LR-N17-0034, Salem Generating Station, Units 1 & 2, Revision 29 to Updated Final Safety Analysis Report, Section 6, Engineered Safety Features
Text
SECTION 6 ENGINEERED SAFETY FEATURES The central safety objective in reactor design and operation is control of reactor fission products. The methods used to assure this objective are: 1. Design of the reactor core in conjunction with the Reactor Control and Protection Systems to preclude release of fission products from the fuel (Sections 4 and 7). 2. Retention of fission products in the reactor coolant for whatever leakage occurs (Sections 5 and 6). 3. Retention of fission products by the containment for operational and accidental releases beyond the reactor coolant boundary (Section 3.8 and Section 6). 4. Limiting fission product dispersal to minimize population exposure for an accidental release beyond the containment (Sections 2, 12, and 15). The engineered safety features are the provisions in the station which embody methods 2 and 3 above to prevent the occurrence or to ameliorate the effects of serious accidents. The engineered safety features in this station are: 1. The steel-lined, reinforced concrete containment, concrete cylindrical wall, and reinforced concrete base and dome. These form a virtually leak-tight barrier to the escape of fission products should a loss-of-coolant accident (LOCA) occur -detailed in Section 3.8. 6.1-1 SGS-UFSAR Revision 6 February 15, 1987
- 2. The Emergency Core Cooling System (ECCS), which provides borated water to cool the core in the event of an accidental depressurization of the Reactor Coolant System (RCS). The combination of the control rods and the boron in the injected water provides the necessary control of reactivity required -detailed in Section 6.3. 3. The Containment Spray System which is used to reduce containment pressure and remove iodine from the containment atmosphere -detailed in Section 6.2. 4. The Containment Fan Cooling System is used to recirculate and cool the containment atmosphere in the event of a LOCA
- detailed in Section 6.2. Evaluations of techniques and equipment used to accomplish the central objectives including accident cases are detailed in Sections 3, 5, 6, and 15. The design philosophy with respect to active components in the Engineered Safety Systems is to provide duplicate equipment so that maintenance is possible during operation without impairment of the safety function of the systems. Routine servicing and maintenance of equipment of this type would generally be scheduled for periods of refueling and maintenance outages. Conditions on continued reactor operation during such outages that are provided in the Technical Specifications will conform to reasonable experienced judgment and industry practice and will be shown to ensure safe operation. 6. 1 CRITERIA Criteria applying in common to all engineered safety features are given in Section 6.1.1. Criteria which are related to engineered 6.1-2 SGS-UFSAR Revision 6 February 15, 1987 safety features but are more specific to other plant features or systems are listed and cross-referenced in Section 6.1.2. Those criteria which are specific to one of the engineered safety features are discussed in the description of that system. 6.1.1 Engineered Safety Features Criteria The criteria applying to all engineered safety features are given below. 6.1.1.1 Engineered Safety Features Basis for Design The design, fabrication, testing, and inspection of the core, reactor coolant pressure boundary, and their Protection Systems give assurance of safe and reliable operation under all anticipated normal, transient, and accident conditions. However, engineered safety features are provided in the facility to back up the safety provided by these components. These engineered safety features have been designed to cope with any size pipe break up to and including the circumferential rupture of reactor coolant pipe assuming unobstructed discharge from both ends, and to cope with any steam or feedwater line break. The release of fission products from the containment is limited in three ways: 1. Blocking the potential leakage paths from the containment. SGS-UFSAR This is accomplished by: a. A steel-lined with liner weld concrete channels reactor containment and high integrity piping penetrations utilizing partial penetration seal welds between the containment penetration sleeve/seal plate and the process piping to form a virtually leak-tight barrier preventing the escape of fission products should a LOCA occur. 6.1-3 Revision 13 June 12, 1994
- b. Isolation of process lines by the Containment Isolation System which imposes double barriers for each line which penetrates the containment. 2. Reducing the fission product concentration in the containment atmosphere. This is accomplished by chemically treated spray which removes elemental iodine vapor from the containment atmosphere by washing action, and by recirculation of containment atmosphere through high-efficiency particulate air filter units. 3. Reducing the containment pressure and thereby limiting the driving potential for fission product leakage. This is accomplished by the Containment Spray System_ which cools the containment atmosphere or by recirculation of containment atmosphere through fan cooler units. 6.1.1.2 Reliability and Testability of Engineered Safety Features A comprehensive program of plant testing is formulated for all equipment systems and system control vital to the functioning of engineered safety features. