ML20064N271
| ML20064N271 | |
| Person / Time | |
|---|---|
| Site: | Clinch River |
| Issue date: | 02/15/1983 |
| From: | Longenecker J ENERGY, DEPT. OF, CLINCH RIVER BREEDER REACTOR PLANT |
| To: | Grace J Office of Nuclear Reactor Regulation |
| References | |
| HQ:S:83:213, NUDOCS 8302160170 | |
| Download: ML20064N271 (83) | |
Text
O Department of Energy Washington, D.C. 20545 Docket No. 50-537 HQ:S:83:213 FEB 151983 Dr. J. Nelson Grace, Director CRBR Program Office Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C.
20555
Dear Dr. Grace:
PRINCIPAL DESIGN CRITERIA FOR THE CLINCH RIVER BREEDER REACTOR PLANT Enclosed is the revised Section 3.1 of the Preliminary Safety Analysis Report (PSAR) that incorporates the final principal design criteria.
This information will be included in the next PSAR revision.
Any questions regarding the subject information can be addressed to Mr. D. Florek (FTS 626-6188) or Mr. A. Meller (FTS 626-6355) of the Project Office Oak Ridge staff.
Sincerely, hw OY JdEn R. Longeneck Acting Director, Office of Breeder Demonstration Projects Office of Nuclear Energy Enclosure cc: Service List Standard Distribution Licensing Distribution Oi,p 8302160170 830215 PDR ADOCX 05000537 A
T.. i L.-..-,.
..::. ^
l i
i This chapter identifies and discusses the principal architectural and engineering design criteria for the plant. These criteria are supplemented by i
more specific criteria discussed in Chapters 4 through 12.
31 CONFORMANCE WITH GENERAL DESIGN CRITERIA 3 1.1 Introduction and soone 3 1.1.1 General Pursuant to the provisions of Title 10 Part 50, Section 50 3% of the Ccde of Federal Regulations, an application for a nuclear power plant construction permit must include the principal design criteria for a proposed facility.
The principal design criteria establish the necessary design, fabrication, construction, testing and performance requirements for structures, systema mid components important to safety; that is, structures, systems and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.
General design criteria, which establish the minimum requirements for the principal design criteria for nuclear power plants are identified in the Code of Federal Regulations, Title 10, Part 50, Appendix A (10CFR50A). While these criteria provide guidance for all types of nuclear power plants, they are specifically oriented toward water reactors. This is recognized in the Code of Federal Regulations which states, "These General Design Criteria establish minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have been issued by the Commission. The General Design Criteria are also considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units".
As a result of the increased design and development activities directed toward the establishment of commercial liquid metal fast breeder reactor (LMFBR) plants, the need for more specific guidance for the design of these plants was recognized. Consequently, the American Nuclear Society Subcommittee ANS-24 (now ANS-54) was established in 1963 to develop and interpret these criteria for the LMFBR. The subcommittee included representatives from the reactor manufacturers, the architect-engineer, vendors, utilities, and the Atomic Energy Commission's regulatory and development divisions. The efforts of this group resulted in draft General Safety Design Criteria for an LMFBR Nuclear Power Plant.
3.1.1.2 ceneral neminn criteria The 10CFR50 Appendix A criteria and the draft criteria from ANS-54 were considered in developing the General Design Criteria for the Clinch River Breeder Reactor Plant (CRBRP). In July 1974, the USAEC Directorate of Licensing issued the " Interim General Design Criteria for the Clinch River Breeder Reactor Nuclear Power Plant". These interim criteria were then also carefully considered in finalizing the CRBRP General Design Criteria, which were discussed in Section 3 1 3 in the PSAR as docketed in April 1975 3 1-1
s 6
3 1.1 3 CRBRP Desian Criteria Subsequent to docketing of the PSAR, NRC issued the "CRBRP Design Criteria" which apply to CRBRP. The CRBRP Design Criteria are identified in Section 3 1 3 with a response provided for each. Table 3 1-4 provides a cross index between the General Design Criteria and the CRBRP Design Criteria.
In December 1982, following a review of the CRBRP Design Criteria, the NRC issued in Reference 3-1, the final Principal Design Criteria for CRBRP. As indicated in Reference 3-1, the review which lead to the issuance of the final Principal Design Criteria utilized the General Design Criteria for LWRs, contained in Appendix A to 10 CFR 50, as guidance with appropriate additions, deletions and modifications to account for the unique aspects of CRBRP and to reflect additional requirements and conservatians deemed appropriate for CRBRP.
The Principal Design Criteria, including a statement of how the CRBRP design complies with each, was incorporated into Section 31 of the PSAR in 6
February 1983
-These CRBRP Design Criteria recognize the overall design concept selections for the CRBRP, including a three loop plant having a heat transport system consisting of three flow paths in sequence separated by passive barriers.
These sequential flow paths are provided by a reactor coolant system, an intermediate cbolant system, and an extraction system for utilization or dissipation of beat. The principal components in the reactor coolant system are protected by guard vessels to limit the consequences of failure of the coolant boundary. The passive barriers, i.e., beat exchanger tube walls, are at the reactor coolant system / intermediate coolant system and the intermediate coolant system / heat extraction system interfaces.
A low leakage containment barrier is used as the outermost barrier to limit the release of radioactive materials to the environment.
It is recognized that highly reliable plant operation is an essential element in assuring safe operation. Accident prevention through the use of reliable designs obtained by rigorous application of codes and standards and quality control applied to all phases of design, construction, testing and operation is first and foremost in providing asfe operation. The degree to which various off-normal and accident conditions should be considered in formulating the design bases depends on the specific design features and their effectiveness in preventing the accidents.
Section 3 1.2 defines terms used in the criteria, where some possibility o ambiguity has been foreseen.
In Section 3 1.3, each of the criteria is stated, together with a statement of the means by which the design has been responsive to the requirements of that criterion.
3 1.2 Definitions and Evolanations The definitions given below form the bases for requirements placed with the criteria quoted in Section 3 1.3 3 1-2 o
....,~.= -
s l
Nuclear Power Unit.
A nuclear power unit means a nuclear power reactor and associated equipment necessary for electric power generation and includes those structures, systems, and components required to provide reasonable assurance the facility can be operated without undue risk to the health and safety of the public.
Active Comoonent. An active component is one in which mechanical movement must be initiated or electrical power must be provided to accomplish a safety function of the component.
Active Comoonent Failure. Active component failure means failure of an active component to operate or stop as intended on demand or a change of state when no change is intended.
No Loss of Safety Function. No loss of safety function meane that the equipment or component retains its capability of accomplishing its safety function as required to accommodate a postulated event, but following the event repairs or replacements could be required to restore the equipment to its original design conditions.
Sierle Failure. A single failure means an occurrence which results in loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single be designed against an failure. Fluid and electric systems are considered 6
assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly), nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.1 Common Mode Failure. Common mode failure is the failure of redundant equipment caused by a single phenomenon or credible event. In the context of this definition consideration should be given to such items as:
(1) degradation of properties of material at different locations due to the same cause and (2) a design, fabrication, maintenance, operational, testing or installation deficiency common to multiple components.
1 1Single failure of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.
3 1-3
s Reactor Coolant Svaten. Reactor coolant system means those components such as the reactor vessel, primary pumps, IHI, valves and connecting piping, which contain primary radioactive coolant and are necessary to transport reactor core heat to the intermediate coolant system.
Reactor Coolant Boundarv. Reactor Coolant Boundary means those compcaents i
auch as the vessel, heat exchangers, piping, pumps, tanks, and valves which are (a) part of the reactor coolant system or (b) connected to the reactor coolant system up to and including any and all of the following:
A.
The second of two (2) valves normally closed or automatically isolable during normal reactor operation.
B.
The passive barrier between the reactor coolant and the working fluid of other portions of the heat transport system.
A list of components which comprise the reactor coolant boundary can be found in Table 3 1-1.
Intermediate Coolant System.
Intermediate coolant system means those components such as intermediate pumps, steam gensrator, expansion tanks and connecting piping, which contain intermediate coolant and are necessary to transport core heat from the primary coolant system to the steam system.
Intermediate Coolant Boundarv. Intermediate coolant boundary means those components such as heat exchangers, piping, pumps, tanks, and valves which are (1) part of the intermediate coolant system or (2) connected to the intermediate coolant system up to and including any and all of the following:
(a) The passive barrier between the intermediate coolant and the working fluid of the other portions of the heat transport system.
(b) The first valve normally closed or automatically isolable during normal reactor operation in piping which does not penetrate reactor containment.
(c) The outermost containment isolation.41ve in piping which penetrates reactor containment.
The components which comprise the intermediate coolant boundary are listed in Table 3 1-2.
Normal Oneration Normal operation means steady state operation and those departures from steady state operation which are expected frequently or regularly in the course of power operation, refueling, maintenance, or maneuvering of the plant. It includes conditions such as startup, normal shutdown, standby, load following, anticipated operational occurrences, operation with specific equipment out of service as permitted by Technical Specifications, and routine inspection, testing and maintenance of components and systems during any of these conditions, if it is consistent with the Technical Specifications.
3 1-4
i Off-Normal Conditions Off-normal conditions mean those steady state and transient conditions not part of normal operation which (1) individually may be expected to occur once or more during the plant lifetime and i.
de but are not limited to an inadvertent control rod withdrawal, tripping of sodium circulating pumps, i
failure of all offsite power, and tripping of the turbine generator set or (2)
)
which individually are not expected to occur during the plant lifetime; however, when integrated over all plant components and systems, events in this category may be expected to occur a number of times. Events in (1) are termed Anticipated Faults and events in (2) are termed Unlikely Faults.
Extremelv Unlikelv Faults Events of such extremely low probability that no events in this category are expected to occur during the plant lifetime, but which nevertheless represent extreme or limiting cases ta' failures which are identified as possible.
These extremely unlikely events, which are design bases, shall encompass a spectrum of events appropriate to the design. These may include, for example, a large sodium fire, a large sodium-water reaction, and a rupture of a radwaste system tank.
Inert Atmosohere. Inert atmosphere means a gas or gaseous mixture limited in oxygen and other substances that are chemically reactive with sodium so that chemical reactions will not significantly increase the consequences of contact with sodium.
Heat Trannoort System. The heat transport system is the aggregate of systems and/or components containing the heat transport fluids and used for extracting heat from the reactor and transporting it to the equipment used for electrical power conversion during normal operation or, after plant shutdown, to an ultimate heat sink. It does not include systems whose prime function is the i
cooling of structures or equipment.
Reactor Residual Heat Extraction System. The reactor residual heat extraction system is the portion of the heat transport system which, r/ ter plant shutdown is capable of extracting heat from the reactor coolant and transporting this heat to an ultimate heat sink.
The ultimate heat sink is that heat sink including necessary retaining structures (e.g., a river with its dam, or a pond with.its dam) to which teactor decay heat and essential cooling system heat loads are dissip'ated following normal reactor shutdown or shutdown after an accident.
Fuel Desian Limits.
Fuel design limits means those limite such as temperature, burnup, fluence, and cladding strain which are specified by the designer for normal operation and anticipated operational occurrences beyond which fuel rod failure may occur.
l l
3 1-5
~
1.....-_._~
..a 3.1.2.1 Connarison of Plant conditions with 10CFR50 The text of Section 31.2 gives clear definitions of rive plant conditions:
Normal Operation, Anticipated Faults, Off-Normal Conditions, Unlikely Faults, and Extremely Unlikely Faults, which are consistently used throughout Chapter 15 of the PSAR. In 10CFR50, Appendix A and PSAR Section 3 1, a total of three categories of operational conditions and events are used, namely: Normal Operation (defined previously), Anticipated Operational Occurrences, and Postulated Accidents, defined below.
Anticioated Ooerational Occurrences. Anticipated operational occurrences means those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include, but are not limited to, an inadvertent control rod withdrawal, tripping of sodium circulating pumps, a failure of all offsite power, and tripping of the turbine generator set.
Postulated Accidents. Postulated accidents means those events which, although not expected to occur, are selected, in addition to normal and anticipated operational occurrences for establishing design bases of systems, components and structures. They represent bounding events which envelop variations in the types of accidents considered and are the upper bound design basis events.
Postulated accidents together with normal operational occurrences represent the total spectrum of design basis events.
Table 3 1-1 provides a comparison of the definitions of design basis event conditions (PSAR Chapter 15) with those definitions provided in 10CFR50 Appendix A.
313 Conformance with CRERP General Desian Criteria 3.1.3 1 Overall Recuirements Criterion 1 - Qualt*,v Standards anJ Records Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.
A quality assurance program shall be established and implemented in order to provide adequate assurance that 3 1-6
~
these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.
Response
The design of this plant conforms to the intent of this criterion. The design criteria for structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. The CRBRP structures, systems and components have been analyzed in accordance with the basic intent of 10CFR50, Section 50.55a and Regulatory Guide 1.?6, and have been classified as Safety Class 1 (SC-1), Safety Class 2 (SC-2), or Safety Class 3 (SC-3), commensurate with the importance of the safety functions to be performed. The safety class assignment is to be considered in the design, fabrication, construction, erection, test and operation of the plant. Further details are provided in PSAR Section 3 2.
Codes and Standards to be employed in the design, fabrication, erection and testing of the plant are identified and evaluated for applicability, adequacy and sufficiency, and as necessary are supplemented or modified to assure a quality product in keeping with the required safety function.
A quality assurance program has been established and implemented in order to provide adequate assurance that the structures, systems and components will satisfactorily perform their intended service. The program complies with the requirements of the contracts and the execution of the program complies with the requirements of 10CFR50, Appendix B.
The quality assurance program controls the quality-related activities throughout the life of the project and is documented.
Appropriate records of the design, fabrication, erection, and testing of structures, system and components important to safety are maintained under the control of the nuclear power plant licensee throughout the life of the plant. Procedures define those records which are necessary to document the quality of the abructures, systems and components important to l
safety. Records identified by the licensee are transferred as directed.
Further details are provided in PSAR Chapter 17 Criterion 2 - Desian Bases for Protection Against Natural Phenom.?na 4
Structures, systems, and components important to safety shall be designed.to withstand the effects of natural phenomena such as earthquakes, tornadoes".
hurricanes, floods, tsunami, and seiches without 1)ss of capability to perform their safety functions.
The design bases for these structures, systems, and components shall reflect:
(1) appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, 3 1-7
=
(2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and (3) the importance of the safety functions to be performed.
Resconse:
The design of this plant conforms to the intent of Criterion 2.
The historical record and other information influencing the selection of the design basis natural phenomena are given in Sections 2 3, 2.4, and 2.5.
The Clinch River Breeder Reactor Plant (CRBRP) structures, systems, and components important to safety are to be designed to remain functional in the event of a Safe Shutdown Earthquake (SSE) and are classified as seismic Category I.
These plant features are also referred to as safety-related features in this PSAR. These include, but are not limited to, those structures, systems and components which are necessary:
a.
To assure the integrity of the Reactor Coolant Boundary; b.
To shutdown the reactor and maintain it in a safe shutdown condition; c.
To prevent or mitigate the consequences of accidents which could result in potential off-site exposures comparable to the guideline exposures of 10CFR100.
Those CRBRP structures, systems and components which are to be designed only for an Operating Basis Earthquake (OBE) are classified as Category II.
Category II includes those features that are required to permit continued reactor operation, but are not included in the Category I classification; and those items selected as requiring protection so as to prctect plant investment.
Non-Seismic Category I structures, systems, and components are those which are not included in Seismic Category I, but are essentially for maintaining support of normal plant operations. Non-Seismic Category I structures will be designed in accordance with the Standard Building Code (SBC) for Seismic Ione 2.
The Seismic Design Criteria for the CRBRP, included as Appendix 3.7-A, presents the detailed criteria and engineering design requirements, including the response spectra, analytical requirements and procedures, loading conditions, categories and combinations, and testing criteria that are to be used for the plant design.
Design of Seismic Category I mechanical systems and equipment to withstand seismic, accident and operational loadings will be provided by analyses or by dynamic testing. The Category I instrumentation and electrical systems and components will be designed against failure to perform their intended functions during and after an earthquake of the intensity of the Safe Shutdown Earthquake.
3 1-8
Seismic Category I structures will be designed for a 90 mile / hour basic wind 30 feet above grade with a 100-year period of recurrence. The Seismic Category I structures will be designed to withstand tornadoes. Tornado wind loads will be applied to the Seissio Category I structures in a similar manner as the wind loads.
Structures not designed for tornado wind loadings and whose collapse could endanger the safoty functions of the protective structures, such as the non-Seismic Category I cooling tower, will be located a safe distance from the safety-related structures.
Seismic Category I structures and components will be designed to withstand or to be protected against a wide spectrum of credible missiles (internal and external) so that containment integrity will be maintained and safe shutdown of the reactor be brought under all plant conditions.
Seismic Category I structures and components will be designed for the hydrostatic forces due to the Maximum Flood Level (MFL) at 809 ft.
The conservative derivation of this level is described in Section 2.4.2.
For those safety-related systems and components located below the MFL, flood protection measures will be provided to ensure against intrusion of groundwater or flood water. There are no exterior penetrations in any Seismic I builaing below the MFL.
Flood warning systems will be developed and installed in conjunction with TVA flood control network.
The design criteria for protection of ths plant from the effects of natural phenomena are given in Sections 3 3 through 3 11. The systems, components and structures important to safety will be designed to accommodate, without loss of capability, effects of the design basis natural phenomena along with appropriate combinations of normal and accident conditions.
Criterion 9 - Fire Protection Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat resistant raterials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, l
systems, and components important to safety. Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of structures, systems, and components.
Bannonne:
The Non-Sodium Fire Protection System provides the plant with equipment, piping, valves, detectors, instrumentation and controls to prevent or mitigate the consequences of a non-sodium fire.
l 31-9
It consists of the following:
Water Supply System Wet Sprinkler System Preaction Sprinkler Systen Water Spray Systen Halon 1301 cas Blanketing System Standpipe System Portable Fire Extinguisher Systen Fire Detection System Fixed Dry Chemical System The general description of the above systems is provided in Section 913.1 and Table 9 13-4.
The fire prevention and protection systems to be provided for all the areas associated with the safety related structures, systems and components are listed in Table 9 13-3 In areas with safety related structures, systems and components, the Non-Sodium Fire Protection Cystem piping and components (such as sprinkler heads) will be designed so that neither piping failures nor inadvertent operation of the system fire protection components due to a seismic event will result in the loss of function of safety related structures, systems and components.
This is accomplished through the use of seismically qualified pipe supports, and dry pipe preaction sprinklers within areas containing safety-related equipment. Standpipes serving safety-related equipment are Seismic Category I and will be supplied by a Seismic Category I water supply system if necessary.
Building isolation valves will be specified as Seismic Category I.
