| SYS-REQS-005 | SUB-REQS-014 | derives | |
| SYS-REQS-005 | SUB-REQS-015 | derives | |
| SYS-REQS-004 | SUB-REQS-015 | derives | |
| SYS-REQS-012 | SUB-REQS-012 | derives | |
| SYS-REQS-008 | SUB-REQS-014 | derives | |
| SYS-REQS-001 | SUB-REQS-016 | derives | |
| SYS-REQS-001 | SUB-REQS-017 | derives | |
| SYS-REQS-001 | SUB-REQS-018 | derives | |
| SYS-REQS-001 | SUB-REQS-019 | derives | |
| SYS-REQS-001 | SUB-REQS-020 | derives | |
| SYS-REQS-001 | SUB-REQS-023 | derives | |
| SYS-REQS-001 | SUB-REQS-025 | derives | |
| SYS-REQS-003 | SUB-REQS-027 | derives | |
| SYS-REQS-005 | SUB-REQS-028 | derives | |
| SYS-REQS-006 | SUB-REQS-026 | derives | |
| SYS-REQS-010 | SUB-REQS-024 | derives | |
| SYS-REQS-010 | SUB-REQS-026 | derives | |
| SYS-REQS-001 | SUB-REQS-021 | derives | |
| SYS-REQS-001 | SUB-REQS-022 | derives | |
| SYS-REQS-009 | SUB-REQS-030 | derives | |
| SYS-REQS-009 | SUB-REQS-031 | derives | |
| SYS-REQS-009 | SUB-REQS-032 | derives | |
| SYS-REQS-009 | SUB-REQS-033 | derives | |
| SYS-REQS-006 | SUB-REQS-034 | derives | |
| SYS-REQS-003 | SUB-REQS-035 | derives | |
| SYS-REQS-004 | SUB-REQS-036 | derives | |
| SYS-REQS-006 | SUB-REQS-037 | derives | |
| SYS-REQS-003 | SUB-REQS-038 | derives | |
| SYS-REQS-011 | SUB-REQS-039 | derives | |
| SYS-REQS-003 | SUB-REQS-040 | derives | |
| SYS-REQS-006 | SUB-REQS-041 | derives | |
| SYS-REQS-008 | SUB-REQS-042 | derives | |
| SYS-REQS-008 | SUB-REQS-043 | derives | |
| STK-NEEDS-007 | SYS-REQS-013 | derives | |
| STK-NEEDS-008 | SYS-REQS-016 | derives | |
| STK-NEEDS-002 | SYS-REQS-015 | derives | |
| STK-NEEDS-007 | SYS-REQS-014 | derives | |
| STK-NEEDS-002 | SYS-REQS-012 | derives | |
| STK-NEEDS-001 | SYS-REQS-011 | derives | |
| STK-NEEDS-008 | SYS-REQS-010 | derives | |
| STK-NEEDS-006 | SYS-REQS-009 | derives | |
| STK-NEEDS-005 | SYS-REQS-008 | derives | |
| STK-NEEDS-007 | SYS-REQS-007 | derives | |
| STK-NEEDS-008 | SYS-REQS-006 | derives | |
| STK-NEEDS-002 | SYS-REQS-005 | derives | |
| STK-NEEDS-002 | SYS-REQS-004 | derives | |
| STK-NEEDS-007 | SYS-REQS-003 | derives | |
| STK-NEEDS-004 | SYS-REQS-002 | derives | |
| STK-NEEDS-003 | SYS-REQS-002 | derives | |
| STK-NEEDS-002 | SYS-REQS-001 | derives |

| Requirement | Verified By | Type | Description |
|---|---|---|---|
| SYS-REQS-016 | VER-METHODS-046 | verifies | |
| SYS-REQS-015 | VER-METHODS-045 | verifies | |
| SYS-REQS-014 | VER-METHODS-044 | verifies | |
| IFC-DEFS-034 | VER-METHODS-038 | verifies | |
| IFC-DEFS-033 | VER-METHODS-037 | verifies | |
| IFC-DEFS-032 | VER-METHODS-036 | verifies | |
| IFC-DEFS-031 | VER-METHODS-035 | verifies | |
| IFC-DEFS-030 | VER-METHODS-033 | verifies | |
| IFC-DEFS-029 | VER-METHODS-032 | verifies | |
| IFC-DEFS-028 | VER-METHODS-031 | verifies | |
| IFC-DEFS-027 | VER-METHODS-030 | verifies | |
| IFC-DEFS-026 | VER-METHODS-027 | verifies | |
| IFC-DEFS-025 | VER-METHODS-026 | verifies | |
| IFC-DEFS-024 | VER-METHODS-025 | verifies | |
| IFC-DEFS-023 | VER-METHODS-024 | verifies | |
| IFC-DEFS-022 | VER-METHODS-023 | verifies | |
| IFC-DEFS-021 | VER-METHODS-022 | verifies | |
| IFC-DEFS-020 | VER-METHODS-021 | verifies | |
| IFC-DEFS-019 | VER-METHODS-020 | verifies | |
| IFC-DEFS-018 | VER-METHODS-018 | verifies | |
| IFC-DEFS-017 | VER-METHODS-017 | verifies | |
| IFC-DEFS-016 | VER-METHODS-016 | verifies | |
| IFC-DEFS-015 | VER-METHODS-015 | verifies | |
| IFC-DEFS-014 | VER-METHODS-014 | verifies | |
| IFC-DEFS-013 | VER-METHODS-013 | verifies | |
| IFC-DEFS-012 | VER-METHODS-012 | verifies | |
| IFC-DEFS-011 | VER-METHODS-011 | verifies | |
| IFC-DEFS-010 | VER-METHODS-010 | verifies | |
| IFC-DEFS-009 | VER-METHODS-009 | verifies | |
| IFC-DEFS-008 | VER-METHODS-008 | verifies | |
| IFC-DEFS-007 | VER-METHODS-007 | verifies | |
| IFC-DEFS-006 | VER-METHODS-006 | verifies | |
| IFC-DEFS-005 | VER-METHODS-005 | verifies | |
| IFC-DEFS-004 | VER-METHODS-004 | verifies | |
| IFC-DEFS-003 | VER-METHODS-003 | verifies | |
| IFC-DEFS-002 | VER-METHODS-002 | verifies | |
| IFC-DEFS-001 | VER-METHODS-001 | verifies | |
| SUB-REQS-055 | VER-METHODS-049 | verifies | |
| SUB-REQS-054 | VER-METHODS-048 | verifies | |
| SUB-REQS-053 | VER-METHODS-047 | verifies | |
| SUB-REQS-011 | VER-METHODS-043 | verifies | |
| SUB-REQS-008 | VER-METHODS-042 | verifies | |
| SUB-REQS-004 | VER-METHODS-041 | verifies | |
| SUB-REQS-002 | VER-METHODS-040 | verifies | |
| SUB-REQS-001 | VER-METHODS-039 | verifies | |
| SUB-REQS-046 | VER-METHODS-034 | verifies | |
| SUB-REQS-040 | VER-METHODS-029 | verifies | |
| SUB-REQS-035 | VER-METHODS-028 | verifies | |
| SUB-REQS-026 | VER-METHODS-019 | verifies |