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to assure reliable performance, upon demand, throughout the station lifetime. The initial tests of individual components and the integrated test of the system as a whole complement each other to assure performance of the system as designed and to prove proper operation of the actuation circuitry. Routine periodic testing of the engineered safety features components is intended. In the event that one of the redundant components should require maintenance as a result of failure to perform during the test according to prescribed limits, the SGS-UFSAR Revision 6 necessary corrections or minor maintenance are made and the unit retested immediately. Satisfactory performance of the remaining redundant component(s) is proof of the availability of that safety feature, and it is not necessary to adjust station load during the brief period that a safety feature component may be out of service. 6.1.1.3 A LOCA or other plant equipment failure might result in dynamic effects or missiles. For such engineered safety features as are required to assure safety in the event of such an accident or equipment failure, protection from these dynamic effects or missiles is considered in the layout of plant equipment and missile barriers. Fluid and mechanical driving forces are calculated, and consideration is given to the possibility of damage due to fluid jets and missiles which might be produced by the action of such jets. Consideration is given during the design of the station to the following sources of missiles: instrument thimbles including installed sensors, bolts, and complete control rod drive shafts and/or mechanisms (refer to Sections 3 and 5). Layout and structural design specifically protect safety injection lines to unbroken reactor coolant loops against damage as a result of the maximum reactor coolant pipe rupture. Injection lines penetrate the main missile barrier and the injection headers are located in the missile-protected area between the main missile barrier and the containment wall. Individual injection lines, connected to the injection header, pass through the barrier and then connect to the loops. Separation of the individual injection lines is provided to the maximum extent practicable. Movement of the injection line, associated with a rupture of a reactor coolant loop, is accommodated by line flexibility and by the design of the pipe supports such that no damage outside the missile barrier is possible. 6.1-5 SGS-UFSAR Revision 6 Februar 15 1987 In addition, missile protection is provided for engineered safety features located outside the containment. The containment structure is capable of withstanding the effects of missiles originating outside the containment and might be directed toward it so that no LOCA can result. The control room enclosure is also capable of withstanding such credible missiles as may be directed toward it, assuring capability to maintain control of the station. Consideration is also given to the layout of other equipment outside the containment which is required to place the station in a safe shutdown condition and maintain it in that condition until repairs can be effected. Missile protection will be afforded by: 1. Judicious location of piping and equipment otherwise subject to possible damage, behind existing wall or other barriers with appropriate credit for spatial separation of redundant components 2. Local shielding to stop potential missiles at their source 3. Addition of missile barriers to protect vulnerable piping and equipment All hangers, stops, and anchors are designed in accordance with ANSI 831.1, Code for Pressure Piping, and ACI 318, Building Code Requirements for Reinforced Concrete, which provide minimum requirements for material, design, and fabrication with ample safety margins for both dead and dynamic loads over the life of the equipment. 6.1.1.4 Engineered Safety Features Performance Capability Each engineered safety feature provides sufficient performance capability to accommodate any single failure and still function in 6.1-6 SGS-UFSAR Revision 6 February IS. 1987
- *
- a manner to avoid undue risk to the health and safety of the public . During the recirculation phase the ECCS is tolerant of one active or one passive failure1 but not in addition to a single failure in the injection phase. One active or passive failure in the systems required for long-term ECCS operation will not prevent the accomplishment of the ECCS objectives nor cause the total offsi te dose to exceed 10CFR50. 67 limits, with credit for detection and action. In the particular case of an ECCS pump being out for maintenance, an additional active or passive failure is not considered. The maximum period that operation would be continued with one pump out for maintenance is specified in the Technical Specifications. The extreme upper limit of public exposure is taken as the levels and time periods presently outlined in 10CFR50.67, i.e., 25 rem TEDE maximum in a 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> period at the exclusion radius, and 25 rem TEDE over the duration of the accident at the low population zone distance. The accident condition considered is the hypothetical case of a release of fission products as in Guide 1.183. Also, the loss of outside power is assumed concurrently with this accident . Under the above accident conditions, the Containment Spray and Fan Cooling Systems are designed and sized so that, operating with partial effectiveness, it can supply the necessary post-accident cooling capacity to assure the maintenance of containment integrity; that is, keep the pressure below design pressure at all times, assuming that the core residual heat is released to the containment as steam. Partial effectiveness is defined as operation of a system with at least one active component failure. The fan cooling system's performance capability for defense against thermally induced overpressure, the development of two-phase flow regions, and column separation or voiding leading to the possibility of waterhammer events are analyzed for as part of the NRC's Generic Letter 96-06 modifications. The ECCS and related pumps which must operate following the design basis accident include the residual heat removal, safety 6.1-7 SGS-UFSAR Revision 