Electrical power for the Fire Protection System will be provided from the normal plant AC power distribution system. If normal AC power is unavailable, the water supply system pressure will be maintained by two diesel-driven fire pumps, and the fire detection system will be energized by a non-Class IE 4-hour DC battery / inverter system that has the capability of being connected to an emergency diesel generator through qualified isolation devices. The Non-Sodium Fire Protection System will be designed in accordance with applicable codes and standards.
Five barriers will provide isolation between areas such as:
Steam Generator Building, Steam Generator Bay from Intermediate Bay, Maintenance Bay, Auxiliary Bay and Diesel Generator Building.
Access to all buildings, other than the Reactor Containment Building, will be designed such that there will be multiple means of access for operating personnel and there will be multiple mekna of access for fire fighting personnel.
The largest potential source of fire from fuel oil is in the vicinity of the standby diesel generator fuel oil storage tanks, located below grade adjacent to the Diesel Generator Building.
As these tanks are located below grade, the chance of an accident is reduced.
Physical separation provided between the 3 1-10
t two tanks limits the spreading of fire from one tank to the other. Since l
either tank is capable of fulfilling the emergency fuel oil requirements, a safe shutdown of the plant will not be jeopardized by a fire in either tank.
Charcoal filters will be bounded and separated by fire barriers, and the filter units will be made redundant, so that safe shutdown of the plant will i
not be jeopardized by a fire in either filter.
Table 9 13-3 lists the safety related areas of the plant containing combustible materials. The burning characteristics of these materials such as maximum fire intensity, flame spread, smoke generation and toxicity of combustion products are listed in Table 9 13-2.
A detailed fire hazards analysis will be provided in the FSAR and will evaluate the potential fire hazards throughout the plant and the effect of postulated design basis fires relative to maintaining the ability to perform safety shutdown functions and minimizing radioactive releases to the environment. This analysis will serve to confirm the adequacy of the present fire protection system which is based on a preliminary fire hazards analysis. Noncombustible and beat resistant materials will be used throughout the plant wherever practical to minimize the fire intensity in any combustion zone. The integrity of vital areas, components and systems is assured through the use of redundancy, physical separation and fire barriers, and administrative controls of materials brought into vital areas.
The design features of the fire detection system are provided in Table 9.13-4.
The alara system will be designed such that the failure of single fire detection devices do not affect the operation of remaining detection devices connected to the same detection zone. The interconnecting circuitry between the detection devices within a zone will be continuously supervised, and a break in the circuitry will be annunciated both locally and in the Control Room.
The entire plant will be encircled by a cement-line, coal tar enamel coated, underground ductile iron piping fire loop having a minimum diameter of 12 inches. Two runouts from the fire pump discharge header will serve the fire loop.
Section 9.13 describes the Non-Sodium Fire Protection System.
The electrical design criteria for circuit integrity and fire protection are described in Section 8.3 l
I Criterion 4 - Protection Anninnt Sodium and NaK Reactions Systems, components and structures containing sodium or NaK shall be designed l
and located to limit the consequences of chemical reactions resulting from a sodium or NaK spill. Special features acch as inert atmosphere vaults shall l
be provided as appropriate for the reactor coolant system. Fire control systems and means to detect sodium, NaK or their reaction products shall be provided to limit and control the extent of such reactions to assure that the l
i functions of component important to safety are maintained.
Means shall be I
provided to limit the release of reaction products to the environment as necessary to protect plant personnel and to avoid undue risk to the public l
3 1-11
l health and safety. Material which might come in contact with sodium or NaK shall be chosen to minimize the adverse effects of possible chemical reactions or microstructural changes. In areas where sodium or NaK chemical reactions
)
are possible, structures, components and systems important to safety, i
including electrical wiring and components, shall be designed and located so that the potential for damage by sodium chemical reactions is minimized.
Means shall be provided as appropriate to minimisa possible contacts between sodium /NaK and water.
A single failure of a passive boundary shall not permit the contact of primary coolant with water / steam. The effects of possible i
interactions between sodium /NaK and concrete shall be considered in the l
design.
The sodium-steam generator system shall be designed to detect sodium-water reactions and limit the effects of the energy and reaction products released by such reactions so as to prevent loss of safety functions of the heat transport system.
Response
The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require that the plant be designed and constructed with special consideration given to the effects of sodium and NaK including the detection, consequences and mitigating of sodium and NaK reactions and spills. CRBRP mecta Criterion 4 and provides protection against sodium or NaK reactions as follows:
j
- 2) The use of carbon steel cell liners and catch pans in concrete cells to prevent or mitigate any concrete / sodium or NaK reactions in the event i
of a spill.
i
- 3) The use of insulation approved for sodium and NaK systems with an inner and outer sheath of stainless steel to minimize absorption in the insulation.
- 4) The use of suitable instrumentation to detect any sodium or NaK reactions.
The instrumentation to detect sodium or NaK reactions is described in Sections 7 5.5 and 9 13 2.
Fire prevention and suppression capability is provided by an inert environment in steel lined cells and by a catch pan or catch pan / fire suppression deck system in air-filled cells.
The Steam Generator System is provided with subsystems to detect sodium-water leakage and to limit any reaction effects.
These are discussed in Sections 7 5 and 5.5, respectively.
3 1-12
..,a, 4
l Criterion 5 - Environmentale and Miamila Damien Emmam Structures, systems, and components important to safety shall be designed to d
accommodate the' effects of, and to be compatible with, the environmental conditions associated with normal operation, including articipated operational j
J occurrences, maintenance, testing, and postulated' accidents, including the affects of Na and NaK and their aerosols and combustion products. These structures, systems, and components shall be apropriately protected against dynamic effects, such as the effects of missiles, pipe whipping, and discharging fluida, that may result from equipment failures and from events and conditions outside the nuclear power unit.
Resnonse:
The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require that the plant be designed and constructed to withstand the effects of normal and abnormal operation without causing a loss of other plant systems or hardware important to safety. CRBRP meets criterion 5 through incorporation of the design features listed below.
All plant locations containing safety related control and electrical equipment, that need a controlled environment to maintain the required operability, are to be provided with redundant air conditioniLg and/or l
ventilation facilities for the needed environmental control. Analytical information on the various local environmental conditions in the plant is given in the corresponding sections in Chapters 2, 3, 6, 9 and 15.
The safety-related systems which are required to function during and following any identified accident are identified in Section 7.1.
Worst case environmental conditions will be defined for each location.
Where possible, the equipment comprising the safety-related I&C systems is located in controlled atmospheres (e.g., control room). For this equipment, the worst case environments are those resulting from salfunctions of H&V or power source systems. Safetysrelated equipment located in the Containment, the Steam Generator Building, the Reactor Service Building, the Control Building, the Electrical Equipment Building and the Diesel Generator Building l
will be designed to operate through, or be protected from, the worst I
environmental conditions for which the equipment must perform. Environmental conditions which will be considered in design include temperature, humidity, l
pressure, radiation, chemical (including sodium aerosols), seismic and 8
vibration.
Design considerations will also be given to typical environmental conditions for which protection will be provided for products of liquid metal sodium fires, high radiation, or steam / water atmospheres.
Protection will include locating safety-related equipment in separate ventilated rooms or in cabinets designed to prevent entry of sodium reaction products, etc. This method of protection is further explained in the environmental qualification l
program discussed in Section 3 5 and 3 11 of the PSAR.
i
' Natural phenomena are covered by Criterion 2.
3 1-13
- ~. - - - -
..~.
. : :. ~...
Since CRBRP contains Na and NaK containing components, CRBRP has identified an unique Na and NaK aerosol environmental parameter. CRBRP safety-related equipment required to function during and following Na and NaK spills is designed to accommodate the resulting environment.
Any safety-related equipment which has not been previously qualified by its application in other nuclear plants will be qualified to assure the capability 4
to perform its intended function in the combined post-accident environment of temperature, pressure, humidity, chemical and radiation exposure.
Seismic Category I structures, systems and components will be analyzed and designed to be protected against a wide spectrum of credible missiles.
Failure of certain rotating or pressurized components or equipment is credible and will presumably lead to generation of missiles. The only safety-related component that will be locsted outdoors is the Diesel Fuel Oil Storage Tank.
The protection provided for potential damage against tornado generated missiles is described in Section 3 5.1.
Most of the safety-related systems and components are located inside Seismic Category I buildings or structures which will be designed to withstand the impact from tornado generated missiles. Wherever missile barriers are required for protection of safety-related systems and components against internally-generated missiles, these barriers will be designed in accordance with the provisions described in Section 3 5.4.
All ventilation system air intakes and exhausts which are safety related, including those for emergency diesel generator units, will be protected against tornado generated missiles by reinforced concrete enclosures or heavy metal grills.
Design of Category I mechanical equipment to withstand seismic accident and operational vibratory loadings will be provided either by analyses or by dynamic testing.
Spontaneous ruptures of the sodium piping are not considered credible; therefore, massive failures of the sodium Heat Transport System (HTS) piping have not been included in the design bases. Failures of sodium and/or NaK l
j piping systems, other than HTS piping, due to accidental impact loadings are l
considered, and pipe whip analyses will be performed.
Protection against the dynamic effects associated with the postulated pipe ~
break other than sodium piping, will be provided in the form of pipe whip restraints, equipment shields, and physical separation of piping, equipment and instrumentation.
Restraints will not be provided where covement of the broken pipe can be tolerated, that is, where redundant systems shields, or physical separation obviate the need for restraints.
Equipment shields will be provided, where necessary, in order to isolate the portion of the equipment in an accident and prevent it from causing more severe accident consequences. Pipe whip restraints and impact shields will be 3 1-14
d designed to withstand the impact forces arising from the whipping action. Jet impingement shields will be provided to limit the consequences of rupture of the piping and will be designed to withstand the resultant jet forces.
Criterion 6 Rharina of Structuren. Svata==. and Cn=nanents Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.
Resoonse:
This criterion is not applicable to the CRBRP.
Criterion 7 - Sodium Heatina Svatama Heating systems shall be provided as necessary for systems and components important to safety which contain, or may be required to contain, sodium or sodium aerosol. The heating systems and their controls shall be appropriately
(
designed with suitable redundancy to assure that the temperature distribution and rate of change of temperature in sodium systems and components are maintained within design limits assuming a single failure. The heating system shall be designed such that its failure will not impair the safety function of associated systems and components.
Response
Heating systems will be provided for all systems and components important to safety which contain, or may be required to contain, sodium or sodium aerosol vapor. These heating systems will be designed (in conjunction with system insulation requirements) such that no single neater failure will result in unacceptable temperature transients or loss of safety function due to loss of heat input capability. Spare heaters will be provided, where appropriate, to permit restoration or heating' capability without the need to shutdown the system. There is no failure which will cause overheating because heaters will be "hard wired" to voltage taps which will result in maximum temperatures very near the desired operating temperature.
Proper wiring is to be verified during start up testing.
Potential shorting is, protected against by electrical insulation of heater sheaths from piping, ground fault detection /
power interruption, and circuit over cur.ent protection.
_ Criterion 8 - Reactor Denian The reactor and associated coolant, control, and protection systems aball be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation including the effects of anticipated operational occurrences.
Resoonse:
This criterion is satisfied by the following two design bases.
3 1-15
-~ ^
. _,, a -
a.-
- :. ; u s
a.
Fuel Residence Time In the first core loading, the fuel rods are limited to a peak pellet burnup of 80,000 messwatt days per metric ton of heavy metal (mwd /T).
For later cores the peak burnup increases to 115,000 mwd /T with an average burnup of 80,000 mwd /T. These peak burnup limits are achieved*
by limiting the in-core residence time and optimising the fuel management scheme. The duration of the first cycle is 128 full power days (FPD) and the second cycle is 200 FPD. These cycle lengths are consistent with the initial core peak pellet burnup limit of 80,000 mwd /T. For all operating cycles after the first two, the cycle length is increased to 274 FPD and the maximum fuel assembly residence time is two cycles. All fuel and inner blanket assemblies are discharged as a batch after two cycles under equilibrium core conditions.
Maintenance of fuel rod structural integrity is a design basis should an Unlikely Fault occur during the fuel residence time.
b.
Power Distribution Limits The power distribution limits are derived from the maximum allowable peak heat generation rates for nominal and anticipated operational conditions which, when combined with the rod mechanical and thermal design parameters, assure that incipient fuel melting does not occur in the fuel pellet with peak power. The superimposed effects of fuel depletion and control rod insertion patterns on the radial power peaking factors is included in this assessment. The peak fuel pellet linear power in the core at any time-in-life, which includes the highest radial and axial power factors, 155 overpower conditions and nuclear and engineering uncertainties, is less than that which re:ults 1
in fuel melting.
Criterion 0 - Reactor Inherent Protection The reactor and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tend to compedsate for a rapid increase in reactivity.
Resoonse:
The following design basis satisfies this criterion:
The Doppler effect provides the prompt negative reactivity feedback which.is required to mitigate the effects of reactivity transients (rapid power increases). Therefore, the fuel temperature (Doppler) coefficient shall be strongly negative when the reactor is critical. The negative Doppler coefficient is obtained through the inherent use of fuel with a large proportion of U-238. The Doppler coefficients for each major fueled reactor region have been calculated at the beginning and end of cycle for both the first and equilibrium cores with FFTF-grade (low Pu-240) plutonium fuel (See Table 4.3-16).
In all cases, the Doppler coefficients are strongly negative.
The analysis of accident conditions, presented in Chapter 15, uses conservative values of the Doppler reactivity feedback coefficient (nominal value less 3 uncertainty).
3 1-15a
h g
g a
um spi aW es%#
-mW
,g F-g a
+3 m
s l
At low power / flow ratio operating conditions as during the reactor startup, positive bowing reactivity effects are predicted. The not reactivity feedback during this power-to-flow ratio range is evaluated to conservatively envelope all possible combinations of bowing and compensating negative reactivity effects. For certain assumptions on assembly bowing behavior a not positive reactivity feedback is predicted over a portion of the low power-to-flow ratio range. The PPS can safely accommodate all design basis events initiated in the startup range when the above worst case effects are considered. Studies have been performed for a range of startup overpower transients. These have demonstrated that, even neglecting the effects of the plant protection system, the integrated reactivity feedback from the point of the initiation of the transient up to full power temperatures is always negative. Consequently, reactor power and temperatures are bounded even when worst case reactor feedback characteristics are utilized. Maximum temperature values fall well below values which are expected for normal power operation demonstrating satisfactory reactor inherent protection.
As the power-to-flow ratio approaches 1.0 and at higher power-to-flow ratios
(>1.0), reactor assembly bowing reactivity is negative and enhances the effect of negative Doppler which is discussed above.
Criterion 10 - Suoeression of Reactor Power Oscillations The reactor and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.
Resnonse:
The CRBRP is neutronically tightly coupled, preventing any possibility of spatial instability. The main stabilizing feedback is due to Doppler and the CRBRP is inherently stable -in response to reactivity perturbations.
The neutronic stability of the CRBRP has been analyzed with point-kinetics techniques (See Section 4 3). " The reactor was modelled by a set of coupled linearized first-order differential equations with constant coefficient describing the neutronics and temperature behavior of the system. The temperature de' pendent reactivity feedback effects used in this model include Doppler and fuel axial expansion which are fuel temperature dependent and the sodium density effect which is coolant temperature dependent.
These analyses have shown that CRBRP is a stable, well-behaved system in terms
~
of the response of the reactor to reactivity perturbations about full power.
The principal stabilizing feedback mechanism is the Doppler (fuel temperature) effect. The reactor remains a stable system even when the Doppler coefficient is halved and employed in any combination with the other reactivity feedback coefficients.
For worst case positive bowing reactivity characteristics, which can occur only in the startup range (0+ to 405 power), a not positive feedback is possible. With this condition, present control system analyses predict a worst-case (maximua) limit cycle oscillation of 22 2% of full power, comprised
/
3 1-16
.,1_,.
of a 125 dead band plus a 0.25 response turn around on both ends of the dead band. The smallest period associated with the worst-case condition is 500 seconds in that less bowing reactivity would result in a longer oscillation period. Recompensation of the flux control system for the final design may result in a reduction in amplitude of the limit cycle oscillation as well as a reduction in the frequency. Above 405 power and under all permitted conditions, where bowing reactivity is always negative, limit cycle oscillation due to this feedback component will not occur. Assurance that the specified acceptable fuel design limits will not be reached is provided throughout the O to 1005 power operating range by the reactor trip functions.
Criterion 11 - Instrumentation and Control Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, including anticipated operational occurrences, and for postulated accident conditions appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor-coolant boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.
Resoonse:
Instrument & tion and controls are provided to monitor and control neutron flux, control rod position, temperatures, pressures, flows, and levels as necessary to assure that adequate plant safety can be maintained. Instrumentation is provided in the Reactor System, Heat Transport System, Steam and Power Conversion System, the Engineered Safety Features Systems, Radwaste Systems and other auxiliaries. Parameters that must be provided for operator use under normal operating and accident conditions are indicated, in proximity with the controls for maintaining the indicated parameter in the proper range.
The control room is provided as the focal point from which the plant can be operated safely during normal operation, anticipated operational occurrences, and for postulated accident conditions.
The basic criteria for including instrumentation readout and control in the control room is as follows:
o The displays or controls necessary to support all normal plant operating conditions; o
The displays and controls necessary to respond to anticipated operational occurrences and accident conditions which impact on power operations capability; o
The displays or controls necessary to prevent potential radiological hazards to offsite personnel; o
The displays necessary to the operator for detection of fire hazards; or The display and controls necessary to prevent potential damage to the o
plant.
l 3 1-17 l
. : L.
~ ~. - _. -.. -... - - _
The control room is arranged to provide an effective interface between the plant and the operating personnel. Frequently used safety related instrumentation. and controls are located on the Main Control Board. This-equipment is grouped by operational category to assure that determination of plant condition and action to correct the condition are in close proximity.
Less frequently used equipment and certain electronic equipment for which access control is desired are located in a rear panel area.
The quantity and types of process instrumentation provided ensures safe and orderly operation of all systems over the full design range of the plant. The designs of these systems are described in Chapters 4 through 12.
Details of the instrumentation and contrci systems are discussed in Chapter 7 Criterion 12 - Reactor Coolant Boundary The reactor coolant boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.
BesDonse:
The design, fabrication, erection and testing to be employed on the reactor coolant boundary and the extensive quality control seasures to be employed during each of the above phases will ensure that this boundary has extremely low probabilitics of abnormal leakage, rapidly propagating failure, and gross rupture.
The highest quality of engineering, fabrication, installation and inspection will go into the primary vessels and piping. The primary vessels and piping are Class 1 components and will require a detailed stress analyses as required by the ASME Code. A description of the design ~ basis and analyses methods that will be ajplied on the primary system is given below. The analyses of the primary system will therefore assure that the design will be able to meet all anticipated service requirements.
