ML16256A278

09 to Final Safety Analysis Report, Chapter 6, Engineered Safety Features, Section 6.3
Site: Waterford
Issue date: 08/25/2016
From: Entergy Operations
To: Office of Nuclear Reactor Regulation
Shared Package: ML16256A115
References: W3F1-2016-0053

WSES-FSAR-UNIT-3 6.3-1 Revision 10 (10/99)

6.3 EMERGENCY CORE COOLING SYSTEM

6.3.1 DESIGN BASIS

The Emergency Core Cooling System (ECCS) or Safety Injection System (SIS) is designed to provide core cooling in the unlikely event of a loss of coolant accident (LOCA). The cooling must suffice to prevent significant alteration of core geometry, preclude fuel melting, limit the cladding metal-water reaction, and remove the energy generated in the core for an extended period of time following a LOCA.

The SIS fluid must contain sufficient neutron absorbers to maintain the core subcritical for the duration of a LOCA. In addition, the SIS functions to inject borated water into the Reactor Coolant System (RCS) to add negative reactivity to the core in the unlikely event of a steam line rupture. Safety injection is also initiated in the event of a steam generator tube rupture or a CEA ejection incident. The system is actuated automatically. The accidents and transients for which the required protection includes the ECCS are discussed in Chapter 15. Operating plants with similar ECCS designs (with some generic differences due to licensing requirements) are St. Lucie Unit 1, Millstone-2, and Arkansas Unit 2. Other plants with similar designs include San Onofre 2 and 3 and Pilgrim Unit 2.

6.3.1.1 Range of Coolant Pipe Ruptures

The SIS provides sufficient core cooling to accomplish the design requirements for all breaks in the RCS up to and including the double-ended break in the largest reactor coolant pipe. A detailed discussion of the types of breaks is found in Subsection 6.3.3.

6.3.1.2 Fission Product Decay Heat

The fission product decay energy curve used in the design and accident analysis is the Proposed ANS Standard, "Decay Energy Release Rates Following Shutdown of Uranium Fueled Thermal Reactors", October 1971. Included in the curve is the decay energy of the U-239 and Np-239 produced by neutron absorption in U-238. The values on this curve are increased by 20 percent for LOCA analyses described in Subsection 6.3.3. The uncertainties in this curve are defined in the ANS Standard, and are tabulated below:

Cooling Time ts (seconds)     Uncertainty
ts < 10^3                     +20 percent, -40 percent
10^3 < ts < 10^7              +10 percent, -20 percent
ts > 10^7                     +25 percent, -50 percent

6.3.1.3 Reactivity Required for Cold Shutdown



The refueling water storage pool (RWSP) will at all times contain sufficient borated water to provide subcriticality for the reactor in the cold condition, with the Worst Rod Stuck Out (WRSO). Refer to Section 4.3 for the analysis of shutdown capability, and Section 15.4 for dilution accidents which reduce shutdown margin. Sampling of the system and RWSP required by the Technical Specifications assures that the required dissolved boron concentration is present.



WSES-FSAR-UNIT-3 6.3-2 Revision 302 (12/08)

In addition to its emergency core cooling function, the SIS functions to inject borated water into the RCS to increase shutdown margin following a rapid cooldown of the RCS as a result of a steam line rupture.

Refer to Section 15.1 for the analysis of this accident.

6.3.1.4 Capability to Meet Functional Requirements

In addition to the requirements defined above, the following additional functional requirements are used for system design:

a) The safety functions defined in Subsection 6.3.1 must be accomplished assuming the failure of a single active component.

For failure analysis, all necessary supporting systems including the Onsite (standby) Power System are considered a part of the SIS. A failure modes and effects analysis of the SIS is presented in Table 6.3-1.

To assure system availability when required, redundant components are provided. Redundant system components receive power from independent onsite standby electrical power sources in the event that normal offsite power is unavailable. The power sources are discussed in Section 8.3. Actuating signals are discussed in Section 7.3.

b) The design of the SIS provides for inspection and testing of components and subsystems to ensure their availability and proper operation.

c) All components of the SIS and associated critical instrumentation are designed to operate in the environmental conditions specified in Section 3.11.

d) The design, location, arrangement, and installation of the system and its components are such that it will withstand the effects of a safe shutdown earthquake and other natural phenomena without loss of the capability of performing its safety function as specified in General Design Criterion 2. For further information, see Section 3.1.

e) Redundant components that are part of the SIS are protected from loss of function resulting from the consequential effects (i.e., fire, flooding, jet impingement, pipe whip, missiles) of an accident or equipment failure originating in adjacent areas. Protection from such events is provided by means of redundancy, physical separation, barriers, restraints, or analysis as described in Sections 3.5 and 3.6. Valve motor operators inside containment are protected from flooding by locating them above the maximum post LOCA flood level.

f) The SIS is designed to perform the functions of Subsection 6.3.1 for the entire duration of a LOCA.

(EC-999, R302)

g) Evaluations have been performed to document compliance with the requirements of GSI-191 and Generic Letter 2004-02. See Section 6.2.2.2.2.1.

(EC-999, R302)

Additional information concerning the design bases for selective system and component parameters, reliability requirements, etc. is provided in Subsection 6.3.2.

WSES-FSAR-UNIT-3 6.3-3 Revision 14 (12/05)

6.3.1.4.1 Capacity to Meet Short-Term Cooling Requirements

The safety injection tanks, containing borated water pressurized by a nitrogen cover gas, constitute a passive system that automatically discharges into the cold legs of the Reactor Coolant System to provide core cooling and refill when the reactor pressure falls below the tank pressure. Adequate fluid is contained in the tanks to accomplish this function with one of the tanks assumed to discharge directly through the break.

The RWSP contents are injected into the RCS by two sets of full capacity pumps. Each set contains one high-pressure safety injection (HPSI) pump and one low-pressure safety injection (LPSI) pump. Each set of pumps is capable of performing this short-term cooling function with one of the injection flow paths assumed to discharge directly through the break.

6.3.1.4.2 Capacity to Meet Long-Term Cooling Requirements

Long-term core cooling is accomplished by recirculating the water in the SIS sump using the HPSI pumps. The switchover from injection to recirculation occurs automatically when the level of the RWSP reaches the preset value given in Table 7.3-2. The HPSI pumps are sized such that each is capable of matching decay heat 20 minutes after the accident, which is the minimum time at which safety injection is shifted to the recirculation mode.

The SIS sump water is injected to the core, and the mechanism for residual heat removal is boil-off of fluid in the reactor vessel. For certain break sizes and break locations, this may result in a long-term buildup of solids in the reactor vessel. Two manual procedures are available to ensure the cooling and flushing of the core during extended periods of time following a LOCA. The two procedures are simultaneous hot leg/cold leg injection for large breaks and shutdown cooling for small breaks. These two procedures cover the entire break spectrum, with sufficient overlap to provide adequate core cooling and flushing for any size break.

RCS instrumentation (in particular, pressurizer pressure) permits the operator to distinguish between large and small breaks so that the most effective ECCS realignment sequence can be implemented.

Between one-half and one hour post-LOCA, the operator determines if the break is sufficiently small to warrant dumping steam from the steam generators to reduce RCS pressure. For these small breaks, the safety injection flow provides makeup for spillage, while the RCS is cooled down and depressurized to shutdown cooling initiation conditions, utilizing the steam generator atmospheric dump valves and emergency feedwater. This is followed by a shutdown cooling operation.

(DRN 03-2060, R14)

For large breaks, the ECCS is manually realigned for simultaneous hot leg/cold leg injection between two and three hours post-LOCA. Injected fluid builds up in the intact side of the RCS, inducing flow through the reactor vessel and out the break to flush dissolved solids from the core region.

(DRN 03-2060, R14)

WSES-FSAR-UNIT-3 6.3-4 Revision 10 (10/99)

6.3.2 SYSTEM DESIGN

6.3.2.1 System Schematic Piping and Instrumentation Diagrams



The SIS is shown in Figure 6.3-1 (for Figure 6.3-1, Sheet 1, refer to Drawing G167, Sheet 1). The major components of this system are three HPSI pumps, two LPSI pumps, four safety injection tanks, high-pressure injection valves, and low-pressure injection valves. The major components are described in the following section. In addition, the system uses the RWSP and the shutdown cooling heat exchangers, discussed in Subsection 9.3.6.



6.3.2.2 Components Description

A summary of design parameters for the major components is given in Table 6.3-2. The shutdown cooling heat exchangers are discussed in Subsection 9.3.6. Details of instrumentation and controls associated with the SIS are provided in Subsection 6.3.5 and Sections 7.3, 7.5, and 7.6. Subsection 6.3.3 specifies the components used to provide core protection for the complete spectrum of reactor coolant pipe breaks.

The SIS components are designed, fabricated, inspected, tested, and installed in accordance with the appropriate class of the ASME Code, Section III (see Section 3.2). The design temperatures and pressures were selected to provide a generous margin above the highest anticipated component temperatures and pressures. Components were designed to provide a system whose design flowrate and net positive suction head (NPSH) exceed required values.

NPSH required for the safety injection pumps is included in Figures 6.3-2a and 2b, and 6.3-3a, 3b and 3c.

6.3.2.2.1 Safety Injection Tanks (SITs)



The four safety injection tanks are used to flood the core with borated water following depressurization as a result of a LOCA/MSLB. Each tank is piped into a cold leg of the RCS via a safety injection nozzle located on the RCS piping near the reactor vessel inlet. During normal plant operation, each safety injection tank is isolated from the RCS by two check valves in series. The SITs automatically discharge into the RCS if RCS pressure decreases below safety injection tank pressure during reactor operation.



The motor operated isolation valve on each SIT discharge is interlocked with pressurizer pressure to open these valves automatically as RCS pressure is increased to 500 psig and to prevent inadvertent closure prior to or during an accident. After the valve is opened, it will be locked open in the main control room, and the motor circuit breaker handle will be padlocked in the open position.

During plant startup, the operator will repressurize the SITs in accordance with plant Technical Specifications.

During normal power operation, the tank isolation valve, although locked open, receives a SIAS "open" signal if the RCS pressure should inadvertently drop below 1684 psia. During startup and shutdown operation, a variable setpoint is used as described in Section 7.2.

WSES-FSAR-UNIT-3 6.3-5 Revision 308 (11/14)

(EC-45607, R308)

In order to prevent inadvertent pressurization of the shutdown cooling system, SIT pressure will be lowered to less than 300 psig by the operator prior to placing shutdown cooling in service. SIT pressure is not raised above 300 psig until the shutdown cooling suction is isolated from the RCS. One SIT may be pressurized above 300 psig with the shutdown cooling suction not isolated from the RCS if the associated SIT outlet isolation is closed with the breaker open.

(EC-45607, R308)

Prior to initiation of shutdown cooling after a small break LOCA (see Subsection 6.3.1.4.2), the SITs are vented via the tank N2 vent valves. To provide a single-failure-proof means of venting the tanks, two vent valves in parallel, each powered from a separate independent emergency power source, are provided for each tank.

N2 vent valves are operated with a key switch to prevent inadvertent valve operation that could result in depressurization of the SI Tank.

For further discussion on the SIT isolation valve interlocks and alarms see Section 7.6.

The tank gas/water fractions, gas pressure, and outlet pipe size are selected to allow three of the four tanks to cover the core before significant clad melting or zirconium-water reaction can occur following a LOCA. The volume of water in the tanks is conservatively calculated assuming that all water injected prior to the end of the RCS blowdown is lost.

The tanks contain borated water at a boron concentration between 2050 and 2900 ppm and are pressurized with nitrogen at a minimum pressure of 600 psig. Additional SIT parameters are given in Table 6.3-2.

Redundant level and pressure instrumentation (described in more detail in Subsection 6.3.5.3 and Section 7.5) is provided to monitor the condition of the tanks. Sufficient visual and audible indication is made available to the operator such that maintaining the SITs within the required technical specifications during various modes of plant operations is readily accomplished from the main control room. Provisions are made for sampling, filling, draining, and correcting boron concentration.

6.3.2.2.2 Safety Injection Pumps

6.3.2.2.2.1 Low-Pressure Safety Injection Pumps

The LPSI pumps serve two functions. One of these is to inject large quantities of borated water into the RCS in the event of a large pipe rupture. Sufficient flow is delivered under these conditions to satisfy functional requirements described in Subsection 6.3.1. The other function of the LPSI pumps is to provide shutdown cooling flow through the reactor core and shutdown cooling heat exchanger for normal plant shutdown cooling operation or as required for long-term core cooling as described in Subsection 6.3.2.9.5 for small breaks. The approximate pump characteristic curves for LPSI pumps A and B are presented in Figures 6.3-2a and 6.3-2b, respectively. Pump parameters are given in Table 6.3-2.

During normal operation the LPSI pumps are isolated from the RCS by motor-operated valves. When performing their safety injection function, the pumps deliver water from the RWSP to the RCS, via the RCS safety injection nozzles, when system pressure falls below pump shutoff head.

WSES-FSAR-UNIT-3 6.3-6 Revision 10 (10/99)

Sizing of the LPSI pump is governed by the shutdown cooling function. The flow available with a single LPSI pump is sufficient to maintain a core T at an acceptable level at the initiation of shutdown cooling (3.5 hours after shutdown). See Subsection 9.3.6.

The design temperature for the LPSI pumps is based upon the temperature of the reactor coolant at the initiation of shutdown cooling, about 350°F nominal, plus a design tolerance, resulting in a temperature of 400°F. The design pressure for the pumps is based upon the sum of the maximum pump suction pressure, which occurs at the initiation of shutdown cooling, the pump shutoff head, and design tolerances. The shutdown cooling function of the pumps is described in Subsection 9.3.6.

The LPSI pumps are vertical, single-stage centrifugal units equipped with mechanical face seals backed up by a bushing, with a leakoff to collect the leakage past the seals. The seals are designed for operation with a pumped fluid temperature of 400°F. To prolong seal life, a portion of the pump discharge is cooled by component cooling water and is used to cool the seals.

6.3.2.2.2.2 High-Pressure Safety Injection Pumps

The primary function of the HPSI pumps is to inject borated water into the RCS if a break occurs in the RCS boundary. For small breaks, the RCS pressure remains high for a long period of time following the accident, and the HPSI pumps ensure that the injected flow is sufficient to meet the criteria given in Subsection 6.3.1. The HPSI pumps are also used during the recirculation mode to maintain a borated water cover over the core for extended periods of time following a LOCA. For long term core cooling, the HPSI pumps are manually realigned from the main control room for simultaneous hot and cold leg injection. This ensures flushing and ultimate subcooling of the core independent of break location. For small breaks, the HPSI pumps continue injecting into the RCS to provide makeup for spillage out of the break, while cooldown via steam dump and shutdown cooling is implemented.

During normal operation, the HPSI pumps are isolated from the RCS by motor operated valves. When performing their safety injection function, the pumps deliver water from the RWSP to the RCS, via the cold leg safety injection nozzles, when RCS pressure falls below pump shutoff head. During the recirculation mode of operation, the pumps take suction from the SIS sump.



The HPSI pumps are sized such that one pump will deliver saturated water at a rate sufficient to maintain level in the reactor vessel, matching boiloff at the time the SIS switches into the recirculation mode (not less than 20 minutes after the LOCA), assuming 25 percent spill out of the RCS break. The pump characteristic curve developed on this basis is used in verifying that the performance of the SIS is able to prevent fuel and clad damage that would interfere with core cooling after any LOCA. The final pump characteristic curves are shown in Figures 6.3-3a, 6.3-3b, and 6.3-3c.



The pump design temperature is based on the saturation temperature of the reactor coolant at the containment design pressure plus a design tolerance. The design pressure for the high-pressure pumps is based on the shutoff head plus maximum containment pressure plus a design tolerance.

WSES-FSAR-UNIT-3 6.3-7

Mechanical shaft seals are used and are provided with leakoffs that collect any leakage past the seals. The seals are designed for operation with a pumped fluid temperature of 400°F. To extend seal life, a portion of the pump discharge is cooled by the Component Cooling Water System and is used to cool the seals.

The following applies to LPSI and HPSI pumps:

The pumps are provided with minimum flow protection recirculation lines to prevent damage resulting from operation against a closed discharge.

The pump motors are specified to have the capability of starting and accelerating the driven equipment, under load, to design point running speed within eight seconds based on an initial voltage of 75 percent of the rated voltage at the motor terminals.

The pumps are provided with drain and flushing connections to permit reduction of the radiation before maintenance. The pressure containing parts of the pump are stainless steel with internals selected for compatibility with boric acid solutions. The materials selected are analyzed to ensure that differential expansion during the design transients can be accommodated. Pump operability qualification is in accordance with Regulatory Guide 1.48 (5/73) and is discussed in Subsection 3.9.3.2. The following inspections and tests are performed on the pumps:

a) All welds in pressure containing parts are examined as required by Section III of the ASME Code.

b) Pressure containing parts of the finish machined casing, seal, bearing and piping assemblies and bypass orifice are hydrostatically tested in accordance with Section III of the ASME Code.

c) The pump assembly cooling water piping is hydrostatically tested in accordance with Section III of the ASME Code.

d) The pump assembly is tested to measure capacity, total head, power input, overall efficiency and suction requirements (NPSH), in accordance with the Power Test Code PTC 8.2 - Centrifugal Pumps.

e) A representative pump is tested under expected thermal transient conditions at the vendor's shop.

f) Seal leakage is measured and recorded to verify less than 50 cm^3/hr leakage.

g) Pump vibration is tested at the pump design points in accordance with Section XI of the ASME Code.

h) The drive motor is tested to assure specified performance.

WSES-FSAR-UNIT-3 6.3-8 Revision 307 (07/13)

6.3.2.2.2.3 Net Positive Suction Head

The high and low-pressure safety injection pumps are located in rooms in the lowest level of the Reactor Auxiliary Building. This location maximizes the available NPSH for the safety injection pumps.

(DRN 06-1026, R15)

The method of calculating NPSH is in agreement with the intent of NRC Regulatory Guide 1.1. No credit is taken for containment pressure increase due to heating of the atmosphere. However, the guide assumes no containment pressure increase above that present prior to a LOCA. Since this restriction would allow boiling of most of the water in the containment, it is more accurate to assume equilibrium between containment pressure and sump water at saturation conditions. The available NPSH for the pumps is calculated using a saturated sump model. The containment is conservatively assumed to be at the saturation pressure corresponding to the sump water temperature. No other credit is taken for this pressure.

(DRN 06-1026, R15)

The NPSH available to the high-pressure safety injection pumps during recirculation has been calculated based on piping drawings and on the following:

a) Suction pipe lengths, fittings and elevations based on actual piping layouts.

(DRN 06-1026, R15; EC-1002, R302; EC-25199, R307)

b) Total flow on one suction header of 3235 gpm consisting of 2250 gpm for one containment spray pump and 985 gpm for one high-pressure safety injection pump. In this case, the maximum pump suction loss was 4.55 ft.

(EC-1002, R302; EC-25199, R307)

c) Containment pressure is equal to the saturation pressure of the sump water, maintaining the water in the liquid phase. No other credit is taken for this pressure in calculating available NPSH.

(DRN 00-314, R11; 05-1332, R15; EC-1002, R302)

d) Minimum Safety Injection sump water level at El. -5.29 ft. MSL.

(DRN 00-314, R11; 05-1332, R15; 06-1026, R15)

e) High-pressure safety injection pump impeller centerlines are located at El. -32.17 ft. MSL.

f) Intake losses measured during the hydraulic testing of the sump design.

(EC-1002, R302)

The minimum available NPSH during recirculation mode is as follows:

(DRN 00-314, R11; 01-3706; R11-B; EC-1002, R302)

Pump                             Flow    NPSH (avail.)   NPSH (req.)   Margin   Pe      Pi
                                 (gpm)   (ft)            (ft)          (ft)     (ft)    (ft)
High Pressure Safety Injection   985     22.33           22.00         0.33     26.88   4.55

(DRN 05-1332, R15)

(DRN 05-1332, R15)

(DRN 06-1026, R15; EC-40296, R307; EC-25199, R307)

(DRN 00-314, R11; 01-3706, R11-B; 06-1026, R15; EC-1002, R302; EC-40296, R307; EC-25199, R307)
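
As an added worked check (not part of the FSAR text), the tabulated values follow from the saturated sump model described above. It reads Pe as the static elevation head from the minimum sump level to the pump impeller centerline and Pi as the suction loss; that reading of the column labels is an assumption, since the page does not define them, and the symbols P_cont, P_sat, rho and g are introduced here. With containment pressure taken equal to the saturation pressure of the sump water, the pressure term cancels:

$$\mathrm{NPSH}_{avail} = \frac{P_{cont} - P_{sat}}{\rho g} + P_e - P_i = 0 + P_e - P_i$$

$$P_e = (-5.29\ \mathrm{ft}) - (-32.17\ \mathrm{ft}) = 26.88\ \mathrm{ft}, \qquad P_i = 4.55\ \mathrm{ft}$$

$$\mathrm{NPSH}_{avail} = 26.88 - 4.55 = 22.33\ \mathrm{ft}, \qquad \mathrm{Margin} = 22.33 - 22.00 = 0.33\ \mathrm{ft}$$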

WSES-FSAR-UNIT-3 6.3-9 Revision 10 (10/99)

6.3.2.2.3 Piping

Piping is specified to deliver borated safety injection water from the SITs and from the RWSP, via the safety injection pumps, to the safety injection nozzles in the RCS. The major piping sections are:

a) From each SIT to its respective RCS cold leg safety injection nozzle.

b) Redundant piping from the RWSP and SIS sump to the suction of the HPSI and LPSI pumps.

c) Redundant piping from the HPSI pumps discharge to redundant high-pressure injection headers each of which serves the four injection nozzles on the cold legs plus the hot leg injection nozzles on the shutdown cooling suction lines.

d) Piping from the LPSI pump discharges to redundant low pressure injection headers each of which serves two of the four cold leg injection nozzles.

The SIS piping is fabricated of austenitic stainless steel and is designed to ASME Code Section III.

Additional piping specification data are given on Table 6.3-2. Flexibility and seismic loading analyses are performed to confirm the structural adequacy of the system piping.

6.3.2.2.4 Valves



The location of valves, along with the type and size of the valve, type of operator, position of the valve (during the normal operating mode of the plant) and failure position of the valve, is shown in Figure 6.3-1 (for Figure 6.3-1, Sheet 1, refer to Drawing G167, Sheet 1).



6.3.2.2.4.1 Relief Valves

Protection against overpressurization of components within the SIS is provided by conservative design of the system piping, appropriate valving between high-pressure sources and low-pressure piping, and by relief valves. All lines within the high- and low-pressure systems from the RCS up to and including the safety injection valves are designed for full RCS pressure. The high pressure header to which the charging pumps discharge is designed for full RCS pressure up to and including the outermost hot leg injection line isolation valve. Relief valves are provided as required by applicable codes.

A tabulation of relief valves is provided below.

a) Safety Injection Tank Relief Valves
The relief valves on the SITs are sized to protect the tanks against the maximum fill rate of liquid or gas into the tanks. They discharge into the containment. The set pressure is 700 psig with a capacity of 1120 scfm.

WSES-FSAR-UNIT-3 6.3-10 Revision 11 (05/01)

b) Check Valve Leakage Relief Valve
A relief valve is provided on the safety injection test and leakage return line. This relief valve is sized to protect against overpressurization of the line when filling a SIT. It discharges into the containment sump. The set pressure is 1900 psig with a capacity of 44 gpm (the capacity of one charging pump).

c) Low-Pressure Safety Injection Header Thermal Relief Valve
These valves protect the LPSI header against pressure developed due to a sudden temperature increase. They discharge into the waste tanks. The set pressure is 650 psig with a capacity of five gpm per valve.

d) High-Pressure Safety Injection Header Thermal Relief Valves
These valves are sized to protect the HPSI lines against the pressure developed due to a temperature increase. They discharge into the waste tanks. The set pressure is 1950 psig with a capacity of five gpm.

e) High-Pressure Safety Injection Header Relief Valve
The HPSI header to which the charging pumps discharge is protected from the charging pumps discharge pressure by these valves. They discharge into the waste tanks. The set pressure is 2485 psig with a capacity of 160 gpm per valve.

6.3.2.2.4.2 Actuator-Operated Throttling and Stop Valves

The position of each valve on loss of actuating signal or power supply (failure position) is selected to ensure safe operation. System redundancy is considered when defining the failure position of any given valve. Valve position indication is provided at the main control board. A locking type control switch on the main control board and/or manual override handwheel is provided where necessary for efficient and safe plant operation.

(DRN M9900934)

The HPSI and LPSI valves are trimmed during preoperational flow tests to prevent the safety injection pumps from exceeding runout flow during emergency operation. Following the determination of the required valve stem position for proper functioning of the system, each of the safety injection valves is fitted with stops and suitably tagged to ensure that it will open to the position necessary to fulfill its safety function. To prevent inadvertent actuation, the hot leg injection line isolation valves have power locked out in the closed position during normal operation and post-LOCA prior to hot leg injection. Failure of the limit switches on the LPSI Flow Control valves will cause an increase in LPSI flow to the RC cold legs, but the increased flow rate will not exceed the maximum flow rate assumed in the safety analyses for a large break LOCA.

(DRN M9900934)

6.3.2.3 Applicable Codes and Classifications

The codes and classifications applicable to the ECCS components are listed in Section 3.2.

6.3.2.4 Materials Specifications and Compatibility

See Section 6.1.

WSES-FSAR-UNIT-3 6.3-11 Revision 308 (11/14)

6.3.2.5 System Reliability

6.3.2.5.1 Safety Injection Tanks

(DRN M9900458)

The SITs, containing borated water pressurized by a nitrogen cover, constitute a passive injection system, i.e. no outside operator action or electrical signal is required for operation. Each tank is connected to its associated reactor coolant cold leg by a separate line containing two check valves that isolate the tank from the RCS during normal operation. When the reactor coolant pressure falls below the tank pressure, the check valves open, thereby discharging the contents of the tank into the RCS.

Adequate borated water is supplied in the four tanks to rapidly cover the core, with the contents of one tank assumed to be discharging through the break. The evaluation of Subsection 6.3.3 demonstrates the adequacy of the quantity of coolant supplied. To prevent SIT draindown during plant cooldown, SIT pressure may be decreased when Reactor Coolant pressure is less than 1750 psia and the isolation valves on the tanks subsequently closed. An interlock with pressurizer pressure prevents the SIT isolation valves from being closed from the main control board if pressurizer pressure is greater than 400 psig. The interlock is to prevent accidental overpressurization of the Shutdown Cooling System due to the accidental opening of a SIT isolation valve with the SIT greater than 400 psig. An SIAS will send an open signal to the SIT isolation valves.

(DRN M9900458)

(EC-45607, R308)

The motor-operated isolation valves on the SIT discharge are interlocked with pressurizer pressure to open the valves automatically as system pressure is increased to 500 psig. The operator will maintain SIT pressure at least 75 psig below RCS pressure when pressurizing SITs. Further details of valve control and interlocks are provided in Section 7.6. Additional information regarding N2 venting procedures is provided in Subsection 6.3.2.2.1.

(EC-45607, R308)

6.3.2.5.2 High-Pressure and Low-Pressure Safety Injection Subsystems

Two redundant HPSI and LPSI subsystems are provided. One HPSI and one LPSI pump and associated injection valves are connected to one Class 1E electrical bus; the other HPSI and LPSI pumps and injection valves are connected to a second Class 1E electrical bus. This ensures the automatic operation of one complete system in the unlikely event of a loss of offsite power and any active component, including a diesel generator, failing to operate. The third high-pressure pump AB allows plant operation to continue while one of the other two high-pressure pumps is undergoing maintenance. When put into service, the successful transfer of the control logic of HPSI pump AB and proper valve alignment is monitored by indicating lights.

All valves in the system not receiving an SIAS signal are maintained locked in position by administrative controls.

Prevention of flow blockage in small diameter pipes, including the above piping, is accomplished by control of particle size and specific weight in the injection water through sump design. See Subsection 6.2.2.

WSES-FSAR-UNIT-3 6.3-12 6.3.2.5.3 Power Sources In addition to the preferred sources of offsite power, independent onsite standby electrical power supplies are provided for the SIS equipment by the diesel generators. The electrical power system (both the preferred and the onsite standby power sources) is designed such that a single electrical failure can neither initiate injection flow, nor prevent initiation of required injection flow. A detailed description of the onsite standby power sources is given in Section 8.3. Diesel generator load sequencing is provided in Table 8.3-1.

6.3.2.5.4 Capacity to Maintain Cooling Following a Single Failure

The SIS is designed to meet its functional requirements even with the failure of a single active component.

By providing proper redundancy of equipment, even with the single active failure noted above, the minimum required safety injection equipment is always available.

A failure modes and effects analysis demonstrating this is given in Table 6.3-1. The analysis is based on the following assumptions:

a) One active failure is assumed to occur in the system.

b) The analysis considers only failures which occur during the time period of SIS operation. Failures which might occur during normal plant operation are not considered.

c) Relief and check valve failures are not considered credible failures.

d) Failure to respond to an external signal is considered an active failure.

Minimum ECCS equipment that will operate during postulated accidents is as discussed in Subsection 6.3.3. This complement of equipment is required to mitigate the consequences of a LOCA that is initiated when the reactor is operating anywhere from hot shutdown to full power operation. This complement will result in conservative results for other accidents where ECCS is required.

The following component design features are provided in the system in order to meet a single failure criterion.

a) Redundant HPSI and LPSI pumps.

b) Redundant piping and valving between RWSP and safety injection pump suction.

c) Redundant piping between SIS sump and safety injection pump suction.

d) Redundant HPSI and LPSI headers.

e) Four injection discharge points into the RCS cold legs and two injection discharge points into the RCS hot legs.

SIS equipment arrangement is as shown in the Figures of Section 1.2. SIS valve motor-operators inside containment have been located above the maximum post LOCA flood level to ensure they will not become submerged.

6.3.2.6 Protection Provisions

The SIS is provided with protection from damage that could result from a LOCA by:

a) Designing components to withstand the accident environment, including coolant chemistry, high temperature, and high pressure resulting from the accident.

b) A seismic design that will withstand the stress imposed by the SSE and a LOCA in accordance with Sections 3.7 and 3.10.

c) Protection from missiles in accordance with Section 3.5 and Subsection 6.3.2.6.2.

6.3.2.6.1 Capability to Withstand Accident Environment

All SIS components and associated electrical equipment were designed to withstand accident environmental conditions. The design of each component encompasses the most severe condition the equipment will encounter.

Components located in the containment, such as remote-operated valves and instrumentation and control equipment required for initiation of SIS operation, are designed to withstand the conditions of temperature, pressure, humidity, chemistry, and radiation for the extended period of time required, as detailed in Section 3.11.



Insofar as practical, safety injection components required to maintain a functional status are located outside containment to minimize exposure of this equipment to the post-LOCA conditions. The equipment outside containment is designed in consideration of the expected environmental conditions associated with operation following a LOCA (see Section 3.11). Figures 1.2-11, 20, and 6.3-1 (for Figure 6.3-1, Sheet 1, refer to Drawing G167, Sheet 1) show location of equipment inside or outside of containment.



The design life of the safety injection pumps is 40 years, corresponding to the life of the plant. Design pressures and temperatures are greater than the maximum pressures and temperatures experienced by the respective component during normal operating or accident conditions. Materials of construction for the pumps are compatible with the expected water chemistry under LOCA conditions. A radiation resistance requirement of 10^7 rads has also been placed on the pumps; this is in excess of the dose calculated for 40-year plant operation plus a LOCA at the end of the 40 years.

All valves are designed in consideration of the attendant environmental conditions discussed in Section 3.11.

The SIS sump isolation valves are located outside the Shield Building as shown in Figure 6.2-1. The valve operators are designed for the post accident environment conditions given in Section 3.11.

Since long-term cooling is required following a LOCA, consideration was given to the effect of the spray additives on post-LOCA coolant chemistry and on corrosion of RCS and SIS piping (see Section 6.1).

6.3.2.6.2 Missile Protection

Protection from possible RCS-generated missiles is afforded by locating all components outside the containment, except for the safety injection tanks. These tanks are located outside the missile shield, such that protection from possible RCS-generated missiles is provided. Redundant components of the ECCS located outside containment have been placed in separate water tight compartments so that a passive failure of one pipe will not flood more than one room or cause the failure of more than one pump per system.

6.3.2.6.3 Seismic Design

Since operation of the SIS is essential following a LOCA, it is seismic Category I.

The SIS components are designed to withstand the stresses resulting from emergency operation due to a LOCA and the stresses resulting from the SSE without loss of operation.

Refer to Sections 3.7 and 3.10 for details on seismic design and analysis methods. Active SIS equipment operability under seismic conditions is discussed in Subsection 3.9.3.2.

6.3.2.7 Provisions for Performance Testing

The SIS is provided with the necessary connections such that proper operation of each active component can be determined. Recirculation lines are provided on each pump, such that the pumps can be started during normal operation and pump performance determined. The operability of all check valves can be verified either by pump operation or by the charging pump connection to the high pressure header.

Additionally, the motor-operated valves have position-indication for testing.

The SITs are provided with sample connections and boron addition connections to control their boron content. This assures that fluid containing the proper boron content would be injected in the event of a LOCA.

For further information on testing see Subsection 6.3.4.

6.3.2.8 Required Manual Actions

The two modes of operation, injection and recirculation, are automatically initiated by Safety Injection Actuation Signal (SIAS) and Recirculation Actuation Signals (RAS) respectively, as outlined in Subsection 6.3.2.9.

Operator action is required to close the minimum flow recirculation isolation valves. Operator action is required to close the RWSP discharge valves after verifying that the SIS sump discharge valves have opened.

(EC26496, R305)

If a LPSI pump fails to automatically stop, operator action will be required to place the LPSI pump on long cycle recirculation by opening the shutdown cooling warm-up valve and closing the flow control valves to minimize debris transport to the Safety Injection Sump.

(EC26496, R305)

Manual procedures required for post-LOCA long-term core cooling are covered in Subsection 6.3.1.4.2.

The process instrumentation available to the operator in the main control room to assist in assessing post-LOCA conditions is listed in Table 6.3-3.

6.3.2.9 System Operation

6.3.2.9.1 System Standby Conditions

During normal plant operation, the SIS is maintained in a standby mode with all of its components lined up for emergency operation. During this time, none of the system components are operating. The status of the system is as shown in Figure 6.3-1 (for Figure 6.3-1, Sheet 1, refer to Drawing G167, Sheet 1).

6.3.2.9.2 Initiation of Safety Injection

(DRN M9900458)

The SIS automatically goes into operation upon indication that a significant breach in the RCS boundary has occurred. For very small breaks, the charging pumps will be able to keep the RCS pressurized.

However, if pressurizer pressure drops below 1560 psia (analytical limit) during plant operation, a SIAS will be generated and the SIS is put into operation. A drop in pressurizer pressure may also be caused by excessive heat removal by the Main Steam System due to a steam line break. Again, if pressurizer pressure drops below 1560 psia (analytical limit) with the plant initially at pressure, a SIAS will be generated.

(DRN M9900458)

A LOCA or a steam line break inside containment will also cause a rise in containment pressure. High containment pressure will also generate a SIAS.

6.3.2.9.3 Injection Mode of Operation

The injection mode of operation is initiated upon a SIAS. A SIAS is produced upon any two coincident low pressurizer pressure or two coincident high containment pressure signals. The SIAS may also be initiated manually in the main control room. Upon a SIAS, the safety injection pumps automatically start, and the safety injection valves isolating the path to the cold legs automatically open. In addition, the SIT isolation valves receive an SIAS Open signal, even though they are already open when the plant is at operating pressure.

The actuation of ESF loads is accomplished in a preprogrammed time sequence. If the preferred power source (offsite power) is available to the ESF buses, the ESF loads start immediately in the preprogrammed sequence. In the unlikely event that the preferred power sources are lost, the ESF buses shed normally operating loads and are connected to the onsite standby power sources (diesel generators).

ESF loads are then started in the preprogrammed time sequence as denoted in Table 8.3-1. During the injection mode, the minimum flow lines just downstream of each injection pump are kept open to prevent possible dead-head operation, following a small break LOCA or steam line break. Water that passes through the minimum flow lines is returned to the RWSP. The SIS lineup and flow distribution for this mode of operation is shown on Figure 6.3-4 and Table 6.3-4.

6.3.2.9.4 Short-Term Recirculation



When RWSP level is down to 10 percent, any two low RWSP level signals will produce a recirculation actuation signal (RAS). The RAS secures the LPSI pumps and opens the SIS sump isolation valves.

Upon indication that transfer to recirculation has occurred, the operator will verify that the appropriate amount of water has been discharged into the containment by examining RWSP level indication, and that the flow path from the SIS sump to the suction of the safety injection pumps is open. Following this, the operator will close the RWSP isolation valves. The SIS lineup and flow distribution for this mode of operation is shown on Figure 6.3-5 and Table 6.3-4. Upon indication that the RAS has occurred, the operator will close the mini-flow isolation valves.



6.3.2.9.5 Long-Term Recirculation

Between one-half and one hour, post-LOCA, the operator determines if the break is sufficiently small to warrant dumping steam from the steam generators to reduce RCS pressure. At two hours following a LOCA, the high-pressure portion of the SIS will be realigned by the operator for simultaneous hot and cold leg injection. In this mode of operation, the HPSI pumps take water from the SIS sump and inject it simultaneously through the injection nozzles in the cold legs and through the shutdown cooling nozzles in the hot legs. The system is aligned such that approximately 50 percent of the flow delivered by each HPSI subsystem goes into the hot legs, and 50 percent goes into the cold legs.

For large breaks, simultaneous injection provides effective long-term cooling by inducing a flushing flow through the core and eventually producing a subcooled core. A large break is evidenced by a rapid emptying of the RWSP. The SIS lineup and flow distribution for this mode of operation is shown on Figure 6.3-6 and Table 6.3-4.

For small breaks, realignment for simultaneous injection may occur prior to transfer from injection to recirculation. Following a small break LOCA, the RCS will be kept filled and partially pressurized by the HPSI pumps. For such an event, following transfer to simultaneous hot and cold injection, the LPSI pumps will be realigned for shutdown cooling mode of operation. In the shutdown cooling mode, the LPSI pumps take suction from the hot legs of the RCS through the shutdown cooling line, discharge through the shutdown cooling heat exchangers, and return flow to the RCS through the injection lines. Prior to the initiation of this mode of operation, it may be necessary to reduce the temperature and pressure of the RCS to shutdown cooling initiation condition. To reduce RCS temperature, heat will be removed by relieving steam through the atmospheric dump valves on the secondary side of the steam generators.

Once RCS temperature has been stabilized at an appropriate level, RCS pressure will be reduced by throttling HPSI pump flow with the HPSI valves. The SIS lineup and flow distribution for this mode of operation is shown on Figure 6.3-7 and Table 6.3-4.

6.3.2.9.6 Plant Startup

(EC-45607, R308)

During cold shutdown, the pressurizer pressure trip feature of the SIAS has been bypassed, and the RCS is less than 392 psia. The LPSI pumps are being used for their shutdown cooling function and the HPSI pumps may be disabled. The SITs are at a pressure less than 300 psig, and are isolated from the RCS.

One SIT may be pressurized above 300 psig with SDC in operation if the associated SIT outlet isolation is closed with the breaker open. The SIS lineup and flow distribution for this mode of operation is shown in Figure 6.3-8 and Table 6.3-4.

(EC-45607, R308)

When RCS pressure reaches 500 psia the low pressurizer pressure trip feature of the SIAS is restored, as described in Section 7.2.

(EC-45607, R308)

Once the reactor coolant pumps are started, the LPSI pumps will be secured and realigned for injection.

When RCS pressure rises to 500 psig the SIT isolation valves automatically open. The operator will pressurize the SITs in accordance with plant Technical Specifications by adding nitrogen. Normally, the SIT isolation valves will be administratively key-locked open in the main control room, and the motor operator circuit breaker handles will be padlocked in the open position prior to RCS pressure exceeding 392 psia. One isolation valve may remain closed until RCS pressure is 1750 psia.

(EC-45607, R308)

6.3.2.9.7 Normal Plant Shutdown

During plant cooldown and shutdown cooling, a variable pressurizer pressure setpoint for the SIAS is used as described in Section 7.2.

(EC-45607, R308)

When RCS pressure is less than 1750 psia the operator will lower SIT pressure to between 235 and 300 psig by venting nitrogen pressure from the SIT. At an RCS pressure less than 392 psia, the SIT isolation valves will be closed. When RCS temperature is less than 200°F (Mode 5) the SITs may be depressurized. Normally, an interlock prevents the SIT isolation valves from being closed if RCS pressure is greater than 400 psig. However, the operator can override the interlock and shut the SIT isolation valves independent of RCS pressure, if necessary.

The LPSI pumps are lined up for injection during the initial phases of plant cooldown. Once the RCS is below 350°F and 392 psia, the LPSI pumps are realigned to operate in their shutdown cooling mode.

The SIS lineup for this mode of operation is shown in Figure 6.3-8 and Table 6.3-4.

(EC-45607, R308)

6.3.2.9.8 Distribution of Safety Injection Pump Flow

A rupture in an RCS line may be either a large break (Subsection 6.3.3.2) or a small break (Subsection 6.3.3.3).

(DRN 03-2060, R14)

In the approved Large Break LOCA Evaluation Model, it is assumed that no safety injection flow enters the RCS until the system pressure falls below about 600 psig, when the Safety Injection Tanks (SITs) start to discharge. Safety injection pumps start after the end of blowdown for a large break transient.

The RCS pressure is in equilibrium with the containment pressure after the end of blowdown. Thus, when safety injection pump flow is assumed to enter the RCS, all SI lines see the same discharge pressure and the flow is equal in all lines.

(DRN 03-2060, R14)

The most limiting condition for the large break LOCA evaluation is with no active component failure.

Therefore, the ECCS performance analysis was performed with no single failure. As explained above, the flow to the broken loop is the same as that to the intact loop.

In the Small Break LOCA Evaluation the pressure difference between the three (3) intact legs and the broken leg is no greater than about 5 psi. Therefore, all lines see essentially the same back pressure and the flow is split evenly between them.

(DRN 04-631, R13-B)

The worst single failure for a small break is the failure of a Direct Current (DC) power bus which results in the consequential failure of an Emergency Diesel Generator (EDG) to start and the failure of a charging loop isolation valve to remain open (i.e., to fail closed) resulting in no charging flow to the RCS. Therefore, only one HPSI and one LPSI pump will operate. It is assumed that the operating LPSI pump is connected to the broken leg and to one intact leg. As in the large break, the flow to the broken loop is the same as that to the intact loop.

(DRN 04-631, R13-B)

6.3.3 PERFORMANCE EVALUATION

6.3.3.1 Introduction and Summary

(DRN 00-550, R10; EC-9533, R302)

The acceptance criteria for Emergency Core Cooling Systems for light water nuclear power reactors are set forth in 10CFR50.46 (Reference 1). The analyses presented in this subsection and in Subsection 15.6.3.3 demonstrate that the Waterford 3 ECCS design satisfies these criteria.

(DRN 04-631, R13-B;05-545, R14; 06-1061, R15; EC-8458, R307)

The ECCS performance was evaluated for a spectrum of break sizes ranging from a full double ended guillotine break to a 0.04 ft² break at the extended power uprate with replacement steam generators and up to 10% of the SG tubes plugged for the full core implementation of CE 16x16 NGF assemblies. The large breaks were evaluated at a peak linear heat generation rate (PLHGR) of 12.9 kw/ft as specified in the Core Operating Limits Report. The break yielding the highest peak cladding temperature was identified as the 1.0 x DEG/PD(a).

(DRN 04-631, R13-B; 03-2060, R14;05-545, R14; 06-1061, R15; EC-9533, R302; EC-8458, R307)

(DRN 05-545, R14)

(DRN 05-545, R14)

(DRN 00-1821, R10; 03-1943, R13;04-631, R13-B;05-545, R14)

The results of the ECCS performance analysis show that the plant meets the 10CFR50.46 Acceptance Criteria. Conformance is summarized as follows: The PLHGR for this analysis is 12.9 kw/ft as specified in the Core Operating Limits Report.

(DRN 00-550, R10; 00-1821, R10; 03-1943, R13;04-631, R13-B;05-545, R14)

(a) DEG/PD = Double Ended Guillotine at the Pump Discharge

Criterion (1)

Peak Clad Temperature. "The calculated maximum fuel element cladding temperature shall not exceed 2200°F."

(DRN 00-0550;05-545, R14; 06-1061, R15; EC-9533, R302; EC-8458, R307)

The analysis yielded a peak cladding temperature of 2092°F for the 1.0 x DEG/PD break.

(DRN 06-1061, R15; EC-9533, R302; EC-8458, R307)

Criterion (2)

Maximum Cladding Oxidation. "The calculated total oxidation of the cladding shall nowhere exceed 0.17 times the total cladding thickness before oxidation."

(DRN 04-631, R13-B; 06-1061, R15; EC-9533, R302; EC-8458, R307)

The analysis yielded a maximum cladding oxidation of 0.13 times the total cladding thickness before oxidation for the 0.8 x DEG/PD break.

(DRN 04-631, R13-B; 06-1061, R15; EC-9533, R302; EC-8458, R307)

Criterion (3)

Maximum Hydrogen Generation. "The calculated total amount of hydrogen generated from the chemical reaction of the cladding with water or steam shall not exceed 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react."

(DRN 06-1061, R15; EC-9533, R302; EC-8458, R307)

The analysis yielded a maximum core-wide cladding oxidation (maximum hydrogen generation) of less than 0.01 times the hypothetical amount for the spectrum of break sizes.

(DRN 00-0550;05-545, R14; 06-1061, R15; EC-9533, R302; EC-8458, R307)

Criterion (4)

Coolable Geometry. "Calculated changes in core geometry shall be such that the core remains amenable to cooling."

(DRN 04-631, R13-B)

The clad swelling and rupture models which are part of the evaluation models (4), (7) account for the effects of changes in core geometry if such changes are predicted to occur. With these core geometry changes, core cooling was enough to lower temperatures. No further swelling and rupture can occur since the calculations were carried to the point at which the temperatures were decreasing.

Thus, a coolable geometry has been maintained.

(DRN 04-631, R13-B)

(DRN 00-0550)

Criterion (5)

Long-Term Cooling. "After any calculated successful initial operation of the ECCS, the calculated core temperature shall be maintained at an acceptably low value and decay heat shall be removed for the extended period of time required by the long-lived radioactivity remaining in the core."

The analysis shows that the rapid insertion of borated water from the ECCS will suitably limit the peak cladding temperature and cool the core within a short period of time. Subsequently, the safety injection pumps will supply cooling water from the RWSP or the SIS sump to remove decay heat resulting from the long-lived radioactivity remaining in the core. A detailed description of the long term cooling plan is given in Subsection 6.3.3.4.

(DRN 00-0550)

6.3.3.2 Large Break Analysis

6.3.3.2.1 Safety Injection System Assumptions

(DRN 00-550, R11)

The SIS consists of two high pressure pumps with a third pump as an installed spare, two low pressure pumps and four safety injection tanks. Automatic operation of the pumps is actuated by either a low pressurizer pressure signal or a high containment pressure signal. Flow is initiated from the SITs when the cold leg pressure drops below the tank pressure plus the elevation head.

(DRN 00-0550)

In performing the LOCA calculations, conservative assumptions are made concerning the availability of safety injection flow. It is assumed that offsite power is lost and all pumps must await diesel startup before they can begin to deliver flow. (It is assumed, however, that offsite power is available for the Containment Spray System and containment fan coolers). Also, it is assumed that all safety injection flow delivered to the broken cold leg is lost.

(DRN 00-0550)

An analysis of the possible single failures that can occur within the SIS has shown that the most limiting condition for the large break spectrum is no active component failure. The assumption of no failure results in the maximum safety injection flow spillage and minimum containment pressure which consequently results in a lower reflood rate.

(DRN 00-0550)

Therefore, based on the above assumptions, the following safety injection flows into the RCS are modeled in the large break analysis:

(DRN 00-0550; 03-2060, R14)

Two high pressure safety injection (HPSI) pumps are piped so that each one can feed all four cold leg injection points. Thus, for a break in the pump discharge leg, the safety injection flow is 75 percent of the flow from two HPSI pumps since it is assumed that all injection in the broken cold leg is spilled.

Two low pressure safety injection (LPSI) pumps are piped so that each one feeds two cold leg injection points. Thus, for a break in the pump discharge leg, 100 percent of the safety injection flow from one LPSI pump and 50% of the flow from the other LPSI pump is injected into the RCS. This produces slightly more limiting results because of the following reason: one half of one LPSI pump flow is sufficient to maintain a full downcomer. The excess flow is spilled out of the break to the containment. The higher spillage reduces containment pressure and results in a lower reflood rate. However, the differences between the assumption of single failure or no single failure are minimal with respect to the results.

(DRN 00-0550; 03-2060, R14)

(DRN 00-0550; 03-2060, R14)

Four safety injection tanks (SITs) are piped so that each SIT feeds a single cold leg injection point. Thus, for a break in the pump discharge leg, the safety injection flow credited is 100 percent of the flow from three SITs since it is assumed that all injection in the broken cold leg is spilled.

(DRN 00-0550)

The rate at which emergency cooling water is delivered to the downcomer annulus is shown in Subsection 15.6.3.3 for the worst break. The delivery curves for the high and low pressure pumps appear in Figures 6.3-2a and b and 3a and b. In the large break analysis, no operator action has been assumed.

6.3.3.2.2 Core, System and Containment Parameters

The significant core and system parameters used in the large break calculations are presented in Subsection 15.6.3.3. The peak linear heat generation rate was assumed to occur at 65% of the height of the core, the conservative location as identified in Appendix A of Reference 4. A conservative beginning-of-life moderator temperature coefficient (+0.0 x 10^-4 /°F) was used for all cases.

(DRN 03-2060, R14)

Fuel rod conditions, as determined by the FATES(8) computer program, were evaluated to determine the burnup which produced the maximum clad temperature and oxidation.

Containment parameters as presented in Subsection 6.2.1.5 were chosen to minimize containment pressure such that a conservative determination of core reflood rate is made. Pressure suppression equipment startup times are selected at their minimum values corresponding to offsite power being available.

6.3.3.2.3 Break Spectrum

(DRN 00-0550; 03-2060, R14)

In general, all possible break locations are considered in a LOCA analysis. However, as demonstrated in other Appendix K LOCA calculations (e.g. References 4 and 6), hot leg ruptures and cold leg ruptures on the suction side of the pump yield clad temperatures substantially lower than those observed for cold leg ruptures on the discharge side of the pump. Pump discharge leg ruptures are limiting due to the minimizing of blowdown core flow and reflood rate for this break location.

(DRN 00-0550; 03-2060, R14)

(DRN 00-0550; 03-2060, R14)

Thus, only these breaks need to be considered in order to identify that rupture which results in the highest clad temperature or the maximum clad oxidation. Since core flow is a function of the break size, calculations have been performed for double ended guillotine breaks over a range of break sizes up to twice the flow area of the cold leg. A list of the breaks examined appears in Table 15.6-14.

(DRN 00-0550; 03-2060, R14)

6.3.3.2.4 Results and Conclusions

The results of this analysis are presented in Subsection 15.6.3.3, and summarized in Subsection 6.3.3.1.

Table 15.6-14 lists the important results which demonstrate compliance with the Acceptance Criteria of Reference 1. Table 15.6-12 presents the time sequence of important events for short-term cooling, for each break in the large break spectrum. These results show that the Emergency Core Cooling System for Waterford 3 is adequate to perform its intended function of maintaining the integrity of the core and limiting radiation release to the environment. Operational restrictions and limits on operation or maintenance that have been dictated by the results of this analysis are listed in the Technical Specifications.

6.3.3.3 Small Break Analysis

(DRN 04-631, R13-B;05-545, R14)

(DRN 04-631, R13-B;05-545, R14)

6.3.3.3.1 Safety Injection System Assumptions

(DRN 00-0550)

The major components of the safety injection system (SIS) are two high pressure pumps, two low pressure pumps and four safety injection tanks. The pumps are automatically actuated either by a low pressurizer pressure signal or by a high containment pressure signal. Flow from the safety injection tanks commences when the cold leg pressure drops below the safety injection tank pressure plus the elevation head.

In performing the small break LOCA analysis, conservative assumptions are made concerning the availability of safety injection flow. It is assumed that offsite power is lost upon reactor trip; therefore, starting of the safety injection pumps is delayed by the time required for starting of the emergency diesel generators and load sequencing. The total time delay assumed is 30 seconds. For breaks in the pump discharge leg, it is also assumed that all safety injection flow delivered to the broken leg spills out the break.

(DRN 04-631, R13-B;05-545, R14)

Steam generator atmospheric dump valve (ADV) flow is credited in the small break LOCA analysis for Waterford 3. An opening setpoint of 1040 psia provides primary to secondary heat transfer by limiting the rise in steam generator saturation temperature, which in turn, increases the rate of primary system pressure reduction. The increased primary system pressure reduction allows for more HPSI pump flow delivery to the RCS.

A single failure analysis of the SIS has shown that the worst single failure for a small break LOCA is the failure of one of the emergency diesel generators to start (7) due to a failure of a direct current bus. This failure causes the loss of one HPSI pump, one LPSI pump, two LPSI pump header isolation valves, and control power to one ADV, thereby resulting in a minimum of safety injection water being supplied to cool the core and secondary pressure control by a single ADV and all main steam safety valves. Injection flow from the charging pumps is not credited in the small break LOCA analysis.

(DRN 00-0550;04-631, R13-B;05-545, R14)

(DRN 00-550, R11;04-631, R13-B;05-545, R14)

Based on these assumptions, the following credit is taken for injection flow in the small break LOCA analysis. For a discharge leg break:

(DRN 00-550, R11;04-631, R13-B)

75% of the flow from one HPSI pump

(DRN 06-1061, R15)

50% of the flow from one LPSI pump

(DRN 06-1061, R15)

100% of the flow from three safety injection tanks

and for a hot leg or suction leg break:

100% of the flow from one HPSI pump

100% of the flow from one LPSI pump

100% of the flow from four safety injection tanks

(DRN 00-550, R11;04-631, R13-B)

The high pressure safety injection pump flow rates used in the small break LOCA analysis are listed in Table 6.3-6.
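The injection credits stated for the large break analysis (Subsection 6.3.3.2.1) and listed above for the small break analysis can be reproduced from the piping arrangement the text describes. The following is an added example, not part of the FSAR: the cold-leg labels and the pairing of each LPSI pump with two particular legs are assumptions, and flow is taken to split equally among a source's injection lines, as the text states.

```python
from fractions import Fraction

# Cold-leg injection point labels are hypothetical; the text only states how
# many injection points each source feeds.
LEGS = ("1A", "1B", "2A", "2B")

# name -> (kind, electrical train, cold legs fed)
# Assumed: LPSI-A feeds loop 1 legs, LPSI-B feeds loop 2 legs.
SOURCES = {
    "HPSI-A": ("HPSI", "A", LEGS),            # each HPSI pump feeds all four legs
    "HPSI-B": ("HPSI", "B", LEGS),
    "LPSI-A": ("LPSI", "A", ("1A", "1B")),    # each LPSI pump feeds two legs
    "LPSI-B": ("LPSI", "B", ("2A", "2B")),
    "SIT-1A": ("SIT", None, ("1A",)),         # each SIT feeds a single leg
    "SIT-1B": ("SIT", None, ("1B",)),
    "SIT-2A": ("SIT", None, ("2A",)),
    "SIT-2B": ("SIT", None, ("2B",)),
}


def credited_flow(broken_leg=None, failed_train=None):
    """Credited injection per source kind, in units of one pump (or tank) flow.

    broken_leg   -- cold leg with a pump-discharge break; all flow delivered to
                    it is treated as spilled. None models a hot leg or suction
                    leg break, where no cold-leg injection is spilled.
    failed_train -- electrical train lost to the single failure, or None.
    """
    credit = {"HPSI": Fraction(0), "LPSI": Fraction(0), "SIT": Fraction(0)}
    for kind, train, legs in SOURCES.values():
        if train is not None and train == failed_train:
            continue  # pump on the failed train never starts
        intact = [leg for leg in legs if leg != broken_leg]
        # Equal split: each line carries 1/len(legs) of the source's flow.
        credit[kind] += Fraction(len(intact), len(legs))
    return credit


def limiting_break(failed_train=None):
    """Discharge-leg break location that leaves the least pump flow credited."""
    def pump_credit(leg):
        c = credited_flow(leg, failed_train)
        return c["HPSI"] + c["LPSI"]
    return min(LEGS, key=pump_credit)


if __name__ == "__main__":
    cases = {
        "large break, no failure, discharge leg": credited_flow("1A"),
        "small break, train B lost, discharge leg": credited_flow("1A", "B"),
        "small break, train B lost, hot/suction leg": credited_flow(None, "B"),
    }
    for label, credit in cases.items():
        print(label, {k: str(v) for k, v in credit.items()})
    print("limiting discharge-leg break with train B lost:", limiting_break("B"))
```

With one train lost, the limiting location is a leg fed by the operating LPSI pump, which is the placement the analysis assumes.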

(DRN 00-550, R11;05-545, R14)

(DRN 05-545, R14)

(DRN 05-545, R14)

6.3.3.3.2 Core and System Parameters

The significant core and system parameters used in the small break LOCA analysis are described in Subsection 15.6.3.3.

(DRN 00-550, R11;05-545, R14)

A peak linear heat generation rate (PLHGR) of 13.2 kw/ft was used in the small break LOCA analysis.

(DRN 06-1061, R15)

The initial steady state fuel rod conditions were obtained from the FATES3B computer program(8). The small break LOCA analysis was performed for the maximum fuel stored energy which occurs at a hot rod average burnup of 500 MWD/MTU. The fuel rod parameter values are provided in Table 15.6-13a.

(DRN 04-631, R13-B; 06-1061, R15)

6.3.3.3.3 Break Spectrum

(DRN 06-1061, R15; EC-8458, R307)

A break spectrum analysis was performed for the following three break sizes: 0.06, 0.05, and 0.04 ft².

The breaks were conservatively postulated to occur in the reactor coolant pump discharge leg.

(DRN 00-550, R11;05-545, R14; 06-1061, R15; EC-8458, R307)


(DRN 00-0550;04-631, R13-B;05-315, R14;05-545, R14)

6.3.3.3.4 Results and Conclusions

(EC-8458, R307)

The results of this analysis are described in Subsection 15.6.3.3. Table 15.6-14a lists the important results, which demonstrate compliance with the acceptance criteria of Reference 1. The 0.05 ft² break was determined to be the limiting break size. The sequence of important events for short term cooling for the three breaks is listed in Table 15.6-12a.

(EC-8458, R307)

Based on the results of the small break LOCA analysis, it is concluded that the Waterford 3 Emergency Core Cooling System satisfies the acceptance criteria of 10CFR 50.46 for a spectrum of small break LOCAs.

(DRN 00-0550;04-631, R13-B;05-315, R14;05-545, R14)

6.3.3.4 Post-LOCA Long Term Cooling

6.3.3.4.1 General Plan

(DRN 05-315, R14)

Long Term Cooling (LTC) is initiated when the core is quenched after a LOCA and is continued until the plant is secured. The objectives of LTC are to maintain the core at safe temperature levels and to avoid the precipitation of boric acid in the core region. To accomplish these objectives, a LTC analysis for Waterford 3 was performed using the NRC-accepted evaluation model described in Reference 9 as modified by the following two changes. The two changes were accepted by the NRC in Reference 10.

a) The boric acid precipitation analysis uses a boric acid solubility limit of 36 wt%. This is the solubility limit of boric acid in a ternary solution of water, boric acid, and trisodium phosphate that is boiling at atmospheric pressure with a concentration of trisodium phosphate based on the amount present in the Waterford 3 containment sump (Attachment 2 to Enclosure 1 of Reference 11).

b) The boric acid precipitation analysis assumes that the Boric Acid Makeup Tank inventory, which is injected via the charging pumps, mixes in the intact cold legs with the safety injection pump flow from the Refueling Water Storage Pool. The resultant mixture is deposited in the mixing volume with the excess spilling to the containment sump.

The evaluation model with these two modifications retains conservatisms beyond those required by Appendix K to 10 CFR 50. For example, the analysis does not credit liquid entrainment in the steam flow leaving the mixing volume. The entrained liquid would remove boric acid from the mixing volume thereby decreasing the rate of accumulation of boric acid in the mixing volume. Also, the analysis does not credit the beneficial impact that containment back pressure has on the boric acid solubility limit in the mixing volume. Conservatively biased minimum containment pressure calculations have shown that containment pressure will be greater than 20 psia between 2 and 3 hours post-LOCA. This higher pressure increases the solubility limit by approximately 4 wt% (Attachment 2 to Enclosure 1 of Reference 11).

(DRN 05-315, R14)

The LTC plan for Waterford 3 uses one of two procedures, depending on the break size. Shutdown cooling is initiated if the break is sufficiently small such that successful operation of the Shutdown Cooling System (SDC) is assured. Otherwise, simultaneous hot and cold side injection is used to maintain core cooling and boric acid flushing. The appropriate procedure is selected on the basis of the indicated Reactor Coolant System (RCS) pressure.


(DRN 05-315, R14)

Figure 6.3-9 shows the basic sequence of events and the time schedule for operator actions in the Waterford 3 LTC plan. With the exception of the time for initiating simultaneous hot and cold side injection, the time schedule is not intended to correspond to required times for actions when implementing plant procedures. Rather, the time schedule is one that demonstrates acceptable long term cooling under the conservative conditions of the LTC analysis. The operator's first action is to initiate cooldown within 1 hour post-LOCA by releasing steam from the steam generators. The steam is released either through the turbine bypass system, if it is available, or through the atmospheric dump valves. Between 2 and 3 hours post-LOCA, the Safety Injection Tanks (SITs) are isolated or vented to avoid injecting nitrogen, a non-condensable gas, into the RCS. Also between 2 and 3 hours post-LOCA, the High Pressure Safety Injection (HPSI) pump discharge lines are realigned so that the injection flow is divided between the hot and cold sides of the RCS.

(DRN 06-1061, R15)

In the analysis, if the indicated RCS pressure is above 170 psia 12 hours after the LOCA, then the RCS is refilled, which assures that proper suction is available for initiating shutdown cooling. The indicated pressure includes an allowance for uncertainty as listed in Table 6.3-5A. Cooling the RCS continues until the indicated RCS temperature is lower than the SDC entry temperature. The HPSI pumps are then throttled until RCS pressure is reduced to below the SDC entry pressure. All HPSI pump flow is then shifted back to the cold legs and shutdown cooling is initiated.

If the indicated RCS pressure is below 170 psia 12 hours after the LOCA, the break is too large for absolute assurance that proper suction is available for initiating shutdown cooling. In this event, simultaneous hot and cold side injection of HPSI pump flow is used to both cool the core and flush the reactor vessel.

(DRN 05-315, R14; 06-1061, R15)

Instrumentation used by the operator for monitoring and surveillance in implementing the LTC plan is listed in Table 6.3-5.

6.3.3.4.2 Assumptions Used in the LTC Analysis

The major assumptions used in performing the LTC analysis are listed below:

(DRN 05-315, R14)

a) No offsite power is available.

b) The worst single failure is the failure of an emergency diesel generator. Therefore:

1) One HPSI pump is inoperable. (No LPSI pumps are used during the recirculation mode.)

2) One motor-driven emergency feedwater pump is inoperable.

c) RCS cooldown using the atmospheric dump valves begins at one hour post-LOCA.

d) The condensate storage pool and the wet cooling tower basins are the sources of emergency feedwater.

e) The SITs are vented or isolated in establishing SDC entry conditions for the small break LTC procedure.

f) The pressurizer is cooled down in establishing SDC entry conditions for the small break LTC procedure.

(DRN 05-315, R14)


(DRN 05-315, R14)

g) RCS cooldown is terminated when the hot leg temperature is below the SDC entry temperature.

h) Initial boric acid concentrations and inventories and pump flow rates used in the boric acid precipitation analysis are selected to maximize the boric acid concentration in the core.

i) The mixing volume used in the boric acid precipitation analysis consists of the following. This definition of the mixing volume was accepted by the NRC in Reference 10.

50% of the volume of the lower plenum. The results of Mitsubishi Heavy Industries BACCHUS mixing tests, which are summarized in Attachment 1 to Enclosure 1 of Reference 11, document the basis for crediting the participation of the lower plenum in the mixing volume.

The liquid volume in the core and outlet plenum up to the elevation of the top of the hot legs. The liquid volume in the core is calculated using the CEFLASH-4AS phase separation model (Reference 7). The liquid volume in the outlet plenum is calculated by adjusting the core exit void fraction, calculated using the CEFLASH-4AS phase separation model, to account for the increase in flow area in the outlet plenum.

6.3.3.4.3 Parameters Used in the LTC Analysis

Significant core and system parameters used in the LTC analysis are presented in Table 6.3-5A.

6.3.3.4.4 Results of the LTC Analysis

(DRN 06-1061, R15; EC-8458, R307)

The conclusions of the LTC analysis, which are based on original steam generators with up to 20% SG tubes plugged, are applicable to the replacement steam generators with up to 10% SG tubes plugged.

(EC-8458, R307)

The double ended (9.8 ft²) cold leg break is the limiting break for long term boric acid accumulation in the reactor vessel. For a cold leg break, the core flushing flow is the difference between the hot side HPSI pump flow rate and the core boiloff flow rate. The initiation of simultaneous hot and cold side HPSI pump flow rates of at least 383 gpm to each side between 2 and 3 hours post-LOCA provides a substantial and time-increasing core flushing flow as shown in Figure 6.3-10. Figure 6.3-11 shows that with no core flushing flow, boric acid would begin to precipitate at approximately 7.0 hours post-LOCA. However, with a hot side injection flow rate of 383 gpm, initiated at 3 hours post-LOCA, the maximum boric acid concentration in the core is 20.89 wt%, a margin of 15.11 wt% to the precipitation limit of 36 wt%. The margin provided for the prevention of boric acid precipitation by a constant core flushing flow of 25 gpm is also shown in Figure 6.3-11.

(DRN 06-1061, R15)

The time at which all hot leg steam entrainment of injection water is terminated was calculated to be less than 2 hours post-LOCA. Therefore, the initiation of simultaneous hot and cold side injection between 2 and 3 hours is after the potential for hot leg entrainment has terminated.

(DRN 05-315, R14)

(DRN 03-2060, R14; 06-1061, R15)

Figure 6.3-9 shows the two procedures for long term cooling. The small break procedure (left branch) applies to those break sizes for which the RCS refills before 12 hours. The analysis predicts the RCS to refill at various times depending on the break area as shown in Figure 6.3-12. A time of 12 hours post-LOCA was selected for the operator to decide if the small break procedure is appropriate. As shown in Figure 6.3-12, a break area as large as 0.038 ft² refills within 12 hours. Therefore, the analysis demonstrates that breaks as large as 0.038 ft² will be able to use the SDC for the long term cooling and flushing of the core.

The LTC analysis determined that the large break procedure (right branch) can cool and flush the core for break areas as small as 0.010 ft². The overlap in break areas for which either the large or small break procedure can be used is illustrated in Figure 6.3-13.

(DRN 03-2060, R14; 06-1061, R15)


(DRN 03-2060, R14; 06-1061, R15; EC-35592, R306)

The operator chooses the appropriate procedure on the basis of indicated RCS pressure at 12 hours.

Figure 6.3-13 lists the RCS pressure at 12 hours for a range of break sizes and Figure 6.3-14 presents this information graphically. The decision pressure is selected as 170 psia, such that, for the pressurizer pressure measurement uncertainty of less than +/- 80 psi (Table 6.3-5A), the operator is assured of selecting the proper procedure for any break size.

(DRN 03-2060, R14; 06-1061, R15; EC-35592, R306)

6.3.3.5 Interconnections with Other Systems

The safety injection water flows to the reactor vessel through a safety injection nozzle on each of the four RCS cold leg pipes. This arrangement provides four separate flow paths to the reactor. In addition, high pressure hot leg injection capability is provided, via the SDC suction lines in the hot legs, in order to supply hot leg injection (simultaneous with cold leg injection) during long-term ECCS operation.

During shutdown cooling, the LPSI pumps take suction from the RCS via the shutdown cooling suction line. See Subsection 9.3.6.

A connection is provided from the discharge side of the CVCS charging pumps to the HPSI header. Its primary purpose is to allow testing operability of the safety injection check valves upstream of the RCS safety injection nozzles when the RCS is pressurized. The connection can also be used to correct boron concentration in the SITs, and it provides an alternate injection path for the charging pumps.

An additional connection between the CVCS and the SDCS is discussed in Subsection 9.3.6.

There is a connection between the shutdown cooling heat exchangers and the containment spray pump discharge. This connection is used for containment spray purposes. See Subsection 6.2.2.

(DRN 03-2060, R14;06-230, R14-A; 06-1061, R15)

The RWSP is used as the source of water for the injection mode of operation. The ECCS performance analysis supports the RWSP containing borated water with a boron concentration of 3000 ppm maximum. Technical Specifications specify a maximum boron concentration of 2900 ppm. The RWSP minimum temperature of 50°F is the limit assumed in the accident analyses. Technical Specifications specify a minimum RWSP temperature of 55°F. The pool is vented to the atmosphere to protect it from excess internal or external pressure. Discussion of RWSP volume is provided in Subsection 6.2.2. The RWSP provides a sufficient volume of water for all ESF pumps to take suction for well over 20 minutes and provides adequate inventory for long-term cooling by recirculation.

(DRN 03-2060, R14;06-230, R14-A; 06-1061, R15)

Two connections are provided from the RWSP to the suction of the ESF pumps. In addition, return connections are provided for draining the SITs. Miniflow lines provide a flow path from the ESF pumps to the RWSP.

The Component Cooling Water System supplies cooling for safety injection pump shaft seals and bearings.

A regulated nitrogen supply is provided for pressurization of the SITs.

Drains are provided for radioactive liquids. Typical sources are valve and equipment leakoffs, pump drains, and relief valve discharges.

(EC-935, R302)

Connections are provided between Essential Instrument Air (EIA) and the Instrument Air Accumulators serving pneumatic operators for Shutdown Cooling Suction Isolation Valves SI-405A and SI-405B. The EIA system replenishes the accumulators from leakage, and is credited to maintain sufficient air to open these valves to establish shutdown cooling following a post-tornado shutdown. Operators take manual action to place EIA into service.

(EC-935, R302)

6.3.3.6 System Flow Arrangement

Simplified flow functional diagrams showing the alignment of SIS components following a LOCA are presented in Figures 6.3-4 through 6.3-8.

6.3.3.7 System and Component Operability Requirements

See the Technical Specifications for information concerning bounds for principal system components and parameters that must be maintained to assure a minimum level of standby readiness.

6.3.3.8 Post-LOCA Maintenance Considerations

Equipment required for long-term cooling following a postulated LOCA is designed to remain operable during and following the LOCA, and system redundancy assures that the ECCS will perform its post-LOCA function without maintenance.

Leakage from ECCS pumps or valves will be collected in floor drain sumps as shown on Figure 9.3-5.

The maximum leakage from a passive failure of the ECCS has been defined as that resulting from the failure of an ECCS pump seal (American National Standard N658.1976/ANS-51.7.1). The maximum leak rate due to a gross failure of an ECCS pump seal is 500 cc/min. These sumps are usually dry except during scheduled maintenance and/or cleaning of the equipment and/or the rooms.

When the Hi setpoint is reached, the mechanical alternator starts one of the pumps (the pump or pumps shut down at the Lo setpoint) and alarms in the control room. The actual starting up of the pump sends a signal to the plant monitoring computer. The mechanical alternator is designed so that each time it reaches the Hi setpoint the alternate pump is started (this is done to use both pumps equally).

If the Hi-Hi setpoint is reached (due to failure of the first pump to start or due to greater capacity than one pump can handle) a separate level switch alarms to its dedicated annunciator in the main control room. If at this point the level drops, the annunciator shows a return to normal condition.

Also located in each pump room are Class 1E flood level switches, located a few inches above the floor. These switches also alarm to their dedicated Class 1E annunciators in the main control room.

As can be seen, the operator has some idea of the magnitude of the leakage. Since the operator knows which sump and/or room has excess leakage, it can be determined what part of the system is leaking.

The operator will then remotely shut the containment isolation valves for that train of ECCS and secure the respective pumps, stopping the leak. Once radiation levels permit, it may be decided to drain the isolated part of the system into the respective sump or sumps. The valves that must be operated to perform the draining function are located outside the pump room with the leakage condition. Thus there is no need for anybody to enter the pump compartment with the leak. The sump or sumps will then be pumped to the radwaste system for processing. The remaining safety equipment train will provide the required long-term cooling capability. In addition to the redundancy described above, the plant design incorporates the following provisions to enhance maintenance of long-term cooling capacity.

During the recirculation phase of a postulated large break LOCA, one HPSI and one CSS pump must operate. Three HPSI pumps are provided to meet the one pump requirement. Should one HPSI pump fail during service, the spare HPSI pump can be lined up to replace it, thus restoring two-train redundancy.


The two LPSI pumps used during the injection phase of a large break LOCA are automatically turned off and not used during recirculation. Should a CSS pump fail, either of the two LPSI pumps can be lined up to replace the failed CSS pump. Thus even though only one CSS pump is required to be functional, four pumps are provided that can perform the required function.

In addition to the multiple redundancy described above, each ESF pump can be isolated, drained, and flushed to permit maintenance to be performed.

(DRN M9900813; EC-30976, R307)

For a small break LOCA, the LPSI pumps are used in their shutdown cooling mode to remove reactor decay heat. Expected radiation levels from such an accident may not be low enough to permit maintenance of a LPSI pump should it be required. Safety-related valve packing glands have provisions to adjust packing compression to reduce or eliminate leakage if accessible. Any leakage from the shutdown cooling heat exchangers will also flow through the drains to the safety equipment building sump. The amount of leakage from an affected train and associated radiation levels will dictate whether repairs can be made or whether to secure it and operate the other train alone.

(DRN M9900813; EC-30976, R307)

6.3.4 TEST AND INSPECTIONS

During fabrication of the SIS components, tests and inspections are performed and documented in accordance with code requirements to assure high quality construction. As necessary, performance tests of components are performed in the vendor's facility. The SIS is designed and installed to permit in-service inspections and tests in accordance with ASME Code Section XI.

6.3.4.1 ECCS Performance Tests

Prior to initial plant startup, a comprehensive series of system flow tests complying with NRC Regulatory Guides 1.68 (1/77) and 1.79 (9/75(a)), as detailed in Section 14.2, will be performed to verify that the design performance of the system and individual components is attained.

6.3.4.2 Reliability Tests and Inspections

6.3.4.2.1 System Level Tests

After the plant is brought into operation, periodic tests and inspections of the SIS components and subsystems are performed to ensure proper operation in the event of an accident. The scheduled tests and inspections are necessary to verify system operability, since during normal plant operation, SIS components are aligned for emergency operation and serve no other function. The tests defined permit a checkout at the subsystem and component level during normal plant operation. Satisfactory operability of the complete system can be verified during normal scheduled refueling shutdown. The complete schedule of tests and inspections of the SIS is detailed in the Technical Specifications.

(a) Except for C.1.b(2). Refer to Subsections 6.2.2.2.2.1, 6.2.2.3.2.1, 6.3.2.2.2.3 and the response to Q 211.64 for discussions on vortex control and NPSH.

6.3.4.2.2 Component Testing

In addition to the system level tests described in Subsection 6.3.4.1, tests to verify proper operation of the SIS components are also conducted. These tests supplement the system level tests by verifying acceptable performance of each active component in the SIS. Pumps and valves will be tested in accordance with ASME Section XI as described in Subsection 3.9.6.

6.3.4.3 Leak Testing

Leak testing of that part of the SI System outside containment will be conducted as part of a leak reduction program as required by NUREG-0737.

6.3.5 INSTRUMENTATION REQUIREMENTS

6.3.5.1 Design Criteria

The instruments and controls for the SIS are designed in accordance with the IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. The controls are interlocked to automatically provide the sequence of operations required to initiate SIS operation. The instrumentation and controls that actuate and control the SIS are designed on the following bases:

a) Redundant instruments are provided for initiation of SIS actions. Four sensors are used for each of the critical parameters. A trip from any of two of these four sensors initiates the appropriate SIS action. Circuits are run in separate wiring raceways to assure the availability of SIAS.

b) Independent emergency power sources required for SIS controls and instruments are provided.

Actuator-operated valves are provided with key-operated control switches, where considered necessary, to prevent unintentional misalignment of safety injection flow paths during power operation.

All valves that are not required to operate at initiation of safety injection, or recirculation in the safety injection flow path, are locked in the safety injection position during operation. Administrative controls ensure that the valves are locked in the correct position.

A further discussion of the instrumentation and associated analog and logic channels employed for safety injection initiation is given in Section 7.3.

6.3.5.2 System Actuation Signals

Operation of the SIS is controlled by two actuation signals. The first of these, the safety injection actuation signal (SIAS), initiates operation of the SIS in the event of low pressurizer pressure or high containment pressure. Both of these parameters provide an indication of a LOCA which requires operation of the SIS. SIAS may be manually initiated from the control room. The second control signal is the recirculation actuation signal (RAS). This signal changes the operation mode of the SIS from injection with suction from the RWSP to recirculation with suction from the SIS sump. The RAS is initiated by low RWSP level. RAS occurs automatically, whether SIAS is initiated manually or automatically. Changing from the injection mode of operation to recirculation permits continuous flow to the core when the RWSP water supply is depleted. See Section 7.3 for further discussion.

6.3.5.2.1 Safety Injection Actuation Signal (SIAS)

(DRN M9900458)

Initiation of safety injection is derived from four independent pressurizer pressure sensors and four independent containment pressure sensors. Coincidence trip signals from any two sensors for either parameter will automatically initiate safety injection. Automatic SIS operation is actuated at a pressurizer pressure of 1560 psia (analytical limit) during power operation.

(DRN M9900458)

During startup and shutdown operations, a variable setpoint is used as described in Section 7.2.

Blocking of SIAS must be accomplished manually and is automatically removed. The SIAS block and block removal design allows normal RCS cooldown without initiation of safety injection, at the same time prohibiting blocking of SIAS when the RCS is at operating pressure.

6.3.5.2.2 Recirculation Actuation Signal (RAS)

Four independent RWSP level transmitters provide signals for the RAS. Coincidence of any two low water level signals will initiate an RAS.
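The two-of-four coincidence described above for SIAS and RAS can be sketched as follows. This is an added illustration, not code from the FSAR or from the plant protection system; only the 1560 psia analytical limit comes from the text, while the containment pressure and RWSP level setpoints, the function names, and the sample readings are constructed placeholders.

```python
from typing import Sequence

# From the text: SIAS analytical limit on low pressurizer pressure (power operation).
PZR_LOW_PRESSURE_PSIA = 1560.0
# Constructed placeholders: the section gives no numeric value for these setpoints.
CNTMT_HIGH_PRESSURE_PSIA = 17.0
RWSP_LOW_LEVEL_PCT = 10.0

CHANNELS = 4      # four independent sensors per parameter
COINCIDENCE = 2   # any two tripped channels actuate


def coincidence(trips: Sequence[bool]) -> bool:
    """Two-out-of-four vote over the trip states of one parameter."""
    if len(trips) != CHANNELS:
        raise ValueError(f"expected {CHANNELS} channels, got {len(trips)}")
    return sum(bool(t) for t in trips) >= COINCIDENCE


def sias(pzr_psia: Sequence[float], cntmt_psia: Sequence[float],
         manual: bool = False) -> bool:
    """Safety injection actuation: manual initiation, or coincidence on
    either parameter. Trips are voted per parameter, so one pressurizer
    trip plus one containment trip does not add up to a coincidence."""
    pzr_trips = [p <= PZR_LOW_PRESSURE_PSIA for p in pzr_psia]
    cntmt_trips = [p >= CNTMT_HIGH_PRESSURE_PSIA for p in cntmt_psia]
    return manual or coincidence(pzr_trips) or coincidence(cntmt_trips)


def ras(rwsp_level_pct: Sequence[float]) -> bool:
    """Recirculation actuation: coincidence of two low RWSP level signals.
    It takes no SIAS input, so it actuates the same way whether SIAS was
    initiated manually or automatically."""
    return coincidence([lvl <= RWSP_LOW_LEVEL_PCT for lvl in rwsp_level_pct])


def demo() -> dict:
    """Constructed readings showing what the voting tolerates."""
    normal_pzr, normal_cntmt = [2250.0] * 4, [14.7] * 4
    return {
        # One channel failed low: a single trip cannot actuate spuriously.
        "one_failed_low": sias([0.0, 2250.0, 2250.0, 2250.0], normal_cntmt),
        # Real depressurization with two channels stuck high still actuates.
        "two_stuck_high": sias([1400.0, 1400.0, 2250.0, 2250.0], normal_cntmt),
        # One trip on each parameter: no coincidence on either parameter.
        "split_trips": sias([1400.0, 2250.0, 2250.0, 2250.0],
                            [20.0, 14.7, 14.7, 14.7]),
        "manual": sias(normal_pzr, normal_cntmt, manual=True),
        "ras_two_low": ras([5.0, 5.0, 80.0, 80.0]),
    }


if __name__ == "__main__":
    for name, actuated in demo().items():
        print(f"{name}: {actuated}")
```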

6.3.5.3 System Instrumentation

The instrumentation provided for monitoring SIS components during normal plant operation and during SIS operation is discussed in this section. Post accident monitoring and post-LOCA instrumentation are identified in Table 6.3-3.

6.3.5.3.1 Low-Pressure Injection Header Temperature

Temperature instrumentation on the low-pressure injection header is used to measure and record shutdown cooling water temperature as it enters and leaves the SIS. This readout is used to provide a measure of the overall system performance and provides information allowing the operator to adjust cooldown rate.

6.3.5.3.2 Pressure

6.3.5.3.2.1 Low-Pressure Safety Injection Header Pressure

A pressure transmitter is located in each LPSI header. This pressure is indicated in the control room and provides confirmation of pump operation. When used in conjunction with the pump characteristic performance curve, this pressure may be used to determine system flowrate.

6.3.5.3.2.2 High-Pressure Safety Injection Header Pressure

Pressure transmitters are located in each HPSI header. These pressures are indicated in the main control room and provide confirmation of pump operation. When used in conjunction with the pump characteristic performance curve, this pressure may be used to determine system flowrate.

6.3.5.3.2.3 Safety Injection Tank Pressure - Wide Range

A wide range pressure transmitter mounted on each safety injection tank permits readings of each tank pressure in the main control room.

6.3.5.3.2.4 Safety Injection Tank Pressure - Narrow Range

Two narrow range pressure transmitters on each tank permit more accurate tank pressure readings than the wide range transmitter. One transmitter alarms on high and low pressure and the other alarms on high-high and low-low pressure.

6.3.5.3.2.5 Safety Injection Check Valve Leakage Pressure

Pressure transmitters are located on each of six safety injection lines just upstream of the safety injection check valve adjacent to the reactor coolant loops. The leakage past these valves will be indicated by an increase in pressure with a high alarm in the main control room.

6.3.5.3.2.6 Safety Injection Tank Isolation Valve Position

Valve position is indicated in the control room by redundant and diverse indicators. Indicator lights verify either the fully open or fully closed position. An audible alarm is activated if the valve is not fully open when RCS pressure is  500 psig.

6.3.5.3.3 Level

6.3.5.3.3.1 Safety Injection Tank Level - Wide Range

Water level for each safety injection tank is indicated in the main control room throughout the complete tank volume except for water above the upper tank tangent or below the lower tank tangent. Signal input for this indication is provided by a differential pressure transmitter.

High and low water level alarms on each tank are actuated by a wide range transmitter. Similarly, high-high and low-low alarms are actuated by another wide range transmitter. Each wide range transmitter reads out in the main control room and provides redundant level indication.

6.3.5.3.4 Flow

6.3.5.3.4.1 Shutdown Cooling Flow

A shutdown cooling flow indicator which indicates total shutdown cooling flow is provided in each LPSI header. The flowmeter may also be used for backup flowrate data during safety injection and for testing the performance of the LPSI pumps. The flowrate is indicated in the main control room.

6.3.5.3.4.2 High-Pressure Safety Injection Flow

These flow channels indicate the flowrate in each of the four HPSI lines to the cold legs and each of the two lines to the hot legs. The flow elements for the flowmeters are located in such a manner that they serve both high pressure manifolds. The flowmeters are used to balance the HPSI flowrates in each of the lines.


SECTION 6.3: REFERENCES (DRN 00-550, R11)

1.

Code of Federal Regulations, Title 10, Part 50, Section 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors.

(DRN 00-550, R11)

2.

Pilgrim II PSAR, Section 6E, Amendment 21, October 30, 1975, Docket No. 50-471.

3.

San Onofre Nuclear Generating Station Units 2 and 3 FSAR, Docket No. 50-361 and 50-362 February 1977.

4.

"Calculational Methods for the CE Large Break LOCA Evaluation Model," Combustion Engineering, CENPD-132, August 1974 (Proprietary). "Calculational Methods for the CE Large Break LOCA Evaluation Model," Combustion Engineering, CENPD-132, Supplement 1, February 1975 (Proprietary). "Calculational Methods for the CE Large Break LOCA Evaluation Model" Combustion Engineering, CENPD-132, Supplement 2, July 1975 (Proprietary). CENPD-132-P, Supplement 3-P-A, Calculative Methods for the C-E Large Break LOCA Evaluation Model for the Analysis of C-E and W Designed NSSS", June, 1985.

(DRN 05-315, R14)

CENPD-132, Supplement 4-P-A, Calculative Methods for the CE Nuclear Power Large Break LOCA Evaluation Model, March, 2001.

(DRN 05-315, R14)

(EC-9533, R302)

CENPD-132-P-A, Supplement 4-P-A, Addendum 1-P-A, Calculative Methods for the CE Nuclear Power Large Break LOCA Evaluation Model, Improvement to 1999 Large Break LOCA EM Steam Cooling Model for Less Than 1 in/sec Core Reflood, August 2007.

(EC-9533, R302)

5.

Letter D.C. Switzer (NNECO) to 0.D. Parr (NRC), Millstone Unit 2 ECCS Reevaluation, July 10, 1975, Docket No. 50-336.

6.

System 80 CESSAR PSAR, Section 6.3.3, Docket No. STN-50-470.

(DRN 00-550, R11)

7.

"Calculation Methods for the CE Small Break LOCA Evaluation Model," Combustion Engineering Proprietary Report, CENPD-137, August 1974 (Proprietary). "Calculative Methods for the CE Small Break LOCA Evaluation Model", Combustion Engineering, CENPD-137, Supplement 1, January 1977 (Proprietary). CENPD-137, Supplement 2-P-A, Calculative Methods for the ABB CE Small Break LOCA Evaluation Model, April 1998 (Proprietary)

8.

"CE Fuel Evaluation Model" Combustion Engineering, CENPD-139, July, 1974 (Proprietary) CEN-161(B)-P-A, Improvements to Fuel Evaluation Model, August 1989. CEN-161(B)-P, Supplement 1-P-A, Improvements to Fuel Evaluation Model, January 1992.

(DRN 00-550, R11)

9.

CENPD-254-P-A, Post-LOCA Long Term Cooling Evaluation Model, June 1980, (Proprietary).

(DRN 05-315, R14)

10.

NRC Safety Evaluation Report for the Waterford 3 Extended Power Uprate.

11.

Entergy Letter W3F1-2005-0007, R.A. Dodds (Entergy) to Document Control Desk (NRC), Supplement to Amendment Request NPF-38-249, Extended Power Uprate, Waterford Steam Electric Station, Unit 3, Docket No. 50-382, License No. NPF-38, February 5, 2005.

(DRN 05-315, R14)

WSES-FSAR-UNIT-3 6.3-34 Revision 14 (12/05)

SECTION 6.3: BIBLIOGRAPHY

1.

"Calculational Methods for the CE Large Break LOCA Evaluation Model," Combustion Engineering, Inc., CENPD-132, Supplement 2, July 1975.

2.

Supplement to the Status Report by the Directorate of Licensing in the Matter of Combustion Engineering, Inc., ECCS Evaluation Model Conformance to 10CFR50, Appendix K, November 13, 1974.

3.

"CEFLASH-4A, A FORTRAN IV Digital Computer Program for Reactor Blowdown Analysis," Combustion Engineering, Inc., CENPD-133, April 1974 (Proprietary).

Supplement 2, "CEFLASH-4A, A FORTRAN IV Digital Computer Program for Reactor Blowdown Analysis (Modification)", Combustion Engineering, Inc., CENPD-133, December 1974 (Proprietary). CENPD-133, Supplement 5-A, "CEFLASH-4A, A FORTRAN77 Digital Computer Program for Reactor Blowdown Analysis", June 1985.

4.

"COMPERC-II, A Program for Emergency Refill-Reflood of the Core," Combustion Engineering, Inc., CENPD-134, April 1974 (Proprietary). Supplement 1, "COMPERC-II, A Program for Emergency Refill-Reflood of the Core (Modification)," Combustion Engineering, Inc., CENPD-134, December 1974 (Proprietary). CENPD-134, Supplement 2-A, "COMPERC-II, A Program for Emergency Refill-Reflood of the Core", June 1985.

5.

"STRIKIN-II, A Cylindrical Geometry Fuel Rod Heat Transfer Program," Combustion Engineering, Inc., CENPD-135, April 1974 (Proprietary).

Supplement 2, "STRIKIN-II, A Cylindrical Geometry Fuel Rod Heat Transfer Program (Modification)," Combustion Engineering, Inc., CENPD-135, December 1974 (Proprietary).

6.

"CE Fuel Evaluation Model," Combustion Engineering, CENPD-139, July 1974 (Proprietary).

WSES-FSAR-UNIT-3 Revision 14 (12/05)

Pages 6.3-35 through 6.3-36 have been intentionally deleted.

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 1 of 17)

Revision 305 (11/11)

FAILURE MODE AND EFFECTS ANALYSIS SAFETY INJECTION SYSTEM

No | Name(1) | Failure Mode | Cause | Symptoms and Local Effects Including Dependent Failures | Method of Detection | Inherent Compensating Provision | Effect Upon | Remarks and Other Effects

This FMEA covers failures that impact the function and operation of the Safety Injection System in both the injection and recirculation modes. Refer to FSAR Table 9.3-16 for a FMEA of the Shutdown Cooling System (SDCS).

1.

Shutdown cooling valve (motor) 2SI-V305B (SI-453),

2SI-V306A (SI-452)

Inadvertently opened Operator error Some cross flow to one LPSI subsystem from one Containment Spray subsystem, reduced or deadheaded LPSI pump flow, CS pump runout Reduced flow indication in one CS train and different outlet temps at the SDC HX (CS IFI7122A,B and CS ITI0303X,Y)

Redundant LPSI and CS subsystems would be unaffected. See Remarks.

N/A Valve is motor operated and normally locked closed except during SDCS operation

2.

Shutdown cooling flow control valve 2SI-FM317A (SI-307),

2SI-FM348B (SI-306)

Inadvertently closed Operator error Loss of one LPSI train Operator, valve position indication in control room Redundant parallel LPSI trains N/A Valve fails open on loss of air or loss of electrical power. Valve is normally locked open, except during SDCS operation

3.

Shutdown cooling stop valve (motor) 2SI-FM349B (SI-656),

2SI-FM318A (SI-657)

Inadvertently opened Operator error None Valve position indicator in control room Normally closed valves upstream prevent inadvertent flow N/A Valve is locked closed except during SDCS operation

4.

Isolation valve from SDC to LPSI pump discharge (motor) 2SI-V308B (SI-456),

2SI-V307A (SI-457)

Inadvertently opened Operator error None Valve position indicator in control room Normally closed valves downstream prevent inadvertent flow N/A Valve is motor operated and locked closed except during SDCS operation

(1) Valve tag numbers (SI-XXX) in this Table are CE valve numbers.

5.

LPSI pump A, B Fails to pump Electrical fault Loss of one LPSI train Low flow indication (SI IFIC0306 or -307), pump status lights and LPSI header pressure Redundant parallel LPSI trains N/A (EC-26496, R305)

Failure to stop on RAS Electrical Fault Increased sump flow resulting in potential loss of adequate NPSH to both trains of HPSI and CS pumps Pump status lights, flow indication (SI IFIC0306 or 307)

Manual action from Control Room to isolate pump flow from sump N/A (EC-26496, R305)

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 2 of 17)

Revision 12 (10/02)

6.

LPSI suction valve 2SI-B301A (SI-444),

2SI-B302B (SI-432)

Inadvertently closed Operator error Loss of one LPSI train Operator, periodic testing Redundant parallel LPSI trains N/A Valve is hand operated and normally locked open

7.

CVCS to LPSI pump stop valve 2SI-V341A, 2SI-V342B Inadvertently opened Operator error None Periodic testing Normally closed valves in CVCS prevent inadvertent flow N/A Manual valves closed except during SDCS operation

8.

HPSI flow path isolation valve 2SI-V803A/B (SI-413),

2SI-V804A/B (SI-412),

2SI-V311A (SI-470),

2SI-V312B (SI-402),

2SI-V313A (SI-411),

2SI-V314B (SI-403),

2SI-V806A (SI-427),

2SI-V807B (SI-405)

a. Fails open or closed
b. Inadvertently closed Mechanical binding Operator error Unable to isolate a HPSI pump for maintenance Loss of one HPSI train Operator Operator, periodic testing Redundant train available Redundant parallel HPSI train N/A N/A Valves are normally locked open or closed such as to assure two redundant and isolated HPSI subsystems

9.

HPSI pump No. A or B or A/B Fails to pump Electrical fault Loss of one HPSI train Pump status lights Redundant full capability HPSI pump assures system performance N/A The third HPSI pump is normally on standby and available as an installed spare

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 3 of 17)

Revision 12 (10/02)

(DRN 99-0934)

10.

LPSI valve (motor)

SI MVAAA139B (2SI-V1549A1)

(SI-615),

SI MVAAA138B (2SI-V1539B1)

(SI-625),

SI MVAAA139A (2SI-V1541A2)

(SI-635),

SI MVAAA138A (2SI-V1543B2)

(SI-645)

a. Fails to open on SIAS
b. Inadvertently opened
c. Fails full open on SIAS Mechanical binding Operator error Limit switch failure Loss of LPSI flow to one RCS cold leg None Increased LPSI flow to RCS cold leg Valve position indicator in control room Valve position indicator in control room High flow indication from FIC-306 or FIC-307 Adequate flow to remaining three cold legs In-line check valves prevent back flow Failure of the Flow Control valve to full open position will not cause LPSI flow to exceed maximum flow assumed in safety analyses.

N/A N/A

11.

HPSI valve (motor)

SI MVAAA225A (2SI-V1550A1)

(SI-617),

SI MVAAA225B (2SI-V1545B1)

(SI-616),

SI MVAAA226B (2SI-V1540B2)

(SI-626),

SI MVAAA226A (2SI-V1546A2)

(SI-627),

a. Fails to open on SIAS
b. Inadvertently opened Mechanical binding Operator error Degradation of HPSI flow to one RCS cold leg None Valve position indicator and HPSI flow meters in control room Valve position indicator in control room Redundant flow paths, redundant HPSI subsystems In-line check valves prevent back flow from RCS during normal plant operation N/A N/A (DRN 99-0934)

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 4 of 17)

Revision 12 (10/02)

11.

SI MVAAA227A (2SI-V1542A3)

(SI-637),

SI MVAAA227B (2SI-V1547B3)

(SI-636),

SI MVAAA228B (2SI-V1544B4)

(SI-646),

SI MVAAA228A (2SI-V1548A4)

(SI-647)

(Cont'd)

c. Fails full open on SIAS Limit switch failure Increased HPSI flow to RCS cold leg High flow indication from FI-311, FI-321, FI-331, or FI-341 Redundant full capacity HPSI pump assures system performance.

There is no HPSI upper limit assumed in safety analysis.

12.

SIT stop valve (motor) 1SI-V1505TK1A (SI-614),

1SI-V1506TK1B (SI-624),

1SI-V1507TK2A (SI-634),

1SI-V1508TK2B (SI-644)

Inadvertently closed Operator error Loss of one SIT N/A N/A N/A This failure is not considered credible since the valves must be opened, and locked open, with power removed prior to plant startup.

13.

SIT pneumatic fill valve 2SI-F1564TK1A (SI-611),

2SI-F1565TK1B (SI-621),

2SI-F1566TK2A (SI-631),

2SI-F1567TK2B (SI-641)

a. Fails closed
b. Fails open Air line separates from operator Mechanical binding SIT level control cannot be increased None. In-line stop valves prevent a tank from being drained No change in tank level indication with time Valve position indication None required Redundant stop valves in series N/A N/A SIT operability covered in plant Technical Specifications

14.

Injection line drain valve 1SI-F1551TK1A (SI-618),

1SI-F1552TK1B (SI-628),

a. Fails closed Severed air line Loss of ability to manually reduce excessive pressure in safety injection line and ability to recirculate affected pipe section No change in line pressure with time, valve position indication None, but would require a second failure to cause equipment damage N/A Valves are normally closed and receive close signal on SIAS

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 5 of 17)

Revision 305 (11/11)

14.

1SI-F1553TK2A (SI-638),

1SI-F1554TK2B (SI-648)

(Cont'd)

b. Fails to close on SIAS Mechanical binding Small diversion of SI flow to RWSP or RDT Operator, valve position indication Redundant parallel SI train N/A
15.

SIT vent valve 2SI-E632 (SI-605),

2SI-E636 (SI-613),

2SI-E633 (SI-606),

2SI-E637 (SI-623),

2SI-E634 (SI-607),

2SI-E638 (SI-633),

2SI-E635 (SI-608),

2SI-E639 (SI-643)

a. Fails closed
b. Fails in open position Mechanical binding or electrical malfunction Mechanical binding Degradation of redundancy to vent the tank for refill or to relieve pressure Degraded SIT performance No change in tank pressure when valve is opened Low SIT pressure alarm Redundant parallel valve With less than four (4) SITs operable, Technical Specifications require plant shutdown and depressurization N/A N/A Normally closed solenoid valve designed to fail closed on loss of power
16.

Nitrogen supply valve 2SI-F605TK1A (SI-612),

2SI-F606TK1B (SI-622),

2SI-F607TK2A (SI-632),

2SI-F608TK2B (SI-642)

a. Fails closed
b. Fails open Electrical fault, mechanical binding Mechanical binding, electrical fault, seat erosion Loss of ability to repressurize SIT Possible overpressurization of one SIT No increase in pressure when valve is opened, valve position indication High SIT pressure alarm Per Technical Specifications, plant operation is prohibited unless all four (4) SITs are operable Relief valve N/A N/A (EC-14765, R305)
17.

Stop valves SDC return line 1SI-V1504A (SI-652),

1SI-V1502B (SI-666),

SI-4052A(B)

Inadvertently opened Operator error None Valve position indicator in control room Redundant series valve N/A Valves are locked closed except during SDCS operation (EC-14765, R305)

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 6 of 17)

Revision 12 (10/02)

17.

1SI-V1503A (SI-651),

1SI-V1501B (SI-665),

2SI-V327A (SI-440),

2SI-V326B (SI-441)

(Cont'd)

18.

Stop valve SIT drain lines 2SI-F1561A/B (SI-682)

a. Fails closed
b. Inadvertently opened Mechanical binding or electrical malfunction Operator error SITs cannot be drained to the RWSP until a repair is made None No decrease in SIT level with time Position indicator SIT can be drained to RDT Normally closed valves in series prevent flow N/A N/A

19.

Stop valve SIT drain lines 5SI-F1563 (SI-661)

a. Fails closed
b. Inadvertently opened Mechanical binding or electrical malfunction Operator error SITs cannot be drained to the DCDH until a repair is made None No decrease in SIT level with time Position indicator SIT can be drained to RWSP Normally closed valves in series prevent flow N/A N/A

20.

Stop valve, hot leg injection 2SI-V1557 (SI-604),

2SI-V1556 (SI-321),

2SI-V1558 (SI-609),

2SI-V1559 (SI-331)

a. Inadvertently opened
b. Fails to open on demand Operator error Mechanical binding No effect on SI function Loss of one of two hot side safety injection flow paths Valve position indicator in control room Valve position indicator in control room; flow indicators SI IFI0390A, B in control room Redundant series isolation valve, and valve is normally locked closed Redundant flow path N/A N/A Prior to initiation of hot leg injection, operator must first close the HPSI discharge valves in order to prevent exceeding pump runout

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 7 of 17)

Revision 14 (12/05)

21.

(DRN 05-196, R14)

(DRN 05-196, R14)

Drain valve, hot leg injection 1SI-V2504 (SI-301),

1SI-V2505 (SI-302)

a. Fails closed
b. Fails to close on SIAS Mechanical binding Electrical or mechanical malfunction while line is being drained Unable to drain off reactor coolant which may leak past check valve during normal operation.

Degradation of one of two redundant hot leg injection flow paths Valve position indicator and pressure indication Valve position indicator None required.

CIAS will isolate drain line to RWSP.

N/A N/A

22.

RWSP isolation valve 2SI-L103A, 2SI-L104B

a. Fails closed
b. Fails open Mechanical binding, blockage, electrical failure Mechanical, electrical failure Loss of one suction line from RWSP Cannot isolate RWSP during recirculation of containment sump water; might have air in pump line and loss of one ECCS train Valve position indicator Valve position indicator Redundant parallel suction path Position of RWSP relative to SI sump should prevent air entrainment N/A N/A Valve is normally open
23.

RWSP level instrument SI ILT7114, SI ILT0301, SI ILT0302, SI ILT0305A, SI ILT0305B, SI ILT0305C, SI ILT0305D

a. Fails by indicating high level
b. Fails by indicating low level Mechanical, electrical Mechanical, electrical None None Level indicator Level indicator 2 out of 4 logic will prevent any single failure from preventing RAS 2 out of 4 logic N/A N/A Two instruments must fail to cause premature RAS

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 8 of 17)

Revision 12 (10/02)

24.

SIS recirculation sump isolation valve 2SI-L101A (SI-653),

2SI-L102B (SI-654)

a. Fails closed
b. Fails in partial open position Mechanical, electrical failure, blockage Mechanical binding, seal leakage Loss of one SIS recirculation sump suction line; loss of one HPSI and CS subsystem Might cause cavitation in affected pump Local valve position indicator Pump pressure Redundant parallel flow paths Redundant parallel flow paths N/A N/A

25.

Sampling system isolation valve 2SI-F623B, 2SI-F624A (SI-443)

a. Fails closed
b. Inadvertently opened Mechanical failure, blockage Operator error No impact on SI System No impact on SI function Operator Operator None required Series redundant valve prevents inadvertent flow N/A N/A

26.

Minimum recirculation line isolation valve (motor) 2SI-V809A (SI-668),

2SI-V802B (SI-660),

2SI-V810B (SI-667),

2SI-V801B (SI-659)

a. Inadvertently closed
b. Fails open Operator error Mechanical, electrical failure Loss of one minimum flow recirculation line to RWSP.

Possible pump/seal damage.

Potential diversion of sump water following RAS to RWSP Valve position indicator in control room; flow indication Valve position indicator in control room; flow indication Redundant SI train. Operator restores recirculation flow Series redundant valve isolates flow N/A N/A Valves are normally open, fail as is

27.

LPSI pump isolation valve 2SI-V309A (SI-446),

2SI-V310B (SI-434)

a. Inadvertently closed
b. Fails open Operator error Mechanical failure Loss of one LPSI line No impact on SI or SDC systems Flow indicator, pressure indicator in control room Operator Redundant parallel LPSI path None required N/A N/A Locked open, manually operated valve

28.

Pressure indicator SI IPI0306, SI IPI0307 Fails to indicate correct value Electrical, mechanical failure No direct impact on SI System Pressure indicator in control room, periodic testing None required N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 9 of 17)

Revision 12 (10/02)

29.

HPSI pressure indicator SI IPI0308, SI IPI0309 Fails to indicate correct value Electrical, mechanical failure No impact on SI System Periodic testing None required N/A

30.

High pressure header isolation valve (motor) 2SI-V1534 (SI-698),

2SI-V811B (SI-699)

a. Inadvertently closed
b. Fails open Operator error Mechanical failure Partial loss of cold leg HPSI flow Cannot divert specified fraction of cold leg HPSI flow to hot leg for long term cooling Operator, valve position indication Periodic testing, valve position indication Parallel restricting orifice, and parallel redundant HPSI path Parallel redundant HPSI path N/A N/A Locked open valve

31.

Charging pump to HPSI lines isolation valve 2SI-V1600 (SI-508),

2SI-V1535 (SI-509)

a. Fails closed
b. Inadvertently opened Mechanical failure Operator error No impact on SI System; cannot test check valve No impact on SI System Periodic testing Periodic testing None required Redundant series isolation valve N/A N/A

32.

Flow indicator SI IFI0390A,B Fails to indicate correct flow Electrical, mechanical failure No impact on System operation Periodic testing None required N/A

33.

RWSP isolation valve 3SI-V320A/B (SI-459),

2SI-V1570 (SI-463)

a. Fails closed
b. Fails open Mechanical failure Mechanical failure No impact on SI function None Periodic testing Periodic testing None required Redundant series isolation valves prevent draining SITs N/A N/A

34.

Isolation valves between RWSP return line and various systems 2SI-V319B, 2SI-V343B, 2SI-V344A, 2SI-V345A (SI-460)

a. Fails closed
b. Inadvertently opened Mechanical failure Operator error No impact on SI System No impact on SI System Periodic testing Operator None required Redundant series isolation valve N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 10 of 17)

Revision 12 (10/02)

35.

SDC return cross over valve 2SI-V346B (SI-450),

2SI-V353A (SI-400)

a. Fails closed
b. Inadvertently opened Mechanical failure Operator error No impact on SI (see FMEA for SDCS)

Divert part of LPSI flow from one LPSI header to LPSI pump suction.

Possibly exceed pump runout flow.

Periodic testing Periodic testing, valve position indication None required Redundant LPSI subsystem N/A N/A

36.

HPSI header flow indicator SI IFI0311, SI IFI0321, SI IFI0331, SI IFI0341 Fails to measure correct flow Mechanical, electrical failure No impact on SI Flow indicators in control room, periodic testing None required N/A

37.

Hot leg coolant injection (HLCI) pressure transmitter SI IPT0390A,B Fails to indicate correct pressure Mechanical failure No impact on SI System; might issue false alarm Periodic testing None required N/A Failure to detect leakage past RCS isolation check valve coupled with leakage past HLCI check valve could overpressurize HLCI line outside containment

38.

SIT pressure indicator SI IPI0311, SI IPI0312, SI IPI0313, SI IPI0321, SI IPI0322, SI IPI0323, SI IPI0331, SI IPI0332, SI IPI0333, SI IPI0341, SI IPI0342, SI IPI0343 Fails to indicate correct pressure Mechanical, electrical failure None Pressure indicators in control room, periodic testing Three parallel redundant pressure indicators per SIT N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 11 of 17)

Revision 12 (10/02)

39.

SIT level indicator SI ILI0312, SI ILI0313, SI ILI0322, SI ILI0323, SI ILI0332, SI ILI0333, SI ILI0342, SI ILI0343 Fails to indicate correct level Electrical, mechanical failure None Level indicators in control room, periodic testing Parallel redundant level indicators N/A

40.

SIT to RCS pressure indicators SI IPI0319, SI IPI0329, SI IPI0339, SI IPI0349 Fails to indicate correct pressure Electrical, mechanical failure No impact on SI Periodic testing None required N/A Failure to detect leakage past RCS isolation check valve coupled with leakage past SI header check valve could lead to overpressure of SI lines outside containment.

41.

LPSI pump discharge check valve 2SI-V333A (SI-433),

2SI-V334B (SI-423)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Reduced LPSI flow, effective loss of one LPSI subsystem No effect Low flow indication from SI IFIC0306 or SI IFIC0307 None Redundant LPSI subsystem Series check valves prevent back flow N/A N/A

42.

LPSI pump suction check valve 2SI-V331A (SI-428),

2SI-V332B (SI-418),

2SI-V354A, 2SI-V355B

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Effective loss of LPSI subsystem Normally no effect, potential contamination of CS system and RWSP with primary fluid during normal shutdown cooling (requires double failure)

Low flow indication from SI IFIC0306 or SI IFIC0307 Periodic testing Redundant LPSI subsystem Series check valves prevent back flow N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 12 of 17)

Revision 12 (10/02)

43.

HPSI discharge header check valve 2SI-V1521A (SI-404)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Effective loss of one HPSI subsystem Possible overpressure of one HPSI subsystem when charging through HPSI header Periodic testing Increase in equipment drain tank level Redundant HPSI subsystem Relief valve 2SI-R1530A (SI-417)

N/A N/A

44.

HPSI pump discharge check valve 2SI-V821A (SI-425),

2SI-V805A/B (SI-414),

2SI-V822B (SI-415)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Loss of one HPSI train No effect Periodic testing None Redundant full capability HPSI pump assures system performance Suction check valves prevent back flow through inoperative pump N/A N/A

45.

HPSI pump suction check valve 2SI-V315A (SI-410),

2SI-V316B (SI-401)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Effective loss of one HPSI subsystem None during emergency operation Periodic testing None Redundant full capability HPSI subsystem Other in-line check valve prevents back flow N/A N/A

46.

HPSI pump minimum flow stop check valve 2SI-V1562-1 thru 4 (SI-422),

(SI-424),

(SI-426),

(SI-488)

a. Inadvertently closed
b. Fails open Operator error Seat leakage Possible damage to one HPSI pump if it is run dead headed Unable to isolate associated pump for maintenance Eventual pump status indication Leakage during maintenance Redundant HPSI pumps Redundant full capacity subsystem available N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 13 of 17)

Revision 14 (12/05)

47.

HPSI header check valve 1SI-V1522RL1A (SI-113),

1SI-V1523RL1B (SI-123),

1SI-V1524RL2A (SI-133),

1SI-V1525RL2B (SI-143)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Loss of HPSI flow to one RCS cold leg None Periodic testing None Adequate HPSI flow to remaining three cold legs Series isolation valve can isolate system for repair N/A N/A

(DRN 05-196, R14)

48.

Hot leg injection check valve 1SI-V2506, 1SI-V2507, 1SI-V2508, 1SI-V2509

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Loss of one hot side safety injection path No effect on safety injection Low flow indication in control room, SI IFI0390 A,B Periodic testing Redundant parallel hot leg injection path Redundant check valve in series N/A N/A Failure to detect leakage past RCS isolation check valve coupled with leakage past HLCI check valve could overpressurize HLCI line outside containment

(DRN 05-196, R14)

49.

RWSP outlet header check valve 2SI-V107A, 2SI-V108B

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material, mechanical binding, seat leakage Loss of one suction line from RWSP; loss of all ECCS redundancy Potential diversion of coolant from containment sump to RWSP when RAS is initiated; potentially eventual inadequate NPSH for HPSI and CS pumps Periodic testing None Redundant parallel suction line None N/A N/A
50.

SIS recirculation sump check valve 2SI-V105 (SI-406),

2SI-V106B (SI-407)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material Loss of one SIS recirculation sump suction line; lose one train for recirculation None Flow indicators in affected SI train Periodic testing Redundant SI train Series redundant isolation valve N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 14 of 17)

Revision 12 (10/02)

51.

LP header check valve 1SI-V1517RL1A (SI-114),

1SI-V1518RL1B (SI-124),

1SI-V1519RL2A (SI-134),

1SI-V1520RL2B (SI-144)

a. Fails closed
b. Fails open Corrosion, mechanical binding Foreign material, mechanical binding, seat leakage Loss of one LPSI line Overpressure of one LPSI subsystem outside containment during small break LOCA injection phase; loss of RWSP inventory to waste tank Periodic testing None Redundant parallel LPSI line None N/A N/A LPSI header relief valve may protect LPSI piping

52.

SIT discharge check valve 1SI-V1510TK1A (SI-215),

1SI-V1512TK1B (SI-225),

1SI-V1514TK2A (SI-235),

1SI-V1516TK2B (SI-245)

a. Fails closed
b. Fails open Mechanical failure Mechanical failure Loss of one SIT Reverse flow; overpressure of one SIT when HPSI pumps start up following a small break LOCA Periodic testing Periodic testing None None N/A N/A

53.

SI to RCS check valve 1SI-V1509RL1A (SI-217),

1SI-V1511RL1B (SI-227),

1SI-V1513RL2A (SI-237),

1SI-V1515RL2B (SI-247)

a. Fails closed
b. Fails open Mechanical binding Mechanical binding Loss of one SI line Increase in SI line pressure inside containment Periodic testing High pressure alarm None Pressure can be periodically reduced by bleeding to the RWSP N/A N/A

54.

SIT relief valves 2SI-R617TK1A (SI-211),

2SI-R619TK1B (SI-221),

2SI-R618TK2A (SI-231),

2SI-R620TK2B (SI-241)

a. Fails to open
b. Fails to reseat Mechanical binding Spring failure or seat leakage No effect on SI function. Possible tank over-pressurization Loss of pressure in one tank if valve fails wide open, effective loss of one tank Periodic testing or high pressure alarm on effective tank Low pressure alarm Pressure can be manually relieved from the control room Shutdown and repair N/A N/A The spurious opening of a relief valve is a passive failure of low probability

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 15 of 17)

Revision 12 (10/02)

55.

LPSI line relief valve 2SI-R350B, 2SI-R613A/B (SI-439)

a. Fails to open
b. Fails to reseat Mechanical binding Seat leakage No effect on SI function. Cannot relieve excess pressure when required. Possible over-pressure when header is isolated.

Divert part of LPSI flow to waste tank Pressure indicator, periodic testing Periodic testing None required Redundant parallel LPSI path N/A N/A

56.

HPSI line relief valve 2SI-R823A (SI-472),

2SI-R1530A (SI-417),

2SI-R824B (SI-409),

2SI-R1529, 2SI-R1531A

a. Fails to open
b. Fails to reseat Mechanical binding, blockage Seat leakage No effect on SI function. Cannot relieve excess pressure when required. Possible over-pressure when header isolated.

Divert part of HPSI flow to waste tank Pressure indicator, periodic testing Periodic testing None required Redundant parallel HPSI path N/A N/A

57.

LPSI mini recirculation line solenoid valve 2SI-E1587A, 2SI-E1588B

a. Inadvertently closed
b. Fails in open position Operator error Mechanical binding Loss of recirculation line from LPSI pump to RWSP. Possible pump/seal damage.

No effect on SI function Valve position indication in control room, flow indication Operator Redundant parallel SI train.

Operator restores recirculation flow.

None required N/A N/A Solenoid operated, normally open, fail open valve Refer to SDCS FMEA

(DRN 02-1051)

58.

LPSI Header Auto Vent Isolation valves SI-ISV-6011 SI-ISV-6012

a. Fails in open position
b. Inadvertently closed Loss of power, failed solenoid Operator error Redundant valve provided, no effect on system Loss of capability to automatically vent potential gas voids Periodic testing Operator None required None required N/A N/A Fail open (DRN 02-1051)

59.

HPSI suction line relief valve 2SI-R124A, 2SI-R125B, 2SI-R126A/B

a. Fails to open
b. Fails to reseat Mechanical binding, blockage Seat leakage No effect on SI function. Cannot relieve excess pressure when required. Possible over-pressure when header isolated.

Divert part of HPSI flow to waste tank Periodic testing Periodic testing None required Redundant parallel HPSI path may provide adequate flow N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 16 of 17)

Revision 13 (04/04)

(DRN 02-1896, R13)

60.

Injection line check valve bypass test valves 1SI-V1592 (1, 3, 4 & 6) 1SI-V2510-1, 1SI-V2510-2 Inadvertently left open Operator error No effect on SI function. Possible pressurization of SI piping outside containment.

Operator None N/A Failure would be detected during valve lineups or testing (DRN 02-1896, R13) 61.

Local sample valves 2SI-F808A (SI-490),

2SI-F1569B (SI-467)

a. Inadvertently open
b. Fails closed Operator error Mechanical binding No impact on SI function No impact on SI function Operator Operator Series redundant valve prevents inadvertent flow None required N/A N/A 62.

SIT sample isolation valves 2SI-V609-11 (SI-214),

2SI-V609-14 (SI-224),

2SI-V609-17 (SI-234),

2SI-V609-20 (SI-244)

Inadvertently closed Operator error No impact on SI function. Cannot sample SIT Operator None N/A Operator must restore sampling capability in order to verify SIT operability requirements 63.

Drain line isolation from SIT to RWSP 5SI-V1599 Inadvertently closed Operator error No impact on SI function. Unable to drain SITs to RWSP.

Operator Alternate drain to RDT available N/A 64.

LPSI pump suction line relief valves 2SI-R614A (SI-468),

2SI-R212B (SI-478)

a. Fails to open
b. Fails to reseat Mechanical
binding, blockage Seat leakage No impact on SI function. Possible over-pressurization of SI piping.

Diversion of small portion of SI fluid Operator Operator None Operator action to eventually recognize failure and isolate leak path N/A N/A

WSES-FSAR-UNIT-3 TABLE 6.3-1 (Sheet 17 of 17)

Revision 14 (12/05)

FAILURE MODE AND EFFECTS ANALYSIS SAFETY INJECTION SYSTEM No Name Failure Mode Cause Symptoms and Local Effects Including Dependent Failures Method of Detection Inherent Compensating Provision Effect Upon Remarks and Other Effects

65. RWSP vent line check valve 7SI-V120A/B

a. Failure mode: Fails closed
   Cause: Corrosion, mechanical binding
   Symptoms and local effects: No impact on SI function
   Method of detection: None
   Inherent compensating provision: RWSP vacuum breakers would open during SI and CS phase
   Effect upon: N/A

b. Failure mode: Fails open
   Cause: Foreign material
   Symptoms and local effects: No impact on SI function
   Method of detection: None
   Inherent compensating provision: None
   Effect upon: N/A

Remarks and other effects: Failure would not result in a loss of RWSP safety function or an uncontrolled release of radioactivity to the environment

(DRN 02-1399, R12-A)

66. LPSI Header Auto Vent Isolation Valves SI ISV 14023A & SI ISV 14024A

a. Failure mode: Inadvertently closed
   Cause: Operator error
   Symptoms and local effects: Loss of auto-vent potential for gas void
   Method of detection: Operator, valve position indication locally (SI 14024A) in control room (SI 14023A)
   Inherent compensating provision: Manual venting using SI-14021A
   Effect upon: N/A

b. Failure mode: Fails open
   Cause: Mechanical binding, blockage
   Symptoms and local effects: No impact on SI function
   Method of detection: Operator, valve position indication locally (SI 14024A) in control room (SI 14023A)
   Inherent compensating provision: Series redundant valve closes on SIAS & CIAS
   Effect upon: N/A

Remarks and other effects: Periodic surveillance for system gas voiding required by Tech. Spec.

(DRN 02-1399, R12-A)

(DRN 05-196, R14)

67. ADV Failure PCV-MS-0303A and PCV-MS-0303B

a. Failure mode: Fails open
   Cause: Mechanical binding, blockage
   Symptoms and local effects: No impact on SI function
   Method of detection: Valve position, steam pressure indication (SG-IPT-1013, 1023)
   Inherent compensating provision: None
   Effect upon: N/A

b. Failure mode: Fails closed
   Cause: Mechanical binding, control loop failure, operator error (valve disabled, improper setpoint)
   Symptoms and local effects: No impact on SI function
   Method of detection: Valve position, steam pressure indication (SG-IPT-1013, 1023)
   Inherent compensating provision: ADV on the second steam generator
   Effect upon: N/A

Remarks and other effects: The operation of one ADV to supplement the operation of one HPSI train is credited in SBLOCA PCT analysis. With two HPSI trains available, an ADV is not required.

(DRN 05-196, R14)

WSES-FSAR-UNIT-3 TABLE 6.3-2 (Sheet 1 of 3) Revision 9 (12/97)

SAFETY INJECTION SYSTEM COMPONENTS PARAMETERS

Component/Property                            Parameters

Low-pressure safety injection pumps
  Quantity                                    2
  Type                                        Single stage, vertical centrifugal
  Safety Classification                       2
  Code                                        ASME III, Class 2
  Design pressure, psig                       650
  Maximum operating suction pressure, psig    435
  Design temperature, F                       400
  Design flowrate, gpm                        4,050 (does not include 100 gpm min. recirc. flow)
  Design head, ft.                            342
  Maximum flowrate, gpm                       5,650
  Head at maximum flowrate, ft.               240 minimum
  Materials                                   Stainless Steel type 316 or approved equivalent
  Seals                                       Mechanical
  Motor horsepower                            500

High-pressure safety injection pumps
  Quantity                                    3
  Type                                        Multistage, horizontal centrifugal
  Quality Group Classification                B
  Code                                        ASME III, Class 2
  Design pressure, psig                       1,950
  Maximum operating suction pressure, psig    400

WSES-FSAR-UNIT-3 TABLE 6.3-2 (Sheet 2 of 3)

Revision 302 (12/08)

Component/Property                            Parameters

High-pressure safety injection pumps (Cont'd)
  Design temperature, F                       400
  Design flowrate, gpm                        380 (Does not include 25 gpm bypass flow)
  Design head, ft.                            2,830
  Maximum flowrate, gpm                       910
  Head at maximum flowrate, ft.               1,275
  (DRN99-2461, R11)
  Tested Pump Runout Capacity, gpm            985
  (DRN99-2461, R11)
  Materials                                   Stainless Steel, type 316 or approved equivalent
  Shaft seal                                  Mechanical
  Motor horsepower                            600

Safety injection tanks
  Quantity                                    4
  Quality Group Classification                B
  Code                                        ASME III, Class 2
  Design pressure, internal/external, psig    700/0
  Design temperature, F                       200
  Operating temperature, F                    120
  Normal operating pressure, psig             615 - 655
  Minimum operating pressure, psig            600
  Volume total, ft³                           2,250
  Liquid
  (DRN 03-2060, R14; EC-9533, R302)
    Minimum, ft³                              926
    Nominal, ft³                              1366
    Maximum, ft³                              1586
  (DRN 03-2060, R14; EC-9533, R302)
  Discharge nozzle size, in.                  12 Schedule 160

WSES-FSAR-UNIT-3 TABLE 6.3-2 (Sheet 3 of 3) Revision 10 (10/99)

Component/Property                            Parameters

Safety injection tanks (Cont'd)
  Fluid                                       Borated water, 2050-2900 ppm boron nominal
  Material                                    Stainless clad carbon steel

WSES-FSAR-UNIT-3 TABLE 6.3-3 POST-LOCA INSTRUMENTATION

Item                                          Post-LOCA Function

Cold leg injection line flowmeters            Monitor cold leg injection flow
Hot leg injection line flowmeters             Monitor hot leg injection flow
LPSI header temperature indicator, (a)        Monitor LPSI header temperature
SDCHX inlet pressure (a)                      Monitor SDCHX performance
SDCHX outlet temperature (a)                  Monitor SDCHX performance
RCS pressure indication (a)                   Initiate and control shut down cooling
RCS temperature (a)                           Initiate shutdown cooling
Containment pressure (a)                      Initiate ESFAS, secure containment spray
Steam generator pressure (a)                  Initiate MSIS
Steam generator level (a)                     Initiate auxiliary feed-water
Pressurizer level (a)                         Monitor pressurizer level

(a): A post-accident monitored parameter. See Section 7.5

WSES-FSAR-UNIT-3 TABLE 6.3-4 SAFETY INJECTION SYSTEM PROCESS FLOW DATA

Operating Mode - Flow, gpm

Data    Injection     Short Term       Long Term          Long Term          Shutdown
Point   Fig. 6.3-4    Recirculation    Recirculation      Recirculation      Cooling
                      Fig. 6.3-5       Fig. 6.3-6         Fig. 6.3-7         (Fig. 6.3-8)
                                       (Large Break)      (Small Break)*

1       0             2635             2635               885 to 0           0
2       7785          0                0                  0                  0
3       5065          0                0                  0                  4050
4       910           885              885                885 to 0           0
5       5065          0                0                  4050               4050
6       910           885              885                885 to 0           0
7       100           0                0                  0                  0
8       25            0                0                  0                  0
9       4965          0                0                  4050               4050
10      885           885              885                885 to 0           0
11      0             0                0                  0 to 4050          0 to 4050
12      4965          0                0                  4050 to 0          4050 to 0
13      4965          0                0                  4050               4050
14      2482.5        0                0                  2025               2025
15      885           885              442.5              885 to 0           0
16      221.25        221.25           110.6              221.25 to 0        0
17      442.5         442.5            221.25             442.5 to 0         0
18      2925          442.5            221.25             2467.5 to 2025     2025
19      0             0                442.5              0                  0
20      0             0                442.5              4050               4050
21      370           0                0                  0                  0
22      1810          1750             1750               0                  0
23      60            0                0                  0                  0

* These flows assume that the containment spray system is not actuated. For situations where containment spray is actuated, flow point 1 would be 2635 to 1750 gpm and flow point 22 would be 1750 gpm.

WSES-FSAR-UNIT-3 TABLE 6.3-5 Revision 14 (12/05)

LONG TERM COOLING INSTRUMENTATION Post LOCA Monitoring and Surveillance

ACTION                                        PARAMETER MONITORED       TAG. NO.

Emergency Feedwater System Actuated (EFAS)    SG Level                  L1113 & 1123
                                              SG Pressure               P1013 & 1023

HPSI Pump Actuated                            HPSI Flow                 F311, 321, 331, 341
                                              HPSI Pressure             PI 308 & 309

Confirm Emergency Feed Flow                   Emergency Feed Flow       FT-FW-8330 AS
                                                                        FT-FW-8330 BS

Confirm Steam Dump Activated                  SG Pressure               P1013 & 1023
                                              SG Level                  L1113 & 1123

(DRN 03-2060, R14)

(DRN 03-2060, R14)

Shutdown Cooling Initiation                   Pressurizer Pressure      P103, 104, 105, 106
                                              RCS Temperature           T115 & 125
                                              SDCHX Pressure            P303x, 303y

Confirm Hot Leg Injection                     Hot Leg Injection Flow    FT-SI0390 AS
                                                                        FT-SI0390 BS

WSES-FSAR-UNIT-3 TABLE 6.3-5A Revision 307 (07/13)

Core and System Parameters Used in the LTC Analysis

Parameter                                             Value

(DRN 03-2060, R14; 06-1061, R15)

Reactor power level (including uncertainty)           3735 MWt
Number of plugged tubes per SG                        1870*
SG/RCS cooldown rate                                  40°F/hr
Shutdown cooling entry temperature                    350°F
(EC-35592, R306)
RCS pressure measurement uncertainty *                +75.4 psi / -78.7 psi
(EC-35592, R306)
Number of atmospheric dump valves                     2
Atmospheric dump valve flow rate, at 900 psia         675,000 lbm/hr/valve
Emergency feedwater flow requirement                  281,000 gal
RCS liquid mass                                       480,000 lbm
RCS boron concentration                               2000 ppm

Boric acid makeup tanks
  liquid volume, total                                22,920 gal
  boric acid concentration                            6187 ppm

Refueling water storage pool
  liquid volume                                       548,016 gal
  boron concentration                                 3000 ppm

Safety injection tanks
  number                                              4
  liquid volume per tank                              1886 ft³
  boron concentration                                 3000 ppm

Charging pumps
  number                                              3
  flow rate per pump                                  44 gpm

Flow rates for emptying the RWSP
  HPSI pump flow rate                                 790 gpm
  LPSI pump flow rate                                 4084 gpm
  CS pump flow rate                                   1750 gpm
(EC-8458, R307)

(EC-35592, R306)

* The LTC analysis supports pressurizer pressure uncertainties that bound +/- 80 psi (EC-35592, R306)

WSES-FSAR-UNIT-3 TABLE 6.3-6 Revision 307 (07/13)

(DRN 00-550, R11;04-631, R13-B; 03-2060, R14;05-545, R14)

HIGH PRESSURE SAFETY INJECTION PUMP MINIMUM DELIVERED FLOW TO THE RCS FOR A SMALL BREAK LOCA (Assuming One Emergency Diesel Generator Failed)

(DRN 04-631, R13-B)

(DRN 05-1457, R15)

RCS Pressure, psig    Flow Rate, gpm (a)

0                     800.0
200                   735.9
400                   666.3
600                   589.2
800                   501.4
1000                  396.0
1200                  254.0
1300                  143.3
(EC-8458, R307)
1355.1                0

(DRN 05-1457, R15; EC-8458, R307)

(a) For a discharge leg break, it is assumed that 25% of the flow spills out the break and that the remaining 75% of the flow is injected to the three intact discharge legs.

(DRN 00-550, R11; 03-2060, R14;05-545, R14)

WSES-FSAR-UNIT-3 TABLE 6.3-6a Revision 14 (12/05)

 (DRN 04-631, R13-B;05-545, R14)

THIS TABLE HAS BEEN INTENTIONALLY DELETED

 (DRN 04-631, R13-B;05-545, R14)

WSES-FSAR-UNIT-3 TABLE 6.3-7 Revision 11 (05/01)

(DRN 00-550)

TABLE 6.3-7 HAS BEEN INTENTIONALLY DELETED.

(DRN 00-550)