23 October 17, 2007 I injection, containment spray, centrifugal charging, component cooling water, and service water pumps. Minimum available Net Positive Suction Head (NPSH) to the safety injection, centrifugal charging, and containment spray pumps occurs when all are taking suction from the refueling water storage tank (RWST) during the injection operation immediately following the design basis accident. Since maximum required NPSH and minimum available NPSH occur at the_ runout flow for the pumps, this flow was assumed for calculation purposes. The temperature of the RWST water varies between 40°F and 100°F. Available NPSH at runout flow to these pumps at both the high and low temperatures was calculated. Suction line friction losses are higher at 40°F, but the higher vapor pressure of 100°F water leaves less available NPSH to the pumps. Friction losses were calculated using the conservative pipe and fitting resistances given in the Crane co. Technical Paper Number 410. The residual heat removal pumps take suction during the post-accident recirculation phase from the containment sump. The water is at a higher temperature than during injection, but the elevated containment pressure following a design basis accident somewhat offsets the higher vapor pressure of the water; however, no credit is taken for this. In addition, the piping to the pump suctions is quite direct; hence, friction losses are small. Service water pumps are vertical turbine pumps taking suction directly at the plant intake. Suction location is 44 inches below low-low water elevation (Elevation 76 feet), temperature 90°F. The component cooling water pumps have suction head tanks which maintain pressure in the closed system equal to the maximum elevation of the system piping. 6.1-8 SGS-UFSAR Revision 12 July 22, 1992 6.1.1.5 Engineered Safety Features Components' Capability Active components of the ECCS and the Containment Spray System are located outside the containment and not subject to containment accident conditions. 6.1.1.6 Accident Aggravation Prevention The reactor is maintained subcritical following a pipe rupture accident. Introduction of borated cooling water into the core does not result in a net positive reactivity addition. The control rods insert and remain inserted. The supply of water by the ECCS to cool the core cladding does not produce significant water-metal reactions. The delivery of cold emergency core cooling water to the reactor vessel following accidental expulsion of reactor coolant does not cause further loss of integrity of the RCS boundary. Accumulator actuation, including possible nitrogen addition, is evaluated in Section 15 and is shown not to aggravate any LOCA. Instrumentation, motors, cables, and penetrations located inside the containment which are required to function are selected to meet the most adverse accident conditions to which they may be subjected. These items are either protected from containment accident conditions or are designed to withstand, without failure, exposure to the worst combination of temperature, pressure, and humidity expected during the required operational period. The ECCS pipes serving each loop are restrained at the missile barrier in each loop area to restrict potential accident damage to the portion of piping beyond this point. The anchorage is designed to withstand, without failure, the thrust force of any branch line severed from the reactor coolant pipe and discharging fluid to the atmosphere, and to withstand a bending moment equivalent to that which produces failure of the piping under the action of free end discharge to atmosphere or motion of the broken 6.1-9 SGS-UFSAR Revision 6 February 15, 1987 reactor coolant pipe to which the emergency core cooling pipes are connected. This prevents possible failure at any point upstream from the support point including the branch line connection into the piping header. 6.1.1.7 Sharing of Systems For all shared systems and/or components, analyses confirm that there is no interference with basic function and operability of these systems due to sharing, and hence no undue risk to the health and safety of the public results. The residual heat removal pumps and heat exchangers serve dual functions. Although the normal duty of the residual heat removal exchangers and residual heat removal pumps is performed during periods of reactor shutdown, during all station operating periods this equipment is aligned to perform the low head injection function of emergency core cooling. During the recirculation phase of the accident, the residual heat removal pumps take suction from the containment sump. Each pump has a separate suction line. Operational testing of the system, performed during each refueling period before station startup, provides assurance of correct system alignment for the safety function of the components. During the injection phase, the safety injection and centrifugal charging pumps do not depend on any portion of other ECCSs. During the recirculation phase, if RCS pressure stays high due to a small break accident, suction to the high head and centrifugal charging safety injection pumps is provided by the residual heat removal pumps. The ability of the above systems to perform their dual function is discussed in Sections 6.2 and 6.3 and in Sections 5 and 15. 6. 1-10 SGS-UFSAR Revision 6 February 15, 1987 6.1.2 Related Criteria The following are criteria which, although related to all engineered safety features are more specific to other plant features or systems. sections, as listed. Therefore, they are discussed in other Name Quality Standards Performance Standards Records Requirements Instrumentation and Control Systems Engineered Safety Features Protection System Emergency Power Seismic Design Criteria 6.1-11 SGS-UFSAR Discussion Section 17 Section 3.1 Section 17 Section 7 Section 7 Section 8 Section 3.7 Revision 6 February 15, 1987