The system will be designed t6 assure that-stresses, strains and deformation are within the applicable code criteria and system functional limits. The analyses to satisfy these limits shall reflect both time-independent and time-dependent materials properties and structural behavior (elastic and inelastic) by considering all of the relevant modes of failure.
(1) Ductile rupture from short-tern loadings; (2) Creep rupture from long-tern loadings; (3) Creep-fatigue failure; (4) Gross distortion due to incremental collapse and ratcheting; (5) Loss of function due to excessive deformation; i
l (6) Buckling due to short-tern loadings; j
(7) Creep buckling due to long-tern loadings.
3 1-18
~
The RDT Standards imposed inspection limits placed on the material and welds of the primary system are more demanding than those of the ASME Code. The stringent inspections, controls and checks will assure that the probability of an undetected defect in the system, larger than the allowable, is extremely small.
Even if, by some inconceivable means, a through-the-wall crack could develop, it would leak and the sodium would be detected before the crack could grow.
Further, a small leak would not cause a crack to grow significantly by caustic corrosion because the reactor cavity moisture level is low (-40F dewpoint).
The corrosion attack from preliminary tests at -30F dewpoint rate is low (
1) mil per month for a leak of 50 gram /hr) and the leak would be detected by one or more of several leak detection methods (See Section 7 5.5.1).
Thus, a leaking crack would be detected and no viable mechanism exista (neither fatigue crack or corrosion) to significantly enlarge a postulated through-the-wall crack.
A discussion of the above conclusions is presented in Section 5 3 3.6 and further amplified in the " Primary Pipe Integrity Status Report" (Reference 2 in Section 1.6.2).
Criterion 19 - Reactor Coolant System Desien The reactor coolant system and associated control protection, auxiliary, and sodium heating systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.
JLRADDEHt:
The reactor coolant system.and associated control, protection and auxiliary systems are designed with sufficient margin to assure that the design conditions of the reactor coolant boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.
j The dssign conditions for the reactor coolant system components have been established and are provided in Chapter 5.0.
The PHTS component design conditions are listed in Table 5 3-2.
The components of the reactor coolant system and the associated fluid syste.ms required for safe operation and maintenance of a safe shutdown condition have been classified with respect to the importance of the safety function that they must perform.
This classification is described in Section 3 2.2.
Compatible with this classification, these systems and components cre designed to meet the appropriate sections of the ASME Code and applicable code cases and supplemented, as necessary, by RDT Standards. These design requirements l
are discussed in Section 3.9 The normal operating conditions and the nature and frequency of anticipated operational occurrences are listed in Appendix B.
These steady state and transient conditions have been included in the design analyses in accordance with the requirements of the ASME Code.
3.1-19
The transiente resulting from anticipated operational occurrences are reported in Chapter 15 where they are classified as Anticipated and Unlikely Faults.
The extent of departure from normal operating conditions during these Trip levels assumed in transients are limited by the Plant Protection System.
the analyses of these transients are listed in Table 151.3-1 and include high power level, power to flow ratio, high reactor inlet temperature, level within the reactor vessel, steam feedwater flow ratio and primary pump electrics.
Additional discussion of the plant protection system as well as the control j
system for normal operation is contained in Chapter 7 The piping and equipment electrical heating system is not essential for the safe shutdown end isolation of the reactor, nor will failure of the system result in a release of radioactive material. This system is classified as In those cases where heaters are applied to safety related non-safety.
components, the heaters are not required for the component or the associated system to perform its safety function.
The design of the electrical heating equipment will consider potential thermal stresses resulting from heater failure and locate the heaters such that loss of a heater will not result in unacceptable stress levels. To prevent a heater feilure from propagating to the piping or equipment to which it is attached, the following operatienal criteria are used:
For For normal operation, the heaters are operated at 1/3 power.
(1) abnormal operation, each heater control circuit is protected against Ground fault overcurrent by thermal overload circuit breaker.
interrupters (GFI) will be used for protection of ground currents.
In addition, it is planned to install a backup GFI on a feeder bus with a time relay for redundant operation.
(2) High and low temperature limit alarms for all heaters in safety related systems will be provided. Furthermore, the alarm thermocouple will be different from the control thermocouple, so that a failure in the control thermocouple will not affect the alarm.
The cold ends of the heaters are bent 900 and a spacing maintained (3) between adjacent heaters to prevent cross over of heaters and
~
significant mutual heating by radiation.
The proper setting of the GFI units will be set at installation and (4) based on prior tests.
For heaters mounted on stand-off insulators separation is maintained (5) between the heater sheath and piping or component.
(6) To prevent heater failure from design considerations, the heaters are designed to a high quality standard. The use of the standard In addition, the requires that each heater be radiographed.
technical, mechanical, electrical, material, fabrication and quality assurance requirements specified must be met.
3 1-20
...__. = n n m e rn
+
- Criterion 14 - Containment Damien Reactor containment and associated systems shall be provided to establish an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.
l Resoonse:
The confinement / containment design comprises a steel shell, with a design pressure of 10 psig, and leak testable penetrations, surrounded by a concrete confinement. This system completely surrounds the reactor coolant boundary.
Except for the Intermediate Heat Transport System Loops, which will be built to containment quality standards, all piping systems penetrating containment will be provided with ~ containment isolation valves, in compliance with Criterions 45 and 48.
The Containment Vessel, including all access openings and penetrations is designed such that the leakage of radioactive materials from the Containment under conditions of temperature and pressure resulting from the Extremely Unlikely Faults will not cause undue risk to the health and safety of the public and will not result in potential offsite exposures in excess of guideline values of 10CFR100. The purpose of the annulus filtration system is to ensure that off-site exposure dose rates are within the limits specified in 10CFR100.
The basic structural elements considered in the containment design are the vertical cylinder and dome acting as one structure and the bottom liner plate and foundation mat acting as another. Tne portion of the cylinder from the base mat to the operating deck circumscribes the approximately 3 feet thick concrete wall which forms the boundary of the internal concrete structure.
The bottom liner is encased in concrete and is designed as a leak tight membrane. The liner plate is anchored to the concrete by welding the Liner plate continuously to steel me,mbers, which are also embedded in and anchored i
to the concrete base mat. The bottom portion of the cylindrical wall is attached to an anchorage system which is deeply embedded in the base mat.
l The containment penetrations, other than airlocks and the equipment hatch, consist of electrical and piping penetrations. The portion of the penetrations consisting of the pipe sleeve welded to the vessel will be designed, fabricated, installed and tested according to the requirements of~
the appropriate sections of the '.aME, B&PV Code,Section III. The connections between the vessel pipe sleeve and the piping passing through the containment vessel shell will consist of a bellows assembly, flued head or other welded connection designed, fabricated, installed and tested to meet the requirements of the particular system and Section III of the ASME Code. The containment pipe sleeves through which electrical cables pass will be designed to meet the requirements of ASME Code,Section III as well as being compatible with the electrical penetration assemblies. The electrical penetrations assemblies will be designed, fabricated, installed and tested in accordance with the req':irements of IEEE 317-1972, Electrical Penetration Assemblies in 3 1-21
a
.s.
Containment Structure for Nuclear Power Generating Stations ( ANSI N45 3-1973).
In addition, all penetrations and assemblies or connections will be tested to meet the leakage requirements specified in Appendix J, 10CFR50, as is the overall containment vessel.
The confinement / containment will be designed to assure that an acceptable upper limit of leakage of radioactive material is not exceeded under design basis accident conditions. For purposes of integrity, the containment will be considered as the Containment Vessel and Containment Isolation System. This structure and system are directly relied upon to maintain containment integrity.
The design internal pressure for the containment is 10 psig, and the associated maximum allowable leskage rate is 0.1 (vol.) percentage /24 hr.
The containment testing will be performed at ambient temperature, but not below 600F. A negative pressure is maintained in the confinement / containment annulus space and the confinement / containment penetrations are being designed to achieve a very low bypass leakage.
The design criteria and methods of analysis for the containment structure are discussed in Section 3.8.2 and the function design and testing provisions are described in Section 6.2.
j The annulus filtration system is designed to ensure that the radioactivity released as a result of the design basis accident will not exceed the guidelines of 10CFR100. Two 1005 redundant filter fan units will be provided.
Redundant isolation valves will be provided on the supply side of the pressure maintenance fan. These measures insure that no single active failure will prevent 100% operation of the annulus filtration system.
Criterion 15 - Electric Power Svstamm An onsite electric power system and an offaite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant boundary are not exceeded as a result of normal operation, including anticipated operational occurrences and (2) the core is cooled, and containment integrity and other vital functions are maintained in the event of postulated accidents.
The on'aite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.
Electric power fro = the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accidents and environmental conditions.
A switchyard common to both circuits is acceptable. Each of these circuits 3.1-22
. :. w. -
^^
shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following any postulated accident to assure that core cooling, containment integrity, and other vital safety functions are maintained.
Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
Response
The on-site Class IE power system is split into three independent and functionally redundant load groups, each with its own power supply, buses, transformers, loads and 125 volt DC control power. The three diesel generators are physically and electrically independent of each other.
Each on-site power system will include a Class IE (safety related) electric
. system and one diesel generator for each safety related load group.
Automatic transfer will not be allowed or possible between redundant load groups.
Provision has been made in the safety-related AC distribution system design, for manual cross-connection between the diesel generators on a limited basis. Manual cross-connection details are as described in Section 8.31.2.1.
Each diesel generator is installed in a separate and independent diesel generator room. These rooms are located in a Seismic Category I structure and are capable of withstanding missiles as described in Section 3A.6.
The AC loads which are not Class IE but are required for plant availability will be connected to the non-Class IE motor control conters. These motor control centers will ba provided with an incoming breaker in series with the Class IE breaker feeding these motor control centers from the 480 Volt load centers and will have capability to receive power from the Division 3 diesel generator in the event of loss of all offsite AC power sources.
Cables for the separate, redundant load groups of the Safety-Related AC Distribution System are installed in separate raceway systems. The independence criteria of the Clkas IE raceway systems is described in Section 8.3 1.4.
Cables and raceways of the Safety-Related AC Distribution System are marked in a distinctive manner as described in Section 8.31.5.
The Safety-Related AC Distribution System provides separation of the AC powered Class IE loads into three functionally redundant load groups such that loss of one group will not prevent safe shutdown of the plant.
Each redundant load group is supplied from either the Plant Power Supply, the l
Offsite AC Power Supplies, or the Standby AC Power Supply.
3.1-23
The continuous load rating of each diesel generator is greater than the sum of the estimated Class IE loads which are required to operate at any one time.
The loads are conservatively estimated and indicated in Tables 8 3-1A and
~
8.3-1B.
The basis of sizing of loads is in agreement with Regulatory Guide i
1.9 Each diesel generator is capable of starting in the required sequence and of operating the required loads. During the periods of load application or during the period of load removal, the generated voltage and frequency are maintained within limits which do not degrade the performance of the loads.
The offsite power system consists of the Preferred AC Power Supply and the Reserve AC Power Supply. Each of these two supplies providea two physically separate connections to the TVA 161 KV grid. All four of these grid sources are continuously energized and any one of them can supply the Normal AC Distribution System to facilitate and maintain a safe plant shutdown and startup.
The Preferred AC Power Supply consists of two 161 KV transmission lines in the Generating Switchyard connected to the main transformer, which in turn is connected to the two Unit Stttion Service transformers.
In the event of reactor or turbine trip when no electrical fault is present, the g3nerator circuit breaker opens automatically and disconnects the plant power supply.
The normal AC Power distribution system is then provided with power by the Preferred AC Power Supply through the main transformer without interruption.
Therefore, the Preferred AC Power Supply is termed an immediate access circuit.
In the event of an electrical fault in the Plant Power Supply, the 161 KV circuit breakers in the Generating Yard open and the turbine-generator trips.
This causes loss of the immediate access circuit to the AC Distribution System. In this event, power to the plant AC Distribution System is provided by the Reserve AC Power Supply within a period of 6 cycles. This transfer to the reserve power supply is performed automatically when the immediate access circuit to the Plant AC Distrkbution System is lost.
The Reserve AC Power Supply provides the two physically independent transmission lines per IEEE Standard 308-1974 " preferred power supply".
It connects the TVA grid to each of the three 4.15 KV Class 1E switchgear buses.
Hence, the Safety Related AC Distribution System has two physically separate and independent sources available from the TVA grid.
Results of steady-state studies show that with the 161 KV offsite power sources of the Reserve AC Power Supply there remains a reliable source to supply the onsite electric power system for single contingency conditions.
l Upon loss of all 161 KV power sources, the diesel generators start automatically and are capable of accepting the required safety loads. Any of the three diesel generators or any of the 161 KV power sources are capable of providing 3 1-24
sufficient power to safely shutdown the plant during the anticipated operational occurrences and to power the necessary engineered safety features in the event of postulated accidents.
The three diesel generators are redundant and independent including the distribution systems which they supply as described in Section 8.3.1.1.
Automatic starting and loading of each diesel generator to perform the safety function of the distribution systems they supply can be tested by simulating
)
loss of AC power supply to any 4.16 KV ESF distribution bus that is supplied by a diesel generator. Each diesel generator will start automatically and, if l
required, after 10 seconds the diesel generator on the disrupted distribution system will be automatically loaded with engineered safety features equipment in a timed sequence. The battery systems are redundant and independent including the distribution systems which they supply as described in Section 8.3.2.
In addition to the features detailed in Sections 8.2.1.1, 8.2.1.2 and 8.2.1 3, compliance with Criterion 15 is further demonstrated by the following:
a.
The plant is provided with two separate and independent switchyards -
the generating switchyard and the reserve switchyard. The generating switchyard is connected to the power grid by two 161 KV transmission lines. The reserve switchyaru is connected to the grid by two separate and physically independent 161 KV transmission lines. Each of the four transmission lines and each of the two switchyards are desigr.ed to be capable of providing full power to the Non-Class 1E and Class 1E aux $lisry locds required for plant startup, normal operation and to facilitate and maintain a safe plant shutdown.
The generating switchyard provides power to the plant auxiliary loads through the main power transformer and the two (2) unit station service transformers. Each unit station sarvice transformer is sized to supply 50 percent of the plant auxiliary loads required during the plant startup and the maximum power plant generation.
(When the main generator is operating the plant auxiliary loads receive power from the main generator via the generator circuit breaker and the unit' station service transformers). One of two unit station service transformers also supplies 100 percent power to Class IE loads of Divisions 1 and 3 and the other unit station service transformer provides 100 percent power to Class IE loads of Division 2.
i The plant reserve switchyard provides power to the plant auxiliary i
loads through two (2) reserve station services transformers. Each reserve station service transformer is sized to supply 50 percent of the plant auxiliary loads required during the plant startup and the maximum power plant generation.
One of the two reserve station service transformers also supplies 100 percent power to Class IE loads of Division 1 and 3 and the other reserve station service transformer provides 100 percent power to Class IE loads of Division 2.
3.1-25
b.
The 161 KV transmission lines are protected from lightning by overhead shield lines.
c.
The switchyards are provided with two independent DC supplies. Each DC supply system consists of a separate 125V DC battery, two battery chargers and a distribution system.
A single failure caused by a malfunction of either of the two 125V DC systems will not affect the performance of the other system. The ability of the switchyard to supply offsite power to the plant will not be affected by the loss of one of the two 125V DC systems. The surveillance of battery charger operation and battery voltage for each system is provided by individual alarms monitored in the control room.
l I
{
3 1-25a
d.
For reliability each breaker will have two trip coils on separate DC i
control circuits. The protection system is arranged to permit the following:
i i) Any transmission -line can be cleared under normal or fault conditions without affecting any other transmission line.
- 11) Any circuit breaker can be isolated for maintenance without interrupting the power or protection to any other circuit.
Criterion 16 Insnection and Testina of Ele 3tric Power Svata==
Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operabiltiy and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operational sequence that brings the systems into operation, including operation cf applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.
Resnonse:
The following transfers are testable during operation of the nuclear plant.
1.
Automatic transfer from the normal power source (ntelear power unit) to the reserve power source (preferred offsite power system) initiated by fault sensing relays in the normal power supply. Testing is accomplished by inserting simulated signals in relay inputs which initiates the transfer.
2.
Manual transfer from normal to reserve power source and vice versa.
3 Automatic transfer of class 1E Bus from normal or reserve power source to the diesel generator (onsite power supply) on degraded voltage at the Class 1E Bus.
31 Prolonged degraded voltage between 705 and 855 of nominal voltages is simulated at input to undervoltage relays.
32 Instantaneous degraded voltage below 70% of nominal voltage is simulated by tripping of the normal incoming breaker.
Operation of the sequencer logic is also tested by simulating inputs and monitoring the sequencer outputs to actuators (such as breakers) without actuating them. The load sequencer has intrinsic automatic testing of its circuitry which works continuously when the sequencer is not actuated by protective or testing input signals.
3 1-26
~. -.=. =.. ;. :.
..u m..,.....z. -..... u..
-s
=-
4.
Manual transfer of Class 1E Bus from normal or reserve power source to the diesel generator.
4.1 Testing of the diesel with the Claes 1E Bus disconnected from the offsite source is performed by starting the diesel, deenergizing the Class 1E Bus by tripping the incoming breaker, closing the diesel generator breaker and closing the load breakers.
4.2 Testing of the diesel with the Class 1E Bus energized by the offsite source is performed by starting the diesel, synchronizing it with the Class 1E Bus and loading it in steps consistent with actual loading requirements.
The AC and DC systems will be designed to be testable during operation of the plant in accordance with IEEE Standard 338-1977 and Regulatory Guide 1.118.
Periodic inspections and testing of important features, such as wiring, insulation, and connections, to assess the continuity of systems and the condition of their components will be performed during equipment shutdown.
Initial operational system tests will be performed with components installed and connected to demonstrate that the system operates within design limits and meets the performance specification, and to verify the independence between redundant AC power sources and load groups.
After being placed in service, the standby diesel generators and their respective associated supply systems will be inspected and tested periodically I
to detect any degradation of the system.
(See Section 8.3 1.1.1)
Initial pre-operational tests will be performed with equipment and components installed and ccnnected to demonstrate that the equipment is within design limits and the system meets performance specifications. This test will also demonstrate that loss of the Plant Power Supply and offsite AC power supplies can be detected.
Periodic equipment tests will'be performed to detect any degradation of the system and to demonstrate the capability of equipment which is normally de-energized. The test methods utilized are detailed in Section 8.3 1.1.2.
Periodic tests of the transfer of power between the Plant Power Supply and t
offsite AC power supplies will be performed to demonstrate that:
l Sensors can properly detect loss of the Plant Power Supply and the offsite a.
AC power supplies.
b.
Components required to accomplish the transfer from the Plant Power Supply to the Preferred AC Power Supply are operable.
Components required to accomplish the transfer from the Normal AC Power c.
Supply to the Reserve AC Power Supply are operable.
d.
Components required to accomplish the transfer from the Reserve AC Power Supply to the Standby AC Power Supply are operable.
3 1-27
~
1 a a.-
-~.-.--a..=.
=.
e.
Components required to accomplish the transfer from the Plant Power Supply (simulating the unavailability of the offsite AC power supplies) to the Standby AC Power Supply are operable.
f.
Instruments and protective relays are properly set and operating correctly.
The 161 kV circuit breakers connecting the generating and reserve switchyard to the power grid will be inspected and tested on a r utine basis with the generators in service. Since either of the two breakers, each fully rated, is capable of connecting the generator to the two buses of the generating switchyard.
The 120 V Vital AC System components are inspected and tested at the vendor's facilities. The system it also inspected during installation. When the installation is complete, preoperational equipment tests and inspections are performed to demonstrate that:
A.
Components are correct and properly mounted.
B.
Connections are correct and the circuits are continuous.
C.
Components are operational.
D.
Instruments and protective devices are properly calibrated and adjusted.
The initial system tests will also demonstrate that while supplied by the DC power systems or the 480-120/208 Y Instrument AC Regulating transformer, the 120V Vital AC Power System can supply power to the design load as required..
Periodic tests are performed to detect any deterioration of the equipment and to demonstrate the capability of equipment which is normally energized.
Provision is included in the 4esign for testing the transfer of power between the unit station service transformers and the reserve transformers. These tests are performed during prolonged plant shutdown periods by simulating loss of the AC power supply from the unit station service transformers as described in Section 8.3.1.1.2.
Provisions are also included in the design for testing the operability and,
performance of equipment. The tests include a preoperational equipment tes;t, initial system test, and periodic equipment and system tests as described in Sections 8.2, 8.3 1.1.1 and 8.3 1.1.2.
Criterion 17 - Control Room
)
A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under postulated accident conditions (including those conditions addressed in NRC Criterion 4 - Protection Against Sodium and NaK Reactions). Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel I
3 1-28
-.. - -. - ~-
receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.
Equipment at ap' ropriate locations outside the control room shall be provided p
with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and with a design capability for subsequent control c; the reactor at any coolant temperature lower than the hot shutdown conditioLS.
Response
The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require that the control room be designed to permit access and occupancy under all normal and postulated accident conditions. Also, in the event the control room is uninhabitable or that its reactor shutdown or decay heat removal functions cannot otherwise be performed, alternate shutdown locations, independent of the control room instrumentation and controls be provided shall be provided to perform those functions. CRBRP meets this criterion through incorporation of design features discussed below.
The control room design is based on proven power plant design philosophy. All control stations, switches, controllers, and indicators necessary to operate and shutdown the plant and to maintain safe control of the reactor will be located in the control room.
The design of the control room will permit safe occupancy during abnormal conditions. The doses to personnel during accident conditions from containment building shine, radioactive clouds and ingress / egress to the exclusion boundary are less than 5 rem whole body, or its equivalent to any part of the body. These doses and criteria are detailed in Section 6.3 Two (2) 100% capacity redundant, Air Conditioning units provide conditioned supply air to the Control Room. The minimum outside air flow provided by this system is established on the basis of the ventilation requirements and pressurization requirements. sThe outside air flow is constant all-year-around except during accident conditions, when minimum amount of filtered outside air is introduced to the Control Room for pressurization. The supply air is distributed to the various areas by the supply ductwork to satisfy the ventilation requirements. The filters provided in the air conditioning units maintain the cleanliness of the supply air during normal operation. The cooling coils provided in the air conditioning units and the duct mounted,re-heat coils along with their instrumentation and controls maintain the temperature of the Control Room areas during normal operation. The chilled water supplied to the Control Room air conditioning units is provided by Emergency Chilled Water System. The humidifiers and cooling coils provided in the air conditioning units, along with their instrumentation and controls, maintain the required humidity for the varicus areas in the Control Room during normal operation. Two (2) 100% capacity redundant return fans are provided for returning and exhausting the air supplied to the Control Room.
Two (2) 1005 redundant filter units are provided to reduce radioactive airborne contamination during the presence of outside radioactivity. Supply, 3.1-29
.= ;
.. =..-
.u-return and exhaust ductwork, isolation valves, dampers, air outlets, instrumentation and controls are provided to make this system complete and operate as required. These filter units, which are located in separate cells, are connected by Juctwork to missile protected outside air intake structures.
These filter units will be supplied by class IE power.aupply.
The Control Room 1005 redundant filter units consist of a profilter section, a high efficiency particulate air (EEPA) filter section, a charcoal filter bank for radio-iodine adsorption, a final HEPA filter located downstream of the charcoal filter bank for removal of charcoal fines carried over from the adsorber, access sections between each component for maintenance and filter instrumentation consisting of flow and pressure differential switches, transmitters and indicators to facilitate monitoring and testing of the filter operation.
HEPA filters, although rated for only 995 removal capability, are capable of removing a minimum of 99 97 percent thermally generated dioctylphthalate particulate of uniform 0.3 droplet size at the design flow rate of 8,5000 CFM.
The charcoal filter bed is assumed to remove 95 percent of airborn radioactive elemental iodine and 95 percent of methyl iodine at relative humidities below 705 st the design flow rate of 8,500 CFM.
The actual tested efficiency of the charcoal bed in removing elemental iodine is 99.95 and 99 55 in removing methyl iodine.
Two separate outside air intakes are provided for the Control Room.
Instrumentation is provided to measure the airborne activity levels for each intake location. The intake locations are positioned such that the airborne activity at one intake will be significantly less than the other.
By providing radiation monitors at these intakes, the cleaner intake for Control Room pressurization is selected to reduce the airborne activity in the Control Room. During this mode of operation, the Control Room air is partially recirculated through the high efficiency filters. The Control Room will be continuously occupied by qualified personnel during all conditions of plant operation.
A containment isolation signal or a high radioactivity signal from the redundant radiation monitors located in the Control Room outside air intake duct or a signal of high levels of toxic chemicals or smoke in the Control Room outside air intake ducts will automatically initiate closure of the Control Room HVAC System redundant supply and exhaust isolation valves, and start one of the 1005 redundant filter unit fans to allow a minimum amount of outside air, required for pressurization, to pass through the operating filter unit. Control Room operators are provided with the capability to manually initiate isolation of the Control Room HVAC System if higher than normal levels of radioactivity are detected in other areas of the plant, by the Radiation Monitoring System.
Safe and continuous occupancy of the Control Room during normal and off-normal conditions is provided for in the design of the Control Building.
The probability of the Control Room becoming uninhabitable due to fire or other i
cause is considered extremely remote. However, in the event the Control Room 3.1-30
must be vacatsd temporarily, the reactor plant can be brought to and maintained in a hot shutdown condition for an extended period of time from designated remote shutdown panels located outside the control room.
The Remote Shutdown System will meet the following functional requirements:
1.
Equipment at appropriate locations outside the control room will be i
1 provided with a design capability for hot shutdown of the reactor including necessary instrumentation and controls to maintain the plant in a safe condition during hot shutdown.
2.
Design capability and necessary instrumentation and controls outside the control room shall be provided for control and uaintenance of the
~
plant in a safe shutdown condition at any coolant temperature below hot shutdown but above 4000F.
3 For equipment having controls present both at the control room and locally, the local controls will be provided with a local transfer switch which transfers control from the control room to the local station (and isolates control from the control room).
4.
Transfer of control to the local control station will not be possible until the local transfer switch is placed in the " local operating" position and an annunciating alarm is actuated in the control room.
5.
An independent soundpowered communications network will be established between the local safe shutdown control stations.
6.
The Sodium Water Reaction Pressure Relief System (SWRPRS) will be configured such that the system is initiated locally and automatically.
7 All PPS signals necessary for remote shutdown control will be buffered locally at the local control panel or provided with a transfer switch to isolate the main control room. This requirement is not intended to include control of the' reactor shutdown systems from outside of the control room.
However, the capability to manually trip the scram breakers is provided.
Criterion 18 - Protection System Furetions The protection system shall be designed (1) to initiate automatically the -
operation of appropriate systems, including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense postulated l
accident conditions and to initiate the operation of systems and components important to safety.
i Resoonse:
The operational limits for the reactor protection system ar7 defined by analysis of plant operating and transient conditions requiring rapid rod i
insertion to prevent or limit core damage.
A discussion of the appropriate 3.1-31
fuel design limits, which fora design basis for the reactor protection system, is given in Chapter 4.
The systems activated to prevent exceeding fuel design limits are:
1.
Primary reactor shutdown system 2.
Secondary reactor shutdown system In addition, the protection system will initiate the following actions:
a.
Coastdown of all primary and intermediate system cooling pumps at every reactor trip. This is necessary to minimize the thermal transients experienced by the components, and hence to assure endurance throughout the operating life.
b.
Isolation of the containment system in the event of a release of activity into the containment atmosphere.
Full details of both of the reactor shutdown systems are given in Section 7 2, and of the containment isolation system in Section 7 3.1 and 6.2.4.
Each of these systems has a large number of redundant input channels, redundant separation logic elements, and redundant output actuation elements. They are designed with independence, ceparation, testability, and diversity as criteria to provide maximum relitbility. These characteristics are discussed further in the responses to Criteria 19 through 22 which follow.
Criterion 19 - Protection System Reliability and Testability The protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.
Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise I
demonstrated. The protection' system shall be designed to permit periodic testing of its functioning when the reactor is in operation including a capability to test channels independently to determine failure and losses of redundancy that may have occurred.
ResDonse:
Each of the two shutdown systems is designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.
The protection sys.em performs indication and alarm functions in addition to its reactor trip and engineered safety features actuation functions. The design meets the requirements of RDT Standard C-16-1, which meets or exceeds those of IEEE Standard 279-1971, " Criteria for Protection Systems for Nuclear Power Generating Stations". Each system consists of a large number of input measurement channels, redundant logic trains, and redundant reactor trip breakers.
The redundant logic trains, and reactor trip breakers for each 3 1-32 l~-
system are electrically isolated and physically separated. Furthermore, physical separation of the channels is maintained within the separated trains.
The design is such that no single failure results in loss of the protection function during operation or testing. Either of the two systeme, which are highly redundant, will perform the shutdown function for all normal conditions. All channels employed in power operation are sufficiently redundant so that individual testing and calibration, without degrad& tion of the shutdown function or violation of the single failure criterion, can be performed with the reactor at power. Such testing will disclose failures or reductions in redundancy which may have occurred. Removal from service of any single channel or component does not result in loss of required redundancy.
For example, a two-of-three function is placed in a one-of-two mode when one channel is removed.
In addition to this manual testing capability of both the primary and secondary systems, a semiautomatic tester is included to test the logic trains of the primary system.
This tester has the capability of testing the major part of the protection system very rapidly with the reactor at power. Between tests, equipment is provided to continuously monitor certain internal protection system points, including train power supply voltages.
The protection system is discussed in Section 7.2.
Criterion 20 - Protection System Indeoendence The protection system shall be designed to assure that the effects of natural phenomena and of normal operation, including anticipated operational occurrences, maintenance, testing and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.-
Resoonse:
The protection system has been designed to provide adequate protection against the specified accident conditions and postulated events.
The defenses against loss of the protection function through the effects of natural phenomena, such as tornado, flood, earthquake, and fire, are location and Category I structures physical separation and electrical isolation of. '-
redundant channels and subsystems, functional diversity of subsystems, and safe (i.e., in the direction of reactor trip) component and subsystem failure modes. These defenses have been utilized in the design of the reactor protection systeu. The redundant logic trains, reactor trip breakers, and engineered safety features actuation devices are physically separated and electrically isolated.
Physically separate channel cable trays, conduit, and penetrations are maintained upstream from the logical elements of each train.
Functional diversity and physical separation are designed into the system.
The factors associated with normal operation are wear, temperature, humidity, dust or dirt, and vibration.
The protection system is tested and qualified 3.1-33
under environmental conditions in excess of the extreme normal ranges. ~In the majority of the system, wear is not a factor. The station test _and maintenance procedures will provide adequate measures against simultaneous multiple failures due to wear, dust or dirt. Furthermore, protection of the equipment from dust or other contaminants is afforded by the cabinets in which the equipment is installed.
The possibility of loss of the protection function through improper or incorrect maintenance is minimized by a number of factors.
Among these are administrative controls; functional diversity (a pump speed channel and a flow channel are not likely to be miscalibrated in the same direction, for example); and a comprehensive indication, alarm, and status system.
The protection system has been evaluated with respect to functional diversity and with respect to common mode susceptibility. These studies indicate that the system is designed to a very high probability of performing its function-in any postulated occurrence. An extensive reliability program has been initiated which will confirm this very high reliability before submission of the FSAR.
The reactor protection system and the engineered safety features actuation system are discussed in Sections 7.2 and 7.3, respectively.
Criterion 21 - Protection System Failure Modes The protection system shall be designed to fall into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, sodium, sodium reaction products, and radiation) are experienced.
Response
The protection system is designed with due consideration to the most probable failure modes of the components.
Where practical, the channels and logic circuits are designed such that failures which may occur will be in the direction which causes a trip.
Channel monitoring is provided to detect either safe or unsafe failures of individual channels. Provision of redundancy within each system assures that, should there be a single failure in the direction to impede a trip, it will result in no loss of the system capability.
I The protection systems components will be tested and qualified for the extremes of the normal environment to which they are subjected.
In addition, components will be tested and qualified according to individual requirements for the adverse environment specific to their location which might result from postulated accident conditions.
Protection against sodium and sodium reaction l
products is provided by location of the components.
To the maximum extent l
practical all protection system components are located in areas away from sodium containing components. Where this is not practical devices such as shields, totally enclosed containment around sensors or other features which 3 1-34
-..L
^
I s
may prove practical as the design evolves to its final configuration will be provided to shield components from sodium impingement and to prevent degradation of necessary performance due to fallout of sodium vapor or reaction products.
Failure Modes and Effects Analyses have been conducted to analyse potential failure modes within the Reactor Shutdown Systems and evaluate the effects of such failures on system performance (see Supplement 1 to Appendix C).
Even though the failure of an individual element may result in the inability to initiate channel trip, the provision of redundant independent instrument channels and logic trains assures that single failures cannot cause loss of either the Primary or Secondary Shutdown System thereby meeting design requirements. The high reliability of components, redundant configuration, provision of on-line monitoring and on-line periodic testing further assure that single failures will not accumulate to the point that trip initiation by either the Primary Reactor Shutdown System or Secondary Reactor Shutdowr; System is prevented.
Criterion 22 - Seoaration of Protection and Control Syste==
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.
Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.
Resoonse:
The failure of a single control system component or channel, or the failure or removal from service of any protection system component or channel, which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited so as to assure that safety is not significantly impaired.
Most functions performed by the reactor protection and the reactor control l
systems require the same process information. The design philosophy for these systems is to make maximum use of a wide spectrum of diverse and redundant process seasurements. The protection system is separate and distinct from the control system. The control system is dependent on the protection system in that control input signals are derived from protection system measurements -
wnere applicable. These control signals are transferred to the control system by isolation amplifiers which are classified as protection system components.
No credible failure at the output of an isolation amplifier will prevent the corresponding protection channel from performing its protection function.
Such failures include short circuits, open circuits, grounds, and the application of the maximum credible AC and DC voltages. The adequacy of system isolation has been verified by testing under these fault conditions.
The controls are designed such that a single failure of a sensor will not l
cause a control system malfunction requiring PPS function. The design meets i
3.1-35
s all requirements of RDT Standard C16-17, which meets or exceeds those of IEEE Standard 279-1971, eCriteria for Protection Systems for Nuclear Power Generating Stations".
Where instrument signals are provided to the Plant Control System by the Plant Protection System (e.g., Nuclear Flux), it is possible to conceive of multiple failures of PPS sensors causing loss of instrument channels in both the Plant Protection and Control Systems even though such multiple failures are very improbable. This could cause a Control System action that initiates a transient requiring Protection System action and could concurrently degrade the performance of one shutdown system. The consequences of this potential failure will be mitigated by the diverse instrumentation in the second Reactor Shutdown System which, being independent, is unaffected by the sensor failures. Since the worst case incident involving multiple failures of shared Plant Protection System / Plant Control System sensors is mitigated by the Plant Protection System, separation of control and protection systems is effected even in this extreme case.
The reactor protection systems and the control systems are discussed in Sections 7 2 and 7 7 respectively.
Criterion 29 - Protection System Reauirements for Reactivity Control Halfunctions The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single Lalfunction of the reactivity control systems, such as accidental withcrawal of control rods.
Response
The maximum controlled reactivity insertion rate due to control rod withdrawal at the design maximum withdrawal speed of 9 inches / minute (see Section 4.2 3) is 4.1 cents /second (see Section 4.3.2.6).
The protection system assures that the peak clad temperature is maintained within an allowable value for a ramp rate of this magnitude. Section 15.2 describes the core thermal response for the event at either startup of during full power operation and Section 4.2.1 provides a description of how this type of transient is included in the pin cladding structural design evaluations.
Criterion 24 - Reactivity Control System Redundancy and Canability Two independent reactivity control systems of different design principles. -
shall be provided. One system shall be capable of independently and reliably sensing and responding to off norma 3 conditions to assure that under ccnditions of normal operation, inc ating anticipated operational occurrences, and with appropriate margin for malfunctions such as a stuck rod, specified acceptable fuel design limits are not exceeded. The other system shall be capable of independently and reliably sensing and responding to off-normal conditions to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as a stuck rod, the capability to cool the core is maintained. Each system shall have sufficient worth, assuming failure of aay single active component, to shut down the reactor from any operating condition 3 1-36
to zero power and maintain suberiticality at the hot shutdown temperature of the coolant, with allowance for the maximum reactivity associated with any anticipated operational occurrence or postulated accident. One of the systems shall be capable of holding the reactor core suboritical for any coolant temperature lower than the Hot Shutdown temperature.
Responst:
The intent of this criterion, as stated in Reference 1 to PSAR Section 31, is to require two independent reactivity control systems of different design each capable of responding to off-normal events.
One system is used to maintain the fuel within acceptable design limits while the other system must maintain core coolability (assuming the first system does not respond). CRBRP meets this criterion as discussed below.
i The CRBRP design includes two Reactor Shutdown Systems (RSS) - the Primary Reactor Shutdown System and the Secondary Reactor Shutdown System. Each of the two shutdown systems has the capability, totally independent of the other system, to sense and respond to anticipated operational occurrences assuming a single failure. Criterion 22 is applied in the case of anticipated operational occurrences caused by a failure of equipment shared by the control and protection systems during testing.
The Primary RSS will be capable at any time in the reactor cycle, assuming the failure of any single active component (i.e., a stuck rod) to shutdown the reactor from any anticipated operational occurrence to the hot shutdown coolant temperature without exceeding fuel design limits. The worth requirement includes an allowance for reactivity insertion from postulated accidents; this allowance corresponds to the reactivity effect of withdrawing any single control rod from its normal operating position. Scram actuation is obtained by loss of electrical power to a group of rotor-roller nut mechanisms mounted on the reactor closure head. The scram release, located in each mechanism, causes coupled driveline and control rod (movable pin bundle) insertion into the fueled core region.
A scram spring assist supplements gravity accelerated insertion.
e The Secondary RSS using rods of significantly different design principles, will be capable at any time in the reactor cycle, assuming the failure of any single active component (i.e., a stuck rod), to shutdown the reactor from any anticipated operational occurrence to the refueling temperature of the coolant without loss of capability to cool the core. The worth requirement includes an allowance for reactivity insertion from postulated accidents; this s
allowance corresponds to the reactivity effect of withdrawing any single control rod from its normal operating position. Secondary system diversity relative to the primary system is provided by utilizing mechanical components of different design features. Scram actuation is initiated by loss of electrical power to solenoids located in the mechanism mounted on the reactor closure head. The solenoids vent pressure in a piston mounted in the mechanism. Loss of pressure actuates a scram latch located in the control assembly and causes the control rod to scram.
A hydraulic scram assist supplements gravity accelerated insertion.
3.1-37
s Six of the nine Primary RSS control rods are utilized by the Reactor Control System to meet the fuel burnup and load follow requirements for each cycle as well as to coeoensata for criticality and refueling uncertainties.
Each RSS is capable of independently and reliably sensing and responding to off-normal conditions. Design featu.'es that are provided to accomplish this include diversity in parameters which are sensed and monitored in the primary system compared to those sensed and monitored in the secondary system. The primary system uses a local coincidence logic configuration while the secondary system uses a general coincidence logic. Redundancy in features is provided in each system such that even should a single randon active failure occur, either system remains fully capable to perform its intended safety function totally independent from the other. Discussion of the RSS design is provided in Section 4.2.3 and in Section 7.2.
Criterion 25 - Combined Reactivity Control Systema Canability The reactivity control systems shall be designed to have an independent capability of reliably sensing and responding to off-normal conditions to assure that under postulated accident conditions and with appropriate margin for malfunctions such as a stuck rod, the capability to cool the core is maintained.
Resoonse:
The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require reactivity control systems to be designed to have an independent capability of reliably senring and responding to off-norail conditions to assure that the ability to cool the core is maintained. CRBRP meets this criterion by providing two shutdown systems that are each functionally capable of sensing and responding to off-normal conditions, in addition to having design capabilities as discussed in the response to Criterion 24, to assure that the capability to cool the core with margin for a stuck rod in the system is maintained. Discussion of the reactivity control systems is provided in Section 4.2 3 and in Section 7 2.
Criterion 26 - Heat Trannoort System Desian The heat transport system shall be designed to reliably remove heat from the reactor and transport the heat to the turbine-generator or ultimate heat sinks under all plant conditions of normal operation, including anticipated operational occurrences, and postulated accidents.
Consideration shall be given to provision of independence and diversity to provide adequate protection against common mode failures. The system safety functions shall be to:
- 1) Provide sufficient cooling to prevent exceeding specified acceptable fuel design limits during normal operation and following anticipated operational occurrences, and
- 2) Maintain integrity of the reactor coolant boundary sufficient to provide adequate core cooling following postulated accidents.
l 3 1-38
~^
-~
. ~^:
=
\\
i b
(
t
~'
)
Following the loss of a flow path, the beat transport system shall include at least two independent flow paths, each capable of performing the safety functions following shutdown.e The system shall include suitable interconnections, leak detection, isolation and containment capability to assure that for onsite electric power systen 1
operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the safety function can be accomplished, assuming a single failure.
s Resoonse:
k The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to assure that th'e Heat Transport System (HTS) be designed for normal operation, including anticipated operational occurrences, and be able to withstand postulated accidents such that at least two flow paths remain available for decay heat removal. CRBRP meets Criterion 26 through incorporation of the design features discussed below.
The HTS includes those systems and boundaries which provide the necessary functions to safely remove and transport reactor heat to the turbine generator or ultimate heat sinks under all plant operating conditions including These systems anticipated operational occurrences and postulated accidents.
provide three paths for the transfer of reactor heat to the turbine generator At rated power, the overall cooling requirement of during normal operation.
the Heat Transport System is 975 Hwt equally divided among these three During all reactor shutdown conditions, these three paths are parallel paths.
Each path is preferred as the means for reactor shutdown heat removal.
separate and is independent from the other two.
Each path has sufficient capacity to remove the full reactor shutdown heat Each path is provided with its own dedicated heat sink which load by itself.
The HTS also is capable of accepting the full reactor shutdown heat load.
includes systems which provide another independent, diverse, and single-active-failure proof path including its own redundant heat sinks which, by itself, has sufficient capacity to effect reactor shutdown heat removal.
The HTS is designed such that it will perform its intended safety function of reactor heat removal for all operational conditions, including anticipated Emergency power is supplied in three occurrences and postulated accidents.
separate divisions and is arranged such that continued operation of all four The design of esoh paths is assured in the event of loss of off-site power.
of the three preferred paths is such that the system working fluids will naturally circulate in the absence of any pumping, and this natural circulation is adequate to effect reactor shutdown heat removal.
'This requirement is not intended to preclude two-loop operation provided the system safety functions can be appropriately met.
3 1-39
In the event of the loss of one preferred flow path, normally the two other preferred flow paths will remain available. However, if a single-active-failure occurs and the second preferred flow path is also lost, then the third preferred flow path remains available plus the single-active-failure proof diverse path.
These design features and others including leak detection capability, elevated reactor coolant piping, guard pipes and vessels, location of sodium containing piping and equipment in separate cells, and arrangement that assures physical separation of the four paths, assure that there are no credible common mode failures which could reduce the number of available flow paths to less than two.
Discussion of the HTS and its component systems is provided in Chapter 5 Discussion of the power supplies, including emergency power, is provided in Chapter 8.
Criterion 27 - Assurance of Adecuate Reactor Coolant Inventory The reactor coolant boundary and associated components, control and protection systems shall be designed to limit loss of reactor coolant so that an inventory adequate to perform the safety functions of the heat transport system is maintained under normal operation, anticipated operational occurrences and postulated accident conditions.
Resoonse:
Tha high quality standards applied to the design, fabrication, erection, and testing of the coolant boundary (Criterion 28) assure protection against loss of reactor coolant.
In the unlikely event of a primary pipe or component boundary failure, the PHTS has been designed to limit the loss of reactor coolant and assure that for any boundary failure, continued reactor cooling is provided. The PHTS design features which limit loss of coolant and assure reactor cooling are the combined use of elevated pipids, use of guard vessel around major equipment and five foot pony motor shutoff head. The PHTS guard vessels have been designed such that the tops of the guard vessels are at an elevation which is approximately 9 feet above the tops of the reactor vessel discharge nozzle.
This level is based on the combination of the pony motor shut-off head of 5 feet and the minimum safe reactor vessel level of two feet above the tops of the reactor discharge nozzle, plus an additional two feet to accommodate
~-
sodium shrinkage and hydraulic uncertainties.
The volume of the guard vessel and the volume of sodium above the minimum safe level of the reactor vessel have been sized to assure that the guard vessel's volume will be less tLan or equal to the volume loss from the reactor vessel for any leak condition plus contraction.
Continued reactor cooling is provided in the unlikely event of a pipe failure by the PHTS elevated piping arrangement.
All PHTS piping is routed at an elevation above the tops of the PHTS guard vessels thereby limiting the loss of coolant in the unlikely event of a pipe failure.
3.1-40
The combination of guard vessel elevation, guard vessel volume, reactor vessel sodium inventory above the minimum safe level, pony motor shutdown head and elevated piping assures a 1$nited loss of reactor coolant and continued reactor cooling capability.
The reactor coolant volume control is accomplished in that part of the Primary Sodium Storage and Processing System which consists of the primary modium overflow vessel, primary sodium makeup pumps, primary sodium cold traps, and i
associated piping and valve. These components operate continuously during reactor operation, to provide sodium-level control within the reactor vessel, to accommodate volume changes in primary sodium, and to limit oxygen and hydrogen impurities in primary sodium. The overflow heat exchanger, located in a bypass on the reactor makeup return line is not normally operated. This component is only operated in the event that the overflow circuit is used for removal cf reactor decay heat. The Primary Sodium Storage and Processing System is shown on Figure 9 3-2 (included in Section 9 3) and ie described in more detail in Section 9.3 The overflow-makeup components are the only components within the Auxiliary Liquid Metal System which, during normal reactor operation, circulate reactor coolant. The overflow heat exchanger, used only for decay heat removal, is normally bypassed. All these components are located in inerted cells within the Reactor Containment Building (RCB). Fill and drain piping connect these components with sodium storage vessels, one inside and others outside of the RCB. All connecting lines to the normally operating components are isolated from the storage components by manually operated, locked-closed valves. Lines penetrating containment are isolated by additional, locked-closed valves, located outride the containment wall. Lines penetrating containment are anchored by steel plate members welded to the pipe and to pipe nieeves imbedded in the containment wall, which are, in turn, welded to the inner containment liner.
All overflow-makeup components are Seismic Category I components, and all component supports are designed and analyzed to ensure component integrity and operability during and after the safe shutdown earthquake. The largest component, the overflow vessel, is hung from overhead structures, and laterally braced to provide both earthquake protection and to permit unrestricted thermal expansion during all operating conditions.
The method of controlling impurities and permissible levels of contamination in the reactor coolant is by use of the cold traps, which are part of the Primary Sodium Storage and Processing System, described in more detail in, -
Section 9 3 Operation of the cold trap will maintain oxygen and hydrogen.
levels in primary sodium at or below 2 ppm and 0.2 ppm, respectively.
In the primary heat transport system, the only pumps and valves which are considered a part of the PHTS and are active, are the primary pump and check valve (see Table 5 3-10 for a list of pumps and valves). Both are active components in the event of pipe leaks, i.e., the primary pumps are reduced to pony motor flow following reactor shutdown and the check valve prevents any significant reverse flow.
3.1-41
- -._--- i :.
^
Criterion 28 - Quality of Reactor Coolant Boundary Components which are part of the reactor coolant boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical.
Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.
Reanonse:
The design, fabrication, erection and testing to be employed on the reactor coolant boundary and the extensive quality assurance measures to be employed during each of the above phases will ensure that this boundary has extremely low probabilities of abnormal leakage, rapidly propagating failure, and gross rupture. The codes and standards to be observed in the design of the reactor coolant pressure boundary are given in Subsection 3 2.2.
The quality assurance program requirements plan is discussed in Chapter 17 0.
Further details are also given in the responses to Criteria 12 and 29, and in Section 5 3 3.6.
The waterials used in fabricating the reactor vessel, closure head and guard vessel are summarized in Table 5.2-3 In general these materials conform to ASME Boiler and Pressure Vessel Code,Section III, and the supplemental requirements of RDT Standard E15-2NB-T.
Inspection of materials for the primary coolant boundary will be in accordance with the RDT material standards for the particular materials.
Inspection during fabrication will be in accordance with Section III of the ASME Code and RDT E15-2NB-T, Class 1 Nuclear Components. Inspection of materials and inspection during fabrication of the Guard Vessel will be in accordance with Section III of the ASME Code, Class 1 and RDT E15-2NB-T. The overall inspection and test plans for the three structures will be prepared by the fabricator and approved by the purchaser prior to fabrication.
Hydrostatic pressure tests will be performed on the completed reactor vessel and on the completed closure head as required by the ASME Code.
The high-pressure inlet plenum portion of the reactor vessel will be pressure tested to a pressure of 250 psig. This pressure test will take place after the installation of the core support structure. The pressure test will also provide structural verification of the core support structure, although not required by the ASME Code.
Following the pressure test of the inlet plenum, the entire vessel will be pneumatically tested; during this test, the uppen end of.the vessel will be sealed by a test head.
The closure head will be pneumatically tested to a pressure of 19 psig. A suitable test fixture will be used to retain the head and apply the test pressure to it.
The primary cold leg piping is made from 24 inch 0.D., 0.500 inch nominal wall thickness, stainless steel Type 304, Class 1 welded pipe, to design specifications and the supplementary requirements imposed by RDT H3-7T and RDT M2-ST and applicable code cases.
Per these two standards, the weld filler 3 1-42
material will conform to RDT M1-1T or RDT M1-2T.
Receiving inspection and certification of the material will include confirmation of heat and plate identification numbers and the following data:
chemistry - ladle and two check analysis mechanical - tensile tests (2) including ultimate, yield, elongation and reduction in area; flattening test; bend test, heat treatment report metallurgical - grgin size The primary hot leg piping is made from 36-inch 0.D. (reactor vessel-to-primary pump) and 24-inch 0.D. (primary pump-to-IRI), 0.50 inch nominal wall thickness, stainless steel Type 316, Class 1 welded pipe. The design specifications and supplementary requirements listed for the cold leg piping are also imposed on the hot leg piping.
Welders, welding procedures and welding operators will be qualified to the requirements of Section II of the ASME Code as supplemented by'RDT F6-5T.
Manufacturing operations will conform to the requirements of the ASME Code,Section III, as supplemented by RDT E15-2NB-T and applicable code cases.
Joints will be finished in accordance with the requirements of the ASME Code,Section III, as supplemented by RDG E15-2NE-T and applicable code cases.
Af ter final heat treatment, all final welded joints will be penetrant and radiographically examined over their entire length.
In accord with RDT Standards M3-7T and H2-5T, these examinations will be performed using the examination criteria of RDT F3-6T and acceptance criteria of RDT F3-37T. In addition, after heat treatment and hydrostatic tests, all final weld surfaces will be penetrant examined using the same criteria.
An intergranular corrosion test will also be performed to ASTM A 262 for detecting susceptibility to intergranular attack in the stainless steel.
Leaks from the sodium circuits of the reactcr coolant system can be detected by measurement of changes in sodium inventory, detection of radioactivity and a separate leak detection system. The leak detection system will include:
o Cable and Continuity Detectors o
Aerosol Monitoring Detectors This system will detect very small leaks, if they should occur, in piping, and inside of major component guard vessels as well as below large tanks such as the reactor overflow tank. Details of these methods for detection of sodium to gas leaks are discussed in Section 7.5 5.
Criterion 20 - Fracture Prevention of Reactor Coolant Boundary The reactor coolant boundary shall be designed with sufficient margin to assure that when stressed under normal operation, including anticipated
- 3. M 3
~~-
operational occurrences, maintenance, testing, and pcatulated accident l
conditions (1) the boundary behaves in a non-brittle manner and (2) the i
probability of rapidly propagating fracture is minimized.
The design shall reflect consideration of service temperatures, service degradation of material properties, creep, fatigue, stress-rupture, and other conditions of the boundary material under normal operation, including anticipated operational occurrences, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of coolant chemistry and irradiation on material properties, (3) residual, steady state and transients stresses, and (4) size of flaws.
Resoonne:
The intent of this criterion, as stated in Reference 1 to PSAR Section 3.1, is to require that the primary reactor coolant boundary components be designed to avoid brittle and rapidly propagating fracture modes, thus minimizing the likelihood of leaks greater than those assumed in the design basis.
CRBRP meets this criterion as discussed below.
Close control will be maintained over material selection and fabrication for the reactor coolant system to assure that the boundary will behave in a i
ductile manner.
Special inspection requirements will be included in the quality control procedure for both the basis material of' construction and on various subassemblies and final assembly for the reactor coolant loop components.
The analyses taking into account the service temperatures, service degradation of material properties, creep, and other conditions of the boundary material are given in response to Criterion 12 and Section 5 3 3.6.
Notch ductility as measured by the Charpy-V-notch test has historically been utilized for ferritic materials to determine the transition from ductile to brittle behavior.
The applicability of Charpy-V-notch toughness measurements to austenitic materials and weldment has not been demonstrated.
J-integral test and analysis procedures Are currently being explored and utilized in the analysis of fracture resistance or toughness of austenitic materials because of the plasticity associated with fracture in this class of materials (See Section 5 3.3.10).
Criterion 10 - Innnection of Reactor Coolant Boundarv Components which are part of the reactor coolant boundary shall be designed to i
permit (1) periodic inspection and testing of areas and features important to safety, to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program.
Resoonse:
The basis of the CRBRP in-service inspection program is defined in Appendix G of the PSAR.
Principal considerations are: 1) the use of a coolant which requires heaters and insulation to maintain a temperature greater than 4000F during shutdown and standby operations, 2) the containment of the primary 3.1-44
. E.
7 coolant system within independent inerted cells, and 3) the operation at low pressure because of the very low vapo: pressure of the coolant. Because of these features and the fact that very small leaks are capable of being detected, emphasis is placed upon continuous monitoring leak detection and visual inspection as the main techniques for in-service inspection.
The object of in-service inspection of components in nuclear power plants is to provide a continuing assurance that they are safe.
Components constructed to ASME rules are considered to be safe for initial operation within the events and conditions specified in the Design Specification.
The in-service inspection program provides monitoring and periodic inspection to detect abnormal conditions and indications of deterioration.
Additionally, the reactor coolant boundary is continuously monitored by reliable, sensitive, and diverse leak detection systems which assures early detection of leaks.
This instrumentation is described in the response to Criterion 28 and in Section 7 5.5 of this PSAR.
The criteria used to classify components into major categories correspond with the classifications used in Section II of the ASME Code.
a l
Representative surveillance materials will be obtained from the various product forms, including weldsents, from which the reactor vessel is fabricated. The requirements of Appendix H to 10CFR50 are considered not applicable since they were generated for ferritic material and the CRBRP reactor vessel will be made from austenitic material.
Criterion 91 - Intermediate Coolant Svaten The intermediate coolant system shall be designed to transport beat reliably from the reactor coolant system to the steam /feedwater systems as required for j
the reactor coolant system to meet its safety functions under all plant J
conditions including normal operation, anticipated operational occurrences and postulated accident conditions. The intermediate coolant system shall contain coolant that is not chemically reactive with the reactor coolant. A pressure i
differential shall be maintained across a passive boundary between the reactor coolant system and the intermediate coolant system such that any leakage would j
flow from the intermediate cooling system to the reactor coolant system unless j
cther provisio'ns can be shown to be acceptable on some defined basis.
Response
The intermediate coolant system will use sodium coolant, as will the reactor coolant. A nominal positive pressure differential will be maintained, across the passive boundary inside the IHI, from the intermediate coolant side (tube side) to the reactor coolant side. The intermediate coolant system will be designed to adequately and reliably transfer heat, under all plant conditions, from the reactor coolant system by circulating non-radioactive sodium from the IHI tube side to the steam generators.
These considerations are reflected in the following performance objectives for the intermediate coolant system:
Transport of reactor generated heat (975 mw ) through the intermediate a.
t coolant system to the Steam Generation System while maintaining an 3.1-45
n-adequate flow rate for controlling reactor temperature conditions within limits which preclude damage to the reactor vessel, fuel and reactor internals.
b.
Regulation of neat transport system flow in response to plant process control over the full operating power range of 40 to 100 percent reactor thermal power.
c.
Transfer of decay heat to the Steam Generation System under all normal and off-normal conditions including failure of a beat transport system component or loop. Specifically, there will be capability to remove decay heat by pony motor flow or natural circulation.
d.
Containment of sodium coolant by providing a boundary for coolant confinement.
e.
Provide a sodium coolant system which can be easily filled, vented and rapidly drained.
f.
Support of operation in a hot stand-by condition - nominally 7-1/2 to 0
10% of full flow at a normal temperature of 600 F.
Criterion 92 - Fracture Prevention of Intermediate Coolant Boundary The intermediate coolant boundary shall be designed with sufficient margin to assure that when stressed under normal operation, including anticipated l
operational occurrences, maintenance, testing, and postulated accident conditions, (1) the boundary behaves in a non-brittle manner and (2) the
~
probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures, service degradation of material properties, creep, fatigue, stress rupture and other conditions of the boundary material under normal operation, including anticipated operational occurrences, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of coolant chemistry and irradiation on material properties and (3) residual, steady state and transient st$ esses, and (4) size of flaws.
Resnonse:
Similar considerations as described in " Response" to Criterion 29 for the Reactor Coolant Boundary will apply to the intermediate coolant boundary..The Structural Performance objectives for the intermediate coolant system areiks follows:
a.
Design, fabrication, erection, and testing of the HTS components which comprise the sodium boundary shall be in accordance with the ASME Boiler and Pressure Vessel Code,Section III, Division 1, Nuclear Power Plant Components, applicabic Code Cases for elevated temperature components and applicable RDT Standards, as applied in each equipment specifi0i ton.
3 1-46
b.
The natural frequencies of all components will, where possible, avoid resonance with all expected pump driving frequencies. Where not possible, the component design shall insure that structural desage will not occur as a result of resonance.
c.
Structural design shall provide for dry IHTS piping and component heat up at a rate of 30 F/hr.
d.
Structural design shall provide for a system fill under conditions of full vacuum with system components at an average temperature of 4000F and hot spot temperatures of 6000F.
e.
All IHTS components and piping shall be designed with consideration of the following environmental factors as follows:
- 1) Floods - flood protection is provided by ensuring the integrity of the Reactor Containment Building (RCB) and the Steam Generator Building (SGB).
- 2) Tornadoes - tornado protection is provided by ensuring the integrity of the RCB and SGB.
- 3) Missiles - missile protection is provided by ensuring the integrity of the RCB and SGB and the individual cells within the l
RCB and SGB.
- 4) Earthquakes - protection from earthquake induced damage is j
provided by ensuring the structural adequacy of the RCB and SGB, l
the individual cells within the RCB and SGB, the components and the components supports of the IHTS.
- 5) Fires - fire protection is provided by both the conventional fire protection system and the sodium fire protection system.
Criterion 99 - Innnection and Surveillance of Intermediate Coolant Boundary Components which are part of the intermediate coolant boundary aball be designed to permit (1) periodic inspection of areas and features important to safety, to assess their structural and leaktight integrity, and (2) appropriate material surveillance program for the intermediate coolant boundary. Means shall be provided for detecting intermediate coolant leak ge.
Resnonse:
A Liquid Metal-to-Gas Leak Detector System is provided to detect and identify l
the location of Liquid Metal-to-Gas leaks for the purpose of continuous monitoring of the intermediate mystem boundaries.
The major portion of the intermedia' boundary is in normally accessible areas, facilitating in-service ine, ation by visual methods.
An in-service inspection program for the IHTS O_1 be implemented and conducted in accordance with Appendix G of tne PSAR. The in-service inspection program l
l 1
3 1-47
=-
u
=..
..:. =. = =
n l
will include continuous monitoring and visual examination of all INTS components such as pressure vessels, piping, pumps and valves. Feriodic volumetric examinations will be made on transition welds.
The need to acnitor austenitic stainless steel toughness changes (due to carburization, plastic creep straining and the thermal environment) will be assessed as part of an ongoing program. These studies will be performed in parallel with design.
If fracture toughness surveillance is determined, by ongoing programs, to be required, then the surveillance program will be designed in accord with the philosophy of Appendix H to CFR Part 50.
Criterion 14 - Reactor Coolant and Cover can Purity Control Systems shall be provided to monitor and maintain reactor and intermediate coolant and cover gas purity within spec 3fied design limits. These limits shall be based on consideration of (1) chemical attack, (2) fouling and plugging of passages and (3) radioisotope concentrations and (4) detection of sodium-water reactions.
Response
Plugging temperature indicators are used to monitor the saturation temperature of the total impurities in the primary sodium, the EYST coolant, and the Intermediate Heat Transfer System (IHTS) sodium. Additionally, sodium samples are taken from these systems for laboratory analysis of sodium impurities.
Gas impurity analysis is performed periodically on reactor, EYST, FHC and IHTS cover gas samples by the gas chromatograph in the Plant Service Building laboratory. These monitoring systems are described in Section 9.8.
Reactor coolant (primary sodium) and cover gas processing systems are also provided to maintain the reactor coolant and cover gas design purity. These systems are discussed in PSAR Sections 9.3.2, 9.5, and 11 3 Steam / water to sodium leak detector modules monitor the background hydrogen and oxygen concentration in the IHTS sodium.
Operation of the purification system cold traps maintains the IHTS hydrogen and oxygen in sodium levels within specified limits. Operation of the leak detectors is discussed in PSAR Section 7 5.5.3 Criterion 15 - Reactor Residual Heat Extraction System A reactor residual heat extraction system shall be provided to reliably l
transfer residual heat from the reactor coolant system to ultimate heat sinks under all plant shutdown conditions following normal operation, including anticipated operational occurrences and postulated accident conditions.
A passive boundary shall normally separate reactor coolant from the working fluids of the reactor residual heat extraction system.
Any fluid in the residual beat extraction system that is separated from the reactor coolant by a single passive barrier shall not be chemically reactive with the reactor Coolant.
i 3.1-48
.~
Suitable redundancy, independence and diversity in systems, components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure, with at least two flow paths remaining available for residual heat removal.'
Resoonse:
The intent of this criterion, as stated in Referonce 1 of PSAR Section 31, is to require reliable means of removing reactor decay heat assuming loss of offsite or onsite power and a single failure which could remove one or more of the four available flow paths from service.
CRBRP meets this criterion through incorporation of design features discussed below.
The roactor residual heat extraction systems are designed to reliably transfer residual heat from the reactor coolant system to the ultimate heat sinks under all plant shutdown conditions following normal operation, anticipated operational occurrences, and postulated accidents. These systems include the Intermediate Heat Transport System (IHTS), the Steam Generator System (SGS),
the Steam Generator Auxiliary Heat Removal System (SGABRS) and the Direct Heat Removal Service (DHRS).
The reactor coolant, contained in the Primary Heat Transport System (PHTS), is separated fro = the working fluide of the residual heat exraction systems by the passive barriers of the Intermedinte Heat Exchangers (IHI) between the PHTS sodium and the IHTS sodium, and the passive barrier of the Overflow Heat Exchanger (OHI) between the. PHTS sodium and the working fluid (NaK) of the DHRS. The reactor coolant and the residual heat extraction working fluids separated from it by the IHIs and the OHI are not chemically interactive, and thus these single passive barniers are adequate. In the SGS and the SGAHRS a water / steam mixture ic used an the working fluid, and this is chemically reactive with the reactor coolant sodium. However, this water / steam mixture is separated from the sodium of the IHTS by the passive barriers of the steam-generators. Thus, there are _
passive barriers between the reactor coolant and the water / steam mixture, whis? is the only residual heat extraction working fluid which is chemically interactive with the reactor.:
~
coolant.
Redundancy in components and features is provided within the three redundant beat removal paths. Properly qualified equipment, Class 1E power supplies and motor and turbine driven feedwater pumps provide assurance of adequate short and long term residual heat removal for all design basis events. The DHRS provides a diverse, single failure proof residual heat removal capability in addition to that provided in the three redundant heat removal paths. The
'This requirement is not intended to preclude two-loop operation provided the safety functions can be appropriately met.
3 1-49
- '... :......... -. 2. = :..
designs of the IHTS, SGS and SGAHPS include features to ensure that the working fluids circulate naturally in the event of the loss of pumping, and that this natural circulation is adequate to retain full capability for reactor decay heat removal. A turbine-driven auxiliary feedwater pump is provided as part of SGAHRS to maintain water inventory in the event that all electric driven feedwater pumps are lost. A dedicated meismically qualified source of water is provided by the Protected Water Storage Tank (PWST) to supply the auxiliary feedwater pumps. Suitable leak detection capability is provided. The reactor residual beat extraction systems are able to operate on either the onsite or offsite electrical power system, and to accomplish the overall reactor residual beat removal safety function, given a single failure, and yet 3.o retain at least two heat transport paths. A loop that removes heat by either forced or natural circulation is considered to be a flow path.
Functional capability of the reactor heat extraction systems is also addressed under Criterion 26 which addresses functional requirements for the Heat Transport Systems.
Discussion of the reactor residual heat extraction systems designs is provided in PSAR Chapter 5.
Criterion 16 Insoection of Reactor Residual Heat Extraction Systema The Reactor Residual Heat Extraction System shall be designed to permit appropriate periodic inspection of important components, such as heat exchanser and piping, to assure integrity and capability of the system.
Resoonst:
The designs of systems used for reactor residual heat extraction will provide the capability and accessibility for appropriate inspection during the service life of the system.
The inspection capability complements the leak detection capability in assuring the. integrity of the systems.
Systems used for reactor residual beat extraction will be inspected on a l
regular basis in accordance with Appendix 0 of the PSAR. The inspection l
program will cover critical welds, valves, and components. The building arrangement will provide for adequate access for inspection.
Leak detection from the low pressure portion of the SGAHRS is accomplished by monitoring the water level in the PWST. A low water level alarm is sounded when the level reaches a minimum acceptable level.
c Criterion 97 - Testina of Reactor Residual Heat Extraction Systems The Reactor Residual Heat Extraction Systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of their components, (2) the operability and the performance of the active components of the systems, and (3) the operability of each complete system, and under conditions as close to design as practicai, the performance cf the full operational sequence that brings the systems into operation for reactor shutdown and following postulated accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.
3.1-50
Response
The designs of systems used for reactor residual heat extraction will provide the capability for appropriate periodic and functional testing during the service life of the systems, as required to meet the intent of the ASME Code,Section III and Appendix G of the PSAR. This testing will assure (1) the structural and leaktight integrity of system components, (2) the operability and the performance of the active components of the systems, and (3) the operability of each complete system, and under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation for reactor ebutdown and following poetulated accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources. Operability and performance of the active components of the systems may be assured by implementation of an in-service tets program for active components such as valves, and each valve will be tested during service as required by the program. Systems used for reactor residual heat extraction are designed to allow for operation on either normal or emergency power sources during appropriate plant periodic tests.
Details of the Reactor Residual Heat Extraction System are provided in Chapter 5.
Criterion 98 - Additional Coolina Systems In addition to the heat rejection capability provided by the reactor residual heat extraction systems, systems to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided, as necessary. The system safety function shall be to transfer the combined haat load of these structures, ayetems, and components as required for safety under normal operation, including anticipated operational occurrences and postulated accident conditions.
Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation, capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite i
power is not available) the system safety function can be eccomplished, assuming a single failure.
Resoonse:
The additional cooling systems for the CRBRP are:
Recirculating Gas Cooling Systems Ex-Vessel Storage Tank Emergency Chilled Water System Emergency Plant Service Water System The intent of this criterion is to require cooling to other components and system important to safety (which require a controlled temperature in order for them to perform their safety function), assuming loss of offsite or onsite pcwer and a single failure. The reliability of the additional cooling system is intended to be sufficient to support the requirements of the systems it 3 1-51
i 1
I serves, including the effects of all design basis events. CRBRP meets Criterion 38.
A brief discussion of each system and the design features satisfying the criterion follows.
Recirculatina Gas Coolina Swata==
Heat removal from the initial inner cells during normal plant operation is provided by the Recirculating Gas Cooling System.
The design basis for the removal of heat from these sub-systems is to maintain cell temperatures below a level which would be deleterious to the concrete, electrical wiring, instrumentation, components or equipment. The portions of ths RGCS servicing the EVST Ccoling Loops, and Primary Sodium Makeup pumps are Safety Class 3 Ex-Vessel Storane Tank Three independent heat removal systems (described in detail in Section 9.1) are each capable of removing the EVST design heat load of 1800 kw while maintaining EVST sodium temperature within acceptable limits.
Cooling capability is maintained following postulated accident conditions such as an SSE.
Redundancy in EYST cooling capability is normally provided by forced convection in either of the identical cooling circuits, each of which can l
maintain maximum sodium outlet temperature of 510oF.
I In the extreme unlikely event that both normal cooling circuits are unavailable, heat will be removed by a third (backup) cooling circuit by natural convection. The backup cooling circuit can remove 1800 kw while maintaining EVST sodium temperatures below 7750F.
Each of the three cooling circuits is separated and shielded in order to preclude the possibility of any failure in one circuit impairing the operability of another.
The sodium loops of each circuit are located in inerted cells to prevent a radioactive sodium fire. Thus, failure of any l
component in any of the sodium or NaK loops is isolated and can cause loss of only the circuit in which it is located. The standby cooling circuit can then be put into operation within minutes to provide essentially continous cooli.ng of the EVST sodium.
All components of the normal forced convection sodium and NaK loops which I
require electrical power are on the emergency, Class 1E, power system to ensure continuous EVST cooling, even following a single failure.
In the event of loss of onsite, or offiste power to the plant, power to both of the normal cooling circuits is provided by the plant diesels.
Immediate activiation of the diesel-powered supply is not necessary since the sodium volume within the EVST provides a heat sink to minimize sodium temperature rise during loss of circulation. Operation of the third (backup) sodium and NaK loops does not require electric power.
They can be brought into operation manually.
3.1-52 l
__ - _ 7
_7 F=armancy Chilled Water Swatan The Emergency Chilled Water System (Section 9 7) is supplied by two independent loops, each loop capable of meeting the total chilled water demand during an emergency. Each loop contains one electric motor-driven, mechanical refrigeration water chiller, circulation pump, and one air separator, expansion tank, piping, valves and instrumentation. The system is designed to operate during accident conditions without loss of function. The chilled water system is designed to Seismic Category I, ASME Section III, Class 3 requirements and is connected to the Class 1E AC power supply.
Emeraency Plant Service Water Svaten The Emergency Plant Service Water System (Section 9.9 2) is designed to provide sufficient cooling water to permit and maintain the safe shutdown condition in the event of an accident resulting in the loss of the Normal Plant Service Water System or the loss of the plant AC power supply and all offsite AC power supplies.
Heat is transferred from the EPSWS to the emergency cooling tower structure which serves as the ultimate heat sink.
All electric motors serving the system are connected to the Class 1E onsite power supply. In case of loss of plant and offsite power these motors are switched automatically to the onsite power supplies. The piping and equipment for each redendant loop of the system is physically separted or protected with a barrier to conform to common mode failure criterion.
The Emergency Plant Service Water System is capable of accommodating any single component failure without affecting the overall system capability of safe shutdown condition.
Criterion 99 Inanection Of Additional Coolina Syntama The additional cooling syst'em shall be designed to permit appropriate periodic inspection of important components, such as heat eFchangers and piping, to assure the integrity and capability of the systems.
EfJLD.QERE:
The intent of this criterion is to require the design of cooling systems which provide cooling to components and systems important to safety to allov provisions for periodic inspection of important components.
CRBRP meets Criterion 39 Recirculatina Gas Coolina Svatem Periodic inspection of equipment will be scheduled to ensure operation of the Recirculating Gas Cooling System.
In-service inspection of the equipment piping and valves will be provided in accordance with the requirements of the ASME Code,Section II, Division 1.
Ex-Vessel Stormae Tank Isolation valves are provided in the auction and return lines to each of the two normal, forced convection sodium loops to permit loop isolation for 3.1-53
=
4.
=..
inspection or maintenance. Prior to personnel access to a cell, the isolation valves will be cicsed; loop drainage will be provided depending upon the Na radioactivity level. The loop isolation valves, and loop high point vents, are located higher than the sodium level in the EVST; so that once the loop is vented and drained, siphoning of the EYST cannot occur, even if tho isolation valves are accidentally opened during a maintenance operation. Siphoning of the EYST is also prevented by antisiphon holes in the inlet downconer, and by j
limiting the elevation of the outlet downconers.
The high-point vent in the sodium loop of the third (backup) cooling circuit allows sodium to drain back to the EVST for inspection or maintenance. Since the entire backup loop is located higher than the sodium in the EYST, siphoning cannot occur.
Leak checks wil) be made on all of the systems prior to filling with Na or Nak according to specific procedures.
Prior to spent fuel loading, the system will be operationally tested to determine that the system will perform within design limits.
The equipment containing Na will be placed in inert atmosphere cells that will l
be accessible for inspection after component shutdown, deinerting, and radioactive decay. The three independent cooling loop components are separated by shield walls so that inspection and maintenance ckn be performed with the other loops remaining operational.
An in-service inspection device will be used to periodically check the structural integrity of the EVST vessel. Space for such a device is provided by allowing sufficient clearance between the storage vessel and guard vessel.
The NaK airblast and natural draft heat exchangers will be located in air atmosphere cells and will be available for periodic visual inspection.
F=arrancy Chilled Water System Periodic inspections of equipment and flow rates are scheduled to ensure the proper operation of the system.
In-service inspection of the equipment piping and valves will be provided in accordance with the requirements of the ASME l
l Code,Section II, Division 1.
The safety-related portions of these Cooling Systems piping and equipment are located in accessible areas and may be psciodically inspected.
F=arne'ncy Plant Service Water System Periodic inspections of equipment is scheduled to ensure the proper operation of the system.
In-service inspection of the equipment piping and valves will be provided in accordance with the requirements of ASME Code,Section II, Division 1.
3 1-54
a r..-
=
s Criterion 40 - Testina Of Additional Coolina Svat===
The additional cooling systems shall b) designed to permit appropriate periodic pressure and functional testing to assure. (1) the structural and leaktight integrity of their components, (2) the operability and the performance of the active. components of the systems, and (3) the operability of the complete systems and under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.
Hesponse:
The intent of this criterion is to require the design of the cooiing systems which provide cooling to components and systems important to safety to allow provisions for periodic testing to assure the systems still perform as designed. CRBRP meets Criterion 40.
Recirculatina Gas Coolina System The entire Recirculating Gas Cooling System will be tested prior to plant operation. Instruments and controls will be provided for periodically testing the performance of the system during plant operation or scheduled shutdown.
Fans and isolation valves will be tested at regular intervals to ensure their operability.
Ex-Vessel Storane Tank EVST cooling is periodically transferred from one normal cooling circuit to the other normal cooling circuit approximately every 4 months. Thus the operability and performance of both circuits during startup and steady-state operating conditions is periodically tested.
The third backup cooling circuit is normally maintained in a preheated condition with a reduced sodium and NaK flow rate. Periodically it is brought on-line with a significant heat load of several hundred kilowatts in the EVST to test its operability.
Prior to plant startup, preoperational testing of the EYST cooling systems is performed to assure the adequacy of the design. Refer to Section 9.1.2.1.4.
Leak detection is provided by liquid metal and sodium /NaK aerosol detectors, smoke detectors, and tank sodium /NaK level slarms.
_=arnency Chilled Water System F
f After testing each individual component of the system, the entire system is l
tating prior to plant operation.
Instruments and controls are provided for periodically testing the performance of the system during normal plant operation or scheduled shutdown.
The safety-related portions of these cooling systems are designed such that they may be tested for integrity, operability and performance on a periodic bcsis as required by the ASME code,Section II, Division 1.
3 1-54a
c.
Emernency Plant Service Water Swatan The system components are tested at the manufacturers' facilities, and a complete system test is accomplished prior to plant operation. The Emergency Plant Service Water Pumps are tested at regular intervals to ensure their availability. Isolation valves are also tested on a periodic basis to ensure their operability.
The pressure and temperature sensing devices and logic circuits are tested as described in Section 7.6.1.
Two redundant indications of each Emergency Plant Service Water header pressure are provided in the control room with low header pressure annunciated in the control room. Each pressure sensor can be tested by valving the sensor out of service and applying a simulated signal to verify the control indication and annunciation.
l Heat is transferred from the EPSWS to the Emergency Cooling Tower Structure which serves as the ultimate heat sink.
Details on testing of these systems are described in Section 3A.1, 5.6, 91, 9 3 and 9 7 I
e 3 1-54b
l
^
~^
Criterion 41 - Containment Dominn a==f a The reactor containment structure, including access openings and penetrations, and if necessary, in conjunction with additional post accident beat removal systems including ex-vessel systems, shall be designed so that the cont 2iament structure and its internal compartments can accommodate, without exceeding the design leakage rate, and with sufficient margin, the calculated pressure and temperature conditions resulting from normal operation, including anticipated operational occurrences and any of the postulated accidents. This margin shall reflect consideration of (a) the effects of potential energy sources i
which have not been included in the determination of the peak conditions, such as decay heat in released fission products, potential spray or aerosol formation, and potential exothermic chemical reactions; (b) the limited experience and experimental data available for defining accident phenomena and containment responses; and (c) the conservatism of the calculational model and input parameters.
Response
The confinement / containment structure, including access openings and penetrations, will be designed with sufficient conservatism to accommodate, without exceeding the design leakage rate, the peak pressure and temperature associated with conservatively postulated accident conditions.
The containment design consists of a free-standing, all welded steel vessel with a steel lined concrete bottom designed to meet the requirements of the ASME code Section III Division 1 Subsection NE and Division 2 Subsection CC.
A concrete confinement will surround the containment. The confinement /
I containment annulus space will be maintained at a minimum 1/4" water gauge j
negative pressure during normal plant operations and all accident conditions.
i l
l i
3.1-55
2 -..
- - -. d :. : *
=
During accident conditions, the containment / confinement annulus exhaust will be filtered through high efficiency filters. Details of the design and analyses are given in Sections 3.8.2 and 6.2.
The ability of the containment to function as an effective enclosure in the event of sodium fires or radioactive releases is demonstrated in Sections 6.2 and 15.6.
Criterion 42 - Fracture Prgyention of Reactor Contain= ant Boundary The react.or containment boundary shall be designed with sufficient margin to assure that undar normal operation, including anticipated operational occurrences, maintenance, testing, and postulated accident conditions (a) its i
metallic materials behave in a nonbrittle manner and (b) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, including anticipated operational occurrences, maintenance, testing and postulated accident conditions, and the uncertainties in determining (a) material properties, (b) residual, steady-state, and transient stresses, and (c) size of flaws.
Response
The containment vessel and its penetration sleeves will meet the material, design and technical process requirements of ASME-III subsection NE.
Charpy V-notch impact tests requirements will be in conformance with ASME-III Code, employing a lowest service metal temperature of 115 F.
The design will consider uncertainties in material properties, residual, steady-state, and transient stresses, and material flaws, in addition to conservative allowable stress levels for all stressed elements of the containment boundary. Details of the containment design are given in Sections 3 8.2 and 6.2.
Criterion 49 - Canability for Containmant Leakane Rate Testina The reactor containment and other equipment which may be subjected to containment test conditions sh'all be designed so that periodic integrated l
leakage rate testing can be conducted at containment design pressure.
Resoonse:
The reactor containment design will permit overpressure strength testing during construction and permit preoperational integrated leakage rate tes' ting in accordance with Appendix J of 10CFR50. All equipment which may be subjected to the test pressure will be designed or arrar:ed with suitable provisions so that periodic integrated leakage rate testing can be conducted.
Further details are provided in Section 3.8.2 and 6.2.
Criterion 44 - Provisions for Containment Testina and Tnanection The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas, such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leak tightness of penetrations which have resilient seals and expansion bellows.
ttJk M
. :..:. ;.= h:. :.
~ ~ '
Besconse:
The reactor containment and the containment isolation system will be designed so that appropriate periodic inspection of all important areas such as penetrations can be made.
The design will also be such that an appropriate surveillance program can be maintained.
The design will permit periodic testing at containment design pressure of the leak tightness of isolation valves and penetrations having resilient seals and expansion bellows. It will also permit demonstrating periodically the operability of the containment isolation system. The containment will be inspected and tested to heed the requirements of 10CFR50 Appendix J.
Further information is given in Section 6.2.
Criterion 45 - Pininn Systema Penetratina Containment Piping systems penetrating reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability, and performance capabilities which reflect the importance to safety of isolating the piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to, determine if valve leakage is within acceptable limits.
ResDonse:
The design of the piping systems penetrating reactor containment conforms to this criterion in accordance with Criteria 46 (Reactor Coolant Boundary Penetrating Containment), 47 (Primary Containment Isolation) and 48 (Closed Systems Penetrating Containment) as shown in Table 6.2-5.
The containment isolation features of the design of lines penetrating containment provide the necessary assurance that the containment system will provide the barrier to release or spread of radioactive gas or particulate matter.
For lines of closed systems penetrating containment, one isolation valve located outside of containment as close as practical to containment is provided. A single valve meets the criteria and provides the necessary capability to liEit the release of activity. The valves and associated actuators are located in-protected areas and are testable. Manual initiation of isolation is provided.
For the lines connected to the reactor coolant boundary, or containment atmosphers, two valves, automatically actuated provide the necessary protection.
The argon and nitrogen supply line valves provide a double barrier which is automatically activated on loss of the ex-containment boundary. The valves and associated actuators are located in protected areas and are testable.
Remote and local manual initiations are provided.
1 3.1-57
__,4 z
The nitrogen exhaust line to CAPS has two automatically actuated valves. The ex-containment portions of the system are protected against the effects of severe natural phenomena. Valve closure signal is initiated by the plant protective system. The valves provide two barriers following closure. The valves and associated actuators are located in protected areas and are testabla.
Automatic isolation of the lines for containment mir ventilation and those for containment vacuum breakers is provided by two isolation valves for the containment vacuum breakers, and three isolation valves for the containment air ventilation, with independent actuating trains.. One valve is inside containment and one and two outside as close as practical for the containment vacuum breakers, and for the containment air ventilation, respectively. This redundancy assures proper isolation assuming single internal random failures of the equipment.
Periodic on-line testing capabilities are included. The valves and associated actuators are located in areas which are protected from tornado generated missiles and which are designed to withstand the seianic forces.
The IHTJ piping within containment out to the end of the penetration seal is protected from inadvertent accidents and natural phenomena by being totally enclosed with reinforced concrete cella (248, 251, and 252) which serve as radiation shields within the intermediate bay of the steam generator building (Figures 1.2-13 and 20). the IHTS piping is designated Safety Class 2, Seismic Category 1, and classified as ASME Section III, Class 2, designed and constructed to Class 1 requirenents. Since the entire IHTS is a closed system and is neither part of nor directly connected to either the containment atmosphere or the primary coolant boundary, and is protected as described above, isolation valves are not required (Tables 3 2-2, 4, 5).
Criterion 46 - Reactor Coolant Boundarv Penetratina Containmant Each line that is part of or directly connected to the reactor coolant boundary and that penetrates reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation profisions for a specific class of lines, such an instrument lines, are acceptable on some other defined basis:
(1) One locked closed isolation valve inside and ons locked closed isolation valve outside containment, or (2) One automatic isolation valve inside and one locked closed isolation valve outside containment, or (3) One locked closed isolation valve inside and one automatic isolation valve outside containment.
A simple check valve may not be used as the automatic isolation valve outside containment, or (4) One automatic isolation valve inside and one automatic isolation valve outside containment.
A simple check valve may not be used as the automatic isolation valve outside containment.
3 1-58
. : =..- :.;. 2 1
Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.
Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety. Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for inservice inspection, protection against more severe natural phenomena, and additional isolation valves and containment shall include consideration of the population density, l
use characteristics, and physical characteristics of the site environs.
Response
Those lines which are part of or directly connected to the reactor coolant boundary and penetrating the containment are the argon supply line, the argon exhaust to RAPS, and the gas sampling line.
Each line will be provided with one automatic isolation valve in side containment and one automatic isolation valve outside containment.
(See Table 6.2-5.)
Simple check valves are not used as containment isolation valves outside containment.
The isolation valves outside containment will be located as close to the containment as practical-and the automatic isolation valves are designed to take the position that provides greater safety upon loss of actuating power.
Appropriate measures will be taken to minimize the probability or consequences of an accidental rupture of these lines or lines connected to them to assure l
adequate safety.
(More details are provided in Section 6.2.4.2.)
Criterion 47 - Primary Containment Isolation t
Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it dan be demonstrated that the containment isolation provisions for a specific class of lines, cuch as instrument lines, are acceptable on some other defined basis:
(1) One locked closed isolation valve inside and one locked close isolation valve outside containment, or (2) One automatic isolation valve inside and one locked closed isolation valve outside containment, or (3) One locked closed isolation valve inside and one automatic isolation valve outside containment.
A simple check valve may not be used as the automatic isolation valve outside containment, or (4) One automatic isolation valve inside and one automatic isolation valve outside containment.
A simple check valve may not be used as the automatic isolation valve outside containment.
l 3 1-59
^~
^
au,;; ;;
Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.
Responne:
The following lines penetrate the reactor containment and are directly connected to the containment atmosphere:
Containment Ventilation Air Supply Line Contbinnent Ventilation Air Exhaust Line Containment Vacuum Breakers Each of these lines, except the containment vacuum breakers will be provided with three confinement / containment isolation valves, two immediately outside the confinement and one inside the containment, with independent actuating trains.
The valves and associated actuators will close on loss of air or electrical Because the system operating pressures are low and the closure times power.
required for the containment isolation valves are four seconds, the dynamic forces resulting from the inadvertent closure under operating conditions will not challenge the integrity of the valves or connecting piping.
However, a quick acting automatic relief damper will be provided in a branch duct between the Air Supply Line containment isolation valves and the supply fans in order to relieve any excess pressure on the ductwork originated by the activation of 1
the containment isolation valves. A relief damper is provided in the exhaust air line between the isolation valves and the exhaust fans, to relieve the vacuum in the exhaust duct after the isolation valves close. In addition, upon containment isolation, the containment ventilation supply and exhaust fans are automatically stopped.
Criterion 48 - Closed System Penetratina Containment Each line that penetrates primary reactor containment and is neither part of l
nor directly connected to the reactor coolant boundary, nor connected directly to the containment atmosphere shall have at least one containment isolation valve, unless it can be demonstrated that containment isolation provisions for a specific class of lines are acceptable on some other defined basis. The isolation valve, if required, shall be either automatic or locked closed, or I
capable of remote manual operation. This valve shall be outside containment f
and located as close to the containment as practical.
A simple check valve ~
aay not be used as the automatic isolation valve.
Resnonse:
Each of the following lines of closed systems penetrates the reactor containment and is neither part of the reactor coolant boundary nor connected directly to the containment atmosphere:
3 1-60
],.
- ]._._f ] ]~,
j j7 _.
'~ R
~
~
1
)
i Sodium Transfer Line Between Storage Tanks (Section 9 3)
Sodium Transfer Line from 2VST (Section 9 3)
DHRS NaK Line to Containment (Section 9 3)
DHRS NaK Line from Containment (Section 9 3)
Norsal Chilled Water to Containment (Section 9,7)
Normal Chilled Water from Containment (Section 9 7)
Emergency Chilled Water Supply (Section 9 7)
Emergency Chilled Water Return (Section 9 7)
Each of these lines has at least one containment isolation valve capable of remote manual operation and located outside and as close to containment as practical. These lines and the associated containment isolation valve designs are discussed in Section 6.2.4.
The IHTS has been judged to be an acceptable isolation boundary without the inclusion of isolation valves because of (1) the precautions taken to protect the IHTS boundary against accidents, extreme environmental conditions, and natural phenomena, (2) the ability to monitor the integrity of the boundary and (3) upon the acceptability of the radiological consequences which would result from a failure of the boundary. The basis for this judgement is discussed in more detail in Section 6.2.4.1 and 15.6.1.5 2.
Criterion M - Contain==nt Atmonohere Cleanun Systems to control fission products, hydrogen, oxygen, Na aerosols or l
combustion products and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. The necessity of such systems should consider the effects of sodium leakage and its potential reaction with oxygen and its potential for hydrogen generation when in contact with concrete.
Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure.
Response
During normal operation, the confinement / containment annulus will be maintained at a minimum of 1/4" water gauge negative pressurc with respect to the outside atmosphere by exhausting 3000 CFM of filtered air through one of two ESF annulus pressure maintenance fans.
Upon a containment isolation signal, both the annulus pressure maintenance fan and the annulus filter fan with its associated filter unit will operate.
During this condition, only a portion of the total air flow (3000 CFM) is exhausted to the outside atmosphere and the remainder of the total air flow 3 1 61
~
-. ~,_,_ _.a n.
7-4 (11000 CFM) is returned back to t'he annulus space at the 733'-0" elevation and then it is relieved to the upper annulus through equally spaced openings at elevation 816'-0".
The filter system will be designed as an ESF system, and will comply with Regulatory Guide 1.52.
The filter system will be designed to achieve a minimum of 995 particulate and 955 absorbent efficiency. Radiation monitoring equipment associated with the annulus filtration system is described in Section (same notation) 12.2 of the PSAR. By maintaining the annulus at a minimum of 1/4" water gauge negative pressure with respect to the outside atmosphere, the bypass leakage (that fraction of annulus radioactivity which leaks from the confinement building without being filtered) can be maintained at less than 15 The annulus filtration system features of the design provide the necessary assurance that the radioactivity released as a result of the design basis accident will not exceed the guidelines of 10CFR100.
Criterion 50 - Insoection of Containment Atmosehere Cleanun Svstama The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.
Response
The annulus filtration system shall be inspected per the requirements of Regulatory Guide 1.62.
Criterion 51 - Testina of Containment Atmosehere Cleanun Svata==
The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency pcwer sources, and the operation of associated systems.
Resocnse:
-}
The annulus filtration system shall be tested per the requirements of Regulatory Guide 1.52.
Containment penetrations shall be tested per Appendix J to 10CFR50 with the exceptions summarized in Section 6.2.1.4, in order to verify bypass leakage assumptions used for radiological accident analyses, griterion 52 - Control of Releases of Radioactive Materia 1m to the Environment The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation including 3 1-62
l anticipated operational occurrence. Sufficient boldup onpacity aball be provided for retention of gaseous and liquid effluents containing radioactive asterials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.
Reseonse:
The CRBRP design incorporates in its liquid processing system a division of the radioactive waste streams into two categories: an intermediate radioactivity level waste stream, and a low level radioactivity waste streas.
The normal operation of the intermediate radioactive liquid waste stream is such that the processed liquids are not released from the plant but are recycled for reuse. The low level radioactive vaste stream will discharge to a diluent strema only a design estimate of approximately 1 of activity per year excepting tritium which is expected to be 3 aci/ year.
The gaseous radioactive release from the CRBRP will be processed through the Radioactive Argon Processing System (RAPS) and the Cell Atmosphere Processing System (CAPS). These two systems are subsystems of the Inert Gas Receiving and Processing System (See Section 9 5).
The RAPS exhaust is recycled with no direct discharge to the environment. The CAPS maintains the cell atmospheres at acceptable levels. The exhaust release rate from this system is designed at 50 SCFM exhausting to the RCB HVAC system.
j l
Other gaseous effluents from the CRBRP will be exhausted through the normal l
HVAC systems and the CRBRP design is such that activities are expected to be
<<10CFR20 limits.
The Solid Radioactive Waste. System is designed to handle compactible, non-compactible and solidification of liquid wastes with cement or concrete.
Suitable weather protected facilities are designed to prevent any release of activity to the environment dgring on site storage.
Department of Transportation approved containers will be utilized to transport solid radioactive waste for eventual long tera disposal at licensed locations.
The releases of radioactive materials from the CRBRP are discussed separately in Section 11.2, Liquid radioactive releases, Section 11.3, Gaseous j
radioactive releases, and Section 11.5 Solid radioactive releases.
i Criterion 59 - Fuel Storane and unnalin, and nadioactivity Control The fuel storage and handling, radioactive vaste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal operation, including anticipated operational occurrences, and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that 3 1-63 i
l
reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions. The fuel handling and its interfacing systems shall be designed to minimize the potential for fuel management errors that could result in fuel rod failure.
i l
l l
l l
l l
l 3 1-63a
Response
Fuel storage facilities and fuel handling equipment important to safety are designed to provide accessibility for performing inspection, maintenance and testing activities. All fuel storage facilities and fuel handling equipment will be shielded for radiation protection to meet the requirements specified in 10CFR20, 50 and 100, and Regulatory Guide 8.8.
Containment, confinement, and filtering are provided as required for all fuel storage facilities and I
fuel handling equipment containing radioactive material to limit any radioactive releases below those radiation doses specified in 10CFR20 and 100 j
as appropriate.
Adequate cooling capability is provided for spent fuel i
storage and spent fuel handling equipment to assure decay beat removal with enough reliability, independence and redundancy to accommodate all plant conditions.
A significant reduction of sodium coolant inventory in the spent fuel storage facilities under accident conditions will be prevented by employing high quality design and construction standards to the spent fuel storage vessels, by guard jackets surrounding the storage vessels and by anti-syphon features. The design measures necessary to meet this criterion are described in Section 9.1 for the fuel storage and handling system.
i Criterion 54 - Prevention of Critiemlity in Fuel Storane and unnalin, Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe l
configurations.
Resnonse:
Geometrically safe configurations and fixed neutron absorbers (in the Ex-Vessel storage tank) are employed to preclude criticality in new and spent fuel storage facilities and in fuel handling equipment. The appropriate safety measures and the design features necessary to meet this criterion are described in Section 9.1 for the fuel storage and handling system.
Criterion 55 - Monitorin, Fuel and Waste Storare i
Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual beat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.
Resoonse:
Monitoring systems are provided to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels.
Appropriate local alarms will be set off and annunciated in the control room to warn personnel of potential safety problems.
The number, sensitivities, ranges, and locations of the radiation detectors i
will be determined by requirements of the specific monitored process during normal and postulated abnormal (accident) conditions.
All monitors will be designed so that saturation of detectors during a severe accident condition will not cause erroneously 3ow readings. Monitoring during severe post I
1 3.1-64
1 accident conditions will be accomplished by the h:1h range gamma eroa monitors discussed in Section 12.1.4, in conjunction with the sampling lines described in Section 11.4.2.2.1.
Excessive gamma radiation levels will trip an alara locally, and annunciate it in the control room thus permitting operators to take corrective action. Monitoring instrumentation will be provided for the EYST and its associated areas for conditions that might result in a loss of the capability to remove decay beat and to detect excessive radiation levels.
The RSB has radioactivity monitors above the EVST to detect accidental releases and to sound alarms. Monitorir.3 instrumentation will also be provided for the FHC for conditions that might result in a loss of the capability to remove decay heat, and to detect excessive radiation levels.
Temperature instrumentation and sodium level sensing probes will monitor cooling capability of the EYST. Too high sodium temperatures, and too high or too low sodium levels will sound an alara. Other monitors will be provided in the two primary EVST cooling systems and the backup cooling loop. Sodium leak detectors will monitor the space between the storage tank vessel and the guard vessel. An argon gas activity monitor will be provided. An area monitor will measure the gamma radiation activity in the operating gallery of the FHC.
Instrumentation is provided for the EYST cooling system to monitor and alara off-normal conditions in both the sodium and NaK systems, including high temperature low flow, and external leak detection. The operating pressure of the NaK system is maintained higher than that of the sodium system. Leakage of NaK to sodium is monitored, and alarmed, by abnormal level indication in the NaK system expansion tank, in conjunction with the level in the EYST.
Most of the gas processed in CAPS is the inerted cell nitrogen which is periodically purged to control its oxygen content. Additional gas from air atmosphere cells may also be processed in CAPS if it contains radioactivity.
In order to reduce the gas-processing load in CAPS the nitrogen t.nd the air atmosphere in the cells are monitored for radioactivity. When a cell shows high levels of radioactivity, the atmosphere can be passed through CAPS by manual diversion. Radiation monitoring for the inerted cells is provided by three multi-channel sampling units. The several connected cell lines are analyzed in sequence for radioactivity, water vapor, and oxygen.
If high levels of any of these are detected, the cell discharge line valve can be manually actuated to direct the purge to CAPS, but the purge flow is not begud until any of the upper limit setpoints for the water vapor, or oxygen concentrations are reached.
Once begun, the purge flow will continue until l
the lower setpoint of the offending function is reached. Automatic purges are I
monitored for high racioactivity and are automatically diverted to CAPS if ;a high radiation level exists.
Process radiation monitors are provided to allow the evaluation of plant equipment performance and to measure, indicate and record the radioactive concentration in plant process and effluent streams during normal operation and anticipated operational occurrences.
Fixed and mobile continuous air monitors (CAM) will be employed in conjunction with portable air sampling equipment to satisfy the requirements of CRBRP Design Criteria 17 and 56 and the relevant sections of 10CFR20; and to verify that radioactive atmospheric contamination within the CRBRP remains normally "as low as reasonably achievable".
3 1-65
1 Criterion 56 - Monitorinn Radiometivity Relemaan Means shall be provided for monitoring the reactor containment atmospheres, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences l
and from postulated accidents.
I
Response
The containment atmosphere vill be continuously monitored during normal and anticipated operational occurrences, using the containment exhaust radiation monitors which will be located in the ventilation exhaust before the containment isolation valves. In the event of a postulated accident, samples of the containment atmosphere can be obtained via post accident sampling lines which penetrate the RCB to allow airborne radioactivity concentrations within the containment to be sampled. Fixed continuous radioactivity monitors (area monitors) will be provided in frequently occupied work areas with potential for radioactivity. The presence of radioactivity in the normal plant effluent discharge paths and in the site environs will be continuously monitored during I
normal operations, anticipated operational occurrences, and from postulated accidents by the plant radiation monitoring systems and by the off-site radiological monitoring program for this plant.
Process radiation monitors are provided to allow the evaluation of plant equipment performance and to me6sure, indicate and record the radioactive concentration in plant process and effluent streams during normal operation and anticipated operational occurrences. Radiation monitoring of process systems provides early warning of equipment malfunctions, indicative of potential radiological hazards for prevention of the release of activity to the environment in excess of 10CFR 20 limits. Each monitor will be equipped with a loss-of-signal instrument failure alarm and a high level alarm, (a high-high level alarm is also provided when required). These alarms alert operating personnel to channel malfunction and excessive radioactivity.
Corrective action will then be manually or automatically performed.
Monitoring of liquid and gaseous effluents under normal operating conditions will be in accordance with Regulatory Guide 1.21 and any activity released will be within limits established in 10CFR20.
The numbe., sensitivities, ranges, and location of the radiation detectors will be determined by requirements of the specific monitored process during normal and postulated abnormal (accident) conditions.
All monitors will be designed so that saturstion of detectors during a severe accident condition will not cause erroneously low readings. Monitoring within the RCB during severe post accident conditions will be accomplished by the high-range gamma I
area monitors with the HAA and/or the post-accident sampling lines penetrating I
containment.
Radioactivity in the low level waste release will be integrated and recorded.
Control signals will be provided by the radiation monitor (s) to terminate liquid or RCB gaseous effluent if an out-of-limit signal is recorded. The monitoring and control exerted by the process radiation monitoring equipment j
and the operator during any release will also be verified by periodic sampling 3.1-66
1 and laboratory analysis in accordance with Technical Specifications. For tritiated process liquids, tritium surveillance will be by sampling and lab analysis. All detectors will be shielded against ambient background radiation levels so that required activity measurements can be maintained.
The preoperational environmental monitoring program has the objective of establishing a baseline of data on the distribution of a background i
radioactivity in the environment near the plant site. With this background information, it will then be possible to determine any statistically significant changes in the radioactivity levels. The preoperational environmental monitoring program will be initiated approximately two years 1
prior to receipt of radioactive material at the site. The program will remain essentially unchanged throughout the preoperational period and through the first several years of operation.
t Evaluations after plant startup will be made on the basis of the baselines established in the preoperational program, considering geography and the time of the year where these factors are applicable, and by comparisons to control stations where the concentrations of station effluents is expected to be negligible.
In those cases where a statistically significant increase in the radioactivity level is seen in a particular sampling vector but not in the control station, meteorology and specific nuclide analysis will be used to identify the source of the increase.
The planned sampling frequencies will ensure that significant changes in the environmental radioactivity can be detected. The vectors which would first indicate increases in radioactivity are sampled most frequently. Those which are less effected by transient changes but show long-term accumulations are sampled less frequently. However, specific sampling dates are not crucial and adverse weather conditions or equipment. failure on occasion prevent collection of specific samples.
The capability of the environmental monitoring program to detect design-level releases from plant effluents is uncertain because of the insignificant quantities which will be released. The program will however provide the capability of detecting any afsnificant buildup of radioactive material in the environment above and beyond that which is already present. Those vectors which are most sensitive to reconcentration of specific isotopes are sampled.
If any increase in radioactivity levels is detected in these vectors, the program will be evaluated and broadened if deemed necessary.
From the data obtained from the radioanalytical and radiochemical analyses of the vectors sampled, dose estimates can be made for an individual or the population living near the plant site.
Criterion 57 - Reactivity Limits The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor vessel internals to impair significantly the capability to cool the core. These 3 1-67
postulated reactivity accidents shall include consideration of events such as rod runout, stenaline rupture, changes in reactor coolant temperature and pressure, cold sodium addition.
Resoonse:
The intent of this criterion, as stated in Reference 1 to PSAR Section 31, is to require that the plant systems which can add reactivity to the core be designed to limit reactivity insertion to values that are consistent with the capability of the protection systems and will not result in loss of coolant boundary or affect the ability to cool the core.
CRBRP meets this criterion as discussed below.
The maximum rate of primary control rod withdrawal is mechanically limited by the physical design of the control rod drive mechanisms. The consequeness of a partially inserted primary control rod withdrawing at this maximum mechanical speed have been analyzed and shown to re ult in neither 1) damage to the reactor coolant boundary greater than limited local yielding nor 2) a disturbance that significantly impairs core coolability.
In addition, the core restraint system is designed to adequately limit the movement of core assemblies during anticipated operational occurrences and postulated accidents.
A seismically induced step reactivity insertion has been analyzed and shown to result in neither 1) damage to reactor coolant boundary greater than limited local yielding nor 2) a disturbance that significantly impairs core coolability.
These features of the design are further discussed in Sections 4.3, 4.4, and 7 2 of the PSAR.
Criterion 58 - Protection Arminst Anticiented Ooeratienal Occurrences The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.
Resoonse:
The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require highly reliable reactor protection and reactivity control systems.
CRBRP meets this criterion as discussed below.
The protection and reactivity control systems are designed to reliably preclude violation of the specified fuel design limits.
Reliability in design is provided through use of redundant, diverse and independent trains.
Reliability assurance is achieved through analysis and testing, the use of accepted codes and standarde, and the application of strir. gent quality control to all phases of design and construction. Specific reliability programs have been implemented, as described in Appendix C.
3168
l Criterion 50 - Fuel Rod Failure Fronaration Features shall be previded to limit propagation of stochastic fuel rod f ailure s.
These featur3s may be inherent in the design of the fuel and blanket assemblies to altainate or mitigate propagation or may include monitoring systems to detect pin failures in time to permit appropriate measures to be taken. The features provided shall be sufficient to limit propagation of each failure to the assembly in which it is located.
Response
The intent of this criterion, as stated in Reference 1 to PSAR Section 31, is to require that the design be capable of preventing fuel failure propagation which could lead to a disruption of a significent fraction of the core.
CRBRP meets this criterion by inherent features in combination with nonitoring systems as discussed below.
Protection against rapid propagatien initiated by a stochastic failure is provided by the inherent design features of the rods and assemblies. Such rapid propagation would be of necessity fission gas induced, and it has been shown both experimentally and analytically that stochastic failure is benign on a short time scale.
(See Section 15.4)
Slow propagation is prevented by the inherent features of the fuel and blanxet in conjunction with the monitoring systems provided.
The plant incorporates cover gas and delayed neutron monitoring systems for detection and diagnostic purposes. Existing experience with oxide fuel in LMFBR systems demonstrates that fuel degradation, a prerequisite for propagation, is a slow process.
When a fuel or blanket rod breaches, the cover gas monitoring system detects and identifies the breached rod.
The delayed neutron detector system monitors the coolant for evidence of sodium-fuel contact.
1 Based on the current experimental data base the following operational procedures will be undertaken: Upon the detection of a breached fuel or blanket rod, as indicated by (ission gas, the assembly will be removed from the reactor at the first plant shutdown. Upon detection of sodium-fuel contact, as indicated by a generally increasing delayed neutron signal, the reactor will be brought to a controlled shutdown and the assembly removed from the reacter.
Criterion 60 - Flow Blockane The reactor internals and core assemblies shall be designed to minimize the potential for flow blockade or flow restriction to one or more core assemblies by loose parts or by core assembly loading errors sufficient to cause fuel rod failure.
i Resoonse:
l The intent of this criterion, as stated in Reference 1 to PSAR Section 3 1, is to require that the reactor and core assembly design incorporate features to minimize the potential for flow blockage while the assemblies are in the reactor core. CRBRP meets 2his criterion as discussed below.
l l
J l
3 1-69
)
~ ~
,.....~,, -. -. - --
The criterion is satisfied by utilizing two design principles: flow path redundance and LIM / assembly flow zone discriminators.
4 To preclude inlet flow blockage by clogging materials is not anticipated in reactor operation, all the lower inlet modules (LIMA) have primary and l
auxiliary ports separated by radial and axial debris barriers t hich assure that sufficient flow will enter the LIM. Tests of a hypothetical total LIM blockage below the debris barriers demonstrated that the design is extremely effective in citigating the effect of flow blockages.
For protection against smaller debris, the flow which enters the LIMs passes through 0.25" holes before it feeds a cluster of seven core assemblies.
Any debris smaller than 1/4" that will not pass through the fuel bundles will be trapped in the unheated bottom region of the bundles thereby precluding blockages within the fueled region of the fuel bundle.
Flow path redundancy is provided at the LIM-to-assembly interface with multiple LIM flow holes feeding six slotted holes at the assembly inlet. Flow redundancy is adoptod throughout the design of the core assembly components with multiple hold orifice plates and multiple pin fuel bundles.
To preclude undercooling arising from refueling errors, all core assemblies utilize a discriminator at the inlet nozzle to LIM interface which precludes mis-installation. Similarly each of the lower inlet modules utilize a unique discriminator feature for core location.
The design of the LIM is discussed in Section 4.4 of the PSAR.
References to Section 9.1
- 1) NRC Letter dated December 27, 1982, P. S. Check to J. R. Longenecker, "CRBRP Principal Design Criteria."
'o 3 1-70
.. -.,... a.:. -..
..n
]
TABLE 3 1-1 COMPONENTS WHICH COMPRISE THE REACTOR COOLANT BOUNDARY The list of Components or Parts of Components which comprise the Reactor Coolant Boundary per the definitions of PSAR Section 3 1.2 is as follews:
Primary Heat Transport System (PHTS) Piping and Appurtenances PHTS Pump Tank PHTS Pump Tank Drain Line Up To and Including the Second Isolation Valve PETS Pump Shaft Seal PHTS Pump Instrument Penetrations PHTS Check Valve Body PHTS Check Valve Freeze Vent PHTS Hot Leg Freeze Vent Intermediate Heat Exchanger (IHX) Shell IHX Shell Freeze Vent IHX Tube Bundle (including Tube Sheets)
IHX Bellows Seal IHX Downcomer IHX Vent Line IHX Vent Line Freeze Vent IHX Cold Leg Pipe Drain Up To and Including the Sccond Isolation Valve Reactor Vessel Closure Head Large Rotating Plug (LRP)
Intermediate Rotating Plug (IRP)
Small Rotating Plug (SRP)
LRP Riser Assembly IRP Riser Assembly SRP Riser Assembly In-Vessel Transfer Hschine Port Plug Rotating Guide Tube Control Rod Drive Mechanism Nozzle Extensions Control Rod Drive Mcchanism Motortubes Upper Internals Structure Jacking Mechanism Column Supports Upper Internals Structure Jacking Mechanism Seals 4
Liquid Level Monitor Port Plugs Maintenance Port Plugs Cover Gas System Recycle Argon Storage Vessels Vapor Condensers RAPS Vacuum Vessel RAPS Surge Vessel RAPS Storage Vessel RAPS Cryostill Connecting Piping and Valve Bodies 3 1-71
Auxiliary Liquid Metal System Primary Sodium Overflow Vessel Primary Sodium Makeup Pump Primary Sodium Cold Trap Overflow Heat Exchanger Connecting Piping and Valve Bodies l
I
~
3 1-72 m
M
f.
TABLE 3 1-2 COMPONENTS WHICH COMPRISE THE INTERMEDIATE COOLANT BOUNDARY Intermediate Heat Exchanger Inlet nozzle Downcomer and bellows Lower tubeabeet Hemispherical head Tubes (intermediate system is inside tubes)
Upper tubesheet Intermediate channel Outlet nozzle Startup vent nozzles Superheater (1)
Sodium inlet nozzle Vessel shell Tubes (Intermediate system is outside tubes)
Sodium bleed vent Sodium outlet nozzles (2)
Evaporators (2)
Sodium inlet nozzle Vessel shell Tubes (Intermediate system is outside tubes)
Sodium bleed vent Sodium outlet nozzle, Intermediate Sodium Pump Inlet nozzle Discharge nozzle Pump tank
~
Gas Equalization line Instrument penetrations Shaft Seal Intermediate Expansion Tank Expansion Tank Shell Nozzles (10)
Cover Gas System up to and including the first isolation valve 3 1-73
TABLE 3 1-2 (Continued)
Sodium Venturies (Loop 2 only)
Instrumentation Bosses Intermediate Sodium Dump Valves Pump outlet Evaporators Superheater Expansion tank vent Piping 24" Hot leg 18" between steam generator to mixing tee 18" x 36" pump inlet mixing tee 24" cold leg Reducers Elbows Tees 4" drain lines 36" pump suction piping 8" expansion tank return line 2" IHI vent line 2" Expansion tank, pump tank equalization line 6" Expansion tank vent line IHI Isolation Gas Connection Line Miscellaneous Components (not actually parts of the IHTS)
Sodium and Gas Rupture Discs Hydrogen Detector Valves 0
3 1-74
}-
- ......~. - - -.... -
TABLE 3 1-3 COMPARISON OF PLANT CONDITIONS WITH 10 CFA 50 l
CRBRP PSAR Chanter 15 10CFR50 Annendir A and Sec. 1.1 Normal Operation Normal Operation
/ nticipated Faults Anticipated Operational A
b Occurrences l
Off-Normal Conditions (UnlikelyFaults Extremely Unlikely Faults i
Postulated Accidents s
e 3 1-75
TABLE 3 1-4 These criteria have been renumbered since the initial submittal of this PSAR.
Future amendments will identify the criteria by their new numbers. The following table is provided to assist the reader in those cases where the
= rent PSAR section cites the (old) incorrect numbers.
t Old Number New Number 1
1 2
2 3
3 3.a 4
4 C
6 6
5 7
10 8
11 9
12 10 13 11 14 12 15 13 16 14 17 15 18 16 19
.7 20 18 21 19 22 20 23 21 24 22 25 23 26 24 27 25 30.a 26 30.b 27 30.c 28 31 29 32 30 34 31 35 32 36 33 33 34 37 35 38 36 39 37 40 38 41 39 3 1-76
TABLE 3.1-4 (cont'd.)
Old Number New Number 42 40 50 41 51 42 52 43 53 44 54 45 55 46 56 47 57 48 58.a 49 58.b 50 58.c 51 60 52 61 53 62 54 63 55 64 56 None 57 None 58 None 59 None 60 e
O l
i l
3.1-77
-.. - -.-..